Merge pull request #238 from dflook/unlock-state

Unlock state

Author: dflook

.github/workflows/test-unlock-state.yaml

@@ -0,0 +1,176 @@
+name: Test terraform-unlock-state
+
+on:
+  - pull_request
+
+env:
+  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+jobs:
+  default_workspace:
+    runs-on: ubuntu-latest
+    name: Default workspace
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Check state is not locked
+        uses: ./terraform-apply
+        with:
+          path: tests/workflows/test-unlock-state
+          auto_approve: true
+
+      - name: Intentionally lock the state
+        uses: ./terraform-apply
+        id: failed-apply
+        continue-on-error: true
+        with:
+          path: tests/workflows/test-unlock-state
+          auto_approve: true
+          variables:
+            lock=true
+
+      # State is now locked
+
+      - name: Check apply-failed
+        run: |
+          if [[ "${{ steps.failed-apply.outcome }}" != "failure" ]]; then
+            echo "Apply did not fail correctly"
+            exit 1
+          fi
+
+          if [[ "${{ steps.failed-apply.outputs.failure-reason }}" != "apply-failed" ]]; then
+            echo "::error:: failure-reason not set correctly"
+            exit 1
+          fi
+
+      # Check state-locked
+      - name: Try using locked state
+        uses: ./terraform-apply
+        id: locked-state
+        continue-on-error: true
+        with:
+          path: tests/workflows/test-unlock-state
+          auto_approve: true
+
+      - name: Check state locked failure-reason
+        run: |
+          if [[ "${{ steps.locked-state.outcome }}" != "failure" ]]; then
+            echo "Apply did not fail correctly"
+            exit 1
+          fi
+
+          if [[ "${{ steps.locked-state.outputs.failure-reason }}" != "state-locked" ]]; then
+            echo "::error:: failure-reason not set correctly"
+            exit 1
+          fi
+          
+          echo '"${{ steps.locked-state.outputs.lock-info }}"'
+          
+          echo 'Lock id is ${{ fromJson(steps.locked-state.outputs.lock-info).ID }}'
+
+      - name: Unlock the state
+        uses: ./terraform-unlock-state
+        continue-on-error: true
+        with:
+          path: tests/workflows/test-unlock-state
+          lock_id: ${{ fromJson(steps.locked-state.outputs.lock-info).ID }}
+
+      - name: Check state is not locked
+        uses: ./terraform-apply
+        with:
+          path: tests/workflows/test-unlock-state
+          auto_approve: true
+
+  nondefault_workspace:
+    runs-on: ubuntu-latest
+    name: Non Default workspace
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Create first workspace
+        uses: ./terraform-new-workspace
+        with:
+          path: tests/workflows/test-unlock-state
+          workspace: hello
+
+      - name: Check state is not locked
+        uses: ./terraform-apply
+        with:
+          path: tests/workflows/test-unlock-state
+          workspace: hello
+          auto_approve: true
+
+      - name: Intentionally lock the state
+        uses: ./terraform-apply
+        id: failed-apply-workspace
+        continue-on-error: true
+        with:
+          path: tests/workflows/test-unlock-state
+          workspace: hello
+          auto_approve: true
+          variables:
+            lock=true
+
+      # State is now locked
+
+      - name: Check apply-failed
+        run: |
+          if [[ "${{ steps.failed-apply-workspace.outcome }}" != "failure" ]]; then
+            echo "Apply did not fail correctly"
+            exit 1
+          fi
+
+          if [[ "${{ steps.failed-apply-workspace.outputs.failure-reason }}" != "apply-failed" ]]; then
+            echo "::error:: failure-reason not set correctly"
+            exit 1
+          fi
+
+      # Check state-locked
+      - name: Try using locked state
+        uses: ./terraform-apply
+        id: locked-state-workspace
+        continue-on-error: true
+        with:
+          path: tests/workflows/test-unlock-state
+          workspace: hello
+          auto_approve: true
+
+      - name: Check state locked failure-reason
+        run: |
+          if [[ "${{ steps.locked-state-workspace.outcome }}" != "failure" ]]; then
+            echo "Apply did not fail correctly"
+            exit 1
+          fi
+
+          if [[ "${{ steps.locked-state-workspace.outputs.failure-reason }}" != "state-locked" ]]; then
+            echo "::error:: failure-reason not set correctly"
+            exit 1
+          fi
+          
+          echo '"${{ steps.locked-state-workspace.outputs.lock-info }}"'
+          
+          echo 'Lock id is ${{ fromJson(steps.locked-state-workspace.outputs.lock-info).ID }}'
+
+      - name: Unlock the state
+        uses: ./terraform-unlock-state
+        continue-on-error: true
+        with:
+          path: tests/workflows/test-unlock-state
+          workspace: hello
+          lock_id: ${{ fromJson(steps.locked-state-workspace.outputs.lock-info).ID }}
+
+      - name: Check state is not locked
+        uses: ./terraform-apply
+        with:
+          path: tests/workflows/test-unlock-state
+          workspace: hello
+          auto_approve: true
+
+      - name: Destroy workspace
+        uses: ./terraform-destroy-workspace
+        with:
+          path: tests/workflows/test-unlock-state
+          workspace: hello

