diff --git a/.github/auto-release.yml b/.github/auto-release.yml
index 18a1ca62..c78a4d83 100644
--- a/.github/auto-release.yml
+++ b/.github/auto-release.yml
@@ -43,3 +43,11 @@ change-template: |
 template: |
 $CHANGES
+
+replacers:
+# Remove irrelevant information from Renovate bot
+- search: '/---\s+^#.*Renovate configuration(?:.|\n)*?This PR has been generated .*/gm'
+ replace: ''
+# Remove Renovate bot banner image
+- search: '/\[!\[[^\]]*Renovate\][^\]]*\](\([^)]*\))?\s*\n+/gm'
+ replace: ''
diff --git a/.github/mergify.yml b/.github/mergify.yml
index 485982ff..b0106567 100644
--- a/.github/mergify.yml
+++ b/.github/mergify.yml
@@ -1,12 +1,16 @@
+# https://docs.mergify.io/conditions.html
+# https://docs.mergify.io/actions.html
 pull_request_rules:
 - name: "approve automated PRs that have passed checks"
 conditions:
- - "check-success~=test/bats"
- - "check-success~=test/readme"
- - "check-success~=test/terratest"
+ - "author~=^(cloudpossebot|renovate\\[bot\\])$"
 - "base=master"
- - "author=cloudpossebot"
- - "head~=auto-update/.*"
+ - "-closed"
+ - "head~=^(auto-update|renovate)/.*"
+ - "check-success=test/bats"
+ - "check-success=test/readme"
+ - "check-success=test/terratest"
+ - "check-success=validate-codeowners"
 actions:
 review:
 type: "APPROVE"
@@ -15,16 +19,17 @@ pull_request_rules:
 - name: "merge automated PRs when approved and tests pass"
 conditions:
- - "check-success~=test/bats"
- - "check-success~=test/readme"
- - "check-success~=test/terratest"
+ - "author~=^(cloudpossebot|renovate\\[bot\\])$"
 - "base=master"
- - "head~=auto-update/.*"
+ - "-closed"
+ - "head~=^(auto-update|renovate)/.*"
+ - "check-success=test/bats"
+ - "check-success=test/readme"
+ - "check-success=test/terratest"
+ - "check-success=validate-codeowners"
 - "#approved-reviews-by>=1"
 - "#changes-requested-reviews-by=0"
 - "#commented-reviews-by=0"
- - "base=master"
- - "author=cloudpossebot"
 actions:
 merge:
 method: "squash"
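Review bot: The `review: APPROVE` action in this rule is what satisfies `#approved-reviews-by>=1` in the merge rule (second hunk), so a PR authored by `renovate[bot]` or `cloudpossebot` on an `auto-update/` or `renovate/` branch is squash-merged with no human review once the four `check-success` conditions hold. That is presumably intended, but nothing in the conditions limits what such a PR may change; the only scoping is Renovate's own manager configuration in `.github/renovate.json` and the exact check names these rules key on. A comment above the rule would make the dependency explicit for the next maintainer, e.g. `# Mergify's own APPROVE review satisfies "#approved-reviews-by>=1" in the merge rule below; bot PRs merge with no human review.` Note also that `check-success=` is now an exact match, so renaming any of the `test/*` or `validate-codeowners` checks silently disables both rules rather than failing loudly.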
@@ -38,6 +43,7 @@ pull_request_rules:
 - name: "ask to resolve conflict"
 conditions:
 - "conflict"
+ - "-closed"
 actions:
 comment:
 message: "This pull request is now in conflict. Could you fix it @{{author}}? 🙏"
diff --git a/.github/renovate.json b/.github/renovate.json
new file mode 100644
index 00000000..ae4f0aa5
--- /dev/null
+++ b/.github/renovate.json
@@ -0,0 +1,12 @@
+{
+ "extends": [
+ "config:base",
+ ":preserveSemverRanges"
+ ],
+ "labels": ["auto-update"],
+ "enabledManagers": ["terraform"],
+ "terraform": {
+ "ignorePaths": ["**/context.tf", "examples/**"]
+ }
+}
+
diff --git a/.github/workflows/auto-context.yml b/.github/workflows/auto-context.yml
index 739a3c9e..ab979e0e 100644
--- a/.github/workflows/auto-context.yml
+++ b/.github/workflows/auto-context.yml
@@ -27,17 +27,19 @@ jobs:
 make init
 make github/init/context.tf
 make readme/build
- echo "::set-output name=create_pull_request=true"
+ echo "::set-output name=create_pull_request::true"
 fi
 else
 echo "This module has not yet been updated to support the context.tf pattern! Please update in order to support automatic updates."
 fi
 - name: Create Pull Request
- if: {{ steps.update.outputs.create_pull_request == 'true' }}
+ if: steps.update.outputs.create_pull_request == 'true'
 uses: cloudposse/actions/github/create-pull-request@0.22.0
 with:
 token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
+ committer: 'cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>'
+ author: 'cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>'
 commit-message: Update context.tf from origin source
 title: Update context.tf
 body: |-
diff --git a/.github/workflows/auto-format.yml b/.github/workflows/auto-format.yml
new file mode 100644
index 00000000..990abed6
--- /dev/null
+++ b/.github/workflows/auto-format.yml
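Review bot: The corrected `echo "::set-output name=create_pull_request::true"` still relies on the `set-output` workflow command, which GitHub has since deprecated in favour of writing to the `$GITHUB_OUTPUT` file; the equivalent line is `echo "create_pull_request=true" >> "$GITHUB_OUTPUT"`. The same applies to the two `printf "::set-output name=%s::%s\n" "changed" …` lines in the new `.github/workflows/auto-format.yml`. The enclosing `run:` block of this step starts before the hunk, so the `id:` the `if:` on the next step reads (`steps.update`) cannot be confirmed from here.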
@@ -0,0 +1,86 @@
+name: Auto Format
+on:
+ pull_request_target:
+ types: [opened, synchronize]
+
+jobs:
+ auto-format:
+ runs-on: ubuntu-latest
+ container: cloudposse/build-harness:slim-latest
+ steps:
+ # Checkout the pull request branch
+ # "An action in a workflow run can’t trigger a new workflow run. For example, if an action pushes code using
+ # the repository’s GITHUB_TOKEN, a new workflow will not run even when the repository contains
+ # a workflow configured to run when push events occur."
+ # However, using a personal access token will cause events to be triggered.
+ # We need that to ensure a status gets posted after the auto-format commit.
+ # We also want to trigger tests if the auto-format made no changes.
+ - uses: actions/checkout@v2
+ if: github.event.pull_request.state == 'open'
+ name: Privileged Checkout
+ with:
+ token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ # Check out the PR commit, not the merge commit
+ # Use `ref` instead of `sha` to enable pushing back to `ref`
+ ref: ${{ github.event.pull_request.head.ref }}
+
+ # Do all the formatting stuff
+ - name: Auto Format
+ if: github.event.pull_request.state == 'open'
+ shell: bash
+ run: make BUILD_HARNESS_PATH=/build-harness PACKAGES_PREFER_HOST=true -f /build-harness/templates/Makefile.build-harness pr/auto-format/host
+
+ # Commit changes (if any) to the PR branch
+ - name: Commit changes to the PR branch
+ if: github.event.pull_request.state == 'open'
+ shell: bash
+ id: commit
+ env:
+ SENDER: ${{ github.event.sender.login }}
+ run: |
+ set -x
+ output=$(git diff --name-only)
+
+ if [ -n "$output" ]; then
+ echo "Changes detected. 
Pushing to the PR branch"
+ git config --global user.name 'cloudpossebot'
+ git config --global user.email '11232728+cloudpossebot@users.noreply.github.com'
+ git add -A
+ git commit -m "Auto Format"
+ # Prevent looping by not pushing changes in response to changes from cloudpossebot
+ [[ $SENDER == "cloudpossebot" ]] || git push
+ # Set status to fail, because the push should trigger another status check,
+ # and we use success to indicate the checks are finished.
+ printf "::set-output name=%s::%s\n" "changed" "true"
+ exit 1
+ else
+ printf "::set-output name=%s::%s\n" "changed" "false"
+ echo "No changes detected"
+ fi
+
+ - name: Auto Test
+ uses: cloudposse/actions/github/repository-dispatch@0.22.0
+ # match users by ID because logins (user names) are inconsistent,
+ # for example in the REST API Renovate Bot is `renovate[bot]` but
+ # in GraphQL it is just `renovate`, plus there is a non-bot
+ # user `renovate` with ID 1832810.
+ # Mergify bot: 37929162
+ # Renovate bot: 29139614
+ # Cloudpossebot: 11232728
+ # Need to use space separators to prevent "21" from matching "112144"
+ if: >
+ contains(' 37929162 29139614 11232728 ', format(' {0} ', github.event.pull_request.user.id))
+ && steps.commit.outputs.changed == 'false' && github.event.pull_request.state == 'open'
+ with:
+ token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
+ repository: cloudposse/actions
+ event-type: test-command
+ client-payload: |-
+ { "slash_command":{"args": {"unnamed": {"all": "all", "arg1": "all"}}},
+ "pull_request": ${{ toJSON(github.event.pull_request) }},
+ "github":{"payload":{"repository": ${{ toJSON(github.event.repository) }},
+ "comment": {"id": ""}
+ }
+ }
+ }
diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
index ccc27be7..3f48017d 100644
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
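Review bot: The `Privileged Checkout` step runs under `pull_request_target` and checks out the fork's `head.ref` using `PUBLIC_REPO_ACCESS_TOKEN`; because `persist-credentials` is left at its default, actions/checkout stores that token in the work tree's `.git/config`, so everything the `Auto Format` step executes over the untrusted PR files runs with a write-capable PAT readable from disk. Only the `Auto Test` step is gated on the trusted user-ID allowlist; the checkout, format and commit steps run for any PR author, including forks. If any build-harness target behind `pr/auto-format/host` can be influenced by files in the checked-out tree (templates or configuration read from the repository, for instance), this is exactly the `pull_request_target` pattern GitHub's security guidance warns about. Consider applying the same `contains(' 37929162 29139614 11232728 ', format(' {0} ', github.event.pull_request.user.id))` condition to the first three steps, or checking out with `persist-credentials: false` and supplying the token only to the `git push` in the commit step.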
@@ -6,7 +6,7 @@ on:
 - master
 jobs:
- semver:
+ publish:
 runs-on: ubuntu-latest
 steps:
 # Drafts your next Release notes as Pull Requests are merged into "master"
diff --git a/.github/workflows/validate-codeowners.yml b/.github/workflows/validate-codeowners.yml
index 80442891..386eb286 100644
--- a/.github/workflows/validate-codeowners.yml
+++ b/.github/workflows/validate-codeowners.yml
@@ -9,6 +9,8 @@ jobs:
 - name: "Checkout source code at current commit"
 uses: actions/checkout@v2
 - uses: mszostok/codeowners-validator@v0.5.0
+ if: github.event.pull_request.head.repo.full_name == github.repository
+ name: "Full check of CODEOWNERS"
 with:
 # For now, remove "files" check to allow CODEOWNERS to specify non-existent
 # files so we can use the same CODEOWNERS file for Terraform and non-Terraform repos
@@ -16,3 +18,8 @@ jobs:
 checks: "syntax,owners,duppatterns"
 # GitHub access token is required only if the `owners` check is enabled
 github_access_token: "${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}"
+ - uses: mszostok/codeowners-validator@v0.5.0
+ if: github.event.pull_request.head.repo.full_name != github.repository
+ name: "Syntax check of CODEOWNERS"
+ with:
+ checks: "syntax,duppatterns"
diff --git a/.gitignore b/.gitignore
index b635cf30..ce573e9d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,6 @@
 # Local .terraform directories
 **/.terraform/*
+**/.terraform.lock.hcl
 # .tfstate files
 *.tfstate
diff --git a/README.md b/README.md
index def9427f..1d182ff7 100644
--- a/README.md
+++ b/README.md
@@ -159,8 +159,6 @@ Available targets:
 |------|---------|
 | terraform | >= 0.12.26 |
 | aws | >= 2.0 |
-| local | >= 1.2 |
-| null | >= 2.0 |
 ## Providers
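Review bot: Both new `if:` conditions in validate-codeowners.yml compare `github.event.pull_request.head.repo.full_name` with `github.repository`, and that path is empty for any trigger other than a pull request; on a `push` event the `==` step is skipped and the `!=` step in the second hunk runs only `syntax,duppatterns`, so the `owners` check would silently stop running for pushes if the workflow's `on:` block (outside these hunks) includes them. If that is not intended, guard on the event as well: `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` for the full check and `if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository` for the syntax-only step. The added step pins `mszostok/codeowners-validator@v0.5.0` by mutable tag; a commit-SHA pin is the usual hardening for a third-party action, and it matters here because the full-check step hands the action `PUBLIC_REPO_ACCESS_TOKEN`.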
@@ -215,7 +213,7 @@ Available targets:
 | standard\_transition\_days | Number of days to persist in the standard storage tier before moving to the infrequent access tier | `number` | `30` | no |
 | tags | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |
 | user\_enabled | Set to `true` to create an IAM user with permission to access the bucket | `bool` | `false` | no |
-| versioning\_enabled | A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket | `bool` | `false` | no |
+| versioning\_enabled | A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket | `bool` | `true` | no |
 ## Outputs
diff --git a/docs/terraform.md b/docs/terraform.md
index c5e7d411..a5e3339b 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -5,8 +5,6 @@
 |------|---------|
 | terraform | >= 0.12.26 |
 | aws | >= 2.0 |
-| local | >= 1.2 |
-| null | >= 2.0 |
 ## Providers
@@ -61,7 +59,7 @@
 | standard\_transition\_days | Number of days to persist in the standard storage tier before moving to the infrequent access tier | `number` | `30` | no |
 | tags | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |
 | user\_enabled | Set to `true` to create an IAM user with permission to access the bucket | `bool` | `false` | no |
-| versioning\_enabled | A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket | `bool` | `false` | no |
+| versioning\_enabled | A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket | `bool` | `true` | no |
 ## Outputs
diff --git a/main.tf b/main.tf
index 4a856de2..e7253491 100644
--- a/main.tf
+++ b/main.tf
@@ -1,4 +1,6 @@
 resource "aws_s3_bucket" "default" {
+ #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
+ #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue in terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629).
 count = module.this.enabled ? 1 : 0
 bucket = module.this.id
 acl = try(length(var.grants), 0) == 0 ? var.acl : null
diff --git a/variables.tf b/variables.tf
index 63268a0a..e52cb6dd 100644
--- a/variables.tf
+++ b/variables.tf
@@ -30,7 +30,7 @@ variable "force_destroy" {
 variable "versioning_enabled" {
 type = bool
- default = false
+ default = true
 description = "A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket"
 }
@@ -223,4 +223,3 @@ variable "replication_rules" {
 default = null
 description = "Specifies the replication rules if S3 bucket replication is enabled"
 }
-
diff --git a/versions.tf b/versions.tf
index ee768889..9a98376a 100644
--- a/versions.tf
+++ b/versions.tf
@@ -6,13 +6,5 @@ terraform {
 source = "hashicorp/aws"
 version = ">= 2.0"
 }
- local = {
- source = "hashicorp/local"
- version = ">= 1.2"
- }
- null = {
- source = "hashicorp/null"
- version = ">= 2.0"
- }
 }
 }
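Review bot: Changing the `versioning_enabled` default from `false` to `true` in variables.tf is a behaviour change for every caller that never set the variable, and on an existing bucket the next apply will turn versioning on; the description does not mention either point. Suggest `description = "A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket. Defaults to true; once enabled, S3 versioning can only be suspended, not removed."` together with a release-note entry flagging the new default. The README.md and docs/terraform.md tables in this commit already show `true`, so only the variable description and the changelog need the addition.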