Releases: suzuki-shunsuke/tfaction
v0.6.7
Issues | Pull Requests | v0.6.6...v0.6.7 | Base revision
Features
#1128 Support tfsec v1.28.2. Parse the output of tfsec properly
As of tfsec v1.28.2, tfsec outputs the transition message to the standard output.
e.g.
======================================================
tfsec is joining the Trivy family
tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.
You can read more here:
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
{
"results": []
}
Because of this message, this action couldn't parse the output as JSON.
Parsing tfsec result
Error: Unexpected token = in JSON at position 1
This release enables to parse the output properly by removing the transition message before parsing the output as JSON.
Please see https://github.com/suzuki-shunsuke/github-action-tfsec/releases/tag/v0.1.9 too.
v0.6.6
Issues | Pull Requests | v0.6.5...v0.6.6 | Base revision
🐛 Bug Fixes
#1114 test-module: Fix a bug that it fails to push a commit by ghcp @kyontan
This bug occurs if Terraform Module document isn't latest.
🎉 New Contributors 🎉
Thank you for your contribution!
v0.6.5
Issues | Pull Requests | v0.6.4...v0.6.5 | Base revision
Features
#1111 scaffold-module
, scaffold-working-dir
: Support scaffolding linters conditionally
By default, these actions generate aqua.yaml
and add linters to aqua.yaml
.
From this release, these actions add only enabled linters to aqua.yaml
.
The default behaviour isn't changed, so tfsec
and tflint
are added.
If linters are enabled or disabled in tfaction-root.yaml
, only enabled linters are added to aqua.yaml
.
For example, if tfsec
is disabled and trivy
is enabled, trivy
and tflint
are added to aqua.yaml
.
v0.6.4
Issues | Pull Requests | v0.6.3...v0.6.4 | Base revision
Features
#1110 test-module: Support Trivy and disabling linters tflint, tfsec, and trivy
This follows up #1106 (tfaction v0.6.3).
In addition to test
action, test-module
action also supports Trivy and disabling linters tflint, tfsec, and trivy.
The configuration is same with test
action, so please see the release note v0.6.3.
v0.6.3
Issues | Pull Requests | v0.6.2...v0.6.3 | Base revision
Features
#1106 test: Support enabling Trivy and disabling tflint and tfsec
--
test
action ever ran tflint and tfsec.
From this release, test
action supports running Trivy and stop running tflint and tfsec.
The default behaviour isn't changed, so test
action runs tflint and tfsec and doesn't run Trivy by default.
To run Trivy, you need to install Trivy by aqua.
aqua g -i aquasecurity/trivy
You can enable or disable Trivy, tfsec, and tflint with tfaction-root.yaml
.
tfsec:
enabled: false # By default, this is true
trivy:
enabled: true # By default, this is false
# tflint:
# enabled: true # By default, this is true
We will consider allowing to configure these setting at tfaction-root.yaml's target_groups and tfaction.yaml too if necessary.
Background
- https://github.com/suzuki-shunsuke/tfaction/discussions/957
- https://github.com/aquasecurity/tfsec/discussions/1994
- https://github.com/aquasecurity/tfsec/blob/master/docs/index.md#-tfsec-to-trivy-migration
tfsec maintainers encourage the tfsec community to transition over to Trivy.
So tfaction needed to support migrating tfsec to Trivy.
tfsec doesn't support Terraform import
block and the issue was closed because maintainers encourage to migrate to Trivy.
https://github.com/aquasecurity/tfsec/issues/2070#issuecomment-1673920879
So you should migrate tfsec to Trivy in near future.
Scaffold working directories
If you want to use Trivy instead of tfsec in new working directories, you should skip creating aqua.yaml following to the guide. https://suzuki-shunsuke.github.io/tfaction/docs/feature/scaffold-working-dir#-skip-creating-aquayaml-and-adding-packages
tfaction-root.yaml
scaffold_working_directory:
skip_adding_aqua_packages: true
And please add aqua.yaml to templates.
aqua init
aqua g -i open-policy-agent/conftest terraform-linters/tflint aquasecurity/trivy hashicorp/terraform
Known issues
test-module
action doesn't support Trivy and doesn't support enabling and disabling linters.
We will work on it.
Fixes
#1102 test: Enable tfsec's --ignore-hcl-errors
to prevent the parse error of Terraform's import
block
- suzuki-shunsuke/github-action-tfsec#612
- https://github.com/aquasecurity/tfsec/issues/2070#issuecomment-1669056215
You don't need to do anything.
tfsec is always run with --ignore-hcl-errors
to prevent the parse error of Terraform's import
block.
tfsec doesn't support Terraform's import
block, but --ignore-hcl-errors
can be used for workaround. https://github.com/aquasecurity/tfsec/issues/2070#issuecomment-1669056215
v0.6.2
Issues | Pull Requests | v0.6.1...v0.6.2 | Base revision
Features
#1005 #1006 #1007 Support tflint v0.47.0
Update suzuki-shunsuke/github-action-tflint to v0.16.
https://github.com/suzuki-shunsuke/github-action-tflint/releases/tag/v0.1.6
v0.6.1
Issues | Pull Requests | v0.6.0...v0.6.1 | Base revision
Fixes
#986 Fixed the pull request comment for terraform validate
@ponkio-o
AS IS
TO BE
v0.6.1-1
v0.6.0
Issues | Pull Requests | v0.5.25...v0.6.0 | Base revision
Features
#851 #876 Support Drift Detection
For details, please see the document.
tfaction enables you to detect the drift periodically and manage the drift as GitHub Issues.
This feature is disabled by default. To enable, please see the document.
tfaction creates an Issue per working directory.
tfaction checks if the drift exists at the following timing.
apply
workflowapply
workflow is run when the pull request is merged- If the job succeeds, the issue is closed.
- If the job fails, the issue is reopened.
schedule-detect-drifts
workflowschedule-detect-drifts
is run periodically- If
terraform plan
has no change, the issue is closed - If the job fails or
terraform plan
has change, the issue is reopened.
tfaction reopens the issue when the drift is detected, and closes the issue when the drift is resolved.
tfaction posts a comment and updates the issue description according to the result of the drift detection.
Example 1. An Issue is closed because terraform apply succeeded and the drift is resolved
Example 2. An Issue is opened because terraform apply fails
Example 3. Drift is checked by schedule-detect-drifts
periodically
Example 4. The latest comment is reflected to the issue description
Good point
If you already use GitHub Issues for your task management, you can add drift handling into your task management naturally.
You don't have to create issues yourself. You can manage issues in GitHub Projects, adjust the priority, and assign someone to issues.
Issue's comments become the history, so you can track when the drift is raised and which pull request caused the drift.
And comments tell you not only the existence of the drift but also the content of the drift.
You can adjust the frequency of the drift detection, and select workfing directories where the dirft detection is enabled.