cloudposse · Nuru · Dec 10, 2020 · Dec 7, 2020 · Dec 7, 2020 · Dec 7, 2020
@@ -0,0 +1,6 @@
+---
+##########################
+## Hadolint config file ##
+##########################
+ignored:
+  - DL3018
@@ -9,7 +9,7 @@ jobs:
     steps:
       - uses: actions/checkout@v2
       - name: "Handle common commands"
-        uses: cloudposse/actions/github/slash-command-dispatch@0.16.0
+        uses: cloudposse/actions/github/slash-command-dispatch@0.22.0
         with:
           token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
           reaction-token: ${{ secrets.GITHUB_TOKEN }}
@@ -24,7 +24,7 @@ jobs:
       - name: "Checkout commit"
         uses: actions/checkout@v2
       - name: "Run tests"
-        uses: cloudposse/actions/github/slash-command-dispatch@0.16.0
+        uses: cloudposse/actions/github/slash-command-dispatch@0.22.0
         with:
           token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
           reaction-token: ${{ secrets.GITHUB_TOKEN }}

@@ -0,0 +1,18 @@
+name: Validate Codeowners
+on:
+  pull_request:
+    paths:
+    - '**/CODEOWNERS'
+    - '.github/workflows/validate-codeowners.yml'
+
+jobs:
+  validate-codeowners:
+    runs-on: ubuntu-latest
+    steps:
+    - name: "Checkout source code at current commit"
+      uses: actions/checkout@v2
+    - uses: mszostok/[email protected]
+      with:
+        checks: "files,syntax,owners,duppatterns"
+        # GitHub access token is required only if the `owners` check is enabled
+        github_access_token: "${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}"
@@ -1,46 +1,59 @@
-FROM golang:1.14.4-alpine3.11
+FROM golang:1.15.6-alpine3.12
 LABEL maintainer="Cloud Posse <[email protected]>"
 
 LABEL "com.github.actions.name"="Build Harness"
 LABEL "com.github.actions.description"="Run any build-harness make target"
 LABEL "com.github.actions.icon"="tool"
 LABEL "com.github.actions.color"="blue"
 
-RUN apk update && \
-    apk --update add \
+RUN apk --update --no-cache add \
       bash \
       ca-certificates \
       coreutils \
       curl \
       git \
       gettext \
+      go \
       grep \
       jq \
       libc6-compat \
       make \
       py-pip && \
     git config --global advice.detachedHead false
 
-RUN curl -sSL https://apk.cloudposse.com/install.sh | bash
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+RUN curl -fsSL --retry 3 https://apk.cloudposse.com/install.sh | bash
 
 ## Install as packages
 
 ## Codefresh required additional libraries for alpine
 ## So can not be curl binary
 RUN apk --update --no-cache add \
       chamber@cloudposse \
+      gomplate@cloudposse \
       helm@cloudposse \
       helmfile@cloudposse \
       codefresh@cloudposse \
+      terraform-0.11@cloudposse terraform-0.12@cloudposse terraform-0.13@cloudposse terraform-0.14@cloudposse \
+      terraform-config-inspect@cloudposse \
+      terraform-docs@cloudposse \
+      vert@cloudposse \
       yq@cloudposse && \
     sed -i /PATH=/d /etc/profile
 
-ADD ./ /build-harness/
+# Use Terraform 0.13 by default
+ARG DEFAULT_TERRAFORM_VERSION=0.13
+RUN update-alternatives --set terraform /usr/share/terraform/$DEFAULT_TERRAFORM_VERSION/bin/terraform && \
+  mkdir -p /build-harness/vendor && \
+  cp -p /usr/share/terraform/$DEFAULT_TERRAFORM_VERSION/bin/terraform /build-harness/vendor/terraform
+
+COPY ./ /build-harness/
 
 ENV INSTALL_PATH /usr/local/bin
 
 WORKDIR /build-harness
 
+ARG PACKAGES_PREFER_HOST=true
 RUN make -s bash/lint make/lint
 RUN make -s template/deps aws/install terraform/install readme/deps
 RUN make -s go/deps-build go/deps-dev

@@ -237,13 +237,14 @@ Available targets:
   slack/notify/deploy                 Send notification to slack using "deploy" template
   template/build                      Create $OUT file by building it from $IN template file
   template/deps                       Install dependencies
+  terraform/bump-tf-12-min-version    Rewrite versions.tf to bump modules with minimum core version of '0.12.x' to '>= 0.12.26'
   terraform/get-modules               Ensure all modules can be fetched
   terraform/get-plugins               Ensure all plugins can be fetched
   terraform/install                   Install terraform
   terraform/lint                      Lint check Terraform
-  terraform/remove-upper-bound        Rewrite versions.tf to remove upper bound for terraform core version constraint (like this ">= 0.12.0, < 0.14.0")
-  terraform/rewrite-module-source     Rewrite the *.tf files to use registry notation for modules sources
-  terraform/upgrade-modules           Upgrade all terraform module sources
+  terraform/loosen-constraints        and convert "~>" constraints to ">=".
+  terraform/rewrite-required-providers Rewrite versions.tf to update existing configuration to add an explicit source attribute for each provider
+  terraform/upgrade-modules           This target has not been upgraded to handle registry format
   terraform/validate                  Basic terraform sanity check
   travis/docker-login                 Login into docker hub
   travis/docker-tag-and-push          Tag & Push according Travis environment variables

