ResiLien
/
terraform
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
terraform/backend/remote-state/s3/client.go

372 lines
8.2 KiB
Go
Raw Normal View History

convert S3 remote state to a backend Move the S3 State from a legacy remote state to an official backend. This increases test coverage, uses a set schema for configuration, and will allow new backend features to be implemented for the S3 state, e.g. "environments".
2017-03-21 18:43:31 +01:00
package s3
S3 remote stage storage backend, against the new remote state API. Stores state in a particular key in a given S3 bucket.
2015-04-30 18:21:49 +02:00
import (
"bytes"
store and verify s3 remote state checksum Updates to objects in S3 are only eventually consistent. If the RemoteClient has a DynamoDB table available, use that to store a checksum of the last written state, so the object can be verified by the next client to call Get. Terraform currently doesn't have any sort of user feedback around RefreshState/Get, so we poll only for a short time before returning an error.
2017-05-19 17:51:46 +02:00
"crypto/md5"
"encoding/hex"
Use single state.LockInfo struct Remove redundant structures
2017-02-07 17:12:02 +01:00
"encoding/json"
store and verify s3 remote state checksum Updates to objects in S3 are only eventually consistent. If the RemoteClient has a DynamoDB table available, use that to store a checksum of the last written state, so the object can be verified by the next client to call Get. Terraform currently doesn't have any sort of user feedback around RefreshState/Get, so we poll only for a short time before returning an error.
2017-05-19 17:51:46 +02:00
"errors"
S3 remote stage storage backend, against the new remote state API. Stores state in a particular key in a given S3 bucket.
2015-04-30 18:21:49 +02:00
"fmt"
"io"
remote/s3: Add support for ACL
2015-09-14 11:38:29 +02:00
"log"
store and verify s3 remote state checksum Updates to objects in S3 are only eventually consistent. If the RemoteClient has a DynamoDB table available, use that to store a checksum of the last written state, so the object can be verified by the next client to call Get. Terraform currently doesn't have any sort of user feedback around RefreshState/Get, so we poll only for a short time before returning an error.
2017-05-19 17:51:46 +02:00
"time"
S3 remote stage storage backend, against the new remote state API. Stores state in a particular key in a given S3 bucket.
2015-04-30 18:21:49 +02:00
provider/aws: handle upstream aws-sdk-go repo move `awslabs/aws-sdk-go => aws/aws-sdk-go` Congrats to upstream on the promotion. :)
2015-06-03 20:36:57 +02:00
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awserr"
Add locking for s3 state Use a DynamoDB table to coodinate state locking in S3. We use a simple strategy here, defining a key containing the value of the bucket/key of the state file as the lock. If the keys exists, the locks fails. TODO: decide if locks should automatically be expired, or require manual intervention.
2017-01-12 22:55:42 +01:00
"github.com/aws/aws-sdk-go/service/dynamodb"
provider/aws: handle upstream aws-sdk-go repo move `awslabs/aws-sdk-go => aws/aws-sdk-go` Congrats to upstream on the promotion. :)
2015-06-03 20:36:57 +02:00
"github.com/aws/aws-sdk-go/service/s3"
convert S3 remote state to a backend Move the S3 State from a legacy remote state to an official backend. This increases test coverage, uses a set schema for configuration, and will allow new backend features to be implemented for the S3 state, e.g. "environments".
2017-03-21 18:43:31 +01:00
multierror "github.com/hashicorp/go-multierror"
Make S3 remote state pass tests TODO: update S3Client to make full use of the state.Locker interface
2017-02-15 00:00:59 +01:00
uuid "github.com/hashicorp/go-uuid"
Use single state.LockInfo struct Remove redundant structures
2017-02-07 17:12:02 +01:00
"github.com/hashicorp/terraform/state"
convert S3 remote state to a backend Move the S3 State from a legacy remote state to an official backend. This increases test coverage, uses a set schema for configuration, and will allow new backend features to be implemented for the S3 state, e.g. "environments".
2017-03-21 18:43:31 +01:00
"github.com/hashicorp/terraform/state/remote"
S3 remote stage storage backend, against the new remote state API. Stores state in a particular key in a given S3 bucket.
