rancher
/
terraform-aws-access
mirror of https://github.com/rancher/terraform-aws-access.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix: Fix ip discover (#19) 

* fix: network acl id will be modified by AWS

Signed-off-by: matttrach <matttrach@gmail.com>

* fix: change how IP is discovered, upgrade workflows, upgrade nix

Signed-off-by: matttrach <matttrach@gmail.com>

* fix: tf fmt

Signed-off-by: matttrach <matttrach@gmail.com>

---------

Signed-off-by: matttrach <matttrach@gmail.com>
This commit is contained in:
Matt Trachier 2023-12-12 12:48:14 -06:00 committed by GitHub
parent 436f1d5ef7
commit 4d1867e53e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 172 additions and 84 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.aliases
View File

@ -7,3 +7,4 @@ alias tfp='terraform init || terraform providers && terraform validate && terraf
alias tfr='terraform destroy --auto-approve; terraform apply --auto-approve' alias tfr='terraform destroy --auto-approve; terraform apply --auto-approve'
alias k='kubectl' alias k='kubectl'
alias tt='cd tests; go test -v -parallel=10 -timeout=80m' alias tt='cd tests; go test -v -parallel=10 -timeout=80m'
alias nix='nix --extra-experimental-features nix-command --extra-experimental-features flakes'

28
.envrc
View File

@ -1,7 +1,21 @@
if [ -z "${name}" ]; then if [ -z "${name}" ]; then
echo "entering dev environment..." echo "entering dev environment..."
nix develop . --extra-experimental-features nix-command --extra-experimental-features flakes nix develop \
--ignore-environment \
--extra-experimental-features nix-command \
--extra-experimental-features flakes \
--keep HOME \
--keep SSH_AUTH_SOCK \
--keep GITHUB_TOKEN \
--keep AWS_ROLE \
--keep AWS_REGION \
--keep AWS_DEFAULT_REGION \
--keep AWS_ACCESS_KEY_ID \
--keep AWS_SECRET_ACCESS_KEY \
--keep AWS_SESSION_TOKEN \
--keep TERM \
$(pwd)
else else
echo "setting up dev environment..." echo "setting up dev environment..."
@ -10,3 +24,15 @@ else
source .variables source .variables
source .rcs source .rcs
fi fi
if [ -z "$SSH_AUTH_SOCK" ]; then
echo "Unable to find SSH_AUTH_SOCK, is your agent running?";
fi
if [ -z "$(ssh-add -l | grep -v 'The agent has no identities.')" ]; then
echo "Your agent doesn't appear to have any identities loaded, please load a key or forward your agent.";
fi
if [ -z "$(env | grep 'AWS')" ]; then
echo "Unable to find AWS authentication information in the environment, please make sure you authenticate with AWS.";
fi
if [ -z "$(env | grep 'GITHUB_TOKEN')" ]; then
echo "Unable to find GITHUB authentication information in the environment, please make sure you authenticate with GITHUB.";
fi

