Merge pull request #8 from RSS-Engineering/add-terraform-plan-action

Add terraform plan action and docs

Author: explorigin

docs/README.md

@@ -2,14 +2,22 @@
 
 The purpose of this repo is to provide guidance on terraform patterns and also serve as a landing space for generic, sharable modules.
 
-## Setup and Topology
+## [Setup and Topology](topology.md)
 
-How a project is organized can have a large impact on maintainability as the project grows and updates are necessary. [Read More...](topology.md)
+How a project is organized can have a large impact on maintainability as the project grows and updates are necessary.
+
+[Click here for more details...](topology.md)
+
+## [CI/CD Guidance](cicd/README.md)
+
+Terraform manages your infrastructure by doing the best it can to adapt the current state of your infrastructure to the requested state as defined by your Terraform repo. To do this, Terraform creates a _plan_. How this plan is handled in a CI/CD setup is important to maintaining code review accountability and integrity between production deployment and your projects master branch.
+
+[Click here for more details...](cicd/README.md)
 
 ## Reusable Modules
 
 Terraform modules in this repository are designed to be generic and helpful to the majority case of apps.
-They can be included in your Terraform code like this (_kms_secrets_ for example):
+They can be included in your Terraform code like this ([kms_secrets](modules/kms_secrets.md) for example):
 
 ```terraform
 module "secrets" {
@@ -29,6 +37,7 @@ module "secrets" {
 
 Terraform good practice is to specify a commit hash when sourcing an external module to prevent module changes from unexpectly breaking your deployment pipeline.
 
-### kms_secrets
+---
+### [kms_secrets](modules/kms_secrets.md)
 
-[kms_secrets](modules/kms_secrets.md) allows you to store multiple secrets in your repository in encrypted form. This provides secrets that terraform can use without needing them to be stored and managed in a separate secure store such as PasswordSafe, SecretsManager or as an SSM Param.
+The [kms_secrets](modules/kms_secrets.md) module allows you to store multiple secrets in your repository in encrypted form. This provides secrets that terraform can use without needing them to be stored and managed in a separate secure store such as PasswordSafe, SecretsManager or as an SSM Param.

docs/cicd/README.md

@@ -0,0 +1,25 @@
+# Deploying with CI/CD
+
+It is important to consider these CI/CD best practices and how using Terraform interacts with them.
+
+1. All changes should be reviewed and approved prior to deployment.
+2. The *master* branch should be strongly tied to what is deployed to production.
+
+We have well-established patterns for code changes to be reviewed/approved via the pull request process.
+However, a *terraform plan* exists in a gray area between code and state. It is possible for the plan to
+need to change even if the code that drives it does not (for example if another branch is deployed between
+the time a plan is created and when it is to be applied).
+
+## Recommended Terraform State Approval Pattern
+
+The recommended way for terraform plans to be approved is to attach them to the pull request so that
+everything is considered at the same time. You will likely need to use branch protection rules in
+order to ensure that the plan attached accurately reflects the state of the infrastructure.
+
+This method is geared toward [Github Actions](cicd/deploying_with_github_actions.md). If you need a more
+complicated deployment workflow or there are many competing feature branches in your project, you should
+consider [CircleCI](cicd/deploying_with_circleci.md).
+
+NOTE: [CircleCI](cicd/deploying_with_circleci.md) is the technically superior option but is quite a bit more expensive than [Github Actions](cicd/deploying_with_github_actions.md).
+New projects should start using [Github Actions](cicd/deploying_with_github_actions.md) and only consider [CircleCI](cicd/deploying_with_circleci.md) if [Github Actions](cicd/deploying_with_github_actions.md) is not able
+to provide the needed consistency.

docs/cicd/deploying_with_circleci.md

@@ -0,0 +1,33 @@
+# Deploying with CircleCI
+
+Deploying with CircleCI involves 2 workflows.
+
+## PR Testing and Static Analysis
+
+The first will handle all of the automated validation required to merge a pull request.
+
+```mermaid
+graph TB
+    code[PR Created] --> sa[Static Analysis]
+    code --> ut[Unit Tests]
+    sa --Succeeds--> testdeployapproval[CircleCI pauses for approval to deploy to test environment]