2015-04-30 18:21:49 +02:00
)
store and verify s3 remote state checksum Updates to objects in S3 are only eventually consistent. If the RemoteClient has a DynamoDB table available, use that to store a checksum of the last written state, so the object can be verified by the next client to call Get. Terraform currently doesn't have any sort of user feedback around RefreshState/Get, so we poll only for a short time before returning an error.
2017-05-19 17:51:46 +02:00
// Store the last saved serial in dynamo with this suffix for consistency checks.
const stateIDSuffix = "-md5"
move s3 config from client to backend The RemoteClient needs to be configured for the named state, so move the general config to the backend. Rename some fields for consistency.
2017-03-22 20:52:55 +01:00
type RemoteClient struct {
s3Client *s3.S3
dynClient *dynamodb.DynamoDB
Allowing at-rest encryption when using S3 This change allows the user to specify `-backend-config="encrypt=1"` to tell S3 to encrypt the data that's in the bucket when using S3 for remote config storage. The encryption uses "Amazon S3-managed encryption keys" so it should not require any further user intervention. A line was added to the unit test just for coverage. The acceptance test was modified to: a) Use encryption b) Push some test data up to the bucket created to ensure that Amazon accepts the header.
2015-06-19 20:33:03 +02:00
bucketName string
move s3 config from client to backend The RemoteClient needs to be configured for the named state, so move the general config to the backend. Rename some fields for consistency.
2017-03-22 20:52:55 +01:00
path string
Allowing at-rest encryption when using S3 This change allows the user to specify `-backend-config="encrypt=1"` to tell S3 to encrypt the data that's in the bucket when using S3 for remote config storage. The encryption uses "Amazon S3-managed encryption keys" so it should not require any further user intervention. A line was added to the unit test just for coverage. The acceptance test was modified to: a) Use encryption b) Push some test data up to the bucket created to ensure that Amazon accepts the header.
2015-06-19 20:33:03 +02:00
serverSideEncryption bool
remote/s3: Add support for ACL
2015-09-14 11:38:29 +02:00
acl string
Add support S3 server side encryption with KMS. * Example ``` terraform remote config \ -backend=s3 -backend-config="bucket=bucket-tfstate" -backend-config="key=terraform.tfstate" -backend-config="region=ap-northeast-1" -backend-config="encrypt=1" -backend-config="kmsKeyID=arn:aws:kms:ap-northeast-1:123456789:key/ac54dbd2-f301-42c1-bab9-88e6a84292a9" ```
2015-07-31 09:09:28 +02:00
kmsKeyID string
Add locking for s3 state Use a DynamoDB table to coodinate state locking in S3. We use a simple strategy here, defining a key containing the value of the bucket/key of the state file as the lock. If the keys exists, the locks fails. TODO: decide if locks should automatically be expired, or require manual intervention.
2017-01-12 22:55:42 +01:00
lockTable string
S3 remote stage storage backend, against the new remote state API. Stores state in a particular key in a given S3 bucket.
2015-04-30 18:21:49 +02:00
}
store and verify s3 remote state checksum Updates to objects in S3 are only eventually consistent. If the RemoteClient has a DynamoDB table available, use that to store a checksum of the last written state, so the object can be verified by the next client to call Get. Terraform currently doesn't have any sort of user feedback around RefreshState/Get, so we poll only for a short time before returning an error.
2017-05-19 17:51:46 +02:00
var (
// The amount of time we will retry a state waiting for it to match the
// expected checksum.
consistencyRetryTimeout = 10 * time.Second
// delay when polling the state
consistencyRetryPollInterval = 2 * time.Second
// checksum didn't match the remote state
errBadChecksum = errors.New("invalid state checksum")
)
// test hook called when checksums don't match
var testChecksumHook func()
func (c *RemoteClient) Get() (payload *remote.Payload, err error) {
deadline := time.Now().Add(consistencyRetryTimeout)
// If we have a checksum, and the returned payload doesn't match, we retry
// up until deadline.
for {
payload, err = c.get()
if err != nil {
return nil, err
}
// verify that this state is what we expect
if expected, err := c.getMD5(); err != nil {
log.Printf("[WARNING] failed to fetch state md5: %s", err)
} else if len(expected) > 0 && !bytes.Equal(expected, payload.MD5) {
log.Printf("[WARNING] state md5 mismatch: expected '%x', got '%x'", expected, payload.MD5)
if testChecksumHook != nil {
testChecksumHook()
}
if time.Now().Before(deadline) {
time.Sleep(consistencyRetryPollInterval)
log.Println("[INFO] retrying S3 RemoteClient.Get...")
continue
}
return nil, errBadChecksum
}
break
}
return payload, err
}
func (c *RemoteClient) get() (*remote.Payload, error) {
move s3 config from client to backend The RemoteClient needs to be configured for the named state, so move the general config to the backend. Rename some fields for consistency.
