From 178be87efe3ffd591c54a427f82473408c0ca28a Mon Sep 17 00:00:00 2001 From: Buck Evan Date: Wed, 1 May 2024 16:49:46 -0500 Subject: [PATCH 001/102] WIP: tf-lock-url --- activate.sh | 3 +- bin/tf-lock-url | 1 + lib/functions.py | 12 +++++ lib/sh/cd.py | 4 +- lib/sh/core.py | 16 +++--- lib/sh/errors.py | 9 ++++ lib/sh/io.py | 17 +++++- lib/tf_lock/lib/env.py | 74 ++++++++++++++++++--------- lib/tf_lock/lib/tf-lock-info-uncached | 58 +++++++++++++++++++++ lib/tf_lock/release.py | 60 ++++------------------ lib/tf_lock/tf-lock-info | 57 ++------------------- lib/tf_lock/tf-lock-url | 7 +++ lib/tf_lock/tf_lock_info.py | 72 ++++++++++++++++++++++++++ lib/tf_lock/tf_lock_url.py | 43 ++++++++++++++++ 14 files changed, 292 insertions(+), 141 deletions(-) create mode 120000 bin/tf-lock-url create mode 100644 lib/sh/errors.py create mode 100755 lib/tf_lock/lib/tf-lock-info-uncached create mode 100755 lib/tf_lock/tf-lock-url create mode 100755 lib/tf_lock/tf_lock_info.py create mode 100755 lib/tf_lock/tf_lock_url.py diff --git a/activate.sh b/activate.sh index 4433b67f..e923dba9 100644 --- a/activate.sh +++ b/activate.sh @@ -2,7 +2,8 @@ _here="$(readlink -f "$(dirname "${BASH_SOURCE:-$0}")")" export TACOS_GHA_HOME="$_here" -export PATH="$TACOS_GHA_HOME/bin${PATH:+:$PATH}}" +export PATH="$TACOS_GHA_HOME/bin${PATH:+:$PATH}" +export PYTHONPATH="$TACOS_GHA_HOME${PYTHONPATH:+:$PYTHONPATH}" if ! flock -h >/dev/null; then echo "Installing missing dependencies... (flock)" diff --git a/bin/tf-lock-url b/bin/tf-lock-url new file mode 120000 index 00000000..94a2c6f1 --- /dev/null +++ b/bin/tf-lock-url @@ -0,0 +1 @@ +../lib/tf_lock/tf-lock-url \ No newline at end of file diff --git a/lib/functions.py b/lib/functions.py index 4ea5411b..0fc491a9 100644 --- a/lib/functions.py +++ b/lib/functions.py @@ -4,6 +4,8 @@ from typing import Iterable from typing import TypeVar +from .types import Lines + T = TypeVar("T") 
@@ -34,3 +36,13 @@ def one(xs: Iterable[T]) -> T: def noop() -> None: pass + + +def config_lines(lines: Lines) -> Lines: + """Strip commented and empty lines from configuration.""" + for line in lines: + line = line.strip() + if not line or line.startswith("#"): + continue + + yield line diff --git a/lib/sh/cd.py b/lib/sh/cd.py index 734461b7..95581545 100644 --- a/lib/sh/cd.py +++ b/lib/sh/cd.py @@ -19,14 +19,14 @@ @contextmanager def cd( - dirname: Path, env: Environ = environ, *, direnv: bool = True + dirname: OSPath, env: Environ = environ, *, direnv: bool = True ) -> Generator[Path]: oldpwd = Path.cwd(env) newpwd = oldpwd / dirname cwd = OSPath.cwd() if newpwd == oldpwd and cwd.samefile(newpwd): # we're already there - yield oldpwd + yield newpwd return xtrace(("cd", dirname)) diff --git a/lib/sh/core.py b/lib/sh/core.py index 27a35a19..6e993d21 100755 --- a/lib/sh/core.py +++ b/lib/sh/core.py @@ -6,11 +6,14 @@ from lib.functions import LessThanOneError as LessThanOneError from lib.functions import MoreThanOneError as MoreThanOneError +from lib.functions import config_lines from lib.functions import one from lib.types import Environ from lib.types import OSPath from .constant import UTF8 +from .errors import ShError +from .io import quote from .io import xtrace from .types import Command from .types import Generator @@ -66,12 +69,7 @@ def lines(cmd: Command, *, encoding: str = UTF8) -> Generator[Line]: """ process = _popen(cmd, encoding=encoding, capture_output=True) assert process.stdout, process.stdout - for line in process.stdout: - line = line.strip() - if not line or line.startswith("#"): - continue - - yield line + yield from config_lines(process.stdout) # handle termination and error codes _wait(process) 
@@ -185,8 +183,10 @@ def _wait( raise retcode = process.poll() if check and retcode: - raise subprocess.CalledProcessError( - retcode, process.args, output=stdout, stderr=stderr + assert isinstance(process.args, tuple) + raise ShError( + f"Command failed: (code {retcode})\n\n {quote(process.args)}\n", + code=retcode, ) assert retcode is not None, retcode return subprocess.CompletedProcess(process.args, retcode, stdout, stderr) diff --git a/lib/sh/errors.py b/lib/sh/errors.py new file mode 100644 index 00000000..a2e8c026 --- /dev/null +++ b/lib/sh/errors.py @@ -0,0 +1,9 @@ +from __future__ import annotations + +from subprocess import CalledProcessError + +from lib.user_error import UserError + + +class ShError(UserError, CalledProcessError): + pass diff --git a/lib/sh/io.py b/lib/sh/io.py index 3111100d..c116bcd9 100644 --- a/lib/sh/io.py +++ b/lib/sh/io.py @@ -4,6 +4,7 @@ from os import getenv from typing import ContextManager from typing import Iterable +from typing import TypeVar from lib import ansi @@ -23,6 +24,7 @@ # note: empty-string vars should be treated as unset DEBUG: int = int(getenv("DEBUG") or "1") +T = TypeVar("T") Uniq = set[tuple[object, ...]] UNIQ: Uniq | None = None @@ -110,12 +112,23 @@ def verbosity(newvalue: int) -> Generator[int]: DEBUG = orig +@contextlib.contextmanager +def noop_context(x: T) -> Generator[T]: + yield x + + def quiet() -> ContextManager[int]: - return verbosity(0) + if getenv("DEBUG") is None: + return verbosity(0) + else: + return noop_context(DEBUG) def loud() -> ContextManager[int]: - return verbosity(2) + if getenv("DEBUG") is None: + return verbosity(2) + else: + return noop_context(DEBUG) @contextlib.contextmanager diff --git a/lib/tf_lock/lib/env.py b/lib/tf_lock/lib/env.py index 9cba80bb..4ba172d8 100755 --- a/lib/tf_lock/lib/env.py +++ b/lib/tf_lock/lib/env.py 
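Review bot: The new `ShError` in `_wait` is raised with a message string and `code=retcode`, so the `output=stdout, stderr=stderr` that the replaced `CalledProcessError` carried are no longer attached; any caller that inspects `.output`/`.stderr` (or `.returncode`, unless `UserError.__init__` sets it, which is not visible here) now sees whatever the base classes default to. The message also embeds the full `quote(process.args)`; if a wrapped command ever carries a credential in its argv it will be echoed into this user-facing error, so consider keeping `process.args` on the exception attributes but shortening or redacting it in the message text. The `assert isinstance(process.args, tuple)` disappears under `python -O`; `tuple(process.args)` or an explicit `raise TypeError` would hold in every mode. `_wait`'s signature and the start of its body are outside the hunk, and `ShError` itself is defined in the new `lib/sh/errors.py` hunk as a bare `class ShError(UserError, CalledProcessError): pass`, which presumably leaves `CalledProcessError.__init__` uncalled.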
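Review bot: `quiet()` and `loud()` now become no-ops whenever `getenv("DEBUG") is None` is false, which includes `DEBUG=""`; the comment just above `DEBUG: int = int(getenv("DEBUG") or "1")` says empty-string vars should be treated as unset, and `lib/tf_lock/lib/env.sh` (patch 005 in this series) exports `DEBUG="${DEBUG:-}"`, so under that wrapper `sh.quiet()` would never silence anything. The check should mirror the `DEBUG` initialisation: `if not getenv("DEBUG"):`. In the no-op branch `noop_context(DEBUG)` yields the module-level value rather than re-reading the variable, which is fine but deserves a one-line comment such as `# an explicit DEBUG in the environment wins over programmatic quiet()/loud()`.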
@@ -6,14 +6,35 @@ from os import environ +from lib import json from lib.sh import sh +from lib.types import Environ from lib.types import OSPath from lib.types import Path -from ..release import get_current_host -from ..release import get_current_user -HERE = sh.get_HERE(__file__) +def get_current_host(env: Environ) -> str: + for var in ("HOST", "HOSTNAME"): + if var in env: + return env[var] + else: + import socket + + return socket.gethostname() + + +def get_current_user(env: Environ) -> str: + for var in ("USER", "LOGNAME"): + if var in env: + return env[var] + else: + import getpass + + return getpass.getuser() + + +here = sh.get_HERE(__file__) +LIB = here USER = environ["USER"] = get_current_user(environ) HOST = environ["HOST"] = get_current_host(environ) HOSTNAME = environ["HOSTNAME"] = environ["HOST"] @@ -21,15 +42,16 @@ TF_LOCK_ENONE = 2 TF_LOCK_EHELD = 3 - -TACOS_GHA_HOME = environ.setdefault("TACOS_GHA_HOME", str(HERE / "../../..")) +TACOS_GHA_HOME = Path( + environ.setdefault("TACOS_GHA_HOME", str(here / "../../..")) +) -def path_prepend(env_name: str, env_val: str) -> None: +def path_prepend(env_name: str, env_val: object) -> None: r"""Preprend to a colon delimited environment variable. >>> path_prepend('name', 'val') - >>> path_prepend('name', 'val2') + >>> path_prepend('name', Path('val2')) >>> environ['name'] 'val2:val' """ 
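Review bot: The `path_prepend` docstring still reads `Preprend to a colon delimited environment variable.`; the hunk touches the doctest right below it, so `Prepend to a colon-delimited environment variable.` could be fixed in the same change. The widened `env_val: object` parameter is only exercised by the new `Path('val2')` doctest line, and since `TACOS_GHA_HOME` is now a `Path` the docstring could say that any object is accepted and stringified with `str()`.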
@@ -38,33 +60,35 @@ def path_prepend(env_name: str, env_val: str) -> None: pythonpath_list = pythonpath.split(":") else: pythonpath_list = [] - pythonpath_list.insert(0, env_val) + pythonpath_list.insert(0, str(env_val)) environ[env_name] = ":".join(pythonpath_list) path_prepend("PYTHONPATH", TACOS_GHA_HOME) -path_prepend("PATH", TACOS_GHA_HOME + "/bin") -path_prepend("PATH", TACOS_GHA_HOME + "/lib/tf_lock/bin") +path_prepend("PATH", TACOS_GHA_HOME / "/bin") +path_prepend("PATH", here / "bin") -def tf_working_dir(root_module: OSPath) -> Path: +def tf_working_dir(root_module: OSPath) -> OSPath: if (root_module / "terragrunt.hcl").exists(): with sh.cd(root_module): # validate-inputs makes terragrunt generate its templates - sh.run(( - "terragrunt", - "--terragrunt-no-auto-init=false", - "validate-inputs", - )) - terragrunt_info = sh.json(( - "terragrunt", - "--terragrunt-no-auto-init=false", - "terragrunt-info", - )) - assert isinstance(terragrunt_info, dict), terragrunt_info - working_dir = terragrunt_info.get("WorkingDir") - assert isinstance(working_dir, str) - return Path(working_dir) + sh.run( + ( + "terragrunt", + "--terragrunt-no-auto-init=false", + "validate-inputs", + ) + ) + terragrunt_info = sh.json( + ( + "terragrunt", + "--terragrunt-no-auto-init=false", + "terragrunt-info", + ) + ) + terragrunt_info = json.assert_dict_of_strings(terragrunt_info) + return OSPath(terragrunt_info["WorkingDir"]) else: return root_module diff --git a/lib/tf_lock/lib/tf-lock-info-uncached b/lib/tf_lock/lib/tf-lock-info-uncached new file mode 100755 index 00000000..16910a6b --- /dev/null +++ b/lib/tf_lock/lib/tf-lock-info-uncached 
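Review bot: `path_prepend("PATH", TACOS_GHA_HOME / "/bin")` does not produce `$TACOS_GHA_HOME/bin`: joining a `pathlib`-style path with an absolute segment discards the left operand, so (assuming `Path` follows `pathlib` semantics) the line prepends the system `/bin` to `PATH` instead of the tool directory the removed line added. It should read `path_prepend("PATH", TACOS_GHA_HOME / "bin")`. The second line replaces `$TACOS_GHA_HOME/lib/tf_lock/bin` with `here / "bin"`, and `here` is this file's own directory (`lib/tf_lock/lib`), so that entry presumably also points somewhere different from before; a short comment naming the intended directory would make the change reviewable. Since this is the search path every later `sh.run` of `terraform`/`terragrunt` resolves against, the `path_prepend` doctest could gain a `Path('/abs')` case to pin the expected join behaviour.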
@@ -0,0 +1,58 @@ +#!/bin/bash +set -eEuo pipefail +HERE="$(dirname "$(readlink -f "$0")")" +. "$HERE/"env.sh + +root_module="${1:-"$PWD"}" +working_dir="$(tf_working_dir "$root_module")" + +# at most 1 reiteration should be necessary +i=0 +limit=3 +while (( i < limit )); do + (( i += 1 )) + + + fancy_error="$( + cd "$working_dir" || exit 1 + # swap stdout and stderr: + terraform force-unlock -force -- -1 3>&2 2>&1 1>&3 <<< "" + )" && status=$? || status=$? + # strip ansi fanciness from error messages, for automated consumption + error="$( + uncolor <<< "$fancy_error" | + sed -r 's/^│ //; /^[╷╵]$/d' + )" + + if grep -Eq <<< "$error" $'ID:'; then + "$HERE/"error2json <<< "$error" + exit 0 + elif grep -Eq <<< "$error" '^Failed to unlock state: LocalState not locked$' + then + echo >&2 "No remote tfstate configured, path: '$root_module'" + exit 1 + elif grep -Eq <<< "$error" $'^\t\* storage: object doesn'\''t exist$'; then + echo '{"lock": false}' + exit 0 + elif grep -Eq <<< "$error" \ + 'Error: .*(Backend initialization required, please run "terraform init"|Required plugins are not installed)' + then + ( # NB: need to undo the cd to keep relative paths valid + cd "$working_dir" + if ! noise="$(terraform init 2>&1)" || (( i == limit )); then + echo >&2 Terraform init failed! + echo >&2 "$noise" + exit 1 + fi + ) + continue + else # an unexpected error: show it + set +x + echo -n >&2 "$fancy_error" # avoid the newline appended by <<< + exit "$status" + fi + +done + +echo >&2 AssertionError: this should be impossible: "$i" +exit 99 diff --git a/lib/tf_lock/release.py b/lib/tf_lock/release.py index 129880c6..c3118c75 100644 --- a/lib/tf_lock/release.py +++ b/lib/tf_lock/release.py 
@@ -6,14 +6,17 @@ from typing import Tuple from lib import ansi -from lib import json from lib.parse import Parse from lib.sh import sh +from lib.tf_lock.lib.env import tf_working_dir from lib.types import Environ from lib.types import OSPath from lib.types import Path from lib.user_error import UserError +from .lib.env import get_current_host +from .lib.env import get_current_user + HERE = sh.get_HERE(__file__) TF_LOCK_EHELD = 3 @@ -73,26 +76,6 @@ def info(msg: object) -> None: print(msg, file=stderr, flush=True) -def get_current_user(env: Environ) -> str: - for var in ("USER", "LOGNAME"): - if var in env: - return env[var] - else: - import getpass - - return getpass.getuser() - - -def get_current_host(env: Environ) -> str: - for var in ("HOST", "HOSTNAME"): - if var in env: - return env[var] - else: - import socket - - return socket.gethostname() - - def assert_dict_of_strings(json: object) -> dict[str, str]: assert isinstance(json, dict), json @@ -121,7 +104,7 @@ def get_lock_info(root_module: Path) -> Tuple[bool, dict[str, str]]: return lock, assert_dict_of_strings(result) -def tf_lock_release(root_module: Path, env: Environ) -> None: +def tf_lock_release(root_module: OSPath, env: Environ) -> None: lock, lock_info = get_lock_info(root_module) if not lock: info(f"tf-lock-release: success: {root_module}") @@ -130,18 +113,10 @@ def tf_lock_release(root_module: Path, env: Environ) -> None: tf_user = f"{get_current_user(env)}@{get_current_host(env)}" lock_user = lock_info["Who"] if tf_user == lock_user: - try: - with sh.cd(tf_working_dir(root_module)): - sh.run(( - "terraform", - "force-unlock", - "-force", - "--", - lock_info["ID"], - )) - except sh.CalledProcessError as error: - # error message was already printed by subcommand - raise UserError(code=error.returncode) + with sh.cd(tf_working_dir(root_module)): + sh.run( + ("terraform", "force-unlock", "-force", "--", lock_info["ID"]) + ) info(f"tf-lock-release: success: {root_module}({lock_user})") 
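Review bot: The force-unlock hunk drops the `try/except sh.CalledProcessError` and relies on `sh.run` now raising `ShError`, which is a `UserError`, so `@UserError.handler` on `main` presumably keeps mapping the failure to an exit code; a one-line comment such as `# sh.run raises ShError (a UserError); main's handler turns it into the exit status` would record that dependency. In the import hunk the same module is imported two ways, `from lib.tf_lock.lib.env import tf_working_dir` and `from .lib.env import get_current_host`, which is easy to unify into one relative import group. `tf_lock_release`'s body continues past the hunk.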
@@ -157,19 +132,6 @@ def tf_lock_release(root_module: Path, env: Environ) -> None: ) -def tf_working_dir(root_module: Path) -> Path: - """dereference terragrunt indirection, if any""" - - if OSPath(root_module / "terragrunt.hcl").exists(): - with sh.cd(root_module): - sh.run(("terragrunt", "validate-inputs")) - info = sh.json(("terragrunt", "terragrunt-info")) - info = json.assert_dict_of_strings(info) - return Path(info["WorkingDir"]) - else: - return root_module - - @UserError.handler def main() -> None: from os import environ @@ -177,9 +139,9 @@ def main() -> None: args = argv[1:] if args: - paths = [Path(arg) for arg in args] + paths = [OSPath(arg) for arg in args] else: - paths = [Path(".")] + paths = [OSPath(".")] from os import environ diff --git a/lib/tf_lock/tf-lock-info b/lib/tf_lock/tf-lock-info index 50dd9ddb..f931d550 100755 --- a/lib/tf_lock/tf-lock-info +++ b/lib/tf_lock/tf-lock-info 
@@ -1,58 +1,7 @@ #!/bin/bash -set -eEuo pipefail +set -euo pipefail HERE="$(dirname "$(readlink -f "$0")")" . "$HERE/"lib/env.sh -root_module="${1:-"$PWD"}" -working_dir="$(tf_working_dir "$root_module")" - -# at most 1 reiteration should be necessary -i=0 -limit=3 -while (( i < limit )); do - (( i += 1 )) - - - fancy_error="$( - cd "$working_dir" || exit 1 - # swap stdout and stderr: - terraform force-unlock -force -- -1 3>&2 2>&1 1>&3 <<< "" - )" && status=$? || status=$? - # strip ansi fanciness from error messages, for automated consumption - error="$( - uncolor <<< "$fancy_error" | - sed -r 's/^│ //; /^[╷╵]$/d' - )" - - if grep -Eq <<< "$error" $'ID:'; then - "$HERE/"lib/error2json <<< "$error" - exit 0 - elif grep -Eq <<< "$error" '^Failed to unlock state: LocalState not locked$' - then - echo >&2 "No remote tfstate configured, path: '$root_module'" - exit 1 - elif grep -Eq <<< "$error" $'^\t\* storage: object doesn'\''t exist$'; then - echo '{"lock": false}' - exit 0 - elif grep -Eq <<< "$error" \ - 'Error: .*(Backend initialization required, please run "terraform init"|Required plugins are not installed)' - then - ( # NB: need to undo the cd to keep relative paths valid - cd "$working_dir" - if ! noise="$(terraform init 2>&1)" || (( i == limit )); then - echo >&2 Terraform init failed! - echo >&2 "$noise" - exit 1 - fi - ) - continue - else # an unexpected error: show it - set +x - echo -n >&2 "$fancy_error" # avoid the newline appended by <<< - exit "$status" - fi - -done - -echo >&2 AssertionError: this should be impossible: "$i" -exit 99 +# FIXME: we need pip packaging +python3.12 -m lib.tf_lock.tf_lock_info "$@" diff --git a/lib/tf_lock/tf-lock-url b/lib/tf_lock/tf-lock-url new file mode 100755 index 00000000..e6f2b598 --- /dev/null +++ b/lib/tf_lock/tf-lock-url @@ -0,0 +1,7 @@ +#!/bin/bash +set -euo pipefail +HERE="$(dirname "$(readlink -f "$0")")" +. "$HERE/"lib/env.sh + +# FIXME: we need pip packaging +python3.12 -m lib.tf_lock.tf_lock_url "$@" 
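Review bot: Both wrapper scripts hard-code `python3.12 -m lib.tf_lock.tf_lock_info "$@"` and `python3.12 -m lib.tf_lock.tf_lock_url "$@"`, and `-m lib.tf_lock...` only resolves if `lib`'s parent is on `PYTHONPATH`, which the sourced `env.sh` is presumably responsible for; the `# FIXME: we need pip packaging` marker should say so, e.g. `# FIXME: we need pip packaging; until then env.sh must put $TACOS_GHA_HOME on PYTHONPATH`. `tf-lock-info` also drops `-E` from `set -eEuo pipefail`, so an ERR trap set in `env.sh` would no longer fire inside functions or subshells; if that was unintentional, restore `set -eEuo pipefail` (the new `tf-lock-url` uses the same `set -euo pipefail`).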
diff --git a/lib/tf_lock/tf_lock_info.py b/lib/tf_lock/tf_lock_info.py new file mode 100755 index 00000000..8186aa78 --- /dev/null +++ b/lib/tf_lock/tf_lock_info.py @@ -0,0 +1,72 @@ +#!/usr/bin/env python3 +"""Print the metadata of the terraform state lock. + +No arguments: like terraform/terragrunt this operates on $PWD. + + +$ sudo-gcp tf-lock-info | jq . +{ + "ID": "1710368348617077", + "Path": "gs://sac-dev-tf--team-sre/regions/multi-tenant/tacos-gha/de/terraform.tfstate/default.tflock", + "Operation": "OperationTypeInvalid", + "Who": "bukzor@9685.ops.getsentry.github.invalid", + "Version": "1.5.3", + "Created": "2024-03-13 22:19:08.45158468 +0000 UTC", + "Info": "", + "lock": true +} +""" + +from __future__ import annotations + +from lib import json +from lib.functions import config_lines +from lib.functions import one +from lib.sh import sh +from lib.types import ExitCode +from lib.types import OSPath +from lib.types import Path +from lib.user_error import UserError + +from .lib.env import LIB + +CACHE_PATH = Path(".config/tf-lock-info/Path") + + +def cache_get(tg_root_module: OSPath) -> str | None: + with (tg_root_module / CACHE_PATH).open() as cache: + return one(config_lines(cache)) + + +def cache_put(tg_root_module: OSPath, path: str) -> None: + cache = tg_root_module / CACHE_PATH + cache.parent.mkdir(parents=True, exist_ok=True) + cache.write_text(path) + + +def tf_lock_info(tg_root_module: OSPath) -> json.Value: + with sh.cd(tg_root_module): + lock_info = sh.json((LIB / "tf-lock-info-uncached",)) + assert isinstance(lock_info, dict) + + if lock_info["lock"]: + path = lock_info["Path"] + assert isinstance(path, str) + cache_put(tg_root_module, path) + else: + lock_info.setdefault("Path", cache_get(tg_root_module)) + + return lock_info + + +@UserError.handler +def main() -> ExitCode: + with sh.quiet(): + import json + + print(json.dumps(tf_lock_info(OSPath.cwd()))) + return 0 + + +if __name__ == "__main__": + raise SystemExit(main()) 
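Review bot: `main` does `import json` inside `sh.quiet()` while the module already binds `json` to `lib.json` at the top, so the same name refers to two different modules in one file; `tf_lock_info` returns `json.Value` from one and `main` calls `json.dumps` on the other, which works but misleads a reader — `import json as stdlib_json` makes the distinction visible. `cache_get` passes the cache file through `one(config_lines(...))`, and `one` raises (`LessThanOneError`/`MoreThanOneError` are exported from `lib.functions`) when the file is empty or has several non-comment lines, so a blank or hand-edited `.config/tf-lock-info/Path` aborts the lookup instead of reading as a cache miss; the `str | None` return suggests catching those and returning `None`. The cached `Path` is the remote state-lock location (a `gs://` URL in the docstring example) written into the module tree, and later commits in this series push it from CI, so the module docstring could state that the cache is intended to be committed.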
diff --git a/lib/tf_lock/tf_lock_url.py b/lib/tf_lock/tf_lock_url.py new file mode 100755 index 00000000..7f9954c8 --- /dev/null +++ b/lib/tf_lock/tf_lock_url.py @@ -0,0 +1,43 @@ +#!/usr/bin/env python3 +"""Print the URL to the terraform state lock for the IAC. + +This will require lock-acquire permission if the lock url is not already cached. +No arguments: like terraform/terragrunt this operates on $PWD. +""" + +from __future__ import annotations + +from lib.sh import sh +from lib.types import ExitCode +from lib.types import OSPath +from lib.user_error import UserError + +from .tf_lock_info import cache_get +from .tf_lock_info import tf_lock_info + + +def tf_lock_url(tg_root_module: OSPath) -> str: + path = cache_get(tg_root_module) + if path is not None: + return path + + # cache miss! go figure out the lock url (slowly) + with sh.cd(tg_root_module): + sh.run(("tf-lock-acquire",)) + tf_lock_info(tg_root_module) + sh.run(("tf-lock-release",)) + + path = cache_get(tg_root_module) + assert isinstance(path, str) + return path + + +@UserError.handler +def main() -> ExitCode: + # with sh.quiet(): + print(tf_lock_url(OSPath.cwd())) + return 0 + + +if __name__ == "__main__": + raise SystemExit(main()) From d10c6f9c89ec65187ef9dcd95d488719202a60ad Mon Sep 17 00:00:00 2001 From: kneeyo1 Date: Wed, 22 May 2024 11:34:36 -0700 Subject: [PATCH 002/102] updating cache properly --- lib/tf_lock/lib/env.py | 2 +- lib/tf_lock/tf_lock_info.py | 7 ++++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/lib/tf_lock/lib/env.py b/lib/tf_lock/lib/env.py index 4ba172d8..706c9b71 100755 --- a/lib/tf_lock/lib/env.py +++ b/lib/tf_lock/lib/env.py @@ -33,7 +33,7 @@ def get_current_user(env: Environ) -> str: return getpass.getuser() -here = sh.get_HERE(__file__) +here: OSPath = sh.get_HERE(__file__) LIB = here USER = environ["USER"] = get_current_user(environ) HOST = environ["HOST"] = get_current_host(environ) 
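Review bot: In `tf_lock_url` the cache-miss path runs `tf-lock-acquire`, then `tf_lock_info`, then `tf-lock-release` as three sequential statements, so if `tf_lock_info` raises (for example its `assert isinstance(lock_info, dict)`, or a failure of the uncached script) the release never runs and the state lock stays held until someone force-unlocks it. Wrapping the lookup in `try/finally` bounds the lock's lifetime to this function. The trailing `assert isinstance(path, str)` is the only guard against the cache still being empty after a successful acquire/release and is stripped under `-O`; raising a `UserError` with a clear message there would be consistent with the `@UserError.handler` on `main`. `main` carries a commented-out `# with sh.quiet():` that should either be restored or deleted.
```python
    # cache miss! go figure out the lock url (slowly)
    with sh.cd(tg_root_module):
        sh.run(("tf-lock-acquire",))
        try:
            tf_lock_info(tg_root_module)
        finally:
            # release even when the lookup fails, so the lock is never leaked
            sh.run(("tf-lock-release",))

    # … unchanged: cache_get + assert + return …
```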
diff --git a/lib/tf_lock/tf_lock_info.py b/lib/tf_lock/tf_lock_info.py index 8186aa78..004a1ce5 100755 --- a/lib/tf_lock/tf_lock_info.py +++ b/lib/tf_lock/tf_lock_info.py @@ -34,8 +34,10 @@ def cache_get(tg_root_module: OSPath) -> str | None: - with (tg_root_module / CACHE_PATH).open() as cache: - return one(config_lines(cache)) + if (tg_root_module / CACHE_PATH).exists(): + with (tg_root_module / CACHE_PATH).open() as cache: + return one(config_lines(cache)) + return None def cache_put(tg_root_module: OSPath, path: str) -> None: @@ -48,7 +50,6 @@ def tf_lock_info(tg_root_module: OSPath) -> json.Value: with sh.cd(tg_root_module): lock_info = sh.json((LIB / "tf-lock-info-uncached",)) assert isinstance(lock_info, dict) - if lock_info["lock"]: path = lock_info["Path"] assert isinstance(path, str) From 1bc7d305139abc36bc4ca416072dbd1d1ce16c57 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Wed, 22 May 2024 12:05:37 -0700 Subject: [PATCH 003/102] auto-commit: GHA deps, for test --- lib/tf_lock/tf_lock_info.py | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/lib/tf_lock/tf_lock_info.py b/lib/tf_lock/tf_lock_info.py index 004a1ce5..69136c8a 100755 --- a/lib/tf_lock/tf_lock_info.py +++ b/lib/tf_lock/tf_lock_info.py @@ -55,17 +55,26 @@ def tf_lock_info(tg_root_module: OSPath) -> json.Value: assert isinstance(path, str) cache_put(tg_root_module, path) else: - lock_info.setdefault("Path", cache_get(tg_root_module)) + path = cache_get(tg_root_module) + if path is not None: + lock_info.setdefault("Path", path) return lock_info @UserError.handler def main() -> ExitCode: + from sys import argv + with sh.quiet(): import json - print(json.dumps(tf_lock_info(OSPath.cwd()))) + if len(argv) >= 2 and argv[1]: + # root_module="${1:-"$PWD"}" + root_module = OSPath(argv[1]) + else: + root_module = OSPath.cwd() + print(json.dumps(tf_lock_info(root_module))) return 0 From af14332c7fde5451a8a757187693d6cc87b511a5 Mon Sep 17 00:00:00 2001 
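Review bot: `cache_get` now checks `.exists()` and then opens the same path, a check-then-use pair; if the file disappears in between (the `lib/tacos/plan` changes in this series commit and rebase this directory from CI) the `open` still raises `FileNotFoundError`. Opening directly and catching the error is the idiomatic form and removes the double lookup. `tf_lock_info`'s body continues past the second hunk in this line.
```python
def cache_get(tg_root_module: OSPath) -> str | None:
    try:
        with (tg_root_module / CACHE_PATH).open() as cache:
            return one(config_lines(cache))
    except FileNotFoundError:
        return None
```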
From: TACOS-gha Tester Date: Wed, 22 May 2024 12:41:20 -0700 Subject: [PATCH 004/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/lib/tacos/plan b/lib/tacos/plan index ebfc80da..e40fc096 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -12,6 +12,13 @@ if "$TACOS_LOCK"; then ( set -ex env GETSENTRY_SAC_VERB=state-admin sudo-gcp tf-lock-acquire ) + git add -f .cache/tf-lock-info + if ! git diff --cached --exit-code .cache/tf-lock-info; then + ( set -ex + git commit -m 'updating tf-lock cache' .cache/tf-lock-info + git push + ) + fi fi quietly sudo-gcp terragrunt run-all init From b0971c2432db9f897f6f1cdc7eb431971f38bf94 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Wed, 22 May 2024 13:08:20 -0700 Subject: [PATCH 005/102] auto-commit: GHA deps, for test --- lib/tf_lock/lib/env.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/tf_lock/lib/env.sh b/lib/tf_lock/lib/env.sh index 9b74a9d9..cbaa4580 100644 --- a/lib/tf_lock/lib/env.sh +++ b/lib/tf_lock/lib/env.sh @@ -30,6 +30,6 @@ tf_working_dir() { } export DEBUG="${DEBUG:-}" -if (( DEBUG >= 0 )); then +if (( DEBUG >= 1 )); then set -x fi From 456bba5890ec11de957413b35995c75f3f40d86f Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Wed, 22 May 2024 13:13:27 -0700 Subject: [PATCH 006/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index e40fc096..67bdf2ad 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan 
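Review bot: This block makes the plan job commit and push from CI (`git add -f`, `git commit`, `git push`) with no comment explaining why a plan needs to write to the repository; a header such as `# persist the tf-lock Path cache so later runs can find the lock URL without acquiring the lock` would help, since the rationale only appears in `tf_lock_url.py`'s docstring. Pushing from a job that runs against pull requests also means the job's token must carry `contents: write` (patches 012/013 in this series adjust it), and the committed file holds the remote state-lock location, so it is worth documenting that this path is intentionally repository content. `git add -f` force-adds the directory; if it is gitignored, say so in the comment rather than leaving the reader to guess. The `if "$TACOS_LOCK"; then` block begins before this hunk.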
@@ -7,17 +7,20 @@ exec 3>&1 1>&2 # note: for terragrunt, tfplan must be absolute TACOS_TFPLAN="${TACOS_TFPLAN:-$PWD/tfplan}" TACOS_LOCK="${TACOS_LOCK:-false}" +cache=.cache/tf-lock-info if "$TACOS_LOCK"; then ( set -ex env GETSENTRY_SAC_VERB=state-admin sudo-gcp tf-lock-acquire ) - git add -f .cache/tf-lock-info - if ! git diff --cached --exit-code .cache/tf-lock-info; then - ( set -ex - git commit -m 'updating tf-lock cache' .cache/tf-lock-info - git push - ) + if [[ -d $cache ]]; then + git add -f $cache + if ! git diff --cached --exit-code $cache; then + ( set -ex + git commit -m 'updating tf-lock cache' $cache + git push + ) + fi fi fi From 1d6034bbd7486ef213cbf75b2826e5e8fb10b4ba Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Wed, 22 May 2024 13:18:55 -0700 Subject: [PATCH 007/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index 67bdf2ad..09c48188 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -7,7 +7,7 @@ exec 3>&1 1>&2 # note: for terragrunt, tfplan must be absolute TACOS_TFPLAN="${TACOS_TFPLAN:-$PWD/tfplan}" TACOS_LOCK="${TACOS_LOCK:-false}" -cache=.cache/tf-lock-info +cache=.config/tf-lock-info if "$TACOS_LOCK"; then ( set -ex From c3d2b46a02e979d96c6553517e65ceddb87c65d1 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Wed, 22 May 2024 13:34:16 -0700 Subject: [PATCH 008/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/tacos/plan b/lib/tacos/plan index 09c48188..b633c26b 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -16,6 +16,8 @@ if "$TACOS_LOCK"; then if [[ -d $cache ]]; then git add -f $cache if ! git diff --cached --exit-code $cache; then + git config --global user.email "$USER@$HOSTNAME" + git config --global user.name "$USER" ( set -ex git commit -m 'updating tf-lock cache' $cache git push From 2aaf3eed691f3397b458815f630611e94dc43204 Mon Sep 17 00:00:00 2001 
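Review bot: `git config --global user.email "$USER@$HOSTNAME"` and `git config --global user.name "$USER"` (patch 008) write to the runner's global git config rather than the checkout, so on a persistent or self-hosted runner the identity outlives the job. Scoping them to the repository, `git config user.email "$USER@$HOSTNAME"` / `git config user.name "$USER"`, has the same effect here with no side effect on later jobs. The earlier hunks in this line leave `$cache` unquoted in `git add -f $cache` and `git diff --cached --exit-code $cache`; the value is a constant so it is harmless today, but `"$cache"` is the form shellcheck expects.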
From: TACOS-gha Tester Date: Wed, 22 May 2024 13:44:57 -0700 Subject: [PATCH 009/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/tacos/plan b/lib/tacos/plan index b633c26b..e6b5af04 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -18,6 +18,7 @@ if "$TACOS_LOCK"; then if ! git diff --cached --exit-code $cache; then git config --global user.email "$USER@$HOSTNAME" git config --global user.name "$USER" + git config --global push.default current ( set -ex git commit -m 'updating tf-lock cache' $cache git push From ed1fa440b6d16a582fc93fd9de5375a206a5bcce Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Wed, 22 May 2024 13:47:40 -0700 Subject: [PATCH 010/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index e6b5af04..43dc5f63 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -19,9 +19,11 @@ if "$TACOS_LOCK"; then git config --global user.email "$USER@$HOSTNAME" git config --global user.name "$USER" git config --global push.default current + git branch -avv + env | grep GITHUB | sort ( set -ex git commit -m 'updating tf-lock cache' $cache - git push + git push -q ) fi fi From 619301a832eb0f66a949d06285f7db2bad1a1b3b Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Wed, 22 May 2024 13:52:58 -0700 Subject: [PATCH 011/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index 43dc5f63..36e2191d 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -19,8 +19,7 @@ if "$TACOS_LOCK"; then git config --global user.email "$USER@$HOSTNAME" git config --global user.name "$USER" git config --global push.default current - git branch -avv - env | grep GITHUB | sort + git checkout -b "$GITHUB_HEAD_REF" ( set -ex git commit -m 'updating tf-lock cache' $cache git push -q 
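Review bot: `env | grep GITHUB | sort` (patch 010) prints every environment variable whose name or value contains `GITHUB` into the job log; if the workflow ever passes a token through such a variable it would be logged in clear, and `git branch -avv` adds noise for the same debugging purpose. Patch 011 on this line replaces both with `git checkout -b "$GITHUB_HEAD_REF"`, which is the right direction; if a diagnostic is still wanted, `env | grep -E '^GITHUB_' | cut -d= -f1 | sort` lists the names without the values.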
From 5440e0f33b5d6ee4fa2dab78ecc98f5526696400 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Wed, 22 May 2024 13:57:41 -0700 Subject: [PATCH 012/102] auto-commit: GHA deps, for test --- .github/workflows/tacos_apply.yml | 2 +- .github/workflows/tacos_detect_drift.yml | 2 +- .github/workflows/tacos_plan.yml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/tacos_apply.yml b/.github/workflows/tacos_apply.yml index f164cc34..9d44ee46 100644 --- a/.github/workflows/tacos_apply.yml +++ b/.github/workflows/tacos_apply.yml @@ -45,7 +45,7 @@ jobs: runs-on: ubuntu-latest permissions: - contents: read + contents: write pull-requests: write steps: diff --git a/.github/workflows/tacos_detect_drift.yml b/.github/workflows/tacos_detect_drift.yml index ac52b725..fb2568c6 100644 --- a/.github/workflows/tacos_detect_drift.yml +++ b/.github/workflows/tacos_detect_drift.yml @@ -37,7 +37,7 @@ jobs: runs-on: ubuntu-latest permissions: - contents: read + contents: write pull-requests: write steps: diff --git a/.github/workflows/tacos_plan.yml b/.github/workflows/tacos_plan.yml index fb0fb17e..c0adbd79 100644 --- a/.github/workflows/tacos_plan.yml +++ b/.github/workflows/tacos_plan.yml @@ -15,7 +15,7 @@ on: default: refs/heads/stable debug: type: string - default: 0 + default: "0" secrets: ssh-private-key: description: "Private SSH key to use for git clone" @@ -48,7 +48,7 @@ jobs: runs-on: ubuntu-latest permissions: - contents: read + contents: write pull-requests: write steps: From 2cc802f3589734839de6e672583160fd02cb998f Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Wed, 22 May 2024 14:03:00 -0700 Subject: [PATCH 013/102] auto-commit: GHA deps, for test --- .github/workflows/tacos_apply.yml | 4 ++-- .github/workflows/tacos_detect_drift.yml | 4 ++-- .github/workflows/tacos_plan.yml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) 
diff --git a/.github/workflows/tacos_apply.yml b/.github/workflows/tacos_apply.yml index 9d44ee46..fbfaa2cd 100644 --- a/.github/workflows/tacos_apply.yml +++ b/.github/workflows/tacos_apply.yml @@ -45,7 +45,7 @@ jobs: runs-on: ubuntu-latest permissions: - contents: write + contents: read pull-requests: write steps: @@ -75,7 +75,7 @@ jobs: runs-on: ubuntu-latest permissions: - contents: read + contents: write pull-requests: write id-token: write diff --git a/.github/workflows/tacos_detect_drift.yml b/.github/workflows/tacos_detect_drift.yml index fb2568c6..9d45d0e4 100644 --- a/.github/workflows/tacos_detect_drift.yml +++ b/.github/workflows/tacos_detect_drift.yml @@ -37,7 +37,7 @@ jobs: runs-on: ubuntu-latest permissions: - contents: write + contents: read pull-requests: write steps: @@ -66,7 +66,7 @@ jobs: runs-on: ubuntu-latest permissions: - contents: read + contents: write pull-requests: write id-token: write diff --git a/.github/workflows/tacos_plan.yml b/.github/workflows/tacos_plan.yml index c0adbd79..a8dd89dc 100644 --- a/.github/workflows/tacos_plan.yml +++ b/.github/workflows/tacos_plan.yml @@ -48,7 +48,7 @@ jobs: runs-on: ubuntu-latest permissions: - contents: write + contents: read pull-requests: write steps: @@ -78,7 +78,7 @@ jobs: runs-on: ubuntu-latest permissions: - contents: read + contents: write pull-requests: write id-token: write From 5a9c76043f13e08dd38c8e681c6e6a9ad599d8b5 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Wed, 22 May 2024 14:23:23 -0700 Subject: [PATCH 014/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index 36e2191d..de2fa87d 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan 
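Review bot: After patch 013 the `contents: write` grant sits on the job that also holds `id-token: write` and `pull-requests: write` in all three workflows, but nothing in the YAML says which step needs the write scope; a comment on the permission, e.g. `contents: write  # lib/tacos/plan pushes the tf-lock cache back to the PR branch`, would let the next reviewer confirm it is still required. Patch 012 on the previous line had granted `contents: write` to the first job of each workflow and 013 moves it to the second, so the two together are a relocation rather than a broadening; the `tacos_plan.yml` `debug` default change to `"0"` is an unrelated fix worth its own line in the commit message.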
@@ -9,6 +9,19 @@ TACOS_TFPLAN="${TACOS_TFPLAN:-$PWD/tfplan}" TACOS_LOCK="${TACOS_LOCK:-false}" cache=.config/tf-lock-info +#todo: make this an artifact instead +# we expect at most 6 slices to be fighting +git_push_aggressively() { + sleep=3 + limit=30 + while ! (set -ex; git push -q) && (( sleep <= limit )); do + echo "failed! trying again after $sleep seconds..." + sleep $sleep + (( sleep += 3 )) + git pull --rebase + done +} + if "$TACOS_LOCK"; then ( set -ex env GETSENTRY_SAC_VERB=state-admin sudo-gcp tf-lock-acquire @@ -22,8 +35,8 @@ if "$TACOS_LOCK"; then git checkout -b "$GITHUB_HEAD_REF" ( set -ex git commit -m 'updating tf-lock cache' $cache - git push -q ) + git_push_aggressively fi fi fi From 9c2a255b9a842a631660532ed210853f9af3611e Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Wed, 22 May 2024 14:25:59 -0700 Subject: [PATCH 015/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/tacos/plan b/lib/tacos/plan index de2fa87d..d00f15db 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -18,6 +18,7 @@ git_push_aggressively() { echo "failed! trying again after $sleep seconds..." sleep $sleep (( sleep += 3 )) + git status git pull --rebase done } From 60a07e868048de51f32776d633ce8bb9f7a2f573 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Wed, 22 May 2024 14:29:19 -0700 Subject: [PATCH 016/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/tacos/plan b/lib/tacos/plan index d00f15db..faf947cf 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -35,6 +35,7 @@ if "$TACOS_LOCK"; then git config --global push.default current git checkout -b "$GITHUB_HEAD_REF" ( set -ex + git add -u git commit -m 'updating tf-lock cache' $cache ) git_push_aggressively From a84de12862eba49b27733f41e9e2d55133008028 Mon Sep 17 00:00:00 2001 
From: TACOS-gha Tester Date: Wed, 22 May 2024 14:31:58 -0700 Subject: [PATCH 017/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index faf947cf..01811850 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -35,8 +35,9 @@ if "$TACOS_LOCK"; then git config --global push.default current git checkout -b "$GITHUB_HEAD_REF" ( set -ex + # add .terraform-lock changes git add -u - git commit -m 'updating tf-lock cache' $cache + git commit -m 'updating tf-lock cache' ) git_push_aggressively fi From 2e6c2a4860cde6bbc8732372ec61f00c2439b7ac Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Wed, 22 May 2024 14:36:35 -0700 Subject: [PATCH 018/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index 01811850..7190353a 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -33,7 +33,7 @@ if "$TACOS_LOCK"; then git config --global user.email "$USER@$HOSTNAME" git config --global user.name "$USER" git config --global push.default current - git checkout -b "$GITHUB_HEAD_REF" + git checkout -b "$GITHUB_HEAD_REF" --track origin/"$GITHUB_HEAD_REF" ( set -ex # add .terraform-lock changes git add -u From 1ecac3642fda5f0c98616b487d6f6812df9c4f66 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Wed, 22 May 2024 14:37:56 -0700 Subject: [PATCH 019/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index 7190353a..c4496ad7 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -19,7 +19,7 @@ git_push_aggressively() { sleep $sleep (( sleep += 3 )) git status - git pull --rebase + git pull --rebase origin "$GITHUB_HEAD_REF" done } 
@@ -33,7 +33,7 @@ if "$TACOS_LOCK"; then git config --global user.email "$USER@$HOSTNAME" git config --global user.name "$USER" git config --global push.default current - git checkout -b "$GITHUB_HEAD_REF" --track origin/"$GITHUB_HEAD_REF" + git checkout -b "$GITHUB_HEAD_REF" ( set -ex # add .terraform-lock changes git add -u From 866bba9d41351710bedf960a55cd7d32ce4ddb16 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Wed, 22 May 2024 14:47:04 -0700 Subject: [PATCH 020/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index c4496ad7..b96515b9 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -36,7 +36,8 @@ if "$TACOS_LOCK"; then git checkout -b "$GITHUB_HEAD_REF" ( set -ex # add .terraform-lock changes - git add -u + git add -u "$TF_ROOT_MODULE" + git status git commit -m 'updating tf-lock cache' ) git_push_aggressively From 16c6849a360200b6f5eb462c9489711126819087 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Wed, 22 May 2024 14:49:34 -0700 Subject: [PATCH 021/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index b96515b9..b7f465ef 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -36,7 +36,7 @@ if "$TACOS_LOCK"; then git checkout -b "$GITHUB_HEAD_REF" ( set -ex # add .terraform-lock changes - git add -u "$TF_ROOT_MODULE" + git add -u . git status git commit -m 'updating tf-lock cache' ) From c14c0b8c365fddf4c97c732a8fb5882e17387ca2 Mon Sep 17 00:00:00 2001 From: kneeyo1 Date: Wed, 22 May 2024 14:55:24 -0700 Subject: [PATCH 022/102] debugging github --- lib/sh/io.py | 3 +-- lib/tacos/plan | 1 + spec/lib/gh/check_run.py | 33 ++++++++++++++++++++------------- spec/lib/slice.py | 2 ++ 4 files changed, 24 insertions(+), 15 deletions(-) diff --git a/lib/sh/io.py b/lib/sh/io.py index c116bcd9..d81ee2bd 100644 --- a/lib/sh/io.py 
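Review bot: Reverting to a bare `git checkout -b "$GITHUB_HEAD_REF"` creates the branch at whatever commit the checkout step left as HEAD; if this runs on a pull_request event with the default actions/checkout ref, that is the synthetic `refs/pull/N/merge` commit, so the push that follows carries the base-branch merge onto the PR head branch together with the cache commit. The previous patch's `--track origin/"$GITHUB_HEAD_REF"` needed the remote branch to be present locally; fetching it first, `git fetch origin "$GITHUB_HEAD_REF"` then `git checkout -B "$GITHUB_HEAD_REF" FETCH_HEAD`, keeps the branch anchored to the PR head. The enclosing `if` block starts before this hunk.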
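Review bot: `git add -u .` stages every tracked modification under the current directory, not only the cache directory and the lock-file change the `# add .terraform-lock changes` comment describes, so anything the preceding `tf-lock-acquire` step or earlier tooling touched is committed and pushed to the PR branch under the runner's identity. Name the intended paths instead, e.g. `git add -u -- "$cache" <lock-file path>`, so the commit matches its message. The `$cache` directory was already force-added a few lines above this hunk.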
+++ b/lib/sh/io.py @@ -22,8 +22,7 @@ # 2 - debug # 3 - trace # note: empty-string vars should be treated as unset -DEBUG: int = int(getenv("DEBUG") or "1") - +DEBUG: int = int(getenv("DEBUG", "1") or "0") T = TypeVar("T") Uniq = set[tuple[object, ...]] UNIQ: Uniq | None = None diff --git a/lib/tacos/plan b/lib/tacos/plan index b7f465ef..53334b0e 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -39,6 +39,7 @@ if "$TACOS_LOCK"; then git add -u . git status git commit -m 'updating tf-lock cache' + git log --oneline --graph --decorate --color=always | head ) git_push_aggressively fi diff --git a/spec/lib/gh/check_run.py b/spec/lib/gh/check_run.py index c10f611f..0d9101b3 100644 --- a/spec/lib/gh/check_run.py +++ b/spec/lib/gh/check_run.py @@ -99,9 +99,14 @@ def relevance(self) -> tuple[object, ...]: try: result.append( - ("NEUTRAL", "SUCCESS", "CANCELLED", "", "FAILURE").index( - self.conclusion - ) + ( + "SKIPPED", + "NEUTRAL", + "SUCCESS", + "CANCELLED", + "", + "FAILURE", + ).index(self.conclusion) ) except ValueError as error: raise AssertionError( @@ -132,13 +137,15 @@ def job(self) -> str: def get_runs_json(pr_url: URL) -> Generator[json.Value]: """Get the json of all runs, for the named check.""" # https://docs.github.com/en/graphql/reference/objects#statuscheckrollup - return sh.jq(( - "gh", - "pr", - "view", - pr_url, - "--json", - "statusCheckRollup", - "--jq", - ".statusCheckRollup[]", - )) + return sh.jq( + ( + "gh", + "pr", + "view", + pr_url, + "--json", + "statusCheckRollup", + "--jq", + ".statusCheckRollup[]", + ) + ) diff --git a/spec/lib/slice.py b/spec/lib/slice.py index 06bf75ec..559af5be 100644 --- a/spec/lib/slice.py +++ b/spec/lib/slice.py @@ -101,7 +101,9 @@ def force_unlock(self) -> None: """Unlock these slices, forcefully.""" sh.banner("forcefully unlocking slices") with sh.cd(self.path): + print(self.path) for slice in self: + print("slice", slice) tf_lock.force_unlock(slice) def plan_is_clean(self) -> bool: 
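Review bot: `int(getenv("DEBUG", "1") or "0")` no longer matches the comment directly above it — an unset DEBUG now yields 1 while an empty-string DEBUG yields 0, although the comment says empty-string vars should be treated as unset. If the intent is to change the default to 0, make the comment and the expression agree, `DEBUG: int = int(getenv("DEBUG") or "0")`; if the default is still 1, the original expression already did the right thing.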
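Review bot: The two `print(...)` calls added to `force_unlock` look like leftover debugging; they write raw values to stdout while the rest of the method reports through `sh.banner`. Remove them before merge, or route the per-slice message through the same channel, e.g. `sh.banner(f"forcefully unlocking {slice}")`. The method's signature is inside the hunk, the class it belongs to is not.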
From e9650da6ee8b28eb44e76ac9f26cb7b126fd2887 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Wed, 22 May 2024 15:09:09 -0700 Subject: [PATCH 023/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index 53334b0e..41e5ad6f 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -39,7 +39,7 @@ if "$TACOS_LOCK"; then git add -u . git status git commit -m 'updating tf-lock cache' - git log --oneline --graph --decorate --color=always | head + git log --stat --oneline --graph --decorate --color=always | head ) git_push_aggressively fi From ecb794669301f5a46947860debbb35257b88fa20 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Thu, 23 May 2024 10:51:59 -0700 Subject: [PATCH 024/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index 41e5ad6f..b7f465ef 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -39,7 +39,6 @@ if "$TACOS_LOCK"; then git add -u . git status git commit -m 'updating tf-lock cache' - git log --stat --oneline --graph --decorate --color=always | head ) git_push_aggressively fi From 0406c026daebb7241f437edca19d82b5726569e6 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Thu, 23 May 2024 14:52:22 -0700 Subject: [PATCH 025/102] auto-commit: GHA deps, for test --- .github/workflows/tacos_plan.yml | 6 ++++++ lib/tacos/plan | 1 + 2 files changed, 7 insertions(+) diff --git a/.github/workflows/tacos_plan.yml b/.github/workflows/tacos_plan.yml index a8dd89dc..e83f56b3 100644 --- a/.github/workflows/tacos_plan.yml +++ b/.github/workflows/tacos_plan.yml 
@@ -129,6 +129,12 @@ jobs: run: | "$TACOS_GHA_HOME/"lib/ci/tacos-plan + - name: Start SSH + if: always() + uses: lhotari/action-upterm@v1 + with: + ## limits ssh access and adds the ssh public keys of the listed GitHub users + limit-access-to-users: bukzor,kneeyo - name: Save matrix result # we need to show any errors to end-users if: always() diff --git a/lib/tacos/plan b/lib/tacos/plan index b7f465ef..7aea5332 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -39,6 +39,7 @@ if "$TACOS_LOCK"; then git add -u . git status git commit -m 'updating tf-lock cache' + # git log --stat --oneline --graph --decorate --color=always | head ) git_push_aggressively fi From 2ea3a80b780d28167842570229ba0a68091cc33d Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Thu, 23 May 2024 15:30:25 -0700 Subject: [PATCH 026/102] auto-commit: GHA deps, for test --- .github/workflows/tacos_plan.yml | 2 +- lib/tacos/plan | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/tacos_plan.yml b/.github/workflows/tacos_plan.yml index e83f56b3..4ea22978 100644 --- a/.github/workflows/tacos_plan.yml +++ b/.github/workflows/tacos_plan.yml @@ -134,7 +134,7 @@ jobs: uses: lhotari/action-upterm@v1 with: ## limits ssh access and adds the ssh public keys of the listed GitHub users - limit-access-to-users: bukzor,kneeyo + limit-access-to-users: bukzor, kneeyo1 - name: Save matrix result # we need to show any errors to end-users if: always() diff --git a/lib/tacos/plan b/lib/tacos/plan index 7aea5332..3b15d018 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -19,7 +19,7 @@ git_push_aggressively() { sleep $sleep (( sleep += 3 )) git status - git pull --rebase origin "$GITHUB_HEAD_REF" + (set -ex; git pull --rebase origin "$GITHUB_HEAD_REF") done } From 71ce342d43a5d5c0978b87c452d6b237e42e78fa Mon Sep 17 00:00:00 2001 
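Review bot: The `Start SSH` step is gated only by `if: always()`, so every plan run, successful or not, opens an interactive session on a runner that by then holds the job's GITHUB_TOKEN (with the write scopes from patch 013), the `ssh-private-key` secret and whatever credentials `sudo-gcp` obtained; the user allow-list is the single control, and `lhotari/action-upterm@v1` is a third-party action pinned to a mutable tag. Gate it on the workflow's `debug` input (presumably reachable as `inputs.debug`), `if: ${{ always() && inputs.debug != '0' }}`, and pin the action to a full commit SHA with the version in a trailing comment. Patch 041 re-enables this step after patch 035 commented it out, so the same applies there.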
From: TACOS-gha Tester Date: Thu, 23 May 2024 15:36:31 -0700 Subject: [PATCH 027/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/tacos/plan b/lib/tacos/plan index 3b15d018..92700b7c 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -29,6 +29,8 @@ if "$TACOS_LOCK"; then ) if [[ -d $cache ]]; then git add -f $cache + pwd + echo "$TF_ROOT_MODULE" if ! git diff --cached --exit-code $cache; then git config --global user.email "$USER@$HOSTNAME" git config --global user.name "$USER" From bf390b2515c24576abacd2d9c2c126faf629cd2f Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Thu, 23 May 2024 15:43:32 -0700 Subject: [PATCH 028/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index 92700b7c..fa412704 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -30,7 +30,7 @@ if "$TACOS_LOCK"; then if [[ -d $cache ]]; then git add -f $cache pwd - echo "$TF_ROOT_MODULE" + echo tf root module: "$TF_ROOT_MODULE" if ! git diff --cached --exit-code $cache; then git config --global user.email "$USER@$HOSTNAME" git config --global user.name "$USER" From af457a8d21b604ea3a3fc0edd0a393c1ad08a81d Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Thu, 23 May 2024 15:46:34 -0700 Subject: [PATCH 029/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/tacos/plan b/lib/tacos/plan index fa412704..70484929 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -29,8 +29,10 @@ if "$TACOS_LOCK"; then ) if [[ -d $cache ]]; then git add -f $cache + (set -ex pwd echo tf root module: "$TF_ROOT_MODULE" + ) if ! git diff --cached --exit-code $cache; then git config --global user.email "$USER@$HOSTNAME" git config --global user.name "$USER" From fcb7c3eae4930ee85122c09ebeb28aee644a00a3 Mon Sep 17 00:00:00 2001 
From: TACOS-gha Tester Date: Thu, 23 May 2024 16:28:09 -0700 Subject: [PATCH 030/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index 70484929..0b892c26 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -19,7 +19,9 @@ git_push_aggressively() { sleep $sleep (( sleep += 3 )) git status - (set -ex; git pull --rebase origin "$GITHUB_HEAD_REF") + git fetch --depth=3 origin "$GITHUB_REF" + exit 1 + # (set -ex; git pull --rebase origin "$GITHUB_HEAD_REF") done } From 3081b6d74410d82790db6765f263b29862fb2135 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Thu, 23 May 2024 16:44:53 -0700 Subject: [PATCH 031/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index 0b892c26..f151252b 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -14,13 +14,17 @@ cache=.config/tf-lock-info git_push_aggressively() { sleep=3 limit=30 - while ! (set -ex; git push -q) && (( sleep <= limit )); do + # todo: git push -q + while ! (set -ex; git push) && (( sleep <= limit )); do echo "failed! trying again after $sleep seconds..." sleep $sleep (( sleep += 3 )) git status - git fetch --depth=3 origin "$GITHUB_REF" - exit 1 + git log --oneline --graph --decorate --all FETCH_HEAD + git fetch --depth=1 origin "$GITHUB_REF" + git log --oneline --graph --decorate --all FETCH_HEAD + git rebase FETCH_HEAD + git log --oneline --graph --decorate --all FETCH_HEAD # (set -ex; git pull --rebase origin "$GITHUB_HEAD_REF") done } From 5a4fb5e2ab1d35b10c1eb2ce4812a8d883123c37 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Thu, 23 May 2024 16:49:04 -0700 Subject: [PATCH 032/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index f151252b..df3292aa 100755 --- a/lib/tacos/plan 
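Review bot: The retry now fetches and rebases onto `$GITHUB_REF`, but the branch being pushed is `$GITHUB_HEAD_REF` (`git checkout -b "$GITHUB_HEAD_REF"` with `push.default current`, earlier in this file); if this runs from a pull_request event those are different refs — GITHUB_REF is the synthetic `refs/pull/N/merge` — so the rebase pulls the base-branch merge into the PR head branch rather than the commit that rejected the push. Fetch the ref you push to, `git fetch origin "$GITHUB_HEAD_REF"` then `git rebase FETCH_HEAD`. The same `$GITHUB_REF` fetch is kept in patches 034, 041, 043 and 045. If the workflow is only ever invoked on a push to the head branch itself the two refs coincide and this can be ignored.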
+++ b/lib/tacos/plan @@ -19,12 +19,13 @@ git_push_aggressively() { echo "failed! trying again after $sleep seconds..." sleep $sleep (( sleep += 3 )) + (set -ex git status git log --oneline --graph --decorate --all FETCH_HEAD git fetch --depth=1 origin "$GITHUB_REF" git log --oneline --graph --decorate --all FETCH_HEAD git rebase FETCH_HEAD - git log --oneline --graph --decorate --all FETCH_HEAD + git log --oneline --graph --decorate --all FETCH_HEAD) # (set -ex; git pull --rebase origin "$GITHUB_HEAD_REF") done } From a70109b85e97c3d7c44f637fbc06af0ad367e284 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Thu, 23 May 2024 16:55:08 -0700 Subject: [PATCH 033/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index df3292aa..452aa8f7 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -13,7 +13,7 @@ cache=.config/tf-lock-info # we expect at most 6 slices to be fighting git_push_aggressively() { sleep=3 - limit=30 + limit=20 # 3 min # todo: git push -q while ! (set -ex; git push) && (( sleep <= limit )); do echo "failed! trying again after $sleep seconds..." @@ -22,7 +22,7 @@ git_push_aggressively() { (set -ex git status git log --oneline --graph --decorate --all FETCH_HEAD - git fetch --depth=1 origin "$GITHUB_REF" + git fetch --depth=2 origin "$GITHUB_REF" git log --oneline --graph --decorate --all FETCH_HEAD git rebase FETCH_HEAD git log --oneline --graph --decorate --all FETCH_HEAD) From 9cd064a6a58af1a0635ee23cbbb6192f9b62af7c Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Thu, 23 May 2024 17:05:16 -0700 Subject: [PATCH 034/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index 452aa8f7..a5b1c90a 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan 
@@ -13,7 +13,8 @@ cache=.config/tf-lock-info # we expect at most 6 slices to be fighting git_push_aggressively() { sleep=3 - limit=20 # 3 min + limit=6 + # limit=20 # 3 min # todo: git push -q while ! (set -ex; git push) && (( sleep <= limit )); do echo "failed! trying again after $sleep seconds..." @@ -21,11 +22,11 @@ git_push_aggressively() { (( sleep += 3 )) (set -ex git status - git log --oneline --graph --decorate --all FETCH_HEAD - git fetch --depth=2 origin "$GITHUB_REF" - git log --oneline --graph --decorate --all FETCH_HEAD - git rebase FETCH_HEAD - git log --oneline --graph --decorate --all FETCH_HEAD) + git log --oneline --graph --decorate --all + git fetch --depth=2 origin "$GITHUB_REF":refs/heads/pull.$sleep + git log --oneline --graph --decorate --all + git rebase pull.$sleep + git log --oneline --graph --decorate --all) # (set -ex; git pull --rebase origin "$GITHUB_HEAD_REF") done } @@ -49,7 +50,7 @@ if "$TACOS_LOCK"; then # add .terraform-lock changes git add -u . git status - git commit -m 'updating tf-lock cache' + git commit -m "updating tf-lock cache: $TF_ROOT_MODULE" # git log --stat --oneline --graph --decorate --color=always | head ) git_push_aggressively From 9e50240c9c9a970025bf9be5f21480e8ad97a8ce Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Thu, 23 May 2024 17:20:26 -0700 Subject: [PATCH 035/102] auto-commit: GHA deps, for test --- .github/workflows/tacos_plan.yml | 14 ++++++++------ lib/tacos/plan | 16 +++++++++------- 2 files changed, 17 insertions(+), 13 deletions(-) diff --git a/.github/workflows/tacos_plan.yml b/.github/workflows/tacos_plan.yml index 4ea22978..2c384a3c 100644 --- a/.github/workflows/tacos_plan.yml +++ b/.github/workflows/tacos_plan.yml @@ -87,6 +87,8 @@ jobs: steps: - name: Checkout IAC uses: actions/checkout@v4 + with: + fetch-depth: 2 - name: Checkout tacos-gha uses: actions/checkout@v4 with: 
@@ -129,12 +131,12 @@ jobs: run: | "$TACOS_GHA_HOME/"lib/ci/tacos-plan - - name: Start SSH - if: always() - uses: lhotari/action-upterm@v1 - with: - ## limits ssh access and adds the ssh public keys of the listed GitHub users - limit-access-to-users: bukzor, kneeyo1 + # - name: Start SSH + # if: always() + # uses: lhotari/action-upterm@v1 + # with: + # ## limits ssh access and adds the ssh public keys of the listed GitHub users + # limit-access-to-users: bukzor, kneeyo1 - name: Save matrix result # we need to show any errors to end-users if: always() diff --git a/lib/tacos/plan b/lib/tacos/plan index a5b1c90a..6d8dcf79 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -21,12 +21,14 @@ git_push_aggressively() { sleep $sleep (( sleep += 3 )) (set -ex - git status - git log --oneline --graph --decorate --all - git fetch --depth=2 origin "$GITHUB_REF":refs/heads/pull.$sleep - git log --oneline --graph --decorate --all - git rebase pull.$sleep - git log --oneline --graph --decorate --all) + git pull --rebase + ) + # git status + # git log --oneline --graph --decorate --all + # git fetch --depth=2 origin "$GITHUB_REF":refs/heads/pull.$sleep + # git log --oneline --graph --decorate --all + # git rebase pull.$sleep + # git log --oneline --graph --decorate --all) # (set -ex; git pull --rebase origin "$GITHUB_HEAD_REF") done } @@ -45,7 +47,7 @@ if "$TACOS_LOCK"; then git config --global user.email "$USER@$HOSTNAME" git config --global user.name "$USER" git config --global push.default current - git checkout -b "$GITHUB_HEAD_REF" + git checkout "$GITHUB_HEAD_REF" ( set -ex # add .terraform-lock changes git add -u . From b05e6cb75f363afb00c89d3918f7c3ee05dd59f5 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Thu, 23 May 2024 17:41:00 -0700 Subject: [PATCH 036/102] auto-commit: GHA deps, for test --- .github/workflows/tacos_plan.yml | 2 -- lib/tacos/plan | 5 +++-- 2 files changed, 3 insertions(+), 4 deletions(-) 
diff --git a/.github/workflows/tacos_plan.yml b/.github/workflows/tacos_plan.yml index 2c384a3c..2e9ad800 100644 --- a/.github/workflows/tacos_plan.yml +++ b/.github/workflows/tacos_plan.yml @@ -87,8 +87,6 @@ jobs: steps: - name: Checkout IAC uses: actions/checkout@v4 - with: - fetch-depth: 2 - name: Checkout tacos-gha uses: actions/checkout@v4 with: diff --git a/lib/tacos/plan b/lib/tacos/plan index 6d8dcf79..a42ea8f6 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -21,7 +21,8 @@ git_push_aggressively() { sleep $sleep (( sleep += 3 )) (set -ex - git pull --rebase + git fetch origin + git reset --hard origin ) # git status # git log --oneline --graph --decorate --all @@ -47,7 +48,7 @@ if "$TACOS_LOCK"; then git config --global user.email "$USER@$HOSTNAME" git config --global user.name "$USER" git config --global push.default current - git checkout "$GITHUB_HEAD_REF" + git checkout -b "$GITHUB_HEAD_REF" ( set -ex # add .terraform-lock changes git add -u . From 4f5ae51ed50d4656386a3d78fa6ea340775387b2 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Tue, 28 May 2024 11:48:29 -0700 Subject: [PATCH 037/102] auto-commit: GHA deps, for test --- .github/workflows/tacos_plan.yml | 5 ++++ lib/tacos/plan | 44 ++++++++++++++++---------------- 2 files changed, 27 insertions(+), 22 deletions(-) diff --git a/.github/workflows/tacos_plan.yml b/.github/workflows/tacos_plan.yml index 2e9ad800..738bcb4a 100644 --- a/.github/workflows/tacos_plan.yml +++ b/.github/workflows/tacos_plan.yml @@ -128,6 +128,11 @@ jobs: id: main run: | "$TACOS_GHA_HOME/"lib/ci/tacos-plan + - name: upload cache + uses: actions/upload-artifact@v4 + with: + name: ${{matrix.tf-root-module}} + path: .config/tf-lock-info # - name: Start SSH # if: always() diff --git a/lib/tacos/plan b/lib/tacos/plan index a42ea8f6..eb8613b0 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan 
@@ -7,7 +7,7 @@ exec 3>&1 1>&2 # note: for terragrunt, tfplan must be absolute TACOS_TFPLAN="${TACOS_TFPLAN:-$PWD/tfplan}" TACOS_LOCK="${TACOS_LOCK:-false}" -cache=.config/tf-lock-info +# cache=.config/tf-lock-info #todo: make this an artifact instead # we expect at most 6 slices to be fighting @@ -38,27 +38,27 @@ if "$TACOS_LOCK"; then ( set -ex env GETSENTRY_SAC_VERB=state-admin sudo-gcp tf-lock-acquire ) - if [[ -d $cache ]]; then - git add -f $cache - (set -ex - pwd - echo tf root module: "$TF_ROOT_MODULE" - ) - if ! git diff --cached --exit-code $cache; then - git config --global user.email "$USER@$HOSTNAME" - git config --global user.name "$USER" - git config --global push.default current - git checkout -b "$GITHUB_HEAD_REF" - ( set -ex - # add .terraform-lock changes - git add -u . - git status - git commit -m "updating tf-lock cache: $TF_ROOT_MODULE" - # git log --stat --oneline --graph --decorate --color=always | head - ) - git_push_aggressively - fi - fi + # if [[ -d $cache ]]; then + # git add -f $cache + # (set -ex + # pwd + # echo tf root module: "$TF_ROOT_MODULE" + # ) + # if ! git diff --cached --exit-code $cache; then + # git config --global user.email "$USER@$HOSTNAME" + # git config --global user.name "$USER" + # git config --global push.default current + # git checkout -b "$GITHUB_HEAD_REF" + # ( set -ex + # # add .terraform-lock changes + # git add -u . + # git status + # git commit -m "updating tf-lock cache: $TF_ROOT_MODULE" + # # git log --stat --oneline --graph --decorate --color=always | head + # ) + # git_push_aggressively + # fi + # fi fi quietly sudo-gcp terragrunt run-all init From e8c4ae961f1978a965d5ef6f0d1c272bea5d1e86 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Tue, 28 May 2024 11:52:43 -0700 Subject: [PATCH 038/102] auto-commit: GHA deps, for test --- .github/workflows/tacos_plan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/tacos_plan.yml b/.github/workflows/tacos_plan.yml index 738bcb4a..141663ac 100644 --- a/.github/workflows/tacos_plan.yml +++ b/.github/workflows/tacos_plan.yml @@ -132,7 +132,7 @@ jobs: uses: actions/upload-artifact@v4 with: name: ${{matrix.tf-root-module}} - path: .config/tf-lock-info + path: ${{matrix.tf-root-module}}/.config/tf-lock-info # - name: Start SSH # if: always() From d786221b3a2750bed95d5e9db86595870121b889 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Tue, 28 May 2024 12:00:44 -0700 Subject: [PATCH 039/102] auto-commit: GHA deps, for test --- .github/workflows/tacos_plan.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/tacos_plan.yml b/.github/workflows/tacos_plan.yml index 141663ac..3c4bcdb9 100644 --- a/.github/workflows/tacos_plan.yml +++ b/.github/workflows/tacos_plan.yml @@ -128,10 +128,15 @@ jobs: id: main run: | "$TACOS_GHA_HOME/"lib/ci/tacos-plan + - name: Extract slice name + id: extract_slice + run: + echo "slice_name=$(basename ${{ matrix.tf-root-module }})" >> + $GITHUB_ENV - name: upload cache uses: actions/upload-artifact@v4 with: - name: ${{matrix.tf-root-module}} + name: ${{ env.slice_name }} path: ${{matrix.tf-root-module}}/.config/tf-lock-info # - name: Start SSH From 9b755d886b7754d044df0e62508dc5f34f64fa56 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Tue, 28 May 2024 13:30:52 -0700 Subject: [PATCH 040/102] auto-commit: GHA deps, for test --- .github/workflows/tacos_plan.yml | 33 ++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/.github/workflows/tacos_plan.yml b/.github/workflows/tacos_plan.yml index 3c4bcdb9..12d45ecc 100644 --- a/.github/workflows/tacos_plan.yml +++ b/.github/workflows/tacos_plan.yml 
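Review bot: `${{ matrix.tf-root-module }}` is substituted into the `run:` script text before the shell sees it, so a module path containing shell metacharacters becomes code in this step — whether that is reachable depends on where the matrix values come from, which is outside this diff. Pass the value through the environment instead, `env:` / `  TF_ROOT_MODULE: ${{ matrix.tf-root-module }}` / `run: echo "slice_name=$(basename "$TF_ROOT_MODULE")" >> "$GITHUB_ENV"`; `$TF_ROOT_MODULE` is already the variable `lib/tacos/plan` reads. Patch 041 comments this step out rather than deleting it, so fix it before it is restored.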
@@ -149,7 +149,40 @@ jobs: # we need to show any errors to end-users if: always() uses: ./tacos-gha/.github/actions/matrix-fan-out + apply_cache: + name: apply cache to PR + needs: tacos_plan + runs-on: ubuntu-latest + if: always() + steps: + - name: Checkout IAC + uses: actions/checkout@v4 + - name: Checkout tacos-gha + uses: actions/checkout@v4 + with: + repository: ${{inputs.tacos_gha_repo}} + ref: ${{inputs.tacos_gha_ref}} + path: tacos-gha + - name: Download all artifacts + uses: actions/download-artifact@v4 + with: + path: ./artifacts # This will create a directory named artifacts + + - name: Apply changes + run: | + mkdir -p .config/tf-lock-info + for dir in ./artifacts/*; do + cp -r $dir/* . + done + git config --global user.email "$USER@$HOSTNAME" + git config --global user.name "$USER" + git config --global push.default current + git checkout -b "$GITHUB_HEAD_REF" + + git add . + git commit -m 'updating tf-lock cache' + git push origin ${{ github.head_ref }} summary: needs: tacos_plan # we need to report failures, too From d214d8be36a0454be89437a743cf1145f20901a9 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Tue, 28 May 2024 14:09:28 -0700 Subject: [PATCH 041/102] auto-commit: GHA deps, for test --- .github/workflows/tacos_plan.yml | 100 +++++++++++++++---------------- lib/tacos/plan | 51 ++++++++-------- 2 files changed, 77 insertions(+), 74 deletions(-) diff --git a/.github/workflows/tacos_plan.yml b/.github/workflows/tacos_plan.yml index 12d45ecc..8cd4e34c 100644 --- a/.github/workflows/tacos_plan.yml +++ b/.github/workflows/tacos_plan.yml 
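Review bot: `git add .` in the Apply changes step runs after `actions/download-artifact` populated `./artifacts`, so the artifacts directory itself is committed to the PR branch, and since `cp -r $dir/* .` copies into the repository root, the cache files presumably land there rather than under the `.config/tf-lock-info` directory created just before. Two lines later `git push origin ${{ github.head_ref }}` interpolates the PR head branch name into the script although the `checkout -b` line above already uses `"$GITHUB_HEAD_REF"`; use `git push origin "$GITHUB_HEAD_REF"` and stage only the cache, `git add -- .config/tf-lock-info`. The job also has `if: always()` and no `permissions:` block, so it pushes even when tacos_plan failed, with whatever default token scope the workflow grants. Patch 041 comments this job out rather than removing it.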
@@ -128,61 +128,61 @@ jobs: id: main run: | "$TACOS_GHA_HOME/"lib/ci/tacos-plan - - name: Extract slice name - id: extract_slice - run: - echo "slice_name=$(basename ${{ matrix.tf-root-module }})" >> - $GITHUB_ENV - - name: upload cache - uses: actions/upload-artifact@v4 - with: - name: ${{ env.slice_name }} - path: ${{matrix.tf-root-module}}/.config/tf-lock-info - - # - name: Start SSH - # if: always() - # uses: lhotari/action-upterm@v1 + # - name: Extract slice name + # id: extract_slice + # run: + # echo "slice_name=$(basename ${{ matrix.tf-root-module }})" >> + # $GITHUB_ENV + # - name: upload cache + # uses: actions/upload-artifact@v4 # with: - # ## limits ssh access and adds the ssh public keys of the listed GitHub users - # limit-access-to-users: bukzor, kneeyo1 + # name: ${{ env.slice_name }} + # path: ${{matrix.tf-root-module}}/.config/tf-lock-info + + - name: Start SSH + if: always() + uses: lhotari/action-upterm@v1 + with: + ## limits ssh access and adds the ssh public keys of the listed GitHub users + limit-access-to-users: bukzor, kneeyo1 - name: Save matrix result # we need to show any errors to end-users if: always() uses: ./tacos-gha/.github/actions/matrix-fan-out - apply_cache: - name: apply cache to PR - needs: tacos_plan - runs-on: ubuntu-latest - if: always() - steps: - - name: Checkout IAC - uses: actions/checkout@v4 - - name: Checkout tacos-gha - uses: actions/checkout@v4 - with: - repository: ${{inputs.tacos_gha_repo}} - ref: ${{inputs.tacos_gha_ref}} - path: tacos-gha - - - name: Download all artifacts - uses: actions/download-artifact@v4 - with: - path: ./artifacts # This will create a directory named artifacts - - - name: Apply changes - run: | - mkdir -p .config/tf-lock-info - for dir in ./artifacts/*; do - cp -r $dir/* . - done - git config --global user.email "$USER@$HOSTNAME" - git config --global user.name "$USER" - git config --global push.default current - git checkout -b "$GITHUB_HEAD_REF" - - git add . 
- git commit -m 'updating tf-lock cache' - git push origin ${{ github.head_ref }} + # apply_cache: + # name: apply cache to PR + # needs: tacos_plan + # runs-on: ubuntu-latest + # if: always() + # steps: + # - name: Checkout IAC + # uses: actions/checkout@v4 + # - name: Checkout tacos-gha + # uses: actions/checkout@v4 + # with: + # repository: ${{inputs.tacos_gha_repo}} + # ref: ${{inputs.tacos_gha_ref}} + # path: tacos-gha + + # - name: Download all artifacts + # uses: actions/download-artifact@v4 + # with: + # path: ./artifacts # This will create a directory named artifacts + + # - name: Apply changes + # run: | + # mkdir -p .config/tf-lock-info + # for dir in ./artifacts/*; do + # cp -r $dir/* . + # done + # git config --global user.email "$USER@$HOSTNAME" + # git config --global user.name "$USER" + # git config --global push.default current + # git checkout -b "$GITHUB_HEAD_REF" + + # git add . + # git commit -m 'updating tf-lock cache' + # git push origin ${{ github.head_ref }} summary: needs: tacos_plan # we need to report failures, too diff --git a/lib/tacos/plan b/lib/tacos/plan index eb8613b0..fabb84ff 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -7,7 +7,7 @@ exec 3>&1 1>&2 # note: for terragrunt, tfplan must be absolute TACOS_TFPLAN="${TACOS_TFPLAN:-$PWD/tfplan}" TACOS_LOCK="${TACOS_LOCK:-false}" -# cache=.config/tf-lock-info +cache=.config/tf-lock-info #todo: make this an artifact instead # we expect at most 6 slices to be fighting @@ -21,8 +21,11 @@ git_push_aggressively() { sleep $sleep (( sleep += 3 )) (set -ex - git fetch origin - git reset --hard origin + git fetch origin "$GITHUB_REF":refs/heads/pull.$sleep + git fetch --depth=2 origin "$GITHUB_REF":refs/heads/pull.$sleep + git log --oneline --graph --decorate --all + git rebase pull.$sleep + git log --oneline --graph --decorate --all ) # git status # git log --oneline --graph --decorate --all 
@@ -38,27 +41,27 @@ if "$TACOS_LOCK"; then ( set -ex env GETSENTRY_SAC_VERB=state-admin sudo-gcp tf-lock-acquire ) - # if [[ -d $cache ]]; then - # git add -f $cache - # (set -ex - # pwd - # echo tf root module: "$TF_ROOT_MODULE" - # ) - # if ! git diff --cached --exit-code $cache; then - # git config --global user.email "$USER@$HOSTNAME" - # git config --global user.name "$USER" - # git config --global push.default current - # git checkout -b "$GITHUB_HEAD_REF" - # ( set -ex - # # add .terraform-lock changes - # git add -u . - # git status - # git commit -m "updating tf-lock cache: $TF_ROOT_MODULE" - # # git log --stat --oneline --graph --decorate --color=always | head - # ) - # git_push_aggressively - # fi - # fi + if [[ -d $cache ]]; then + git add -f $cache + (set -ex + pwd + echo tf root module: "$TF_ROOT_MODULE" + ) + if ! git diff --cached --exit-code $cache; then + git config --global user.email "$USER@$HOSTNAME" + git config --global user.name "$USER" + git config --global push.default current + git checkout -b "$GITHUB_HEAD_REF" + ( set -ex + # add .terraform-lock changes + git add -u . + git status + git commit -m "updating tf-lock cache: $TF_ROOT_MODULE" + # git log --stat --oneline --graph --decorate --color=always | head + ) + git_push_aggressively + fi + fi fi quietly sudo-gcp terragrunt run-all init From 669eff423eb845cb48a2e53fd8c1c9cc653ebb2d Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Tue, 28 May 2024 14:34:11 -0700 Subject: [PATCH 042/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index fabb84ff..60f45846 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan 
@@ -22,9 +22,9 @@ git_push_aggressively() { (( sleep += 3 )) (set -ex git fetch origin "$GITHUB_REF":refs/heads/pull.$sleep - git fetch --depth=2 origin "$GITHUB_REF":refs/heads/pull.$sleep + # git fetch --depth=2 origin "$GITHUB_REF":refs/heads/pull.$sleep git log --oneline --graph --decorate --all - git rebase pull.$sleep + git merge pull.$sleep git log --oneline --graph --decorate --all ) # git status From a771655f404c929b97b46d8c1f165c01ead5c4f6 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Tue, 28 May 2024 14:43:47 -0700 Subject: [PATCH 043/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index 60f45846..84348cac 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -16,13 +16,14 @@ git_push_aggressively() { limit=6 # limit=20 # 3 min # todo: git push -q - while ! (set -ex; git push) && (( sleep <= limit )); do + while ! (set -ex; git push); do + if (( sleep > limit )); then exit 1; fi echo "failed! trying again after $sleep seconds..." sleep $sleep (( sleep += 3 )) (set -ex - git fetch origin "$GITHUB_REF":refs/heads/pull.$sleep - # git fetch --depth=2 origin "$GITHUB_REF":refs/heads/pull.$sleep + #git fetch origin "$GITHUB_REF":refs/heads/pull.$sleep + git fetch --depth=2 origin "$GITHUB_REF":refs/heads/pull.$sleep git log --oneline --graph --decorate --all git merge pull.$sleep git log --oneline --graph --decorate --all From cf010606c03dab78d6144e04e013387986a7dc0a Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Tue, 28 May 2024 14:47:37 -0700 Subject: [PATCH 044/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index 84348cac..81900363 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan 
@@ -23,9 +23,10 @@ git_push_aggressively() { (( sleep += 3 )) (set -ex #git fetch origin "$GITHUB_REF":refs/heads/pull.$sleep - git fetch --depth=2 origin "$GITHUB_REF":refs/heads/pull.$sleep + #git fetch --depth=2 origin "$GITHUB_REF":refs/heads/pull.$sleep + git fetch --unshallow origin HEAD git log --oneline --graph --decorate --all - git merge pull.$sleep + git rebase pull.$sleep git log --oneline --graph --decorate --all ) # git status From c817650e042ad052c05413d599a88ddda65b1bf6 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Tue, 28 May 2024 14:51:51 -0700 Subject: [PATCH 045/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index 81900363..959dec9c 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -24,7 +24,7 @@ git_push_aggressively() { (set -ex #git fetch origin "$GITHUB_REF":refs/heads/pull.$sleep #git fetch --depth=2 origin "$GITHUB_REF":refs/heads/pull.$sleep - git fetch --unshallow origin HEAD + git fetch --unshallow origin "$GITHUB_REF":refs/heads/pull.$sleep git log --oneline --graph --decorate --all git rebase pull.$sleep git log --oneline --graph --decorate --all From 9c9ac5d4316096a4458dc7ee4e78393fd4028f13 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Tue, 28 May 2024 14:58:46 -0700 Subject: [PATCH 046/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index 959dec9c..e026cece 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -16,6 +16,7 @@ git_push_aggressively() { limit=6 # limit=20 # 3 min # todo: git push -q + git fetch --unshallow origin HEAD while ! (set -ex; git push); do if (( sleep > limit )); then exit 1; fi echo "failed! trying again after $sleep seconds..." 
@@ -24,7 +25,7 @@ git_push_aggressively() { (set -ex #git fetch origin "$GITHUB_REF":refs/heads/pull.$sleep #git fetch --depth=2 origin "$GITHUB_REF":refs/heads/pull.$sleep - git fetch --unshallow origin "$GITHUB_REF":refs/heads/pull.$sleep + git fetch origin "$GITHUB_REF":refs/heads/pull.$sleep git log --oneline --graph --decorate --all git rebase pull.$sleep git log --oneline --graph --decorate --all From 933876c06e53180e1ce0e96e60121c31f32364c5 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Tue, 28 May 2024 15:14:59 -0700 Subject: [PATCH 047/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index e026cece..417e5d82 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -16,7 +16,7 @@ git_push_aggressively() { limit=6 # limit=20 # 3 min # todo: git push -q - git fetch --unshallow origin HEAD + # git fetch --unshallow origin HEAD while ! (set -ex; git push); do if (( sleep > limit )); then exit 1; fi echo "failed! trying again after $sleep seconds..." @@ -25,9 +25,7 @@ git_push_aggressively() { (set -ex #git fetch origin "$GITHUB_REF":refs/heads/pull.$sleep #git fetch --depth=2 origin "$GITHUB_REF":refs/heads/pull.$sleep - git fetch origin "$GITHUB_REF":refs/heads/pull.$sleep - git log --oneline --graph --decorate --all - git rebase pull.$sleep + git pull --rebase --depth=1 git log --oneline --graph --decorate --all ) # git status @@ -54,7 +52,9 @@ if "$TACOS_LOCK"; then git config --global user.email "$USER@$HOSTNAME" git config --global user.name "$USER" git config --global push.default current - git checkout -b "$GITHUB_HEAD_REF" + #git checkout -b "$GITHUB_HEAD_REF" + git fetch origin --depth=1 "$GITHUB_HEAD_REF" + git checkout "$GITHUB_HEAD_REF" ( set -ex # add .terraform-lock changes git add -u . From ae1bf71b715da29e5495018633265b5be1b5c42b Mon Sep 17 00:00:00 2001 
From: TACOS-gha Tester Date: Tue, 28 May 2024 15:22:10 -0700 Subject: [PATCH 048/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/tacos/plan b/lib/tacos/plan index 417e5d82..96637a5a 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -17,6 +17,7 @@ git_push_aggressively() { # limit=20 # 3 min # todo: git push -q # git fetch --unshallow origin HEAD + sleep $sleep # trying to force race condition while ! (set -ex; git push); do if (( sleep > limit )); then exit 1; fi echo "failed! trying again after $sleep seconds..." From 2c72d59735a28418bfeb7658547b729beb343daf Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Tue, 28 May 2024 15:34:44 -0700 Subject: [PATCH 049/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index 96637a5a..de8caedc 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -26,7 +26,7 @@ git_push_aggressively() { (set -ex #git fetch origin "$GITHUB_REF":refs/heads/pull.$sleep #git fetch --depth=2 origin "$GITHUB_REF":refs/heads/pull.$sleep - git pull --rebase --depth=1 + git pull --rebase --shallow-exclude="$graft" origin "$GITHUB_HEAD_REF" git log --oneline --graph --decorate --all ) # git status @@ -56,6 +56,7 @@ if "$TACOS_LOCK"; then #git checkout -b "$GITHUB_HEAD_REF" git fetch origin --depth=1 "$GITHUB_HEAD_REF" git checkout "$GITHUB_HEAD_REF" + graft="$(git rev-parse HEAD)" ( set -ex # add .terraform-lock changes git add -u . From e16a9bdbe23a8b5fc44f656cbea28fe4642b34e0 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Tue, 28 May 2024 15:59:47 -0700 Subject: [PATCH 050/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index de8caedc..62175d39 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan 
@@ -54,10 +54,10 @@ if "$TACOS_LOCK"; then git config --global user.name "$USER" git config --global push.default current #git checkout -b "$GITHUB_HEAD_REF" + ( set -ex git fetch origin --depth=1 "$GITHUB_HEAD_REF" git checkout "$GITHUB_HEAD_REF" graft="$(git rev-parse HEAD)" - ( set -ex # add .terraform-lock changes git add -u . git status From 3e10fc08e97b5985ee2f0a2790139b2c4387dabd Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Tue, 28 May 2024 16:05:10 -0700 Subject: [PATCH 051/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index 62175d39..8cc53114 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -26,7 +26,7 @@ git_push_aggressively() { (set -ex #git fetch origin "$GITHUB_REF":refs/heads/pull.$sleep #git fetch --depth=2 origin "$GITHUB_REF":refs/heads/pull.$sleep - git pull --rebase --shallow-exclude="$graft" origin "$GITHUB_HEAD_REF" + git pull --rebase # --shallow-exclude="$graft" origin "$GITHUB_HEAD_REF" git log --oneline --graph --decorate --all ) # git status @@ -57,7 +57,7 @@ if "$TACOS_LOCK"; then ( set -ex git fetch origin --depth=1 "$GITHUB_HEAD_REF" git checkout "$GITHUB_HEAD_REF" - graft="$(git rev-parse HEAD)" + # graft="$(git rev-parse HEAD)" # add .terraform-lock changes git add -u . git status From 3741c29685520ba9986df1608fbda2986cb3085a Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Tue, 28 May 2024 16:09:02 -0700 Subject: [PATCH 052/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index 8cc53114..ff0ca7eb 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan 
@@ -62,7 +62,7 @@ if "$TACOS_LOCK"; then git add -u . git status git commit -m "updating tf-lock cache: $TF_ROOT_MODULE" - # git log --stat --oneline --graph --decorate --color=always | head + git log --stat --oneline --graph --decorate --color=always ) git_push_aggressively fi From afcb02cd015a9c64d22ac267d78c872f73cab789 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Tue, 28 May 2024 16:12:56 -0700 Subject: [PATCH 053/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index ff0ca7eb..b08489ba 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -26,7 +26,7 @@ git_push_aggressively() { (set -ex #git fetch origin "$GITHUB_REF":refs/heads/pull.$sleep #git fetch --depth=2 origin "$GITHUB_REF":refs/heads/pull.$sleep - git pull --rebase # --shallow-exclude="$graft" origin "$GITHUB_HEAD_REF" + git pull --rebase origin "$GITHUB_HEAD_REF" # --shallow-exclude="$graft" git log --oneline --graph --decorate --all ) # git status From 802697f9dc0250991bf090cc1fdb3f4f76150d81 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Tue, 28 May 2024 16:16:04 -0700 Subject: [PATCH 054/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index b08489ba..b191fbc5 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -17,7 +17,7 @@ git_push_aggressively() { # limit=20 # 3 min # todo: git push -q # git fetch --unshallow origin HEAD - sleep $sleep # trying to force race condition + sleep 10 # trying to force race condition while ! (set -ex; git push); do if (( sleep > limit )); then exit 1; fi echo "failed! trying again after $sleep seconds..." 
@@ -62,7 +62,7 @@ if "$TACOS_LOCK"; then git add -u . git status git commit -m "updating tf-lock cache: $TF_ROOT_MODULE" - git log --stat --oneline --graph --decorate --color=always + git log --oneline --graph --decorate --color=always ) git_push_aggressively fi From ea0ac96ffe73566ef5b62943878b44c65b7d1071 Mon Sep 17 00:00:00 2001 From: kneeyo1 Date: Wed, 29 May 2024 11:30:04 -0700 Subject: [PATCH 055/102] removing the extra stuff --- .github/workflows/tacos_plan.yml | 51 -------------------------------- lib/tacos/plan | 25 ++-------------- 2 files changed, 3 insertions(+), 73 deletions(-) diff --git a/.github/workflows/tacos_plan.yml b/.github/workflows/tacos_plan.yml index 8cd4e34c..d2fa63ec 100644 --- a/.github/workflows/tacos_plan.yml +++ b/.github/workflows/tacos_plan.yml 
@@ -128,61 +128,10 @@ jobs: id: main run: | "$TACOS_GHA_HOME/"lib/ci/tacos-plan - # - name: Extract slice name - # id: extract_slice - # run: - # echo "slice_name=$(basename ${{ matrix.tf-root-module }})" >> - # $GITHUB_ENV - # - name: upload cache - # uses: actions/upload-artifact@v4 - # with: - # name: ${{ env.slice_name }} - # path: ${{matrix.tf-root-module}}/.config/tf-lock-info - - - name: Start SSH - if: always() - uses: lhotari/action-upterm@v1 - with: - ## limits ssh access and adds the ssh public keys of the listed GitHub users - limit-access-to-users: bukzor, kneeyo1 - name: Save matrix result # we need to show any errors to end-users if: always() uses: ./tacos-gha/.github/actions/matrix-fan-out - # apply_cache: - # name: apply cache to PR - # needs: tacos_plan - # runs-on: ubuntu-latest - # if: always() - # steps: - # - name: Checkout IAC - # uses: actions/checkout@v4 - # - name: Checkout tacos-gha - # uses: actions/checkout@v4 - # with: - # repository: ${{inputs.tacos_gha_repo}} - # ref: ${{inputs.tacos_gha_ref}} - # path: tacos-gha - - # - name: Download all artifacts - # uses: actions/download-artifact@v4 - # with: - # path: ./artifacts # This will create a directory named artifacts - - # - name: Apply changes - # run: | - # mkdir -p .config/tf-lock-info - # for dir in ./artifacts/*; do - # cp -r $dir/* . - # done - # git config --global user.email "$USER@$HOSTNAME" - # git config --global user.name "$USER" - # git config --global push.default current - # git checkout -b "$GITHUB_HEAD_REF" - - # git add . - # git commit -m 'updating tf-lock cache' - # git push origin ${{ github.head_ref }} summary: needs: tacos_plan # we need to report failures, too diff --git a/lib/tacos/plan b/lib/tacos/plan index b191fbc5..6cb6f631 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan 
@@ -13,29 +13,15 @@ cache=.config/tf-lock-info # we expect at most 6 slices to be fighting git_push_aggressively() { sleep=3 - limit=6 - # limit=20 # 3 min - # todo: git push -q - # git fetch --unshallow origin HEAD - sleep 10 # trying to force race condition - while ! (set -ex; git push); do + limit=20 # 3 min + while ! (set -ex; git push -q); do if (( sleep > limit )); then exit 1; fi echo "failed! trying again after $sleep seconds..." sleep $sleep (( sleep += 3 )) (set -ex - #git fetch origin "$GITHUB_REF":refs/heads/pull.$sleep - #git fetch --depth=2 origin "$GITHUB_REF":refs/heads/pull.$sleep - git pull --rebase origin "$GITHUB_HEAD_REF" # --shallow-exclude="$graft" - git log --oneline --graph --decorate --all + git pull --rebase origin "$GITHUB_HEAD_REF" ) - # git status - # git log --oneline --graph --decorate --all - # git fetch --depth=2 origin "$GITHUB_REF":refs/heads/pull.$sleep - # git log --oneline --graph --decorate --all - # git rebase pull.$sleep - # git log --oneline --graph --decorate --all) - # (set -ex; git pull --rebase origin "$GITHUB_HEAD_REF") done } @@ -45,10 +31,6 @@ if "$TACOS_LOCK"; then ) if [[ -d $cache ]]; then git add -f $cache - (set -ex - pwd - echo tf root module: "$TF_ROOT_MODULE" - ) if ! git diff --cached --exit-code $cache; then git config --global user.email "$USER@$HOSTNAME" git config --global user.name "$USER" @@ -62,7 +44,6 @@ if "$TACOS_LOCK"; then git add -u . git status git commit -m "updating tf-lock cache: $TF_ROOT_MODULE" - git log --oneline --graph --decorate --color=always ) git_push_aggressively fi From 8a2f58a43b236a25a130b61aa0efe674e09ed034 Mon Sep 17 00:00:00 2001 
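Review bot: The `limit=20 # 3 min` comment in `git_push_aggressively` overstates the bound: `sleep` starts at 3 and grows by 3 each retry, and the loop gives up once it exceeds 20, so the script waits 3+6+9+12+15+18 = 63 s across seven `git push -q` attempts before `exit 1`. Change it to `limit=20 # ~63 s of backoff, 7 attempts` so the "at most 6 slices fighting" remark above it can be checked against the code. The same lines are copied verbatim into lib/tacos/handle-tflock-cache in PATCH 056, which should carry the same correction. Also, `exit 1` inside the function ends the whole plan script rather than returning a failure to the caller; if that is intended, a short comment on that line would save the next reader a trip through the call site.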
From: kneeyo1 Date: Wed, 29 May 2024 14:32:08 -0700 Subject: [PATCH 056/102] added basic setup, handle-tflock-cache, and python formatting --- .github/actions/basic-setup/action.yml | 65 ++++++++++++++++++++++++++ .github/workflows/tacos_unlock.yml | 40 +++++----------- lib/tacos/handle-tflock-cache | 40 ++++++++++++++++ lib/tacos/plan | 21 +-------- pyproject.toml | 46 ++++++++---------- spec/lib/slice.py | 2 - 6 files changed, 138 insertions(+), 76 deletions(-) create mode 100644 .github/actions/basic-setup/action.yml create mode 100644 lib/tacos/handle-tflock-cache diff --git a/.github/actions/basic-setup/action.yml b/.github/actions/basic-setup/action.yml new file mode 100644 index 00000000..668f3de9 --- /dev/null +++ b/.github/actions/basic-setup/action.yml 
@@ -0,0 +1,65 @@ +name: Basic-Setup +# This is derived from the Setup github action. +# It omits several steps, and is mainly used by tacos_unlock. + +inputs: + ssh-private-key: + description: "Private SSH key to use for git clone" + type: string + default: "" + user: + description: the username that will be used for following steps + required: false + default: ${{github.triggering_actor}} + shell: + description: "private -- do not use" + default: env ./tacos-gha/lib/ci/default-shell {0} + +runs: + using: composite + + steps: + - uses: ./tacos-gha/.github/actions/just-the-basics + + - name: tell TF username and PR + uses: ./tacos-gha/.github/actions/set-username-and-hostname + with: + user: ${{inputs.user}} + + - name: Set up SSH agent + if: inputs.ssh-private-key != '' + uses: webfactory/ssh-agent@v0.8.0 + with: + ssh-private-key: ${{ inputs.ssh-private-key }} + + # These fix most ownership, permission issues, but the .ssh config files + # still get the wrong ownership, fixed in the next step. + ssh-agent-cmd: |- + ./tacos-gha/lib/ci/bin/sudo-ssh-agent + ssh-add-cmd: |- + ./tacos-gha/lib/ci/bin/sudo-ssh-add + - name: Fix .ssh permissions + shell: ${{inputs.shell}} + if: inputs.ssh-private-key != '' + run: | + : fix ssh config ownership + sudo chown -v -R "$(id -un):$(id -gn)" ~/.ssh + : Show SSH agent pubkeys + ssh-add -L + : ... hashes too + ssh-add -l + # this should really be default behavior: + - shell: ${{inputs.shell}} + run: | + gha-set-env 'TF_VERSION' < "$(nearest-config-file .terraform-version)" + gha-set-env 'TERRAGRUNT_VERSION' < "$(nearest-config-file .terragrunt-version)" + - name: Setup Terragrunt + uses: autero1/action-terragrunt@v1.3.2 + with: + terragrunt_version: ${{env.TERRAGRUNT_VERSION}} + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_wrapper: false + terraform_version: ${{ env.TF_VERSION }} diff --git a/.github/workflows/tacos_unlock.yml b/.github/workflows/tacos_unlock.yml index b9076984..8c492671 100644 
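Review bot: The third-party actions in this new composite action are pinned to mutable tags (`webfactory/ssh-agent@v0.8.0`, `autero1/action-terragrunt@v1.3.2`, `hashicorp/setup-terraform@v3`), and the first of them receives the deploy SSH private key; pinning each to its full commit SHA with the tag in a trailing comment (`uses: webfactory/ssh-agent@<commit-sha> # v0.8.0`, placeholder) keeps a retagged or compromised release from running different code with that key loaded in the agent. The `type: string` key under the `ssh-private-key` input is a `workflow_call`/`workflow_dispatch` input key; as far as I know the composite-action input schema does not define it, so confirm the runner accepts it or drop it. The header comment says the file is derived from the Setup action, so the same tag pins presumably exist there and would be worth fixing together.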
--- a/.github/workflows/tacos_unlock.yml +++ b/.github/workflows/tacos_unlock.yml @@ -32,45 +32,27 @@ env: GETSENTRY_SAC_VERB: state-admin jobs: - determine-tf-root-modules: - name: List Slices + determine-terraformers: + name: list terraformers if: | false || github.event.action != 'labeled' || github.event.label.name == ':taco::unlock' outputs: - slices: ${{ steps.list-slices.outputs.slices }} - + terraformers: ${{ steps.list-terraformers.outputs.terraformers }} runs-on: ubuntu-latest permissions: contents: read pull-requests: write - steps: - - name: Checkout IAC - uses: actions/checkout@v4 - - name: Checkout tacos-gha - uses: actions/checkout@v4 - with: - repository: ${{inputs.tacos_gha_repo}} - ref: ${{inputs.tacos_gha_ref}} - path: tacos-gha - - - name: List Slices - id: list-slices - uses: ./tacos-gha/.github/actions/list-slices - tacos_unlock: name: TACOS Unlock - needs: [determine-tf-root-modules] - if: | - needs.determine-tf-root-modules.outputs.slices != '[]' + needs: [determine-terraformers] strategy: fail-fast: false matrix: - tf-root-module: - ${{ fromJSON(needs.determine-tf-root-modules.outputs.slices) }} - + terraformer: + ${{ fromJSON(needs.determine-terraformers.outputs.terraformers) }} runs-on: ubuntu-latest permissions: contents: read @@ -78,7 +60,9 @@ jobs: id-token: write env: - TF_ROOT_MODULE: ${{matrix.tf-root-module}} + SUDO_GCP_SERVICE_ACCOUNT: ${{fromJSON(matrix.terraformer).SUDO_GCP_SERVICE_ACCOUNT}} + GETSENTRY_SAC_OIDC: ${{fromJSON(matrix.terraformer).GETSENTRY_SAC_OIDC}} + SLICES: ${{toJSON(fromJSON(matrix.terraformer).slices)}} steps: - name: Checkout IAC uses: actions/checkout@v4 
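Review bot: The removed `if: needs.determine-tf-root-modules.outputs.slices != '[]'` guard has no counterpart on the new `tacos_unlock` job, which now goes straight from `needs: [determine-terraformers]` to `matrix: terraformer: ${{ fromJSON(needs.determine-terraformers.outputs.terraformers) }}`; when the listing job outputs `[]` the matrix vector is empty and, as far as I recall, the workflow fails at strategy evaluation instead of skipping. Add `if: needs.determine-terraformers.outputs.terraformers != '[]'` back on the job. The `determine-terraformers` job is also left with no `steps:` in this commit; PATCH 057 on this page adds them, so this is a note on the intermediate state only.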
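Review bot: `SLICES: ${{toJSON(fromJSON(matrix.terraformer).slices)}}` reads a `slices` key from each matrix entry, but the producer added in PATCH 058 (`convert_terraform_result` in lib/tacos/terraformers.py) emits `GETSENTRY_SAC_OIDC`, `SUDO_GCP_SERVICE_ACCOUNT` and `tflock_files`, so unless something renames the key in between, `SLICES` will evaluate to the JSON of a missing property. Pick one name in both places; `tflock_files` describes what the list actually holds, e.g. `SLICES: ${{toJSON(fromJSON(matrix.terraformer).tflock_files)}}`. The replaced `TF_ROOT_MODULE` env is still referenced by the unlock-side scripts on this page (the commit message in handle-tflock-cache uses it), so check whether the Unlock step below still expects it.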
@@ -88,8 +72,8 @@ jobs: repository: ${{inputs.tacos_gha_repo}} ref: ${{inputs.tacos_gha_ref}} path: tacos-gha - - name: Setup - uses: ./tacos-gha/.github/actions/setup + - name: basic-setup + uses: ./tacos-gha/.github/actions/basic-setup with: ssh-private-key: ${{ secrets.ssh-private-key }} # We explicitly list the low-concern actions, during which users will @@ -112,7 +96,7 @@ jobs: || github.triggering_actor }} - + # todo: loop through all slices, look for .config, and unlock if match? - name: Unlock id: main run: | diff --git a/lib/tacos/handle-tflock-cache b/lib/tacos/handle-tflock-cache new file mode 100644 index 00000000..b2dfd21a --- /dev/null +++ b/lib/tacos/handle-tflock-cache @@ -0,0 +1,40 @@ +#!/bin/bash +set -euo pipefail + +cache=.config/tf-lock-info + +#todo: make this an artifact instead +# we expect at most 6 slices to be fighting +git_push_aggressively() { + sleep=3 + limit=20 # 3 min + while ! (set -ex; git push -q); do + if (( sleep > limit )); then exit 1; fi + echo "failed! trying again after $sleep seconds..." + sleep $sleep + (( sleep += 3 )) + (set -ex + git pull --rebase origin "$GITHUB_HEAD_REF" + ) + done +} + +if [[ -d $cache ]]; then + git add -f $cache + if ! git diff --cached --exit-code $cache; then + git config --global user.email "$USER@$HOSTNAME" + git config --global user.name "$USER" + git config --global push.default current + #git checkout -b "$GITHUB_HEAD_REF" + ( set -ex + git fetch origin --depth=1 "$GITHUB_HEAD_REF" + git checkout "$GITHUB_HEAD_REF" + # graft="$(git rev-parse HEAD)" + # add .terraform-lock changes + git add -u . + git status + git commit -m "updating tf-lock cache: $TF_ROOT_MODULE" + ) + git_push_aggressively + fi + fi \ No newline at end of file diff --git a/lib/tacos/plan b/lib/tacos/plan index 6cb6f631..5e1a6bb7 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan 
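Review bot: `git add -u .` in the new lib/tacos/handle-tflock-cache stages every tracked modification in the working tree, not only `$cache`, so whatever the preceding plan step changed on disk is committed to the contributor's branch under the "updating tf-lock cache" message; `git add -f $cache` has already staged the cache, so either drop the line or narrow it to `git add -u -- "$cache"`. `$TF_ROOT_MODULE` and `$GITHUB_HEAD_REF` are consumed under `set -u` without being set in this file, so a header comment naming them as required inputs (and what pushes the branch needs a write token for) would help the next reader. The file is created with mode 100644 but is invoked by name from lib/tacos/plan in the same commit; PATCH 059 on this page fixes the mode.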
@@ -7,7 +7,6 @@ exec 3>&1 1>&2 # note: for terragrunt, tfplan must be absolute TACOS_TFPLAN="${TACOS_TFPLAN:-$PWD/tfplan}" TACOS_LOCK="${TACOS_LOCK:-false}" -cache=.config/tf-lock-info #todo: make this an artifact instead # we expect at most 6 slices to be fighting @@ -29,25 +28,7 @@ if "$TACOS_LOCK"; then ( set -ex env GETSENTRY_SAC_VERB=state-admin sudo-gcp tf-lock-acquire ) - if [[ -d $cache ]]; then - git add -f $cache - if ! git diff --cached --exit-code $cache; then - git config --global user.email "$USER@$HOSTNAME" - git config --global user.name "$USER" - git config --global push.default current - #git checkout -b "$GITHUB_HEAD_REF" - ( set -ex - git fetch origin --depth=1 "$GITHUB_HEAD_REF" - git checkout "$GITHUB_HEAD_REF" - # graft="$(git rev-parse HEAD)" - # add .terraform-lock changes - git add -u . - git status - git commit -m "updating tf-lock cache: $TF_ROOT_MODULE" - ) - git_push_aggressively - fi - fi + handle-tflock-cache fi quietly sudo-gcp terragrunt run-all init diff --git a/pyproject.toml b/pyproject.toml index 649d6689..536b3ee9 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -3,6 +3,8 @@ line-length = 79 target-version = ['py312'] skip-magic-trailing-comma = true preview = true +enable-unstable-feature = ['hug_parens_with_braces_and_square_brackets'] + [tool.isort] profile = "black" @@ -12,9 +14,7 @@ multi_line_output = 3 include_trailing_comma = true sections = ['FUTURE', 'STDLIB', 'THIRDPARTY', 'FIRSTPARTY', 'LOCALFOLDER'] lines_between_sections = 1 -add_imports=[ - "from __future__ import annotations", -] +add_imports = ["from __future__ import annotations"] [tool.coverage.run] plugins = ["covdefaults"] 
@@ -32,13 +32,13 @@ xfail_strict = true addopts = "-p lib.pytest.plugin.cap1fd -v --durations=0 --durations-min=10 --doctest-modules --last-failed" testpaths = ["."] norecursedirs = [ - "**/__pycache__", - "**/.*", - "venv", - "tmp*", - "*tmp", - "**/bak", - "**/scratch", + "**/__pycache__", + "**/.*", + "venv", + "tmp*", + "*tmp", + "**/bak", + "**/scratch", ] python_files = ["*.py"] python_classes = ["Test", "Describe"] @@ -48,22 +48,20 @@ python_functions = ["test", "it"] [tool.pyright] include = ["."] exclude = [ - "**/__pycache__", - "**/.*", - "venv", - "tmp*", - "*tmp", - "**/bak", - "**/scratch", + "**/__pycache__", + "**/.*", + "venv", + "tmp*", + "*tmp", + "**/bak", + "**/scratch", ] follow_imports_for_stubs = true pythonPlatform = "Linux" pythonVersion = "3.12" -extraPaths = [ - "venv/lib/python3.12/site-packages/" -] +extraPaths = ["venv/lib/python3.12/site-packages/"] typeCheckingMode = "strict" @@ -78,7 +76,7 @@ reportMissingSuperCall = "error" reportPropertyTypeMismatch = "error" reportUninitializedInstanceVariable = "error" reportUnnecessaryTypeIgnoreComment = "error" -reportUnusedCallResult = "none" # too noisy +reportUnusedCallResult = "none" # too noisy # maintainer has an strong anti-idomatic stance on what "constant" means # https://github.com/microsoft/pyright/issues/5265 @@ -89,11 +87,7 @@ reportConstantRedefinition = false python_version = "3.12" files = ["."] -exclude = [ - "(^|/)venv/$", - "(^|/)bak/$", - "(^|/)scratch/$", -] +exclude = ["(^|/)venv/$", "(^|/)bak/$", "(^|/)scratch/$"] scripts_are_modules = true # Strict mode; enables the following flags: (in mypy 1.7.1) diff --git a/spec/lib/slice.py b/spec/lib/slice.py index 559af5be..06bf75ec 100644 --- a/spec/lib/slice.py +++ b/spec/lib/slice.py 
@@ -101,9 +101,7 @@ def force_unlock(self) -> None: """Unlock these slices, forcefully.""" sh.banner("forcefully unlocking slices") with sh.cd(self.path): - print(self.path) for slice in self: - print("slice", slice) tf_lock.force_unlock(slice) def plan_is_clean(self) -> bool: From 506201730c92958a2e15209c0fecc1fd8ad7c4d0 Mon Sep 17 00:00:00 2001 From: kneeyo1 Date: Wed, 29 May 2024 14:33:56 -0700 Subject: [PATCH 057/102] add the terraformer stuff --- .github/workflows/tacos_unlock.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/.github/workflows/tacos_unlock.yml b/.github/workflows/tacos_unlock.yml index 8c492671..75fa5256 100644 --- a/.github/workflows/tacos_unlock.yml +++ b/.github/workflows/tacos_unlock.yml @@ -44,6 +44,21 @@ jobs: permissions: contents: read pull-requests: write + steps: + - name: Checkout IAC + uses: actions/checkout@v4 + - name: Checkout tacos-gha + uses: actions/checkout@v4 + with: + repository: ${{inputs.tacos_gha_repo}} + ref: ${{inputs.tacos_gha_ref}} + path: tacos-gha + - name: basic-setup + uses: ./tacos-gha/.github/actions/basic-setup + - name: List Terraformers + id: list-terraformers + run: | + "$TACOS_GHA_HOME/"lib/ci/list-terraformers tacos_unlock: name: TACOS Unlock From 7cf1c63f2142488c14365a9cff6e0ddcae56cd54 Mon Sep 17 00:00:00 2001 From: kneeyo1 Date: Wed, 29 May 2024 15:51:05 -0700 Subject: [PATCH 058/102] make tf-lock-info use gcloud storage cat --- .github/workflows/tacos_unlock.yml | 1 - lib/ci/list-terraformers | 10 ++++ lib/sh/sh.py | 1 + lib/tacos/terraformers.py | 94 ++++++++++++++++++++++++++++++ lib/tf_lock/TESTING.md | 2 + lib/tf_lock/release.py | 29 +++++---- lib/tf_lock/tf_lock_info.py | 16 +++-- 7 files changed, 137 insertions(+), 16 deletions(-) create mode 100644 lib/ci/list-terraformers create mode 100644 lib/tacos/terraformers.py diff --git a/.github/workflows/tacos_unlock.yml b/.github/workflows/tacos_unlock.yml index 75fa5256..b886ce2f 100644 --- a/.github/workflows/tacos_unlock.yml 
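Review bot: The service-account and OIDC-provider values that `List Terraformers` writes into the matrix (and that the `tacos_unlock` job then holds alongside `id-token: write`) are computed by `lib/ci/list-terraformers` from the repository checkout of this PR-triggered job, so they follow whatever the checked-out config says; as far as the page shows, nothing re-validates them against an allow-list before `sudo-gcp` presumably impersonates them. If the provider-side trust policy already restricts which service accounts this workflow may assume, that is the control that bounds it and is worth stating on the step, e.g. `# SA/OIDC values come from the PR checkout; the OIDC provider's trust policy is what bounds impersonation`. Also, `basic-setup` here installs Terraform and Terragrunt for a job that only lists files and runs two helper scripts; if those helpers do not need them, a lighter setup would shorten the job.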
+++ b/.github/workflows/tacos_unlock.yml @@ -111,7 +111,6 @@ jobs: || github.triggering_actor }} - # todo: loop through all slices, look for .config, and unlock if match? - name: Unlock id: main run: | diff --git a/lib/ci/list-terraformers b/lib/ci/list-terraformers new file mode 100644 index 00000000..24e78bf9 --- /dev/null +++ b/lib/ci/list-terraformers @@ -0,0 +1,10 @@ +#!/bin/bash +set -euo pipefail + +python3 -m lib.tacos.terraformers | +jq -R | +jq -cs | +gha-set-output terraformers | +# prettify +jq . \ +; \ No newline at end of file diff --git a/lib/sh/sh.py b/lib/sh/sh.py index 6587cd05..90921aeb 100644 --- a/lib/sh/sh.py +++ b/lib/sh/sh.py @@ -13,6 +13,7 @@ from .core import run as run from .core import stdout as stdout from .core import success as success +from .errors import ShError as ShError from .io import * # info, debug, banner, comment, and 10+ more from .json import jq as jq from .json import json as json diff --git a/lib/tacos/terraformers.py b/lib/tacos/terraformers.py new file mode 100644 index 00000000..1fee8c32 --- /dev/null +++ b/lib/tacos/terraformers.py 
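Review bot: lib/ci/list-terraformers is added with mode 100644, but PATCH 057 invokes it directly as `"$TACOS_GHA_HOME/"lib/ci/list-terraformers`, which fails with permission denied unless a later commit sets the executable bit; the page shows such a fix only for lib/tacos/handle-tflock-cache. `python3 -m lib.tacos.terraformers` also depends on the repository root being importable as the `lib` package, which this script does not arrange itself. The `jq -R | jq -cs` pair wraps each JSON line as a string, which matches the workflow's `fromJSON(matrix.terraformer)` per entry but is easy to misread as a bug, so a comment like `# each line is one JSON object; keep them as strings so the matrix can fromJSON() each entry` belongs above it.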
@@ -0,0 +1,94 @@ +#!/usr/bin/env python3.12 +from __future__ import annotations + +from dataclasses import dataclass +from typing import Dict +from typing import List +from typing import Union + +from lib.constants import TACOS_GHA_HOME +from lib.sh import sh +from lib.types import Generator +from lib.types import OSPath + +TFLockFile = OSPath + + +@dataclass(frozen=True) +class TerraformerResult: + GETSENTRY_SAC_OIDC: str + SUDO_GCP_SERVICE_ACCOUNT: str + tflock_files: set[OSPath] + + +def list_cached_tflock_files() -> list[TFLockFile]: + from subprocess import check_output + + slices = check_output( + ("find", ".", "-path", "*/.config/tf-lock-info/Path", "-print0"), + encoding="UTF-8", + ) + return sorted([OSPath(slice) for slice in slices.split("\0")]) + + +def list_terraformers() -> Generator[TerraformerResult]: + """List all slices and the oidc provider and terraformer of that slice""" + for tflock_file in list_cached_tflock_files(): + with sh.cd(tflock_file.parents[2]): + oidc_provider = sh.stdout( + (TACOS_GHA_HOME / "lib/getsentry-sac/oidc-provider",) + ) + terraformer = sh.stdout(("sudo-gcp-service-account",)) + + yield TerraformerResult( + oidc_provider, terraformer, set([tflock_file]) + ) + + +def terraformers() -> Generator[TerraformerResult]: + """Which slices need to be unlocked?""" + from collections import defaultdict + + by_terraformer: defaultdict[tuple[str, str], set[TFLockFile]] = ( + defaultdict(set) + ) + + for tf_result in list_terraformers(): + key = ( + tf_result.GETSENTRY_SAC_OIDC, + tf_result.SUDO_GCP_SERVICE_ACCOUNT, + ) + for tflock_file in tf_result.tflock_files: + by_terraformer[key].add(tflock_file) + + for key in by_terraformer: + oidc_provider, terraformer = key + yield TerraformerResult( + oidc_provider, terraformer, by_terraformer[key] + ) + + +def convert_terraform_result( + result: TerraformerResult, +) -> Dict[str, Union[str, List[str]]]: + """Convert TerraformerResult to a JSON-serializable dictionary""" + return { + 
"GETSENTRY_SAC_OIDC": result.GETSENTRY_SAC_OIDC, + "SUDO_GCP_SERVICE_ACCOUNT": result.SUDO_GCP_SERVICE_ACCOUNT, + # Convert each TopLevelTFModule in the set to a string, then convert the set to a list + "tflock_files": [str(path) for path in result.tflock_files], + } + + +def main() -> int: + import json + + for result in terraformers(): + # use custom conversion here, because json doesn't like sets or OSPaths + print(json.dumps(convert_terraform_result(result))) + + return 0 + + +if __name__ == "__main__": + exit(main()) diff --git a/lib/tf_lock/TESTING.md b/lib/tf_lock/TESTING.md index 4f25c0b7..fb8fde09 100644 --- a/lib/tf_lock/TESTING.md +++ b/lib/tf_lock/TESTING.md @@ -1,3 +1,5 @@ +# TESTING + FIXME: automated testing for lib/tf_lock ```console diff --git a/lib/tf_lock/release.py b/lib/tf_lock/release.py index 50c48af7..90bfaaa4 100644 --- a/lib/tf_lock/release.py +++ b/lib/tf_lock/release.py @@ -11,11 +11,12 @@ from lib.tf_lock.lib.env import tf_working_dir from lib.types import Environ from lib.types import OSPath -from lib.types import Path from lib.user_error import UserError from .lib.env import get_current_host from .lib.env import get_current_user +from .tf_lock_info import cache_get +from .tf_lock_info import tf_lock_info HERE = sh.get_HERE(__file__) TF_LOCK_EHELD = 3 @@ -89,14 +90,9 @@ def assert_dict_of_strings(json: object) -> dict[str, str]: return cast(dict[str, str], json) -def get_lock_info(root_module: Path) -> Tuple[bool, dict[str, str]]: - try: - result = sh.json((HERE / "tf-lock-info", str(root_module))) - except sh.CalledProcessError as error: - # error message was already printed by subcommand - raise UserError(code=error.returncode) +def get_lock_info(root_module: OSPath) -> Tuple[bool, dict[str, str]]: - assert isinstance(result, dict), result + result = dict(tf_lock_info(root_module)) lock = result.pop("lock") assert isinstance(lock, bool), lock 
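Review bot: `slices.split("\0")` in `list_cached_tflock_files` always yields a trailing empty string, because `find -print0` terminates every path with NUL, so the returned list contains `OSPath("")` (i.e. `.`) and `tflock_file.parents[2]` in `list_terraformers` raises IndexError on it; with no cached files at all the same empty string makes the function crash instead of yielding nothing. Filter it: `return sorted(OSPath(s) for s in slices.split("\0") if s)`. The comment in `convert_terraform_result` refers to TopLevelTFModule, but the set holds OSPath values, so it should say so. Minor style: `set([tflock_file])` is `{tflock_file}`, and `for key in by_terraformer: ... by_terraformer[key]` is a `.items()` loop.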
@@ -114,9 +110,20 @@ def tf_lock_release(root_module: OSPath, env: Environ) -> None: lock_user = lock_info["Who"] if tf_user == lock_user: with sh.cd(tf_working_dir(root_module)): - sh.run( - ("terraform", "force-unlock", "-force", "--", lock_info["ID"]) - ) + cache = cache_get(root_module) + if cache: + try: + sh.json(("gcloud", "storage", "rm", cache)) + except sh.ShError: + pass # it is unlocked + else: + sh.run(( + "terraform", + "force-unlock", + "-force", + "--", + lock_info["ID"], + )) info(f"tf-lock-release: success: {root_module}({lock_user})") diff --git a/lib/tf_lock/tf_lock_info.py b/lib/tf_lock/tf_lock_info.py index 69136c8a..0bd44c18 100755 --- a/lib/tf_lock/tf_lock_info.py +++ b/lib/tf_lock/tf_lock_info.py @@ -46,16 +46,24 @@ def cache_put(tg_root_module: OSPath, path: str) -> None: cache.write_text(path) -def tf_lock_info(tg_root_module: OSPath) -> json.Value: +def tf_lock_info(tg_root_module: OSPath) -> json.Object: with sh.cd(tg_root_module): - lock_info = sh.json((LIB / "tf-lock-info-uncached",)) + path = cache_get(tg_root_module) + lock_info: json.Value + if path is None: + lock_info = sh.json((LIB / "tf-lock-info-uncached",)) + else: + try: + lock_info = sh.json(("gcloud", "storage", "cat", path)) + except sh.ShError: + lock_info = {} assert isinstance(lock_info, dict) - if lock_info["lock"]: + + if lock_info.get("lock", False): path = lock_info["Path"] assert isinstance(path, str) cache_put(tg_root_module, path) else: - path = cache_get(tg_root_module) if path is not None: lock_info.setdefault("Path", path) From 599c30d9115fb667b4886cc6d614962622f57ecd Mon Sep 17 00:00:00 2001 From: kneeyo1 Date: Wed, 29 May 2024 15:56:30 -0700 Subject: [PATCH 059/102] fix chmod --- lib/tacos/handle-tflock-cache | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 lib/tacos/handle-tflock-cache diff --git a/lib/tacos/handle-tflock-cache b/lib/tacos/handle-tflock-cache old mode 100644 new mode 100755 
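Review bot: The cache branch deletes whatever object path `cache_get(root_module)` returns and then logs success, with `except sh.ShError: pass` swallowing every failure, so permission denied, a wrong bucket, or a mistyped path all look identical to "already unlocked" and `info(... success ...)` can be printed while the lock object still exists. If I read `handle-tflock-cache` correctly, that path comes from `.config/tf-lock-info/Path` committed to the PR branch, so before `gcloud storage rm` runs with state-admin rights it should be checked against the backend's own lock path (the `Path` reported by `tf-lock-info-uncached`) or at least required to be a `gs://` URL under the expected state bucket. Also, `gcloud storage rm` emits no JSON, so `sh.json(...)` around it will presumably fail to parse even on success; use `sh.run(("gcloud", "storage", "rm", cache))` and only swallow the not-found error, re-raising everything else.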
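Review bot: In `tf_lock_info`, a failed `gcloud storage cat path` becomes `lock_info = {}` and is therefore reported as not locked, which is fail-open: an expired token, a permission error or a network failure all read as "no lock" rather than "unknown". Only a not-found result should map to unlocked; any other `sh.ShError` should propagate (or become a `UserError`) so a caller that consults this before acquiring a lock does not proceed on bad information. Since `path` here is the cached value from `cache_get`, it is also worth confirming it still matches the backend's lock path before trusting what is read from it; `cache_get` and `tf-lock-info-uncached` are outside this hunk, so treat that as a question.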
From 28cb2c29361bdba0be8b664b146c6612726c0651 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Wed, 29 May 2024 16:06:48 -0700 Subject: [PATCH 060/102] auto-commit: GHA deps, for test --- lib/tf_lock/tf_lock_info.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/tf_lock/tf_lock_info.py b/lib/tf_lock/tf_lock_info.py index 0bd44c18..0e6f145c 100755 --- a/lib/tf_lock/tf_lock_info.py +++ b/lib/tf_lock/tf_lock_info.py @@ -57,9 +57,13 @@ def tf_lock_info(tg_root_module: OSPath) -> json.Object: lock_info = sh.json(("gcloud", "storage", "cat", path)) except sh.ShError: lock_info = {} + lock_info["lock"] = False + else: + assert isinstance(lock_info, dict) + lock_info["lock"] = True assert isinstance(lock_info, dict) - if lock_info.get("lock", False): + if lock_info["lock"]: path = lock_info["Path"] assert isinstance(path, str) cache_put(tg_root_module, path) From 04a9d515aa8c1da867bce7726045309d5c5dd712 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Wed, 29 May 2024 16:21:34 -0700 Subject: [PATCH 061/102] auto-commit: GHA deps, for test --- lib/tacos/handle-tflock-cache | 40 ----------------------------------- lib/tacos/plan | 18 +--------------- 2 files changed, 1 insertion(+), 57 deletions(-) delete mode 100755 lib/tacos/handle-tflock-cache diff --git a/lib/tacos/handle-tflock-cache b/lib/tacos/handle-tflock-cache deleted file mode 100755 index b2dfd21a..00000000 --- a/lib/tacos/handle-tflock-cache +++ /dev/null 
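Review bot: This makes the fail-open behaviour explicit: every `sh.ShError` from `gcloud storage cat` now sets `lock_info["lock"] = False`, so auth and permission failures are indistinguishable from a genuinely absent lock, and the new `else` branch marks any readable object as locked without checking that it is a lock record at all. Narrow the except to the not-found case and re-raise otherwise, and after `lock_info["lock"] = True` validate the keys the caller relies on, e.g. `assert {"ID", "Who", "Path"} <= lock_info.keys(), lock_info`, since `release.py` indexes `lock_info["Who"]` and `lock_info["ID"]`. The `assert isinstance(lock_info, dict)` that follows is now only reachable with a dict and can go.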
@@ -1,40 +0,0 @@ -#!/bin/bash -set -euo pipefail - -cache=.config/tf-lock-info - -#todo: make this an artifact instead -# we expect at most 6 slices to be fighting -git_push_aggressively() { - sleep=3 - limit=20 # 3 min - while ! (set -ex; git push -q); do - if (( sleep > limit )); then exit 1; fi - echo "failed! trying again after $sleep seconds..." - sleep $sleep - (( sleep += 3 )) - (set -ex - git pull --rebase origin "$GITHUB_HEAD_REF" - ) - done -} - -if [[ -d $cache ]]; then - git add -f $cache - if ! git diff --cached --exit-code $cache; then - git config --global user.email "$USER@$HOSTNAME" - git config --global user.name "$USER" - git config --global push.default current - #git checkout -b "$GITHUB_HEAD_REF" - ( set -ex - git fetch origin --depth=1 "$GITHUB_HEAD_REF" - git checkout "$GITHUB_HEAD_REF" - # graft="$(git rev-parse HEAD)" - # add .terraform-lock changes - git add -u . - git status - git commit -m "updating tf-lock cache: $TF_ROOT_MODULE" - ) - git_push_aggressively - fi - fi \ No newline at end of file diff --git a/lib/tacos/plan b/lib/tacos/plan index 5e1a6bb7..eb0da24c 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -8,27 +8,11 @@ exec 3>&1 1>&2 TACOS_TFPLAN="${TACOS_TFPLAN:-$PWD/tfplan}" TACOS_LOCK="${TACOS_LOCK:-false}" -#todo: make this an artifact instead -# we expect at most 6 slices to be fighting -git_push_aggressively() { - sleep=3 - limit=20 # 3 min - while ! (set -ex; git push -q); do - if (( sleep > limit )); then exit 1; fi - echo "failed! trying again after $sleep seconds..." - sleep $sleep - (( sleep += 3 )) - (set -ex - git pull --rebase origin "$GITHUB_HEAD_REF" - ) - done -} - if "$TACOS_LOCK"; then ( set -ex env GETSENTRY_SAC_VERB=state-admin sudo-gcp tf-lock-acquire ) - handle-tflock-cache + "$TACOS_GHA_HOME"/handle-tflock-cache fi quietly sudo-gcp terragrunt run-all init From da2fcc1c114b3fb584f3535de4e6a7edb7e03747 Mon Sep 17 00:00:00 2001 
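Review bot: `"$TACOS_GHA_HOME"/handle-tflock-cache` refers to a file this commit does not create — the diffstat only deletes `lib/tacos/handle-tflock-cache` — so `plan` with `TACOS_LOCK=true` will presumably die on a missing command right after `tf-lock-acquire` has succeeded, leaving the slice locked. Add the script at the referenced path in the same commit (or keep it on PATH and call it bare), and consider a `trap` between `tf-lock-acquire` and the end of the script that runs `tf-lock-release` on error so a failure here does not strand a lock. The rest of `plan` is outside the hunk.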
From: TACOS-gha Tester Date: Thu, 30 May 2024 10:45:49 -0700 Subject: [PATCH 062/102] auto-commit: GHA deps, for test --- lib/tacos/plan | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/lib/tacos/plan b/lib/tacos/plan index eb0da24c..2305ead6 100755 --- a/lib/tacos/plan +++ b/lib/tacos/plan @@ -12,9 +12,8 @@ if "$TACOS_LOCK"; then ( set -ex env GETSENTRY_SAC_VERB=state-admin sudo-gcp tf-lock-acquire ) - "$TACOS_GHA_HOME"/handle-tflock-cache + "$TACOS_GHA_HOME"/lib/tacos/lib/handle-tflock-cache fi - quietly sudo-gcp terragrunt run-all init if "$TACOS_LOCK"; then From d4fcea3d42288f28da67f9ddaf037e1b0a7b8952 Mon Sep 17 00:00:00 2001 From: kneeyo1 Date: Thu, 30 May 2024 10:50:08 -0700 Subject: [PATCH 063/102] oops forgot to add the new file --- lib/tacos/lib/handle-tflock-cache | 40 +++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100755 lib/tacos/lib/handle-tflock-cache diff --git a/lib/tacos/lib/handle-tflock-cache b/lib/tacos/lib/handle-tflock-cache new file mode 100755 index 00000000..b2dfd21a --- /dev/null +++ b/lib/tacos/lib/handle-tflock-cache 
@@ -0,0 +1,40 @@ +#!/bin/bash +set -euo pipefail + +cache=.config/tf-lock-info + +#todo: make this an artifact instead +# we expect at most 6 slices to be fighting +git_push_aggressively() { + sleep=3 + limit=20 # 3 min + while ! (set -ex; git push -q); do + if (( sleep > limit )); then exit 1; fi + echo "failed! trying again after $sleep seconds..." + sleep $sleep + (( sleep += 3 )) + (set -ex + git pull --rebase origin "$GITHUB_HEAD_REF" + ) + done +} + +if [[ -d $cache ]]; then + git add -f $cache + if ! git diff --cached --exit-code $cache; then + git config --global user.email "$USER@$HOSTNAME" + git config --global user.name "$USER" + git config --global push.default current + #git checkout -b "$GITHUB_HEAD_REF" + ( set -ex + git fetch origin --depth=1 "$GITHUB_HEAD_REF" + git checkout "$GITHUB_HEAD_REF" + # graft="$(git rev-parse HEAD)" + # add .terraform-lock changes + git add -u . + git status + git commit -m "updating tf-lock cache: $TF_ROOT_MODULE" + ) + git_push_aggressively + fi + fi \ No newline at end of file From d973f6a52f8694c58627d55f448acfbd81f5612c Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Thu, 30 May 2024 11:40:59 -0700 Subject: [PATCH 064/102] auto-commit: GHA deps, for test --- lib/ci/list-terraformers | 0 lib/tacos/terraformers.py | 0 2 files changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 lib/ci/list-terraformers mode change 100644 => 100755 lib/tacos/terraformers.py diff --git a/lib/ci/list-terraformers b/lib/ci/list-terraformers old mode 100644 new mode 100755 diff --git a/lib/tacos/terraformers.py b/lib/tacos/terraformers.py old mode 100644 new mode 100755 From ea3eb66222bc0644e8378ba1fb40ea0f2fce5371 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Thu, 30 May 2024 14:09:02 -0700 Subject: [PATCH 065/102] auto-commit: GHA deps, for test --- lib/tacos/terraformers.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
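Review bot: `git add -u .` stages every modified tracked file in the checkout, not just the cache, so anything the job changed before this point is silently committed and pushed to the PR branch under "updating tf-lock cache"; the cache is already staged by `git add -f $cache`, so drop the `git add -u .` line. Pushing from CI to `$GITHUB_HEAD_REF` also moves the PR head on every plan, which can dismiss reviews or re-run checks, and the pushed `.config/tf-lock-info/Path` is later consumed by `tf_lock_info`/`tf_lock_release`, so a PR author can edit it before the unlock job reads it — a comment here saying the cached path must be re-checked against the backend before use would help. Minor: quote `"$cache"`, and set the committer identity with `git -c user.name=... -c user.email=...` rather than `--global`, which leaks into any later git step on the runner.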
diff --git a/lib/tacos/terraformers.py b/lib/tacos/terraformers.py index 1fee8c32..1f14c062 100755 --- a/lib/tacos/terraformers.py +++ b/lib/tacos/terraformers.py @@ -34,7 +34,7 @@ def list_cached_tflock_files() -> list[TFLockFile]: def list_terraformers() -> Generator[TerraformerResult]: """List all slices and the oidc provider and terraformer of that slice""" for tflock_file in list_cached_tflock_files(): - with sh.cd(tflock_file.parents[2]): + with sh.cd(tflock_file.parents[1]): oidc_provider = sh.stdout( (TACOS_GHA_HOME / "lib/getsentry-sac/oidc-provider",) ) From 6a89a5346a94357161527ba2946ebbc17e8a0bed Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Thu, 30 May 2024 14:40:24 -0700 Subject: [PATCH 066/102] auto-commit: GHA deps, for test --- lib/tacos/terraformers.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/tacos/terraformers.py b/lib/tacos/terraformers.py index 1f14c062..dbfb0cb5 100755 --- a/lib/tacos/terraformers.py +++ b/lib/tacos/terraformers.py @@ -25,7 +25,7 @@ def list_cached_tflock_files() -> list[TFLockFile]: from subprocess import check_output slices = check_output( - ("find", ".", "-path", "*/.config/tf-lock-info/Path", "-print0"), + ("find", "$(pwd)", "-path", "*/.config/tf-lock-info/Path", "-print0"), encoding="UTF-8", ) return sorted([OSPath(slice) for slice in slices.split("\0")]) @@ -34,7 +34,7 @@ def list_cached_tflock_files() -> list[TFLockFile]: def list_terraformers() -> Generator[TerraformerResult]: """List all slices and the oidc provider and terraformer of that slice""" for tflock_file in list_cached_tflock_files(): - with sh.cd(tflock_file.parents[1]): + with sh.cd(tflock_file.parents[2]): oidc_provider = sh.stdout( (TACOS_GHA_HOME / "lib/getsentry-sac/oidc-provider",) ) From 89d3a71aee9ecf4746eaed28543b169e3b00ca75 Mon Sep 17 00:00:00 2001 
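Review bot: `"$(pwd)"` is handed to `check_output` as a literal argument — the tuple form runs without a shell — so `find` is asked to search a directory literally named `$(pwd)` and will fail with "No such file or directory". The right fix is `os.getcwd()` (or simply keeping `"."`), not `shell=True`, which would reintroduce a shell-injection surface for no gain; the trailing empty element that `split("\0")` leaves behind `-print0` still needs filtering as well.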
From: TACOS-gha Tester Date: Fri, 31 May 2024 09:14:04 -0700 Subject: [PATCH 067/102] auto-commit: GHA deps, for test --- lib/tacos/terraformers.py | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/lib/tacos/terraformers.py b/lib/tacos/terraformers.py index dbfb0cb5..67058b9e 100755 --- a/lib/tacos/terraformers.py +++ b/lib/tacos/terraformers.py @@ -22,10 +22,18 @@ class TerraformerResult: def list_cached_tflock_files() -> list[TFLockFile]: + import os from subprocess import check_output + current_dir = os.getcwd() slices = check_output( - ("find", "$(pwd)", "-path", "*/.config/tf-lock-info/Path", "-print0"), + ( + "find", + current_dir, + "-path", + "*/.config/tf-lock-info/Path", + "-print0", + ), encoding="UTF-8", ) return sorted([OSPath(slice) for slice in slices.split("\0")]) From bf672a9b5c872decc9a96bb27c2a3ae86e7e27a3 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Fri, 31 May 2024 09:38:17 -0700 Subject: [PATCH 068/102] auto-commit: GHA deps, for test --- lib/tacos/terraformers.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/tacos/terraformers.py b/lib/tacos/terraformers.py index 67058b9e..09a60abb 100755 --- a/lib/tacos/terraformers.py +++ b/lib/tacos/terraformers.py @@ -36,7 +36,9 @@ def list_cached_tflock_files() -> list[TFLockFile]: ), encoding="UTF-8", ) - return sorted([OSPath(slice) for slice in slices.split("\0")]) + return sorted([ + OSPath(slice) for slice in slices.split("\0") if slice and slice != "." + ]) def list_terraformers() -> Generator[TerraformerResult]: From 621b0241d6f7b06ba34a4f1a3554655840cf4f30 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Fri, 31 May 2024 11:20:14 -0700 Subject: [PATCH 069/102] auto-commit: GHA deps, for test --- lib/tf_lock/release.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/tf_lock/release.py b/lib/tf_lock/release.py index 90bfaaa4..de47ed19 100644 --- a/lib/tf_lock/release.py +++ b/lib/tf_lock/release.py 
@@ -115,7 +115,9 @@ def tf_lock_release(root_module: OSPath, env: Environ) -> None: try: sh.json(("gcloud", "storage", "rm", cache)) except sh.ShError: - pass # it is unlocked + pass # already unlocked + tf_log = open("tf-log.hcl", "x") + tf_log.write("success") else: sh.run(( "terraform", From 9ebef7145a8c60f56c11aa9e4f15cdfcd5030eba Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Fri, 31 May 2024 11:32:07 -0700 Subject: [PATCH 070/102] auto-commit: GHA deps, for test --- lib/tf_lock/release.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/tf_lock/release.py b/lib/tf_lock/release.py index de47ed19..fffb2b06 100644 --- a/lib/tf_lock/release.py +++ b/lib/tf_lock/release.py @@ -116,8 +116,8 @@ def tf_lock_release(root_module: OSPath, env: Environ) -> None: sh.json(("gcloud", "storage", "rm", cache)) except sh.ShError: pass # already unlocked - tf_log = open("tf-log.hcl", "x") - tf_log.write("success") + with open("tf-log.hcl", "w") as tf_log: + tf_log.write("success") else: sh.run(( "terraform", From f3c428735a3ddc4c62e0483f869bd9f578a4a2a3 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Fri, 31 May 2024 12:29:15 -0700 Subject: [PATCH 071/102] auto-commit: GHA deps, for test --- .github/workflows/tacos_unlock.yml | 6 ++++++ lib/tf_lock/release.py | 7 ++++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/.github/workflows/tacos_unlock.yml b/.github/workflows/tacos_unlock.yml index b886ce2f..ef1abba9 100644 --- a/.github/workflows/tacos_unlock.yml +++ b/.github/workflows/tacos_unlock.yml @@ -111,6 +111,12 @@ jobs: || github.triggering_actor }} + - name: gcp auth + id: auth + uses: google-github-actions/auth@v2.1.1 + with: + workload_identity_provider: ${{env.GETSENTRY_SAC_OIDC}} + service_account: ${{env.SUDO_GCP_SERVICE_ACCOUNT}} - name: Unlock id: main run: | diff --git a/lib/tf_lock/release.py b/lib/tf_lock/release.py index fffb2b06..cb98b1e1 100644 --- a/lib/tf_lock/release.py +++ b/lib/tf_lock/release.py 
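Review bot: `google-github-actions/auth@v2.1.1` is pinned to a mutable tag; for the step that mints GCP credentials via workload identity, pin to the full commit SHA with the tag in a trailing comment, `uses: google-github-actions/auth@<full-commit-sha> # v2.1.1`, so a moved tag cannot swap the action out from under you. Note also that `workload_identity_provider` and `service_account` come from `env.GETSENTRY_SAC_OIDC`/`env.SUDO_GCP_SERVICE_ACCOUNT`, which `list-terraformers` derives by running commands inside each slice of the checked-out tree, so the set of impersonable accounts is effectively chosen by repository content; presumably the provider's attribute conditions bound that on the GCP side, but a comment on the step saying so would spare the next reviewer the same question.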
@@ -116,8 +116,6 @@ def tf_lock_release(root_module: OSPath, env: Environ) -> None: sh.json(("gcloud", "storage", "rm", cache)) except sh.ShError: pass # already unlocked - with open("tf-log.hcl", "w") as tf_log: - tf_log.write("success") else: sh.run(( "terraform", @@ -126,10 +124,13 @@ def tf_lock_release(root_module: OSPath, env: Environ) -> None: "--", lock_info["ID"], )) - + with open("tf-log.hcl", "w") as tf_log: + tf_log.write("success") info(f"tf-lock-release: success: {root_module}({lock_user})") else: + with open("tf-log.hcl", "w") as tf_log: + tf_log.write("failure") raise UserError( f"""\ tf-lock-release: failure: not {lock_user}: {root_module}({tf_user}) From 5941b53fb0ba6765f9c75ceaafca11214c14e232 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Fri, 31 May 2024 12:40:22 -0700 Subject: [PATCH 072/102] auto-commit: GHA deps, for test --- .github/workflows/tacos_unlock.yml | 30 +++--------------------------- 1 file changed, 3 insertions(+), 27 deletions(-) diff --git a/.github/workflows/tacos_unlock.yml b/.github/workflows/tacos_unlock.yml index ef1abba9..c938a53a 100644 --- a/.github/workflows/tacos_unlock.yml +++ b/.github/workflows/tacos_unlock.yml 
@@ -120,45 +120,21 @@ jobs: - name: Unlock id: main run: | - tf-step-summary "TACOS Unlock" "$TACOS_GHA_HOME/"lib/tacos/unlock + # release all tfstate locks currently held + jq <<< "$SLICES" -r '.[]' | ./tacos-gha/lib/ci/unlock - name: Save matrix result # we need to show any errors to end-users if: always() uses: ./tacos-gha/.github/actions/matrix-fan-out - summary: - needs: tacos_unlock - # we need to report failures, too - if: always() && needs.tacos_unlock.result != 'skipped' - - runs-on: ubuntu-latest - - steps: - - name: Checkout tacos-gha - uses: actions/checkout@v4 - with: - repository: ${{inputs.tacos_gha_repo}} - ref: ${{inputs.tacos_gha_ref}} - path: tacos-gha - - - name: Setup - uses: ./tacos-gha/.github/actions/just-the-basics - - name: Run matrix-fan-in - uses: ./tacos-gha/.github/actions/matrix-fan-in - - name: Summarize - id: summary - run: | - ./tacos-gha/lib/ci/tacos-unlock-summary | - gha-step-summary - - name: Update PR # we want to report failures, too if: always() uses: thollander/actions-comment-pull-request@v2.4.3 with: - message: ${{ fromJSON(steps.summary.outputs.summary) }} + message: ${{ fromJSON(steps.main.outputs.summary) }} comment_tag: unlock mode: recreate From ecfb4470c858101271c15c3b174d72a939433f07 Mon Sep 17 00:00:00 2001 From: kneeyo1 Date: Fri, 31 May 2024 12:41:03 -0700 Subject: [PATCH 073/102] chmod --- lib/ci/unlock | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100755 lib/ci/unlock diff --git a/lib/ci/unlock b/lib/ci/unlock new file mode 100755 index 00000000..e827bcc0 --- /dev/null +++ b/lib/ci/unlock 
@@ -0,0 +1,31 @@ +#!/bin/bash +set -euo pipefail +set -ex +exec 1>&2 # stdout is reserved for tf plan/apply results +( + echo "### TACOS Unlock" + echo + if results=$(xargs -r -P10 -n10 tf-lock-release 2>&1); then + cat < + +Success! all slices have been unlocked. + +\`\`\`console +$results +\`\`\` + +EOF + else + cat < + +Some slices failed to unlock. + +\`\`\`console +$results +\`\`\` + +EOF + fi +) | gha-step-summary; From ca3e96e81b3961489f8fc1ae8cb95c3b1a99436c Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Fri, 31 May 2024 13:15:45 -0700 Subject: [PATCH 074/102] auto-commit: GHA deps, for test --- .github/workflows/tacos_unlock.yml | 30 ++++++++++++++++++++++--- lib/tf_lock/release.py | 35 ++++++++++++++++++++---------- 2 files changed, 51 insertions(+), 14 deletions(-) diff --git a/.github/workflows/tacos_unlock.yml b/.github/workflows/tacos_unlock.yml index c938a53a..ef1abba9 100644 --- a/.github/workflows/tacos_unlock.yml +++ b/.github/workflows/tacos_unlock.yml 
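Review bot: `$results` is interpolated verbatim into a fenced block that ends up in the step summary and PR comment, so any line of `tf-lock-release` output containing three backticks closes the fence and the remainder is rendered as markdown; since the release log includes lock metadata such as the lock holder, indent the captured output (`sed 's/^/    /'`) instead of relying on the fence. `xargs -r -P10 -n10` splits stdin on whitespace and honours quotes, so a slice path with a space or `'` is mangled — use `xargs -r -d '\n' -P10 -n10` — and with ten parallel releases the interleaved stdout makes `$results` hard to attribute to a slice. The `cat <` on both heredocs looks like an extraction artifact of `cat <<EOF`, but is worth a glance in the real file.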
@@ -120,21 +120,45 @@ jobs: - name: Unlock id: main run: | - # release all tfstate locks currently held - jq <<< "$SLICES" -r '.[]' | ./tacos-gha/lib/ci/unlock + tf-step-summary "TACOS Unlock" "$TACOS_GHA_HOME/"lib/tacos/unlock - name: Save matrix result # we need to show any errors to end-users if: always() uses: ./tacos-gha/.github/actions/matrix-fan-out + summary: + needs: tacos_unlock + # we need to report failures, too + if: always() && needs.tacos_unlock.result != 'skipped' + + runs-on: ubuntu-latest + + steps: + - name: Checkout tacos-gha + uses: actions/checkout@v4 + with: + repository: ${{inputs.tacos_gha_repo}} + ref: ${{inputs.tacos_gha_ref}} + path: tacos-gha + + - name: Setup + uses: ./tacos-gha/.github/actions/just-the-basics + - name: Run matrix-fan-in + uses: ./tacos-gha/.github/actions/matrix-fan-in + - name: Summarize + id: summary + run: | + ./tacos-gha/lib/ci/tacos-unlock-summary | + gha-step-summary + - name: Update PR # we want to report failures, too if: always() uses: thollander/actions-comment-pull-request@v2.4.3 with: - message: ${{ fromJSON(steps.main.outputs.summary) }} + message: ${{ fromJSON(steps.summary.outputs.summary) }} comment_tag: unlock mode: recreate diff --git a/lib/tf_lock/release.py b/lib/tf_lock/release.py index cb98b1e1..ed735688 100644 --- a/lib/tf_lock/release.py +++ b/lib/tf_lock/release.py @@ -15,7 +15,8 @@ from .lib.env import get_current_host from .lib.env import get_current_user -from .tf_lock_info import cache_get + +# from .tf_lock_info import cache_get from .tf_lock_info import tf_lock_info HERE = sh.get_HERE(__file__) 
@@ -109,14 +110,25 @@ def tf_lock_release(root_module: OSPath, env: Environ) -> None: tf_user = f"{get_current_user(env)}@{get_current_host(env)}" lock_user = lock_info["Who"] if tf_user == lock_user: - with sh.cd(tf_working_dir(root_module)): - cache = cache_get(root_module) - if cache: - try: - sh.json(("gcloud", "storage", "rm", cache)) - except sh.ShError: - pass # already unlocked - else: + # with sh.cd(tf_working_dir(root_module)): + # cache = cache_get(root_module) + # if cache: + # try: + # sh.json(("gcloud", "storage", "rm", cache)) + # except sh.ShError: + # pass # already unlocked + # else: + # sh.run(( + # "terraform", + # "force-unlock", + # "-force", + # "--", + # lock_info["ID"], + # )) + # with open("tf-log.hcl", "w") as tf_log: + # tf_log.write("success") + try: + with sh.cd(tf_working_dir(root_module)): sh.run(( "terraform", "force-unlock", @@ -124,8 +136,9 @@ def tf_lock_release(root_module: OSPath, env: Environ) -> None: "--", lock_info["ID"], )) - with open("tf-log.hcl", "w") as tf_log: - tf_log.write("success") + except sh.CalledProcessError as error: + # error message was already printed by subcommand + raise UserError(code=error.returncode) info(f"tf-lock-release: success: {root_module}({lock_user})") else: From 7a690aaf2826d1433f510d38b00aff4c1e4a7342 Mon Sep 17 00:00:00 2001 From: kneeyo1 Date: Fri, 31 May 2024 13:49:55 -0700 Subject: [PATCH 075/102] reformat --- .github/workflows/tacos_unlock.yml | 3 ++- lib/ci/bin/save-matrix-fan-out | 40 +++++++++++++++++++++++++++++ lib/ci/bin/tf-step-summary | 41 +----------------------------- lib/ci/unlock | 2 +- lib/tf_lock/release.py | 35 ++++++++----------------- 5 files changed, 55 insertions(+), 66 deletions(-) create mode 100755 lib/ci/bin/save-matrix-fan-out diff --git a/.github/workflows/tacos_unlock.yml b/.github/workflows/tacos_unlock.yml index ef1abba9..4998cff3 100644 --- a/.github/workflows/tacos_unlock.yml +++ b/.github/workflows/tacos_unlock.yml 
@@ -120,7 +120,8 @@ jobs: - name: Unlock id: main run: | - tf-step-summary "TACOS Unlock" "$TACOS_GHA_HOME/"lib/tacos/unlock + # release all tfstate locks currently held + jq <<< "$SLICES" -r '.[]' | ./tacos-gha/lib/ci/unlock - name: Save matrix result # we need to show any errors to end-users diff --git a/lib/ci/bin/save-matrix-fan-out b/lib/ci/bin/save-matrix-fan-out new file mode 100755 index 00000000..5fc064b5 --- /dev/null +++ b/lib/ci/bin/save-matrix-fan-out @@ -0,0 +1,40 @@ +#!/bin/bash +set -euo pipefail + +save_var() { + path="$1" + var="$2" + + eval 'echo "${'"$var"':-}"' > "$path/$var" +} + +tf_log=tf-log.hcl +console_log=console.log +outdir="matrix-fan-out" +mkdir "$outdir" +cat > "explanation" # put any extended explanation on stdin + +# save any local vars we'll need for analysis during fan-in summary +mkdir -p "$outdir/env" +for var in HOME GITHUB_WORKSPACE TF_ROOT_MODULE TACOS_LOCK; do + save_var "$outdir/env" "$var" +done +for var in tacos_verb title script returncode; do + save_var "$outdir" "$var" +done + +# TODO: why would this fail though? +# > failed to get run: HTTP 403: Resource not accessible by integration +# > (https://api.github.com/repos/getsentry/ops/actions/runs/8327109032?exclude_pull_requests=true) +( gh run --repo "$GITHUB_REPOSITORY" view "$GITHUB_RUN_ID" --json jobs \ + --jq '.jobs[] | select(.name | endswith("'" ($TF_ROOT_MODULE)"'"))' \ + || echo >&2 failed with exit code $? +) > "$outdir/gha-job.json" +( jq .url "$outdir/gha-job.json" -r \ + || echo >&2 failed with exit code $? +) > "$outdir/url" + +# copy any files we want to keep +cp "$tf_log" "$console_log" "$outdir" + +(set -x; tree "$outdir") diff --git a/lib/ci/bin/tf-step-summary b/lib/ci/bin/tf-step-summary index d10e20d0..f8096085 100755 --- a/lib/ci/bin/tf-step-summary +++ b/lib/ci/bin/tf-step-summary 
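Review bot: As a standalone script, `save-matrix-fan-out` no longer sees `tacos_verb`, `title`, `script` and `returncode`, which were shell locals of `tf-step-summary`; `save_var` will write empty files for all four unless the caller exports them, and `cat > "explanation"` writes to the working directory rather than `$outdir/explanation`, so the fan-in summary loses the explanation entirely. Either `export` those four in `tf-step-summary` before invoking this script or pass them as arguments, and change the redirect to `cat > "$outdir/explanation"`. Two smaller things: `eval 'echo "${'"$var"':-}"'` can be `printf '%s\n' "${!var:-}"` (indirect expansion, no eval), and `$TF_ROOT_MODULE` is spliced into the jq program for `gh run view --jq`, so a module name containing `"` or `)` breaks the filter — select in a separate `jq --arg mod " ($TF_ROOT_MODULE)"` pass instead.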
@@ -3,45 +3,6 @@ set -euo pipefail title="$1" script="$2" -save_var() { - path="$1" - var="$2" - - eval 'echo "${'"$var"':-}"' > "$path/$var" -} - -save_matrix_fan_out() { - explanation="$1" - - outdir="matrix-fan-out" - mkdir "$outdir" - - # save any local vars we'll need for analysis during fan-in summary - mkdir -p "$outdir/env" - for var in HOME GITHUB_WORKSPACE TF_ROOT_MODULE TACOS_LOCK; do - save_var "$outdir/env" "$var" - done - for var in tacos_verb title script returncode explanation; do - save_var "$outdir" "$var" - done - - # TODO: why would this fail though? - # > failed to get run: HTTP 403: Resource not accessible by integration - # > (https://api.github.com/repos/getsentry/ops/actions/runs/8327109032?exclude_pull_requests=true) - ( gh run --repo "$GITHUB_REPOSITORY" view "$GITHUB_RUN_ID" --json jobs \ - --jq '.jobs[] | select(.name | endswith("'" ($TF_ROOT_MODULE)"'"))' \ - || echo >&2 failed with exit code $? - ) > "$outdir/gha-job.json" - ( jq .url "$outdir/gha-job.json" -r \ - || echo >&2 failed with exit code $? - ) > "$outdir/url" - - # copy any files we want to keep - cp "$tf_log" "$console_log" "$outdir" - - (set -x; tree "$outdir") -} - save_legacy_summary() { explanation="$1" @@ -136,7 +97,7 @@ export DEBUG="${DEBUG:-}" if (( DEBUG > 0 )); then set -x fi -save_matrix_fan_out "$explanation" +save-matrix-fan-out <<< "$explanation" save_legacy_summary "$explanation" if [[ "$tacos_verb" == "plan" ]] && (( returncode == 2 )); then diff --git a/lib/ci/unlock b/lib/ci/unlock index e827bcc0..d3f03c06 100755 --- a/lib/ci/unlock +++ b/lib/ci/unlock @@ -28,4 +28,4 @@ $results EOF fi -) | gha-step-summary; +) | gha-step-summary | save-matrix-fan-out; diff --git a/lib/tf_lock/release.py b/lib/tf_lock/release.py index ed735688..cb98b1e1 100644 --- a/lib/tf_lock/release.py +++ b/lib/tf_lock/release.py 
@@ -15,8 +15,7 @@ from .lib.env import get_current_host from .lib.env import get_current_user - -# from .tf_lock_info import cache_get +from .tf_lock_info import cache_get from .tf_lock_info import tf_lock_info HERE = sh.get_HERE(__file__) @@ -110,25 +109,14 @@ def tf_lock_release(root_module: OSPath, env: Environ) -> None: tf_user = f"{get_current_user(env)}@{get_current_host(env)}" lock_user = lock_info["Who"] if tf_user == lock_user: - # with sh.cd(tf_working_dir(root_module)): - # cache = cache_get(root_module) - # if cache: - # try: - # sh.json(("gcloud", "storage", "rm", cache)) - # except sh.ShError: - # pass # already unlocked - # else: - # sh.run(( - # "terraform", - # "force-unlock", - # "-force", - # "--", - # lock_info["ID"], - # )) - # with open("tf-log.hcl", "w") as tf_log: - # tf_log.write("success") - try: - with sh.cd(tf_working_dir(root_module)): + with sh.cd(tf_working_dir(root_module)): + cache = cache_get(root_module) + if cache: + try: + sh.json(("gcloud", "storage", "rm", cache)) + except sh.ShError: + pass # already unlocked + else: sh.run(( "terraform", "force-unlock", @@ -136,9 +124,8 @@ def tf_lock_release(root_module: OSPath, env: Environ) -> None: "--", lock_info["ID"], )) - except sh.CalledProcessError as error: - # error message was already printed by subcommand - raise UserError(code=error.returncode) + with open("tf-log.hcl", "w") as tf_log: + tf_log.write("success") info(f"tf-lock-release: success: {root_module}({lock_user})") else: From 5cda44586b879bc17c5899e0b6e7e19262b8bfd2 Mon Sep 17 00:00:00 2001 
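Review bot: Restoring the cache branch also drops the `except sh.CalledProcessError` → `UserError(code=...)` mapping the previous commit added around `terraform force-unlock`, so a failed unlock is again a Python traceback instead of the subcommand's exit code; keep that `try`/`except` around `sh.run(...)` whichever branch runs. `sh.json(("gcloud", "storage", "rm", cache))` still parses JSON from a command that emits none, and `except sh.ShError: pass` still hides permission errors — presumably why it looked like "already unlocked" in testing — so use `sh.run` and swallow only the not-found case. Writing `tf-log.hcl` with the bare word `success` happens inside `sh.cd(tf_working_dir(root_module))`, which may not be the directory `unlock-one` enters before `tf-step-summary` looks for `$tf_log`; worth confirming the two agree.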
From: kneeyo1 Date: Fri, 31 May 2024 14:36:57 -0700 Subject: [PATCH 076/102] unlock many matrix jobs --- .github/workflows/tacos_unlock.yml | 3 +++ lib/ci/bin/save-matrix-fan-out | 40 ----------------------------- lib/ci/bin/tf-step-summary | 41 +++++++++++++++++++++++++++++- lib/ci/bin/unlock-one | 7 +++++ lib/ci/tacos_summary.py | 33 ++++++++++++++---------- lib/ci/tacos_unlock_summary.py | 10 ++++++-- lib/ci/unlock | 4 +-- 7 files changed, 79 insertions(+), 59 deletions(-) delete mode 100755 lib/ci/bin/save-matrix-fan-out create mode 100644 lib/ci/bin/unlock-one diff --git a/.github/workflows/tacos_unlock.yml b/.github/workflows/tacos_unlock.yml index 4998cff3..0bf31bce 100644 --- a/.github/workflows/tacos_unlock.yml +++ b/.github/workflows/tacos_unlock.yml @@ -127,6 +127,9 @@ jobs: # we need to show any errors to end-users if: always() uses: ./tacos-gha/.github/actions/matrix-fan-out + with: + path: | + **/matrix-fan-out summary: needs: tacos_unlock diff --git a/lib/ci/bin/save-matrix-fan-out b/lib/ci/bin/save-matrix-fan-out deleted file mode 100755 index 5fc064b5..00000000 --- a/lib/ci/bin/save-matrix-fan-out +++ /dev/null 
@@ -1,40 +0,0 @@ -#!/bin/bash -set -euo pipefail - -save_var() { - path="$1" - var="$2" - - eval 'echo "${'"$var"':-}"' > "$path/$var" -} - -tf_log=tf-log.hcl -console_log=console.log -outdir="matrix-fan-out" -mkdir "$outdir" -cat > "explanation" # put any extended explanation on stdin - -# save any local vars we'll need for analysis during fan-in summary -mkdir -p "$outdir/env" -for var in HOME GITHUB_WORKSPACE TF_ROOT_MODULE TACOS_LOCK; do - save_var "$outdir/env" "$var" -done -for var in tacos_verb title script returncode; do - save_var "$outdir" "$var" -done - -# TODO: why would this fail though? -# > failed to get run: HTTP 403: Resource not accessible by integration -# > (https://api.github.com/repos/getsentry/ops/actions/runs/8327109032?exclude_pull_requests=true) -( gh run --repo "$GITHUB_REPOSITORY" view "$GITHUB_RUN_ID" --json jobs \ - --jq '.jobs[] | select(.name | endswith("'" ($TF_ROOT_MODULE)"'"))' \ - || echo >&2 failed with exit code $? -) > "$outdir/gha-job.json" -( jq .url "$outdir/gha-job.json" -r \ - || echo >&2 failed with exit code $? -) > "$outdir/url" - -# copy any files we want to keep -cp "$tf_log" "$console_log" "$outdir" - -(set -x; tree "$outdir") diff --git a/lib/ci/bin/tf-step-summary b/lib/ci/bin/tf-step-summary index f8096085..d10e20d0 100755 --- a/lib/ci/bin/tf-step-summary +++ b/lib/ci/bin/tf-step-summary 
@@ -3,6 +3,45 @@ set -euo pipefail title="$1" script="$2" +save_var() { + path="$1" + var="$2" + + eval 'echo "${'"$var"':-}"' > "$path/$var" +} + +save_matrix_fan_out() { + explanation="$1" + + outdir="matrix-fan-out" + mkdir "$outdir" + + # save any local vars we'll need for analysis during fan-in summary + mkdir -p "$outdir/env" + for var in HOME GITHUB_WORKSPACE TF_ROOT_MODULE TACOS_LOCK; do + save_var "$outdir/env" "$var" + done + for var in tacos_verb title script returncode explanation; do + save_var "$outdir" "$var" + done + + # TODO: why would this fail though? + # > failed to get run: HTTP 403: Resource not accessible by integration + # > (https://api.github.com/repos/getsentry/ops/actions/runs/8327109032?exclude_pull_requests=true) + ( gh run --repo "$GITHUB_REPOSITORY" view "$GITHUB_RUN_ID" --json jobs \ + --jq '.jobs[] | select(.name | endswith("'" ($TF_ROOT_MODULE)"'"))' \ + || echo >&2 failed with exit code $? + ) > "$outdir/gha-job.json" + ( jq .url "$outdir/gha-job.json" -r \ + || echo >&2 failed with exit code $? + ) > "$outdir/url" + + # copy any files we want to keep + cp "$tf_log" "$console_log" "$outdir" + + (set -x; tree "$outdir") +} + save_legacy_summary() { explanation="$1" @@ -97,7 +136,7 @@ export DEBUG="${DEBUG:-}" if (( DEBUG > 0 )); then set -x fi -save-matrix-fan-out <<< "$explanation" +save_matrix_fan_out "$explanation" save_legacy_summary "$explanation" if [[ "$tacos_verb" == "plan" ]] && (( returncode == 2 )); then diff --git a/lib/ci/bin/unlock-one b/lib/ci/bin/unlock-one new file mode 100644 index 00000000..ba774692 --- /dev/null +++ b/lib/ci/bin/unlock-one @@ -0,0 +1,7 @@ +#!/bin/bash +set -euo pipefail + +export TF_ROOT_MODULE=$1 + +cd "$TF_ROOT_MODULE" +tf-step-summary "TACOS Unlock" tf-lock-release \ No newline at end of file diff --git a/lib/ci/tacos_summary.py b/lib/ci/tacos_summary.py index 1bad1f09..a659fa06 100644 --- a/lib/ci/tacos_summary.py +++ b/lib/ci/tacos_summary.py 
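Review bot: `$TF_ROOT_MODULE` is interpolated into the jq program passed to `gh run view --jq` (`select(.name | endswith("'" ($TF_ROOT_MODULE)"'"))`), so a module path containing `"` or `)` breaks the filter, and the `|| echo >&2 failed` fallback then leaves `gha-job.json` and `url` empty without failing the step. Fetch the JSON first and filter with `jq --arg mod " ($TF_ROOT_MODULE)" '.jobs[] | select(.name | endswith($mod))'` so the value is never parsed as code. `eval 'echo "${'"$var"':-}"'` in `save_var` can likewise be `printf '%s\n' "${!var:-}"`.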
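Review bot: `lib/ci/bin/unlock-one` is added with mode 100644, so `xargs ... unlock-one` in `lib/ci/unlock` will fail with permission denied (or "command not found" if the PATH lookup skips non-executables); `chmod +x` it, as was done for `handle-tflock-cache` in an earlier commit. `cd "$TF_ROOT_MODULE"` takes its argument straight from xargs, so a slice name beginning with `-` is read as an option — `cd -- "$TF_ROOT_MODULE"` — and a check that the result resolves under `$GITHUB_WORKSPACE` would make a bad matrix entry fail loudly rather than run `tf-lock-release` somewhere unexpected. The file also lacks a trailing newline.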
@@ -25,6 +25,9 @@ FILE_NOT_FOUND = "(file not found: {!r}" SectionFunction = Callable[[Sequence["SliceSummary"], int], Lines] +TacosSummary = Callable[ + [Collection["SliceSummary"], ByteBudget, str, int], Lines +] def ensmallen(lines: Lines, size_limit: int) -> Lines: @@ -318,19 +321,10 @@ def error_section( return mksection(budget, slices, title="Errors", first=True) -def main_helper( - tacos_summary: Callable[ - [Collection[SliceSummary], ByteBudget, str, int], Lines - ], -) -> ExitCode: - from sys import argv - - try: - arg = argv[1] - except IndexError: - arg = "./matrix-fan-out" - - path = OSPath(arg) +def process_matrix_fan_out( + tacos_summary: TacosSummary, matrix_fan_out: OSPath +) -> Iterable[Line]: + path = OSPath(matrix_fan_out) slices = tuple(SliceSummary.from_matrix_fan_in(path)) budget = ByteBudget(COMMENT_SIZE_LIMIT - 1000) @@ -339,7 +333,18 @@ def main_helper( run_id = int(environ["GITHUB_RUN_ID"]) repository = environ["GITHUB_REPOSITORY"] - for line in tacos_summary(slices, budget, repository, run_id): + return tacos_summary(slices, budget, repository, run_id) + + +def main_helper(tacos_summary: TacosSummary) -> ExitCode: + from sys import argv + + try: + arg = argv[1] + except IndexError: + arg = "./matrix-fan-out" + + for line in process_matrix_fan_out(tacos_summary, OSPath(arg)): print(line) return 0 diff --git a/lib/ci/tacos_unlock_summary.py b/lib/ci/tacos_unlock_summary.py index 893b8239..3295433c 100755 --- a/lib/ci/tacos_unlock_summary.py +++ b/lib/ci/tacos_unlock_summary.py @@ -7,13 +7,15 @@ from lib.byte_budget import ByteBudget from lib.byte_budget import Lines from lib.byte_budget import Log +from lib.sh import sh from lib.types import ExitCode +from lib.types import OSPath from .tacos_summary import GHA_RUN_URL from .tacos_summary import SKIPPED_MESSAGE from .tacos_summary import SliceSummary from .tacos_summary import error_section -from .tacos_summary import main_helper +from .tacos_summary import process_matrix_fan_out def header( 
@@ -77,7 +79,11 @@ def tacos_unlock_summary( def main() -> ExitCode: - return main_helper(tacos_unlock_summary) + + for matrix_fan_out in sh.lines(("find", ".", "-name", "matrix-fan-out")): + process_matrix_fan_out(tacos_unlock_summary, OSPath(matrix_fan_out)) + + return 0 if __name__ == "__main__": diff --git a/lib/ci/unlock b/lib/ci/unlock index d3f03c06..3776b60e 100755 --- a/lib/ci/unlock +++ b/lib/ci/unlock @@ -5,7 +5,7 @@ exec 1>&2 # stdout is reserved for tf plan/apply results ( echo "### TACOS Unlock" echo - if results=$(xargs -r -P10 -n10 tf-lock-release 2>&1); then + if results=$(xargs -r -P20 -n1 unlock-one 2>&1); then cat < @@ -28,4 +28,4 @@ $results EOF fi -) | gha-step-summary | save-matrix-fan-out; +) | gha-step-summary; From c2b03462c22c696d02186acf020e0d06d32a34ee Mon Sep 17 00:00:00 2001 From: Buck Evan Date: Fri, 31 May 2024 17:32:42 -0500 Subject: [PATCH 077/102] list-terraformers now has a gha summary --- .github/workflows/tacos_unlock.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/tacos_unlock.yml b/.github/workflows/tacos_unlock.yml index 0bf31bce..c139fe22 100644 --- a/.github/workflows/tacos_unlock.yml +++ b/.github/workflows/tacos_unlock.yml @@ -58,7 +58,8 @@ jobs: - name: List Terraformers id: list-terraformers run: | - "$TACOS_GHA_HOME/"lib/ci/list-terraformers + gha-log-as-step-summary \ + "$TACOS_GHA_HOME/"lib/ci/list-terraformers tacos_unlock: name: TACOS Unlock From 1ef47e9fb468db74af2ba30f30e549bc8ad8c106 Mon Sep 17 00:00:00 2001 From: Buck Evan Date: Fri, 31 May 2024 17:33:42 -0500 Subject: [PATCH 078/102] set missing DEBUG vars --- lib/ci/bin/default-shell-post-sudo | 1 + lib/unix/quietly | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/ci/bin/default-shell-post-sudo b/lib/ci/bin/default-shell-post-sudo index 5cb34696..0260e2ef 100755 --- a/lib/ci/bin/default-shell-post-sudo +++ b/lib/ci/bin/default-shell-post-sudo 
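Review bot: In the new `main`, the value of `process_matrix_fan_out(...)` is discarded: per the tacos_summary.py hunk of this same commit it returns the lazy `tacos_summary(...)` iterable, so with nothing iterating it `tacos_unlock_summary` never executes and nothing is printed, whereas the replaced `main_helper` looped and printed every line. Iterate and print it: `for line in process_matrix_fan_out(tacos_unlock_summary, OSPath(matrix_fan_out)): print(line)`. The stray blank line left after `def main() -> ExitCode:` should go as well; `main` is shown in full here.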
@@ -5,6 +5,7 @@ set -euo pipefail HERE="$(dirname "$(readlink -f "$0")")" umask 002 # stuff is group-writable by default +export DEBUG="${DEBUG:-}" if (( DEBUG > 0 )); then gha-printenv post-sudo fi diff --git a/lib/unix/quietly b/lib/unix/quietly index 80209134..4cac66ab 100755 --- a/lib/unix/quietly +++ b/lib/unix/quietly @@ -6,7 +6,8 @@ tmp="$(mktemp)" trap 'rm "$tmp"' EXIT exec >&2 # only logging output here -if (( "${DEBUG:-0}" >= 1 )); then +export DEBUG="${DEBUG:-}" +if (( DEBUG >= 1 )); then "$@" elif ( set -x; "$@" >"$tmp" 2>&1 ); then length=$(wc -l <"$tmp") From 7eb7b8b36faf505208c3c86894bb214aad2113f2 Mon Sep 17 00:00:00 2001 From: Buck Evan Date: Fri, 31 May 2024 17:33:58 -0500 Subject: [PATCH 079/102] requirements: bump --- requirements-dev.txt | 46 ++++++++++++++++++++++---------------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/requirements-dev.txt b/requirements-dev.txt index 4ac245a5..76fdbf90 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -4,11 +4,11 @@ # # pip-compile --strip-extras requirements-dev.in # -astroid==3.1.0 +astroid==3.2.2 # via pylint -black==24.1.1 +black==24.4.2 # via -r requirements-dev.in -build==1.1.1 +build==1.2.1 # via pip-tools cffi==1.16.0 # via cryptography @@ -20,24 +20,24 @@ click==8.1.7 # pip-tools covdefaults==2.3.0 # via -r requirements-dev.in -coverage==7.4.3 +coverage==7.5.1 # via # -r requirements-dev.in # covdefaults # coverage-enable-subprocess coverage-enable-subprocess==1.0 # via -r requirements-dev.in -cryptography==42.0.5 +cryptography==42.0.7 # via pyjwt dill==0.3.8 # via pylint distlib==0.3.8 # via virtualenv -execnet==2.0.2 +execnet==2.1.1 # via pytest-xdist -filelock==3.13.1 +filelock==3.14.0 # via virtualenv -identify==2.5.35 +identify==2.5.36 # via pre-commit iniconfig==2.0.0 # via pytest @@ -47,7 +47,7 @@ isort==5.13.2 # pylint mccabe==0.7.0 # via pylint -mypy==1.8.0 +mypy==1.10.0 # via -r requirements-dev.in mypy-extensions==1.0.0 # via 
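Review bot: Both hunks add `export DEBUG="${DEBUG:-}"`, defaulting DEBUG to the empty string and then relying on bash treating an empty name as 0 inside `(( ... ))`; the `quietly` line being replaced used the explicit `${DEBUG:-0}`. `export DEBUG="${DEBUG:-0}"` keeps the exported value numeric for anything that reads it outside an arithmetic context — a `[ "$DEBUG" -gt 0 ]` test or a non-bash child process — while leaving the `(( DEBUG ... ))` tests unchanged. The same applies to both default-shell-post-sudo and quietly.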
@@ -57,7 +57,7 @@ nodeenv==1.8.0 # via # pre-commit # pyright -packaging==23.2 +packaging==24.0 # via # black # build @@ -66,42 +66,42 @@ pathspec==0.12.1 # via black pip-tools==7.4.1 # via -r requirements-dev.in -platformdirs==4.2.0 +platformdirs==4.2.2 # via # black # pylint # virtualenv -pluggy==1.4.0 +pluggy==1.5.0 # via pytest -pre-commit==3.6.2 +pre-commit==3.7.1 # via -r requirements-dev.in -pycparser==2.21 +pycparser==2.22 # via cffi pyjwt==2.8.0 # via -r requirements-dev.in -pylint==3.1.0 +pylint==3.2.2 # via -r requirements-dev.in -pyproject-hooks==1.0.0 +pyproject-hooks==1.1.0 # via # build # pip-tools -pyright==1.1.352 +pyright==1.1.364 # via -r requirements-dev.in -pytest==8.0.2 +pytest==8.2.1 # via # -r requirements-dev.in # pytest-xdist -pytest-xdist==3.5.0 +pytest-xdist==3.6.1 # via -r requirements-dev.in pyyaml==6.0.1 # via pre-commit -tomlkit==0.12.4 +tomlkit==0.12.5 # via pylint -typing-extensions==4.10.0 +typing-extensions==4.11.0 # via mypy -virtualenv==20.25.1 +virtualenv==20.26.2 # via pre-commit -wheel==0.42.0 +wheel==0.43.0 # via pip-tools # The following packages are considered to be unsafe in a requirements file: From 5e7ea946333a3406473f2aa1578bc0fdbe2d712e Mon Sep 17 00:00:00 2001 From: Buck Evan Date: Fri, 31 May 2024 18:25:17 -0500 Subject: [PATCH 080/102] global is unused --- spec/lib/gh/pr.py | 5 ----- 1 file changed, 5 deletions(-) diff --git a/spec/lib/gh/pr.py b/spec/lib/gh/pr.py index 2a0594d6..9885a496 100644 --- a/spec/lib/gh/pr.py +++ b/spec/lib/gh/pr.py @@ -23,11 +23,6 @@ from .types import WorkflowName from .up_to_date import up_to_date -APP_INSTALLATION_REVIEWER = ( - "op://Team Tacos gha dev/tacos-gha-reviewer/installation.json" -) - - Comment = str # a PR comment if TYPE_CHECKING: From d5e5a71af0abc3c269d67dcacfceec71117551a2 Mon Sep 17 00:00:00 2001 
From: Buck Evan Date: Fri, 31 May 2024 18:25:59 -0500 Subject: [PATCH 081/102] unlock: list slices, not lockfiles --- .github/workflows/tacos_unlock.yml | 2 + lib/ci/tacos_summary.py | 11 ++-- lib/ci/tacos_unlock_summary.py | 9 ++-- lib/tacos/terraformers.py | 85 +++++++++++++----------------- lib/tf_lock/release.py | 4 -- 5 files changed, 50 insertions(+), 61 deletions(-) diff --git a/.github/workflows/tacos_unlock.yml b/.github/workflows/tacos_unlock.yml index c139fe22..382658fc 100644 --- a/.github/workflows/tacos_unlock.yml +++ b/.github/workflows/tacos_unlock.yml @@ -112,12 +112,14 @@ jobs: || github.triggering_actor }} + - name: gcp auth id: auth uses: google-github-actions/auth@v2.1.1 with: workload_identity_provider: ${{env.GETSENTRY_SAC_OIDC}} service_account: ${{env.SUDO_GCP_SERVICE_ACCOUNT}} + - name: Unlock id: main run: | diff --git a/lib/ci/tacos_summary.py b/lib/ci/tacos_summary.py index a659fa06..4f172fce 100644 --- a/lib/ci/tacos_summary.py +++ b/lib/ci/tacos_summary.py @@ -321,11 +321,9 @@ def error_section( return mksection(budget, slices, title="Errors", first=True) -def process_matrix_fan_out( - tacos_summary: TacosSummary, matrix_fan_out: OSPath +def process_slices( + tacos_summary: TacosSummary, slices: Collection[SliceSummary] ) -> Iterable[Line]: - path = OSPath(matrix_fan_out) - slices = tuple(SliceSummary.from_matrix_fan_in(path)) budget = ByteBudget(COMMENT_SIZE_LIMIT - 1000) from os import environ @@ -344,7 +342,10 @@ def main_helper(tacos_summary: TacosSummary) -> ExitCode: except IndexError: arg = "./matrix-fan-out" - for line in process_matrix_fan_out(tacos_summary, OSPath(arg)): + path = OSPath(arg) + slices = tuple(SliceSummary.from_matrix_fan_in(path)) + + for line in process_slices(tacos_summary, slices): print(line) return 0 diff --git a/lib/ci/tacos_unlock_summary.py b/lib/ci/tacos_unlock_summary.py index 3295433c..2635c0f8 100755 --- a/lib/ci/tacos_unlock_summary.py +++ b/lib/ci/tacos_unlock_summary.py 
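Review bot: `process_slices` has no docstring even though its contract changed in this hunk: it now receives already-built `slices: Collection[SliceSummary]` instead of a directory, and it keeps a function-local `from os import environ`, so the environment it reads (GITHUB_RUN_ID and GITHUB_REPOSITORY, per this function's earlier hunk in the series) is a hidden input. Suggest `"""Yield the summary lines for *slices*; reads the GitHub run id and repository from the environment."""` under the signature, and a matching line on `main_helper`, which now owns the `SliceSummary.from_matrix_fan_in(path)` load. Both function bodies extend beyond their hunks.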
@@ -15,7 +15,7 @@ from .tacos_summary import SKIPPED_MESSAGE from .tacos_summary import SliceSummary from .tacos_summary import error_section -from .tacos_summary import process_matrix_fan_out +from .tacos_summary import process_slices def header( @@ -79,9 +79,12 @@ def tacos_unlock_summary( def main() -> ExitCode: - + slices: list[SliceSummary] = [] for matrix_fan_out in sh.lines(("find", ".", "-name", "matrix-fan-out")): - process_matrix_fan_out(tacos_unlock_summary, OSPath(matrix_fan_out)) + slices.append(SliceSummary.from_matrix_fan_out(OSPath(matrix_fan_out))) + + for line in process_slices(tacos_unlock_summary, slices): + print(line) return 0 diff --git a/lib/tacos/terraformers.py b/lib/tacos/terraformers.py index 09a60abb..6c99b8d9 100755 --- a/lib/tacos/terraformers.py +++ b/lib/tacos/terraformers.py 
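Review bot: The new `main` builds `slices` with an append loop; a comprehension says the same thing in one statement: `slices = [SliceSummary.from_matrix_fan_out(OSPath(p)) for p in sh.lines(("find", ".", "-name", "matrix-fan-out"))]`. Note that this call uses `SliceSummary.from_matrix_fan_out` while `main_helper` in the tacos_summary.py hunk of the same commit loads with `SliceSummary.from_matrix_fan_in(path)`; if they are distinct constructors a short comment on why each side needs its own would help, and if only one of them exists this line fails at runtime — confirm against the class, which is outside this view.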
@@ -2,74 +2,73 @@ from __future__ import annotations from dataclasses import dataclass -from typing import Dict -from typing import List -from typing import Union +from typing import Iterable +from lib import json from lib.constants import TACOS_GHA_HOME from lib.sh import sh from lib.types import Generator from lib.types import OSPath -TFLockFile = OSPath +from .dependent_slices import TFCategorized +from .dependent_slices import TopLevelTFModule @dataclass(frozen=True) class TerraformerResult: GETSENTRY_SAC_OIDC: str SUDO_GCP_SERVICE_ACCOUNT: str - tflock_files: set[OSPath] - - -def list_cached_tflock_files() -> list[TFLockFile]: - import os - from subprocess import check_output - - current_dir = os.getcwd() - slices = check_output( - ( - "find", - current_dir, - "-path", - "*/.config/tf-lock-info/Path", - "-print0", - ), - encoding="UTF-8", - ) - return sorted([ - OSPath(slice) for slice in slices.split("\0") if slice and slice != "." - ]) + slices: set[TopLevelTFModule] + + def to_json(self) -> json.Value: + return { + "GETSENTRY_SAC_OIDC": self.GETSENTRY_SAC_OIDC, + "SUDO_GCP_SERVICE_ACCOUNT": self.SUDO_GCP_SERVICE_ACCOUNT, + # Convert each TopLevelTFModule in the set to a string, then convert the set to a list + "slices": [str(path) for path in self.slices], + } + + +def get_cached_slices() -> Iterable[TopLevelTFModule]: + """List terraform/grunt slices that have a cached tflock path. + Slices without such a file have never been locked. 
+ """ + for slice in sorted(TFCategorized.from_git().slices): + if OSPath(slice / ".config/tf-lock-info/Path").exists(): + yield slice -def list_terraformers() -> Generator[TerraformerResult]: - """List all slices and the oidc provider and terraformer of that slice""" - for tflock_file in list_cached_tflock_files(): - with sh.cd(tflock_file.parents[2]): + +def list_terraformers( + slices: Iterable[TopLevelTFModule], +) -> Iterable[TerraformerResult]: + """List unlockable slices and the oidc provider and terraformer of that slice""" + for slice in slices: + with sh.cd(OSPath(slice)): oidc_provider = sh.stdout( (TACOS_GHA_HOME / "lib/getsentry-sac/oidc-provider",) ) terraformer = sh.stdout(("sudo-gcp-service-account",)) - yield TerraformerResult( - oidc_provider, terraformer, set([tflock_file]) - ) + yield TerraformerResult(oidc_provider, terraformer, set([slice])) def terraformers() -> Generator[TerraformerResult]: """Which slices need to be unlocked?""" from collections import defaultdict - by_terraformer: defaultdict[tuple[str, str], set[TFLockFile]] = ( + by_terraformer: defaultdict[tuple[str, str], set[TopLevelTFModule]] = ( defaultdict(set) ) - for tf_result in list_terraformers(): + slices = get_cached_slices() + for tf_result in list_terraformers(slices): key = ( tf_result.GETSENTRY_SAC_OIDC, tf_result.SUDO_GCP_SERVICE_ACCOUNT, ) - for tflock_file in tf_result.tflock_files: - by_terraformer[key].add(tflock_file) + for slice in tf_result.slices: + by_terraformer[key].add(slice) for key in by_terraformer: oidc_provider, terraformer = key 
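Review bot: The loop variables in `get_cached_slices`, `list_terraformers` and `terraformers` are all named `slice`, shadowing the builtin; `module` or `tf_slice` avoids that and reads closer to the `TopLevelTFModule` type. In `list_terraformers`, `set([slice])` is the pre-comprehension spelling of `{slice}`. `get_cached_slices` decides which slices `terraformers()` later reports as needing an unlock, and its docstring rests on the claim that a slice without `.config/tf-lock-info/Path` has never been locked — a `# NOTE:` naming what writes that file would let a reader check the claim; `to_json` could also carry a one-line docstring. The hunk ends inside `terraformers`, whose remainder follows in the next hunk.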
@@ -78,24 +77,12 @@ def terraformers() -> Generator[TerraformerResult]: ) -def convert_terraform_result( - result: TerraformerResult, -) -> Dict[str, Union[str, List[str]]]: - """Convert TerraformerResult to a JSON-serializable dictionary""" - return { - "GETSENTRY_SAC_OIDC": result.GETSENTRY_SAC_OIDC, - "SUDO_GCP_SERVICE_ACCOUNT": result.SUDO_GCP_SERVICE_ACCOUNT, - # Convert each TopLevelTFModule in the set to a string, then convert the set to a list - "tflock_files": [str(path) for path in result.tflock_files], - } - - def main() -> int: import json for result in terraformers(): # use custom conversion here, because json doesn't like sets or OSPaths - print(json.dumps(convert_terraform_result(result))) + print(json.dumps(result.to_json())) return 0 diff --git a/lib/tf_lock/release.py b/lib/tf_lock/release.py index cb98b1e1..3dadd0e6 100644 --- a/lib/tf_lock/release.py +++ b/lib/tf_lock/release.py @@ -124,13 +124,9 @@ def tf_lock_release(root_module: OSPath, env: Environ) -> None: "--", lock_info["ID"], )) - with open("tf-log.hcl", "w") as tf_log: - tf_log.write("success") info(f"tf-lock-release: success: {root_module}({lock_user})") else: - with open("tf-log.hcl", "w") as tf_log: - tf_log.write("failure") raise UserError( f"""\ tf-lock-release: failure: not {lock_user}: {root_module}({tf_user}) From 6cffdad4e939e8e65a0546373bd6b7fddd060068 Mon Sep 17 00:00:00 2001 From: Buck Evan Date: Fri, 31 May 2024 18:41:03 -0500 Subject: [PATCH 082/102] debug less noisy --- lib/ci/bin/terragrunt-noninteractive | 4 +++- lib/gcloud/gcloud-auth-export-access-token | 2 +- lib/gcloud/sudo-gcp | 2 +- lib/gcloud/sudo-gcp-service-account | 2 +- lib/tf_lock/lib/env.sh | 2 +- 5 files changed, 7 insertions(+), 5 deletions(-) diff --git a/lib/ci/bin/terragrunt-noninteractive b/lib/ci/bin/terragrunt-noninteractive index 29745096..4527b436 100755 --- a/lib/ci/bin/terragrunt-noninteractive +++ b/lib/ci/bin/terragrunt-noninteractive 
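Review bot: `main` keeps its function-local `import json` while this commit adds a module-level `from lib import json` (used for the `json.Value` annotation on `to_json`), so inside `main` the name `json` is the stdlib module and everywhere else in the file it is `lib.json`. Either alias one of them (`import json as stdlib_json` in `main`) or, if `lib.json` exposes a `dumps`, drop the local import so the file has one meaning for `json`. The comment `# use custom conversion here, because json doesn't like sets or OSPaths` now describes `to_json` rather than the call site, so it belongs on that method.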
@@ -32,10 +32,12 @@ export DEBUG="${DEBUG:-}" if (( DEBUG >= 1 )); then export TF_LOG=debug export TERRAGRUNT_LOG_LEVEL=info - set -x fi if (( DEBUG >= 3 )); then export TERRAGRUNT_LOG_LEVEL=debug + if (( DEBUG >= 4 )); then + set -x + fi elif (( DEBUG <= 0 )); then export TERRAGRUNT_LOG_LEVEL=error fi diff --git a/lib/gcloud/gcloud-auth-export-access-token b/lib/gcloud/gcloud-auth-export-access-token index 6d651a23..76335e8b 100755 --- a/lib/gcloud/gcloud-auth-export-access-token +++ b/lib/gcloud/gcloud-auth-export-access-token @@ -35,7 +35,7 @@ info() { echo >&2 "$@"; } error() { info "$@"; exit 1; } export DEBUG="${DEBUG:-}" -if (( DEBUG >= 1 )); then +if (( DEBUG >= 5 )); then set -x fi diff --git a/lib/gcloud/sudo-gcp b/lib/gcloud/sudo-gcp index 3a6cc1f2..6896d475 100755 --- a/lib/gcloud/sudo-gcp +++ b/lib/gcloud/sudo-gcp @@ -4,7 +4,7 @@ HERE="$(dirname "$(readlink -f "$0")")" export DEBUG="${DEBUG:-}" -if (( DEBUG >= 1 )); then +if (( DEBUG >= 5 )); then set -x fi diff --git a/lib/gcloud/sudo-gcp-service-account b/lib/gcloud/sudo-gcp-service-account index 519ece40..fa92f85b 100755 --- a/lib/gcloud/sudo-gcp-service-account +++ b/lib/gcloud/sudo-gcp-service-account @@ -23,7 +23,7 @@ interpolate_line() { export DEBUG="${DEBUG:-}" -if (( DEBUG >= 1 )); then +if (( DEBUG >= 5 )); then set -x fi diff --git a/lib/tf_lock/lib/env.sh b/lib/tf_lock/lib/env.sh index cbaa4580..aa980bb7 100644 --- a/lib/tf_lock/lib/env.sh +++ b/lib/tf_lock/lib/env.sh @@ -30,6 +30,6 @@ tf_working_dir() { } export DEBUG="${DEBUG:-}" -if (( DEBUG >= 1 )); then +if (( DEBUG >= 3 )); then set -x fi From 47f3e1b9f8173ec307dd0ad5c7f174e5154865e2 Mon Sep 17 00:00:00 2001 From: kneeyo1 Date: Fri, 31 May 2024 16:49:28 -0700 Subject: [PATCH 083/102] give chmod --- lib/ci/bin/unlock-one | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 lib/ci/bin/unlock-one diff --git a/lib/ci/bin/unlock-one b/lib/ci/bin/unlock-one old mode 100644 new mode 100755 
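Review bot: In `lib/gcloud/gcloud-auth-export-access-token` the change only raises the xtrace threshold to `DEBUG >= 5`; if, as the script's name suggests, the access token passes through a traced assignment or command argument, `set -x` at any level writes it into the job log, so this file should either never enable xtrace or bracket the token-handling lines with `set +x` / `set -x` — confirm against the body, which is outside the hunk. The other hunks are fine as noise reduction, but the resulting ladder (TF_LOG at 1, terragrunt debug and env.sh xtrace at 3, terragrunt xtrace at 4, gcloud helpers at 5) is now spread across five files with nothing stating the convention; a one-line comment at each `set -x`, e.g. `# DEBUG>=5: xtrace only at the highest level in the gcloud helpers`, would keep them consistent.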
From abfc2285e27362d7f88fe2fd867805fd0f527d03 Mon Sep 17 00:00:00 2001 From: kneeyo1 Date: Fri, 31 May 2024 16:59:53 -0700 Subject: [PATCH 084/102] add input for matrix --- .github/actions/matrix-fan-out/action.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/actions/matrix-fan-out/action.yml b/.github/actions/matrix-fan-out/action.yml index 3a651a6b..65d998fa 100644 --- a/.github/actions/matrix-fan-out/action.yml +++ b/.github/actions/matrix-fan-out/action.yml @@ -11,6 +11,9 @@ inputs: shell: description: "private -- do not use" default: bash -euxo pipefail {0} + matrix: + description: defaults to toJSON(matrix) + default: ${{ toJSON(matrix) }} runs: using: "composite" @@ -19,7 +22,7 @@ runs: - shell: ${{ inputs.shell }} env: MATRIX_FAN_OUT_PATH: ${{ inputs.path }} - GHA_MATRIX_CONTEXT: ${{ toJSON(matrix) }} + GHA_MATRIX_CONTEXT: ${{ inputs.matrix }} run: | "$GITHUB_ACTION_PATH/"prepare.sh | tee -a "$GITHUB_ENV" From adc491ffe819cd4d79ba7fdb3bd76cd4baf8565b Mon Sep 17 00:00:00 2001 From: kneeyo1 Date: Fri, 31 May 2024 17:03:06 -0700 Subject: [PATCH 085/102] we have shorter matrix name now --- .github/workflows/tacos_unlock.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/tacos_unlock.yml b/.github/workflows/tacos_unlock.yml index 382658fc..b9af2464 100644 --- a/.github/workflows/tacos_unlock.yml +++ b/.github/workflows/tacos_unlock.yml @@ -133,6 +133,8 @@ jobs: with: path: | **/matrix-fan-out + matrix: | + { "terraformer": "${{env.SUDO_GCP_SERVICE_ACCOUNT}}" } summary: needs: tacos_unlock From ffe6084054a7192ff8d158f553f49ee38722d21e Mon Sep 17 00:00:00 2001 From: kneeyo1 Date: Fri, 31 May 2024 17:07:13 -0700 Subject: [PATCH 086/102] tf step summary already will cd --- lib/ci/bin/unlock-one | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/ci/bin/unlock-one b/lib/ci/bin/unlock-one index ba774692..74e5f58e 100755 --- a/lib/ci/bin/unlock-one +++ b/lib/ci/bin/unlock-one 
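Review bot: In the tacos_unlock.yml hunk, `matrix: | { "terraformer": "${{env.SUDO_GCP_SERVICE_ACCOUNT}}" }` builds by string interpolation the JSON that previously always came from `toJSON(matrix)`, so any `"` or `\` in the value would hand `prepare.sh` malformed input. A service-account id is unlikely to contain those characters, but letting the expression language do the quoting removes the assumption: `{ "terraformer": ${{ toJSON(env.SUDO_GCP_SERVICE_ACCOUNT) }} }`. The new `matrix` input in the action.yml hunk is the one place the old behaviour survives (as the default), so a sentence in its description saying that an explicit value replaces the real matrix context entirely would help callers.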
@@ -3,5 +3,4 @@ set -euo pipefail
 export TF_ROOT_MODULE=$1
-cd "$TF_ROOT_MODULE"
 tf-step-summary "TACOS Unlock" tf-lock-release
\ No newline at end of file
From e4432d7d85ff021fe07fb7773fdbb65dae34cc9d Mon Sep 17 00:00:00 2001
From: kneeyo1
Date: Fri, 31 May 2024 17:27:51 -0700
Subject: [PATCH 087/102] added path to matrix fan in
---
 .github/workflows/tacos_unlock.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/tacos_unlock.yml b/.github/workflows/tacos_unlock.yml
index b9af2464..6357e880 100644
--- a/.github/workflows/tacos_unlock.yml
+++ b/.github/workflows/tacos_unlock.yml
@@ -155,6 +155,9 @@ jobs:
 uses: ./tacos-gha/.github/actions/just-the-basics
 - name: Run matrix-fan-in
 uses: ./tacos-gha/.github/actions/matrix-fan-in
+ with:
+ path: |
+ **/matrix-fan-out
 - name: Summarize
 id: summary
 run: |
From d3a45ff28e1847e237bcf98cfe2c9d46c047ee6b Mon Sep 17 00:00:00 2001
From: kneeyo1
Date: Fri, 31 May 2024 17:40:07 -0700
Subject: [PATCH 088/102] added path to matrix fan in
---
 .github/actions/matrix-fan-in/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/actions/matrix-fan-in/action.yml b/.github/actions/matrix-fan-in/action.yml
index 638acc82..198cbff9 100644
--- a/.github/actions/matrix-fan-in/action.yml
+++ b/.github/actions/matrix-fan-in/action.yml
@@ -31,7 +31,7 @@ runs:
 uses: actions/download-artifact@v4
 with:
 pattern: ${{ env.artifact_name }} *${{ inputs.pattern }}*
- path: matrix-fan-in.tmp
+ path: ${{ inputs.path }}
 - name: fix up archive files
 shell: bash
From b91eddb92c187d816f78f58e000f323a9eebac3e Mon Sep 17 00:00:00 2001
From: kneeyo1
Date: Sun, 2 Jun 2024 16:39:41 -0700
Subject: [PATCH 089/102] debug to see if exists
---
 .github/actions/matrix-fan-in/rename-tmp-dirs.sh | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/actions/matrix-fan-in/rename-tmp-dirs.sh b/.github/actions/matrix-fan-in/rename-tmp-dirs.sh
index 3ce91532..85b3a78a 100755
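Review bot: `path: ${{ inputs.path }}` changes where download-artifact unpacks, but `rename-tmp-dirs.sh`, run by the following `fix up archive files` step, still walks `./matrix-fan-in.tmp` (visible as context in the next commit's hunk of that script), so unless the caller passes that literal the fixup now runs against a missing directory. Either keep the download in the temp dir and move the result into `inputs.path` afterwards, or give the script the same value — the action appears to forward `MATRIX_FAN_OUT_PATH` to it, per the context lines of later hunks. The `fix up archive files` step's `env:` block is outside this hunk.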
--- a/.github/actions/matrix-fan-in/rename-tmp-dirs.sh +++ b/.github/actions/matrix-fan-in/rename-tmp-dirs.sh @@ -13,6 +13,11 @@ path="$1" mkdir -p "$path" +echo "Debug: Current directory is $(pwd)" +echo "Debug: Listing all files in the current directory:" +ls -al + + : directory name fixup find ./matrix-fan-in.tmp \ -mindepth 1 \ From c93f1a3cd4920c3ba1a6d21f9bfdd456b9c3d064 Mon Sep 17 00:00:00 2001 From: kneeyo1 Date: Sun, 2 Jun 2024 16:51:01 -0700 Subject: [PATCH 090/102] debug to see if exists --- .github/actions/matrix-fan-in/action.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/actions/matrix-fan-in/action.yml b/.github/actions/matrix-fan-in/action.yml index 198cbff9..b3a382eb 100644 --- a/.github/actions/matrix-fan-in/action.yml +++ b/.github/actions/matrix-fan-in/action.yml @@ -33,6 +33,13 @@ runs: pattern: ${{ env.artifact_name }} *${{ inputs.pattern }}* path: ${{ inputs.path }} + - name: Debug artifact download + shell: bash + run: | + echo "Debug: Current directory is $(pwd)" + echo "Debug: Listing all files in the current directory:" + ls -al + - name: fix up archive files shell: bash env: From 0bb32934a7961550271639451c255f5f0e24ff7b Mon Sep 17 00:00:00 2001 From: kneeyo1 Date: Sun, 2 Jun 2024 16:54:17 -0700 Subject: [PATCH 091/102] debug to see if exists --- .github/actions/matrix-fan-in/rename-tmp-dirs.sh | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/actions/matrix-fan-in/rename-tmp-dirs.sh b/.github/actions/matrix-fan-in/rename-tmp-dirs.sh index 85b3a78a..8ff1d57b 100755 --- a/.github/actions/matrix-fan-in/rename-tmp-dirs.sh +++ b/.github/actions/matrix-fan-in/rename-tmp-dirs.sh @@ -13,12 +13,10 @@ path="$1" mkdir -p "$path" +: directory name fixup echo "Debug: Current directory is $(pwd)" echo "Debug: Listing all files in the current directory:" ls -al - - -: directory name fixup find ./matrix-fan-in.tmp \ -mindepth 1 \ -maxdepth 1 \ 
From 3880d9ab7018c9857e1c4d23c71047bad579cd68 Mon Sep 17 00:00:00 2001 From: kneeyo1 Date: Sun, 2 Jun 2024 16:58:18 -0700 Subject: [PATCH 092/102] debug to see if exists --- .github/actions/matrix-fan-in/action.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/actions/matrix-fan-in/action.yml b/.github/actions/matrix-fan-in/action.yml index b3a382eb..473d196d 100644 --- a/.github/actions/matrix-fan-in/action.yml +++ b/.github/actions/matrix-fan-in/action.yml @@ -39,6 +39,14 @@ runs: echo "Debug: Current directory is $(pwd)" echo "Debug: Listing all files in the current directory:" ls -al + if [ -d "./matrix-fan-in.tmp" ]; then + echo "Debug: matrix-fan-in.tmp directory exists." + echo "Debug: Listing all files in matrix-fan-in.tmp:" + ls -al ./matrix-fan-in.tmp + else + echo "Error: matrix-fan-in.tmp directory does not exist." + exit 1 + fi - name: fix up archive files shell: bash From 0a09b8e9400b2bbde4ac39966b07c3259231dd63 Mon Sep 17 00:00:00 2001 From: kneeyo1 Date: Sun, 2 Jun 2024 17:03:09 -0700 Subject: [PATCH 093/102] debug to see if exists --- .github/actions/matrix-fan-in/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/matrix-fan-in/action.yml b/.github/actions/matrix-fan-in/action.yml index 473d196d..7424e663 100644 --- a/.github/actions/matrix-fan-in/action.yml +++ b/.github/actions/matrix-fan-in/action.yml @@ -22,7 +22,7 @@ runs: steps: - shell: ${{ inputs.shell }} env: - MATRIX_FAN_OUT_PATH: ${{ inputs.path }} + MATRIX_FAN_OUT_PATH: matrix-fan-in.tmp run: | "$GITHUB_ACTION_PATH/"set-artifact-name.sh "$MATRIX_FAN_OUT_PATH" | tee -a "$GITHUB_ENV" From 08fc784e36c817e68df3ddd363d0237ee64e4438 Mon Sep 17 00:00:00 2001 From: kneeyo1 Date: Sun, 2 Jun 2024 17:09:15 -0700 Subject: [PATCH 094/102] debug to see if exists --- .github/actions/matrix-fan-in/action.yml | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) 
diff --git a/.github/actions/matrix-fan-in/action.yml b/.github/actions/matrix-fan-in/action.yml index 7424e663..5258fd31 100644 --- a/.github/actions/matrix-fan-in/action.yml +++ b/.github/actions/matrix-fan-in/action.yml @@ -22,7 +22,7 @@ runs: steps: - shell: ${{ inputs.shell }} env: - MATRIX_FAN_OUT_PATH: matrix-fan-in.tmp + MATRIX_FAN_OUT_PATH: ${{ inputs.path }} run: | "$GITHUB_ACTION_PATH/"set-artifact-name.sh "$MATRIX_FAN_OUT_PATH" | tee -a "$GITHUB_ENV" @@ -36,15 +36,13 @@ runs: - name: Debug artifact download shell: bash run: | - echo "Debug: Current directory is $(pwd)" - echo "Debug: Listing all files in the current directory:" - ls -al - if [ -d "./matrix-fan-in.tmp" ]; then - echo "Debug: matrix-fan-in.tmp directory exists." - echo "Debug: Listing all files in matrix-fan-in.tmp:" - ls -al ./matrix-fan-in.tmp + echo "Debug: Checking if the ${{ inputs.path }} directory exists:" + if [ -d "${{ inputs.path }}" ]; then + echo "Debug: ${{ inputs.path }} directory exists." + echo "Debug: Listing all files in ${{ inputs.path }}:" + ls -al ${{ inputs.path }} else - echo "Error: matrix-fan-in.tmp directory does not exist." + echo "Error: ${{ inputs.path }} directory does not exist." exit 1 fi From ea62fce96b72d91810d820e710e3aea7372f1f68 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Sun, 2 Jun 2024 17:25:16 -0700 Subject: [PATCH 095/102] auto-commit: GHA deps, for test --- .github/actions/matrix-fan-in/action.yml | 14 -------------- .github/workflows/tacos_unlock.yml | 4 ++-- 2 files changed, 2 insertions(+), 16 deletions(-) diff --git a/.github/actions/matrix-fan-in/action.yml b/.github/actions/matrix-fan-in/action.yml index 5258fd31..f83b2326 100644 --- a/.github/actions/matrix-fan-in/action.yml +++ b/.github/actions/matrix-fan-in/action.yml 
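Review bot: The debug step interpolates `${{ inputs.path }}` directly into the `run:` script four times, and `ls -al ${{ inputs.path }}` is unquoted as well; expressions are substituted into the script text before bash parses it, so a value containing shell metacharacters is executed rather than treated as a path. The rest of this action already passes the value through `env:` (`MATRIX_FAN_OUT_PATH: ${{ inputs.path }}` in the hunk above), so the step should do the same and reference `"$MATRIX_FAN_OUT_PATH"` in quotes. It is debugging scaffolding, but it lives in a shared composite action and the pattern will be copied.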
@@ -32,20 +32,6 @@ runs: with: pattern: ${{ env.artifact_name }} *${{ inputs.pattern }}* path: ${{ inputs.path }} - - - name: Debug artifact download - shell: bash - run: | - echo "Debug: Checking if the ${{ inputs.path }} directory exists:" - if [ -d "${{ inputs.path }}" ]; then - echo "Debug: ${{ inputs.path }} directory exists." - echo "Debug: Listing all files in ${{ inputs.path }}:" - ls -al ${{ inputs.path }} - else - echo "Error: ${{ inputs.path }} directory does not exist." - exit 1 - fi - - name: fix up archive files shell: bash env: diff --git a/.github/workflows/tacos_unlock.yml b/.github/workflows/tacos_unlock.yml index 6357e880..ef746e1a 100644 --- a/.github/workflows/tacos_unlock.yml +++ b/.github/workflows/tacos_unlock.yml @@ -132,7 +132,7 @@ jobs: uses: ./tacos-gha/.github/actions/matrix-fan-out with: path: | - **/matrix-fan-out + /matrix-fan-out matrix: | { "terraformer": "${{env.SUDO_GCP_SERVICE_ACCOUNT}}" } @@ -157,7 +157,7 @@ jobs: uses: ./tacos-gha/.github/actions/matrix-fan-in with: path: | - **/matrix-fan-out + /matrix-fan-out - name: Summarize id: summary run: | From 4665d72e3e93c677597bf863eea61dafb245dbb0 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Sun, 2 Jun 2024 19:38:17 -0700 Subject: [PATCH 096/102] auto-commit: GHA deps, for test --- .github/actions/matrix-fan-in/action.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/actions/matrix-fan-in/action.yml b/.github/actions/matrix-fan-in/action.yml index f83b2326..f3e31f08 100644 --- a/.github/actions/matrix-fan-in/action.yml +++ b/.github/actions/matrix-fan-in/action.yml @@ -40,3 +40,9 @@ runs: # note: "$GITHUB_ACTION_PATH" contains this action directory's path run: | "$GITHUB_ACTION_PATH/"rename-tmp-dirs.sh "$MATRIX_FAN_OUT_PATH" + - name: Start SSH + if: always() + uses: lhotari/action-upterm@v1 + with: + ## limits ssh access and adds the ssh public keys of the listed GitHub users + limit-access-to-users: bukzor,kneeyo1 
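Review bot: The new `Start SSH` step runs `lhotari/action-upterm@v1` under `if: always()`, which opens an interactive shell on the runner for every invocation of this shared composite action, on success or failure, with whatever tokens and credentials the calling job has on the machine. If it is needed for debugging, gate it on an explicit input or `DEBUG` rather than `always()`, pin the third-party action to a full commit SHA instead of the mutable `v1` tag, and do not merge it active; `limit-access-to-users` narrows who may connect but not what the session can reach. The preceding `fix up archive files` step is context and its `env:` block is outside the hunk.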
From 2fa5fe73e929979c815756f3d1c1b9ddbabbb2eb Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Sun, 2 Jun 2024 19:43:03 -0700 Subject: [PATCH 097/102] auto-commit: GHA deps, for test --- .github/actions/matrix-fan-in/rename-tmp-dirs.sh | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/actions/matrix-fan-in/rename-tmp-dirs.sh b/.github/actions/matrix-fan-in/rename-tmp-dirs.sh index 8ff1d57b..3ce91532 100755 --- a/.github/actions/matrix-fan-in/rename-tmp-dirs.sh +++ b/.github/actions/matrix-fan-in/rename-tmp-dirs.sh @@ -14,9 +14,6 @@ path="$1" mkdir -p "$path" : directory name fixup -echo "Debug: Current directory is $(pwd)" -echo "Debug: Listing all files in the current directory:" -ls -al find ./matrix-fan-in.tmp \ -mindepth 1 \ -maxdepth 1 \ From bc45373251ff6cda32f120e1cd1f9d48649f4625 Mon Sep 17 00:00:00 2001 From: kneeyo1 Date: Sun, 2 Jun 2024 19:53:44 -0700 Subject: [PATCH 098/102] hopefully this works? --- .github/actions/matrix-fan-in/action.yml | 12 ++++++------ .github/actions/matrix-fan-in/rename-tmp-dirs.sh | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/actions/matrix-fan-in/action.yml b/.github/actions/matrix-fan-in/action.yml index f3e31f08..b14896ab 100644 --- a/.github/actions/matrix-fan-in/action.yml +++ b/.github/actions/matrix-fan-in/action.yml @@ -40,9 +40,9 @@ runs: # note: "$GITHUB_ACTION_PATH" contains this action directory's path run: | "$GITHUB_ACTION_PATH/"rename-tmp-dirs.sh "$MATRIX_FAN_OUT_PATH" - - name: Start SSH - if: always() - uses: lhotari/action-upterm@v1 - with: - ## limits ssh access and adds the ssh public keys of the listed GitHub users - limit-access-to-users: bukzor,kneeyo1 + # - name: Start SSH + # if: always() + # uses: lhotari/action-upterm@v1 + # with: + # ## limits ssh access and adds the ssh public keys of the listed GitHub users + # limit-access-to-users: bukzor,kneeyo1 
diff --git a/.github/actions/matrix-fan-in/rename-tmp-dirs.sh b/.github/actions/matrix-fan-in/rename-tmp-dirs.sh index 3ce91532..e241a2c8 100755 --- a/.github/actions/matrix-fan-in/rename-tmp-dirs.sh +++ b/.github/actions/matrix-fan-in/rename-tmp-dirs.sh @@ -14,7 +14,7 @@ path="$1" mkdir -p "$path" : directory name fixup -find ./matrix-fan-in.tmp \ +find "$path"\ -mindepth 1 \ -maxdepth 1 \ -print0 \ From 2313c6a4ecf190e8e84c37f45dba3a446febaf9c Mon Sep 17 00:00:00 2001 From: Buck Evan Date: Mon, 3 Jun 2024 11:25:42 -0500 Subject: [PATCH 099/102] revert matrix-io path; some comments --- .github/actions/matrix-fan-in/action.yml | 2 ++ .github/workflows/selftest-matrix-io.yml | 2 +- .github/workflows/tacos_unlock.yml | 4 ++-- lib/ci/bin/unlock-one | 2 +- 4 files changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/actions/matrix-fan-in/action.yml b/.github/actions/matrix-fan-in/action.yml index b14896ab..b502abc6 100644 --- a/.github/actions/matrix-fan-in/action.yml +++ b/.github/actions/matrix-fan-in/action.yml @@ -40,6 +40,8 @@ runs: # note: "$GITHUB_ACTION_PATH" contains this action directory's path run: | "$GITHUB_ACTION_PATH/"rename-tmp-dirs.sh "$MATRIX_FAN_OUT_PATH" + + ## DEBUG: # - name: Start SSH # if: always() # uses: lhotari/action-upterm@v1 diff --git a/.github/workflows/selftest-matrix-io.yml b/.github/workflows/selftest-matrix-io.yml index ba65cfa6..2c87cc54 100644 --- a/.github/workflows/selftest-matrix-io.yml +++ b/.github/workflows/selftest-matrix-io.yml @@ -32,7 +32,7 @@ jobs: exec >&2 # our only output is logging printf "keys=[10, 27]" >> "$GITHUB_OUTPUT" # for scale testing: - ###seq 30 | shuf | jq -R | jq -cs | tee -a "$GITHUB_OUTPUT" + #seq 30 | shuf | jq -R | jq -cs | tee -a "$GITHUB_OUTPUT" fan-out: name: Compute Squares diff --git a/.github/workflows/tacos_unlock.yml b/.github/workflows/tacos_unlock.yml index ef746e1a..6357e880 100644 --- a/.github/workflows/tacos_unlock.yml +++ b/.github/workflows/tacos_unlock.yml 
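Review bot: `find "$path"\` drops the space before the line continuation; bash still joins the lines because the next line begins with whitespace, but it reads as though the backslash belongs to the argument, and a reformatter that strips leading indent would glue `-mindepth` onto `"$path"`. Write `find "$path" \`. The remaining `find` options are outside the hunk.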
@@ -132,7 +132,7 @@ jobs: uses: ./tacos-gha/.github/actions/matrix-fan-out with: path: | - /matrix-fan-out + **/matrix-fan-out matrix: | { "terraformer": "${{env.SUDO_GCP_SERVICE_ACCOUNT}}" } @@ -157,7 +157,7 @@ jobs: uses: ./tacos-gha/.github/actions/matrix-fan-in with: path: | - /matrix-fan-out + **/matrix-fan-out - name: Summarize id: summary run: | diff --git a/lib/ci/bin/unlock-one b/lib/ci/bin/unlock-one index 74e5f58e..522ccc56 100755 --- a/lib/ci/bin/unlock-one +++ b/lib/ci/bin/unlock-one @@ -3,4 +3,4 @@ set -euo pipefail export TF_ROOT_MODULE=$1 -tf-step-summary "TACOS Unlock" tf-lock-release \ No newline at end of file +tf-step-summary "TACOS Unlock" tf-lock-release From 53ad5470d6c6ff54c304306754eb2e7c2d4049a0 Mon Sep 17 00:00:00 2001 From: TACOS-gha Tester Date: Wed, 5 Jun 2024 14:04:15 -0700 Subject: [PATCH 100/102] auto-commit: GHA deps, for test --- lib/ci/unlock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/ci/unlock b/lib/ci/unlock index 3776b60e..cc3cf377 100755 --- a/lib/ci/unlock +++ b/lib/ci/unlock @@ -5,7 +5,7 @@ exec 1>&2 # stdout is reserved for tf plan/apply results ( echo "### TACOS Unlock" echo - if results=$(xargs -r -P20 -n1 unlock-one 2>&1); then + if results=$(xargs -r -P1 -n1 unlock-one 2>&1); then cat < From 0e68854d8816ae5f8fe834a141d30c1bc7e719e4 Mon Sep 17 00:00:00 2001 From: kneeyo1 Date: Wed, 5 Jun 2024 14:32:29 -0700 Subject: [PATCH 101/102] Move cache before cd --- lib/tf_lock/release.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/tf_lock/release.py b/lib/tf_lock/release.py index 3dadd0e6..4b6ba40e 100644 --- a/lib/tf_lock/release.py +++ b/lib/tf_lock/release.py 
@@ -109,8 +109,8 @@ def tf_lock_release(root_module: OSPath, env: Environ) -> None:
 tf_user = f"{get_current_user(env)}@{get_current_host(env)}"
 lock_user = lock_info["Who"]
 if tf_user == lock_user:
+ cache = cache_get(root_module)
 with sh.cd(tf_working_dir(root_module)):
- cache = cache_get(root_module)
 if cache:
 try:
 sh.json(("gcloud", "storage", "rm", cache))
From a371bad865c694a3bd2c065bd7be4d62f097dbee Mon Sep 17 00:00:00 2001
From: kneeyo1
Date: Wed, 5 Jun 2024 15:07:47 -0700
Subject: [PATCH 102/102] find the correct lock id
---
 lib/tf_lock/tf_lock_info.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/lib/tf_lock/tf_lock_info.py b/lib/tf_lock/tf_lock_info.py
index 0e6f145c..95608e29 100755
--- a/lib/tf_lock/tf_lock_info.py
+++ b/lib/tf_lock/tf_lock_info.py
@@ -61,6 +61,18 @@ def tf_lock_info(tg_root_module: OSPath) -> json.Object:
 else:
 assert isinstance(lock_info, dict)
 lock_info["lock"] = True
+
+ # the ID from the lockfile is the UUID, not the actual lock ID.
+ # https://github.com/hashicorp/terraform/blob/main/internal/backend/remote-state/gcs/client.go#L117
+ # We can pull out the lock id from the generation value. metadata = sh.json(("gcloud", "storage", "ls", path, "--json")) assert isinstance(metadata, list) for metadata in metadata: assert isinstance(metadata, dict) metadata = metadata["metadata"] assert isinstance(metadata, dict) lock_info["ID"] = metadata["generation"] + assert isinstance(lock_info, dict)
 if lock_info["lock"]:
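Review bot: Moving `cache = cache_get(root_module)` ahead of `sh.cd(tf_working_dir(root_module))` changes which directory `cache_get` runs in, which is presumably the point of the commit, but nothing on the line says so and the next refactor can move it back inside the `with` without noticing. A one-line comment on the moved line, e.g. `# must run before the cd below: cache_get depends on the caller's cwd`, would record the constraint — adjust the wording once checked against `cache_get`, whose definition and the rest of `tf_lock_release` are outside the hunk.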