Convert to TF 0.12. Add tests. Add Codefresh test pipeline (#13)

* Convert to TF 0.12. Add tests. Add Codefresh test pipeline * Update outputs
cloudposse · Jun 26, 2019 · 2cd311c · 2cd311c
1 parent 0d0a773
commit 2cd311c
Show file tree

Hide file tree

Showing 24 changed files with 560 additions and 189 deletions.
diff --git a/.gitignore b/.gitignore
@@ -5,13 +5,10 @@
 *.tfstate
 *.tfstate.*
 
-# .tfvars files
-*.tfvars
-
 # IDE files
 .idea
 *.iml
 
 # Build harness files
 .build-harness
-build-harness
+build-harness
diff --git a/.travis.yml b/.travis.yml
diff --git a/README.md b/README.md
@@ -3,7 +3,7 @@
 
 [![Cloud Posse][logo]](https://cpco.io/homepage)
 
-# terraform-aws-s3-bucket [![Build Status](https://travis-ci.org/cloudposse/terraform-aws-s3-bucket.svg?branch=master)](https://travis-ci.org/cloudposse/terraform-aws-s3-bucket) [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-aws-s3-bucket.svg)](https://github.com/cloudposse/terraform-aws-s3-bucket/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com)
+# terraform-aws-s3-bucket [![Codefresh Build Status](https://g.codefresh.io/api/badges/pipeline/cloudposse/terraform-modules%2Fterraform-aws-s3-bucket?type=cf-1)](https://g.codefresh.io/public/accounts/cloudposse/pipelines/5d13993639efa9451b1a2aa4) [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-aws-s3-bucket.svg)](https://github.com/cloudposse/terraform-aws-s3-bucket/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com)
 
 
 This module creates an S3 bucket with support of versioning, encryption, ACL and bucket object policy.
@@ -47,16 +47,21 @@ We literally have [*hundreds of terraform modules*][terraform_modules] that are
 
 ## Usage
 
+
+**IMPORTANT:** The `master` branch is used in `source` just as an example. In your code, do not pin to `master` because there may be breaking changes between releases.
+Instead pin to the release tag (e.g. `?ref=tags/x.y.z`) of one of our [latest releases](https://github.com/cloudposse/terraform-aws-s3-bucket/releases).
+
+
 ```hcl
 module "s3_bucket" {
   source                   = "git::https://github.com/cloudposse/terraform-aws-s3-bucket.git?ref=master"
-  enabled                  = "${var.enabled}"
-  user_enabled             = "${var.user_enabled}"
-  versioning_enabled       = "${var.versioning_enabled}"
-  allowed_bucket_actions   = "${var.allowed_bucket_actions}"
-  name                     = "${var.name}"
-  stage                    = "${var.stage}"
-  namespace                = "${var.namespace}"
+  enabled                  = true
+  user_enabled             = true
+  versioning_enabled       = false
+  allowed_bucket_actions   = ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"]
+  name                     = "app"
+  stage                    = "test"
+  namespace                = "eg"
 }
 ```
 
