diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml index 1789989..cdb1383 100644 --- a/.github/workflows/terraform.yml +++ b/.github/workflows/terraform.yml @@ -4,64 +4,140 @@ name: Terraform on: pull_request: +permissions: + contents: write + pull-requests: write + env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} jobs: - terraform-fmt: + fmt-lint-validate: runs-on: ubuntu-latest steps: - - name: Check out code - uses: actions/checkout@master + - name: Checkout code + uses: actions/checkout@v4 + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v2 + + - name: Setup Terraform Linters + uses: terraform-linters/setup-tflint@v4 + with: + github_token: ${{ env.GITHUB_TOKEN }} + - name: Terraform Format - uses: hashicorp/terraform-github-actions@master + id: fmt + run: terraform fmt -check -recursive + + - name: Terraform Init + id: init + run: terraform init + + - name: Terraform Validate + id: validate + run: terraform validate -no-color + + - name: Terraform Lint + id: lint + run: tflint --no-color --recursive --format compact + + - uses: actions/github-script@v6 + if: github.event_name == 'pull_request' || always() with: - tf_actions_version: latest - tf_actions_subcommand: fmt - tf_actions_comment: true + github-token: ${{ env.GITHUB_TOKEN }} + script: | + // 1. Retrieve existing bot comments for the PR + const { data: comments } = await github.rest.issues.listComments({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: context.issue.number, + }) + const botComment = comments.find(comment => { + return comment.user.type === 'Bot' && comment.body.includes('Terraform Format and Style') + }) - terraform-validate: + // 2. Prepare format of the comment + const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\` + #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` + #### Terraform Lint 📖\`${{ steps.lint.outcome }}\` + #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\` +
Validation Output + + \`\`\`\n + ${{ steps.validate.outputs.stdout }} + \`\`\` + +
`; + + // 3. If we have a comment, update it, otherwise create a new one + if (botComment) { + github.rest.issues.updateComment({ + owner: context.repo.owner, + repo: context.repo.repo, + comment_id: botComment.id, + body: output + }) + } else { + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: output + }) + } + + tfsec: runs-on: ubuntu-latest steps: - - name: Check out code - uses: actions/checkout@master - - name: Terraform Init - uses: hashicorp/terraform-github-actions@master + - name: Checkout code + uses: actions/checkout@v4 + + - name: Terraform security scan + uses: aquasecurity/tfsec-action@v1.0.3 with: - tf_actions_version: latest - tf_actions_subcommand: init - tf_actions_comment: true - - name: Terraform Validate - uses: hashicorp/terraform-github-actions@master - env: - AWS_DEFAULT_REGION: eu-west-1 + github_token: ${{ env.GITHUB_TOKEN }} + soft_fail: false + + - name: Terraform pr commenter + uses: aquasecurity/tfsec-pr-commenter-action@v1.3.1 with: - tf_actions_version: latest - tf_actions_subcommand: validate - tf_actions_comment: true + github_token: ${{ env.GITHUB_TOKEN }} + tfsec_args: --concise-output --force-all-dirs - terraform-docs: + checkov: runs-on: ubuntu-latest steps: - name: Check out code - uses: actions/checkout@v2 - with: - ref: ${{ github.event.pull_request.head.ref }} - - name: Update module usage docs and push any changes back to PR branch - uses: Dirrk/terraform-docs@v1.0.8 + uses: actions/checkout@v4 + + - name: Run Checkov + uses: bridgecrewio/checkov-action@v12.2577.0 with: - tf_docs_args: '--sort-inputs-by-required' - tf_docs_git_commit_message: 'terraform-docs: Update module usage' - tf_docs_git_push: 'true' - tf_docs_output_file: README.md - tf_docs_output_method: inject - tf_docs_find_dir: . 
+ container_user: 1000 + directory: "/" + download_external_modules: false + framework: terraform + output_format: sarif + quiet: true + skip_check: "CKV_TF_1,CKV_AWS_108,CKV_AWS_109,CKV_AWS_111,CKV_AWS_356" + soft_fail: false - tfsec: - name: tfsec + docs: runs-on: ubuntu-latest steps: - - name: Check out code - uses: actions/checkout@v2 - - name: Terraform security scan - uses: triat/terraform-security-scan@v3.0.0 + - name: Checkout code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref }} + + - name: Render terraform docs inside the README.md and push changes back to PR branch + uses: terraform-docs/gh-actions@v1.0.0 + with: + args: --sort-by required + git-commit-message: "docs(readme): update module usage" + git-push: true + output-file: README.md + output-method: inject + working-dir: . + continue-on-error: true # added this to prevent a PR from a remote fork failing the workflow diff --git a/examples/example.tf b/examples/example.tf index 5928892..b5176a2 100644 --- a/examples/example.tf +++ b/examples/example.tf @@ -1,5 +1,5 @@ module "example_glue_job" { - source = "github.com/komminar/terraform-aws-glue-job?ref=v0.1.0" + source = "github.com/komminarlab/terraform-aws-glue-job?ref=v1.0.0" name = "example-glue-job" max_retries = 1 number_of_workers = 2 diff --git a/iam.tf b/iam.tf new file mode 100644 index 0000000..27b8d91 --- /dev/null +++ b/iam.tf 
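Review bot: The workflow-level `permissions:` block grants `contents: write` and `pull-requests: write` to all four jobs, but only the `docs` job pushes to the branch and only the comment steps in `fmt-lint-validate` and `tfsec` need `pull-requests: write`; move the block under each job so `checkov` runs with `permissions: { contents: read }` and `tfsec` gets only `pull-requests: write`. The condition `if: github.event_name == 'pull_request' || always()` on the `actions/github-script@v6` step is always true, because `always()` evaluates to true regardless of the other operand; if the intent is to comment on failures only for pull requests, write `if: always() && github.event_name == 'pull_request'`. The `skip_check` list on the Checkov step has no explanation; a comment above it stating why each skipped check is an accepted exception would let reviewers tell deliberate suppressions from lapsed ones. The action references are pinned to tags rather than commit SHAs, so a moved tag changes what runs with the token; if the repository pins elsewhere, these should match.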
@@ -0,0 +1,29 @@
+data "aws_iam_policy_document" "default" {
+ statement {
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = "Service"
+ identifiers = ["glue.amazonaws.com"]
+ }
+ }
+}
+
+resource "aws_iam_role" "default" {
+ count = var.role_arn == null ? 1 : 0
+ name = "GlueExecutionRole-${var.name}"
+ assume_role_policy = data.aws_iam_policy_document.default.json
+ tags = var.tags
+}
+
+resource "aws_iam_role_policy" "default" {
+ count = var.role_arn == null && var.role_policy != null ? 1 : 0
+ name = "GlueExecutionRole-${var.name}"
+ role = aws_iam_role.default[0].id
+ policy = var.role_policy
+}
+
+resource "aws_iam_role_policy_attachment" "default" {
+ count = var.role_arn == null ? 1 : 0
+ role = aws_iam_role.default[0].id
+ policy_arn = "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole"
+}
diff --git a/main.tf b/main.tf
index a4d2c24..fde4977 100644
--- a/main.tf
+++ b/main.tf
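Review bot: Renaming the role to `name = "GlueExecutionRole-${var.name}"` (the block removed from main.tf used `GlueRole-${var.name}`) forces Terraform to destroy and recreate `aws_iam_role.default`, its inline policy and the managed-policy attachment for every existing user of the module, and the job's `role_arn` changes with it; this is a breaking change for in-place upgrades and should be called out in the commit description. The trust policy in `data.aws_iam_policy_document.default` has no condition on the `sts:AssumeRole` statement, so the role can in principle be assumed by the Glue service on behalf of resources in other accounts (the cross-service confused-deputy case); adding a `condition` on `aws:SourceAccount` using a `data "aws_caller_identity"` lookup is the usual mitigation and would fit here as a follow-up. It is also worth stating in the `role_arn` variable description that supplying a role skips all three IAM resources in this file, since every one of them is gated on `var.role_arn == null`.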
@@ -1,46 +1,15 @@
-data "aws_iam_policy_document" "default" {
- statement {
- actions = [
- "sts:AssumeRole"
- ]
- principals {
- type = "Service"
- identifiers = ["glue.amazonaws.com"]
- }
- }
-}
-
-resource "aws_iam_role" "default" {
- count = var.role_arn == null ? 1 : 0
- name = "GlueRole-${var.name}"
- assume_role_policy = data.aws_iam_policy_document.default.json
- tags = var.tags
-}
-
-resource "aws_iam_role_policy" "default" {
- count = var.role_arn == null && var.role_policy != null ? 1 : 0
- name = "GlueRole-${var.name}"
- role = aws_iam_role.default[0].id
- policy = var.role_policy
-}
-
-resource "aws_iam_role_policy_attachment" "default" {
- count = var.role_arn == null ? 1 : 0
- role = aws_iam_role.default[0].id
- policy_arn = "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole"
-}
-
 resource "aws_glue_job" "default" {
- name = var.name
- connections = var.connections
- default_arguments = var.default_arguments
- glue_version = var.glue_version
- max_capacity = var.max_capacity
- max_retries = var.max_retries
- number_of_workers = var.number_of_workers
- role_arn = var.role_arn != null ? var.role_arn : aws_iam_role.default[0].arn
- worker_type = var.worker_type
- tags = var.tags
+ name = var.name
+ connections = var.connections
+ default_arguments = var.default_arguments
+ glue_version = var.glue_version
+ max_capacity = var.max_capacity
+ max_retries = var.max_retries
+ number_of_workers = var.number_of_workers
+ role_arn = var.role_arn != null ? var.role_arn : aws_iam_role.default[0].arn
+ security_configuration = var.security_configuration
+ worker_type = var.worker_type
+ tags = var.tags
 
 command {
 name = var.command_name
diff --git a/variables.tf b/variables.tf
index 2f9c1c4..ad4e01f 100644
--- a/variables.tf
+++ b/variables.tf
@@ -28,7 +28,7 @@ variable "default_arguments" {
 
 variable "glue_version" {
 type = string
- default = "2.0"
+ default = "4.0"
 description = "The Glue version to use"
 }
 
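Review bot: `role_arn = var.role_arn != null ? var.role_arn : aws_iam_role.default[0].arn` makes the job depend on the role but not on `aws_iam_role_policy_attachment.default` or `aws_iam_role_policy.default`, which now live in iam.tf, so Terraform may create the job before its permissions are attached and a scheduled trigger that fires right after apply would fail with access-denied errors. Adding `depends_on = [aws_iam_role_policy.default, aws_iam_role_policy_attachment.default]` to `aws_glue_job.default` closes that window; referencing the count-based resources as a whole is valid even when their count is zero. The new `security_configuration` line defaults to null, so the job runs without a Glue security configuration unless the caller passes one, which the README generated by the `docs` job should make visible. The `command` block of `aws_glue_job.default` continues past the end of the hunk.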
@@ -74,6 +74,12 @@ variable "schedule" {
 description = "A cron expression used to specify the schedule for the glue trigger"
 }
 
+variable "security_configuration" {
+ type = string
+ default = null
+ description = "The name of the Security Configuration to be associated with the job"
+}
+
 variable "schedule_active" {
 type = bool
 default = true
diff --git a/versions.tf b/versions.tf
index 203cbbb..30b85f7 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,7 +1,10 @@
 terraform {
- required_version = ">= 0.13.0"
+ required_version = ">= 1.3"
 
 required_providers {
- aws = ">= 3.10"
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.62.0"
+ }
 }
 }
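Review bot: The description on the new `security_configuration` variable says what the value is but not what its `null` default does; suggest `description = "The name of the Glue Security Configuration to associate with the job; null runs the job without one"` so callers can see that encryption settings are opt-in. The variable is inserted between `schedule` and `schedule_active`, which appears to break the alphabetical ordering the rest of the file keeps; moving it after `schedule_active` would keep that convention.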