diff --git a/.github/linters/.markdown-lint.yml b/.github/linters/.markdown-lint.yml
index 93abbad3..7b924f42 100644
--- a/.github/linters/.markdown-lint.yml
+++ b/.github/linters/.markdown-lint.yml
@@ -1,5 +1,5 @@
 # Default state for all rules
-default: true
+default: false
 # Ignore MD041/first-line-heading/first-line-h1
 # Error: First line in a file should be a top-level heading [Context: "## what"]
diff --git a/Dockerfile b/Dockerfile
index c79e3cf8..5c8c12a7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,6 +11,7 @@ RUN apk --update --no-cache add \
 ca-certificates \
 coreutils \
 curl \
+ unzip \
 git \
 gettext \
 go \
@@ -77,6 +78,17 @@ RUN update-alternatives --set terraform /usr/share/terraform/$DEFAULT_TERRAFORM_
 mkdir -p /build-harness/vendor && \
 cp -p /usr/share/terraform/$DEFAULT_TERRAFORM_VERSION/bin/terraform /build-harness/vendor/terraform
+# Install tflint
+RUN curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash
+COPY <= 0.12.26'
+ terraform/fmt Format terraform
 terraform/get-modules (Obsolete) Ensure all modules can be fetched
 terraform/get-plugins (Obsolete) Ensure all plugins can be fetched
 terraform/install Install terraform
- terraform/lint Lint check Terraform
+ terraform/lint Format check terraform
 terraform/loosen-constraints and convert "~>" constraints to ">=".
+ terraform/precommit Terraform pull-request routine check/update
 terraform/rewrite-required-providers Rewrite versions.tf to update existing configuration to add an explicit source attribute for each provider
+ terraform/tflint Lint terraform (with tflint)
 terraform/upgrade-modules This target has not been upgraded to handle registry format
 terraform/validate Basic terraform sanity check
 travis/docker-login Login into docker hub
diff --git a/docs/targets.md b/docs/targets.md
index 395b3159..aa777142 100644
--- a/docs/targets.md
+++ b/docs/targets.md
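Review bot: The tflint install at `RUN curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash` executes an unpinned script fetched from a mutable branch with no checksum, so whatever that branch (and the release it resolves to at build time) serves ends up in every image built from this harness, and `-s` without `-f` lets a failed download pass silently into `bash`. Every other tool in this Dockerfile is versioned (the `$DEFAULT_TERRAFORM_VERSION` alternative in the context lines above), so tflint should be too: download a fixed release archive by version, verify it against the checksum file published with that release (confirm the exact asset names on the tflint release page), then unzip it, which is also what the newly added `unzip` package is for. The `+COPY <` line that follows is truncated in this view, so I cannot tell what is copied in alongside the binary.
```dockerfile
# Install tflint: pin the release and verify it instead of piping an unpinned script to bash
ARG TFLINT_VERSION   # pass --build-arg TFLINT_VERSION=<release in use>; pin it in the build config
RUN curl -fsSL -o /tmp/tflint.zip "https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/tflint_linux_amd64.zip" && \
    curl -fsSL -o /tmp/tflint_checksums.txt "https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt" && \
    (cd /tmp && grep ' tflint_linux_amd64.zip$' tflint_checksums.txt | sha256sum -c -) && \
    unzip -o /tmp/tflint.zip tflint -d /usr/local/bin && chmod 0755 /usr/local/bin/tflint && \
    rm -f /tmp/tflint.zip /tmp/tflint_checksums.txt
# … unchanged: the COPY line that follows …
```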
@@ -120,12 +120,15 @@ Available targets:
 template/build Create $OUT file by building it from $IN template file
 template/deps Install dependencies
 terraform/bump-tf-12-min-version Rewrite versions.tf to bump modules with minimum core version of '0.12.x' to '>= 0.12.26'
+ terraform/fmt Format terraform
 terraform/get-modules (Obsolete) Ensure all modules can be fetched
 terraform/get-plugins (Obsolete) Ensure all plugins can be fetched
 terraform/install Install terraform
- terraform/lint Lint check Terraform
+ terraform/lint Format check terraform
 terraform/loosen-constraints and convert "~>" constraints to ">=".
+ terraform/precommit Terraform pull-request routine check/update
 terraform/rewrite-required-providers Rewrite versions.tf to update existing configuration to add an explicit source attribute for each provider
+ terraform/tflint Lint terraform (with tflint)
 terraform/upgrade-modules This target has not been upgraded to handle registry format
 terraform/validate Basic terraform sanity check
 travis/docker-login Login into docker hub
diff --git a/modules/github/Makefile.init b/modules/github/Makefile.init
index 1de04030..3909258c 100644
--- a/modules/github/Makefile.init
+++ b/modules/github/Makefile.init
@@ -4,17 +4,16 @@ GITHUB_TEMPLATES = \
 .github/ISSUE_TEMPLATE/feature_request.yml \
 .github/ISSUE_TEMPLATE/bug_report.yml \
 .github/ISSUE_TEMPLATE/question.md \
- .github/auto-release.yml \
- .github/workflows/auto-release.yml \
- .github/workflows/validate-codeowners.yml
 # Install extra configuration for terraform projects
-GITHUB_TERRAFORM_TEMPLATES = .github/workflows/chatops.yml \
- .github/workflows/auto-context.yml \
- .github/workflows/auto-format.yml \
- .github/workflows/auto-readme.yml \
+GITHUB_TERRAFORM_TEMPLATES = .github/workflows/feature-branch.yml \
+ .github/workflows/feature-branch-chatops.yml \
+ .github/workflows/release-branch.yml \
+ .github/workflows/release-published.yml \
+ .github/workflows/scheduled.yml \
 .github/mergify.yml \
- .github/renovate.json
+ .github/renovate.json \
+ .github/auto-release.yml
 GTIHUB_CODEOWNERS_FILE = .github/CODEOWNERS
diff --git a/modules/terraform/Makefile b/modules/terraform/Makefile
index 59658cbe..d59f25e3 100644
--- a/modules/terraform/Makefile
+++ b/modules/terraform/Makefile
@@ -26,7 +26,11 @@ terraform/get-modules:
 terraform/validate:
 @$(TERRAFORM) validate
-## Lint check Terraform
+## Lint terraform (with tflint)
+terraform/tflint:
+ tflint --enable-plugin=aws
+
+## Format check terraform
 terraform/lint:
 ifeq ($(OS), darwin)
 @FAIL=`$(TERRAFORM) fmt -write=false | xargs -n 1 printf '\t- %s\n'`; \
@@ -36,6 +40,7 @@ else
 [ -z "$$FAIL" ] || (echo "Terraform configuration needs linting. Run '$(TERRAFORM) fmt'"; echo $$FAIL; exit 1)
 endif
+## Format terraform
 terraform/fmt:
 ifeq ($(wildcard *.tf),)
 @echo "* $@: No terraform files detected"
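Review bot: Removing `.github/workflows/validate-codeowners.yml` from `GITHUB_TEMPLATES` while `GTIHUB_CODEOWNERS_FILE = .github/CODEOWNERS` (context line below) is still installed means non-terraform repos keep receiving a CODEOWNERS file but lose the syntax/owner check that guarded it; terraform repos presumably get that check from the reusable feature-branch workflow, but nothing in this hunk shows it, and the generic list now installs only issue templates. If that is intentional, record it next to the list, e.g. `# validate-codeowners is now provided by the shared feature-branch workflow (terraform repos only)`; otherwise keep the template in `GITHUB_TEMPLATES` until the replacement is confirmed. The `GITHUB_TEMPLATES` assignment starts before this hunk, so I cannot see whether anything else was dropped from it.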
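Review bot: The new `terraform/tflint` target runs `tflint --enable-plugin=aws` with no plugin installation step and no version pin: tflint resolves `--enable-plugin=aws` against a ruleset plugin that has to be present (normally installed by `tflint --init` from a `.tflint.hcl` that pins the plugin `version` and `source`), so in a fresh container this either fails or, depending on the tflint version that the unpinned installer happened to fetch, downloads whatever plugin release is current at run time — I see no `.tflint.hcl` anywhere in this diff. The target also breaks the conventions of its neighbours: `terraform/lint` and `terraform/fmt` go through `$(TERRAFORM)` and `terraform/fmt` guards on `$(wildcard *.tf)`, whereas this one hard-codes the binary and runs unconditionally, and none of the three is declared `.PHONY`. A minimal fix is `TFLINT ?= tflint` next to the existing `TERRAFORM` variable (defined outside this hunk), then a recipe of `$(TFLINT) --init` followed by `$(TFLINT) --enable-plugin=aws`, with the `.tflint.hcl` that `--init` reads shipped as a template so the plugin version is pinned.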
@@ -114,3 +119,6 @@ terraform/rewrite-required-providers: terraform/loosen-constraints
 terraform/v14-rewrite: TERRAFORM = terraform-0.13
 terraform/v14-rewrite: terraform/loosen-constraints terraform/bump-tf-12-min-version terraform/rewrite-required-providers terraform/rewrite-module-source terraform/rewrite-readme-source
 @{ [[ "$(TERRAFORM_FORCE_README)" != "true" ]] && git diff --no-patch --exit-code README.yaml; } || $(MAKE) readme
+
+## Terraform pull-request routine check/update
+terraform/precommit: terraform/fmt terraform/tflint readme/build
diff --git a/templates/.github/workflows/auto-release.yml b/templates/.github/workflows/auto-release.yml
deleted file mode 100644
index 17d6cabb..00000000
--- a/templates/.github/workflows/auto-release.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-name: auto-release
-
-on:
- push:
- branches:
- - main
- - master
- - production
-
-jobs:
- publish:
- runs-on: ubuntu-latest
- steps:
- # Get PR from merged commit to master
- - uses: actions-ecosystem/action-get-merged-pull-request@v1
- id: get-merged-pull-request
- with:
- github_token: ${{ secrets.REPO_ACCESS_TOKEN }}
- # Drafts your next Release notes as Pull Requests are merged into "main"
- - uses: release-drafter/release-drafter@v5
- with:
- publish: ${{ !contains(steps.get-merged-pull-request.outputs.labels, 'no-release') }}
- prerelease: false
- config-name: auto-release.yml
- env:
- GITHUB_TOKEN: ${{ secrets.REPO_ACCESS_TOKEN }}
diff --git a/templates/.github/workflows/validate-codeowners.yml b/templates/.github/workflows/validate-codeowners.yml
deleted file mode 100644
index b3f7c327..00000000
--- a/templates/.github/workflows/validate-codeowners.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-name: Validate Codeowners
-on:
- workflow_dispatch:
-
- pull_request:
-
-jobs:
- validate-codeowners:
- runs-on: ubuntu-latest
- steps:
- - name: "Checkout source code at current commit"
- uses: actions/checkout@v2
- # Leave pinned at 0.7.1 until https://github.com/mszostok/codeowners-validator/issues/173 is resolved
- - uses: mszostok/codeowners-validator@v0.7.1
- if: github.event.pull_request.head.repo.full_name == github.repository
- name: "Full check of CODEOWNERS"
- with:
- # For now, remove "files" check to allow CODEOWNERS to specify non-existent
- # files so we can use the same CODEOWNERS file for Terraform and non-Terraform repos
- # checks: "files,syntax,owners,duppatterns"
- checks: "syntax,owners,duppatterns"
- owner_checker_allow_unowned_patterns: "false"
- # GitHub access token is required only if the `owners` check is enabled
- github_access_token: "${{ secrets.REPO_ACCESS_TOKEN }}"
- - uses: mszostok/codeowners-validator@v0.7.1
- if: github.event.pull_request.head.repo.full_name != github.repository
- name: "Syntax check of CODEOWNERS"
- with:
- checks: "syntax,duppatterns"
- owner_checker_allow_unowned_patterns: "false"
diff --git a/templates/.github/auto-release.yml b/templates/terraform/.github/auto-release.yml
similarity index 97%
rename from templates/.github/auto-release.yml
rename to templates/terraform/.github/auto-release.yml
index 17cd39c8..cc9bf057 100644
--- a/templates/.github/auto-release.yml
+++ b/templates/terraform/.github/auto-release.yml
@@ -18,6 +18,7 @@ version-resolver:
 - 'bug'
 - 'hotfix'
 default: 'minor'
+filter-by-commitish: true
 categories:
 - title: '🚀 Enhancements'
diff --git a/templates/terraform/.github/workflows/auto-context.yml b/templates/terraform/.github/workflows/auto-context.yml
deleted file mode 100644
index e439b602..00000000
--- a/templates/terraform/.github/workflows/auto-context.yml
+++ /dev/null
@@ -1,67 +0,0 @@
-name: "auto-context"
-on:
- schedule:
- # Update context.tf nightly
- - cron: '0 3 * * *'
-
-jobs:
- update:
- if: github.event_name == 'schedule'
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
-
- - name: Find default branch name
- id: defaultBranch
- shell: bash
- env:
- GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- run: |
- default_branch=$(gh repo view --json defaultBranchRef --jq .defaultBranchRef.name)
- echo "defaultBranch=${default_branch}" >> "$GITHUB_OUTPUT"
- printf "defaultBranchRef.name=%s\n" "${default_branch}"
-
- - name: Update context.tf
- shell: bash
- id: update
- env:
- GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- run: |
- if [[ -f context.tf ]]; then
- echo "Discovered existing context.tf! Fetching most recent version to see if there is an update."
- curl -o context.tf -fsSL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf
- if git diff --no-patch --exit-code context.tf; then
- echo "No changes detected! Exiting the job..."
- else
- echo "context.tf file has changed. Update examples and rebuild README.md."
- make init
- make github/init/context.tf
- make readme/build
- echo "create_pull_request=true" >> "$GITHUB_OUTPUT"
- fi
- else
- echo "This module has not yet been updated to support the context.tf pattern! Please update in order to support automatic updates."
- fi
-
- - name: Create Pull Request
- if: steps.update.outputs.create_pull_request == 'true'
- uses: cloudposse/actions/github/create-pull-request@0.30.0
- with:
- token: ${{ secrets.REPO_ACCESS_TOKEN }}
- committer: 'cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>'
- author: 'cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>'
- commit-message: Update context.tf from origin source
- title: Update context.tf
- body: |-
- ## what
- This is an auto-generated PR that updates the `context.tf` file to the latest version from `cloudposse/terraform-null-label`
-
- ## why
- To support all the features of the `context` interface.
-
- branch: auto-update/context.tf
- base: ${{ steps.defaultBranch.outputs.defaultBranch }}
- delete-branch: true
- labels: |
- auto-update
- context
diff --git a/templates/terraform/.github/workflows/auto-format.yml b/templates/terraform/.github/workflows/auto-format.yml
deleted file mode 100644
index b8c20641..00000000
--- a/templates/terraform/.github/workflows/auto-format.yml
+++ /dev/null
@@ -1,88 +0,0 @@
-name: Auto Format
-on:
- pull_request_target:
- types: [opened, synchronize]
-
-jobs:
- auto-format:
- runs-on: ubuntu-latest
- container: cloudposse/build-harness:latest
- steps:
- # Checkout the pull request branch
- # "An action in a workflow run can’t trigger a new workflow run. For example, if an action pushes code using
- # the repository’s GITHUB_TOKEN, a new workflow will not run even when the repository contains
- # a workflow configured to run when push events occur."
- # However, using a personal access token will cause events to be triggered.
- # We need that to ensure a status gets posted after the auto-format commit.
- # We also want to trigger tests if the auto-format made no changes.
- - uses: actions/checkout@v2
- if: github.event.pull_request.state == 'open'
- name: Privileged Checkout
- with:
- token: ${{ secrets.REPO_ACCESS_TOKEN }}
- repository: ${{ github.event.pull_request.head.repo.full_name }}
- # Check out the PR commit, not the merge commit
- # Use `ref` instead of `sha` to enable pushing back to `ref`
- ref: ${{ github.event.pull_request.head.ref }}
-
- # Do all the formatting stuff
- - name: Auto Format
- if: github.event.pull_request.state == 'open'
- shell: bash
- env:
- GITHUB_TOKEN: "${{ secrets.REPO_ACCESS_TOKEN }}"
- run: make BUILD_HARNESS_PATH=/build-harness PACKAGES_PREFER_HOST=true -f /build-harness/templates/Makefile.build-harness pr/auto-format/host
-
- # Commit changes (if any) to the PR branch
- - name: Commit changes to the PR branch
- if: github.event.pull_request.state == 'open'
- shell: bash
- id: commit
- env:
- SENDER: ${{ github.event.sender.login }}
- run: |
- set -x
- output=$(git diff --name-only)
-
- if [ -n "$output" ]; then
- echo "Changes detected.
Pushing to the PR branch"
- git config --global user.name 'cloudpossebot'
- git config --global user.email '11232728+cloudpossebot@users.noreply.github.com'
- git add -A
- git commit -m "Auto Format"
- # Prevent looping by not pushing changes in response to changes from cloudpossebot
- [[ $SENDER == "cloudpossebot" ]] || git push
- # Set status to fail, because the push should trigger another status check,
- # and we use success to indicate the checks are finished.
- echo "changed=true" >> "$GITHUB_OUTPUT"
- exit 1
- else
- echo "changed=false" >> "$GITHUB_OUTPUT"
- echo "No changes detected"
- fi
-
- - name: Auto Test
- uses: cloudposse/actions/github/repository-dispatch@0.30.0
- # match users by ID because logins (user names) are inconsistent,
- # for example in the REST API Renovate Bot is `renovate[bot]` but
- # in GraphQL it is just `renovate`, plus there is a non-bot
- # user `renovate` with ID 1832810.
- # Mergify bot: 37929162
- # Renovate bot: 29139614
- # Cloudpossebot: 11232728
- # Need to use space separators to prevent "21" from matching "112144"
- if: >
- contains(' 37929162 29139614 11232728 ', format(' {0} ', github.event.pull_request.user.id))
- && steps.commit.outputs.changed == 'false' && github.event.pull_request.state == 'open'
- with:
- token: ${{ secrets.REPO_ACCESS_TOKEN }}
- repository: cloudposse/actions
- event-type: test-command
- client-payload: |-
- { "slash_command":{"args": {"unnamed": {"all": "all", "arg1": "all"}}},
- "pull_request": ${{ toJSON(github.event.pull_request) }},
- "github":{"payload":{"repository": ${{ toJSON(github.event.repository) }},
- "comment": {"id": ""}
- }
- }
- }
diff --git a/templates/terraform/.github/workflows/auto-readme.yml b/templates/terraform/.github/workflows/auto-readme.yml
deleted file mode 100644
index b2db520b..00000000
--- a/templates/terraform/.github/workflows/auto-readme.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-name: "auto-readme"
-on:
- workflow_dispatch:
-
- schedule:
- # Example of job definition:
- # .---------------- minute (0 - 59)
- # | .------------- hour (0 - 23)
- # | | .---------- day of month (1 - 31)
- # | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
- # | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
- # | | | | |
- # * * * * * user-name command to be executed
-
- # Update README.md nightly at 4am UTC
- - cron: '0 4 * * *'
-
-jobs:
- update:
- if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
-
- - name: Find default branch name
- id: defaultBranch
- shell: bash
- env:
- GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- run: |
- default_branch=$(gh repo view --json defaultBranchRef --jq .defaultBranchRef.name)
- echo "defaultBranch=${default_branch}" >> "$GITHUB_OUTPUT"
- printf "defaultBranchRef.name=%s\n" "${default_branch}"
-
- - name: Update readme
- shell: bash
- id: update
- env:
- GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- DEF: "${{ steps.defaultBranch.outputs.defaultBranch }}"
- run: |
- make init
- make readme/build
- # Ignore changes if they are only whitespace
- if ! git diff --quiet README.md && git diff --ignore-all-space --ignore-blank-lines --quiet README.md; then
- git restore README.md
- echo Ignoring whitespace-only changes in README
- fi
-
- - name: Create Pull Request
- # This action will not create or change a pull request if there are no changes to make.
- # If a PR of the auto-update/readme branch is open, this action will just update it, not create a new PR.
- uses: cloudposse/actions/github/create-pull-request@0.30.0
- with:
- token: ${{ secrets.REPO_ACCESS_TOKEN }}
- commit-message: Update README.md and docs
- title: Update README.md and docs
- body: |-
- ## what
- This is an auto-generated PR that updates the README.md and docs
-
- ## why
- To have most recent changes of README.md and doc from origin templates
-
- branch: auto-update/readme
- base: ${{ steps.defaultBranch.outputs.defaultBranch }}
- delete-branch: true
- labels: |
- auto-update
- no-release
- readme
diff --git a/templates/terraform/.github/workflows/chatops.yml b/templates/terraform/.github/workflows/chatops.yml
deleted file mode 100644
index 0f645747..00000000
--- a/templates/terraform/.github/workflows/chatops.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-name: chatops
-on:
- issue_comment:
- types: [created]
-
-jobs:
- default:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- - name: "Handle common commands"
- uses: cloudposse/actions/github/slash-command-dispatch@0.30.0
- with:
- token: ${{ secrets.REPO_ACCESS_TOKEN }}
- reaction-token: ${{ secrets.GITHUB_TOKEN }}
- repository: cloudposse/actions
- commands: rebuild-readme, terraform-fmt
- permission: triage
- issue-type: pull-request
-
- test:
- runs-on: ubuntu-latest
- steps:
- - name: "Checkout commit"
- uses: actions/checkout@v2
- - name: "Run tests"
- uses: cloudposse/actions/github/slash-command-dispatch@0.30.0
- with:
- token: ${{ secrets.REPO_ACCESS_TOKEN }}
- reaction-token: ${{ secrets.GITHUB_TOKEN }}
- repository: cloudposse/actions
- commands: test
- permission: triage
- issue-type: pull-request
- reactions: false
-
-
diff --git a/templates/terraform/.github/workflows/feature-branch-chatops.yml b/templates/terraform/.github/workflows/feature-branch-chatops.yml
new file mode 100644
index 00000000..9abfc612
--- /dev/null
+++ b/templates/terraform/.github/workflows/feature-branch-chatops.yml
@@ -0,0 +1,16 @@
+---
+name: feature-branch-chatops
+on:
+ issue_comment:
+ types: [created]
+
+permissions:
+ pull-requests: write
+ id-token: write
+ contents: write
+
+jobs:
+ terraform-module:
+ uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/feature-branch-chatops.yml@main
+ secrets:
+ github_access_token: ${{ secrets.REPO_ACCESS_TOKEN }}
diff --git a/templates/terraform/.github/workflows/feature-branch.yml b/templates/terraform/.github/workflows/feature-branch.yml
new file mode 100644
index 00000000..e8c7528a
--- /dev/null
+++ b/templates/terraform/.github/workflows/feature-branch.yml
@@ -0,0 +1,19 @@
+---
+name: feature-branch
+on:
+ pull_request:
+ branches:
+ - main
+ - release/**
+ types: [opened, synchronize, reopened, labeled, unlabeled]
+
+permissions:
+ pull-requests: write
+ id-token: write
+ contents: read
+
+jobs:
+ terraform-module:
+ uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/feature-branch.yml@main
+ secrets:
+ github_access_token: ${{ secrets.REPO_ACCESS_TOKEN }}
diff --git a/templates/terraform/.github/workflows/release-branch.yml b/templates/terraform/.github/workflows/release-branch.yml
new file mode 100644
index 00000000..3f8fe623
--- /dev/null
+++ b/templates/terraform/.github/workflows/release-branch.yml
@@ -0,0 +1,22 @@
+---
+name: release-branch
+on:
+ push:
+ branches:
+ - main
+ - release/**
+ paths-ignore:
+ - '.github/**'
+ - 'docs/**'
+ - 'examples/**'
+ - 'test/**'
+
+permissions:
+ contents: write
+ id-token: write
+
+jobs:
+ terraform-module:
+ uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release-branch.yml@main
+ secrets:
+ github_access_token: ${{ secrets.REPO_ACCESS_TOKEN }}
diff --git a/templates/terraform/.github/workflows/release-published.yml b/templates/terraform/.github/workflows/release-published.yml
new file mode 100644
index 00000000..f86352b3
--- /dev/null
+++ b/templates/terraform/.github/workflows/release-published.yml
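Review bot: The caller pins the reusable workflow to a moving branch, `uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/feature-branch-chatops.yml@main`, while granting it `contents: write`, `pull-requests: write`, `id-token: write` and the `REPO_ACCESS_TOKEN` PAT, so whoever can push to that repository's `main` can run arbitrary code with a write token (and mint OIDC tokens) in every repository that installs this template; the `issue_comment` trigger means any commenter can start the run, and the command authorization the deleted `chatops.yml` did with `permission: triage` is now delegated to the reusable workflow, which I cannot see here. Pin the ref to a release tag or, better, a full commit SHA with a trailing comment naming the version, and let renovate (already in the template list) bump it; `id-token: write` should be dropped from any caller whose reusable workflow does not actually exchange OIDC tokens, which this hunk does not show either way. The same `@main` reference is used by the `feature-branch.yml` and `release-branch.yml` hunks on this line.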
@@ -0,0 +1,14 @@
+---
+name: release-published
+on:
+ release:
+ types:
+ - published
+
+permissions:
+ contents: write
+ id-token: write
+
+jobs:
+ terraform-module:
+ uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release.yml@main
diff --git a/templates/terraform/.github/workflows/scheduled.yml b/templates/terraform/.github/workflows/scheduled.yml
new file mode 100644
index 00000000..163be0b4
--- /dev/null
+++ b/templates/terraform/.github/workflows/scheduled.yml
@@ -0,0 +1,17 @@
+---
+name: scheduled
+on:
+ workflow_dispatch: { } # Allows manually trigger this workflow
+ schedule:
+ - cron: "0 3 * * *"
+
+permissions:
+ pull-requests: write
+ id-token: write
+ contents: write
+
+jobs:
+ scheduled:
+ uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/scheduled.yml@main
+ secrets:
+ github_access_token: ${{ secrets.REPO_ACCESS_TOKEN }}
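Review bot: `scheduled.yml` runs unattended every night (`cron: "0 3 * * *"`) with `contents: write`, `pull-requests: write`, `id-token: write` and the `REPO_ACCESS_TOKEN` PAT handed to a reusable workflow referenced at `@main`, so a compromised or merely broken upstream branch reaches every installed repository on the next tick with no human in the loop; pin it to a tag or commit SHA like the other callers should be. `REPO_ACCESS_TOKEN` is the same PAT the deleted workflows used to push commits and open PRs, so it presumably carries repo-wide write scope — if it is a classic PAT, a fine-grained token or a GitHub App installation token limited to the target repos and the permissions the scheduled job actually needs would shrink what this workflow can do if it misbehaves. `release-published.yml` on this line passes no secret, but the same `@main` point applies to it.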