Replace AWS S3 backend with Cloudflare R2 backend #1588
Conversation
Pull request overview
This PR migrates the Terraform state backend from AWS S3 to Cloudflare R2. The change replaces AWS OIDC-based authentication with direct R2 credentials and updates the Terraform S3 backend configuration to point to Cloudflare's R2 service.
Changes:
- Modified Terraform backend configuration to use Cloudflare R2 endpoint and R2-compatible settings
- Replaced AWS OIDC authentication with direct R2 credential environment variables in GitHub Actions workflows
- Commented out AWS credential configuration steps in both plan and deploy workflows
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| terraform/provider.tf | Updated S3 backend configuration with R2 endpoint URL, region setting, and R2 compatibility flags |
| .github/workflows/plan_terraform_ensnode_yellow.yml | Replaced AWS OIDC authentication with R2 credentials as environment variables and commented out AWS credential configuration |
| .github/workflows/deploy_ensnode_yellow.yml | Replaced AWS OIDC authentication with R2 credentials as environment variables and commented out AWS credential configuration |
| # Terraform keeps it's state inside S3 bucket. This bucket needs to be created before running Terraform apply. | ||
| # AWS_REGION should be the same as Terraform S3 bucket state region. |
Copilot
AI
Jan 30, 2026
The comment still refers to 'S3 bucket' but should be updated to mention 'R2 bucket' or 'Cloudflare R2 bucket' to accurately reflect the migration from AWS S3 to Cloudflare R2.
| # Terraform keeps it's state inside S3 bucket. This bucket needs to be created before running Terraform apply. | |
| # AWS_REGION should be the same as Terraform S3 bucket state region. | |
| # Terraform keeps its state inside a Cloudflare R2 bucket. This bucket needs to be created before running Terraform apply. | |
| # AWS_REGION should be the same as the Cloudflare R2 bucket state region. |
| # Terraform keeps it's state inside S3 bucket. This bucket needs to be created before running Terraform apply. | ||
| # AWS_REGION should be the same as Terraform S3 bucket state region. |
Copilot
AI
Jan 30, 2026
The comment still refers to 'S3 bucket' but should be updated to mention 'R2 bucket' or 'Cloudflare R2 bucket' to accurately reflect the migration from AWS S3 to Cloudflare R2.
| # Terraform keeps it's state inside S3 bucket. This bucket needs to be created before running Terraform apply. | |
| # AWS_REGION should be the same as Terraform S3 bucket state region. | |
| # Terraform keeps its state inside a Cloudflare R2 bucket. This bucket needs to be created before running Terraform apply. | |
| # AWS_REGION should be the same as the Cloudflare R2 bucket state region. |
terraform/provider.tf
Outdated
| # R2 Endpoint URL | ||
| endpoints = { | ||
| s3 = "https://568d25449daec794a4cf277e3c286406.r2.cloudflarestorage.com" |
Copilot
AI
Jan 30, 2026
The R2 endpoint URL contains an account ID that is now hardcoded in version control. This could be a security concern as it exposes infrastructure details. Consider using a Terraform variable or environment variable for the endpoint URL instead of hardcoding it.
| # AWS_REGION is required for aws-actions/configure-aws-credentials@v4 | ||
| # Terraform keeps it's state inside S3 bucket. This bucket needs to be created before running Terraform apply. | ||
| # AWS_REGION should be the same as Terraform S3 bucket state region. |
Copilot
AI
Jan 30, 2026
The comment states 'AWS_REGION is required for aws-actions/configure-aws-credentials@v4' but this action is now commented out. The comment should be updated or removed to avoid confusion, as it no longer applies to the R2 configuration.
| # AWS_REGION is required for aws-actions/configure-aws-credentials@v4 | |
| # Terraform keeps it's state inside S3 bucket. This bucket needs to be created before running Terraform apply. | |
| # AWS_REGION should be the same as Terraform S3 bucket state region. | |
| # Optional: set AWS_REGION if required by your Terraform S3-compatible (e.g. R2) state backend configuration. | |
| # Terraform keeps its state inside an S3-compatible bucket. This bucket needs to be created before running Terraform apply. | |
| # AWS_REGION should match the region configured for the Terraform state bucket, if applicable. |
| # AWS_REGION is required for aws-actions/configure-aws-credentials@v4 | ||
| # Terraform keeps it's state inside S3 bucket. This bucket needs to be created before running Terraform apply. | ||
| # AWS_REGION should be the same as Terraform S3 bucket state region. | ||
| AWS_REGION: us-east-1 | ||
| # AWS_REGION: us-east-1 |
Copilot
AI
Jan 30, 2026
The comment states 'AWS_REGION is required for aws-actions/configure-aws-credentials@v4' but this action is now commented out. The comment should be updated or removed to avoid confusion, as it no longer applies to the R2 configuration.
| @@ -25,7 +25,12 @@ | |||
| # AWS_REGION is required for aws-actions/configure-aws-credentials@v4 | |||
| # Terraform keeps it's state inside S3 bucket. This bucket needs to be created before running Terraform apply. | |||
Copilot
AI
Jan 30, 2026
Grammatical error: 'it's' should be 'its' (possessive form). The comment reads 'Terraform keeps it's state' but should read 'Terraform keeps its state'.
| # Terraform keeps it's state inside S3 bucket. This bucket needs to be created before running Terraform apply. | |
| # Terraform keeps its state inside S3 bucket. This bucket needs to be created before running Terraform apply. |
| @@ -26,7 +26,12 @@ jobs: | |||
| # AWS_REGION is required for aws-actions/configure-aws-credentials@v4 | |||
| # Terraform keeps it's state inside S3 bucket. This bucket needs to be created before running Terraform apply. | |||
Copilot
AI
Jan 30, 2026
Grammatical error: 'it's' should be 'its' (possessive form). The comment reads 'Terraform keeps it's state' but should read 'Terraform keeps its state'.
| # Terraform keeps it's state inside S3 bucket. This bucket needs to be created before running Terraform apply. | |
| # Terraform keeps its state inside S3 bucket. This bucket needs to be created before running Terraform apply. |
📝 Walkthrough
CI workflows and the Terraform backend were switched from AWS S3 to Cloudflare R2: workflows now supply R2 S3-compatible credentials via
Sequence Diagram(s)
sequenceDiagram
    participant GH as GitHub Actions
    participant TF as Terraform CLI
    participant R2 as Cloudflare R2 (S3-compatible)
    GH->>TF: start workflow with env (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, TERRAFORM_VERSION)
    TF->>R2: authenticate to S3 endpoint (use_path_style, region="auto")
    TF->>R2: read/write Terraform state (skip credential/region/metadata checks enabled)
Estimated Code Review Effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
Pre-merge checks: ✅ 2 passed | ❌ 1 failed (1 warning)
6e8f9c1 to 7bb1a20
Actionable comments posted: 2
🤖 Fix all issues with AI agents
In @.github/workflows/deploy_ensnode_yellow.yml:
- Around line 68-72: The workflow currently grants the OIDC permission
"permissions: id-token: write" even though the AWS credentials step (uses:
aws-actions/configure-aws-credentials@v4) is commented out; remove or reduce the
"id-token: write" entry from the workflow permissions block (or set it to
least-privilege needed) and verify no other steps require OIDC before
committing; search for the "permissions: id-token: write" string to locate and
update the permission.
In @.github/workflows/plan_terraform_ensnode_yellow.yml:
- Around line 60-64: The workflow currently requests an OIDC token via
"permissions: id-token: write" but the AWS credentials step
(aws-actions/configure-aws-credentials@v4) is commented out; remove or tighten
the unnecessary permission by deleting the "id-token: write" entry from the
workflow's permissions block (or set it to a more restrictive value if other
steps need it), ensuring only required permissions remain; look for the
"permissions:" block and the "id-token: write" symbol to locate and update the
entry.
| # - name: Configure AWS credentials | ||
| # uses: aws-actions/configure-aws-credentials@v4 | ||
| # with: | ||
| # role-to-assume: ${{ secrets.AWS_ROLE}} | ||
| # aws-region: ${{ env.AWS_REGION }} |
🧹 Nitpick | 🔵 Trivial
Consider removing unused OIDC permission here too.
Since the AWS credentials action is commented out, permissions: id-token: write may no longer be needed in this workflow.
🤖 Prompt for AI Agents
In @.github/workflows/deploy_ensnode_yellow.yml around lines 68 - 72, The
workflow currently grants the OIDC permission "permissions: id-token: write"
even though the AWS credentials step (uses:
aws-actions/configure-aws-credentials@v4) is commented out; remove or reduce the
"id-token: write" entry from the workflow permissions block (or set it to
least-privilege needed) and verify no other steps require OIDC before
committing; search for the "permissions: id-token: write" string to locate and
update the permission.
| # - name: Configure AWS credentials | ||
| # uses: aws-actions/configure-aws-credentials@v4 | ||
| # with: | ||
| # role-to-assume: ${{ secrets.AWS_ROLE}} | ||
| # aws-region: ${{ env.AWS_REGION }} |
🧹 Nitpick | 🔵 Trivial
Drop OIDC token permission if it’s no longer used.
With the AWS credentials action commented out, permissions: id-token: write may be unnecessary. Consider removing it to reduce token scope.
🤖 Prompt for AI Agents
In @.github/workflows/plan_terraform_ensnode_yellow.yml around lines 60 - 64,
The workflow currently requests an OIDC token via "permissions: id-token: write"
but the AWS credentials step (aws-actions/configure-aws-credentials@v4) is
commented out; remove or tighten the unnecessary permission by deleting the
"id-token: write" entry from the workflow's permissions block (or set it to a
more restrictive value if other steps need it), ensuring only required
permissions remain; look for the "permissions:" block and the "id-token: write"
symbol to locate and update the entry.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| # Terraform keeps it's state inside S3 bucket. This bucket needs to be created before running Terraform apply. | ||
| # AWS_REGION should be the same as Terraform S3 bucket state region. |
Copilot
AI
Jan 30, 2026
The comments still reference AWS S3 and should be updated to reflect the migration to Cloudflare R2. The comments mention 'Terraform keeps it's state inside S3 bucket' which is no longer accurate since the backend now uses R2.
| # Terraform keeps it's state inside S3 bucket. This bucket needs to be created before running Terraform apply. | |
| # AWS_REGION should be the same as Terraform S3 bucket state region. | |
| # Terraform keeps its state inside a Cloudflare R2 bucket (S3-compatible). This bucket needs to be created before running Terraform apply. | |
| # AWS_REGION should be the same as the Cloudflare R2 bucket region (or the region used for the R2 S3-compatible endpoint). |
| # AWS_REGION is required for aws-actions/configure-aws-credentials@v4 | ||
| # Terraform keeps it's state inside S3 bucket. This bucket needs to be created before running Terraform apply. | ||
| # AWS_REGION should be the same as Terraform S3 bucket state region. | ||
| AWS_REGION: us-east-1 |
Copilot
AI
Jan 30, 2026
The AWS_REGION environment variable is still set to 'us-east-1' but is no longer used since the AWS credential configuration step is commented out. This creates confusion and inconsistency. In the deploy_ensnode_yellow.yml file, AWS_REGION is commented out (line 29), but here it's still active. Either remove this environment variable entirely or comment it out consistently with the deploy workflow.
| AWS_REGION: us-east-1 | |
| # AWS_REGION: us-east-1 |
7bb1a20 to b083a92
Actionable comments posted: 2
🤖 Fix all issues with AI agents
In `@terraform/provider.tf`:
- Around line 12-24: The Terraform R2 backend block is missing required flags;
update the same backend configuration that contains endpoints, region,
skip_credentials_validation, skip_region_validation, and skip_metadata_api_check
by adding skip_requesting_account_id = true, skip_s3_checksum = true, and
use_path_style = true so the backend is fully compatible with Cloudflare R2;
ensure these new boolean flags are placed alongside the existing settings
(endpoints, region, skip_* keys) in the backend block.
In `@terraform/README.md`:
- Around line 9-10: Add a blank line immediately after the "### Cloudflare
Resources" heading in terraform/README.md to satisfy markdownlint; locate the
heading text "### Cloudflare Resources" and insert an empty line before the
following list line ("- R2 bucket for Terraform state - `ensnode-terraform`") so
the heading is separated from content.
b083a92 to b3fc9b1
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@terraform/provider.tf`:
- Around line 15-25: Update the GitHub Actions workflows to use Terraform
>=1.6.3 for R2 backend compatibility: in deploy_ensnode_yellow.yml change the
hashicorp/setup-terraform step's terraform_version from 1.6.0 to 1.6.3; in
plan_terraform_ensnode_yellow.yml replace the undefined reference `${{
env.TERRAFORM_VERSION }}` in the hashicorp/setup-terraform step with an explicit
terraform_version: 1.6.3; and in deploy_ensnode_blue_green.yml add/ensure
terraform_version: 1.6.3 in its hashicorp/setup-terraform step so all three
workflows explicitly pin to at least 1.6.3.
| key = "render-tfstate.json" | ||
| region = "auto" | ||
| skip_credentials_validation = true | ||
| skip_metadata_api_check = true | ||
| skip_region_validation = true | ||
| skip_requesting_account_id = true | ||
| skip_s3_checksum = true | ||
| use_path_style = true | ||
| endpoints = { | ||
| s3 = "https://568d25449daec794a4cf277e3c286406.r2.cloudflarestorage.com" | ||
| } |
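Review bot: with skip_credentials_validation, skip_region_validation and skip_metadata_api_check all set to true, the backend performs none of its pre-flight checks, so a wrong endpoint, a missing bucket or a revoked R2 token only surfaces as an access error on the first state read during terraform init. Since the README entry for the `ensnode-terraform` bucket is the only record of that prerequisite, it is worth stating there that the bucket, and an R2 token scoped to it, must exist before either workflow runs.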
🧩 Analysis chain
Repository: namehash/ensnode
🏁 Script executed:
#!/bin/bash
# Verify Terraform version in workflow files
echo "=== Checking Terraform version in workflows ==="
find .github/workflows -type f -name "*.yml" -o -name "*.yaml" | head -20
🏁 Script executed:
#!/bin/bash
# First, let's find all workflow files and check their Terraform version
echo "=== Workflow files in repository ==="
find .github/workflows -type f \( -name "*.yml" -o -name "*.yaml" \) 2>/dev/null
echo ""
echo "=== Checking Terraform version specifications ==="
find .github/workflows -type f \( -name "*.yml" -o -name "*.yaml" \) 2>/dev/null | xargs grep -l "terraform" 2>/dev/null || echo "No matches found"
🏁 Script executed:
#!/bin/bash
# Check for Terraform version requirements
echo "=== Searching for Terraform version in workflows ==="
rg "terraform|TERRAFORM" .github/workflows/ --type yaml -A 2 -B 1 2>/dev/null || echo "Searching in all files..."
echo ""
echo "=== Checking setup-terraform action ==="
rg "hashicorp/setup-terraform|terraform_version" .github/workflows/ -A 3 2>/dev/null || echo "No matches"
echo ""
echo "=== Checking for version specifications ==="
rg "1\.6|version" .github/workflows/ -i 2>/dev/null | head -20 || echo "No version specs found"
🏁 Script executed:
#!/bin/bash
# List .github directory structure
echo "=== Directory structure ==="
find .github -type f 2>/dev/null | head -30
🏁 Script executed:
#!/bin/bash
# Find TERRAFORM_VERSION definition
echo "=== Searching for TERRAFORM_VERSION definition ==="
rg "TERRAFORM_VERSION" .github/workflows/ -B 2 -A 1
echo ""
echo "=== Checking deploy_ensnode_blue_green.yml for Terraform version ==="
grep -n "setup-terraform\|terraform_version\|TERRAFORM" .github/workflows/deploy_ensnode_blue_green.yml || echo "No match"
echo ""
echo "=== Full context of plan_terraform_ensnode_yellow.yml env section ==="
grep -n "env:" .github/workflows/plan_terraform_ensnode_yellow.yml -A 20 | head -30
🏁 Script executed:
#!/bin/bash
# Get full plan_terraform_ensnode_yellow.yml file to see complete env section
echo "=== Full plan_terraform_ensnode_yellow.yml file ==="
cat -n .github/workflows/plan_terraform_ensnode_yellow.yml
echo ""
echo "=== Check if TERRAFORM_VERSION is globally defined ==="
grep -r "TERRAFORM_VERSION" . --include="*.yml" --include="*.yaml" --include="*.json" --include="*.sh" 2>/dev/null | grep -v ".git"
Update CI workflows to use Terraform 1.6.3 or later for R2 backend compatibility.
The R2 backend configuration requires Terraform ≥1.6.3 for the skip_requesting_account_id and skip_s3_checksum flags, but your current workflows have compatibility issues:
- deploy_ensnode_yellow.yml uses terraform_version: 1.6.0 (too old)
- plan_terraform_ensnode_yellow.yml references ${{ env.TERRAFORM_VERSION }} which is undefined in your repository, causing the workflow to fail
- deploy_ensnode_blue_green.yml does not specify a version constraint
Update both workflows to explicitly use terraform_version: 1.6.3 (or later) in their hashicorp/setup-terraform step, and remove the undefined environment variable reference.
🤖 Prompt for AI Agents
In `@terraform/provider.tf` around lines 15 - 25, Update the GitHub Actions
workflows to use Terraform >=1.6.3 for R2 backend compatibility: in
deploy_ensnode_yellow.yml change the hashicorp/setup-terraform step's
terraform_version from 1.6.0 to 1.6.3; in plan_terraform_ensnode_yellow.yml
replace the undefined reference `${{ env.TERRAFORM_VERSION }}` in the
hashicorp/setup-terraform step with an explicit terraform_version: 1.6.3; and in
deploy_ensnode_blue_green.yml add/ensure terraform_version: 1.6.3 in its
hashicorp/setup-terraform step so all three workflows explicitly pin to at least
1.6.3.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
Comments suppressed due to low confidence (1)
terraform/provider.tf:39
- The AWS provider is being added with a comment about "legacy Route53 resources in state", but no AWS resources (including Route53) are found in the current Terraform configuration. If this provider is truly needed for state migration purposes, please document the migration plan or cleanup steps. If legacy resources have already been removed from state, this provider block and the aws provider requirement (lines 3-6) should be removed to avoid unnecessary dependencies and potential confusion.
| s3 = "https://568d25449daec794a4cf277e3c286406.r2.cloudflarestorage.com" | ||
| } | ||
| } | ||
| } | ||
|
|
Copilot
AI
Jan 31, 2026
The Cloudflare R2 account ID is hardcoded in the endpoint URL. This is a security concern as it exposes the account identifier in version control. Consider using a secret variable like CF_R2_ENDPOINT or CF_R2_ACCOUNT_ID to store this value, similar to how CF_R2_ACCESS_KEY_ID and CF_R2_SECRET_ACCESS_KEY are handled.
| s3 = "https://568d25449daec794a4cf277e3c286406.r2.cloudflarestorage.com" | |
| } | |
| } | |
| } | |
| s3 = var.cf_r2_endpoint | |
| } | |
| } | |
| } | |
| variable "cf_r2_endpoint" { | |
| type = string | |
| description = "Cloudflare R2 S3-compatible endpoint URL for the Terraform backend." | |
| } |
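Review bot: the suggested `s3 = var.cf_r2_endpoint` will not initialize: a `backend` block is evaluated before input variables are loaded, so Terraform rejects `var.` references inside it and `terraform init` fails. If the endpoint is to leave provider.tf, the mechanism is partial backend configuration: omit `endpoints` from the block and pass it at init time with `-backend-config`, which the later comment on the plan workflow already recommends. Note also that the value in question is the Cloudflare account ID, an identifier rather than a credential; the access control that matters is the scope of the R2 token behind CF_R2_ACCESS_KEY_ID and CF_R2_SECRET_ACCESS_KEY, so a repository variable is an adequate home for the URL.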
| bucket = "ensnode-terraform" | ||
| key = "render-tfstate" | ||
| region = "us-east-1" | ||
| key = "render-tfstate.json" |
Copilot
AI
Jan 31, 2026
The state file key has been changed from "render-tfstate" to "render-tfstate.json". This change will cause Terraform to look for the state in a different location, effectively creating a new state file. If there's existing state at the old key location, this could result in Terraform trying to recreate all existing resources. Ensure proper state migration has been performed (using terraform state mv or migrating the file in R2) before applying this change, or document why a fresh state is acceptable.
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In @.github/workflows/plan_terraform_ensnode_yellow.yml:
- Around line 76-84: The Configure AWS credentials step
(aws-actions/configure-aws-credentials@v4) is overwriting AWS env vars required
for Cloudflare R2 auth and causing terraform plan (terraform plan -out=tfplan in
the Terraform Plan step) to fail; fix by moving the AWS credential configuration
to occur before any terraform init/plan, and ensure R2 credentials are passed
explicitly to Terraform init via -backend-config flags (or via distinct
TF_VAR_/backend-specific env vars) so R2 credentials are preserved and not
clobbered by the OIDC-assumed AWS creds.
| - name: Configure AWS credentials | ||
| uses: aws-actions/configure-aws-credentials@v4 | ||
| with: | ||
| role-to-assume: ${{ secrets.AWS_ROLE}} | ||
| aws-region: ${{ env.AWS_REGION }} | ||
|
|
||
| - name: Terraform Plan | ||
| run: terraform plan -out=tfplan | ||
| working-directory: terraform |
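Review bot: the ordering shown here makes the failure described in the comment below deterministic: the `Configure AWS credentials` step exports its own AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, and `terraform plan` in the very next step reads state from R2 with whatever those variables hold at that moment. Moving the action earlier does not help; it only moves the overwrite ahead of init. Since the Copilot overview found no AWS resources left in the configuration (terraform/provider.tf:39), the clean fix is to delete this step together with the `id-token: write` permission that exists only for it; if an aws provider must stay for legacy state, the backend credentials need a home this action does not touch, such as step-level `env:` on the Terraform steps.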
🧩 Analysis chain
Repository: namehash/ensnode
🏁 Script executed:
fd -t f "*.tf" terraform --exec grep -l "backend" {} \;
🏁 Script executed:
cat .github/workflows/plan_terraform_ensnode_yellow.yml | head -100
🏁 Script executed:
rg "AWS_|S3_|R2_" .github/workflows/plan_terraform_ensnode_yellow.yml -n
🏁 Script executed:
find terraform -type f -name "*.tf" | head -10
🏁 Script executed:
rg -n "backend\|terraform" terraform -A 5 | head -100
🏁 Script executed:
cat terraform/main.tf | head -80
🏁 Script executed:
rg -n "backend\s*\{" terraform -A 10
🏁 Script executed:
find terraform -name "*.tf" -exec grep -l "backend" {} \;
🏁 Script executed:
cat terraform/*.tf | grep -A 20 "terraform\s*{"
🏁 Script executed:
cat terraform/provider.tf | grep -A 30 "backend"
🏁 Script executed:
rg "skip_credentials_validation|terraform workspace|terraform init" .github/workflows/plan_terraform_ensnode_yellow.yml -B 2 -A 3
Credential overwrite will break R2 backend access during terraform plan.
The aws-actions/configure-aws-credentials@v4 step overwrites AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY with OIDC-assumed AWS credentials. Since terraform plan needs to read state from the Cloudflare R2 backend (configured in terraform/provider.tf), and R2 requires its own credentials (not AWS credentials), the plan step will fail with authentication errors.
Fix by moving the AWS credentials configuration before terraform init and using -backend-config flags to explicitly provide R2 credentials during init, or by using separate environment variables (e.g., TF_VAR_* or backend-specific vars) that persist after the AWS credentials step.
🤖 Prompt for AI Agents
In @.github/workflows/plan_terraform_ensnode_yellow.yml around lines 76 - 84,
The Configure AWS credentials step (aws-actions/configure-aws-credentials@v4) is
overwriting AWS env vars required for Cloudflare R2 auth and causing terraform
plan (terraform plan -out=tfplan in the Terraform Plan step) to fail; fix by
moving the AWS credential configuration to occur before any terraform init/plan,
and ensure R2 credentials are passed explicitly to Terraform init via
-backend-config flags (or via distinct TF_VAR_/backend-specific env vars) so R2
credentials are preserved and not clobbered by the OIDC-assumed AWS creds.
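One way to lay out the plan job so that the R2 credentials are scoped to the Terraform steps and the endpoint leaves provider.tf without a `var.` reference, as an added illustration rather than code from this PR. The job layout, the repository variable `vars.CF_R2_ENDPOINT`, `actions/checkout@v4` and `hashicorp/setup-terraform@v3` are assumptions; the secret names, bucket, key and backend flags are the ones discussed above, and the `backend "s3"` block in provider.tf is assumed to keep everything except `endpoints`.

```yaml
# Assumed layout of the plan job (illustration, not the PR's file).
# Prerequisites, also assumed: the `backend "s3"` block in terraform/provider.tf
# keeps bucket, key, region = "auto" and the skip_*/use_path_style flags but
# omits `endpoints`, which is supplied at init time below; CF_R2_ENDPOINT is a
# repository variable holding the account-scoped R2 URL (an identifier, not a
# secret); the two CF_R2_* secrets are an R2 token scoped to the state bucket.
jobs:
  plan:
    runs-on: ubuntu-latest
    # Nothing in this job exchanges an OIDC token, so id-token: write is not
    # requested; GITHUB_TOKEN keeps the minimum scope the job needs.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4

      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: 1.6.3

      # The R2 key pair is set on the Terraform steps only. A job-level env
      # would hand it to every step, including third-party actions, and any
      # later step that exports AWS_* variables (configure-aws-credentials)
      # would shadow it before plan runs.
      - name: Terraform Init
        working-directory: terraform
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_SECRET_ACCESS_KEY }}
        run: |
          # Partial backend configuration: the endpoint is written to a file on
          # the runner and merged into the backend block at init. Only the
          # endpoint goes this way; credentials stay in env, because values
          # passed through -backend-config are persisted in plaintext under
          # .terraform/ for later commands to reuse.
          cat > r2.backend.hcl <<EOF
          endpoints = { s3 = "${{ vars.CF_R2_ENDPOINT }}" }
          EOF
          terraform init -input=false -backend-config=r2.backend.hcl

      - name: Terraform Plan
        working-directory: terraform
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_SECRET_ACCESS_KEY }}
        run: terraform plan -input=false -out=tfplan
```

The same two-step shape applies to the deploy workflow, with `terraform apply tfplan` in place of the plan step.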
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| env: | ||
| AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }} | ||
| AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_SECRET_ACCESS_KEY }} |
Copilot
AI
Jan 31, 2026
The AWS credentials are being set twice with the same values - once at the job level (lines 32-33) and again in the "Terraform Init" step (lines 63-64). The job-level environment variables should be sufficient. The redundant setting in the Terraform Init step can be removed for cleaner code.
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_SECRET_ACCESS_KEY }} |
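Review bot: before removing the step-level copy, consider keeping that one and dropping the job-level definition instead. Job-level `env:` puts the R2 key pair into the environment of every step in the job, including third-party actions that have no use for it, whereas step-level `env:` on the Terraform steps limits exposure to the processes that actually talk to the backend. Either way the pair should be defined once; the tighter scope is the step.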