Commit Graph

273 Commits

Author SHA1 Message Date
Florian Forster 14263223e7 backend/remote-state/gcs: Simplify initialization of the GCS client.
This also implements the (already documented) behavior of checking the
GOOGLE_CREDENTIALS environment variable.
2017-10-27 16:52:21 -04:00
Florian Forster 816c98f387 backend/remote-state/gcs: Read credentials with ioutil.ReadFile().
We never expect the raw JSON to appear in the config, so pathorcontents is
not the right package here.
2017-10-27 16:52:21 -04:00
Florian Forster c00e929ee5 backend/remote-state/gcs: Mark the "path" option as deprecated. 2017-10-27 16:52:21 -04:00
Florian Forster 91b1a39a40 backend/remote-state/gcs: Implement an end-to-end test.
The code is loosely based on state/remote/gcs_test.go. If the
GOOGLE_PROJECT environment variable is set, this test will

1) create a new bucket; error out if the bucket already exists.
2) create a new state
3) list states and ensure that the newly created state is listed
4) ensure that an object with the expected name exists
5) rum "state/remote".TestClient()
6) delete the state

The bucket is deleted when the test exits, though this may fail if the
bucket it not empty.
2017-10-27 16:51:21 -04:00
Florian Forster 14bfbf0617 backend/remote-state/gcs: Document the "prefix" option.
"state_dir" has been renamed to "prefix" to better fix the GCS
terminology.
2017-10-27 16:51:21 -04:00
Florian Forster c054bd0939 backend/remote-state/gcs: Rename "gcloud" to "gcs" for backwards compatibility. 2017-10-27 16:51:21 -04:00
Florian Forster 93a55f15e9 backend/remote-state/gcloud: Add test for Backend.{state,lock}File(). 2017-10-27 16:51:21 -04:00
Florian Forster 5a4e2076e9 backend/remote-state/gcloud: Add the "path" config option.
This config option was used by the legacy "gcs" client. If set, we're
using it for the default state -- all other states still use the
"state_dir" setting.
2017-10-27 16:51:21 -04:00
Florian Forster f80b872bc3 backend/remote-state/gcloud: Unify on the "context" package.
We don't need to use the legacy package here.
2017-10-27 16:51:21 -04:00
Florian Forster 5d4e25ada4 backend/remote-state/gcloud: Make gcsBackend private.
This class is only used via the "backend".Backend interface, so there is
no need to export this type beyond the gcloud package.
2017-10-27 16:51:21 -04:00
Florian Forster 9ec39573ee backend/remote-state/gcloud: Make remoteClient private.
This class is only used via the "state/remote".State interface, so there
is no need to export this type beyond the gcloud package.
2017-10-27 16:51:21 -04:00
Florian Forster 42e8441a2b backend/remote-state/gcloud: Refactor Backend.State().
Fixes:
* https://github.com/golang/go/wiki/CodeReviewComments#doc-comments
* https://github.com/golang/go/wiki/CodeReviewComments#error-strings
* https://github.com/golang/go/wiki/CodeReviewComments#initialisms
2017-10-27 16:51:21 -04:00
Florian Forster 5cb574035a backend/remote-state/gcloud: Refactor Backend.remoteClient().
This replaces stateFileName() and lockFileName() with path.Join().

Fixes:
* https://github.com/golang/go/wiki/CodeReviewComments#doc-comments
* https://github.com/golang/go/wiki/CodeReviewComments#doc-comments
2017-10-27 16:51:21 -04:00
Florian Forster 9ae45e320f backend/remote-state/gcloud: Refactor Backend.DeleteState().
Fixes:
* https://github.com/golang/go/wiki/CodeReviewComments#doc-comments
* https://github.com/golang/go/wiki/CodeReviewComments#error-strings
2017-10-27 16:51:21 -04:00
Florian Forster fabba5c0c8 backend/remote-state/gcloud: Refactor Backend.States().
The previous code listed all objects in the bucket and used local filtering
(using regular expressions) to find .tfstate objects. This new code sets
the delimiter to "/", which causes GCS to only return objects directly in
the given prefix, but not any sub"directories".

