
Update to get rid of sensitive file warning from terraform (#69)
Co-authored-by: Friedrich Brunzema <Friedrich.Brunzema@sciex.com>
Co-authored-by: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>
3 people committed Mar 24, 2022
1 parent c5db7c0 commit 80941f1
Showing 13 changed files with 131 additions and 39 deletions.
4 changes: 2 additions & 2 deletions .github/CODEOWNERS
Expand Up @@ -15,8 +15,8 @@

# Cloud Posse must review any changes to standard context definition,
# but some changes can be rubber-stamped.
**/*.tf @cloudposse/engineering @cloudposse/approvers
README.yaml @cloudposse/engineering @cloudposse/approvers
**/*.tf @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
README.yaml @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
README.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
docs/*.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers

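Review bot: The `**/*.tf` and `README.yaml` patterns now list `@cloudposse/contributors` next to engineering and approvers, and GitHub's "require review from code owners" rule is satisfied by any one listed owner, so the comment above the hunk ("Cloud Posse must review any changes …") no longer describes the effective gate for Terraform files. If contributors are meant to be able to approve Terraform changes here, adjust that comment, e.g. `# Any listed owner (engineering, contributors or approvers) satisfies the code-owner review requirement.`; otherwise keep the narrower list on `**/*.tf`. Whether this widens anything in practice depends on the branch-protection settings, which are not visible on this page.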
3 changes: 2 additions & 1 deletion .github/auto-release.yml
Expand Up @@ -17,6 +17,7 @@ version-resolver:
- 'bugfix'
- 'bug'
- 'hotfix'
- 'no-release'
default: 'minor'

categories:
Expand Down Expand Up @@ -46,7 +47,7 @@ template: |
replacers:
# Remove irrelevant information from Renovate bot
- search: '/---\s+^#.*Renovate configuration(?:.|\n)*?This PR has been generated .*/gm'
- search: '/(?<=---\s)\s*^#.*(Renovate configuration|Configuration)(?:.|\n)*?This PR has been generated .*/gm'
replace: ''
# Remove Renovate bot banner image
- search: '/\[!\[[^\]]*Renovate\][^\]]*\](\([^)]*\))?\s*\n+/gm'
7 changes: 7 additions & 0 deletions .github/mergify.yml
Expand Up @@ -56,3 +56,10 @@ pull_request_rules:
changes_requested: true
approved: true
message: "This Pull Request has been updated, so we're dismissing all reviews."

- name: "close Pull Requests without files changed"
conditions:
- "#files=0"
actions:
close:
message: "This pull request has been automatically closed by Mergify because there are no longer any changes."
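Review bot: The new rule closes every pull request matching `#files=0`, which also catches a PR whose branch was just force-pushed to an intermediate or empty state, leaving the author to reopen it and possibly re-triggering other rules. Consider narrowing the condition so draft PRs are left alone, e.g. adding `- -draft` under `conditions`, and saying in the message that the PR can be reopened once changes are pushed. How promptly Mergify re-evaluates `#files` after a push is not visible here, so the practical impact is inferred.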
2 changes: 1 addition & 1 deletion .github/workflows/auto-context.yml
Expand Up @@ -35,7 +35,7 @@ jobs:
- name: Create Pull Request
if: steps.update.outputs.create_pull_request == 'true'
uses: cloudposse/actions/github/create-pull-request@0.22.0
uses: cloudposse/actions/github/create-pull-request@0.30.0
with:
token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
committer: 'cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>'
6 changes: 4 additions & 2 deletions .github/workflows/auto-format.yml
Expand Up @@ -6,7 +6,7 @@ on:
jobs:
auto-format:
runs-on: ubuntu-latest
container: cloudposse/build-harness:slim-latest
container: cloudposse/build-harness:latest
steps:
# Checkout the pull request branch
# "An action in a workflow run can’t trigger a new workflow run. For example, if an action pushes code using
Expand All @@ -29,6 +29,8 @@ jobs:
- name: Auto Format
if: github.event.pull_request.state == 'open'
shell: bash
env:
GITHUB_TOKEN: "${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}"
run: make BUILD_HARNESS_PATH=/build-harness PACKAGES_PREFER_HOST=true -f /build-harness/templates/Makefile.build-harness pr/auto-format/host

# Commit changes (if any) to the PR branch
Expand Down Expand Up @@ -60,7 +62,7 @@ jobs:
fi
- name: Auto Test
uses: cloudposse/actions/github/repository-dispatch@0.22.0
uses: cloudposse/actions/github/repository-dispatch@0.30.0
# match users by ID because logins (user names) are inconsistent,
# for example in the REST API Renovate Bot is `renovate[bot]` but
# in GraphQL it is just `renovate`, plus there is a non-bot
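Review bot: The "Auto Format" step now receives `PUBLIC_REPO_ACCESS_TOKEN` in its environment while running `make … pr/auto-format/host` inside the `cloudposse/build-harness:latest` container; the `on:` block that decides whether fork pull requests reach this step lies outside the hunk, so confirm it is `pull_request` (fork PRs get no secrets) rather than `pull_request_target`, and that the token carries only the scopes the formatter's commit needs. The container tag also moved from `slim-latest` to `latest`, a floating tag without a digest, so the code that handles that token changes whenever the image is rebuilt; pinning by digest (`container: cloudposse/build-harness@sha256:<digest>`) keeps it reviewable. The third hunk's `repository-dispatch@0.30.0` change is a version bump only.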
71 changes: 71 additions & 0 deletions .github/workflows/auto-readme.yml
@@ -0,0 +1,71 @@
name: "auto-readme"
on:
workflow_dispatch:

schedule:
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed

# Update README.md nightly at 4am UTC
- cron: '0 4 * * *'

jobs:
update:
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2

- name: Find default branch name
id: defaultBranch
shell: bash
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
run: |
default_branch=$(gh repo view --json defaultBranchRef --jq .defaultBranchRef.name)
printf "::set-output name=defaultBranch::%s\n" "${default_branch}"
printf "defaultBranchRef.name=%s\n" "${default_branch}"
- name: Update readme
shell: bash
id: update
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
DEF: "${{ steps.defaultBranch.outputs.defaultBranch }}"
run: |
make init
make readme/build
# Ignore changes if they are only whitespace
if ! git diff --quiet README.md && git diff --ignore-all-space --ignore-blank-lines --quiet README.md; then
git restore README.md
echo Ignoring whitespace-only changes in README
fi
- name: Create Pull Request
# This action will not create or change a pull request if there are no changes to make.
# If a PR of the auto-update/readme branch is open, this action will just update it, not create a new PR.
uses: cloudposse/actions/github/create-pull-request@0.30.0
with:
token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
commit-message: Update README.md and docs
title: Update README.md and docs
body: |-
## what
This is an auto-generated PR that updates the README.md and docs
## why
To have most recent changes of README.md and doc from origin templates
branch: auto-update/readme
base: ${{ steps.defaultBranch.outputs.defaultBranch }}
delete-branch: true
labels: |
auto-update
no-release
readme
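Review bot: `DEF` is exported to the "Update readme" step but nothing in that step's `run` script reads it, so it should be used or dropped. The workflow declares no top-level `permissions:`; the default token is only used by `gh repo view`, so `permissions:` with `contents: read` would make that explicit, leaving all write activity to `PUBLIC_REPO_ACCESS_TOKEN` in the create-pull-request step. The `::set-output` workflow command in the "Find default branch name" step has since been deprecated in favour of appending to `$GITHUB_OUTPUT`, which is worth a comment so the next maintainer knows why it may start warning.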
25 changes: 16 additions & 9 deletions .github/workflows/auto-release.yml
Expand Up @@ -3,17 +3,24 @@ name: auto-release
on:
push:
branches:
- master
- main
- master
- production

jobs:
publish:
runs-on: ubuntu-latest
steps:
# Drafts your next Release notes as Pull Requests are merged into "master"
- uses: release-drafter/release-drafter@v5
with:
publish: true
prerelease: false
config-name: auto-release.yml
env:
GITHUB_TOKEN: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
# Get PR from merged commit to master
- uses: actions-ecosystem/action-get-merged-pull-request@v1
id: get-merged-pull-request
with:
github_token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
# Drafts your next Release notes as Pull Requests are merged into "main"
- uses: release-drafter/release-drafter@v5
with:
publish: ${{ !contains(steps.get-merged-pull-request.outputs.labels, 'no-release') }}
prerelease: false
config-name: auto-release.yml
env:
GITHUB_TOKEN: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
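Review bot: `actions-ecosystem/action-get-merged-pull-request@v1` is a third-party action pulled by a floating major tag and handed `PUBLIC_REPO_ACCESS_TOKEN`, although the step only reads the merged PR's labels. Pin it to a full commit SHA (`uses: actions-ecosystem/action-get-merged-pull-request@<commit-sha>  # v1`) and pass `github_token: ${{ secrets.GITHUB_TOKEN }}` for the lookup, reserving the PAT for the release-drafter step that publishes. When no merged PR is found (a direct push to one of the listed branches), `outputs.labels` is presumably empty and `publish` resolves to `true`, which looks like the intended fallback but deserves a comment on the `publish:` line.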
4 changes: 2 additions & 2 deletions .github/workflows/chatops.yml
Expand Up @@ -9,7 +9,7 @@ jobs:
steps:
- uses: actions/checkout@v2
- name: "Handle common commands"
uses: cloudposse/actions/github/slash-command-dispatch@0.22.0
uses: cloudposse/actions/github/slash-command-dispatch@0.30.0
with:
token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
reaction-token: ${{ secrets.GITHUB_TOKEN }}
Expand All @@ -24,7 +24,7 @@ jobs:
- name: "Checkout commit"
uses: actions/checkout@v2
- name: "Run tests"
uses: cloudposse/actions/github/slash-command-dispatch@0.22.0
uses: cloudposse/actions/github/slash-command-dispatch@0.30.0
with:
token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
reaction-token: ${{ secrets.GITHUB_TOKEN }}
8 changes: 6 additions & 2 deletions .github/workflows/validate-codeowners.yml
@@ -1,5 +1,7 @@
name: Validate Codeowners
on:
workflow_dispatch:

pull_request:

jobs:
Expand All @@ -8,18 +10,20 @@ jobs:
steps:
- name: "Checkout source code at current commit"
uses: actions/checkout@v2
- uses: mszostok/codeowners-validator@v0.5.0
- uses: mszostok/codeowners-validator@v0.7.1
if: github.event.pull_request.head.repo.full_name == github.repository
name: "Full check of CODEOWNERS"
with:
# For now, remove "files" check to allow CODEOWNERS to specify non-existent
# files so we can use the same CODEOWNERS file for Terraform and non-Terraform repos
# checks: "files,syntax,owners,duppatterns"
checks: "syntax,owners,duppatterns"
owner_checker_allow_unowned_patterns: "false"
# GitHub access token is required only if the `owners` check is enabled
github_access_token: "${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}"
- uses: mszostok/codeowners-validator@v0.5.0
- uses: mszostok/codeowners-validator@v0.7.1
if: github.event.pull_request.head.repo.full_name != github.repository
name: "Syntax check of CODEOWNERS"
with:
checks: "syntax,duppatterns"
owner_checker_allow_unowned_patterns: "false"
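Review bot: `workflow_dispatch` is added as a trigger, but both validator steps keep `if:` conditions on `github.event.pull_request.head.repo.full_name`, which is unset on a manual dispatch; the `==` condition is then false and the `!=` one true, so a manual run performs only the syntax check and never the full owners check. If the dispatch is meant to run the full check, change the first condition to `if: github.event_name == 'workflow_dispatch' || github.event.pull_request.head.repo.full_name == github.repository` and make the second its complement. The added `owner_checker_allow_unowned_patterns: "false"` is consistent with the `owners` check being enabled only on the first step.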
12 changes: 6 additions & 6 deletions README.md
Expand Up @@ -131,17 +131,17 @@ Available targets:
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.0 |
| <a name="requirement_local"></a> [local](#requirement\_local) | >= 1.3 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.0 |
| <a name="requirement_local"></a> [local](#requirement\_local) | >= 2.2.1 |
| <a name="requirement_null"></a> [null](#requirement\_null) | >= 2.1 |
| <a name="requirement_tls"></a> [tls](#requirement\_tls) | >= 2.0 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 2.0 |
| <a name="provider_local"></a> [local](#provider\_local) | >= 1.3 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.0 |
| <a name="provider_local"></a> [local](#provider\_local) | >= 2.2.1 |
| <a name="provider_tls"></a> [tls](#provider\_tls) | >= 2.0 |

## Modules
Expand All @@ -156,8 +156,8 @@ Available targets:
|------|------|
| [aws_key_pair.generated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/key_pair) | resource |
| [aws_key_pair.imported](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/key_pair) | resource |
| [local_file.private_key_pem](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
| [local_file.public_key_openssh](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
| [local_sensitive_file.private_key_pem](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/sensitive_file) | resource |
| [tls_private_key.default](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |

## Inputs
Expand Down Expand Up @@ -289,7 +289,7 @@ In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.

## Copyright

Copyright © 2017-2021 [Cloud Posse, LLC](https://cpco.io/copyright)
Copyright © 2017-2022 [Cloud Posse, LLC](https://cpco.io/copyright)



10 changes: 5 additions & 5 deletions docs/terraform.md
Expand Up @@ -4,17 +4,17 @@
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.0 |
| <a name="requirement_local"></a> [local](#requirement\_local) | >= 1.3 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.0 |
| <a name="requirement_local"></a> [local](#requirement\_local) | >= 2.2.1 |
| <a name="requirement_null"></a> [null](#requirement\_null) | >= 2.1 |
| <a name="requirement_tls"></a> [tls](#requirement\_tls) | >= 2.0 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 2.0 |
| <a name="provider_local"></a> [local](#provider\_local) | >= 1.3 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.0 |
| <a name="provider_local"></a> [local](#provider\_local) | >= 2.2.1 |
| <a name="provider_tls"></a> [tls](#provider\_tls) | >= 2.0 |

## Modules
Expand All @@ -29,8 +29,8 @@
|------|------|
| [aws_key_pair.generated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/key_pair) | resource |
| [aws_key_pair.imported](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/key_pair) | resource |
| [local_file.private_key_pem](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
| [local_file.public_key_openssh](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
| [local_sensitive_file.private_key_pem](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/sensitive_file) | resource |
| [tls_private_key.default](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |

## Inputs
14 changes: 7 additions & 7 deletions main.tf
Expand Up @@ -41,10 +41,10 @@ resource "local_file" "public_key_openssh" {
filename = local.public_key_filename
}

resource "local_file" "private_key_pem" {
count = local.enabled && var.generate_ssh_key == true ? 1 : 0
depends_on = [tls_private_key.default]
sensitive_content = tls_private_key.default[0].private_key_pem
filename = local.private_key_filename
file_permission = "0600"
}
resource "local_sensitive_file" "private_key_pem" {
count = local.enabled && var.generate_ssh_key == true ? 1 : 0
depends_on = [tls_private_key.default]
content = tls_private_key.default[0].private_key_pem
filename = local.private_key_filename
file_permission = "0600"
}
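Review bot: Switching to `local_sensitive_file` keeps the PEM out of plan and apply output, but `tls_private_key.default` still stores the private key in plain text in Terraform state, so access control and encryption on the state backend remain the real boundary; a one-line comment above the resource saying so (`# Suppresses plan output only; the key is still in state`) would stop the change being read as more than it is. Because this is a change of resource type rather than a rename, the next apply destroys `local_file.private_key_pem` and creates `local_sensitive_file.private_key_pem` (a `moved` block cannot cross types), rewriting the file on disk, which is worth a changelog line. `depends_on = [tls_private_key.default]` is redundant now that `content` references that resource directly and can be dropped. The `local >= 2.2.1` constraint added in versions.tf covers this resource type.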
4 changes: 2 additions & 2 deletions versions.tf
Expand Up @@ -4,15 +4,15 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 2.0"
version = ">= 3.0"
}
tls = {
source = "hashicorp/tls"
version = ">= 2.0"
}
local = {
source = "hashicorp/local"
version = ">= 1.3"
version = ">= 2.2.1"
}
null = {
source = "hashicorp/null"
