Revert to old tacos unlock

.github/actions/basic-setup/action.yml

@@ -0,0 +1,70 @@
+name: Basic-Setup
+# This is derived from the Setup github action.
+# It omits several steps, and is mainly used by tacos_unlock.
+
+inputs:
+  ssh-private-key:
+    description: "Private SSH key to use for git clone"
+    type: string
+    default: ""
+  user:
+    description: the username that will be used for following steps
+    required: false
+    default: ${{github.triggering_actor}}
+  shell:
+    description: "private -- do not use"
+    default: env ./tacos-gha/lib/ci/default-shell {0}
+
+runs:
+  using: composite
+
+  steps:
+    - uses: ./tacos-gha/.github/actions/just-the-basics
+
+    - name: tell TF username and PR
+      uses: ./tacos-gha/.github/actions/set-username-and-hostname
+      with:
+        user: ${{inputs.user}}
+
+    - name: Set up SSH agent
+      if: inputs.ssh-private-key != ''
+      uses: webfactory/ssh-agent@v0.8.0
+      with:
+        ssh-private-key: ${{ inputs.ssh-private-key }}
+
+        # These fix most ownership, permission issues, but the .ssh config files
+        # still get the wrong ownership, fixed in the next step.
+        ssh-agent-cmd: |-
+          ./tacos-gha/lib/ci/bin/sudo-ssh-agent
+        ssh-add-cmd: |-
+          ./tacos-gha/lib/ci/bin/sudo-ssh-add
+
+    - name: Fix .ssh permissions
+      shell: ${{inputs.shell}}
+      if: inputs.ssh-private-key != ''
+      run: |
+        : fix ssh config ownership
+        sudo chown -v -R "$(id -un):$(id -gn)" ~/.ssh
+
+        : Show SSH agent pubkeys
+        ssh-add -L
+
+        : ... hashes too
+        ssh-add -l
+
+    # this should really be default behavior:
+    - shell: ${{inputs.shell}}
+      run: |
+        gha-set-env 'TF_VERSION' < "$(nearest-config-file .terraform-version)"
+        gha-set-env 'TERRAGRUNT_VERSION' < "$(nearest-config-file .terragrunt-version)"
+
+    - name: Setup Terragrunt
+      uses: autero1/action-terragrunt@v1.3.2
+      with:
+        terragrunt_version: ${{env.TERRAGRUNT_VERSION}}
+
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v3
+      with:
+        terraform_wrapper: false
+        terraform_version: ${{ env.TF_VERSION }}

.github/workflows/tacos_unlock.yml

@@ -32,20 +32,18 @@ env:
   GETSENTRY_SAC_VERB: state-admin
 
 jobs:
-  determine-tf-root-modules:
-    name: List Slices
+  determine-terraformers:
+    name: list terraformers
     if: |
       false
       || github.event.action != 'labeled'
       || github.event.label.name == ':taco::unlock'
     outputs:
-      slices: ${{ steps.list-slices.outputs.slices }}
-
+      terraformers: ${{ steps.list-terraformers.outputs.terraformers }}
     runs-on: ubuntu-latest
     permissions:
       contents: read
       pull-requests: write
-
     steps:
       - name: Checkout IAC
         uses: actions/checkout@v4
@@ -55,30 +53,31 @@ jobs:
           repository: ${{inputs.tacos_gha_repo}}
           ref: ${{inputs.tacos_gha_ref}}
           path: tacos-gha
-
-      - name: List Slices
-        id: list-slices
-        uses: ./tacos-gha/.github/actions/list-slices
-
+      - name: basic-setup
+        uses: ./tacos-gha/.github/actions/basic-setup
+      - name: List Terraformers
+        id: list-terraformers
+        run: |
+          "$TACOS_GHA_HOME/"lib/ci/list-terraformers
   tacos_unlock:
     name: TACOS Unlock
-    needs: [determine-tf-root-modules]
+    needs: [determine-terraformers]
     if: |
-      needs.determine-tf-root-modules.outputs.slices != '[]'
+      needs.determine-terraformers.outputs.terraformers != '[]'
     strategy:
       fail-fast: false
       matrix:
-        tf-root-module:
-          ${{ fromJSON(needs.determine-tf-root-modules.outputs.slices) }}
-
+        terraformer:
+          ${{ fromJSON(needs.determine-terraformers.outputs.terraformers) }}
     runs-on: ubuntu-latest
     permissions:
       contents: read
       pull-requests: write
       id-token: write
-
     env:
-      TF_ROOT_MODULE: ${{matrix.tf-root-module}}
+      SUDO_GCP_SERVICE_ACCOUNT: ${{fromJSON(matrix.terraformer).SUDO_GCP_SERVICE_ACCOUNT}}
+      GETSENTRY_SAC_OIDC: ${{fromJSON(matrix.terraformer).GETSENTRY_SAC_OIDC}}
+      SLICES: ${{toJSON(fromJSON(matrix.terraformer).slices)}}
     steps:
       - name: Checkout IAC
         uses: actions/checkout@v4
@@ -88,8 +87,8 @@ jobs:
           repository: ${{inputs.tacos_gha_repo}}
           ref: ${{inputs.tacos_gha_ref}}
           path: tacos-gha
-      - name: Setup
-        uses: ./tacos-gha/.github/actions/setup
+      - name: basic-setup
+        uses: ./tacos-gha/.github/actions/basic-setup
         with:
           ssh-private-key: ${{ secrets.ssh-private-key }}
           # We explicitly list the low-concern actions, during which users will
@@ -104,63 +103,40 @@ jobs:
               && github.event_name == 'pull_request'
               && (
                   false
-                  || github.event.action == 'closed'
-                  || github.event.action == 'converted_to_draft'
+                  || (
+                      true
+                      && github.event.action == 'labeled'
+                      && github.event.label.name == ':taco::plan'
+                  )
+                  || github.event.action == 'ready_for_review'
+                  || github.event.action == 'synchronize'
+                  || github.event.action == 'reopened'
               )
 