Fixes:
* https://github.com/golang/go/wiki/CodeReviewComments#doc-comments
* https://github.com/golang/go/wiki/CodeReviewComments#error-strings
2017-10-27 16:51:21 -04:00
Florian Forster 97e1aa7ce9 backend/remote-state/gcloud: Use the lock file's generation as lock ID.
This allows Unlock() to call Delete() without reading the lock file's
content first.
2017-10-27 16:51:21 -04:00
Florian Forster edf2096e28 backend/remote-state/gcloud: Use the context provided to configure().
Calling context.Background() from outside the main() function is
discouraged. The configure functions are only called from
"…/helper/schema".Backend.Configure which provides the Background context,
i.e. a long-living context we can use for backend communication.
2017-10-27 16:51:21 -04:00
Florian Forster 2e5fca78c2 backend/remote-state/gcloud: Coding style changes.
Refactorings to make the code more idiomatic.
2017-10-27 16:51:21 -04:00
Florian Forster f33005faba backend/remote-state/gcloud: Handle errors returned by Write(), too.
Many GCS errors are returned by Close(), but not all.
2017-10-27 16:51:21 -04:00
Florian Forster 1ee194986d backend/remote-state/gcloud: Add the RemoteClient.{state,lock}File() methods. 2017-10-27 16:51:20 -04:00
Florian Forster e54d36b489 backend/remote-state/gcloud: Sort standard library imports before other imports. 2017-10-27 16:51:20 -04:00
Florian Forster 52ac764036 backend/remote-state/gcloud: Rename Url -> URL 2017-10-27 16:51:20 -04:00
Florian Forster 5313e15e07 backend/remote-state/gcloud: Move the definition of the Backend struct. 2017-10-27 16:51:20 -04:00
Florian Forster def3279ec7 backend/remote-state/gcloud: Use package provided OAuth scope. 2017-10-27 16:51:20 -04:00
Piotrek Bzdyl 5854373018 Implemented GCloud backend supporting remote locking and multiple workspaces. 2017-10-27 16:51:20 -04:00
James Bardin b040cd0837 dynamoDB reads are not fully consisten by default
Use fully consistent reads for backend operations.
2017-10-27 16:43:30 -04:00
James Bardin 31912956ce Merge pull request #16290 from hashicorp/jbardin/s3-errors
retry on s3 state upload errors
2017-10-17 16:04:14 -04:00
James Bardin 611b1ced59 retry on s3 state upload errors
While #16243 added the ability to retry getting a state from S3, Put can
return the same InternalError status. Use the same retry logic when
uploading state to S3.
2017-10-08 16:46:33 -04:00
James Bardin f5e9a20c66 reset testLockHook 2017-10-08 16:24:45 -04:00
James Bardin 25a8227291 add broken test for lock lost on connection error
Add a way to inject network errors by setting an immediate deadline on
open consul connections. The consul client currently doesn't retry on
some errors, and will force us to lose our lock.

Once the consul api client is fixed, this test will fail.
2017-10-08 16:16:57 -04:00
James Bardin fd9adcdb36 only init one consul client, and lower keepalive
The consul Client is analogous to an http.Client, and we really don't
need more than 1. Configure a single client and store it in the backend.

