Skip to main content

Terraform statefile refresh for existing Github Teams not included in code

Github Users and Teams are maintained using terraform hmpps-github-teams. Currently there are many teams which already exists in Github and not added in code. This document covers the step to add the teams in terraform statefile without recreating them.

1. Retrieve AWS account details
2. Login to AWS account
3. Backup existing statefile on local machine
4. Get existing Team and Team members details
5. Update repository Terraform files (terraform/teams.tf and terraform/users.tf) to include existing team details
6. Run terraform plan to get the plan details to check only new teams are included in plan.
7. Import the existing team from github in AWS S3 terraform statefile.
8. Import team members from github in AWS S3 terraform statefile
9. Push local terraform code changes to Github Repository

Example below is from recent hmpps-book-a-video-link import in statefile

1. Retrieve AWS account details

AWS account details are stored in hmpps-portfolio-management-dev namespace.

kubectl get secrets -n hmpps-portfolio-management-dev  s3-bucket-output -o yaml

Decode the values for bucket_name, s3_access_key_id and s3_secret_access_key.

echo $VALUE_FROM_ABOVE_COMMAND | base64 --decode

2. Login to AWS account

Provide the decoded values for AWS Access Key ID and AWS Secret Access Key.

$ aws configure
AWS Access Key ID [****************]: ********
AWS Secret Access Key [****************]: *******
Default region name [eu-west-2]:
Default output format [json]:

3. Backup existing statefile on local machine

Backup the existing statefile before importing existing teams.

aws s3 cp s3://cloud-platform-59ac75c5c19ea6fee9760900194529a5/hmpps-github-teams-dev.tfstate ~/. 

#### Setup terraform locally 

Setup the terraform locally. 

* Remove the existing .terraform directory 

 $ cd hmpps-github-teams/terraform
$ rm -fr .terraform
$ aws s3 cp s3://cloud-platform-59ac75c5c19ea6fee9760900194529a5/hmpps-github-teams-dev.tfstate ~/.
download: s3://cloud-platform-59ac75c5c19ea6fee9760900194529a5/hmpps-github-teams-dev.tfstate to ./hmpps-github-teams-dev.tfstate
$ terraform init
Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding hashicorp/aws versions matching "~> 5.0"...
- Finding integrations/github versions matching "~> 6.0"...
- Installing hashicorp/aws v5.74.0...
- Installed hashicorp/aws v5.74.0 (signed by HashiCorp)
- Installing integrations/github v6.3.1...
- Installed integrations/github v6.3.1 (signed by a HashiCorp partner, key ID 38027F80D7FD5FB2)
Partner and community providers are signed by their developers.
If you'd like to know more about provider signing, you can read about it here:
https://www.terraform.io/docs/cli/plugins/signing.html
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
$



4. Get existing Team and Team members details


$ gh api -X GET 'orgs/ministryofjustice/teams/hmpps-book-a-video-link'
{
  "name": "hmpps-book-a-video-link",
  "id": 10891591,
  "node_id": "T_kwDOACGfts4ApjFH",
  "slug": "hmpps-book-a-video-link",
  "description": "",
  "privacy": "closed",
  "notification_setting": "notifications_enabled",
  "url": "https://api.github.com/organizations/2203574/team/10891591",
  "html_url": "https://github.com/orgs/ministryofjustice/teams/hmpps-book-a-video-link",
  "members_url": "https://api.github.com/organizations/2203574/team/10891591/members{/member}",
  "repositories_url": "https://api.github.com/organizations/2203574/team/10891591/repos",
  "permission": "pull",
  "created_at": "2024-09-04T08:42:05Z",
  "updated_at": "2024-09-04T08:43:57Z",
  "members_count": 4,
  "repos_count": 0,
  "organization": {
    "login": "ministryofjustice",
    "id": 2203574,
    "node_id": "MDEyOk9yZ2FuaXphdGlvbjIyMDM1NzQ=",
    "url": "https://api.github.com/orgs/ministryofjustice",
    "repos_url": "https://api.github.com/orgs/ministryofjustice/repos",
    "events_url": "https://api.github.com/orgs/ministryofjustice/events",
    "hooks_url": "https://api.github.com/orgs/ministryofjustice/hooks",
    "issues_url": "https://api.github.com/orgs/ministryofjustice/issues",
    "members_url": "https://api.github.com/orgs/ministryofjustice/members{/member}",
    "public_members_url": "https://api.github.com/orgs/ministryofjustice/public_members{/member}",
    "avatar_url": "https://avatars.githubusercontent.com/u/2203574?v=4",
    "description": "",
    "name": "Ministry of Justice",
    "company": null,
    "blog": "https://www.justice.gov.uk/",
    "location": "London, UK",
    "email": null,
    "twitter_username": null,
    "is_verified": true,
    "has_organization_projects": true,
    "has_repository_projects": true,
    "public_repos": 2184,
    "public_gists": 0,
    "followers": 567,
    "following": 0,
    "html_url": "https://github.com/ministryofjustice",
    "created_at": "2012-08-23T11:22:38Z",
    "updated_at": "2024-09-16T10:17:47Z",
    "archived_at": null,
    "type": "Organization"
  },
  "parent": null
}
$ gh api -X GET 'orgs/ministryofjustice/teams/hmpps-book-a-video-link/members'
[
  {
    "login": "*****",
    "id": 30229564,
    "node_id": "MDQ6VXNlcjMwMjI5NTY0",
    "avatar_url": "https://avatars.githubusercontent.com/u/30229564?v=4",
    "gravatar_id": "",
    "url": "https://api.github.com/users/*****",
    "html_url": "https://github.com/*****",
    "followers_url": "https://api.github.com/users/*****/followers",
    "following_url": "https://api.github.com/users/*****/following{/other_user}",
    "gists_url": "https://api.github.com/users/*****/gists{/gist_id}",
    "starred_url": "https://api.github.com/users/*****/starred{/owner}{/repo}",
    "subscriptions_url": "https://api.github.com/users/*****/subscriptions",
    "organizations_url": "https://api.github.com/users/*****/orgs",
    "repos_url": "https://api.github.com/users/*****/repos",
    "events_url": "https://api.github.com/users/*****/events{/privacy}",
    "received_events_url": "https://api.github.com/users/*****/received_events",
    "type": "User",
    "user_view_type": "public",
    "site_admin": false
  }
]
$



