CODEOWNERS, run docker, mergify, and other updates/fixes

Dockerfile

@@ -36,13 +36,15 @@ RUN apk --update --no-cache add \
       codefresh@cloudposse \
       terraform-0.11@cloudposse terraform-0.12@cloudposse terraform-0.13@cloudposse terraform-0.14@cloudposse \
       terraform-config-inspect@cloudposse \
+      terraform-docs@cloudposse \
       vert@cloudposse \
       yq@cloudposse && \
     sed -i /PATH=/d /etc/profile
 
 # Use Terraform 0.13 by default
 ARG DEFAULT_TERRAFORM_VERSION=0.13
 RUN update-alternatives --set terraform /usr/share/terraform/$DEFAULT_TERRAFORM_VERSION/bin/terraform && \
+  mkdir -p /build-harness/vendor && \
   cp -p /usr/share/terraform/$DEFAULT_TERRAFORM_VERSION/bin/terraform /build-harness/vendor/terraform
 
 COPY ./ /build-harness/

modules/github/Makefile.init

@@ -6,14 +6,14 @@ GITHUB_TEMPLATES = \
 	.github/ISSUE_TEMPLATE/bug_report.md \
 	.github/ISSUE_TEMPLATE/question.md \
 	.github/auto-release.yml \
-	.github/workflows/auto-release.yml
+	.github/workflows/auto-release.yml \
+	.github/workflows/validate-codeowners.yml
 
 # Install extra configuration for terraform projects
-GITHUB_TERRAFORM_TEMPLATES = .github/workflows/chatops.yml
-# ToDo once we can make Mergify a code owner
-#	.github/workflows/auto-context.yml \
-#	.github/workflows/auto-readme.yml \
-#	.github/mergify.yml
+GITHUB_TERRAFORM_TEMPLATES = .github/workflows/chatops.yml \
+	.github/workflows/auto-context.yml \
+	.github/workflows/auto-readme.yml \
+	.github/mergify.yml
 
 
 $(GITHUB_TEMPLATES): $(addprefix $(BUILD_HARNESS_PATH)/templates/, $(GITHUB_TEMPLATES))
@@ -26,4 +26,13 @@ $(GITHUB_TERRAFORM_TEMPLATES): $(addprefix $(BUILD_HARNESS_PATH)/templates/terra
 	cp $(BUILD_HARNESS_PATH)/templates/terraform/$@ $@
 	git ls-files --error-unmatch $@ 2>/dev/null || git add $@
 
-github/init: $(GITHUB_TEMPLATES) $(if $(wildcard *.tf),$(GITHUB_TERRAFORM_TEMPLATES))
+context:
+	curl -o context.tf -fsSL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf
+	git ls-files --error-unmatch context.tf 2>/dev/null || git add context.tf
+	@if [[ -d examples/complete ]]; then \
+		cp -p context.tf examples/complete/context.tf ; \
+	fi
+
+.PHONY: $(GITHUB_TEMPLATES) $(GITHUB_TERRAFORM_TEMPLATES) context
+
+github/init: $(GITHUB_TEMPLATES) $(if $(wildcard *.tf),$(GITHUB_TERRAFORM_TEMPLATES) context)

modules/packages/Makefile

@@ -27,9 +27,9 @@ packages/install/%:
   		echo "* Package $$binary already installed"; \
 	elif [[ "$(PACKAGES_PREFER_HOST)" == "true" ]] && installed=$$(command -v $* 2>/dev/null); then \
 			echo Using "$*" from "$$installed" ; \
-			cp -p "$$installed" "$*" ; \
 	else \
 	  	$(MAKE) packages/install && \
+	  	echo "* Installing $* to $(INSTALL_PATH)" && \
 		$(MAKE) -C $(PACKAGES_PATH)/install "$*"; \
 	fi;
 

modules/terraform/Makefile

@@ -41,26 +41,29 @@ else
 endif
 
 ## Upgrade all terraform module sources
+## This target has not been upgraded to handle registry format
 terraform/upgrade-modules:
-	@$(BUILD_HARNESS_PATH)/bin/upgrade_terraform_modules.sh all
+	@echo "* $@ has been disabled because it has not been updated to handle Terraform registry syntax"
+	# @$(BUILD_HARNESS_PATH)/bin/upgrade_terraform_modules.sh all
 
