Merge pull request #5 from ventx/chore/template_sync_a11bc90

chore: upstream merge template repository
ventx · Oct 21, 2023 · 7436552 · 7436552
2 parents 105bbf1 + 7037f8d
commit 7436552
Show file tree

Hide file tree

Showing 11 changed files with 372 additions and 42 deletions.
diff --git a/.github/labeler.yml b/.github/labeler.yml
@@ -1,8 +1,12 @@
+ci:
+  - .dependabot/*
+  - .github/workflows/*
+
 documentation:
   - docs/**/*
   - .github/*
   - ./*.md
 
-ci:
-  - .dependabot/*
-  - .github/workflows/*
+terraform:
+  - examples/**/*.tf
+  - ./*.tf
diff --git a/.github/workflows/ok-to-test.yml b/.github/workflows/ok-to-test.yml
@@ -0,0 +1,35 @@
+# If someone with write access comments "/ok-to-test" on a pull request, emit a repository_dispatch event
+name: ok-to-test
+
+on:
+  issue_comment:
+    types: [created]
+
+permissions:
+  pull-requests: write  # For doing the emoji reaction on a PR comment
+  issues: write  # For doing the emoji reaction on an issue comment
+  contents: write  # For executing the repository_dispatch event
+
+jobs:
+  ok-to-test:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    # Only run for PRs, not issue comments
+    if: ${{ github.event.issue.pull_request }}
+    steps:
+    - name: Generate token
+      id: app-token
+      uses: actions/create-github-app-token@v1
+      with:
+        app-id: ${{ secrets.APP_ID }}
+        private-key: ${{ secrets.PRIVATE_KEY }}
+
+    - name: Slash Command Dispatch
+      uses: peter-evans/slash-command-dispatch@v3
+      with:
+        token: ${{ steps.app-token.outputs.token }}
+        reaction-token: ${{ secrets.GITHUB_TOKEN }}
+        issue-type: pull-request
+        commands: ok-to-test
+        permission: write
diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml
@@ -4,9 +4,9 @@ on:
   pull_request:
 
 jobs:
-  labeler:
+  pr-labeler:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/labeler@v2
+    - uses: actions/labeler@v4
       with:
         repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/pr-secrets.yml b/.github/workflows/pr-secrets.yml
@@ -1,15 +1,15 @@
-name: PR - TruffleHog Secrets
+name: Secret scan
 
 on:
   pull_request:
 
 jobs:
   trufflehog:
-    name: Secrets
+    name: trufflehog
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: TruffleHog OSS

diff --git a/.github/workflows/pr-terraform.yml b/.github/workflows/pr-terraform.yml
@@ -1,34 +1,36 @@
-name: PR - Terraform
+name: Terraform
 
 on:
   pull_request:
     paths:
       - 'examples/**'
       - 'tests/**'
       - '**.tf'
-
-permissions:
-  id-token: write
-  pull-requests: write
+  repository_dispatch:
+    types: [ ok-to-test-command ]
 
 jobs:
-  terraform:
-    name: Terraform
+  # Branch-based pull request
+  terraform-pr-branch:
+    name: terraform-pr-branch
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      pull-requests: write
     timeout-minutes: 15
     env:
-      AWS_DEFAULT_REGION: eu-central-1
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       TF_IN_AUTOMATION: true
       TFDIR: examples
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
     steps:
-      - name: Checkout
-        uses: actions/checkout@v3
+      - name: Branch based PR checkout
+        uses: actions/checkout@v4
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        if: startsWith(github.repository, 'ventx/terraform-aws-')
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+          aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
           role-to-assume: ${{ secrets.AWS_GH_OIDC }}
 
       - name: Set Versions
@@ -37,7 +39,7 @@ jobs:
           echo "TFVERSION=$TFVER" >> $GITHUB_ENV
 
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v1
+        uses: hashicorp/setup-terraform@v2
         with:
           terraform_version: ${{ env.TFVERSION }}
 
@@ -46,7 +48,16 @@ jobs:
         run: terraform fmt -check -recursive
         continue-on-error: true
 
-      - name: Terraform Init
+      - name: Terraform Init (test)
+        id: init-test
+        run: terraform init
+
+      - name: Terraform Test
+        id: test
+        run: terraform test -verbose
+        continue-on-error: true
+
+      - name: Terraform Init (examples)
         id: init
         run: terraform -chdir=${{ env.TFDIR }} init
 