image/actions.sh

@@ -399,11 +399,11 @@ function plan() {
 
 function destroy() {
     # shellcheck disable=SC2086
-    debug_log terraform destroy -input=false -auto-approve -lock-timeout=300s $PARALLEL_ARG $PLAN_ARGS
+    debug_log terraform destroy -input=false -no-color -auto-approve -lock-timeout=300s $PARALLEL_ARG $PLAN_ARGS
 
     set +e
     # shellcheck disable=SC2086
-    (cd "$INPUT_PATH" && terraform destroy -input=false -auto-approve -lock-timeout=300s $PARALLEL_ARG $PLAN_ARGS) \
+    (cd "$INPUT_PATH" && terraform destroy -input=false -no-color -auto-approve -lock-timeout=300s $PARALLEL_ARG $PLAN_ARGS) \
         2>"$STEP_TMP_DIR/terraform_destroy.stderr" \
         | tee /dev/fd/3 \
             >"$STEP_TMP_DIR/terraform_destroy.stdout"
@@ -413,6 +413,12 @@ function destroy() {
     set -e
 }
 
+function force_unlock() {
+    echo "Unlocking state with ID: $INPUT_LOCK_ID"
+    debug_log terraform force-unlock -force $INPUT_LOCK_ID
+    (cd "$INPUT_PATH" && terraform force-unlock -force $INPUT_LOCK_ID)
+}
+
 # Every file written to disk should use one of these directories
 STEP_TMP_DIR="/tmp"
 JOB_TMP_DIR="$HOME/.dflook-terraform-github-actions"

image/entrypoints/apply.sh

@@ -24,17 +24,24 @@ function apply() {
         # shellcheck disable=SC2086
         debug_log terraform apply -input=false -no-color -auto-approve -lock-timeout=300s $PARALLEL_ARG $PLAN_OUT
         # shellcheck disable=SC2086
-        (cd "$INPUT_PATH" && terraform apply -input=false -no-color -auto-approve -lock-timeout=300s $PARALLEL_ARG $PLAN_OUT) | $TFMASK
+        (cd "$INPUT_PATH" && terraform apply -input=false -no-color -auto-approve -lock-timeout=300s $PARALLEL_ARG $PLAN_OUT) \
+            2>"$STEP_TMP_DIR/terraform_apply.stderr" \
+            | $TFMASK
         APPLY_EXIT=${PIPESTATUS[0]}
+        >&2 cat "$STEP_TMP_DIR/terraform_apply.stderr"
     else
         # There is no plan file to apply, since the remote backend can't produce them.
         # Instead we need to do an auto approved apply using the arguments we would normally use for the plan
 
         # shellcheck disable=SC2086
         debug_log terraform apply -input=false -no-color -auto-approve -lock-timeout=300s $PARALLEL_ARG '$PLAN_ARGS'  # don't expand plan args
         # shellcheck disable=SC2086
-        (cd "$INPUT_PATH" && terraform apply -input=false -no-color -auto-approve -lock-timeout=300s $PARALLEL_ARG $PLAN_ARGS) | $TFMASK | tee "$STEP_TMP_DIR/terraform_apply.stdout"
+        (cd "$INPUT_PATH" && terraform apply -input=false -no-color -auto-approve -lock-timeout=300s $PARALLEL_ARG $PLAN_ARGS) \
+            2>"$STEP_TMP_DIR/terraform_apply.stderr" \
+            | $TFMASK \
+            | tee "$STEP_TMP_DIR/terraform_apply.stdout"
         APPLY_EXIT=${PIPESTATUS[0]}
+        >&2 cat "$STEP_TMP_DIR/terraform_apply.stderr"
 
