INFRA:5490: Ensure v2 handling of workspace-destroy flag is consisten…

…t with v1 (#327) * INFRA-35490: Ensure v2 workspace uses the same workspace-destroy defaults/options as v1 --------- Co-authored-by: Nick <[email protected]>
mintel · May 29, 2024 · 169569f · 169569f
1 parent 2d11f04
commit 169569f
Show file tree

Hide file tree

Showing 12 changed files with 806 additions and 58 deletions.
diff --git a/charts/terraform-cloud/CHANGELOG.md b/charts/terraform-cloud/CHANGELOG.md
@@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [v1.2.0] - 2024-05-29
+### Changed
+- Update v2 configuration to use same defaults for allowing workspace-destroy in prod/logs account. Also allow overrides at resource-config layer.
+
 ## [v1.1.0] - 2024-05-22
 ### Added
 - Added support for terraform-cloud-operator v2. v1 is still the default and would result in a noop for appliations consuming this chart.

diff --git a/charts/terraform-cloud/Chart.yaml b/charts/terraform-cloud/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.1.0
+version: 1.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/charts/terraform-cloud/README.md b/charts/terraform-cloud/README.md
@@ -1,6 +1,6 @@
 # terraform-cloud
 
-![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.0.0](https://img.shields.io/badge/AppVersion-2.0.0-informational?style=flat-square)
+![Version: 1.2.0](https://img.shields.io/badge/Version-1.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.0.0](https://img.shields.io/badge/AppVersion-2.0.0-informational?style=flat-square)
 
 A Helm chart for provisioning resources using Terraform Cloud
 
@@ -77,9 +77,6 @@ A Helm chart for provisioning resources using Terraform Cloud
 | global.owner | string | `""` | Team which "owns" the application |
 | global.partOf | string | `""` | Top level application each deployment is a part of |
 | global.terraform.agentPoolID | string | `""` | ID of the Terraform Cloud Agent Pool to use for the run. Passed in from cluster-env-jsonnet |
-| global.terraform.allowDestroyPlan | bool | `false` | Allows a destroy plan to be created and applied. |
-| global.terraform.applyMethod | string | `"manual"` | Define either change will be applied automatically(auto) or require an operator to confirm(manual). |
-| global.terraform.destroyOnDeletion | bool | `false` | Specify whether or not to execute a Destroy run when the object is deleted from the Kubernetes. Note that deletions are also protected by sentinel policy-enforcement rules in non-development environments See https://developer.hashicorp.com/terraform/cloud-docs/policy-enforcement/sentinel |
 | global.terraform.enableRestartedAt | bool | `true` | Adds the restartedAt value (see restartedAt). Ensures that any configuration changes (i.e. input vars) result in the operator attempting a new plan/apply |
 | global.terraform.executionMode | string | `"agent"` | Define where the Terraform code will be executed. |
 | global.terraform.externalSecrets | bool | `true` | Set to true as part of tf cloud migrations. When true, it stops standard-application-stack from creating AWS related external secrets and passes that responsibility to the terraform-cloud chart |

diff --git a/charts/terraform-cloud/templates/_helpers.tpl b/charts/terraform-cloud/templates/_helpers.tpl
@@ -90,7 +90,7 @@ app.mintel.com/region: {{ .Values.global.clusterRegion }}
 {{- end }}
 
 {{/* Operator extension Annotations */}}
-{{- define "mintel_common.terraform_cloud.operatorAnnotations" -}}
+{{- define "mintel_common.terraform_cloud.tfCloudOperatorExtentionAnnotations" -}}
 {{/* ternary and hasKey functions are used instead of defaults below due to https://github.com/helm/helm/issues/3308 */}}
 app.mintel.com/terraform-allow-destroy: {{ hasKey .InstanceCfg "workspaceAllowDestroy" | ternary .InstanceCfg.workspaceAllowDestroy (include "mintel_common.terraform_cloud.allow_destroy_default" .) | quote }}
 app.mintel.com/terraform-owner: {{ .InstanceCfg.workspaceOwner | default .Global.owner }}