@@ -114,13 +114,14 @@ Available targets:
   slack/notify/deploy                 Send notification to slack using "deploy" template
   template/build                      Create $OUT file by building it from $IN template file
   template/deps                       Install dependencies
+  terraform/bump-tf-12-min-version    Rewrite versions.tf to bump modules with minimum core version of '0.12.x' to '>= 0.12.26'
   terraform/get-modules               Ensure all modules can be fetched
   terraform/get-plugins               Ensure all plugins can be fetched
   terraform/install                   Install terraform
   terraform/lint                      Lint check Terraform
-  terraform/remove-upper-bound        Rewrite versions.tf to remove upper bound for terraform core version constraint (like this ">= 0.12.0, < 0.14.0")
-  terraform/rewrite-module-source     Rewrite the *.tf files to use registry notation for modules sources
-  terraform/upgrade-modules           Upgrade all terraform module sources
+  terraform/loosen-constraints        and convert "~>" constraints to ">=".
+  terraform/rewrite-required-providers Rewrite versions.tf to update existing configuration to add an explicit source attribute for each provider
+  terraform/upgrade-modules           This target has not been upgraded to handle registry format
   terraform/validate                  Basic terraform sanity check
   travis/docker-login                 Login into docker hub
   travis/docker-tag-and-push          Tag & Push according Travis environment variables

@@ -6,16 +6,33 @@ GITHUB_TEMPLATES = \
 	.github/ISSUE_TEMPLATE/bug_report.md \
 	.github/ISSUE_TEMPLATE/question.md \
 	.github/auto-release.yml \
-	.github/workflows/auto-release.yml
+	.github/workflows/auto-release.yml \
+	.github/workflows/validate-codeowners.yml
+
+# Install extra configuration for terraform projects
+GITHUB_TERRAFORM_TEMPLATES = .github/workflows/chatops.yml \
+	.github/workflows/auto-context.yml \
+	.github/workflows/auto-readme.yml \
+	.github/mergify.yml
 
-ifneq ($(wildcard *.tf),)
-# Install test workflow for terraform projects
-GITHUB_TEMPLATES += .github/workflows/chatops.yml
-endif
 
 $(GITHUB_TEMPLATES): $(addprefix $(BUILD_HARNESS_PATH)/templates/, $(GITHUB_TEMPLATES))
 	mkdir -p $(dir $@)
 	cp $(BUILD_HARNESS_PATH)/templates/$@ $@
 	git ls-files --error-unmatch $@ 2>/dev/null || git add $@
 
-github/init: $(GITHUB_TEMPLATES)
+$(GITHUB_TERRAFORM_TEMPLATES): $(addprefix $(BUILD_HARNESS_PATH)/templates/terraform/, $(GITHUB_TERRAFORM_TEMPLATES))
+	mkdir -p $(dir $@)
+	cp $(BUILD_HARNESS_PATH)/templates/terraform/$@ $@
+	git ls-files --error-unmatch $@ 2>/dev/null || git add $@
+
+context:
+	curl -o context.tf -fsSL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf
+	git ls-files --error-unmatch context.tf 2>/dev/null || git add context.tf
+	@if [[ -d examples/complete ]]; then \
+		cp -p context.tf examples/complete/context.tf ; \
+	fi
+
+.PHONY: $(GITHUB_TEMPLATES) $(GITHUB_TERRAFORM_TEMPLATES) context
+
+github/init: $(GITHUB_TEMPLATES) $(if $(wildcard *.tf),$(GITHUB_TERRAFORM_TEMPLATES) context)
@@ -1,6 +1,7 @@
 export INSTALL_PATH ?= $(BUILD_HARNESS_PATH)/vendor
 export PACKAGES_VERSION ?= 0.133.0
 export PACKAGES_PATH ?= $(BUILD_HARNESS_PATH)/vendor/packages
+export PACKAGES_PREFER_HOST ?= false
 
