Allow flexibility in exemptions format

Currently the exemptions file does not allow any flexibility in the names of resource addresses that are being removed.

The addresses are resolved literally:

exemptions:
  - module.abc.aws_secretsmanager_secret.foo
  - module.abc.aws_secretsmanager_secret.bar

Unfortunately, there are some cases where some more flexibility is required.

For example, in https://gitlab.com/gitlab-com/gl-infra/gitlab-dedicated/team/-/issues/5127, terra-transformer is failing with

⚠️  Terraform Plan contains changes that will delete protected resources.
The following protected resources will be deleted:
- module.provisional_regional_r0.module.get.module.item.module.consul.aws_ebs_volume.gitlab["itestmhsvn-consul-1-logs"]
- module.provisional_regional_r0.module.get.module.item.module.consul.aws_ebs_volume.gitlab["itestmhsvn-consul-2-logs"]
- module.provisional_regional_r0.module.get.module.item.module.consul.aws_ebs_volume.gitlab["itestmhsvn-consul-3-logs"]
- module.provisional_regional_r0.module.get.module.item.module.consul.aws_instance.gitlab[0]
- module.provisional_regional_r0.module.get.module.item.module.consul.aws_instance.gitlab[1]
- module.provisional_regional_r0.module.get.module.item.module.consul.aws_instance.gitlab[2]
⚠️  This may lead to loss of critical data. Manual intervention required.

The problem here is that the resource address, module.provisional_regional_r0.module.get.module.item.module.consul.aws_ebs_volume.gitlab["itestmhsvn-consul-1-logs"], will differ from tenant to tenant.

Option 1: Wildcards

The obvious solution is to add wildcards.

exemptions:
  - module.provisional_regional_r0.module.get.module.item.module.consul.aws_ebs_volume.gitlab["*-consul-1-logs"]

The problem with wildcards

The problem with wildcards is that they tend to be misused. I can recall multiple major S1 incidents at GitLab which came down to wildcards.

The problem with wildcards is that it's difficult to distinguish a reasonable wildcard, say module.provisional_regional_r0.module.get.module.item.module.consul.aws_ebs_volume.gitlab["*-consul-1-logs"], from a terrible one: module.provisional_regional_r0.module.get.*.

What's worse is that this bad wildcard exemption could be introduced and lie dormant for many months or years before -- exactly at the time we need the protection to work -- it goes ahead and allows the deletion of critical resources.

Like in a game of cards, wildcards introduce an element of surprise. In Infrastructure, unlike in card games, surprise is never fun.

Option 2: Substitutions

An alternative would be to use substitution values.

The most obvious option, probably, would be environment substitutions:

exemptions:
  - module.provisional_regional_r0.module.get.module.item.module.consul.aws_ebs_volume.gitlab["${TENANT_ID}-consul-1-logs"]

This approach would be naturally safer than wildcards, while still providing flexibility in exemptions.

cc @julbrady

Edited by Andrew Newdigate
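
A sketch of how Option 2 could resolve exemptions, added here as an illustration and not terra-transformer's own code: placeholders are expanded to literal addresses and then compared exactly, so a substituted value can never widen the match. The function names, the allowed character set for values, and treating `itestmhsvn` as the tenant ID are assumptions.

```python
import re

# Assumption: placeholders use the ${NAME} form shown in Option 2.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
# Assumption: values are limited to a conservative charset, so a variable
# cannot introduce a wildcard, a quote or an extra address segment.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]+")


def resolve_exemptions(patterns, variables):
    """Expand ${NAME} placeholders into a set of literal resource addresses."""
    def expand(match):
        name = match.group(1)
        value = variables.get(name)
        if value is None:
            # Fail closed: an unset variable must not become an empty string.
            raise ValueError(f"exemption references unset variable {name}")
        if not SAFE_VALUE.fullmatch(value):
            raise ValueError(f"unsafe value for {name}: {value!r}")
        return value
    return {PLACEHOLDER.sub(expand, pattern) for pattern in patterns}


def blocked_deletions(planned_deletions, patterns, variables):
    """Return protected deletions that no resolved exemption matches exactly."""
    exempt = resolve_exemptions(patterns, variables)
    return [addr for addr in planned_deletions if addr not in exempt]


# Constructed sample input, based on the addresses quoted in this issue.
PREFIX = "module.provisional_regional_r0.module.get.module.item.module.consul."
EXEMPTIONS = [PREFIX + 'aws_ebs_volume.gitlab["${TENANT_ID}-consul-1-logs"]']
PLANNED = [
    PREFIX + 'aws_ebs_volume.gitlab["itestmhsvn-consul-1-logs"]',
    PREFIX + 'aws_ebs_volume.gitlab["itestmhsvn-consul-2-logs"]',
]

if __name__ == "__main__":
    # Only the consul-1-logs volume of this tenant is exempt; the rest stays blocked.
    for addr in blocked_deletions(PLANNED, EXEMPTIONS, {"TENANT_ID": "itestmhsvn"}):
        print("still protected:", addr)
```

Because the comparison stays literal, an exemption written for one tenant exempts nothing when evaluated with another tenant's ID, and a value such as `*` is rejected before any matching happens.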