diff --git a/charts/terraform-cloud/templates/helpers/_module_v2.yaml b/charts/terraform-cloud/templates/helpers/_module_v2.yaml
@@ -20,7 +20,6 @@ metadata:
     app.kubernetes.io/name: {{ printf "%s-%s" ($instanceCfg.name | kebabcase) ($resourceType | kebabcase) | trunc 63 }}
   annotations:
     {{ include "mintel_common.commonAnnotations" $ | nindent 4 }}
-    {{ include "mintel_common.terraform_cloud.operatorAnnotations" $workspaceDict | nindent 4 }}
     {{- if (eq $resourceType "irsa") }}
     app.mintel.com/altManifestFileSuffix: "{{ $global.name }}-{{ $resourceType | kebabcase }}"
     {{- else }}
@@ -51,14 +50,17 @@ spec:
     secretKeyRef:
       name: terraformrc
       key: token
-  destroyOnDeletion: {{ $global.terraform.destroyOnDeletion }}
+  destroyOnDeletion: {{  $instanceCfg.moduleDestroyOnDeletion| default "true" }}
   variables:
   {{- $_ := unset $instanceCfg "workspaceNameOverride" }}
   {{- $_ := unset $instanceCfg "workspaceAllowDestroy" }}
   {{- $_ := unset $instanceCfg "workspaceOwner" }}
   {{- $_ := unset $instanceCfg "workspaceTags" }}
   {{- $_ := unset $instanceCfg "outputSecretMap" }}
   {{- $_ := unset $instanceCfg "syncWave" }}
+  {{- $_ := unset $instanceCfg "workspaceAllowDestroyPlan" }}
+  {{- $_ := unset $instanceCfg "workspaceApplyMethod" }}
+  {{- $_ := unset $instanceCfg "moduleDestroyOnDeletion" }}
   {{- range $varKey, $varVal := $instanceCfg }}
     {{- if kindIs "map" $varVal }}
       {{- include "mintel_common.terraform_cloud.tf_module_var" (merge (dict "key" $varKey) $varVal) | indent 2 }}

diff --git a/charts/terraform-cloud/templates/helpers/_workspace-v1.yaml b/charts/terraform-cloud/templates/helpers/_workspace-v1.yaml
@@ -21,7 +21,7 @@ metadata:
     app.kubernetes.io/name: {{ printf "%s-%s" ($instanceCfg.name | kebabcase) ($resourceType | kebabcase) | trunc 63 }}
   annotations:
     {{ include "mintel_common.commonAnnotations" $ | nindent 4 }}
-    {{ include "mintel_common.terraform_cloud.operatorAnnotations" $workspaceDict | nindent 4 }}
+    {{ include "mintel_common.terraform_cloud.tfCloudOperatorExtentionAnnotations" $workspaceDict | nindent 4 }}
     {{- if (eq $resourceType "irsa") }}
     app.mintel.com/altManifestFileSuffix: "{{ $global.name }}-{{ $resourceType | kebabcase }}"
     {{- else }}
@@ -54,6 +54,9 @@ spec:
   {{- $_ := unset $instanceCfg "workspaceTags" }}
   {{- $_ := unset $instanceCfg "outputSecretMap" }}
   {{- $_ := unset $instanceCfg "syncWave" }}
+  {{- $_ := unset $instanceCfg "workspaceAllowDestroyPlan" }}
+  {{- $_ := unset $instanceCfg "workspaceApplyMethod" }}
+  {{- $_ := unset $instanceCfg "moduleDestroyOnDeletion" }}
   {{- range $varKey, $varVal := $instanceCfg }}
     {{- if kindIs "map" $varVal }}
       {{- include "mintel_common.terraform_cloud.tfVar" (merge (dict "key" $varKey) $varVal) | indent 2 }}

diff --git a/charts/terraform-cloud/templates/helpers/_workspace-v2.yaml b/charts/terraform-cloud/templates/helpers/_workspace-v2.yaml
@@ -21,7 +21,7 @@ metadata:
     app.kubernetes.io/name: {{ printf "%s-%s" ($instanceCfg.name | kebabcase) ($resourceType | kebabcase) | trunc 63 }}
   annotations:
     {{ include "mintel_common.commonAnnotations" $ | nindent 4 }}
-    {{ include "mintel_common.terraform_cloud.operatorAnnotations" $workspaceDict | nindent 4 }}
+    {{ include "mintel_common.terraform_cloud.tfCloudOperatorExtentionAnnotations" $workspaceDict | nindent 4 }}
     {{- if (eq $resourceType "irsa") }}
     app.mintel.com/altManifestFileSuffix: "{{ $global.name }}-{{ $resourceType | kebabcase }}"
     {{- else }}
@@ -37,8 +37,8 @@ spec:
   name: {{ $instanceCfg.workspaceNameOverride | default (include "mintel_common.terraform_cloud.workspaceName" $workspaceDict) | trim | quote }}
   agentPool:
     id: {{ $global.terraform.agentPoolID | quote }}
-  applyMethod: {{ $global.terraform.applyMethod| quote }}
-  allowDestroyPlan: {{ $global.terraform.allowDestroyPlan }}
+  applyMethod: {{  $instanceCfg.workspaceApplyMethod | default "auto" }}
+  allowDestroyPlan: {{ hasKey $instanceCfg "workspaceAllowDestroy" | ternary $instanceCfg.workspaceAllowDestroy (include "mintel_common.terraform_cloud.allow_destroy_default" $workspaceDict) }}
   executionMode: {{ $global.terraform.executionMode | quote }}
   organization: {{ $global.terraform.organization | quote }}
   token:
@@ -59,6 +59,9 @@ spec:
   {{- $_ := unset $instanceCfg "workspaceTags" }}
   {{- $_ := unset $instanceCfg "outputSecretMap" }}
   {{- $_ := unset $instanceCfg "syncWave" }}
+  {{- $_ := unset $instanceCfg "workspaceAllowDestroyPlan" }}
+  {{- $_ := unset $instanceCfg "workspaceApplyMethod" }}
+  {{- $_ := unset $instanceCfg "moduleDestroyOnDeletion" }}
   {{- range $varKey, $varVal := $instanceCfg }}
     {{- if kindIs "map" $varVal }}
       {{- include "mintel_common.terraform_cloud.tfVar_v2" (merge (dict "key" $varKey) $varVal) | indent 2 }}