@@ -80,22 +85,22 @@ Available targets:
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | acl | The canned ACL to apply. We recommend `private` to avoid exposing sensitive information | string | `private` | no |
-| allow_encrypted_uploads_only | Set to `true` to prevent uploads of unencrypted objects to S3 bucket | string | `false` | no |
-| allowed_bucket_actions | List of actions the user is permitted to perform on the S3 bucket | list | `<list>` | no |
-| attributes | Additional attributes (e.g. `1`) | list | `<list>` | no |
+| allow_encrypted_uploads_only | Set to `true` to prevent uploads of unencrypted objects to S3 bucket | bool | `false` | no |
+| allowed_bucket_actions | List of actions the user is permitted to perform on the S3 bucket | list(string) | `<list>` | no |
+| attributes | Additional attributes (e.g. `1`) | list(string) | `<list>` | no |
 | delimiter | Delimiter to be used between `namespace`, `stage`, `name` and `attributes` | string | `-` | no |
-| enabled | Set to `false` to prevent the module from creating any resources | string | `true` | no |
-| force_destroy | A boolean string that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | string | `false` | no |
+| enabled | Set to `false` to prevent the module from creating any resources | bool | `true` | no |
+| force_destroy | A boolean string that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable | bool | `false` | no |
 | kms_master_key_id | The AWS KMS master key ID used for the `SSE-KMS` encryption. This can only be used when you set the value of `sse_algorithm` as `aws:kms`. The default aws/s3 AWS KMS master key is used if this element is absent while the `sse_algorithm` is `aws:kms` | string | `` | no |
-| name | Name  (e.g. `app` or `db`) | string | - | yes |
-| namespace | Namespace (e.g. `eg` or `cp`) | string | - | yes |
-| policy | A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. | string | `` | no |
-| region | If specified, the AWS region this bucket should reside in. Otherwise, the region used by the callee. | string | `` | no |
+| name | Name  (e.g. `app` or `cluster`) | string | - | yes |
+| namespace | Namespace (e.g. `eg` or `cp`) | string | `` | no |
+| policy | A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy | string | `` | no |
+| region | If specified, the AWS region this bucket should reside in. Otherwise, the region used by the callee | string | `` | no |
 | sse_algorithm | The server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms` | string | `AES256` | no |
-| stage | Stage (e.g. `prod`, `dev`, `staging`) | string | - | yes |
-| tags | Additional tags (e.g. `{ BusinessUnit = "XYZ" }` | map | `<map>` | no |
-| user_enabled | Set to `true` to create an S3 user with permission to access the bucket | string | `false` | no |
-| versioning_enabled | A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket. | string | `false` | no |
+| stage | Stage (e.g. `prod`, `dev`, `staging`) | string | `` | no |
+| tags | Additional tags (e.g. `{ BusinessUnit = "XYZ" }` | map(string) | `<map>` | no |
+| user_enabled | Set to `true` to create an IAM user with permission to access the bucket | bool | `false` | no |
+| versioning_enabled | A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket | bool | `false` | no |
 
 ## Outputs
 

diff --git a/README.yaml b/README.yaml
@@ -33,9 +33,9 @@ github_repo: cloudposse/terraform-aws-s3-bucket
 
 # Badges to display
 badges:
-  - name: "Build Status"
-    image: "https://travis-ci.org/cloudposse/terraform-aws-s3-bucket.svg?branch=master"
-    url: "https://travis-ci.org/cloudposse/terraform-aws-s3-bucket"
+  - name: "Codefresh Build Status"
+    image: "https://g.codefresh.io/api/badges/pipeline/cloudposse/terraform-modules%2Fterraform-aws-s3-bucket?type=cf-1"
+    url: "https://g.codefresh.io/public/accounts/cloudposse/pipelines/5d13993639efa9451b1a2aa4"
   - name: "Latest Release"
     image: "https://img.shields.io/github/release/cloudposse/terraform-aws-s3-bucket.svg"
     url: "https://github.com/cloudposse/terraform-aws-s3-bucket/releases/latest"
@@ -68,23 +68,23 @@ related:
 description: |-
   This module creates an S3 bucket with support of versioning, encryption, ACL and bucket object policy.
   If `user_enabled` variable is set to `true`, the module will provision a basic IAM user with permissions to access the bucket.
-  
+
   This basic IAM system user is suitable for CI/CD systems (_e.g._ TravisCI, CircleCI) or systems which are *external* to AWS that cannot leverage [AWS IAM Instance Profiles](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html).
-  
+
   We do not recommend creating IAM users this way for any other purpose.
 
