Disable automatic support for Terraform Cloud remote state backend (#56)

cloudposse · Oct 17, 2022 · 80b790b · 80b790b
1 parent 9fc6dcc
commit 80b790b
Show file tree

Hide file tree

Showing 21 changed files with 68 additions and 26 deletions.
diff --git a/README.md b/README.md
@@ -343,7 +343,7 @@ Available targets:
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.14.0 |
 | <a name="requirement_external"></a> [external](#requirement\_external) | >= 2.0 |
 | <a name="requirement_local"></a> [local](#requirement\_local) | >= 1.3 |
 | <a name="requirement_utils"></a> [utils](#requirement\_utils) | >= 1.5.0 |

diff --git a/docs/terraform.md b/docs/terraform.md
@@ -3,7 +3,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.14.0 |
 | <a name="requirement_external"></a> [external](#requirement\_external) | >= 2.0 |
 | <a name="requirement_local"></a> [local](#requirement\_local) | >= 1.3 |
 | <a name="requirement_utils"></a> [utils](#requirement\_utils) | >= 1.5.0 |

diff --git a/examples/backend/versions.tf b/examples/backend/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.13.0"
+  required_version = ">= 0.14.0"
 
   required_providers {
     local = {

diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.13.0"
+  required_version = ">= 1.1.0"
 
   required_providers {
     local = {

diff --git a/examples/remote-state/versions.tf b/examples/remote-state/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.13.0"
+  required_version = ">= 1.1.0"
 
   required_providers {
     local = {

diff --git a/examples/spacelift/versions.tf b/examples/spacelift/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.13.0"
+  required_version = ">= 0.14.0"
 
   required_providers {
     local = {

diff --git a/examples/stack/versions.tf b/examples/stack/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.13.0"
+  required_version = ">= 0.14.0"
 
   required_providers {
     local = {

diff --git a/examples/stacks/versions.tf b/examples/stacks/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.13.0"
+  required_version = ">= 0.14.0"
 
   required_providers {
     local = {

diff --git a/modules/backend/versions.tf b/modules/backend/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.13.0"
+  required_version = ">= 0.14.0"
 
   required_providers {
     local = {

diff --git a/modules/env/versions.tf b/modules/env/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.13.0"
+  required_version = ">= 0.14.0"
 
   required_providers {
     local = {

diff --git a/modules/remote-state/dummy-remote-state.json b/modules/remote-state/dummy-remote-state.json
@@ -0,0 +1 @@
+{"version": 1}
diff --git a/modules/remote-state/main.tf b/modules/remote-state/main.tf
@@ -31,7 +31,7 @@ locals {
   workspace            = lookup(local.config, "workspace", "")
   workspace_key_prefix = lookup(local.backend, "workspace_key_prefix", null)
 
-  remote_state_enabled = ! var.bypass
+  remote_state_enabled = !var.bypass
 
   remote_states = {
     s3     = data.terraform_remote_state.s3

diff --git a/modules/remote-state/remote.tf b/modules/remote-state/remote.tf
@@ -3,7 +3,9 @@ locals {
 }
 
 data "terraform_remote_state" "remote" {
-  count = local.remote_state_enabled && local.backend_type == "remote" ? 1 : 0
+  # workaround for https://github.com/hashicorp/terraform/issues/32023
+  count = local.remote_state_enabled && (var.backend_type == "remote" ? true : var.backend_type != "auto" ? false : local.backend_type == "remote") ? 1 : 0
+
 
   backend = "remote"
 

diff --git a/modules/remote-state/s3.tf b/modules/remote-state/s3.tf
@@ -3,13 +3,27 @@ locals {
 }
 
 data "terraform_remote_state" "s3" {
-  count = local.remote_state_enabled && local.backend_type == "s3" ? 1 : 0
+  # workaround for https://github.com/hashicorp/terraform/issues/32023
+  count = local.remote_state_enabled && (var.backend_type == "s3" ? true : var.backend_type != "auto" ? false : local.backend_type == "s3") ? 1 : 0
 
-  backend = "s3"
+  # Mitigation for https://github.com/hashicorp/terraform/issues/32023
+  #
+  # With this bug, `local.config` is unknown and everything that flows from it
+  # is unknown, and cannot be used in count or for_each. This includes
+  # `local.backend_type`. The workaround is to force the S3 terraform remote
+  # state data source to be created, and then use `local.backend_type` to
+  # determine if we really meant to reference the S3 remote state, because by
+  # the time we get there, `local.config` is known. Except now that it is
+  # known, it might not really be S3, so we have to supply a dummy value if it
+  # is not S3. The rest of our code will ignore the dummy value, because it
+  # will not be looking to this resource for the data it needs, it will be
+  # looking to the correct backend type.
 