 ## Delete packages
 packages/delete:
@@ -13,18 +14,23 @@ packages/reinstall: packages/delete packages/install
 ## Install packages 
 packages/install:
 	@if [ ! -d $(PACKAGES_PATH) ]; then \
-	  echo "Installing packages $(PACKAGES_VERSION)..."; \
+	  echo "* Installing packages $(PACKAGES_VERSION)..."; \
 	  rm -rf $(PACKAGES_PATH); \
 	  $(GIT) clone -c advice.detachedHead=false --depth=1 -b $(PACKAGES_VERSION) https://github.com/cloudposse/packages.git $(PACKAGES_PATH); \
 	  rm -rf $(PACKAGES_PATH)/.git; \
 	fi 
 
 ## Install package (e.g. helm, helmfile, kubectl)
-packages/install/%: packages/install
-	@if [ ! -x $(INSTALL_PATH)/$(subst packages/install/,,$@) ]; then \
-		$(MAKE) -C $(PACKAGES_PATH)/install $(subst packages/install/,,$@); \
+packages/install/%:
+	@binary="$*"; \
+	if [[ -x "$(INSTALL_PATH)/$$binary" ]]; then \
+  		echo "* Package $$binary already installed"; \
+	elif [[ "$(PACKAGES_PREFER_HOST)" == "true" ]] && installed=$$(command -v $* 2>/dev/null); then \
+			echo Using "$*" from "$$installed" ; \
 	else \
-		echo "Package $(subst packages/install/,,$@) already installed"; \
+	  	$(MAKE) packages/install && \
+	  	echo "* Installing $* to $(INSTALL_PATH)" && \
+		$(MAKE) -C $(PACKAGES_PATH)/install "$*"; \
 	fi;
 
 ## Reinstall package (e.g. helm, helmfile, kubectl)

@@ -41,17 +41,59 @@ else
 endif
 
 ## Upgrade all terraform module sources
+## This target has not been upgraded to handle registry format
 terraform/upgrade-modules:
-	@$(BUILD_HARNESS_PATH)/bin/upgrade_terraform_modules.sh all
+	@echo "* $@ has been disabled because it has not been updated to handle Terraform registry syntax"
+	# @$(BUILD_HARNESS_PATH)/bin/upgrade_terraform_modules.sh all
 
-## Rewrite the *.tf files to use registry notation for modules sources
+# Rewrite the *.tf files to use registry notation for modules sources
+terraform/rewrite-module-source: TERRAFORM = terraform-0.13
 terraform/rewrite-module-source:
-	@sed -i -E 's,"git::https://github.com/(.*?)/terraform-([^-]*?)-(.*?).git\?ref=tags/(.*?)","\1/\3/\2"\n  version     = "\4",g' $$(find . -type f -name '*.tf')
+	@sed -i -E 's,\s*source\s+=\s+"git::https://github.com/([^/]+)/terraform-([^-]+)-(.+).git\?ref=(tags/)?([0-9.]+)",  source = "\1/\3/\2"\n  version     = "\5",g' $$(find . -type f -not -name context.tf -name '*.tf')
 	@$(TERRAFORM) fmt .
 	@$(TERRAFORM) fmt examples/complete
 
+terraform/rewrite-readme-source: TERRAFORM = terraform-0.13
+terraform/rewrite-readme-source:
+	@sed -i -E 's,^(\s*)source\s+=\s+"git::https://github.com/([^/]+)/terraform-([^-]+)-(.+).git\?ref=(tags/)?master",\1source = "\2/\4/\3"\n\1# Cloud Posse recommends pinning every module to a specific version\n\1# version     = "x.x.x",g' README.yaml
+
 ## Rewrite versions.tf to remove upper bound for terraform core version constraint (like this ">= 0.12.0, < 0.14.0")
-terraform/remove-upper-bound:
-	@sed -i -E 's,required_version\s*\=\s*\"(.*?)(\,\s*<.*)",required_version = "\1",g' $$(find . -type f -name 'versions.tf')
-	@$(TERRAFORM) fmt .
-	@$(TERRAFORM) fmt examples/complete
+## and convert "~>" constraints to ">=".
+terraform/loosen-constraints: TERRAFORM = terraform-0.13
+terraform/loosen-constraints:
+	@for v in $$(find . -type f -name 'versions.tf'); do \
+  		DIR="$$(dirname $$v)"; \
+		sed -i -E 's,\s\=\s*\"(.*[0-9.]+)(\,\s*<.*)", = "\1",g' "$$v" ; \
+		sed -i -E 's,=\s*"\s*~>,= ">=,g' "$$v" ; \
+		$(TERRAFORM) fmt "$$DIR" ; \
+	done
+
+## Rewrite versions.tf to bump modules with minimum core version of '0.12.x' to '>= 0.12.26'
+terraform/bump-tf-12-min-version: TERRAFORM = terraform-0.13
+terraform/bump-tf-12-min-version: terraform/loosen-constraints
+	@for v in $$(find . -type f -name 'versions.tf'); do \
+  		DIR="$$(dirname $$v)"; \
+		PIN="$$(terraform-config-inspect --json "$$DIR" | jq -r '.required_core[]')" ; \
+		if vert "$$PIN" 0.12.25 >/dev/null; then \
+		  	echo updating "$$v" ; \
+			sed -i -E 's,required_version\s*\=\s*\"(\~>|>\=)\s?(0\.12(\.\d+)?)\",required_version = ">= 0.12.26",g' "$$v" ; \
+			$(TERRAFORM) fmt $$DIR ; \
+		else \
+			echo "$$v" already pinned to "$$PIN" ; \
+		fi; \
+	done
+
+## Rewrite versions.tf to update existing configuration to add an explicit source attribute for each provider
+terraform/rewrite-required-providers: TERRAFORM = terraform-0.13
+terraform/rewrite-required-providers: terraform/loosen-constraints
+	@for v in $$(find . -type f -name 'versions.tf'); do \
+  		DIR="$$(dirname $$v)" ; \
+		KEEP_VERSION=$$(grep -Eo 'required_version\s*=\s*"(.*)"' "$$v" | cut -d '"' -f2) ; \
+		echo upgrading $$v ; \
+		terraform-0.13 0.13upgrade -yes "$$DIR" >/dev/null ; \
+		sed -i -E 's,(required_version\s*\=\s*\")(.*)(\"),\1'"$$KEEP_VERSION"'\3,g' "$$v" ; \
+	done
+
+terraform/v14-rewrite: TERRAFORM = terraform-0.13
+terraform/v14-rewrite: terraform/loosen-constraints terraform/bump-tf-12-min-version terraform/rewrite-required-providers terraform/rewrite-module-source terraform/rewrite-readme-source
+	@git diff --no-patch --exit-code README.yaml || $(MAKE) readme
@@ -1,7 +1,7 @@
 # Use this file to define individuals or teams that are responsible for code in a repository.
 # Read more: <https://help.github.com/articles/about-codeowners/>
 #
-# Order is important: the last matching pattern takes the most precedence
+# Order is important: the last matching pattern has the highest precedence
 