2017-03-22 20:52:55 +01:00
output, err := c.s3Client.GetObject(&s3.GetObjectInput{
S3 remote stage storage backend, against the new remote state API. Stores state in a particular key in a given S3 bucket.
2015-04-30 18:21:49 +02:00
Bucket: &c.bucketName,
move s3 config from client to backend The RemoteClient needs to be configured for the named state, so move the general config to the backend. Rename some fields for consistency.
2017-03-22 20:52:55 +01:00
Key: &c.path,
S3 remote stage storage backend, against the new remote state API. Stores state in a particular key in a given S3 bucket.
2015-04-30 18:21:49 +02:00
})
if err != nil {
update remote state s3 file to fix error
2015-05-20 22:20:30 +02:00
if awserr := err.(awserr.Error); awserr != nil {
provider/aws: fix breakages from awserr refactor This landed in aws-sdk-go yesterday, breaking the AWS provider in many places: https://github.com/awslabs/aws-sdk-go/commit/3c259c9586a4a82d6f00e7c01a69263f798e8ffe Here, with much sedding, grepping, and manual massaging, we attempt to catch Terraform up to the new `awserr.Error` interface world.
2015-05-20 13:21:23 +02:00
if awserr.Code() == "NoSuchKey" {
S3 remote stage storage backend, against the new remote state API. Stores state in a particular key in a given S3 bucket.
2015-04-30 18:21:49 +02:00
return nil, nil
} else {
return nil, err
}
} else {
return nil, err
}
}
defer output.Body.Close()
buf := bytes.NewBuffer(nil)
if _, err := io.Copy(buf, output.Body); err != nil {
return nil, fmt.Errorf("Failed to read remote state: %s", err)
}
store and verify s3 remote state checksum Updates to objects in S3 are only eventually consistent. If the RemoteClient has a DynamoDB table available, use that to store a checksum of the last written state, so the object can be verified by the next client to call Get. Terraform currently doesn't have any sort of user feedback around RefreshState/Get, so we poll only for a short time before returning an error.
2017-05-19 17:51:46 +02:00
sum := md5.Sum(buf.Bytes())
convert S3 remote state to a backend Move the S3 State from a legacy remote state to an official backend. This increases test coverage, uses a set schema for configuration, and will allow new backend features to be implemented for the S3 state, e.g. "environments".
2017-03-21 18:43:31 +01:00
payload := &remote.Payload{
S3 remote stage storage backend, against the new remote state API. Stores state in a particular key in a given S3 bucket.
2015-04-30 18:21:49 +02:00
Data: buf.Bytes(),
store and verify s3 remote state checksum Updates to objects in S3 are only eventually consistent. If the RemoteClient has a DynamoDB table available, use that to store a checksum of the last written state, so the object can be verified by the next client to call Get. Terraform currently doesn't have any sort of user feedback around RefreshState/Get, so we poll only for a short time before returning an error.
2017-05-19 17:51:46 +02:00
MD5: sum[:],
S3 remote stage storage backend, against the new remote state API. Stores state in a particular key in a given S3 bucket.
2015-04-30 18:21:49 +02:00
}
// If there was no data, then return nil
if len(payload.Data) == 0 {
return nil, nil
}
return payload, nil
}
move s3 config from client to backend The RemoteClient needs to be configured for the named state, so move the general config to the backend. Rename some fields for consistency.
2017-03-22 20:52:55 +01:00
func (c *RemoteClient) Put(data []byte) error {
S3 remote state use application/json Content-Type. The state is always JSON, in spite of the fact that this interface presents it as an opaque byte array. It's more helpful to those interacting with the state object outside of Terraform for it to have a more specific content-type.
2015-10-02 00:14:55 +02:00
contentType := "application/json"
S3 remote stage storage backend, against the new remote state API. Stores state in a particular key in a given S3 bucket.