-  workspace = local.s3_workspace
+  backend = local.backend_type == "s3" ? "s3" : "local"
 
-  config = {
+  workspace = local.backend_type == "s3" ? local.s3_workspace : null
+
+  config = local.backend_type == "s3" ? {
     encrypt        = local.backend.encrypt
     bucket         = local.backend.bucket
     key            = local.backend.key
@@ -56,12 +70,14 @@ data "terraform_remote_state" "s3" {
     # component, we don't touch the `globals.yaml` file at all, and we don't update the component's `role_arn` and `profile` settings).
 
     # Use the role to access the remote state if the component is not privileged and `role_arn` is specified
-    role_arn = ! coalesce(try(local.backend.privileged, null), var.privileged) && contains(keys(local.backend), "role_arn") ? local.backend.role_arn : null
+    role_arn = !coalesce(try(local.backend.privileged, null), var.privileged) && contains(keys(local.backend), "role_arn") ? local.backend.role_arn : null
 
     # Use the profile to access the remote state if the component is not privileged and `profile` is specified
-    profile = ! coalesce(try(local.backend.privileged, null), var.privileged) && contains(keys(local.backend), "profile") ? local.backend.profile : null
+    profile = !coalesce(try(local.backend.privileged, null), var.privileged) && contains(keys(local.backend), "profile") ? local.backend.profile : null
 
     workspace_key_prefix = local.workspace_key_prefix
+    } : {
+    path = "${path.module}/dummy-remote-state.json"
   }
 
   defaults = var.defaults

diff --git a/modules/remote-state/variables.tf b/modules/remote-state/variables.tf
@@ -56,3 +56,17 @@ variable "atmos_base_path" {
   description = "atmos base path to components and stacks"
   default     = null
 }
+
+variable "backend_type" {
+  type = string
+  # Due to Terraform [issue #32023](https://github.com/hashicorp/terraform/issues/32023),
+  # we cannot reliably get the backend type from the stack configuration, even when
+  # the stack has it. So we need to pass it in as a variable.
+  description = <<-EOF
+    Set to "auto" to get the backend type from the stack configuration.
+    Unfortunately, the "auto" setting causes Terraform [issue #32023](https://github.com/hashicorp/terraform/issues/32023).
+    However, please continue to configure the backend type in the stack configuration,
+    because when the Terraform issue is fixed, the default will be quietly changed to "auto".
+    EOF
+  default     = "s3"
+}
diff --git a/modules/remote-state/versions.tf b/modules/remote-state/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.13.0"
+  required_version = ">= 1.1.0"
 
   required_providers {
     local = {
@@ -11,8 +11,17 @@ terraform {
       version = ">= 2.0"
     }
     utils = {
-      source  = "cloudposse/utils"
-      version = "1.5.0"
+      source = "cloudposse/utils"
+      # Do not allow automatic updates to this provider
+      # until we have tested the new version thoroughly.
+      # Move the <= version constraint to the latest version
+      # after testing is complete. Move the >= version constraint
+      # when a new version adds a required feature or fixes a bug.
+      # If a version in between is found to have a bug,
+      # add a != constraint for that version.
+      # Leave a redundant != constraint for the last known bad version
+      # as an example of how to add a constraint for a bad version.
+      version = ">= 1.5.0, != 1.4.0, <= 1.5.0"
     }
   }
 }
diff --git a/modules/settings/versions.tf b/modules/settings/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.13.0"
+  required_version = ">= 0.14.0"
 
   required_providers {
     local = {

diff --git a/modules/spacelift/versions.tf b/modules/spacelift/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.13.0"
+  required_version = ">= 0.14.0"
 
   required_providers {
     local = {

diff --git a/modules/stack/versions.tf b/modules/stack/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.13.0"
+  required_version = ">= 0.14.0"
 
   required_providers {
     local = {

diff --git a/modules/vars/versions.tf b/modules/vars/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.13.0"
+  required_version = ">= 0.14.0"
 
   required_providers {
     local = {

diff --git a/versions.tf b/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.13.0"
+  required_version = ">= 0.14.0"
 
   required_providers {
     local = {