 # How to use this project
 usage: |-
   ```hcl
   module "s3_bucket" {
     source                   = "git::https://github.com/cloudposse/terraform-aws-s3-bucket.git?ref=master"
-    enabled                  = "${var.enabled}"
-    user_enabled             = "${var.user_enabled}"
-    versioning_enabled       = "${var.versioning_enabled}"
-    allowed_bucket_actions   = "${var.allowed_bucket_actions}"
-    name                     = "${var.name}"
-    stage                    = "${var.stage}"
-    namespace                = "${var.namespace}"
+    enabled                  = true
+    user_enabled             = true
+    versioning_enabled       = false
+    allowed_bucket_actions   = ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"]
+    name                     = "app"
+    stage                    = "test"
+    namespace                = "eg"
   }
   ```
 

diff --git a/codefresh/test.yml b/codefresh/test.yml
@@ -0,0 +1,74 @@
+version: '1.0'
+
+stages:
+  - Prepare
+  - Test
+
+steps:
+  wait:
+    title: Wait
+    stage: Prepare
+    image: codefresh/cli:latest
+    commands:
+      - codefresh get builds --pipeline=${{CF_REPO_NAME}} --status running --limit 1000 -o json | jq --arg id ${{CF_BUILD_ID}} -ser 'flatten|.[-1].id==$id'
+    retry:
+      maxAttempts: 10
+      delay: 20
+      exponentialFactor: 1.1
+
+  main_clone:
+    title: "Clone repository"
+    type: git-clone
+    stage: Prepare
+    description: "Initialize"
+    repo: ${{CF_REPO_OWNER}}/${{CF_REPO_NAME}}
+    git: CF-default
+    revision: ${{CF_REVISION}}
+
+  clean_init:
+    title: Prepare build-harness and test-harness
+    image: ${{TEST_IMAGE}}
+    stage: Prepare
+    commands:
+      - cf_export PATH="/usr/local/terraform/0.12/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+      - make init
+      - git -C build-harness checkout master
+      - make -C test/ clean init TEST_HARNESS_BRANCH=master
+      - make -C test/src clean init
+      - find . -type d -name '.terraform' | xargs rm -rf
+      - find . -type f -name 'terraform.tfstate*' -exec rm -f {} \;
+
+  test:
+    type: "parallel"
+    title: "Run tests"
+    description: "Run all tests in parallel"
+    stage: Test
+    steps:
+      test_readme_lint:
+        title: "Test README.md updated"
+        stage: "Test"
+        image: ${{TEST_IMAGE}}
+        description: Test "readme/lint"
+        commands:
+          - make readme/lint
+
+      test_module:
+        title: Test module with bats
+        image: ${{TEST_IMAGE}}
+        stage: Test
+        commands:
+          - make -C test/ module
+
+      test_examples_complete:
+        title: Test "examples/complete" with bats
+        image: ${{TEST_IMAGE}}
+        stage: Test
+        commands:
+          - make -C test/ examples/complete
+
+      test_examples_complete_terratest:
+        title: Test "examples/complete" with terratest
+        image: ${{TEST_IMAGE}}
+        stage: Test
+        commands:
+          - make -C test/src
diff --git a/docs/terraform.md b/docs/terraform.md
@@ -3,22 +3,22 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | acl | The canned ACL to apply. We recommend `private` to avoid exposing sensitive information | string | `private` | no |
-| allow_encrypted_uploads_only | Set to `true` to prevent uploads of unencrypted objects to S3 bucket | string | `false` | no |
-| allowed_bucket_actions | List of actions the user is permitted to perform on the S3 bucket | list | `<list>` | no |
-| attributes | Additional attributes (e.g. `1`) | list | `<list>` | no |
+| allow_encrypted_uploads_only | Set to `true` to prevent uploads of unencrypted objects to S3 bucket | bool | `false` | no |
+| allowed_bucket_actions | List of actions the user is permitted to perform on the S3 bucket | list(string) | `<list>` | no |
+| attributes | Additional attributes (e.g. `1`) | list(string) | `<list>` | no |
 | delimiter | Delimiter to be used between `namespace`, `stage`, `name` and `attributes` | string | `-` | no |
-| enabled | Set to `false` to prevent the module from creating any resources | string | `true` | no |
-| force_destroy | A boolean string that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | string | `false` | no |
+| enabled | Set to `false` to prevent the module from creating any resources | bool | `true` | no |
+| force_destroy | A boolean string that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable | bool | `false` | no |
 | kms_master_key_id | The AWS KMS master key ID used for the `SSE-KMS` encryption. This can only be used when you set the value of `sse_algorithm` as `aws:kms`. The default aws/s3 AWS KMS master key is used if this element is absent while the `sse_algorithm` is `aws:kms` | string | `` | no |
-| name | Name  (e.g. `app` or `db`) | string | - | yes |
-| namespace | Namespace (e.g. `eg` or `cp`) | string | - | yes |
-| policy | A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. | string | `` | no |
-| region | If specified, the AWS region this bucket should reside in. Otherwise, the region used by the callee. | string | `` | no |
+| name | Name  (e.g. `app` or `cluster`) | string | - | yes |
+| namespace | Namespace (e.g. `eg` or `cp`) | string | `` | no |
+| policy | A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy | string | `` | no |
+| region | If specified, the AWS region this bucket should reside in. Otherwise, the region used by the callee | string | `` | no |
 | sse_algorithm | The server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms` | string | `AES256` | no |
-| stage | Stage (e.g. `prod`, `dev`, `staging`) | string | - | yes |
-| tags | Additional tags (e.g. `{ BusinessUnit = "XYZ" }` | map | `<map>` | no |
-| user_enabled | Set to `true` to create an S3 user with permission to access the bucket | string | `false` | no |
-| versioning_enabled | A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket. | string | `false` | no |
+| stage | Stage (e.g. `prod`, `dev`, `staging`) | string | `` | no |
+| tags | Additional tags (e.g. `{ BusinessUnit = "XYZ" }` | map(string) | `<map>` | no |
+| user_enabled | Set to `true` to create an IAM user with permission to access the bucket | bool | `false` | no |
+| versioning_enabled | A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket | bool | `false` | no |
 
