Update production workflow and backend configuration for OpenTofu migration (#30)

Author: brettcurtis

.github/workflows/production.yml

@@ -18,19 +18,19 @@ permissions:
 jobs:
   main:
     name: "Main"
-    uses: osinfra-io/github-opentofu-gcp-called-workflows/.github/workflows/plan-and-apply.yml@367d86eecaab18bb7fae7f5fa17fe7001df13f16
+    uses: osinfra-io/github-opentofu-gcp-called-workflows/.github/workflows/plan-and-apply.yml@e3c59e43f2458550c7f13b6369fb6978b6f42c6e # v0.2.9
     if: github.actor != 'osinfra-sa'
     with:
       checkout_ref: ${{ github.ref }}
       github_environment: "Production: Main"
       service_account: plt-dd-organization-github@plt-lz-backend-tf5f-prod.iam.gserviceaccount.com
+      opentofu_kms_encryption_key: projects/plt-lz-backend-tf5f-prod/locations/us/keyRings/state-encryption/cryptoKeys/default
       opentofu_plan_args: -var-file=tfvars/production.tfvars
       opentofu_state_bucket: plt-dd-organization-d3c2-prod
       opentofu_version: ${{ vars.OPENTOFU_VERSION }}
       opentofu_workspace: main-production
       workload_identity_provider: projects/134040294660/locations/global/workloadIdentityPools/github-actions/providers/github-actions-oidc
     secrets:
-      gpg_passphrase: ${{ secrets.GPG_PASSPHRASE }}
       opentofu_plan_secret_args: >-
         -var=datadog_api_key=${{ secrets.DATADOG_API_KEY }}
         -var=datadog_app_key=${{ secrets.DATADOG_APP_KEY }}

backend.tofu

@@ -1,12 +1,13 @@
 # Backend Configuration
-# https://www.terraform.io/language/settings/backends/configuration
+# https://opentofu.org/docs/language/settings/backends/configuration
 
 terraform {
-
   # Google Cloud Storage
-  # https://www.terraform.io/language/settings/backends/gcs
+  # https://opentofu.org/docs/language/settings/backends/gcs
 
   backend "gcs" {
-    prefix = "datadog-organization-management"
+    bucket             = var.state_bucket
+    kms_encryption_key = var.state_kms_encryption_key
+    prefix             = var.state_prefix
   }
 }

main.tofu

@@ -2,6 +2,43 @@
 # https://registry.terraform.io/providers/DataDog/datadog/latest/docs
 
 terraform {
+  # State and Plan Encryption
+  # https://opentofu.org/docs/language/state/encryption
+
+  # The commented out sections below demonstrate how to configure
+  # fallback encryption methods for state and plan files for bootstrapping.
+
+  encryption {
+    method "unencrypted" "migrate" {}
+
+    key_provider "gcp_kms" "default" {
+      kms_encryption_key = var.state_kms_encryption_key
+      key_length         = 32
+    }
+
+    method "aes_gcm" "default" {
+      keys = key_provider.gcp_kms.default
+    }
+
+    plan {
+      method = method.aes_gcm.default
+      # enforced = true
+
+      fallback {
+        method = method.unencrypted.migrate
+      }
+    }
+
+    state {
+      method = method.aes_gcm.default
+      # enforced = true
+
+      fallback {
+        method = method.unencrypted.migrate
+      }
+    }
+  }
+
   required_providers {
     datadog = {
       source = "datadog/datadog"
@@ -162,3 +199,9 @@ resource "datadog_user" "this" {
   name  = each.value.name
   roles = [data.datadog_role.this[each.value.role].id]
 }
+
+resource "null_resource" "force_apply" {
+  triggers = {
+    always_run = timestamp()
+  }
+}

variables.tofu

@@ -29,6 +29,24 @@ variable "log_indexes" {
   }))
 }
 
+# These three state_* variables are required for early variable evaluation for backend and provider configuration.
+# They are defined in the GitHub Actions called workflows and should NOT be set in the OpenTofu configuration.
+
+variable "state_bucket" {
+  description = "The name of the GCS bucket to store state files"
+  type        = string
+}
+
+variable "state_kms_encryption_key" {
+  description = "The KMS encryption key for state and plan files"
+  type        = string
+}
+
+variable "state_prefix" {
+  description = "The prefix for state files in the GCS bucket"
+  type        = string
+}
+
 variable "teams" {
   description = "Map of Datadog teams to create"
   type = map(object({