feat!: multiple buckets / providers support (#48)

[hbollon]

As the title shown, I've added the multiple buckets / providers support into Terraboard.
It's now possible to set multiples S3/MinIO buckets or to mix providers (to have AWS, Gitlab and GCP simultaneously for example), Terraboard will fetch them all on db refresh.

However:

• To use this functionality, the only configuration method usable is through Yaml config file. Env and flags are still usable for mono bucket configuration (maybe we can use them for multiple providers but it's not appropriated imo)
• Atm, Terraboard is dependent of AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY env variables for AWS provider, which prevents being able to have several backend AWS or others compatible providers like MinIO (we can still have several buckets under the same backend). We could consider making these values configurable via the yaml file however (@raphink what do you think?).

I tested that with MinIO/AWS but not with others providers since I don't have any account for them.
The terraboard-dev-multi-providers service in the test/ docker-compose is configured to use two MinIO bucker (just replace terraboard-dev by it in the compose file)
I also updated the ReadMe with some instructions / advices.

Should meets the needs of #48 😄

[coveralls]

Coverage decreased (-0.4%) to 57.412% when pulling f3a13f8 on hbollon:multi-bucket-support into ad88878 on camptocamp:master.

[raphink]

Suggested change

	You can find a ready-to-use docker example with two *MinIO* buckets in the `test/` sub-folder (just swipe the two terraboard services in the docker-compose file).
	You can find a ready-to-use Docker example with two *MinIO* buckets in the `test/` sub-folder (just swipe the two terraboard services in the docker-compose file).

[raphink]

What do you mean by "swipe the services"?

[hbollon]

What do you mean by "swipe the services"?

I added in the docker-compose of /test, a Terraboard container configured to use a YAML config file and two MinIO buckets.
However, I commented it in favor of the Terraboard lambda container to avoid having two applications simultaneously.

services:
  terraboard-dev:
    build:
      context: ../
      dockerfile: ./Dockerfile
    environment:
      AWS_ACCESS_KEY_ID: root
      AWS_SECRET_ACCESS_KEY: mypassword
      AWS_BUCKET: test-bucket
      AWS_REGION: eu-west-1
      AWS_ENDPOINT: http://minio:9000/
      AWS_FORCE_PATH_STYLE: "true"
      TERRABOARD_LOG_LEVEL: debug
      TERRABOARD_NO_LOCKS: "true"
      TERRABOARD_NO_VERSIONING: "true"
      DB_PASSWORD: mypassword
      DB_SSLMODE: disable
      GODEBUG: netdns=go
    depends_on:
      db:
        condition: service_healthy
      minio:
        condition: service_started
    volumes:
      - ../static:/static:ro
    ports:
      - "8080:8080"

  # terraboard-dev-multi-providers:
  #   build:
  #     context: ../
  #     dockerfile: ./Dockerfile
  #   environment:
  #     AWS_ACCESS_KEY_ID: root
  #     AWS_SECRET_ACCESS_KEY: mypassword
  #     DB_SSLMODE: disable
  #     CONFIG_FILE: config/config.yml
  #     GODEBUG: netdns=go
  #   depends_on:
  #     db:
  #       condition: service_healthy
  #     minio:
  #       condition: service_started
  #   volumes:
  #     - ../static:/static:ro
  #     - ./config.yml:/config/config.yml:ro
  #   ports:
  #     - "8081:8080"

I'm not really happy with that, maybe we can split the test sub-folder into multiple config folders each with a docker-compose 🤔

[raphink]

Ah, so you mean "swap" then, not "swipe" :-)

[hbollon]

Yes 😆

[raphink]

Why is this necessary?

[hbollon]

It's for keeping the env / flags configuration possible with single provider Terraboard.
Indeed, now we have providers array in the config struct:

AWS []AWSConfig `group:"AWS Options" yaml:"aws"`

TFE []TFEConfig `group:"Terraform Enterprise Options" yaml:"tfe"`

GCP []GCPConfig `group:"Google Cloud Platform Options" yaml:"gcp"`

Gitlab []GitlabConfig `group:"GitLab Options" yaml:"gitlab"`

And so they don't have any elements in them on Config instanciation which prevent from using env variables or flags.
c := initDefaultConfig() add an empty struct in each of them and parse go-flags stuff in them. If they're still empty or invalid they will be ignored but with that process we can still use Terraboard with others configuration methods as before (although they are incompatible with multi buckets).

parseStructFlagsAndEnv(interface{}) is just a DRY function for go-flags parsing

[raphink]

Looping inside refreshDB() means providers will be parsed sequentially. Maybe we could parallelize providers instead by looping ouside the call to refreshDB() in main() and keep refreshDB() the way it is.

[hbollon]

Great idea that I should have thought of!
This will allow to not interrupt all the fetching processes if one of them has an error and reduce the time that the refresh takes
I will do that

[hbollon]

I've done the following changes:

• RefreshDB is now parallelized
• I added mutex lock security on sensible db operations (FirstOrCreate principally, which lead to errors without locks)
• I split test directory into multiples sub-folder containing different configurations
• I fixed all ReadMe typo issues

[raphink]

It could be interesting to use a structured log here (with fields).

