feat: manage destructor creation and activation separately (#66)

Author: gberenice

.github/renovate.json5

@@ -3,35 +3,62 @@
     "config:best-practices",
     "github>aquaproj/aqua-renovate-config#2.7.5"
   ],
-  "schedule": [
-    "after 9am on the first day of the month"
-  ],
-  "assigneesFromCodeOwners": true,
-  "dependencyDashboardAutoclose": true,
-  "addLabels": [
-    "auto-upgrade"
-  ],
   "enabledManagers": [
-    "terraform"
+    "terraform",
+    "github-actions"
   ],
   "terraform": {
     "ignorePaths": [
       "**/context.tf" // Mixin file https://github.com/cloudposse/terraform-null-label/blob/main/exports/context.tf
+    ],
+    "fileMatch": [
+      "\\.tf$",
+      "\\.tofu$"
     ]
   },
+  "schedule": [
+    "after 9am on the first day of the month"
+  ],
+  "assigneesFromCodeOwners": true,
+  "dependencyDashboardAutoclose": true,
+  "addLabels": ["{{manager}}"],
   "packageRules": [
     {
-      "matchDepTypes": [
-        "optionalDependencies"
-      ],
-      // Allow auto merge if it's not a major version update
-      "matchUpdateTypes": [
-        "minor",
-        "patch",
-        "pin",
-        "digest"
-      ],
-      "automerge": true
+      "matchManagers": ["github-actions"],
+      "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
+      "automerge": true,
+      "automergeType": "branch",
+      "groupName": "github-actions-auto-upgrade",
+      "addLabels": ["auto-upgrade"]
+    },
+    {
+      "matchManagers": ["github-actions"],
+      "matchUpdateTypes": ["major"],
+      "groupName": "github-actions-needs-review",
+      "addLabels": ["needs-review"]
+    },
+    {
+      "matchManagers": ["terraform"],
+      "groupName": "tf",
+      "addLabels": ["needs-review"]
+    },
+    {
+      "matchFileNames": ["**/*.tofu", "**/*.tf"],
+      "matchDatasources": ["terraform-provider", "terraform-module"],
+      "registryUrls": ["https://registry.opentofu.org"],
+      "groupName": "tf"
+    },
+    {
+      "matchFileNames": ["**/*.tofu"],
+      "matchDepTypes": ["required_version"],
+      "registryUrls": ["https://registry.opentofu.org"],
+      "groupName": "tf"
+    },
+    {
+      "matchFileNames": ["**/*.tf"],
+      "matchDepTypes": ["required_version"],
+      "registryUrls": ["https://registry.terraform.io"],
+      "groupName": "tf"
     }
   ]
-}
+}

.github/workflows/lint.yaml

@@ -13,6 +13,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out Git repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Trunk Check
-        uses: trunk-io/trunk-action@v1
+        uses: trunk-io/trunk-action@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19

.github/workflows/test.yaml

@@ -26,25 +26,8 @@ jobs:
       matrix:
         tf: [tofu, terraform]
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - name: Aqua Cache
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
-        if: ${{ !github.event.act }} # Don't enable the cache step if we're using act for testing
-        with:
-          path: ~/.local/share/aquaproj-aqua
-          key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('aqua.yaml')}}
-          restore-keys: |
-            v1-aqua-installer-${{runner.os}}-${{runner.arch}}-
-
-      - name: Install Aqua
-        uses: aquaproj/aqua-installer@5e54e5cee8a95ee2ce7c04cb993da6dfad13e59c # v3.2.1
+      - uses: masterpointio/github-action-tf-test@c3b619f3bca9e4f482b9e0fb3166ab3f02d9d54c # v1.0.0
         with:
-          aqua_version: v2.48.1
-
-      - name: Aqua Install
-        shell: bash
-        run: aqua install --tags ${{ matrix.tf }}
-
-      - run: ${{ matrix.tf }} init
-      - run: ${{ matrix.tf }} test
+          tf_type: ${{ matrix.tf }}
+          aws_role_arn: ${{ vars.TF_TEST_AWS_ROLE_ARN }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/trunk-upgrade.yaml

@@ -27,8 +27,17 @@ jobs:
           private_key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
 
       - name: Upgrade
+        id: trunk-upgrade
         uses: trunk-io/trunk-action/upgrade@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19
         with:
           github-token: ${{ steps.generate-token.outputs.token }}
           reviewers: "@masterpointio/masterpoint-internal"
           prefix: "chore: "
+
+      - name: Merge PR automatically
+        if: steps.trunk-upgrade.outputs.pull-request-number != ''
+        env:
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+          PR_NUMBER: ${{ steps.trunk-upgrade.outputs.pull-request-number }}
+        run: |
+          gh pr merge "$PR_NUMBER" --squash --auto --delete-branch

.trunk/trunk.yaml

@@ -2,7 +2,7 @@
 # To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml
 version: 0.1
 cli:
-  version: 1.22.12
+  version: 1.22.15
 # Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins)
 plugins:
   sources:
@@ -20,15 +20,16 @@ lint:
     # Incompatible with some Terraform features: https://github.com/tenable/terrascan/issues/1331
     - terrascan
   enabled:
+    - renovate@40.0.0
     - tofu@1.9.1
     - actionlint@1.7.7
-    - checkov@3.2.408
+    - checkov@3.2.413
     - git-diff-check
     - markdownlint@0.44.0
     - prettier@3.5.3
     - tflint@0.56.0
     - trivy@0.61.1
-    - trufflehog@3.88.25
+    - trufflehog@3.88.26
     - yamllint@1.37.0
   ignore:
     - linters: [tofu]