               && github.event.pull_request.user.login
 
               || github.triggering_actor
             }}
-
+      - name: gcp auth
+        id: auth
+        uses: google-github-actions/auth@v2.1.1
+        with:
+          workload_identity_provider: ${{env.GETSENTRY_SAC_OIDC}}
+          service_account: ${{env.SUDO_GCP_SERVICE_ACCOUNT}}
       - name: Unlock
         id: main
         run: |
-          tf-step-summary "TACOS Unlock" "$TACOS_GHA_HOME/"lib/tacos/unlock
-
-      - name: Save matrix result
-        # we need to show any errors to end-users
-        if: always()
-        uses: ./tacos-gha/.github/actions/matrix-fan-out
-
-  summary:
-    needs: tacos_unlock
-    # we need to report failures, too
-    if: always() && needs.tacos_unlock.result != 'skipped'
-
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout tacos-gha
-        uses: actions/checkout@v4
-        with:
-          repository: ${{inputs.tacos_gha_repo}}
-          ref: ${{inputs.tacos_gha_ref}}
-          path: tacos-gha
-
-      - name: Setup
-        uses: ./tacos-gha/.github/actions/just-the-basics
-      - name: Run matrix-fan-in
-        uses: ./tacos-gha/.github/actions/matrix-fan-in
-      - name: Summarize
-        id: summary
-        run: |
-          ./tacos-gha/lib/ci/tacos-unlock-summary |
-            gha-step-summary
-
-      - name: Update PR
-        # we want to report failures, too
+          # release all tfstate locks currently held 
+          jq <<< "$SLICES" -r '.[]' | ./tacos-gha/lib/ci/unlock
+      - name: update PR
         if: always()
-
         uses: thollander/actions-comment-pull-request@v2.4.3
         with:
-          message: ${{ fromJSON(steps.summary.outputs.summary) }}
+          message: ${{ fromJSON(steps.main.outputs.summary) }}
           comment_tag: unlock
           mode: recreate
-
   reset-label:
     name: Reset Label
-
     uses: ./.github/workflows/reset-label.yml
     with:
       label: ":taco::unlock"

bin/terragrunt-slices

@@ -0,0 +1 @@
+../lib/terragrunt/slices

lib/ci/list-terraformers

@@ -0,0 +1,10 @@
+#!/bin/bash
+set -euo pipefail
+
+python3 -m lib.tacos.terraformers |
+jq -R |
+jq -cs |
+gha-set-output terraformers |
+# prettify
+jq . \
+;

lib/ci/set-terraformer

@@ -1,7 +1,9 @@
 #!/bin/bash
 set -euo pipefail
 
-with-user-env "$TF_ROOT_MODULE" \
-    sudo-gcp-service-account |
-  gha-set-env SUDO_GCP_SERVICE_ACCOUNT \
-;
+if ! [[ "${SUDO_GCP_SERVICE_ACCOUNT:-}" ]]; then
+  with-user-env "$TF_ROOT_MODULE" \
+      sudo-gcp-service-account |
+    gha-set-env SUDO_GCP_SERVICE_ACCOUNT \
+  ;
+fi

