diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
deleted file mode 100644
index 6f64b5a..0000000
--- a/.github/CODEOWNERS
+++ /dev/null
@@ -1,25 +0,0 @@
-# Use this file to define individuals or teams that are responsible for code in a repository.
-# Read more:
-#
-# Order is important: the last matching pattern has the highest precedence
-
-# These owners will be the default owners for everything
-* @cloudposse/engineering @cloudposse/contributors
-
-# Cloud Posse must review any changes to Makefiles
-**/Makefile @cloudposse/engineering
-**/Makefile.* @cloudposse/engineering
-
-# Cloud Posse must review any changes to GitHub actions
-.github/* @cloudposse/engineering
-
-# Cloud Posse must review any changes to standard context definition,
-# but some changes can be rubber-stamped.
-**/*.tf @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
-README.yaml @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
-README.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
-docs/*.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
-
-# Cloud Posse Admins must review all changes to CODEOWNERS or the mergify configuration
-.github/mergify.yml @cloudposse/admins
-.github/CODEOWNERS @cloudposse/admins
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
deleted file mode 100644
index f3df96b..0000000
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ /dev/null
@@ -1,37 +0,0 @@
----
-name: Bug report
-about: Create a report to help us improve
-title: ''
-labels: 'bug'
-assignees: ''
-
----
-
-Found a bug? Maybe our [Slack Community](https://slack.cloudposse.com) can help.
-
-[](https://slack.cloudposse.com)
-
-## Describe the Bug
-A clear and concise description of what the bug is.
-
-## Expected Behavior
-A clear and concise description of what you expected to happen.
-
-## Steps to Reproduce
-Steps to reproduce the behavior:
-1. Go to '...'
-2. Run '....'
-3. Enter '....'
-4. See error
-
-## Screenshots
-If applicable, add screenshots or logs to help explain your problem.
-
-## Environment (please complete the following information):
-
-Anything that will help us triage the bug will help. Here are some ideas:
- - OS: [e.g. Linux, OSX, WSL, etc]
- - Version [e.g. 10.15]
-
-## Additional Context
-Add any other context about the problem here.
\ No newline at end of file
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
deleted file mode 100644
index 76ae6d6..0000000
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-blank_issues_enabled: false
-
-contact_links:
-
- - name: Community Slack Team
- url: https://cloudposse.com/slack/
- about: |-
- Please ask and answer questions here.
-
- - name: Office Hours
- url: https://cloudposse.com/office-hours/
- about: |-
- Join us every Wednesday for FREE Office Hours (lunch & learn).
-
- - name: DevOps Accelerator Program
- url: https://cloudposse.com/accelerate/
- about: |-
- Own your infrastructure in record time. We build it. You drive it.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
deleted file mode 100644
index 39a8686..0000000
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ /dev/null
@@ -1,36 +0,0 @@
----
-name: Feature Request
-about: Suggest an idea for this project
-title: ''
-labels: 'feature request'
-assignees: ''
-
----
-
-Have a question? Please checkout our [Slack Community](https://slack.cloudposse.com) or visit our [Slack Archive](https://archive.sweetops.com/).
-
-[](https://slack.cloudposse.com)
-
-## Describe the Feature
-
-A clear and concise description of what the bug is.
-
-## Expected Behavior
-
-A clear and concise description of what you expected to happen.
-
-## Use Case
-
-Is your feature request related to a problem/challenge you are trying to solve? Please provide some additional context of why this feature or capability will be valuable.
-
-## Describe Ideal Solution
-
-A clear and concise description of what you want to happen. If you don't know, that's okay.
-
-## Alternatives Considered
-
-Explain what alternative solutions or features you've considered.
-
-## Additional Context
-
-Add any other context or screenshots about the feature request here.
diff --git a/.github/ISSUE_TEMPLATE/question.md b/.github/ISSUE_TEMPLATE/question.md
deleted file mode 100644
index e69de29..0000000
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
deleted file mode 100644
index 4b8f32d..0000000
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ /dev/null
@@ -1,13 +0,0 @@
-## what
-* Describe high-level what changed as a result of these commits (i.e. in plain-english, what do these changes mean?)
-* Use bullet points to be concise and to the point.
-
-## why
-* Provide the justifications for the changes (e.g. business case).
-* Describe why these changes were made (e.g. why do these commits fix the problem?)
-* Use bullet points to be concise and to the point.
-
-## references
-* Link to any supporting github issues or helpful documentation to add some context (e.g. stackoverflow).
-* Use `closes #123`, if this PR closes a GitHub issue `#123`
-
diff --git a/.github/auto-release.yml b/.github/auto-release.yml
deleted file mode 100644
index b45efb7..0000000
--- a/.github/auto-release.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-name-template: 'v$RESOLVED_VERSION'
-tag-template: '$RESOLVED_VERSION'
-version-template: '$MAJOR.$MINOR.$PATCH'
-version-resolver:
- major:
- labels:
- - 'major'
- minor:
- labels:
- - 'minor'
- - 'enhancement'
- patch:
- labels:
- - 'auto-update'
- - 'patch'
- - 'fix'
- - 'bugfix'
- - 'bug'
- - 'hotfix'
- - 'no-release'
- default: 'minor'
-
-categories:
-- title: '🚀 Enhancements'
- labels:
- - 'enhancement'
- - 'patch'
-- title: '🐛 Bug Fixes'
- labels:
- - 'fix'
- - 'bugfix'
- - 'bug'
- - 'hotfix'
-- title: '🤖 Automatic Updates'
- labels:
- - 'auto-update'
-
-change-template: |
-
- $TITLE @$AUTHOR (#$NUMBER)
-
- $BODY
-
-
-template: |
- $CHANGES
-
-replacers:
-# Remove irrelevant information from Renovate bot
-- search: '/(?<=---\s)\s*^#.*(Renovate configuration|Configuration)(?:.|\n)*?This PR has been generated .*/gm'
- replace: ''
-# Remove Renovate bot banner image
-- search: '/\[!\[[^\]]*Renovate\][^\]]*\](\([^)]*\))?\s*\n+/gm'
- replace: ''
diff --git a/.github/mergify.yml b/.github/mergify.yml
deleted file mode 100644
index ef15545..0000000
--- a/.github/mergify.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-# https://docs.mergify.io/conditions.html
-# https://docs.mergify.io/actions.html
-pull_request_rules:
-- name: "approve automated PRs that have passed checks"
- conditions:
- - "author~=^(cloudpossebot|renovate\\[bot\\])$"
- - "base=master"
- - "-closed"
- - "head~=^(auto-update|renovate)/.*"
- - "check-success=test/bats"
- - "check-success=test/readme"
- - "check-success=test/terratest"
- - "check-success=validate-codeowners"
- actions:
- review:
- type: "APPROVE"
- bot_account: "cloudposse-mergebot"
- message: "We've automatically approved this PR because the checks from the automated Pull Request have passed."
-
-- name: "merge automated PRs when approved and tests pass"
- conditions:
- - "author~=^(cloudpossebot|renovate\\[bot\\])$"
- - "base=master"
- - "-closed"
- - "head~=^(auto-update|renovate)/.*"
- - "check-success=test/bats"
- - "check-success=test/readme"
- - "check-success=test/terratest"
- - "check-success=validate-codeowners"
- - "#approved-reviews-by>=1"
- - "#changes-requested-reviews-by=0"
- - "#commented-reviews-by=0"
- actions:
- merge:
- method: "squash"
-
-- name: "delete the head branch after merge"
- conditions:
- - "merged"
- actions:
- delete_head_branch: {}
-
-- name: "ask to resolve conflict"
- conditions:
- - "conflict"
- - "-closed"
- actions:
- comment:
- message: "This pull request is now in conflict. Could you fix it @{{author}}? 🙏"
-
-- name: "remove outdated reviews"
- conditions:
- - "base=master"
- actions:
- dismiss_reviews:
- changes_requested: true
- approved: true
- message: "This Pull Request has been updated, so we're dismissing all reviews."
-
-- name: "close Pull Requests without files changed"
- conditions:
- - "#files=0"
- actions:
- close:
- message: "This pull request has been automatically closed by Mergify because there are no longer any changes."
diff --git a/.github/renovate.json b/.github/renovate.json
deleted file mode 100644
index a780298..0000000
--- a/.github/renovate.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "extends": [
- "config:base",
- ":preserveSemverRanges"
- ],
- "labels": ["auto-update"],
- "dependencyDashboardAutoclose": true,
- "enabledManagers": ["terraform"],
- "terraform": {
- "ignorePaths": ["**/context.tf", "examples/**"]
- }
-}
diff --git a/.github/workflows/auto-context.yml b/.github/workflows/auto-context.yml
deleted file mode 100644
index 665833a..0000000
--- a/.github/workflows/auto-context.yml
+++ /dev/null
@@ -1,57 +0,0 @@
-name: "auto-context"
-on:
- schedule:
- # Update context.tf nightly
- - cron: '0 3 * * *'
-
-jobs:
- update:
- if: github.event_name == 'schedule'
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
-
- - name: Update context.tf
- shell: bash
- id: update
- env:
- GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- run: |
- if [[ -f context.tf ]]; then
- echo "Discovered existing context.tf! Fetching most recent version to see if there is an update."
- curl -o context.tf -fsSL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf
- if git diff --no-patch --exit-code context.tf; then
- echo "No changes detected! Exiting the job..."
- else
- echo "context.tf file has changed. Update examples and rebuild README.md."
- make init
- make github/init/context.tf
- make readme/build
- echo "::set-output name=create_pull_request::true"
- fi
- else
- echo "This module has not yet been updated to support the context.tf pattern! Please update in order to support automatic updates."
- fi
-
- - name: Create Pull Request
- if: steps.update.outputs.create_pull_request == 'true'
- uses: cloudposse/actions/github/create-pull-request@0.30.0
- with:
- token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
- committer: 'cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>'
- author: 'cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>'
- commit-message: Update context.tf from origin source
- title: Update context.tf
- body: |-
- ## what
- This is an auto-generated PR that updates the `context.tf` file to the latest version from `cloudposse/terraform-null-label`
-
- ## why
- To support all the features of the `context` interface.
-
- branch: auto-update/context.tf
- base: master
- delete-branch: true
- labels: |
- auto-update
- context
diff --git a/.github/workflows/auto-format.yml b/.github/workflows/auto-format.yml
deleted file mode 100644
index c600d60..0000000
--- a/.github/workflows/auto-format.yml
+++ /dev/null
@@ -1,88 +0,0 @@
-name: Auto Format
-on:
- pull_request_target:
- types: [opened, synchronize]
-
-jobs:
- auto-format:
- runs-on: ubuntu-latest
- container: cloudposse/build-harness:latest
- steps:
- # Checkout the pull request branch
- # "An action in a workflow run can’t trigger a new workflow run. For example, if an action pushes code using
- # the repository’s GITHUB_TOKEN, a new workflow will not run even when the repository contains
- # a workflow configured to run when push events occur."
- # However, using a personal access token will cause events to be triggered.
- # We need that to ensure a status gets posted after the auto-format commit.
- # We also want to trigger tests if the auto-format made no changes.
- - uses: actions/checkout@v2
- if: github.event.pull_request.state == 'open'
- name: Privileged Checkout
- with:
- token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
- repository: ${{ github.event.pull_request.head.repo.full_name }}
- # Check out the PR commit, not the merge commit
- # Use `ref` instead of `sha` to enable pushing back to `ref`
- ref: ${{ github.event.pull_request.head.ref }}
-
- # Do all the formatting stuff
- - name: Auto Format
- if: github.event.pull_request.state == 'open'
- shell: bash
- env:
- GITHUB_TOKEN: "${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}"
- run: make BUILD_HARNESS_PATH=/build-harness PACKAGES_PREFER_HOST=true -f /build-harness/templates/Makefile.build-harness pr/auto-format/host
-
- # Commit changes (if any) to the PR branch
- - name: Commit changes to the PR branch
- if: github.event.pull_request.state == 'open'
- shell: bash
- id: commit
- env:
- SENDER: ${{ github.event.sender.login }}
- run: |
- set -x
- output=$(git diff --name-only)
-
- if [ -n "$output" ]; then
- echo "Changes detected. Pushing to the PR branch"
- git config --global user.name 'cloudpossebot'
- git config --global user.email '11232728+cloudpossebot@users.noreply.github.com'
- git add -A
- git commit -m "Auto Format"
- # Prevent looping by not pushing changes in response to changes from cloudpossebot
- [[ $SENDER == "cloudpossebot" ]] || git push
- # Set status to fail, because the push should trigger another status check,
- # and we use success to indicate the checks are finished.
- printf "::set-output name=%s::%s\n" "changed" "true"
- exit 1
- else
- printf "::set-output name=%s::%s\n" "changed" "false"
- echo "No changes detected"
- fi
-
- - name: Auto Test
- uses: cloudposse/actions/github/repository-dispatch@0.30.0
- # match users by ID because logins (user names) are inconsistent,
- # for example in the REST API Renovate Bot is `renovate[bot]` but
- # in GraphQL it is just `renovate`, plus there is a non-bot
- # user `renovate` with ID 1832810.
- # Mergify bot: 37929162
- # Renovate bot: 29139614
- # Cloudpossebot: 11232728
- # Need to use space separators to prevent "21" from matching "112144"
- if: >
- contains(' 37929162 29139614 11232728 ', format(' {0} ', github.event.pull_request.user.id))
- && steps.commit.outputs.changed == 'false' && github.event.pull_request.state == 'open'
- with:
- token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
- repository: cloudposse/actions
- event-type: test-command
- client-payload: |-
- { "slash_command":{"args": {"unnamed": {"all": "all", "arg1": "all"}}},
- "pull_request": ${{ toJSON(github.event.pull_request) }},
- "github":{"payload":{"repository": ${{ toJSON(github.event.repository) }},
- "comment": {"id": ""}
- }
- }
- }
diff --git a/.github/workflows/auto-readme.yml b/.github/workflows/auto-readme.yml
deleted file mode 100644
index 6f25b8d..0000000
--- a/.github/workflows/auto-readme.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-name: "auto-readme"
-on:
- workflow_dispatch:
-
- schedule:
- # Example of job definition:
- # .---------------- minute (0 - 59)
- # | .------------- hour (0 - 23)
- # | | .---------- day of month (1 - 31)
- # | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
- # | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
- # | | | | |
- # * * * * * user-name command to be executed
-
- # Update README.md nightly at 4am UTC
- - cron: '0 4 * * *'
-
-jobs:
- update:
- if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
-
- - name: Find default branch name
- id: defaultBranch
- shell: bash
- env:
- GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- run: |
- default_branch=$(gh repo view --json defaultBranchRef --jq .defaultBranchRef.name)
- printf "::set-output name=defaultBranch::%s\n" "${default_branch}"
- printf "defaultBranchRef.name=%s\n" "${default_branch}"
-
- - name: Update readme
- shell: bash
- id: update
- env:
- GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- DEF: "${{ steps.defaultBranch.outputs.defaultBranch }}"
- run: |
- make init
- make readme/build
- # Ignore changes if they are only whitespace
- if ! git diff --quiet README.md && git diff --ignore-all-space --ignore-blank-lines --quiet README.md; then
- git restore README.md
- echo Ignoring whitespace-only changes in README
- fi
-
- - name: Create Pull Request
- # This action will not create or change a pull request if there are no changes to make.
- # If a PR of the auto-update/readme branch is open, this action will just update it, not create a new PR.
- uses: cloudposse/actions/github/create-pull-request@0.30.0
- with:
- token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
- commit-message: Update README.md and docs
- title: Update README.md and docs
- body: |-
- ## what
- This is an auto-generated PR that updates the README.md and docs
-
- ## why
- To have most recent changes of README.md and doc from origin templates
-
- branch: auto-update/readme
- base: ${{ steps.defaultBranch.outputs.defaultBranch }}
- delete-branch: true
- labels: |
- auto-update
- no-release
- readme
diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
deleted file mode 100644
index 3a38fae..0000000
--- a/.github/workflows/auto-release.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-name: auto-release
-
-on:
- push:
- branches:
- - main
- - master
- - production
-
-jobs:
- publish:
- runs-on: ubuntu-latest
- steps:
- # Get PR from merged commit to master
- - uses: actions-ecosystem/action-get-merged-pull-request@v1
- id: get-merged-pull-request
- with:
- github_token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
- # Drafts your next Release notes as Pull Requests are merged into "main"
- - uses: release-drafter/release-drafter@v5
- with:
- publish: ${{ !contains(steps.get-merged-pull-request.outputs.labels, 'no-release') }}
- prerelease: false
- config-name: auto-release.yml
- env:
- GITHUB_TOKEN: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
diff --git a/.github/workflows/chatops.yml b/.github/workflows/chatops.yml
deleted file mode 100644
index 23f96d8..0000000
--- a/.github/workflows/chatops.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-name: chatops
-on:
- issue_comment:
- types: [created]
-
-jobs:
- default:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- - name: "Handle common commands"
- uses: cloudposse/actions/github/slash-command-dispatch@0.30.0
- with:
- token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
- reaction-token: ${{ secrets.GITHUB_TOKEN }}
- repository: cloudposse/actions
- commands: rebuild-readme, terraform-fmt
- permission: triage
- issue-type: pull-request
-
- test:
- runs-on: ubuntu-latest
- steps:
- - name: "Checkout commit"
- uses: actions/checkout@v2
- - name: "Run tests"
- uses: cloudposse/actions/github/slash-command-dispatch@0.30.0
- with:
- token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
- reaction-token: ${{ secrets.GITHUB_TOKEN }}
- repository: cloudposse/actions
- commands: test
- permission: triage
- issue-type: pull-request
- reactions: false
-
-
diff --git a/.github/workflows/tag-repository.yml b/.github/workflows/tag-repository.yml
new file mode 100644
index 0000000..a5e0a1f
--- /dev/null
+++ b/.github/workflows/tag-repository.yml
@@ -0,0 +1,20 @@
+name: Tag repository
+on:
+ push:
+ branches:
+ - "main"
+
+jobs:
+ docker:
+ runs-on: humnai-runner
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ steps:
+ - uses: actions/checkout@v2
+ - name: Bump version and push tag
+ id: tag_version
+ uses: mathieudutour/github-tag-action@v6.0
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ release_branches: main
+ default_bump: patch
+ tag_prefix: ""
\ No newline at end of file
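Review bot: The job condition `if: ${{ github.event.workflow_run.conclusion == 'success' }}` can never be true under the `push` trigger this workflow declares, because `github.event.workflow_run` is only populated for `workflow_run` events, so the `docker` job is skipped on every push to `main` and no tag is ever created. Either drop the condition or change the trigger to `workflow_run` on the workflow whose success it was meant to gate. The tag push also needs write access to repository contents, so grant it explicitly with a least-privilege block instead of relying on the repository default, `permissions:` / `  contents: write`. Since `mathieudutour/github-tag-action@v6.0` and `actions/checkout@v2` both run with that token, pinning them to a commit SHA rather than a moving tag would be consistent with that.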
diff --git a/.github/workflows/terraform-docs.yaml b/.github/workflows/terraform-docs.yaml
new file mode 100644
index 0000000..23ce58b
--- /dev/null
+++ b/.github/workflows/terraform-docs.yaml
@@ -0,0 +1,19 @@
+name: Generate terraform docs
+on:
+ pull_request:
+
+jobs:
+ docs:
+ runs-on: humnai-runner
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+
+ - name: Render terraform docs and push changes back to main
+ uses: terraform-docs/gh-actions@main
+ with:
+ working-dir: .
+ output-file: README.md
+ output-method: inject
+ git-push: "true"
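Review bot: `terraform-docs/gh-actions@main` is a floating branch reference for an action that is handed push access to the PR branch via `git-push: "true"`, so whatever lands on that upstream branch runs here with write access; pin it to a release tag or, better, a commit SHA. The workflow declares no `permissions:` block, so it inherits the repository default rather than an explicit `contents: write`, and for pull requests from forks the `GITHUB_TOKEN` is read-only and `ref: ${{ github.event.pull_request.head.ref }}` names a branch that does not exist in the base repository, so both the checkout and the push will fail for external contributors. The step name "push changes back to main" is also misleading, since the push targets the PR head branch, not `main`. `actions/checkout@v2` should be pinned the same way.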
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
new file mode 100644
index 0000000..8e42232
--- /dev/null
+++ b/.github/workflows/terraform.yml
@@ -0,0 +1,83 @@
+# name: static-checks
+
+# on:
+# pull_request:
+
+# jobs:
+# versionExtract:
+# name: Get min/max versions
+# runs-on: ubuntu-latest
+
+# steps:
+# - name: Checkout
+# uses: actions/checkout@v2
+
+# - name: Terraform min/max versions
+# id: minMax
+# uses: clowdhaus/terraform-min-max@main
+# outputs:
+# minVersion: ${{ steps.minMax.outputs.minVersion }}
+# maxVersion: ${{ steps.minMax.outputs.maxVersion }}
+
+
+# versionEvaluate:
+# name: Evaluate Terraform versions
+# runs-on: ubuntu-latest
+# needs: versionExtract
+# strategy:
+# fail-fast: false
+# matrix:
+# version:
+# - ${{ needs.versionExtract.outputs.minVersion }}
+# - ${{ needs.versionExtract.outputs.maxVersion }}
+# directory:
+# - _example/
+
+# steps:
+# - name: Checkout
+# uses: actions/checkout@v2
+
+# - name: Install Terraform v${{ matrix.version }}
+# uses: hashicorp/setup-terraform@v1
+# with:
+# terraform_version: ${{ matrix.version }}
+
+# - name: 'Configure AWS Credentials'
+# uses: clouddrove/configure-aws-credentials@v1
+# with:
+# aws-access-key-id: ${{ secrets.TEST_AWS_ACCESS_KEY }}
+# aws-secret-access-key: ${{ secrets.TEST_AWS_ACCESS_SECRET_KEY }}
+# aws-region: us-east-2
+
+# - name: Init & validate v${{ matrix.version }}
+# run: |
+# cd ${{ matrix.directory }}
+# terraform init
+# terraform validate
+# terraform plan -input=false -no-color
+
+# - name: tflint
+# uses: reviewdog/action-tflint@master
+# with:
+# github_token: ${{ secrets.GITHUB }}
+# working_directory: ${{ matrix.directory }}
+# fail_on_error: 'true'
+# filter_mode: 'nofilter'
+# flags: '--module'
+
+# format:
+# name: Check code format
+# runs-on: ubuntu-latest
+# needs: versionExtract
+
+# steps:
+# - name: Checkout
+# uses: actions/checkout@v2
+
+# - name: Install Terraform v${{ needs.versionExtract.outputs.maxVersion }}
+# uses: hashicorp/setup-terraform@v1
+# with:
+# terraform_version: ${{ needs.versionExtract.outputs.maxVersion }}
+
+# - name: Check Terraform format changes
+# run: terraform fmt --recursive
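Review bot: Every line of this new workflow is commented out, so the file adds a `static-checks` workflow with no `on:` trigger and no jobs; the same is true of `.github/workflows/terratest.yml` and `.github/workflows/tfsec.yml` in this commit. As far as I can tell GitHub lists such files as invalid workflows, and they give the impression that Terraform validation, tflint, Terratest and tfsec are wired up when nothing runs. Either delete them or add a one-line header explaining why they are parked, e.g. `# Disabled: pending self-hosted runner and AWS test credentials; see <TRACKING-ISSUE>`. If the tflint step is ever re-enabled, note that it references `secrets.GITHUB` while every other step uses `secrets.GITHUB_TOKEN`, and that `reviewdog/action-tflint@master` and `clowdhaus/terraform-min-max@main` are floating references.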
diff --git a/.github/workflows/terratest.yml b/.github/workflows/terratest.yml
new file mode 100644
index 0000000..780ac8f
--- /dev/null
+++ b/.github/workflows/terratest.yml
@@ -0,0 +1,40 @@
+# name: 'Terratest GitHub Actions'
+# on:
+# pull_request:
+# branches:
+# - master
+# types: [labeled]
+
+# jobs:
+# Terratest:
+# name: 'Terratest'
+# runs-on: ubuntu-latest
+# steps:
+
+# - name: 'Checkout'
+# uses: actions/checkout@v2.3.4
+
+# - name: 'Configure AWS Credentials'
+# uses: clouddrove/configure-aws-credentials@v1
+# with:
+# aws-access-key-id: ${{ secrets.TEST_AWS_ACCESS_KEY }}
+# aws-secret-access-key: ${{ secrets.TEST_AWS_ACCESS_SECRET_KEY }}
+# aws-region: us-east-2
+
+# - name: 'Terratest'
+# uses: 'clouddrove/github-actions@v8.0'
+# with:
+# actions_subcommand: 'terratest'
+# if: ${{ github.event.label.name == 'terratest' }}
+# tf_actions_working_dir: '_test'
+
+# - name: 'Slack Notification'
+# uses: clouddrove/action-slack@v2
+# with:
+# status: ${{ job.status }}
+# fields: repo,author
+# author_name: 'CloudDrove'
+# env:
+# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # required
+# SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_TERRAFORM }} # required
+# if: always()
diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml
new file mode 100644
index 0000000..3d7f564
--- /dev/null
+++ b/.github/workflows/tfsec.yml
@@ -0,0 +1,25 @@
+# name: tfsec
+# on:
+# pull_request:
+
+# jobs:
+# tfsec:
+# name: tfsec sarif report
+# runs-on: ubuntu-latest
+
+# steps:
+# - name: Clone repo
+# uses: actions/checkout@master
+
+# - name: tfsec
+# uses: aquasecurity/tfsec-sarif-action@v0.1.0
+# with:
+# sarif_file: tfsec.sarif
+# working_directory: _example
+# full_repo_scan: true
+
+# - name: Upload SARIF file
+# uses: github/codeql-action/upload-sarif@v1
+# with:
+# # Path to SARIF file relative to the root of the repository
+# sarif_file: tfsec.sarif
\ No newline at end of file
diff --git a/.github/workflows/validate-codeowners.yml b/.github/workflows/validate-codeowners.yml
deleted file mode 100644
index 70f829e..0000000
--- a/.github/workflows/validate-codeowners.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-name: Validate Codeowners
-on:
- workflow_dispatch:
-
- pull_request:
-
-jobs:
- validate-codeowners:
- runs-on: ubuntu-latest
- steps:
- - name: "Checkout source code at current commit"
- uses: actions/checkout@v2
- - uses: mszostok/codeowners-validator@v0.7.1
- if: github.event.pull_request.head.repo.full_name == github.repository
- name: "Full check of CODEOWNERS"
- with:
- # For now, remove "files" check to allow CODEOWNERS to specify non-existent
- # files so we can use the same CODEOWNERS file for Terraform and non-Terraform repos
- # checks: "files,syntax,owners,duppatterns"
- checks: "syntax,owners,duppatterns"
- owner_checker_allow_unowned_patterns: "false"
- # GitHub access token is required only if the `owners` check is enabled
- github_access_token: "${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}"
- - uses: mszostok/codeowners-validator@v0.7.1
- if: github.event.pull_request.head.repo.full_name != github.repository
- name: "Syntax check of CODEOWNERS"
- with:
- checks: "syntax,duppatterns"
- owner_checker_allow_unowned_patterns: "false"
diff --git a/data.tf b/data.tf
new file mode 100644
index 0000000..f4693af
--- /dev/null
+++ b/data.tf
@@ -0,0 +1,3 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {}
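Review bot: Neither `data.aws_caller_identity.current` nor `data.aws_region.current` is referenced anywhere in the visible diff, and unlike the resources they are not gated by `count = local.enabled ? 1 : 0`, so both lookups run on every plan even when the module is disabled. If they are meant to back the new `aws_region` / `aws_account_id` variables in variables.tf, one of the two mechanisms is redundant. Either drop them or add a comment naming the consumer, e.g. `# Used by <consumer> — TODO confirm`.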
diff --git a/dns.tf b/dns.tf
new file mode 100644
index 0000000..0d4dd73
--- /dev/null
+++ b/dns.tf
@@ -0,0 +1,36 @@
+locals {
+ address = "${var.sub_domain}.${var.domain_name}"
+}
+
+
+resource "aws_api_gateway_domain_name" "dns" {
+ for_each = local.enabled && var.create_custom_domain && var.endpoint_type != "PRIVATE" ? toset([local.address]) : toset([])
+ certificate_arn = var.endpoint_type == "EDGE" ? var.certificate_arn : null
+ regional_certificate_arn = var.endpoint_type == "REGIONAL" ? var.certificate_arn : null
+ domain_name = each.value
+ security_policy = var.security_policy
+ endpoint_configuration {
+ types = [var.endpoint_type]
+ }
+ tags = module.this.tags
+}
+
+resource "aws_route53_record" "dns" {
+ for_each = local.enabled && var.create_custom_domain && var.endpoint_type != "PRIVATE" ? toset([local.address]) : toset([])
+ zone_id = var.zone_id
+ name = aws_api_gateway_domain_name.dns[each.value].domain_name
+ type = "A"
+
+ alias {
+ evaluate_target_health = true
+ name = var.endpoint_type == "EDGE" ? aws_api_gateway_domain_name.dns[each.value].cloudfront_domain_name : aws_api_gateway_domain_name.dns[each.value].regional_domain_name
+ zone_id = var.endpoint_type == "EDGE" ? aws_api_gateway_domain_name.dns[each.value].cloudfront_zone_id : aws_api_gateway_domain_name.dns[each.value].regional_zone_id
+ }
+}
+
+resource "aws_api_gateway_base_path_mapping" "dns" {
+ for_each = local.enabled && var.create_custom_domain && var.endpoint_type != "PRIVATE" ? toset([local.address]) : toset([])
+ api_id = aws_api_gateway_rest_api.this[0].id
+ stage_name = aws_api_gateway_stage.this[0].stage_name
+ domain_name = aws_api_gateway_domain_name.dns[each.value].domain_name
+}
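Review bot: The guard `local.enabled && var.create_custom_domain && var.endpoint_type != "PRIVATE" ? toset([local.address]) : toset([])` is repeated verbatim on all three resources; hoist it into the `locals` block as `custom_domain_enabled = local.enabled && var.create_custom_domain && var.endpoint_type != "PRIVATE"` and use `for_each = local.custom_domain_enabled ? toset([local.address]) : toset([])` so the three cannot drift apart. `security_policy = var.security_policy` sets the minimum TLS version accepted on the custom domain, and the variable's default is not in this diff, so confirm it is `TLS_1_2` and say so in the variable description. The `[0]` references to `aws_api_gateway_rest_api.this` and `aws_api_gateway_stage.this` in the base path mapping are safe only because the guard includes `local.enabled`, which is worth a one-line comment on that resource.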
diff --git a/main.tf b/main.tf
index 11b82f2..9e84f4e 100644
--- a/main.tf
+++ b/main.tf
@@ -2,30 +2,40 @@ locals {
enabled = module.this.enabled
create_rest_api_policy = local.enabled || var.existing_api_gateway_rest_api != "" && var.rest_api_policy != null
create_log_group = local.enabled && var.logging_level != "OFF"
- log_group_arn = local.create_log_group ? module.cloudwatch_log_group.log_group_arn : null
+ log_group_arn = local.create_log_group ? module.cloudwatch_log_group.0.log_group_arn : null
vpc_link_enabled = local.enabled && length(var.private_link_target_arns) > 0
}
resource "aws_api_gateway_rest_api" "this" {
count = local.enabled ? 1 : 0
- name = module.this.id
- body = jsonencode(var.openapi_config)
- tags = module.this.tags
+ name = module.this.id
+ description = var.description
+ tags = module.this.tags
endpoint_configuration {
- types = [var.endpoint_type]
+ types = [var.endpoint_type]
+ vpc_endpoint_ids = length(var.vpc_endpoint_ids) > 0 ? var.vpc_endpoint_ids : null
}
}
+resource "aws_api_gateway_resource" "this" {
+ count = local.enabled && length(var.path_parts) > 0 ? length(var.path_parts) : 0
+
+ rest_api_id = aws_api_gateway_rest_api.this.*.id[0]
+ parent_id = aws_api_gateway_rest_api.this.*.root_resource_id[0]
+ path_part = element(var.path_parts, count.index)
+}
+
resource "aws_api_gateway_rest_api_policy" "this" {
- count = local.create_rest_api_policy ? 1 : 0
+ count = local.enabled && local.create_rest_api_policy ? 1 : 0
rest_api_id = var.existing_api_gateway_rest_api != "" ? var.existing_api_gateway_rest_api : aws_api_gateway_rest_api.this[0].id
policy = var.rest_api_policy
}
module "cloudwatch_log_group" {
+ count = local.enabled && local.create_log_group ? 1 : 0
source = "cloudposse/cloudwatch-logs/aws"
version = "0.6.5"
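Review bot: The `local.enabled &&` added to the `aws_api_gateway_rest_api_policy` count collapses to plain `local.enabled`, because `create_rest_api_policy` on the context line above is `local.enabled || (...)` (HCL binds `&&` tighter than `||`), so the policy resource is now created whenever the module is enabled — including when `var.rest_api_policy` is left null — while the existing-API case the old count still covered (`local.enabled` false, `existing_api_gateway_rest_api` set) is dropped. The likely intent is `create_rest_api_policy = (local.enabled || var.existing_api_gateway_rest_api != "") && var.rest_api_policy != null` with the count left as `local.create_rest_api_policy ? 1 : 0`. The same prefix is redundant on `module "cloudwatch_log_group"` here and on `aws_api_gateway_vpc_link` in the last hunk, since `create_log_group` and `vpc_link_enabled` already include `local.enabled`. Separately, the new `aws_api_gateway_resource.this` uses the legacy `.*.id[0]` splat and the log-group line uses `.0.`, while the rest of the file uses `[0].id`; prefer the index form throughout.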
@@ -39,6 +49,10 @@ module "cloudwatch_log_group" {
resource "aws_api_gateway_deployment" "this" {
count = local.enabled ? 1 : 0
rest_api_id = aws_api_gateway_rest_api.this[0].id
+ depends_on = [
+ aws_api_gateway_method.null,
+ aws_api_gateway_integration.null
+ ]
triggers = {
redeployment = sha1(jsonencode(aws_api_gateway_rest_api.this[0].body))
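Review bot: The deployment's `triggers` still hash `aws_api_gateway_rest_api.this[0].body` (the context line under the new `depends_on`), but this commit removes `body = jsonencode(var.openapi_config)` from the REST API in the first hunk, so the hash is now constant and the deployment is never replaced when the resources, methods, integrations or models defined in Terraform change — the stage keeps serving the first deployment. Since the API is now assembled from resources rather than an OpenAPI body, trigger on those instead, e.g. `redeployment = sha1(jsonencode([aws_api_gateway_resource.this.*.id, aws_api_gateway_method.null[0].id, aws_api_gateway_integration.null[0].id]))`. The `depends_on` addition fixes ordering but does not cause redeployment on its own. The `aws_api_gateway_deployment` block continues past the hunk.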
@@ -53,7 +67,7 @@ resource "aws_api_gateway_stage" "this" {
count = local.enabled ? 1 : 0
deployment_id = aws_api_gateway_deployment.this[0].id
rest_api_id = aws_api_gateway_rest_api.this[0].id
- stage_name = var.stage_name != "" ? var.stage_name : module.this.stage
+ stage_name = var.stage_name != "" ? var.stage_name : module.this.environment
xray_tracing_enabled = var.xray_tracing_enabled
tags = module.this.tags
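Review bot: Changing the default from `module.this.stage` to `module.this.environment` silently changes behaviour for every existing caller that leaves `var.stage_name` empty: `stage_name` forces replacement of `aws_api_gateway_stage`, so the next apply destroys and recreates the stage and anything keyed on its name (the base path mapping in dns.tf, for one). If the rename is intended, call it out in the variable description and release notes, e.g. `description = "The name of the stage; defaults to module.this.environment (was module.this.stage before <VERSION>)"`. The stage resource continues past the hunk.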
@@ -84,17 +98,32 @@ resource "aws_api_gateway_method_settings" "all" {
}
}
-resource "aws_api_gateway_gateway_response" "default" {
- for_each = length(var.gateway_responses) > 0 ? { for s in var.gateway_responses : s.response_type => s } : {}
+resource "aws_api_gateway_model" "this" {
+ for_each = local.enabled && length(var.models) > 0 ? { for s in var.models : s.name => s } : {}
+ rest_api_id = aws_api_gateway_rest_api.this.*.id[0]
+ name = each.value.name
+ description = each.value.description
+ content_type = each.value.content_type
+
+ schema = each.value.content_type != "" ? each.value.content_type : < 0 ? { for s in var.gateway_responses : s.response_type => s } : {}
rest_api_id = var.existing_api_gateway_rest_api != "" ? var.existing_api_gateway_rest_api : aws_api_gateway_rest_api.this[0].id
status_code = each.value.status_code
response_type = each.value.response_type
response_templates = length(each.value.response_templates) > 0 ? element(each.value.response_templates, 0) : {}
response_parameters = length(each.value.response_parameters) > 0 ? element(each.value.response_parameters, 0) : {}
+}
# Optionally create a VPC Link to allow the API Gateway to communicate with private resources (e.g. ALB)
resource "aws_api_gateway_vpc_link" "this" {
- count = local.vpc_link_enabled ? 1 : 0
+ count = local.enabled && local.vpc_link_enabled ? 1 : 0
name = module.this.id
description = "VPC Link for ${module.this.id}"
target_arns = var.private_link_target_arns
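Review bot: `schema = each.value.content_type != "" ? each.value.content_type : ...` on the new `aws_api_gateway_model` feeds the content type (already assigned to `content_type` two lines above) into `schema`, which API Gateway expects to be a JSON Schema document, so any model that sets `content_type` ends up with a value like `application/json` as its schema and the create call will be rejected. Give the model object its own `schema` attribute and use `schema = each.value.schema`, keeping the heredoc only as the fallback. The hunk is garbled in this view from that line onward — the rest of the heredoc and the `aws_api_gateway_gateway_response` header are missing — so I could not check whether that resource's `for_each` gained the same `local.enabled` guard as the others. The `local.enabled &&` added to `aws_api_gateway_vpc_link` is redundant because `vpc_link_enabled` already includes it.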
diff --git a/null.tf b/null.tf
new file mode 100644
index 0000000..3d771fc
--- /dev/null
+++ b/null.tf
@@ -0,0 +1,22 @@
+resource "aws_api_gateway_resource" "null" {
+ count = local.enabled ? 1 : 0
+ rest_api_id = aws_api_gateway_rest_api.this[0].id
+ parent_id = aws_api_gateway_rest_api.this[0].root_resource_id
+ path_part = "null"
+}
+
+resource "aws_api_gateway_method" "null" {
+ count = local.enabled ? 1 : 0
+ rest_api_id = aws_api_gateway_rest_api.this[0].id
+ resource_id = aws_api_gateway_resource.null[0].id
+ http_method = "GET"
+ authorization = "NONE"
+}
+
+resource "aws_api_gateway_integration" "null" {
+ count = local.enabled ? 1 : 0
+ rest_api_id = aws_api_gateway_rest_api.this[0].id
+ resource_id = aws_api_gateway_resource.null[0].id
+ http_method = aws_api_gateway_method.null[0].http_method
+ type = "MOCK"
+}
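Review bot: Every API created with `local.enabled` now gets a `GET /null` method with `authorization = "NONE"` and a MOCK integration, and nothing in this file says why; it appears to exist only so the deployment in main.tf has a method to depend on, but it is reachable by any client on non-private endpoints (subject to `var.rest_api_policy`, if set) and will show up in scans and access logs. Add a header comment stating the purpose, e.g. `# Placeholder resource/method so aws_api_gateway_deployment has at least one method to deploy; it is a MOCK with no responses and is not part of the API surface.`, and consider gating it behind a variable or setting `api_key_required = true` so consumers that define their own methods can leave it out. Note also that `path_part = "null"` would collide with a `var.path_parts` entry of the same name, since both are created under the root resource.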
diff --git a/variables.tf b/variables.tf
index 8a2b790..ab52934 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,14 +1,9 @@
# See https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-swagger-extensions.html for additional
# configuration information.
-variable "openapi_config" {
- description = "The OpenAPI specification for the API"
- type = any
- default = {}
-}
variable "endpoint_type" {
type = string
- description = "The type of the endpoint. One of - PUBLIC, PRIVATE, REGIONAL"
+ description = "The type of the endpoint. One of - EDGE, PRIVATE, REGIONAL"
default = "REGIONAL"
validation {
@@ -78,6 +73,12 @@ variable "access_log_format" {
EOF
}
+variable "path_parts" {
+ type = list(any)
+ default = []
+ description = "The last path segment of this API resource."
+}
+
variable "rest_api_policy" {
description = "The IAM policy document for the API."
type = string
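Review bot: The new `path_parts` variable is typed `list(any)` but described as "The last path segment of this API resource.", which reads as a single value; the description should say it is a list, and the element type should be pinned to what the consuming resource actually accepts. Presumably one `aws_api_gateway_resource` is created per entry, in which case `type = list(string)` and `description = "List of path_part values; one API Gateway resource is created per entry."` would make the contract explicit. The resource that consumes this variable is outside this hunk, so confirm the element shape against it.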
@@ -94,6 +95,17 @@ variable "gateway_responses" {
}))
}
+variable "models" {
+ description = "(Optional) - A list of objects that contain the desired Models for a REST API Gateway."
+ type = list(object({
+ name = optional(string)
+ description = optional(string)
+ content_type = optional(string)
+ response_parameters = optional(string)
+ }))
+}
+
+
variable "private_link_target_arns" {
type = list(string)
description = "A list of target ARNs for VPC Private Link"
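Review bot: `models` has no `default`, so it becomes a required input of the module and existing callers that do not pass it will fail; `default = []` keeps the variable optional, consistent with the other list inputs in this file. The object shape also does not match the model resource at the top of this diff: that resource sets `name`, `description`, `content_type` and `schema`, but the object here has no `schema` attribute and instead carries `response_parameters = optional(string)`, which looks copied from `gateway_responses` and appears unused by models. Suggest adding `schema = optional(string)` and dropping `response_parameters` unless something outside this diff reads it.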
@@ -117,3 +129,69 @@ variable "stage_name" {
default = ""
description = "The name of the stage"
}
+
+variable "aws_region" {
+ description = "The AWS region (e.g. ap-southeast-2). Autoloaded from region.tfvars."
+ type = string
+ default = ""
+}
+
+variable "aws_account_id" {
+ description = "The AWS account id of the provider being deployed to (e.g. 12345678). Autoloaded from account.tfvars."
+ type = string
+ default = ""
+}
+
+variable "aws_assume_role_arn" {
+ description = "(Optional) - ARN of the IAM role when optionally connecting to AWS via assumed role. Autoloaded from account.tfvars."
+ type = string
+ default = ""
+}
+
+variable "create_custom_domain" {
+ description = "Conditional trigger represented as a bool to create a custom DNS, default is 'false'."
+ type = bool
+ default = false
+}
+
+variable "certificate_arn" {
+ description = "The ARN for an AWS-managed certificate. AWS Certificate Manager is the only supported source. Used when an edge-optimized domain name is desired."
+ type = string
+ default = ""
+}
+
+variable "zone_id" {
+ description = "The ID of the Route 53 Hosted Zone."
+ type = string
+ default = ""
+}
+
+variable "sub_domain" {
+ description = "The subdomain of the api gateway."
+ type = string
+ default = ""
+}
+
+variable "domain_name" {
+ description = "The fully-qualified domain name to register."
+ type = string
+ default = ""
+}
+
+variable "security_policy" {
+ default = "TLS_1_2"
+ description = "The Transport Layer Security (TLS) version + cipher suite for this DomainName. The valid values are TLS_1_0 and TLS_1_2. Must be configured to perform drift detection."
+ type = string
+}
+
+variable "description" {
+ default = "Managed by Terraform"
+ type = string
+ description = "Description of the REST API. If importing an OpenAPI specification via the body argument, this corresponds to the info.description field. If the argument value is provided and is different than the OpenAPI value, the argument value will override the OpenAPI value."
+}
+
+variable "vpc_endpoint_ids" {
+ default = []
+ description = "Set of VPC Endpoint identifiers. It is only supported for PRIVATE endpoint type."
+ type = list(any)
+}
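Review bot: `security_policy` documents "The valid values are TLS_1_0 and TLS_1_2" but, unlike `endpoint_type` earlier in this file, has no `validation` block, so a typo is only caught at apply time and a downgrade to `TLS_1_0` goes through silently; pinning the allowed values at plan time is the cheap place to enforce the TLS floor. `aws_region`, `aws_account_id` and `aws_assume_role_arn` are provider-level inputs whose descriptions say they are "Autoloaded from *.tfvars", which only holds for a root module; `aws_account_id` is not referenced by any hunk in this diff, so confirm it is used. The suggested validation is below.
```hcl
variable "security_policy" {
  default     = "TLS_1_2"
  description = "The Transport Layer Security (TLS) version + cipher suite for this DomainName. The valid values are TLS_1_0 and TLS_1_2. Must be configured to perform drift detection."
  type        = string

  validation {
    condition     = contains(["TLS_1_0", "TLS_1_2"], var.security_policy)
    error_message = "security_policy must be one of TLS_1_0 or TLS_1_2."
  }
}
```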
diff --git a/versions.tf b/versions.tf
index 34260e6..8c39ca3 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,10 +1,22 @@
terraform {
- required_version = ">= 0.13"
-
+ experiments = [module_variable_optional_attrs]
+ backend "s3" {}
+ required_version = ">= 1.1.8"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.0"
}
+ null = {
+ source = "hashicorp/null"
+ version = ">= 2.0"
+ }
+ }
+}
+
+provider "aws" {
+ region = var.aws_region
+ assume_role {
+ role_arn = var.aws_assume_role_arn
}
}
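Review bot: `experiments = [module_variable_optional_attrs]` combined with `required_version = ">= 1.1.8"` is self-contradictory: the experiment was removed in Terraform 1.3, where `optional()` became built in, so any 1.3+ binary that this constraint permits will refuse the configuration; either cap the range (`required_version = ">= 1.1.8, < 1.3.0"`) while the experiment is declared, or drop the `experiments` line and require `>= 1.3.0`. Adding `backend "s3" {}` and a `provider "aws"` block to a file that is otherwise written as a child module (it uses `module.this.id`) is also a concern, since backend configuration is only honoured in the root module and a provider block inside a child module prevents callers from passing their own provider; if this is meant to be a reusable module, both belong in the root configuration. If the provider block stays, the `assume_role` block is always declared even when `var.aws_assume_role_arn` is left at its default `""`, and the `null` provider added to `required_providers` is not used by any resource in this diff. A guarded form of the provider block is below.
```hcl
terraform {
  # module_variable_optional_attrs was removed in Terraform 1.3 (optional() is built in there),
  # so the version range must exclude 1.3+ while the experiment is declared.
  experiments      = [module_variable_optional_attrs]
  required_version = ">= 1.1.8, < 1.3.0"
  # … unchanged: required_providers …
}

provider "aws" {
  region = var.aws_region
  # Only declare assume_role when a role ARN was supplied; the default "" would
  # otherwise be handed to the provider as role_arn.
  dynamic "assume_role" {
    for_each = var.aws_assume_role_arn != "" ? [var.aws_assume_role_arn] : []
    content {
      role_arn = assume_role.value
    }
  }
}
```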