From eb990702e5d65187bedd4056ed8ee402b109cdc6 Mon Sep 17 00:00:00 2001 From: Gerald Schmidt <107404811+geraldschmidtbabylon@users.noreply.github.com> Date: Thu, 10 Aug 2023 11:14:53 +0100 Subject: [PATCH 1/9] Fixed typo in error message (#716) --- terraform_compliance/extensions/terraform.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform_compliance/extensions/terraform.py b/terraform_compliance/extensions/terraform.py index 0c87de77..1e6649c2 100644 --- a/terraform_compliance/extensions/terraform.py +++ b/terraform_compliance/extensions/terraform.py @@ -466,7 +466,7 @@ def _mount_references(self): defaults = Defaults() console_write('{} {}: {}'.format(defaults.warning_icon, defaults.warning_colour('WARNING (mounting)'), - defaults.info_colour('The reference "{}" in resource {} is ambigious.' + defaults.info_colour('The reference "{}" in resource {} is ambiguous.' ' It will be mounted to the following resources:').format(ref, resource))) for i, r in enumerate(ambiguous_references, 1): console_write(defaults.info_colour('{}. {}'.format(i, r))) @@ -475,7 +475,7 @@ def _mount_references(self): else: console_write('{} {}: {}'.format(Defaults().warning_icon, Defaults().warning_colour('WARNING (mounting)'), - Defaults().info_colour('The reference "{}" in resource {} is ambigious. It will not be mounted.'.format(ref, resource)))) + Defaults().info_colour('The reference "{}" in resource {} is ambiguous. It will not be mounted.'.format(ref, resource)))) continue elif key not in ref_list: ref_list[key] = self._find_resource_from_name(ref, current_module_address) From fe5eb76c26e1d4432a921d89a34a58e788a2eca6 Mon Sep 17 00:00:00 2001 From: Emre Erkunt Date: Tue, 10 Oct 2023 10:19:04 +0100 Subject: [PATCH 2/9] Support for terraform 1.6 (#721) --- terraform_compliance/extensions/terraform.py | 1 + 1 file changed, 1 insertion(+) 
diff --git a/terraform_compliance/extensions/terraform.py b/terraform_compliance/extensions/terraform.py index 1e6649c2..a8a86f43 100644 --- a/terraform_compliance/extensions/terraform.py +++ b/terraform_compliance/extensions/terraform.py @@ -31,6 +31,7 @@ def __init__(self, filename, parse_it=True): '1.3.', '1.4.', '1.5.', + '1.6.', ) self.supported_format_versions = [ '0.1', From d73c73d05a8692f41f91c02fe10b818015876d4f Mon Sep 17 00:00:00 2001 From: Emre Erkunt Date: Tue, 10 Oct 2023 10:19:40 +0100 Subject: [PATCH 3/9] Update CHANGELOG.md --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2ea23f42..d436d64a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ # CHANGELOG +# 1.3.45 (2023-09-10) +* Support for Terraform v1.6* + # 1.3.42 (2023-03-29) * Fixed an issue where some `tmp` files were not deleted properly. ([#677](https://github.com/terraform-compliance/cli/issues/677)) From e9f37e70f56b461287b1f799ea7711226f429868 Mon Sep 17 00:00:00 2001 From: Chris Penny Date: Fri, 13 Oct 2023 00:33:46 +1300 Subject: [PATCH 4/9] Add documentation for CircleCI and GitHub Actions integrations (#719) * Add documentation for CircleCI integration * Add note and link to Pip requirements format * Add note regarding authentication * Add documentation for Github Actions --------- Co-authored-by: Emre Erkunt --- docs/pages/bdd-references/index.md | 2 +- docs/pages/bdd-references/using_tags.md | 2 +- docs/pages/ci-cd/circle_ci.md | 150 ++++++++++++++++++++++++ docs/pages/ci-cd/github_actions.md | 117 ++++++++++++++++++ docs/pages/ci-cd/index.md | 6 + docs/pages/contribution/index.md | 4 +- 6 files changed, 277 insertions(+), 4 deletions(-) create mode 100644 docs/pages/ci-cd/circle_ci.md create mode 100644 docs/pages/ci-cd/github_actions.md create mode 100644 docs/pages/ci-cd/index.md diff --git a/docs/pages/bdd-references/index.md b/docs/pages/bdd-references/index.md index 37afe939..674c5322 100644 
--- a/docs/pages/bdd-references/index.md +++ b/docs/pages/bdd-references/index.md @@ -29,7 +29,7 @@ Feature: Security Groups should be used to protect services/instances We'll use AWS Security Groups as a Perimeter Defence ``` -This won't effect anything about the test steps, but it will ease the pain for everybody to +This won't affect anything about the test steps, but it will ease the pain for everybody to understand what does that feature aims for. ### Scenario diff --git a/docs/pages/bdd-references/using_tags.md b/docs/pages/bdd-references/using_tags.md index e3d6880a..88deca81 100644 --- a/docs/pages/bdd-references/using_tags.md +++ b/docs/pages/bdd-references/using_tags.md @@ -81,7 +81,7 @@ __Please note that__ - nofail and noskip tags can not be used within the same scenario. ### Case Sensitivity -All steps, under the tagged scenario will use case sensitive matching. This tag also effects regular expressions. +All steps, under the tagged scenario will use case-sensitive matching. This tag also affects regular expressions. > __Possible formats:__ > > ▪ diff --git a/docs/pages/ci-cd/circle_ci.md b/docs/pages/ci-cd/circle_ci.md new file mode 100644 index 00000000..f9c433fe --- /dev/null +++ b/docs/pages/ci-cd/circle_ci.md 
@@ -0,0 +1,150 @@ +--- +layout: default +title: CircleCI +nav_order: 1 +has_children: false +parent: Using in CI/CD +--- + +# CircleCI + +For this example, we are using the following Orbs to illustrate how you might implement Terraform Compliance into your +CI/CD pipeline. + +- [circleci/terraform](https://circleci.com/developer/orbs/orb/circleci/terraform) +- [circleci/python](https://circleci.com/developer/orbs/orb/circleci/python) + +## Workflow + +We have set up our pipeline to follow this basic workflow: + +1. `terraform validate`: Using the Job provided by the Terraform Orb +2. `terraform plan`: Using a custom Job, we will use the `plan` command that is provided by the Terraform Orb, but we'll also export that plan to json for `terraform-compliance` to access +3. `terraform-compliance`: Using the Python Orb and Pip to install requirements +4. `terraform apply`: Using the Job provided by the Terraform Orb, and only run on the `main` branch + +## Setup + +You will need to add a `requirements.txt` to your project. You can rename this file to anything you would like, but +be sure to update the name in your `.circleci/config.yml`. + +Following [Pip requirements format](https://pip.pypa.io/en/stable/reference/requirements-file-format/). You can specify +any level of requirement that you desire for `terraform-compliance`. + +`requirements.txt`: + +``` +terraform-compliance >= 1.3.0 +``` + +Below is an example of the workflow described above. 
+ +`.circleci/config.yml`: + +```yaml +version: '2.1' + +orbs: + # Orb used for all of our Terraform related commands/jobs + # https://circleci.com/developer/orbs/orb/circleci/terraform for available versions + terraform: circleci/terraform@3.2.1 + # Orb used for installing and running Terraform Compliance + # https://circleci.com/developer/orbs/orb/circleci/python for available versions + python: circleci/python@2.1.1 + +parameters: + terraform-tag: + type: string + description: Specify the Terraform Docker image tag for the executor + # https://hub.docker.com/r/hashicorp/terraform/tags for available versions + # If you also run Terraform locally, then you should use the same version here + default: 1.5.7 + workspace-root: + type: string + description: Path of the workspace to persist to relative to workspace-root + # Can be updated if you desire. The default specified here matches the default used by the CircleCI's Terraform Orb + default: . + workspace-path: + type: string + description: Workspace root path that is either an absolute path or a path relative to the working directory + # Can be updated if you desire. The default specified here matches the default used by the CircleCI's Terraform Orb + default: . 
+ +executors: + # This default executor is used for our custom job that needs to run Terraform + default: + docker: + # Our default executor should match the tag that the Terraform Orb will use + - image: hashicorp/terraform:<< pipeline.parameters.terraform-tag >> + +jobs: + terraform_plan: + executor: default + steps: + - checkout + # Invoke the terraform/plan command that is provided by the Terraform Orb + - terraform/plan: + # And also output that plan + out: plan.out + # Convert our plan to JSON so that terraform-compliance can run without the use of Terraform + - run: + command: terraform show -json plan.out > plan.out.json + name: Convert Terraform plan to JSON + # Persist our workspace so that plan.out.json is available to terraform-compliance + - persist_to_workspace: + paths: + - << pipeline.parameters.workspace-path >> + root: << pipeline.parameters.workspace-root >> + + terraform_compliance: + executor: python/default + steps: + # Attach the workspace so that we have access to plan.out.json from terraform_plan + - attach_workspace: + at: << pipeline.parameters.workspace-root >> + - python/install-packages: + # Update requirements.txt to match the location of your requirements file. 
This is currently referencing a + # file in the root of your project + pip-dependency-file: requirements.txt + pkg-manager: pip + - run: + command: terraform-compliance -f features -p plan.out.json + name: Terraform Compliance + +workflows: + deploy_infra: + jobs: + # Use the standard validate job that is provided by the CircleCI Orb + - terraform/validate: + checkout: true + # Make sure the CircleCI Orb uses the same version of Terraform as our default executor + tag: << pipeline.parameters.terraform-tag >> + + # For terraform plan we'll use a custom job so that we can run additional commands + - terraform_plan: + requires: + - terraform/validate + + # For terraform-compliance we'll use another custom job, and this will also be using our Python executor + - terraform_compliance: + requires: + - terraform_plan + + # Use the standard apply job that is provided by the CircleCI Orb + - terraform/apply: + attach-workspace: true + # Make sure the CircleCI Orb uses the same version of Terraform as our default executor + tag: << pipeline.parameters.terraform-tag >> + # Update your filters as you require. One provided here as an example + filters: + branches: + only: main + requires: + - terraform_compliance + +``` + +Not provided above is the authentication method for AWS. + +CircleCI provides authentication through [OpenID Connect](https://circleci.com/blog/openid-connect-identity-tokens/) as +well as through AWS user Access Keys. diff --git a/docs/pages/ci-cd/github_actions.md b/docs/pages/ci-cd/github_actions.md new file mode 100644 index 00000000..10fba47f --- /dev/null +++ b/docs/pages/ci-cd/github_actions.md 
@@ -0,0 +1,117 @@ +--- +layout: default +title: GitHub Actions +nav_order: 2 +has_children: false +parent: Using in CI/CD +--- + +# GitHub Actions + +For this example, we'll use the following GitHub Marketplace Actions to illustrate how you might implement Terraform +Compliance into your CI/CD pipeline. + +## Workflow + +We have set up our job to follow this basic workflow: + +1. `terraform init` +2. `terraform validate` +3. `terraform plan` +4. `terraform-compliance` +5. `terraform apply` (but only on the `main` branch) + +## Setup + +You will need to add a `requirements.txt` to your project. You can rename this file to anything you would like, but +be sure to update the name in your `.github/workflows/main.yml`. + +Following [Pip requirements format](https://pip.pypa.io/en/stable/reference/requirements-file-format/). You can specify +any level of requirement that you desire for `terraform-compliance`. + +`requirements.txt`: + +``` +terraform-compliance >= 1.3.0 +``` + +Below is an example of the workflow described above. 
+ +`.github/workflows/main.yml`: + +```yaml +name: Project Name + +# https://docs.github.com/en/actions/using-workflows/triggering-a-workflow for available triggers +on: + # Run this workflow on all pull requests + pull_request: + # Run this workflow on commits made to the main branch + push: + branches: + - main + +jobs: + test_and_deploy: + name: Deploy Infrastructure + runs-on: ubuntu-latest + # Required by aws-actions/configure-aws-credentials + permissions: + id-token: write + contents: read + + steps: + # Checkout your code + - uses: actions/checkout@v4 + + # Set up our AWS credentials + - name: Configure AWS credentials + # https://github.com/aws-actions/configure-aws-credentials for available versions + uses: aws-actions/configure-aws-credentials@v4 + with: + # Define authentication method + # Check the above repo for authentication methods available + + # Set up Terraform for GitHub Actions + - name: Setup Terraform + # https://github.com/hashicorp/setup-terraform for available versions + uses: hashicorp/setup-terraform@v2 + with: + # https://hub.docker.com/r/hashicorp/terraform/tags for available versions + # If you also run Terraform locally, then you should use the same version here + terraform_version: 1.5.7 + + - name: Terraform Init + run: terraform init + + - name: Terraform Validate + run: terraform validate + + - name: Terraform Plan + # Run terraform plan with an output, and then convert that output to JSON for Terraform Compliance to use later + run: | + terraform plan -out=plan.out + terraform show -json plan.out > plan.out.json + + # Set up Python + - name: Install Python + uses: actions/setup-python@v4 + with: + python-version: 3.11 + cache: 'pip' + + # Install Python requirements + - name: Install Requirements + # Update requirements.txt to match the location of your requirements file. 
This is currently referencing a + # file in the root of your project + run: pip install -r requirements.txt + + - name: Terraform Compliance + run: terraform-compliance -f compliance -p plan.out.json + + - name: Terraform Apply + # Only trigger this step on the main branch + if: github.ref == 'refs/heads/main' + run: terraform apply -auto-approve + +``` \ No newline at end of file diff --git a/docs/pages/ci-cd/index.md b/docs/pages/ci-cd/index.md new file mode 100644 index 00000000..369bdded --- /dev/null +++ b/docs/pages/ci-cd/index.md @@ -0,0 +1,6 @@ +--- +layout: default +title: Using in CI/CD +nav_order: 6 +has_children: true +--- \ No newline at end of file diff --git a/docs/pages/contribution/index.md b/docs/pages/contribution/index.md index 574b6fab..ce897f0f 100644 --- a/docs/pages/contribution/index.md +++ b/docs/pages/contribution/index.md 
@@ -30,12 +30,12 @@ If you are going to reporting something else, please create a [General Question] Normally, we expect to have either a [Bug Reporting](https://github.com/eerkunt/terraform-compliance/issues/new?assignees=eerkunt&labels=bug&template=bug_report.md&title=) or a [Feature Request](https://github.com/eerkunt/terraform-compliance/issues/new?assignees=&labels=enhancement&template=feature_request.md&title=) before -having a Pull Request for in the codebase that will effect any functionality. This is not a hard requirement, you are free +having a Pull Request for in the codebase that will affect any functionality. This is not a hard requirement, you are free to create a new Pull Request if you find something is wrong or missing within the codebase or documentation. There is few mandatory requirement for the Pull Requests ; -1. All code changes that effects functionality MUST have [tests](https://github.com/eerkunt/terraform-compliance/tree/master/tests) implemented within the same Pull Request. +1. All code changes that affects functionality MUST have [tests](https://github.com/eerkunt/terraform-compliance/tree/master/tests) implemented within the same Pull Request. 2. Any functionality change must be recorded within the [CHANGELOG](https://github.com/eerkunt/terraform-compliance/blob/master/CHANGELOG.md). 3. Your Pull Request must pass the CI in order to be processed. From a2fe295069e3c2646997cd27b04ac0f09b4ad943 Mon Sep 17 00:00:00 2001 From: Jan Hentschel Date: Sun, 21 Jan 2024 20:44:41 +0100 Subject: [PATCH 5/9] Support for Terraform 1.7 (#728) Resolves #727 --- terraform_compliance/extensions/terraform.py | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform_compliance/extensions/terraform.py b/terraform_compliance/extensions/terraform.py index a8a86f43..29d27d3e 100644 --- a/terraform_compliance/extensions/terraform.py +++ b/terraform_compliance/extensions/terraform.py 
@@ -32,6 +32,7 @@ def __init__(self, filename, parse_it=True):
 '1.4.',
 '1.5.',
 '1.6.',
+ '1.7.',
 )
 self.supported_format_versions = [
 '0.1',
From b691090a1c4f356a1a5812cc9e4f55e1d690f71b Mon Sep 17 00:00:00 2001
From: Emre Erkunt
Date: Sun, 21 Jan 2024 20:11:48 +0000
Subject: [PATCH 6/9] Update cd.yml
---
 .github/workflows/cd.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index f6aa29a1..54ab681b 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -47,8 +47,8 @@ jobs:
 - name: Publish to PyPI
 env:
- TWINE_USERNAME: ${{ secrets.PYPI_USER }}
- TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
+ TWINE_USERNAME: ${{ secrets.PYPI_API_USER }}
+ TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
 run: twine upload --skip-existing dist/*
 - name: Publish to Docker Hub
From d7e7fa3c3000c9e7e749f9be0e4e678ce6c63f2a Mon Sep 17 00:00:00 2001
From: Mark Adamson <3154635+mungojam@users.noreply.github.com>
Date: Thu, 25 Jan 2024 09:35:38 +0000
Subject: [PATCH 7/9] Return system exit code when running as module (#729)
---
 terraform_compliance/__main__.py | 4 +++-
 terraform_compliance/main.py | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/terraform_compliance/__main__.py b/terraform_compliance/__main__.py
index f9afe44a..72c578d2 100644
--- a/terraform_compliance/__main__.py
+++ b/terraform_compliance/__main__.py
@@ -1,3 +1,5 @@
+import sys
+
 from .main import cli
-cli()
+sys.exit(cli())
diff --git a/terraform_compliance/main.py b/terraform_compliance/main.py
index 861e6863..fef47051 100644
--- a/terraform_compliance/main.py
+++ b/terraform_compliance/main.py
@@ -1,3 +1,4 @@
+import sys
 import os
 import shutil
 import atexit
@@ -159,4 +160,4 @@ def cli(arghandling=ArgHandling(), argparser=ArgumentParser(prog=__app_name__,
 if __name__ == '__main__':
- cli()
+ sys.exit(cli())
From e81fa5f3e14eb8bb6d60f55851111647eef4a40f Mon Sep 17 00:00:00 2001
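Review bot: Binding `TWINE_USERNAME` to `secrets.PYPI_API_USER` in the Publish to PyPI step is an odd pairing with a PyPI API token: twine expects the literal username `__token__` next to the token, so presumably that secret holds nothing but this constant, and routing it through a secret hides that from anyone auditing the workflow. Writing `TWINE_USERNAME: __token__` directly in the env block and keeping only `PYPI_API_TOKEN` as a secret makes the credential model explicit and leaves one fewer secret to manage and rotate. If the token is scoped to this single project rather than the whole account, a short comment above the env block saying so would let reviewers judge the blast radius of a leaked CI secret. The job definition this env block belongs to starts outside the hunk.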
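Review bot: `sys.exit(cli())` in `__main__.py` only yields a meaningful process status if every return path of `cli()` produces an int; the body of `cli()` is outside the hunk, and a path that falls off the end returns None (exit 0) while a path returning a string prints it and exits 1, so the return contract should be confirmed before CI pipelines rely on the status. The same call is added under the `if __name__ == '__main__':` guard in the second main.py hunk and inherits the same caveat. A one-line docstring on `cli()` stating that it returns the process exit status, with 0 meaning all features passed, would document the contract both new callers now depend on.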
From: Emre Erkunt Date: Fri, 5 Apr 2024 10:19:16 +0100 Subject: [PATCH 8/9] Update terraform.py --- terraform_compliance/extensions/terraform.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/terraform_compliance/extensions/terraform.py b/terraform_compliance/extensions/terraform.py index 29d27d3e..37c92f9e 100644 --- a/terraform_compliance/extensions/terraform.py +++ b/terraform_compliance/extensions/terraform.py @@ -33,6 +33,8 @@ def __init__(self, filename, parse_it=True): '1.5.', '1.6.', '1.7.', + '1.8.', + '1.9.', ) self.supported_format_versions = [ '0.1', From 3a83ec693dff34b64a61a01321f3575bb9b21ace Mon Sep 17 00:00:00 2001 From: Christophe Limpalair Date: Sat, 21 Sep 2024 16:11:16 -0600 Subject: [PATCH 9/9] Update incorrect radish-bdd website URL (#735) I think Radish BDD changed their domain/URL at some point and someone took it over. So the current URL referenced in docs leads to a shady website and is the incorrect URL. Fixing to correct URL. --- docs/pages/bdd-references/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/pages/bdd-references/index.md b/docs/pages/bdd-references/index.md index 674c5322..21dc9bbd 100644 --- a/docs/pages/bdd-references/index.md +++ b/docs/pages/bdd-references/index.md @@ -7,7 +7,7 @@ has_children: true # BDD Reference -`terraform-compliance` utilises [radish](http://radish-bdd.io/) to handle BDD directives. BDD is +`terraform-compliance` utilises [radish](https://github.com/radish-bdd/radish) to handle BDD directives. BDD is used in many development practices from End-to-End testing to FrontEnd testing, provides easy-to-understand context that is self-descriptive and easy-to-understand for someone that is reading the test results.
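Review bot: The `'1.8.'` and `'1.9.'` entries are added to the supported-version tuple without a CHANGELOG entry, and the same is true of the `'1.7.'` addition in patch 5, whereas the `'1.6.'` addition in patch 2 was recorded in patch 3 and the contribution guide edited in patch 4 lists a CHANGELOG record as mandatory for any functionality change. The enclosing `__init__` starts and ends outside the hunk, so how the tuple is consumed is not visible here; if it is a prefix match and Terraform 1.9 had not shipped when this was written, the entry declares compatibility with a release that could not have been tested, which deserves a comment such as `# 1.9 added ahead of release; re-verify plan JSON format on GA` if deliberate.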