PLAT-7815 Wait for bastion instance profile, Check efs backup role (#204

) * PLAT-7815 Wait for bastion instance profile, Check efs backup role
dominodatalab · Jan 23, 2024 · 2628577 · 2628577
1 parent 8bfb1b9
commit 2628577
Show file tree

Hide file tree

Showing 5 changed files with 74 additions and 2 deletions.
diff --git a/modules/infra/submodules/bastion/README.md b/modules/infra/submodules/bastion/README.md
@@ -15,6 +15,7 @@
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.0 |
 | <a name="provider_null"></a> [null](#provider\_null) | >= 3.1.0 |
+| <a name="provider_terraform"></a> [terraform](#provider\_terraform) | n/a |
 
 ## Modules
 
@@ -36,6 +37,7 @@ No modules.
 | [aws_security_group_rule.bastion](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.bastion_outbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [null_resource.install_binaries](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [terraform_data.check_bastion_instance_profile](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
 | [aws_ami.amazon_linux_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
 | [aws_caller_identity.aws_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_default_tags.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/default_tags) | data source |

diff --git a/modules/infra/submodules/bastion/main.tf b/modules/infra/submodules/bastion/main.tf
@@ -99,6 +99,35 @@ resource "aws_iam_instance_profile" "bastion" {
   role = aws_iam_role.bastion.name
 }
 
+resource "terraform_data" "check_bastion_instance_profile" {
+  provisioner "local-exec" {
+    command     = <<-EOF
+      set -x -o pipefail
+
+      sleep_duration=10
+      iam_profile="${aws_iam_instance_profile.bastion.name}"
+
+      check_iam_profile() {
+        echo "Checking for $iam_profile ..."
+        aws iam get-instance-profile --instance-profile-name $iam_profile > /dev/null 2>&1
+      }
+
+      for _ in {1..30}; do
+        if check_iam_profile; then
+          exit 0
+        fi
+
+        sleep "$sleep_duration"
+      done
+
+      echo "Timeout reached waiting for $iam_profile ...Exiting"
+      exit 1
+    EOF
+    interpreter = ["bash", "-c"]
+  }
+  depends_on = [aws_iam_instance_profile.bastion]
+}
+
 data "aws_ami" "amazon_linux_2" {
   count       = var.bastion.ami_id == null ? 1 : 0
   most_recent = true
@@ -176,6 +205,7 @@ resource "aws_instance" "bastion" {
       root_block_device[0].kms_key_id,
     ]
   }
+  depends_on = [terraform_data.check_bastion_instance_profile]
 }
 
 resource "aws_eip" "bastion" {

diff --git a/modules/infra/submodules/storage/README.md b/modules/infra/submodules/storage/README.md
@@ -51,6 +51,7 @@ No modules.
 | [aws_s3_bucket_server_side_encryption_configuration.monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_s3_bucket_versioning.buckets_versioning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 | [aws_security_group.efs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [terraform_data.check_backup_role](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
 | [terraform_data.set_monitoring_private_acl](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
 | [aws_elb_service_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account) | data source |
 | [aws_iam_policy.aws_backup_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |

diff --git a/modules/infra/submodules/storage/efs_backup_vault.tf b/modules/infra/submodules/storage/efs_backup_vault.tf
@@ -60,12 +60,51 @@ resource "aws_iam_role_policy_attachment" "efs_backup_role_attach" {
   policy_arn = data.aws_iam_policy.aws_backup_role_policy[0].arn
 }
 
+resource "terraform_data" "check_backup_role" {
+  count = var.storage.efs.backup_vault.create ? 1 : 0
+
+  provisioner "local-exec" {
+    command     = <<-EOF
+      set -x -o pipefail
+
+      sleep_duration=10
+      iam_role="${aws_iam_role.efs_backup_role[0].name}"
+
+      check_iam_role(){
+        echo "Checking assume on $iam_role ..."
+        aws iam get-role --role-name $iam_role > /dev/null 2>&1
+      }
+
+      for _ in {1..30}; do
+        if check_iam_role; then
+          exit 0
+        fi
+
+        sleep "$sleep_duration"
+      done
+
+      echo "Timeout reached waiting for $iam_role ...Exiting"
+      exit 1
+    EOF
+    interpreter = ["bash", "-c"]
+  }
+
+  triggers_replace = [
+    aws_iam_role.efs_backup_role[0].id,
+  ]
+  depends_on = [
+    aws_iam_role.efs_backup_role,
+    aws_iam_role_policy_attachment.efs_backup_role_attach
+  ]
+}
+
 resource "aws_backup_selection" "efs" {
   count = var.storage.efs.backup_vault.create ? 1 : 0
   name  = "${var.deploy_id}-efs"
 
   plan_id      = aws_backup_plan.efs[0].id
   iam_role_arn = aws_iam_role.efs_backup_role[0].arn
 
-  resources = [aws_efs_file_system.eks.arn]
+  resources  = [aws_efs_file_system.eks.arn]
+  depends_on = [terraform_data.check_backup_role]
 }
diff --git a/tests/deploy/infra-ci.tfvars.tftpl b/tests/deploy/infra-ci.tfvars.tftpl
@@ -68,4 +68,4 @@ tags = {
   CIRCLE_BUILD_NUM      = "${CIRCLE_BUILD_NUM}"
 }
 
-ignore_tag_keys = ["my-ignored-tag"]
+ignore_tags = ["my-ignored-tag"]