fix: enable and verify remote state with example

.github/workflows/release.yaml

@@ -157,6 +157,49 @@ jobs:
         run: |
           ./run_tests.sh -t TestProdBasic
 
+  test_TestThreeBasic:
+    needs:
+      - release
+      - test_TestOneBasic
+    if: needs.release.outputs.release_pr
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          token: ${{secrets.GITHUB_TOKEN}}
+          fetch-depth: 0
+      - id: aws-creds
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{env.AWS_ROLE}}
+          role-session-name: ${{github.run_id}}
+          aws-region: ${{env.AWS_REGION}}
+          role-duration-seconds: 14400 # 4 hours
+          output-credentials: true
+      - name: install-nix
+        run: |
+          curl -L https://nixos.org/nix/install | sh
+          source /home/runner/.nix-profile/etc/profile.d/nix.sh
+          nix --version
+          which nix
+      - name: run_tests
+        shell: '/home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep IDENTIFIER --keep GITHUB_TOKEN --keep GITHUB_OWNER --keep ZONE --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}'
+        env:
+          AWS_ACCESS_KEY_ID: ${{ steps.aws-creds.outputs.aws-access-key-id }}
+          AWS_SECRET_ACCESS_KEY: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
+          AWS_SESSION_TOKEN: ${{ steps.aws-creds.outputs.aws-session-token }}
+          AWS_MAX_ATTEMPTS: 100
+          AWS_RETRY_MODE: adaptive
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+          GITHUB_OWNER: rancher
+          IDENTIFIER: ${{github.run_id}}
+          ZONE: ${{secrets.ZONE}}
+          ACME_SERVER_URL: https://acme-v02.api.letsencrypt.org/directory
+          RANCHER_INSECURE: false
+        run: |
+          ./run_tests.sh -t TestThreeBasic
+
+
   test_TestDownstreamBasic:
     needs:
       - release
@@ -200,11 +243,12 @@ jobs:
         run: |
           ./run_tests.sh -t TestDownstreamBasic
 
-  test_TestDownstreamRoles:
+  test_TestDownstreamSplitrole:
     needs:
       - release
       - test_TestOneBasic
       - test_TestProdBasic
+      - test_TestThreeBasic
       - test_TestDownstreamBasic
     if: needs.release.outputs.release_pr
     runs-on: ubuntu-latest
@@ -242,15 +286,16 @@ jobs:
           ACME_SERVER_URL: https://acme-v02.api.letsencrypt.org/directory
           RANCHER_INSECURE: false
         run: |
-          ./run_tests.sh -t TestDownstreamRoles
+          ./run_tests.sh -t TestDownstreamSplitrole
 
   test_Cleanup:
     needs:
       - release
       - test_TestOneBasic
       - test_TestProdBasic
+      - test_TestThreeBasic
       - test_TestDownstreamBasic
-      - test_TestDownstreamRoles
+      - test_TestDownstreamSplitrole
     if: always() && needs.release.outputs.release_pr
     runs-on: ubuntu-latest
     steps:
@@ -293,8 +338,9 @@ jobs:
       - release
       - test_TestOneBasic
       - test_TestProdBasic
+      - test_TestThreeBasic
       - test_TestDownstreamBasic
-      - test_TestDownstreamRoles
+      - test_TestDownstreamSplitrole
       - test_Cleanup
     if: success() && needs.release.outputs.release_pr #Ensure the test jobs succeeded, and that a release PR was created.
     runs-on: ubuntu-latest

.github/workflows/validate.yaml

@@ -87,13 +87,14 @@ jobs:
           # This format enables automatic generation of changelogs and versioning
           filter() {
             COMMIT="$1"
-            output="$(echo "$COMMIT" | grep -e '^fix: ' -e '^feature: ' -e '^feat: ' -e 'refactor!: ' -e 'feature!: ' -e 'feat!: ' -e '^chore(main): ')"
+            output="$(echo "$COMMIT" | grep -e '^fix: ' -e '^feature: ' -e '^feat: ' -e '^refactor!: ' -e '^feature!: ' -e '^feat!: ' -e '^chore(main): ')"
             echo "$output"
           }
           prefix_check() {
             message="$1"
-            if [ "" != "$(filter "$message")" ]; then
-              echo "...Commit message does not start with the required prefix.
+            if [ -z "$(filter "$message")" ]; then
+              echo "
+              ...Commit message does not start with the required prefix.
               Please use one of the following prefixes: fix:, feature:, feat:, refactor!:, feature!:, feat:!.
               'chore(main): ' is also allowed for release PRs.
               This enables release-please to automatically determine the type of release (major, minor, patch) based on the commit message.
@@ -105,7 +106,7 @@ jobs:
           }
           empty_check() {
             message="$1"
-            if [ "" == "$message" ]; then
+            if [ -z "$message" ]; then
               echo "...Empty commit message."
               exit 1
             else
@@ -141,9 +142,9 @@ jobs:
 
           while read -r message; do
             echo "checking message ^$message\$"
-            prefix_check "$message"
             empty_check "$message"
             length_check "$message"
+            prefix_check "$message"
             spell_check "$message"
             echo "message ^$message\$ passed all checks"
           done <<<"$COMMIT_MESSAGES"

