
[Feature] support option to create separate logging bucket #5

Open
cdaniluk opened this issue Jun 9, 2020 · 6 comments
Labels
enhancement New feature or request

Comments

@cdaniluk
Contributor

cdaniluk commented Jun 9, 2020

Problem
The backend bucket is created as part of the bootstrapping process. Because it is presumed that the AWS account is empty and therefore has no other buckets when bootstrapping, it logs internally. Per #4 this causes self-referential logging loops. That PR introduces support for an external bucket, but we should also support creating a second bucket for logging.

Solution
Support optionally creating a separate bucket solely for tfstate logging.

Other Ideas
It would be nice if we could create the bucket with self-logging during bootstrap, then switch over to our designated logging bucket on first run. Possibly we could do this by conditionally checking for the existence of a logging bucket and self-logging if not found.

@cdaniluk cdaniluk added the enhancement New feature or request label Jun 9, 2020
@sblack4
Contributor

sblack4 commented Jun 10, 2020

Maybe we should have a bootstrap-specific module. These guys named their bootstrap module init: https://github.com/telia-oss/terraform-aws-terraform-init

@smiller171
Contributor

Maybe we should have a bootstrap-specific module. These guys named their bootstrap module init: https://github.com/telia-oss/terraform-aws-terraform-init

That's what this repo is...

@mike-rsi
Contributor

In my implementation, I actually create the logging bucket in the TF configuration where I'm consuming this module, but outside of the module itself.

Example:

resource "aws_s3_bucket" "logging" {
  bucket = "my-logging-bucket"
  acl    = "log-delivery-write"
}

module "backend" {
  source  = "rhythmictech/backend/aws"
  version = "2.1.0"

  region = "us-east-1"
  bucket = "my-tfstate-bucket"
  table  = "my-tfstate-table"
  logging_target_bucket = aws_s3_bucket.logging.id
  logging_target_prefix = "my-tfstate-bucket/"
}

This seems to follow HashiCorp's advice on how to deal with conditional resources within a module: https://www.terraform.io/docs/modules/composition.html#conditional-creation-of-objects

Note: I do like to aggregate S3 access logs into a common bucket, so this bucket's use case extends outside the scope of this module, which is also why I thought it made sense to define outside of the module. In the same way, it may make sense to treat the KMS key similarly, but the most important thing for me this time around was to prevent the infinite logging loop. 😄
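As an added example that is not part of this thread or of the rhythmictech/backend module, the following Terraform shows what the optional second bucket from the issue's Solution section could look like, combined with the "pass in an external bucket" approach above: a `create_logging_bucket` toggle creates a dedicated log bucket, `logging_target_bucket` points at an existing one instead, and a precondition rejects the self-referential configuration that caused the loop in #4. It assumes Terraform >= 1.2 (resource preconditions) and AWS provider >= 4.0, so it uses `aws_s3_bucket_logging` and a bucket policy for the log-delivery principal rather than the inline `acl`/`logging` arguments of the provider 3.x snippet above; every name, variable and resource here is hypothetical.

```hcl
# Added example (not the module's own code): optional dedicated access-log
# bucket for the tfstate bucket, plus a guard against self-referential logging.
# Assumes Terraform >= 1.2 and AWS provider >= 4.0. All names are hypothetical.

variable "bucket" {
  description = "Name of the tfstate bucket managed by this configuration"
  type        = string
}

variable "create_logging_bucket" {
  description = "Create a dedicated bucket that only receives tfstate access logs"
  type        = bool
  default     = true
}

variable "logging_target_bucket" {
  description = "Existing bucket to log to when create_logging_bucket is false (null disables logging)"
  type        = string
  default     = null
}

data "aws_caller_identity" "current" {}

# The tfstate bucket itself (the real module configures much more on it).
resource "aws_s3_bucket" "tfstate" {
  bucket = var.bucket
}

# Dedicated log bucket. It deliberately has no logging configuration of its own:
# pointing it at itself, or back at the tfstate bucket, recreates the loop.
resource "aws_s3_bucket" "logging" {
  count  = var.create_logging_bucket ? 1 : 0
  bucket = "${var.bucket}-logs"
}

resource "aws_s3_bucket_public_access_block" "logging" {
  count                   = var.create_logging_bucket ? 1 : 0
  bucket                  = aws_s3_bucket.logging[0].id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# With ACLs disabled (BucketOwnerEnforced) the log-delivery-write ACL no longer
# applies; the S3 logging service principal is granted by bucket policy instead.
resource "aws_s3_bucket_ownership_controls" "logging" {
  count  = var.create_logging_bucket ? 1 : 0
  bucket = aws_s3_bucket.logging[0].id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

resource "aws_s3_bucket_policy" "logging" {
  count  = var.create_logging_bucket ? 1 : 0
  bucket = aws_s3_bucket.logging[0].id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "S3ServerAccessLogsPolicy"
      Effect    = "Allow"
      Principal = { Service = "logging.s3.amazonaws.com" }
      Action    = "s3:PutObject"
      Resource  = "${aws_s3_bucket.logging[0].arn}/*"
      Condition = {
        # Only this account's tfstate bucket may deliver logs here.
        ArnLike      = { "aws:SourceArn" = aws_s3_bucket.tfstate.arn }
        StringEquals = { "aws:SourceAccount" = data.aws_caller_identity.current.account_id }
      }
    }]
  })
  depends_on = [aws_s3_bucket_ownership_controls.logging]
}

locals {
  # one() returns null when count is 0, so neither branch of the conditional errors.
  logging_target = var.create_logging_bucket ? one(aws_s3_bucket.logging[*].id) : var.logging_target_bucket
}

resource "aws_s3_bucket_logging" "tfstate" {
  count         = (var.create_logging_bucket || var.logging_target_bucket != null) ? 1 : 0
  bucket        = aws_s3_bucket.tfstate.id
  target_bucket = local.logging_target
  target_prefix = "${var.bucket}/"

  lifecycle {
    # Refuse the configuration that produced the infinite logging loop.
    precondition {
      condition     = local.logging_target != var.bucket
      error_message = "The tfstate bucket must not deliver its access logs to itself."
    }
  }
}
```

Two points worth knowing when adapting this: S3 server access logging delivers only to a target bucket whose default encryption is SSE-S3, so the log bucket is intentionally left on the default rather than the KMS key used for state; and because the log bucket, its policy and the `aws_s3_bucket_logging` resource are all created in the same bootstrap run, they are still resources that exist before the state has moved into S3, which is the trade-off cdaniluk raises below.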

@smiller171
Contributor

You make a good point @mike-rsi. It may make sense for us to document this approach rather than building in logic around conditional creation.

@cdaniluk
Contributor Author

The only downside to this is that it is yet more resources we are building prior to the state being in S3. But I think as long as it's templated/documented well, that's not a problem.

@smiller171
Contributor

Yeah, and I think the justification around logging loops is reason enough to do it, plus using a secondary bucket is still optional.
