From 9e9a3c2107fd3d17b93b604af4966cff6f298a04 Mon Sep 17 00:00:00 2001 From: marshall7m <44485531+marshall7m@users.noreply.github.com> Date: Sat, 18 Jun 2022 17:15:45 -0700 Subject: [PATCH] add codebuild tg/tf version constraint table and implement terragrunt latest into version constraint testing --- README.md | 14 ++++---------- .../create_deploy_stack/create_deploy_stack.py | 2 ++ tests/unit/buildspecs/README.md | 13 +++++++++++++ tests/unit/buildspecs/conftest.py | 12 +++++------- tests/unit/buildspecs/test_create_deploy_stack.py | 5 ++++- variables.tf | 14 ++++++++++++-- 6 files changed, 40 insertions(+), 20 deletions(-) create mode 100644 tests/unit/buildspecs/README.md diff --git a/README.md b/README.md index 751e38df..d52af0d2 100644 --- a/README.md +++ b/README.md @@ -338,6 +338,7 @@ Given EventBridge rules and event deliveries are free, the Step Function executi ∙ 1 x aws_ses_identity_policy ∙ 1 x aws_ses_template ``` + ## CLI Requirements Requirements below are needed in order to run `terraform apply` within this module. This module contains null resources that run bash scripts to install pip packages, zip directories, and query the RDS database. @@ -492,8 +493,8 @@ Requirements below are needed in order to run `terraform apply` within this modu | [step\_function\_name](#input\_step\_function\_name) | Name of AWS Step Function machine | `string` | `"deployment-flow"` | no | | [terra\_run\_env\_vars](#input\_terra\_run\_env\_vars) | Environment variables that will be provided for tf plan/apply builds |
list(object({
name = string
value = string
type = optional(string)
}))
| `[]` | no | | [terra\_run\_vpc\_config](#input\_terra\_run\_vpc\_config) | AWS VPC configurations associated with terra\_run CodeBuild project.
Ensure that the configuration allows for outgoing HTTPS traffic. |
object({
vpc_id = string
subnets = list(string)
security_group_ids = list(string)
})
| `null` | no | -| [terraform\_version](#input\_terraform\_version) | Terraform version used for create\_deploy\_stack and terra\_run builds. If repo contains a variety of version constraints, implementing a dynamic version manager (e.g. tfenv) is recommended | `string` | `""` | no | -| [terragrunt\_version](#input\_terragrunt\_version) | Terragrunt version used for create\_deploy\_stack and terra\_run builds | `string` | `""` | no | +| [terraform\_version](#input\_terraform\_version) | Terraform version used for create\_deploy\_stack and terra\_run builds.
Version must be >= `0.13.0`.
If repo contains a variety of version constraints, implementing a
version manager is recommended (e.g. tfenv). | `string` | `""` | no | +| [terragrunt\_version](#input\_terragrunt\_version) | Terragrunt version used for create\_deploy\_stack and terra\_run builds.
Version must be >= `0.31.0`.
If repo contains a variety of version constraints, implementing a
version manager is recommended (e.g. tgswitch). | `string` | `""` | no | | [tf\_state\_read\_access\_policy](#input\_tf\_state\_read\_access\_policy) | AWS IAM policy ARN that allows create\_deploy\_stack Codebuild project to read from Terraform remote state resource | `string` | n/a | yes | ## Outputs @@ -613,11 +614,4 @@ NOTE: All Terraform resources will automatically be deleted during the PyTest se ### Improvements: - [ ] create aesthetically pleasing approval request HTML template -- [ ] Allow GRAPH_SCAN to be toggled on a PR-level without having to change via Terraform module/CodeBuild console - - -TODO before release: - -- make sure all heredocs and documentation is added -- update gh workflow to use ghcr.io/marshall7m/terrace:v0.1.7 -- implement pre-commit hook changes \ No newline at end of file +- [ ] Allow GRAPH_SCAN to be toggled on a PR-level without having to change via Terraform module/CodeBuild console \ No newline at end of file diff --git a/buildspecs/create_deploy_stack/create_deploy_stack.py b/buildspecs/create_deploy_stack/create_deploy_stack.py index 4d902ce5..f6610d87 100644 --- a/buildspecs/create_deploy_stack/create_deploy_stack.py +++ b/buildspecs/create_deploy_stack/create_deploy_stack.py @@ -89,6 +89,7 @@ def create_stack(self, path: str, role_arn: str) -> List[map]: # if set, use graph-dependencies map to determine target execution directories log.debug(f'$GRAPH_SCAN: {os.environ.get("GRAPH_SCAN", "")}') if os.environ.get("GRAPH_SCAN", False): + log.info("Running Graph Scan") target_diff_paths = [] # collects directories that contain new, modified and deleted .hcl/.tf files parent = repo.commit(os.environ["CODEBUILD_RESOLVED_SOURCE_VERSION"] + "^") 
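Review bot: The added `log.info("Running Graph Scan")` sits under `if os.environ.get("GRAPH_SCAN", False):`, which is true for any non-empty string, so a build configured with `GRAPH_SCAN=false` or `GRAPH_SCAN=0` would still log and run the graph scan. Since the value comes from the build environment, I would compare it explicitly, e.g. `if os.environ.get("GRAPH_SCAN", "").lower() == "true":`, or at least put the raw value in the new message so the build log shows why the branch was taken. The matching `log.info("Running Plan Scan")` in the second hunk of this file is reached only when the variable is unset or empty. `create_stack` starts and ends outside both hunks.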
@@ -120,6 +121,7 @@ def create_stack(self, path: str, role_arn: str) -> List[map]: diff_paths = list(set(diff_paths)) else: + log.info("Running Plan Scan") # use the terraform exitcode for each directory found in the terragrunt run-all plan output to determine target execution directories # set check=False to prevent error raise since the -detailed-exitcode flags causes a return code of 2 if diff in tf plan run = subprocess_run( diff --git a/tests/unit/buildspecs/README.md b/tests/unit/buildspecs/README.md new file mode 100644 index 00000000..265972ca --- /dev/null +++ b/tests/unit/buildspecs/README.md @@ -0,0 +1,13 @@ +# Version Constraints + +| Build | Binary | Version | Reason | +|-------|--------|---------|--------| +| create_deploy_stack | terraform | >= 0.13.0 | With < 0.13.0, create_stack() return results include `\n` between attributes (fixable) | +| create_deploy_stack | terragrunt | >= 0.31.0 | With < 0.31.0, create_stack() returns nothing from parsing run-all plan. With < 0.23.7, `terragrunt graph-dependencies` cli arg is not available | +| terra_run | terraform | >= 0.13.0 | Within older versions, get_new_provider_resources() would need different parsing of the provider attribute from the tfstate file | +| terra_run | terragrunt | >= 0.31.0 | create_deploy_stack requires `terragrunt run-all` | + + +## Important Terragrunt releases: +- 0.28.1 introduced `terragrunt run-all` +- 0.23.7 introduced `terragrunt graph-dependencies` \ No newline at end of file diff --git a/tests/unit/buildspecs/conftest.py b/tests/unit/buildspecs/conftest.py index 874c0b20..77fa7723 100644 --- a/tests/unit/buildspecs/conftest.py +++ b/tests/unit/buildspecs/conftest.py 
@@ -83,16 +83,12 @@ def repo_changes(request, git_repo): tf_versions = [ pytest.param("latest"), - pytest.param("1.0.0", marks=pytest.mark.skip()), - pytest.param("0.15.0", marks=pytest.mark.skip()), - pytest.param("0.14.0", marks=pytest.mark.skip()), + pytest.param("0.13.0"), ] tg_versions = [ - pytest.param("0.36.7"), - pytest.param("0.36.0", marks=pytest.mark.skip()), - pytest.param("0.35.0", marks=pytest.mark.skip()), - pytest.param("0.34.0", marks=pytest.mark.skip()), + pytest.param("latest"), + pytest.param("0.31.0"), ] @@ -104,6 +100,7 @@ def pytest_generate_tests(metafunc): tf_versions, scope="function", ids=[f"tf_{v.values[0]}" for v in tf_versions], + indirect=True, ) if "terragrunt_version" in metafunc.fixturenames: @@ -112,4 +109,5 @@ def pytest_generate_tests(metafunc): tg_versions, scope="function", ids=[f"tg_{v.values[0]}" for v in tg_versions], + indirect=True, ) diff --git a/tests/unit/buildspecs/test_create_deploy_stack.py b/tests/unit/buildspecs/test_create_deploy_stack.py index 1d1ba939..257cd610 100644 --- a/tests/unit/buildspecs/test_create_deploy_stack.py +++ b/tests/unit/buildspecs/test_create_deploy_stack.py @@ -18,13 +18,16 @@ def scan_type_idfn(val): @pytest.fixture( - params=[pytest.param(True), pytest.param(False, marks=pytest.mark.skip())], + params=[pytest.param(True), pytest.param(False)], ids=scan_type_idfn, ) def scan_type(request): """Determiens if Terragrun graph depedencies or run-all plan command is used to detect directories with differences""" if request.param: os.environ["GRAPH_SCAN"] = "true" + else: + if "GRAPH_SCAN" in os.environ: + del os.environ["GRAPH_SCAN"] yield None if "GRAPH_SCAN" in os.environ: diff --git a/variables.tf b/variables.tf index a6ca325a..14b30546 100644 --- a/variables.tf +++ b/variables.tf 
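Review bot: Both version lists now include `pytest.param("latest")`, so the binaries under test are whatever upstream has released on the day the suite runs. A failure can then come from a new release rather than from this repository, and the run cannot be reproduced later. I would keep the floor versions (`0.13.0`, `0.31.0`), add a pinned recent release next to them, and move `latest` behind a marker for a scheduled job, for example `pytest.param("latest", marks=pytest.mark.latest)` (the marker name is a placeholder and would need registering). With `indirect=True` added in the two following hunks, the value is handed to `terraform_version` / `terragrunt_version` fixtures that are not part of this diff. If those fixtures download the binaries, it is worth confirming that they verify the release checksum.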
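Review bot: In `scan_type`, the new `else` branch deletes `GRAPH_SCAN` from `os.environ` and the teardown deletes it again, so a value exported by the developer or CI runner before the session is lost for the rest of the process instead of being restored. pytest's `monkeypatch` fixture undoes the change automatically: accept `monkeypatch` as an argument and use `monkeypatch.setenv("GRAPH_SCAN", "true")` and `monkeypatch.delenv("GRAPH_SCAN", raising=False)`. If the manual handling stays, `os.environ.pop("GRAPH_SCAN", None)` replaces the nested `if`/`del`. The fixture's teardown continues past the end of the hunk.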
@@ -103,13 +103,23 @@ variable "tf_state_read_access_policy" { } variable "terraform_version" { - description = "Terraform version used for create_deploy_stack and terra_run builds. If repo contains a variety of version constraints, implementing a dynamic version manager (e.g. tfenv) is recommended" + description = <= `0.13.0`. +If repo contains a variety of version constraints, implementing a +version manager is recommended (e.g. tfenv). +EOF type = string default = "" } variable "terragrunt_version" { - description = "Terragrunt version used for create_deploy_stack and terra_run builds" + description = <= `0.31.0`. +If repo contains a variety of version constraints, implementing a +version manager is recommended (e.g. tgswitch). +EOF type = string default = "" }