Plan examples workflow (#53)

vara-bonthu · Bonthu · web-flow · commit 0949f5d72048 · 2022-10-21T07:09:17.000+02:00
Co-authored-by: Bonthu &lt;vabonthu@c889f3b8acd3.ant.amazon.com&gt;
diff --git a/.github/workflows/plan-examples.py b/.github/workflows/plan-examples.py
@@ -0,0 +1,25 @@
+import json
+import glob
+import re
+
+
+def get_examples():
+    """
+    Get all Terraform example root directories using their respective `versions.tf`;
+    returning a string formatted json array of the example directories minus those that are excluded
+    """
+    exclude = {
+        '',  # Add examples here to exclude from terraform plan
+    }
+
+    projects = {
+        x.replace('/versions.tf', '')
+        for x in glob.glob('examples/**/versions.tf', recursive=True)
+        if not re.match(r'^.+/_', x)
+    }
+
+    print(json.dumps(list(projects.difference(exclude))))
+
+
+if __name__ == '__main__':
+    get_examples()
diff --git a/.github/workflows/plan-examples.yml b/.github/workflows/plan-examples.yml
@@ -0,0 +1,103 @@
+name: plan-examples
+
+on:
+  # Review https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ and better understand the risks of using pull_request_target before making major changes to this workflow.
+  pull_request_target:
+    branches:
+      - main
+  workflow_dispatch:
+
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
+jobs:
+  getExampleDirectories:
+    name: Get example directories
+    runs-on: ubuntu-latest
+    # Do not remove environment setup without considering changes to pull_request_target and checkout of PR, as it may lead to checks running automatically against malicious code in PRs.
+    environment: Observability Test
+    # Skip running on forks since it won't have access to secrets
+    if: github.repository == 'aws-observability/terraform-aws-observability-accelerator'
+    outputs:
+      directories: ${{ steps.dirs.outputs.directories }}
+    steps:
+      # Be careful not to change this to explicit checkout from PR ref/code, as below we run a python code that may change from the PR code.
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Get Terraform directories for evaluation
+        id: dirs
+        run: |
+          DIRS=$(python3 .github/workflows/plan-examples.py)
+          echo "::set-output name=directories::$DIRS"
+
+  plan:
+    name: Plan examples
+    needs: getExampleDirectories
+    runs-on: ubuntu-latest
+    # Skip running on forks since it won't have access to secrets
+    if: github.repository == 'aws-observability/terraform-aws-observability-accelerator'
+
+    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
+    permissions:
+      id-token: write
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        directory: ${{ fromJson(needs.getExampleDirectories.outputs.directories) }}
+
+    steps:
+      - name: Remove default Terraform
+        run: rm -rf $(which terraform)
+
+      - name: checkout-merge
+        if: "contains(github.event_name, 'pull_request')"
+        uses: actions/checkout@v3
+        with:
+          ref: refs/pull/${{github.event.pull_request.number}}/merge
+
+      - name: checkout
+        if: "!contains(github.event_name, 'pull_request')"
+        uses: actions/checkout@v3
+
+      - uses: dorny/paths-filter@v2
+        id: changes
+        with:
+          # Need to check not only the example directory
+          # but also the supporting module(s) code
+          # for plans (not for pre-commit)
+          filters: |
+            src:
+              - '${{ matrix.directory }}/**/*.(tf|yml|yaml)'
+              - 'modules/**/*.(tf|yml|yaml)'
+              - '*.tf'
+
+      - name: Configure AWS credentials from Test account
+        uses: aws-actions/configure-aws-credentials@v1
+        if: steps.changes.outputs.src== 'true'
+        with:
+          role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}
+          aws-region: us-west-2
+          role-duration-seconds: 3600
+          role-session-name: GithubActions-Session
+
+      - name: Terraform Job
+        uses: hashicorp/setup-terraform@v2
+        if: steps.changes.outputs.src== 'true'
+        with:
+          terraform_version: 1.0.0
+
+      - if: steps.changes.outputs.src== 'true'
+        run: terraform version
+
+      - name: Terraform Init
+        if: steps.changes.outputs.src== 'true'
+        run: terraform init -reconfigure
+        working-directory: ${{ matrix.directory }}
+
+      - name: Terraform Plan
+        if: steps.changes.outputs.src== 'true'
+        working-directory: ${{ matrix.directory }}
+        run: terraform plan -no-color
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
@@ -44,10 +44,6 @@ jobs:
       - name: Remove default Terraform
         run: rm -rf $(which terraform)
 
