Interoperate with Terraform DynamoDB locks #356

Closed
nl-brett-stime opened this issue Dec 28, 2020 · 1 comment

@nl-brett-stime

Moving from serverless/serverless#8663 (comment).

Use case description

When using the Terraform S3 'backend', it's possible to configure a DynamoDB table for locking:

https://www.terraform.io/docs/state/locking.html
https://www.terraform.io/docs/backends/types/s3.html#dynamodb_table

This TF feature attempts to perform a conditional write to a DynamoDB table before making changes to the resources protected by the lock. If some other user has already begun modifying the protected resources through Terraform, the write condition will fail and the second user will have to wait until the first user has finished making their modifications. This prevents two users from trying to modify the controlled resources at the same time.

Some Serverless features such as Cognito User Pool trigger events modify existing resources. It'd be a good safety feature to tell Serverless to take a list of arbitrary locks that are compatible with Terraform to ensure that resources that are partially managed by both SLS and TF aren't being modified at the same time.

Proposed solution

Add a section in serverless.yml like the following:

terraformDynamoDbLocks:
  - someLockName:
    table: someTableName
    bucket: someBucketName
    workspace_key_prefix: someKeyPrefix
    workspace: someWorkspace
    key: someKey

When running, e.g., serverless deploy, if Serverless is unable to acquire any of the declared locks, it should throw an error message like, "Unable to acquire lock for 'someBucketName/someKeyPrefix/someWorkspace/someKey' the lock was acquired by other.user@your.org at 2020-12-22T15:22:43.960627Z. If you're sure they're done managing the remote state, you can force an unlock by running the following command: serverless terraform-force-unlock someLockName 1a756b9b-93b2-91c3-3811-098b884033aa". It's already possible to use Terraform itself to force the unlock, so that part of the feature would be less urgent but convenient for users who didn't also already have easy access to a configured Terraform installation.

Serverless should revert any locks it's created once it's done attempting its modifications.
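
The acquire-all-or-none behaviour requested above, as an added sketch that is not part of the issue and is not Serverless or Terraform code. It assumes Terraform's S3 backend keys each lock item on a `LockID` attribute, stores the holder as JSON in `Info`, and writes with the condition `attribute_not_exists(LockID)`; `FakeLockTable`, `acquireAll`, `releaseAll` and the locks-keyed-by-name object are hypothetical, and the table is an in-memory stand-in so the example runs offline.

```javascript
// In-memory stand-in for the DynamoDB lock table (constructed; makes no AWS calls).
// Assumption: items are keyed on LockID and carry the holder as JSON in Info.
class FakeLockTable {
  constructor() { this.items = new Map(); }
  // Models PutItem with ConditionExpression "attribute_not_exists(LockID)".
  putIfAbsent(item) {
    if (this.items.has(item.LockID)) {
      throw Object.assign(new Error('conditional write failed'),
        { name: 'ConditionalCheckFailedException' });
    }
    this.items.set(item.LockID, item);
  }
  get(lockId) { return this.items.get(lockId); }
  // Delete only when the stored lock ID matches, so another holder's lock survives.
  release(lockId, id) {
    const item = this.items.get(lockId);
    if (!item || JSON.parse(item.Info).ID !== id) return false;
    return this.items.delete(lockId);
  }
}

// Same path the issue's error message prints: bucket/prefix/workspace/key.
const lockPath = (l) => [l.bucket, l.workspace_key_prefix, l.workspace, l.key].join('/');

// Take every declared lock or none: on the first conflict, release what was taken.
function acquireAll(table, locks, who, newId, now = new Date().toISOString()) {
  const held = [];
  for (const [name, lock] of Object.entries(locks)) {
    const LockID = lockPath(lock);
    const ID = newId();
    try {
      table.putIfAbsent({ LockID, Info: JSON.stringify({ ID, Who: who, Created: now }) });
      held.push({ name, LockID, ID });
    } catch (err) {
      if (err.name !== 'ConditionalCheckFailedException') throw err;
      held.forEach((h) => table.release(h.LockID, h.ID));
      const current = table.get(LockID); // may be gone if the holder just released
      const holder = current ? JSON.parse(current.Info) : null;
      return { ok: false, name, LockID, holder, held: [] };
    }
  }
  return { ok: true, held };
}

// Release every lock this run took; attempts all of them even if one fails.
function releaseAll(table, held) {
  return held.map((h) => table.release(h.LockID, h.ID)).every(Boolean);
}
```

On a conflict, `holder.Who`, `holder.Created` and `holder.ID` carry what the proposed error message and the force-unlock command need.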

@medikoo
Contributor

medikoo commented Nov 30, 2021

This is a plugin registry. To discuss issues related to how to set up Serverless projects, please use https://github.com/serverless/serverless/discussions

@medikoo medikoo closed this as completed Nov 30, 2021