.gitignore

@@ -31,3 +31,4 @@ run.sh
 *.test
 static_files.txt
 * copy
+*.tfbackend

examples/backend_s3/main.tf

@@ -0,0 +1,24 @@
+provider "aws" {
+  default_tags {
+    tags = {
+      Id    = local.identifier
+      Owner = local.owner
+    }
+  }
+}
+
+locals {
+  identifier = var.identifier
+  owner      = var.owner
+}
+
+module "s3_bucket" {
+  source        = "terraform-aws-modules/s3-bucket/aws"
+  version       = "5.0.2"
+  bucket        = lower(local.identifier)
+  force_destroy = true
+  versioning = {
+    status     = true
+    mfa_delete = false
+  }
+}

examples/backend_s3/variables.tf

@@ -0,0 +1,14 @@
+variable "identifier" {
+  type        = string
+  description = <<-EOT
+    Unique ID for the resource, a tag will be added to the resource.
+    This helps with identifying and cleaning up resources.
+  EOT
+}
+variable "owner" {
+  type        = string
+  description = <<-EOT
+    Owner tag to be added to the resource, helps when identifying and cleaning up resources.
+    Often this is an email address, so that someone can see and contact the person who generated the object.
+  EOT
+}

examples/backend_s3/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.5.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.11"
+    }
+  }
+}

examples/three/main.tf

@@ -22,6 +22,16 @@ provider "rancher2" {
   timeout   = "300s"
 }
 
+terraform {
+  backend "s3" {
+    # This needs to be set in the backend configs on the command line.
+    # bucket = local.identifier
+    # https://developer.hashicorp.com/terraform/language/backend/s3
+    # https://developer.hashicorp.com/terraform/language/backend#partial-configuration
+    key = "tfstate"
+  }
+}
+
 resource "rancher2_bootstrap" "authenticate" {
   depends_on = [
     module.rancher,

modules/deploy/create.sh.tpl

@@ -0,0 +1,55 @@
+${export_contents}
+cd ${deploy_path}
+export TF_DATA_DIR="${tf_data_dir}"
+TF_CLI_ARGS_init=""
+TF_CLI_ARGS_apply=""
+
+${init_script}
+
+MAX=${attempts}
+EXITCODE=1
+ATTEMPTS=0
+E=1
+E1=0
+while [ $EXITCODE -gt 0 ] && [ $ATTEMPTS -lt $MAX ]; do
+  A=0
+  while [ $E -gt 0 ] && [ $A -lt $MAX ]; do
+    timeout -k 1m ${timeout} terraform apply -var-file="${deploy_path}/inputs.tfvars" -auto-approve -state="${deploy_path}/tfstate"
+    E=$?
+    if [ $E -eq 124 ]; then echo "Apply timed out after ${timeout}"; fi
+    A=$((A+1))
+  done
+  # don't destroy if the last attempt fails
+  if [ $E -gt 0 ] && [ $ATTEMPTS != $((MAX-1)) ]; then
+    A1=0
+    while [ $E1 -gt 0 ] && [ $A1 -lt $MAX ]; do
+      timeout -k 1m ${timeout} terraform destroy -var-file="${deploy_path}/inputs.tfvars" -auto-approve -state="${deploy_path}/tfstate"
+      E1=$?
+      if [ $E1 -eq 124 ]; then echo "Apply timed out after ${timeout}"; fi
+      A1=$((A1+1))
+    done
+  fi
+  if [ $E -gt 0 ]; then
+    echo "apply failed..."
+  fi
+  if [ $E1 -gt 0 ]; then
+    echo "destroy failed..."
+  fi
+  if [ $E -gt 0 ] || [ $E1 -gt 0 ]; then
+    EXITCODE=1
+  else
+    EXITCODE=0
+  fi
+  ATTEMPTS=$((ATTEMPTS+1))
+  if [ $EXITCODE -gt 0 ] && [ $ATTEMPTS -lt $MAX ]; then
+    echo "wait ${interval} seconds between attempts..."
+    sleep ${interval}
+  fi
+done
+if [ $ATTEMPTS -eq $MAX ]; then echo "max attempts reached..."; fi
+if [ $EXITCODE -ne 0 ]; then echo "failure, exit code $EXITCODE..."; fi
+if [ $EXITCODE -eq 0 ]; then
+  echo "success...";
+  terraform output -json -state="${deploy_path}/tfstate" > ${deploy_path}/outputs.json
+fi
+exit $EXITCODE

modules/deploy/destroy.sh.tpl

@@ -0,0 +1,11 @@
+${export_contents}
+cd ${deploy_path}
+TF_CLI_ARGS_init=""
+TF_CLI_ARGS_apply=""
+export TF_DATA_DIR="${tf_data_dir}"
+if [ -z "${skip_destroy}" ]; then
+  timeout -k 1m ${timeout} terraform init -upgrade -reconfigure
+  timeout -k 1m ${timeout} terraform destroy -var-file="${deploy_path}/inputs.tfvars" -auto-approve -state="${deploy_path}/tfstate" || true
+else
+  echo "Not destroying deployed module, it will no longer be managed here."
+fi