 # These owners will be the default owners for everything
 *             @cloudposse/engineering @cloudposse/contributors
@@ -13,5 +13,12 @@
 # Cloud Posse must review any changes to GitHub actions
 .github/*     @cloudposse/engineering
 
-# Cloud Posse must review any changes to standard context definition
-**/context.tf   @cloudposse/engineering
+# Cloud Posse must review any changes to standard context definition,
+# but some changes can be rubber-stamped.
+**/context.tf   @cloudposse/engineering @cloudposse/approvers
+README.md       @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
+docs/*.md       @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
+
+# Cloud Posse Admins must review all changes to CODEOWNERS or the mergify configuration
+.github/mergify.yml @cloudposse/admins
+.github/CODEOWNERS  @cloudposse/admins
@@ -4,30 +4,35 @@ version-template: '$MAJOR.$MINOR.$PATCH'
 version-resolver:
   major:
     labels:
-      - 'major'
+    - 'major'
   minor:
     labels:
-      - 'minor'
-      - 'enhancement'
+    - 'minor'
+    - 'enhancement'
   patch:
     labels:
-      - 'patch'
-      - 'fix'
-      - 'bugfix'
-      - 'bug'
-      - 'hotfix'
+    - 'auto-update'
+    - 'patch'
+    - 'fix'
+    - 'bugfix'
+    - 'bug'
+    - 'hotfix'
   default: 'minor'
 
 categories:
-  - title: '🚀 Enhancements'
-    labels:
-      - 'enhancement'
-  - title: '🐛 Bug Fixes'
-    labels:
-      - 'fix'
-      - 'bugfix'
-      - 'bug'
-      - 'hotfix'
+- title: '🚀 Enhancements'
+  labels:
+  - 'enhancement'
+  - 'patch'
+- title: '🐛 Bug Fixes'
+  labels:
+  - 'fix'
+  - 'bugfix'
+  - 'bug'
+  - 'hotfix'
+- title: '🤖 Automatic Updates'
+  labels:
+  - 'auto-update'
 
 change-template: |
   <details>

@@ -0,0 +1,21 @@
+name: Validate Codeowners
+on:
+  pull_request:
+    paths:
+    - '**/CODEOWNERS'
+    - '.github/workflows/validate-codeowners.yml'
+
+jobs:
+  validate-codeowners:
+    runs-on: ubuntu-latest
+    steps:
+    - name: "Checkout source code at current commit"
+      uses: actions/checkout@v2
+    - uses: mszostok/[email protected]
+      with:
+        # For now, remove "files" check to allow CODEOWNERS to specify non-existent
+        # files so we can use the same CODEOWNERS file for Terraform and non-Terraform repos
+        #   checks: "files,syntax,owners,duppatterns"
+        checks: "syntax,owners,duppatterns"
+        # GitHub access token is required only if the `owners` check is enabled
+        github_access_token: "${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}"