From 6d34d18f8243636a21c5cffaf6823c57f2d2ec44 Mon Sep 17 00:00:00 2001
From: Vivian Rook
Date: Wed, 29 Nov 2023 07:17:15 -0500
Subject: [PATCH 1/5] tofu state to s3
Bug: T352164
---
 .gitattributes | 2 ++
 README.md | 5 +++++
 deploy.sh | 6 ++++--
 secrets-eqiad1.sh | Bin 0 -> 198 bytes
 tofu/main.tf | 11 +++++++++++
 5 files changed, 22 insertions(+), 2 deletions(-)
 create mode 100644 secrets-eqiad1.sh
diff --git a/.gitattributes b/.gitattributes
index 29fc3c99..370e338a 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -6,3 +6,5 @@ ansible/files/csi-secret-cinderplugin.yaml.codfw1dev.crypt filter=git-crypt diff
 paws/codfw-secrets.yaml filter=git-crypt diff=git-crypt
 paws/files/minesweeper/secrets/** filter=git-crypt diff=git-crypt
 tofu/secrets.tf filter=git-crypt diff=git-crypt
+secrets-eqiad1.sh filter=git-crypt diff=git-crypt
+secrets-codfw1dev.sh filter=git-crypt diff=git-crypt
diff --git a/README.md b/README.md
index 7d16af20..c7183f29 100644
--- a/README.md
+++ b/README.md
@@ -116,3 +116,8 @@ bash deploy.sh
 update the web proxy in horizon to point to current cluster.
 https://wikitech.wikimedia.org/wiki/PAWS/Admin#Deployment
+
+#### Disaster Recovery
+If the entire project is removed two parts of paws are not managed by tofu/ansible.
+Object storage container: An object storage container named "tofu-state" will need to be generated in horizon. This is where the state file for tofu resides.
+NFS: The NFS server is not included. And a fresh NFS server will be needed for paws to operate.
diff --git a/deploy.sh b/deploy.sh
index 786d3500..6c6568a4 100644
--- a/deploy.sh
+++ b/deploy.sh
@@ -31,14 +31,16 @@ if ! command -v tofu ; then
 exit 1
 fi
+source secrets-${datacenter}.sh
+
 python3 -m venv .venv/deploy
 source .venv/deploy/bin/activate
 pip install ansible==8.1.0 kubernetes==26.1.0
 cd tofu
-tofu init
-tofu apply -var datacenter=${datacenter} # -auto-approve
+tofu init -backend-config access_key="${ACCESS_KEY}" -backend-config secret_key="${SECRET_KEY}"
+tofu apply -var datacenter=${datacenter} # -auto-approve
 export KUBECONFIG=$(pwd)/kube.config
 cd ../ansible
diff --git a/secrets-eqiad1.sh b/secrets-eqiad1.sh
new file mode 100644
index 0000000000000000000000000000000000000000..6a74de2b7a4f092d24fd6854b2f36b0f4b43d25c
GIT binary patch
literal 198
zcmV;%06G5vM@dveQdv+`05)eir{uLcU-)kxmF5;Tl`rUUEl6Z*;IT49N}=hI3VnR~%h$m8!|8XJ3|&25WoaJyY;_x|0CIzeiRGCXE5>tIRN1_t6_
A`~Uy|
literal 0
HcmV?d00001
diff --git a/tofu/main.tf b/tofu/main.tf
index 05c25edf..789c7bd7 100644
--- a/tofu/main.tf
+++ b/tofu/main.tf
@@ -1,5 +1,16 @@
 terraform {
 required_version = ">= 1.6.0"
+backend "s3" {
+#access_key = "7f5dc99840424406ae1e888d21b936a7"
+bucket = "tofu-state"
+endpoint = "https://object.eqiad1.wikimediacloud.org"
+key = "paws-state"
+region = "default"
+#secret_key = var.ec2_credential_secret[var.datacenter]
+skip_credentials_validation = "true"
+skip_region_validation = "true"
+use_path_style = "true"
+}
 required_providers {
 openstack = {
 source = "terraform-provider-openstack/openstack"
From 88b7e27bb50d0c9dc7464463e4debd36e0e0423b Mon Sep 17 00:00:00 2001
From: Vivian Rook
Date: Tue, 9 Jan 2024 12:16:22 -0500
Subject: [PATCH 2/5] maybe
---
 secrets-eqiad1.sh | Bin 198 -> 311 bytes
 tofu/main.tf | 28 +++++++++++++++++++---------
 2 files changed, 19 insertions(+), 9 deletions(-)
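Review bot: `source secrets-${datacenter}.sh` names the file without a slash, so bash looks it up through `PATH` before the current directory and, when the file is missing, only prints "No such file or directory" and (unless `set -e` is on, which is not visible here) carries on with empty credentials; the .gitattributes hunk lists `secrets-codfw1dev.sh` but this series only adds `secrets-eqiad1.sh`, so a codfw1dev run would hit exactly that. Anchor and check it: `secrets="$(dirname "$0")/secrets-${datacenter}.sh"`, `[ -f "$secrets" ] || { echo "missing $secrets" >&2; exit 1; }`, `source "$secrets"`, then `: "${ACCESS_KEY:?}" "${SECRET_KEY:?}"` so an undecrypted or empty secrets file fails here instead of inside `tofu init`. Passing the keys as `-backend-config access_key=…`/`secret_key=…` puts them in the argument list, which other users on the host can read through `ps`; PATCH 3/5 of this series moves them to environment assignments. The `if ! command -v tofu` block that opens the hunk starts outside it.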
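Review bot: The commented-out `#access_key = "7f5dc998…"` line commits a credential identifier to the repository even though nothing reads it; delete it rather than keep it as a comment (it survives the rewrite in PATCH 2/5 and is only removed in PATCH 4/5). The `#secret_key = var.ec2_credential_secret[var.datacenter]` line cannot work as written because a backend block cannot reference variables, so replace both with a note on the block: `# credentials are supplied at init time by deploy.sh — backend blocks cannot read variables`. `bucket` and `endpoint` are fixed to eqiad1 while deploy.sh passes `-var datacenter=`, so a codfw1dev run would read and write eqiad1's state; either document that the backend is eqiad1-only or pass `bucket`/`endpoint` via `-backend-config` from the per-datacenter secrets file. There is no lock configuration (no `dynamodb_table`), so two concurrent `tofu apply` runs can corrupt the state; `# NOTE: no state locking — run deploys serially` records that for the next operator. The `terraform` block continues outside the hunk.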
diff --git a/secrets-eqiad1.sh b/secrets-eqiad1.sh
index 6a74de2b7a4f092d24fd6854b2f36b0f4b43d25c..0b752fb8b8ed851f6f003efbfd2c72371b932251 100644
GIT binary patch
literal 311
zcmV-70m%LUM@dveQdv+`0F|V-(%T_D#d~8gZsKXF@ai>_E?rj}%;6FIRTp1ryT$Bh
zVGbp$z`qkwZF365%$e&FriB$a0z?+9`
z^{|B<0R}>uTrzg=;^1!rW;W9}G>}`dk8VcDUJ_;{WkcW_trta2kCfy}k3Tk$toC)7
zC?t`ecr8nxNwbAH1yt*=d=K2*^K&Ubd*aW*j
z(atv^e7&$9M`=uNcBS#fetVV3&a3KcojDlCjj~Ep3su$FQ8_5bL7h#2i_k;+xLvmH
JYGBFEU}s+^mrVcw
literal 198
zcmV;%06G5vM@dveQdv+`05)eir{uLcU-)kxmF5;Tl`rUUEl6Z*;IT49N}=hI3VnR~%h$m8!|8XJ3|&25WoaJyY;_x|0CIzeiRGCXE5>tIRN1_t6_
A`~Uy|
diff --git a/tofu/main.tf b/tofu/main.tf
index 789c7bd7..794cbfdb 100644
--- a/tofu/main.tf
+++ b/tofu/main.tf
@@ -1,15 +1,25 @@
 terraform {
 required_version = ">= 1.6.0"
 backend "s3" {
-#access_key = "7f5dc99840424406ae1e888d21b936a7"
-bucket = "tofu-state"
-endpoint = "https://object.eqiad1.wikimediacloud.org"
-key = "paws-state"
-region = "default"
-#secret_key = var.ec2_credential_secret[var.datacenter]
-skip_credentials_validation = "true"
-skip_region_validation = "true"
-use_path_style = "true"
+region = "eqiad1"
+bucket = "paws:tofu-state"
+endpoint = "https://object.eqiad1.wikimediacloud.org"
+key = "state/main"
+
+skip_region_validation = true
+skip_credentials_validation = true
+force_path_style = true
+
+
+##access_key = "7f5dc99840424406ae1e888d21b936a7"
+#bucket = "tofu-state"
+#endpoint = "https://object.eqiad1.wikimediacloud.org"
+#key = "paws-state"
+#region = "default"
+##secret_key = var.ec2_credential_secret[var.datacenter]
+#skip_credentials_validation = "true"
+#skip_region_validation = "true"
+#use_path_style = "true"
 }
 required_providers {
 openstack = {
From cd8a7f702bc8deb2be93ba71a909bf705a4c6c67 Mon Sep 17 00:00:00 2001
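Review bot: `force_path_style = true` replaces the `use_path_style` introduced in PATCH 1/5 with no comment saying why; as far as I know `force_path_style` is the older spelling of the same option, deprecated in favour of `use_path_style` in recent s3 backends, so if the rename was what made `tofu init` accept the block on the version pinned by `required_version`, record it inline: `force_path_style = true # use_path_style not accepted by the pinned tofu — TODO confirm`. `region`, `bucket` and `key` also change without rationale; one comment on the block naming the container this state lives in and noting that `region` is unvalidated (`skip_region_validation`) would spare the next reader the archaeology. The previous configuration kept below as `#…` lines is dead configuration that still carries the access-key identifier; PATCH 4/5 deletes it. The `terraform` block continues outside the hunk.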
From: Vivian Rook
Date: Tue, 9 Jan 2024 14:29:13 -0500
Subject: [PATCH 3/5] command line vars
---
 deploy.sh | 20 ++++++++++++++++++--
 secrets-eqiad1.sh | Bin 311 -> 198 bytes
 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/deploy.sh b/deploy.sh
index 6c6568a4..5f7d09f3 100644
--- a/deploy.sh
+++ b/deploy.sh
@@ -15,6 +15,15 @@ else
 exit
 fi
+if [ -n "${2}" ]
+then
+if [ "${2}" = 'tofu' ]
+then
+# exit after tofu
+tofuonly=1
+fi
+fi
+
 if ! command -v kubectl ; then
 echo "please install kubectl"
@@ -39,9 +48,16 @@ pip install ansible==8.1.0 kubernetes==26.1.0
 cd tofu
-tofu init -backend-config access_key="${ACCESS_KEY}" -backend-config secret_key="${SECRET_KEY}"
-tofu apply -var datacenter=${datacenter} # -auto-approve
+AWS_ACCESS_KEY_ID=${ACCESS_KEY} AWS_SECRET_ACCESS_KEY=${SECRET_KEY} tofu init
+#tofu init -backend-config access_key="${ACCESS_KEY}" -backend-config secret_key="${SECRET_KEY}"
+AWS_ACCESS_KEY_ID=${ACCESS_KEY} AWS_SECRET_ACCESS_KEY=${SECRET_KEY} tofu apply -var datacenter=${datacenter} # -auto-approve
+#tofu apply -var datacenter=${datacenter} # -auto-approve
 export KUBECONFIG=$(pwd)/kube.config
+if [ "${tofuonly}" = '1' ]
+then
+exit
+fi
+
 cd ../ansible
 ansible-playbook paws.yaml --extra-vars "datacenter=${datacenter}"
diff --git a/secrets-eqiad1.sh b/secrets-eqiad1.sh
index 0b752fb8b8ed851f6f003efbfd2c72371b932251..6a74de2b7a4f092d24fd6854b2f36b0f4b43d25c 100644
GIT binary patch
literal 198
zcmV;%06G5vM@dveQdv+`05)eir{uLcU-)kxmF5;Tl`rUUEl6Z*;IT49N}=hI3VnR~%h$m8!|8XJ3|&25WoaJyY;_x|0CIzeiRGCXE5>tIRN1_t6_
A`~Uy|
literal 311
zcmV-70m%LUM@dveQdv+`0F|V-(%T_D#d~8gZsKXF@ai>_E?rj}%;6FIRTp1ryT$Bh
zVGbp$z`qkwZF365%$e&FriB$a0z?+9`
z^{|B<0R}>uTrzg=;^1!rW;W9}G>}`dk8VcDUJ_;{WkcW_trta2kCfy}k3Tk$toC)7
zC?t`ecr8nxNwbAH1yt*=d=K2*^K&Ubd*aW*j
z(atv^e7&$9M`=uNcBS#fetVV3&a3KcojDlCjj~Ep3su$FQ8_5bL7h#2i_k;+xLvmH
JYGBFEU}s+^mrVcw
From ffa36e50049b4e3ce240ca576c13a84ada6a4776 Mon Sep 17 00:00:00 2001
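Review bot: Any second argument other than `tofu` is silently accepted, so a typo such as `tofuu` runs the complete deploy through ansible instead of stopping after tofu, and `tofuonly` is never initialised, so the later `[ "${tofuonly}" = '1' ]` relies on an unset variable expanding to empty (and would abort should `set -u` ever be enabled). A `case` on `"${2:-}"` with an explicit default arm handles the empty, `tofu` and unknown cases in one place and makes the accepted values visible; the README hunk in PATCH 1/5 documents only `bash deploy.sh`, so the `tofu` mode also wants a line there. The datacenter check (`else`/`exit`/`fi`) that this hunk extends starts outside it.

```shell
tofuonly=0
case "${2:-}" in
  '') ;;
  tofu) tofuonly=1 ;;  # stop after tofu apply, skip the ansible stage
  *) echo "unknown mode '${2}'; expected 'tofu' or nothing" >&2; exit 1 ;;
esac
# … unchanged: kubectl / tofu presence checks …
```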
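Review bot: The `AWS_ACCESS_KEY_ID=${ACCESS_KEY} AWS_SECRET_ACCESS_KEY=${SECRET_KEY}` prefix is repeated on the `init` and `apply` lines and neither checks that the sourced values are non-empty, so a missing or undecrypted secrets file surfaces late as an authentication error from the backend; set them once after `source secrets-…`, `export AWS_ACCESS_KEY_ID="${ACCESS_KEY:?}" AWS_SECRET_ACCESS_KEY="${SECRET_KEY:?}"`, and call `tofu init` and `tofu apply …` plainly. Moving the keys out of `-backend-config` arguments into environment assignments is the right direction, since argument lists are visible to other users through `ps`; if the ansible stage later in the script must not inherit them, `unset` both right after `tofu apply`. The commented-out `#tofu init …`/`#tofu apply …` lines are dead code (PATCH 4/5 drops them), and the bare `exit` in the new `tofuonly` block returns the status of the preceding `[` test, i.e. 0, which `exit 0` would state explicitly.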
From: Vivian Rook
Date: Tue, 9 Jan 2024 15:01:10 -0500
Subject: [PATCH 4/5] comments removed
---
 deploy.sh | 2 --
 tofu/main.tf | 11 -----------
 2 files changed, 13 deletions(-)
diff --git a/deploy.sh b/deploy.sh
index 5f7d09f3..193c9f1a 100644
--- a/deploy.sh
+++ b/deploy.sh
@@ -49,9 +49,7 @@ pip install ansible==8.1.0 kubernetes==26.1.0
 cd tofu
 AWS_ACCESS_KEY_ID=${ACCESS_KEY} AWS_SECRET_ACCESS_KEY=${SECRET_KEY} tofu init
-#tofu init -backend-config access_key="${ACCESS_KEY}" -backend-config secret_key="${SECRET_KEY}"
 AWS_ACCESS_KEY_ID=${ACCESS_KEY} AWS_SECRET_ACCESS_KEY=${SECRET_KEY} tofu apply -var datacenter=${datacenter} # -auto-approve
-#tofu apply -var datacenter=${datacenter} # -auto-approve
 export KUBECONFIG=$(pwd)/kube.config
 if [ "${tofuonly}" = '1' ]
diff --git a/tofu/main.tf b/tofu/main.tf
index 794cbfdb..abcf6d4a 100644
--- a/tofu/main.tf
+++ b/tofu/main.tf
@@ -9,17 +9,6 @@ terraform {
 skip_region_validation = true
 skip_credentials_validation = true
 force_path_style = true
-
-
-##access_key = "7f5dc99840424406ae1e888d21b936a7"
-#bucket = "tofu-state"
-#endpoint = "https://object.eqiad1.wikimediacloud.org"
-#key = "paws-state"
-#region = "default"
-##secret_key = var.ec2_credential_secret[var.datacenter]
-#skip_credentials_validation = "true"
-#skip_region_validation = "true"
-#use_path_style = "true"
 }
 required_providers {
 openstack = {
From 9e24f3dab88c2d0253b5770bb7ae78dd260d140e Mon Sep 17 00:00:00 2001
From: Vivian Rook
Date: Tue, 9 Jan 2024 16:05:49 -0500
Subject: [PATCH 5/5] space
---
 deploy.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deploy.sh b/deploy.sh
index 193c9f1a..fe249103 100644
--- a/deploy.sh
+++ b/deploy.sh
@@ -48,7 +48,7 @@ pip install ansible==8.1.0 kubernetes==26.1.0
 cd tofu
-AWS_ACCESS_KEY_ID=${ACCESS_KEY} AWS_SECRET_ACCESS_KEY=${SECRET_KEY} tofu init
+AWS_ACCESS_KEY_ID=${ACCESS_KEY} AWS_SECRET_ACCESS_KEY=${SECRET_KEY} tofu init
 AWS_ACCESS_KEY_ID=${ACCESS_KEY} AWS_SECRET_ACCESS_KEY=${SECRET_KEY} tofu apply -var datacenter=${datacenter} # -auto-approve
 export KUBECONFIG=$(pwd)/kube.config