From 3e16d58af3cba8c5edb9b062bfe6553bb6906815 Mon Sep 17 00:00:00 2001 From: Pepe Barbe Date: Fri, 22 Apr 2022 14:49:42 -0500 Subject: [PATCH] Refactor enable logic to use counts instead of `for_each` (#27) --- .github/auto-release.yml | 2 +- .github/workflows/auto-context.yml | 2 +- .github/workflows/auto-format.yml | 2 +- .github/workflows/auto-readme.yml | 71 +++++++++++++++++++++++ .github/workflows/chatops.yml | 4 +- .github/workflows/validate-codeowners.yml | 6 +- main.tf | 25 ++++---- outputs.tf | 12 ++-- 8 files changed, 100 insertions(+), 24 deletions(-) create mode 100644 .github/workflows/auto-readme.yml diff --git a/.github/auto-release.yml b/.github/auto-release.yml index 9976e10..b45efb7 100644 --- a/.github/auto-release.yml +++ b/.github/auto-release.yml @@ -47,7 +47,7 @@ template: | replacers: # Remove irrelevant information from Renovate bot -- search: '/(?<=---\s+)+^#.*(Renovate configuration|Configuration)(?:.|\n)*?This PR has been generated .*/gm' +- search: '/(?<=---\s)\s*^#.*(Renovate configuration|Configuration)(?:.|\n)*?This PR has been generated .*/gm' replace: '' # Remove Renovate bot banner image - search: '/\[!\[[^\]]*Renovate\][^\]]*\](\([^)]*\))?\s*\n+/gm' diff --git a/.github/workflows/auto-context.yml b/.github/workflows/auto-context.yml index ab979e0..665833a 100644 --- a/.github/workflows/auto-context.yml +++ b/.github/workflows/auto-context.yml @@ -35,7 +35,7 @@ jobs: - name: Create Pull Request if: steps.update.outputs.create_pull_request == 'true' - uses: cloudposse/actions/github/create-pull-request@0.22.0 + uses: cloudposse/actions/github/create-pull-request@0.30.0 with: token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }} committer: 'cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>' diff --git a/.github/workflows/auto-format.yml b/.github/workflows/auto-format.yml index 375d0fd..c600d60 100644 --- a/.github/workflows/auto-format.yml +++ b/.github/workflows/auto-format.yml 
@@ -62,7 +62,7 @@ jobs: fi - name: Auto Test - uses: cloudposse/actions/github/repository-dispatch@0.22.0 + uses: cloudposse/actions/github/repository-dispatch@0.30.0 # match users by ID because logins (user names) are inconsistent, # for example in the REST API Renovate Bot is `renovate[bot]` but # in GraphQL it is just `renovate`, plus there is a non-bot diff --git a/.github/workflows/auto-readme.yml b/.github/workflows/auto-readme.yml new file mode 100644 index 0000000..6f25b8d --- /dev/null +++ b/.github/workflows/auto-readme.yml 
@@ -0,0 +1,71 @@ +name: "auto-readme" +on: + workflow_dispatch: + + schedule: + # Example of job definition: + # .---------------- minute (0 - 59) + # | .------------- hour (0 - 23) + # | | .---------- day of month (1 - 31) + # | | | .------- month (1 - 12) OR jan,feb,mar,apr ... + # | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat + # | | | | | + # * * * * * user-name command to be executed + + # Update README.md nightly at 4am UTC + - cron: '0 4 * * *' + +jobs: + update: + if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - name: Find default branch name + id: defaultBranch + shell: bash + env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + default_branch=$(gh repo view --json defaultBranchRef --jq .defaultBranchRef.name) + printf "::set-output name=defaultBranch::%s\n" "${default_branch}" + printf "defaultBranchRef.name=%s\n" "${default_branch}" + + - name: Update readme + shell: bash + id: update + env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + DEF: "${{ steps.defaultBranch.outputs.defaultBranch }}" + run: | + make init + make readme/build + # Ignore changes if they are only whitespace + if ! git diff --quiet README.md && git diff --ignore-all-space --ignore-blank-lines --quiet README.md; then + git restore README.md + echo Ignoring whitespace-only changes in README + fi + + - name: Create Pull Request + # This action will not create or change a pull request if there are no changes to make. + # If a PR of the auto-update/readme branch is open, this action will just update it, not create a new PR. 
+ uses: cloudposse/actions/github/create-pull-request@0.30.0 + with: + token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }} + commit-message: Update README.md and docs + title: Update README.md and docs + body: |- + ## what + This is an auto-generated PR that updates the README.md and docs + + ## why + To have most recent changes of README.md and doc from origin templates + + branch: auto-update/readme + base: ${{ steps.defaultBranch.outputs.defaultBranch }} + delete-branch: true + labels: | + auto-update + no-release + readme diff --git a/.github/workflows/chatops.yml b/.github/workflows/chatops.yml index 4ddc067..23f96d8 100644 --- a/.github/workflows/chatops.yml +++ b/.github/workflows/chatops.yml @@ -9,7 +9,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: "Handle common commands" - uses: cloudposse/actions/github/slash-command-dispatch@0.22.0 + uses: cloudposse/actions/github/slash-command-dispatch@0.30.0 with: token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }} reaction-token: ${{ secrets.GITHUB_TOKEN }} @@ -24,7 +24,7 @@ jobs: - name: "Checkout commit" uses: actions/checkout@v2 - name: "Run tests" - uses: cloudposse/actions/github/slash-command-dispatch@0.22.0 + uses: cloudposse/actions/github/slash-command-dispatch@0.30.0 with: token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }} reaction-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/validate-codeowners.yml b/.github/workflows/validate-codeowners.yml index c5193b6..70f829e 100644 --- a/.github/workflows/validate-codeowners.yml +++ b/.github/workflows/validate-codeowners.yml @@ -10,7 +10,7 @@ jobs: steps: - name: "Checkout source code at current commit" uses: actions/checkout@v2 - - uses: mszostok/codeowners-validator@v0.5.0 + - uses: mszostok/codeowners-validator@v0.7.1 if: github.event.pull_request.head.repo.full_name == github.repository name: "Full check of CODEOWNERS" with: 
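Review bot: The new workflow declares no `permissions:` block, so the `GITHUB_TOKEN` exported to the "Find default branch name" and "Update readme" steps carries the repository's default token scope even though its only visible use is a read-only `gh repo view` (the pull request itself is created with `PUBLIC_REPO_ACCESS_TOKEN`). Adding `permissions:` with `contents: read` at the workflow level keeps the token least-privilege; confirm that `make init` and `make readme/build` need nothing beyond read access. Separately, every action is referenced by a mutable tag (`actions/checkout@v2`, `cloudposse/actions/github/create-pull-request@0.30.0`); pinning to a full commit SHA with the tag in a trailing comment is the usual hardening for a scheduled job that runs with a PAT in its environment. The `if:` on the `update` job only restates the two triggers declared under `on:` and could be dropped or commented as intentional.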
@@ -18,10 +18,12 @@ jobs: # files so we can use the same CODEOWNERS file for Terraform and non-Terraform repos # checks: "files,syntax,owners,duppatterns" checks: "syntax,owners,duppatterns" + owner_checker_allow_unowned_patterns: "false" # GitHub access token is required only if the `owners` check is enabled github_access_token: "${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}" - - uses: mszostok/codeowners-validator@v0.5.0 + - uses: mszostok/codeowners-validator@v0.7.1 if: github.event.pull_request.head.repo.full_name != github.repository name: "Syntax check of CODEOWNERS" with: checks: "syntax,duppatterns" + owner_checker_allow_unowned_patterns: "false" diff --git a/main.tf b/main.tf index eb52711..28c3cc0 100644 --- a/main.tf +++ b/main.tf @@ -3,7 +3,7 @@ locals { eks_cluster_oidc_issuer = replace(var.eks_cluster_oidc_issuer_url, "https://", "") - aws_account_number = coalesce(var.aws_account_number, data.aws_caller_identity.current.account_id) + aws_account_number = local.enabled ? coalesce(var.aws_account_number, data.aws_caller_identity.current[0].account_id) : "" # If both var.service_account_namespace and var.service_account_name are provided, # then the role ARM will have one of the following formats: @@ -29,9 +29,12 @@ locals { # Try to return the first element, if that doesn't work, try the tostring approach aws_iam_policy_document = try(var.aws_iam_policy_document[0], tostring(var.aws_iam_policy_document), "{}") + iam_policy_enabled = local.enabled && length(var.aws_iam_policy_document) > 0 } -data "aws_caller_identity" "current" {} +data "aws_caller_identity" "current" { + count = local.enabled ? 1 : 0 +} module "service_account_label" { source = "cloudposse/label/null" 
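Review bot: `owner_checker_allow_unowned_patterns: "false"` is added to both validator steps, but the second step's `checks: "syntax,duppatterns"` does not enable the `owners` checker, so the option presumably has no effect there and reads as if unowned patterns were also being rejected for fork pull requests. Either drop it from the syntax-only step or add a comment above it such as `# no effect unless the "owners" check is enabled; kept for parity with the full check`. In the first step the setting tightens the check so every CODEOWNERS pattern must resolve to an owner, which is worth stating in the existing comment above `checks:`.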
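Review bot: The disabled branch of `aws_account_number` yields `""` while the module's outputs use `null` for the disabled case; the empty string is presumably chosen so the role ARN formats described in the comment just below this line stay valid strings, but nothing says so. A trailing comment, `# "" rather than null so string interpolations of the account number remain valid when disabled`, would record that choice. The `locals` block continues outside this hunk.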
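Review bot: `iam_policy_enabled` gates on `length(var.aws_iam_policy_document) > 0`, yet the `try(var.aws_iam_policy_document[0], tostring(var.aws_iam_policy_document), "{}")` directly above shows the variable may be either a list or a single string; for a string, `length()` counts characters, so the gate passes for any non-empty string as well as for a non-empty list, which appears intended but is easy to misread. A comment above the new local, `# true for a non-empty list or a non-empty string document (see aws_iam_policy_document above)`, would make that explicit. With `count` on `data "aws_caller_identity" "current"` the data source is now a list, so every consumer must index `[0]`; the `locals` block starts outside this hunk.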
@@ -48,15 +51,15 @@ module "service_account_label" { } resource "aws_iam_role" "service_account" { - for_each = toset(compact([module.service_account_label.id])) - name = each.value + count = local.enabled ? 1 : 0 + name = module.service_account_label.id description = format("Role assumed by EKS ServiceAccount %s", local.service_account_id) - assume_role_policy = data.aws_iam_policy_document.service_account_assume_role[each.value].json + assume_role_policy = data.aws_iam_policy_document.service_account_assume_role[0].json tags = module.service_account_label.tags } data "aws_iam_policy_document" "service_account_assume_role" { - for_each = toset(compact([module.service_account_label.id])) + count = local.enabled ? 1 : 0 statement { actions = [ @@ -79,15 +82,15 @@ data "aws_iam_policy_document" "service_account_assume_role" { } resource "aws_iam_policy" "service_account" { - for_each = length(var.aws_iam_policy_document) > 0 ? toset(compact([module.service_account_label.id])) : [] - name = each.value + count = local.iam_policy_enabled ? 1 : 0 + name = module.service_account_label.id description = format("Grant permissions to EKS ServiceAccount %s", local.service_account_id) policy = local.aws_iam_policy_document tags = module.service_account_label.tags } resource "aws_iam_role_policy_attachment" "service_account" { - for_each = length(var.aws_iam_policy_document) > 0 ? toset(compact([module.service_account_label.id])) : [] - role = aws_iam_role.service_account[each.value].name - policy_arn = aws_iam_policy.service_account[each.value].arn + count = local.iam_policy_enabled ? 1 : 0 + role = aws_iam_role.service_account[0].name + policy_arn = aws_iam_policy.service_account[0].arn } diff --git a/outputs.tf b/outputs.tf index c8ce452..b3193ad 100644 --- a/outputs.tf +++ b/outputs.tf 
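Review bot: Switching `aws_iam_role.service_account` (and, in the next hunk, `aws_iam_policy.service_account` and `aws_iam_role_policy_attachment.service_account`) from `for_each` to `count` changes the resource addresses from `["<label id>"]` to `[0]`, so existing state will plan a destroy-and-recreate of the role rather than an in-place update. Recreating an IAM role keeps its name and ARN but not its unique ID, so any resource policy that named the old role as a principal stops matching, and workloads assuming the role via the EKS service account lose access between destroy and create. Because the old `for_each` key was the label id, a generic `moved` block cannot be written inside the module; the PR should document the migration (`terraform state mv 'aws_iam_role.service_account["<label-id>"]' 'aws_iam_role.service_account[0]'` per resource, with `<label-id>` being the caller's value) or be flagged as a breaking release. The removed `compact([...])` also skipped creation when the label id was empty, whereas `count = local.enabled ? 1 : 0` now sets `name = module.service_account_label.id` unconditionally, which is only safe if `local.enabled` and the label module's own enable flag cannot diverge. The `data "aws_iam_policy_document" "service_account_assume_role"` block at the end of the hunk continues outside it.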
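Review bot: `aws_iam_role_policy_attachment.service_account` indexes `aws_iam_role.service_account[0]` under `count = local.iam_policy_enabled ? 1 : 0`; that is only valid because `local.iam_policy_enabled` is defined as `local.enabled && …` in an earlier hunk, an invariant not visible from this resource. A one-line comment above the `count`, `# iam_policy_enabled implies enabled, so role index [0] always exists here`, records the dependency the attachment relies on. The same comment would suit `aws_iam_policy.service_account`, whose `name` likewise assumes the label module is enabled.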
@@ -9,31 +9,31 @@ output "service_account_name" { } output "service_account_role_name" { - value = local.enabled ? values(aws_iam_role.service_account)[0].name : null + value = local.enabled ? aws_iam_role.service_account[0].name : null description = "IAM role name" } output "service_account_role_unique_id" { - value = local.enabled ? values(aws_iam_role.service_account)[0].unique_id : null + value = local.enabled ? aws_iam_role.service_account[0].unique_id : null description = "IAM role unique ID" } output "service_account_role_arn" { - value = local.enabled ? values(aws_iam_role.service_account)[0].arn : null + value = local.enabled ? aws_iam_role.service_account[0].arn : null description = "IAM role ARN" } output "service_account_policy_name" { - value = local.enabled && length(var.aws_iam_policy_document) > 0 ? values(aws_iam_policy.service_account)[0].name : null + value = local.iam_policy_enabled ? aws_iam_policy.service_account[0].name : null description = "IAM policy name" } output "service_account_policy_id" { - value = local.enabled && length(var.aws_iam_policy_document) > 0 ? values(aws_iam_policy.service_account)[0].id : null + value = local.iam_policy_enabled ? aws_iam_policy.service_account[0].id : null description = "IAM policy ID" } output "service_account_policy_arn" { - value = local.enabled && length(var.aws_iam_policy_document) > 0 ? values(aws_iam_policy.service_account)[0].arn : null + value = local.iam_policy_enabled ? aws_iam_policy.service_account[0].arn : null description = "IAM policy ARN" }
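Review bot: Each output guards its `[0]` index with a condition that must stay identical to the corresponding `count` expression in main.tf (`local.enabled` for the role outputs, `local.iam_policy_enabled` for the policy outputs); if the two ever drift, `terraform plan` fails with an index error instead of returning `null`. `try(aws_iam_role.service_account[0].name, null)` expresses the same intent without duplicating the condition, at the cost of also masking unrelated evaluation errors, so the explicit form is fine if that trade-off is deliberate. A short comment on the first output, `# guards mirror the count expressions in main.tf`, would make the coupling visible to the next editor.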