-## Rewrite the *.tf files to use registry notation for modules sources
+# Rewrite the *.tf files to use registry notation for modules sources
 terraform/rewrite-module-source: TERRAFORM = terraform-0.13
 terraform/rewrite-module-source:
-	@sed -i -E 's,\s*source\s+=\s+"git::https://github.com/(.*?)/terraform-([^-]*?)-(.*?).git\?ref=(tags/)?(.*?)",  source = "\1/\3/\2"\n  version     = "\5",g' $$(find . -type f -not -name context.tf -name '*.tf')
+	@sed -i -E 's,\s*source\s+=\s+"git::https://github.com/([^/]+)/terraform-([^-]+)-(.+).git\?ref=(tags/)?([0-9.]+)",  source = "\1/\3/\2"\n  version     = "\5",g' $$(find . -type f -not -name context.tf -name '*.tf')
 	@$(TERRAFORM) fmt .
 	@$(TERRAFORM) fmt examples/complete
 
 terraform/rewrite-readme-source: TERRAFORM = terraform-0.13
 terraform/rewrite-readme-source:
-	@sed -i -E 's,^(\s*)source\s+=\s+"git::https://github.com/(.*?)/terraform-([^-]*?)-(.*?).git\?ref=(tags/)?master",\1source = "\2/\4/\3"\n\1# Cloud Posse recommends pinning every module to a specific version\n\1# version     = "x.x.x",g' README.yaml
+	@sed -i -E 's,^(\s*)source\s+=\s+"git::https://github.com/([^/]+)/terraform-([^-]+)-(.+).git\?ref=(tags/)?master",\1source = "\2/\4/\3"\n\1# Cloud Posse recommends pinning every module to a specific version\n\1# version     = "x.x.x",g' README.yaml
 
 ## Rewrite versions.tf to remove upper bound for terraform core version constraint (like this ">= 0.12.0, < 0.14.0")
+## and convert "~>" constraints to ">=".
 terraform/loosen-constraints: TERRAFORM = terraform-0.13
 terraform/loosen-constraints:
 	@for v in $$(find . -type f -name 'versions.tf'); do \
   		DIR="$$(dirname $$v)"; \
-		sed -i -E 's,required_version\s*\=\s*\"(.*?)(\,\s*<.*)",required_version = "\1",g' "$$v" ; \
+		sed -i -E 's,\s\=\s*\"(.*[0-9.]+)(\,\s*<.*)", = "\1",g' "$$v" ; \
 		sed -i -E 's,=\s*"\s*~>,= ">=,g' "$$v" ; \
 		$(TERRAFORM) fmt "$$DIR" ; \
 	done
@@ -84,13 +87,13 @@ terraform/bump-tf-12-min-version: terraform/loosen-constraints
 terraform/rewrite-required-providers: TERRAFORM = terraform-0.13
 terraform/rewrite-required-providers: terraform/loosen-constraints
 	@for v in $$(find . -type f -name 'versions.tf'); do \
-  		DIR="$$(dirname $$v)"; \
+  		DIR="$$(dirname $$v)" ; \
 		KEEP_VERSION=$$(grep -Eo 'required_version\s*=\s*"(.*)"' "$$v" | cut -d '"' -f2) ; \
 		echo upgrading $$v ; \
-		terraform-0.13 0.13upgrade -yes "$$DIR" ; \
+		terraform-0.13 0.13upgrade -yes "$$DIR" >/dev/null ; \
 		sed -i -E 's,(required_version\s*\=\s*\")(.*)(\"),\1'"$$KEEP_VERSION"'\3,g' "$$v" ; \
 	done
 
 terraform/v14-rewrite: TERRAFORM = terraform-0.13
-terraform/v14-rewrite: terraform/loosen-constraints terraform/rewrite-module-source terraform/rewrite-readme-source terraform/bump-tf-12-min-version terraform/rewrite-required-providers
+terraform/v14-rewrite: terraform/loosen-constraints terraform/bump-tf-12-min-version terraform/rewrite-required-providers terraform/rewrite-module-source terraform/rewrite-readme-source
 	@git diff --no-patch --exit-code README.yaml || $(MAKE) readme

templates/.github/CODEOWNERS

@@ -1,7 +1,7 @@
 # Use this file to define individuals or teams that are responsible for code in a repository.
 # Read more: <https://help.github.com/articles/about-codeowners/>
 #
-# Order is important: the last matching pattern takes the most precedence
+# Order is important: the last matching pattern has the highest precedence
 