diff --git a/charts/terraform-cloud/tests/__snapshot__/module-v2_test.yaml.snap b/charts/terraform-cloud/tests/__snapshot__/module-v2_test.yaml.snap
@@ -22,8 +22,8 @@ Test module defaults:
     spec:
       agentPool:
         id: test-agent-pool
-      allowDestroyPlan: false
-      applyMethod: manual
+      allowDestroyPlan: true
+      applyMethod: auto
       executionMode: agent
       name: dev-eu-west-1-cluster1-test-namespace-mntl-test-workspace-s3
       organization: Mintel
@@ -84,9 +84,6 @@ Test module defaults:
       annotations:
         app.mintel.com/altManifestFileSuffix: mntl-test-workspace-s3
         app.mintel.com/placeholder: placeholder
-        app.mintel.com/terraform-allow-destroy: "true"
-        app.mintel.com/terraform-cloud-tags: env:dev,owner:sre,mod:s3
-        app.mintel.com/terraform-owner: sre
         argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
         argocd.argoproj.io/sync-wave: "-40"
       labels:
@@ -98,7 +95,7 @@ Test module defaults:
       name: dev-eu-west-1-cluster1-test-namespace-mntl-test-workspace-s3
       namespace: test-namespace
     spec:
-      destroyOnDeletion: false
+      destroyOnDeletion: true
       module:
         source: app.terraform.io/Mintel/private-s3-bucket/aws
         version: 3.0.2
@@ -145,8 +142,8 @@ Test module overrides:
     spec:
       agentPool:
         id: test-agent-pool
-      allowDestroyPlan: false
-      applyMethod: manual
+      allowDestroyPlan: true
+      applyMethod: auto
       executionMode: agent
       name: dev-eu-west-1-cluster1-test-namespace-mntl-test-workspace-s3
       organization: Mintel
@@ -207,9 +204,6 @@ Test module overrides:
       annotations:
         app.mintel.com/altManifestFileSuffix: mntl-test-workspace-s3
         app.mintel.com/placeholder: placeholder
-        app.mintel.com/terraform-allow-destroy: "true"
-        app.mintel.com/terraform-cloud-tags: env:dev,owner:sre,mod:s3
-        app.mintel.com/terraform-owner: sre
         argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
         argocd.argoproj.io/sync-wave: "-40"
       labels:
@@ -268,8 +262,8 @@ Test module restartedAt disabled:
     spec:
       agentPool:
         id: test-agent-pool
-      allowDestroyPlan: false
-      applyMethod: manual
+      allowDestroyPlan: true
+      applyMethod: auto
       executionMode: agent
       name: dev-eu-west-1-cluster1-test-namespace-mntl-test-workspace-s3
       organization: Mintel
@@ -330,9 +324,6 @@ Test module restartedAt disabled:
       annotations:
         app.mintel.com/altManifestFileSuffix: mntl-test-workspace-s3
         app.mintel.com/placeholder: placeholder
-        app.mintel.com/terraform-allow-destroy: "true"
-        app.mintel.com/terraform-cloud-tags: env:dev,owner:sre,mod:s3
-        app.mintel.com/terraform-owner: sre
         argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
         argocd.argoproj.io/sync-wave: "-40"
       labels:
@@ -344,7 +335,7 @@ Test module restartedAt disabled:
       name: dev-eu-west-1-cluster1-test-namespace-mntl-test-workspace-s3
       namespace: test-namespace
     spec:
-      destroyOnDeletion: false
+      destroyOnDeletion: true
       module:
         source: app.terraform.io/Mintel/private-s3-bucket/aws
         version: 0.0.1