5. Update repository Terraform files (terraform/teams.tf and terraform/users.tf) to include existing team details


Create branch on hmpps-github-teams, Update terraform/teams.tf to include the details retrieved from above commands


    {
      name        = "hmpps-book-a-video-link"
      parent      = "hmpps-developers"
      description = "HMPPS book a video link team"
    },


Update terraform/users.tf to include team members in this team for all the teams members. 


    {
      full_name       = "*****",
      email           = "******@justice.gov.uk"
      github_username = "*****"
      github_teams    = ["activities-and-appointments", "connect-dps-collaborators-devs", "connect-dps-collaborators-live", "hmpps-book-a-video-link"]
    },



6. Run terraform plan to get the plan details to check only new teams are included in plan.


Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
Terraform will perform the following actions:
  # github_team.parent_team["hmpps-book-a-video-link"] will be created
  + resource "github_team" "parent_team" {
      + create_default_maintainer = true
      + description               = "HMPPS book a video link team • This team is managed by Terraform, see https://github.com/ministryofjustice/hmpps-github-teams - DO NOT UPDATE MANUALLY!"
      + etag                      = (known after apply)
      + id                        = (known after apply)
      + members_count             = (known after apply)
      + name                      = "hmpps-book-a-video-link"
      + node_id                   = (known after apply)
      + parent_team_id            = "4043920"
      + parent_team_read_id       = (known after apply)
      + parent_team_read_slug     = (known after apply)
      + privacy                   = "closed"
      + slug                      = (known after apply)
    }
  # github_team_members.hmpps_developers_members will be updated in-place
  ~ resource "github_team_members" "hmpps-book-a-video-link" {
        id      = "4043920"
        # (1 unchanged attribute hidden)
      + members {
          + role     = "member"
          + username = "*******"
        }
        # (183 unchanged blocks hidden)
    }
  # github_team_members.members["hmpps-book-a-video-link"] will be updated in-place
  ~ resource "github_team_members" "members" {
        id      = "10891591"
        # (1 unchanged attribute hidden)
      + members {
          + role     = "member"
          + username = "*****"
        }
        # (13 unchanged blocks hidden)
    }

Plan: 1 to add, 1 to change, 0 to destroy.
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.




7. Import the existing team from github in AWS S3 terraform statefile.


$  terraform import 'github_team.parent_team["hmpps-book-a-video-link"]' hmpps-book-a-video-link
data.github_team.parent: Reading...
data.github_team.parent: Read complete after 4s [id=4043920]
github_team.parent_team["hmpps-book-a-video-link"]: Importing from ID "hmpps-book-a-video-link"...
github_team.parent_team["hmpps-book-a-video-link"]: Import prepared!
  Prepared github_team for import
github_team.parent_team["hmpps-book-a-video-link"]: Refreshing state... [id=10891591]
Import successful!
The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.
$



This import command will import in statefile on AWS S3 bucket.


8. Import team members from github in AWS S3 terraform statefile


Replace 10891591 with relevant teams id retrieved from Link


 $  terraform import 'github_team_members.members["hmpps-book-a-video-link"]' 10891591
data.github_team.parent: Reading...
data.github_team.parent: Read complete after 3s [id=4043920]
github_team_members.members["hmpps-book-a-video-link"]: Importing from ID "10891591"...
github_team_members.members["hmpps-book-a-video-link"]: Import prepared!
  Prepared github_team_members for import
github_team_members.members["hmpps-book-a-video-link"]: Refreshing state... [id=10891591]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

$



This import will import in statefile on AWS S3 bucket.


9. Push local terraform code changes to Github Repository


Push the branch, check the plan, it should not show any changes as statefile already has the team details. If all good merge the branch to main.

 
   This page was last reviewed on 11-Nov-2024, next review will be on 11-Feb-2025. 
  

  Edit this page here.