From ba35bc0c3a7fd2860dc6657475ca9028c171caf0 Mon Sep 17 00:00:00 2001 From: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com> Date: Thu, 2 Dec 2021 00:00:32 +0000 Subject: [PATCH 1/4] Auto Format --- README.md | 2 +- docs/terraform.md | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 37d36677..75f12241 100644 --- a/README.md +++ b/README.md @@ -447,7 +447,7 @@ Available targets: | [encryption\_enabled](#input\_encryption\_enabled) | When set to 'true' the resource will have aes256 encryption enabled by default | `bool` | `true` | no | | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | | [error\_document](#input\_error\_document) | An absolute path to the document to return in case of a 4XX error | `string` | `""` | no | -| [external\_aliases](#input\_external\_aliases) | List of FQDN's - Used to set the Alternate Domain Names (CNAMEs) setting on Cloudfront. No new route53 records will be created for these" | `list(string)` | `[]` | no | +| [external\_aliases](#input\_external\_aliases) | List of FQDN's - Used to set the Alternate Domain Names (CNAMEs) setting on Cloudfront. No new route53 records will be created for these | `list(string)` | `[]` | no | | [extra\_logs\_attributes](#input\_extra\_logs\_attributes) | Additional attributes to add to the end of the generated Cloudfront Access Log S3 Bucket name.
Only effective if `cloudfront_access_log_create_bucket` is `true`. | `list(string)` |
[
"logs"
]
| no | | [extra\_origin\_attributes](#input\_extra\_origin\_attributes) | Additional attributes to put onto the origin label | `list(string)` |
[
"origin"
]
| no | | [forward\_cookies](#input\_forward\_cookies) | Specifies whether you want CloudFront to forward all or no cookies to the origin. Can be 'all' or 'none' | `string` | `"none"` | no | diff --git a/docs/terraform.md b/docs/terraform.md index 18ebc09e..5f9ec00c 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -86,6 +86,7 @@ | [encryption\_enabled](#input\_encryption\_enabled) | When set to 'true' the resource will have aes256 encryption enabled by default | `bool` | `true` | no | | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | | [error\_document](#input\_error\_document) | An absolute path to the document to return in case of a 4XX error | `string` | `""` | no | +| [external\_aliases](#input\_external\_aliases) | List of FQDN's - Used to set the Alternate Domain Names (CNAMEs) setting on Cloudfront. No new route53 records will be created for these | `list(string)` | `[]` | no | | [extra\_logs\_attributes](#input\_extra\_logs\_attributes) | Additional attributes to add to the end of the generated Cloudfront Access Log S3 Bucket name.
Only effective if `cloudfront_access_log_create_bucket` is `true`. | `list(string)` |
[
"logs"
]
| no | | [extra\_origin\_attributes](#input\_extra\_origin\_attributes) | Additional attributes to put onto the origin label | `list(string)` |
[
"origin"
]
| no | | [forward\_cookies](#input\_forward\_cookies) | Specifies whether you want CloudFront to forward all or no cookies to the origin. Can be 'all' or 'none' | `string` | `"none"` | no | From cd22dc6e8c28712efe70e1da3276b4b90ee4f2b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bart=C5=82omiej=20Szostek?= Date: Thu, 2 Dec 2021 18:05:26 +0000 Subject: [PATCH 2/4] feat: add origin_request_policy_id variable for default cache behavior (#193) * feat: add origin_request_policy_id variable for default cache behavior * Auto Format Co-authored-by: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com> --- README.md | 1 + docs/terraform.md | 1 + main.tf | 6 ++++-- variables.tf | 9 +++++++++ 4 files changed, 15 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 6bb64f65..051e8c32 100644 --- a/README.md +++ b/README.md @@ -480,6 +480,7 @@ Available targets: | [origin\_force\_destroy](#input\_origin\_force\_destroy) | Delete all objects from the bucket so that the bucket can be destroyed without error (e.g. `true` or `false`) | `bool` | `false` | no | | [origin\_groups](#input\_origin\_groups) | List of [Origin Groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#origin-group-arguments) to create in the distribution.
The values of `primary_origin_id` and `failover_origin_id` must correspond to origin IDs existing in `var.s3_origins` or `var.custom_origins`.

If `primary_origin_id` is set to `null` or `""`, then the origin id of the origin created by this module will be used in its place.
This is to allow for the use case of making the origin created by this module the primary origin in an origin group. |
list(object({
primary_origin_id = string
failover_origin_id = string
failover_criteria = list(string)
}))
| `[]` | no | | [origin\_path](#input\_origin\_path) | An optional element that causes CloudFront to request your content from a directory in your Amazon S3 bucket or your custom origin. It must begin with a /. Do not add a / at the end of the path. | `string` | `""` | no | +| [origin\_request\_policy\_id](#input\_origin\_request\_policy\_id) | The unique identifier of the origin request policy that is attached to the behavior.
Should be used in conjunction with `cache_policy_id`. | `string` | `null` | no | | [origin\_ssl\_protocols](#input\_origin\_ssl\_protocols) | The SSL/TLS protocols that you want CloudFront to use when communicating with your origin over HTTPS. | `list(string)` |
[
"TLSv1",
"TLSv1.1",
"TLSv1.2"
]
| no | | [override\_origin\_bucket\_policy](#input\_override\_origin\_bucket\_policy) | When using an existing origin bucket (through var.origin\_bucket), setting this to 'false' will make it so the existing bucket policy will not be overriden | `bool` | `true` | no | | [parent\_zone\_id](#input\_parent\_zone\_id) | ID of the hosted zone to contain this record (or specify `parent_zone_name`). Requires `dns_alias_enabled` set to true | `string` | `""` | no | diff --git a/docs/terraform.md b/docs/terraform.md index 18ebc09e..c76f7c1f 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -119,6 +119,7 @@ | [origin\_force\_destroy](#input\_origin\_force\_destroy) | Delete all objects from the bucket so that the bucket can be destroyed without error (e.g. `true` or `false`) | `bool` | `false` | no | | [origin\_groups](#input\_origin\_groups) | List of [Origin Groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#origin-group-arguments) to create in the distribution.
The values of `primary_origin_id` and `failover_origin_id` must correspond to origin IDs existing in `var.s3_origins` or `var.custom_origins`.

If `primary_origin_id` is set to `null` or `""`, then the origin id of the origin created by this module will be used in its place.
This is to allow for the use case of making the origin created by this module the primary origin in an origin group. |
list(object({
primary_origin_id = string
failover_origin_id = string
failover_criteria = list(string)
}))
| `[]` | no | | [origin\_path](#input\_origin\_path) | An optional element that causes CloudFront to request your content from a directory in your Amazon S3 bucket or your custom origin. It must begin with a /. Do not add a / at the end of the path. | `string` | `""` | no | +| [origin\_request\_policy\_id](#input\_origin\_request\_policy\_id) | The unique identifier of the origin request policy that is attached to the behavior.
Should be used in conjunction with `cache_policy_id`. | `string` | `null` | no | | [origin\_ssl\_protocols](#input\_origin\_ssl\_protocols) | The SSL/TLS protocols that you want CloudFront to use when communicating with your origin over HTTPS. | `list(string)` |
[
"TLSv1",
"TLSv1.1",
"TLSv1.2"
]
| no |
 | [override\_origin\_bucket\_policy](#input\_override\_origin\_bucket\_policy) | When using an existing origin bucket (through var.origin\_bucket), setting this to 'false' will make it so the existing bucket policy will not be overriden | `bool` | `true` | no |
 | [parent\_zone\_id](#input\_parent\_zone\_id) | ID of the hosted zone to contain this record (or specify `parent_zone_name`). Requires `dns_alias_enabled` set to true | `string` | `""` | no |
diff --git a/main.tf b/main.tf
index 702790ff..73c70ddc 100644
--- a/main.tf
+++ b/main.tf
@@ -440,6 +440,7 @@ resource "aws_cloudfront_distribution" "default" {
 allowed_methods = var.allowed_methods
 cached_methods = var.cached_methods
 cache_policy_id = var.cache_policy_id
+ origin_request_policy_id = var.origin_request_policy_id
 target_origin_id = local.origin_id
 compress = var.compress
 trusted_signers = var.trusted_signers
@@ -447,8 +448,9 @@ resource "aws_cloudfront_distribution" "default" {
 response_headers_policy_id = var.response_headers_policy_id
 dynamic "forwarded_values" {
- # If a cache policy is specified, we cannot include a `forwarded_values` block at all in the API request
- for_each = var.cache_policy_id == null ? [true] : []
+ # If a cache policy or origin request policy is specified,
+ # we cannot include a `forwarded_values` block at all in the API request.
+ for_each = (var.cache_policy_id == null && var.origin_request_policy_id == null) ? [true] : []
 content {
 query_string = var.forward_query_string
 query_string_cache_keys = var.query_string_cache_keys
diff --git a/variables.tf b/variables.tf
index 48608246..4f75899b 100644
--- a/variables.tf
+++ b/variables.tf
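Review bot: The new `for_each` condition drops the legacy `forwarded_values` block as soon as `origin_request_policy_id` is set, but nothing checks that `cache_policy_id` is set alongside it, and my understanding is that CloudFront only accepts an origin request policy together with a cache policy, so a caller who sets only the new variable gets an apply-time API error instead of a plan-time one. Consider a `lifecycle { precondition { ... } }` on the distribution (Terraform >= 1.2) with `condition = var.origin_request_policy_id == null || var.cache_policy_id != null` and an error message naming both variables, or at minimum extend the new comment with `# Setting origin_request_policy_id without cache_policy_id is rejected by CloudFront; see the variable description.` The `aws_cloudfront_distribution` resource and its `default_cache_behavior` block begin before this hunk and continue after it.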
@@ -208,6 +208,15 @@ variable "cache_policy_id" {
 EOT
 }
+variable "origin_request_policy_id" {
+ type = string
+ default = null
+ description = <<-EOT
+ The unique identifier of the origin request policy that is attached to the behavior.
+ Should be used in conjunction with `cache_policy_id`.
+ EOT
+}
+
 variable "default_ttl" {
 type = number
 default = 60
From 5d66fcc57079c598bcae88953db129bba8ab0fe1 Mon Sep 17 00:00:00 2001
From: Yonatan Koren
Date: Mon, 13 Dec 2021 16:53:44 +0200
Subject: [PATCH 3/4] Chore: Update `auto-release` (`release-drafter`) GHA workflow to latest distribution; fix Terratest (#202)

Co-authored-by: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>

- Update auto-release (release-drafter) GHA workflow to latest distribution from build-harness.
- Fix Terratest by ensuring IAM roles created by examples/complete are unique for each run (also increase test timeout).
---
 .github/auto-release.yml | 3 ++-
 .github/workflows/auto-release.yml | 25 ++++++++++++++++---------
 examples/complete/deployment.tf | 27 +++++++++++++++++++--------
 test/src/Makefile | 2 +-
 4 files changed, 38 insertions(+), 19 deletions(-)

diff --git a/.github/auto-release.yml b/.github/auto-release.yml
index c78a4d83..b45efb7a 100644
--- a/.github/auto-release.yml
+++ b/.github/auto-release.yml
@@ -17,6 +17,7 @@ version-resolver:
 - 'bugfix'
 - 'bug'
 - 'hotfix'
+ - 'no-release'
 default: 'minor'
 categories:
@@ -46,7 +47,7 @@ template: |
 replacers:
 # Remove irrelevant information from Renovate bot
-- search: '/---\s+^#.*Renovate configuration(?:.|\n)*?This PR has been generated .*/gm'
+- search: '/(?<=---\s)\s*^#.*(Renovate configuration|Configuration)(?:.|\n)*?This PR has been generated .*/gm'
 replace: ''
 # Remove Renovate bot banner image
 - search: '/\[!\[[^\]]*Renovate\][^\]]*\](\([^)]*\))?\s*\n+/gm'
diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
index 3f48017d..3a38fae0 100644
--- a/.github/workflows/auto-release.yml
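Review bot: The description of the new `origin_request_policy_id` variable says it "should" be used with `cache_policy_id` but does not tell the caller what setting it actually does: per the `main.tf` change in this same patch, the module then omits the legacy `forwarded_values` block, so inputs such as `forward_query_string` and `query_string_cache_keys` (and, judging by the README table, `forward_cookies`) are silently ignored for the default cache behavior. I would make the heredoc explicit, along the lines of `Requires cache_policy_id to be set as well. When set, the legacy forwarded_values inputs (forward_query_string, forward_cookies, ...) are ignored for the default cache behavior.`, unless the `cache_policy_id` description that ends just above this hunk already spells that out.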
+++ b/.github/workflows/auto-release.yml
@@ -3,17 +3,24 @@ name: auto-release
 on:
 push:
 branches:
- - master
+ - main
+ - master
+ - production
 jobs:
 publish:
 runs-on: ubuntu-latest
 steps:
- # Drafts your next Release notes as Pull Requests are merged into "master"
- - uses: release-drafter/release-drafter@v5
- with:
- publish: true
- prerelease: false
- config-name: auto-release.yml
- env:
- GITHUB_TOKEN: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
+ # Get PR from merged commit to master
+ - uses: actions-ecosystem/action-get-merged-pull-request@v1
+ id: get-merged-pull-request
+ with:
+ github_token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
+ # Drafts your next Release notes as Pull Requests are merged into "main"
+ - uses: release-drafter/release-drafter@v5
+ with:
+ publish: ${{ !contains(steps.get-merged-pull-request.outputs.labels, 'no-release') }}
+ prerelease: false
+ config-name: auto-release.yml
+ env:
+ GITHUB_TOKEN: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
diff --git a/examples/complete/deployment.tf b/examples/complete/deployment.tf
index 3ecd6844..95c5dfda 100644
--- a/examples/complete/deployment.tf
+++ b/examples/complete/deployment.tf
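Review bot: The newly added third-party action `actions-ecosystem/action-get-merged-pull-request@v1` is pinned to a mutable major tag yet is handed `secrets.PUBLIC_REPO_ACCESS_TOKEN`, a PAT whose name suggests it reaches beyond this repository, so whoever can move that tag can read the token on the next push to `main`, `master` or `production`; pin it to a full commit SHA (`uses: actions-ecosystem/action-get-merged-pull-request@<40-char sha> # v1`) and do the same for `release-drafter/release-drafter@v5`. Also note that `publish: ${{ !contains(steps.get-merged-pull-request.outputs.labels, 'no-release') }}` is true whenever the lookup step finds no merged PR, e.g. on a direct push to one of those branches, so direct pushes publish unconditionally; if that is not intended, additionally gate on the step having found a PR (the action's output name for that should be confirmed against its README). Finally, consider whether the release step needs the PAT at all or whether the default `GITHUB_TOKEN` with an explicit `permissions: contents: write` would do.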
@@ -8,18 +8,19 @@ locals {
 our_account_id = local.enabled ? data.aws_caller_identity.current[0].account_id : ""
 our_role_arn_prefix = "arn:aws:iam::${local.our_account_id}:role"
- deployment_principal_arns = { for k, v in local.test_deployment_role_prefix_map : format("%v/%v", local.our_role_arn_prefix, k) => v }
+ role_names = { for k, v in local.test_deployment_role_prefix_map : k => module.role_labels[k].id }
+ deployment_principal_arns = { for k, v in local.role_names : format("%v/%v", local.our_role_arn_prefix, v) => local.test_deployment_role_prefix_map[k] }
 }
 data "aws_caller_identity" "current" {
 count = local.enabled ? 1 : 0
 }
-
-module "statement_ids" {
+# The following instantiations of null-label require Terraform >= 0.13.0
+module "sid_labels" {
 for_each = local.test_deployment_role_prefix_map
 source = "cloudposse/label/null"
- version = "0.24.1" # requires Terraform >= 0.13.0
+ version = "0.25.0"
 attributes = split("-", each.key)
 delimiter = ""
@@ -29,11 +30,21 @@ module "statement_ids" {
 context = module.this.context
 }
-data "aws_iam_policy_document" "assume_role" {
+module "role_labels" {
 for_each = local.test_deployment_role_prefix_map
+ source = "cloudposse/label/null"
+ version = "0.25.0"
+
+ attributes = concat(split("-", each.key), module.this.attributes)
+
+ context = module.this.context
+}
+
+data "aws_iam_policy_document" "assume_role" {
+ for_each = module.sid_labels
 statement {
- sid = "Enable${module.statement_ids[each.key].id}"
+ sid = "Enable${each.value.id}"
 actions = [
 "sts:AssumeRole",
 "sts:TagSession"
@@ -49,9 +60,9 @@ data "aws_iam_policy_document" "assume_role" {
 resource "aws_iam_role" "test_role" {
- for_each = local.test_deployment_role_prefix_map
+ for_each = module.role_labels
- name = each.key
+ name = module.role_labels[each.key].id
 assume_role_policy = data.aws_iam_policy_document.assume_role[each.key].json
 }
diff --git a/test/src/Makefile b/test/src/Makefile
index b1710da2..53e41087 100644
--- a/test/src/Makefile
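Review bot: `name = module.role_labels[each.key].id` now derives the IAM role name from `split("-", each.key)` plus `module.this.attributes`, and IAM role names are limited to 64 characters, so the per-run uniqueness attribute this commit relies on can push a longer prefix over the limit and fail the example at apply time rather than at plan time. Setting `id_length_limit = 64` on `module "role_labels"` would have null-label truncate and hash the id while keeping it unique per run; `module "sid_labels"` does not need it because its output is only used for the statement `sid`. The `locals` block at the top of the first hunk and the `assume_role` policy document's `principals` block both continue outside this hunk.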
+++ b/test/src/Makefile
@@ -16,7 +16,7 @@ init:
 ## Run tests
 test: init
 go mod download
- go test -v -timeout 20m -parallel 2 -run TestExamplesComplete
+ go test -v -timeout 30m -parallel 2 -run TestExamplesComplete
 ## Run tests in docker container
 docker/test:
From 1df0af98d803a91ee38d15925e45021a96307a88 Mon Sep 17 00:00:00 2001
From: Yonatan Koren
Date: Mon, 13 Dec 2021 17:55:40 +0200
Subject: [PATCH 4/4] Chore: Bump Dependency Module Versions (#201)

Co-authored-by: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>
Co-authored-by: Nuru

- Bump `route53-alias` module version to latest.
- Bump `s3-log-storage` module to latest.
---
 .github/CODEOWNERS | 4 ++--
 .github/mergify.yml | 7 +++++++
 .github/workflows/auto-format.yml | 4 +++-
 .github/workflows/validate-codeowners.yml | 2 ++
 README.md | 4 ++--
 docs/terraform.md | 4 ++--
 main.tf | 4 ++--
 7 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 2537f2f8..6f64b5a3 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -15,8 +15,8 @@ # Cloud Posse must review any changes to standard context definition,
 # but some changes can be rubber-stamped.
-**/*.tf @cloudposse/engineering @cloudposse/approvers
-README.yaml @cloudposse/engineering @cloudposse/approvers
+**/*.tf @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
+README.yaml @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
 README.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
 docs/*.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
diff --git a/.github/mergify.yml b/.github/mergify.yml
index b0106567..ef15545e 100644
--- a/.github/mergify.yml
+++ b/.github/mergify.yml
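Review bot: The comment immediately above the changed lines, `# Cloud Posse must review any changes to standard context definition`, no longer describes the rule that follows it: `**/*.tf` can now be approved by `@cloudposse/contributors`, and if branch protection requires only one code-owner approval (which I cannot see from here), that team alone can satisfy the required review on every Terraform file in the module, including the context definition. If engineering/approvers review is still meant to be mandatory for context changes, keep `@cloudposse/contributors` off the `**/*.tf` line, or add a later, more specific entry such as `context.tf @cloudposse/engineering @cloudposse/approvers` that wins by CODEOWNERS precedence; otherwise update the comment so the policy and the rule agree.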
@@ -56,3 +56,10 @@ pull_request_rules:
 changes_requested: true
 approved: true
 message: "This Pull Request has been updated, so we're dismissing all reviews."
+
+- name: "close Pull Requests without files changed"
+ conditions:
+ - "#files=0"
+ actions:
+ close:
+ message: "This pull request has been automatically closed by Mergify because there are no longer any changes."
diff --git a/.github/workflows/auto-format.yml b/.github/workflows/auto-format.yml
index 990abed6..375d0fd4 100644
--- a/.github/workflows/auto-format.yml
+++ b/.github/workflows/auto-format.yml
@@ -6,7 +6,7 @@ on:
 jobs:
 auto-format:
 runs-on: ubuntu-latest
- container: cloudposse/build-harness:slim-latest
+ container: cloudposse/build-harness:latest
 steps:
 # Checkout the pull request branch
 # "An action in a workflow run can’t trigger a new workflow run. For example, if an action pushes code using
@@ -29,6 +29,8 @@ jobs:
 - name: Auto Format
 if: github.event.pull_request.state == 'open'
 shell: bash
+ env:
+ GITHUB_TOKEN: "${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}"
 run: make BUILD_HARNESS_PATH=/build-harness PACKAGES_PREFER_HOST=true -f /build-harness/templates/Makefile.build-harness pr/auto-format/host
 # Commit changes (if any) to the PR branch
diff --git a/.github/workflows/validate-codeowners.yml b/.github/workflows/validate-codeowners.yml
index 386eb286..c5193b62 100644
--- a/.github/workflows/validate-codeowners.yml
+++ b/.github/workflows/validate-codeowners.yml
@@ -1,5 +1,7 @@
 name: Validate Codeowners
 on:
+ workflow_dispatch:
+
 pull_request:
 jobs:
diff --git a/README.md b/README.md
index 051e8c32..f6ff8e17 100644
--- a/README.md
+++ b/README.md
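Review bot: The `Auto Format` step now carries `secrets.PUBLIC_REPO_ACCESS_TOKEN` in its environment while running `make ... pr/auto-format/host` against a checkout of the pull-request branch (per the `# Checkout the pull request branch` comment in the previous hunk); if this workflow's trigger, which sits above the `@@ -6,7 +6,7 @@ on:` hunk and outside this view, is `pull_request_target` (the push-back to the PR branch suggests it is), then a fork PR may be able to make the formatting targets consume attacker-controlled files from that checkout (README.yaml templates, Makefile includes, hooks) and exfiltrate the PAT. Restrict the step to same-repository branches, `if: github.event.pull_request.state == 'open' && github.event.pull_request.head.repo.full_name == github.repository`, or drop the PAT in favor of the default `GITHUB_TOKEN` with an explicit minimal `permissions:` block. Separately, moving from `cloudposse/build-harness:slim-latest` to `cloudposse/build-harness:latest` keeps a mutable image tag for a container that runs with this token; a digest pin (`cloudposse/build-harness@sha256:...`) would make the formatter's toolchain reproducible.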
@@ -379,8 +379,8 @@ Available targets:
 | Name | Source | Version |
 |------|--------|---------|
-| [dns](#module\_dns) | cloudposse/route53-alias/aws | 0.12.0 |
-| [logs](#module\_logs) | cloudposse/s3-log-storage/aws | 0.24.1 |
+| [dns](#module\_dns) | cloudposse/route53-alias/aws | 0.12.1 |
+| [logs](#module\_logs) | cloudposse/s3-log-storage/aws | 0.26.0 |
 | [origin\_label](#module\_origin\_label) | cloudposse/label/null | 0.25.0 |
 | [this](#module\_this) | cloudposse/label/null | 0.25.0 |
diff --git a/docs/terraform.md b/docs/terraform.md
index c76f7c1f..cbd536af 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -18,8 +18,8 @@
 | Name | Source | Version |
 |------|--------|---------|
-| [dns](#module\_dns) | cloudposse/route53-alias/aws | 0.12.0 |
-| [logs](#module\_logs) | cloudposse/s3-log-storage/aws | 0.24.1 |
+| [dns](#module\_dns) | cloudposse/route53-alias/aws | 0.12.1 |
+| [logs](#module\_logs) | cloudposse/s3-log-storage/aws | 0.26.0 |
 | [origin\_label](#module\_origin\_label) | cloudposse/label/null | 0.25.0 |
 | [this](#module\_this) | cloudposse/label/null | 0.25.0 |
diff --git a/main.tf b/main.tf
index 73c70ddc..cae2c31c 100644
--- a/main.tf
+++ b/main.tf
@@ -295,7 +295,7 @@ resource "aws_s3_bucket_public_access_block" "origin" {
 module "logs" {
 source = "cloudposse/s3-log-storage/aws"
- version = "0.24.1"
+ version = "0.26.0"
 enabled = local.create_cf_log_bucket
 attributes = var.extra_logs_attributes
 lifecycle_prefix = local.cloudfront_access_log_prefix
@@ -566,7 +566,7 @@ resource "aws_cloudfront_distribution" "default" {
 module "dns" {
 source = "cloudposse/route53-alias/aws"
- version = "0.12.0"
+ version = "0.12.1"
 enabled = (local.enabled && var.dns_alias_enabled)
 aliases = var.aliases
 parent_zone_id = var.parent_zone_id