Adding CI to module (#5)

* CI added through Travis - tests passing
* moved travis badge to official org builds

Author: brandonjbjelland

.travis.yml

@@ -0,0 +1,86 @@
+language: ruby
+
+sudo: false
+
+dist: trusty
+
+rvm:
+  - 2.4.2
+
+services:
+  - docker
+
+before_install:
+  - echo "before_install"
+
+install:
+  - echo "install"
+  - gem install bundler --no-rdoc --no-ri
+  - bundle install
+
+before_script:
+  - echo 'before_script'
+  # Get a random variable from the awscli and use it through the remainder of the test cycle.
+  - export AWS_REGION=$(docker run --env AWS_DEFAULT_REGION=us-east-2 --env AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} --env AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} garland/aws-cli-docker aws ec2 describe-regions --query 'Regions[].{Name:RegionName}' --output text | shuf | head -n1)
+  - echo "using AWS_REGION=${AWS_REGION}"
+  - export TF_VAR_region=${AWS_REGION}
+  - wget https://releases.hashicorp.com/terraform/0.10.7/terraform_0.10.7_linux_amd64.zip
+  - unzip terraform_0.10.7_linux_amd64
+  - chmod +x terraform
+  - mkdir -p ${HOME}/bin
+  - export PATH=${PATH}:${HOME}/bin
+  - mv terraform ${HOME}/bin/
+  - rm -f terraform_*
+  - terraform -v
+
+script:
+  - echo 'before_script'
+  # no terraform through docker until kitchen-terraform supports it
+  # - docker run -i -t -v $(pwd):/app/ -w /app/ hashicorp/terraform:light init
+  # - docker run -i -t -v $(pwd):/app/ -w /app/ hashicorp/terraform:light fmt -check=true
+  # - docker run -i -t -v $(pwd):/app/ -w /app/ hashicorp/terraform:light validate
+  - terraform init
+  - terraform fmt -check=true
+  - terraform validate -var "region=${AWS_REGION}" -var "certificate_arn=arn:aws:iam::123456789012:server-certificate/test_cert-123456789012" -var "health_check_path=/" -var "subnets=[]" -var "vpc_id=vpc-abcde012" -var "alb_name=my-alb" -var "alb_security_groups=[]"
+  - docker run --rm -v $(pwd):/app/ --workdir=/app/ -t wata727/tflint --error-with-issues
+  - cd examples/test_fixtures
+  # this line is to change the source of the root module to 2 dirs back which works when validating in CI but when running through test kitchen, we need to source from 3 dirs up, oddly
+  - sed -i.bak 's/\.\.\/\.\.\/\.\./\.\.\/\.\./g' main.tf
+  # - docker run -i -t -v $(pwd):/app/ -w /app/ hashicorp/terraform:light init
+  # - docker run -i -t -v $(pwd):/app/ -w /app/ hashicorp/terraform:light fmt -check=true
+  # - docker run -i -t -v $(pwd):/app/ -w /app/ hashicorp/terraform:light validate
+  - terraform init
+  - terraform fmt -check=true
+  - terraform validate
+  # FIXME: tflint is unhappy with sourcing a module from a relative dir here.
+  # - docker run --rm -v $(pwd):/data --workdir=/data -t wata727/tflint --error-with-issues
+  - mv main.tf.bak main.tf
+  - cd -
+  - pwd
+  - ls -lah
+  - terraform -v
+  - kitchen test --destroy always
+
+# after_success:
+#   - echo 'after_success'
+
+# after_failure:
+#   - echo 'after_failure'
+
+before_deploy:
+# check if this is new release and conditionally continue?
+  - echo 'before_deploy phase'
+
+deploy:
+# likely want to publish to the registry
+  provider: script
+  script: ci/deploy.sh
+  on:
+    branch: dev
+
+# after_deploy:
+# notify of success/failure provide links
+#   - echo 'after_deploy'
+
+# after_script:
+#   - echo 'after_script'

