
Enable state locking for remaining TF backends in the MP repo #8789

Open
4 tasks
richgreen-moj opened this issue Dec 19, 2024 · 1 comment
@richgreen-moj
Contributor

User Story

As an MP Engineer
I need to enable Terraform state locking for some of the backends in the MP repo
So that we are following best practices

Value / Purpose

Checkov has highlighted that some of our backend definitions do not enable state locking. This ticket would be to look into enabling state locking for all the remaining TF backends that don't have it enabled in the MP repo.

This will ensure that we are following best practices - e.g. no conflicts to TF state if multiple people are running deployments simultaneously.

If there is a reason these have been omitted from the previous work to do this then we can just articulate why in the exclude comments.

Context / Background

This was discovered as part of a static analysis job that ran recently... https://github.com/ministryofjustice/modernisation-platform/actions/runs/12407887097/job/34638615664

Example:

Running Checkov in terraform/environments/bootstrap/delegate-access
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-19 07:10:16,130 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-cross-account-access?ref=ef80831bbc71e96733abb9ff32cc3f24bcc7e55f:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 6, Failed checks: 1, Skipped checks: 0

Check: CKV_TF_3: "Ensure state files are locked"
	FAILED for resource: terraform
	File: /backend.tf:1-12

		1  | terraform {
		2  |   # `backend` blocks do not support variables, so the following are hard-coded here:
		3  |   # - S3 bucket name, which is created in terraform/modernisation-platform-account/s3.tf
		4  |   backend "s3" {
		5  |     acl                  = "bucket-owner-full-control"
		6  |     bucket               = "modernisation-platform-terraform-state"
		7  |     encrypt              = true
		8  |     key                  = "terraform.tfstate"
		9  |     region               = "eu-west-2"
		10 |     workspace_key_prefix = "environments/bootstrap/delegate-access" # This will store the object as environments/bootstrap/delegate-access/${workspace}/terraform.tfstate
		11 |   }
		12 | }

The affected backend.tf files are in:

  • terraform/environments/bootstrap/delegate-access
  • terraform/environments/bootstrap/member-bootstrap
  • terraform/environments/bootstrap/secure-baselines
  • terraform/environments/bootstrap/single-sign-on
  • terraform/environments/core-sandbox
  • terraform/github
  • terraform/pagerduty
  • terraform/environments/main.tf

Useful Contacts

No response

Additional Information

No response

Definition of Done

  • Enable state locking
  • Test deployments
  • Remove Checkov excludes and check static analysis
  • Ticket reviewed by a team member
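As an added illustration (not code from this issue or the MP repo), this is the flagged `delegate-access` backend block with the `dynamodb_table` argument that turns on locking for an S3 backend, together with the lock table it depends on. The table name `modernisation-platform-terraform-state-lock` is an assumption, and the table must exist in the account that holds the state bucket before `terraform init` is re-run.

```hcl
# Added example, not the repository's own code. Backend for
# terraform/environments/bootstrap/delegate-access with locking enabled.
terraform {
  backend "s3" {
    acl                  = "bucket-owner-full-control"
    bucket               = "modernisation-platform-terraform-state"
    encrypt              = true
    key                  = "terraform.tfstate"
    region               = "eu-west-2"
    workspace_key_prefix = "environments/bootstrap/delegate-access"

    # The one line that was missing: every plan/apply now takes a lock
    # item in this table, so two concurrent runs against the same state
    # fail fast instead of racing each other. Table name is assumed.
    dynamodb_table = "modernisation-platform-terraform-state-lock"
  }
}

# The lock table has to be created up front, where the state bucket is
# managed (the issue points at terraform/modernisation-platform-account/s3.tf).
# Terraform locks on a string hash key that must be called exactly "LockID";
# the item key is "<bucket>/<key>", so one table serves every workspace.
resource "aws_dynamodb_table" "terraform_state_lock" {
  name         = "modernisation-platform-terraform-state-lock" # assumed name
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }

  point_in_time_recovery {
    enabled = true
  }

  server_side_encryption {
    enabled = true
  }
}
```

For the "Test deployments" step, run `terraform init -reconfigure` in each affected directory and start a second `terraform plan` while one is still running: with locking on, the second one should stop with a state-lock error rather than proceed. Terraform 1.10 and later also offer S3-native locking via `use_lockfile = true` in the backend block, which needs no DynamoDB table at all.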
@dms1981
Contributor

dms1981 commented Jan 3, 2025

This could / should be rolled into #8345

Projects
Status: To Do
Development

No branches or pull requests

2 participants