Replace the default Transport's Dialer to reduce the KeepAlive setting
from 30s to 17s. This avoids racing with the common network timeout
value of 30s, and is also coprime to other common intervals.
2017-10-08 11:51:35 -04:00
James Bardin d0ecb232ae record consul session ID in lock info
This can help correlate TF and consul logs
2017-10-08 11:24:43 -04:00
James Bardin b20ab9f0bb Merge pull request #16243 from hashicorp/jbardin/s3-errors
retry on s3 backend internal errors
2017-10-04 09:26:26 -04:00
bclodius fba02f0bea retry on s3 backend internal errors
Internal errors from S3 are usually transient, and can be immediately retried.
Make 2 attempts at retreiving the state object before returning an error.
2017-10-04 09:11:30 -04:00
James Bardin 91442b7146 Merge pull request #15680 from brunomcustodio/etcdv3-backend
[WIP] etcd v3 backend with lock support.
2017-10-03 14:15:58 -04:00
James Bardin d477d1f6d4 Merge pull request #15553 from bonifaido/custom_s3_backend
Allow non-AWS S3 backends
2017-10-02 19:39:48 -04:00
Bruno Miguel Custodio 524c3934c6
Add TLS support. 2017-09-09 08:03:59 +01:00
Bruno Miguel Custodio c8ff10f603
Reuse 'etcd' client. 2017-09-09 00:21:23 +01:00
Bruno Miguel Custodio 6daf1d9d84
Allow for username and password to be read from envvars. 2017-09-08 23:41:27 +01:00
Bruno Miguel Custodio 8f7b315037
Add documentation. 2017-09-08 23:40:05 +01:00
Bruno Miguel Custodio 54dc50ec5c
Cleanup 'etcd' after every test. 2017-09-08 22:49:23 +01:00
Bruno Miguel Custodio 3c21b9c56f
Get rid of 'keyEnvPrefix'. 2017-09-08 22:34:15 +01:00
Bruno Miguel Custodio 6570948bea
Fixing the test suite. 2017-09-08 17:46:39 +01:00
Bruno Miguel Custodio 038f5eb638
Remove 'lockSuffix' as not needed in 'etcd' v3. 2017-09-08 16:59:39 +01:00
Bruno Miguel Custodio bb4dec6032
Make sure we don't relock. 2017-09-08 16:22:14 +01:00
Bruno Miguel Custodio b8f4f6d3e2
Delete lock info when unlocking. 2017-09-08 15:21:06 +01:00
Bruno Miguel Custodio b896348230
Sort the result of 'Backend.States()'. 2017-09-08 12:25:15 +01:00
Bruno Miguel Custodio 70aad79b6e
Make 'endpoints' a schema.TypeList. 2017-09-08 12:16:00 +01:00
Bruno Miguel Custodio 52c97e9fc9
First steps towards an 'etcdv3' backend. 2017-09-08 09:43:33 +01:00
tombuildsstuff d074b0da29 Obtaining the current metadata before setting it 2017-09-06 12:41:05 -07:00
tombuildsstuff a10d23dd95 Removing dead code 2017-09-06 12:41:05 -07:00
Minkyu Kim f12a237747 Fix crash when using consul backend 2017-09-02 20:05:30 +09:00
James Bardin 76eb65c911 Fix crash in consul backend
A TLS config was being assigned to a Transport in a nil http.Client. The
Transport is built in the consul config by default, but the http.Client
is not built until later in NewClient.
2017-08-31 09:29:43 -04:00
Loïc Albertin 21b287e919 backend/consul: allow specifying various Consul client security options
These new options are equivalent to the consul CLI arguments -ca-file, -client-cert and -client-key.
2017-08-23 09:47:21 -07:00
Peter McAtominey 6b9b5ec297 backend/azure: update to latest SDK 2017-08-17 16:32:18 +01:00
Peter McAtominey f9e8e54835 backend: convert Azure remote state to a backend
Added locking support via blob leasing (requires that an empty state is
created before any lock can be acquired.

Added support for "environments" in much the same way as the S3 backend.
2017-08-17 16:32:17 +01:00
James Bardin 2bb5007690 Merge pull request #15683 from hashicorp/jbardin/remote-state-lineage
Remove strict lineage check in remote.State
2017-08-09 17:49:19 -04:00
James Bardin 4c7cd549cd don't allow leading slashes in s3 remote state key
S3 accepts objects with a leading slash and strips them off. This works
fine except in our workspace hierarchy, which then can no longer find
suffixes matching the full key name.
2017-08-08 09:47:44 -04:00
James Bardin c3e943bed2 add another failing test for remote.State lineage
Want to make sure we don't hit this again.
2017-08-01 19:34:21 -04:00
James Bardin 18d71f273e make inmem behave more like remote backends
When remote backend imeplemtations create a new named state, they may
need to acquire a lock and/or save an actual empty state to the backend.
Copy this behavior in the inmem backend for testing.
2017-08-01 19:34:21 -04:00
James Bardin 5deef9621d export Reset()
This package is used for testing, so there needs to be an easy method
for reinitializing the stored data between tests.
2017-08-01 19:34:21 -04:00
James Bardin ac60ddcd40 Support named states in inmeme backend
Used to expand test coverage
2017-08-01 19:34:21 -04:00
James Bardin 1070d04b07 Remove consul context adapter for RenewPeriodic
Updated the vendored consul which no longer requires the channel adapter
to convert a `chan stuct{}` to a `<-chan struct{}`.

