fix(terraform): default bedrock object lock to governance so teardown stays clean #37
Merged
… stays clean

The production bedrock substrate forced S3 Object Lock into COMPLIANCE mode with a 7-year retention on the invocation-log bucket. COMPLIANCE retention cannot be shortened or bypassed by anyone — including the account root — so every teardown of a production deploy left an invocation bucket that cannot be emptied or deleted until the retention expires. Iterating on validation clusters slowly accumulated permanently undeletable buckets.

Root cause: live/production/bedrock/terragrunt.hcl set object_lock_mode = COMPLIANCE (retention 2555 days), and the component's invocations bucket carried no force_destroy, so even a GOVERNANCE bucket would block destroy on its locked objects.

Fix:
- Production defaults to GOVERNANCE / 365-day retention. Logs stay immutable by default, but an admin with s3:BypassGovernanceRetention can clear the lock so the environment tears down cleanly.
- The invocations bucket sets force_destroy = (object_lock_mode != COMPLIANCE), so GOVERNANCE buckets are removable on terragrunt destroy while COMPLIANCE buckets stay protected from accidental destroy.
- COMPLIANCE remains a one-line opt-in: set object_lock_mode = "COMPLIANCE" in an env config for a tenant that needs cryptographic immutability.

Existing COMPLIANCE-locked buckets from prior deploys are unaffected — they stay locked until their retention expires; this changes only new applies.
Problem
The production bedrock substrate forced S3 Object Lock into COMPLIANCE mode with a 7-year retention on the invocation-log bucket. COMPLIANCE retention can't be shortened or bypassed by anyone — not even the account root — so tearing down a deploy leaves an invocation bucket that can't be emptied or deleted until 2033. Spinning validation clusters up and down slowly accumulates permanently undeletable buckets.
Fix
- Production defaults to GOVERNANCE / 365-day retention. Logs stay immutable by default, but an admin (with s3:BypassGovernanceRetention) can clear the lock, so environments tear down cleanly.
- The invocations bucket sets force_destroy = (object_lock_mode != "COMPLIANCE") — GOVERNANCE buckets are removable on terragrunt destroy; COMPLIANCE buckets stay protected.
- COMPLIANCE remains a one-line opt-in: set object_lock_mode = "COMPLIANCE" in an env config for a tenant that genuinely needs cryptographic immutability.

dev/staging already used GOVERNANCE/365, so this brings production in line and makes teardown clean across the board.
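The shape of the fix, written out as an added example rather than the repository's own module: the lock mode and retention are variables, and force_destroy is derived from the mode so a GOVERNANCE bucket can be emptied on destroy while a COMPLIANCE bucket cannot. Only object_lock_mode and the 2555/365-day values come from the page; the variable names object_lock_retention_days and invocations_bucket_name are assumptions.

```hcl
# Added example, not the project's code. Assumed names: object_lock_retention_days,
# invocations_bucket_name. Pre-fix production config (from the PR) amounted to
#   inputs = { object_lock_mode = "COMPLIANCE", object_lock_retention_days = 2555 }
# with no force_destroy; post-fix, the defaults below apply unless a tenant opts in.

variable "object_lock_mode" {
  description = "S3 Object Lock default retention mode. COMPLIANCE is opt-in only."
  type        = string
  default     = "GOVERNANCE"

  validation {
    condition     = contains(["GOVERNANCE", "COMPLIANCE"], var.object_lock_mode)
    error_message = "object_lock_mode must be GOVERNANCE or COMPLIANCE."
  }
}

variable "object_lock_retention_days" {
  description = "Default retention applied to every new object version."
  type        = number
  default     = 365
}

variable "invocations_bucket_name" {
  type = string
}

resource "aws_s3_bucket" "invocations" {
  bucket              = var.invocations_bucket_name
  object_lock_enabled = true # S3 also enables versioning, which Object Lock requires

  # GOVERNANCE: destroy deletes every object version, locked ones included, which
  # needs s3:BypassGovernanceRetention on the caller. COMPLIANCE: false, so destroy
  # fails on the locked objects instead of attempting a deletion AWS would refuse.
  force_destroy = var.object_lock_mode != "COMPLIANCE"
}

resource "aws_s3_bucket_object_lock_configuration" "invocations" {
  bucket = aws_s3_bucket.invocations.id

  rule {
    default_retention {
      mode = var.object_lock_mode
      days = var.object_lock_retention_days
    }
  }
}
```

Note that force_destroy is only honoured if it was already true in state before the destroy, so an environment applied with COMPLIANCE cannot be rescued by flipping the mode afterwards; that matches the Scope section above.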
Scope
Existing COMPLIANCE-locked buckets from prior deploys are unaffected — they stay locked until retention expires. This changes only new applies.
tofu fmt + tofu validate pass on the component.