From 9c82b456523a377eedab3fe4289d1e91efdc6596 Mon Sep 17 00:00:00 2001 From: Kacper Muda Date: Thu, 12 Oct 2023 12:43:18 +0200 Subject: [PATCH 1/9] chore: Update pre-commit repos to the latest versions --- .pre-commit-config.yaml | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0d64bfd..177b998 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -1,28 +1,33 @@ repos: - repo: https://github.com/gruntwork-io/pre-commit - rev: "v0.1.17" # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases + rev: "v0.1.22" # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases hooks: + - id: terraform-validate # It should be before tflint hook as it runs terraform init required by tflint + - id: terraform-fmt - id: tflint args: - --module - --config=.tflint.hcl - - id: terraform-validate - - id: terraform-fmt - repo: https://github.com/terraform-docs/terraform-docs - rev: "v0.16.0" # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases + rev: "v0.16.0" # Get the latest from: https://github.com/terraform-docs/terraform-docs/releases hooks: - id: terraform-docs-go args: ["."] - repo: https://github.com/bridgecrewio/checkov.git - rev: "2.2.229" # Get the latest from: https://github.com/bridgecrewio/checkov/releases + rev: "2.5.6" # Get the latest from: https://github.com/bridgecrewio/checkov/releases hooks: - id: checkov - args: [--skip-check, "CKV2_GHA_1"] #Flase positive for top-level permissions + args: [--skip-check, "CKV_TF_1"] # Terraform module sources do not use a git url with a commit hash revision - repo: https://github.com/pre-commit/pre-commit-hooks - rev: "v4.3.0" # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases + rev: "v4.5.0" # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases hooks: - id: check-merge-conflict + args: ["--assume-in-merge"] + - id: mixed-line-ending + args: ["--fix=no"] - id: end-of-file-fixer + - id: check-case-conflict + - id: check-yaml From e9e76dbfa3c4aeaa58599fa767f191980446848e Mon Sep 17 00:00:00 2001 
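Review bot: The new `args: [--skip-check, "CKV_TF_1"]` disables Checkov's module-source pinning check for every Terraform file the hook scans, not only the module blocks the trailing comment describes, and a module added later inherits the exemption silently. A narrower form is to keep the hook's args free of skips and suppress the finding on the specific `module` blocks with an inline `#checkov:skip=CKV_TF_1:<reason>` comment, so each exemption is visible next to the source it covers. If the global skip is kept, make the comment say that it is deliberate and repository-wide, e.g. `# Deliberate repo-wide skip: module sources are not pinned to a git commit hash`. The `rev:` values are release tags, which is the pre-commit convention, but a tag can be moved upstream; pre-commit also accepts a full commit SHA in `rev` where stricter pinning is wanted.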
From: Kacper Muda Date: Thu, 12 Oct 2023 12:43:37 +0200 Subject: [PATCH 2/9] chore: Add Dependabot configuration file (github-actions and terraform) --- .github/dependabot.yml | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..3ad7457 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,40 @@ +version: 2 +updates: + + # GitHub actions + - package-ecosystem: "github-actions" + directory: "/" # For GitHub Actions "/" must be used for workflow files in ".github/workflows" + schedule: + interval: "weekly" + commit-message: + prefix: "chore: " + labels: + - "release/patch" + + # Terraform + - package-ecosystem: "terraform" + directory: "/" + schedule: + interval: "weekly" + commit-message: + prefix: "chore: " + labels: + - "release/patch" + + - package-ecosystem: "terraform" + directory: "/examples/complete/" + schedule: + interval: "weekly" + commit-message: + prefix: "chore: " + labels: + - "release/patch" + + - package-ecosystem: "terraform" + directory: "/examples/simple/" + schedule: + interval: "weekly" + commit-message: + prefix: "chore: " + labels: + - "release/patch" From 01c7dfe0e90c9e66f1a6276258ceb00a8b5a93c7 Mon Sep 17 00:00:00 2001 From: Kacper Muda Date: Thu, 12 Oct 2023 12:43:49 +0200 Subject: [PATCH 3/9] ci: Remove tf-docs workflow --- .github/workflows/documentation.yml | 17 ----------------- 1 file changed, 17 deletions(-) delete mode 100644 .github/workflows/documentation.yml diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml deleted file mode 100644 index 7ec13ba..0000000 --- a/.github/workflows/documentation.yml +++ /dev/null 
@@ -1,17 +0,0 @@ -name: Generate terraform docs -on: - - pull_request -jobs: - docs: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - with: - ref: ${{ github.event.pull_request.head.ref }} - - - name: Render terraform docs inside the README.md and push changes back to PR branch - uses: terraform-docs/gh-actions@v1.0.0 - with: - working-dir: . - config-file: .terraform-docs.yml - git-push: "true" From acfb9500a37ea2434e4a821997e2055329f23771 Mon Sep 17 00:00:00 2001 From: Kacper Muda Date: Thu, 12 Oct 2023 12:44:10 +0200 Subject: [PATCH 4/9] ci: Change all workflows to call reusable workflows from getindata/github-workflows repository --- .github/workflows/pr-title.yml | 46 +++--------------- .github/workflows/pre-commit.yml | 80 ++------------------------------ .github/workflows/release.yml | 66 +++----------------------- 3 files changed, 17 insertions(+), 175 deletions(-) diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml index 23b8c9d..9963b1f 100644 --- a/.github/workflows/pr-title.yml +++ b/.github/workflows/pr-title.yml @@ -1,4 +1,8 @@ -name: 'Validate PR title' +name: Validate PR title + +permissions: + pull-requests: read + statuses: write on: pull_request_target: 
@@ -9,42 +13,4 @@ on: jobs: main: - name: Validate PR title - runs-on: ubuntu-latest - steps: - # Please look up the latest version from - # https://github.com/amannn/action-semantic-pull-request/releases - - uses: amannn/action-semantic-pull-request@v4 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - # Configure which types are allowed. - # Default: https://github.com/commitizen/conventional-commit-types - types: | - feat - fix - improvement - docs - refactor - test - ci - chore - # Configure that a scope must always be provided. - requireScope: false - # Configure additional validation for the subject based on a regex. - # This example ensures the subject starts with an uppercase character. - subjectPattern: ^[A-Z].+$ - # If `subjectPattern` is configured, you can use this property to override - # the default error message that is shown when the pattern doesn't match. - # The variables `subject` and `title` can be used within the message. - subjectPatternError: | - The subject "{subject}" found in the pull request title "{title}" - didn't match the configured pattern. Please ensure that the subject - starts with an uppercase character. - # For work-in-progress PRs you can typically use draft pull requests - # from Github. However, private repositories on the free plan don't have - # this option and therefore this action allows you to opt-in to using the - # special "[WIP]" prefix to indicate this state. This will avoid the - # validation of the PR title and the pull request checks remain pending. - # Note that a second check will be reported if this is enabled. - wip: true + uses: getindata/github-workflows/.github/workflows/gh-validate-pr-title.yml@v0.3.1 diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index e94d3d9..dd04c49 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -1,4 +1,6 @@ -name: Pre-Commit +name: TF Pre-Commit + +permissions: {} on: pull_request: 
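Review bot: `uses: getindata/github-workflows/.github/workflows/gh-validate-pr-title.yml@v0.3.1` references an external reusable workflow by a git tag that the upstream owner can move, and because this workflow runs on `pull_request_target` (declared in the previous hunk) the called workflow receives the repository token with the `statuses: write` permission added above. Pinning to the full commit SHA and keeping the version in a trailing comment, e.g. `uses: getindata/github-workflows/.github/workflows/gh-validate-pr-title.yml@<commit-sha> # v0.3.1`, removes the mutable indirection, and the github-actions Dependabot entry added in patch 2 should keep such SHA pins current. The same applies to the `tf-pre-commit.yml@v0.3.1` reference in the next pre-commit.yml hunk and to the `gh-create-release.yml@v0.3.1` reference in release.yml.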
@@ -6,78 +8,6 @@ on: - main - master -env: - TERRAFORM_DOCS_VERSION: v0.16.0 - TFLINT_VERSION: v0.43.0 - jobs: - collectInputs: - name: Collect workflow inputs - runs-on: ubuntu-latest - outputs: - directories: ${{ steps.dirs.outputs.directories }} - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Get root directories - id: dirs - uses: clowdhaus/terraform-composite-actions/directories@v1.3.0 - - preCommitMinVersions: - name: Min TF pre-commit - needs: collectInputs - runs-on: ubuntu-latest - strategy: - matrix: - directory: ${{ fromJson(needs.collectInputs.outputs.directories) }} - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Terraform min/max versions - id: minMax - uses: clowdhaus/terraform-min-max@v1.0.3 - with: - directory: ${{ matrix.directory }} - - - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }} - # Run only validate pre-commit check on min version supported - if: ${{ matrix.directory != '.' }} - uses: clowdhaus/terraform-composite-actions/pre-commit@v1.6.0 - with: - terraform-version: ${{ steps.minMax.outputs.minVersion }} - args: 'terraform-validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*' - - - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }} - # Run only validate pre-commit check on min version supported - if: ${{ matrix.directory == '.' 
}} - uses: clowdhaus/terraform-composite-actions/pre-commit@v1.6.0 - with: - terraform-version: ${{ steps.minMax.outputs.minVersion }} - args: 'terraform-validate --color=always --show-diff-on-failure --files $(ls *.tf)' - - preCommitMaxVersion: - name: Max TF pre-commit - runs-on: ubuntu-latest - needs: collectInputs - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - ref: ${{ github.event.pull_request.head.ref }} - repository: ${{github.event.pull_request.head.repo.full_name}} - - - name: Terraform min/max versions - id: minMax - uses: clowdhaus/terraform-min-max@v1.0.3 - - # Step required as tflint pre-commit hook requires module to be initialised - - run: terraform init - - - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }} - uses: clowdhaus/terraform-composite-actions/pre-commit@v1.6.0 - with: - terraform-version: ${{ steps.minMax.outputs.maxVersion }} - terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }} - tflint-version: ${{ env.TFLINT_VERSION }} + main: + uses: getindata/github-workflows/.github/workflows/tf-pre-commit.yml@v0.3.1 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b533188..ae78a7f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -1,67 +1,13 @@ name: Create new release with changelog +permissions: + contents: write + pull-requests: write + on: - pull_request: + pull_request_target: types: [closed] jobs: release: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - with: - fetch-depth: 100 - - - name: Check release label - id: release-label - uses: actions-ecosystem/action-release-label@v1 - if: ${{ github.event.pull_request.merged == true }} - - - name: Get latest tag - id: get-latest-tag - uses: actions-ecosystem/action-get-latest-tag@v1 - if: ${{ steps.release-label.outputs.level != null }} - - - name: Bump semantic version - id: bump-semver - uses: actions-ecosystem/action-bump-semver@v1 - if: ${{ steps.release-label.outputs.level != null }} - with: - current_version: ${{ steps.get-latest-tag.outputs.tag }} - level: ${{ steps.release-label.outputs.level }} - - - name: Tag release - id: tag-relese - uses: actions-ecosystem/action-push-tag@v1 - if: ${{ steps.release-label.outputs.level != null }} - with: - tag: ${{ steps.bump-semver.outputs.new_version }} - message: "${{ steps.bump-semver.outputs.new_version }}: PR #${{ github.event.pull_request.number }} ${{ github.event.pull_request.title }}" - - - name: Generate new release with changelog - id: release-with-changelog - uses: fregante/release-with-changelog@v3 - if: ${{ steps.bump-semver.outputs.new_version != null }} - with: - token: "${{ secrets.GITHUB_TOKEN }}" - exclude: '^meta|^docs|^document|^lint|^ci|^refactor|readme|workflow|bump|dependencies|yml|^v?\d+\.\d+\.\d+' - tag: "${{ steps.bump-semver.outputs.new_version }}" - title: "Version ${{ steps.bump-semver.outputs.new_version }}" - commit-template: "- {title} ← {hash}" - skip-on-empty: true - template: | - ### Changelog - - {commits} - - {range} - - - name: Comment PR - id: add-comment - uses: actions-ecosystem/action-create-comment@v1 - if: ${{ steps.bump-semver.outputs.new_version != null }} - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - number: ${{ 
steps.get-merged-pull-request.outputs.number }} - body: | - The new version [${{ steps.bump-semver.outputs.new_version }}](https://github.com/${{ github.repository }}/releases/tag/${{ steps.bump-semver.outputs.new_version }}) has been released :tada: + uses: getindata/github-workflows/.github/workflows/gh-create-release.yml@v0.3.1 From 8ce8353c61d8545aa64a6999e14d2981d6260b98 Mon Sep 17 00:00:00 2001 From: Kacper Muda Date: Thu, 12 Oct 2023 12:45:12 +0200 Subject: [PATCH 5/9] chore: Update min required terraform version to 1.3 in example --- examples/complete/versions.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf index 450c502..12ad22a 100644 --- a/examples/complete/versions.tf +++ b/examples/complete/versions.tf @@ -1,3 +1,3 @@ terraform { - required_version = ">= 0.13.0" + required_version = ">= 1.3.0" } From 9b214c4aa20f608386c25740d90cc376eeee1f86 Mon Sep 17 00:00:00 2001 From: Kacper Muda Date: Mon, 16 Oct 2023 11:43:35 +0200 Subject: [PATCH 6/9] ci: Update tflint config file --- .tflint.hcl | 38 +++++++++++--------------------------- 1 file changed, 11 insertions(+), 27 deletions(-) diff --git a/.tflint.hcl b/.tflint.hcl index e3aef49..6a33dcb 100644 --- a/.tflint.hcl +++ b/.tflint.hcl 
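Review bot: The trigger changes from `pull_request` to `pull_request_target` while the workflow gains `contents: write` and `pull-requests: write`, so a job that previously ran with the PR's token now runs in the base-repository context with a write-capable token and hands it to an external reusable workflow pinned only by the mutable tag `@v0.3.1`. The `types: [closed]` filter narrows when the job fires, but the explicit `github.event.pull_request.merged == true` condition that the removed steps carried is no longer present in this file; presumably the called workflow performs that check, otherwise closing an unmerged pull request would also run the release job with write permissions — confirm against the upstream workflow. Pin the reference to a full commit SHA and record the assumption next to it, e.g. `# gh-create-release.yml is expected to verify merged == true and must not check out PR head code under pull_request_target`.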
@@ -1,32 +1,16 @@ -rule "terraform_deprecated_interpolation" { - enabled = true +config { + ignore_module = { + "Invicton-Labs/deepmerge/null" = true + } } -rule "terraform_documented_outputs" { - enabled = true +plugin "terraform" { + enabled = true + version = "0.5.0" + source = "github.com/terraform-linters/tflint-ruleset-terraform" + preset = "all" } -rule "terraform_documented_variables" { - enabled = true -} - -rule "terraform_typed_variables" { - enabled = true -} - -rule "terraform_required_version" { - enabled = true -} - -rule "terraform_required_providers" { - enabled = true -} - -rule "terraform_unused_required_providers" { - enabled = true -} - -rule "terraform_naming_convention" { - enabled = true - format = "snake_case" +rule "terraform_standard_module_structure" { + enabled = false # Fails on context.tf } From 493d209a1e141c3d5e51c66761f4eac0af9263e4 Mon Sep 17 00:00:00 2001 From: Kacper Muda Date: Mon, 16 Oct 2023 11:43:45 +0200 Subject: [PATCH 7/9] docs: Add comments about versions of tflint and pre-commit repo --- .github/workflows/pre-commit.yml | 4 ++++ .pre-commit-config.yaml | 8 +++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index dd04c49..831a570 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -11,3 +11,7 @@ on: jobs: main: uses: getindata/github-workflows/.github/workflows/tf-pre-commit.yml@v0.3.1 + with: + # tflint v0.46.0 is the latest version we can use with pre-commit v0.1.20 + # See .pre-commit-config.yaml for more details. + tflint-version: v0.46.0 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 177b998..7e759f2 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
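Review bot: `plugin "terraform"` now declares `version = "0.5.0"` together with a `source`; as I understand tflint's plugin configuration, that combination makes `tflint --init` download the named release instead of using the terraform ruleset bundled with the tflint binary, so both the pre-commit `tflint` hook and the reusable CI workflow must run the init step, which is not visible in this diff — worth confirming. A comment above the block would record the coupling, e.g. `# version/source make tflint --init fetch this release; keep compatible with tflint-version in .github/workflows/pre-commit.yml`. `preset = "all"` enables every rule in the ruleset, a wider set than the eight rules the old file listed explicitly; the inline `# Fails on context.tf` on the disabled rule is the right way to document the one exception.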
@@ -1,8 +1,10 @@ repos: - repo: https://github.com/gruntwork-io/pre-commit - rev: "v0.1.22" # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases + # Stick to v0.1.20 until this bug is fixed: https://github.com/gruntwork-io/pre-commit/issues/102 + # When updating, also check if tflint version in pre-commit workflow can be updated. + rev: "v0.1.20" # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases hooks: - - id: terraform-validate # It should be before tflint hook as it runs terraform init required by tflint + - id: terraform-validate # It should be the first step as it runs terraform init required by tflint - id: terraform-fmt - id: tflint args: @@ -16,7 +18,7 @@ repos: args: ["."] - repo: https://github.com/bridgecrewio/checkov.git - rev: "2.5.6" # Get the latest from: https://github.com/bridgecrewio/checkov/releases + rev: "2.5.9" # Get the latest from: https://github.com/bridgecrewio/checkov/releases hooks: - id: checkov args: [--skip-check, "CKV_TF_1"] # Terraform module sources do not use a git url with a commit hash revision From e34f00d1e98d29b00b3b86dcd9b881697e0f5b61 Mon Sep 17 00:00:00 2001 From: Kacper Muda Date: Mon, 16 Oct 2023 17:58:24 +0200 Subject: [PATCH 8/9] ci: Update tflint config file --- .tflint.hcl | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.tflint.hcl b/.tflint.hcl index 6a33dcb..af41919 100644 --- a/.tflint.hcl +++ b/.tflint.hcl @@ -1,9 +1,3 @@ -config { - ignore_module = { - "Invicton-Labs/deepmerge/null" = true - } -} - plugin "terraform" { enabled = true version = "0.5.0" From adf80a66ab4016e6fb9a68114fa4a661f457a4fe Mon Sep 17 00:00:00 2001 From: Kacper Muda Date: Thu, 19 Oct 2023 11:39:20 +0200 Subject: [PATCH 9/9] chore: Update workflows and pre-commit version --- .github/workflows/pr-title.yml | 2 +- .github/workflows/pre-commit.yml | 5 +++-- .github/workflows/release.yml | 2 +- .pre-commit-config.yaml | 2 +- 4 files changed, 6 insertions(+), 5 deletions(-) 
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml index 9963b1f..40f63a1 100644 --- a/.github/workflows/pr-title.yml +++ b/.github/workflows/pr-title.yml @@ -13,4 +13,4 @@ on: jobs: main: - uses: getindata/github-workflows/.github/workflows/gh-validate-pr-title.yml@v0.3.1 + uses: getindata/github-workflows/.github/workflows/gh-validate-pr-title.yml@v1 diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 831a570..652dff0 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -1,6 +1,7 @@ name: TF Pre-Commit -permissions: {} +permissions: + contents: read on: pull_request: @@ -10,7 +11,7 @@ on: jobs: main: - uses: getindata/github-workflows/.github/workflows/tf-pre-commit.yml@v0.3.1 + uses: getindata/github-workflows/.github/workflows/tf-pre-commit.yml@v1 with: # tflint v0.46.0 is the latest version we can use with pre-commit v0.1.20 # See .pre-commit-config.yaml for more details. diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ae78a7f..fb52469 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,4 +10,4 @@ on: jobs: release: - uses: getindata/github-workflows/.github/workflows/gh-create-release.yml@v0.3.1 + uses: getindata/github-workflows/.github/workflows/gh-create-release.yml@v1 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 7e759f2..2c59029 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -18,7 +18,7 @@ repos: args: ["."] - repo: https://github.com/bridgecrewio/checkov.git - rev: "2.5.9" # Get the latest from: https://github.com/bridgecrewio/checkov/releases + rev: "2.5.13" # Get the latest from: https://github.com/bridgecrewio/checkov/releases hooks: - id: checkov args: [--skip-check, "CKV_TF_1"] # Terraform module sources do not use a git url with a commit hash revision
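Review bot: The three `uses:` references move from the exact tag `@v0.3.1` to the floating major tag `@v1` (the pr-title.yml, pre-commit.yml and release.yml hunks on this line), so every future push of the upstream `v1` tag changes what runs in this repository without a review here — and in release.yml that code receives a `contents: write` token under `pull_request_target`. A floating major is the convention for providers trusted unconditionally; otherwise pin the full commit SHA and keep the version in a comment, e.g. `uses: getindata/github-workflows/.github/workflows/gh-create-release.yml@<commit-sha> # v1.x.y`, which Dependabot can still advance. The `permissions:` change in pre-commit.yml from `{}` to `contents: read` is the right minimal grant for a workflow that needs to check out the repository.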