 # These owners will be the default owners for everything
 *             @cloudposse/engineering @cloudposse/contributors
@@ -13,8 +13,11 @@
 # Cloud Posse must review any changes to GitHub actions
 .github/*     @cloudposse/engineering
 
-# Cloud Posse must review any changes to standard context definition
-**/context.tf   @cloudposse/engineering
+# Cloud Posse must review any changes to standard context definition,
+# but some changes can be rubber-stamped.
+**/context.tf   @cloudposse/engineering @cloudposse/approvers
+README.md       @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
+docs/*.md       @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
 
 # Cloud Posse Admins must review all changes to CODEOWNERS or the mergify configuration
 .github/mergify.yml @cloudposse/admins

templates/.github/auto-release.yml

@@ -4,30 +4,35 @@ version-template: '$MAJOR.$MINOR.$PATCH'
 version-resolver:
   major:
     labels:
-      - 'major'
+    - 'major'
   minor:
     labels:
-      - 'minor'
-      - 'enhancement'
+    - 'minor'
+    - 'enhancement'
   patch:
     labels:
-      - 'patch'
-      - 'fix'
-      - 'bugfix'
-      - 'bug'
-      - 'hotfix'
+    - 'auto-update'
+    - 'patch'
+    - 'fix'
+    - 'bugfix'
+    - 'bug'
+    - 'hotfix'
   default: 'minor'
 
 categories:
-  - title: '🚀 Enhancements'
-    labels:
-      - 'enhancement'
-  - title: '🐛 Bug Fixes'
-    labels:
-      - 'fix'
-      - 'bugfix'
-      - 'bug'
-      - 'hotfix'
+- title: '🚀 Enhancements'
+  labels:
+  - 'enhancement'
+  - 'patch'
+- title: '🐛 Bug Fixes'
+  labels:
+  - 'fix'
+  - 'bugfix'
+  - 'bug'
+  - 'hotfix'
+- title: '🤖 Automatic Updates'
+  labels:
+  - 'auto-update'
 
 change-template: |
   <details>

templates/.github/workflows/auto-release.yml

@@ -1,44 +1,19 @@
-name-template: 'v$RESOLVED_VERSION'
-tag-template: '$RESOLVED_VERSION'
-version-template: '$MAJOR.$MINOR.$PATCH'
-version-resolver:
-  major:
-    labels:
-    - 'major'
-  minor:
-    labels:
-    - 'minor'
-    - 'enhancement'
-  patch:
-    labels:
-    - 'auto-update'
-    - 'patch'
-    - 'fix'
-    - 'bugfix'
-    - 'bug'
-    - 'hotfix'
-  default: 'minor'
+name: auto-release
 
-categories:
-- title: '🚀 Enhancements'
-  labels:
-  - 'enhancement'
-- title: '🐛 Bug Fixes'
-  labels:
-  - 'fix'
-  - 'bugfix'
-  - 'bug'
-  - 'hotfix'
-- title: '🤖 Automatic Update'
-  labels:
-  - 'auto-update'
+on:
+  push:
+    branches:
+    - master
 
-change-template: |
-  <details>
-    <summary>$TITLE @$AUTHOR (#$NUMBER)</summary>
-
-    $BODY
-  </details>
-
-template: |
-  $CHANGES
+jobs:
+  semver:
+    runs-on: ubuntu-latest
+    steps:
+    # Drafts your next Release notes as Pull Requests are merged into "master"
+    - uses: release-drafter/release-drafter@v5
+      with:
+        publish: true
+        prerelease: false
+        config-name: auto-release.yml
+      env:
+        GITHUB_TOKEN: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}

templates/.github/workflows/validate-codeowners.yml

@@ -0,0 +1,18 @@
+name: Validate Codeowners
+on:
+  pull_request:
+    paths:
+    - '**/CODEOWNERS'
+    - '.github/workflows/validate-codeowners.yml'
+
+jobs:
+  validate-codeowners:
+    runs-on: ubuntu-latest
+    steps:
+    - name: "Checkout source code at current commit"
+      uses: actions/checkout@v2
+    - uses: mszostok/[email protected]
+      with:
+        checks: "files,syntax,owners,duppatterns"
+        # GitHub access token is required only if the `owners` check is enabled
+        github_access_token: "${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}"

templates/Makefile.build-harness

@@ -37,6 +37,11 @@ EXTRA_DOCKER_ENVS ?= AWS_CONFIG_FILE AWS_SHARED_CREDENTIALS_FILE
 MOUNT_HOME ?= $(shell [ -d "$$HOME" ] && printf -- "-e HOME -v \"%s\":\"%s\"" "$$HOME" "$$HOME")
 DOCKER_ENVS ?= $(DEFAULT_DOCKER_ENVS) $(EXTRA_DOCKER_ENVS)
 
+## Start a shell inside of the `build-harness` docker container with `make shell` or `make builder`
+## Run `make` targets inside the shell by setting `TARGETS`, e.g.
+##     make builder TARGETS="github/init readme"
+ARGS := $(if $(TARGETS),$(TARGETS),-l)
+ENTRYPOINT := $(if $(TARGETS),/usr/bin/make,/bin/bash)
 shell builder:
 	$(info Starting $(BUILD_HARNESS_DOCKER_IMAGE):$(BUILD_HARNESS_DOCKER_TAG))
 	docker run --name build-harness \
@@ -46,5 +51,5 @@ shell builder:
 		$(MOUNT_HOME) \
 		-v $(CURDIR):/opt \
 		--workdir /opt \
-		--entrypoint /bin/bash \
-		$(BUILD_HARNESS_DOCKER_IMAGE):$(BUILD_HARNESS_DOCKER_TAG) -l
+		--entrypoint $(ENTRYPOINT) \
+		$(BUILD_HARNESS_DOCKER_IMAGE):$(BUILD_HARNESS_DOCKER_TAG) $(ARGS)

templates/README.md.gotmpl

@@ -95,7 +95,7 @@ We highly recommend that in your code you pin the version to the exact version y
 using so that your infrastructure remains stable, and update versions in a
 systematic way so that they do not catch you by surprise.
 
-Also, because of a bug in the Terraform registry (hashicorp/terraform#21417),
+Also, because of a bug in the Terraform registry ([hashicorp/terraform#21417](https://github.com/hashicorp/terraform/issues/21417)),
 the registry shows many of our inputs as required when in fact they are optional.
 The table below correctly indicates which inputs are required.
 {{end}}

templates/terraform/.github/mergify.yml

@@ -10,6 +10,7 @@ pull_request_rules:
   actions:
     review:
       type: "APPROVE"
+      bot_account: "cloudposse-mergebot"
       message: "We've automatically approved this PR because the checks from the automated Pull Request have passed."
 
 - name: "merge automated PRs when approved and tests pass"
@@ -39,7 +40,7 @@ pull_request_rules:
   - "conflict"
   actions:
     comment:
-      message: "This pull request is now in conflicts. Could you fix it @{{author}}? 🙏"
+      message: "This pull request is now in conflict. Could you fix it @{{author}}? 🙏"
 
 - name: "remove outdated reviews"
   conditions:

templates/terraform/.github/workflows/chatops.yml

@@ -9,7 +9,7 @@ jobs:
     steps:
       - uses: actions/checkout@v2
       - name: "Handle common commands"
-        uses: cloudposse/actions/github/slash-command-dispatch@0.16.0
+        uses: cloudposse/actions/github/slash-command-dispatch@0.22.0
         with:
           token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
           reaction-token: ${{ secrets.GITHUB_TOKEN }}
@@ -24,7 +24,7 @@ jobs:
       - name: "Checkout commit"
         uses: actions/checkout@v2
       - name: "Run tests"
-        uses: cloudposse/actions/github/slash-command-dispatch@0.16.0
+        uses: cloudposse/actions/github/slash-command-dispatch@0.22.0
         with:
           token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
           reaction-token: ${{ secrets.GITHUB_TOKEN }}