@@ -88,3 +99,149 @@ jobs:
               repo: context.repo.repo,
               body: output
             })
+
+  # User with write access has commented /ok-to-test on a (fork-based) pull request
+  terraform-pr-fork:
+    name: terraform-pr-fork
+    runs-on: ubuntu-latest
+    permissions:
+      checks: write
+      id-token: write
+      pull-requests: write
+    timeout-minutes: 15
+    env:
+      TF_IN_AUTOMATION: true
+      TFDIR: examples
+    if: |
+      github.event_name == 'repository_dispatch' &&
+      github.event.client_payload.slash_command.args.named.sha != '' &&
+      contains(
+        github.event.client_payload.pull_request.head.sha,
+        github.event.client_payload.slash_command.args.named.sha
+      )
+    steps:
+      - name: Update skipped check run to in_progress
+        uses: actions/github-script@v6
+        env:
+          job: ${{ github.job }}
+          number: ${{ github.event.client_payload.pull_request.number }}
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const { data: pull } = await github.rest.pulls.get({
+              ...context.repo,
+              pull_number: process.env.number
+            });
+            const ref = pull.head.sha;
+            const { data: checks } = await github.rest.checks.listForRef({
+              ...context.repo,
+              ref
+            });
+
+            // Filter for the check run with a specific name and a 'skipped' conclusion
+            const check = checks.check_runs.filter(c => c.name === process.env.job && c.conclusion === "skipped");
+
+            if (check.length > 0) {
+              console.log(`Skipped check run found with name: ${check[0].name}`);
+
+              // Update the check run to 'in_progress'
+              const { data: result } = await github.rest.checks.update({
+                ...context.repo,
+                check_run_id: check[0].id,
+                status: 'in_progress',
+              });
+
+              console.log(`Successfully updated check run to 'in_progress'. Name: ${result.name}`);
+              return result;
+            } else {
+              console.log('No skipped check runs found with the specified name.');
+            }
+
+      - name: Fork based /ok-to-test checkout
+        uses: actions/checkout@v4
+        with:
+          ref: 'refs/pull/${{ github.event.client_payload.pull_request.number }}/merge'
+
+      - name: Configure AWS credentials
+        if: startsWith(github.repository, 'ventx/terraform-aws-')
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+          role-to-assume: ${{ secrets.AWS_GH_OIDC }}
+
+      - name: Set Versions
+        run: |
+          TFVER=$(grep .tool-versions -e "terraform" | sed "s/terraform \(.*\)/\1/")
+          echo "TFVERSION=$TFVER" >> $GITHUB_ENV
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: ${{ env.TFVERSION }}
+
+      - name: Terraform Format
+        id: fmt
+        run: terraform fmt -check -recursive
+        continue-on-error: true
+
+      - name: Terraform Init (test)
+        id: init-test
+        run: terraform init
+
+      - name: Terraform Test
+        id: test
+        run: terraform test -verbose
+        continue-on-error: true
+
+      - name: Terraform Init (examples)
+        id: init
+        run: terraform -chdir=${{ env.TFDIR }} init
+
+      - name: Terraform Validate
+        id: validate
+        run: terraform -chdir=${{ env.TFDIR }} validate -no-color
+
+      - name: Terraform Plan
+        id: plan
+        run: terraform -chdir=${{ env.TFDIR }} plan -no-color -input=false
+        continue-on-error: true
+
+      - name: Update Pull Request
+        uses: actions/github-script@v6
+        env:
+          PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
+            #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
+            #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
+            #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
+
+            <details><summary>Show Plan</summary>
+
+            \`\`\`\n
+            ${process.env.PLAN}
+            \`\`\`
+
+            </details>
+
+            *Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
+
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            })
+
+      - name: Update check run to completed
+        uses: LouisBrunner/[email protected]
+        id: update-check-run-completed
+        if: ${{ always() }}
+        with:
+          sha: ${{ github.sha }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+          name: ${{ github.job }}
+          status: completed
+          conclusion: ${{ job.status }}
diff --git a/.github/workflows/pr-tflint.yml b/.github/workflows/pr-tflint.yml
@@ -0,0 +1,38 @@
+name: TFLint
+
+on:
+  pull_request:
+    paths:
+      - 'examples/**'
+      - 'tests/**'
+      - '**.tf'
+
+jobs:
+  tflint:
+    name: tflint
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    env:
+      TF_IN_AUTOMATION: true
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set Versions
+        run: |
+          TFLINTVER=$(grep .tool-versions -e "tflint" | sed "s/tflint \(.*\)/\1/")
+          echo "TFLINTVERSION=$TFLINTVER" >> $GITHUB_ENV
+
+      - uses: terraform-linters/setup-tflint@v4
+        id: tflintsetup
+        name: Setup TFLint
+        with:
+          tflint_version: v${{ env.TFLINTVERSION }}
+
+      - name: Init TFLint
+        id: tflintinit
+        run: tflint --init
+
+      - name: Run TFLint
+        id: tflint
+        run: tflint -f compact
diff --git a/.github/workflows/pr-tfsec.yml b/.github/workflows/pr-tfsec.yml
@@ -0,0 +1,25 @@
+name: tfsec
+
+on:
+  pull_request:
+    paths:
+      - 'examples/**'
+      - 'tests/**'
+      - '**.tf'
+
+jobs:
+  tfsec:
+    name: tfsec
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    env:
+      TF_IN_AUTOMATION: true
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: tfsec
+        id: tfsec
+        uses: tfsec/tfsec-pr-commenter-action@main
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}