From dc976a852305c4c05c6c124e537a5c7ebe8b86bc Mon Sep 17 00:00:00 2001
From: Martin Buchleitner
Date: Tue, 13 Aug 2024 15:53:09 +0200
Subject: [PATCH 01/15] fix: custom terraform test flow

Signed-off-by: Martin Buchleitner
---
 .github/workflows/terratest.yml | 42 ++++++++++++++++++++++++++++++---
 1 file changed, 39 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/terratest.yml b/.github/workflows/terratest.yml
index 1a0ed5e..94162c9 100644
--- a/.github/workflows/terratest.yml
+++ b/.github/workflows/terratest.yml
@@ -9,6 +9,15 @@ on:
 required: true
 default: '.'
 type: string
+ test_timeout:
+ description: 'Test timeout'
+ required: true
+ default: '30m'
+ type: string
+ secrets:
+ TFE_TOKEN:
+ description: 'Terraform Cloud API Token'
+ required: true
 jobs:
@@ -25,8 +34,35 @@ jobs:
 with:
 path: ${{ inputs.tfdir }}
- - name: Run Terratest
- uses: cloudposse/github-action-terratest@main
+
+ - uses: actions/setup-go@v5
 if: steps.detect.outputs.all_changed_files != '' || github.event_name == 'workflow_dispatch'
 with:
- sourceDir: ${{ inputs.tfdir }}
+ go-version-file: ${{ inputs.sourceDir }}/go.mod
+ cache: true
+ cache-dependency-path: ${{ inputs.sourceDir }}/go.mod
+
+ - name: Run Tests
+ if: steps.detect.outputs.all_changed_files != '' || github.event_name == 'workflow_dispatch'
+ shell: bash
+ working-directory: ${{ inputs.sourceDir }}
+ env:
+ TFE_TOKEN: ${{ secrets.TFE_TOKEN }}
+ run: |
+ go install github.com/jstemmer/go-junit-report@latest
+ go test -timeout ${{ inputs.test_timeout }} -v ./... | go-junit-report -set-exit-code > report.xml
+
+ - name: Post Test Summary
+ uses: test-summary/action@v2
+ with:
+ paths: |
+ ${{ inputs.sourceDir }}/report.xml
+ if: always()
+
+ # - name: Run Terratest
+ # uses: cloudposse/github-action-terratest@main
+ # if: steps.detect.outputs.all_changed_files != '' || github.event_name == 'workflow_dispatch'
+ # with:
+ # sourceDir: ${{ inputs.tfdir }}
+ # env:
+ # TFE_TOKEN: ${{ secrets.TFE_TOKEN }}
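Review bot: `${{ inputs.test_timeout }}` is expanded straight into the `run:` script of the Run Tests step, so the caller-supplied value lands in the shell command unquoted and unvalidated; the defensive form is to hand it over through the step's `env:` (`TEST_TIMEOUT: ${{ inputs.test_timeout }}`) and use `"$TEST_TIMEOUT"` in the script. The same step runs `go install github.com/jstemmer/go-junit-report@latest`, which pulls whatever version is current at run time into a job that holds TFE_TOKEN in its environment; pinning an explicit version keeps the toolchain reproducible and reviewable. The Post Test Summary step is gated only by `if: always()`, so when the detect step finds no changes and Run Tests is skipped, the summary step still runs although this workflow never wrote `report.xml`; `if: always() && (steps.detect.outputs.all_changed_files != '' || github.event_name == 'workflow_dispatch')` keeps the two steps in step. The job's step list continues outside the hunk.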
From f079579bd27318159d0cbc3a4a1a02369afad01d Mon Sep 17 00:00:00 2001
From: Martin Buchleitner
Date: Wed, 14 Aug 2024 08:27:58 +0200
Subject: [PATCH 02/15] fix: test timeout as optional

Signed-off-by: Martin Buchleitner
---
 .github/workflows/terratest.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/terratest.yml b/.github/workflows/terratest.yml
index 94162c9..e1c182d 100644
--- a/.github/workflows/terratest.yml
+++ b/.github/workflows/terratest.yml
@@ -11,7 +11,7 @@ on:
 type: string
 test_timeout:
 description: 'Test timeout'
- required: true
+ required: false
 default: '30m'
 type: string
 secrets:
From d5b62a95309ec8c6b756c7b6facb8349c9ca6717 Mon Sep 17 00:00:00 2001
From: Martin Buchleitner
Date: Wed, 14 Aug 2024 08:29:26 +0200
Subject: [PATCH 03/15] fix: test timeout as optional

Signed-off-by: Martin Buchleitner
---
 .github/workflows/terratest.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/terratest.yml b/.github/workflows/terratest.yml
index e1c182d..253a042 100644
--- a/.github/workflows/terratest.yml
+++ b/.github/workflows/terratest.yml
@@ -4,7 +4,7 @@ name: Analyze Terraform
 on:
 workflow_call:
 inputs:
- tfdir:
+ sourceDir:
 description: 'Terraform directory to analyze'
 required: true
 default: '.'
@@ -28,11 +28,11 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v4
- - name: Check if ${{ inputs.tfdir }} changed
+ - name: Check if ${{ inputs.sourceDir }} changed
 id: detect
 uses: tj-actions/changed-files@v44
 with:
- path: ${{ inputs.tfdir }}
+ path: ${{ inputs.sourceDir }}
 - uses: actions/setup-go@v5
From 62457c80602249346e85e9208519a769c9121699 Mon Sep 17 00:00:00 2001
From: Martin Buchleitner
Date: Wed, 14 Aug 2024 08:36:03 +0200
Subject: [PATCH 04/15] fix: testing

Signed-off-by: Martin Buchleitner
---
 .github/workflows/terratest.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/terratest.yml b/.github/workflows/terratest.yml
index 253a042..df5c904 100644
--- a/.github/workflows/terratest.yml
+++ b/.github/workflows/terratest.yml
@@ -49,8 +49,10 @@ jobs:
 env:
 TFE_TOKEN: ${{ secrets.TFE_TOKEN }}
 run: |
- go install github.com/jstemmer/go-junit-report@latest
- go test -timeout ${{ inputs.test_timeout }} -v ./... | go-junit-report -set-exit-code > report.xml
+ go test -timeout ${{ inputs.test_timeout }} -v ./...
+
+# go install github.com/jstemmer/go-junit-report@latest
+# go test -timeout ${{ inputs.test_timeout }} -v ./... | go-junit-report -set-exit-code > report.xml
 - name: Post Test Summary
 uses: test-summary/action@v2
From bdbe40fd2a36d48df6ba1bd7ddb7a9b49ff2a5d9 Mon Sep 17 00:00:00 2001
From: Martin Buchleitner
Date: Wed, 14 Aug 2024 08:36:59 +0200
Subject: [PATCH 05/15] fix: testing

Signed-off-by: Martin Buchleitner
---
 .github/workflows/terratest.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/terratest.yml b/.github/workflows/terratest.yml
index df5c904..90be329 100644
--- a/.github/workflows/terratest.yml
+++ b/.github/workflows/terratest.yml
@@ -49,10 +49,8 @@ jobs:
 env:
 TFE_TOKEN: ${{ secrets.TFE_TOKEN }}
 run: |
- go test -timeout ${{ inputs.test_timeout }} -v ./...
-
-# go install github.com/jstemmer/go-junit-report@latest
-# go test -timeout ${{ inputs.test_timeout }} -v ./... | go-junit-report -set-exit-code > report.xml
+ go install github.com/jstemmer/go-junit-report@latest
+ go test -timeout ${{ inputs.test_timeout }} -v ./... | go-junit-report -set-exit-code > report.xml
 - name: Post Test Summary
 uses: test-summary/action@v2
From 02d78a8bd0992e6c8410952553470f442ed5539d Mon Sep 17 00:00:00 2001
From: Martin Buchleitner
Date: Wed, 14 Aug 2024 09:18:20 +0200
Subject: [PATCH 06/15] fix: hcp auth

Signed-off-by: Martin Buchleitner
---
 .github/workflows/terratest.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/.github/workflows/terratest.yml b/.github/workflows/terratest.yml
index 90be329..bc27bea 100644
--- a/.github/workflows/terratest.yml
+++ b/.github/workflows/terratest.yml
@@ -14,6 +14,11 @@ on:
 required: false
 default: '30m'
 type: string
+ terraform_version:
+ description: 'Terraform version'
+ required: false
+ default: '1.9.0'
+ type: string
 secrets:
 TFE_TOKEN:
 description: 'Terraform Cloud API Token'
@@ -34,6 +39,12 @@ jobs:
 with:
 path: ${{ inputs.sourceDir }}
+ - name: Setup HCP Terraform authentication
+ if: steps.detect.outputs.all_changed_files != '' || github.event_name == 'workflow_dispatch'
+ uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: ${{ inputs.terraform_version }}
+ cli_config_credentials_token: ${{ secrets.TFE_TOKEN }}
 - uses: actions/setup-go@v5
 if: steps.detect.outputs.all_changed_files != '' || github.event_name == 'workflow_dispatch'
From 4b8974e3c859b7182a21ace072c5bcfb757f448b Mon Sep 17 00:00:00 2001
From: Martin Buchleitner
Date: Wed, 14 Aug 2024 09:37:35 +0200
Subject: [PATCH 07/15] use vault to fetch secrets

Signed-off-by: Martin Buchleitner
---
 .github/workflows/terratest.yml | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/terratest.yml b/.github/workflows/terratest.yml
index bc27bea..a218c38 100644
--- a/.github/workflows/terratest.yml
+++ b/.github/workflows/terratest.yml
@@ -19,10 +19,6 @@ on:
 required: false
 default: '1.9.0'
 type: string
- secrets:
- TFE_TOKEN:
- description: 'Terraform Cloud API Token'
- required: true
 jobs:
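Review bot: The Setup HCP Terraform authentication step uses `hashicorp/setup-terraform@v3` with its defaults, which install a wrapper script in front of the `terraform` binary; that wrapper is known to interfere with programs that invoke terraform and parse its stdout, which is exactly what Terratest does, so the step should add `terraform_wrapper: false` next to `terraform_version`. The `default: '1.9.0'` added in the first hunk pins one exact Terraform release for every caller, which is good for reproducibility but is not conveyed by the description `'Terraform version'`; `description: 'Terraform release to install (exact version, default 1.9.0)'` would make the contract visible to callers. The job's step list continues outside the hunk.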
@@ -39,12 +35,27 @@ jobs:
 with:
 path: ${{ inputs.sourceDir }}
+ - name: Import Secrets
+ id: import-secrets
+ uses: hashicorp/vault-action@v2
+ with:
+ url: https://vault-eu-central-1-public-vault-d0c4b76c.55bfc018.z1.hashicorp.cloud:8200
+ method: jwt
+ path: jwt_github
+ role: tf_mod
+ jwtGithubAudience: sigstore
+ secrets: |
+ kv/op/hcp_packer_service_principal username | HCP_CLIENT_ID;
+ kv/op/hcp_packer_service_principal password | HCP_CLIENT_SECRET;
+ kv/op/terraform_il_machine token | TFE_TOKEN;
+ aws-dev-eu-central-1/creds/ec2 * | AWS_DATA;
+
 - name: Setup HCP Terraform authentication
 if: steps.detect.outputs.all_changed_files != '' || github.event_name == 'workflow_dispatch'
 uses: hashicorp/setup-terraform@v3
 with:
 terraform_version: ${{ inputs.terraform_version }}
- cli_config_credentials_token: ${{ secrets.TFE_TOKEN }}
+ cli_config_credentials_token: ${{ steps.import-secrets.outputs.TFE_TOKEN }}
 - uses: actions/setup-go@v5
 if: steps.detect.outputs.all_changed_files != '' || github.event_name == 'workflow_dispatch'
@@ -58,7 +69,10 @@ jobs:
 shell: bash
 working-directory: ${{ inputs.sourceDir }}
 env:
- TFE_TOKEN: ${{ secrets.TFE_TOKEN }}
+ AWS_ACCESS_KEY_ID: ${{ steps.import-secrets.outputs.AWS_DATA.access_key }}
+ AWS_SECRET_ACCESS_KEY: ${{ steps.import-secrets.outputs.AWS_DATA.secret_key }}
+ HCP_CLIENT_ID: ${{ steps.import-secrets.outputs.HCP_CLIENT_ID }}
+ HCP_CLIENT_SECRET: ${{ steps.import-secrets.outputs.HCP_CLIENT_SECRET }}
 run: |
 go install github.com/jstemmer/go-junit-report@latest
 go test -timeout ${{ inputs.test_timeout }} -v ./... | go-junit-report -set-exit-code > report.xml
From f598cb3f899b41c7b6090e82b61ce01c070830f3 Mon Sep 17 00:00:00 2001
From: Martin Buchleitner
Date: Wed, 14 Aug 2024 09:51:13 +0200
Subject: [PATCH 08/15] use vault to fetch secrets

Signed-off-by: Martin Buchleitner
---
 .github/workflows/terratest.yml | 4 ++++
 1 file changed, 4 insertions(+)
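Review bot: The new Import Secrets step is the only step in the job without the `if: steps.detect.outputs.all_changed_files != '' || github.event_name == 'workflow_dispatch'` guard, so every run — including ones where nothing changed and the tests are skipped — logs in to Vault, reads three static secrets and mints a dynamic AWS credential from `aws-dev-eu-central-1/creds/ec2`; adding the same `if:` line to this step limits credential issuance to runs that actually use it. `hashicorp/vault-action@v2` also exports each fetched secret as an environment variable for every later step by default, which this workflow does not rely on because it maps `steps.import-secrets.outputs.*` explicitly in the third hunk; setting `exportEnv: false` keeps the values out of the environment of steps such as setup-go and the test-summary action that have no need for them. The `url:` is a hard-coded cluster address inside a reusable workflow; an input or an organization/repository variable would let callers target another cluster without editing this file. The Import Secrets and Run Tests steps are complete within the hunks, but the job continues outside them.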
diff --git a/.github/workflows/terratest.yml b/.github/workflows/terratest.yml
index a218c38..29b800a 100644
--- a/.github/workflows/terratest.yml
+++ b/.github/workflows/terratest.yml
@@ -20,6 +20,10 @@ on:
 default: '1.9.0'
 type: string
+permissions:
+ contents: read
+ id-token: write
+
 jobs:
 terratest:
From d0731ce86cc0a9f48f54d29df87ce580812ce050 Mon Sep 17 00:00:00 2001
From: Martin Buchleitner
Date: Wed, 14 Aug 2024 10:33:27 +0200
Subject: [PATCH 09/15] donot customize aud

Signed-off-by: Martin Buchleitner
---
 .github/workflows/terratest.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/terratest.yml b/.github/workflows/terratest.yml
index 29b800a..afca8df 100644
--- a/.github/workflows/terratest.yml
+++ b/.github/workflows/terratest.yml
@@ -47,7 +47,7 @@ jobs:
 method: jwt
 path: jwt_github
 role: tf_mod
- jwtGithubAudience: sigstore
+# jwtGithubAudience: sigstore
 secrets: |
 kv/op/hcp_packer_service_principal username | HCP_CLIENT_ID;
 kv/op/hcp_packer_service_principal password | HCP_CLIENT_SECRET;
From 096e7b667f4a9a965dc4fbb3fbb554e4517bb3ba Mon Sep 17 00:00:00 2001
From: Martin Buchleitner
Date: Wed, 14 Aug 2024 10:38:15 +0200
Subject: [PATCH 10/15] vault action

Signed-off-by: Martin Buchleitner
---
 .github/workflows/terratest.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/terratest.yml b/.github/workflows/terratest.yml
index afca8df..06be751 100644
--- a/.github/workflows/terratest.yml
+++ b/.github/workflows/terratest.yml
@@ -44,6 +44,7 @@ jobs:
 uses: hashicorp/vault-action@v2
 with:
 url: https://vault-eu-central-1-public-vault-d0c4b76c.55bfc018.z1.hashicorp.cloud:8200
+ namespace: admin
 method: jwt
 path: jwt_github
 role: tf_mod
From 5ffc636c4cbda90a961e86b6b567062a5d71c037 Mon Sep 17 00:00:00 2001
From: Martin Buchleitner
Date: Wed, 14 Aug 2024 10:40:00 +0200
Subject: [PATCH 11/15] vault action
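Review bot: The new top-level `permissions:` block asks for `id-token: write` inside the called workflow, but for a reusable workflow the token a job receives is bounded by what the calling job grants, so a caller that leaves `id-token` at its default will still fail at the Vault JWT login with nothing in this file pointing at the cause. A comment above the block such as `# Callers must grant id-token: write on the calling job; the Vault JWT login needs it` documents that requirement where the next person will look. `contents: read` is the right minimum for the checkout. The `jobs:` mapping continues outside the hunk.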
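Review bot: Commenting out `jwtGithubAudience: sigstore` with a `#` at column 0 leaves a stray comment line inside the `with:` mapping of the Import Secrets step; it parses, but reads as a leftover rather than a decision. If I recall the action's defaults correctly, `sigstore` is also the audience `hashicorp/vault-action` sends when the input is absent, so this change would not alter the `aud` claim Vault sees; if the login failure was audience-related, the Vault role's bound audiences are the setting to check, and the line should either be deleted outright or replaced by a short comment stating the audience the role expects. The `with:` mapping continues outside the hunk.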
Signed-off-by: Martin Buchleitner
---
 .github/workflows/terratest.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/terratest.yml b/.github/workflows/terratest.yml
index 06be751..97543d8 100644
--- a/.github/workflows/terratest.yml
+++ b/.github/workflows/terratest.yml
@@ -50,9 +50,9 @@ jobs:
 role: tf_mod
 # jwtGithubAudience: sigstore
 secrets: |
- kv/op/hcp_packer_service_principal username | HCP_CLIENT_ID;
- kv/op/hcp_packer_service_principal password | HCP_CLIENT_SECRET;
- kv/op/terraform_il_machine token | TFE_TOKEN;
+ kv/data/op/hcp_packer_service_principal username | HCP_CLIENT_ID;
+ kv/data/op/hcp_packer_service_principal password | HCP_CLIENT_SECRET;
+ kv/data/op/terraform_il_machine token | TFE_TOKEN;
 aws-dev-eu-central-1/creds/ec2 * | AWS_DATA;
 - name: Setup HCP Terraform authentication
From f343de690a6beee2b916770b9a0452e47c171c09 Mon Sep 17 00:00:00 2001
From: Martin Buchleitner
Date: Wed, 14 Aug 2024 10:41:43 +0200
Subject: [PATCH 12/15] vault

Signed-off-by: Martin Buchleitner
---
 .github/workflows/terratest.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/terratest.yml b/.github/workflows/terratest.yml
index 97543d8..9a2c394 100644
--- a/.github/workflows/terratest.yml
+++ b/.github/workflows/terratest.yml
@@ -52,7 +52,7 @@ jobs:
 secrets: |
 kv/data/op/hcp_packer_service_principal username | HCP_CLIENT_ID;
 kv/data/op/hcp_packer_service_principal password | HCP_CLIENT_SECRET;
- kv/data/op/terraform_il_machine token | TFE_TOKEN;
+ kv/data/op/terraform_il_machine Token | TFE_TOKEN;
 aws-dev-eu-central-1/creds/ec2 * | AWS_DATA;
 - name: Setup HCP Terraform authentication
From 8fdf089f99495053bacf0fa24d39b985cc60a3b2 Mon Sep 17 00:00:00 2001
From: Martin Buchleitner
Date: Wed, 14 Aug 2024 10:48:33 +0200
Subject: [PATCH 13/15] vault

Signed-off-by: Martin Buchleitner
---
 .github/workflows/terratest.yml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/terratest.yml b/.github/workflows/terratest.yml
index 9a2c394..009659f 100644
--- a/.github/workflows/terratest.yml
+++ b/.github/workflows/terratest.yml
@@ -53,7 +53,7 @@ jobs:
 kv/data/op/hcp_packer_service_principal username | HCP_CLIENT_ID;
 kv/data/op/hcp_packer_service_principal password | HCP_CLIENT_SECRET;
 kv/data/op/terraform_il_machine Token | TFE_TOKEN;
- aws-dev-eu-central-1/creds/ec2 * | AWS_DATA;
+ aws-dev-eu-central-1/creds/ec2 * | AWS_;
 - name: Setup HCP Terraform authentication
 if: steps.detect.outputs.all_changed_files != '' || github.event_name == 'workflow_dispatch'
@@ -74,13 +74,14 @@ jobs:
 shell: bash
 working-directory: ${{ inputs.sourceDir }}
 env:
- AWS_ACCESS_KEY_ID: ${{ steps.import-secrets.outputs.AWS_DATA.access_key }}
- AWS_SECRET_ACCESS_KEY: ${{ steps.import-secrets.outputs.AWS_DATA.secret_key }}
+ AWS_ACCESS_KEY_ID: ${{ steps.import-secrets.outputs.AWS_ACCESS_KEY }}
+ AWS_SECRET_ACCESS_KEY: ${{ steps.import-secrets.outputs.AWS_SECRET_KEY }}
 HCP_CLIENT_ID: ${{ steps.import-secrets.outputs.HCP_CLIENT_ID }}
 HCP_CLIENT_SECRET: ${{ steps.import-secrets.outputs.HCP_CLIENT_SECRET }}
 run: |
- go install github.com/jstemmer/go-junit-report@latest
- go test -timeout ${{ inputs.test_timeout }} -v ./... | go-junit-report -set-exit-code > report.xml
+ env
+ go install github.com/jstemmer/go-junit-report@latest
+ go test -timeout ${{ inputs.test_timeout }} -v ./... | go-junit-report -set-exit-code > report.xml
 - name: Post Test Summary
 uses: test-summary/action@v2
From 5117b643c438af30d8b2fa911dfe2e9506be13d2 Mon Sep 17 00:00:00 2001
From: Martin Buchleitner
Date: Wed, 14 Aug 2024 10:53:02 +0200
Subject: [PATCH 14/15] vault

Signed-off-by: Martin Buchleitner
---
 .github/workflows/terratest.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/terratest.yml b/.github/workflows/terratest.yml
index 009659f..ef64672 100644
--- a/.github/workflows/terratest.yml
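Review bot: The `env` line added at the top of the Run Tests script prints the step's entire environment into the job log, which at that point contains the mapped AWS, HCP and TFE values and whatever the Vault step exported by default; GitHub masks values that were registered as secrets, but anything not registered, or printed in a transformed form, appears in clear, and the line has no role in the test flow, so it should be removed before merge. On the credential mapping: the wildcard `aws-dev-eu-central-1/creds/ec2 * | AWS_` in the first hunk exports every field the AWS secrets engine returns, and if that role issues STS-style credentials the response also carries a session token that the step does not map; by the same naming as the visible `AWS_ACCESS_KEY`/`AWS_SECRET_KEY` outputs that would be `AWS_SESSION_TOKEN: ${{ steps.import-secrets.outputs.AWS_SECURITY_TOKEN }}`, worth confirming against the role's credential type. The Post Test Summary step continues outside the hunk.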
+++ b/.github/workflows/terratest.yml
@@ -19,6 +19,11 @@ on:
 required: false
 default: '1.9.0'
 type: string
+ aws_region:
+ description: 'AWS region'
+ required: false
+ default: 'eu-central-1'
+ type: string
 permissions:
 contents: read
@@ -53,7 +58,7 @@ jobs:
 kv/data/op/hcp_packer_service_principal username | HCP_CLIENT_ID;
 kv/data/op/hcp_packer_service_principal password | HCP_CLIENT_SECRET;
 kv/data/op/terraform_il_machine Token | TFE_TOKEN;
- aws-dev-eu-central-1/creds/ec2 * | AWS_;
+ aws-dev-${{ inputs.aws_region }}/creds/ec2 * | AWS_;
 - name: Setup HCP Terraform authentication
 if: steps.detect.outputs.all_changed_files != '' || github.event_name == 'workflow_dispatch'
@@ -74,6 +79,7 @@ jobs:
 shell: bash
 working-directory: ${{ inputs.sourceDir }}
 env:
+ AWS_REGION: ${{ inputs.aws_region }}
 AWS_ACCESS_KEY_ID: ${{ steps.import-secrets.outputs.AWS_ACCESS_KEY }}
 AWS_SECRET_ACCESS_KEY: ${{ steps.import-secrets.outputs.AWS_SECRET_KEY }}
 HCP_CLIENT_ID: ${{ steps.import-secrets.outputs.HCP_CLIENT_ID }}
From ea0610f601685f0ff1ba382908cb156fc2b94346 Mon Sep 17 00:00:00 2001
From: Martin Buchleitner
Date: Wed, 14 Aug 2024 10:56:48 +0200
Subject: [PATCH 15/15] make aws role param

Signed-off-by: Martin Buchleitner
---
 .github/workflows/terratest.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/terratest.yml b/.github/workflows/terratest.yml
index ef64672..cb8b2eb 100644
--- a/.github/workflows/terratest.yml
+++ b/.github/workflows/terratest.yml
@@ -24,6 +24,11 @@ on:
 required: false
 default: 'eu-central-1'
 type: string
+ aws_role:
+ description: 'AWS role'
+ required: false
+ default: 'training'
+ type: string
 permissions:
 contents: read
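Review bot: `aws_region` now does two jobs at once: it is exported as `AWS_REGION` for the tests in the third hunk and it selects the Vault mount `aws-dev-${{ inputs.aws_region }}` in the second, but the input's description says only `'AWS region'`, so a caller who passes a region with no matching mount gets a Vault read error rather than anything that points at this coupling. `description: 'AWS region; also selects the Vault AWS secrets mount aws-dev-<region>'` states the contract where callers will read it. Which mounts a run can actually read is bounded by the Vault policy attached to role `tf_mod`, so this is a documentation point rather than an access-control one, assuming that policy is scoped to the intended mounts. The `on:` inputs mapping and the Run Tests step both continue outside their hunks.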
@@ -58,7 +63,7 @@ jobs:
 kv/data/op/hcp_packer_service_principal username | HCP_CLIENT_ID;
 kv/data/op/hcp_packer_service_principal password | HCP_CLIENT_SECRET;
 kv/data/op/terraform_il_machine Token | TFE_TOKEN;
- aws-dev-${{ inputs.aws_region }}/creds/ec2 * | AWS_;
+ aws-dev-${{ inputs.aws_region }}/creds/${{ inputs.aws_role }} * | AWS_;
 - name: Setup HCP Terraform authentication
 if: steps.detect.outputs.all_changed_files != '' || github.event_name == 'workflow_dispatch'
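Review bot: The new default `'training'` for `aws_role` replaces the previously hard-coded `creds/ec2` path, so callers that do not pass `aws_role` now receive credentials from a different Vault role than before this patch; if that switch is intended the commit message should say so, otherwise `default: 'ec2'` keeps the existing behaviour and the new input remains opt-in. The description `'AWS role'` in the previous hunk is ambiguous — the value is the AWS secrets-engine role name read at `creds/<role>`, not an IAM role name or ARN — and `description: 'Vault AWS secrets-engine role name (read at aws-dev-<region>/creds/<role>)'` removes that doubt. The Import Secrets step continues outside the hunk.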