
Bucket versioning for logging bucket disabled #3841

Open
kenroydhs opened this issue Feb 5, 2025 · 4 comments
Labels
bug Something isn't working contributions-requested Requesting contributions from the community preserved Preserved issues never go stale

Comments

@kenroydhs

Describe the bug

The bucket specified by "bucket" in remote_state -> config is created with versioning enabled by default, but the bucket specified by "accesslogging_bucket_name" is created with versioning disabled by default.

Steps To Reproduce

Execute `terragrunt init` using the HCL provided below.

```hcl
# ----------------------------------------------------------------------------------------------------------------
# LOAD COMMON VARIABLES
# ----------------------------------------------------------------------------------------------------------------
locals {
  # Automatically load common variables shared across all accounts
  common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl"))

  # Automatically load account-level variables
  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))

  # Extract commonly used variables for easy access
  name_tags     = local.common_vars.locals.name_tags
  account_name  = local.account_vars.locals.account_name
  aws_partition = local.account_vars.locals.aws_partition
  account_id    = local.common_vars.locals.account_ids[local.account_name]
  aws_region    = local.account_vars.locals.aws_region
  region_prefix = local.account_vars.locals.region_prefix

  bucket_name_prefix = join("-", [
    local.name_tags.divisions.ocio,
    substr(local.account_name, 0, 1),
    local.region_prefix,
    local.account_name
  ])

}

# ----------------------------------------------------------------------------------------------------------------
# GENERATED PROVIDER BLOCK
# ----------------------------------------------------------------------------------------------------------------
generate "provider" {
  path      = "provider.tf"
  if_exists = "skip" #"overwrite_terragrunt"
  contents  = <<EOF
provider "aws" {
  region = "${local.aws_region}"

  # Only these AWS Account IDs may be operated on by this template
  allowed_account_ids = ["${local.account_id}"]
}
EOF
}

# Use an override file to lock the provider version, regardless of whether required_providers is defined in the modules.
generate "provider_version" {
  path      = "provider_version_override.tf"
  if_exists = "skip"
  contents  = <<EOF
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.80"
    }
  }
}
EOF
}

# ----------------------------------------------------------------------------------------------------------------
# GENERATED REMOTE STATE BLOCK
# ----------------------------------------------------------------------------------------------------------------
# Generate the Terraform remote state block for storing state in S3
remote_state {
  backend = "s3"
  disable_dependency_optimization = true
  config = {
    encrypt                   = true
    bucket                    = "test-tf-state"
    key                       = "${path_relative_to_include()}/terraform.tfstate"
    region                    = local.aws_region
    dynamodb_table            = "terraform-locks"
    accesslogging_bucket_name = "test-tf-logs"
  }
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }
}
# ----------------------------------------------------------------------------------------------------------------
# DEFAULT INPUTS
# ----------------------------------------------------------------------------------------------------------------
inputs = {
  # Set globally used inputs here to keep all the child terragrunt.hcl files more DRY.
  aws_account_id = local.account_id
  aws_region     = local.aws_region
  name_tags      = local.common_vars.locals.name_tags
}

#-----------------------------------------------------------------------------------------------------------------
# ALLOW .terraform-version FILE TO BE COPIED
#-----------------------------------------------------------------------------------------------------------------
terraform {
  include_in_copy = [".terraform-version"]
}
```

## Expected behavior

Expect the created buckets "test-tf-state" and "test-tf-logs" to both have versioning enabled.

## Nice to haves

- [ ] Terminal output
- [ ] Screenshots

## Versions

- Terragrunt version: v0.54.17 
- OpenTofu/Terraform version: v1.10.5 on linux_amd64 
- Environment details (Ubuntu 20.04, Windows 10, etc.): RHEL8

@kenroydhs kenroydhs added the bug Something isn't working label Feb 5, 2025
@kenroydhs
Author

Here are some logs for the terragrunt init:

"test-tf-state" shows "Enabling versioning", but "test-tf-logs" does not.

```
Remote state S3 bucket test-tf-state does not exist or you don't have permissions to access it. Would you like Terragrunt to create it? (y/n) y
DEBU[0024] Create S3 bucket with retry test-tf-state prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0024] Create S3 bucket test-tf-state with versioning, SSE encryption, and access logging. prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0024] Creating S3 bucket test-tf-state prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0024] Created S3 bucket test-tf-state prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0024] Waiting for bucket test-tf-state to be created prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0024] S3 bucket test-tf-state created. prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0024] Enabling root access to S3 bucket test-tf-state prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0025] Policy not exists for bucket test-tf-state prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0025] Enabled root access to bucket test-tf-state prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0025] Enabling enforced TLS access for S3 bucket test-tf-state prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0025] Policy already exists for bucket test-tf-state prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0025] Enabled enforced TLS access for bucket test-tf-state prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0025] Blocking all public access to S3 bucket test-tf-state prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0025] Blocked all public access to S3 bucket test-tf-state prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0025] No tags specified for bucket test-tf-state. prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0025] Enabling versioning on S3 bucket test-tf-state prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0025] Enabled versioning on S3 bucket test-tf-state prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0025] Enabling bucket-wide SSE on AWS S3 bucket test-tf-state prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0026] Enabled bucket-wide SSE on AWS S3 bucket test-tf-state prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0026] Enabling bucket-wide Access Logging on AWS S3 bucket test-tf-state - using as TargetBucket test-tf-logs prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
Logs S3 bucket test-tf-logs for the remote state does not exist or you don't have permissions to access it. Would you like Terragrunt to create it? (y/n) y
DEBU[0059] Creating S3 bucket test-tf-logs prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0059] Created S3 bucket test-tf-logs prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0059] Blocking all public access to S3 bucket test-tf-logs prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0059] Blocked all public access to S3 bucket test-tf-logs prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0059] Granting WRITE and READ_ACP permissions to S3 Log Delivery (http://acs.amazonaws.com/groups/s3/LogDelivery) for bucket test-tf-logs. This is required for access logging. prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0059] Waiting for ACL bucket test-tf-logs to have the updated ACL for access logging. prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0059] Bucket test-tf-logs now has the proper ACL permissions for access logging! prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0059] Putting bucket logging on S3 bucket test-tf-state with TargetBucket test-tf-logs and TargetPrefix TFStateLogs/ prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0059] Enabled bucket-wide Access Logging on AWS S3 bucket test-tf-state prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0059] Enabling bucket-wide SSE on AWS S3 bucket test-tf-logs prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0060] Enabled bucket-wide SSE on AWS S3 bucket test-tf-logs prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0060] Enabling enforced TLS access for S3 bucket test-tf-logs prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0060] Policy not exists for bucket test-tf-logs prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0060] Enabled enforced TLS access for bucket test-tf-logs prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0060] No tags specified for bucket test-tf-logs. prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0060] Verifying AWS S3 Bucket Versioning test-tf-state prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0061] Checking if SSE is enabled for AWS S3 bucket test-tf-state prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0061] Checking if bucket test-tf-state is have root access prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0061] Policy for RootAccess already exists for bucket test-tf-state prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0061] Checking if bucket test-tf-state is enforced with TLS prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0061] Policy for EnforcedTLS already exists for bucket test-tf-state prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0061] Checking if Access Logging is enabled for AWS S3 bucket test-tf-state prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0061] Checking if S3 bucket test-tf-state is configured to block public access prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0061] S3 bucket is already up to date prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0061] Verifying AWS S3 Bucket Versioning test-tf-state prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
DEBU[0061] Running command: terraform init prefix=[/home/ec2-user/Desktop/iac/SCTASK0054329-TF-Buckets-Reconfig/tg/c-ai-sbx/us-east-1/networking/vpc]
```

@kenroydhs
Author

If you look at the last two debug lines, it appears that terragrunt is verifying versioning on the wrong bucket ("test-tf-state" rather than "test-tf-logs"). Perhaps that is where the bug is?
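The two comments above rest on the same evidence: the debug log reports "Enabled versioning" for test-tf-state only, and both "Verifying AWS S3 Bucket Versioning" lines name test-tf-state rather than test-tf-logs. The Go program below is an added example, not Terragrunt's code, that turns that manual reading into a repeatable check: it scans a Terragrunt init log, records which hardening steps were reported for each bucket, and flags any bucket that was created but never had versioning enabled or verified. The message strings matched are copied from the log in this issue; the regular expressions, the `bucketStatus` type, `auditLog` and the abbreviated `sampleLog` (prefix path shortened, unrelated lines dropped) are this example's own assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// bucketStatus records which hardening steps a Terragrunt debug log reports
// for one S3 bucket. Only the steps visible in the log quoted in this issue
// are tracked.
type bucketStatus struct {
	Created           bool
	PublicAccessBlock bool
	SSE               bool
	EnforcedTLS       bool
	Versioning        bool
	Verified          int // count of "Verifying AWS S3 Bucket Versioning" lines
}

// messagePatterns map a Terragrunt debug message to the status field it
// proves. Group 1 captures the bucket name. The message text is copied from
// the log in this issue; the patterns are this example's own assumption.
var messagePatterns = []struct {
	re    *regexp.Regexp
	apply func(*bucketStatus)
}{
	{regexp.MustCompile(`Created S3 bucket (\S+)`), func(b *bucketStatus) { b.Created = true }},
	{regexp.MustCompile(`Blocked all public access to S3 bucket (\S+)`), func(b *bucketStatus) { b.PublicAccessBlock = true }},
	{regexp.MustCompile(`Enabled bucket-wide SSE on AWS S3 bucket (\S+)`), func(b *bucketStatus) { b.SSE = true }},
	{regexp.MustCompile(`Enabled enforced TLS access for bucket (\S+)`), func(b *bucketStatus) { b.EnforcedTLS = true }},
	{regexp.MustCompile(`Enabled versioning on S3 bucket (\S+)`), func(b *bucketStatus) { b.Versioning = true }},
	{regexp.MustCompile(`Verifying AWS S3 Bucket Versioning (\S+)`), func(b *bucketStatus) { b.Verified++ }},
}

// auditLog walks a Terragrunt init log line by line and returns the status of
// every bucket it mentions, plus findings for buckets that were created but
// never had versioning enabled, or never had versioning verified.
func auditLog(log string) (map[string]*bucketStatus, []string) {
	statuses := map[string]*bucketStatus{}
	for _, line := range strings.Split(log, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		for _, p := range messagePatterns {
			m := p.re.FindStringSubmatch(line)
			if m == nil {
				continue
			}
			name := m[1]
			if statuses[name] == nil {
				statuses[name] = &bucketStatus{}
			}
			p.apply(statuses[name])
		}
	}

	names := make([]string, 0, len(statuses))
	for name := range statuses {
		names = append(names, name)
	}
	sort.Strings(names) // deterministic report order

	var findings []string
	for _, name := range names {
		s := statuses[name]
		if !s.Created {
			continue // only judge buckets this run actually created
		}
		if !s.Versioning {
			findings = append(findings, fmt.Sprintf("%s: created without versioning enabled", name))
		}
		if s.Verified == 0 {
			findings = append(findings, fmt.Sprintf("%s: versioning never verified", name))
		}
	}
	return statuses, findings
}

// sampleLog is an abbreviated copy of the debug output quoted in this issue:
// the long prefix=[...] path is shortened and unrelated lines are dropped.
const sampleLog = `
DEBU[0024] Created S3 bucket test-tf-state prefix=[.../networking/vpc]
DEBU[0025] Enabled enforced TLS access for bucket test-tf-state prefix=[.../networking/vpc]
DEBU[0025] Blocked all public access to S3 bucket test-tf-state prefix=[.../networking/vpc]
DEBU[0025] Enabled versioning on S3 bucket test-tf-state prefix=[.../networking/vpc]
DEBU[0026] Enabled bucket-wide SSE on AWS S3 bucket test-tf-state prefix=[.../networking/vpc]
DEBU[0059] Created S3 bucket test-tf-logs prefix=[.../networking/vpc]
DEBU[0059] Blocked all public access to S3 bucket test-tf-logs prefix=[.../networking/vpc]
DEBU[0060] Enabled bucket-wide SSE on AWS S3 bucket test-tf-logs prefix=[.../networking/vpc]
DEBU[0060] Enabled enforced TLS access for bucket test-tf-logs prefix=[.../networking/vpc]
DEBU[0060] Verifying AWS S3 Bucket Versioning test-tf-state prefix=[.../networking/vpc]
DEBU[0061] Verifying AWS S3 Bucket Versioning test-tf-state prefix=[.../networking/vpc]
`

func main() {
	statuses, findings := auditLog(sampleLog)
	for _, name := range []string{"test-tf-state", "test-tf-logs"} {
		fmt.Printf("%-14s %+v\n", name, *statuses[name])
	}
	for _, f := range findings {
		fmt.Println("FINDING:", f)
	}
}
```

Replace `sampleLog` with the full output of a debug-level `terragrunt init` (or read it from a file) to audit a real run; on the log in this issue the only findings are for test-tf-logs, which is exactly the gap reported, while test-tf-state is verified twice and test-tf-logs not at all.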

@yhakbar
Collaborator

yhakbar commented Feb 7, 2025

Definitely worth addressing. We'll look to address it during our next tech debt cycle if the community doesn't address it first.

@kenroydhs , it seems like you've already done some root cause analysis. Are you interested in contributing a fix? If you're not comfortable with Golang, we're happy to get you ramped up for contribution. We're always looking for more help.

@yhakbar yhakbar added contributions-requested Requesting contributions from the community preserved Preserved issues never go stale labels Feb 7, 2025
@kenroydhs
Author

Sure, I'd be more than happy to look at the code and provide a fix.