+    ut --Pass--> testdeployapproval
+    testdeployapproval --> testdeploy[CircleCI deploys to test environment]
+    testdeploy --Success--> acceptance[CircleCI runs acceptance tests]
+    acceptance --Succeeds--> gmu[PR Merge Unlocked]
+```
+
+## Deployment to production
+
+The second will handle deploying to production.
+
+```mermaid
+graph TB
+    prm[PR merged to master branch] --> tfplan[CircleCI generates a Terraform plan]
+    tfplan --> pause[CircleCI pauses for Plan Approval]
+    pause --Approved--> apply[CircleCI applies approved Plan]
+```
+
+## More details
+
+At this time, CircleCI should be reserved for large or complicated projects with special cases due to budget reasons.

docs/cicd/deploying_with_github_actions.md

@@ -0,0 +1,38 @@
+# Deploying with Github Actions
+
+The deployment flow for Github Actions is such that when a Pull Request is created/changed an action will generate a Terraform plan and attach it as a comment to the Pull Request. In order to ensure the consistency of the plan, branch protections should be added to the master branch such that a pull request can only be merged against the latest master commit 
+
+```yaml
+name: Validate Pull Request
+
+on:
+  pull_request:
+
+jobs:
+  check-backend:
+  terraform:
+    name: "Build Terraform Plan"
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v2
+
+      - name: Build Terraform Plan
+        uses: RSS-Engineering/terraform/gh_actions/attach_plan_to_pr@v1
+        id: plan
+        env:
+          ENV: prod
+          AWS_REGION: "us-west-2"
+          AWS_ACCESS_KEY_ID: ${{ secrets.PROD_AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}
+        with:
+          terraform_version: 1.0.1
+          root: infrastructure/environments/prod
+          text_artifact_name: tf-plan-${{ github.event.after }}.txt
+          plan_artifact_name: tf-plan-${{ github.event.after }}
+
+      - name: Terraform Plan Status
+        if: steps.plan.outcome == 'failure'
+        run: exit 1
+```

docs/index.html

@@ -24,6 +24,8 @@
   <!-- Docsify v4 -->
   <script src="//cdn.jsdelivr.net/npm/docsify@4"></script>
   <script src="//cdn.jsdelivr.net/npm/docsify-copy-code/dist/docsify-copy-code.min.js"></script>
-  <script src="//cdn.jsdelivr.net/npm/docsify-pagination/dist/docsify-pagination.min.js"></script>
+<script src="//unpkg.com/mermaid/dist/mermaid.js"></script>
+<script src="//unpkg.com/docsify-mermaid@latest/dist/docsify-mermaid.js"></script>
+<script>mermaid.initialize({ startOnLoad: true });</script>
 </body>
 </html>

docs/topology.md

@@ -1,21 +1,24 @@
 # Recommended Infrastructure Topology
 
-The recommendations in this repository assume a multiple-account structure where each project/environment has its own provider (AWS) account. In some cases, there may be a master account to hold common resources but projects should try to keep resources as separate as possible for security and asset-management reasons. ([RAX.IO talk](https://web.microsoftstream.com/video/10e4abe9-fcf6-4a01-b1b7-6f4919a0a28b?channelId=3237e715-5c23-4833-a0a5-1690a7437c3a)) ([further reading](https://www.terraform.io/docs/cloud/guides/recommended-practices/part2.html))
+The recommendations in this repository assume a multiple-account structure where each project/environment has its own provider (AWS) account. In some cases, there may be a master account to hold common resources but projects should try to keep resources as separate as possible for security and asset-management reasons.
+
+- [RAX.IO talk](https://web.microsoftstream.com/video/10e4abe9-fcf6-4a01-b1b7-6f4919a0a28b?channelId=3237e715-5c23-4833-a0a5-1690a7437c3a)
+- [further reading](https://www.terraform.io/docs/cloud/guides/recommended-practices/part2.html)
 
 ## Project Repository Structure
 
 To achieve code-reuse and environment segregation, place your terraform code in a sub-directory called _infrastructure_ with a structure like:
 
-```
-- infrastructure
-  - env
-    - staging
+```text
+- infrastructure/
+  - env/
+    - staging/
       - conf.tf
       - main.tf
-    - production
+    - production/
       - conf.tf
       - main.tf
-  - modules
+  - modules/
     - [project-specific modules]
   - main.tf
   - variables.tf
@@ -41,7 +44,7 @@ Terraform needs to store the current state of each environment in a place where
 ### Setting up Remote State
 
 Move the [sample-file](https://github.com/RSS-Engineering/terraform/blob/main/backend_state_init/backend.tf.sample) to terraform file and then remove the sample file. 
-```bash
+```shell
 mv backend_state_init/backend.tf.sample backend_state_init/backend.tf
 ```
 
