kubevela
diff --git a/‎hack/tool/backup_restore/README.md
+197 b/‎hack/tool/backup_restore/README.md
+197
diff --git a/‎hack/tool/backup_restore/cmd/restore.go
+190 b/‎hack/tool/backup_restore/cmd/restore.go
+190
@@ -0,0 +1,197 @@
+# Backup & Restore
+
+This go module is a command line tool to back up and restore the configuration and the Terraform state.
+
+It has two subcommands `backup` and `restore`.
+
+## `restore`
+
+The main usage of the `restore` subcommand is to import an "outside" Terraform instance (maybe created by the terraform command line or managed by another terraform-controller before) to the terraform-controller in the target Kubernetes without recreating the cloud resources.
+
+To use the `restore` subcommand, you should:
+
+1. Prepare the `configuration.yaml` file and the `state.json` file whose content is the state json of the Terraform instance which would be imported.
+
+2. Confirm that the environment variables set in terraform-controller are also set in the current execution environment.
+
+3. Run the `restore` command: `go run main.go restore --configuration <path/to/your/configuration.yaml> --state <path/to/your/state.json>`
+
+To find more usages of the `restore` subcommand, please run `go run main.go restore -h` for help.
+
+### Example
+
+You can find the example in the directory [examples/oss](examples/oss).
+
+Assume that we have created an oss bucket named `restore-example` by applying the `main.tf` using the Terraform command line tool.
+
+```hcl
+provider "alicloud" {
+  alias  = "bj-prod"
+  region = "cn-beijing"
+}
+
+resource "alicloud_oss_bucket" "bucket-acl" {
+  bucket = var.bucket
+  acl = var.acl
+}
+
+output "BUCKET_NAME" {
+  value = "${alicloud_oss_bucket.bucket-acl.bucket}.${alicloud_oss_bucket.bucket-acl.extranet_endpoint}"
+}
+
+variable "bucket" {
+  description = "OSS bucket name"
+  default = "vela-website"
+  type = string
+}
+
+variable "acl" {
+  description = "OSS bucket ACL, supported 'private', 'public-read', 'public-read-write'"
+  default = "private"
+  type = string
+}
+```
+
+```shell
+terraform init && terraform apply -f main.tf
+```
+
+We can get the Terraform state from the backend using `terraform state pull` and store it in the `state.json`. The Terraform state is a json string like the flowing:
+
+```json
+{
+  "version": 4,
+  "terraform_version": "1.1.9",
+  "serial": 4,
+  "lineage": "*******",
+  "outputs": {
+    "BUCKET_NAME": {
+      "value": "restore-example.oss-cn-beijing.aliyuncs.com",
+      "type": "string"
+    }
+  },
+  "resources": [
+    {
+      "mode": "managed",
+      "type": "alicloud_oss_bucket",
+      "name": "bucket-acl",
+      "provider": "provider[\"registry.terraform.io/hashicorp/alicloud\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "acl": "private",
+            "bucket": "restore-example",
+            "cors_rule": [],
+            "creation_date": "2022-05-25",
+            "extranet_endpoint": "oss-cn-beijing.aliyuncs.com",
+            "force_destroy": false,
+            "id": "restore-example",
+            "intranet_endpoint": "oss-cn-beijing-internal.aliyuncs.com",
+            "lifecycle_rule": [],
+            "location": "oss-cn-beijing",
+            "logging": [],
+            "logging_isenable": null,
+            "owner": "*******",
+            "policy": "",
+            "redundancy_type": "LRS",
+            "referer_config": [],
+            "server_side_encryption_rule": [],
+            "storage_class": "Standard",
+            "tags": {},
+            "transfer_acceleration": [],
+            "versioning": [],
+            "website": []
+          },
+          "sensitive_attributes": [],
+          "private": "*******=="
+        }
+      ]
+    }
+  ]
+}
+```
+
+Now, we need to restore(import) the Terraform instance into the target terraform-controller.