lib/ci/unlock

@@ -0,0 +1,36 @@
+#!/bin/bash
+set -euo pipefail
+set -ex
+exec 1>&2  # stdout is reserved for tf plan/apply results
+(
+    echo "### TACOS Unlock"
+    echo
+    if results=$(xargs -r -P10 -n10 tf-lock-release 2>&1); then
+    cat <<EOF
+<details>
+<summary>
+Success! all slices have been unlocked.
+</summary>
+
+\`\`\`console
+$results
+\`\`\`
+</details>
+EOF
+    else
+    cat <<EOF 
+
+<details>
+<summary> 
+Some slices failed to unlock.
+</summary>
+
+\`\`\`console
+$results
+\`\`\`
+
+</details>
+EOF
+    fi
+) | gha-step-summary;
+

lib/tacos/terraformers.py

@@ -0,0 +1,82 @@
+#!/usr/bin/env python3.12
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Dict
+from typing import List
+from typing import Union
+
+from lib.constants import TACOS_GHA_HOME
+from lib.sh import sh
+from lib.types import Generator
+
+from .dependent_slices import TFCategorized
+from .dependent_slices import TopLevelTFModule
+
+
+@dataclass(frozen=True)
+class TerraformerResult:
+    GETSENTRY_SAC_OIDC: str
+    SUDO_GCP_SERVICE_ACCOUNT: str
+    slices: set[TopLevelTFModule]
+
+
+def list_terraformers() -> Generator[TerraformerResult]:
+    """List all slices and the oidc provider and terraformer of that slice"""
+    for slice in sorted(TFCategorized.from_git().slices):
+        with sh.cd(slice):
+            oidc_provider = sh.stdout(
+                (TACOS_GHA_HOME / "lib/getsentry-sac/oidc-provider",)
+            )
+            terraformer = sh.stdout(("sudo-gcp-service-account",))
+
+            yield TerraformerResult(oidc_provider, terraformer, set([slice]))
+
+
+def terraformers() -> Generator[TerraformerResult]:
+    """Which slices need to be unlocked?"""
+    from collections import defaultdict
+
+    by_terraformer: defaultdict[tuple[str, str], set[TopLevelTFModule]] = (
+        defaultdict(set)
+    )
+
+    for tf_result in list_terraformers():
+        key = (
+            tf_result.GETSENTRY_SAC_OIDC,
+            tf_result.SUDO_GCP_SERVICE_ACCOUNT,
+        )
+        for slice in tf_result.slices:
+            by_terraformer[key].add(slice)
+
+    for key in by_terraformer:
+        oidc_provider, terraformer = key
+        yield TerraformerResult(
+            oidc_provider, terraformer, by_terraformer[key]
+        )
+
+
+def convert_terraform_result(
+    result: TerraformerResult,
+) -> Dict[str, Union[str, List[str]]]:
+    """Convert TerraformerResult to a JSON-serializable dictionary"""
+    return {
+        "GETSENTRY_SAC_OIDC": result.GETSENTRY_SAC_OIDC,
+        "SUDO_GCP_SERVICE_ACCOUNT": result.SUDO_GCP_SERVICE_ACCOUNT,
+        # Convert each TopLevelTFModule in the set to a string, then convert the set to a list
+        "slices": [str(path) for path in result.slices],
+    }
+
+
+def main() -> int:
+    import json
+
+    for result in terraformers():
+        # use custom conversion here, because json doesn't like sets or OSPaths
+        print(json.dumps(convert_terraform_result(result)))
+
+    return 0
+
+
+if __name__ == "__main__":
+    exit(main())

lib/terragrunt/slices

@@ -1,5 +1,7 @@
-#!/bin/sh
+#!/bin/bash
 # print a list of all known terragrunt slices
+set -euo pipefail
+
 terragrunt output-module-groups |
   jq '.[] | .[]' -r |
   sed -r 's@^'"$PWD"'/@@' \

lib/tf_lock/TESTING.md

@@ -2,8 +2,8 @@ FIXME: automated testing for lib/tf_lock
 
 ```console
 cd slice-0-project
-alias sudo-plan='sudo-gcp -u tacos-gha-tf-plan@sac-dev-sa.iam.gserviceaccount.com'
-alias sudo-apply='sudo-gcp -u tacos-gha-tf-apply@sac-dev-sa.iam.gserviceaccount.com'
+alias sudo-plan='env GETSENTRY_SAC_VERB=plan sudo-gcp'
+alias sudo-apply='env GETSENTRY_SAC_VERB=apply sudo-gcp'
 
 sudo-plan tf-lock-info
 > {"lock": false}