Releases: suzuki-shunsuke/tfaction
v0.6.7
Issues | Pull Requests | v0.6.6...v0.6.7 | Base revision
Features
#1128 Support tfsec v1.28.2. Parse the output of tfsec properly
As of tfsec v1.28.2, tfsec outputs the transition message to the standard output.
e.g.
======================================================
tfsec is joining the Trivy family
tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.
You can read more here:
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
{
"results": []
}
Because of this message, this action couldn't parse the output as JSON.
Parsing tfsec result
Error: Unexpected token = in JSON at position 1
This release enables to parse the output properly by removing the transition message before parsing the output as JSON.
Please see https://github.com/suzuki-shunsuke/github-action-tfsec/releases/tag/v0.1.9 too.
v0.6.6
Issues | Pull Requests | v0.6.5...v0.6.6 | Base revision
🐛 Bug Fixes
#1114 test-module: Fix a bug that it fails to push a commit by ghcp @kyontan
This bug occurs if Terraform Module document isn't latest.
🎉 New Contributors 🎉
Thank you for your contribution!
Contributors
Assets 2
v0.6.5
Issues | Pull Requests | v0.6.4...v0.6.5 | Base revision
Features
#1111 scaffold-module, scaffold-working-dir: Support scaffolding linters conditionally
By default, these actions generate aqua.yaml and add linters to aqua.yaml.
From this release, these actions add only enabled linters to aqua.yaml.
The default behaviour isn't changed, so tfsec and tflint are added.
If linters are enabled or disabled in tfaction-root.yaml, only enabled linters are added to aqua.yaml.
For example, if tfsec is disabled and trivy is enabled, trivy and tflint are added to aqua.yaml.
v0.6.4
Issues | Pull Requests | v0.6.3...v0.6.4 | Base revision
Features
#1110 test-module: Support Trivy and disabling linters tflint, tfsec, and trivy
This follows up #1106 (tfaction v0.6.3).
In addition to test action, test-module action also supports Trivy and disabling linters tflint, tfsec, and trivy.
The configuration is same with test action, so please see the release note v0.6.3.
v0.6.3
Issues | Pull Requests | v0.6.2...v0.6.3 | Base revision
Features
#1106 test: Support enabling Trivy and disabling tflint and tfsec
--
test action ever ran tflint and tfsec.
From this release, test action supports running Trivy and stop running tflint and tfsec.
The default behaviour isn't changed, so test action runs tflint and tfsec and doesn't run Trivy by default.
To run Trivy, you need to install Trivy by aqua.
aqua g -i aquasecurity/trivyYou can enable or disable Trivy, tfsec, and tflint with tfaction-root.yaml.
tfsec:
enabled: false # By default, this is true
trivy:
enabled: true # By default, this is false
# tflint:
# enabled: true # By default, this is true
We will consider allowing to configure these setting at tfaction-root.yaml's target_groups and tfaction.yaml too if necessary.
Background
- https://github.com/suzuki-shunsuke/tfaction/discussions/957
- https://github.com/aquasecurity/tfsec/discussions/1994
- https://github.com/aquasecurity/tfsec/blob/master/docs/index.md#-tfsec-to-trivy-migration
tfsec maintainers encourage the tfsec community to transition over to Trivy.
So tfaction needed to support migrating tfsec to Trivy.
tfsec doesn't support Terraform import block and the issue was closed because maintainers encourage to migrate to Trivy.
https://github.com/aquasecurity/tfsec/issues/2070#issuecomment-1673920879
So you should migrate tfsec to Trivy in near future.
Scaffold working directories
If you want to use Trivy instead of tfsec in new working directories, you should skip creating aqua.yaml following to the guide. https://suzuki-shunsuke.github.io/tfaction/docs/feature/scaffold-working-dir#-skip-creating-aquayaml-and-adding-packages
tfaction-root.yaml
scaffold_working_directory:
skip_adding_aqua_packages: trueAnd please add aqua.yaml to templates.
aqua init
aqua g -i open-policy-agent/conftest terraform-linters/tflint aquasecurity/trivy hashicorp/terraformKnown issues
test-module action doesn't support Trivy and doesn't support enabling and disabling linters.
We will work on it.
Fixes
#1102 test: Enable tfsec's --ignore-hcl-errors to prevent the parse error of Terraform's import block
- suzuki-shunsuke/github-action-tfsec#612
- https://github.com/aquasecurity/tfsec/issues/2070#issuecomment-1669056215
You don't need to do anything.
tfsec is always run with --ignore-hcl-errors to prevent the parse error of Terraform's import block.
tfsec doesn't support Terraform's import block, but --ignore-hcl-errors can be used for workaround. https://github.com/aquasecurity/tfsec/issues/2070#issuecomment-1669056215
v0.6.2
Issues | Pull Requests | v0.6.1...v0.6.2 | Base revision
Features
#1005 #1006 #1007 Support tflint v0.47.0
Update suzuki-shunsuke/github-action-tflint to v0.16.
https://github.com/suzuki-shunsuke/github-action-tflint/releases/tag/v0.1.6
v0.6.1
Issues | Pull Requests | v0.6.0...v0.6.1 | Base revision
Fixes
#986 Fixed the pull request comment for terraform validate @ponkio-o
AS IS
TO BE
Contributors
Assets 2
v0.6.1-1
v0.6.0
Issues | Pull Requests | v0.5.25...v0.6.0 | Base revision
Features
#851 #876 Support Drift Detection
For details, please see the document.
tfaction enables you to detect the drift periodically and manage the drift as GitHub Issues.
This feature is disabled by default. To enable, please see the document.
tfaction creates an Issue per working directory.
tfaction checks if the drift exists at the following timing.
applyworkflowapplyworkflow is run when the pull request is merged- If the job succeeds, the issue is closed.
- If the job fails, the issue is reopened.
schedule-detect-driftsworkflowschedule-detect-driftsis run periodically- If
terraform planhas no change, the issue is closed - If the job fails or
terraform planhas change, the issue is reopened.
tfaction reopens the issue when the drift is detected, and closes the issue when the drift is resolved.
tfaction posts a comment and updates the issue description according to the result of the drift detection.
Example 1. An Issue is closed because terraform apply succeeded and the drift is resolved
Example 2. An Issue is opened because terraform apply fails
Example 3. Drift is checked by schedule-detect-drifts periodically
Example 4. The latest comment is reflected to the issue description
Good point
If you already use GitHub Issues for your task management, you can add drift handling into your task management naturally.
You don't have to create issues yourself. You can manage issues in GitHub Projects, adjust the priority, and assign someone to issues.
Issue's comments become the history, so you can track when the drift is raised and which pull request caused the drift.
And comments tell you not only the existence of the drift but also the content of the drift.
You can adjust the frequency of the drift detection, and select workfing directories where the dirft detection is enabled.