From c9cbe10e1dbd5090574d5e1179a98e04c87a67d6 Mon Sep 17 00:00:00 2001 
From: Tyler Hendrickson Date: Mon, 18 Sep 2023 15:33:35 -0500 Subject: [PATCH 01/17] Feat: Harden GHA workflows (#335) --- .github/workflows/aws-auth.yml | 64 ++++ .github/workflows/build-and-deploy.yml | 97 ------ .github/workflows/build.yml | 322 ++++++++++++++++++ .github/workflows/ci.yml | 310 +++++------------ .github/workflows/code-scanning.yml | 57 ++++ .github/workflows/codeql.yml | 33 -- .github/workflows/deploy-production.yml | 216 +++++------- .github/workflows/deploy-staging.yml | 98 +++++- .github/workflows/publish-terraform-plan.yml | 137 ++++++++ .github/workflows/qa.yml | 102 ++++++ .github/workflows/terraform-apply.yml | 131 +++++++ .github/workflows/terraform-plan.yml | 210 ++++++++++++ terraform/local.tfvars | 1 + terraform/main.tf | 10 + .../modules/DownloadFFISSpreadsheet/main.tf | 1 + .../DownloadFFISSpreadsheet/variables.tf | 5 + terraform/modules/DownloadGrantsGovDB/main.tf | 4 +- .../modules/DownloadGrantsGovDB/variables.tf | 5 + terraform/modules/EnqueueFFISDownload/main.tf | 1 + .../modules/EnqueueFFISDownload/variables.tf | 5 + .../modules/ExtractGrantsGovDBToXML/main.tf | 1 + .../ExtractGrantsGovDBToXML/variables.tf | 5 + terraform/modules/PersistFFISData/main.tf | 1 + .../modules/PersistFFISData/variables.tf | 5 + .../modules/PersistGrantsGovXMLDB/main.tf | 1 + .../PersistGrantsGovXMLDB/variables.tf | 5 + terraform/modules/PublishGrantEvents/main.tf | 1 + .../modules/PublishGrantEvents/variables.tf | 5 + terraform/modules/ReceiveFFISEmail/main.tf | 1 + .../modules/ReceiveFFISEmail/variables.tf | 5 + .../modules/SplitFFISSpreadsheet/main.tf | 1 + .../modules/SplitFFISSpreadsheet/variables.tf | 5 + terraform/modules/SplitGrantsGovXMLDB/main.tf | 1 + .../modules/SplitGrantsGovXMLDB/variables.tf | 5 + .../modules/taskfile_lambda_builder/main.tf | 2 + .../taskfile_lambda_builder/variables.tf | 6 + terraform/production.tfvars | 1 + terraform/staging.tfvars | 1 + terraform/variables.tf | 6 + 39 files changed, 1365 insertions(+), 502 
deletions(-)
 create mode 100644 .github/workflows/aws-auth.yml
 delete mode 100644 .github/workflows/build-and-deploy.yml
 create mode 100644 .github/workflows/build.yml
 create mode 100644 .github/workflows/code-scanning.yml
 delete mode 100644 .github/workflows/codeql.yml
 create mode 100644 .github/workflows/publish-terraform-plan.yml
 create mode 100644 .github/workflows/qa.yml
 create mode 100644 .github/workflows/terraform-apply.yml
 create mode 100644 .github/workflows/terraform-plan.yml
diff --git a/.github/workflows/aws-auth.yml b/.github/workflows/aws-auth.yml
new file mode 100644
index 00000000..d86468f0
--- /dev/null
+++ b/.github/workflows/aws-auth.yml
@@ -0,0 +1,64 @@ +name: Configure AWS Credentials + +on: + workflow_call: + inputs: + aws-region: + type: string + required: true + secrets: + role-to-assume: + required: true + gpg-passphrase: + required: true + outputs: + aws-access-key-id: + value: ${{ jobs.oidc-auth.outputs.aws-access-key-id }} + aws-secret-access-key: + value: ${{ jobs.oidc-auth.outputs.aws-secret-access-key }} + aws-session-token: + value: ${{ jobs.oidc-auth.outputs.aws-session-token }} + +permissions: + contents: read + id-token: write + +jobs: + oidc-auth: + name: OIDC Auth + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write + outputs: + aws-access-key-id: ${{ steps.encrypt-aws-access-key-id.outputs.out }} + aws-secret-access-key: ${{ steps.encrypt-aws-secret-access-key.outputs.out }} + aws-session-token: ${{ steps.encrypt-aws-session-token.outputs.out }} + steps: + - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + disable-sudo: true + egress-policy: audit + - id: auth + uses: aws-actions/configure-aws-credentials@04b98b3f9e85f563fb061be8751a0352327246b0 # v3.0.1 + with: + aws-region: us-west-2 + role-to-assume: "${{ secrets.role-to-assume }}" + - id: encrypt-aws-access-key-id + run: | + encrypted=$(gpg --batch --yes --passphrase "$GPG_PASSPHRASE" -c --cipher-algo AES256 -o - <(echo "$AWS_ACCESS_KEY_ID") | base64 -w0) + echo "out=$encrypted" >> $GITHUB_OUTPUT + env: + GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }} + - id: encrypt-aws-secret-access-key + run: | + encrypted=$(gpg --batch --yes --passphrase "$GPG_PASSPHRASE" -c --cipher-algo AES256 -o - <(echo "$AWS_SECRET_ACCESS_KEY") | base64 -w0) + echo "out=$encrypted" >> $GITHUB_OUTPUT + env: + GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }} + - id: encrypt-aws-session-token + run: | + encrypted=$(gpg --batch --yes --passphrase "$GPG_PASSPHRASE" -c --cipher-algo AES256 -o - <(echo "$AWS_SESSION_TOKEN") | base64 -w0) + echo "out=$encrypted" >> $GITHUB_OUTPUT + env: + 
GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }}
diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml
deleted file mode 100644
index 94d824d8..00000000
--- a/.github/workflows/build-and-deploy.yml
+++ /dev/null
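Review bot: The `aws-region` input is declared `required: true` but the configure-aws-credentials step ignores it and hard-codes `aws-region: us-west-2`, so a caller passing any other region silently authenticates in us-west-2; change the step to `aws-region: ${{ inputs.aws-region }}`. The three encrypt steps turn short-lived AWS credentials into job outputs, which GitHub does not treat as secrets (presumably why they are encrypted), so their confidentiality rests entirely on the strength of `secrets.gpg-passphrase`; a comment above the job's `outputs:` should say so, e.g. `# Values are AES256 symmetric ciphertext; job outputs are not masked, so the gpg-passphrase secret is the only protection`. This job also uses `egress-policy: audit` where the other new jobs in this change use `block`; if audit mode is intentional while the endpoint list is being collected, say so in a comment.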
@@ -1,97 +0,0 @@ -name: Build and deploy - -on: - workflow_call: - inputs: - tf_backend_config_file: - type: string - required: true - tf_var_file: - type: string - required: true - secrets: - AWS_ROLE_TO_ASSUME: - required: true - DATADOG_API_KEY: - required: true - DATADOG_APP_KEY: - required: true - -concurrency: - group: ${{ github.workflow_ref }} - -permissions: - contents: read - id-token: write - -jobs: - deploy_terraform: - name: Deploy terraform - runs-on: ubuntu-latest - if: always() - env: - TF_PLUGIN_CACHE_DIR: ~/.terraform.d/plugin-cache - TF_VAR_version_identifier: ${{ github.sha }} - TF_VAR_git_commit_sha: ${{ github.sha }} - TF_VAR_datadog_api_key: ${{ secrets.DATADOG_API_KEY }} - TF_VAR_datadog_app_key: ${{ secrets.DATADOG_APP_KEY }} - steps: - - uses: actions/checkout@v3 - - uses: actions/cache@v3 - with: - key: ${{ runner.os }}-taskfile - path: | - ~/.task - ~/bin - ~/build - ~/terraform/builds - - uses: actions/cache@v3 - with: - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - path: | - ~/.cache/go-build - ~/go/pkg/mod - - name: Setup Go - uses: actions/setup-go@v4 - with: - go-version-file: go.mod - - name: Install Taskfile - uses: arduino/setup-task@v1 - with: - version: 3.x - - name: Pre-build optimization - run: task prebuild-lambda - - name: Get project TF version - id: get_version - run: echo "TF_VERSION=$(cat .terraform-version | tr -d '[:space:]')" | tee -a $GITHUB_OUTPUT - working-directory: terraform - - uses: hashicorp/setup-terraform@v2 - with: - terraform_version: ${{ steps.get_version.outputs.TF_VERSION }} - - name: Ensure Terraform plugin cache exists - run: mkdir -p $TF_PLUGIN_CACHE_DIR - - name: Save/Restore Terraform plugin cache - uses: actions/cache@v3 - with: - path: ${{ env.TF_PLUGIN_CACHE_DIR }} - key: ${{ runner.os }}-terraform-${{ hashFiles('**/.terraform.lock.hcl') }} - restore-keys: | - ${{ runner.os }}-terraform- - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v1 - with: - 
aws-region: us-west-2 - role-to-assume: "${{ secrets.AWS_ROLE_TO_ASSUME }}" - - name: Terraform Init - id: init - run: terraform init -backend-config="${{ inputs.tf_backend_config_file }}" - working-directory: terraform - - name: Terraform Validate - id: validate - run: terraform validate -no-color - working-directory: terraform - - name: Terraform Apply - if: steps.validate.outcome == 'success' - id: apply - run: terraform apply -auto-approve -input=false -no-color -var-file="${{ inputs.tf_var_file }}" - working-directory: terraform diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 00000000..36662694 --- /dev/null +++ b/.github/workflows/build.yml 
@@ -0,0 +1,322 @@ +name: Build + +on: + workflow_call: + inputs: + ref: + type: string + required: true + artifacts-retention-days: + description: Number of days to retain build artifacts + type: number + default: 90 + build-cli: + type: boolean + default: false + build-lambdas: + type: boolean + default: false + outputs: + build-cli-result: + value: ${{ jobs.build-cli.result }} + build-lambdas-result: + value: ${{ jobs.build-lambdas.result }} + cli-artifacts-key: + value: ${{ jobs.build-cli.outputs.artifacts-key }} + cli-artifacts-path: + value: ${{ jobs.build-cli.outputs.artifacts-path }} + cli-checksums-sha256: + value: ${{ jobs.build-cli.outputs.checksums-sha256 }} + lambda-artifacts-key: + value: ${{ jobs.build-lambdas.outputs.artifacts-key }} + lambda-artifacts-path: + value: ${{ jobs.build-lambdas.outputs.artifacts-path }} + lambda-checksums-sha256: + value: ${{ jobs.build-lambdas.outputs.checksums-sha256 }} + +jobs: + prepare: + runs-on: ubuntu-latest + env: + SOURCES_KEY: go-sources-${{ inputs.ref }} + SOURCES_PATH: | + ${{ github.workspace }}/cli + ${{ github.workspace }}/cmd + ${{ github.workspace }}/internal + ${{ github.workspace }}/pkg + ${{ github.workspace }}/openapi/openapi.yaml + ${{ github.workspace }}/go.mod + ${{ github.workspace }}/go.sum + ${{ github.workspace }}/Taskfile.yml + outputs: + sources-key: ${{ env.SOURCES_KEY }} + sources-path: ${{ env.SOURCES_PATH }} + steps: + - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + actions-results-receiver-production.githubapp.com:443 + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + proxy.golang.org:443 + sum.golang.org:443 + storage.googleapis.com:443 + - uses: actions/checkout@v4 + with: + show-progress: 'false' + persist-credentials: 'false' + - uses: actions/setup-go@v4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + go-version-file: go.mod + - uses: 
arduino/setup-task@v1 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + version: 3.x + - name: Pre-build optimization + run: task prebuild-lambda + - name: Store build sources + id: store + uses: actions/upload-artifact@v3 + with: + name: ${{ env.SOURCES_KEY }} + path: ${{ env.SOURCES_PATH }} + if-no-files-found: error + retention-days: ${{ inputs.artifacts-retention-days }} + + build-lambdas: + name: Build Lambdas + if: needs.prepare.result == 'success' && inputs.build-lambdas + runs-on: ubuntu-latest + needs: + - prepare + env: + ARTIFACTS_KEY: lambdas-${{ inputs.ref }} + ARTIFACTS_PATH: ${{ github.workspace }}/bin + outputs: + artifacts-key: ${{ env.ARTIFACTS_KEY }} + artifacts-path: ${{ env.ARTIFACTS_PATH }} + checksums-sha256: ${{ steps.final-checksums.outputs.sha256 }} + steps: + - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + actions-results-receiver-production.githubapp.com:443 + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + proxy.golang.org:443 + sum.golang.org:443 + raw.githubusercontent.com:443 + - name: Restore Go build sources + uses: actions/download-artifact@v3 + with: + name: ${{ needs.prepare.outputs.sources-key }} + path: . 
+ - uses: actions/setup-go@v4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + go-version-file: go.mod + - uses: arduino/setup-task@v1 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + version: 3.x + - name: Prepare artifacts output directory + run: | + mkdir -p "$ARTIFACTS_PATH" + rm -rf "$ARTIFACTS_PATH/*" + - name: Build Lambdas + id: build + run: task build + - name: Get compiled checksums + id: compiled-checksums + run: | + COMPILED_CHECKSUMS=$(find "$ARTIFACTS_PATH" -type f -exec sha256sum -b {} \;) + echo "sha256<> $GITHUB_OUTPUT + echo "$COMPILED_CHECKSUMS" >> $GITHUB_OUTPUT + echo "EOF" >> $GITHUB_OUTPUT + - name: Install UPX + uses: crazy-max/ghaction-upx@0fc45e912669ba9e8fa2b430e97c8da2a632e29b # v3.0.0 + with: + version: v4.1.0 + install-only: true + - name: Run UPX + id: pack + run: | + UPX_RESULT=$(upx -5 -q "$ARTIFACTS_PATH"/*/bootstrap) + echo "result<> $GITHUB_OUTPUT + echo "$UPX_RESULT" >> $GITHUB_OUTPUT + echo "EOF" >> $GITHUB_OUTPUT + - name: Get final checksums + id: final-checksums + run: | + FINAL_CHECKSUMS=$(find "$ARTIFACTS_PATH" -type f -exec sha256sum -b {} \;) + echo "sha256<> $GITHUB_OUTPUT + echo "$FINAL_CHECKSUMS" >> $GITHUB_OUTPUT + echo "EOF" >> $GITHUB_OUTPUT + - name: Publish build results + run: | + REPORT_FILE=$(mktemp -t summary.md.XXXXX) + cat >> $REPORT_FILE << 'ENDOFREPORT' + ## Build Lambdas Summary + +
+ Compiled Checksums (before packing) + + ``` + ${{ env.COMPILED_CHECKSUMS }} + ``` + +
+
+ Final Checksums + + ``` + ${{ env.FINAL_CHECKSUMS }} + ``` + +
+
+ UPX Packing Results + + ``` + ${{ env.UPX_RESULT }} + ``` + +
+ ENDOFREPORT + cat "$REPORT_FILE" >> $GITHUB_STEP_SUMMARY + env: + COMPILED_CHECKSUMS: ${{ steps.compiled-checksums.outputs.sha256 }} + FINAL_CHECKSUMS: ${{ steps.final-checksums.outputs.sha256 }} + UPX_RESULT: ${{ steps.pack.outputs.result }} + - name: Store build artifacts + id: store + uses: actions/upload-artifact@v3 + with: + name: ${{ env.ARTIFACTS_KEY }} + path: ${{ env.ARTIFACTS_PATH }} + if-no-files-found: error + retention-days: ${{ inputs.artifacts-retention-days }} + + build-cli: + name: Build CLI + if: needs.prepare.result == 'success' && inputs.build-cli + runs-on: ubuntu-latest + needs: + - prepare + env: + ARTIFACTS_KEY: cli-${{ inputs.ref }} + ARTIFACTS_PATH: ${{ github.workspace }}/bin/grants-ingest + outputs: + artifacts-key: ${{ env.ARTIFACTS_KEY }} + artifacts-path: ${{ env.ARTIFACTS_PATH }} + checksums-sha256: ${{ steps.final-checksums.outputs.sha256 }} + steps: + - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + actions-results-receiver-production.githubapp.com:443 + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + proxy.golang.org:443 + sum.golang.org:443 + raw.githubusercontent.com:443 + - name: Restore Go build sources + uses: actions/download-artifact@v3 + with: + name: ${{ needs.prepare.outputs.sources-key }} + path: . 
+ - uses: actions/setup-go@v4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + go-version-file: go.mod + - uses: arduino/setup-task@v1 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + version: 3.x + - name: Prepare artifacts output directory + run: | + mkdir -p $(dirname $ARTIFACTS_PATH) + rm "$ARTIFACTS_PATH" + - name: Build CLI + id: build + run: task build-cli + - name: Get compiled checksums + id: compiled-checksums + run: | + COMPILED_CHECKSUMS=$(sha256sum -b "$ARTIFACTS_PATH") + echo "sha256<> $GITHUB_OUTPUT + echo "$COMPILED_CHECKSUMS" >> $GITHUB_OUTPUT + echo "EOF" >> $GITHUB_OUTPUT + - name: Install UPX + uses: crazy-max/ghaction-upx@0fc45e912669ba9e8fa2b430e97c8da2a632e29b # v3.0.0 + with: + version: v4.1.0 + install-only: true + - name: Run UPX + id: pack + run: | + UPX_RESULT=$(upx -5 -q "$ARTIFACTS_PATH") + echo "result<> $GITHUB_OUTPUT + echo "$UPX_RESULT" >> $GITHUB_OUTPUT + echo "EOF" >> $GITHUB_OUTPUT + - name: Get final checksums + id: final-checksums + run: | + FINAL_CHECKSUMS=$(sha256sum -b "$ARTIFACTS_PATH") + echo "sha256<> $GITHUB_OUTPUT + echo "$FINAL_CHECKSUMS" >> $GITHUB_OUTPUT + echo "EOF" >> $GITHUB_OUTPUT + - name: Publish build results + run: | + REPORT_FILE=$(mktemp -t summary.md.XXXXX) + cat >> $REPORT_FILE << 'ENDOFREPORT' + ## Build Lambdas Summary + +
+ Compiled Checksums (before packing) + + ``` + ${{ env.COMPILED_CHECKSUMS }} + ``` + +
+
+ Final Checksums + + ``` + ${{ env.FINAL_CHECKSUMS }} + ``` + +
+
+ UPX Packing Results + + ``` + ${{ env.UPX_RESULT }} + ``` + +
+ ENDOFREPORT + cat "$REPORT_FILE" >> $GITHUB_STEP_SUMMARY + env: + COMPILED_CHECKSUMS: ${{ steps.compiled-checksums.outputs.sha256 }} + FINAL_CHECKSUMS: ${{ steps.final-checksums.outputs.sha256 }} + UPX_RESULT: ${{ steps.pack.outputs.result }} + - name: Store build artifacts + id: store + uses: actions/upload-artifact@v3 + with: + name: ${{ env.ARTIFACTS_KEY }} + path: ${{ env.ARTIFACTS_PATH }} + if-no-files-found: error + retention-days: ${{ inputs.artifacts-retention-days }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ecc8505e..023b9dff 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
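Review bot: In the build-lambdas job's "Prepare artifacts output directory" step, `rm -rf "$ARTIFACTS_PATH/*"` quotes the glob, so it removes only a file literally named `*` and the directory is never cleared; write `rm -rf "$ARTIFACTS_PATH"/*`. The matching step in build-cli runs `rm "$ARTIFACTS_PATH"` without `-f`, and since the restored sources artifact does not include `bin/`, the missing file makes that step fail on a fresh runner; use `rm -f "$ARTIFACTS_PATH"`. The `prepare` job's `actions/checkout@v4` has no `ref:`, so the required `ref` input only labels the artifacts and may not be the commit actually built; be careful before adding `ref: ${{ inputs.ref }}`, because ci.yml calls this workflow from `pull_request_target` with the PR head SHA, and running that ref's Taskfile with the base repository's `GITHUB_TOKEN` and secrets in scope is the classic pull_request_target hazard — document what `ref` means or change the trigger rather than check it out. The build-cli summary heading copies `## Build Lambdas Summary` and should read `## Build CLI Summary`. For a hardening change, `actions/checkout@v4`, `actions/setup-go@v4`, `arduino/setup-task@v1`, `actions/upload-artifact@v3` and `actions/download-artifact@v3` are still tag-pinned while harden-runner and ghaction-upx are SHA-pinned; pin them all to commit SHAs with a version comment.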
@@ -1,239 +1,83 @@ name: Continuous Integration on: - pull_request: {} - -permissions: - contents: read - pull-requests: write - id-token: write + pull_request_target: {} jobs: - dependency-review: - name: Dependency Review - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - uses: actions/dependency-review-action@v3 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - qa: - name: QA - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - name: Restore/save Taskfile cache - uses: actions/cache@v3 - with: - key: ${{ runner.os }}-taskfile - path: | - ~/.task - ~/bin - ~/build - ~/cover.out - ~/cover.html - - uses: actions/setup-go@v4 - with: - token: ${{ secrets.GITHUB_TOKEN }} - go-version-file: go.mod - - uses: arduino/setup-task@v1 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - version: 3.x - - name: Pre-build optimization - run: task prebuild-lambda - - name: Check Formatting - run: test -z "$(go fmt ./...)" || echo "Formatting check failed." - - name: Test - run: task test - - name: Vet - run: go vet ./... 
- - name: Lint - uses: dominikh/staticcheck-action@v1.3.0 - with: - install-go: false - - name: Build Lambdas - run: task build - - name: Build CLI - run: task build-cli - - tflint: - name: Lint terraform - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - name: Checkout source code - - uses: actions/cache@v3 - name: Cache plugin dir - with: - path: ~/.tflint.d/plugins - key: ${{ runner.os }}-tflint-${{ hashFiles('terraform/.tflint.hcl') }} - - uses: terraform-linters/setup-tflint@v3 - name: Setup TFLint - with: - tflint_version: latest - - name: Show TFLint version - run: tflint --version - - name: Init TFLint - run: tflint --init - working-directory: terraform - env: - GITHUB_TOKEN: ${{ github.token }} - - name: Run TFLint - run: tflint -f compact --recursive - - terraform_validate_plan_report: - name: Validate and plan terraform - runs-on: ubuntu-latest - if: always() - defaults: - run: - working-directory: terraform - env: - TF_PLUGIN_CACHE_DIR: ~/.terraform.d/plugin-cache - TF_VAR_version_identifier: ${{ github.sha }} - TF_VAR_git_commit_sha: ${{ github.sha }} - TF_VAR_datadog_api_key: ${{ secrets.DATADOG_API_KEY }} - TF_VAR_datadog_app_key: ${{ secrets.DATADOG_APP_KEY }} - concurrency: - group: run_terraform-staging - cancel-in-progress: false - steps: - - uses: actions/checkout@v3 - - uses: actions/cache@v3 - with: - key: ${{ runner.os }}-taskfile - path: | - ~/.task - ~/bin - ~/build - ~/terraform/builds - - uses: actions/cache@v3 - with: - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - path: | - ~/.cache/go-build - ~/go/pkg/mod - - name: Setup Go - uses: actions/setup-go@v4 - with: - go-version-file: go.mod - - name: Install Taskfile - uses: arduino/setup-task@v1 - with: - version: 3.x - - name: Pre-build optimization - run: task prebuild-lambda - - name: Get project TF version - id: get_version - run: echo "TF_VERSION=$(cat .terraform-version | tr -d '[:space:]')" | tee -a $GITHUB_OUTPUT - - uses: hashicorp/setup-terraform@v2 - 
with: - terraform_version: ${{ steps.get_version.outputs.TF_VERSION }} - - name: Ensure Terraform plugin cache exists - run: mkdir -p $TF_PLUGIN_CACHE_DIR - - name: Save/Restore Terraform plugin cache - uses: actions/cache@v3 - with: - path: ${{ env.TF_PLUGIN_CACHE_DIR }} - key: ${{ runner.os }}-terraform-${{ hashFiles('**/.terraform.lock.hcl') }} - restore-keys: | - ${{ runner.os }}-terraform- - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v2 - with: - aws-region: us-west-2 - role-to-assume: "${{ secrets.CI_ROLE_ARN }}" - - name: Terraform fmt - id: fmt - run: terraform fmt -check -diff -recursive - - name: Ensure Terraform plugin cache still exists - run: mkdir -p $TF_PLUGIN_CACHE_DIR - - name: Terraform Init - id: init - run: terraform init -backend-config="staging.s3.tfbackend" - - name: Terraform Validate - id: validate - run: terraform validate -no-color - - name: Terraform Plan - if: steps.validate.outcome == 'success' - id: plan - run: terraform plan -input=false -no-color -out=tfplan -var-file="staging.tfvars" && terraform show -no-color tfplan - - name: Reformat Plan - if: always() && steps.plan.outcome != 'cancelled' && steps.plan.outcome != 'skipped' - run: | - echo '${{ steps.plan.outputs.stdout || steps.plan.outputs.stderr }}' \ - | sed -E 's/^([[:space:]]+)([-+])/\2\1/g' > plan.txt - PLAN=$(cat plan.txt | head -c 65300) # Observe GitHub's 65535 character limit - echo "PLAN<> $GITHUB_ENV - echo "$PLAN" >> $GITHUB_ENV - echo "EOF" >> $GITHUB_ENV - - name: Write the report markdown file - if: always() - run: | - REPORT_FILE=$(mktemp -t summary.md.XXXXX ) - echo "REPORT_FILE=$REPORT_FILE" >> $GITHUB_ENV - cat >> $REPORT_FILE << 'ENDOFREPORT' - ## Terraform Summary - - | Step | Result | - |:-----------------------------|:-------:| - | 🖌 Terraform Format & Style | ${{ (steps.fmt.outcome == 'success' && '✅') || (steps.fmt.outcome == 'skipped' && '➖') || '❌' }} | - | ⚙️ Terraform Initialization | ${{ (steps.init.outcome == 
'success' && '✅') || (steps.init.outcome == 'skipped' && '➖') || '❌' }} | - | 🤖 Terraform Validation | ${{ (steps.validate.outcome == 'success' && '✅') || (steps.validate.outcome == 'skipped' && '➖') || '❌' }} | - | 📖 Terraform Plan | ${{ (steps.plan.outcome == 'success' && '✅') || (steps.plan.outcome == 'skipped' && '➖') || '❌' }} | - - ### Output - -
- Validation Output - - ``` - ${{ steps.validate.outputs.stdout }} - ``` - -
- -
- Plan Output - - ```diff - ${{ env.PLAN }} - ``` - -
- - *Pusher: @${{ github.actor }}, Action: `${{ github.event_name }}`, Workflow: [`${{ github.workflow }}`](${{ github.server_url}}/${{ github.repository }}/actions/runs/${{ github.run_id }})* - ENDOFREPORT - - - name: Write the step summary - if: always() - run: | - cat $REPORT_FILE >> $GITHUB_STEP_SUMMARY - CONTENT=$(cat $REPORT_FILE) - echo "REPORT_CONTENT<> $GITHUB_ENV - echo "$CONTENT" >> $GITHUB_ENV - echo "ENDOFREPORT" >> $GITHUB_ENV - - name: Find previous report comment - if: always() - uses: peter-evans/find-comment@v2 - id: fc - with: - issue-number: ${{ github.event.pull_request.number }} - comment-author: 'github-actions[bot]' - body-includes: Terraform Summary - - name: Create or update comment - if: always() - uses: peter-evans/create-or-update-comment@v2 - with: - comment-id: ${{ steps.fc.outputs.comment-id }} - issue-number: ${{ github.event.pull_request.number }} - body: ${{ env.REPORT_CONTENT }} - edit-mode: replace - - name: Print zip md5s - if: always() - run: md5sum builds/* - - name: Print bin md5s - if: always() - run: md5sum ../bin/*/* + permissions: + contents: read + uses: ./.github/workflows/qa.yml + with: + ref: ${{ github.event.pull_request.head.sha }} + + build-lambdas: + permissions: + contents: read + name: Build Lambda handlers + uses: ./.github/workflows/build.yml + with: + ref: ${{ github.event.pull_request.head.sha }} + build-cli: false + build-lambdas: true + artifacts-retention-days: 14 + + aws-auth: + name: Configure AWS Credentials + permissions: + contents: read + id-token: write + uses: ./.github/workflows/aws-auth.yml + with: + aws-region: us-west-2 + secrets: + role-to-assume: ${{ secrets.CI_ROLE_ARN }} + gpg-passphrase: ${{ secrets.TFPLAN_SECRET }} + + tf-plan: + name: Plan Terraform + permissions: + contents: read + needs: + - aws-auth + - build-lambdas + uses: ./.github/workflows/terraform-plan.yml + if: always() && needs.build-lambdas.outputs.build-lambdas-result == 'success' && needs.aws-auth.result == 'success' + 
with: + ref: ${{ github.event.pull_request.head.sha }} + concurrency-group: run_terraform-staging + bin-artifacts-key: ${{ needs.build-lambdas.outputs.lambda-artifacts-key }} + bin-artifacts-path: ${{ needs.build-lambdas.outputs.lambda-artifacts-path }} + aws-region: us-west-2 + environment-key: staging + tf-backend-config-file: staging.s3.tfbackend + tf-var-file: staging.tfvars + upload-artifacts: false + artifacts-retention-days: 14 + secrets: + aws-access-key-id: ${{ needs.aws-auth.outputs.aws-access-key-id }} + aws-secret-access-key: ${{ needs.aws-auth.outputs.aws-secret-access-key }} + aws-session-token: ${{ needs.aws-auth.outputs.aws-session-token }} + datadog-api-key: ${{ secrets.DATADOG_API_KEY }} + datadog-app-key: ${{ secrets.DATADOG_APP_KEY }} + gpg-passphrase: ${{ secrets.TFPLAN_SECRET }} + + publish-tf-plan: + name: Publish Terraform Plan + permissions: + contents: read + pull-requests: write + if: needs.tf-plan.result != 'skipped' || needs.tf-plan.result != 'cancelled' + needs: + - tf-plan + uses: ./.github/workflows/publish-terraform-plan.yml + with: + write-summary: true + write-comment: true + pr-number: ${{ github.event.pull_request.number }} + tf-fmt-outcome: ${{ needs.tf-plan.outputs.fmt-outcome }} + tf-init-outcome: ${{ needs.tf-plan.outputs.init-outcome }} + tf-plan-outcome: ${{ needs.tf-plan.outputs.plan-outcome }} + tf-plan-output: ${{ needs.tf-plan.outputs.plan-output }} + tf-validate-outcome: ${{ needs.tf-plan.outputs.validate-outcome }} + tf-validate-output: ${{ needs.tf-plan.outputs.validate-output }} diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml new file mode 100644 index 00000000..91794f72 --- /dev/null +++ b/.github/workflows/code-scanning.yml 
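Review bot: The publish-tf-plan condition `if: needs.tf-plan.result != 'skipped' || needs.tf-plan.result != 'cancelled'` is always true, because a result cannot equal both values, and with no status function present `success()` is implied, so the job never publishes the report for a failed plan, which is presumably the point of passing `tf-init-outcome` and the other outcome inputs; use `if: always() && needs.tf-plan.result != 'skipped' && needs.tf-plan.result != 'cancelled'`. The same expression appears in the deploy-production.yml and deploy-staging.yml hunks. Switching the trigger from `pull_request` to `pull_request_target` gives runs for fork pull requests access to `CI_ROLE_ARN`, `TFPLAN_SECRET` and the Datadog keys while `github.event.pull_request.head.sha` is passed as `ref` into qa.yml, build.yml and terraform-plan.yml; that is safe only if none of those workflows check out and execute that ref, since a `task` or `terraform plan` run on PR-controlled code executes with the staging credentials in reach. qa.yml and terraform-plan.yml are outside this chunk, so I cannot confirm; a comment next to `pull_request_target: {}` stating that called workflows must never execute `inputs.ref` would at least make the invariant explicit.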
@@ -0,0 +1,57 @@ +name: "Code Scanning" + +on: + push: + branches: + - main + pull_request: + branches: + - main + schedule: + - cron: '35 8 * * 1-5' + +jobs: + dependency-review: + name: Dependency Review + runs-on: ubuntu-latest + steps: + - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + - uses: actions/checkout@v4 + with: + show-progress: 'false' + persist-credentials: 'false' + - uses: actions/dependency-review-action@v3 + + codeql: + name: CodeQL + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + disable-sudo: true + egress-policy: audit + - uses: actions/checkout@v4 + with: + show-progress: 'false' + persist-credentials: 'false' + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: go + queries: security-extended,security-and-quality + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: "/language:go" diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index 7083d746..00000000 --- a/.github/workflows/codeql.yml +++ /dev/null 
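Review bot: The dependency-review job has no `permissions:` block, so unlike the codeql job in the same file it runs with the repository's default token permissions; add `permissions: contents: read` to it. `actions/dependency-review-action@v3` compares a pull request's base and head, but this workflow also fires on `push` to main and on the cron schedule, where there is no pull request to review; I would expect those runs to fail or be meaningless, so gate the job with `if: github.event_name == 'pull_request'`. As in the other new workflows, `actions/checkout@v4`, `actions/dependency-review-action@v3` and the `github/codeql-action/*@v2` steps are tag-pinned while harden-runner is SHA-pinned; pin them to commit SHAs for consistency with the change's intent.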
@@ -1,33 +0,0 @@ -name: "CodeQL" - -on: - push: - branches: - - main - pull_request: - branches: - - main - schedule: - - cron: '35 8 * * 1-5' - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - steps: - - uses: actions/checkout@v3 - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: go - queries: security-extended,security-and-quality - - name: Autobuild - uses: github/codeql-action/autobuild@v2 - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 - with: - category: "/language:go" diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml index 92b13eff..7a208731 100644 --- a/.github/workflows/deploy-production.yml +++ b/.github/workflows/deploy-production.yml @@ -6,7 +6,7 @@ on: - 'release/**' concurrency: - group: production + group: deploy-production cancel-in-progress: false permissions: 
@@ -14,144 +14,102 @@ permissions: id-token: write jobs: - plan: - name: Plan Deployment - runs-on: ubuntu-latest - defaults: - run: - working-directory: terraform - outputs: - terraform_plan_exitcode: ${{ steps.terraform_plan.outputs.exitcode }} - env: - TF_CLI_ARGS: "-no-color" - TF_INPUT: 0 - TF_VAR_version_identifier: ${{ github.ref_name }} - TF_VAR_git_commit_sha: ${{ github.sha }} - TF_VAR_datadog_api_key: ${{ secrets.DATADOG_API_KEY }} - TF_VAR_datadog_app_key: ${{ secrets.DATADOG_APP_KEY }} - steps: - - uses: actions/checkout@v3 - - uses: actions/setup-go@v4 - with: - token: ${{ secrets.GITHUB_TOKEN }} - go-version-file: go.mod - - name: Install Taskfile - uses: arduino/setup-task@v1 - with: - version: 3.x - - name: Pre-plan build optimizations - run: | - task prebuild-lambda - task build - - name: Get project TF version - id: get_version - run: echo "TF_VERSION=$(cat .terraform-version | tr -d '[:space:]')" | tee -a $GITHUB_OUTPUT - working-directory: terraform - - uses: hashicorp/setup-terraform@v2 - with: - terraform_wrapper: true - terraform_version: ${{ steps.get_version.outputs.TF_VERSION }} - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v1 - with: - aws-region: us-west-2 - role-to-assume: "${{ secrets.PRODUCTION_ROLE_ARN }}" - - name: Terraform Init - run: terraform init -backend-config="production.s3.tfbackend" - - name: Terraform Plan - id: terraform_plan - run: terraform plan -var-file="prod.tfvars" -out="tfplan" -detailed-exitcode - - name: Generate plaintext plan - id: show_plan - run: terraform show tfplan - - name: Reformat plan - run: | - echo '${{ steps.show_plan.outputs.stdout || steps.show_plan.outputs.stderr }}' \ - | sed -E 's/^([[:space:]]+)([-+])/\2\1/g' > plan.txt - PLAN=$(cat plan.txt | head -c 65300) - echo "PLAN<> $GITHUB_ENV - echo "$PLAN" >> $GITHUB_ENV - echo "EOF" >> $GITHUB_ENV - - name: Write the step summary - run: | - REPORT_FILE=$(mktemp -t summary.md.XXXXX ) - echo 
"REPORT_FILE=$REPORT_FILE" >> $GITHUB_ENV - cat >> $REPORT_FILE << 'ENDOFREPORT' - ## Terraform Plan Result + build-lambdas: + name: Build Lambda handlers + permissions: + contents: read + uses: ./.github/workflows/build.yml + with: + ref: ${{ github.sha }} + build-cli: true + build-lambdas: true + artifacts-retention-days: 90 -
- Output + aws-auth: + name: Configure AWS Credentials + permissions: + contents: read + id-token: write + uses: ./.github/workflows/aws-auth.yml + with: + aws-region: us-west-2 + secrets: + gpg-passphrase: ${{ secrets.PRODUCTION_GPG_PASSPHRASE }} + role-to-assume: ${{ secrets.PRODUCTION_ROLE_ARN }} - ```diff - ${{ env.PLAN }} - ``` + tf-plan: + name: Plan Terraform + permissions: + contents: read + needs: + - aws-auth + - build-lambdas + uses: ./.github/workflows/terraform-plan.yml + with: + ref: ${{ github.sha }} + concurrency-group: run_terraform-production + bin-artifacts-key: ${{ needs.build-lambdas.outputs.lambda-artifacts-key }} + bin-artifacts-path: ${{ needs.build-lambdas.outputs.lambda-artifacts-path }} + aws-region: us-west-2 + environment-key: production + tf-backend-config-file: production.s3.tfbackend + tf-var-file: production.tfvars + upload-artifacts: true + artifacts-retention-days: 90 + secrets: + aws-access-key-id: ${{ needs.aws-auth.outputs.aws-access-key-id }} + aws-secret-access-key: ${{ needs.aws-auth.outputs.aws-secret-access-key }} + aws-session-token: ${{ needs.aws-auth.outputs.aws-session-token }} + datadog-api-key: ${{ secrets.DATADOG_API_KEY }} + datadog-app-key: ${{ secrets.DATADOG_APP_KEY }} + gpg-passphrase: ${{ secrets.PRODUCTION_GPG_PASSPHRASE }} -
- ENDOFREPORT - cat $REPORT_FILE >> $GITHUB_STEP_SUMMARY - - name: Encrypt terraform plan file - env: - PASSPHRASE: ${{ secrets.TFPLAN_SECRET }} - run: | - echo "$PASSPHRASE" | gpg --batch --yes --passphrase-fd 0 -c --cipher-algo AES256 tfplan - rm tfplan - - name: Store terraform artifacts - uses: actions/upload-artifact@v3 - with: - name: terraform-${{ github.sha }} - path: | - ${{ github.workspace }}/terraform - !${{ github.workspace }}/terraform/.terraform - - name: Store executable artifacts - uses: actions/upload-artifact@v3 - with: - name: bin-${{ github.sha }} - path: ${{ github.workspace }}/bin + publish-tf-plan: + name: Publish Terraform Plan + permissions: + contents: read + if: needs.tf-plan.result != 'skipped' || needs.tf-plan.result != 'cancelled' + needs: + - tf-plan + uses: ./.github/workflows/publish-terraform-plan.yml + with: + write-summary: true + write-comment: false + tf-fmt-outcome: ${{ needs.tf-plan.outputs.fmt-outcome }} + tf-init-outcome: ${{ needs.tf-plan.outputs.init-outcome }} + tf-plan-outcome: ${{ needs.tf-plan.outputs.plan-outcome }} + tf-plan-output: ${{ needs.tf-plan.outputs.plan-output }} + tf-validate-outcome: ${{ needs.tf-plan.outputs.validate-outcome }} + tf-validate-output: ${{ needs.tf-plan.outputs.validate-output }} - deploy: - name: Deploy to Production - runs-on: ubuntu-latest - environment: production + tf-apply: + name: Deploy to Staging needs: - - plan - if: always() && needs.plan.outputs.terraform_plan_exitcode == 2 - defaults: - run: - working-directory: terraform - env: - TF_CLI_ARGS: "-no-color" - TF_INPUT: 0 - steps: - - uses: hashicorp/setup-terraform@v2 - - name: Restore terraform artifacts - uses: actions/download-artifact@v3 - with: - name: terraform-${{ github.sha }} - path: ${{ github.workspace }}/terraform - - name: Restore executable artifacts - uses: actions/download-artifact@v3 - with: - name: bin-${{ github.sha }} - path: ${{ github.workspace }}/bin - - name: Decrypt terraform plan file - env: - 
GPG_PASSPHRASE: ${{ secrets.TFPLAN_SECRET }} - run: echo "$GPG_PASSPHRASE" | gpg -qd --batch --yes --passphrase-fd 0 -o tfplan tfplan.gpg - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v1 - with: - aws-region: us-west-2 - role-to-assume: "${{ secrets.PRODUCTION_ROLE_ARN }}" - - name: Terraform Init - run: terraform init -backend-config="production.s3.tfbackend" - - name: Terraform Apply - run: terraform apply tfplan + - build-lambdas + - aws-auth + - tf-plan + if: needs.tf-plan.outputs.plan-exitcode == 2 + uses: ./.github/workflows/terraform-apply.yml + with: + bin-artifacts-key: ${{ needs.build-lambdas.outputs.lambda-artifacts-key }} + bin-artifacts-path: ${{ needs.build-lambdas.outputs.lambda-artifacts-path }} + tf-plan-artifacts-key: ${{ needs.tf-plan.outputs.artifacts-key }} + aws-region: us-west-2 + concurrency-group: run_terraform-production + tf-backend-config-file: production.s3.tfbackend + secrets: + aws-access-key-id: ${{ needs.aws-auth.outputs.aws-access-key-id }} + aws-secret-access-key: ${{ needs.aws-auth.outputs.aws-secret-access-key }} + aws-session-token: ${{ needs.aws-auth.outputs.aws-session-token }} + datadog-api-key: ${{ secrets.DATADOG_API_KEY }} + datadog-app-key: ${{ secrets.DATADOG_APP_KEY }} + gpg-passphrase: ${{ secrets.PRODUCTION_GPG_PASSPHRASE }} update_release: name: Update release runs-on: ubuntu-latest needs: - - deploy + - tf-apply env: GH_TOKEN: ${{ github.token }} RELEASE_TAG: ${{ github.ref_name }} diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index e0e138b2..2159aca4 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -6,7 +6,7 @@ on: - main concurrency: - group: run_terraform-staging + group: deploy-staging cancel-in-progress: false permissions: 
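Review bot: The new tf-apply job in the production workflow is labelled `name: Deploy to Staging`; it should be `name: Deploy to Production`, otherwise the run UI and any required-check rules keyed on the job name are misleading. The removed deploy job declared `environment: production`, which is what attached environment protection rules and approvals to the apply; the replacement calls terraform-apply.yml, which is not in this chunk, so unless that workflow declares the environment on its own job, the production apply now runs without that gate and this hunk should not merge until that is confirmed. tf-apply is also the only job in this file without a `permissions:` block, so it inherits the workflow-level `id-token: write` it no longer needs now that credentials arrive via `secrets:`; add `permissions: contents: read` as on the sibling jobs (the same applies to tf-apply in the deploy-staging.yml hunk).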
@@ -14,13 +14,93 @@ permissions: id-token: write jobs: - build_and_deploy: - name: Build and Deploy to Staging - uses: "./.github/workflows/build-and-deploy.yml" + build-lambdas: + name: Build Lambda handlers + permissions: + contents: read + uses: ./.github/workflows/build.yml with: - tf_backend_config_file: staging.s3.tfbackend - tf_var_file: staging.tfvars + ref: ${{ github.sha }} + build-cli: true + build-lambdas: true + artifacts-retention-days: 30 + + aws-auth: + name: Configure AWS Credentials + permissions: + contents: read + id-token: write + uses: ./.github/workflows/aws-auth.yml + with: + aws-region: us-west-2 + secrets: + gpg-passphrase: ${{ secrets.STAGING_GPG_PASSPHRASE }} + role-to-assume: ${{ secrets.STAGING_ROLE_ARN }} + + tf-plan: + name: Plan Terraform + permissions: + contents: read + needs: + - aws-auth + - build-lambdas + uses: ./.github/workflows/terraform-plan.yml + with: + ref: ${{ github.sha }} + concurrency-group: run_terraform-staging + bin-artifacts-key: ${{ needs.build-lambdas.outputs.lambda-artifacts-key }} + bin-artifacts-path: ${{ needs.build-lambdas.outputs.lambda-artifacts-path }} + aws-region: us-west-2 + environment-key: staging + tf-backend-config-file: staging.s3.tfbackend + tf-var-file: staging.tfvars + upload-artifacts: true + artifacts-retention-days: 30 + secrets: + aws-access-key-id: ${{ needs.aws-auth.outputs.aws-access-key-id }} + aws-secret-access-key: ${{ needs.aws-auth.outputs.aws-secret-access-key }} + aws-session-token: ${{ needs.aws-auth.outputs.aws-session-token }} + datadog-api-key: ${{ secrets.DATADOG_API_KEY }} + datadog-app-key: ${{ secrets.DATADOG_APP_KEY }} + gpg-passphrase: ${{ secrets.STAGING_GPG_PASSPHRASE }} + + publish-tf-plan: + name: Publish Terraform Plan + permissions: + contents: read + if: needs.tf-plan.result != 'skipped' || needs.tf-plan.result != 'cancelled' + needs: + - tf-plan + uses: ./.github/workflows/publish-terraform-plan.yml + with: + write-summary: true + write-comment: false + 
tf-fmt-outcome: ${{ needs.tf-plan.outputs.fmt-outcome }} + tf-init-outcome: ${{ needs.tf-plan.outputs.init-outcome }} + tf-plan-outcome: ${{ needs.tf-plan.outputs.plan-outcome }} + tf-plan-output: ${{ needs.tf-plan.outputs.plan-output }} + tf-validate-outcome: ${{ needs.tf-plan.outputs.validate-outcome }} + tf-validate-output: ${{ needs.tf-plan.outputs.validate-output }} + + tf-apply: + name: Deploy to Staging + needs: + - build-lambdas + - aws-auth + - tf-plan + if: needs.tf-plan.outputs.plan-exitcode == 2 + uses: ./.github/workflows/terraform-apply.yml + with: + bin-artifacts-key: ${{ needs.build-lambdas.outputs.lambda-artifacts-key }} + bin-artifacts-path: ${{ needs.build-lambdas.outputs.lambda-artifacts-path }} + tf-plan-artifacts-key: ${{ needs.tf-plan.outputs.artifacts-key }} + aws-region: us-west-2 + concurrency-group: run_terraform-staging + tf-backend-config-file: staging.s3.tfbackend secrets: - AWS_ROLE_TO_ASSUME: "${{ secrets.STAGING_ROLE_ARN }}" - DATADOG_API_KEY: "${{ secrets.DATADOG_API_KEY }}" - DATADOG_APP_KEY: "${{ secrets.DATADOG_APP_KEY }}" + aws-access-key-id: ${{ needs.aws-auth.outputs.aws-access-key-id }} + aws-secret-access-key: ${{ needs.aws-auth.outputs.aws-secret-access-key }} + aws-session-token: ${{ needs.aws-auth.outputs.aws-session-token }} + datadog-api-key: ${{ secrets.DATADOG_API_KEY }} + datadog-app-key: ${{ secrets.DATADOG_APP_KEY }} + gpg-passphrase: ${{ secrets.STAGING_GPG_PASSPHRASE }} diff --git a/.github/workflows/publish-terraform-plan.yml b/.github/workflows/publish-terraform-plan.yml new file mode 100644 index 00000000..e9c0b7b9 --- /dev/null +++ b/.github/workflows/publish-terraform-plan.yml 
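Review bot: The `if` on `publish-tf-plan`, `needs.tf-plan.result != 'skipped' || needs.tf-plan.result != 'cancelled'`, is always true because a single result cannot equal both strings, and since the expression does not call `always()` the job is in any case skipped whenever `tf-plan` fails, so the plan summary is never published for the runs that most need it. If the intent is to publish on success and on failure but not on skip/cancel, the condition should read `if: always() && needs.tf-plan.result != 'skipped' && needs.tf-plan.result != 'cancelled'`. The same expression appears in the deploy-production.yml hunk above. For consistency with its sibling jobs, `tf-apply` could also declare `permissions: contents: read` rather than inheriting the workflow-level `id-token: write` that the called workflow does not use.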
@@ -0,0 +1,137 @@ +name: Publish Terraform Plan + +on: + workflow_call: + inputs: + tf-fmt-outcome: + type: string + required: true + tf-init-outcome: + type: string + required: true + tf-plan-outcome: + type: string + required: true + tf-plan-output: + type: string + required: true + tf-validate-outcome: + type: string + required: true + tf-validate-output: + type: string + required: true + pr-number: + type: string + required: false + write-summary: + type: boolean + default: true + write-comment: + type: boolean + default: false + +permissions: + contents: read + pull-requests: write + +jobs: + publish: + name: Publish Terraform Plan + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + steps: + - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + - name: Reformat Plan + run: | + PLAN=$(echo "$PLAN_RAW_OUTPUT" | sed -E 's/^([[:space:]]+)([-+])/\2\1/g') + echo "PLAN_REFORMATTED<> $GITHUB_ENV + echo "$PLAN" >> $GITHUB_ENV + echo "EOF" >> $GITHUB_ENV + env: + PLAN_RAW_OUTPUT: ${{ inputs.tf-plan-output }} + - name: Write the report markdown file + run: | + REPORT_FILE=$(mktemp -t summary.md.XXXXX) + echo "REPORT_FILE=$REPORT_FILE" >> $GITHUB_ENV + cat >> $REPORT_FILE << 'ENDOFREPORT' + ## Terraform Summary + + | Step | Result | + |:-----------------------------|:-------:| + | 🖌 Terraform Format & Style | ${{ (env.TF_FMT_OUTCOME == 'success' && '✅') || (env.TF_FMT_OUTCOME == 'skipped' && '➖') || '❌' }} | + | ⚙️ Terraform Initialization | ${{ (env.TF_INIT_OUTCOME == 'success' && '✅') || (env.TF_INIT_OUTCOME == 'skipped' && '➖') || '❌' }} | + | 🤖 Terraform Validation | ${{ (env.TF_VALIDATE_OUTCOME == 'success' && '✅') || (env.TF_VALIDATE_OUTCOME == 'skipped' && '➖') || '❌' }} | + | 📖 Terraform Plan | ${{ (env.TF_PLAN_OUTCOME == 'success' && '✅') || (env.TF_PLAN_OUTCOME == 'skipped' && '➖') || '❌' }} | + + ### 
Output + +
+ Validation Output + + ``` + ${{ env.TF_VALIDATE_OUTPUT }} + ``` + +
+ +
+ Plan Output + + ```diff + ${{ env.TF_PLAN_OUTPUT }} + ``` + +
+ + *Pusher: @${{ env.GH_ACTOR }}, Action: `${{ env.GH_ACTION }}`, Workflow: [`${{ env.GH_WORKFLOW }}`](${{ env.GH_SERVER}}/${{ env.GH_REPO }}/actions/runs/${{ env.GH_RUN_ID }})* + ENDOFREPORT + env: + TF_FMT_OUTCOME: ${{ inputs.tf-fmt-outcome }} + TF_INIT_OUTCOME: ${{ inputs.tf-init-outcome }} + TF_VALIDATE_OUTCOME: ${{ inputs.tf-validate-outcome }} + TF_VALIDATE_OUTPUT: ${{ inputs.tf-validate-output }} + TF_PLAN_OUTCOME: ${{ inputs.tf-plan-outcome }} + TF_PLAN_OUTPUT: ${{ env.PLAN_REFORMATTED }} + GH_ACTOR: ${{ github.actor }} + GH_ACTION: ${{ github.event_name }} + GH_WORKFLOW: ${{ github.workflow }} + GH_SERVER: ${{ github.server_url }} + GH_REPO: ${{ github.repository }} + GH_RUN_ID: ${{ github.run_id }} + - name: Write the step summary + if: inputs.write-summary + run: cat $REPORT_FILE | head -c 65500 >> $GITHUB_STEP_SUMMARY # Observe GitHub's 65535 character limit + - name: Write the comment body + id: comment-body + run: | + CONTENT=$(cat $REPORT_FILE) + echo "REPORT_CONTENT<> $GITHUB_OUTPUT + echo "$CONTENT" >> $GITHUB_OUTPUT + echo "ENDOFREPORT" >> $GITHUB_OUTPUT + - name: Warn on missing comment requirements + if: inputs.write-comment && inputs.pr-number == '' + run: "echo 'WARNING: Cannot write a comment because pr-number is not set'" + - name: Find previous report comment + id: find-comment + if: inputs.write-comment && inputs.pr-number != '' + uses: peter-evans/find-comment@v2 + with: + issue-number: ${{ inputs.pr-number }} + comment-author: 'github-actions[bot]' + body-includes: Terraform Summary + - name: Create or update comment + if: always() + uses: peter-evans/create-or-update-comment@v2 + with: + comment-id: ${{ steps.find-comment.outputs.comment-id }} + issue-number: ${{ github.event.pull_request.number }} + body: ${{ steps.comment-body.outputs.REPORT_CONTENT }} + edit-mode: replace diff --git a/.github/workflows/qa.yml b/.github/workflows/qa.yml new file mode 100644 index 00000000..3b606694 --- /dev/null +++ b/.github/workflows/qa.yml 
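Review bot: The `Create or update comment` step runs under `if: always()`, so it executes even when `write-comment` is false or no PR number was supplied, and it takes `issue-number` from `github.event.pull_request.number` rather than the `pr-number` input that the `find-comment` step uses; on a push-triggered call such as deploy-staging.yml (which sets `write-comment: false`) that value is empty and the step will error after the summary has already been written. Gate it the same way as the lookup, `if: inputs.write-comment && inputs.pr-number != ''`, and pass `issue-number: ${{ inputs.pr-number }}`. The `Reformat Plan` step writes the plan into `GITHUB_ENV` through a heredoc terminated by the fixed string `EOF` (and `Write the comment body` does the same into `GITHUB_OUTPUT` with `ENDOFREPORT`); plan text is partly derived from the Terraform sources under review, so a line consisting of exactly the delimiter would end the value early and let the remaining lines be parsed as environment assignments for later steps — a per-run random delimiter such as `EOF=$(openssl rand -hex 16)` is the usual safeguard. Finally, `peter-evans/find-comment@v2` and `peter-evans/create-or-update-comment@v2`, which run with the `pull-requests: write` token, are pinned by mutable tag while `harden-runner` is pinned to a commit SHA; the same mix appears in the qa.yml, terraform-apply.yml and terraform-plan.yml hunks below (`actions/checkout`, `actions/cache`, `actions/setup-go`, `arduino/setup-task`, `dominikh/staticcheck-action`, `terraform-linters/setup-tflint`, `actions/download-artifact`, `actions/upload-artifact`).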
@@ -0,0 +1,102 @@ +name: QA Checks + +on: + workflow_call: + inputs: + ref: + type: string + required: true + +permissions: + contents: read + +jobs: + qa_go: + name: QA for Go + runs-on: ubuntu-latest + steps: + - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + actions-results-receiver-production.githubapp.com:443 + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + proxy.golang.org:443 + sum.golang.org:443 + storage.googleapis.com:443 + - uses: actions/checkout@v4 + with: + ref: ${{ inputs.ref }} + show-progress: 'false' + persist-credentials: 'false' + - name: Restore/save Taskfile cache + uses: actions/cache@v3 + with: + key: ${{ runner.os }}-qa-taskfile + path: | + ./.task + ./bin + ./cover.out + ./cover.html + - uses: actions/setup-go@v4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + go-version-file: go.mod + - uses: arduino/setup-task@v1 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + version: 3.x + - name: Pre-build optimization + run: task prebuild-lambda + - name: Check Formatting + run: test -z "$(go fmt ./...)" || echo "Formatting check failed." + - name: Test + run: task test + - name: Vet + run: go vet ./... 
+ - name: Lint + uses: dominikh/staticcheck-action@v1.3.0 + with: + install-go: false + - name: Ensure all go binaries compile + run: task build build-cli + + tflint: + name: Lint terraform + runs-on: ubuntu-latest + steps: + - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + actions-results-receiver-production.githubapp.com:443 + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + - uses: actions/checkout@v4 + with: + ref: ${{ inputs.ref }} + show-progress: 'false' + persist-credentials: 'false' + - uses: actions/cache@v3 + name: Cache plugin dir + with: + path: .tflint.d/plugins + key: ${{ runner.os }}-tflint-${{ hashFiles('terraform/.tflint.hcl') }} + - uses: terraform-linters/setup-tflint@v3 + name: Setup TFLint + with: + tflint_version: latest + - name: Show TFLint version + run: tflint --version + - name: Init TFLint + run: tflint --init + working-directory: terraform + env: + GITHUB_TOKEN: ${{ github.token }} + - name: Run TFLint + run: tflint -f compact --recursive diff --git a/.github/workflows/terraform-apply.yml b/.github/workflows/terraform-apply.yml new file mode 100644 index 00000000..55671a28 --- /dev/null +++ b/.github/workflows/terraform-apply.yml 
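Review bot: The `Check Formatting` step can never fail: in `test -z "$(go fmt ./...)" || echo "Formatting check failed."` the `||` branch only prints a message and `echo` exits 0, so misformatted Go passes QA, and `go fmt` additionally rewrites the checked-out files in place. Use `gofmt -l` (report only) and exit non-zero, e.g. `run: test -z "$(gofmt -l .)" || { gofmt -l .; echo "Formatting check failed."; exit 1; }`. Separately, the cache key `${{ runner.os }}-qa-taskfile` carries no content hash, so after the first save the cached `./bin`, `./cover.out` and `./cover.html` are restored unchanged on every run and never refreshed; whether `task test` and `task build build-cli` always regenerate them depends on the Taskfile's checksum rules, which are not visible here.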
@@ -0,0 +1,131 @@ +name: Terraform Apply + +permissions: + contents: read + +on: + workflow_call: + inputs: + bin-artifacts-key: + type: string + required: true + bin-artifacts-path: + type: string + required: true + tf-plan-artifacts-key: + type: string + required: true + aws-region: + type: string + required: true + tf-backend-config-file: + type: string + required: true + concurrency-group: + description: Name of the concurrency group (avoids simultaneous Terraform execution against the same environment) + type: string + default: run_terraform + secrets: + aws-access-key-id: + required: true + aws-secret-access-key: + required: true + aws-session-token: + required: true + datadog-api-key: + required: true + datadog-app-key: + required: true + gpg-passphrase: + required: true + +jobs: + do: + name: Apply Terraform from Plan + runs-on: ubuntu-latest + permissions: + contents: read + defaults: + run: + working-directory: terraform + env: + AWS_DEFAULT_REGION: ${{ inputs.aws-region }} + AWS_REGION: ${{ inputs.aws-region }} + TF_CLI_ARGS: "-no-color" + TF_IN_AUTOMATION: "true" + TF_INPUT: 0 + TF_PLUGIN_CACHE_DIR: ~/.terraform.d/plugin-cache + concurrency: + group: ${{ inputs.concurrency-group }} + cancel-in-progress: false + steps: + - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + *.amazonaws.com:443 + actions-results-receiver-production.githubapp.com:443 + api.datadoghq.com:443 + checkpoint-api.hashicorp.com:443 + github.com:443 + objects.githubusercontent.com:443 + registry.terraform.io:443 + releases.hashicorp.com:443 + - name: Download Terraform artifacts + uses: actions/download-artifact@v3 + with: + name: ${{ inputs.tf-plan-artifacts-key }} + path: ${{ github.workspace }}/terraform + - name: Get project TF version + id: get_tf_version + run: echo "TF_VERSION=$(cat .terraform-version | tr -d '[:space:]')" | tee -a $GITHUB_OUTPUT + - uses: 
hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3 + with: + terraform_version: ${{ steps.get_tf_version.outputs.TF_VERSION }} + - name: Download Lambda handler artifacts + uses: actions/download-artifact@v3 + with: + name: ${{ inputs.bin-artifacts-key }} + path: ${{ inputs.bin-artifacts-path }} + - name: Decrypt plan file + run: gpg -qd --batch --yes --passphrase "$GPG_PASSPHRASE" -o tfplan tfplan.gpg + env: + GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }} + - id: decrypt-aws-access-key-id + run: | + decrypted=$(gpg -qd --batch --yes --passphrase "$GPG_PASSPHRASE" -o - <(echo "$VALUE" | base64 -d)) + echo "::add-mask::${decrypted}" + echo "out=${decrypted}" >> $GITHUB_OUTPUT + env: + GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }} + VALUE: ${{ secrets.aws-access-key-id }} + - id: decrypt-aws-secret-access-key + run: | + decrypted=$(gpg -qd --batch --yes --passphrase "$GPG_PASSPHRASE" -o - <(echo "$VALUE" | base64 -d)) + echo "::add-mask::${decrypted}" + echo "out=${decrypted}" >> $GITHUB_OUTPUT + env: + GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }} + VALUE: ${{ secrets.aws-secret-access-key }} + - id: decrypt-aws-session-token + run: | + decrypted=$(gpg -qd --batch --yes --passphrase "$GPG_PASSPHRASE" -o - <(echo "$VALUE" | base64 -d)) + echo "::add-mask::${decrypted}" + echo "out=${decrypted}" >> $GITHUB_OUTPUT + env: + GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }} + VALUE: ${{ secrets.aws-session-token }} + - name: Terraform Init + run: terraform init + env: + AWS_ACCESS_KEY_ID: "${{ steps.decrypt-aws-access-key-id.outputs.out }}" + AWS_SECRET_ACCESS_KEY: "${{ steps.decrypt-aws-secret-access-key.outputs.out }}" + AWS_SESSION_TOKEN: "${{ steps.decrypt-aws-session-token.outputs.out }}" + TF_CLI_ARGS_init: "-backend-config=${{ inputs.tf-backend-config-file }}" + - name: Terraform Apply + run: terraform apply tfplan + env: + AWS_ACCESS_KEY_ID: "${{ steps.decrypt-aws-access-key-id.outputs.out }}" + AWS_SECRET_ACCESS_KEY: "${{ 
steps.decrypt-aws-secret-access-key.outputs.out }}" + AWS_SESSION_TOKEN: "${{ steps.decrypt-aws-session-token.outputs.out }}" diff --git a/.github/workflows/terraform-plan.yml b/.github/workflows/terraform-plan.yml new file mode 100644 index 00000000..7979854d --- /dev/null +++ b/.github/workflows/terraform-plan.yml 
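Review bot: The `datadog-api-key` and `datadog-app-key` secrets are declared `required: true` but no step in the `do` job references them — `terraform apply tfplan` takes every value from the saved plan — so callers are forced to hand this workflow two credentials it never uses; drop them from `secrets` (and from the callers' `secrets:` blocks) or mark them `required: false`. The `Decrypt plan file` step and the three `decrypt-aws-*` steps pass the passphrase as a command-line argument, `--passphrase "$GPG_PASSPHRASE"`, which exposes it in the process list for the duration of the gpg call, whereas the deploy-production.yml code this replaces fed it on stdin with `--passphrase-fd 0`; the same form is used throughout the terraform-plan.yml hunk below. `echo "$GPG_PASSPHRASE" | gpg -qd --batch --yes --passphrase-fd 0 -o tfplan tfplan.gpg` keeps it off the command line, and the decrypt steps that read ciphertext from `<(...)` can take the passphrase on stdin the same way.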
@@ -0,0 +1,210 @@ +name: Terraform Plan + +permissions: + contents: read + +on: + workflow_call: + inputs: + ref: + type: string + required: true + bin-artifacts-key: + type: string + required: true + bin-artifacts-path: + type: string + required: true + environment-key: + type: string + required: true + aws-region: + type: string + required: true + tf-backend-config-file: + type: string + required: true + tf-var-file: + type: string + required: true + artifacts-retention-days: + description: Number of days to retain build artifacts + type: number + default: 90 + upload-artifacts: + type: boolean + default: false + concurrency-group: + description: Name of the concurrency group (avoids simultaneous Terraform execution against the same environment) + type: string + default: run_terraform + secrets: + aws-access-key-id: + required: true + aws-secret-access-key: + required: true + aws-session-token: + required: true + datadog-api-key: + required: true + datadog-app-key: + required: true + gpg-passphrase: + required: true + outputs: + artifacts-key: + value: ${{ jobs.do.outputs.artifacts-key }} + fmt-outcome: + value: ${{ jobs.do.outputs.fmt_outcome }} + init-outcome: + value: ${{ jobs.do.outputs.init_outcome }} + validate-outcome: + value: ${{ jobs.do.outputs.validate_outcome }} + validate-output: + value: ${{ jobs.do.outputs.validate_output }} + plan-exitcode: + value: ${{ jobs.do.outputs.plan_exitcode }} + plan-outcome: + value: ${{ jobs.do.outputs.plan_outcome }} + plan-output: + value: ${{ jobs.do.outputs.plan_output }} + +jobs: + do: + name: Validate and plan terraform + runs-on: ubuntu-latest + permissions: + contents: read + defaults: + run: + working-directory: terraform + outputs: + artifacts-key: ${{ env.ARTIFACTS_KEY }} + fmt_outcome: ${{ steps.fmt.outcome }} + init_outcome: ${{ steps.init.outcome }} + validate_outcome: ${{ steps.validate.outcome }} + validate_output: ${{ steps.validate.outputs.stdout }} + plan_exitcode: ${{ steps.plan.outputs.exitcode }} + 
plan_outcome: ${{ steps.plan.outcome }} + plan_output: ${{ steps.show_plan.outputs.stdout || steps.show_plan.outputs.stderr }} + env: + ARTIFACTS_KEY: terraform-${{ inputs.environment-key }}-${{ inputs.ref }} + AWS_DEFAULT_REGION: ${{ inputs.aws-region }} + AWS_REGION: ${{ inputs.aws-region }} + TF_CLI_ARGS: "-no-color" + TF_IN_AUTOMATION: "true" + TF_INPUT: 0 + TF_PLUGIN_CACHE_DIR: ~/.terraform.d/plugin-cache + concurrency: + group: ${{ inputs.concurrency-group }} + cancel-in-progress: false + steps: + - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + *.amazonaws.com:443 + actions-results-receiver-production.githubapp.com:443 + api.datadoghq.com:443 + checkpoint-api.hashicorp.com:443 + github.com:443 + objects.githubusercontent.com:443 + registry.terraform.io:443 + releases.hashicorp.com:443 + - uses: actions/checkout@v4 + with: + ref: ${{ inputs.ref }} + show-progress: 'false' + persist-credentials: 'false' + - name: Validate workflow configuration + if: inputs.upload-artifacts && (env.GPG_PASSPHRASE == '') + run: | + echo 'gpg-passphrase is required when upload-artifacts is true' + exit 1 + env: + GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }} + - name: Download Lambda handler artifacts + uses: actions/download-artifact@v3 + with: + name: ${{ inputs.bin-artifacts-key }} + path: ${{ inputs.bin-artifacts-path }} + - name: Get project TF version + id: get_tf_version + run: echo "TF_VERSION=$(cat .terraform-version | tr -d '[:space:]')" | tee -a $GITHUB_OUTPUT + - uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3 + with: + terraform_version: ${{ steps.get_tf_version.outputs.TF_VERSION }} + - name: Terraform fmt + id: fmt + run: terraform fmt -check -diff -recursive + - id: decrypt-aws-access-key-id + run: | + decrypted=$(gpg -qd --batch --yes --passphrase "$GPG_PASSPHRASE" -o - <(echo "$VALUE" | base64 -d)) + echo 
"::add-mask::${decrypted}" + echo "out=${decrypted}" >> $GITHUB_OUTPUT + env: + GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }} + VALUE: ${{ secrets.aws-access-key-id }} + - id: decrypt-aws-secret-access-key + run: | + decrypted=$(gpg -qd --batch --yes --passphrase "$GPG_PASSPHRASE" -o - <(echo "$VALUE" | base64 -d)) + echo "::add-mask::${decrypted}" + echo "out=${decrypted}" >> $GITHUB_OUTPUT + env: + GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }} + VALUE: ${{ secrets.aws-secret-access-key }} + - id: decrypt-aws-session-token + run: | + decrypted=$(gpg -qd --batch --yes --passphrase "$GPG_PASSPHRASE" -o - <(echo "$VALUE" | base64 -d)) + echo "::add-mask::${decrypted}" + echo "out=${decrypted}" >> $GITHUB_OUTPUT + env: + GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }} + VALUE: ${{ secrets.aws-session-token }} + - name: Terraform Init + id: init + run: terraform init + env: + AWS_ACCESS_KEY_ID: "${{ steps.decrypt-aws-access-key-id.outputs.out }}" + AWS_SECRET_ACCESS_KEY: "${{ steps.decrypt-aws-secret-access-key.outputs.out }}" + AWS_SESSION_TOKEN: "${{ steps.decrypt-aws-session-token.outputs.out }}" + TF_CLI_ARGS_init: "-backend-config=${{ inputs.tf-backend-config-file }}" + - name: Terraform Validate + id: validate + run: terraform validate -no-color + - name: Terraform Plan + if: always() && steps.validate.outcome == 'success' + id: plan + run: terraform plan -out="tfplan" -detailed-exitcode + env: + AWS_ACCESS_KEY_ID: "${{ steps.decrypt-aws-access-key-id.outputs.out }}" + AWS_SECRET_ACCESS_KEY: "${{ steps.decrypt-aws-secret-access-key.outputs.out }}" + AWS_SESSION_TOKEN: "${{ steps.decrypt-aws-session-token.outputs.out }}" + GPG_PASSPHRASE: "" # Just in case + TF_CLI_ARGS_plan: "-var-file=${{ inputs.tf-var-file }}" + TF_VAR_version_identifier: ${{ inputs.ref }} + TF_VAR_git_commit_sha: ${{ inputs.ref }} + TF_VAR_datadog_api_key: ${{ secrets.datadog-api-key }} + TF_VAR_datadog_app_key: ${{ secrets.datadog-app-key }} + - name: Generate plaintext plan + id: show_plan + 
run: terraform show tfplan + - name: Encrypt terraform plan file + id: encrypt_plan + if: success() && inputs.upload-artifacts + env: + GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }} + run: | + gpg --batch --yes --passphrase "$GPG_PASSPHRASE" 0 -c --cipher-algo AES256 tfplan + rm tfplan + - name: Store terraform artifacts + if: success() && inputs.upload-artifacts + uses: actions/upload-artifact@v3 + with: + name: ${{ env.ARTIFACTS_KEY }} + path: | + ${{ github.workspace }}/terraform + !${{ github.workspace }}/terraform/.terraform + if-no-files-found: error + retention-days: ${{ inputs.artifacts-retention-days }} diff --git a/terraform/local.tfvars b/terraform/local.tfvars index 6289938f..9dd76ddd 100644 --- a/terraform/local.tfvars +++ b/terraform/local.tfvars @@ -5,6 +5,7 @@ permissions_boundary_policy_name = "" datadog_enabled = false datadog_dashboards_enabled = false datadog_lambda_extension_version = "38" +lambda_binaries_autobuild = true lambda_default_log_retention_in_days = 7 lambda_default_log_level = "DEBUG" eventbridge_scheduler_enabled = false diff --git a/terraform/main.tf b/terraform/main.tf index d159d1ac..3b178c9b 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -478,6 +478,7 @@ module "DownloadGrantsGovDB" { lambda_artifact_bucket = module.lambda_artifacts_bucket.bucket_id log_retention_in_days = var.lambda_default_log_retention_in_days log_level = var.lambda_default_log_level + lambda_autobuild = var.lambda_binaries_autobuild lambda_binaries_base_path = local.lambda_binaries_base_path lambda_arch = var.lambda_arch additional_environment_variables = local.lambda_environment_variables 
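Review bot: The encrypt command in `Encrypt terraform plan file`, `gpg --batch --yes --passphrase "$GPG_PASSPHRASE" 0 -c --cipher-algo AES256 tfplan`, contains a stray `0` that looks like a leftover from the earlier `--passphrase-fd 0` form; `-c` takes a single filename, so depending on the gpg version the extra argument is most likely rejected or treated as a file named `0`, and either way the `upload-artifacts: true` path used by deploy-staging.yml and deploy-production.yml is not exercised as written. Restoring the stdin form removes both the stray argument and the passphrase from the command line: `echo "$GPG_PASSPHRASE" | gpg --batch --yes --passphrase-fd 0 -c --cipher-algo AES256 tfplan`. The job also exposes the full plan text as the `plan_output` job output, which the publish workflow later copies into `GITHUB_ENV`; GitHub caps a single output at 1 MB, so a large plan can fail the job after `terraform plan` itself succeeded — truncating `steps.show_plan.outputs.stdout` before exporting it, or carrying the text in the artifact, would be more robust.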
@@ -498,6 +499,7 @@ module "SplitGrantsGovXMLDB" { lambda_artifact_bucket = module.lambda_artifacts_bucket.bucket_id log_retention_in_days = var.lambda_default_log_retention_in_days log_level = var.lambda_default_log_level + lambda_autobuild = var.lambda_binaries_autobuild lambda_binaries_base_path = local.lambda_binaries_base_path lambda_arch = var.lambda_arch additional_environment_variables = local.lambda_environment_variables @@ -517,6 +519,7 @@ module "ReceiveFFISEmail" { lambda_artifact_bucket = module.lambda_artifacts_bucket.bucket_id log_retention_in_days = var.lambda_default_log_retention_in_days log_level = var.lambda_default_log_level + lambda_autobuild = var.lambda_binaries_autobuild lambda_binaries_base_path = local.lambda_binaries_base_path lambda_arch = var.lambda_arch additional_environment_variables = local.lambda_environment_variables @@ -544,6 +547,7 @@ module "EnqueueFFISDownload" { lambda_artifact_bucket = module.lambda_artifacts_bucket.bucket_id log_retention_in_days = var.lambda_default_log_retention_in_days log_level = var.lambda_default_log_level + lambda_autobuild = var.lambda_binaries_autobuild lambda_binaries_base_path = local.lambda_binaries_base_path lambda_arch = var.lambda_arch additional_environment_variables = local.lambda_environment_variables @@ -568,6 +572,7 @@ module "PersistGrantsGovXMLDB" { lambda_artifact_bucket = module.lambda_artifacts_bucket.bucket_id log_retention_in_days = var.lambda_default_log_retention_in_days log_level = var.lambda_default_log_level + lambda_autobuild = var.lambda_binaries_autobuild lambda_binaries_base_path = local.lambda_binaries_base_path lambda_arch = var.lambda_arch additional_environment_variables = local.lambda_environment_variables 
@@ -588,6 +593,7 @@ module "DownloadFFISSpreadsheet" { lambda_artifact_bucket = module.lambda_artifacts_bucket.bucket_id log_retention_in_days = var.lambda_default_log_retention_in_days log_level = var.lambda_default_log_level + lambda_autobuild = var.lambda_binaries_autobuild lambda_binaries_base_path = local.lambda_binaries_base_path lambda_arch = var.lambda_arch additional_environment_variables = local.lambda_environment_variables @@ -612,6 +618,7 @@ module "SplitFFISSpreadsheet" { lambda_artifact_bucket = module.lambda_artifacts_bucket.bucket_id log_retention_in_days = var.lambda_default_log_retention_in_days log_level = var.lambda_default_log_level + lambda_autobuild = var.lambda_binaries_autobuild lambda_binaries_base_path = local.lambda_binaries_base_path lambda_arch = var.lambda_arch additional_environment_variables = local.lambda_environment_variables @@ -637,6 +644,7 @@ module "PersistFFISData" { lambda_artifact_bucket = module.lambda_artifacts_bucket.bucket_id log_retention_in_days = var.lambda_default_log_retention_in_days log_level = var.lambda_default_log_level + lambda_autobuild = var.lambda_binaries_autobuild lambda_binaries_base_path = local.lambda_binaries_base_path lambda_arch = var.lambda_arch additional_environment_variables = local.lambda_environment_variables @@ -661,6 +669,7 @@ module "ExtractGrantsGovDBToXML" { lambda_artifact_bucket = module.lambda_artifacts_bucket.bucket_id log_retention_in_days = var.lambda_default_log_retention_in_days log_level = var.lambda_default_log_level + lambda_autobuild = var.lambda_binaries_autobuild lambda_binaries_base_path = local.lambda_binaries_base_path lambda_arch = var.lambda_arch additional_environment_variables = local.lambda_environment_variables 
@@ -684,6 +693,7 @@ module "PublishGrantEvents" { lambda_artifact_bucket = module.lambda_artifacts_bucket.bucket_id log_retention_in_days = var.lambda_default_log_retention_in_days log_level = var.lambda_default_log_level + lambda_autobuild = var.lambda_binaries_autobuild lambda_binaries_base_path = local.lambda_binaries_base_path lambda_arch = var.lambda_arch additional_environment_variables = local.lambda_environment_variables diff --git a/terraform/modules/DownloadFFISSpreadsheet/main.tf b/terraform/modules/DownloadFFISSpreadsheet/main.tf index c6510d61..dad86cce 100644 --- a/terraform/modules/DownloadFFISSpreadsheet/main.tf +++ b/terraform/modules/DownloadFFISSpreadsheet/main.tf @@ -54,6 +54,7 @@ module "lambda_execution_policy" { module "lambda_artifact" { source = "../taskfile_lambda_builder" + autobuild = var.lambda_autobuild binary_base_path = var.lambda_binaries_base_path function_name = var.function_name s3_bucket = var.lambda_artifact_bucket diff --git a/terraform/modules/DownloadFFISSpreadsheet/variables.tf b/terraform/modules/DownloadFFISSpreadsheet/variables.tf index 1637764e..c04dbd12 100644 --- a/terraform/modules/DownloadFFISSpreadsheet/variables.tf +++ b/terraform/modules/DownloadFFISSpreadsheet/variables.tf @@ -31,6 +31,11 @@ variable "lambda_binaries_base_path" { type = string } +variable "lambda_autobuild" { + description = "When true, a Lambda handler binary will be compiled when missing or outdated. When false, the compiled Lambda handler binary must already exist under `lambda_binaries_base_path`." + type = bool +} + variable "lambda_arch" { description = "The target build architecture for Lambda functions (either x86_64 or arm64)." type = string diff --git a/terraform/modules/DownloadGrantsGovDB/main.tf b/terraform/modules/DownloadGrantsGovDB/main.tf index 8656eb86..eb8a766c 100644 --- a/terraform/modules/DownloadGrantsGovDB/main.tf +++ b/terraform/modules/DownloadGrantsGovDB/main.tf 
@@ -52,7 +52,9 @@ module "lambda_execution_policy" { } module "lambda_artifact" { - source = "../taskfile_lambda_builder" + source = "../taskfile_lambda_builder" + + autobuild = var.lambda_autobuild binary_base_path = var.lambda_binaries_base_path function_name = var.function_name s3_bucket = var.lambda_artifact_bucket diff --git a/terraform/modules/DownloadGrantsGovDB/variables.tf b/terraform/modules/DownloadGrantsGovDB/variables.tf index fdd8da8d..53b87c69 100644 --- a/terraform/modules/DownloadGrantsGovDB/variables.tf +++ b/terraform/modules/DownloadGrantsGovDB/variables.tf @@ -31,6 +31,11 @@ variable "lambda_binaries_base_path" { type = string } +variable "lambda_autobuild" { + description = "When true, a Lambda handler binary will be compiled when missing or outdated. When false, the compiled Lambda handler binary must already exist under `lambda_binaries_base_path`." + type = bool +} + variable "lambda_arch" { description = "The target build architecture for Lambda functions (either x86_64 or arm64)." type = string diff --git a/terraform/modules/EnqueueFFISDownload/main.tf b/terraform/modules/EnqueueFFISDownload/main.tf index b67ee024..63a59594 100644 --- a/terraform/modules/EnqueueFFISDownload/main.tf +++ b/terraform/modules/EnqueueFFISDownload/main.tf @@ -54,6 +54,7 @@ module "lambda_execution_policy" { module "lambda_artifact" { source = "../taskfile_lambda_builder" + autobuild = var.lambda_autobuild binary_base_path = var.lambda_binaries_base_path function_name = var.function_name s3_bucket = var.lambda_artifact_bucket diff --git a/terraform/modules/EnqueueFFISDownload/variables.tf b/terraform/modules/EnqueueFFISDownload/variables.tf index 68a30f49..075b0ad9 100644 --- a/terraform/modules/EnqueueFFISDownload/variables.tf +++ b/terraform/modules/EnqueueFFISDownload/variables.tf 
@@ -31,6 +31,11 @@ variable "lambda_binaries_base_path" { type = string } +variable "lambda_autobuild" { + description = "When true, a Lambda handler binary will be compiled when missing or outdated. When false, the compiled Lambda handler binary must already exist under `lambda_binaries_base_path`." + type = bool +} + variable "lambda_arch" { description = "The target build architecture for Lambda functions (either x86_64 or arm64)." type = string diff --git a/terraform/modules/ExtractGrantsGovDBToXML/main.tf b/terraform/modules/ExtractGrantsGovDBToXML/main.tf index 2d8deecb..93da204e 100644 --- a/terraform/modules/ExtractGrantsGovDBToXML/main.tf +++ b/terraform/modules/ExtractGrantsGovDBToXML/main.tf @@ -68,6 +68,7 @@ module "lambda_execution_policy" { module "lambda_artifact" { source = "../taskfile_lambda_builder" + autobuild = var.lambda_autobuild binary_base_path = var.lambda_binaries_base_path function_name = var.function_name s3_bucket = var.lambda_artifact_bucket diff --git a/terraform/modules/ExtractGrantsGovDBToXML/variables.tf b/terraform/modules/ExtractGrantsGovDBToXML/variables.tf index e53c825c..8a1c52f9 100644 --- a/terraform/modules/ExtractGrantsGovDBToXML/variables.tf +++ b/terraform/modules/ExtractGrantsGovDBToXML/variables.tf @@ -31,6 +31,11 @@ variable "lambda_binaries_base_path" { type = string } +variable "lambda_autobuild" { + description = "When true, a Lambda handler binary will be compiled when missing or outdated. When false, the compiled Lambda handler binary must already exist under `lambda_binaries_base_path`." + type = bool +} + variable "lambda_arch" { description = "The target build architecture for Lambda functions (either x86_64 or arm64)." type = string diff --git a/terraform/modules/PersistFFISData/main.tf b/terraform/modules/PersistFFISData/main.tf index 9ffeaf86..5a681644 100644 --- a/terraform/modules/PersistFFISData/main.tf +++ b/terraform/modules/PersistFFISData/main.tf 
@@ -55,6 +55,7 @@ module "lambda_execution_policy" { module "lambda_artifact" { source = "../taskfile_lambda_builder" + autobuild = var.lambda_autobuild binary_base_path = var.lambda_binaries_base_path function_name = var.function_name s3_bucket = var.lambda_artifact_bucket diff --git a/terraform/modules/PersistFFISData/variables.tf b/terraform/modules/PersistFFISData/variables.tf index af94bc83..012b7338 100644 --- a/terraform/modules/PersistFFISData/variables.tf +++ b/terraform/modules/PersistFFISData/variables.tf @@ -31,6 +31,11 @@ variable "lambda_binaries_base_path" { type = string } +variable "lambda_autobuild" { + description = "When true, a Lambda handler binary will be compiled when missing or outdated. When false, the compiled Lambda handler binary must already exist under `lambda_binaries_base_path`." + type = bool +} + variable "lambda_arch" { description = "The target build architecture for Lambda functions (either x86_64 or arm64)." type = string diff --git a/terraform/modules/PersistGrantsGovXMLDB/main.tf b/terraform/modules/PersistGrantsGovXMLDB/main.tf index 47afe596..97f63bab 100644 --- a/terraform/modules/PersistGrantsGovXMLDB/main.tf +++ b/terraform/modules/PersistGrantsGovXMLDB/main.tf @@ -55,6 +55,7 @@ module "lambda_execution_policy" { module "lambda_artifact" { source = "../taskfile_lambda_builder" + autobuild = var.lambda_autobuild binary_base_path = var.lambda_binaries_base_path function_name = var.function_name s3_bucket = var.lambda_artifact_bucket diff --git a/terraform/modules/PersistGrantsGovXMLDB/variables.tf b/terraform/modules/PersistGrantsGovXMLDB/variables.tf index af94bc83..012b7338 100644 --- a/terraform/modules/PersistGrantsGovXMLDB/variables.tf +++ b/terraform/modules/PersistGrantsGovXMLDB/variables.tf 
@@ -31,6 +31,11 @@ variable "lambda_binaries_base_path" { type = string } +variable "lambda_autobuild" { + description = "When true, a Lambda handler binary will be compiled when missing or outdated. When false, the compiled Lambda handler binary must already exist under `lambda_binaries_base_path`." + type = bool +} + variable "lambda_arch" { description = "The target build architecture for Lambda functions (either x86_64 or arm64)." type = string diff --git a/terraform/modules/PublishGrantEvents/main.tf b/terraform/modules/PublishGrantEvents/main.tf index 61169ba1..02af75f9 100644 --- a/terraform/modules/PublishGrantEvents/main.tf +++ b/terraform/modules/PublishGrantEvents/main.tf @@ -41,6 +41,7 @@ data "aws_dynamodb_table" "source" { module "lambda_artifact" { source = "../taskfile_lambda_builder" + autobuild = var.lambda_autobuild binary_base_path = var.lambda_binaries_base_path function_name = var.function_name s3_bucket = var.lambda_artifact_bucket diff --git a/terraform/modules/PublishGrantEvents/variables.tf b/terraform/modules/PublishGrantEvents/variables.tf index 3c538113..fc0eba44 100644 --- a/terraform/modules/PublishGrantEvents/variables.tf +++ b/terraform/modules/PublishGrantEvents/variables.tf @@ -31,6 +31,11 @@ variable "lambda_binaries_base_path" { type = string } +variable "lambda_autobuild" { + description = "When true, a Lambda handler binary will be compiled when missing or outdated. When false, the compiled Lambda handler binary must already exist under `lambda_binaries_base_path`." + type = bool +} + variable "lambda_arch" { description = "The target build architecture for Lambda functions (either x86_64 or arm64)." type = string diff --git a/terraform/modules/ReceiveFFISEmail/main.tf b/terraform/modules/ReceiveFFISEmail/main.tf index 45af4b7a..c95a2288 100644 --- a/terraform/modules/ReceiveFFISEmail/main.tf +++ b/terraform/modules/ReceiveFFISEmail/main.tf 
@@ -64,6 +64,7 @@ module "lambda_execution_policy" { module "lambda_artifact" { source = "../taskfile_lambda_builder" + autobuild = var.lambda_autobuild binary_base_path = var.lambda_binaries_base_path function_name = var.function_name s3_bucket = var.lambda_artifact_bucket diff --git a/terraform/modules/ReceiveFFISEmail/variables.tf b/terraform/modules/ReceiveFFISEmail/variables.tf index a10649a5..c6775de6 100644 --- a/terraform/modules/ReceiveFFISEmail/variables.tf +++ b/terraform/modules/ReceiveFFISEmail/variables.tf @@ -31,6 +31,11 @@ variable "lambda_binaries_base_path" { type = string } +variable "lambda_autobuild" { + description = "When true, a Lambda handler binary will be compiled when missing or outdated. When false, the compiled Lambda handler binary must already exist under `lambda_binaries_base_path`." + type = bool +} + variable "lambda_arch" { description = "The target build architecture for Lambda functions (either x86_64 or arm64)." type = string diff --git a/terraform/modules/SplitFFISSpreadsheet/main.tf b/terraform/modules/SplitFFISSpreadsheet/main.tf index 2a6db014..1d10cdd9 100644 --- a/terraform/modules/SplitFFISSpreadsheet/main.tf +++ b/terraform/modules/SplitFFISSpreadsheet/main.tf @@ -65,6 +65,7 @@ module "lambda_execution_policy" { module "lambda_artifact" { source = "../taskfile_lambda_builder" + autobuild = var.lambda_autobuild binary_base_path = var.lambda_binaries_base_path function_name = var.function_name s3_bucket = var.lambda_artifact_bucket diff --git a/terraform/modules/SplitFFISSpreadsheet/variables.tf b/terraform/modules/SplitFFISSpreadsheet/variables.tf index 0f894226..16660def 100644 --- a/terraform/modules/SplitFFISSpreadsheet/variables.tf +++ b/terraform/modules/SplitFFISSpreadsheet/variables.tf 
@@ -31,6 +31,11 @@ variable "lambda_binaries_base_path" { type = string } +variable "lambda_autobuild" { + description = "When true, a Lambda handler binary will be compiled when missing or outdated. When false, the compiled Lambda handler binary must already exist under `lambda_binaries_base_path`." + type = bool +} + variable "lambda_arch" { description = "The target build architecture for Lambda functions (either x86_64 or arm64)." type = string diff --git a/terraform/modules/SplitGrantsGovXMLDB/main.tf b/terraform/modules/SplitGrantsGovXMLDB/main.tf index ada9e141..a05825ce 100644 --- a/terraform/modules/SplitGrantsGovXMLDB/main.tf +++ b/terraform/modules/SplitGrantsGovXMLDB/main.tf @@ -66,6 +66,7 @@ module "lambda_execution_policy" { module "lambda_artifact" { source = "../taskfile_lambda_builder" + autobuild = var.lambda_autobuild binary_base_path = var.lambda_binaries_base_path function_name = var.function_name s3_bucket = var.lambda_artifact_bucket diff --git a/terraform/modules/SplitGrantsGovXMLDB/variables.tf b/terraform/modules/SplitGrantsGovXMLDB/variables.tf index 0f894226..16660def 100644 --- a/terraform/modules/SplitGrantsGovXMLDB/variables.tf +++ b/terraform/modules/SplitGrantsGovXMLDB/variables.tf @@ -31,6 +31,11 @@ variable "lambda_binaries_base_path" { type = string } +variable "lambda_autobuild" { + description = "When true, a Lambda handler binary will be compiled when missing or outdated. When false, the compiled Lambda handler binary must already exist under `lambda_binaries_base_path`." + type = bool +} + variable "lambda_arch" { description = "The target build architecture for Lambda functions (either x86_64 or arm64)." type = string diff --git a/terraform/modules/taskfile_lambda_builder/main.tf b/terraform/modules/taskfile_lambda_builder/main.tf index 9f95c9ee..91fa7819 100644 --- a/terraform/modules/taskfile_lambda_builder/main.tf +++ b/terraform/modules/taskfile_lambda_builder/main.tf 
@@ -17,6 +17,8 @@ locals { } data "external" "build_command" { + count = var.autobuild ? 1 : 0 + program = ["${path.module}/script.bash"] query = { task_command = local.task_command } } diff --git a/terraform/modules/taskfile_lambda_builder/variables.tf b/terraform/modules/taskfile_lambda_builder/variables.tf index f33e7fd9..86714795 100644 --- a/terraform/modules/taskfile_lambda_builder/variables.tf +++ b/terraform/modules/taskfile_lambda_builder/variables.tf @@ -31,6 +31,12 @@ variable "override_taskfile_command" { default = null } +variable "autobuild" { + description = "Whether to issue a Taskfile command to compile the Lambda handler binary when missing or outdated. When false, only a preexisting binary will be used. Recommendation: 'true' for development; 'false' for CI/CD." + type = bool + default = true +} + variable "override_path_to_binary" { description = "Explicit path to the file (outputted by the Taskfile command) that will be zipped. Uses '//bootstrap' by default." type = string diff --git a/terraform/production.tfvars b/terraform/production.tfvars index bdfcd2f2..24e934cf 100644 --- a/terraform/production.tfvars +++ b/terraform/production.tfvars @@ -1,6 +1,7 @@ namespace = "grants_ingest" environment = "production" ssm_deployment_parameters_path_prefix = "/grants_ingest/production/deploy-config" +lambda_binaries_autobuild = false lambda_default_log_retention_in_days = 30 lambda_default_log_level = "INFO" ffis_ingest_email_address = "ffis-ingest@grants.usdigitalresponse.org" diff --git a/terraform/staging.tfvars b/terraform/staging.tfvars index 0291b594..7b423897 100644 --- a/terraform/staging.tfvars +++ b/terraform/staging.tfvars @@ -2,6 +2,7 @@ namespace = "grants_ingest" environment = "staging" ssm_deployment_parameters_path_prefix = "/grants_ingest/deploy-config" datadog_enabled = true +lambda_binaries_autobuild = false lambda_default_log_retention_in_days = 30 lambda_default_log_level = "INFO" datadog_draft = true 
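Review bot: Adding `count` to `data.external.build_command` turns it into a list, so any `data.external.build_command.result` reference elsewhere in this module's `main.tf` (outside this hunk) must become `data.external.build_command[0].result` or `one(data.external.build_command).result`, otherwise the plan fails even with `autobuild = true`. When `autobuild` is false nothing here verifies that a prebuilt binary actually exists under `binary_base_path`, so a missing artifact only surfaces as an error from whatever consumes the path later; a precondition along the lines of `condition = var.autobuild || fileexists(<path to binary>)` with an error message naming `binary_base_path` would fail clearly at plan time. A comment on the `count` line would also record the hardening intent, e.g. `# CI/CD sets autobuild=false so plan never executes script.bash; the binary must already be present.`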
diff --git a/terraform/variables.tf b/terraform/variables.tf index f4afbfde..a761d1ce 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -61,6 +61,12 @@ variable "lambda_binaries_base_path" { default = "" } +variable "lambda_binaries_autobuild" { + description = "Whether to use Taskfile to compile missing/outdated Lambda handler binaries. Set to false during CI/CD." + type = bool + default = false +} + variable "lambda_arch" { description = "The target build architecture for Lambda functions (either x86_64 or arm64)." type = string From 5924ef2e48ef4df803ed7c727fee79844074a95a Mon Sep 17 00:00:00 2001 From: Tyler Hendrickson Date: Mon, 18 Sep 2023 15:53:16 -0500 Subject: [PATCH 02/17] Add `pull-requests: write` permission to workflows calling "Publish Terraform Plan" (#338) --- .github/workflows/deploy-production.yml | 1 + .github/workflows/deploy-staging.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml index 7a208731..aabda62b 100644 --- a/.github/workflows/deploy-production.yml +++ b/.github/workflows/deploy-production.yml @@ -68,6 +68,7 @@ jobs: name: Publish Terraform Plan permissions: contents: read + pull-requests: write if: needs.tf-plan.result != 'skipped' || needs.tf-plan.result != 'cancelled' needs: - tf-plan diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index 2159aca4..61a899ee 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -68,6 +68,7 @@ jobs: name: Publish Terraform Plan permissions: contents: read + pull-requests: write if: needs.tf-plan.result != 'skipped' || needs.tf-plan.result != 'cancelled' needs: - tf-plan From 5bd7d4f22534d5b58a2dddd6a17f2c077c1de838 Mon Sep 17 00:00:00 2001 
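Review bot: The guard on the job that now receives `pull-requests: write` is always true: `needs.tf-plan.result != 'skipped' || needs.tf-plan.result != 'cancelled'` can never be false because a single result cannot equal both strings, so the only thing actually gating the job is the implicit `success()`. If the intent is to skip when the plan job was skipped or cancelled, the operator should be `&&`: `if: needs.tf-plan.result != 'skipped' && needs.tf-plan.result != 'cancelled'`; if the intent is to publish even a failed plan, it needs `if: ${{ !cancelled() && needs.tf-plan.result != 'skipped' }}`. The identical expression appears in the deploy-staging.yml hunk on this same line and should get the same correction. Since a write-scoped token is what this hunk adds, the gate deserves to be right rather than accidentally permissive.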
From: Tyler Hendrickson Date: Mon, 18 Sep 2023 16:21:28 -0500 Subject: [PATCH 03/17] Fix error when removing nonexistent artifact (#339) * Fix error when removing nonexistent artifact * Limit "Dependency Review" job to PRs --- .github/workflows/build.yml | 2 +- .github/workflows/code-scanning.yml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 36662694..fcee0799 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -246,7 +246,7 @@ jobs: - name: Prepare artifacts output directory run: | mkdir -p $(dirname $ARTIFACTS_PATH) - rm "$ARTIFACTS_PATH" + rm -f "$ARTIFACTS_PATH" - name: Build CLI id: build run: task build-cli diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml index 91794f72..6fd7aed5 100644 --- a/.github/workflows/code-scanning.yml +++ b/.github/workflows/code-scanning.yml @@ -14,6 +14,7 @@ jobs: dependency-review: name: Dependency Review runs-on: ubuntu-latest + if: github.event_name == 'pull_request' steps: - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 with: From 9162139da35c221b17deee1cce5dacfbd4c40ee9 Mon Sep 17 00:00:00 2001 From: Tyler Hendrickson Date: Mon, 18 Sep 2023 16:40:22 -0500 Subject: [PATCH 04/17] Fix typo in command when uploading TF plan (#340) --- .github/workflows/terraform-plan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/terraform-plan.yml b/.github/workflows/terraform-plan.yml index 7979854d..6ddaf985 100644 --- a/.github/workflows/terraform-plan.yml +++ b/.github/workflows/terraform-plan.yml 
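Review bot: The line above the fixed `rm -f` still expands `$ARTIFACTS_PATH` unquoted inside `$(dirname ...)`, so the two commands disagree on quoting and a value containing spaces or glob characters would create the wrong directory; `mkdir -p "$(dirname "$ARTIFACTS_PATH")"` matches the quoted `rm -f "$ARTIFACTS_PATH"` this commit introduces. Where `ARTIFACTS_PATH` is defined is outside this hunk, so this is a defensive consistency point rather than a known failure.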
@@ -196,7 +196,7 @@ jobs: env: GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }} run: | - gpg --batch --yes --passphrase "$GPG_PASSPHRASE" 0 -c --cipher-algo AES256 tfplan + gpg --batch --yes --passphrase "$GPG_PASSPHRASE" -c --cipher-algo AES256 tfplan rm tfplan - name: Store terraform artifacts if: success() && inputs.upload-artifacts From df4c98f0166de4ffcc954847bedc93fe62943aa3 Mon Sep 17 00:00:00 2001 From: Tyler Hendrickson Date: Mon, 18 Sep 2023 17:31:33 -0500 Subject: [PATCH 05/17] Fix: Bugs during post-plan deployment steps (#341) * Skip writing comments during deployment * Exclude TF_PLUGIN_CACHE_DIR from plan artifacts * Remove any lingering TF_PLUGIN_CACHE_DIR before apply --- .github/workflows/publish-terraform-plan.yml | 2 +- .github/workflows/terraform-apply.yml | 2 ++ .github/workflows/terraform-plan.yml | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/publish-terraform-plan.yml b/.github/workflows/publish-terraform-plan.yml index e9c0b7b9..c15a92e1 100644 --- a/.github/workflows/publish-terraform-plan.yml +++ b/.github/workflows/publish-terraform-plan.yml @@ -128,7 +128,7 @@ jobs: comment-author: 'github-actions[bot]' body-includes: Terraform Summary - name: Create or update comment - if: always() + if: inputs.write-comment && inputs.pr-number != '' uses: peter-evans/create-or-update-comment@v2 with: comment-id: ${{ steps.find-comment.outputs.comment-id }} diff --git a/.github/workflows/terraform-apply.yml b/.github/workflows/terraform-apply.yml index 55671a28..5a6054b3 100644 --- a/.github/workflows/terraform-apply.yml +++ b/.github/workflows/terraform-apply.yml @@ -77,6 +77,8 @@ jobs: with: name: ${{ inputs.tf-plan-artifacts-key }} path: ${{ github.workspace }}/terraform + - name: Clear any cached provider plugins in artifact + run: rm -rf "$TF_PLUGIN_CACHE_DIR" - name: Get project TF version id: get_tf_version run: echo "TF_VERSION=$(cat .terraform-version | tr -d '[:space:]')" | tee -a $GITHUB_OUTPUT 
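Review bot: The corrected command still passes the secret via `--passphrase "$GPG_PASSPHRASE"`, which puts it in the gpg process's argument list where `ps` or `/proc/<pid>/cmdline` can read it for the lifetime of the process; on a hosted runner that is short-lived and single-tenant, but the equally short stdin form avoids it: `printf '%s' "$GPG_PASSPHRASE" | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 -c --cipher-algo AES256 tfplan`. GnuPG 2.1+ generally requires `--pinentry-mode loopback` for a non-interactive passphrase, so if the current invocation works on the runner's gpg the flag is harmless, and if it ever stops working it is the first thing to add. A comment such as `# Plan output can contain sensitive values; encrypt before it leaves the job as an artifact` would explain why the plan is wrapped at all.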
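Review bot: `peter-evans/create-or-update-comment@v2` on the step this hunk gates is pinned to a mutable tag, while the same series pins `step-security/harden-runner` to a full commit SHA with a version comment; a step that runs with a `pull-requests: write` token is exactly where a moving tag is riskiest, so pin it the same way, e.g. `uses: peter-evans/create-or-update-comment@<full-commit-sha> # v2`. The new `if: inputs.write-comment && inputs.pr-number != ''` is a sound replacement for `always()`, but it does not say which caller it is skipping; the patch description says comments are skipped during deployment, so a comment like `# deploy workflows pass write-comment=false; only PR-triggered runs have a pr-number` would keep that intent readable.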
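Review bot: `rm -rf "$TF_PLUGIN_CACHE_DIR"` has no guard against the variable being unset or empty; with `-f` the empty case silently does nothing and the job proceeds with whatever provider binaries the downloaded artifact carried, and a relative value would be resolved against the checkout directory. `run: rm -rf "${TF_PLUGIN_CACHE_DIR:?TF_PLUGIN_CACHE_DIR is not set}"` fails loudly instead. Where the variable is defined is outside this hunk, so confirm it is set at workflow or job level; a step comment such as `# Do not trust provider binaries shipped inside an artifact; init must fetch them fresh` would record why the directory is removed, assuming `terraform init` follows later in the job.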
diff --git a/.github/workflows/terraform-plan.yml b/.github/workflows/terraform-plan.yml index 6ddaf985..48f5b655 100644 --- a/.github/workflows/terraform-plan.yml +++ b/.github/workflows/terraform-plan.yml @@ -205,6 +205,7 @@ jobs: name: ${{ env.ARTIFACTS_KEY }} path: | ${{ github.workspace }}/terraform + !${{ env.TF_PLUGIN_CACHE_DIR }} !${{ github.workspace }}/terraform/.terraform if-no-files-found: error retention-days: ${{ inputs.artifacts-retention-days }} From 7e2e3fc51b50841c31645f91ad7ecb271e58870f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Sep 2023 17:46:09 -0500 Subject: [PATCH 06/17] Build(deps): Bump cloudposse/iam-policy/aws in /terraform (#316) Bumps [cloudposse/iam-policy/aws](https://github.com/cloudposse/terraform-aws-iam-policy) from 1.0.1 to 2.0.0. - [Release notes](https://github.com/cloudposse/terraform-aws-iam-policy/releases) - [Commits](https://github.com/cloudposse/terraform-aws-iam-policy/compare/1.0.1...v2) --- updated-dependencies: - dependency-name: cloudposse/iam-policy/aws dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Tyler Hendrickson --- terraform/modules/DownloadFFISSpreadsheet/main.tf | 2 +- terraform/modules/DownloadGrantsGovDB/main.tf | 2 +- terraform/modules/EnqueueFFISDownload/main.tf | 2 +- terraform/modules/ExtractGrantsGovDBToXML/main.tf | 2 +- terraform/modules/PersistFFISData/main.tf | 2 +- terraform/modules/PersistGrantsGovXMLDB/main.tf | 2 +- terraform/modules/ReceiveFFISEmail/main.tf | 2 +- terraform/modules/SplitFFISSpreadsheet/main.tf | 2 +- terraform/modules/SplitGrantsGovXMLDB/main.tf | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) 
diff --git a/terraform/modules/DownloadFFISSpreadsheet/main.tf b/terraform/modules/DownloadFFISSpreadsheet/main.tf index dad86cce..eb8ade2d 100644 --- a/terraform/modules/DownloadFFISSpreadsheet/main.tf +++ b/terraform/modules/DownloadFFISSpreadsheet/main.tf @@ -29,7 +29,7 @@ data "aws_sqs_queue" "ffis_downloads" { module "lambda_execution_policy" { source = "cloudposse/iam-policy/aws" - version = "1.0.1" + version = "2.0.0" iam_source_policy_documents = var.additional_lambda_execution_policy_documents iam_policy_statements = { diff --git a/terraform/modules/DownloadGrantsGovDB/main.tf b/terraform/modules/DownloadGrantsGovDB/main.tf index eb8a766c..e52f0646 100644 --- a/terraform/modules/DownloadGrantsGovDB/main.tf +++ b/terraform/modules/DownloadGrantsGovDB/main.tf @@ -36,7 +36,7 @@ data "aws_s3_bucket" "grants_source_data" { module "lambda_execution_policy" { source = "cloudposse/iam-policy/aws" - version = "1.0.1" + version = "2.0.0" iam_source_policy_documents = var.additional_lambda_execution_policy_documents iam_policy_statements = { diff --git a/terraform/modules/EnqueueFFISDownload/main.tf b/terraform/modules/EnqueueFFISDownload/main.tf index 63a59594..9f084b45 100644 --- a/terraform/modules/EnqueueFFISDownload/main.tf +++ b/terraform/modules/EnqueueFFISDownload/main.tf @@ -29,7 +29,7 @@ data "aws_sqs_queue" "ffis_downloads" { module "lambda_execution_policy" { source = "cloudposse/iam-policy/aws" - version = "1.0.1" + version = "2.0.0" iam_source_policy_documents = var.additional_lambda_execution_policy_documents iam_policy_statements = { diff --git a/terraform/modules/ExtractGrantsGovDBToXML/main.tf b/terraform/modules/ExtractGrantsGovDBToXML/main.tf index 93da204e..11dab449 100644 --- a/terraform/modules/ExtractGrantsGovDBToXML/main.tf +++ b/terraform/modules/ExtractGrantsGovDBToXML/main.tf 
@@ -26,7 +26,7 @@ data "aws_s3_bucket" "source_data" { module "lambda_execution_policy" { source = "cloudposse/iam-policy/aws" - version = "1.0.1" + version = "2.0.0" iam_source_policy_documents = var.additional_lambda_execution_policy_documents iam_policy_statements = { diff --git a/terraform/modules/PersistFFISData/main.tf b/terraform/modules/PersistFFISData/main.tf index 5a681644..92b90dae 100644 --- a/terraform/modules/PersistFFISData/main.tf +++ b/terraform/modules/PersistFFISData/main.tf @@ -25,7 +25,7 @@ data "aws_s3_bucket" "prepared_data" { module "lambda_execution_policy" { source = "cloudposse/iam-policy/aws" - version = "1.0.1" + version = "2.0.0" iam_source_policy_documents = var.additional_lambda_execution_policy_documents iam_policy_statements = { diff --git a/terraform/modules/PersistGrantsGovXMLDB/main.tf b/terraform/modules/PersistGrantsGovXMLDB/main.tf index 97f63bab..fa20d5cd 100644 --- a/terraform/modules/PersistGrantsGovXMLDB/main.tf +++ b/terraform/modules/PersistGrantsGovXMLDB/main.tf @@ -25,7 +25,7 @@ data "aws_s3_bucket" "prepared_data" { module "lambda_execution_policy" { source = "cloudposse/iam-policy/aws" - version = "1.0.1" + version = "2.0.0" iam_source_policy_documents = var.additional_lambda_execution_policy_documents iam_policy_statements = { diff --git a/terraform/modules/ReceiveFFISEmail/main.tf b/terraform/modules/ReceiveFFISEmail/main.tf index c95a2288..ee57a2bb 100644 --- a/terraform/modules/ReceiveFFISEmail/main.tf +++ b/terraform/modules/ReceiveFFISEmail/main.tf @@ -33,7 +33,7 @@ data "aws_s3_bucket" "grants_source_data" { module "lambda_execution_policy" { source = "cloudposse/iam-policy/aws" - version = "1.0.1" + version = "2.0.0" iam_source_policy_documents = var.additional_lambda_execution_policy_documents iam_policy_statements = { diff --git a/terraform/modules/SplitFFISSpreadsheet/main.tf b/terraform/modules/SplitFFISSpreadsheet/main.tf index 1d10cdd9..c0261a50 100644 
--- a/terraform/modules/SplitFFISSpreadsheet/main.tf +++ b/terraform/modules/SplitFFISSpreadsheet/main.tf @@ -29,7 +29,7 @@ data "aws_s3_bucket" "prepared_data" { module "lambda_execution_policy" { source = "cloudposse/iam-policy/aws" - version = "1.0.1" + version = "2.0.0" iam_source_policy_documents = var.additional_lambda_execution_policy_documents iam_policy_statements = { diff --git a/terraform/modules/SplitGrantsGovXMLDB/main.tf b/terraform/modules/SplitGrantsGovXMLDB/main.tf index a05825ce..ab989e7e 100644 --- a/terraform/modules/SplitGrantsGovXMLDB/main.tf +++ b/terraform/modules/SplitGrantsGovXMLDB/main.tf @@ -29,7 +29,7 @@ data "aws_s3_bucket" "prepared_data" { module "lambda_execution_policy" { source = "cloudposse/iam-policy/aws" - version = "1.0.1" + version = "2.0.0" iam_source_policy_documents = var.additional_lambda_execution_policy_documents iam_policy_statements = { From 28778f239f22f8dc8dc7b73d9bacbc7ea19d8661 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Sep 2023 18:05:48 -0500 Subject: [PATCH 07/17] Build(deps): Bump github.com/aws/aws-sdk-go-v2/config (#342) Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) from 1.18.38 to 1.18.40. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.18.38...config/v1.18.40) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 10 +++++----- go.sum | 15 ++++++++++----- 2 files changed, 15 insertions(+), 10 deletions(-) diff --git a/go.mod b/go.mod index a537deee..b0a3eae2 100644 --- a/go.mod +++ b/go.mod 
@@ -9,8 +9,8 @@ require ( github.com/aws/aws-lambda-go v1.41.0 github.com/aws/aws-sdk-go v1.44.332 github.com/aws/aws-sdk-go-v2 v1.21.0 - github.com/aws/aws-sdk-go-v2/config v1.18.38 - github.com/aws/aws-sdk-go-v2/credentials v1.13.36 + github.com/aws/aws-sdk-go-v2/config v1.18.40 + github.com/aws/aws-sdk-go-v2/credentials v1.13.38 github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.10.39 github.com/aws/aws-sdk-go-v2/feature/dynamodb/expression v1.4.66 github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.82 @@ -58,9 +58,9 @@ require ( github.com/aws/aws-sdk-go-v2/service/kms v1.21.1 // indirect github.com/aws/aws-sdk-go-v2/service/sfn v1.17.9 // indirect github.com/aws/aws-sdk-go-v2/service/sns v1.20.8 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.13.6 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.5 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.21.5 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.14.0 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.16.0 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.22.0 // indirect github.com/aws/aws-xray-sdk-go v1.8.1 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect github.com/davecgh/go-spew v1.1.1 // indirect diff --git a/go.sum b/go.sum index d9e03632..9f75877a 100644 --- a/go.sum +++ b/go.sum 
@@ -41,10 +41,12 @@ github.com/aws/aws-sdk-go-v2 v1.21.0/go.mod h1:/RfNgGmRxI+iFOB1OeJUyxiU+9s88k3pf github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.10/go.mod h1:VeTZetY5KRJLuD/7fkQXMU6Mw7H5m/KP2J5Iy9osMno= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.13 h1:OPLEkmhXf6xFPiz0bLeDArZIDx1NNS4oJyG4nv3Gct0= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.13/go.mod h1:gpAbvyDGQFozTEmlTFO8XcQKHzubdq0LzRyJpG6MiXM= -github.com/aws/aws-sdk-go-v2/config v1.18.38 h1:CByQCELMgm2tM1lAehx3XNg0R/pfeXsYzqn0Aq2chJQ= github.com/aws/aws-sdk-go-v2/config v1.18.38/go.mod h1:vNm9Hf5VgG2fSUWhT3zFrqN/RosGcabFMYgiSoxKFU8= -github.com/aws/aws-sdk-go-v2/credentials v1.13.36 h1:ps0cPswZjpsOk6sLwG6fdXTzrYjCplgPEyG3OUbbdqE= +github.com/aws/aws-sdk-go-v2/config v1.18.40 h1:dbu1llI/nTIL+r6sYHMeVLl99DM8J8/o1I4EPurnhLg= +github.com/aws/aws-sdk-go-v2/config v1.18.40/go.mod h1:JjrCZQwSPGCoZRQzKHyZNNueaKO+kFaEy2sR6mCzd90= github.com/aws/aws-sdk-go-v2/credentials v1.13.36/go.mod h1:sY2phUzxbygoyDtTXhqi7GjGjCQ1S5a5Rj8u3ksBxCg= +github.com/aws/aws-sdk-go-v2/credentials v1.13.38 h1:gDAuCdVlA4lmmgQhvpZlscwicloCqH44vkxLklGkQLA= +github.com/aws/aws-sdk-go-v2/credentials v1.13.38/go.mod h1:sD4G/Ybgp6s89mWIES3Xn97CsRLpxvz9uVSdv0UxY8I= github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.10.39 h1:DX/r3aNL7pIVn0K5a+ESL0Fw9ti7Rj05pblEiIJtPmQ= github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.10.39/go.mod h1:oTk09orqXlwSKnKf+UQhy+4Ci7aCo9x8hn0ZvPCLrns= github.com/aws/aws-sdk-go-v2/feature/dynamodb/expression v1.4.66 h1:DFYIZszf0vsrvC5JjiEK7cmY1sILFF8GlJNJsAMewGc= 
@@ -94,12 +96,15 @@ github.com/aws/aws-sdk-go-v2/service/sns v1.20.8 h1:wy1jYAot40/Odzpzeq9S3OfSddJJ github.com/aws/aws-sdk-go-v2/service/sns v1.20.8/go.mod h1:HmCFGnmh0Tx4Onh9xUklrVhNcCsBTeDx4n53WGhp+oY= github.com/aws/aws-sdk-go-v2/service/sqs v1.24.5 h1:RyDpTOMEJO6ycxw1vU/6s0KLFaH3M0z/z9gXHSndPTk= github.com/aws/aws-sdk-go-v2/service/sqs v1.24.5/go.mod h1:RZBu4jmYz3Nikzpu/VuVvRnTEJ5a+kf36WT2fcl5Q+Q= -github.com/aws/aws-sdk-go-v2/service/sso v1.13.6 h1:2PylFCfKCEDv6PeSN09pC/VUiRd10wi1VfHG5FrW0/g= github.com/aws/aws-sdk-go-v2/service/sso v1.13.6/go.mod h1:fIAwKQKBFu90pBxx07BFOMJLpRUGu8VOzLJakeY+0K4= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.5 h1:dnInJb4S0oy8aQuri1mV6ipLlnZPfnsDNB9BGO9PDNY= +github.com/aws/aws-sdk-go-v2/service/sso v1.14.0 h1:AR/hlTsCyk1CwlyKnPFvIMvnONydRjDDRT9OGb0i+/g= +github.com/aws/aws-sdk-go-v2/service/sso v1.14.0/go.mod h1:fIAwKQKBFu90pBxx07BFOMJLpRUGu8VOzLJakeY+0K4= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.5/go.mod h1:yygr8ACQRY2PrEcy3xsUI357stq2AxnFM6DIsR9lij4= -github.com/aws/aws-sdk-go-v2/service/sts v1.21.5 h1:CQBFElb0LS8RojMJlxRSo/HXipvTZW2S44Lt9Mk2aYQ= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.16.0 h1:vbgiXuhtn49+erlPrgIvQ+J32rg1HseaPf8lEpKbkxQ= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.16.0/go.mod h1:yygr8ACQRY2PrEcy3xsUI357stq2AxnFM6DIsR9lij4= github.com/aws/aws-sdk-go-v2/service/sts v1.21.5/go.mod h1:VC7JDqsqiwXukYEDjoHh9U0fOJtNWh04FPQz4ct4GGU= +github.com/aws/aws-sdk-go-v2/service/sts v1.22.0 h1:s4bioTgjSFRwOoyEFzAVCmFmoowBgjTR8gkrF/sQ4wk= +github.com/aws/aws-sdk-go-v2/service/sts v1.22.0/go.mod h1:VC7JDqsqiwXukYEDjoHh9U0fOJtNWh04FPQz4ct4GGU= github.com/aws/aws-xray-sdk-go v1.8.1 h1:O4pXV+hnCskaamGsZnFpzHyAmgPGusBMN6i7nnsy0Fo= github.com/aws/aws-xray-sdk-go v1.8.1/go.mod h1:wMmVYzej3sykAttNBkXQHK/+clAPWTOrPiajEk7Cp3A= github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= From 16a438c8f9dd3c11ca4746ae5916a12f7973184f Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Sep 2023 18:27:32 -0500 Subject: [PATCH 08/17] Build(deps): Bump github.com/aws/aws-sdk-go-v2/feature/s3/manager (#345) Bumps [github.com/aws/aws-sdk-go-v2/feature/s3/manager](https://github.com/aws/aws-sdk-go-v2) from 1.11.82 to 1.11.84. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/feature/s3/manager/v1.11.82...feature/s3/manager/v1.11.84) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/feature/s3/manager dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 9 ++------- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/go.mod b/go.mod index b0a3eae2..34c5e231 100644 --- a/go.mod +++ b/go.mod @@ -13,7 +13,7 @@ require ( github.com/aws/aws-sdk-go-v2/credentials v1.13.38 github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.10.39 github.com/aws/aws-sdk-go-v2/feature/dynamodb/expression v1.4.66 - github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.82 + github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.84 github.com/aws/aws-sdk-go-v2/service/dynamodb v1.21.5 github.com/aws/aws-sdk-go-v2/service/eventbridge v1.20.5 github.com/aws/aws-sdk-go-v2/service/s3 v1.38.5 diff --git a/go.sum b/go.sum index 9f75877a..c3e8c3a6 100644 --- a/go.sum +++ b/go.sum 
@@ -41,10 +41,8 @@ github.com/aws/aws-sdk-go-v2 v1.21.0/go.mod h1:/RfNgGmRxI+iFOB1OeJUyxiU+9s88k3pf github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.10/go.mod h1:VeTZetY5KRJLuD/7fkQXMU6Mw7H5m/KP2J5Iy9osMno= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.13 h1:OPLEkmhXf6xFPiz0bLeDArZIDx1NNS4oJyG4nv3Gct0= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.13/go.mod h1:gpAbvyDGQFozTEmlTFO8XcQKHzubdq0LzRyJpG6MiXM= -github.com/aws/aws-sdk-go-v2/config v1.18.38/go.mod h1:vNm9Hf5VgG2fSUWhT3zFrqN/RosGcabFMYgiSoxKFU8= github.com/aws/aws-sdk-go-v2/config v1.18.40 h1:dbu1llI/nTIL+r6sYHMeVLl99DM8J8/o1I4EPurnhLg= github.com/aws/aws-sdk-go-v2/config v1.18.40/go.mod h1:JjrCZQwSPGCoZRQzKHyZNNueaKO+kFaEy2sR6mCzd90= -github.com/aws/aws-sdk-go-v2/credentials v1.13.36/go.mod h1:sY2phUzxbygoyDtTXhqi7GjGjCQ1S5a5Rj8u3ksBxCg= github.com/aws/aws-sdk-go-v2/credentials v1.13.38 h1:gDAuCdVlA4lmmgQhvpZlscwicloCqH44vkxLklGkQLA= github.com/aws/aws-sdk-go-v2/credentials v1.13.38/go.mod h1:sD4G/Ybgp6s89mWIES3Xn97CsRLpxvz9uVSdv0UxY8I= github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.10.39 h1:DX/r3aNL7pIVn0K5a+ESL0Fw9ti7Rj05pblEiIJtPmQ= 
@@ -53,8 +51,8 @@ github.com/aws/aws-sdk-go-v2/feature/dynamodb/expression v1.4.66 h1:DFYIZszf0vsr github.com/aws/aws-sdk-go-v2/feature/dynamodb/expression v1.4.66/go.mod h1:G8zHK3ouHuARBTgMjv5e4QvR9qFtujU5cewhDks4vm0= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11 h1:uDZJF1hu0EVT/4bogChk8DyjSF6fof6uL/0Y26Ma7Fg= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11/go.mod h1:TEPP4tENqBGO99KwVpV9MlOX4NSrSLP8u3KRy2CDwA8= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.82 h1:gPh2fLhr1kwH2HXFhs1kCblIgHTabqE1N9gwYPhS/fw= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.82/go.mod h1:4pzmxw8ZmkpbvGqrmedWaXuDL2xcABews1VLYqe9Djk= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.84 h1:LENrVcqnWTyI8fbIUCvxAMe+fXbREIaXzcR8WPwco1U= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.84/go.mod h1:LHxCiYAStsgps4srke7HujyADd504MSkNXjLpOtICTc= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.32/go.mod h1:RudqOgadTWdcS3t/erPQo24pcVEoYyqj/kKW5Vya21I= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.33/go.mod h1:7i0PF1ME/2eUPFcjkVIwq+DOygHEoK92t5cDqNgYbIw= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41 h1:22dGT7PneFMx4+b3pz7lMTRyN8ZKH7M2cW4GP9yUS2g= 
@@ -96,13 +94,10 @@ github.com/aws/aws-sdk-go-v2/service/sns v1.20.8 h1:wy1jYAot40/Odzpzeq9S3OfSddJJ github.com/aws/aws-sdk-go-v2/service/sns v1.20.8/go.mod h1:HmCFGnmh0Tx4Onh9xUklrVhNcCsBTeDx4n53WGhp+oY= github.com/aws/aws-sdk-go-v2/service/sqs v1.24.5 h1:RyDpTOMEJO6ycxw1vU/6s0KLFaH3M0z/z9gXHSndPTk= github.com/aws/aws-sdk-go-v2/service/sqs v1.24.5/go.mod h1:RZBu4jmYz3Nikzpu/VuVvRnTEJ5a+kf36WT2fcl5Q+Q= -github.com/aws/aws-sdk-go-v2/service/sso v1.13.6/go.mod h1:fIAwKQKBFu90pBxx07BFOMJLpRUGu8VOzLJakeY+0K4= github.com/aws/aws-sdk-go-v2/service/sso v1.14.0 h1:AR/hlTsCyk1CwlyKnPFvIMvnONydRjDDRT9OGb0i+/g= github.com/aws/aws-sdk-go-v2/service/sso v1.14.0/go.mod h1:fIAwKQKBFu90pBxx07BFOMJLpRUGu8VOzLJakeY+0K4= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.5/go.mod h1:yygr8ACQRY2PrEcy3xsUI357stq2AxnFM6DIsR9lij4= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.16.0 h1:vbgiXuhtn49+erlPrgIvQ+J32rg1HseaPf8lEpKbkxQ= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.16.0/go.mod h1:yygr8ACQRY2PrEcy3xsUI357stq2AxnFM6DIsR9lij4= -github.com/aws/aws-sdk-go-v2/service/sts v1.21.5/go.mod h1:VC7JDqsqiwXukYEDjoHh9U0fOJtNWh04FPQz4ct4GGU= github.com/aws/aws-sdk-go-v2/service/sts v1.22.0 h1:s4bioTgjSFRwOoyEFzAVCmFmoowBgjTR8gkrF/sQ4wk= github.com/aws/aws-sdk-go-v2/service/sts v1.22.0/go.mod h1:VC7JDqsqiwXukYEDjoHh9U0fOJtNWh04FPQz4ct4GGU= github.com/aws/aws-xray-sdk-go v1.8.1 h1:O4pXV+hnCskaamGsZnFpzHyAmgPGusBMN6i7nnsy0Fo= From 80b68baa280f753882bd6ea4d2abbe8e83312891 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Sep 2023 23:37:55 +0000 Subject: [PATCH 09/17] Build(deps): Bump github.com/aws/aws-sdk-go from 1.44.332 to 1.45.12 (#343) Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.332 to 1.45.12. - [Release notes](https://github.com/aws/aws-sdk-go/releases) - [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.332...v1.45.12) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 34c5e231..157db24c 100644 --- a/go.mod +++ b/go.mod @@ -7,7 +7,7 @@ require ( github.com/Netflix/go-env v0.0.0-20220526054621-78278af1949d github.com/alecthomas/kong v0.8.0 github.com/aws/aws-lambda-go v1.41.0 - github.com/aws/aws-sdk-go v1.44.332 + github.com/aws/aws-sdk-go v1.45.12 github.com/aws/aws-sdk-go-v2 v1.21.0 github.com/aws/aws-sdk-go-v2/config v1.18.40 github.com/aws/aws-sdk-go-v2/credentials v1.13.38 diff --git a/go.sum b/go.sum index c3e8c3a6..1d265d5e 100644 --- a/go.sum +++ b/go.sum 
@@ -32,8 +32,8 @@ github.com/andybalholm/brotli v1.0.5/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHG github.com/aws/aws-lambda-go v1.41.0 h1:l/5fyVb6Ud9uYd411xdHZzSf2n86TakxzpvIoz7l+3Y= github.com/aws/aws-lambda-go v1.41.0/go.mod h1:jwFe2KmMsHmffA1X2R09hH6lFzJQxzI8qK17ewzbQMM= github.com/aws/aws-sdk-go v1.44.256/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= -github.com/aws/aws-sdk-go v1.44.332 h1:Ze+98F41+LxoJUdsisAFThV+0yYYLYw17/Vt0++nFYM= -github.com/aws/aws-sdk-go v1.44.332/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= +github.com/aws/aws-sdk-go v1.45.12 h1:+bKbbesGNPp+TeGrcqfrWuZoqcIEhjwKyBMHQPp80Jo= +github.com/aws/aws-sdk-go v1.45.12/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= github.com/aws/aws-sdk-go-v2 v1.17.8/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw= github.com/aws/aws-sdk-go-v2 v1.18.0/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw= github.com/aws/aws-sdk-go-v2 v1.21.0 h1:gMT0IW+03wtYJhRqTVYn0wLzwdnK9sRMcxmtfGzRdJc= From 03e137b83e6e6644d6f3be9019fd84da9e044522 Mon Sep 17 00:00:00 2001 From: Tyler Hendrickson Date: Mon, 18 Sep 2023 19:49:21 -0500 Subject: [PATCH 10/17] Set TF lock table name for Prod (#346) --- terraform/production.s3.tfbackend | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/production.s3.tfbackend b/terraform/production.s3.tfbackend index a5451e96..8ccd3946 100644 --- a/terraform/production.s3.tfbackend +++ b/terraform/production.s3.tfbackend @@ -1,5 +1,5 @@ region = "us-west-2" bucket = "729134339726-us-west-2-terraform" key = "usdr/grants_ingest/prod/us-west-2/terraform.tfstate" -dynamodb_table = "grantsingest-prod-terraform-lock" +dynamodb_table = "grantsingest-terraform-lock" encrypt = "true" From 5d920d6ef844f3eead2bbad9b17b4e88e6b7d982 Mon Sep 17 00:00:00 2001 
From: Tyler Hendrickson
Date: Mon, 18 Sep 2023 20:20:40 -0500
Subject: [PATCH 11/17] Remove env segment from SSM path prefix (#348)
---
 terraform/production.tfvars | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/production.tfvars b/terraform/production.tfvars
index 24e934cf..36de005f 100644
--- a/terraform/production.tfvars
+++ b/terraform/production.tfvars
@@ -1,6 +1,6 @@
 namespace = "grants_ingest"
 environment = "production"
-ssm_deployment_parameters_path_prefix = "/grants_ingest/production/deploy-config"
+ssm_deployment_parameters_path_prefix = "/grants_ingest/deploy-config"
 lambda_binaries_autobuild = false
 lambda_default_log_retention_in_days = 30
 lambda_default_log_level = "INFO"
From 401e08b1a86f8a3b4f5bcfa14969161de938ef92 Mon Sep 17 00:00:00 2001
From: Tyler Hendrickson
Date: Mon, 18 Sep 2023 21:04:54 -0500
Subject: [PATCH 12/17] Revert "Build(deps): Bump cloudposse/iam-policy/aws in /terraform (#316)" (#349)
This reverts commit 7e2e3fc51b50841c31645f91ad7ecb271e58870f.
---
 terraform/modules/DownloadFFISSpreadsheet/main.tf | 2 +-
 terraform/modules/DownloadGrantsGovDB/main.tf | 2 +-
 terraform/modules/EnqueueFFISDownload/main.tf | 2 +-
 terraform/modules/ExtractGrantsGovDBToXML/main.tf | 2 +-
 terraform/modules/PersistFFISData/main.tf | 2 +-
 terraform/modules/PersistGrantsGovXMLDB/main.tf | 2 +-
 terraform/modules/ReceiveFFISEmail/main.tf | 2 +-
 terraform/modules/SplitFFISSpreadsheet/main.tf | 2 +-
 terraform/modules/SplitGrantsGovXMLDB/main.tf | 2 +-
 9 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/terraform/modules/DownloadFFISSpreadsheet/main.tf b/terraform/modules/DownloadFFISSpreadsheet/main.tf
index eb8ade2d..dad86cce 100644
--- a/terraform/modules/DownloadFFISSpreadsheet/main.tf
+++ b/terraform/modules/DownloadFFISSpreadsheet/main.tf
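Review bot: The production value `ssm_deployment_parameters_path_prefix = "/grants_ingest/deploy-config"` no longer carries an environment segment, so anything keyed on this prefix — IAM policy conditions scoped to the parameter path, or the deploy-config reads themselves — can no longer distinguish production parameters from those of another environment. That only matters if staging and production are deployed into the same AWS account, which this series does not show either way; the parallel staging.tfvars change listed in the series diffstat is outside this chunk. If the environments can ever be co-located, keep an environment-bearing segment in the prefix or scope the deploy roles by account; otherwise a comment beside the variable, `# No environment segment: each environment is assumed to live in its own AWS account`, would record the assumption the shorter path relies on.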
@@ -29,7 +29,7 @@ data "aws_sqs_queue" "ffis_downloads" {
 module "lambda_execution_policy" {
 source = "cloudposse/iam-policy/aws"
- version = "2.0.0"
+ version = "1.0.1"
 iam_source_policy_documents = var.additional_lambda_execution_policy_documents
 iam_policy_statements = {
diff --git a/terraform/modules/DownloadGrantsGovDB/main.tf b/terraform/modules/DownloadGrantsGovDB/main.tf
index e52f0646..eb8a766c 100644
--- a/terraform/modules/DownloadGrantsGovDB/main.tf
+++ b/terraform/modules/DownloadGrantsGovDB/main.tf
@@ -36,7 +36,7 @@ data "aws_s3_bucket" "grants_source_data" {
 module "lambda_execution_policy" {
 source = "cloudposse/iam-policy/aws"
- version = "2.0.0"
+ version = "1.0.1"
 iam_source_policy_documents = var.additional_lambda_execution_policy_documents
 iam_policy_statements = {
diff --git a/terraform/modules/EnqueueFFISDownload/main.tf b/terraform/modules/EnqueueFFISDownload/main.tf
index 9f084b45..63a59594 100644
--- a/terraform/modules/EnqueueFFISDownload/main.tf
+++ b/terraform/modules/EnqueueFFISDownload/main.tf
@@ -29,7 +29,7 @@ data "aws_sqs_queue" "ffis_downloads" {
 module "lambda_execution_policy" {
 source = "cloudposse/iam-policy/aws"
- version = "2.0.0"
+ version = "1.0.1"
 iam_source_policy_documents = var.additional_lambda_execution_policy_documents
 iam_policy_statements = {
diff --git a/terraform/modules/ExtractGrantsGovDBToXML/main.tf b/terraform/modules/ExtractGrantsGovDBToXML/main.tf
index 11dab449..93da204e 100644
--- a/terraform/modules/ExtractGrantsGovDBToXML/main.tf
+++ b/terraform/modules/ExtractGrantsGovDBToXML/main.tf
@@ -26,7 +26,7 @@ data "aws_s3_bucket" "source_data" {
 module "lambda_execution_policy" {
 source = "cloudposse/iam-policy/aws"
- version = "2.0.0"
+ version = "1.0.1"
 iam_source_policy_documents = var.additional_lambda_execution_policy_documents
 iam_policy_statements = {
diff --git a/terraform/modules/PersistFFISData/main.tf b/terraform/modules/PersistFFISData/main.tf
index 92b90dae..5a681644 100644
--- a/terraform/modules/PersistFFISData/main.tf
+++ b/terraform/modules/PersistFFISData/main.tf
@@ -25,7 +25,7 @@ data "aws_s3_bucket" "prepared_data" {
 module "lambda_execution_policy" {
 source = "cloudposse/iam-policy/aws"
- version = "2.0.0"
+ version = "1.0.1"
 iam_source_policy_documents = var.additional_lambda_execution_policy_documents
 iam_policy_statements = {
diff --git a/terraform/modules/PersistGrantsGovXMLDB/main.tf b/terraform/modules/PersistGrantsGovXMLDB/main.tf
index fa20d5cd..97f63bab 100644
--- a/terraform/modules/PersistGrantsGovXMLDB/main.tf
+++ b/terraform/modules/PersistGrantsGovXMLDB/main.tf
@@ -25,7 +25,7 @@ data "aws_s3_bucket" "prepared_data" {
 module "lambda_execution_policy" {
 source = "cloudposse/iam-policy/aws"
- version = "2.0.0"
+ version = "1.0.1"
 iam_source_policy_documents = var.additional_lambda_execution_policy_documents
 iam_policy_statements = {
diff --git a/terraform/modules/ReceiveFFISEmail/main.tf b/terraform/modules/ReceiveFFISEmail/main.tf
index ee57a2bb..c95a2288 100644
--- a/terraform/modules/ReceiveFFISEmail/main.tf
+++ b/terraform/modules/ReceiveFFISEmail/main.tf
@@ -33,7 +33,7 @@ data "aws_s3_bucket" "grants_source_data" {
 module "lambda_execution_policy" {
 source = "cloudposse/iam-policy/aws"
- version = "2.0.0"
+ version = "1.0.1"
 iam_source_policy_documents = var.additional_lambda_execution_policy_documents
 iam_policy_statements = {
diff --git a/terraform/modules/SplitFFISSpreadsheet/main.tf b/terraform/modules/SplitFFISSpreadsheet/main.tf
index c0261a50..1d10cdd9 100644
--- a/terraform/modules/SplitFFISSpreadsheet/main.tf
+++ b/terraform/modules/SplitFFISSpreadsheet/main.tf
@@ -29,7 +29,7 @@ data "aws_s3_bucket" "prepared_data" {
 module "lambda_execution_policy" {
 source = "cloudposse/iam-policy/aws"
- version = "2.0.0"
+ version = "1.0.1"
 iam_source_policy_documents = var.additional_lambda_execution_policy_documents
 iam_policy_statements = {
diff --git a/terraform/modules/SplitGrantsGovXMLDB/main.tf b/terraform/modules/SplitGrantsGovXMLDB/main.tf
index ab989e7e..a05825ce 100644
--- a/terraform/modules/SplitGrantsGovXMLDB/main.tf
+++ b/terraform/modules/SplitGrantsGovXMLDB/main.tf
@@ -29,7 +29,7 @@ data "aws_s3_bucket" "prepared_data" {
 module "lambda_execution_policy" {
 source = "cloudposse/iam-policy/aws"
- version = "2.0.0"
+ version = "1.0.1"
 iam_source_policy_documents = var.additional_lambda_execution_policy_documents
 iam_policy_statements = {
From 506f1b30b1a75b2c7b30852b49c8fc7a0121cc03 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 19 Sep 2023 02:54:09 +0000
Subject: [PATCH 13/17] Build(deps): Bump gopkg.in/DataDog/dd-trace-go.v1 from 1.54.0 to 1.55.0 (#352)
Bumps gopkg.in/DataDog/dd-trace-go.v1 from 1.54.0 to 1.55.0.
---
updated-dependencies:
- dependency-name: gopkg.in/DataDog/dd-trace-go.v1
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 48 ++++++++++++-------------
 go.sum | 111 +++++++++++++++++++++++++++++----------------------------
 2 files changed, 80 insertions(+), 79 deletions(-)
diff --git a/go.mod b/go.mod
index 157db24c..d52cee15 100644
--- a/go.mod
+++ b/go.mod
@@ -29,16 +29,16 @@ require ( github.com/stretchr/testify v1.8.4 github.com/willabides/kongplete v0.3.0 github.com/xuri/excelize/v2 v2.7.1 - gopkg.in/DataDog/dd-trace-go.v1 v1.54.0 + gopkg.in/DataDog/dd-trace-go.v1 v1.55.0 ) require ( github.com/DataDog/appsec-internal-go v1.0.0 // indirect - github.com/DataDog/datadog-agent/pkg/obfuscate v0.45.0-rc.1 // indirect + github.com/DataDog/datadog-agent/pkg/obfuscate v0.46.0 // indirect github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.0-devel.0.20230725154044-2549ba9058df // indirect github.com/DataDog/datadog-go/v5 v5.3.0 // indirect - github.com/DataDog/go-libddwaf v1.4.2 // indirect - github.com/DataDog/go-tuf v1.0.1-0.5.2 // indirect + github.com/DataDog/go-libddwaf v1.5.0 // indirect + github.com/DataDog/go-tuf v1.0.2-0.5.2 // indirect github.com/DataDog/sketches-go v1.4.2 // indirect github.com/Microsoft/go-winio v0.6.1 // indirect github.com/andybalholm/brotli v1.0.5 // indirect 
@@ -54,29 +54,29 @@ require ( github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.7.35 // indirect github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.35 // indirect github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.4 // indirect - github.com/aws/aws-sdk-go-v2/service/kinesis v1.17.10 // indirect + github.com/aws/aws-sdk-go-v2/service/kinesis v1.18.4 // indirect github.com/aws/aws-sdk-go-v2/service/kms v1.21.1 // indirect - github.com/aws/aws-sdk-go-v2/service/sfn v1.17.9 // indirect - github.com/aws/aws-sdk-go-v2/service/sns v1.20.8 // indirect + github.com/aws/aws-sdk-go-v2/service/sfn v1.19.4 // indirect + github.com/aws/aws-sdk-go-v2/service/sns v1.21.4 // indirect github.com/aws/aws-sdk-go-v2/service/sso v1.14.0 // indirect github.com/aws/aws-sdk-go-v2/service/ssooidc v1.16.0 // indirect github.com/aws/aws-sdk-go-v2/service/sts v1.22.0 // indirect github.com/aws/aws-xray-sdk-go v1.8.1 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect - github.com/davecgh/go-spew v1.1.1 // indirect + github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/dustin/go-humanize v1.0.1 // indirect - github.com/ebitengine/purego v0.5.0-alpha // indirect + github.com/ebitengine/purego v0.5.0-alpha.1 // indirect github.com/go-logfmt/logfmt v0.6.0 // indirect github.com/golang/protobuf v1.5.3 // indirect github.com/google/uuid v1.3.0 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect - github.com/klauspost/compress v1.16.5 // indirect + github.com/klauspost/compress v1.16.7 // indirect github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect - github.com/outcaste-io/ristretto v0.2.1 // indirect + github.com/outcaste-io/ristretto v0.2.3 // indirect github.com/philhofer/fwd v1.1.2 // indirect github.com/pkg/errors v0.9.1 // indirect - github.com/pmezard/go-difflib v1.0.0 // indirect + github.com/pmezard/go-difflib 
v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/richardlehane/mscfb v1.0.4 // indirect github.com/richardlehane/msoleps v1.0.3 // indirect github.com/riywo/loginshell v0.0.0-20200815045211-7d26008be1ab // indirect 
@@ -86,23 +86,23 @@ require ( github.com/sony/gobreaker v0.5.0 // indirect github.com/tinylib/msgp v1.1.8 // indirect github.com/valyala/bytebufferpool v1.0.0 // indirect - github.com/valyala/fasthttp v1.47.0 // indirect + github.com/valyala/fasthttp v1.48.0 // indirect github.com/xuri/efp v0.0.0-20220603152613-6918739fd470 // indirect github.com/xuri/nfp v0.0.0-20220409054826-5e722a1d9e22 // indirect go.uber.org/atomic v1.11.0 // indirect - go4.org/intern v0.0.0-20230205224052-192e9f60865c // indirect - go4.org/unsafe/assume-no-moving-gc v0.0.0-20230426161633-7e06285ff160 // indirect - golang.org/x/crypto v0.11.0 // indirect - golang.org/x/mod v0.10.0 // indirect - golang.org/x/net v0.10.0 // indirect - golang.org/x/sys v0.10.0 // indirect - golang.org/x/text v0.11.0 // indirect + go4.org/intern v0.0.0-20230525184215-6c62f75575cb // indirect + go4.org/unsafe/assume-no-moving-gc v0.0.0-20230525183740-e7c30c78aeb2 // indirect + golang.org/x/crypto v0.12.0 // indirect + golang.org/x/mod v0.12.0 // indirect + golang.org/x/net v0.14.0 // indirect + golang.org/x/sys v0.11.0 // indirect + golang.org/x/text v0.12.0 // indirect golang.org/x/time v0.3.0 // indirect - golang.org/x/tools v0.9.2 // indirect + golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect - google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect - google.golang.org/grpc v1.55.0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc // indirect + google.golang.org/grpc v1.57.0 // indirect google.golang.org/protobuf v1.30.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - inet.af/netaddr v0.0.0-20220811202034-502d2d690317 // indirect + inet.af/netaddr v0.0.0-20230525184311-b8eac61e914a // indirect ) diff --git a/go.sum b/go.sum index 1d265d5e..93685988 100644 --- a/go.sum +++ b/go.sum 
@@ -1,8 +1,8 @@ github.com/DATA-DOG/go-sqlmock v1.4.1 h1:ThlnYciV1iM/V0OSF/dtkqWb6xo5qITT1TJBG1MRDJM= github.com/DataDog/appsec-internal-go v1.0.0 h1:2u5IkF4DBj3KVeQn5Vg2vjPUtt513zxEYglcqnd500U= github.com/DataDog/appsec-internal-go v1.0.0/go.mod h1:+Y+4klVWKPOnZx6XESG7QHydOaUGEXyH2j/vSg9JiNM= -github.com/DataDog/datadog-agent/pkg/obfuscate v0.45.0-rc.1 h1:XyYvstMFpSyZtfJHWJm1Sf1meNyCdfhKJrjB6+rUNOk= -github.com/DataDog/datadog-agent/pkg/obfuscate v0.45.0-rc.1/go.mod h1:e933RWa4kAWuHi5jpzEuOiULlv21HcCFEVIYegmaB5c= +github.com/DataDog/datadog-agent/pkg/obfuscate v0.46.0 h1:rUNnUcHC4AlxoImuXmZeOfi6H80BDBHzeagWXWCVhnA= +github.com/DataDog/datadog-agent/pkg/obfuscate v0.46.0/go.mod h1:e933RWa4kAWuHi5jpzEuOiULlv21HcCFEVIYegmaB5c= github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.0-devel.0.20230725154044-2549ba9058df h1:PbzrhHhs2+RRdKKti7JBSM8ATIeiji2T2cVt/d8GT8k= github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.0-devel.0.20230725154044-2549ba9058df/go.mod h1:5Q39ZOIOwZMnFyRadp+5gH1bFdjmb+Pgxe+j5XOwaTg= github.com/DataDog/datadog-go/v5 v5.1.1/go.mod h1:KhiYb2Badlv9/rofz+OznKoEF5XKTonWyhx5K83AP8E= 
@@ -10,11 +10,11 @@ github.com/DataDog/datadog-go/v5 v5.3.0 h1:2q2qjFOb3RwAZNU+ez27ZVDwErJv5/VpbBPpr github.com/DataDog/datadog-go/v5 v5.3.0/go.mod h1:XRDJk1pTc00gm+ZDiBKsjh7oOOtJfYfglVCmFb8C2+Q= github.com/DataDog/datadog-lambda-go v1.9.0 h1:XtvshiRTzDNVQQAkNuMqUDMyCcfJJ0eLSLCOOKB52jQ= github.com/DataDog/datadog-lambda-go v1.9.0/go.mod h1:TlnzDhuHlkedDvDYEc9Yo+15iAbYakYaIIeySC+Yguw= -github.com/DataDog/go-libddwaf v1.4.2 h1:JgHc+ARmfIzVqEl31HLedVYiNCu3LAQiluvpeNnEx2o= -github.com/DataDog/go-libddwaf v1.4.2/go.mod h1:l2+rV8UlnYANNNECQyBE/a1dgc0qP0vg0xcgBscg7Mw= -github.com/DataDog/go-tuf v1.0.1-0.5.2 h1:gld/e3MXfFVB/O8hc3mloP1ayFk75Mmdkmll/9lyd9I= -github.com/DataDog/go-tuf v1.0.1-0.5.2/go.mod h1:zBcq6f654iVqmkk8n2Cx81E1JnNTMOAx1UEO/wZR+P0= -github.com/DataDog/gostackparse v0.5.0 h1:jb72P6GFHPHz2W0onsN51cS3FkaMDcjb0QzgxxA4gDk= +github.com/DataDog/go-libddwaf v1.5.0 h1:lrHP3VrEriy1M5uQuaOcKphf5GU40mBhihMAp6Ik55c= +github.com/DataDog/go-libddwaf v1.5.0/go.mod h1:Fpnmoc2k53h6desQrH1P0/gR52CUzkLNFugE5zWwUBQ= +github.com/DataDog/go-tuf v1.0.2-0.5.2 h1:EeZr937eKAWPxJ26IykAdWA4A0jQXJgkhUjqEI/w7+I= +github.com/DataDog/go-tuf v1.0.2-0.5.2/go.mod h1:zBcq6f654iVqmkk8n2Cx81E1JnNTMOAx1UEO/wZR+P0= +github.com/DataDog/gostackparse v0.7.0 h1:i7dLkXHvYzHV308hnkvVGDL3BR4FWl7IsXNPz/IGQh4= github.com/DataDog/sketches-go v1.4.2 h1:gppNudE9d19cQ98RYABOetxIhpTCl4m7CnbRZjvVA/o= github.com/DataDog/sketches-go v1.4.2/go.mod h1:xJIXldczJyyjnbDop7ZZcLxJdV3+7Kra7H1KMgpgkLk= github.com/Microsoft/go-winio v0.5.0/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= 
@@ -34,11 +34,10 @@ github.com/aws/aws-lambda-go v1.41.0/go.mod h1:jwFe2KmMsHmffA1X2R09hH6lFzJQxzI8q github.com/aws/aws-sdk-go v1.44.256/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= github.com/aws/aws-sdk-go v1.45.12 h1:+bKbbesGNPp+TeGrcqfrWuZoqcIEhjwKyBMHQPp80Jo= github.com/aws/aws-sdk-go v1.45.12/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= -github.com/aws/aws-sdk-go-v2 v1.17.8/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw= github.com/aws/aws-sdk-go-v2 v1.18.0/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw= +github.com/aws/aws-sdk-go-v2 v1.20.3/go.mod h1:/RfNgGmRxI+iFOB1OeJUyxiU+9s88k3pfHvDagGEp0M= github.com/aws/aws-sdk-go-v2 v1.21.0 h1:gMT0IW+03wtYJhRqTVYn0wLzwdnK9sRMcxmtfGzRdJc= github.com/aws/aws-sdk-go-v2 v1.21.0/go.mod h1:/RfNgGmRxI+iFOB1OeJUyxiU+9s88k3pfHvDagGEp0M= -github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.10/go.mod h1:VeTZetY5KRJLuD/7fkQXMU6Mw7H5m/KP2J5Iy9osMno= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.13 h1:OPLEkmhXf6xFPiz0bLeDArZIDx1NNS4oJyG4nv3Gct0= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.13/go.mod h1:gpAbvyDGQFozTEmlTFO8XcQKHzubdq0LzRyJpG6MiXM= github.com/aws/aws-sdk-go-v2/config v1.18.40 h1:dbu1llI/nTIL+r6sYHMeVLl99DM8J8/o1I4EPurnhLg= 
@@ -53,12 +52,12 @@ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11 h1:uDZJF1hu0EVT/4bogChk8D github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11/go.mod h1:TEPP4tENqBGO99KwVpV9MlOX4NSrSLP8u3KRy2CDwA8= github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.84 h1:LENrVcqnWTyI8fbIUCvxAMe+fXbREIaXzcR8WPwco1U= github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.84/go.mod h1:LHxCiYAStsgps4srke7HujyADd504MSkNXjLpOtICTc= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.32/go.mod h1:RudqOgadTWdcS3t/erPQo24pcVEoYyqj/kKW5Vya21I= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.33/go.mod h1:7i0PF1ME/2eUPFcjkVIwq+DOygHEoK92t5cDqNgYbIw= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.40/go.mod h1:5kKmFhLeOVy6pwPDpDNA6/hK/d6URC98pqDDqHgdBx4= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41 h1:22dGT7PneFMx4+b3pz7lMTRyN8ZKH7M2cW4GP9yUS2g= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41/go.mod h1:CrObHAuPneJBlfEJ5T3szXOUkLEThaGfvnhTf33buas= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.26/go.mod h1:vq86l7956VgFr0/FWQ2BWnK07QC3WYsepKzy33qqY5U= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.27/go.mod h1:UrHnn3QV/d0pBZ6QBAEQcqFLf8FAzLmoUfPVIueOvoM= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.34/go.mod h1:RZP0scceAyhMIQ9JvFp7HvkpcgqjL4l/4C+7RAeGbuM= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35 h1:SijA0mgjV8E+8G45ltVHs0fvKpTj8xmZJ3VwhGKtUSI= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35/go.mod h1:SJC1nEVVva1g3pHAIdCp7QsRIkMmLAgoDquQ9Rr8kYw= github.com/aws/aws-sdk-go-v2/internal/ini v1.3.42 h1:GPUcE/Yq7Ur8YSUk6lVkoIMWnJNO0HT18GUzCWCgCI0= 
@@ -82,16 +81,16 @@ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.35 h1:CdzPW9kKi github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.35/go.mod h1:QGF2Rs33W5MaN9gYdEQOBBFPLwTZkEhRwI33f7KIG0o= github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.4 h1:v0jkRigbSD6uOdwcaUQmgEwG1BkPfAPDqaeNt/29ghg= github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.4/go.mod h1:LhTyt8J04LL+9cIt7pYJ5lbS/U98ZmXovLOR/4LUsk8= -github.com/aws/aws-sdk-go-v2/service/kinesis v1.17.10 h1:bfR+hoEQD1vokNTV1JxSmmaBskT4yI/iF1SjvAYzbvA= -github.com/aws/aws-sdk-go-v2/service/kinesis v1.17.10/go.mod h1:hj0KX0oXSiPyVhjYUqZvC02ElFlp47fe5srakVIVDNU= +github.com/aws/aws-sdk-go-v2/service/kinesis v1.18.4 h1:UohaQds+Puk9BEbvncXkZduIGYImxohbFpVmSoymXck= +github.com/aws/aws-sdk-go-v2/service/kinesis v1.18.4/go.mod h1:HnjgmL8TNmYtGcrA3N6EeCnDvlX6CteCdUbZ1wV8QWQ= github.com/aws/aws-sdk-go-v2/service/kms v1.21.1 h1:Q03Jqh1enA8keCiGZpLetpk58Ll9iGejE5bOErxyGAU= github.com/aws/aws-sdk-go-v2/service/kms v1.21.1/go.mod h1:EEfb4gfSphdVpRo5sGf2W3KvJbelYUno5VaXR5MJ3z4= github.com/aws/aws-sdk-go-v2/service/s3 v1.38.5 h1:A42xdtStObqy7NGvzZKpnyNXvoOmm+FENobZ0/ssHWk= github.com/aws/aws-sdk-go-v2/service/s3 v1.38.5/go.mod h1:rDGMZA7f4pbmTtPOk5v5UM2lmX6UAbRnMDJeDvnH7AM= -github.com/aws/aws-sdk-go-v2/service/sfn v1.17.9 h1:u6nKx6nKoDrWVpeLqwMFs2eC4Emn2Fjm+2iZ3+qJQYY= -github.com/aws/aws-sdk-go-v2/service/sfn v1.17.9/go.mod h1:kXJNJcl+dIeh3Hz6XvzzoOVWHjB0lyZHYnxXquHmsa0= -github.com/aws/aws-sdk-go-v2/service/sns v1.20.8 h1:wy1jYAot40/Odzpzeq9S3OfSddJJ5RmpaKujvj5Hz7k= -github.com/aws/aws-sdk-go-v2/service/sns v1.20.8/go.mod h1:HmCFGnmh0Tx4Onh9xUklrVhNcCsBTeDx4n53WGhp+oY= +github.com/aws/aws-sdk-go-v2/service/sfn v1.19.4 h1:yIyFY2kbCOoHvuivf9minqnP2RLYJgmvQRYxakIb2oI= +github.com/aws/aws-sdk-go-v2/service/sfn v1.19.4/go.mod h1:uWCH4ATwNrkRO40j8Dmy7u/Y1/BVWgCM+YjBNYZeOro= +github.com/aws/aws-sdk-go-v2/service/sns v1.21.4 h1:Asj098jPfIZYzAbk4xVFwVBGij5hgMcli0d+5Pe4aZA= 
+github.com/aws/aws-sdk-go-v2/service/sns v1.21.4/go.mod h1:bbB779DXXOnPXvB7F3dP7AjuV1Eyr7fNyrA058ExuzY= github.com/aws/aws-sdk-go-v2/service/sqs v1.24.5 h1:RyDpTOMEJO6ycxw1vU/6s0KLFaH3M0z/z9gXHSndPTk= github.com/aws/aws-sdk-go-v2/service/sqs v1.24.5/go.mod h1:RZBu4jmYz3Nikzpu/VuVvRnTEJ5a+kf36WT2fcl5Q+Q= github.com/aws/aws-sdk-go-v2/service/sso v1.14.0 h1:AR/hlTsCyk1CwlyKnPFvIMvnONydRjDDRT9OGb0i+/g= 
@@ -111,16 +110,17 @@ github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XL github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2 h1:tdlZCpZ/P9DhczCTSixgIKmwPv6+wP5DGjqLYw5SUiA= github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= github.com/dvyukov/go-fuzz v0.0.0-20210103155950-6a8e9d1f2415/go.mod h1:11Gm+ccJnvAhCNLlf5+cS9KjtbaD5I5zaZpFMsTHWTw= -github.com/ebitengine/purego v0.5.0-alpha h1:pNZNC8WofBTN3Nm196An50C5taL/87BhFR/RzKy2o4k= -github.com/ebitengine/purego v0.5.0-alpha/go.mod h1:ah1In8AOtksoNK6yk5z1HTJeUkC1Ez4Wk2idgGslMwQ= +github.com/ebitengine/purego v0.5.0-alpha.1 h1:0gVgWGb8GjKYs7cufvfNSleJAD00m2xWC26FMwOjNrw= +github.com/ebitengine/purego v0.5.0-alpha.1/go.mod h1:ah1In8AOtksoNK6yk5z1HTJeUkC1Ez4Wk2idgGslMwQ= github.com/go-kit/log v0.2.1 h1:MRVx0/zhvdseW+Gza6N9rVzU/IVzaeE1SFI4raAhmBU= github.com/go-kit/log v0.2.1/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0= github.com/go-logfmt/logfmt v0.6.0 
h1:wGYYu3uicYdqXVgoYbvnkrPVXkuLM1p1ifugDMEdRi4= @@ -135,7 +135,7 @@ github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20230509042627-b1315fad0c5a h1:PEOGDI1kkyW37YqPWHLHc+D20D9+87Wt12TCcfTUo5Q= +github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b h1:h9U78+dx9a4BKdQkBBos92HalKpaGKHrp+3Uo6yTodo= github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 h1:+9834+KizmvFV7pXQGSXQTsaWhq2GjuNUt0aUU0YBYw= @@ -152,8 +152,8 @@ github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGw github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= github.com/johannesboyne/gofakes3 v0.0.0-20230506070712-04da935ef877 h1:O7syWuYGzre3s73s+NkgB8e0ZvsIVhT/zxNU7V1gHK8= github.com/johannesboyne/gofakes3 v0.0.0-20230506070712-04da935ef877/go.mod h1:AxgWC4DDX54O2WDoQO1Ceabtn6IbktjU/7bigor+66g= -github.com/klauspost/compress v1.16.5 h1:IFV2oUNUzZaz+XyusxpLzpzS8Pt5rh0Z16For/djlyI= -github.com/klauspost/compress v1.16.5/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= +github.com/klauspost/compress v1.16.7 h1:2mk3MPGNzKyxErAw8YaohYh69+pa4sIQSC0fPGCFR9I= +github.com/klauspost/compress v1.16.7/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/krolaw/zipstream v0.0.0-20180621105154-0a2661891f94 h1:+AIlO01SKT9sfWU5CLWi0cfHc7dQwgGz3FhFRzXLoMg= 
@@ -163,15 +163,17 @@ github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwd github.com/oklog/ulid/v2 v2.1.0 h1:+9lhoxAP56we25tyYETBBY1YLA2SaoLvUFgrP2miPJU= github.com/oklog/ulid/v2 v2.1.0/go.mod h1:rcEKHmBBKfef9DhnvX7y1HZBYxjXb0cP5ExxNsTT1QQ= github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs= -github.com/outcaste-io/ristretto v0.2.1 h1:KCItuNIGJZcursqHr3ghO7fc5ddZLEHspL9UR0cQM64= github.com/outcaste-io/ristretto v0.2.1/go.mod h1:W8HywhmtlopSB1jeMg3JtdIhf+DYkLAr0VN/s4+MHac= +github.com/outcaste-io/ristretto v0.2.3 h1:AK4zt/fJ76kjlYObOeNwh4T3asEuaCmp26pOvUOL9w0= +github.com/outcaste-io/ristretto v0.2.3/go.mod h1:W8HywhmtlopSB1jeMg3JtdIhf+DYkLAr0VN/s4+MHac= github.com/pborman/getopt v0.0.0-20170112200414-7148bc3a4c30/go.mod h1:85jBQOZwpVEaDAr341tbn15RS4fCAsIst0qp7i8ex1o= github.com/philhofer/fwd v1.1.2 h1:bnDivRJ1EWPjUIRXV5KfORO897HTbpFAQddBdE8t7Gw= github.com/philhofer/fwd v1.1.2/go.mod h1:qkPdfjR2SIEbspLqpe1tO4n5yICnr2DY7mqEx2tUTP0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/posener/complete v1.2.3 h1:NP0eAhjcjImqslEwo/1hq7gpajME0fTLTezBKDqfXqo= github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s= github.com/richardartoul/molecule v1.0.1-0.20221107223329-32cfee06a052 h1:Qp27Idfgi6ACvFQat5+VJvlYToylpM/hcyLBI3WaKPA= 
@@ -192,12 +194,12 @@ github.com/shabbyrobe/gocovmerge v0.0.0-20230507112040-c3350d9342df/go.mod h1:dc github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/sony/gobreaker v0.5.0 h1:dRCvqm0P490vZPmy7ppEk2qCnCieBooFJ+YoXGYB+yg= github.com/sony/gobreaker v0.5.0/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY= -github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72 h1:qLC7fQah7D6K1B0ujays3HV9gkFtllcxhzImRR7ArPQ= +github.com/spaolacci/murmur3 v1.1.0 h1:7c1g84S4BPRrfL5Xrdp6fOJ206sU9y293DDHaoy0bLI= github.com/spf13/afero v1.2.1/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= -github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/objx v0.5.1 h1:4VhoImhV/Bm0ToFkXFi8hXNXwpDRZ/ynw3amt82mzq0= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= 
@@ -213,8 +215,8 @@ github.com/tinylib/msgp v1.1.8 h1:FCXC1xanKO4I8plpHGH2P7koL/RzZs12l/+r7vakfm0= github.com/tinylib/msgp v1.1.8/go.mod h1:qkpG+2ldGg4xRFmx+jfTvZPxfGFhi64BcnL9vkCm/Tw= github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw= github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= -github.com/valyala/fasthttp v1.47.0 h1:y7moDoxYzMooFpT5aHgNgVOQDrS3qlkfiP9mDtGGK9c= -github.com/valyala/fasthttp v1.47.0/go.mod h1:k2zXd82h/7UZc3VOdJ2WaUqt1uZ/XpXAfE9i+HBC3lA= +github.com/valyala/fasthttp v1.48.0 h1:oJWvHb9BIZToTQS3MuQ2R3bJZiNSa2KiNdeI8A+79Tc= +github.com/valyala/fasthttp v1.48.0/go.mod h1:k2zXd82h/7UZc3VOdJ2WaUqt1uZ/XpXAfE9i+HBC3lA= github.com/willabides/kongplete v0.3.0 h1:8dJZ0r2a2YnSdYCQk9TjQDKzLrj1zUvIOPIG3bOV75c= github.com/willabides/kongplete v0.3.0/go.mod h1:VPdrG6LY+tP0LMkSBuTgIQ8c6+P8wvIDHVJzDdDh9Fw= github.com/xuri/efp v0.0.0-20220603152613-6918739fd470 h1:6932x8ltq1w4utjmfMPVj09jdMlkY0aiA6+Skbtl3/c= 
@@ -232,20 +234,18 @@ go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= go4.org/intern v0.0.0-20211027215823-ae77deb06f29/go.mod h1:cS2ma+47FKrLPdXFpr7CuxiTW3eyJbWew4qx0qtQWDA= -go4.org/intern v0.0.0-20230205224052-192e9f60865c h1:b8WZ7Ja8nKegYxfwDLLwT00ZKv4lXAQrw8LYPK+cHSI= -go4.org/intern v0.0.0-20230205224052-192e9f60865c/go.mod h1:RJ0SVrOMpxLhgb5noIV+09zI1RsRlMsbUcSxpWHqbrE= +go4.org/intern v0.0.0-20230525184215-6c62f75575cb h1:ae7kzL5Cfdmcecbh22ll7lYP3iuUdnfnhiPcSaDgH/8= +go4.org/intern v0.0.0-20230525184215-6c62f75575cb/go.mod h1:Ycrt6raEcnF5FTsLiLKkhBTO6DPX3RCUCUVnks3gFJU= go4.org/unsafe/assume-no-moving-gc v0.0.0-20211027215541-db492cf91b37/go.mod h1:FftLjUGFEDu5k8lt0ddY+HcrH/qU/0qk+H8j9/nTl3E= -go4.org/unsafe/assume-no-moving-gc v0.0.0-20220617031537-928513b29760/go.mod h1:FftLjUGFEDu5k8lt0ddY+HcrH/qU/0qk+H8j9/nTl3E= -go4.org/unsafe/assume-no-moving-gc v0.0.0-20230204201903-c31fa085b70e/go.mod h1:FftLjUGFEDu5k8lt0ddY+HcrH/qU/0qk+H8j9/nTl3E= -go4.org/unsafe/assume-no-moving-gc v0.0.0-20230426161633-7e06285ff160 h1:LrTREdITdNDW/JRlUuG3fhXvCK3ZcKXTCf1BbxE8sT4= -go4.org/unsafe/assume-no-moving-gc v0.0.0-20230426161633-7e06285ff160/go.mod h1:FftLjUGFEDu5k8lt0ddY+HcrH/qU/0qk+H8j9/nTl3E= +go4.org/unsafe/assume-no-moving-gc v0.0.0-20230525183740-e7c30c78aeb2 h1:WJhcL4p+YeDxmZWg141nRm7XC8IDmhz7lk5GpadO1Sg= +go4.org/unsafe/assume-no-moving-gc v0.0.0-20230525183740-e7c30c78aeb2/go.mod h1:FftLjUGFEDu5k8lt0ddY+HcrH/qU/0qk+H8j9/nTl3E= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto 
v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE= -golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA= -golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio= +golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk= +golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw= golang.org/x/image v0.5.0 h1:5JMiNunQeQw++mMOz48/ISeNu3Iweh/JaZU8ZLqHRrI= golang.org/x/image v0.5.0/go.mod h1:FVC7BI/5Ym8R25iw5OLsgshdUBbT1h5jZTpA+mvAdZ4= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= @@ -253,8 +253,9 @@ golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk= golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc= +golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= 
@@ -265,14 +266,14 @@ golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= -golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M= -golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14= +golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI= +golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -291,8 +292,8 @@ golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= -golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM= +golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= @@ -306,8 +307,8 @@ golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= -golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4= -golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc= +golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -319,25 +320,25 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4= -golang.org/x/tools v0.9.2 h1:UXbndbirwCAx6TULftIfie/ygDNCwxEie+IiNP1IcNc= -golang.org/x/tools v0.9.2/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= +golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 h1:Vve/L0v7CXXuxUmaMGIEK/dEeq7uiqb5qBgQrZzIE7E= +golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= -google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 h1:KpwkzHKEF7B9Zxg18WzOa7djJ+Ha5DzthMyZYQfEn2A= -google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU= -google.golang.org/grpc v1.55.0 h1:3Oj82/tFSCeUrRTg/5E/7d/W5A1tj6Ky1ABAuZuv5ag= -google.golang.org/grpc v1.55.0/go.mod h1:iYEXKGkEBhg1PjZQvoYEVPTDkHo1/bjTnfwTeGONTY8= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc h1:XSJ8Vk1SWuNr8S18z1NZSziL0CPIXLCCMDOEFtHBOFc= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc/go.mod 
h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA= +google.golang.org/grpc v1.57.0 h1:kfzNeI/klCGD2YPMUlaGNT3pxvYfga7smW3Vth8Zsiw= +google.golang.org/grpc v1.57.0/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng= google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= -gopkg.in/DataDog/dd-trace-go.v1 v1.54.0 h1:LAFmtVYLnqhsFAsKv3799SYalXD9Hl3K0/pR+3eV/Qc= -gopkg.in/DataDog/dd-trace-go.v1 v1.54.0/go.mod h1:1JqaWiPl1+vHNYuVNmHOG4HDyHbF84z98BW/hwq8FeU= +gopkg.in/DataDog/dd-trace-go.v1 v1.55.0 h1:ozWhUpvrDBtZKcRB5flT0waAfnqWz1f5gOf/Y+QIurg= +gopkg.in/DataDog/dd-trace-go.v1 v1.55.0/go.mod h1:1KvDrWW49v4TPaOAIjZEYdx4ZBrm9sXm5z1s+JIZiWs= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/mgo.v2 v2.0.0-20180705113604-9856a29383ce/go.mod h1:yeKp02qBN3iKW1OzL3MGk2IdtZzaj7SFntXj72NppTA= 
@@ -347,5 +348,5 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -inet.af/netaddr v0.0.0-20220811202034-502d2d690317 h1:U2fwK6P2EqmopP/hFLTOAjWTki0qgd4GMJn5X8wOleU= -inet.af/netaddr v0.0.0-20220811202034-502d2d690317/go.mod h1:OIezDfdzOgFhuw4HuWapWq2e9l0H9tK4F1j+ETRtF3k= +inet.af/netaddr v0.0.0-20230525184311-b8eac61e914a h1:1XCVEdxrvL6c0TGOhecLuB7U9zYNdxZEjvOqJreKZiM= +inet.af/netaddr v0.0.0-20230525184311-b8eac61e914a/go.mod h1:e83i32mAQOW1LAqEIweALsuK2Uw4mhQadA5r7b0Wobo= From 924378f9dfa8a258b675379c5cb06f8323a70c0a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 19 Sep 2023 03:01:35 +0000 Subject: [PATCH 14/17] Build(deps): Bump github.com/aws/aws-sdk-go-v2/service/eventbridge (#353) Bumps [github.com/aws/aws-sdk-go-v2/service/eventbridge](https://github.com/aws/aws-sdk-go-v2) from 1.20.5 to 1.22.0. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/service/s3/v1.22.0/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/efs/v1.20.5...service/s3/v1.22.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/eventbridge dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index d52cee15..5306308f 100644 --- a/go.mod +++ b/go.mod 
@@ -15,7 +15,7 @@ require ( github.com/aws/aws-sdk-go-v2/feature/dynamodb/expression v1.4.66 github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.84 github.com/aws/aws-sdk-go-v2/service/dynamodb v1.21.5 - github.com/aws/aws-sdk-go-v2/service/eventbridge v1.20.5 + github.com/aws/aws-sdk-go-v2/service/eventbridge v1.22.0 github.com/aws/aws-sdk-go-v2/service/s3 v1.38.5 github.com/aws/aws-sdk-go-v2/service/sqs v1.24.5 github.com/aws/smithy-go v1.14.2 diff --git a/go.sum b/go.sum index 93685988..a2746b1b 100644 --- a/go.sum +++ b/go.sum @@ -69,8 +69,8 @@ github.com/aws/aws-sdk-go-v2/service/dynamodb v1.21.5/go.mod h1:X3ThW5RPV19hi7bn github.com/aws/aws-sdk-go-v2/service/dynamodbstreams v1.15.5 h1:xoalM/e1YsT6jkLKl6KA9HUiJANwn2ypJsM9lhW2WP0= github.com/aws/aws-sdk-go-v2/service/dynamodbstreams v1.15.5/go.mod h1:7QtKdGj66zM4g5hPgxHRQgFGLGal4EgwggTw5OZH56c= github.com/aws/aws-sdk-go-v2/service/ec2 v1.93.2 h1:c6a19AjfhEXKlEX63cnlWtSQ4nzENihHZOG0I3wH6BE= -github.com/aws/aws-sdk-go-v2/service/eventbridge v1.20.5 h1:lQZiJvcixKORX1mBb3Fsa0iWuFTrYnQjDezegmUWnxA= -github.com/aws/aws-sdk-go-v2/service/eventbridge v1.20.5/go.mod h1:NgudPBMWkilaPx7oOPoZ4DXjGn0oa0MuClQRdUthUwg= +github.com/aws/aws-sdk-go-v2/service/eventbridge v1.22.0 h1:7jKqbCPZ14W7B5qgZBV3KKWW1X0rriF0gEO64QaY02k= +github.com/aws/aws-sdk-go-v2/service/eventbridge v1.22.0/go.mod h1:NgudPBMWkilaPx7oOPoZ4DXjGn0oa0MuClQRdUthUwg= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.14 h1:m0QTSI6pZYJTk5WSKx3fm5cNW/DCicVzULBgU/6IyD0= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.14/go.mod h1:dDilntgHy9WnHXsh7dDtUPgHKEfTJIBUTHM8OWm0f/0= github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.36 h1:eev2yZX7esGRjqRbnVk1UxMLw4CyVZDpZXRCcy75oQk= From 8b486d83b144813d986afe9d70a8c7f071533ce2 Mon Sep 17 00:00:00 2001 
From: Tyler Hendrickson Date: Mon, 18 Sep 2023 22:06:38 -0500 Subject: [PATCH 15/17] Parallelize QA jobs (#347) * Parallelize more jobs in "QA Checks" workflow * Configure Dependabot for github-actions updates * Tweak: Remove unnecessary quotes in yaml * Allow "Deploy Production" workflow to update releases --- .github/dependabot.yml | 10 +- .github/workflows/build.yml | 2 +- .github/workflows/deploy-production.yml | 2 + .github/workflows/qa.yml | 140 ++++++++++++++++++++++-- .github/workflows/terraform-plan.yml | 2 - 5 files changed, 142 insertions(+), 14 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index e6703295..3a319f6e 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -7,7 +7,11 @@ updates: directory: / schedule: interval: daily - - package-ecosystem: "terraform" - directory: "/terraform" + - package-ecosystem: terraform + directory: /terraform schedule: - interval: "daily" + interval: daily + - package-ecosystem: github-actions + directory: / + schedule: + interval: daily diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fcee0799..e858ecf7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -280,7 +280,7 @@ jobs: run: | REPORT_FILE=$(mktemp -t summary.md.XXXXX) cat >> $REPORT_FILE << 'ENDOFREPORT' - ## Build Lambdas Summary + ## Build CLI Summary
Compiled Checksums (before packing) diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml index aabda62b..cd0c1200 100644 --- a/.github/workflows/deploy-production.yml +++ b/.github/workflows/deploy-production.yml @@ -109,6 +109,8 @@ jobs: update_release: name: Update release runs-on: ubuntu-latest + permissions: + contents: write needs: - tf-apply env: diff --git a/.github/workflows/qa.yml b/.github/workflows/qa.yml index 3b606694..2881de5c 100644 --- a/.github/workflows/qa.yml +++ b/.github/workflows/qa.yml @@ -11,8 +11,8 @@ permissions: contents: read jobs: - qa_go: - name: QA for Go + prepare-go-qa: + name: Prepare for Go QA runs-on: ubuntu-latest steps: - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 @@ -20,13 +20,11 @@ jobs: disable-sudo: true egress-policy: block allowed-endpoints: > - actions-results-receiver-production.githubapp.com:443 api.github.com:443 github.com:443 objects.githubusercontent.com:443 proxy.golang.org:443 sum.golang.org:443 - storage.googleapis.com:443 - uses: actions/checkout@v4 with: ref: ${{ inputs.ref }} 
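Review bot: The new job-level `permissions: contents: write` on `update_release` is the right place to raise scope (rather than widening a workflow-wide default), but `contents: write` lets the job's `GITHUB_TOKEN` push to branches and tags as well as edit releases, so every step and third-party action in that job now runs with a token that can alter repository contents; the job's steps are outside the hunk, so check there that only the release-editing step needs it and that any action it uses is pinned to a commit SHA. A short comment above the key, `# contents: write is needed only to edit the GitHub release for this deploy`, would record why the scope was raised and keep a later maintainer from widening it further. Whether the workflow sets a restrictive top-level `permissions:` block is not visible in this hunk.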
@@ -53,15 +51,141 @@ jobs: run: task prebuild-lambda - name: Check Formatting run: test -z "$(go fmt ./...)" || echo "Formatting check failed." - - name: Test + + go-test: + name: Run Go Tests + runs-on: ubuntu-latest + needs: + - prepare-go-qa + steps: + - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + proxy.golang.org:443 + sum.golang.org:443 + - uses: actions/checkout@v4 + with: + ref: ${{ inputs.ref }} + show-progress: 'false' + persist-credentials: 'false' + - name: Restore Taskfile cache + uses: actions/cache/restore@v3 + with: + key: ${{ runner.os }}-qa-taskfile + path: | + ./.task + ./bin + ./cover.out + ./cover.html + - uses: actions/setup-go@v4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + go-version-file: go.mod + - uses: arduino/setup-task@v1 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + version: 3.x + - name: Run tests run: task test - - name: Vet + + go-vet: + name: Vet Go Code + runs-on: ubuntu-latest + needs: + - prepare-go-qa + steps: + - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + github.com:443 + proxy.golang.org:443 + sum.golang.org:443 + - uses: actions/checkout@v4 + with: + ref: ${{ inputs.ref }} + show-progress: 'false' + persist-credentials: 'false' + - uses: actions/setup-go@v4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + go-version-file: go.mod + - name: Vet source code run: go vet ./... 
- - name: Lint + + go-lint: + name: Lint Go Code + runs-on: ubuntu-latest + needs: + - prepare-go-qa + steps: + - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + github.com:443 + proxy.golang.org:443 + sum.golang.org:443 + - uses: actions/checkout@v4 + with: + ref: ${{ inputs.ref }} + show-progress: 'false' + persist-credentials: 'false' + - uses: actions/setup-go@v4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + go-version-file: go.mod + - name: Lint with Staticcheck uses: dominikh/staticcheck-action@v1.3.0 with: install-go: false - - name: Ensure all go binaries compile + + go-build: + name: Ensure Go Builds + runs-on: ubuntu-latest + needs: + - prepare-go-qa + steps: + - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + proxy.golang.org:443 + sum.golang.org:443 + - uses: actions/checkout@v4 + with: + ref: ${{ inputs.ref }} + show-progress: 'false' + persist-credentials: 'false' + - name: Restore Taskfile cache + uses: actions/cache/restore@v3 + with: + key: ${{ runner.os }}-qa-taskfile + path: | + ./.task + ./bin + ./cover.out + ./cover.html + - uses: actions/setup-go@v4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + go-version-file: go.mod + - uses: arduino/setup-task@v1 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + version: 3.x + - name: Ensure all binaries can compile run: task build build-cli tflint: diff --git a/.github/workflows/terraform-plan.yml b/.github/workflows/terraform-plan.yml index 48f5b655..e36cdc0f 100644 --- a/.github/workflows/terraform-plan.yml +++ b/.github/workflows/terraform-plan.yml 
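Review bot: The four new jobs pull `actions/checkout@v4`, `actions/cache/restore@v3`, `actions/setup-go@v4`, `arduino/setup-task@v1` and `dominikh/staticcheck-action@v1.3.0` by mutable tag, while `step-security/harden-runner` in the same step lists is pinned to a full commit SHA with a version comment; pin each of them the same way (`uses: actions/checkout@<full-commit-sha> # v4`) so a moved or re-tagged release cannot change what runs with the `GITHUB_TOKEN` these steps are handed. The `Restore Taskfile cache` steps in `go-test` and `go-build` use the static key `${{ runner.os }}-qa-taskfile` and restore `./.task` and `./bin`; because the key carries no hash of `go.sum` or the Taskfile, if Task's checksum-based up-to-date status is in use, `task build build-cli` could be skipped against binaries produced from a different commit, so consider keying on `hashFiles('go.sum')` or dropping `./bin` from the restore list. The harden-runner allowlists also differ between jobs that run the same `setup-go` step (`go-vet` and `go-lint` omit `api.github.com:443` and `objects.githubusercontent.com:443`), which is presumably deliberate but deserves a one-line comment so the next egress denial is not fixed by simply widening the list. The `prepare-go-qa` job these depend on and the `tflint` job both start outside this hunk.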
@@ -94,7 +94,6 @@ jobs: TF_CLI_ARGS: "-no-color" TF_IN_AUTOMATION: "true" TF_INPUT: 0 - TF_PLUGIN_CACHE_DIR: ~/.terraform.d/plugin-cache concurrency: group: ${{ inputs.concurrency-group }} cancel-in-progress: false @@ -205,7 +204,6 @@ jobs: name: ${{ env.ARTIFACTS_KEY }} path: | ${{ github.workspace }}/terraform - !${{ env.TF_PLUGIN_CACHE_DIR }} !${{ github.workspace }}/terraform/.terraform if-no-files-found: error retention-days: ${{ inputs.artifacts-retention-days }} From 159ce6f2b0cb0a7f0ab3d28c0ef55e2482a095c0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 19 Sep 2023 03:19:21 +0000 Subject: [PATCH 16/17] Build(deps): Bump aws-actions/configure-aws-credentials (#357) Bumps [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) from 3.0.1 to 4.0.0. - [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases) - [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws-actions/configure-aws-credentials/compare/04b98b3f9e85f563fb061be8751a0352327246b0...8c3f20df09ac63af7b3ae3d7c91f105f857d8497) --- updated-dependencies: - dependency-name: aws-actions/configure-aws-credentials dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/aws-auth.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/aws-auth.yml b/.github/workflows/aws-auth.yml index d86468f0..11421083 100644 --- a/.github/workflows/aws-auth.yml +++ b/.github/workflows/aws-auth.yml 
@@ -40,7 +40,7 @@ jobs: disable-sudo: true egress-policy: audit - id: auth - uses: aws-actions/configure-aws-credentials@04b98b3f9e85f563fb061be8751a0352327246b0 # v3.0.1 + uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 # v4.0.0 with: aws-region: us-west-2 role-to-assume: "${{ secrets.role-to-assume }}" From 29b1f6c2886992aef979049b9b302a7471f6cb89 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 19 Sep 2023 03:30:15 +0000 Subject: [PATCH 17/17] Build(deps): Bump github.com/DataDog/datadog-lambda-go (#354) Bumps [github.com/DataDog/datadog-lambda-go](https://github.com/DataDog/datadog-lambda-go) from 1.9.0 to 1.11.0. - [Release notes](https://github.com/DataDog/datadog-lambda-go/releases) - [Commits](https://github.com/DataDog/datadog-lambda-go/compare/v1.9.0...v1.11.0) --- updated-dependencies: - dependency-name: github.com/DataDog/datadog-lambda-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 5306308f..3dcfabff 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/usdigitalresponse/grants-ingest go 1.20 require ( - github.com/DataDog/datadog-lambda-go v1.9.0 + github.com/DataDog/datadog-lambda-go v1.11.0 github.com/Netflix/go-env v0.0.0-20220526054621-78278af1949d github.com/alecthomas/kong v0.8.0 github.com/aws/aws-lambda-go v1.41.0 diff --git a/go.sum b/go.sum index a2746b1b..a9d0a976 100644 --- a/go.sum +++ b/go.sum 
@@ -8,8 +8,8 @@ github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.0-devel.0.20230725 github.com/DataDog/datadog-go/v5 v5.1.1/go.mod h1:KhiYb2Badlv9/rofz+OznKoEF5XKTonWyhx5K83AP8E= github.com/DataDog/datadog-go/v5 v5.3.0 h1:2q2qjFOb3RwAZNU+ez27ZVDwErJv5/VpbBPprz7Z+s8= github.com/DataDog/datadog-go/v5 v5.3.0/go.mod h1:XRDJk1pTc00gm+ZDiBKsjh7oOOtJfYfglVCmFb8C2+Q= -github.com/DataDog/datadog-lambda-go v1.9.0 h1:XtvshiRTzDNVQQAkNuMqUDMyCcfJJ0eLSLCOOKB52jQ= -github.com/DataDog/datadog-lambda-go v1.9.0/go.mod h1:TlnzDhuHlkedDvDYEc9Yo+15iAbYakYaIIeySC+Yguw= +github.com/DataDog/datadog-lambda-go v1.11.0 h1:7Y/Pcz6tCoIyq8pFLKgU0cTjVDJ2AXJRcwkplUwAYPc= +github.com/DataDog/datadog-lambda-go v1.11.0/go.mod h1:yDYV1eC/P3tzLlumIMf+yzrvIjkuyRfm0KhV1GWLfAs= github.com/DataDog/go-libddwaf v1.5.0 h1:lrHP3VrEriy1M5uQuaOcKphf5GU40mBhihMAp6Ik55c= github.com/DataDog/go-libddwaf v1.5.0/go.mod h1:Fpnmoc2k53h6desQrH1P0/gR52CUzkLNFugE5zWwUBQ= github.com/DataDog/go-tuf v1.0.2-0.5.2 h1:EeZr937eKAWPxJ26IykAdWA4A0jQXJgkhUjqEI/w7+I=