Call testutil.NewTestServerConfigT with the new signature.
2017-07-20 11:09:45 -04:00
James Bardin bcb11f6d89 have the consul client manage the lock session
When a consul lock is lost, there is a possibility that the associated
session is still active. Most commonly, the long request to watch the
lock key may error out, while the session is continually refreshed at a
rate of TTL/2.

First have the lock monitor retry the lock internally for at least 10
seconds (5 attempts with the default 2 second wait time). In most cases
this will reconnect on the first try, keeping the lock channel open.

If the consul lock can't recover itself, then cancel the session as soon
as possible (terminating the PreiodicRenew will call Session.Destroy),
and start over. In the worse case, the consul agents were split, and the
session still exists on the leader so we may need to wait for the old
session TTL, plus the LockWait time to renew the lock.

We use a Context for the cancellation channels here, because that
removes the need to worry about double-closes and nil channels. It
requires an awkward adapter goroutine for now to convert the Done()
`<-chan` to a `chan` for PeriodicRenew, but makes the rest of the code
safer in the long run.
2017-07-14 14:42:42 -04:00
Nandor Kracser f6c77339f2 Allow non-AWS S3 backends
This commit makes sts, metadata and other AWS related API calls optional, thus the backend initialization will not send non-AWS API tokens to AWS APIs
2017-07-14 13:08:47 +02:00
James Bardin 5066fa2151 Merge pull request #13871 from fatmcgav/swift_move_to_backend
Move Swift remote state to backend
2017-06-27 16:23:46 -04:00
James Bardin 42cbb716b7 Merge pull request #15370 from rowleyaj/s3_backend_workspaces
Add configurable workspace prefix for S3 Backend
2017-06-27 11:44:12 -04:00
Alex Rowley 2dd464cf8f
Clarify field description 2017-06-27 16:32:00 +01:00
James Bardin 1fa7667ad4 s3 backend should use Client.Delete to DeleteState
The s3.Backend was using it's own code for DeleteState, but the dynamo
entries are only handled through the RemoteClient. Have DeleteState use
a RemoteClient for delete.
2017-06-23 10:19:50 -04:00
Alex Rowley db40dc06ab
Add configurable workspace prefix for S3 Backend
Fixes #13184
2017-06-22 18:24:10 +01:00
Gavin Williams c2550e78cf Rename openstack provider for swift remote backend 2017-06-13 22:11:16 +01:00
Gavin Williams ee2e390f85 remote/swift: Migrate Swift remote state to a backend
Move the Swift State from a legacy remote state to an official backend.
Add `container` and `archive_container` configuration variables, and deprecate `path` and `archive_path` variables.

Future improvements: Add support for locking and environments.
2017-06-13 22:04:01 +01:00
James Bardin ac959af6b4 rename aws provider import in s3 backend 2017-06-12 13:43:51 -04:00
James Bardin 6b700ff1fb replace lock_table with dynamodb_table in s3 cfg
Since the DynamoDB table used by the S3 backend is no longer only used
for locks, rename it in the config to remove any confusion about it
being lock-specific.
2017-05-30 16:27:04 -04:00
James Bardin ecc5bfb801 Merge pull request #14937 from hashicorp/jbardin/GH-14927
check for nil state in s3 client Get
2017-05-30 15:12:55 -04:00
James Bardin 82eba5801d Test losing and reacquiring a consul lock 2017-05-30 14:38:33 -04:00
James Bardin 3df48bfc27 relock consul when lock is lost
Consul locks are based on liveness, and may be lost due timeouts,
network issued, etc. If the client determines the lock was lost, attempt
to reacquire the lock immediately.

The client was also not using the `lock` config option. Disable locks if
that is not set.
2017-05-30 14:38:33 -04:00
James Bardin e8330b6f53 use CAS for consul state Put 2017-05-30 14:38:32 -04:00
James Bardin e7502454b4 check for nil state in s3 client Get
The S3 client can return (nil, nil) when the remote state doesn't exist.
The caused a nil pointer dereference when checking the payload.MD5
against the expected value.

