From 15367aeb79f73e5c0b3cc83d81f9787d1ee1ea40 Mon Sep 17 00:00:00 2001 From: Hector Rivas Gandara Date: Tue, 29 Mar 2016 15:19:50 +0100 Subject: [PATCH 1/2] Workaround terraform codecommit issue Terraform codecommit resource[1] has a bug managing the default_branch property. Although this property is optional, terraform will try to manage it. If defined, codecommit will fail during creation: BranchDoesNotExistException: refs/heads/master does not exist Meanwhile if default_branch is defined, codecommit will fail as soon as a branch is pushed to the repository. The reason is that AWS enforces having at least one branch as default branch, failing when terraform is trying to set it empty: * aws_codecommit_repository.concourse-pool: Error Updating Default * Branch for CodeCommit Repository: InvalidParameter: 1 validation * errors: - field too short, minimum length 1: DefaultBranchName This will be reported upstream, but meanwhile we will work around it by passing the default branch as a variable, and querying it using awscli. If the repository does not exist or does not have a default branch, the variable will be set to the empty string "". --- concourse/pipelines/create-deployer.yml | 39 +++++++++++++++++++++++++ terraform/concourse/codecommit.tf | 2 +- terraform/concourse/variables.tf | 5 ++++ 3 files changed, 45 insertions(+), 1 deletion(-) diff --git a/concourse/pipelines/create-deployer.yml b/concourse/pipelines/create-deployer.yml index c44dd04f9d..99eaf82d5d 100644 --- a/concourse/pipelines/create-deployer.yml +++ b/concourse/pipelines/create-deployer.yml 
@@ -270,6 +270,41 @@ jobs: "/C=UK/ST=London/L=London/O=GDS/CN=deployer.${SYSTEM_DNS_ZONE_NAME}" tar czvf concourse-cert.tar.gz concourse.crt concourse.key + # Temporary task to retrieve the codecommit default branch if it exists + - task: get-codecommit-default-branch + config: + image: docker:///governmentpaas/awscli + inputs: + - name: paas-cf + outputs: + - name: codecommit-default-branch + params: + DEPLOY_ENV: {{deploy_env}} + run: + path: sh + args: + - -c + - | + aws codecommit get-repository \ + --region us-east-1 \ + --repository-name concourse-pool-${DEPLOY_ENV} \ + --query 'repositoryMetadata.defaultBranch' \ + --output text > output.txt 2>&1 + RET=$? + + if [ "$RET" == "0" ]; then + if [ "$(cat output.txt)" == "None" ]; then + echo "" > codecommit-default-branch/default_branch.txt + else + cat output.txt > codecommit-default-branch/default_branch.txt + fi + elif grep -q RepositoryDoesNotExistException output.txt; then + echo "" > codecommit-default-branch/default_branch.txt + else + cat output.txt + exit 1 + fi + - task: terraform-apply config: image: docker:///governmentpaas/terraform @@ -279,6 +314,7 @@ jobs: - name: concourse-terraform-state - name: generate-concourse-cert - name: git-ssh-public-key + - name: codecommit-default-branch params: VAGRANT_IP: {{vagrant_ip}} TF_VAR_env: {{deploy_env}} @@ -292,7 +328,10 @@ jobs: - | cp generate-concourse-cert/concourse.crt generate-concourse-cert/concourse.key . . vpc-terraform-outputs/tfvars.sh + export TF_VAR_git_rsa_id_pub=$(cat git-ssh-public-key/git_id_rsa.pub) + export TF_VAR_git_default_branch_workaround=$(cat codecommit-default-branch/default_branch.txt) + terraform_params=${VAGRANT_IP:+-var vagrant_cidr=$VAGRANT_IP/32} terraform apply ${terraform_params} \ -var-file=paas-cf/terraform/{{aws_account}}.tfvars \ diff --git a/terraform/concourse/codecommit.tf b/terraform/concourse/codecommit.tf index 5b0c91939f..d43562d209 100644 --- a/terraform/concourse/codecommit.tf 
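Review bot: In the get-codecommit-default-branch script, `> output.txt 2>&1` mixes stderr into the file that the success branch copies verbatim into default_branch.txt. If the CLI prints any warning on a successful call, that text ends up in the Terraform variable and the `"None"` comparison no longer matches. Keeping the streams apart avoids this: `--output text > output.txt 2> error.txt`, then `elif grep -q RepositoryDoesNotExistException error.txt; then`, and `cat error.txt` in the final failure branch. The task runs under `sh`, where `==` inside `[ ]` is not POSIX, so `[ "$RET" = "0" ]` is the portable form. `${DEPLOY_ENV}` in `--repository-name` should also be quoted.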
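Review bot: The added `export TF_VAR_git_default_branch_workaround=$(cat codecommit-default-branch/default_branch.txt)` hands the file content to Terraform unquoted and without any check that it is a single branch name. Depending on which shell is behind `sh` in the image, an unquoted command substitution in `export` may be word-split, so unexpected multi-word content would be silently truncated. Quoting it is enough: `export TF_VAR_git_default_branch_workaround="$(cat codecommit-default-branch/default_branch.txt)"`. The terraform-apply script starts and ends outside this hunk.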
+++ b/terraform/concourse/codecommit.tf @@ -2,7 +2,7 @@ resource "aws_codecommit_repository" "concourse-pool" { provider = "aws.codecommit" repository_name = "concourse-pool-${var.env}" description = "Git repository to keep concourse pool resource locks" - default_branch = "master" + default_branch = "${var.git_default_branch_workaround}" } resource "aws_iam_user" "git" { diff --git a/terraform/concourse/variables.tf b/terraform/concourse/variables.tf index f9b0dcab9f..784a9f75ed 100644 --- a/terraform/concourse/variables.tf +++ b/terraform/concourse/variables.tf @@ -9,3 +9,8 @@ variable "system_dns_zone_name" { variable "git_rsa_id_pub" { description = "Public SSH key for the git user" } + +variable "git_default_branch_workaround" { + description = "Value of current default branch for codecommit git repo. Temporary workaround." + default = "" +} From 383e8ca4b6f3e124276ac7d63c0e40ac274c481e Mon Sep 17 00:00:00 2001 From: Hector Rivas Gandara Date: Wed, 30 Mar 2016 12:21:16 +0100 Subject: [PATCH 2/2] Init job should not bump the pipeline-trigger After adding the job lock pipeline, which bumps the pipeline-trigger resource, it is not required that init to do the same. --- concourse/pipelines/create-bosh-cloudfoundry.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/concourse/pipelines/create-bosh-cloudfoundry.yml b/concourse/pipelines/create-bosh-cloudfoundry.yml index 7249c5a79f..5ee30c17f6 100644 --- a/concourse/pipelines/create-bosh-cloudfoundry.yml +++ b/concourse/pipelines/create-bosh-cloudfoundry.yml @@ -312,8 +312,6 @@ jobs: paas-cf/concourse/scripts/s3init.sh {{state_bucket}} cf.tfstate paas-cf/concourse/init_files/terraform.tfstate.tpl paas-cf/concourse/scripts/s3init.sh {{state_bucket}} cf-certs.tar.gz paas-cf/concourse/init_files/empty.tar.gz paas-cf/concourse/scripts/s3init.sh {{state_bucket}} git-keys.tar.gz paas-cf/concourse/init_files/empty.tar.gz - - put: pipeline-trigger - params: {bump: patch} - name: bosh-terraform serial_groups: [bosh-deploy]
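Review bot: In terraform/concourse/codecommit.tf the new `default_branch = "${var.git_default_branch_workaround}"` has no comment saying where the value comes from or when the workaround can go. Together with `default = ""` in the variables.tf hunk, any run that does not go through the get-codecommit-default-branch task would send an empty default branch. By the commit message's own description, that is the update AWS rejects once the repository has a branch. A comment above the attribute would record the dependency, for example `# Workaround: value is looked up by the get-codecommit-default-branch pipeline task; remove once the provider handles default_branch correctly`. If every caller is expected to supply the value, consider dropping the default so that a missing lookup fails early instead of attempting the empty update.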