From b5eff64814c5a550b6e9a2a9f5489edf52c979b7 Mon Sep 17 00:00:00 2001
From: Frank <639906+syphernl@users.noreply.github.com>
Date: Tue, 9 Feb 2021 05:26:50 +0100
Subject: [PATCH] fix: mark outputs as sensitive (#118)
---
 .github/CODEOWNERS | 7 +-
 .github/auto-release.yml | 8 +++
 .github/mergify.yml | 28 +++++---
 .github/renovate.json | 12 ++++
 .github/workflows/auto-context.yml | 55 --------------
 .github/workflows/auto-format.yml | 86 +++++++++++++++++++++++
 .github/workflows/auto-release.yml | 2 +-
 .github/workflows/validate-codeowners.yml | 9 ++-
 README.md | 6 +-
 README.yaml | 4 ++
 docs/terraform.md | 2 +-
 examples/complete/versions.tf | 2 +-
 examples/env_vars_files/versions.tf | 2 +-
 examples/map_environment/versions.tf | 2 +-
 examples/multi_port_mappings/versions.tf | 2 +-
 examples/multi_type_env_vars/versions.tf | 2 +-
 examples/multiple_definitions/versions.tf | 2 +-
 examples/string_env_vars/versions.tf | 2 +-
 outputs.tf | 3 +
 renovate.json | 5 --
 versions.tf | 2 +-
 21 files changed, 157 insertions(+), 86 deletions(-)
 create mode 100644 .github/renovate.json
 delete mode 100644 .github/workflows/auto-context.yml
 create mode 100644 .github/workflows/auto-format.yml
 delete mode 100644 renovate.json
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index ceb4644..2537f2f 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -15,9 +15,10 @@ # Cloud Posse must review any changes to standard context definition, # but some changes can be rubber-stamped. -**/context.tf @cloudposse/engineering @cloudposse/approvers -README.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers -docs/*.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers +**/*.tf @cloudposse/engineering @cloudposse/approvers +README.yaml @cloudposse/engineering @cloudposse/approvers +README.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers +docs/*.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers # Cloud Posse Admins must review all changes to CODEOWNERS or the mergify configuration .github/mergify.yml @cloudposse/admins diff --git a/.github/auto-release.yml b/.github/auto-release.yml index 18a1ca6..c78a4d8 100644 --- a/.github/auto-release.yml +++ b/.github/auto-release.yml @@ -43,3 +43,11 @@ change-template: | template: | $CHANGES + +replacers: +# Remove irrelevant information from Renovate bot +- search: '/---\s+^#.*Renovate configuration(?:.|\n)*?This PR has been generated .*/gm' + replace: '' +# Remove Renovate bot banner image +- search: '/\[!\[[^\]]*Renovate\][^\]]*\](\([^)]*\))?\s*\n+/gm' + replace: '' diff --git a/.github/mergify.yml b/.github/mergify.yml index 485982f..b010656 100644 --- a/.github/mergify.yml +++ b/.github/mergify.yml 
@@ -1,12 +1,16 @@ +# https://docs.mergify.io/conditions.html +# https://docs.mergify.io/actions.html pull_request_rules: - name: "approve automated PRs that have passed checks" conditions: - - "check-success~=test/bats" - - "check-success~=test/readme" - - "check-success~=test/terratest" + - "author~=^(cloudpossebot|renovate\\[bot\\])$" - "base=master" - - "author=cloudpossebot" - - "head~=auto-update/.*" + - "-closed" + - "head~=^(auto-update|renovate)/.*" + - "check-success=test/bats" + - "check-success=test/readme" + - "check-success=test/terratest" + - "check-success=validate-codeowners" actions: review: type: "APPROVE" @@ -15,16 +19,17 @@ pull_request_rules: - name: "merge automated PRs when approved and tests pass" conditions: - - "check-success~=test/bats" - - "check-success~=test/readme" - - "check-success~=test/terratest" + - "author~=^(cloudpossebot|renovate\\[bot\\])$" - "base=master" - - "head~=auto-update/.*" + - "-closed" + - "head~=^(auto-update|renovate)/.*" + - "check-success=test/bats" + - "check-success=test/readme" + - "check-success=test/terratest" + - "check-success=validate-codeowners" - "#approved-reviews-by>=1" - "#changes-requested-reviews-by=0" - "#commented-reviews-by=0" - - "base=master" - - "author=cloudpossebot" actions: merge: method: "squash" @@ -38,6 +43,7 @@ pull_request_rules: - name: "ask to resolve conflict" conditions: - "conflict" + - "-closed" actions: comment: message: "This pull request is now in conflict. Could you fix it @{{author}}? 🙏" diff --git a/.github/renovate.json b/.github/renovate.json new file mode 100644 index 0000000..ae4f0aa --- /dev/null +++ b/.github/renovate.json @@ -0,0 +1,12 @@ +{ + "extends": [ + "config:base", + ":preserveSemverRanges" + ], + "labels": ["auto-update"], + "enabledManagers": ["terraform"], + "terraform": { + "ignorePaths": ["**/context.tf", "examples/**"] + } +} + 
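Review bot: In the first mergify.yml hunk the check conditions switch from `check-success~=` (regex) to `check-success=` (exact match), so `check-success=validate-codeowners` only fires if the check run is reported under exactly that name; that name comes from the job name in `.github/workflows/validate-codeowners.yml`, which is outside this page, so confirm it is not reported as the workflow name plus a job id, otherwise bot PRs will never auto-approve or auto-merge. The same block of eight conditions is duplicated verbatim in the `approve` rule and the `merge` rule; a comment such as `# keep in sync with the merge rule below` above the first list would make the coupling visible to the next editor. It is also worth a comment on the `merge` rule that its `#approved-reviews-by>=1` is satisfied by the APPROVE review the first rule itself posts, i.e. PRs from `cloudpossebot` or `renovate[bot]` merge with no human review once the listed checks pass, if that is the intended policy.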
diff --git a/.github/workflows/auto-context.yml b/.github/workflows/auto-context.yml deleted file mode 100644 index 739a3c9..0000000 --- a/.github/workflows/auto-context.yml +++ /dev/null @@ -1,55 +0,0 @@ -name: "auto-context" -on: - schedule: - # Update context.tf nightly - - cron: '0 3 * * *' - -jobs: - update: - if: github.event_name == 'schedule' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - - name: Update context.tf - shell: bash - id: update - env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - run: | - if [[ -f context.tf ]]; then - echo "Discovered existing context.tf! Fetching most recent version to see if there is an update." - curl -o context.tf -fsSL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf - if git diff --no-patch --exit-code context.tf; then - echo "No changes detected! Exiting the job..." - else - echo "context.tf file has changed. Update examples and rebuild README.md." - make init - make github/init/context.tf - make readme/build - echo "::set-output name=create_pull_request=true" - fi - else - echo "This module has not yet been updated to support the context.tf pattern! Please update in order to support automatic updates." - fi - - - name: Create Pull Request - if: {{ steps.update.outputs.create_pull_request == 'true' }} - uses: cloudposse/actions/github/create-pull-request@0.22.0 - with: - token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }} - commit-message: Update context.tf from origin source - title: Update context.tf - body: |- - ## what - This is an auto-generated PR that updates the `context.tf` file to the latest version from `cloudposse/terraform-null-label` - - ## why - To support all the features of the `context` interface. - - branch: auto-update/context.tf - base: master - delete-branch: true - labels: | - auto-update - context diff --git a/.github/workflows/auto-format.yml b/.github/workflows/auto-format.yml new file mode 100644 index 0000000..990abed --- /dev/null 
+++ b/.github/workflows/auto-format.yml 
@@ -0,0 +1,86 @@ +name: Auto Format +on: + pull_request_target: + types: [opened, synchronize] + +jobs: + auto-format: + runs-on: ubuntu-latest + container: cloudposse/build-harness:slim-latest + steps: + # Checkout the pull request branch + # "An action in a workflow run can’t trigger a new workflow run. For example, if an action pushes code using + # the repository’s GITHUB_TOKEN, a new workflow will not run even when the repository contains + # a workflow configured to run when push events occur." + # However, using a personal access token will cause events to be triggered. + # We need that to ensure a status gets posted after the auto-format commit. + # We also want to trigger tests if the auto-format made no changes. + - uses: actions/checkout@v2 + if: github.event.pull_request.state == 'open' + name: Privileged Checkout + with: + token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + # Check out the PR commit, not the merge commit + # Use `ref` instead of `sha` to enable pushing back to `ref` + ref: ${{ github.event.pull_request.head.ref }} + + # Do all the formatting stuff + - name: Auto Format + if: github.event.pull_request.state == 'open' + shell: bash + run: make BUILD_HARNESS_PATH=/build-harness PACKAGES_PREFER_HOST=true -f /build-harness/templates/Makefile.build-harness pr/auto-format/host + + # Commit changes (if any) to the PR branch + - name: Commit changes to the PR branch + if: github.event.pull_request.state == 'open' + shell: bash + id: commit + env: + SENDER: ${{ github.event.sender.login }} + run: | + set -x + output=$(git diff --name-only) + + if [ -n "$output" ]; then + echo "Changes detected. 
Pushing to the PR branch" + git config --global user.name 'cloudpossebot' + git config --global user.email '11232728+cloudpossebot@users.noreply.github.com' + git add -A + git commit -m "Auto Format" + # Prevent looping by not pushing changes in response to changes from cloudpossebot + [[ $SENDER == "cloudpossebot" ]] || git push + # Set status to fail, because the push should trigger another status check, + # and we use success to indicate the checks are finished. + printf "::set-output name=%s::%s\n" "changed" "true" + exit 1 + else + printf "::set-output name=%s::%s\n" "changed" "false" + echo "No changes detected" + fi + + - name: Auto Test + uses: cloudposse/actions/github/repository-dispatch@0.22.0 + # match users by ID because logins (user names) are inconsistent, + # for example in the REST API Renovate Bot is `renovate[bot]` but + # in GraphQL it is just `renovate`, plus there is a non-bot + # user `renovate` with ID 1832810. + # Mergify bot: 37929162 + # Renovate bot: 29139614 + # Cloudpossebot: 11232728 + # Need to use space separators to prevent "21" from matching "112144" + if: > + contains(' 37929162 29139614 11232728 ', format(' {0} ', github.event.pull_request.user.id)) + && steps.commit.outputs.changed == 'false' && github.event.pull_request.state == 'open' + with: + token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }} + repository: cloudposse/actions + event-type: test-command + client-payload: |- + { "slash_command":{"args": {"unnamed": {"all": "all", "arg1": "all"}}}, + "pull_request": ${{ toJSON(github.event.pull_request) }}, + "github":{"payload":{"repository": ${{ toJSON(github.event.repository) }}, + "comment": {"id": ""} + } + } + } diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml index ccc27be..3f48017 100644 --- a/.github/workflows/auto-release.yml +++ b/.github/workflows/auto-release.yml 
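Review bot: The `Privileged Checkout` step runs under `pull_request_target` and checks out `github.event.pull_request.head.ref` from `github.event.pull_request.head.repo.full_name` (the contributor's fork, for fork PRs) using `secrets.PUBLIC_REPO_ACCESS_TOKEN`, and `actions/checkout@v2` keeps that token in the workspace git config by default, so it is readable by the following `make … pr/auto-format/host` step that processes the checked-out tree. If any formatting target executes repository-controlled content (a Makefile include, a git hook, a template), a fork PR can read the PAT; whether that is the case for this build-harness target is not visible on this page. The narrowest fix is to gate the job on the same-repo test this commit already uses in validate-codeowners.yml, `if: github.event.pull_request.head.repo.full_name == github.repository` under `auto-format:`, which matches the `Auto Test` step only dispatching for the three bot user IDs, whose branches live in this repository; otherwise set `persist-credentials: false` on the checkout and supply the token only to the push step.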
@@ -6,7 +6,7 @@ on: - master jobs: - semver: + publish: runs-on: ubuntu-latest steps: # Drafts your next Release notes as Pull Requests are merged into "master" diff --git a/.github/workflows/validate-codeowners.yml b/.github/workflows/validate-codeowners.yml index a35d60e..386eb28 100644 --- a/.github/workflows/validate-codeowners.yml +++ b/.github/workflows/validate-codeowners.yml @@ -8,7 +8,9 @@ jobs: steps: - name: "Checkout source code at current commit" uses: actions/checkout@v2 - - uses: mszostok/codeowners-validator@v0.6.0 + - uses: mszostok/codeowners-validator@v0.5.0 + if: github.event.pull_request.head.repo.full_name == github.repository + name: "Full check of CODEOWNERS" with: # For now, remove "files" check to allow CODEOWNERS to specify non-existent # files so we can use the same CODEOWNERS file for Terraform and non-Terraform repos @@ -16,3 +18,8 @@ jobs: checks: "syntax,owners,duppatterns" # GitHub access token is required only if the `owners` check is enabled github_access_token: "${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}" + - uses: mszostok/codeowners-validator@v0.5.0 + if: github.event.pull_request.head.repo.full_name != github.repository + name: "Syntax check of CODEOWNERS" + with: + checks: "syntax,duppatterns" diff --git a/README.md b/README.md index afd6055..16549db 100644 --- a/README.md +++ b/README.md 
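Review bot: Both new `if:` conditions in validate-codeowners.yml compare `github.event.pull_request.head.repo.full_name` with `github.repository`, a value only present on pull-request events; on any other trigger in this workflow's `on:` (outside the hunk) the left side is empty, so the full `syntax,owners,duppatterns` step is skipped and only the token-less `syntax,duppatterns` step runs. If the workflow also runs on push, widen the first condition to `if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request'` or document that non-PR runs get the reduced check. Separately, the action is moved from `v0.6.0` back to `v0.5.0` in both steps with nothing on the page explaining it; a comment like `# pinned to v0.5.0: <reason>` would stop the next maintainer from bumping it straight back, and pinning to the tag's commit SHA would make the pin tamper-evident.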
@@ -98,6 +98,10 @@ The table below correctly indicates which inputs are required. This module is meant to be used as output only, meaning it will be used to create outputs which are consumed as a parameter by Terraform resources or other modules. +Caution: This module, unlike nearly all other Cloud Posse Terraform modules, does not use [terraform-null-label](https://github.com/cloudposse/terraform-null-label/). +Furthermore, it has an input named `environment` which has a completely different meaning than the one in `terraform-null-label`. +Do not call this module with the conventional `context = module.this.context`. See the documentation below for the usage of `environment`. + For complete examples, see - [multi-port mappings](examples/multi_port_mappings) @@ -129,7 +133,7 @@ Available targets: | Name | Version | |------|---------| -| terraform | >= 0.13.0 | +| terraform | >= 0.12.26 | | local | >= 1.2 | ## Providers diff --git a/README.yaml b/README.yaml index bb94fe2..713ac55 100644 --- a/README.yaml +++ b/README.yaml @@ -46,6 +46,10 @@ description: Terraform module to generate well-formed JSON documents that are pa usage: |- This module is meant to be used as output only, meaning it will be used to create outputs which are consumed as a parameter by Terraform resources or other modules. + Caution: This module, unlike nearly all other Cloud Posse Terraform modules, does not use [terraform-null-label](https://github.com/cloudposse/terraform-null-label/). + Furthermore, it has an input named `environment` which has a completely different meaning than the one in `terraform-null-label`. + Do not call this module with the conventional `context = module.this.context`. See the documentation below for the usage of `environment`. + For complete examples, see - [multi-port mappings](examples/multi_port_mappings) diff --git a/docs/terraform.md b/docs/terraform.md index 136ae14..c08fa64 100644 --- a/docs/terraform.md +++ b/docs/terraform.md 
@@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| terraform | >= 0.13.0 | +| terraform | >= 0.12.26 | | local | >= 1.2 | ## Providers diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf index 81ea840..91805f0 100644 --- a/examples/complete/versions.tf +++ b/examples/complete/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.13.0" + required_version = ">= 0.12.26" required_providers { local = { diff --git a/examples/env_vars_files/versions.tf b/examples/env_vars_files/versions.tf index 0a440ee..86b1b25 100644 --- a/examples/env_vars_files/versions.tf +++ b/examples/env_vars_files/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.13.0" + required_version = ">= 0.12.26" required_providers { local = { diff --git a/examples/map_environment/versions.tf b/examples/map_environment/versions.tf index 0a440ee..86b1b25 100644 --- a/examples/map_environment/versions.tf +++ b/examples/map_environment/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.13.0" + required_version = ">= 0.12.26" required_providers { local = { diff --git a/examples/multi_port_mappings/versions.tf b/examples/multi_port_mappings/versions.tf index 0a440ee..86b1b25 100644 --- a/examples/multi_port_mappings/versions.tf +++ b/examples/multi_port_mappings/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.13.0" + required_version = ">= 0.12.26" required_providers { local = { diff --git a/examples/multi_type_env_vars/versions.tf b/examples/multi_type_env_vars/versions.tf index 0a440ee..86b1b25 100644 --- a/examples/multi_type_env_vars/versions.tf +++ b/examples/multi_type_env_vars/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.13.0" + required_version = ">= 0.12.26" required_providers { local = { diff --git a/examples/multiple_definitions/versions.tf b/examples/multiple_definitions/versions.tf index 81ea840..91805f0 100644 --- a/examples/multiple_definitions/versions.tf 
+++ b/examples/multiple_definitions/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.13.0" + required_version = ">= 0.12.26" required_providers { local = { diff --git a/examples/string_env_vars/versions.tf b/examples/string_env_vars/versions.tf index 0a440ee..86b1b25 100644 --- a/examples/string_env_vars/versions.tf +++ b/examples/string_env_vars/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.13.0" + required_version = ">= 0.12.26" required_providers { local = { diff --git a/outputs.tf b/outputs.tf index f265f20..ed2d00d 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,14 +1,17 @@ output "json_map_encoded_list" { description = "JSON string encoded list of container definitions for use with other terraform resources such as aws_ecs_task_definition" value = "[${local.json_map}]" + sensitive = true } output "json_map_encoded" { description = "JSON string encoded container definitions for use with other terraform resources such as aws_ecs_task_definition" value = local.json_map + sensitive = true } output "json_map_object" { description = "JSON map encoded container definition" value = jsondecode(local.json_map) + sensitive = true } diff --git a/renovate.json b/renovate.json deleted file mode 100644 index f45d8f1..0000000 --- a/renovate.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "extends": [ - "config:base" - ] -} diff --git a/versions.tf b/versions.tf index 0a440ee..86b1b25 100644 --- a/versions.tf +++ b/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.13.0" + required_version = ">= 0.12.26" required_providers { local = {
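Review bot: `sensitive = true` on the three outputs in outputs.tf redacts them from plan/apply output only; the container definitions (which can carry environment variables, see the env_vars examples) are still written in clear text to the state, so access control on the state backend remains the real control, and neither the descriptions nor the README lines changed in this commit say so. With Terraform 0.14 and later any root-module output that references these values must itself be declared `sensitive = true` or the plan fails, which is a behaviour change for existing callers that the PR title does not mention and deserves a line in the README. A comment above the first output, `# Marked sensitive so generated definitions are redacted from CLI output; they remain in state in clear text.`, would record the intent for the next maintainer.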