feat(cicd): add terraform-min-max validation workflow to validate module changes (#1)

Author: bryantbiggs

.github/workflows/semantic-releaser.yml

@@ -1,25 +1,29 @@
 name: Release
+
 on:
   push:
     branches:
       - master
     paths:
       - '**.tf'
       - '!examples/**.tf'
+
 jobs:
   release:
     name: Release
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v2
         with:
           fetch-depth: 0
           persist-credentials: false
+
       - name: Setup Node.js
         uses: actions/setup-node@v1
         with:
           node-version: 14
+
       - name: Release
         env:
           GITHUB_TOKEN: ${{ secrets.ACCESS_TOKEN }}

.github/workflows/static-checks.yml

@@ -0,0 +1,73 @@
+name: static-checks
+
+on:
+  pull_request:
+
+jobs:
+  versionExtract:
+    name: Get min/max versions
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Terraform min/max versions
+        id: minMax
+        uses: clowdhaus/terraform-min-max@main
+    outputs:
+      minVersion: ${{ steps.minMax.outputs.minVersion }}
+      maxVersion: ${{ steps.minMax.outputs.maxVersion }}
+
+  versionEvaluate:
+    name: Evaluate Terraform versions
+    runs-on: ubuntu-latest
+    needs: versionExtract
+    strategy:
+      fail-fast: false
+      matrix:
+        version:
+          - ${{ needs.versionExtract.outputs.minVersion }}
+          - ${{ needs.versionExtract.outputs.maxVersion }}
+        directory: [examples/complete, examples/simple]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Install Terraform v${{ matrix.version }}
+        uses: hashicorp/setup-terraform@v1
+        with:
+          terraform_version: ${{ matrix.version }}
+
+      - name: Init & validate v${{ matrix.version }}
+        run: |
+          cd ${{ matrix.directory }}
+          terraform init
+          terraform validate
+
+      - name: tflint
+        uses: reviewdog/action-tflint@master
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          working_directory: ${{ matrix.directory }}
+          fail_on_error: 'true'
+          filter_mode: 'nofilter'
+          flags: '--module'
+
+  format:
+    name: Check code format
+    runs-on: ubuntu-latest
+    needs: versionExtract
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Install Terraform v${{ needs.versionExtract.outputs.maxVersion }}
+        uses: hashicorp/setup-terraform@v1
+        with:
+          terraform_version: ${{ needs.versionExtract.outputs.maxVersion }}
+
+      - name: Check Terraform format changes
+        run: terraform fmt --recursive -check=true

.pre-commit-config.yaml

@@ -5,6 +5,6 @@ repos:
       - id: terraform_fmt
       - id: terraform_docs
   - repo: git://github.com/pre-commit/pre-commit-hooks
-    rev: v3.3.0
+    rev: v3.4.0
     hooks:
-      - id: check-merge-conflict
+      - id: check-merge-conflict

examples/complete/main.tf

@@ -52,13 +52,13 @@ data "aws_iam_policy_document" "datadog_cmk" {
 }
 
 resource "aws_kms_alias" "datadog" {
-  name          = "alias/datadog"
+  name          = "alias/datadog/${random_pet.this.id}"
   target_key_id = aws_kms_key.datadog.key_id
 }
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "v2.57.0"
+  version = "~> 2.64"
 
   name = local.name
   cidr = "10.0.0.0/16"
@@ -84,7 +84,7 @@ module "vpc" {
 
 module "security_group" {
   source  = "terraform-aws-modules/security-group/aws"
-  version = "~> v3.16.0"
+  version = "~> 3.17"
 
   name        = local.name
   description = "Example security group"
@@ -114,7 +114,7 @@ module "security_group" {
 
 module "log_bucket_1" {
   source  = "terraform-aws-modules/s3-bucket/aws"
-  version = "~> 1.15"
+  version = "~> 1.17"
 
   bucket                         = "logs-1-${random_pet.this.id}"
   acl                            = "log-delivery-write"
@@ -124,7 +124,7 @@ module "log_bucket_1" {
 
 module "log_bucket_2" {
   source  = "terraform-aws-modules/s3-bucket/aws"
-  version = "~> 1.15"
+  version = "~> 1.17"
 
   bucket                         = "logs-2-${random_pet.this.id}"
   acl                            = "log-delivery-write"
@@ -252,7 +252,5 @@ module "default" {
   traces_vpce_security_group_ids = [module.security_group.this_security_group_id]
   traces_vpce_tags               = { TracesVpcEndpoint = true }
 
-  depends_on = [aws_kms_alias.datadog]
-
   tags = { Environment = "test" }
 }

examples/simple/README.md

@@ -27,6 +27,7 @@ Note that this example may create resources which will incur monetary charges on
 | Name | Version |
 |------|---------|
 | aws | >= 3.0 |
+| random | n/a |
 
 ## Inputs
 

examples/simple/main.tf

@@ -18,6 +18,10 @@ data "aws_caller_identity" "current" {}
 # Supporting Resources
 ################################################################################
 
+resource "random_pet" "this" {
+  length = 2
+}
+
 resource "aws_kms_key" "datadog" {
   description         = "Datadog KMS CMK"
   enable_key_rotation = true
@@ -39,7 +43,7 @@ data "aws_iam_policy_document" "datadog_cmk" {
 }
 
 resource "aws_kms_alias" "datadog" {
-  name          = "alias/datadog"
+  name          = "alias/datadog/${random_pet.this.id}"
   target_key_id = aws_kms_key.datadog.key_id
 }
 
@@ -53,7 +57,5 @@ module "default" {
   kms_alias             = aws_kms_alias.datadog.name
   dd_api_key_secret_arn = data.aws_secretsmanager_secret.datadog_api_key.arn
 
-  depends_on = [aws_kms_alias.datadog]
-
   tags = { Environment = "test" }
 }

modules/log_forwarder/main.tf

@@ -25,7 +25,7 @@ data "aws_region" "current" {}
 
 module "this_s3_bucket" {
   source  = "terraform-aws-modules/s3-bucket/aws"
-  version = "v1.15.0"
+  version = "v1.17.0"
 
   create_bucket = var.create && var.create_bucket
   bucket        = local.bucket_name