CHANGELOG.md

@@ -4,13 +4,25 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [1.0.3] - 2017-10-19
+## Added
+* TravisCI configuration added and now passing.
+* badge added to docs.
+* permissions section now in the example readme.
+* placeholder shell script added for CI deployment. Eventually this should conditionally release to the registry when those APIs become available.
+
+## Changed
+* altered tf variable `aws_region` to `region`.
+* replaced hardcoding the region to instead use a random region as retrieved by an awscli docker container within CI.
+* example cert is now a regionally-specific resource enabling tests to run in various regions at once and not collide.
+* ruby version bump means `Rhcl` becomes `rhcl`.
+
 ## [1.0.2] - 2017-10-12
 ### Added
 * moved data sources to dedicated `data.tf` file.
 * `aws_caller_identity` now used to gather account_id rather than using a variable.
 * tests added for `target_group` and expanded for `alb`.
 * input variables added for health checks, bucket policy, force_destroy_log_bucket - increasing flexibility.
-* circle CI config and badge
 
 ### Changed
 * altered structure of module to conform to the new [Terraform registry standards](https://www.terraform.io/docs/registry/modules/publish.html#requirements)
@@ -19,9 +31,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 * pinned examples to provider and terraform versions to harden versioning.
 * self signed cert added to the test fixtures, eliminating the need for manual upload and terraform.tfvars configuration.
 * modules referenced in the test fixture are now sourced from the terraform registry.
-* moved bucket_policy.json and template rending to locals + optional variable input. 
+* removed bucket_policy.json in favor of creating the policy via the `aws_iam_policy_document` resource or optionally a variable.
 * stringed list variables moved to native lists
-* 
 
 ## [1.0.1] - 2017-09-14
 ### Added

README.md

@@ -2,6 +2,10 @@
 A Terraform module containing common configurations for an AWS Application Load
 Balancer (ALB) running over HTTP/HTTPS. Available through the [terraform registry](https://registry.terraform.io/modules/terraform-aws-modules/alb/aws).
 
+| Branch | Build status |
+| --- | --- |
+| master | [![build Status](https://travis-ci.org/terraform-aws-modules/terraform-aws-alb.svg?branch=master)](https://travis-ci.org/terraform-aws-modules/terraform-aws-skeleton) |
+
 ## Assumptions
 * You want to create a set of resources for the ALB: namely an associated target group and listener.
 * You've created a Virtual Private Cloud (VPC) + subnets where you intend to put
@@ -20,7 +24,7 @@ It's recommended you use this module with [terraform-aws-vpc](https://registry.t
 
 ## Why ALB instead of ELB?
 The use-case presented here appears almost identical to how one would use an ELB
-BUT we inherit a few bonuses by moving to ALB. Those are best outlined in [AWS's
+but we inherit a few bonuses by moving to ALB. Those are best outlined in [AWS's
 documentation](https://aws.amazon.com/elasticloadbalancing/applicationloadbalancer/).
 For an example of using ALB with ECS look no further than the [hashicorp example](https://github.com/terraform-providers/terraform-provider-aws/blob/master/examples/ecs-alb).
 
