From d0910026935da61b3aea5f4da8bb96efda2d2577 Mon Sep 17 00:00:00 2001 From: matttrach Date: Fri, 2 Feb 2024 11:47:46 -0600 Subject: [PATCH] fix: update workflow to include id tag, cleanup, new flake, etc 
Signed-off-by: matttrach --- .envrc | 29 +++-- .github/workflows/cleanup.yaml | 117 ++++++++++++++++++ .github/workflows/release.yaml | 19 +-- .github/workflows/update.yaml | 56 +++++++++ .github/workflows/updatecli.yaml | 45 ------- .../workflows/{tests.yaml => validate.yaml} | 43 ++++++- examples/basic/README.md | 10 -- examples/basic/main.tf | 27 ++-- examples/basic/variables.tf | 3 + examples/override/README.md | 7 -- examples/override/main.tf | 18 ++- examples/override/variables.tf | 3 + examples/personal/README.md | 9 -- examples/personal/main.tf | 22 ++-- examples/personal/variables.tf | 3 + examples/project/README.md | 8 -- examples/project/main.tf | 22 ++-- examples/project/variables.tf | 3 + examples/sgip/main.tf | 14 ++- examples/sgip/variables.tf | 7 +- examples/skipsecuritygroup/main.tf | 19 ++- examples/skipsecuritygroup/variables.tf | 3 + examples/skipssh/main.tf | 15 ++- examples/skipssh/variables.tf | 7 +- examples/skipsubnet/main.tf | 19 ++- examples/skipsubnet/variables.tf | 3 + examples/skipvpc/main.tf | 17 ++- examples/skipvpc/variables.tf | 3 + examples/specifyip/main.tf | 25 ++-- examples/specifyip/variables.tf | 3 + flake.lock | 12 +- flake.nix | 75 ++++++++--- tests/basic_test.go | 11 +- tests/override_test.go | 9 +- tests/personal_test.go | 11 +- tests/project_test.go | 11 +- tests/sgip_test.go | 13 +- tests/skip_test.go | 47 ++++--- tests/specifyip_test.go | 13 +- tests/util_test.go | 9 +- 40 files changed, 555 insertions(+), 235 deletions(-) create mode 100644 .github/workflows/cleanup.yaml create mode 100644 .github/workflows/update.yaml delete mode 100644 .github/workflows/updatecli.yaml rename .github/workflows/{tests.yaml => validate.yaml} (65%) delete mode 100644 examples/basic/README.md delete mode 100644 examples/override/README.md delete mode 100644 examples/personal/README.md delete mode 100644 examples/project/README.md diff --git a/.envrc b/.envrc index 5c974c6..23ea8d5 100644 --- a/.envrc +++ b/.envrc 
@@ -15,23 +15,30 @@ if [ -z "${NIX_ENV_LOADED}" ]; then --keep AWS_ACCESS_KEY_ID \ --keep AWS_SECRET_ACCESS_KEY \ --keep AWS_SESSION_TOKEN \ - --keep TERM \ + --keep UPDATECLI_GPGTOKEN \ + --keep UPDATECLI_GITHUB_TOKEN \ + --keep UPDATECLI_GITHUB_ACTOR \ + --keep GPG_SIGNING_KEY \ --keep NIX_ENV_LOADED \ + --keep TERM \ $(pwd) else echo "setting up dev environment..." + source .aliases source .functions source .variables source .rcs - source .aliases - - if [ -z "$SSH_AUTH_SOCK" ]; then eval $(ssh-agent -s); fi - - if [ -z "$(env | grep 'AWS')" ]; then - echo "Unable to find AWS authentication information in the environment, please make sure you authenticate with AWS."; - fi - if [ -z "$(env | grep 'GITHUB_TOKEN')" ]; then - echo "Unable to find GITHUB authentication information in the environment, please make sure you authenticate with GITHUB."; - fi +fi +if [ -z "$SSH_AUTH_SOCK" ]; then + echo "Unable to find SSH_AUTH_SOCK, is your agent running?"; +fi +if [ -z "$(ssh-add -l | grep -v 'The agent has no identities.')" ]; then + echo "Your agent doesn't appear to have any identities loaded, please load a key or forward your agent."; +fi +if [ -z "$(env | grep 'AWS')" ]; then + echo "Unable to find AWS authentication information in the environment, please make sure you authenticate with AWS."; +fi +if [ -z "$(env | grep 'GITHUB_TOKEN')" ]; then + echo "Unable to find GITHUB authentication information in the environment, please make sure you authenticate with GITHUB."; fi diff --git a/.github/workflows/cleanup.yaml b/.github/workflows/cleanup.yaml new file mode 100644 index 0000000..2f6f519 --- /dev/null +++ b/.github/workflows/cleanup.yaml 
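Review bot: The AWS and GitHub presence checks at the end of the hunk only test that some line of `env` contains a substring: `env | grep 'AWS'` is satisfied by `AWS_REGION` or `AWS_DEFAULT_REGION`, which this same file keeps in the shell, and `grep 'GITHUB_TOKEN'` is satisfied by the newly kept `UPDATECLI_GITHUB_TOKEN`, so a missing credential produces no warning at all. Test the credential variables themselves, e.g. `if [ -z "${AWS_ACCESS_KEY_ID:-}${AWS_PROFILE:-}" ]; then` and `if [ -z "${GITHUB_TOKEN:-}" ]; then`. The `ssh-add -l` check also lets the agent's own connection error through to stderr when `SSH_AUTH_SOCK` is unset, so the two warnings overlap; `ssh-add -l 2>/dev/null` keeps it to one message per problem. The `nix develop` invocation these `--keep` lines belong to starts above the hunk.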
@@ -0,0 +1,117 @@
+name: cleanup
+
+on:
+ schedule:
+ # At minute 30 past every 6th hour from 5 through 18 on every day-of-week from Monday through Friday.
+ # 6:30, 12:30, 18:30
+ - cron: '30 5-18/6 * * 1-5'
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+permissions: write-all
+
+env:
+ AWS_REGION: us-west-1
+ AWS_ROLE: arn:aws:iam::270074865685:role/terraform-module-ci-test
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
+jobs:
+ leftovers:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: DeterminateSystems/nix-installer-action@main
+ - uses: DeterminateSystems/magic-nix-cache-action@main
+ - uses: nicknovitski/nix-develop@v1.1.0
+ with:
+ arguments: |
+ --ignore-environment \
+ --extra-experimental-features nix-command \
+ --extra-experimental-features flakes \
+ --keep HOME \
+ --keep SSH_AUTH_SOCK \
+ --keep GITHUB_TOKEN \
+ --keep AWS_ROLE \
+ --keep AWS_REGION \
+ --keep AWS_DEFAULT_REGION \
+ --keep AWS_ACCESS_KEY_ID \
+ --keep AWS_SECRET_ACCESS_KEY \
+ --keep AWS_SESSION_TOKEN \
+ --keep UPDATECLI_GPGTOKEN \
+ --keep UPDATECLI_GITHUB_TOKEN \
+ --keep UPDATECLI_GITHUB_ACTOR \
+ --keep GPG_SIGNING_KEY \
+ --keep NIX_ENV_LOADED \
+ --keep TERM \
+ ${{ github.workspace }}
+ - name: Get Ids
+ id: get_ids
+ # 86400 = 24 hours in seconds (24 * 60 * 60)
+ # you might increase this number if you need to look back further for leftovers
+ run: |
+ DATA="$( \
+ curl -s \
+ --header 'Authorization: Bearer ${{secrets.GITHUB_TOKEN}}' \
+ '${{github.api_url}}/repos/${{github.repository}}/actions/runs' \
+ | jq -r '.workflow_runs[] | select(.created_at > (now - 86400)) | select(.status != "in_progress") | select((.name |= ascii_downcase | .name) == "release") | "\((.name |= ascii_downcase | .name))-\(.id)-\(.run_number)-\(.run_attempt)"' \
+ | jq -R -s -c 'split("\n")[:-1]' \
+ )"
+ echo ids="$DATA" >> "$GITHUB_OUTPUT"
+ - uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{env.AWS_ROLE}}
+ role-session-name: ${{github.job}}-${{github.run_id}}-${{github.run_number}}-${{github.run_attempt}}
+ aws-region: ${{env.AWS_REGION}}
+ # rather than actually delete things, it errors and notifies so that you can run leftovers interactively
+ # WARNING! if '--filter=""' then you will find everything in a region
+ # WARNING! if '-d' is missing you will delete everything that is found
+ - name: find-leftovers
+ run: |
+ check_leftovers() {
+ local id="$1"
+ local region="$2"
+ echo "checking for leftovers in $region for $id"
+ leftovers -d --iaas=aws --aws-region="$region" --filter="$id" \
+ | grep -Pv 'is not authorized to perform|status code:|Access Denied' \
+ >> leftovers.output
+ return $?
+ }
+ issue_body() {
+ local region="$1"
+ local id="$2"
+ local output="$3"
+ local url="$4"
+ local found="Leftovers were found in region $region with id $id.\n"
+ local tics='\n```\n'
+ BODY="$found $url $tics $output $tics"
+ echo -n "$BODY"
+ }
+ post_issue() {
+ local id="$1"
+ local region="$2"
+ local output="$3"
+ echo "found some leftovers for $id in $region"
+ echo "please clean up with leftovers tool"
+ local url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+ echo -n '{"title":"Leftovers Found!","body":"' > data.json
+ issue_body "$region" "$id" "$output" "$url" >> data.json
+ echo -n '","labels":["leftovers"]}' >> data.json
+ cat data.json
+ jq '.' data.json
+ curl -s -X POST -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -d @data.json "${{ github.api_url }}/repos/${{ github.repository }}/issues"
+ }
+
+ ID_LIST='${{ steps.get_ids.outputs.ids }}'
+ DATA=$(jq -r .[] <<< "$ID_LIST")
+ echo "" > leftovers.output
+ REGIONS="us-west-1 us-west-2"
+
+ for id in $DATA; do
+ for region in $REGIONS; do
+ if check_leftovers "$id" "$region"; then
+ output="$(awk '{printf "%s\\n", $0}' leftovers.output)";
+ post_issue "$id" "$region" "$output";
+ exit 1;
+ fi
+ done
+ done
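Review bot: The 24-hour window in the Get Ids step never filters anything: `.created_at` is an ISO-8601 string and `now - 86400` is a number, and jq orders every string above every number, so `select(.created_at > (now - 86400))` is true for every run the API returns. Compare timestamps instead, `select((.created_at | fromdateiso8601) > (now - 86400))`. The job also runs with `permissions: write-all` although the visible steps only assume an AWS role through OIDC and create issues, so a `permissions:` block with `id-token: write`, `issues: write` and `contents: read` is enough and bounds what the two `@main`-pinned DeterminateSystems actions can do with the token; pinning those to a release tag or commit SHA removes the moving target entirely. Note too that `post_issue` splices the raw leftovers output into JSON by string concatenation, so a resource name containing a double quote produces an invalid request; `jq -n --arg body "$output" ...` would build the payload safely.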
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index f05d791..84cffeb 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -1,4 +1,4 @@
-name: Release
+name: release

 on:
 push:
@@ -40,12 +40,6 @@ jobs:
 if: steps.release-please.outputs.pr
 - run: sudo chmod 0755 /nix/store
 if: steps.release-please.outputs.pr
- - uses: actions/cache/restore@v4
- id: cache-nix-restore
- if: steps.release-please.outputs.pr
- with:
- path: /nix/store
- key: nix-${{ hashFiles('**/flake.nix') }}
 - uses: DeterminateSystems/nix-installer-action@main
 if: steps.release-please.outputs.pr
 - uses: nicknovitski/nix-develop@v1.1.0
@@ -64,14 +58,13 @@ jobs:
 --keep AWS_ACCESS_KEY_ID \
 --keep AWS_SECRET_ACCESS_KEY \
 --keep AWS_SESSION_TOKEN \
+ --keep UPDATECLI_GPGTOKEN \
+ --keep UPDATECLI_GITHUB_TOKEN \
+ --keep UPDATECLI_GITHUB_ACTOR \
+ --keep GPG_SIGNING_KEY \
+ --keep NIX_ENV_LOADED \
 --keep TERM \
 ${{ github.workspace }}
- - uses: actions/cache/save@v4
- id: cache-nix-save
- if: steps.release-please.outputs.pr
- with:
- path: /nix/store
- key: ${{ steps.cache-nix-restore.outputs.cache-primary-key }}
 - uses: aws-actions/configure-aws-credentials@v4
 if: steps.release-please.outputs.pr
 with:
diff --git a/.github/workflows/update.yaml b/.github/workflows/update.yaml
new file mode 100644
index 0000000..1fb0611
--- /dev/null
+++ b/.github/workflows/update.yaml
@@ -0,0 +1,56 @@
+name: update
+
+on:
+ schedule:
+ # Runs at 06 PM UTC
+ - cron: '0 18 * * *'
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+permissions: write-all
+
+jobs:
+ updatecli:
+ runs-on: ubuntu-latest
+ if: github.ref == 'refs/heads/main'
+ steps:
+ - uses: actions/checkout@v4
+ - uses: DeterminateSystems/nix-installer-action@main
+ - uses: nicknovitski/nix-develop@v1.1.0
+ with:
+ arguments: |
+ --ignore-environment \
+ --extra-experimental-features nix-command \
+ --extra-experimental-features flakes \
+ --keep HOME \
+ --keep SSH_AUTH_SOCK \
+ --keep GITHUB_TOKEN \
+ --keep AWS_ROLE \
+ --keep AWS_REGION \
+ --keep AWS_DEFAULT_REGION \
+ --keep AWS_ACCESS_KEY_ID \
+ --keep AWS_SECRET_ACCESS_KEY \
+ --keep AWS_SESSION_TOKEN \
+ --keep UPDATECLI_GPGTOKEN \
+ --keep UPDATECLI_GITHUB_TOKEN \
+ --keep UPDATECLI_GITHUB_ACTOR \
+ --keep GPG_SIGNING_KEY \
+ --keep NIX_ENV_LOADED \
+ --keep TERM \
+ ${{ github.workspace }}
+ - name: Updatecli
+ # Never use '--debug' option, because it might leak the access tokens.
+ run: |
+ gpgconf --kill all
+ echo -n "${{ secrets.GPG_SIGNING_KEY }}" | gpg --import
+ gpg --list-secret-keys --keyid-format=long
+ UPDATECLI_GPGTOKEN="$(gpg -q --list-secret-keys --keyid-format=long | grep 'no-reply@github.com>$' -B2 | grep '^sec'| awk '{print $2}' | awk -F '/' '{print $2}')"
+ UPDATECLI_GPGKEY="$(gpg --armor --export no-reply@github.com)"
+ export UPDATECLI_GPGTOKEN
+ export UPDATECLI_GPGKEY
+ echo "updatecli_gpgtoken is $UPDATECLI_GPGTOKEN"
+ echo "updatecli_gpgkey is $UPDATECLI_GPGKEY"
+ updatecli apply --clean --config ./updatecli/updatecli.d/ --values ./updatecli/values.yaml
+ env:
+ UPDATECLI_GITHUB_ACTOR: ${{ github.actor }}
+ UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/updatecli.yaml b/.github/workflows/updatecli.yaml
deleted file mode 100644
index e61d26c..0000000
--- a/.github/workflows/updatecli.yaml
+++ /dev/null
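Review bot: The Updatecli step embeds the private key in the script text with `echo -n "${{ secrets.GPG_SIGNING_KEY }}" | gpg --import`; an expression inside `run:` is substituted into the generated shell file before it executes, so the key lands on the runner's disk in clear and any shell-significant characters in the armored block are interpreted rather than passed through. The `env:` list two lines below already shows the safe pattern, so add `GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}` there and import with `printf '%s' "$GPG_SIGNING_KEY" | gpg --import`. The echo lines only print the key id and the exported public key, which is fine, but the comment about `--debug` suggests the author cares about log hygiene, so it is worth a note that `gpg --list-secret-keys` output is also logged. `permissions: write-all` and the `@main` pin on `DeterminateSystems/nix-installer-action` are carried over from the deleted workflow; a SHA pin and a scope list limited to what updatecli needs to open pull requests (presumably `contents: write` and `pull-requests: write`) would shrink the blast radius of the scheduled job.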
@@ -1,45 +0,0 @@
-name: "Updatecli"
-
-on:
- schedule:
- # Runs at 06 PM UTC
- - cron: '0 18 * * *'
- # Allows you to run this workflow manually from the Actions tab
- workflow_dispatch:
-
-permissions: write-all
-
-jobs:
- updatecli:
- runs-on: ubuntu-latest
- if: github.ref == 'refs/heads/main'
- steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
- with:
- go-version: 'stable'
- - uses: updatecli/updatecli-action@v2
- - name: 'Delete leftover UpdateCLI branches'
- run: |
- gh pr list \
- --search "is:closed is:pr head:updatecli_" \
- --json headRefName \
- --jq ".[].headRefName" | sort -u > closed_prs_branches.txt
- gh pr list \
- --search "is:open is:pr head:updatecli_" \
- --json headRefName \
- --jq ".[].headRefName" | sort -u > open_prs_branches.txt
- for branch in $(comm -23 closed_prs_branches.txt open_prs_branches.txt); do
- if (git ls-remote --exit-code --heads origin "$branch"); then
- echo "Deleting leftover UpdateCLI branch - $branch";
- git push origin --delete "$branch";
- fi
- done
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - name: Apply Updatecli
- # Never use '--debug' option, because it might leak the access tokens.
- run: "updatecli apply --clean --config ./updatecli/updatecli.d/ --values ./updatecli/values.yaml"
- env:
- UPDATECLI_GITHUB_ACTOR: ${{ github.actor }}
- UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/tests.yaml b/.github/workflows/validate.yaml
similarity index 65%
rename from .github/workflows/tests.yaml
rename to .github/workflows/validate.yaml
index 60e626c..7f620ba 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/validate.yaml
@@ -1,4 +1,4 @@
-name: Tests
+name: validate

 on:
 pull_request:
@@ -27,6 +27,11 @@ jobs:
 --keep AWS_ACCESS_KEY_ID \
 --keep AWS_SECRET_ACCESS_KEY \
 --keep AWS_SESSION_TOKEN \
+ --keep UPDATECLI_GPGTOKEN \
+ --keep UPDATECLI_GITHUB_TOKEN \
+ --keep UPDATECLI_GITHUB_ACTOR \
+ --keep GPG_SIGNING_KEY \
+ --keep NIX_ENV_LOADED \
 --keep TERM \
 ${{ github.workspace }}
 - uses: actions/cache/restore@v4
@@ -64,6 +69,11 @@ jobs:
 --keep AWS_ACCESS_KEY_ID \
 --keep AWS_SECRET_ACCESS_KEY \
 --keep AWS_SESSION_TOKEN \
+ --keep UPDATECLI_GPGTOKEN \
+ --keep UPDATECLI_GITHUB_TOKEN \
+ --keep UPDATECLI_GITHUB_ACTOR \
+ --keep GPG_SIGNING_KEY \
+ --keep NIX_ENV_LOADED \
 --keep TERM \
 ${{ github.workspace }}
 - run: actionlint
@@ -93,3 +103,34 @@ jobs:
 - uses: amannn/action-semantic-pull-request@v5
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ gitleaks:
+ name: 'Scan for Secrets'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: DeterminateSystems/nix-installer-action@main
+ - uses: nicknovitski/nix-develop@v1.1.0
+ with:
+ arguments: |
+ --ignore-environment \
+ --extra-experimental-features nix-command \
+ --extra-experimental-features flakes \
+ --keep HOME \
+ --keep SSH_AUTH_SOCK \
+ --keep GITHUB_TOKEN \
+ --keep AWS_ROLE \
+ --keep AWS_REGION \
+ --keep AWS_DEFAULT_REGION \
+ --keep AWS_ACCESS_KEY_ID \
+ --keep AWS_SECRET_ACCESS_KEY \
+ --keep AWS_SESSION_TOKEN \
+ --keep UPDATECLI_GPGTOKEN \
+ --keep UPDATECLI_GITHUB_TOKEN \
+ --keep UPDATECLI_GITHUB_ACTOR \
+ --keep GPG_SIGNING_KEY \
+ --keep NIX_ENV_LOADED \
+ --keep TERM \
+ ${{ github.workspace }}
+ - run: gitleaks detect --no-banner -v --no-git
+ - run: gitleaks detect --no-banner -v
diff --git a/examples/basic/README.md b/examples/basic/README.md
deleted file mode 100644
index dd445f5..0000000
--- a/examples/basic/README.md
+++ /dev/null
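Review bot: The second gitleaks command in the new job scans commit history, but the `actions/checkout@v4` step above it uses the default `fetch-depth: 1`, so on a pull_request event only the synthetic merge commit is present and a secret committed and then removed earlier in the branch is never examined; give that checkout `with: fetch-depth: 0`. The nix-develop arguments also `--keep` the AWS credentials, `GPG_SIGNING_KEY` and the updatecli tokens, none of which the two gitleaks commands use and none of which this job sets, so the list can shrink to `HOME`, `GITHUB_TOKEN` and `TERM` and a secret-scanning job stops carrying credentials it does not need. Like the sibling jobs it pins `DeterminateSystems/nix-installer-action@main`, which is worth replacing with a tag or SHA since this job runs on every pull request from a fork. The `on:` block this job inherits is outside the hunk.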
@@ -1,10 +0,0 @@ -# Basic Example - -This example has been validated using [Terratest](https://terratest.gruntwork.io/), a Go sdk and test suite for Terraform. -This example deploys a new VPC in your default region, then a subnet within that VPC, a new SSH key to access servers, and a new security group to restrict server access. - -NOTE: It is important to note that this module doesn't generate an ssh key, it imports a given public key to AWS. -This is because you will need the private key added to your ssh agent, -this module (as well as others we create) rely on the security built into open-ssh to manage ssh keys. - -Check out the `basic_test.go` for a simple way to generate a key to hand to this module using the Terratest ssh module. diff --git a/examples/basic/main.tf b/examples/basic/main.tf index bfd6ffd..2246fe0 100644 --- a/examples/basic/main.tf +++ b/examples/basic/main.tf 
@@ -1,20 +1,27 @@ -# this is given for reference, in most cases you will want to set the region using environment variables -# provider "aws" { -# region = "us-west-1" -# } +provider "aws" { + default_tags { + tags = { + Id = local.identifier + } + } +} +locals { + identifier = var.identifier + key = var.key + key_name = var.key_name +} # AWS reserves the first four IP addresses and the last IP address in any CIDR block for its own use (cumulatively) module "TestBasic" { source = "../../" owner = "terraform-ci@suse.com" - vpc_name = "terraform-aws-access-test-basic" + vpc_name = "tf-${local.identifier}" vpc_cidr = "10.0.255.0/24" # gives 256 usable addresses from .1 to .254, but AWS reserves .1 to .4 and .255, leaving .5 to .254 - subnet_name = "terraform-aws-access-test-basic" + subnet_name = "tf-${local.identifier}" subnet_cidr = "10.0.255.224/28" # gives 14 usable addresses from .225 to .238, but AWS reserves .225 to .227 and .238, leaving .227 to .237 availability_zone = "us-west-1b" # check what availability zones are available in your region before setting this - security_group_name = "terraform-aws-access-test-basic" + security_group_name = "tf-${local.identifier}" security_group_type = "egress" - public_ssh_key = var.key # I don't normally recommend this, but it allows tests to supply their own key - ssh_key_name = var.key_name # A lot of troubleshooting during critical times can be saved by hard coding variables in root modules - # root modules should be secured properly (including the state), and should represent your running infrastructure + public_ssh_key = local.key + ssh_key_name = local.key_name } diff --git a/examples/basic/variables.tf b/examples/basic/variables.tf index 63d0a70..7d75481 100644 --- a/examples/basic/variables.tf +++ b/examples/basic/variables.tf @@ -4,3 +4,6 @@ variable "key" { variable "key_name" { type = string } +variable "identifier" { + type = string +} \ No newline at end of file 
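Review bot: The hunk deletes the only comment explaining where the provider's region comes from, and the new `provider "aws"` block still sets no `region`, so a reader now has to guess; keep a one-line `# region is taken from AWS_REGION / AWS_DEFAULT_REGION in the environment` above `default_tags`. The `default_tags` block applies `Id = local.identifier` to every resource the module creates, which is presumably what the cleanup workflow's `--filter` is meant to match, so a comment such as `# Id is the tag the cleanup job keys on when hunting leftovers` ties the two files together for the next maintainer.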
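Review bot: `variable "identifier"` is declared with nothing but a type, yet `main.tf` interpolates it into the VPC, subnet and security-group names and applies it as the `Id` default tag, so an empty or oddly formatted value only fails once the AWS API rejects a name. A `description` and a `validation` block make the contract visible and fail at plan time; the character class and length below are a guess at the tightest AWS name rule the module hits and should be adjusted to match it. The file also loses its trailing newline (`\ No newline at end of file`), which `terraform fmt` will flag.
```hcl
variable "identifier" {
  type        = string
  description = "Per-run identifier interpolated into resource names and applied as the Id default tag."
  validation {
    condition     = can(regex("^[A-Za-z0-9-]{1,40}$", var.identifier))
    error_message = "identifier must be 1-40 characters of letters, digits or hyphens."
  }
}
```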
diff --git a/examples/override/README.md b/examples/override/README.md deleted file mode 100644 index 3cd036f..0000000 --- a/examples/override/README.md +++ /dev/null @@ -1,7 +0,0 @@ -# Override Example - -This example has been validated using [Terratest](https://terratest.gruntwork.io/), a Go sdk and test suite for Terraform. - -This example overrides all objects generating nothing, but resulting in similar output as the basic example usage. -It is important to note that this does not import the objects or try to control them, just find them and use data about them. -This module will fail if it is not able to produce expected output. diff --git a/examples/override/main.tf b/examples/override/main.tf index 91b953f..82ff985 100644 --- a/examples/override/main.tf +++ b/examples/override/main.tf @@ -1,9 +1,19 @@ +provider "aws" { + default_tags { + tags = { + Id = local.identifier + } + } +} +locals { + security_group_name = var.security_group_name + key_name = var.key_name + identifier = var.identifier +} module "TestOverride" { source = "../../" vpc_name = "default" subnet_name = "default" - security_group_name = var.security_group_name - ssh_key_name = var.key_name # I don't normally recommend using variables in root modules, but it allows tests to supply their own key - # A lot of troubleshooting during critical times can be saved by hard coding variables in root modules - # root modules should be secured properly (including the state), and should represent your running infrastructure + security_group_name = local.security_group_name + ssh_key_name = local.key_name } diff --git a/examples/override/variables.tf b/examples/override/variables.tf index 60c095f..70b01e9 100644 --- a/examples/override/variables.tf +++ b/examples/override/variables.tf @@ -3,4 +3,7 @@ variable "key_name" { } variable "security_group_name" { type = string +} +variable "identifier" { + type = string } \ No newline at end of file 
diff --git a/examples/personal/README.md b/examples/personal/README.md deleted file mode 100644 index 9124637..0000000 --- a/examples/personal/README.md +++ /dev/null @@ -1,9 +0,0 @@ -# Personal Example - -This example has been validated using [Terratest](https://terratest.gruntwork.io/), a Go sdk and test suite for Terraform. - -This example selects objects not considered "personal", resulting in similar output as the basic example usage. -This module will fail if it is not able to produce expected output. -When working with a team, it is usually true that there is a shared VPC and subnet, - but each team member has their own security group and ssh key for server access. -Therefore this example selects a VPC and subnet by name, then generates an ssh key and server security group. diff --git a/examples/personal/main.tf b/examples/personal/main.tf index ea5d466..fafa62c 100644 --- a/examples/personal/main.tf +++ b/examples/personal/main.tf 
@@ -1,14 +1,22 @@ -# this test generates objects generally considered personal -# this will generate a security group for your personal ip -# this will generate a ec2 key pair from a provided public key which you have the private key for (making it personal) +provider "aws" { + default_tags { + tags = { + Id = local.identifier + } + } +} +locals { + key = var.key + key_name = var.key_name + identifier = var.identifier +} module "TestPersonal" { source = "../../" owner = "terraform-ci@suse.com" # update this to your email or a group email, the resources will be tagged with this vpc_name = "default" # select the default vpc subnet_name = "default" # select the default subnet - security_group_name = "terraform-aws-access-test-personal" + security_group_name = "tf-${local.identifier}" security_group_type = "egress" - public_ssh_key = var.key # I don't normally recommend this, but it allows tests to supply their own key - ssh_key_name = var.key_name # A lot of troubleshooting during critical times can be saved by hard coding variables in root modules - # root modules should be secured properly (including the state), and should represent your running infrastructure + public_ssh_key = local.key + ssh_key_name = local.key_name } diff --git a/examples/personal/variables.tf b/examples/personal/variables.tf index 63d0a70..7d75481 100644 --- a/examples/personal/variables.tf +++ b/examples/personal/variables.tf @@ -4,3 +4,6 @@ variable "key" { variable "key_name" { type = string } +variable "identifier" { + type = string +} \ No newline at end of file diff --git a/examples/project/README.md b/examples/project/README.md deleted file mode 100644 index a717e16..0000000 --- a/examples/project/README.md +++ /dev/null 
@@ -1,8 +0,0 @@ -# Project Example - -This example overrides only objects not considered "project" level, resulting in similar output as the basic example usage. -This module will fail if it is not able to produce expected output. -This example has been validated using [Terratest](https://terratest.gruntwork.io/), a Go sdk and test suite for Terraform. -When starting a new project which you expect to manage with a team, it is often true that you want to use an existing VPC, - but you want to create a new network segment, so you need a new subnet. -You will need a new security group for the new network, but you will want to use your current ssh key. diff --git a/examples/project/main.tf b/examples/project/main.tf index 8707962..aaf95a0 100644 --- a/examples/project/main.tf +++ b/examples/project/main.tf 
@@ -1,15 +1,21 @@ -# this test generates objects generally needed for a new project which is on its own network -# this will generate a new subnet for your project with the given cidr (this must be an unused block from the vpc's cidr) -# this will generate a security group for your project's cidr +provider "aws" { + default_tags { + tags = { + Id = local.identifier + } + } +} +locals { + key_name = var.key_name + identifier = var.identifier +} module "TestProject" { source = "../../" owner = "terraform-ci@suse.com" vpc_name = "default" # select the default vpc - subnet_name = "terraform-aws-access-test-project" + subnet_name = "tf-${local.identifier}" subnet_cidr = "172.31.254.0/24" # this must be an unused block from the vpc's cidr - security_group_name = "terraform-aws-access-test-project" + security_group_name = "tf-${local.identifier}" security_group_type = "egress" - ssh_key_name = var.key_name # I don't normally recommend using variables in a root module, but it allows tests to supply their own key - # A lot of troubleshooting during critical times can be saved by hard coding variables in root modules - # root modules should be secured properly (including the state), and should represent your running infrastructure + ssh_key_name = local.key_name } diff --git a/examples/project/variables.tf b/examples/project/variables.tf index 5b83d1f..d1d123b 100644 --- a/examples/project/variables.tf +++ b/examples/project/variables.tf @@ -1,3 +1,6 @@ variable "key_name" { type = string } +variable "identifier" { + type = string +} \ No newline at end of file diff --git a/examples/sgip/main.tf b/examples/sgip/main.tf index 1d369e3..1c967e3 100644 --- a/examples/sgip/main.tf +++ b/examples/sgip/main.tf 
@@ -1,15 +1,21 @@ - +provider "aws" { + default_tags { + tags = { + Id = local.identifier + } + } +} locals { - identifier = "sgip" + identifier = var.identifier } module "this" { source = "../../" owner = "terraform-ci@suse.com" - vpc_name = "terraform-aws-access-${local.identifier}" + vpc_name = "tf-aws-${local.identifier}" vpc_cidr = "10.0.255.0/24" # gives 256 usable addresses from .1 to .254, but AWS reserves .1 to .4 and .255, leaving .5 to .254 skip_subnet = true - security_group_name = "terraform-aws-access-${local.identifier}" + security_group_name = "tf-aws-${local.identifier}" security_group_type = "specific" security_group_ip = "192.168.1.1" skip_ssh = true diff --git a/examples/sgip/variables.tf b/examples/sgip/variables.tf index 63d0a70..379bf39 100644 --- a/examples/sgip/variables.tf +++ b/examples/sgip/variables.tf @@ -1,6 +1,3 @@ -variable "key" { +variable "identifier" { type = string -} -variable "key_name" { - type = string -} +} \ No newline at end of file diff --git a/examples/skipsecuritygroup/main.tf b/examples/skipsecuritygroup/main.tf index 3e3544a..65beecd 100644 --- a/examples/skipsecuritygroup/main.tf +++ b/examples/skipsecuritygroup/main.tf 
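Review bot: `vpc_name` and `security_group_name` here become `"tf-aws-${local.identifier}"` while every other example in this commit switches to `"tf-${local.identifier}"`; the extra `aws-` segment is inconsistent and, if the cleanup filter or the tests key on the `tf-<identifier>` prefix, this example's resources would be the odd ones out. Use `vpc_name = "tf-${local.identifier}"` and `security_group_name = "tf-${local.identifier}"` unless the difference is deliberate, in which case a comment should say why. The module block continues past the end of the hunk.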
@@ -1,16 +1,25 @@ +provider "aws" { + default_tags { + tags = { + Id = local.identifier + } + } +} locals { - identifier = "skipsg" + identifier = var.identifier + key = var.key + key_name = var.key_name } # vpc, subnet, and ssh key module "this" { source = "../../" owner = "terraform-ci@suse.com" - vpc_name = "terraform-aws-access-${local.identifier}" + vpc_name = "tf-${local.identifier}" vpc_cidr = "10.0.255.0/24" # gives 256 usable addresses from .1 to .254, but AWS reserves .1 to .4 and .255, leaving .5 to .254 - subnet_name = "terraform-aws-access-${local.identifier}" + subnet_name = "tf-${local.identifier}" subnet_cidr = "10.0.255.224/28" # gives 14 usable addresses from .225 to .238, but AWS reserves .225 to .227 and .238, leaving .227 to .237 availability_zone = "us-west-1b" # check what availability zones are available in your region before setting this skip_security_group = true - public_ssh_key = var.key - ssh_key_name = var.key_name + public_ssh_key = local.key + ssh_key_name = local.key_name } diff --git a/examples/skipsecuritygroup/variables.tf b/examples/skipsecuritygroup/variables.tf index 63d0a70..7d75481 100644 --- a/examples/skipsecuritygroup/variables.tf +++ b/examples/skipsecuritygroup/variables.tf @@ -4,3 +4,6 @@ variable "key" { variable "key_name" { type = string } +variable "identifier" { + type = string +} \ No newline at end of file diff --git a/examples/skipssh/main.tf b/examples/skipssh/main.tf index 970924b..d50d0d5 100644 --- a/examples/skipssh/main.tf +++ b/examples/skipssh/main.tf 
@@ -1,16 +1,23 @@ +provider "aws" { + default_tags { + tags = { + Id = local.identifier + } + } +} locals { - identifier = "skipssh" + identifier = var.identifier } # generate vpc, subnet, and security group, skip ssh keypair module "this" { source = "../../" owner = "terraform-ci@suse.com" - vpc_name = "terraform-aws-access-${local.identifier}" + vpc_name = "tf-${local.identifier}" vpc_cidr = "10.0.255.0/24" # gives 256 usable addresses from .1 to .254, but AWS reserves .1 to .4 and .255, leaving .5 to .254 - subnet_name = "terraform-aws-access-${local.identifier}" + subnet_name = "tf-${local.identifier}" subnet_cidr = "10.0.255.224/28" # gives 14 usable addresses from .225 to .238, but AWS reserves .225 to .227 and .238, leaving .227 to .237 availability_zone = "us-west-1b" # check what availability zones are available in your region before setting this - security_group_name = "terraform-aws-access-test-${local.identifier}" + security_group_name = "tf-${local.identifier}" security_group_type = "egress" skip_ssh = true } diff --git a/examples/skipssh/variables.tf b/examples/skipssh/variables.tf index 63d0a70..379bf39 100644 --- a/examples/skipssh/variables.tf +++ b/examples/skipssh/variables.tf @@ -1,6 +1,3 @@ -variable "key" { +variable "identifier" { type = string -} -variable "key_name" { - type = string -} +} \ No newline at end of file diff --git a/examples/skipsubnet/main.tf b/examples/skipsubnet/main.tf index f35763a..04554bd 100644 --- a/examples/skipsubnet/main.tf +++ b/examples/skipsubnet/main.tf 
@@ -1,16 +1,25 @@ +provider "aws" { + default_tags { + tags = { + Id = local.identifier + } + } +} locals { - identifier = "skipsubnet" + identifier = var.identifier + key = var.key + key_name = var.key_name } # generate vpc, security group, and ssh key module "this" { source = "../../" owner = "terraform-ci@suse.com" - vpc_name = "terraform-aws-access-${local.identifier}" + vpc_name = "tf-${local.identifier}" vpc_cidr = "10.0.255.0/24" # gives 256 usable addresses from .1 to .254, but AWS reserves .1 to .4 and .255, leaving .5 to .254 skip_subnet = true - security_group_name = "terraform-aws-access-${local.identifier}" + security_group_name = "tf-${local.identifier}" security_group_type = "specific" security_group_ip = "192.168.0.1" - public_ssh_key = var.key - ssh_key_name = var.key_name + public_ssh_key = local.key + ssh_key_name = local.key_name } diff --git a/examples/skipsubnet/variables.tf b/examples/skipsubnet/variables.tf index 63d0a70..7d75481 100644 --- a/examples/skipsubnet/variables.tf +++ b/examples/skipsubnet/variables.tf @@ -4,3 +4,6 @@ variable "key" { variable "key_name" { type = string } +variable "identifier" { + type = string +} \ No newline at end of file diff --git a/examples/skipvpc/main.tf b/examples/skipvpc/main.tf index e41686a..3f035bd 100644 --- a/examples/skipvpc/main.tf +++ b/examples/skipvpc/main.tf @@ -1,10 +1,21 @@ -# generate ssh key only +provider "aws" { + default_tags { + tags = { + Id = local.identifier + } + } +} +locals { + identifier = var.identifier + key = var.key + key_name = var.key_name +} module "this" { source = "../../" owner = "terraform-ci@suse.com" skip_vpc = true skip_subnet = true # without a vpc selected or created subnet can't be created skip_security_group = true # without a vpc selected of created security group can't be created - public_ssh_key = var.key - ssh_key_name = var.key_name + public_ssh_key = local.key + ssh_key_name = local.key_name } 
diff --git a/examples/skipvpc/variables.tf b/examples/skipvpc/variables.tf index 63d0a70..7d75481 100644 --- a/examples/skipvpc/variables.tf +++ b/examples/skipvpc/variables.tf @@ -4,3 +4,6 @@ variable "key" { variable "key_name" { type = string } +variable "identifier" { + type = string +} \ No newline at end of file diff --git a/examples/specifyip/main.tf b/examples/specifyip/main.tf index 8e74cf3..03039ee 100644 --- a/examples/specifyip/main.tf +++ b/examples/specifyip/main.tf @@ -1,18 +1,29 @@ +provider "aws" { + default_tags { + tags = { + Id = local.identifier + } + } +} + locals { - identifier = "specifyip" + identifier = var.identifier + key = var.key + key_name = var.key_name + ip = var.ip } module "this" { source = "../../" owner = "terraform-ci@suse.com" - vpc_name = "terraform-aws-access-${local.identifier}" + vpc_name = "tf-${local.identifier}" vpc_cidr = "10.0.255.0/24" # gives 256 usable addresses from .1 to .254, but AWS reserves .1 to .4 and .255, leaving .5 to .254 - subnet_name = "terraform-aws-access-${local.identifier}" + subnet_name = "tf-${local.identifier}" subnet_cidr = "10.0.255.224/28" # gives 14 usable addresses from .225 to .238, but AWS reserves .225 to .227 and .238, leaving .227 to .237 availability_zone = "us-west-1b" # check what availability zones are available in your region before setting this - security_group_name = "terraform-aws-access-${local.identifier}" + security_group_name = "tf-${local.identifier}" security_group_type = "egress" - security_group_ip = chomp(var.ip) - public_ssh_key = var.key - ssh_key_name = var.key_name + security_group_ip = chomp(local.ip) + public_ssh_key = local.key + ssh_key_name = local.key_name } diff --git a/examples/specifyip/variables.tf b/examples/specifyip/variables.tf index 18c5125..ccb7ba4 100644 --- a/examples/specifyip/variables.tf +++ b/examples/specifyip/variables.tf 
@@ -6,4 +6,7 @@ variable "key_name" {
 }
 variable "ip" {
 type = string
+}
+variable "identifier" {
+ type = string
 }
\ No newline at end of file
diff --git a/flake.lock b/flake.lock
index 0caacc9..770554c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -5,11 +5,11 @@
 "systems": "systems"
 },
 "locked": {
- "lastModified": 1701680307,
- "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+ "lastModified": 1705309234,
+ "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
 "owner": "numtide",
 "repo": "flake-utils",
- "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+ "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
 "type": "github"
 },
 "original": {
@@ -20,11 +20,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1702272962,
- "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=",
+ "lastModified": 1706683685,
+ "narHash": "sha256-FtPPshEpxH/ewBOsdKBNhlsL2MLEFv1hEnQ19f/bFsQ=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d",
+ "rev": "5ad9903c16126a7d949101687af0aa589b1d7d3d",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 9f16b8e..12055a3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -29,26 +29,60 @@ let pkgs = nixpkgs.legacyPackages.${system}; + # get "updatecli" tar from release, unpack it, and add it to shell + updatecli-version = { + "selected" = "v0.66.0"; + }; + updatecli-prep = { + "x86_64-darwin" = { + "url" = "https://github.com/updatecli/updatecli/releases/download/${updatecli-version.selected}/updatecli_Darwin_x86_64.tar.gz"; + "sha" = "sha256-AkYYaCp/a4KkZ4zcYc3GepllyPE6bHb7x7K25JSyljY="; + }; + "aarch64-darwin" = { + "url" = "https://github.com/updatecli/updatecli/releases/download/${updatecli-version.selected}/updatecli_Darwin_arm64.tar.gz"; + "sha" = "sha256-5ctfz4DcHRmjImYzL9hgOaC9pyeYKQxkpdIAr3J1a6g="; + }; + "x86_64-linux" = { + "url" = "https://github.com/updatecli/updatecli/releases/download/${updatecli-version.selected}/updatecli_Linux_x86_64.tar.gz"; + "sha" = "sha256-tmboI0ew+LApo3uLVqebaa8VA/6rgonGJH2onQEbSyk="; + }; + }; + updatecli = pkgs.runCommand "updatecli-${updatecli-version.selected}" {} '' + cp ${pkgs.fetchzip { # when fetching archives use fetchzip instead of fetchurl to automatically unpack + url = updatecli-prep."${system}".url; + sha256 = updatecli-prep."${system}".sha; + stripRoot = false; + }}/updatecli $out + chmod +x $out + ''; + updatecli-wrapper = pkgs.writeShellScriptBin "updatecli" '' + exec ${updatecli} "$@" + ''; + # get "leftovers" bin from release and add it to shell leftovers-version = { # remember when updating the version to also update the shas # to get the sha, download the file and run 'nix hash file ' "selected" = "v0.70.0"; }; - leftovers-urls = { - "x86_64-darwin" = "https://github.com/genevieve/leftovers/releases/download/${leftovers-version.selected}/leftovers-${leftovers-version.selected}-darwin-amd64"; - "aarch64-darwin" = "https://github.com/genevieve/leftovers/releases/download/${leftovers-version.selected}/leftovers-${leftovers-version.selected}-darwin-arm64"; - "x86_64-linux" = 
"https://github.com/genevieve/leftovers/releases/download/${leftovers-version.selected}/leftovers-${leftovers-version.selected}-linux-amd64"; - }; - leftovers-shas = { - "x86_64-linux" = "sha256-D2OPjLlV5xR3f+dVHu0ld6bQajD5Rv9GLCMCk9hXlu8="; - "x86_64-darwin" = "sha256-HV12kHqB14lGDm1rh9nD1n7Jvw0rCnxmjC9gusw7jfo="; - "aarch64-darwin" = "sha256-Tw7G538RYZrwIauN7kI68u6aKS4d/0Efh+dirL/kzoM="; + leftovers-prep = { + "x86_64-darwin" = { + "url" = "https://github.com/genevieve/leftovers/releases/download/${leftovers-version.selected}/leftovers-${leftovers-version.selected}-darwin-amd64"; + "sha" = "sha256-HV12kHqB14lGDm1rh9nD1n7Jvw0rCnxmjC9gusw7jfo="; + }; + "aarch64-darwin" = { + "url" = "https://github.com/genevieve/leftovers/releases/download/${leftovers-version.selected}/leftovers-${leftovers-version.selected}-darwin-arm64"; + "sha" = "sha256-Tw7G538RYZrwIauN7kI68u6aKS4d/0Efh+dirL/kzoM="; + }; + "x86_64-linux" = { + "url" = "https://github.com/genevieve/leftovers/releases/download/${leftovers-version.selected}/leftovers-${leftovers-version.selected}-linux-amd64"; + "sha" = "sha256-D2OPjLlV5xR3f+dVHu0ld6bQajD5Rv9GLCMCk9hXlu8="; + }; }; leftovers = pkgs.runCommand "leftovers-${leftovers-version.selected}" {} '' cp ${pkgs.fetchurl { - url = leftovers-urls."${system}"; - sha256 = leftovers-shas."${system}"; + url = leftovers-prep."${system}".url; + sha256 = leftovers-prep."${system}".sha; }} $out chmod +x $out ''; 
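Review bot: The new updatecli block pins each release tarball by `sha256`, but it does not carry the `# remember when updating the version to also update the shas` reminder that the leftovers block directly below it keeps, so the next bump is likely to change `updatecli-version.selected` and leave three stale hashes behind, which surfaces only as a hash-mismatch build failure. I would copy that comment (and the one describing how to obtain the hash) into `updatecli-version` as well. Both blocks also spell the same release URL prefix three times; a small function taking the platform suffix would keep each URL and its hash side by side once and turn a version bump into a one-line diff, though that is style only. The enclosing `let` binding list starts before this hunk.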
@@ -59,24 +93,27 @@
 {
 devShells.default = pkgs.mkShell {
 buildInputs = with pkgs; [
- act
 actionlint
 bashInteractive
 curl
 git
- gnupg
- go
+ gitleaks
+ go # need go for terratest
+ gnupg # need gpg for signing commits
+ jq
 less
- openssh
+ openssh # need openssh for running remote provisioners
 shellcheck
 tflint
 tfswitch
+ vim
 ];
 shellHook = ''
- rm -rf "/usr/local/bin/switched-terraform"
- install -d "/usr/local/bin/switched-terraform"
- tfswitch -b "/usr/local/bin/switched-terraform/terraform" -d "1.5.7" 1.5.7 > /dev/null;
- export PATH="$PATH:${leftovers-wrapper}/bin:/usr/local/bin/switched-terraform";
+ homebin=$HOME/bin;
+ install -d $homebin;
+ tfswitch -b $homebin/terraform 1.5.7 &>/dev/null;
+ export PATH="${updatecli-wrapper}/bin:${leftovers-wrapper}/bin:$homebin:$PATH";
+ export PS1="nix:# ";
 '';
 };
 }
diff --git a/tests/basic_test.go b/tests/basic_test.go
index b62aa66..7e25aee 100644
--- a/tests/basic_test.go
+++ b/tests/basic_test.go
@@ -2,6 +2,7 @@ package test
 import (
 "fmt"
+ "os"
 "testing"
 "github.com/gruntwork-io/terratest/modules/random"
@@ -12,15 +13,19 @@ import (
 // this test generates all objects, no overrides
 func TestBasic(t *testing.T) {
 t.Parallel()
- uniqueID := random.UniqueId()
+ uniqueID := os.Getenv("IDENTIFIER")
+ if uniqueID == "" {
+ uniqueID = random.UniqueId()
+ }
 directory := "basic"
 region := "us-west-1"
 keyPair := ssh.GenerateRSAKeyPair(t, 2048)
 keyPairName := fmt.Sprintf("terraform-aws-access-test-%s-%s", directory, uniqueID)
 terraformVars := map[string]interface{}{
- "key_name": keyPairName,
- "key": keyPair.PublicKey,
+ "identifier": uniqueID,
+ "key_name": keyPairName,
+ "key": keyPair.PublicKey,
 }
 terraformOptions := setup(t, directory, region, terraformVars)
 defer teardown(t, directory)
diff --git a/tests/override_test.go b/tests/override_test.go
index 0e6d5d5..65659b1 100644
--- a/tests/override_test.go
+++ b/tests/override_test.go
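Review bot: The rewritten shellHook puts `$homebin` ahead of the existing `$PATH` (the old hook appended its directory) and discards all tfswitch output with `&>/dev/null`, so when the download fails the shell still opens and whichever `terraform`, or any other binary, already sits in `$HOME/bin` is picked up before every nix-provided tool, with no message that the pinned 1.5.7 was never installed. `$homebin` is also unquoted in `install -d $homebin` and `tfswitch -b $homebin/terraform`, which breaks for a home directory containing spaces. I would quote both uses and keep stderr visible, e.g. `tfswitch -b "$homebin/terraform" 1.5.7 >/dev/null || echo "tfswitch failed; terraform 1.5.7 not installed" >&2;`, and either move `$homebin` back to the end of PATH or add a comment stating that shadowing system binaries from `$HOME/bin` is intended.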
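Review bot: The four-line `os.Getenv("IDENTIFIER")` fallback added to TestBasic is repeated verbatim in TestOverride, TestPersonal, TestProject, TestSgip, TestSkipVpc, TestSkipSubnet, TestSkipSecurityGroup, TestSkipSsh and TestIp in this commit. A helper in tests/util_test.go keeps the ten copies in sync and gives one place to document where IDENTIFIER comes from and to reject a value that cannot serve as a tag value or key-pair name, since the string flows unchecked into the `Id` tag and into `fmt.Sprintf("terraform-aws-access-test-%s-%s", directory, uniqueID)`. The helper below belongs in util_test.go; each test then reduces to `uniqueID := identifier()`.
```go
// identifier returns the IDENTIFIER environment variable when it is set, so every
// resource a run creates carries the same Id tag, and a random id otherwise.
func identifier() string {
	if id := os.Getenv("IDENTIFIER"); id != "" {
		return id
	}
	return random.UniqueId()
}
```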
@@ -1,8 +1,10 @@
 package test
 import (
+ "os"
 "testing"
+ "github.com/gruntwork-io/terratest/modules/random"
 "github.com/gruntwork-io/terratest/modules/terraform"
 )
@@ -11,19 +13,24 @@ import (
 // but you want to make sure the access objects exist before building anything else
 func TestOverride(t *testing.T) {
 t.Parallel()
+ uniqueID := os.Getenv("IDENTIFIER")
+ if uniqueID == "" {
+ uniqueID = random.UniqueId()
+ }
 directory := "override"
 region := "us-west-1"
 owner := "terraform-ci@suse.com"
 defer teardown(t, directory)
- keyPair := setupKeyPair(t, directory, region, owner)
+ keyPair := setupKeyPair(t, directory, region, owner, uniqueID)
 defer teardownKeyPair(t, keyPair)
 securityGroupId, securityGroupName := setupSecurityGroup(t, directory, region, owner)
 defer teardownSecurityGroup(t, region, securityGroupId)
 terraformVars := map[string]interface{}{
+ "identifier": uniqueID,
 "key_name": keyPair.Name,
 "security_group_name": securityGroupName,
 }
diff --git a/tests/personal_test.go b/tests/personal_test.go
index 81de1ae..c2035ec 100644
--- a/tests/personal_test.go
+++ b/tests/personal_test.go
@@ -2,6 +2,7 @@ package test
 import (
 "fmt"
+ "os"
 "testing"
 "github.com/gruntwork-io/terratest/modules/random"
@@ -14,15 +15,19 @@ import (
 // thus generating only unshared or "personal" objects
 func TestPersonal(t *testing.T) {
 t.Parallel()
- uniqueID := random.UniqueId()
+ uniqueID := os.Getenv("IDENTIFIER")
+ if uniqueID == "" {
+ uniqueID = random.UniqueId()
+ }
 directory := "personal"
 region := "us-west-1"
 keyPair := ssh.GenerateRSAKeyPair(t, 2048)
 keyPairName := fmt.Sprintf("terraform-aws-access-test-%s-%s", directory, uniqueID)
 terraformVars := map[string]interface{}{
- "key_name": keyPairName,
- "key": keyPair.PublicKey,
+ "identifier": uniqueID,
+ "key_name": keyPairName,
+ "key": keyPair.PublicKey,
 }
 terraformOptions := setup(t, directory, region, terraformVars)
 defer teardown(t, directory)
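Review bot: `setupKeyPair` now receives `uniqueID` so the pre-created key pair is named with the same identifier the Terraform run tags with, but `securityGroupId, securityGroupName := setupSecurityGroup(t, directory, region, owner)` two lines below is left unchanged. If that helper still derives its own `random.UniqueId()` internally (its body is outside this diff), the security group made for the override test is the one resource of the run whose name does not carry IDENTIFIER, and any cleanup keyed on that identifier would miss it. I would extend it the same way: `securityGroupId, securityGroupName := setupSecurityGroup(t, directory, region, owner, uniqueID)`. TestOverride continues past the end of this hunk.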
diff --git a/tests/project_test.go b/tests/project_test.go
index 701bdb3..ba5c81d 100644
--- a/tests/project_test.go
+++ b/tests/project_test.go
@@ -1,8 +1,10 @@
 package test
 import (
+ "os"
 "testing"
+ "github.com/gruntwork-io/terratest/modules/random"
 "github.com/gruntwork-io/terratest/modules/terraform"
 )
@@ -11,14 +13,19 @@ import (
 // and the vpc is outside of your control
 func TestProject(t *testing.T) {
 t.Parallel()
+ uniqueID := os.Getenv("IDENTIFIER")
+ if uniqueID == "" {
+ uniqueID = random.UniqueId()
+ }
 directory := "project"
 region := "us-west-1"
 owner := "terraform-ci@suse.com"
- keyPair := setupKeyPair(t, directory, region, owner)
+ keyPair := setupKeyPair(t, directory, region, owner, uniqueID)
 defer teardownKeyPair(t, keyPair)
 terraformVars := map[string]interface{}{
- "key_name": keyPair.Name,
+ "identifier": uniqueID,
+ "key_name": keyPair.Name,
 }
 terraformOptions := setup(t, directory, region, terraformVars)
 defer teardown(t, directory)
diff --git a/tests/sgip_test.go b/tests/sgip_test.go
index b09408d..67f1f16 100644
--- a/tests/sgip_test.go
+++ b/tests/sgip_test.go
@@ -1,26 +1,25 @@
 package test
 import (
- "fmt"
+ "os"
 "testing"
 "github.com/gruntwork-io/terratest/modules/random"
- "github.com/gruntwork-io/terratest/modules/ssh"
 "github.com/gruntwork-io/terratest/modules/terraform"
 )
 // generate a security group without generating a subnet, specifying an ip
 func TestSgip(t *testing.T) {
 t.Parallel()
- uniqueID := random.UniqueId()
+ uniqueID := os.Getenv("IDENTIFIER")
+ if uniqueID == "" {
+ uniqueID = random.UniqueId()
+ }
 directory := "sgip"
 region := "us-west-1"
- keyPair := ssh.GenerateRSAKeyPair(t, 2048)
- keyPairName := fmt.Sprintf("terraform-aws-access-%s-%s", directory, uniqueID)
 terraformVars := map[string]interface{}{
- "key_name": keyPairName,
- "key": keyPair.PublicKey,
+ "identifier": uniqueID,
 }
 terraformOptions := setup(t, directory, region, terraformVars)
 defer teardown(t, directory)
diff --git a/tests/skip_test.go b/tests/skip_test.go
index e48290b..2699574 100644
--- a/tests/skip_test.go
+++ b/tests/skip_test.go
@@ -2,6 +2,7 @@ package test
 import (
 "fmt"
+ "os"
 "testing"
 "github.com/gruntwork-io/terratest/modules/random"
@@ -11,15 +12,19 @@ import (
 func TestSkipVpc(t *testing.T) {
 t.Parallel()
- uniqueID := random.UniqueId()
+ uniqueID := os.Getenv("IDENTIFIER")
+ if uniqueID == "" {
+ uniqueID = random.UniqueId()
+ }
 directory := "skipvpc"
 region := "us-west-1"
 keyPair := ssh.GenerateRSAKeyPair(t, 2048)
- keyPairName := fmt.Sprintf("terraform-aws-access-%s-%s", directory, uniqueID)
+ keyPairName := fmt.Sprintf("tf-%s-%s", directory, uniqueID)
 terraformVars := map[string]interface{}{
- "key_name": keyPairName,
- "key": keyPair.PublicKey,
+ "identifier": uniqueID,
+ "key_name": keyPairName,
+ "key": keyPair.PublicKey,
 }
 terraformOptions := setup(t, directory, region, terraformVars)
 defer teardown(t, directory)
@@ -29,15 +34,19 @@ func TestSkipVpc(t *testing.T) {
 func TestSkipSubnet(t *testing.T) {
 t.Parallel()
- uniqueID := random.UniqueId()
+ uniqueID := os.Getenv("IDENTIFIER")
+ if uniqueID == "" {
+ uniqueID = random.UniqueId()
+ }
 directory := "skipsubnet"
 region := "us-west-1"
 keyPair := ssh.GenerateRSAKeyPair(t, 2048)
- keyPairName := fmt.Sprintf("terraform-aws-access-%s-%s", directory, uniqueID)
+ keyPairName := fmt.Sprintf("tf-%s-%s", directory, uniqueID)
 terraformVars := map[string]interface{}{
- "key_name": keyPairName,
- "key": keyPair.PublicKey,
+ "identifier": uniqueID,
+ "key_name": keyPairName,
+ "key": keyPair.PublicKey,
 }
 terraformOptions := setup(t, directory, region, terraformVars)
 defer teardown(t, directory)
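Review bot: The key-pair name format changes to `tf-%s-%s` in TestSkipVpc here, and likewise in TestSkipSubnet and TestSkipSecurityGroup on the following hunks, while TestBasic, TestPersonal and `setupKeyPair` keep `terraform-aws-access-test-%s-%s` and TestIp keeps `terraform-aws-access-%s-%s`, so after this commit the test suite names its key pairs under three different schemes. Anything that lists or removes leftover key pairs by prefix now has to know all three, and a reader cannot tell which is intended. A single `const keyPairPrefix = "tf"` in tests/util_test.go, used as `fmt.Sprintf("%s-%s-%s", keyPairPrefix, directory, uniqueID)` in every test, would make the scheme one change away from consistent. TestSkipVpc continues past the end of this hunk.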
@@ -46,15 +55,19 @@ func TestSkipSubnet(t *testing.T) {
 }
 func TestSkipSecurityGroup(t *testing.T) {
 t.Parallel()
- uniqueID := random.UniqueId()
+ uniqueID := os.Getenv("IDENTIFIER")
+ if uniqueID == "" {
+ uniqueID = random.UniqueId()
+ }
 directory := "skipsecuritygroup"
 region := "us-west-1"
 keyPair := ssh.GenerateRSAKeyPair(t, 2048)
- keyPairName := fmt.Sprintf("terraform-aws-access-%s-%s", directory, uniqueID)
+ keyPairName := fmt.Sprintf("tf-%s-%s", directory, uniqueID)
 terraformVars := map[string]interface{}{
- "key_name": keyPairName,
- "key": keyPair.PublicKey,
+ "identifier": uniqueID,
+ "key_name": keyPairName,
+ "key": keyPair.PublicKey,
 }
 terraformOptions := setup(t, directory, region, terraformVars)
 defer teardown(t, directory)
@@ -63,15 +76,15 @@ func TestSkipSecurityGroup(t *testing.T) {
 }
 func TestSkipSsh(t *testing.T) {
 t.Parallel()
- uniqueID := random.UniqueId()
+ uniqueID := os.Getenv("IDENTIFIER")
+ if uniqueID == "" {
+ uniqueID = random.UniqueId()
+ }
 directory := "skipssh"
 region := "us-west-1"
- keyPair := ssh.GenerateRSAKeyPair(t, 2048)
- keyPairName := fmt.Sprintf("terraform-aws-access-%s-%s", directory, uniqueID)
 terraformVars := map[string]interface{}{
- "key_name": keyPairName,
- "key": keyPair.PublicKey,
+ "identifier": uniqueID,
 }
 terraformOptions := setup(t, directory, region, terraformVars)
 defer teardown(t, directory)
diff --git a/tests/specifyip_test.go b/tests/specifyip_test.go
index 1754280..972d572 100644
--- a/tests/specifyip_test.go
+++ b/tests/specifyip_test.go
@@ -4,6 +4,7 @@ import (
 "fmt"
 "log"
 "net"
+ "os"
 "testing"
 "github.com/gruntwork-io/terratest/modules/random"
@@ -13,7 +14,10 @@ import (
 func TestIp(t *testing.T) {
 t.Parallel()
- uniqueID := random.UniqueId()
+ uniqueID := os.Getenv("IDENTIFIER")
+ if uniqueID == "" {
+ uniqueID = random.UniqueId()
+ }
 directory := "specifyip"
 region := "us-west-1"
 ip := GetOutboundIP().String()
@@ -21,9 +25,10 @@ func TestIp(t *testing.T) {
 keyPair := ssh.GenerateRSAKeyPair(t, 2048)
 keyPairName := fmt.Sprintf("terraform-aws-access-%s-%s", directory, uniqueID)
 terraformVars := map[string]interface{}{
- "key_name": keyPairName,
- "key": keyPair.PublicKey,
- "ip": ip,
+ "identifier": uniqueID,
+ "key_name": keyPairName,
+ "key": keyPair.PublicKey,
+ "ip": ip,
 }
 terraformOptions := setup(t, directory, region, terraformVars)
 defer teardown(t, directory)
diff --git a/tests/util_test.go b/tests/util_test.go
index a5874c3..5d40b7d 100644
--- a/tests/util_test.go
+++ b/tests/util_test.go
@@ -16,6 +16,12 @@ import (
 func teardown(t *testing.T, directory string) {
 err := os.RemoveAll(fmt.Sprintf("../examples/%s/.terraform", directory))
 require.NoError(t, err)
+ err1 := os.RemoveAll(fmt.Sprintf("../examples/%s/.terraform.lock.hcl", directory))
+ require.NoError(t, err1)
+ err2 := os.RemoveAll(fmt.Sprintf("../examples/%s/terraform.tfstate", directory))
+ require.NoError(t, err2)
+ err3 := os.RemoveAll(fmt.Sprintf("../examples/%s/terraform.tfstate.backup", directory))
+ require.NoError(t, err3)
 }
 func setup(t *testing.T, directory string, region string, terraformVars map[string]interface{}) *terraform.Options {
@@ -43,9 +49,8 @@ func setup(t *testing.T, directory string, region string, terraformVars map[stri
 return terraformOptions
 }
-func setupKeyPair(t *testing.T, directory string, region string, owner string) *aws.Ec2Keypair {
+func setupKeyPair(t *testing.T, directory string, region string, owner string, uniqueID string) *aws.Ec2Keypair {
 // Create an EC2 KeyPair that we can find in the module
- uniqueID := random.UniqueId()
 keyPairName := fmt.Sprintf("terraform-aws-access-test-%s-%s", directory, uniqueID)
 keyPair := aws.CreateAndImportEC2KeyPair(t, region, keyPairName)
 // tag the key pair
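Review bot: teardown now deletes `terraform.tfstate` and `terraform.tfstate.backup` unconditionally. The tests register `defer teardown(t, directory)` immediately after `setup`, so it runs after anything deferred later, presumably the destroy; if that destroy fails, this removes the only record of what the run created and the resources become orphans that must be located by tag, so I would delete the state files only once the destroy has succeeded, or at least keep the `.backup`. Removing `.terraform.lock.hcl` on every run also means each `terraform init` re-resolves the provider without a pinned hash; if the examples do not commit a lock file, committing one and leaving it in place here would give the tests provider pinning for free. Stylistically, `err1`/`err2`/`err3` can collapse into one loop over the four paths:
```go
func teardown(t *testing.T, directory string) {
	for _, name := range []string{".terraform", ".terraform.lock.hcl", "terraform.tfstate", "terraform.tfstate.backup"} {
		require.NoError(t, os.RemoveAll(fmt.Sprintf("../examples/%s/%s", directory, name)))
	}
}
```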
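Review bot: Dropping `uniqueID := random.UniqueId()` from setupKeyPair may leave the `random` import in tests/util_test.go unused; if that was the file's only call into the package, the test binary no longer compiles. The import block is outside this hunk, so please check it, and ignore this if `random` is still used elsewhere in the file (for example by setupSecurityGroup). The new `uniqueID string` parameter also deserves a doc comment on the function, e.g. `// setupKeyPair creates and tags an EC2 key pair named after directory and uniqueID so the module under test can find it.`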