         if remote-run-id "$STEP_TMP_DIR/terraform_apply.stdout" >"$STEP_TMP_DIR/remote-run-id.stdout" 2>"$STEP_TMP_DIR/remote-run-id.stderr"; then
             RUN_ID="$(<"$STEP_TMP_DIR/remote-run-id.stdout")"
@@ -49,7 +56,11 @@ function apply() {
     if [[ $APPLY_EXIT -eq 0 ]]; then
         update_status ":white_check_mark: Plan applied in $(job_markdown_ref)"
     else
-        set_output failure-reason apply-failed
+        if lock-info "$STEP_TMP_DIR/terraform_apply.stderr"; then
+            set_output failure-reason state-locked
+        else
+            set_output failure-reason apply-failed
+        fi
         update_status ":x: Error applying plan in $(job_markdown_ref)"
         exit 1
     fi
@@ -76,6 +87,10 @@ fi
 if [[ $PLAN_EXIT -eq 1 ]]; then
     cat >&2 "$STEP_TMP_DIR/terraform_plan.stderr"
 
+    if lock-info "$STEP_TMP_DIR/terraform_plan.stderr"; then
+        set_output failure-reason state-locked
+    fi
+
     update_status ":x: Error applying plan in $(job_markdown_ref)"
     exit 1
 fi

image/entrypoints/destroy-workspace.sh

@@ -21,7 +21,11 @@ fi
 
 if [[ $DESTROY_EXIT -eq 1 ]]; then
     cat >&2 "$STEP_TMP_DIR/terraform_destroy.stderr"
-    set_output failure-reason destroy-failed
+    if lock-info "$STEP_TMP_DIR/terraform_destroy.stderr"; then
+        set_output failure-reason state-locked
+    else
+        set_output failure-reason destroy-failed
+    fi
     exit 1
 fi
 

image/entrypoints/destroy.sh

@@ -21,6 +21,10 @@ fi
 
 if [[ $DESTROY_EXIT -eq 1 ]]; then
     cat >&2 "$STEP_TMP_DIR/terraform_destroy.stderr"
-    set_output failure-reason destroy-failed
+    if lock-info "$STEP_TMP_DIR/terraform_destroy.stderr"; then
+        set_output failure-reason state-locked
+    else
+        set_output failure-reason destroy-failed
+    fi
     exit 1
 fi

image/entrypoints/unlock-state.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# shellcheck source=../actions.sh
+source /usr/local/actions.sh
+
+debug
+setup
+init-backend-workspace
+
+force_unlock

image/setup.py

@@ -15,7 +15,8 @@
             'plan_summary=plan_summary.__main__:main',
             'terraform-cloud-state=terraform_cloud_state.__main__:main',
             'remote-run-id=terraform_cloud_state.__main__:remote_run_id',
-            'get-terraform-checksums=terraform_version.get_checksums:main'
+            'get-terraform-checksums=terraform_version.get_checksums:main',
+            'lock-info=lock_info.__main__:main'
         ]
     },
     install_requires=[

image/src/lock_info/__init__.py

@@ -0,0 +1,51 @@
+"""
+Create an actions output for any lock info
+
+Input arg is a path to a file containing stderr from a terraform command
+If any state lock info is found creates a `lock-info` actions output with a json dump of the lock info
+and has a zero exit code.
+
+If no state locked error is present, has a nonzero exit
+
+Usage:
+    lock-info <TERRAFORM_STDERR_PATH>
+"""
+
+import json
+import re
+import sys
+from typing import Iterable, Optional
+from github_actions.commands import output
+
+def get_lock_info(stderr: Iterable[str]) -> Optional[dict[str, str]]:
+    locked = False
+    lock_info_line = False
+    lock_info = {}
+
+    for line in stderr:
+        if locked is True:
+            if lock_info_line:
+                if match := re.match(r'^\s+(?P<field>.*?):\s+(?P<value>.*)', line):
+                    lock_info[match['field']] = match['value']
+
+            elif line.startswith('Lock Info:'):
+                lock_info_line = True
+
+        elif 'Error acquiring the state lock' in line:
+            locked = True
+
+    return lock_info if locked else None
+
+
+def main():
+    with open(sys.argv[1]) as f:
+        lock_info = get_lock_info(f.readlines())
+
+    if lock_info is None:
+        sys.exit(1)
+
+    output('lock-info', json.dumps(lock_info))
+
+
+if __name__ == '__main__':
+    main()