From 95054db7c2d4c5ad2663fdf644756cc6750f5f35 Mon Sep 17 00:00:00 2001 From: Nara Kasbergen Date: Wed, 27 Sep 2023 13:26:44 +0200 Subject: [PATCH] feat: automate upgrading Terraform --- .github/workflows/diff-cdktf-stacks.yml | 1 + .github/workflows/upgrade-terraform.yml | 49 +++++++++++++++++++++++++ package.json | 3 +- scripts/.gitignore | 1 + scripts/check-terraform-version.js | 22 +++++++++++ 5 files changed, 75 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/upgrade-terraform.yml create mode 100644 scripts/.gitignore create mode 100644 scripts/check-terraform-version.js diff --git a/.github/workflows/diff-cdktf-stacks.yml b/.github/workflows/diff-cdktf-stacks.yml index 85f9764..7d9e58e 100644 --- a/.github/workflows/diff-cdktf-stacks.yml +++ b/.github/workflows/diff-cdktf-stacks.yml @@ -26,6 +26,7 @@ jobs: with: terraform_version: 1.4.6 cli_config_credentials_token: ${{ secrets.TF_CLOUD_TOKEN }} + terraform_wrapper: false - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 with: diff --git a/.github/workflows/upgrade-terraform.yml b/.github/workflows/upgrade-terraform.yml new file mode 100644 index 0000000..8538c34 --- /dev/null +++ b/.github/workflows/upgrade-terraform.yml 
@@ -0,0 +1,49 @@
+name: upgrade-terraform
+on:
+ schedule:
+ - cron: 32 23 * * 0
+ workflow_dispatch: {}
+concurrency: ${{ github.workflow }}-${{ github.ref }}
+jobs:
+ upgrade:
+ name: Upgrade Terraform
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+ - name: Install
+ run: yarn install
+ - name: Get latest Terraform version
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
+ with:
+ script: |-
+ const script = require('./scripts/check-terraform-version.js')
+ await script({github, context, core})
+ - name: Parse latest Terraform version into variables
+ id: latest_version
+ run: |-
+ TERRAFORM_VERSION_MINOR=$(cut -d "." -f 2 <<< "$NEW_TERRAFORM_VERSION")
+ echo "NEW_TERRAFORM_VERSION_MINOR=$TERRAFORM_VERSION_MINOR" >> $GITHUB_ENV
+ echo "value=$NEW_TERRAFORM_VERSION" >> $GITHUB_OUTPUT
+ echo "minor=$TERRAFORM_VERSION_MINOR" >> $GITHUB_OUTPUT
+ - name: Update the Terraform version used in GitHub Actions workflows
+ run: |-
+ find ./.github/workflows -type f -name "*.yml" -print0 | xargs -0 sed -i "s/terraform_version: \".*\"/terraform_version: \"$NEW_TERRAFORM_VERSION\"/g"
+ - name: Create pull request
+ uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666
+ with:
+ base: main
+ branch: auto/upgrade-terraform-1-${{ steps.latest_version.outputs.minor }}
+ commit-message: "chore: upgrade Terraform to ${{ steps.latest_version.outputs.value }}"
+ title: "chore: upgrade Terraform to ${{ steps.latest_version.outputs.value }}"
+ body: |-
+ This PR increases the version of Terraform used by this project's `diff` and `deploy` workflows to version `${{ steps.latest_version.outputs.value }}`.
+ Please carefully inspect the diff output resulting from the checks below before merging this PR.
+ labels: automated,dependencies
+ token: ${{ secrets.GH_TOKEN_ACTIONS_UPDATER }}
+ author: team-tf-cdk
+ committer: team-tf-cdk
+ signoff: true
+ delete-branch: true
diff --git a/package.json b/package.json
index d74053b..5411fa2 100644
--- a/package.json
+++ b/package.json
@@ -34,7 +34,8 @@
 "plugin:@typescript-eslint/recommended"
 ],
 "ignorePatterns": [
- "node_modules"
+ "node_modules",
+ "scripts"
 ]
 },
 "dependencies": {
diff --git a/scripts/.gitignore b/scripts/.gitignore
new file mode 100644
index 0000000..d4aa116
--- /dev/null
+++ b/scripts/.gitignore
@@ -0,0 +1 @@
+!*.js
diff --git a/scripts/check-terraform-version.js b/scripts/check-terraform-version.js
new file mode 100644
index 0000000..39374ce
--- /dev/null
+++ b/scripts/check-terraform-version.js
@@ -0,0 +1,22 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: MPL-2.0
+ */
+const fetch = require("node-fetch"); // @TODO this can be removed once we upgrade to Node 18 and use native fetch
+
+async function getLatestVersion() {
+ const response = await fetch(
+ "https://api.releases.hashicorp.com/v1/releases/terraform/latest"
+ );
+ const data = await response.json();
+ // console.debug(data);
+
+ return data.version;
+}
+
+module.exports = async ({ github, context, core }) => {
+ const version = await getLatestVersion();
+ console.log("latest Terraform version", version);
+
+ core.exportVariable("NEW_TERRAFORM_VERSION", version);
+};
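Review bot: The sed expression in the "Update the Terraform version used in GitHub Actions workflows" step only matches a double-quoted pin (`terraform_version: \".*\"`), but the diff-cdktf-stacks.yml context in this same patch shows `terraform_version: 1.4.6` without quotes. That file would therefore be left untouched and the job would have nothing to put in a pull request; other workflow files are not visible here and may differ. Either quote the existing pins, or make the quotes optional, e.g. `sed -i -E "s/terraform_version: \"?[0-9][0-9.]*\"?/terraform_version: \"$NEW_TERRAFORM_VERSION\"/g"`. `$NEW_TERRAFORM_VERSION` is also spliced into the sed program and the `$GITHUB_ENV`/`$GITHUB_OUTPUT` writes exactly as the release API returned it, and the result is pushed with `secrets.GH_TOKEN_ACTIONS_UPDATER`, so the job should fail before this step unless the value matches `^[0-9]+\.[0-9]+\.[0-9]+$`. The `peter-evans/create-pull-request` pin is the only action SHA in this file without a trailing version comment, and `yarn install` could be `yarn install --frozen-lockfile` if this repository uses Yarn 1.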
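Review bot: `getLatestVersion` returns `data.version` without checking the HTTP status or the shape of the value, and the exported function hands it straight to `core.exportVariable`, from where the workflow uses it in a sed expression, a branch name and a PR title. A non-200 response or a changed payload would export `undefined` or an arbitrary string instead of failing the run. Add `if (!response.ok) throw new Error("releases API returned " + response.status);` before `response.json()`, and in the exported function `if (!/^\d+\.\d+\.\d+$/.test(String(version))) return core.setFailed("unexpected Terraform version: " + version);` before the export. A short JSDoc on the exported function stating that it sets `NEW_TERRAFORM_VERSION` for later steps would also help, since `github` and `context` are accepted but unused.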