This can happen if the remote state was manually removed, but the digest
entry was left in the DynamoDB table.
2017-05-30 14:36:13 -04:00
James Bardin ef1d53934c Merge pull request #14746 from hashicorp/jbardin/s3-consistency
store and verify s3 remote state checksum to avoid consistency issues.
2017-05-24 16:47:57 -04:00
James Bardin 91be40a577 add detailed error message s3 checksum mismatch
Have the s3 RemoteClient return a detailed error message to the user in
the case of a mismatch state checksum.
2017-05-24 13:51:33 -04:00
James Bardin 0022d224e8 store and verify s3 remote state checksum
Updates to objects in S3 are only eventually consistent. If the
RemoteClient has a DynamoDB table available, use that to store a
checksum of the last written state, so the object can be verified by the
next client to call Get.

Terraform currently doesn't have any sort of user feedback around
RefreshState/Get, so we poll only for a short time before returning an
error.
2017-05-24 13:39:30 -04:00
James Bardin b279b1abb5 check for named s3 states before acquiring a lock
In order to force-unlock a named state, we have to fetch that state
first. Don't attempt to acquire a lock if we know the state already
exists in s3.
2017-05-19 14:40:59 -04:00
James Bardin a2d452acec failing test to force-unlock a named state in s3
The State call attempts to get a lock before determining if a named
state exists. This prevents force-unlock, since we need the state to
call Unlock.
2017-05-19 14:39:42 -04:00
James Bardin 9c431aee1b only list environments when the keyName matches
Prevent extra keys in the s3 envPrefix path from showing up as
listed environments.

Better handle keys containing slashes

Add tests for unexpected keys in s3.
2017-04-12 13:57:22 -04:00
James Bardin 5621d97925 cleanup consul lock entries
This matches the consul cli behavior, where locks are cleaned up after
use.

Return an error from re-locking the state. This isn't required by the
Locker interface, but it's an added sanity check for state operations.
What was incorrect here was returning an empty ID and error, which would
indicate that Lock/Unlock isn't supported.
2017-04-06 14:19:55 -04:00
James Bardin 6e136c848a use the aws provider client initialization
Use the aws provider code to create the clients for the s3 backend, so
that all the behavior matches that of the provider.

Remove the fake creds from the test, as the aws provider will attempt to
validate them.
2017-04-05 12:39:50 -04:00
James Bardin 54aa466b74 initialize the s3 lock path in one place 2017-04-04 14:44:58 -04:00
James Bardin d059939f88 Merge pull request #13262 from hashicorp/jbardin/lock-timeouts
lock timeouts
2017-04-04 14:30:20 -04:00
James Bardin 75458a182d remove extra state.Locker assertions
All states are lockers, so get rid of extra asertions.
2017-04-01 17:01:45 -04:00
Paul Stack 4501be7e5c backend/remote-state: Add support for assume role extensions to s3 backend (#13236)
Fixes: #13234

This now matches the AWS provider for the Assume Role support
2017-03-31 19:59:29 +03:00
James Bardin 575e7f1811 Properly create a new named state in s3
If the state doesn't exist, we need to initialize one so that it can be
listed be States.
2017-03-23 10:03:22 -04:00
James Bardin fa4dc01cf4 add named state support to the s3 backend
This adds named state (environment) support to the S3 backend.

A state NAME will prepend the configured s3 key with `env:/NAME/`.
The default state will remain rooted in the bucket for backwards
compatibility.

Locks in DynamoDB use the S3 key as the as the primary key value, so
locking will work as expected for multiple states.
2017-03-22 16:59:13 -04:00
James Bardin 4980fa20e7 move s3 config from client to backend
The RemoteClient needs to be configured for the named state, so move the
general config to the backend.

Rename some fields for consistency.
2017-03-22 15:52:55 -04:00
James Bardin 9f5cf2b105 convert S3 remote state to a backend
Move the S3 State from a legacy remote state to an official backend.

