fix: Fix ip discover (#19)

* fix: network acl id will be modified by AWS

Signed-off-by: matttrach <matttrach@gmail.com>

* fix: change how IP is discovered, upgrade workflows, upgrade nix

Signed-off-by: matttrach <matttrach@gmail.com>

* fix: tf fmt

Signed-off-by: matttrach <matttrach@gmail.com>

---------

Signed-off-by: matttrach <matttrach@gmail.com>
This commit is contained in:
Matt Trachier 2023-12-12 12:48:14 -06:00 committed by GitHub
parent 436f1d5ef7
commit 4d1867e53e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 172 additions and 84 deletions


@ -7,3 +7,4 @@ alias tfp='terraform init || terraform providers && terraform validate && terraf
alias tfr='terraform destroy --auto-approve; terraform apply --auto-approve'
alias k='kubectl'
alias tt='cd tests; go test -v -parallel=10 -timeout=80m'
alias nix='nix --extra-experimental-features nix-command --extra-experimental-features flakes'

.envrc

@ -1,7 +1,21 @@
if [ -z "${name}" ]; then
echo "entering dev environment..."
nix develop . --extra-experimental-features nix-command --extra-experimental-features flakes
nix develop \
--ignore-environment \
--extra-experimental-features nix-command \
--extra-experimental-features flakes \
--keep HOME \
--keep SSH_AUTH_SOCK \
--keep GITHUB_TOKEN \
--keep AWS_ROLE \
--keep AWS_REGION \
--keep AWS_DEFAULT_REGION \
--keep AWS_ACCESS_KEY_ID \
--keep AWS_SECRET_ACCESS_KEY \
--keep AWS_SESSION_TOKEN \
--keep TERM \
$(pwd)
else
echo "setting up dev environment..."
@ -9,4 +23,16 @@ else
source .functions
source .variables
source .rcs
fi
fi
if [ -z "$SSH_AUTH_SOCK" ]; then
echo "Unable to find SSH_AUTH_SOCK, is your agent running?";
fi
if [ -z "$(ssh-add -l | grep -v 'The agent has no identities.')" ]; then
echo "Your agent doesn't appear to have any identities loaded, please load a key or forward your agent.";
fi
if [ -z "$(env | grep 'AWS')" ]; then
echo "Unable to find AWS authentication information in the environment, please make sure you authenticate with AWS.";
fi
if [ -z "$(env | grep 'GITHUB_TOKEN')" ]; then
echo "Unable to find GITHUB authentication information in the environment, please make sure you authenticate with GITHUB.";
fi
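Review bot: `$(pwd)` on the last line of the `nix develop` invocation is unquoted, so a workspace path containing whitespace is word-split into several flake arguments; `"$(pwd)"` (or `"$PWD"`) keeps it as one argument. The same `--keep` allow-list is now duplicated in this file and in the two workflow files touched by this commit, so a variable added to one copy can silently be missing from the others; a comment above the list such as `# keep this --keep list in sync with the nix-develop arguments in the workflow files` would at least flag the coupling. The `env | grep 'AWS'` and `env | grep 'GITHUB_TOKEN'` probes match any variable whose name or value merely contains those substrings, so they can pass without usable credentials; testing the specific variables, e.g. `[ -z "${AWS_ACCESS_KEY_ID:-}" ]` and `[ -z "${GITHUB_TOKEN:-}" ]`, is more precise and avoids printing the whole environment through a pipe. I can't tell from the hunk whether these checks are meant to run inside the nix shell or after it exits in the `name`-empty branch, so it is worth confirming they execute where the credentials are expected.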


@ -8,6 +8,7 @@ on:
env:
AWS_REGION: us-west-1
AWS_ROLE: arn:aws:iam::270074865685:role/terraform-module-ci-test
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
permissions: write-all
@ -19,7 +20,6 @@ jobs:
id: release-please
with:
release-type: terraform-module
pull-request-title-pattern: "chore${scope}: release${component} ${version}"
- uses: peter-evans/create-or-update-comment@v3
name: 'Remind to wait'
if: steps.release-please.outputs.pr
@ -32,52 +32,72 @@ jobs:
if: steps.release-please.outputs.pr
with:
token: ${{secrets.GITHUB_TOKEN}}
- run: sudo rm -rf /nix/store
if: steps.release-please.outputs.pr
- run: sudo install -d /nix/store
if: steps.release-please.outputs.pr
- run: sudo chown -R "$(whoami)" /nix/store
if: steps.release-please.outputs.pr
- run: sudo chmod 0755 /nix/store
if: steps.release-please.outputs.pr
- uses: actions/cache/restore@v3
id: cache-nix-restore
if: steps.release-please.outputs.pr
with:
path: /nix/store
key: nix-${{ hashFiles('**/flake.nix') }}
- uses: DeterminateSystems/nix-installer-action@main
if: steps.release-please.outputs.pr
- name: 'Restore Nix Store Cache'
- uses: nicknovitski/nix-develop@v1.1.0
if: steps.release-please.outputs.pr
with:
arguments: |
--ignore-environment \
--extra-experimental-features nix-command \
--extra-experimental-features flakes \
--keep HOME \
--keep SSH_AUTH_SOCK \
--keep GITHUB_TOKEN \
--keep AWS_ROLE \
--keep AWS_REGION \
--keep AWS_DEFAULT_REGION \
--keep AWS_ACCESS_KEY_ID \
--keep AWS_SECRET_ACCESS_KEY \
--keep AWS_SESSION_TOKEN \
--keep TERM \
${{ github.workspace }}
- uses: actions/cache/save@v3
id: cache-nix-save
if: steps.release-please.outputs.pr
id: cache-nix-store-restore
uses: actions/cache/restore@v3
with:
path: /nix/store
key: nix-store
- uses: nicknovitski/nix-develop@v1
if: steps.release-please.outputs.pr
- name: 'Cache Nix Store'
if: steps.release-please.outputs.pr
id: cache-nix-store-save
uses: actions/cache/save@v3
with:
path: /nix/store
key: ${{ steps.cache-nix-store-restore.outputs.cache-primary-key }}
key: ${{ steps.cache-nix-restore.outputs.cache-primary-key }}
- uses: aws-actions/configure-aws-credentials@v4
if: steps.release-please.outputs.pr
with:
role-to-assume: ${{env.AWS_ROLE}}
role-session-name: ${{github.job}}-${{github.run_id}}-${{github.run_number}}-${{github.run_attempt}}
aws-region: ${{env.AWS_REGION}}
- name: 'Restore Terraform Cache'
if: steps.release-please.outputs.pr
- uses: actions/cache/restore@v3
id: cache-terraform-restore
uses: actions/cache/restore@v3
if: steps.release-please.outputs.pr
with:
path: ${{ github.workspace }}/.terraform
key: terraform
key: terraform-${{hashFiles('**/versions.tf','**/main.tf')}}
- run: terraform init -upgrade
if: steps.release-please.outputs.pr
- name: 'Cache Terraform'
if: steps.release-please.outputs.pr
- uses: actions/cache/save@v3
id: cache-terraform-save
uses: actions/cache/save@v3
if: steps.release-please.outputs.pr
with:
path: ${{ github.workspace }}/.terraform
key: ${{ steps.cache-terraform-restore.outputs.cache-primary-key }}
- run: cd ./tests && go test -v -timeout=40m -parallel=10
name: 'Terratest'
- run: go version && cd ${{github.workspace}}/tests && go test -v -timeout=40m -parallel=10 && cd ${{github.workspace}}
if: steps.release-please.outputs.pr
env:
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
GITHUB_OWNER: rancher
IDENTIFIER: ${{github.job}}-${{github.run_id}}-${{github.run_number}}-${{github.run_attempt}}
- uses: peter-evans/create-or-update-comment@v3
name: 'Report Success'
if: steps.release-please.outputs.pr
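Review bot: The Nix store cache key `nix-${{ hashFiles('**/flake.nix') }}` is computed from flake.nix only, so the flake.lock bump in this same commit (and any future lock update) restores a store built for the old pins and never invalidates; `key: nix-${{ hashFiles('**/flake.nix', '**/flake.lock') }}` ties the cache to the inputs actually used. The `actions/cache/save@v3` step `cache-nix-save` runs unconditionally, so on a cache hit it re-saves under an existing key and the action logs a failed-reserve warning on every run; guarding it with `if: steps.release-please.outputs.pr && steps.cache-nix-restore.outputs.cache-hit != 'true'` avoids that. The `arguments: |` block keeps each trailing `\` as a literal character, and whether nicknovitski/nix-develop@v1.1.0 hands the text to a shell (where they are line continuations) or splits it on whitespace (where `\` becomes a stray argument) is not visible here, so this deserves a check against the action's source — the same applies to the two nix-develop steps in the lint workflow. If the workflow-level `GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}` under `env:` is the addition in the first hunk, it exposes the token to every step of every job, including third-party actions, while the steps that need it already receive it explicitly via `with: token:` or a step-level `env:`; keeping it step-scoped is the least-privilege option.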


@ -12,9 +12,36 @@ jobs:
steps:
- uses: actions/checkout@v4
- uses: DeterminateSystems/nix-installer-action@main
- uses: DeterminateSystems/magic-nix-cache-action@main
- uses: nicknovitski/nix-develop@v1
- run: cd examples/basic && terraform version && terraform init -upgrade && terraform validate
- uses: nicknovitski/nix-develop@v1.1.0
with:
arguments: |
--ignore-environment \
--extra-experimental-features nix-command \
--extra-experimental-features flakes \
--keep HOME \
--keep SSH_AUTH_SOCK \
--keep GITHUB_TOKEN \
--keep AWS_ROLE \
--keep AWS_REGION \
--keep AWS_DEFAULT_REGION \
--keep AWS_ACCESS_KEY_ID \
--keep AWS_SECRET_ACCESS_KEY \
--keep AWS_SESSION_TOKEN \
--keep TERM \
${{ github.workspace }}
- uses: actions/cache/restore@v3
id: cache-terraform-restore
with:
path: ${{ github.workspace }}/.terraform
key: terraform
- run: terraform init -upgrade
- uses: actions/cache/save@v3
id: cache-terraform-save
with:
path: ${{ github.workspace }}/.terraform
key: ${{ steps.cache-terraform-restore.outputs.cache-primary-key }}
- run: cd ${{ github.workspace }}/examples/basic && terraform version && terraform init -upgrade && terraform validate && cd ${{ github.workspace }}
- run: terraform fmt -check -recursive
actionlint:
name: 'Lint Workflows'
@ -22,8 +49,23 @@ jobs:
steps:
- uses: actions/checkout@v4
- uses: DeterminateSystems/nix-installer-action@main
- uses: DeterminateSystems/magic-nix-cache-action@main
- uses: nicknovitski/nix-develop@v1
- uses: nicknovitski/nix-develop@v1.1.0
with:
arguments: |
--ignore-environment \
--extra-experimental-features nix-command \
--extra-experimental-features flakes \
--keep HOME \
--keep SSH_AUTH_SOCK \
--keep GITHUB_TOKEN \
--keep AWS_ROLE \
--keep AWS_REGION \
--keep AWS_DEFAULT_REGION \
--keep AWS_ACCESS_KEY_ID \
--keep AWS_SECRET_ACCESS_KEY \
--keep AWS_SESSION_TOKEN \
--keep TERM \
${{ github.workspace }}
- run: actionlint
tflint:
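Review bot: The Terraform cache in the validate job is restored and saved under the constant key `terraform`, while the release workflow in this same commit moves to `terraform-${{hashFiles('**/versions.tf','**/main.tf')}}`; with a fixed key the save step can never replace the existing entry, so `.terraform` stays pinned to whatever provider set was cached first and `terraform init -upgrade` has to redo the upgrade on every run. Using the same hash-based key here, `key: terraform-${{hashFiles('**/versions.tf','**/main.tf')}}`, keeps the two workflows consistent and lets a provider change invalidate the cache. The `--keep` list also forwards `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` into the validate and actionlint shells, and no step in view configures AWS credentials for these jobs; if they genuinely need no AWS access, a shorter allow-list for them documents that and keeps the nix shell environment minimal. The `tflint` job starts after the end of this hunk.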


@ -1,4 +1,4 @@
name: "Updatecli: Dependency Management"
name: "Updatecli"
on:
schedule:
@ -7,28 +7,19 @@ on:
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
permissions:
contents: write
issues: write
pull-requests: write
permissions: write-all
jobs:
updatecli:
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main'
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install Go
uses: actions/setup-go@v5
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: 'stable'
- name: Install Updatecli
uses: updatecli/updatecli-action@v2
- name: Delete leftover UpdateCLI branches
- uses: updatecli/updatecli-action@v2
- name: 'Delete leftover UpdateCLI branches'
run: |
gh pr list \
--search "is:closed is:pr head:updatecli_" \
@ -46,10 +37,9 @@ jobs:
done
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Apply Updatecli
# Never use '--debug' option, because it might leak the access tokens.
run: "updatecli apply --clean --config ./updatecli/updatecli.d/ --values ./updatecli/values.yaml"
env:
UPDATECLI_GITHUB_ACTOR: ${{ github.actor }}
UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
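Review bot: Replacing the scoped `contents: write` / `issues: write` / `pull-requests: write` block with `permissions: write-all` widens the `GITHUB_TOKEN` that reaches `updatecli/updatecli-action@v2` and the `gh pr` cleanup step to every scope a workflow token can hold, and nothing in the hunk needs more than the three scopes it removes. Restoring the explicit block keeps the token at least privilege and makes any later scope addition a reviewable diff line; the existing comment on the apply step already warns that the token can leak via `--debug`, which is one more reason to keep its scope narrow. The release workflow also carries `permissions: write-all`, apparently as pre-existing context rather than part of this change, so the same question applies there.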

.rcs

@ -1,4 +1,2 @@
# load aws config
source ~/.config/aws/default/rc
# load personal aliases
source ~/.config/alias/default/rc
source ~/.config/aws/default/rc # add personal aws auth vars
source ~/.config/alias/default/rc # add personal aliases


@ -3,17 +3,17 @@ output "vpc" {
}
output "subnet" {
value = module.TestBasic.subnet
value = module.TestBasic.subnet
}
output "cidr" {
value = module.TestBasic.cidr
value = module.TestBasic.cidr
}
output "security_group" {
value = module.TestBasic.security_group
value = module.TestBasic.security_group
}
output "ssh_key" {
value = module.TestBasic.ssh_key
value = module.TestBasic.ssh_key
}


@ -3,17 +3,17 @@ output "vpc" {
}
output "subnet" {
value = module.TestOverride.subnet
value = module.TestOverride.subnet
}
output "cidr" {
value = module.TestOverride.cidr
value = module.TestOverride.cidr
}
output "security_group" {
value = module.TestOverride.security_group
value = module.TestOverride.security_group
}
output "ssh_key" {
value = module.TestOverride.ssh_key
value = module.TestOverride.ssh_key
}


@ -3,17 +3,17 @@ output "vpc" {
}
output "subnet" {
value = module.TestPersonal.subnet
value = module.TestPersonal.subnet
}
output "cidr" {
value = module.TestPersonal.cidr
value = module.TestPersonal.cidr
}
output "security_group" {
value = module.TestPersonal.security_group
value = module.TestPersonal.security_group
}
output "ssh_key" {
value = module.TestPersonal.ssh_key
value = module.TestPersonal.ssh_key
}


@ -3,17 +3,17 @@ output "vpc" {
}
output "subnet" {
value = module.TestProject.subnet
value = module.TestProject.subnet
}
output "cidr" {
value = module.TestProject.cidr
value = module.TestProject.cidr
}
output "security_group" {
value = module.TestProject.security_group
value = module.TestProject.security_group
}
output "ssh_key" {
value = module.TestProject.ssh_key
value = module.TestProject.ssh_key
}


@ -5,11 +5,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
@ -20,11 +20,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1701174899,
"narHash": "sha256-1W+FMe8mWsJKXoBc+QgKmEeRj33kTFnPq7XCjU+bfnA=",
"lastModified": 1702272962,
"narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "010c7296f3b19a58b206fdf7d68d75a5b0a09e9e",
"rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d",
"type": "github"
},
"original": {


@ -59,13 +59,18 @@
{
devShells.default = pkgs.mkShell {
buildInputs = with pkgs; [
bashInteractive
git
tflint
shellcheck
tfswitch
actionlint
act
actionlint
bashInteractive
curl
git
gnupg
go
less
openssh
shellcheck
tflint
tfswitch
];
shellHook = ''
rm -rf "/usr/local/bin/switched-terraform"

main.tf

@ -15,11 +15,17 @@ locals {
ssh_key_name = var.ssh_key_name
public_ssh_key = var.public_ssh_key # create when public key is given, otherwise select with name
ifconfig_co_json = jsondecode(data.http.my_public_ip[0].response_body)
ip = (local.security_group_ip == "" ? local.ifconfig_co_json.ip : local.security_group_ip)
}
data "http" "get_my_ip" {
data "http" "my_public_ip" {
count = (local.security_group_ip == "" ? 1 : 0)
url = "https://ipinfo.io/ip"
url = "https://ifconfig.co/json"
request_headers = {
Accept = "application/json"
}
}
module "vpc" {
@ -40,7 +46,7 @@ module "subnet" {
module "security_group" {
source = "./modules/security_group"
name = local.security_group_name
ip = (local.security_group_ip == "" ? data.http.get_my_ip[0].response_body : local.security_group_ip)
ip = local.ip
cidr = module.subnet.cidr
owner = local.owner
type = local.security_group_type
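Review bot: `ifconfig_co_json = jsondecode(data.http.my_public_ip[0].response_body)` indexes the data source unconditionally, but `count` is 0 whenever `local.security_group_ip` is non-empty, so that configuration most likely fails with an invalid-index error at plan time even though `local.ip` never selects that branch; the previous inline form only dereferenced `[0]` inside the conditional. Keeping the lookup behind the condition, `ip = (local.security_group_ip == "" ? jsondecode(data.http.my_public_ip[0].response_body).ip : local.security_group_ip)`, removes the stray local and the failure. Nothing checks that ifconfig.co answered successfully before its body is decoded and written into a security-group rule; since the provider already exposes `response_body` it also exposes `status_code`, so on Terraform 1.2+ a `lifecycle { postcondition { condition = self.status_code == 200 } }` on the data source, or a `can(cidrhost("${local.ip}/32", 0))` check on the result, turns a blocked or malformed response into a clear error instead of an unexpected rule. The `locals` block begins before this hunk.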


@ -23,7 +23,7 @@ resource "aws_vpc" "new" {
}
resource "aws_internet_gateway" "new" {
count = local.create
count = local.create
depends_on = [
aws_vpc.new,
]
@ -31,7 +31,7 @@ resource "aws_internet_gateway" "new" {
}
resource "aws_route" "public" {
count = local.create
count = local.create
depends_on = [
aws_internet_gateway.new,
aws_vpc.new,