labadmin/proyectosacc-mirror
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(pipeline): implementar manejo robusto de state locks de Terraform

Browse Source 
Problema:
- El pipeline fallaba con 'Error acquiring the state lock' cuando un proceso
  anterior de Terraform no liberaba el lock correctamente
- Los locks bloqueados requerían intervención manual

Solución implementada:
1. Nuevo script scripts/terraform-lock-cleanup.sh:
   - Verifica locks existentes en DynamoDB antes de ejecutar Terraform
   - Calcula antigüedad del lock (default: 30 minutos)
   - Elimina locks bloqueados automáticamente
   - Espera si el lock es reciente (operación en curso legítima)

2. Nuevo step 02_pre_terraform_check:
   - Ejecuta antes del step 03_terraform
   - Instala AWS CLI y configura credenciales
   - Limpia locks bloqueados antes de iniciar Terraform

3. Agregado -lock-timeout=5m a comandos Terraform:
   - terraform plan -lock-timeout=5m
   - terraform apply -lock-timeout=5m
   - Permite esperar si hay una operación legítima en curso

4. Aplicado a ambas ramas:
   - developer: cleanup para entorno dev
   - master: cleanup para entorno prod

Beneficios:
- Pipeline más robusto y autónomo
- Menos intervención manual para locks bloqueados
- Mejor manejo de concurrencia entre pipelines
- Previene corrupción de estado por locks huérfanos

Refs: Build #64 falló por state lock en DynamoDB
This commit is contained in:
Evert Romero
2026-04-17 11:11:06 -06:00
parent b1c0be4ea6
commit f32b58fc46
2 changed files with 194 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
bitbucket-pipelines.yml
+30 -4
View File
@@ -81,6 +81,19 @@ pipelines:
- export TELEGRAM_CHAT_ID="${DEV_TELEGRAM_CHAT_ID}"
- bash scripts/telegram-pipeline-notify.sh start
- step:
name: 02_pre_terraform_check
oidc: true
script:
- set -euo pipefail
- apt-get update -y && apt-get install -y curl unzip
- curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
- unzip -q awscliv2.zip
- ./aws/install
- aws --version
- source scripts/aws-oidc-setup.sh dev
- bash scripts/terraform-lock-cleanup.sh dev proyectosacc/terraform.tfstate
- step:
name: 03_terraform
oidc: true
@@ -99,8 +112,8 @@ pipelines:
- terraform version
- export AWS_DEFAULT_REGION="${AWS_DEFAULT_REGION:-mx-central-1}"
- terraform init -backend-config=backend.dev.hcl
- terraform plan -var-file=environments/dev.tfvars -var="db_password=${DEV_DB_PASSWORD}" -out=dev.tfplan
- terraform apply -auto-approve dev.tfplan
- terraform plan -lock-timeout=5m -var-file=environments/dev.tfvars -var="db_password=${DEV_DB_PASSWORD}" -out=dev.tfplan
- terraform apply -lock-timeout=5m -auto-approve dev.tfplan
- terraform output -json > terraform-outputs.json
- cat terraform-outputs.json
artifacts:
@@ -231,6 +244,19 @@ pipelines:
- export TELEGRAM_CHAT_ID="${PROD_TELEGRAM_CHAT_ID}"
- bash scripts/telegram-pipeline-notify.sh start
- step:
name: 02_pre_terraform_check
oidc: true
script:
- set -euo pipefail
- apt-get update -y && apt-get install -y curl unzip
- curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
- unzip -q awscliv2.zip
- ./aws/install
- aws --version
- source scripts/aws-oidc-setup.sh prod
- bash scripts/terraform-lock-cleanup.sh prod proyectosacc/terraform.tfstate
- step:
name: 03_terraform
oidc: true
@@ -249,8 +275,8 @@ pipelines:
- terraform version
- export AWS_DEFAULT_REGION="${AWS_DEFAULT_REGION:-mx-central-1}"
- terraform init -backend-config=backend.prod.hcl
- terraform plan -var-file=environments/prod.tfvars -var="db_password=${PROD_DB_PASSWORD}" -out=prod.tfplan
- terraform apply -auto-approve prod.tfplan
- terraform plan -lock-timeout=5m -var-file=environments/prod.tfvars -var="db_password=${PROD_DB_PASSWORD}" -out=prod.tfplan
- terraform apply -lock-timeout=5m -auto-approve prod.tfplan
- terraform output -json > terraform-outputs.json
- cat terraform-outputs.json
artifacts: