Add support for Terraform 0.14

.github/linters/.hadolint.yml

@@ -0,0 +1,6 @@
+---
+##########################
+## Hadolint config file ##
+##########################
+ignored:
+  - DL3018

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.14.4-alpine3.11
+FROM golang:1.15.6-alpine3.12
 LABEL maintainer="Cloud Posse <[email protected]>"
 
 LABEL "com.github.actions.name"="Build Harness"
@@ -7,7 +7,7 @@ LABEL "com.github.actions.icon"="tool"
 LABEL "com.github.actions.color"="blue"
 
 RUN apk update && \
-    apk --update add \
+    apk --no-cache add \
       bash \
       ca-certificates \
       coreutils \
@@ -21,6 +21,7 @@ RUN apk update && \
       py-pip && \
     git config --global advice.detachedHead false
 
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN curl -sSL https://apk.cloudposse.com/install.sh | bash
 
 ## Install as packages
@@ -32,10 +33,12 @@ RUN apk --update --no-cache add \
       helm@cloudposse \
       helmfile@cloudposse \
       codefresh@cloudposse \
+      terraform-config-inspect@cloudposse \
+      vert@cloudposse \
       yq@cloudposse && \
     sed -i /PATH=/d /etc/profile
 
-ADD ./ /build-harness/
+COPY ./ /build-harness/
 
 ENV INSTALL_PATH /usr/local/bin
 

README.md

@@ -237,12 +237,14 @@ Available targets:
   slack/notify/deploy                 Send notification to slack using "deploy" template
   template/build                      Create $OUT file by building it from $IN template file
   template/deps                       Install dependencies
+  terraform/bump-tf-12-min-version    Rewrite versions.tf to bump modules with minimum core version of '0.12.x' to '>= 0.12.26'
   terraform/get-modules               Ensure all modules can be fetched
   terraform/get-plugins               Ensure all plugins can be fetched
   terraform/install                   Install terraform
   terraform/lint                      Lint check Terraform
   terraform/remove-upper-bound        Rewrite versions.tf to remove upper bound for terraform core version constraint (like this ">= 0.12.0, < 0.14.0")
   terraform/rewrite-module-source     Rewrite the *.tf files to use registry notation for modules sources
+  terraform/rewrite-required-providers Rewrite versions.tf to update existing configuration to add an explicit source attribute for each provider
   terraform/upgrade-modules           Upgrade all terraform module sources
   terraform/validate                  Basic terraform sanity check
   travis/docker-login                 Login into docker hub

docs/targets.md

@@ -114,12 +114,14 @@ Available targets:
   slack/notify/deploy                 Send notification to slack using "deploy" template
   template/build                      Create $OUT file by building it from $IN template file
   template/deps                       Install dependencies
+  terraform/bump-tf-12-min-version    Rewrite versions.tf to bump modules with minimum core version of '0.12.x' to '>= 0.12.26'
   terraform/get-modules               Ensure all modules can be fetched
   terraform/get-plugins               Ensure all plugins can be fetched
   terraform/install                   Install terraform
   terraform/lint                      Lint check Terraform
   terraform/remove-upper-bound        Rewrite versions.tf to remove upper bound for terraform core version constraint (like this ">= 0.12.0, < 0.14.0")
   terraform/rewrite-module-source     Rewrite the *.tf files to use registry notation for modules sources
+  terraform/rewrite-required-providers Rewrite versions.tf to update existing configuration to add an explicit source attribute for each provider
   terraform/upgrade-modules           Upgrade all terraform module sources
   terraform/validate                  Basic terraform sanity check
   travis/docker-login                 Login into docker hub

modules/github/Makefile.init

@@ -8,14 +8,22 @@ GITHUB_TEMPLATES = \
 	.github/auto-release.yml \
 	.github/workflows/auto-release.yml
 
-ifneq ($(wildcard *.tf),)
-# Install test workflow for terraform projects
-GITHUB_TEMPLATES += .github/workflows/chatops.yml
-endif
+# Install extra configuration for terraform projects
+GITHUB_TERRAFORM_TEMPLATES = .github/workflows/chatops.yml
+# ToDo once we can make Mergify a code owner
+#	.github/workflows/auto-context.yml \
+#	.github/workflows/auto-readme.yml \
+#	.github/mergify.yml
+
 
 $(GITHUB_TEMPLATES): $(addprefix $(BUILD_HARNESS_PATH)/templates/, $(GITHUB_TEMPLATES))
 	mkdir -p $(dir $@)
 	cp $(BUILD_HARNESS_PATH)/templates/$@ $@
 	git ls-files --error-unmatch $@ 2>/dev/null || git add $@
 
-github/init: $(GITHUB_TEMPLATES)
+$(GITHUB_TERRAFORM_TEMPLATES): $(addprefix $(BUILD_HARNESS_PATH)/templates/terraform/, $(GITHUB_TERRAFORM_TEMPLATES))
+	mkdir -p $(dir $@)
+	cp $(BUILD_HARNESS_PATH)/templates/terraform/$@ $@
+	git ls-files --error-unmatch $@ 2>/dev/null || git add $@
+
+github/init: $(GITHUB_TEMPLATES) $(if $(wildcard *.tf),$(GITHUB_TERRAFORM_TEMPLATES))

modules/terraform/Makefile

@@ -46,12 +46,39 @@ terraform/upgrade-modules:
 
 ## Rewrite the *.tf files to use registry notation for modules sources
 terraform/rewrite-module-source:
-	@sed -i -E 's,"git::https://github.com/(.*?)/terraform-([^-]*?)-(.*?).git\?ref=tags/(.*?)","\1/\3/\2"\n  version     = "\4",g' $$(find . -type f -name '*.tf')
+	@sed -i -E 's,\s*source\s+=\s+"git::https://github.com/(.*?)/terraform-([^-]*?)-(.*?).git\?ref=(tags/)?(.*?)",  source = "\1/\3/\2"\n  version     = "\5",g' $$(find . -type f -not -name context.tf -name '*.tf')
 	@$(TERRAFORM) fmt .
 	@$(TERRAFORM) fmt examples/complete
 
+terraform/rewrite-readme-source:
+	@sed -i -E 's,^(\s*)source\s+=\s+"git::https://github.com/(.*?)/terraform-([^-]*?)-(.*?).git\?ref=(tags/)?master",\1source = "\2/\4/\3"\n\1# Cloud Posse recommends pinning every module to a specific version\n\1# version     = "x.x.x",g' README.yaml
+
 ## Rewrite versions.tf to remove upper bound for terraform core version constraint (like this ">= 0.12.0, < 0.14.0")
 terraform/remove-upper-bound:
 	@sed -i -E 's,required_version\s*\=\s*\"(.*?)(\,\s*<.*)",required_version = "\1",g' $$(find . -type f -name 'versions.tf')
 	@$(TERRAFORM) fmt .
 	@$(TERRAFORM) fmt examples/complete
+
+## Rewrite versions.tf to bump modules with minimum core version of '0.12.x' to '>= 0.12.26'
+terraform/bump-tf-12-min-version:
+	@PIN="$$(terraform-config-inspect --json . | jq -r '.required_core[]')" ; \
+	if vert "$$PIN" 0.12.26 >/dev/null; then \
+		echo Module already pinned to "$$PIN" ; \
+	else \
+		sed -i -E 's,required_version\s*\=\s*\"(\~>|>\=)\s?(0\.12(\.\d+)?)\",required_version = ">= 0.12.26",g' $$(find . -type f -name 'versions.tf') ; \
+		$(TERRAFORM) fmt . ; \
+		$(TERRAFORM) fmt examples/complete ; \
+	fi
+
+## Rewrite versions.tf to update existing configuration to add an explicit source attribute for each provider
+terraform/rewrite-required-providers:
+	@KEEP_VERSION=$$(grep -Eo 'required_version\s*=\s*"(.*)"' versions.tf | cut -d '"' -f2) ; \
+		terraform-0.13 0.13upgrade -yes ./ ; \
+		terraform-0.13 0.13upgrade -yes examples/complete ; \
+		sed -i -E 's,(required_version\s*\=\s*\")(.*)(\"),\1'"$$KEEP_VERSION"'\3,g' $$(find . -type f -name 'versions.tf')
+	@$(TERRAFORM) fmt .
+	@$(TERRAFORM) fmt examples/complete
+
+terraform/v14-rewrite: TERRAFORM = terraform-0.13
+terraform/v14-rewrite: terraform/remove-upper-bound terraform/rewrite-module-source terraform/rewrite-readme-source terraform/bump-tf-12-min-version terraform/rewrite-required-providers
+	git diff --no-patch --exit-code README.yaml || $(MAKE) readme

templates/.github/CODEOWNERS

@@ -15,3 +15,7 @@
 
 # Cloud Posse must review any changes to standard context definition
 **/context.tf   @cloudposse/engineering
+
+# Cloud Posse Admins must review all changes to CODEOWNERS or the mergify configuration
+.github/mergify.yml @cloudposse/admins
+.github/CODEOWNERS  @cloudposse/admins

templates/.github/workflows/auto-release.yml

@@ -1,19 +1,44 @@
-name: auto-release
+name-template: 'v$RESOLVED_VERSION'
+tag-template: '$RESOLVED_VERSION'
+version-template: '$MAJOR.$MINOR.$PATCH'
+version-resolver:
+  major:
+    labels:
+    - 'major'
+  minor:
+    labels:
+    - 'minor'
+    - 'enhancement'
+  patch:
+    labels:
+    - 'auto-update'
+    - 'patch'
+    - 'fix'
+    - 'bugfix'
+    - 'bug'
+    - 'hotfix'
+  default: 'minor'
 
-on:
-  push:
-    branches:
-    - master
+categories:
+- title: '🚀 Enhancements'
+  labels:
+  - 'enhancement'
+- title: '🐛 Bug Fixes'
+  labels:
+  - 'fix'
+  - 'bugfix'
+  - 'bug'
+  - 'hotfix'
+- title: '🤖 Automatic Update'
+  labels:
+  - 'auto-update'
 
-jobs:
-  semver:
-    runs-on: ubuntu-latest
-    steps:
-    # Drafts your next Release notes as Pull Requests are merged into "master"
-    - uses: release-drafter/release-drafter@v5
-      with:
-        publish: true
-        prerelease: false
-        config-name: auto-release.yml
-      env:
-        GITHUB_TOKEN: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
+change-template: |
+  <details>
+    <summary>$TITLE @$AUTHOR (#$NUMBER)</summary>
+
+    $BODY
+  </details>
+
+template: |
+  $CHANGES

templates/README.md.gotmpl

@@ -89,8 +89,15 @@ We literally have [*hundreds of terraform modules*][terraform_modules] that are
 ## Usage
 
 {{ if (file.Exists "main.tf") }}
-**IMPORTANT:** The `master` branch is used in `source` just as an example. In your code, do not pin to `master` because there may be breaking changes between releases.
-Instead pin to the release tag (e.g. `?ref=tags/x.y.z`) of one of our [latest releases]({{ printf "https://github.com/%s/releases" (ds "config").github_repo}}).
+**IMPORTANT:** We do not pin modules to versions in our examples because of the
+difficulty of keeping the versions in the documentation in sync with the latest released versions.
+We highly recommend that in your code you pin the version to the exact version you are
+using so that your infrastructure remains stable, and update versions in a
+systematic way so that they do not catch you by surprise.
+
+Also, because of a bug in the Terraform registry (hashicorp/terraform#21417),
+the registry shows many of our inputs as required when in fact they are optional.
+The table below correctly indicates which inputs are required.
 {{end}}
 
 {{ (ds "config").usage -}}

templates/terraform/.github/mergify.yml

@@ -0,0 +1,51 @@
+pull_request_rules:
+- name: "approve automated PRs that have passed checks"
+  conditions:
+  - "check-success~=test/bats"
+  - "check-success~=test/readme"
+  - "check-success~=test/terratest"
+  - "base=master"
+  - "author=cloudpossebot"
+  - "head~=auto-update/.*"
+  actions:
+    review:
+      type: "APPROVE"
+      message: "We've automatically approved this PR because the checks from the automated Pull Request have passed."
+
+- name: "merge automated PRs when approved and tests pass"
+  conditions:
+  - "check-success~=test/bats"
+  - "check-success~=test/readme"
+  - "check-success~=test/terratest"
+  - "base=master"
+  - "head~=auto-update/.*"
+  - "#approved-reviews-by>=1"
+  - "#changes-requested-reviews-by=0"
+  - "#commented-reviews-by=0"
+  - "base=master"
+  - "author=cloudpossebot"
+  actions:
+    merge:
+      method: "squash"
+
+- name: "delete the head branch after merge"
+  conditions:
+  - "merged"
+  actions:
+    delete_head_branch: {}
+
+- name: "ask to resolve conflict"
+  conditions:
+  - "conflict"
+  actions:
+    comment:
+      message: "This pull request is now in conflicts. Could you fix it @{{author}}? 🙏"
+
+- name: "remove outdated reviews"
+  conditions:
+  - "base=master"
+  actions:
+    dismiss_reviews:
+      changes_requested: true
+      approved: true
+      message: "This Pull Request has been updated, so we're dismissing all reviews."

templates/terraform/.github/workflows/auto-context.yml

@@ -0,0 +1,54 @@
+name: "auto-context"
+on:
+  schedule:
+  # Update context.tf nightly
+  - cron:  '0 3 * * *'
+
+jobs:
+  update:
+    if: github.event_name == 'schedule'
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+
+    - name: Update context.tf
+      shell: bash
+      id: update
+      env:
+        GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+      run: |
+        if [[ -f context.tf ]]; then
+          echo "Discovered existing context.tf! Fetching most recent version to see if there is an update."
+          curl -o context.tf -fsSL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf
+          if git diff --no-patch --exit-code context.tf; then
+            echo "No changes detected! Exiting the job..."
+          else
+            echo "context.tf file was updated. Need to rebuild README.md."
+            make init
+            make readme/build
+            echo "::set-output name=create_pull_request=true"
+          fi
+        else
+          echo "This module has not yet been updated to support the context.tf pattern! Please update in order to support automatic updates."
+        fi
+
+    - name: Create Pull Request
+      if: {{ steps.update.outputs.create_pull_request == 'true' }}
+      uses: cloudposse/actions/github/[email protected]
+      with:
+        token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
+        commit-message: Update context.tf from origin source
+        title: Update context.tf
+        body: |-
+          ## what
+          This is an auto-generated PR that updates the `context.tf` file to the latest version from `cloudposse/terraform-null-label`
+
+          ## why
+          To support all the features of the `context` interface.
+
+        branch: auto-update/context.tf
+        base: master
+        delete-branch: true
+        labels: |
+          auto-update
+          context

templates/terraform/.github/workflows/auto-readme.yml

@@ -0,0 +1,41 @@
+name: "auto-readme"
+on:
+  schedule:
+  # Update README.md nightly
+  - cron:  '0 4 * * *'
+
+jobs:
+  update:
+    if: github.event_name == 'schedule'
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+
+    - name: Update readme
+      shell: bash
+      id: update
+      env:
+        GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+      run: |
+        make init
+        make readme/build
+
+    - name: Create Pull Request
+      uses: cloudposse/actions/github/[email protected]
+      with:
+        token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
+        commit-message: Update README.md and docs
+        title: Update README.md and docs
+        body: |-
+          ## what
+          This is an auto-generated PR that updates the README.md and docs
+
+          ## why
+          To have most recent changes of README.md and doc from origin templates
+
+        branch: auto-update/readme
+        base: master
+        delete-branch: true
+        labels: |
+          auto-update
+          readme