@@ -32,12 +36,15 @@ A full example leveraging other community modules is contained in the [examples/
 ```
 module "alb" {
   source              = "terraform-aws-modules/alb/aws"
+  alb_name            = "my-alb"
+  region              = "us-east-2"
+  alb_security_groups = ["sg-edcd9784", "sg-edcd9785"]
   vpc_id              = "vpc-abcde012"
   subnets             = ["subnet-abcde012", "subnet-bcde012a"]
-  alb_security_groups = ["sg-edcd9784", "sg-edcd9785"]
   certificate_arn     = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012"
   log_bucket          = "logs-us-east-2-123456789012"
   log_prefix          = "my-alb-logs"
+  health_check_path   = "/"
 
   tags {
     "Terraform" = "true"
@@ -55,7 +62,7 @@ This module has been packaged with [awspec](https://github.com/k1LoW/awspec) tes
 ```
 gem install bundler; bundle install
 ```
-3. Configure variables in `test/fixtures/terraform.tfvars`. An example of how this should look is in [terraform.tfvars.example](test/fixtures/terraform.tfvars.example).
+3. Ensure your AWS environment is configured (i.e. credentials and region) for test and set TF_VAR_region to a valid AWS region (e.g. `export TF_VAR_region=${AWS_REGION}`).
 4. Test using `kitchen test` from the root of the repo.
 
 ## Contributing
@@ -70,6 +77,10 @@ individual change made. These are the steps:
 5. Push to the branch (`git push origin my-new-feature`).
 6. Create a new Pull Request and tell us about your changes.
 
+## IAM Permissions
+Testing and using this repo requires a minimum set of IAM permissions. Test permissions
+are listed in the [test_fixtures README](examples/test_fixtures/README.md).
+
 ## Change log
 The [changelog](CHANGELOG.md) captures all important release notes.
 

ci/deploy.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# this file is a placeholder. Not sure that the registry API is available yet.
+echo "Deployment steps should include publishing to terraform registry on new releases. Exiting with success."

examples/test_fixtures/README.md

@@ -2,3 +2,105 @@
 This set of templates serves two purposes:
 0. it shows developers how to use the module in a straightforward way as integrated with other terraform community supported modules.
 1. serves as the test infrastructure for CI on the project.
+
+## IAM Permissions
+The following IAM policy is the minimum needed to execute the module from the test suite.
+```
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "Stmt1507789535000",
+            "Effect": "Allow",
+            "Action": [
+                "ec2:AllocateAddress",
+                "ec2:AssignIpv6Addresses",
+                "ec2:AssignPrivateIpAddresses",
+                "ec2:AssociateAddress",
+                "ec2:AssociateDhcpOptions",
+                "ec2:AssociateRouteTable",
+                "ec2:AttachInternetGateway",
+                "ec2:AttachNetworkInterface",
+                "ec2:AuthorizeSecurityGroupEgress",
+                "ec2:AuthorizeSecurityGroupIngress",
+                "ec2:CreateDhcpOptions",
+                "ec2:CreateInternetGateway",
+                "ec2:CreateNatGateway",
+                "ec2:CreateNetworkAcl",
+                "ec2:CreateNetworkAclEntry",
+                "ec2:CreateNetworkInterface",
+                "ec2:CreateNetworkInterfacePermission",
+                "ec2:CreateRoute",
+                "ec2:CreateRouteTable",
+                "ec2:CreateSecurityGroup",
+                "ec2:CreateSubnet",
+                "ec2:CreateTags",
+                "ec2:CreateVpc",
+                "ec2:DeleteDhcpOptions",
+                "ec2:DeleteInternetGateway",
+                "ec2:DeleteNatGateway",
+                "ec2:DeleteNetworkAcl",
+                "ec2:DeleteNetworkAclEntry",
+                "ec2:DeleteNetworkInterface",
+                "ec2:DeleteRoute",
+                "ec2:DeleteRouteTable",
+                "ec2:DeleteSecurityGroup",
+                "ec2:DeleteSubnet",
+                "ec2:DeleteTags",
+                "ec2:DeleteVpc",
+                "ec2:Describe*",
+                "ec2:DetachInternetGateway",
+                "ec2:DetachNetworkInterface",
+                "ec2:DisassociateAddress",
+                "ec2:DisassociateRouteTable",
+                "ec2:DisassociateSubnetCidrBlock",
+                "ec2:DisassociateVpcCidrBlock",
+                "ec2:ModifySubnetAttribute",
+                "ec2:ModifyVpcAttribute",
+                "ec2:ModifyVpcEndpoint",
+                "ec2:ReleaseAddress",
+                "ec2:RevokeSecurityGroupEgress",
+                "ec2:RevokeSecurityGroupIngress",
+                "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