README.md

@@ -293,7 +293,8 @@ This is to support easy local and outside-spacelift operations. Keeping variable
 | <a name="input_common_config_file"></a> [common\_config\_file](#input\_common\_config\_file) | Name of the common configuration file for the stack across a root module. | `string` | `"common.yaml"` | no |
 | <a name="input_default_tf_workspace_enabled"></a> [default\_tf\_workspace\_enabled](#input\_default\_tf\_workspace\_enabled) | Enables the use of `default` Terraform workspace instead of managing multiple workspaces within a root module.<br/><br/>NOTE: We encourage the use of Terraform workspaces to manage multiple environments.<br/>However, you will want to disable this behavior if you're utilizing different backends for each instance<br/>of your root modules (we call this "Dynamic Backends"). | `bool` | `false` | no |
 | <a name="input_description"></a> [description](#input\_description) | A description for the created Stacks. This is a template string that will be rendered with the final config object for the stack.<br/>    See the main.tf for full internals of that object and the documentation on templatestring for usage.<br/>    https://opentofu.org/docs/language/functions/templatestring/ | `string` | `"Root Module: ${root_module}\nProject Root: ${project_root}\nWorkspace: ${terraform_workspace}\nManaged by spacelift-automation Terraform root module."` | no |
-| <a name="input_destructor_enabled"></a> [destructor\_enabled](#input\_destructor\_enabled) | Flag to enable/disable the destructor for the Stack. | `bool` | `false` | no |
+| <a name="input_destructor_deactivated"></a> [destructor\_deactivated](#input\_destructor\_deactivated) | Whether to deactivate the stack destructor by default | `bool` | `true` | no |
+| <a name="input_destructor_enabled"></a> [destructor\_enabled](#input\_destructor\_enabled) | Whether to enable the stack destructor by default | `bool` | `true` | no |
 | <a name="input_drift_detection_enabled"></a> [drift\_detection\_enabled](#input\_drift\_detection\_enabled) | Flag to enable/disable Drift Detection configuration for a Stack. | `bool` | `false` | no |
 | <a name="input_drift_detection_ignore_state"></a> [drift\_detection\_ignore\_state](#input\_drift\_detection\_ignore\_state) | Controls whether drift detection should be performed on a stack<br/>in any final state instead of just 'Finished'. | `bool` | `false` | no |
 | <a name="input_drift_detection_reconcile"></a> [drift\_detection\_reconcile](#input\_drift\_detection\_reconcile) | Flag to enable/disable automatic reconciliation of drifts. | `bool` | `false` | no |

aqua.yaml

@@ -8,11 +8,10 @@
 #   - all
 registries:
   - type: standard
-    ref: v4.353.0 # renovate: depName=aquaproj/aqua-registry
+    ref: v4.355.0 # renovate: depName=aquaproj/aqua-registry
 packages:
   - name: terraform-docs/terraform-docs@v0.20.0
   - name: hashicorp/terraform@v1.11.4
     tags: [terraform]
   - name: opentofu/opentofu@v1.9.1
     tags: [tofu]
-  - name: spacelift-io/spacectl@v1.11.0

examples/complete/root-modules/network/stacks/dev.yaml

@@ -3,3 +3,4 @@ stack_settings:
   description: Create the VPC + Subnets for the Dev environment
   labels:
     - dev_stack_specific_label
+  destructor_enabled: true

main.tf

@@ -297,6 +297,11 @@ locals {
     for stack, config in local.stack_configs :
     stack => config if try(config.drift_detection_enabled, var.drift_detection_enabled)
   }
+
+  destructor_stacks = {
+    for stack, config in local.stack_configs :
+    stack => config if try(config.destructor_enabled, var.destructor_enabled)
+  }
 }
 
 check "spaces_enforce_mutual_exclusivity" {
@@ -383,10 +388,10 @@ resource "spacelift_stack" "default" {
 # Use the 'deactivated' attribute to disable the stack destructor functionality instead.
 # https://github.com/spacelift-io/terraform-provider-spacelift/blob/master/spacelift/resource_stack_destructor.go
 resource "spacelift_stack_destructor" "default" {
-  for_each = local.stacks
+  for_each = local.destructor_stacks
 
   stack_id    = spacelift_stack.default[each.key].id
-  deactivated = !try(local.stack_configs[each.key].destructor_enabled, var.destructor_enabled)
+  deactivated = try(local.stack_configs[each.key].destructor_deactivated, var.destructor_deactivated)
 
   # `depends_on` should be used to make sure that all necessary resources (environment variables, roles, integrations, etc.)
   # are still in place when the destruction run is executed.

stack-config.schema.json

@@ -232,6 +232,10 @@
         "destructor_enabled": {
           "type": "boolean",
           "description": "Whether to enable the stack destructor"
+        },
+        "destructor_deactivated": {
+          "type": "boolean",
+          "description": "Whether to deactivate the stack destructor when enabled"
         }
       }
     }