 ## Outputs
 

diff --git a/examples/basic/main.tf b/examples/basic/main.tf
diff --git a/examples/basic/outputs.tf b/examples/basic/outputs.tf
diff --git a/examples/complete/fixtures.us-west-1.tfvars b/examples/complete/fixtures.us-west-1.tfvars
@@ -0,0 +1,17 @@
+region = "us-west-1"
+
+namespace = "eg"
+
+stage = "test"
+
+name = "s3-test"
+
+acl = "private"
+
+force_destroy = true
+
+versioning_enabled = false
+
+allow_encrypted_uploads_only = true
+
+allowed_bucket_actions = ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:DeleteObject", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:GetBucketLocation", "s3:AbortMultipartUpload"]
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -0,0 +1,19 @@
+provider "aws" {
+  region = var.region
+}
+
+module "s3_bucket" {
+  source = "../../"
+
+  enabled                      = true
+  user_enabled                 = true
+  region                       = var.region
+  namespace                    = var.namespace
+  stage                        = var.stage
+  name                         = var.name
+  acl                          = var.acl
+  force_destroy                = var.force_destroy
+  versioning_enabled           = var.versioning_enabled
+  allow_encrypted_uploads_only = var.allow_encrypted_uploads_only
+  allowed_bucket_actions       = var.allowed_bucket_actions
+}
diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf
@@ -0,0 +1,29 @@
+output "bucket_domain_name" {
+  value       = module.s3_bucket.bucket_domain_name
+  description = "FQDN of bucket"
+}
+
+output "bucket_id" {
+  value       = module.s3_bucket.bucket_id
+  description = "Bucket Name (aka ID)"
+}
+
+output "bucket_arn" {
+  value       = module.s3_bucket.bucket_arn
+  description = "Bucket ARN"
+}
+
+output "user_name" {
+  value       = module.s3_bucket.user_name
+  description = "Normalized IAM user name"
+}
+
+output "user_arn" {
+  value       = module.s3_bucket.user_arn
+  description = "The ARN assigned by AWS for the user"
+}
+
+output "user_unique_id" {
+  value       = module.s3_bucket.user_unique_id
+  description = "The user unique ID assigned by AWS"
+}