@@ -67,9 +70,8 @@ locals {
   }
 }
 ```
-
 
-```bash
+```shell
 cd backend_state_init/
 # Execute the terraform script for setting backend states in s3 and dynamo db.
 terraform init

gh_actions/attach_plan_to_pr/README.md

@@ -0,0 +1,58 @@
+# Terraform Plan action
+
+This action creates a Terraform plan from the current repository. It will output text and can also post a message to a pull request and save the text and data plan files as artifacts.
+
+## Inputs
+
+### terraform_version
+
+**Required** The terraform version to use.
+
+### root
+    
+**Required** The root directory of the terraform repo (Passed to -chdir)
+
+### validate_format
+
+Validate the *.tf files format. (default: `true`)
+
+### cache_providers
+
+Should the action try to cache Terraform providers (default: `true`)
+
+### add_plan_to_pr
+
+For Pull Request events, add a plan comment to the current PR (default: `true`)
+
+### text_artifact_name
+
+Save the plan text as an artifact with the provided name.
+
+### plan_artifact_name
+
+Save the plan as an artifact with the provided name
+
+## Outputs
+
+## `text`
+
+The terraform plan in human-readable output
+
+## Example usage
+
+```yaml
+      - name: Build Terraform Plan
+        uses: ./.github/actions/attach_plan_to_pr
+        id: plan
+        env:
+          ENV: prod
+          AWS_DEFAULT_REGION: "us-west-2"
+          AWS_ACCESS_KEY_ID: ${{ secrets.PROD_AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}
+        with:
+          terraform_version: 1.0.1
+          root: infrastructure/environments/prod
+          text_artifact_name: tf-plan-${{ github.event.pull_request.head.sha }}.txt
+          plan_artifact_name: tf-plan-${{ github.event.pull_request.head.sha }}
+```
+

gh_actions/attach_plan_to_pr/action.yml

@@ -0,0 +1,128 @@
+# action.yml
+name: 'Build Terraform Plan'
+description: 'Builds a terraform plan'
+author: 'Timothy Farrell'
+
+inputs:
+  terraform_version:
+    description: 'Terraform version'
+    required: true
+  root:
+    description: 'Run terraform in this subdirectory. Passed to -chdir'
+    required: true
+  validate_format:
+    description: 'Validate the tf file format'
+    required: false
+    default: 'true'
+  cache_providers:
+    description: 'Set to "" to not try to cache providers'
+    required: false
+    default: 'true'
+  add_plan_to_pr:
+    description: 'For Pull Request events, add a plan comment to the current PR'
+    required: false
+    default: 'true'
+  text_artifact_name:
+    description: 'Save the plan text as an artifact with the provided name'
+    required: false
+    default: ''
+  plan_artifact_name:
+    description: 'Save the plan as an artifact with the provided name'
+    required: false
+    default: ''
+outputs:
+  text:
+    description: 'Plan text'
+    value: ${{ steps.plan.outputs.stdout }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v1
+      with:
+        terraform_version: ${{ inputs.terraform_version }}
+
+    - name: Hash Lockfile
+      id: lockfile_path
+      if: inputs.cache_providers
+      shell: bash
+      run: echo "${{ inputs.root }}/.terraform.lock.hcl"
+
+    - name: Load cached Terraform Providers
+      uses: actions/cache@v3
+      if: inputs.cache_providers && hashFiles(steps.lockfile_path.output.stdout) != ''
+      with:
+        path: ${{ inputs.root }}/.terraform
+        key: tf-providers-${{ hashFiles(steps.lockfile_path.output.stdout) }}
+
+    - name: Initialize Terraform
+      shell: bash
+      run: terraform -chdir=${{ inputs.root }} init
+
+    - name: Validate Terraform
+      if: inputs.validate_format != 'true'
+      shell: bash
+      run: |
+        terraform fmt -check -recursive -diff infrastructure
+        terraform -chdir=${{ inputs.root }} validate
+
+    - name: Terraform Plan
+      id: plan
+      shell: bash
+      run: terraform -chdir=${{ inputs.root }} plan -out "tf_plan_${{ github.event.after }}" -no-color -input=false
+
+    - name: Save Terraform Plan
+      if: inputs.plan_artifact_name != '' && steps.plan.outcome == 'success'
+      uses: actions/upload-artifact@v3
+      with:
+        name: ${{ inputs.plan_artifact_name }}
+        path: ${{ inputs.root }}/tf_plan_${{ github.event.after }}
+        if-no-files-found: error
+        retention-days: 7
+
+    - name: Dump Plan Text to File
+      if: inputs.text_artifact_name != '' && steps.plan.outcome == 'success'
+      shell: bash
+      env:
+        PLAN: "${{ steps.plan.outputs.stdout }}"
+      run: echo "${PLAN}" >> tf-plan-${{ github.event.after }}.txt
+
+    - name: Save Terraform Plan Text
+      if: inputs.text_artifact_name != '' && steps.plan.outcome == 'success'
+      uses: actions/upload-artifact@v3
+      with:
+        name: ${{ inputs.text_artifact_name }}
+        path: ${{ inputs.text_artifact_name }}
+        if-no-files-found: error
+        retention-days: 7
+
+    - uses: actions/github-script@0.9.0
+      if: steps.plan.outcome == 'success' && inputs.add_plan_to_pr && github.event_name == 'pull_request'
+      env:
+        PLAN: "${{ steps.plan.outputs.stdout }}"
+      with:
+        github-token: ${{ github.token }}
+        script: |
+          const output = `#### Terraform Plan 📖 \`${{ steps.plan.outcome }}\`
+          <details><summary>Show Plan</summary>
+
+          \`\`\`terraform\n
+          ${process.env.PLAN}
+          \`\`\`
+
+          </details>
+
+          *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*
+          `;
+          github.issues.createComment({
+            issue_number: context.issue.number,
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            body: output
+          })
+
+    - name: Terraform Plan Status
+      if: steps.plan.outcome == 'failure'
+      shell: bash
+      run: exit 1

modules/lambda-layer-deps/README.md

@@ -31,7 +31,7 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_lambda_layer_version.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_layer_version) | resource |
-| [external_external.build](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source |
+| [external_data_source.build](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data_source) | data source |
 
 ## Inputs