Enhance Terraform configuration: add Google Cloud Storage bucket for state management with versioning and uniform access; update .gitignore to exclude auth.json

Author: JeanFraga

.github/workflows/terraform.yml

@@ -11,7 +11,9 @@ jobs:
     name: 'Terraform'
     runs-on: ubuntu-latest
     env:
-      TF_VAR_project_id: ${{ secrets.GCP_PROJECT_ID }} # Make sure to set this secret in your repository
+      TF_VAR_project_id: ${{ secrets.GCP_PROJECT_ID }}
+      TF_VAR_region: ${{ secrets.GCP_REGION }}
+      TF_VAR_environment: ${{ secrets.GCP_ENVIRONMENT }}
 
     steps:
       - name: 'Checkout'
@@ -20,17 +22,20 @@ jobs:
       - name: 'Authenticate to Google Cloud'
         uses: 'google-github-actions/auth@v2'
         with:
-          credentials_json: '${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}' # Make sure to set this secret in your repository
+          credentials_json: '${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}'
+
+      - name: 'Set up Google Cloud SDK'
+        uses: 'google-github-actions/setup-gcloud@v2'
 
       - name: 'Set up Terraform'
         uses: hashicorp/setup-terraform@v3
         with:
-          terraform_version: latest # Or specify a version e.g., 1.0.0
+          terraform_version: latest
 
       - name: 'Terraform Init'
         id: init
         run: terraform init
-        working-directory: ./terraform # Assuming your Terraform files are in a 'terraform' subdirectory
+        working-directory: ./terraform
 
       - name: 'Terraform Validate'
         id: validate
@@ -41,14 +46,12 @@ jobs:
         id: plan
         run: terraform plan -no-color -input=false -out=tfplan
         working-directory: ./terraform
-        # Only run on pull requests or direct pushes to main (not on merges)
         if: github.event_name == 'pull_request' || (github.event_name == 'push' && github.ref == 'refs/heads/main')
 
       - name: 'Terraform Apply'
         id: apply
         run: terraform apply -auto-approve -input=false tfplan
         working-directory: ./terraform
-        # Only run on pushes to the main branch (e.g., after a PR is merged)
         if: github.ref == 'refs/heads/main' && github.event_name == 'push'
 
       - name: 'Check BigQuery Dataset and Load Titanic Data'
@@ -57,5 +60,4 @@ jobs:
           chmod +x ../scripts/check_and_load_titanic_data.sh
           ../scripts/check_and_load_titanic_data.sh ${{ secrets.GCP_PROJECT_ID }}
         working-directory: ./terraform
-        # Only run on pushes to the main branch (after terraform apply)
         if: github.ref == 'refs/heads/main' && github.event_name == 'push'

.gitignore

@@ -105,6 +105,7 @@ venv.bak/
 *.tfvars
 .terraform/
 .terraform*
+auth.json
 
 # Spyder project settings
 .spyderproject

terraform/backend.tf

@@ -0,0 +1,6 @@
+terraform {
+  backend "gcs" {
+    bucket = "agentic-data-science-460701-terraform-state"
+    prefix = "terraform/state"
+  }
+}

terraform/main.tf

@@ -4,6 +4,29 @@ provider "google" {
   region  = var.region
 }
 
+# Cloud Storage bucket for Terraform state
+resource "google_storage_bucket" "terraform_state" {
+  name     = "${var.project_id}-terraform-state"
+  location = var.region
+  
+  # Prevent accidental deletion of this bucket
+  lifecycle {
+    prevent_destroy = true
+  }
+    # Enable versioning for state file history
+  versioning {
+    enabled = true
+  }
+  
+  # Enable uniform bucket-level access
+  uniform_bucket_level_access = true
+  
+  labels = {
+    environment = var.environment
+    purpose     = "terraform-state"
+  }
+}
+
 resource "google_bigquery_dataset" "test_dataset" {
   dataset_id = "test_dataset"
   friendly_name = "test_dataset"