2015-04-30 18:21:49 +02:00
contentLength := int64(len(data))
Allowing at-rest encryption when using S3 This change allows the user to specify `-backend-config="encrypt=1"` to tell S3 to encrypt the data that's in the bucket when using S3 for remote config storage. The encryption uses "Amazon S3-managed encryption keys" so it should not require any further user intervention. A line was added to the unit test just for coverage. The acceptance test was modified to: a) Use encryption b) Push some test data up to the bucket created to ensure that Amazon accepts the header.
2015-06-19 20:33:03 +02:00
i := &s3.PutObjectInput{
S3 remote stage storage backend, against the new remote state API. Stores state in a particular key in a given S3 bucket.
2015-04-30 18:21:49 +02:00
ContentType: &contentType,
ContentLength: &contentLength,
Body: bytes.NewReader(data),
Bucket: &c.bucketName,
move s3 config from client to backend The RemoteClient needs to be configured for the named state, so move the general config to the backend. Rename some fields for consistency.
2017-03-22 20:52:55 +01:00
Key: &c.path,
Allowing at-rest encryption when using S3 This change allows the user to specify `-backend-config="encrypt=1"` to tell S3 to encrypt the data that's in the bucket when using S3 for remote config storage. The encryption uses "Amazon S3-managed encryption keys" so it should not require any further user intervention. A line was added to the unit test just for coverage. The acceptance test was modified to: a) Use encryption b) Push some test data up to the bucket created to ensure that Amazon accepts the header.
2015-06-19 20:33:03 +02:00
}
if c.serverSideEncryption {
Add support S3 server side encryption with KMS. * Example ``` terraform remote config \ -backend=s3 -backend-config="bucket=bucket-tfstate" -backend-config="key=terraform.tfstate" -backend-config="region=ap-northeast-1" -backend-config="encrypt=1" -backend-config="kmsKeyID=arn:aws:kms:ap-northeast-1:123456789:key/ac54dbd2-f301-42c1-bab9-88e6a84292a9" ```
2015-07-31 09:09:28 +02:00
if c.kmsKeyID != "" {
Fix typo
2015-10-07 16:39:08 +02:00
i.SSEKMSKeyId = &c.kmsKeyID
Add support S3 server side encryption with KMS. * Example ``` terraform remote config \ -backend=s3 -backend-config="bucket=bucket-tfstate" -backend-config="key=terraform.tfstate" -backend-config="region=ap-northeast-1" -backend-config="encrypt=1" -backend-config="kmsKeyID=arn:aws:kms:ap-northeast-1:123456789:key/ac54dbd2-f301-42c1-bab9-88e6a84292a9" ```
2015-07-31 09:09:28 +02:00
i.ServerSideEncryption = aws.String("aws:kms")
} else {
i.ServerSideEncryption = aws.String("AES256")
}
Allowing at-rest encryption when using S3 This change allows the user to specify `-backend-config="encrypt=1"` to tell S3 to encrypt the data that's in the bucket when using S3 for remote config storage. The encryption uses "Amazon S3-managed encryption keys" so it should not require any further user intervention. A line was added to the unit test just for coverage. The acceptance test was modified to: a) Use encryption b) Push some test data up to the bucket created to ensure that Amazon accepts the header.
2015-06-19 20:33:03 +02:00
}
remote/s3: Add support for ACL
2015-09-14 11:38:29 +02:00
if c.acl != "" {
i.ACL = aws.String(c.acl)
}
log.Printf("[DEBUG] Uploading remote state to S3: %#v", i)
store and verify s3 remote state checksum Updates to objects in S3 are only eventually consistent. If the RemoteClient has a DynamoDB table available, use that to store a checksum of the last written state, so the object can be verified by the next client to call Get. Terraform currently doesn't have any sort of user feedback around RefreshState/Get, so we poll only for a short time before returning an error.
2017-05-19 17:51:46 +02:00
_, err := c.s3Client.PutObject(i)
if err != nil {
S3 remote stage storage backend, against the new remote state API. Stores state in a particular key in a given S3 bucket.
2015-04-30 18:21:49 +02:00
return fmt.Errorf("Failed to upload state: %v", err)
}
store and verify s3 remote state checksum Updates to objects in S3 are only eventually consistent. If the RemoteClient has a DynamoDB table available, use that to store a checksum of the last written state, so the object can be verified by the next client to call Get. Terraform currently doesn't have any sort of user feedback around RefreshState/Get, so we poll only for a short time before returning an error.
2017-05-19 17:51:46 +02:00
sum := md5.Sum(data)
if err := c.putMD5(sum[:]); err != nil {
// if this errors out, we unfortunately have to error out altogether,
// since the next Get will inevitably fail.
return fmt.Errorf("failed to store state MD5: %s", err)
}
return nil
S3 remote stage storage backend, against the new remote state API. Stores state in a particular key in a given S3 bucket.
2015-04-30 18:21:49 +02:00
}
move s3 config from client to backend The RemoteClient needs to be configured for the named state, so move the general config to the backend. Rename some fields for consistency.
2017-03-22 20:52:55 +01:00
func (c *RemoteClient) Delete() error {
_, err := c.s3Client.DeleteObject(&s3.DeleteObjectInput{
S3 remote stage storage backend, against the new remote state API. Stores state in a particular key in a given S3 bucket.
2015-04-30 18:21:49 +02:00
Bucket: &c.bucketName,
move s3 config from client to backend The RemoteClient needs to be configured for the named state, so move the general config to the backend. Rename some fields for consistency.
2017-03-22 20:52:55 +01:00
Key: &c.path,
S3 remote stage storage backend, against the new remote state API. Stores state in a particular key in a given S3 bucket.
2015-04-30 18:21:49 +02:00
})
store and verify s3 remote state checksum Updates to objects in S3 are only eventually consistent. If the RemoteClient has a DynamoDB table available, use that to store a checksum of the last written state, so the object can be verified by the next client to call Get. Terraform currently doesn't have any sort of user feedback around RefreshState/Get, so we poll only for a short time before returning an error.
2017-05-19 17:51:46 +02:00
if err != nil {
return err
}
if err := c.deleteMD5(); err != nil {
log.Printf("error deleting state md5: %s", err)
}
return nil
S3 remote stage storage backend, against the new remote state API. Stores state in a particular key in a given S3 bucket.
2015-04-30 18:21:49 +02:00
}
Add locking for s3 state Use a DynamoDB table to coodinate state locking in S3. We use a simple strategy here, defining a key containing the value of the bucket/key of the state file as the lock. If the keys exists, the locks fails. TODO: decide if locks should automatically be expired, or require manual intervention.
2017-01-12 22:55:42 +01:00
move s3 config from client to backend The RemoteClient needs to be configured for the named state, so move the general config to the backend. Rename some fields for consistency.
2017-03-22 20:52:55 +01:00
func (c *RemoteClient) Lock(info *state.LockInfo) (string, error) {
Add locking for s3 state Use a DynamoDB table to coodinate state locking in S3. We use a simple strategy here, defining a key containing the value of the bucket/key of the state file as the lock. If the keys exists, the locks fails. TODO: decide if locks should automatically be expired, or require manual intervention.
2017-01-12 22:55:42 +01:00
if c.lockTable == "" {
Make S3 remote state pass tests TODO: update S3Client to make full use of the state.Locker interface
2017-02-15 00:00:59 +01:00
return "", nil
Add locking for s3 state Use a DynamoDB table to coodinate state locking in S3. We use a simple strategy here, defining a key containing the value of the bucket/key of the state file as the lock. If the keys exists, the locks fails. TODO: decide if locks should automatically be expired, or require manual intervention.
2017-01-12 22:55:42 +01:00
}
initialize the s3 lock path in one place
2017-03-30 19:36:54 +02:00
info.Path = c.lockPath()
Make S3 remote state pass tests TODO: update S3Client to make full use of the state.Locker interface
2017-02-15 00:00:59 +01:00
Use NewLockInfo to get a pre-populated value Using NewLockInfo ensure we start with all required fields filled.
2017-02-15 16:25:04 +01:00
if info.ID == "" {
lockID, err := uuid.GenerateUUID()
if err != nil {
return "", err
}
Add locking for s3 state Use a DynamoDB table to coodinate state locking in S3. We use a simple strategy here, defining a key containing the value of the bucket/key of the state file as the lock. If the keys exists, the locks fails. TODO: decide if locks should automatically be expired, or require manual intervention.
2017-01-12 22:55:42 +01:00
Use NewLockInfo to get a pre-populated value Using NewLockInfo ensure we start with all required fields filled.