+
+First, we need to prepare the `configuration.yaml`:
+
+```yaml
+apiVersion: terraform.core.oam.dev/v1beta2
+kind: Configuration
+metadata:
+  name: alibaba-oss-bucket-hcl-restore-example
+spec:
+  hcl: |
+    resource "alicloud_oss_bucket" "bucket-acl" {
+      bucket = var.bucket
+      acl = var.acl
+    }
+
+    output "BUCKET_NAME" {
+      value = "${alicloud_oss_bucket.bucket-acl.bucket}.${alicloud_oss_bucket.bucket-acl.extranet_endpoint}"
+    }
+
+    variable "bucket" {
+      description = "OSS bucket name"
+      default = "loheagn-terraform-controller-2"
+      type = string
+    }
+
+    variable "acl" {
+      description = "OSS bucket ACL, supported 'private', 'public-read', 'public-read-write'"
+      default = "private"
+      type = string
+    }
+
+  backend:
+    backendType: kubernetes
+    kubernetes:
+      secret_suffix: 'ali-oss'
+      namespace: 'default'
+
+  variable:
+    bucket: "restore-example"
+    acl: "private"
+
+  writeConnectionSecretToRef:
+    name: oss-conn
+    namespace: default
+
+```
+
+Second, we need to confirm that the environment variables set in terraform-controller are also set in the current execution environment. In this case, please make sure you have set `ALICLOUD_ACCESS_KEY` and `ALICLOUD_SECRET_KEY`.
+
+Third, run the restore subcommand:
+
+```shell
+go run main.go restore --configuration examples/oss/configuration.yaml --state examples/oss/state.json
+```
+
+Finally, you can check the status of the configuration restored just now:
+
+```shell
+$ kubectl get configuration.terraform.core.oam.dev
+NAME                                     STATE       AGE
+alibaba-oss-bucket-hcl-restore-example   Available   13m
+```
+
+And you can check the logs of the `terraform-executor` in the pod of the "terraform apply" job:
+
+```shell
+$ kubectl logs alibaba-oss-bucket-hcl-restore-example-apply--1-b29d6 terraform-executor
+alicloud_oss_bucket.bucket-acl: Refreshing state... [id=restore-example]
+
+No changes. Your infrastructure matches the configuration.
+
+Terraform has compared your real infrastructure against your configuration
+and found no differences, so no changes are needed.
+
+Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
+
+Outputs:
+
+BUCKET_NAME = "restore-example.oss-cn-beijing.aliyuncs.com"
+```
+
+You can see the "No changes.". This shows that we did not recreate cloud resources during the restore process.
@@ -0,0 +1,190 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cmd
+
+import (
+	"bytes"
+	"compress/gzip"
+	"context"
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"path/filepath"
+
+	"github.com/oam-dev/terraform-controller/api/v1beta2"
+	"github.com/oam-dev/terraform-controller/controllers/configuration/backend"
+	"github.com/spf13/cobra"
+	v1 "k8s.io/api/core/v1"
+	kerrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer/json"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+var (
+	stateJSONPath     string
+	configurationPath string
+	k8sClient         client.Client
+)
+
+// newRestoreCmd represents the restore command
+func newRestoreCmd(kubeFlags *genericclioptions.ConfigFlags) *cobra.Command {
+	restoreCmd := &cobra.Command{
+		Use: "restore",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			var err error
+			k8sClient, err = buildClientSet(kubeFlags)
+			if err != nil {
+				return err
+			}
+			pwd, err := os.Getwd()
+			if err != nil {
+				return err
+			}
+			stateJSONPath = filepath.Join(pwd, stateJSONPath)
+			configurationPath = filepath.Join(pwd, configurationPath)
+			return restore(context.Background())
+		},
+	}