66
.github/workflows/release.yaml vendored
View File

@ -8,6 +8,7 @@ on:
env: env:
AWS_REGION: us-west-1 AWS_REGION: us-west-1
AWS_ROLE: arn:aws:iam::270074865685:role/terraform-module-ci-test AWS_ROLE: arn:aws:iam::270074865685:role/terraform-module-ci-test
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
permissions: write-all permissions: write-all
@ -19,7 +20,6 @@ jobs:
id: release-please id: release-please
with: with:
release-type: terraform-module release-type: terraform-module
pull-request-title-pattern: "chore${scope}: release${component} ${version}"
- uses: peter-evans/create-or-update-comment@v3 - uses: peter-evans/create-or-update-comment@v3
name: 'Remind to wait' name: 'Remind to wait'
if: steps.release-please.outputs.pr if: steps.release-please.outputs.pr
@ -32,52 +32,72 @@ jobs:
if: steps.release-please.outputs.pr if: steps.release-please.outputs.pr
with: with:
token: ${{secrets.GITHUB_TOKEN}} token: ${{secrets.GITHUB_TOKEN}}
- run: sudo rm -rf /nix/store
if: steps.release-please.outputs.pr
- run: sudo install -d /nix/store
if: steps.release-please.outputs.pr
- run: sudo chown -R "$(whoami)" /nix/store
if: steps.release-please.outputs.pr
- run: sudo chmod 0755 /nix/store
if: steps.release-please.outputs.pr
- uses: actions/cache/restore@v3
id: cache-nix-restore
if: steps.release-please.outputs.pr
with:
path: /nix/store
key: nix-${{ hashFiles('**/flake.nix') }}
- uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/nix-installer-action@main
if: steps.release-please.outputs.pr if: steps.release-please.outputs.pr
- name: 'Restore Nix Store Cache' - uses: nicknovitski/nix-develop@v1.1.0
if: steps.release-please.outputs.pr
with:
arguments: |
--ignore-environment \
--extra-experimental-features nix-command \
--extra-experimental-features flakes \
--keep HOME \
--keep SSH_AUTH_SOCK \
--keep GITHUB_TOKEN \
--keep AWS_ROLE \
--keep AWS_REGION \
--keep AWS_DEFAULT_REGION \
--keep AWS_ACCESS_KEY_ID \
--keep AWS_SECRET_ACCESS_KEY \
--keep AWS_SESSION_TOKEN \
--keep TERM \
${{ github.workspace }}
- uses: actions/cache/save@v3
id: cache-nix-save
if: steps.release-please.outputs.pr if: steps.release-please.outputs.pr
id: cache-nix-store-restore
uses: actions/cache/restore@v3
with: with:
path: /nix/store path: /nix/store
key: nix-store key: ${{ steps.cache-nix-restore.outputs.cache-primary-key }}
- uses: nicknovitski/nix-develop@v1
if: steps.release-please.outputs.pr
- name: 'Cache Nix Store'
if: steps.release-please.outputs.pr
id: cache-nix-store-save
uses: actions/cache/save@v3
with:
path: /nix/store
key: ${{ steps.cache-nix-store-restore.outputs.cache-primary-key }}
- uses: aws-actions/configure-aws-credentials@v4 - uses: aws-actions/configure-aws-credentials@v4
if: steps.release-please.outputs.pr if: steps.release-please.outputs.pr
with: with:
role-to-assume: ${{env.AWS_ROLE}} role-to-assume: ${{env.AWS_ROLE}}
role-session-name: ${{github.job}}-${{github.run_id}}-${{github.run_number}}-${{github.run_attempt}} role-session-name: ${{github.job}}-${{github.run_id}}-${{github.run_number}}-${{github.run_attempt}}
aws-region: ${{env.AWS_REGION}} aws-region: ${{env.AWS_REGION}}
- name: 'Restore Terraform Cache' - uses: actions/cache/restore@v3
if: steps.release-please.outputs.pr
id: cache-terraform-restore id: cache-terraform-restore
uses: actions/cache/restore@v3 if: steps.release-please.outputs.pr
with: with:
path: ${{ github.workspace }}/.terraform path: ${{ github.workspace }}/.terraform
key: terraform key: terraform-${{hashFiles('**/versions.tf','**/main.tf')}}
- run: terraform init -upgrade - run: terraform init -upgrade
if: steps.release-please.outputs.pr if: steps.release-please.outputs.pr
- name: 'Cache Terraform' - uses: actions/cache/save@v3
if: steps.release-please.outputs.pr
id: cache-terraform-save id: cache-terraform-save
uses: actions/cache/save@v3 if: steps.release-please.outputs.pr
with: with:
path: ${{ github.workspace }}/.terraform path: ${{ github.workspace }}/.terraform
key: ${{ steps.cache-terraform-restore.outputs.cache-primary-key }} key: ${{ steps.cache-terraform-restore.outputs.cache-primary-key }}
- run: cd ./tests && go test -v -timeout=40m -parallel=10 - run: go version && cd ${{github.workspace}}/tests && go test -v -timeout=40m -parallel=10 && cd ${{github.workspace}}
name: 'Terratest'
if: steps.release-please.outputs.pr if: steps.release-please.outputs.pr
env: env:
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
GITHUB_OWNER: rancher GITHUB_OWNER: rancher
IDENTIFIER: ${{github.job}}-${{github.run_id}}-${{github.run_number}}-${{github.run_attempt}}
- uses: peter-evans/create-or-update-comment@v3 - uses: peter-evans/create-or-update-comment@v3
name: 'Report Success' name: 'Report Success'
if: steps.release-please.outputs.pr if: steps.release-please.outputs.pr

52
.github/workflows/tests.yaml vendored
View File

@ -12,9 +12,36 @@ jobs:
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/nix-installer-action@main
- uses: DeterminateSystems/magic-nix-cache-action@main - uses: nicknovitski/nix-develop@v1.1.0
- uses: nicknovitski/nix-develop@v1 with:
- run: cd examples/basic && terraform version && terraform init -upgrade && terraform validate arguments: |
--ignore-environment \
--extra-experimental-features nix-command \
--extra-experimental-features flakes \
--keep HOME \
--keep SSH_AUTH_SOCK \
--keep GITHUB_TOKEN \
--keep AWS_ROLE \
--keep AWS_REGION \
--keep AWS_DEFAULT_REGION \
--keep AWS_ACCESS_KEY_ID \
--keep AWS_SECRET_ACCESS_KEY \
--keep AWS_SESSION_TOKEN \
--keep TERM \
${{ github.workspace }}
- uses: actions/cache/restore@v3
id: cache-terraform-restore
with:
path: ${{ github.workspace }}/.terraform
key: terraform
- run: terraform init -upgrade
- uses: actions/cache/save@v3
id: cache-terraform-save
with:
path: ${{ github.workspace }}/.terraform
key: ${{ steps.cache-terraform-restore.outputs.cache-primary-key }}
- run: cd ${{ github.workspace }}/examples/basic && terraform version && terraform init -upgrade && terraform validate && cd ${{ github.workspace }}
- run: terraform fmt -check -recursive
actionlint: actionlint:
name: 'Lint Workflows' name: 'Lint Workflows'
@ -22,8 +49,23 @@ jobs:
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/nix-installer-action@main
- uses: DeterminateSystems/magic-nix-cache-action@main - uses: nicknovitski/nix-develop@v1.1.0
- uses: nicknovitski/nix-develop@v1 with:
arguments: |
--ignore-environment \
--extra-experimental-features nix-command \
--extra-experimental-features flakes \
--keep HOME \
--keep SSH_AUTH_SOCK \
--keep GITHUB_TOKEN \
--keep AWS_ROLE \
--keep AWS_REGION \
--keep AWS_DEFAULT_REGION \
--keep AWS_ACCESS_KEY_ID \
--keep AWS_SECRET_ACCESS_KEY \
--keep AWS_SESSION_TOKEN \
--keep TERM \
${{ github.workspace }}
- run: actionlint - run: actionlint
tflint: tflint:

22
.github/workflows/updatecli.yaml vendored
View File

@ -1,4 +1,4 @@
name: "Updatecli: Dependency Management" name: "Updatecli"
on: on:
schedule: schedule:
@ -7,28 +7,19 @@ on:
# Allows you to run this workflow manually from the Actions tab # Allows you to run this workflow manually from the Actions tab
workflow_dispatch: workflow_dispatch:
permissions: permissions: write-all
contents: write
issues: write
pull-requests: write
jobs: jobs:
updatecli: updatecli:
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main' if: github.ref == 'refs/heads/main'
steps: steps:
- name: Checkout - uses: actions/checkout@v4
uses: actions/checkout@v4 - uses: actions/setup-go@v5
- name: Install Go
uses: actions/setup-go@v5
with: with:
go-version: 'stable' go-version: 'stable'
- uses: updatecli/updatecli-action@v2
- name: Install Updatecli - name: 'Delete leftover UpdateCLI branches'
uses: updatecli/updatecli-action@v2
- name: Delete leftover UpdateCLI branches
run: | run: |
gh pr list \ gh pr list \
--search "is:closed is:pr head:updatecli_" \ --search "is:closed is:pr head:updatecli_" \
@ -46,7 +37,6 @@ jobs:
done done
env: env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Apply Updatecli - name: Apply Updatecli
# Never use '--debug' option, because it might leak the access tokens. # Never use '--debug' option, because it might leak the access tokens.
run: "updatecli apply --clean --config ./updatecli/updatecli.d/ --values ./updatecli/values.yaml" run: "updatecli apply --clean --config ./updatecli/updatecli.d/ --values ./updatecli/values.yaml"

6
.rcs
View File

@ -1,4 +1,2 @@
# load aws config source ~/.config/aws/default/rc # add personal aws auth vars
source ~/.config/aws/default/rc source ~/.config/alias/default/rc # add personal aliases
# load personal aliases
source ~/.config/alias/default/rc

12
flake.lock
View File

@ -5,11 +5,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1694529238, "lastModified": 1701680307,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384", "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -20,11 +20,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1701174899, "lastModified": 1702272962,
"narHash": "sha256-1W+FMe8mWsJKXoBc+QgKmEeRj33kTFnPq7XCjU+bfnA=", "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "010c7296f3b19a58b206fdf7d68d75a5b0a09e9e", "rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d",
"type": "github" "type": "github"
}, },
"original": { "original": {

17
flake.nix
View File

@ -59,13 +59,18 @@
{ {
devShells.default = pkgs.mkShell { devShells.default = pkgs.mkShell {
buildInputs = with pkgs; [ buildInputs = with pkgs; [
bashInteractive
git
tflint
shellcheck
tfswitch
actionlint
act act
actionlint
bashInteractive
curl
git
gnupg
go
less
openssh
shellcheck
tflint
tfswitch
]; ];
shellHook = '' shellHook = ''
rm -rf "/usr/local/bin/switched-terraform" rm -rf "/usr/local/bin/switched-terraform"

12
main.tf
View File

@ -15,11 +15,17 @@ locals {
ssh_key_name = var.ssh_key_name ssh_key_name = var.ssh_key_name
public_ssh_key = var.public_ssh_key # create when public key is given, otherwise select with name public_ssh_key = var.public_ssh_key # create when public key is given, otherwise select with name
ifconfig_co_json = jsondecode(data.http.my_public_ip[0].response_body)
ip = (local.security_group_ip == "" ? local.ifconfig_co_json.ip : local.security_group_ip)
} }
data "http" "get_my_ip" { data "http" "my_public_ip" {
count = (local.security_group_ip == "" ? 1 : 0) count = (local.security_group_ip == "" ? 1 : 0)
url = "https://ipinfo.io/ip" url = "https://ifconfig.co/json"
request_headers = {
Accept = "application/json"
}
} }
module "vpc" { module "vpc" {
@ -40,7 +46,7 @@ module "subnet" {
module "security_group" { module "security_group" {
source = "./modules/security_group" source = "./modules/security_group"
name = local.security_group_name name = local.security_group_name
ip = (local.security_group_ip == "" ? data.http.get_my_ip[0].response_body : local.security_group_ip) ip = local.ip
cidr = module.subnet.cidr cidr = module.subnet.cidr
owner = local.owner owner = local.owner
type = local.security_group_type type = local.security_group_type