-      - name: Should fail
-        continue-on-error: true
-        run: terraform version
-
       - name: Checkout
         uses: actions/checkout@v3
 
@@ -80,25 +76,22 @@ jobs:
         with:
           directory: ${{ matrix.directory }}
 
-      - name: Pre-commit Terraform 1.1.0 #${{ steps.minMax.outputs.minVersion }}
+      - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
         uses: clowdhaus/terraform-composite-actions/pre-commit@v1.6.0
         # Run only validate pre-commit check on min version supported
         if: ${{ matrix.directory !=  '.' && steps.changes.outputs.src== 'true' }}
         with:
-          terraform-version: 1.1.0 # ${{ steps.minMax.outputs.minVersion }}
+          terraform-version: ${{ steps.minMax.outputs.minVersion }}
           args: 'terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*'
 
-      - name: Pre-commit Terraform 1.1.0 #${{ steps.minMax.outputs.minVersion }}
+      - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
         uses: clowdhaus/terraform-composite-actions/pre-commit@v1.6.0
         # Run only validate pre-commit check on min version supported
         if: ${{ matrix.directory ==  '.' && steps.changes.outputs.src== 'true' }}
         with:
-          terraform-version: 1.1.0 #${{ steps.minMax.outputs.minVersion }}
+          terraform-version: ${{ steps.minMax.outputs.minVersion }}
           args: 'terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)'
 
-      - if: steps.changes.outputs.src== 'true'
-        run: terraform version
-
   preCommitMaxVersion:
     name: Max TF pre-commit
     runs-on: ubuntu-latest
@@ -107,10 +100,6 @@ jobs:
       - name: Remove default Terraform
         run: rm -rf $(which terraform)
 
-      - name: Should fail
-        continue-on-error: true
-        run: terraform version
-
       - name: Checkout
         uses: actions/checkout@v3
 
@@ -142,14 +131,10 @@ jobs:
         uses: clowdhaus/terraform-min-max@v1.0.7
         if: steps.changes.outputs.src== 'true'
 
-      # TODO - remove hardcoded version once optional attributes are resolved/removed
-      - name: Pre-commit Terraform 1.2.9  # ${{ steps.minMax.outputs.maxVersion }}
+      - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
         uses: clowdhaus/terraform-composite-actions/pre-commit@v1.6.0
         if: steps.changes.outputs.src== 'true'
         with:
-          terraform-version: 1.2.9 # ${{ steps.minMax.outputs.maxVersion }}
+          terraform-version: ${{ steps.minMax.outputs.maxVersion }}
           terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }}
-          tflint-version: ${{ env.TFLINT_VERSION }}
-
-      - if: steps.changes.outputs.src== 'true'
-        run: terraform version
+          tflint-version: ${{ env.TFLINT_VERSION }}
diff --git a/.github/workflows/stale_issue_pr.yaml b/.github/workflows/stale_issue_pr.yaml
@@ -0,0 +1,33 @@
+name: 'Stale issue & PR handler'
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: actions/stale@main
+        id: stale
+        with:
+          ascending: true
+          close-issue-message: 'Issue closed due to inactivity.'
+          close-pr-message: 'Pull request closed due to inactivity.'
+          days-before-close: 10
+          days-before-stale: 30
+          stale-issue-label: stale
+          stale-pr-label: stale
+          # Not stale if have this labels
+          exempt-issue-labels: 'bug,enhancement'
+          exempt-pr-labels: 'bug,enhancement'
+          operations-per-run: 100
+          stale-issue-message: |
+            This issue has been automatically marked as stale because it has been open 30 days
+            with no activity. Remove stale label or comment or this issue will be closed in 10 days
+          stale-pr-message: |
+            This PR has been automatically marked as stale because it has been open 30 days
+            with no activity. Remove stale label or comment or this PR will be closed in 10 days
