From bb371d69ab98608cbbbf41ac401fbe21026e14af Mon Sep 17 00:00:00 2001 From: Vivian Rook <91909295+vivian-rook@users.noreply.github.com> Date: Tue, 9 Jan 2024 16:07:17 -0500 Subject: [PATCH] tofu state to s3 (#354) * tofu state to s3 Bug: T352164 * maybe * command line vars * comments removed * space --- .gitattributes | 2 ++ README.md | 5 +++++ deploy.sh | 20 ++++++++++++++++++-- secrets-eqiad1.sh | Bin 0 -> 198 bytes tofu/main.tf | 10 ++++++++++ 5 files changed, 35 insertions(+), 2 deletions(-) create mode 100644 secrets-eqiad1.sh diff --git a/.gitattributes b/.gitattributes index 29fc3c99..370e338a 100644 --- a/.gitattributes +++ b/.gitattributes @@ -6,3 +6,5 @@ ansible/files/csi-secret-cinderplugin.yaml.codfw1dev.crypt filter=git-crypt diff paws/codfw-secrets.yaml filter=git-crypt diff=git-crypt paws/files/minesweeper/secrets/** filter=git-crypt diff=git-crypt tofu/secrets.tf filter=git-crypt diff=git-crypt +secrets-eqiad1.sh filter=git-crypt diff=git-crypt +secrets-codfw1dev.sh filter=git-crypt diff=git-crypt diff --git a/README.md b/README.md index 7d16af20..c7183f29 100644 --- a/README.md +++ b/README.md @@ -116,3 +116,8 @@ bash deploy.sh update the web proxy in horizon to point to current cluster. https://wikitech.wikimedia.org/wiki/PAWS/Admin#Deployment + +#### Disaster Recovery +If the entire project is removed two parts of paws are not managed by tofu/ansible. +Object storage container: An object storage container named "tofu-state" will need to be generated in horizon. This is where the state file for tofu resides. +NFS: The NFS server is not included. And a fresh NFS server will be needed for paws to operate. diff --git a/deploy.sh b/deploy.sh index 786d3500..fe249103 100644 --- a/deploy.sh +++ b/deploy.sh @@ -15,6 +15,15 @@ else exit fi +if [ -n "${2}" ] +then + if [ "${2}" = 'tofu' ] + then + # exit after tofu + tofuonly=1 + fi +fi + if ! command -v kubectl ; then echo "please install kubectl" 
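Review bot: The new `if [ -n "${2}" ]` / `if [ "${2}" = 'tofu' ]` nesting in deploy.sh collapses to one test, and any second argument other than `tofu` is silently ignored rather than rejected, so a typo runs the full ansible deploy instead of stopping after tofu. `tofuonly` is also never initialised, so the `[ "${tofuonly}" = '1' ]` check in the second deploy.sh hunk relies on an unset variable expanding to empty (it would break outright if the script ever enables `set -u`; the script header is outside the hunk, so I cannot see whether it does). I would replace the block with `tofuonly=0` followed by `if [ "${2:-}" = 'tofu' ]; then tofuonly=1; elif [ -n "${2:-}" ]; then echo "unknown argument: ${2}" >&2; exit 1; fi`, and keep the `# exit after tofu` comment on the assignment.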
@@ -31,15 +40,22 @@ if ! command -v tofu ; then exit 1 fi +source secrets-${datacenter}.sh + python3 -m venv .venv/deploy source .venv/deploy/bin/activate pip install ansible==8.1.0 kubernetes==26.1.0 cd tofu -tofu init -tofu apply -var datacenter=${datacenter} # -auto-approve +AWS_ACCESS_KEY_ID=${ACCESS_KEY} AWS_SECRET_ACCESS_KEY=${SECRET_KEY} tofu init +AWS_ACCESS_KEY_ID=${ACCESS_KEY} AWS_SECRET_ACCESS_KEY=${SECRET_KEY} tofu apply -var datacenter=${datacenter} # -auto-approve export KUBECONFIG=$(pwd)/kube.config +if [ "${tofuonly}" = '1' ] +then + exit +fi + cd ../ansible ansible-playbook paws.yaml --extra-vars "datacenter=${datacenter}" diff --git a/secrets-eqiad1.sh b/secrets-eqiad1.sh new file mode 100644 index 0000000000000000000000000000000000000000..6a74de2b7a4f092d24fd6854b2f36b0f4b43d25c GIT binary patch literal 198 zcmV;%06G5vM@dveQdv+`05)eir{uLcU-)kxmF5;Tl`rUUEl6Z*;IT49N}=hI3VnR~%h$m8!|8XJ3|&25WoaJyY;_x|0CIzeiRGCXE5>tIRN1_t6_ A`~Uy| literal 0 HcmV?d00001 diff --git a/tofu/main.tf b/tofu/main.tf index 05c25edf..abcf6d4a 100644 --- a/tofu/main.tf +++ b/tofu/main.tf @@ -1,5 +1,15 @@ terraform { required_version = ">= 1.6.0" + backend "s3" { + region = "eqiad1" + bucket = "paws:tofu-state" + endpoint = "https://object.eqiad1.wikimediacloud.org" + key = "state/main" + + skip_region_validation = true + skip_credentials_validation = true + force_path_style = true + } required_providers { openstack = { source = "terraform-provider-openstack/openstack"
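Review bot: `source secrets-${datacenter}.sh` is executed without checking that the file exists or is actually decrypted, and nothing verifies that `ACCESS_KEY` and `SECRET_KEY` were set before they are handed to `tofu init`/`tofu apply`; on a checkout where git-crypt has not been unlocked this sources ciphertext as shell, and with empty credentials tofu fails only later with a less obvious backend error. The diffstat also creates only `secrets-eqiad1.sh` while `.gitattributes` lists a `secrets-codfw1dev.sh` too, so the `codfw1dev` path appears to have no secrets file to source yet. I would guard the three steps explicitly: `[ -r "secrets-${datacenter}.sh" ] || { echo "secrets-${datacenter}.sh missing or unreadable (git-crypt unlocked?)" >&2; exit 1; }`, then `source "secrets-${datacenter}.sh"`, then `: "${ACCESS_KEY:?not set by secrets-${datacenter}.sh}" "${SECRET_KEY:?not set by secrets-${datacenter}.sh}"`. Passing the keys as per-command environment assignments rather than on the tofu command line is the right choice, since they stay out of `ps` output; the script's preamble and any `set -e`/`set -x` settings are outside the hunk.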
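Review bot: The new `backend "s3"` block configures no state locking, so two `deploy.sh` runs overlapping on `state/main` can silently overwrite each other's state; in this backend version locking is done through a `dynamodb_table`, which the OpenStack object-storage endpoint presumably cannot provide, so the limitation should at least be recorded next to the block, e.g. `# No state locking is available on this endpoint: never run deploy.sh concurrently.`. The remote state will also contain whatever sensitive values the openstack provider and the git-crypt'd `tofu/secrets.tf` feed into it, so a comment on `bucket` should say that the "tofu-state" container must stay private and that its access keys are the ones in `secrets-<datacenter>.sh`, since the README only says the container has to be created by hand. `skip_credentials_validation`/`skip_region_validation` are expected for a non-AWS S3-compatible endpoint; a one-line comment saying so (`# non-AWS endpoint: skip AWS-specific validation`) would save the next reader from treating them as a weakened check.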