2017-02-15 16:25:04 +01:00
info.ID = lockID
}
Make S3 remote state pass tests TODO: update S3Client to make full use of the state.Locker interface
2017-02-15 00:00:59 +01:00
Add locking for s3 state Use a DynamoDB table to coodinate state locking in S3. We use a simple strategy here, defining a key containing the value of the bucket/key of the state file as the lock. If the keys exists, the locks fails. TODO: decide if locks should automatically be expired, or require manual intervention.
2017-01-12 22:55:42 +01:00
putParams := &dynamodb.PutItemInput{
Item: map[string]*dynamodb.AttributeValue{
initialize the s3 lock path in one place
2017-03-30 19:36:54 +02:00
"LockID": {S: aws.String(c.lockPath())},
Clean up LockInfo and LockError and use them Gove LockInfo a Marshal method for easy serialization, and a String method for more readable output. Have the state.Locker implementations use LockError when possible to return LockInfo and an error.
2017-02-15 20:01:18 +01:00
"Info": {S: aws.String(string(info.Marshal()))},
Add locking for s3 state Use a DynamoDB table to coodinate state locking in S3. We use a simple strategy here, defining a key containing the value of the bucket/key of the state file as the lock. If the keys exists, the locks fails. TODO: decide if locks should automatically be expired, or require manual intervention.
2017-01-12 22:55:42 +01:00
},
TableName: aws.String(c.lockTable),
ConditionExpression: aws.String("attribute_not_exists(LockID)"),
}
Use NewLockInfo to get a pre-populated value Using NewLockInfo ensure we start with all required fields filled.
2017-02-15 16:25:04 +01:00
_, err := c.dynClient.PutItem(putParams)
Add locking for s3 state Use a DynamoDB table to coodinate state locking in S3. We use a simple strategy here, defining a key containing the value of the bucket/key of the state file as the lock. If the keys exists, the locks fails. TODO: decide if locks should automatically be expired, or require manual intervention.
2017-01-12 22:55:42 +01:00
if err != nil {
Clean up LockInfo and LockError and use them Gove LockInfo a Marshal method for easy serialization, and a String method for more readable output. Have the state.Locker implementations use LockError when possible to return LockInfo and an error.
2017-02-15 20:01:18 +01:00
lockInfo, infoErr := c.getLockInfo()
if infoErr != nil {
err = multierror.Append(err, infoErr)
Use single state.LockInfo struct Remove redundant structures
2017-02-07 17:12:02 +01:00
}
Add locking for s3 state Use a DynamoDB table to coodinate state locking in S3. We use a simple strategy here, defining a key containing the value of the bucket/key of the state file as the lock. If the keys exists, the locks fails. TODO: decide if locks should automatically be expired, or require manual intervention.
2017-01-12 22:55:42 +01:00
Clean up LockInfo and LockError and use them Gove LockInfo a Marshal method for easy serialization, and a String method for more readable output. Have the state.Locker implementations use LockError when possible to return LockInfo and an error.
2017-02-15 20:01:18 +01:00
lockErr := &state.LockError{
Err: err,
Info: lockInfo,
}
return "", lockErr
Add locking for s3 state Use a DynamoDB table to coodinate state locking in S3. We use a simple strategy here, defining a key containing the value of the bucket/key of the state file as the lock. If the keys exists, the locks fails. TODO: decide if locks should automatically be expired, or require manual intervention.
2017-01-12 22:55:42 +01:00
}
store and verify s3 remote state checksum Updates to objects in S3 are only eventually consistent. If the RemoteClient has a DynamoDB table available, use that to store a checksum of the last written state, so the object can be verified by the next client to call Get. Terraform currently doesn't have any sort of user feedback around RefreshState/Get, so we poll only for a short time before returning an error.
2017-05-19 17:51:46 +02:00
Use NewLockInfo to get a pre-populated value Using NewLockInfo ensure we start with all required fields filled.
2017-02-15 16:25:04 +01:00
return info.ID, nil
Add locking for s3 state Use a DynamoDB table to coodinate state locking in S3. We use a simple strategy here, defining a key containing the value of the bucket/key of the state file as the lock. If the keys exists, the locks fails. TODO: decide if locks should automatically be expired, or require manual intervention.
