From 9557704e52df72082a4b9c0ea8d9b9aeae801dae Mon Sep 17 00:00:00 2001 From: Daniel Hill Date: Thu, 4 Mar 2021 12:12:49 +0000 Subject: [PATCH] add pipeline to run `terraform fmt` and `kitchen` tests on PRs (#17) add pipeline to run `terraform fmt` and `kitchen` tests on PRs these won't run against draft PRs run a single test scenario for now use new DWP kitchen terraform GHA Signed-off-by: Daniel Hill --- .github/workflows/pr.yml | 52 +++++++++++++++++++++++ Gemfile | 4 ++ examples/hybrid_external_database/iam.tf | 8 ++-- examples/hybrid_external_database/main.tf | 5 ++- examples/hybrid_external_database/ssm.tf | 18 ++++---- 5 files changed, 72 insertions(+), 15 deletions(-) create mode 100644 .github/workflows/pr.yml create mode 100644 Gemfile
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
new file mode 100644
index 0000000..55e9717
--- /dev/null
+++ b/.github/workflows/pr.yml
@@ -0,0 +1,52 @@
+name: PR
+
+on:
+ pull_request:
+ paths-ignore:
+ - '**/*.md'
+env:
+ TERRAFORM_VERSION: 0.14.7
+
+jobs:
+ format:
+ name: Terraform-Format
+ runs-on: ubuntu-latest
+ if: github.event.pull_request.draft == false
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ - uses: hashicorp/setup-terraform@v1
+ with:
+ terraform_version: ${{ env.TERRAFORM_VERSION }}
+ - name: Terraform Format
+ id: fmt
+ run: terraform fmt -recursive
+ continue-on-error: true
+
+ test:
+ name: Kitchen-Terraform
+ runs-on: ubuntu-latest
+ if: github.event.pull_request.draft == false
+ env:
+ GEMFILE_DIR: .
+ AWS_ACCESS_KEY_ID: ${{ secrets.ACTIONS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.ACTIONS_SECRET_ACCESS_KEY }}
+ TF_VAR_region: eu-west-1
+ TF_VAR_vpc_cidr_block: "10.0.0.0/16"
+ TF_VAR_kong_database_password: ${{ secrets.KONG_DATABASE_PASSWORD }}
+
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@v2
+ - name: Kitchen Test hybrid-external-database
+ uses: dwp/github-action-kitchen-terraform@0.14.7
+ with:
+ kitchen-command: test hybrid-external-database --destroy=always
+ aws-account-number: ${{ secrets.AWS_ACCOUNT }}
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.ACTIONS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.ACTIONS_SECRET_ACCESS_KEY }}
+ TF_VAR_region: eu-west-1
+ TF_VAR_environment: GHA-${{ env.GITHUB_RUN_NUMBER }}
+ TF_VAR_vpc_cidr_block: "10.0.0.0/16"
+ TF_VAR_kong_database_password: ${{ secrets.KONG_DATABASE_PASSWORD }}
diff --git a/Gemfile b/Gemfile
new file mode 100644
index 0000000..47d3d8f
--- /dev/null
+++ b/Gemfile
@@ -0,0 +1,4 @@
+ruby '2.7.2'
+source 'https://rubygems.org/' do
+ gem 'kitchen-terraform', '~> 5.6'
+end
diff --git a/examples/hybrid_external_database/iam.tf b/examples/hybrid_external_database/iam.tf
index 038add7..4c0cf44 100644
--- a/examples/hybrid_external_database/iam.tf
+++ b/examples/hybrid_external_database/iam.tf
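Review bot: In the kitchen step of `.github/workflows/pr.yml`, `TF_VAR_environment: GHA-${{ env.GITHUB_RUN_NUMBER }}` reads the `env` context, which carries only variables declared in the workflow, so the value probably renders as `GHA-` on every run; `TF_VAR_environment: GHA-${{ github.run_number }}` would give each run its own prefix and keep concurrent PR runs from colliding on the resource names derived from it. The same job passes static AWS access keys to `dwp/github-action-kitchen-terraform@0.14.7`, which is referenced by a movable tag, as are `actions/checkout@v2` and `hashicorp/setup-terraform@v1`; pinning each `uses:` to a full commit SHA keeps a re-pointed tag from running with those credentials. In the format job, `terraform fmt -recursive` combined with `continue-on-error: true` can never fail the check; `run: terraform fmt -check -recursive` without `continue-on-error` would enforce formatting.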
@@ -6,7 +6,7 @@ data "aws_iam_policy_document" "kong-ssm" { statement { actions = ["ssm:GetParameter"] - resources = ["arn:aws:ssm:*:*:parameter/${var.service}/${var.environment}/*"] + resources = ["arn:aws:ssm:*:*:parameter/${var.service}/${local.environment}/*"] } statement { @@ -16,7 +16,7 @@ data "aws_iam_policy_document" "kong-ssm" { } resource "aws_iam_role_policy" "kong-ssm" { - name = format("%s-%s-ssm", var.service, var.environment) + name = format("%s-%s-ssm", var.service, local.environment) role = aws_iam_role.kong.id policy = data.aws_iam_policy_document.kong-ssm.json @@ -34,11 +34,11 @@ data "aws_iam_policy_document" "kong" { } resource "aws_iam_role" "kong" { - name = format("%s-%s", var.service, var.environment) + name = format("%s-%s", var.service, local.environment) assume_role_policy = data.aws_iam_policy_document.kong.json } resource "aws_iam_instance_profile" "kong" { - name = format("%s-%s", var.service, var.environment) + name = format("%s-%s", var.service, local.environment) role = aws_iam_role.kong.id } diff --git a/examples/hybrid_external_database/main.tf b/examples/hybrid_external_database/main.tf index effa797..685e03a 100644 --- a/examples/hybrid_external_database/main.tf +++ b/examples/hybrid_external_database/main.tf @@ -132,6 +132,7 @@ resource "aws_instance" "external_postgres" { } locals { + environment = "${var.environment}-${terraform.workspace}" kong_control_plane_config = { "KONG_ROLE" = "control_plane" @@ -191,7 +192,7 @@ module "create_kong_cp" { kong_config = local.kong_control_plane_config kong_hybrid_conf = local.kong_hybrid_conf - environment = var.environment + environment = local.environment service = var.service description = var.description tags = var.tags 
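Review bot: The rewritten `resources` line in `data "aws_iam_policy_document" "kong-ssm"` (iam.tf, first hunk) still leaves the region and account fields of the ARN as `*`, so `ssm:GetParameter` is granted on the `/${var.service}/${local.environment}/` path in any region and account rather than only where this example creates its parameters. If the example has, or adds, `aws_region` and `aws_caller_identity` data sources, the ARN could be scoped as `"arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${var.service}/${local.environment}/*"`; the data source names there are placeholders. The policy document starts above this hunk and continues below it.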
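Review bot: The new `environment` local in main.tf's `locals` block has no comment saying why the workspace is appended, and it changes every name built from it: in the `default` workspace the IAM role, KMS alias and SSM paths of this example all gain a `-default` suffix. A comment such as `# Suffix with the workspace so each workspace gets its own resource names` would record the intent, assuming that is the purpose. IAM role names are capped at 64 characters and the role is named with `format("%s-%s", var.service, local.environment)`, so long workspace names may need a length check. The `locals` block continues past the hunk.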
@@ -223,7 +224,7 @@ module "create_kong_dp" { private_subnets = module.create_kong_cp.private_subnet_ids availability_zones = module.create_kong_cp.private_subnet_azs - environment = var.environment + environment = local.environment service = var.service description = var.description tags = var.tags diff --git a/examples/hybrid_external_database/ssm.tf b/examples/hybrid_external_database/ssm.tf index 95bbf94..171e6d1 100644 --- a/examples/hybrid_external_database/ssm.tf +++ b/examples/hybrid_external_database/ssm.tf @@ -1,10 +1,10 @@ resource "aws_kms_key" "kong" { - description = format("%s-%s", var.service, var.environment) + description = format("%s-%s", var.service, local.environment) tags = merge( { - "Name" = format("%s-%s", var.service, var.environment), - "Environment" = var.environment, + "Name" = format("%s-%s", var.service, local.environment), + "Environment" = local.environment, "Description" = var.description, "Service" = var.service, }, @@ -13,12 +13,12 @@ resource "aws_kms_key" "kong" { } resource "aws_kms_alias" "kong" { - name = format("alias/%s-%s", var.service, var.environment) + name = format("alias/%s-%s", var.service, local.environment) target_key_id = aws_kms_key.kong.key_id } resource "aws_ssm_parameter" "ee-bintray-auth" { - name = format("/%s/%s/ee/bintray-auth", var.service, var.environment) + name = format("/%s/%s/ee/bintray-auth", var.service, local.environment) type = "SecureString" value = var.ee_bintray_auth @@ -30,7 +30,7 @@ resource "aws_ssm_parameter" "ee-bintray-auth" { } resource "aws_ssm_parameter" "ee-license" { - name = format("/%s/%s/ee/license", var.service, var.environment) + name = format("/%s/%s/ee/license", var.service, local.environment) type = "SecureString" value = var.ee_license 
@@ -47,7 +47,7 @@ resource "random_string" "admin_token" { } resource "aws_ssm_parameter" "ee-admin-token" { - name = format("/%s/%s/ee/admin/token", var.service, var.environment) + name = format("/%s/%s/ee/admin/token", var.service, local.environment) type = "SecureString" value = random_string.admin_token.result @@ -59,7 +59,7 @@ resource "aws_ssm_parameter" "ee-admin-token" { } resource "aws_ssm_parameter" "db-password" { - name = format("/%s/%s/db/password", var.service, var.environment) + name = format("/%s/%s/db/password", var.service, local.environment) type = "SecureString" value = var.kong_database_password @@ -78,7 +78,7 @@ resource "random_string" "master_password" { } resource "aws_ssm_parameter" "db-master-password" { - name = format("/%s/%s/db/password/master", var.service, var.environment) + name = format("/%s/%s/db/password/master", var.service, local.environment) type = "SecureString" value = random_string.master_password.result
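Review bot: The `ee-admin-token` and `db-master-password` parameters in the ssm.tf hunks at lines 47 and 78 take their values from `random_string.admin_token.result` and `random_string.master_password.result`, and `random_string` does not mark its result as sensitive, so these secrets can appear in plan and apply output, including the CI logs of the new PR workflow. `random_password` generates the same kind of value with the result treated as sensitive; switching the two resources (declared above each hunk, outside it) and referencing `random_password.admin_token.result` and `random_password.master_password.result` would keep them out of console output. The values are written to Terraform state either way, so the state backend still needs encryption and access control.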