From 0f51e4b931009b07681a2d70feec1d8670061e38 Mon Sep 17 00:00:00 2001 From: Volodymyr S <26582191+SweetOps@users.noreply.github.com> Date: Wed, 5 Jul 2023 15:39:54 -0400 Subject: [PATCH] feat: introduce new option ignore_changes_enabled and update actions (#7) --- .github/workflows/docs.yml | 8 ++++---- .github/workflows/labeler.yml | 4 ++-- .github/workflows/labels.yml | 6 +++--- .github/workflows/pr-lint.yml | 9 +++++++-- .github/workflows/release.yml | 15 +++++++-------- .github/workflows/stale.yml | 21 ++++++++++----------- .github/workflows/terraform.yml | 4 ++-- .github/workflows/tflint.yml | 4 ++-- .github/workflows/tfsec.yml | 4 ++-- README.md | 3 ++- examples/basic/main.tf | 1 - examples/replicated/main.tf | 1 - main.tf | 20 +++++++++++++++++--- variables.tf | 10 +++++----- 14 files changed, 63 insertions(+), 47 deletions(-) diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index f198bfc..5cbd7cf 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -6,12 +6,12 @@ jobs: docs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.ref }} - name: Render terraform docs inside the examples/basic/README.md - uses: terraform-docs/gh-actions@v0.11.0 + uses: terraform-docs/gh-actions@v1.0.0 with: working-dir: ./examples/basic/ git-push: "false" @@ -19,7 +19,7 @@ jobs: config-file: ".terraform-docs.yml" - name: Render terraform docs inside the examples/basic/README.md - uses: terraform-docs/gh-actions@v0.11.0 + uses: terraform-docs/gh-actions@v1.0.0 with: working-dir: ./examples/replicated/ git-push: "false" @@ -27,7 +27,7 @@ jobs: config-file: ".terraform-docs.yml" - name: Render terraform docs inside the README.md - uses: terraform-docs/gh-actions@v0.11.0 + uses: terraform-docs/gh-actions@v1.0.0 with: working-dir: . git-push: "true" diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 300e87c..e1edd65 100644 
--- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -8,7 +8,7 @@ jobs: name: Auto Label runs-on: ubuntu-latest steps: - - uses: fuxingloh/multi-labeler@v1.5.0 + - uses: fuxingloh/multi-labeler@v2.0.3 with: github-token: ${{ secrets.GITHUB_TOKEN }} - config-path: .github/labeler.yml \ No newline at end of file + config-path: .github/labeler.yml diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml index d50f02a..7cee808 100644 --- a/.github/workflows/labels.yml +++ b/.github/workflows/labels.yml @@ -12,10 +12,10 @@ jobs: name: Sync labels in the declarative way runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: micnncim/action-label-syncer@v0.3.1 + - uses: actions/checkout@v3 + - uses: micnncim/action-label-syncer@v1.3.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_REPOSITORY: ${{ github.repository }} with: - manifest: .github/labels.yml \ No newline at end of file + manifest: .github/labels.yml diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml index f138c4d..43c0041 100644 --- a/.github/workflows/pr-lint.yml +++ b/.github/workflows/pr-lint.yml @@ -2,6 +2,11 @@ name: PR title conformance on: pull_request_target: + types: + - opened + - reopened + - edited + - synchronize jobs: lint-pr: @@ -9,7 +14,7 @@ jobs: steps: - name: Lint PR - uses: aslafy-z/conventional-pr-title-action@v2.4.1 + uses: aslafy-z/conventional-pr-title-action@v3.0.1 with: preset: conventional-changelog-angular@^5.0.6 env: @@ -17,7 +22,7 @@ jobs: - name: Comment for PR title conformance if: failure() - uses: peter-evans/create-or-update-comment@v1 + uses: peter-evans/create-or-update-comment@v3 with: issue-number: ${{tojson(github.event.number)}} body: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1fcfc37..a0db1b0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,4 +1,3 @@ - name: Release Drafter on: 
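Review bot: With `pull_request_target`, the added `synchronize` and `edited` types mean every push or title edit on a fork PR now triggers a run that carries the base repository's `GITHUB_TOKEN` and secrets; that is acceptable here only because the steps in the next two hunks lint the title and post a comment without checking out or executing PR head code. That invariant is easy to break in a later edit, so pin it with a comment above `on:`: `# pull_request_target: runs with base-repo permissions and secrets — never check out or execute PR head code in this workflow`. If the workflow has no top-level `permissions:` block (not visible in this hunk), restricting the token to `permissions: { pull-requests: write }` would limit what a mistake here could do. The `jobs:` section continues outside the hunk.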
@@ -11,10 +10,10 @@ jobs: publish: runs-on: ubuntu-latest steps: - - uses: release-drafter/release-drafter@v5 - with: - publish: true - prerelease: false - config-name: auto-release.yml - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file + - uses: release-drafter/release-drafter@v5 + with: + publish: true + prerelease: false + config-name: auto-release.yml + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 9447b05..3d7fd49 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -2,20 +2,19 @@ name: Mark stale issues and pull requests on: schedule: - - cron: "0 12 * * *" + - cron: "0 12 * * *" jobs: stale: - runs-on: ubuntu-latest steps: - - uses: actions/stale@v1 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days' - stale-pr-message: 'This pull-request is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days' - stale-issue-label: 'no-issue-activity' - stale-pr-label: 'no-pr-activity' - days-before-stale: 30 - days-before-close: 5 \ No newline at end of file + - uses: actions/stale@v8 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + stale-issue-message: "This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days" + stale-pr-message: "This pull-request is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days" + stale-issue-label: "no-issue-activity" + stale-pr-label: "no-pr-activity" + days-before-stale: 30 + days-before-close: 5 diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml index 010bdb6..99e1d12 100644 --- a/.github/workflows/terraform.yml 
+++ b/.github/workflows/terraform.yml @@ -9,10 +9,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Setup Terraform - uses: hashicorp/setup-terraform@v1 + uses: hashicorp/setup-terraform@v2 with: terraform_version: 1.3.0 diff --git a/.github/workflows/tflint.yml b/.github/workflows/tflint.yml index 146a0d8..c32a059 100644 --- a/.github/workflows/tflint.yml +++ b/.github/workflows/tflint.yml @@ -9,10 +9,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Setup Terraform - uses: hashicorp/setup-terraform@v1 + uses: hashicorp/setup-terraform@v2 with: terraform_version: 1.3.0 diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml index d6682ab..aae03e4 100644 --- a/.github/workflows/tfsec.yml +++ b/.github/workflows/tfsec.yml @@ -10,10 +10,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Setup Terraform - uses: hashicorp/setup-terraform@v1 + uses: hashicorp/setup-terraform@v2 with: terraform_version: 1.3.0 diff --git a/README.md b/README.md index 070a544..61bf4f0 100644 --- a/README.md +++ b/README.md @@ -68,6 +68,7 @@ module "secrets" { | [aws_secretsmanager_secret.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | | [aws_secretsmanager_secret_rotation.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_rotation) | resource | | [aws_secretsmanager_secret_version.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | +| [aws_secretsmanager_secret_version.ignore_changes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | ## Inputs 
@@ -96,7 +97,7 @@ module "secrets" { | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | | [replicas](#input\_replicas) | kms\_key\_id:
ARN, Key ID, or Alias of the AWS KMS key within the region secret is replicated to.
region:
Region for replicating the secret. |
list(
object(
{
kms_key_id = string
region = string
}
)
)
| `[]` | no | | [rotation](#input\_rotation) | enabled:
Whether to create secret rotation rule.
Default value: `false`
lambda\_arn:
Specifies the ARN of the Lambda function that can rotate the secret.
automatically\_after\_days:
Specifies the number of days between automatic scheduled rotations of the secret. |
object({
enabled = optional(bool, false)
lambda_arn = string
automatically_after_days = number
})
|
{
"automatically_after_days": 0,
"lambda_arn": ""
}
| no | -| [secret\_version](#input\_secret\_version) | enabled:
Whether to create secret version.
Default value: `false`
secret\_string:
Specifies text data that you want to encrypt and store in this version of the secret.
This is required if `secret_binary` is not set.
secret\_binary:
Specifies binary data that you want to encrypt and store in this version of the secret.
This is required if `secret_string` is not set.
Needs to be encoded to base64. |
object({
enabled = optional(bool, true)
secret_string = optional(string)
secret_binary = optional(string)
})
| `{}` | no | +| [secret\_version](#input\_secret\_version) | ignore\_changes\_enabled:
Whether to ignore changes in `secret_string` and `secret_binary`.
Default value: `false`
secret\_string:
Specifies text data that you want to encrypt and store in this version of the secret.
This is required if `secret_binary` is not set.
secret\_binary:
Specifies binary data that you want to encrypt and store in this version of the secret.
This is required if `secret_string` is not set.
Needs to be encoded to base64. |
object({
secret_string = optional(string, "{}")
secret_binary = optional(string)
ignore_changes_enabled = optional(bool, false)
})
| `{}` | no | | [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | | [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | | [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | diff --git a/examples/basic/main.tf b/examples/basic/main.tf index 32c5ac2..4ce347e 100644 --- a/examples/basic/main.tf +++ b/examples/basic/main.tf @@ -21,7 +21,6 @@ module "secrets" { source = "../../" secret_version = { - enabled = true secret_string = jsonencode( { ssh_public_key = base64encode(module.ssh_key_pair.public_key) diff --git a/examples/replicated/main.tf b/examples/replicated/main.tf index 771aa04..eb2312d 100644 --- a/examples/replicated/main.tf +++ b/examples/replicated/main.tf @@ -56,7 +56,6 @@ module "secrets" { source = "../../" secret_version = { - enabled = true secret_string = jsonencode( { ssh_public_key = base64encode(module.ssh_key_pair.public_key) diff --git a/main.tf b/main.tf index f8636a6..3b35519 100644 --- a/main.tf +++ b/main.tf @@ -3,8 +3,7 @@ locals { secret_name = one(aws_secretsmanager_secret.default[*].name) secret_id = one(aws_secretsmanager_secret.default[*].id) secret_arn = one(aws_secretsmanager_secret.default[*].arn) - version_id = one(aws_secretsmanager_secret_version.default[*].version_id) - secret_version_enabled = local.enabled && var.secret_version["enabled"] + version_id = local.enabled && !var.secret_version["ignore_changes_enabled"] ? one(aws_secretsmanager_secret_version.default[*].version_id) : one(aws_secretsmanager_secret_version.ignore_changes[*].version_id) secret_rotation_enabled = local.enabled && var.rotation["enabled"] kms_key_enabled = local.enabled && var.kms_key["enabled"] kms_key_id = var.kms_key["enabled"] ? module.kms_key.key_id : var.kms_key_id 
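Review bot: The new `version_id` expression re-evaluates `local.enabled && !var.secret_version["ignore_changes_enabled"]`, the same condition that the two `count` arguments in the next hunk spell out independently, so the three copies can drift apart silently (a `count = 0` resource read through `one([])` yields `null` rather than an error). Keeping a pair of named locals restores a single source of truth: `secret_version_enabled = local.enabled && !var.secret_version["ignore_changes_enabled"]` and `secret_version_ignore_changes_enabled = local.enabled && var.secret_version["ignore_changes_enabled"]`, with `version_id` and both `count`s referencing them. Dropping the old `secret_version_enabled` also removes the option to create no version at all; together with the new `"{}"` default for `secret_string` a version is always written when the module is enabled, which is presumably intended but deserves a comment on the local. The `locals` block begins before the hunk.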
@@ -45,13 +44,28 @@ resource "aws_secretsmanager_secret" "default" { } resource "aws_secretsmanager_secret_version" "default" { - count = local.secret_version_enabled ? 1 : 0 + count = local.enabled && !var.secret_version["ignore_changes_enabled"] ? 1 : 0 secret_id = local.secret_id secret_string = var.secret_version["secret_string"] secret_binary = var.secret_version["secret_binary"] } +resource "aws_secretsmanager_secret_version" "ignore_changes" { + count = local.enabled && var.secret_version["ignore_changes_enabled"] ? 1 : 0 + + secret_id = local.secret_id + secret_string = var.secret_version["secret_string"] + secret_binary = var.secret_version["secret_binary"] + + lifecycle { + ignore_changes = [ + secret_string, + secret_binary, + ] + } +} + resource "aws_secretsmanager_secret_rotation" "default" { count = local.secret_rotation_enabled ? 1 : 0 diff --git a/variables.tf b/variables.tf index c8853b2..8c1540a 100644 --- a/variables.tf +++ b/variables.tf @@ -75,15 +75,15 @@ variable "kms_key" { variable "secret_version" { type = object({ - enabled = optional(bool, true) - secret_string = optional(string) - secret_binary = optional(string) + secret_string = optional(string, "{}") + secret_binary = optional(string) + ignore_changes_enabled = optional(bool, false) }) sensitive = true default = {} description = <<-DOC - enabled: - Whether to create secret version. + ignore_changes_enabled: + Whether to ignore changes in `secret_string` and `secret_binary`. Default value: `false` secret_string: Specifies text data that you want to encrypt and store in this version of the secret.
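Review bot: Switching `ignore_changes_enabled` on an already-deployed secret changes the resource address from `aws_secretsmanager_secret_version.default[0]` to `aws_secretsmanager_secret_version.ignore_changes[0]` (or back), which Terraform plans as a destroy of one and a create of the other rather than an in-place update. The created version is seeded from `var.secret_version`, so a value that was maintained outside Terraform under the ignore-changes resource is replaced by whatever the variable holds, by default the new `"{}"` placeholder; whether the destroy also strips AWSCURRENT from the old version I cannot confirm from this hunk. A `moved` block cannot cover this because the direction depends on a variable, so add a comment above the new resource, `# Toggling ignore_changes_enabled replaces the version resource and re-seeds it from var.secret_version, overwriting the current value`, and repeat the warning in the variable description. `resource "aws_secretsmanager_secret_rotation" "default"` continues outside the hunk.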