2017-01-12 22:55:42 +01:00
}
store and verify s3 remote state checksum Updates to objects in S3 are only eventually consistent. If the RemoteClient has a DynamoDB table available, use that to store a checksum of the last written state, so the object can be verified by the next client to call Get. Terraform currently doesn't have any sort of user feedback around RefreshState/Get, so we poll only for a short time before returning an error.
2017-05-19 17:51:46 +02:00
func (c *RemoteClient) getMD5() ([]byte, error) {
if c.lockTable == "" {
return nil, nil
}
getParams := &dynamodb.GetItemInput{
Key: map[string]*dynamodb.AttributeValue{
"LockID": {S: aws.String(c.lockPath() + stateIDSuffix)},
},
ProjectionExpression: aws.String("LockID, Digest"),
TableName: aws.String(c.lockTable),
}
resp, err := c.dynClient.GetItem(getParams)
if err != nil {
return nil, err
}
var val string
if v, ok := resp.Item["Digest"]; ok && v.S != nil {
val = *v.S
}
sum, err := hex.DecodeString(val)
if err != nil || len(sum) != md5.Size {
return nil, errors.New("invalid md5")
}
return sum, nil
}
// store the hash of the state to that clients can check for stale state files.
func (c *RemoteClient) putMD5(sum []byte) error {
if c.lockTable == "" {
return nil
}
if len(sum) != md5.Size {
return errors.New("invalid payload md5")
}
putParams := &dynamodb.PutItemInput{
Item: map[string]*dynamodb.AttributeValue{
"LockID": {S: aws.String(c.lockPath() + stateIDSuffix)},
"Digest": {S: aws.String(hex.EncodeToString(sum))},
},
TableName: aws.String(c.lockTable),
}
_, err := c.dynClient.PutItem(putParams)
if err != nil {
log.Printf("[WARNING] failed to record state serial in dynamodb: %s", err)
}
return nil
}
// remove the hash value for a deleted state
func (c *RemoteClient) deleteMD5() error {
if c.lockTable == "" {
return nil
}
params := &dynamodb.DeleteItemInput{
Key: map[string]*dynamodb.AttributeValue{
"LockID": {S: aws.String(c.lockPath() + stateIDSuffix)},
},
TableName: aws.String(c.lockTable),
}
if _, err := c.dynClient.DeleteItem(params); err != nil {
return err
}
return nil
}
move s3 config from client to backend The RemoteClient needs to be configured for the named state, so move the general config to the backend. Rename some fields for consistency.
2017-03-22 20:52:55 +01:00
func (c *RemoteClient) getLockInfo() (*state.LockInfo, error) {
Have S3 check the lockID on Unlock This needs to be improved to happen in a transaction, but it gets the implementation passing the new tests.
2017-02-15 18:51:57 +01:00
getParams := &dynamodb.GetItemInput{
Key: map[string]*dynamodb.AttributeValue{
initialize the s3 lock path in one place
2017-03-30 19:36:54 +02:00
"LockID": {S: aws.String(c.lockPath())},
Have S3 check the lockID on Unlock This needs to be improved to happen in a transaction, but it gets the implementation passing the new tests.
2017-02-15 18:51:57 +01:00
},
ProjectionExpression: aws.String("LockID, Info"),
TableName: aws.String(c.lockTable),
}
resp, err := c.dynClient.GetItem(getParams)
if err != nil {
return nil, err
}
var infoData string
if v, ok := resp.Item["Info"]; ok && v.S != nil {
infoData = *v.S
}
lockInfo := &state.LockInfo{}
err = json.Unmarshal([]byte(infoData), lockInfo)
if err != nil {
return nil, err
}
return lockInfo, nil
}
move s3 config from client to backend The RemoteClient needs to be configured for the named state, so move the general config to the backend. Rename some fields for consistency.
2017-03-22 20:52:55 +01:00
func (c *RemoteClient) Unlock(id string) error {
Add locking for s3 state Use a DynamoDB table to coodinate state locking in S3. We use a simple strategy here, defining a key containing the value of the bucket/key of the state file as the lock. If the keys exists, the locks fails. TODO: decide if locks should automatically be expired, or require manual intervention.
2017-01-12 22:55:42 +01:00
if c.lockTable == "" {
return nil
}
Clean up LockInfo and LockError and use them Gove LockInfo a Marshal method for easy serialization, and a String method for more readable output. Have the state.Locker implementations use LockError when possible to return LockInfo and an error.
