S3 backend (terraform state file), versioning disabled
Is there any specific reason why all S3 buckets that store terraform state files in the Ref Arch got versioning disabled? Having versioning enabled is part of the best practices to prevent accidental data loss and keep history. Planning to run an aws-vault command that enables versioning in all S3 buckets that store terraform state files. Is there any other approach? Couldn't find a way to enable it directly from the backend.tf file. Thanks!!!!

---

[Tracked in ticket #110233](https://support.gruntwork.io/hc/requests/110233) (2023-06-06)
Separating terragrunt from the Reference Architecture for a moment, I did this test:

```
terragrunt_s3_versioning $ cat terragrunt.hcl
remote_state {
  backend = "s3"
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }
  config = {
    bucket = "pete-tf-state"
    # skip_bucket_versioning = true
    key            = "${path_relative_to_include()}/terraform.tfstate"
    region         = "us-west-2"
    encrypt        = true
    dynamodb_table = "pete-tf-lock-table"
  }
}
terragrunt_s3_versioning $ cat main.tf
resource "null_resource" "test" {
  provisioner "local-exec" {
    command = "date"
  }
}
```

After running `terragrunt plan`, my `backend.tf` file got created, and the S3 bucket got created with versioning enabled:

```
terragrunt_s3_versioning $ aws-vault exec sand -- aws s3api get-bucket-versioning --bucket pete-tf-state | cat
{
    "Status": "Enabled"
}
```

This leads me to think of a couple of possibilities:

**A newer version of terragrunt might be enabling versioning, but older ones do not (at least, not by default).**

The function `EnableVersioningForS3Bucket` was added back in 2016, so I think this leads us down the wrong path.

**The Reference Architecture is explicitly turning off versioning for some reason (valid or not).**

Skipping Bucket Versioning was added in [`v0.38.8`](https://github.com/gruntwork-io/terragrunt/releases/tag/v0.38.8), so if you have a terragrunt version older than this in your reference architecture, this won't apply. In your reference architecture, the version of terragrunt is pinned in `/shared/REGION/_regional/container_images/build_deploy_runner_image.sh` on roughly line 47. I was able to turn off S3 bucket versioning by adding `skip_bucket_versioning = true` to the `config` section (see above). It worked as anticipated.
Internally, it looks like a lot of reference architectures have been delivered with a terragrunt version of `v0.38.6`, so I suspect you may fall into this category. However, I do not see that `skip_bucket_versioning` configuration in our reference architectures at all.

**S3 bucket versioning turned off by some other mechanism**

I'm not seeing a way to set the default at an account level or via AWS organizations, although that may be possible. Of course, internal scripting to explicitly turn versioning off is possible, but that feels like a stretch to me and is unlikely.

**Recommendation**

At any rate, I do think your best course of action is to leverage aws-vault and some shell scripting to turn on bucket versioning.
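The aws-vault plus shell-scripting approach recommended above, written out as an added example (this is not code from the thread, from Gruntwork, or from the Reference Architecture). It goes a little beyond the answer: it has an `audit` mode that only reports, it recognises a state bucket by the presence of objects named `terraform.tfstate` rather than by bucket name, and it treats a bucket that has never been versioned (no `Status` field at all) the same as a suspended one. It assumes AWS CLI v2 on the PATH and that credentials come from aws-vault, which is wired in by overriding the `AWS` prefix variable; `pete-tf-state` is the bucket name from the thread, and the other names in comments are made up.

```shell
#!/bin/sh
# Added example (not code from the Gruntwork thread or the Reference Architecture):
# audit, and optionally enable, versioning on the S3 buckets that hold Terraform state.
# Assumptions: AWS CLI v2 on PATH; credentials supplied by aws-vault, e.g.
#   AWS="aws-vault exec sand -- aws" ./tfstate_versioning.sh audit
#   AWS="aws-vault exec sand -- aws" ./tfstate_versioning.sh enable pete-tf-state
set -eu

# Prefix used for every AWS call. Overriding it is how aws-vault is wired in
# (and how the logic can be exercised against a stub instead of a real account).
AWS="${AWS:-aws}"

# Print the bucket's versioning state as one word: Enabled, Suspended or Disabled.
# get-bucket-versioning omits "Status" entirely for a bucket that has never been
# versioned; the CLI renders that as "None" in text output, so normalise it to Disabled.
versioning_status() {
  status=$($AWS s3api get-bucket-versioning --bucket "$1" --query 'Status' --output text)
  case "$status" in
    Enabled|Suspended) printf '%s\n' "$status" ;;
    *)                 printf 'Disabled\n' ;;
  esac
}

# Succeed only if the bucket contains at least one Terraform state object.
# The CLI paginates list-objects-v2 automatically, so this scans the whole bucket;
# an empty bucket yields "None" and a bucket with no matching keys yields "".
holds_tfstate() {
  keys=$($AWS s3api list-objects-v2 --bucket "$1" \
           --query 'Contents[?ends_with(Key, `terraform.tfstate`)].Key' --output text)
  [ -n "$keys" ] && [ "$keys" != "None" ]
}

# Decide and act on one bucket. Mode "audit" only reports; "enable" turns versioning on.
# Prints exactly one word: not-state, already-enabled, would-enable or enabled.
remediate_bucket() {
  mode="$1"
  bucket="$2"
  if ! holds_tfstate "$bucket"; then
    printf 'not-state\n'
    return 0
  fi
  if [ "$(versioning_status "$bucket")" = "Enabled" ]; then
    printf 'already-enabled\n'
    return 0
  fi
  if [ "$mode" = "enable" ]; then
    $AWS s3api put-bucket-versioning --bucket "$bucket" \
      --versioning-configuration Status=Enabled
    printf 'enabled\n'
  else
    printf 'would-enable\n'
  fi
}

# Walk the named buckets, or every bucket in the account when none are given.
main() {
  mode="$1"
  shift
  case "$mode" in
    audit|enable) ;;
    *) echo "usage: $0 audit|enable [bucket ...]" >&2; return 2 ;;
  esac
  buckets="$*"
  [ -n "$buckets" ] || buckets=$($AWS s3api list-buckets --query 'Buckets[].Name' --output text)
  for b in $buckets; do
    printf '%-40s %s\n' "$b" "$(remediate_bucket "$mode" "$b")"
  done
}

# Only act when invoked with arguments, so the functions can be sourced on their own.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run `audit` first and keep its output: it is the list of buckets that would change, which is what you want in the change record before `enable` touches anything. The script never turns versioning off, so re-running it is safe; a bucket that already reports `Enabled` is left alone.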