Releases: marshall7m/terraform-aws-infrastructure-live-ci
v0.0.5
Enhancements
- Add the ability to comment on Terraform plan results as diff code blocks within the PR page
- Users can toggle PR plans being displayed via the Terraform variable: var.enable_gh_comment_pr_plan
- Users can toggle deployment plans being displayed via the Terraform variable: var.enable_gh_comment_approval
- Each metadb setup query is now within its own null_resource for easier debugging
v0.4.0
Enhancements
- Slim down e2e tests and move exception cases to the integration directory
- Allow integration tests to run locally while mocking external resources from the Terraform module using a standalone moto server
- Refactor Lambda receiver function to use the FastApi framework
- Refactor Lambda approval response function to use the FastApi framework
- Add `.devcontainer.json` file to use the VsCode dev container extension for development
v0.3.0
Upgrades
- Replace AWS API Gateway resources with Lambda Function URLs. With the recent release of AWS Lambda Function URLs, Lambda Functions can now be invoked by their own HTTPS endpoint. Given the module only needs endpoints for simple webhook events, the Lambda Function URLs are a better fit than the AWS API Gateway. This removes the cost and management of the API Gateway resources within the module.
- With the deletion of the API comes the removal of the `github_webhook_validator` module. The request authentication logic that was performed within the validator Lambda Function is now migrated into the receiver Lambda Function.
v0.2.0
Upgrades
- The most significant upgrade within this release is that all CodeBuild projects are replaced with ECS Fargate tasks. Specifically, this includes the existing Create Deploy Stack and Terra Run jobs.
- Instead of the module building the container image within the Terraform apply process, users can specify their own Docker image or use the pre-built GitHub registry image attached to the module repo. This gives the ability to install additional dependencies within their provided image that may fall outside the scope of Terraform resources.
- Unlike CodeBuild, ECS tasks don't have integrated GitHub webhook triggers. To work around this limitation, the AWS ApiGateway API now includes an endpoint for both open and merged pull request activity. The API will send the webhook request to a Lambda Function to verify the request's SHA256 signature and check that the GitHub event meets the requirements to trigger the downstream Lambda Function.
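The two checks the receiver performs, signature verification over the raw body followed by the event filter for opened and merged pull requests, as an added illustration that is not the module's own Lambda code; the secret value, header lookups and return shape are assumptions of this example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for this example; the module stores its real secret elsewhere.
WEBHOOK_SECRET = b"example-webhook-secret"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Return the value GitHub puts in X-Hub-Signature-256 for this raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def signature_is_valid(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Check the HMAC-SHA256 signature over the raw (unparsed) body in constant time."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(sign_payload(secret, body), header_value)


def event_should_trigger(event_name: Optional[str], payload: dict) -> bool:
    """Accept only pull_request events for opened PRs or closed PRs that were merged."""
    if event_name != "pull_request":
        return False
    action = payload.get("action")
    merged = (payload.get("pull_request") or {}).get("merged") is True
    return action == "opened" or (action == "closed" and merged)


def handle_webhook(headers: dict, body: bytes, secret: bytes = WEBHOOK_SECRET) -> dict:
    """Receiver logic: 401 on a bad signature, otherwise 200 (triggered or ignored).

    Headers are looked up by lower-case name, matching how the function URL event delivers them.
    """
    if not signature_is_valid(secret, body, headers.get("x-hub-signature-256")):
        return {"status": 401, "reason": "invalid signature"}
    payload = json.loads(body)  # only parsed after the signature check passed
    if not event_should_trigger(headers.get("x-github-event"), payload):
        return {"status": 200, "reason": "event ignored"}
    return {"status": 200, "reason": "triggered"}


if __name__ == "__main__":
    # Constructed sample: a merged pull request event signed with the example secret.
    sample_body = b'{"action": "closed", "pull_request": {"merged": true}}'
    sample_headers = {"x-github-event": "pull_request",
                      "x-hub-signature-256": sign_payload(WEBHOOK_SECRET, sample_body)}
    print(handle_webhook(sample_headers, sample_body))
```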
Enhancements
- Replace `deploy_*` with `apply_*` variables and resources. Makes more intuitive sense given that the deployments are essentially just Terraform apply actions.
- A new ECS task named PR Plan is implemented for creating Terraform plans for directories that have added and/or modified IaC files within pull requests
- All ECS tasks' CPU and memory configurations can be defined via `<task>_cpu` and `<task>_memory` Terraform variables
- Change Create Deploy Stack `GRAPH_SCAN` to `SCAN_TYPE` env var. The old `GRAPH_SCAN` would use the graph-dependencies scan if the env var were present, while the new `SCAN_TYPE` env var accepts the name of the scan type.
- The `SCAN_TYPE` value is now stored within an AWS Systems Manager Parameter Store resource. Users can now quickly update the scan type via the parameter value without editing and reapplying the module.
- Step Function execution and all ECS tasks can send commit statuses specifying the state of the service. This can be toggled by editing the AWS Systems Manager Parameter Store value's JSON mapping or the `var.commit_status_config` variable like so:

```hcl
commit_status_config = {
  PrPlan            = true
  CreateDeployStack = false
  Plan              = false
  Apply             = false
  Execution         = true
}
```

- Add conditional IAM permissions for ECS tasks to access private Docker registry images
- Add initial Diagram as Code
- Given that the GitHub permissions needed by individual services within the module are the same, users now have to specify one GitHub token rather than two
Bug Fixes
- To work around the `nfx04/dummy` dummy provider being deleted, I ended up biting the bullet and creating my own very minimal dummy Terraform provider specified under `marshall7m/dummy` within the Terraform registry. This dummy provider is used for integration testing scenarios where the provider block is removed before the resources are deleted
v0.1.0
Enhancements
Module
- Replace prefixing resources with `var.step_function_name` with the actual `var.prefix` variable
- Use pinned Terraform sub-module source versions instead of using the sub-module's possibly unstable master branch
- Remove `module.ecr_common_image` and replace with a ghcr image that has its own GitHub Actions release workflow
  - This brings the benefit of decoupling the Docker build process from the Terraform module deployment
  - Allows the user to pin down a specific version of the image
  - Opens up the ability to run an older version of the module with a newer version of the image that may contain updated packages
- Add a common entrypoint script to the create deploy stack and terra run buildspec definitions to install the user-defined Terraform/Terragrunt versions at runtime
- Add the following execution context data to the approval request email template:
  - `LogsUrl`: CloudWatch log stream associated with the Step Function execution's `Plan` task
  - `ExecutionName`: Step Function execution ID
  - `AccountName`: AWS account name
  - `PullRequestID`: Pull Request #
- Replace general `var.github_token_ssm_key` with `var.github_webhook_validator_github_token_ssm_key` for `module.github_webhook_validator` and `local.merge_lock_github_token_ssm_key` for `module.lambda_merge_lock`
- Replace inline `local.metadb_setup_script` with templated `metadb_setup_script.sh`
- Add a `random_id` suffix to `aws_secretsmanager_secret` to prevent duplicate naming issues with Secrets Manager values that are scheduled for deletion
Tests
- Add GitHub actions workflow
- Includes a job for pre-commit hooks, unit tests and integration tests
- Implements conditional jobs that allow the Github workflow to run locally via act
- Use ghcr.io/marshall7m/terrace:v0.1.8 for Docker compose unit and integration testing services
- Use handy `dummy_thing` resource from the Terraform provider `nfx04/dummy` for rollback new provider resources integration testing. Replaces dummy `github_repository` resource that required additional teardown logic
- Add black, flake8, sqlfluff-lint, and shellcheck pre-commit hooks for enforcing style and format checks for .py, .sql and .sh files. Release also includes fixes to adhere to the hooks
- Use authenticated sender email address to actually test approval request Lambda Function logic instead of patching the API request
- Create useful `aws_session_expiration_check` fixture that skips all integration tests if the `AWS_SESSION_EXPIRATION` is less than a specified amount of time. No more mid-way expired session token surprises within integration testing!
- Add Terraform/Terragrunt version constraint markdown table for create deploy stack and terra run builds
Bug Fixes
- Replace overwriting AWS credentials with dummy values within the unit test `aws_credentials` fixture with setting the value only if it doesn't already exist. This fixes the case where the `aws_credentials` fixture overwrites the GitHub workflow's actual AWS credentials, which causes downstream tests that need valid AWS credentials to fail
v0.1.0-alpha
`v0.1.0-alpha` contains a stable version of the Terraform module. The module passes all unit and integration tests.
Any level of feedback will be very much appreciated.
New tags may be related to the features defined under the #TODO section of the README.md.