[hbollon]

Done 👍

[Shocktrooper]

As the title shown, I've added the multiple buckets / providers support into Terraboard.
It's now possible to set multiples S3/MinIO buckets or to mix providers (to have AWS, Gitlab and GCP simultaneously for example), Terraboard will fetch them all on db refresh.

However:

• To use this functionality, the only configuration method usable is through Yaml config file. Env and flags are still usable for mono bucket configuration (maybe we can use them for multiple providers but it's not appropriated imo)
• Atm, Terraboard is dependent of AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY env variables for AWS provider, which prevents being able to have several backend AWS or others compatible providers like MinIO (we can still have several buckets under the same backend). We could consider making these values configurable via the yaml file however (@raphink what do you think?).

I tested that with MinIO/AWS but not with others providers since I don't have any account for them.
The terraboard-dev-multi-providers service in the test/ docker-compose is configured to use two MinIO bucker (just replace terraboard-dev by it in the compose file)
I also updated the ReadMe with some instructions / advices.

Should meets the needs of #48 😄

With AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY being needed does this prevent multiple cross account S3 buckets from being selected? Would they all have to be in the same account and is there work to migrate over to the AWS SDK or something that can automatically handle credentials automatically instead of relying on hardcoded environment variables

[hbollon]

With AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY being needed does this prevent multiple cross account S3 buckets from being selected?

Actually, with this PR, yes all AWS buckets must be on the same account.

is there work to migrate over to the AWS SDK or something that can automatically handle credentials automatically instead of relying on hardcoded environment variables

This is exactly what I proposed to @raphink 😃

[hbollon]

I've added:

• AWS access key and secret access key config fields and aws sdk appropriate usage to support multiple AWS accounts configuration
• AWS Session Token support (should do the trick for feat: support aws_session_token #181)
• The ability to directly configure multiple buckets for the same AWS account under the "S3" field of the YAML file which is now an objects array

I also updated unit test and docker testing env to match with new config (I also add a second minio container in the multiple-minio-buckets test env)
Like previously, I made sure that the config via environment variables or by flags is always possible for the instances of Terraboard with a single provider

Example of a YAML config file:

aws:
  - access-key: root
    secret-access-key: mypassword
    endpoint: http://minio:9000/
    region: eu-west-1
    s3:
      - bucket: test-bucket
        force-path-style: true
        file-extension: 
          - .tfstate
      - bucket: test-bucket2
        force-path-style: true
        file-extension: 
          - .tfstate

  - access-key: admin
    secret-access-key: password
    endpoint: http://minio-2:9000/
    region: eu-west-1
    s3:
      - bucket: test-bucket
        force-path-style: true
        file-extension: 
          - .tfstate

[raphink]

I wonder if it'd be easier to keep the existing NewAWS() method as it is and add a NewAWSCollection() wrapper.

[hbollon]

To avoid the iteration in NewAWS()?

[raphink]

Yes, and also because generally I'd expect an instantiation method to return a single instance.

[hbollon]

Ok so I will do that for AWS but also for all others providers
Each one will have a NewProvider() function wich return a single instance and a NewProviderCollection() one which will iterate and call the other one. (ofc in functions names Provider will be replaced by his name)

[Shocktrooper]

Is there since there was mention of aws sdk usage of credentials is there an example of how to tell terraboard to assume a role in another account or how to tell it to use an instance profile in the case of S3 buckets

[raphink]

Suggested change

	1. Environment variables **(only usable for mono provider configuration)**
	1. Environment variables **(only usable for single provider configuration)**

[raphink]

Suggested change

	2. CLI parameters **(only usable for mono provider configuration)**
	2. CLI parameters **(only usable for single provider configuration)**

[raphink]

Yes, and also because generally I'd expect an instantiation method to return a single instance.

[raphink]

If you named the return values of the method, you might just use return here iirc

[raphink]

Note, if one provider fails, you get no providers at all at the moment.

[hbollon]

Note, if one provider fails, you get no providers at all at the moment.

Do you think it's better to just log an error and continue with the following ones?
Initially, I considered this error as fatal since it would lead to the non-inclusion of an entire provider and because, potentially, it could come from an error in the configuration file which could impact the rest.

[raphink]

Not sure. I say I'd prefer to see some data and get an error somewhere rather than nothing at all.

[hbollon]

If you named the return values of the method, you might just use return here iirc

Indeed but in this case I think it's more simple like this since if I name the return values I can't use := anymore with err which will force me to declare the temp variable objs before each time I use it. It's, imo, more complex and furthermore it raise an error on gosimple if I do it.

[hbollon]

Not sure. I say I'd prefer to see some data and get an error somewhere rather than nothing at all.

Doesn't the user risk not realizing it if a provider fails but the others still bring states in Terraboard?

[mcanevet]

I guess you should change one of your commits' commit message with an exclamation mark as it contains a breaking change.