+                "ec2:UpdateSecurityGroupRuleDescriptionsIngress"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Sid": "Stmt1507789585001",
+            "Effect": "Allow",
+            "Action": [
+                "s3:*",
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Sid": "Stmt1507789655000",
+            "Effect": "Allow",
+            "Action": [
+                "elasticloadbalancing:*"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Sid": "Stmt1507789655001",
+            "Effect": "Allow",
+            "Action": [
+                "iam:UploadServerCertificate",
+                "iam:DeleteServerCertificate",
+                "iam:GetServerCertificate"
+            ],
+            "Resource": [
+                "*"
+            ]
+        }
+    ]
+}
+
+```

examples/test_fixtures/data.tf

@@ -1 +1,3 @@
 data "aws_caller_identity" "fixtures" {}
+
+data "aws_availability_zones" "available" {}

examples/test_fixtures/main.tf

@@ -3,7 +3,7 @@ terraform {
 }
 
 provider "aws" {
-  region  = "${var.aws_region}"
+  region  = "${var.region}"
   version = "~> 1.0.0"
 }
 
@@ -12,7 +12,7 @@ provider "template" {
 }
 
 resource "aws_iam_server_certificate" "fixture_cert" {
-  name             = "test_cert-${data.aws_caller_identity.fixtures.account_id}"
+  name             = "test_cert-${data.aws_caller_identity.fixtures.account_id}-${var.region}"
   certificate_body = "${file("${path.module}/../../../examples/test_fixtures/certs/example.crt.pem")}"
   private_key      = "${file("${path.module}/../../../examples/test_fixtures/certs/example.key.pem")}"
 
@@ -25,9 +25,9 @@ module "vpc" {
   source             = "terraform-aws-modules/vpc/aws"
   name               = "my-vpc"
   cidr               = "10.0.0.0/16"
-  azs                = ["us-east-2a", "us-east-2b", "us-east-2c"]
-  private_subnets    = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
-  public_subnets     = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+  azs                = ["${data.aws_availability_zones.available.names[0]}", "${data.aws_availability_zones.available.names[1]}"]
+  private_subnets    = ["10.0.1.0/24", "10.0.2.0/24"]
+  public_subnets     = ["10.0.101.0/24", "10.0.102.0/24"]
   enable_nat_gateway = true
   single_nat_gateway = true
   tags               = {}
@@ -40,15 +40,15 @@ module "security-group" {
 }
 
 module "alb" {
-  source                   = "../../../"
+  source                   = "../../.."
   alb_name                 = "my-alb"
   alb_security_groups      = ["${module.security-group.this_security_group_id}"]
-  aws_region               = "${var.aws_region}"
+  region                   = "${var.region}"
   vpc_id                   = "${module.vpc.vpc_id}"
   subnets                  = "${module.vpc.public_subnets}"
   certificate_arn          = "${aws_iam_server_certificate.fixture_cert.arn}"
   health_check_path        = "/"
-  log_bucket               = "logs-${var.aws_region}-${data.aws_caller_identity.fixtures.account_id}"
+  log_bucket               = "logs-${var.region}-${data.aws_caller_identity.fixtures.account_id}"
   log_prefix               = "${var.log_prefix}"
   force_destroy_log_bucket = true
 

examples/test_fixtures/variables.tf

@@ -2,6 +2,4 @@ variable "log_prefix" {
   default = "my-alb-logs"
 }
 
-variable "aws_region" {
-  default = "us-east-2"
-}
+variable "region" {}

main.tf

@@ -1,5 +1,10 @@
 ### ALB resources
 
+provider "aws" {
+  region  = "${var.region}"
+  version = "~> 1.0.0"
+}
+
 resource "aws_alb" "main" {
   name            = "${var.alb_name}"
   subnets         = ["${var.subnets}"]

test/integration/default/local_alb.rb

@@ -1,7 +1,6 @@
 require 'awspec'
-require 'Rhcl'
+require 'rhcl'
 
-ENV['AWS_REGION'] = 'us-east-2'
 module_vars = Rhcl.parse(File.open('examples/test_fixtures/variables.tf'))
 log_prefix = module_vars['variable']['log_prefix']['default']
 tf_state = JSON.parse(File.open('.kitchen/kitchen-terraform/default-aws/terraform.tfstate').read)
@@ -11,7 +10,7 @@
 security_group_id = tf_state['modules'][0]['outputs']['sg_id']['value']
 account_id = tf_state['modules'][0]['outputs']['account_id']['value']
 # this must match the format in examples/test_fixtures/locals.tf
-log_bucket = 'logs-' + module_vars['variable']['aws_region']['default'] + '-' + account_id
+log_bucket = 'logs-' + ENV['AWS_REGION'] + '-' + account_id
 # subnet_ids = tf_state['modules'][0]['outputs']['subnet_ids']['value']
 
 describe alb('my-alb') do
@@ -44,6 +43,7 @@
     "Version": "2012-10-17",
     "Statement": [
         {
+            "Sid": "",
             "Effect": "Allow",
             "Principal": {
                 "AWS": "arn:aws:iam::#{principal_account_id}:root"