+	restoreCmd.Flags().StringVar(&stateJSONPath, "state", "state.json", "the path of the backed up Terraform state file")
+	restoreCmd.Flags().StringVar(&configurationPath, "configuration", "configuration.yaml", "the path of the backed up configuration objcet yaml file")
+	return restoreCmd
+}
+
+func buildClientSet(kubeFlags *genericclioptions.ConfigFlags) (client.Client, error) {
+	config, err := kubeFlags.ToRESTConfig()
+	if err != nil {
+		return nil, err
+	}
+	return client.New(config, client.Options{})
+}
+
+func restore(ctx context.Context) error {
+	configuration, err := getConfiguration()
+	if err != nil {
+		return err
+	}
+	backendInterface, err := backend.ParseConfigurationBackend(configuration, k8sClient)
+	if err != nil {
+		return err
+	}
+
+	// restore the backend
+	if err := resumeK8SBackend(ctx, backendInterface); err != nil {
+		return err
+	}
+
+	// apply the configuration yaml
+	// FIXME (loheagn) use the restClient to do this
+	applyCmd := exec.Command("bash", "-c", fmt.Sprintf("kubectl apply -f %s", configurationPath))
+	if err := applyCmd.Run(); err != nil {
+		return err
+	}
+	return nil
+}
+
+func getConfiguration() (*v1beta2.Configuration, error) {
+	configurationYamlBytes, err := os.ReadFile(configurationPath)
+	if err != nil {
+		return nil, err
+	}
+	configuration := &v1beta2.Configuration{}
+	scheme := runtime.NewScheme()
+	serializer := json.NewSerializerWithOptions(json.DefaultMetaFactory, scheme, scheme, json.SerializerOptions{Yaml: true})
+	if _, _, err := serializer.Decode(configurationYamlBytes, nil, configuration); err != nil {
+		return nil, err
+	}
+	return configuration, nil
+}
+
+func resumeK8SBackend(ctx context.Context, backendInterface backend.Backend) error {
+	k8sBackend, ok := backendInterface.(*backend.K8SBackend)
+	if !ok {
+		log.Println("the configuration doesn't use the kubernetes backend, no need to restore the Terraform state")
+		return nil
+	}
+
+	tfState, err := compressedTFState()
+	if err != nil {
+		return err
+	}
+
+	var gotSecret v1.Secret
+
+	configureSecret := func() {
+		if gotSecret.Annotations == nil {
+			gotSecret.Annotations = make(map[string]string)
+		}
+		gotSecret.Annotations["encoding"] = "gzip"
+
+		if gotSecret.Labels == nil {
+			gotSecret.Labels = make(map[string]string)
+		}
+		gotSecret.Labels["app.kubernetes.io/managed-by"] = "terraform"
+		gotSecret.Labels["tfstate"] = "true"
+		gotSecret.Labels["tfstateSecretSuffix"] = k8sBackend.SecretSuffix
+		gotSecret.Labels["tfstateWorkspace"] = "default"
+
+		gotSecret.Type = v1.SecretTypeOpaque
+	}
+
+	if err := k8sClient.Get(ctx, client.ObjectKey{Name: "tfstate-default-" + k8sBackend.SecretSuffix, Namespace: k8sBackend.SecretNS}, &gotSecret); err != nil {
+		if !kerrors.IsNotFound(err) {
+			return err
+		}
+		// is not found, create the secret
+		gotSecret = v1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "tfstate-default-" + k8sBackend.SecretSuffix,
+				Namespace: k8sBackend.SecretNS,
+			},
+			Type: v1.SecretTypeOpaque,
+			Data: map[string][]byte{
+				"tfstate": tfState,
+			},
+		}
+		configureSecret()
+		if err := k8sClient.Create(ctx, &gotSecret); err != nil {
+			return err
+		}
+	} else {
+		// update the secret
+		configureSecret()
+		gotSecret.Data["tfstate"] = tfState
+		if err := k8sClient.Update(ctx, &gotSecret); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func compressedTFState() ([]byte, error) {
+	srcBytes, err := os.ReadFile(stateJSONPath)
+	var buf bytes.Buffer
+	writer := gzip.NewWriter(&buf)
+	_, err = writer.Write(srcBytes)
+	if err != nil {
+		return nil, err
+	}
+	if err := writer.Close(); err != nil {
+		return nil, err
+	}
+	return buf.Bytes(), nil
+}