BRS-1152: Update TFC to use TF via s3 (#244)

.github/workflows/deploy_dev.yml

@@ -6,11 +6,15 @@ on:
 
 env:
   TF_VERSION: 0.14.7
-  TG_VERSION: 0.26.7
+  TG_VERSION: 0.37.1
   TG_SRC_PATH: terraform
   TFC_WORKSPACE: dev
   TARGET_ENV: dev
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   deploy:
     name: Build and Deploy
@@ -49,10 +53,8 @@ jobs:
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v1-node16
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: ${{ secrets.AWS_REGION }}
-          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          role-to-assume: ${{ vars.AWS_ROLE_ARN_TO_USE }}
           role-duration-seconds: 900
           role-session-name: parks-ar-admin-dev-gh-action
           role-skip-session-tagging: true
@@ -80,7 +82,6 @@ jobs:
         uses: hashicorp/setup-terraform@v2
         with:
           terraform_version: ${{ env.TF_VERSION }}
-          cli_config_credentials_token: ${{ secrets.TFC_TEAM_TOKEN }}
 
       - name: Setup Terragrunt
         uses: autero1/action-terragrunt@v1.3.0
@@ -98,4 +99,4 @@ jobs:
           api_gateway_origin_id: ${{ env.API_GATEWAY_ORIGIN_ID }}
           api_gateway_path_pattern: ${{ env.API_GATEWAY_PATH_PATTERN }}
           origin_id_assets: ${{ env.ORIGIN_ID_ASSETS }}
-        run: terragrunt apply-all --terragrunt-non-interactive
+        run: terragrunt apply -auto-approve --terragrunt-non-interactive -var target_aws_account_id=${{ vars.ACCOUNT_ID }} -var target_env=dev

.github/workflows/deploy_prod.yml

@@ -11,11 +11,15 @@ on:
 
 env:
   TF_VERSION: 0.14.7
-  TG_VERSION: 0.26.7
+  TG_VERSION: 0.37.1
   TG_SRC_PATH: terraform
   TFC_WORKSPACE: prod
   TARGET_ENV: prod
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   deploy:
     name: Build to Prod
@@ -41,10 +45,8 @@ jobs:
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v1-node16
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: ${{ secrets.AWS_REGION }}
-          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          role-to-assume: ${{ vars.AWS_ROLE_ARN_TO_USE }}
           role-duration-seconds: 900
           role-session-name: parks-ar-admin-prod-gh-action
           role-skip-session-tagging: true
@@ -72,7 +74,6 @@ jobs:
         uses: hashicorp/setup-terraform@v2
         with:
           terraform_version: ${{ env.TF_VERSION }}
-          cli_config_credentials_token: ${{ secrets.TFC_TEAM_TOKEN }}
 
       - name: Setup Terragrunt
         uses: autero1/action-terragrunt@v1.3.0
@@ -91,7 +92,7 @@ jobs:
           api_gateway_path_pattern: ${{ env.API_GATEWAY_PATH_PATTERN }}
           origin_id_assets: ${{ env.ORIGIN_ID_ASSETS }}
           ssl_cert_arn: ${{ secrets.PARKS_SSL_CERT_ARN }}
-        run: terragrunt apply-all --terragrunt-non-interactive
+        run: terragrunt apply -auto-approve --terragrunt-non-interactive -var target_aws_account_id=${{ vars.ACCOUNT_ID }} -var target_env=prod
 
   alert-if-failure:
     if: ${{ always() && (needs.deploy.result=='failure')}}

.github/workflows/deploy_test.yml

@@ -9,11 +9,15 @@ on:
 
 env:
   TF_VERSION: 0.14.7
-  TG_VERSION: 0.26.7
+  TG_VERSION: 0.37.1
   TG_SRC_PATH: terraform
   TFC_WORKSPACE: test
   TARGET_ENV: test
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   deploy:
     name: Build to Test
@@ -38,10 +42,8 @@ jobs:
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v1-node16
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: ${{ secrets.AWS_REGION }}
-          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          role-to-assume: ${{ vars.AWS_ROLE_ARN_TO_USE }}
           role-duration-seconds: 900
           role-session-name: parks-ar-admin-test-gh-action
           role-skip-session-tagging: true
@@ -69,7 +71,6 @@ jobs:
         uses: hashicorp/setup-terraform@v2
         with:
           terraform_version: ${{ env.TF_VERSION }}
-          cli_config_credentials_token: ${{ secrets.TFC_TEAM_TOKEN }}
 
       - name: Setup Terragrunt
         uses: autero1/action-terragrunt@v1.3.0
@@ -87,7 +88,7 @@ jobs:
           api_gateway_origin_id: ${{ env.API_GATEWAY_ORIGIN_ID }}
           api_gateway_path_pattern: ${{ env.API_GATEWAY_PATH_PATTERN }}
           origin_id_assets: ${{ env.ORIGIN_ID_ASSETS }}
-        run: terragrunt apply-all --terragrunt-non-interactive
+        run: terragrunt apply -auto-approve --terragrunt-non-interactive -var target_aws_account_id=${{ vars.ACCOUNT_ID }} -var target_env=test
 
   alert-if-failure:
     if: ${{ always() && (needs.deploy.result=='failure')}}

terraform/terragrunt.hcl

@@ -10,12 +10,12 @@ generate "remote_state" {
   if_exists = "overwrite"
   contents  = <<EOF
 terraform {
-  backend "remote" {
-    hostname = "${local.tfc_hostname}"
-    organization = "${local.tfc_organization}"
-    workspaces {
-      name = "${local.project}-${local.environment}-admin"
-    }
+  backend "s3" {
+    bucket         = "terraform-remote-state-${local.project}-${local.environment}"
+    key            = "remote.tfstate-admin"                              # Path and name of the state file within the bucket
+    region         = "ca-central-1"                                      # AWS region where the bucket is located
+    dynamodb_table = "terraform-remote-state-lock-${local.project}"      # Replace with either generated or custom DynamoDB table name
+    encrypt        = true                                                # Enable encryption for the state file
   }
 }
 EOF