2017-02-15 20:01:18 +01:00
lockErr := &state.LockError{}
Have S3 check the lockID on Unlock This needs to be improved to happen in a transaction, but it gets the implementation passing the new tests.
2017-02-15 18:51:57 +01:00
// TODO: store the path and lock ID in separate fields, and have proper
// projection expression only delete the lock if both match, rather than
// checking the ID from the info field first.
lockInfo, err := c.getLockInfo()
if err != nil {
Clean up LockInfo and LockError and use them Gove LockInfo a Marshal method for easy serialization, and a String method for more readable output. Have the state.Locker implementations use LockError when possible to return LockInfo and an error.
2017-02-15 20:01:18 +01:00
lockErr.Err = fmt.Errorf("failed to retrieve lock info: %s", err)
return lockErr
Have S3 check the lockID on Unlock This needs to be improved to happen in a transaction, but it gets the implementation passing the new tests.
2017-02-15 18:51:57 +01:00
}
Clean up LockInfo and LockError and use them Gove LockInfo a Marshal method for easy serialization, and a String method for more readable output. Have the state.Locker implementations use LockError when possible to return LockInfo and an error.
2017-02-15 20:01:18 +01:00
lockErr.Info = lockInfo
Have S3 check the lockID on Unlock This needs to be improved to happen in a transaction, but it gets the implementation passing the new tests.
2017-02-15 18:51:57 +01:00
if lockInfo.ID != id {
Clean up LockInfo and LockError and use them Gove LockInfo a Marshal method for easy serialization, and a String method for more readable output. Have the state.Locker implementations use LockError when possible to return LockInfo and an error.
2017-02-15 20:01:18 +01:00
lockErr.Err = fmt.Errorf("lock id %q does not match existing lock", id)
return lockErr
Have S3 check the lockID on Unlock This needs to be improved to happen in a transaction, but it gets the implementation passing the new tests.
2017-02-15 18:51:57 +01:00
}
Add locking for s3 state Use a DynamoDB table to coodinate state locking in S3. We use a simple strategy here, defining a key containing the value of the bucket/key of the state file as the lock. If the keys exists, the locks fails. TODO: decide if locks should automatically be expired, or require manual intervention.
2017-01-12 22:55:42 +01:00
params := &dynamodb.DeleteItemInput{
Key: map[string]*dynamodb.AttributeValue{
initialize the s3 lock path in one place
2017-03-30 19:36:54 +02:00
"LockID": {S: aws.String(c.lockPath())},
Add locking for s3 state Use a DynamoDB table to coodinate state locking in S3. We use a simple strategy here, defining a key containing the value of the bucket/key of the state file as the lock. If the keys exists, the locks fails. TODO: decide if locks should automatically be expired, or require manual intervention.
2017-01-12 22:55:42 +01:00
},
TableName: aws.String(c.lockTable),
}
Have S3 check the lockID on Unlock This needs to be improved to happen in a transaction, but it gets the implementation passing the new tests.
2017-02-15 18:51:57 +01:00
_, err = c.dynClient.DeleteItem(params)
Add locking for s3 state Use a DynamoDB table to coodinate state locking in S3. We use a simple strategy here, defining a key containing the value of the bucket/key of the state file as the lock. If the keys exists, the locks fails. TODO: decide if locks should automatically be expired, or require manual intervention.
2017-01-12 22:55:42 +01:00
if err != nil {
Clean up LockInfo and LockError and use them Gove LockInfo a Marshal method for easy serialization, and a String method for more readable output. Have the state.Locker implementations use LockError when possible to return LockInfo and an error.
2017-02-15 20:01:18 +01:00
lockErr.Err = err
return lockErr
Add locking for s3 state Use a DynamoDB table to coodinate state locking in S3. We use a simple strategy here, defining a key containing the value of the bucket/key of the state file as the lock. If the keys exists, the locks fails. TODO: decide if locks should automatically be expired, or require manual intervention.
2017-01-12 22:55:42 +01:00
}
return nil
}
initialize the s3 lock path in one place
2017-03-30 19:36:54 +02:00
func (c *RemoteClient) lockPath() string {
return fmt.Sprintf("%s/%s", c.bucketName, c.path)
}