From 973b8b87cd0b3dcef7ea223a2ea777c3dab279a2 Mon Sep 17 00:00:00 2001
From: Chuqian Susan Li <22352112+suzyng83209@users.noreply.github.com>
Date: Fri, 23 Feb 2024 11:36:29 -0800
Subject: [PATCH] Allow SGTM to be setup with Terraform Cloud (#164)

SGTM has only used the s3-backed terraform backend with terragrunt for a while. Asana is moving to using just Terraform Cloud so we want to enable SGTM to move to TFC as well.

Changes:
* Created a new generate block with conditionals depending on which remote backend one wants to use. This should generate a well-formatted `backend.tf`
* Still kept the old pathway for s3 remote backend
* Added 3 new TF vars to define the backend configuration
* Updated docs and instructions for deployment

Pull Request synchronized with [Asana task](https://app.asana.com/0/0/1206682923832152)
---
 README.md                | 38 ++++++++++++++++++++++++--------------
 terraform/terragrunt.hcl | 24 ++++++++++++++++--------
 terraform/variables.tf   | 20 ++++++++++++++++++++
 3 files changed, 60 insertions(+), 22 deletions(-)

diff --git a/README.md b/README.md
index b98368a7..b5416129 100644
--- a/README.md
+++ b/README.md
@@ -64,37 +64,47 @@ NOTE: AWS S3 Bucket names are globally unique, so you will need to choose your o ### Run setup script You'll first need to set up the [Terraform remote state](https://www.terraform.io/docs/state/remote.html) to be the source of truth for the state of your deployed infrastructure. +SGTM supports both s3 and terraform cloud backend. Please select only 1 to deploy your terraform changes to. + +#### S3 Backend Setup + 1. Run `python3 ./scripts/setup.py state` (this will create an S3 bucket and DyanmoDb lock table for Terraform) +2. Ensure `TF_VAR_terraform_backend_use_tfc=false` and continue the setup instructions from Step #2 below. + +#### Terraform Cloud Setup +You'll need to have a Terraform Cloud account have the workspace you want to deploy SGTM in already setup. Make sure you have admin/write access to the workspace + +1. Set `TF_VAR_terraform_backend_use_tfc=true` and make sure the dependent TF_VARs are defined as well. (`TF_VAR_terraform_backend_organization_name` and `TF_VAR_terraform_backend_workspace_name`) 2. Initialize and apply the infrastructure: ```bash > cd ./terraform > terragrunt init > terragrunt apply ``` -1. Save the output of `terragrunt apply`, which should print out a `api_gateway_deployment_invoke_url`. You'll need this in the next step. -1. Push your secrets to the ecrypted S3 bucket that Terraform just created. `cd` back to the root of your repository and run: `python3 ./scripts/setup.py secrets` and follow the prompts. +3. Save the output of `terragrunt apply`, which should print out a `api_gateway_deployment_invoke_url`. You'll need this in the next step. +4. Push your secrets to the ecrypted S3 bucket that Terraform just created. `cd` back to the root of your repository and run: `python3 ./scripts/setup.py secrets` and follow the prompts. ### Add Mapping of Github Repository -> Asana Project For each repository that you are going to sync: 1. Find that repository's Github Graphql `node_id`: 1. 
You can get this using `curl -i -u : https://api.github.com/repos//` -1. Using the "SGTM tasks" project id from [Create Asana Projects](#create-asana-projects), update the sgtm-objects DynamoDb table with the mapping of `{"github-node": "", "asana-id": ""}` +2. Using the "SGTM tasks" project id from [Create Asana Projects](#create-asana-projects), update the sgtm-objects DynamoDb table with the mapping of `{"github-node": "", "asana-id": ""}` ### Create Your Github Webhook For each repository that you want to sync to Asana through SGTM: 1. Navigate to `https://github.com///settings/hooks` -1. Click "Add webhook" -1. Under "Payload URL", input the `api_gateway_deployment_invoke_url` from the previous step -1. Under "Content Type", select "application/json" -1. Under "Secret", input your secret token that you generated earlier -1. Under "Which events would you like to trigger this webhook?", select "Let me select individual events." +2. Click "Add webhook" +3. Under "Payload URL", input the `api_gateway_deployment_invoke_url` from the previous step +4. Under "Content Type", select "application/json" +5. Under "Secret", input your secret token that you generated earlier +6. Under "Which events would you like to trigger this webhook?", select "Let me select individual events." 1. Issue comments - 1. Pull requests - 1. Pull request reviews - 1. Pull request review comments - 1. Statuses -1. Make sure "Active" is selected -1. Click "Add webhook" + 2. Pull requests + 3. Pull request reviews + 4. Pull request review comments + 5. Statuses +7. Make sure "Active" is selected +8. Click "Add webhook" ### Take it for a spin! At this point, you should be all set to start getting Pull Requests synced to Asana Tasks. Open up a Pull Request, and Enjoy! diff --git a/terraform/terragrunt.hcl b/terraform/terragrunt.hcl index 9fa46ca5..1ab1b98d 100644 --- a/terraform/terragrunt.hcl +++ b/terraform/terragrunt.hcl 
@@ -1,19 +1,27 @@ # Should be able to use vars directly in main.tf, but can't # in backend configuration, so we use terragrunt for now. # See: https://github.com/hashicorp/terraform/issues/13022 -remote_state { - backend = "s3" - - generate = { - path = "backend.tf" - if_exists = "overwrite_terragrunt" +generate "backend" { + path = "backend.tf" + if_exists = "overwrite_terragrunt" + contents = <
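
Review bot: In the README.md hunk, step 2 of "S3 Backend Setup" sends the reader to "Step #2 below", but that step now sits under the "Terraform Cloud Setup" heading, so the S3 path appears to continue inside the other backend's section. Move the shared steps (init/apply, save the `api_gateway_deployment_invoke_url`, push secrets) under their own heading that both backend sections point to. "Make sure you have admin/write access to the workspace" should name the single permission level that is actually required, so deployers do not default to admin. The README should also say what happens when `TF_VAR_terraform_backend_use_tfc` is left unset, since both sections ask for it to be set explicitly. Small wording fixes while the list is being renumbered: "account have the workspace ... already setup" is missing an "and", "ecrypted" is carried into the new step 4, and the adjacent context line still reads "DyanmoDb".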
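
Review bot: In terraform/terragrunt.hcl the header comment above the new `generate "backend"` block still explains the file only as a workaround for variables in backend configuration, while the `remote_state` block it described is gone. A plain `generate` block writes `backend.tf` verbatim and does none of the backend bootstrapping that terragrunt's `remote_state` performs, so the s3 path now depends entirely on `python3 ./scripts/setup.py state` having been run first; the comment should say so. Because `contents` is now a hand-written template with conditionals, it is also worth failing early when `terraform_backend_use_tfc` is true and the organization or workspace name is empty, rather than rendering a `backend.tf` with blank values that only errors at `terragrunt init`.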