This increases test coverage, uses a set schema for configuration, and
will allow new backend features to be implemented for the S3 state, e.g.
"environments".
2017-03-22 10:59:37 -04:00
Mitchell Hashimoto 0cd15176ff
backend/consul: rebase and modify gzip test 2017-03-14 17:59:54 -07:00
Mitchell Hashimoto 1daff7a826
backend/consul: support "lock" option to disable locking
This adds a "lock" config (default true) to allow users to optionally
disable state locking with Consul. This is necessary if the token given
doesn't have session permission and is necessary for backwards
compatibility.
2017-03-14 17:59:10 -07:00
James Bardin 08d2b44ada add gzip to consul backend tests 2017-03-14 15:41:00 -04:00
James Bardin 1527eae6b7 Merge pull request #8748 from christoe/christoe/8491-gzip-consul-remote-state
state/remote: Add gzip support to consul remote state (#8491)
2017-03-14 15:27:46 -04:00
James Bardin 86f711f6fc Make consul backend tests opt-in
This way we don't require contributers to have consul installed to run
make test.
2017-03-14 14:44:03 -04:00
James Bardin fa7743b627 quiet the consul server during backend tests
Don't display logs unless using `-v`
2017-03-14 10:49:38 -04:00
James Bardin 90055c6ae2 convert the consul backend to use consul/testutil
Start up our own consul server for unit tests.
2017-03-13 18:25:58 -04:00
Christoffer Kylvåg abfa35db7c backend/remote-state/consul: Make gzip compression configurable (#8491) 2017-03-13 08:17:33 +01:00
Christoffer Kylvåg e098c7c24a backend/remote-state/consul: Add gzip support to consul backend client (#8491) 2017-03-09 08:00:19 +01:00
Mitchell Hashimoto 35afb7bc86
backend/consul: some comments 2017-03-01 23:01:28 -08:00
Mitchell Hashimoto b842fd0c27
backend/consul: support named states 2017-03-01 22:58:51 -08:00
Mitchell Hashimoto 3db55cf747
backend/consul: build your own backend 2017-03-01 22:19:36 -08:00
Mitchell Hashimoto 549d525487 Merge pull request #12320 from hashicorp/b-legacy-state
command: fix loading legacy remote state + migration guide
2017-03-01 12:39:17 -08:00
Mitchell Hashimoto 6ea0dc0964
backend/consul: make address have a default to prevent input 2017-02-28 19:29:05 -08:00
James Bardin f866bb545c update remote-state/consul 2017-02-28 16:35:46 -05:00
James Bardin 597eb6c918 update remote-state/inmem client 2017-02-28 16:35:45 -05:00
James Bardin 8fdf3a42b8 update remote-state.Backend 2017-02-28 16:35:45 -05:00
James Bardin 761c63d14a Update Backend to incorporate environments
Add the missing methods/arguments to handle Terraform environments in
Backends. Extra functionality simply returns defaults for now.
2017-02-28 16:03:36 -05:00
James Bardin 2392455a67 Add inmem remote backend
Add an Inmem remote state backend.

The only config option right now is a lock_id, which will instantiate
the backend in a locked state for testing.
2017-02-20 14:49:46 -05:00
Mitchell Hashimoto efe754183b
state/remote: export ClientLocker, test for implementation
This adds unit tests (that will fail at compile time) if various structs
don't implement the right interfaces for locking
2017-02-15 14:20:59 -08:00
James Bardin ec00564be6 Clean up LockInfo and LockError and use them
Gove LockInfo a Marshal method for easy serialization, and a String
method for more readable output.

Have the state.Locker implementations use LockError when possible to
return LockInfo and an error.
2017-02-15 14:44:43 -05:00
James Bardin 67bbebce08 Have consul state reutrn the lock ID
The lock ID isn't used because the lock is tied to the client, but
return the lock ID to match the behavior of other locks.
2017-02-15 14:44:43 -05:00
James Bardin cd233fef6a make consul client pass state.Locker tests 2017-02-15 14:41:55 -05:00
James Bardin 80fab23e04 Don't test consul using demo.consul.io
We shoudn't require an external service for unit test.

TODO: create some proper acceptance tests for consul
2017-02-08 11:34:31 -05:00
James Bardin 14d965722e Use single state.LockInfo struct
Remove redundant structures
2017-02-08 11:34:31 -05:00
James Bardin 9b76f6e138 Move TestRemoteLocks to state/remote
This was legacy remote state client and backends can use this test
function without an import cycle.
2017-02-08 11:25:52 -05:00
James Bardin 54cac349a3 Add state locking to consul backend
Use consul locks to implement state locking. The lock path is state path
+ "/.lock" which matches the consul cli default for locks. Lockinfo is
stored at path + "/.lockinfo".
2017-02-08 11:25:52 -05:00
Mitchell Hashimoto 1f5d425428
backend/remote-state
This allows migration of the remote state implementations to a richer
experience including input asking.
2017-01-26 14:33:49 -08:00