From ca4077795fd6273ddbafffad07806a498e6c9c3e Mon Sep 17 00:00:00 2001
From: matttrach
Date: Wed, 29 Nov 2023 16:57:28 -0600
Subject: [PATCH 1/3] fix: network acl id will be modified by AWS
Signed-off-by: matttrach
---
 modules/vpc/main.tf | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/modules/vpc/main.tf b/modules/vpc/main.tf
index 30a1636..60be80a 100644
--- a/modules/vpc/main.tf
+++ b/modules/vpc/main.tf
@@ -20,6 +20,11 @@ resource "aws_vpc" "new" {
 Name = local.name
 }
 assign_generated_ipv6_cidr_block = true
+ lifecycle {
+ ignore_changes = [
+ default_network_acl_id,
+ ]
+ }
 }
 resource "aws_internet_gateway" "new" {
 count = local.create
From 1f0dfb200006734054ad49a4f64ead3928abd3f2 Mon Sep 17 00:00:00 2001
From: matttrach
Date: Wed, 29 Nov 2023 17:31:44 -0600
Subject: [PATCH 2/3] fix: update workflows with release please and friends
Signed-off-by: matttrach
---
 .github/workflows/release.yaml | 77 ++++++++++++++++++++------------
 .github/workflows/tests.yaml | 52 +++++++++------------
 .github/workflows/updatecli.yaml | 2 +-
 README.md | 7 +--
 flake.lock | 25 ++---------
 flake.nix | 46 +++++++++++++++----
 6 files changed, 113 insertions(+), 96 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index a2d3a88..6d818b0 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -7,58 +7,79 @@ on: env: AWS_REGION: us-west-1 - TERRAFORM_VERSION: 1.5.7 + AWS_ROLE: arn:aws:iam::270074865685:role/terraform-module-ci-test -permissions: - id-token: write - contents: write - pull-requests: write - issues: write +permissions: write-all jobs: release: runs-on: ubuntu-latest steps: - - name: release-please + - uses: google-github-actions/release-please-action@v3 id: release-please - uses: google-github-actions/release-please-action@v3 with: release-type: terraform-module pull-request-title-pattern: "chore${scope}: release${component} ${version}" - - - name: 'Remind to wait' - uses: peter-evans/create-or-update-comment@v3 + - uses: peter-evans/create-or-update-comment@v3 + name: 'Remind to wait' if: steps.release-please.outputs.pr with: issue-number: ${{ fromJson(steps.release-please.outputs.pr).number }} body: | Please make sure e2e tests pass before merging this PR! ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} - - - name: 'Configure AWS credentials' - uses: aws-actions/configure-aws-credentials@v4 + - uses: actions/checkout@v4 + if: steps.release-please.outputs.pr + with: + token: ${{secrets.GITHUB_TOKEN}} + - uses: DeterminateSystems/nix-installer-action@main + if: steps.release-please.outputs.pr + - name: 'Restore Nix Store Cache' + if: steps.release-please.outputs.pr + id: cache-nix-store-restore + uses: actions/cache/restore@v3 + with: + path: /nix/store + key: nix-store + - uses: nicknovitski/nix-develop@v1 + if: steps.release-please.outputs.pr + - name: 'Cache Nix Store' if: steps.release-please.outputs.pr + id: cache-nix-store-save + uses: actions/cache/save@v3 with: - role-to-assume: arn:aws:iam::270074865685:role/terraform-module-ci-test + path: /nix/store + key: ${{ steps.cache-nix-store-restore.outputs.cache-primary-key }} + - uses: aws-actions/configure-aws-credentials@v4 + if: steps.release-please.outputs.pr + with: + role-to-assume: ${{env.AWS_ROLE}} role-session-name: 
${{github.job}}-${{github.run_id}}-${{github.run_number}}-${{github.run_attempt}} aws-region: ${{env.AWS_REGION}} - - - uses: actions/checkout@v4 + - name: 'Restore Terraform Cache' if: steps.release-please.outputs.pr - - - name: Setup Terraform - uses: hashicorp/setup-terraform@v3 + id: cache-terraform-restore + uses: actions/cache/restore@v3 + with: + path: ${{ github.workspace }}/.terraform + key: terraform + - run: terraform init -upgrade + if: steps.release-please.outputs.pr + - name: 'Cache Terraform' if: steps.release-please.outputs.pr + id: cache-terraform-save + uses: actions/cache/save@v3 with: - terraform_version: ${{env.TERRAFORM_VERSION}} - terraform_wrapper: false - - - name: 'Run Terratest' + path: ${{ github.workspace }}/.terraform + key: ${{ steps.cache-terraform-restore.outputs.cache-primary-key }} + - run: cd ./tests && go test -v -timeout=40m -parallel=10 + name: 'Terratest' if: steps.release-please.outputs.pr - run: cd ./tests && go test -v -timeout=40m -parallel=10 - - - name: 'Report Success' - uses: peter-evans/create-or-update-comment@v3 + env: + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} + GITHUB_OWNER: rancher + - uses: peter-evans/create-or-update-comment@v3 + name: 'Report Success' if: steps.release-please.outputs.pr with: issue-number: ${{ fromJson(steps.release-please.outputs.pr).number }} diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index c4f8754..5157088 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml 
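Review bot: `permissions: write-all` replaces the four explicitly listed scopes with every scope the GITHUB_TOKEN can carry, and that token is then passed to `actions/checkout` (`token: ${{secrets.GITHUB_TOKEN}}`) and exported as `GITHUB_TOKEN` into the Terratest run that also holds the assumed AWS role, so the previous list (`id-token: write`, `contents: write`, `pull-requests: write`, `issues: write`) should be restored since nothing visible in the job needs more. In the same hunk `DeterminateSystems/nix-installer-action@main` is a mutable branch reference executed before the credentials step in a job holding that token; pin it, and the `@v1`/`@v3`/`@v4` tags, to full commit SHAs so an upstream push cannot change what runs with write access. The `actions/cache/restore` steps use the constant keys `nix-store` and `terraform` and the save steps reuse `cache-primary-key`, so once a cache exists the save will be reported as already present and skipped and the restored `/nix/store` and `.terraform` never refresh; keys derived from `hashFiles('flake.lock')` and the Terraform lock/`.tf` files would make the cache track the inputs. The workflow's `on:` trigger lies outside the hunk, so whether this job can run on pull requests from forks cannot be confirmed here.

```yaml
permissions:
  id-token: write        # OIDC token for aws-actions/configure-aws-credentials
  contents: write
  pull-requests: write   # release PR and the two comment steps
  issues: write

# … unchanged: release-please, reminder comment, checkout, nix installer …
          key: nix-store-${{ runner.os }}-${{ hashFiles('flake.lock') }}
# … unchanged: nix-develop, nix store save, AWS credentials, terraform restore …
          key: terraform-${{ runner.os }}-${{ hashFiles('**/*.tf', '**/.terraform.lock.hcl') }}
```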
@@ -4,57 +4,45 @@ on: pull_request: branches: - main -env: - TERRAFORM_VERSION: 1.5.7 jobs: terraform: name: 'Terraform' runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Setup Terraform - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: ${{env.TERRAFORM_VERSION}} - terraform_wrapper: false - - - name: Init Basic - run: cd examples/basic && terraform init -upgrade - - - name: Validate Basic - run: cd examples/basic && terraform validate + - uses: actions/checkout@v4 + - uses: DeterminateSystems/nix-installer-action@main + - uses: DeterminateSystems/magic-nix-cache-action@main + - uses: nicknovitski/nix-develop@v1 + - run: cd examples/basic && terraform version && terraform init -upgrade && terraform validate + + actionlint: + name: 'Lint Workflows' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: DeterminateSystems/nix-installer-action@main + - uses: DeterminateSystems/magic-nix-cache-action@main + - uses: nicknovitski/nix-develop@v1 + - run: actionlint tflint: name: 'TFLint' runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 - + - uses: actions/checkout@v4 - uses: terraform-linters/setup-tflint@v4 - name: Setup TFLint with: tflint_version: latest - - - name: Show version - run: tflint --version - - - name: Init TFLint - run: tflint --init - - - name: Run TFLint - run: tflint -f compact + - run: tflint --version + - run: tflint --init + - run: tflint -f compact shellcheck: name: Shellcheck runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - name: Run ShellCheck - uses: ludeeus/action-shellcheck@master + - uses: ludeeus/action-shellcheck@master validate-commit-message: name: Validate Commit Message diff --git a/.github/workflows/updatecli.yaml b/.github/workflows/updatecli.yaml index d501927..04dc9f4 100644 --- a/.github/workflows/updatecli.yaml +++ b/.github/workflows/updatecli.yaml 
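Review bot: The shellcheck job loses its checkout in this hunk — the old `- uses: actions/checkout@v4` and `- name: Run ShellCheck` lines are removed and only `- uses: ludeeus/action-shellcheck@master` is added — so the action runs against an empty workspace and the job passes without linting any script; add `- uses: actions/checkout@v4` back as the first step of `shellcheck`. The hunk also introduces three mutable-ref actions (`DeterminateSystems/nix-installer-action@main`, `DeterminateSystems/magic-nix-cache-action@main`, `ludeeus/action-shellcheck@master`) into a workflow whose visible trigger is `pull_request` on `main`; pin each to a full commit SHA so what executes on every PR cannot be changed by a push to those upstream branches. The `terraform` job now depends on the dev shell's `shellHook` to put `terraform` on PATH rather than an explicit setup step, so a failure there will surface only as `terraform version` not being found rather than as a clear install error.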
@@ -15,7 +15,7 @@ permissions: jobs: updatecli: runs-on: ubuntu-latest - if: github.ref == 'refs/heads/master' + if: github.ref == 'refs/heads/main' steps: - name: Checkout uses: actions/checkout@v4 diff --git a/README.md b/README.md index e8179fb..55ec536 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,5 @@ # Terraform AWS Access -WARNING! This is a work in progress and not ready to be used. - -This is an "Independent" module, please see [terraform.md](./terraform.md) for more information. - ## AWS Access The first step to using the AWS modules is having an AWS account, [here](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-creating.html) is a document describing this process. @@ -48,9 +44,8 @@ These tools are not necessary, but they can make it much simpler to collaborate. * I navigate to the `tests` directory and run `go test -v -timeout=5m -parallel=10` * To run an individual test I nvaigate to the `tests` directory and run `go test -v -timeout=5m -run ` * eg. `go test -v -timeout=5m -run TestBasic` -* I use `override.tf` files to change the values of `examples` to personalized data so that I can run them -Our continuous integration tests in the GitHub [ubuntu-latest runner](https://github.com/actions/runner-images/blob/main/images/linux/Ubuntu2204-Readme.md), which has many different things installed. +Our continuous integration tests in the GitHub [ubuntu-latest runner](https://github.com/actions/runner-images/blob/main/images/linux/Ubuntu2204-Readme.md), which has many different things installed, we use nix to add dependencies. ### Override Tests diff --git a/flake.lock b/flake.lock index c9dd6aa..d415d0f 100644 --- a/flake.lock +++ b/flake.lock 
@@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1698553279, - "narHash": "sha256-T/9P8yBSLcqo/v+FTOBK+0rjzjPMctVymZydbvR/Fak=", + "lastModified": 1701174899, + "narHash": "sha256-1W+FMe8mWsJKXoBc+QgKmEeRj33kTFnPq7XCjU+bfnA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "90e85bc7c1a6fc0760a94ace129d3a1c61c3d035", + "rev": "010c7296f3b19a58b206fdf7d68d75a5b0a09e9e", "type": "github" }, "original": { @@ -34,27 +34,10 @@ "type": "github" } }, - "nixpkgs-terraform": { - "locked": { - "lastModified": 1694118906, - "narHash": "sha256-XN5GagDT6y+5/+ztPzCn2h0HyWEsyJPZwJrMhmnRPmM=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "39ed4b64ba5929e8e9221d06b719a758915e619b", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "39ed4b64ba5929e8e9221d06b719a758915e619b", - "type": "github" - } - }, "root": { "inputs": { "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs", - "nixpkgs-terraform": "nixpkgs-terraform" + "nixpkgs": "nixpkgs" } }, "systems": { diff --git a/flake.nix b/flake.nix index 752ae1b..769fda7 100644 --- a/flake.nix +++ b/flake.nix @@ -1,8 +1,8 @@ { # validate a flake with 'nix flake check .' # alias the use of flakes with: "alias nix='nix --extra-experimental-features nix-command --extra-experimental-features flakes'" - # you can also set a config file at ~/.config/nix/nix.conf or /etc/nix.conf, but I wanted to remove that dependency + # WARNING! this is linux/mac only! description = "A reliable testing environment"; # https://status.nixos.org/ has the latest channels, it is recommended to use a commit hash 
@@ -19,29 +19,59 @@ #inputs.nixpkgs.follows = "nixpkgs/0228346f7b58f1a284fdb1b72df6298b06677495"; inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; - nixpkgs-terraform.url = "github:/NixOS/nixpkgs/39ed4b64ba5929e8e9221d06b719a758915e619b"; flake-utils.url = "github:numtide/flake-utils"; }; - outputs = { self, nixpkgs, nixpkgs-terraform, flake-utils }: + outputs = { self, nixpkgs, flake-utils, ... }: flake-utils.lib.eachDefaultSystem (system: # 'legacy' is not bad, it looks for previously imported nixpkgs # this allows idempotent loading of nixpkgs in dependent flakes # https://discourse.nixos.org/t/using-nixpkgs-legacypackages-system-vs-import/17462/8 let pkgs = nixpkgs.legacyPackages.${system}; - pkgs-terraform = nixpkgs-terraform.legacyPackages.${system}; + + # get "leftovers" bin from release and add it to shell + leftovers-version = { + # remember when updating the version to also update the shas + # to get the sha, download the file and run 'nix hash file ' + "selected" = "v0.70.0"; + }; + leftovers-urls = { + "x86_64-darwin" = "https://github.com/genevieve/leftovers/releases/download/${leftovers-version.selected}/leftovers-${leftovers-version.selected}-darwin-amd64"; + "aarch64-darwin" = "https://github.com/genevieve/leftovers/releases/download/${leftovers-version.selected}/leftovers-${leftovers-version.selected}-darwin-arm64"; + "x86_64-linux" = "https://github.com/genevieve/leftovers/releases/download/${leftovers-version.selected}/leftovers-${leftovers-version.selected}-linux-amd64"; + }; + leftovers-shas = { + "x86_64-linux" = "sha256-D2OPjLlV5xR3f+dVHu0ld6bQajD5Rv9GLCMCk9hXlu8="; + "x86_64-darwin" = "sha256-HV12kHqB14lGDm1rh9nD1n7Jvw0rCnxmjC9gusw7jfo="; + "aarch64-darwin" = "sha256-Tw7G538RYZrwIauN7kI68u6aKS4d/0Efh+dirL/kzoM="; + }; + leftovers = pkgs.runCommand "leftovers-${leftovers-version.selected}" {} '' + cp ${pkgs.fetchurl { + url = leftovers-urls."${system}"; + sha256 = leftovers-shas."${system}"; + }} $out + chmod +x $out + ''; + 
leftovers-wrapper = pkgs.writeShellScriptBin "leftovers" '' + exec ${leftovers} "$@" + ''; in { - devShell = pkgs.mkShell { - buildInputs = with pkgs; with pkgs-terraform; [ + devShells.default = pkgs.mkShell { + buildInputs = with pkgs; [ bashInteractive git - terraform tflint shellcheck + tfswitch + actionlint + act ]; shellHook = '' - source .envrc + rm -rf "/usr/local/bin/switched-terraform" + install -d "/usr/local/bin/switched-terraform" + tfswitch -b "/usr/local/bin/switched-terraform/terraform" -d "1.5.7" 1.5.7 > /dev/null; + export PATH="$PATH:${leftovers-wrapper}/bin:/usr/local/bin/switched-terraform"; ''; }; } From 1e306da0594c9a2bda77c42ec62b32da3f43adbb Mon Sep 17 00:00:00 2001 From: matttrach Date: Wed, 29 Nov 2023 17:38:00 -0600 Subject: [PATCH 3/3] fix: explicit dependency chain Signed-off-by: matttrach --- modules/vpc/main.tf | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/modules/vpc/main.tf b/modules/vpc/main.tf index 60be80a..a5a4709 100644 --- a/modules/vpc/main.tf +++ b/modules/vpc/main.tf @@ -20,18 +20,22 @@ resource "aws_vpc" "new" { Name = local.name } assign_generated_ipv6_cidr_block = true - lifecycle { - ignore_changes = [ - default_network_acl_id, - ] - } } + resource "aws_internet_gateway" "new" { count = local.create + depends_on = [ + aws_vpc.new, + ] vpc_id = aws_vpc.new[0].id } + resource "aws_route" "public" { count = local.create + depends_on = [ + aws_internet_gateway.new, + aws_vpc.new, + ] route_table_id = aws_vpc.new[0].default_route_table_id gateway_id = aws_internet_gateway.new[0].id destination_cidr_block = "0.0.0.0/0"
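Review bot: The new `shellHook` appends to PATH (`export PATH="$PATH:${leftovers-wrapper}/bin:/usr/local/bin/switched-terraform"`), so any `terraform` already earlier on the caller's PATH — presumably including the one preinstalled on the GitHub runner image, if `nix develop` keeps the outer PATH — shadows the 1.5.7 binary tfswitch just installed; prepend instead: `export PATH="/usr/local/bin/switched-terraform:${leftovers-wrapper}/bin:$PATH"`. The hook also does `rm -rf` and `install -d` under `/usr/local/bin` on every shell entry and discards tfswitch's stdout, with no check that the install succeeded, so on a machine where that directory is not user-writable the shell still opens and `terraform` is simply absent; a project-local or `$TMPDIR`-based target would avoid touching a system path from a dev shell. The `leftovers` download is pinned by `sha256` per platform, which is the right pattern — a comment noting that `leftovers-shas` must be regenerated with `nix hash file` on every `selected` bump already exists and could name that the set must cover all three systems or the `leftovers-shas."${system}"` lookup fails at evaluation.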
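Review bot: The `depends_on` lists added to `aws_internet_gateway.new` and `aws_route.public` duplicate dependencies Terraform already infers from `aws_vpc.new[0].id`, `aws_vpc.new[0].default_route_table_id` and `aws_internet_gateway.new[0].id`, so they change no ordering, and the documented cost of `depends_on` is more conservative planning; if the intent is only to document the chain, a comment does that without the meta-argument. A caveat worth recording on `aws_route.public` is that it attaches `0.0.0.0/0` to the VPC's *default* route table, so every subnet not explicitly associated with another table becomes internet-routable by default — e.g. `# NOTE: this targets the VPC default route table; subnets without an explicit association inherit this public route.` Patches 1/3 and 3/3 of this series add and then remove the same `lifecycle` block, so squashing them would keep the history clean.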