diff --git a/.github/.templatesyncignore b/.github/.templatesyncignore
new file mode 100644
index 0000000..775d81f
--- /dev/null
+++ b/.github/.templatesyncignore
@@ -0,0 +1,9 @@
+README.md
+.github/workflows/*
+.terraform-docs.yml
+docs/20-badges.md
+docs/assets/logo.svg
+*.tf
+test/*
+go.mod
+go.sum
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..33587ce
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,32 @@
+---
+##############################
+## Dependabot configuration ##
+##############################
+
+#
+# Documentation:
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates
+#
+
+version: 2
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 0
+
+  # Maintain dependencies for Terraform Providers
+  - package-ecosystem: "terraform"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 0
+
+  # Maintain dependencies for Golang
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 0
diff --git a/.github/labels.yaml b/.github/labels.yaml
deleted file mode 100644
index bc0cd30..0000000
--- a/.github/labels.yaml
+++ /dev/null
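Review bot: Every `updates` entry in the new dependabot.yml sets `open-pull-requests-limit: 0`, which disables version-update pull requests for that ecosystem, so the `# Maintain dependencies for …` comment above each entry describes something the file does not do. If the intent is to rely on Dependabot security updates only (which this limit does not govern), say so, e.g. replace each comment with `# Version-update PRs disabled (limit 0); Dependabot security updates still apply`. Otherwise raise the limit so the github-actions, terraform and gomod ecosystems actually receive update PRs; the workflows in this change reference third-party actions by tag and would benefit from them.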
@@ -1,34 +0,0 @@ -- name: 'bump:major' - color: ef6bb4 - description: 'Attach to PR to automatically bump major version on merge' - aliases: [ ] - -- name: 'bump:minor' - color: ef6bb4 - description: 'Attach to PR to automatically bump minor version on merge' - aliases: [ ] - -- name: 'bump:patch' - color: ef6bb4 - description: 'Attach to PR to automatically bump patch version on merge' - aliases: [ ] - -- name: 'automation' - color: 3ddd1b - description: 'Removing manual tasks by automating them' - aliases: [ ] - -- name: 'bug' - color: d73a4a - description: 'Something is not working' - aliases: [ ] - -- name: 'documentation' - color: 0075ca - description: 'Improvements or additions to documentation' - aliases: [ ] - -- name: 'enhancement' - color: a2eeef - description: 'New feature or request' - aliases: [ ] diff --git a/.github/pull_request-template.md b/.github/pull_request-template.md index 60761ad..3e2e50d 100644 --- a/.github/pull_request-template.md +++ b/.github/pull_request-template.md @@ -5,10 +5,6 @@ ... -## How this PR fixes it - -... - ## Readiness Checklist ### Author/Contributor diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 9f31c92..a66b5c7 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -1,7 +1,7 @@ --- -#################################### -## Draft releases on Push to main ## -#################################### +##################### +## Create releases ## +##################### # # Documentation: @@ -13,9 +13,8 @@ on: push: branches: [ main ] tags: [ 'v*.*.*' ] - -permissions: - contents: write + pull_request: + types: [ labeled ] ################# # Start the job # @@ -26,6 +25,7 @@ jobs: ############### create-release: name: Create Release + if: github.event.action != 'labeled' runs-on: ubuntu-latest timeout-minutes: 10 steps: 
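Review bot: The second release.yaml hunk drops the workflow-level `permissions: contents: write` without replacing it, while the create-release job (whose body continues into the next hunk with `tag_name`/`draft`/`prerelease`) still needs to write releases; the token now falls back to the repository's default token permissions, which is either broader than the job needs or read-only, depending on repository settings. Declare the minimum per job instead: under `create-release:` add `permissions:` / `  contents: write`, and give the new labeled-event job only `pull-requests: write` for its comment. The `if: github.event.action != 'labeled'` guard in the third hunk relies on `github.event.action` being empty on push events, which holds for branch and tag pushes but deserves a one-line comment such as `# push events carry no action; only the labeled pull_request event is excluded`.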
@@ -75,3 +75,22 @@ jobs: tag_name: ${{ steps.tag.outputs.value }} draft: false prerelease: false + + ########################### + # Release preview comment # + ########################### + release-check: + if: github.event.action == 'labeled' + runs-on: ubuntu-latest + steps: + ############################ + # Checkout the source code # + ############################ + - name: Checkout Code + uses: actions/checkout@v3.1.0 + + ####################### + # Post status comment # + ####################### + - name: Post bumpr status comment + uses: haya14busa/action-bumpr@v1 diff --git a/.github/workflows/sync-templates.yaml b/.github/workflows/sync-templates.yaml index 30bdab5..dfa10ab 100644 --- a/.github/workflows/sync-templates.yaml +++ b/.github/workflows/sync-templates.yaml @@ -10,7 +10,9 @@ name: Sync templates on: - workflow_dispatch: + workflow_dispatch: # Trigger manually + schedule: + - cron: "0 0 1 * *" # Run at 00:00 on the first day of every month ########################## # Prevent duplicate jobs # @@ -36,7 +38,7 @@ jobs: - name: Sync labels uses: EndBug/label-sync@v2.3.1 with: - config-file: https://raw.githubusercontent.com/geekcell/template-terraform-module/main/.github/labels.yaml + config-file: https://gist.githubusercontent.com/Ic3w0lf/f5520c5f19d7098966f692c120f7a197/raw/75b134f76fbc55e2e64bd66f04e571d6d74b815e/terraform-aws-module-labels.yaml ####################### # Sync template files # 
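Review bot: The new release-check job references `haya14busa/action-bumpr@v1` (and `actions/checkout@v3.1.0`) by mutable tags that the upstream owner can move, and it carries no `permissions` block, so the comment it posts runs with whatever the repository's default token grants. Pin both steps to a full commit SHA with the tag in a trailing comment, e.g. `uses: haya14busa/action-bumpr@<commit-sha> # v1` (placeholder; take the SHA from the upstream release), and add `permissions:` / `  pull-requests: write` to the job. On `pull_request` events from forks the token is read-only regardless, so the comment step will fail there; gating the job with `github.event.pull_request.head.repo.full_name == github.repository` avoids a red check on fork PRs.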
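Review bot: The label-sync step now reads its config from a gist under a personal account (`gist.githubusercontent.com/Ic3w0lf/…`) rather than a repository the organisation controls, and the added monthly `schedule` trigger means it will run unattended. The URL is pinned to a specific gist revision, so the content cannot change silently, but ownership rests with one user and this commit also deletes the repository's own `.github/labels.yaml`, leaving no copy of the label set under review here. Consider hosting the file in the `geekcell/terraform-aws-module-template` repository that the template-sync job already trusts, and add a comment above `config-file:` such as `# Revision-pinned URL; update the revision hash deliberately when labels change`.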
@@ -50,33 +52,12 @@ jobs: ############################ - name: Checkout Code uses: actions/checkout@v3.1.0 - with: - token: ${{ secrets.GEEKCELL_PAT_WORKFLOWS }} - - ######################## - # Patch template files # - ######################## - - name: Force patching of template files - run: | - yes y | make setup/update-template - - #################### - # Update README.md # - #################### - - name: Terraform docs - uses: terraform-docs/gh-actions@v1.0.0 - with: - config-file: .terraform-docs.yml - git-push: false - ############# - # Create PR # - ############# - - name: Create PR - uses: peter-evans/create-pull-request@v4.2.0 + ####################### + # Sync template files # + ####################### + - name: actions-template-sync + uses: AndreasAugustin/actions-template-sync@v0.7.3 with: - token: ${{ secrets.GEEKCELL_PAT_WORKFLOWS }} - title: Updated template files - commit-message: Update template files from main repo - branch: update-template-files - delete-branch: true + github_token: ${{ secrets.GITHUB_TOKEN }} + source_repo_path: geekcell/terraform-aws-module-template diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e7c9291..d96a421 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,16 +1,18 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.76.0 + rev: v1.80.0 hooks: - id: terraform_docs - id: terraform_fmt - id: terraform_validate + args: + - --hook-config=--retry-once-with-cleanup=true exclude: '^[^/]+$' - id: terraform_tflint exclude: ^examples/ - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.3.0 + rev: v4.4.0 hooks: - id: trailing-whitespace - id: end-of-file-fixer diff --git a/.terraform-docs.yml b/.terraform-docs.yml index 0a0cd3e..0953e13 100644 --- a/.terraform-docs.yml +++ b/.terraform-docs.yml 
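Review bot: The replacement step `AndreasAugustin/actions-template-sync@v0.7.3` receives `secrets.GITHUB_TOKEN` and will push a branch and open a pull request into this repository, yet it is referenced by a mutable tag rather than a commit SHA, and the job's `permissions` block (if one exists) lies above this hunk, so the write scope it runs with cannot be confirmed here. Pin the action to a full commit SHA with `# v0.7.3` as a trailing comment and make sure the job declares only `contents: write` and `pull-requests: write`. Replacing the PAT with `GITHUB_TOKEN` also means, by GitHub's design, that pull requests this step opens will not trigger the repository's other workflows, so template-sync PRs will arrive without CI results; if that matters, keep a scoped PAT for this step or record the behaviour in a comment next to `github_token:`. The job definition starts before this hunk.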
@@ -2,13 +2,13 @@ formatter: "md table" header-from: main.tf recursive: + # Enable this if your module has submodules enabled: true - path: modules content: |- - {{ include "docs/logo.md" }} + {{ include "docs/10-header.md" }} - {{ include "docs/badges.md" }} + {{ include "docs/20-badges.md" }} {{ .Header }} diff --git a/README.md b/README.md index cb0d252..4b4617a 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ -[![Geek Cell GmbH](https://raw.githubusercontent.com/geekcell/template-terraform-module/main/docs/assets/logo.svg)](https://www.geekcell.io/) +[![Geek Cell GmbH](https://raw.githubusercontent.com/geekcell/.github/main/geekcell-github-banner.png)](https://www.geekcell.io/) ### Code Quality [![License](https://img.shields.io/github/license/geekcell/terraform-aws-new-relic-integration)](https://github.com/geekcell/terraform-aws-new-relic-integration/blob/master/LICENSE) @@ -36,7 +36,10 @@ # Terraform AWS New Relic Integration Terraform module which creates resources to integrate AWS with New Relic by using Kinesis Firehose streams. Supports -VPC Flow logs. +VPC Flow logs. Comes with the following sub modules: + +[Fargate PHP Daemon](./modules/fargate\_php\_daemon/README.md) +[SSM License Key](./modules/ssm\_license\_key/README.md) ## Inputs 
@@ -72,17 +75,17 @@ No outputs. ## Resources -- resource.aws_cloudwatch_metric_stream.main (main.tf#137) -- resource.aws_flow_log.main (main.tf#286) -- resource.aws_kinesis_firehose_delivery_stream.cloudwatch_metrics (main.tf#149) -- resource.aws_kinesis_firehose_delivery_stream.vpc_flow_logs (main.tf#185) -- resource.aws_s3_bucket.main (main.tf#253) -- resource.aws_s3_bucket_acl.main (main.tf#259) -- resource.aws_s3_bucket_public_access_block.main (main.tf#274) -- resource.aws_s3_bucket_server_side_encryption_configuration.main (main.tf#264) -- resource.newrelic_api_access_key.main (main.tf#303) -- resource.newrelic_cloud_aws_link_account.main (main.tf#317) -- data source.aws_caller_identity.current (main.tf#7) +- resource.aws_cloudwatch_metric_stream.main (main.tf#140) +- resource.aws_flow_log.main (main.tf#289) +- resource.aws_kinesis_firehose_delivery_stream.cloudwatch_metrics (main.tf#152) +- resource.aws_kinesis_firehose_delivery_stream.vpc_flow_logs (main.tf#188) +- resource.aws_s3_bucket.main (main.tf#256) +- resource.aws_s3_bucket_acl.main (main.tf#262) +- resource.aws_s3_bucket_public_access_block.main (main.tf#277) +- resource.aws_s3_bucket_server_side_encryption_configuration.main (main.tf#267) +- resource.newrelic_api_access_key.main (main.tf#306) +- resource.newrelic_cloud_aws_link_account.main (main.tf#320) +- data source.aws_caller_identity.current (main.tf#10) # Examples ### Minimal diff --git a/docs/10-header.md b/docs/10-header.md new file mode 100644 index 0000000..3843bbf --- /dev/null +++ b/docs/10-header.md @@ -0,0 +1 @@ +[![Geek Cell GmbH](https://raw.githubusercontent.com/geekcell/.github/main/geekcell-github-banner.png)](https://www.geekcell.io/) diff --git a/docs/badges.md b/docs/20-badges.md similarity index 100% rename from docs/badges.md rename to docs/20-badges.md diff --git a/docs/logo.md b/docs/logo.md deleted file mode 100644 index 50e69d6..0000000 --- a/docs/logo.md +++ /dev/null 
@@ -1 +0,0 @@ -[![Geek Cell GmbH](https://raw.githubusercontent.com/geekcell/template-terraform-module/main/docs/assets/logo.svg)](https://www.geekcell.io/) diff --git a/main.tf b/main.tf index a926a1d..3215168 100644 --- a/main.tf +++ b/main.tf @@ -2,7 +2,10 @@ * # Terraform AWS New Relic Integration * * Terraform module which creates resources to integrate AWS with New Relic by using Kinesis Firehose streams. Supports - * VPC Flow logs. + * VPC Flow logs. Comes with the following sub modules: + * + * [Fargate PHP Daemon](./modules/fargate_php_daemon/README.md) + * [SSM License Key](./modules/ssm_license_key/README.md) */ data "aws_caller_identity" "current" {} @@ -15,13 +18,13 @@ module "iam_integration_role" { name = coalesce(var.ingeration_role_name, "${var.name}-integration") use_name_prefix = var.integration_role_name_prefix - description = "Role for New Relic integration." - policy_arns = ["arn:aws:iam::aws:policy/ReadOnlyAccess"] + description = "Role for New Relic integration." + policy_arns = ["arn:aws:iam::aws:policy/ReadOnlyAccess"] assume_roles = { "AWS" : { actions = ["sts:AssumeRole"] identifiers = ["754728514883"] # Unique identifier for New Relic account on AWS - conditions = [ + conditions = [ { test = "StringEquals" variable = "sts:ExternalId" @@ -43,8 +46,8 @@ module "iam_firehose_role" { name = coalesce(var.firehose_role_name, "${var.name}-firehose") use_name_prefix = var.firehose_role_name_prefix - description = "Role for New Relic Firehose." - policy_arns = [module.iam_firehose_policy.arn] + description = "Role for New Relic Firehose." + policy_arns = [module.iam_firehose_policy.arn] assume_roles = { "Service" : { identifiers = ["firehose.amazonaws.com"] 
@@ -61,10 +64,10 @@ module "iam_firehose_policy" { use_name_prefix = var.firehose_role_name_prefix description = "Policy for New Relic Firehose." - statements = [ + statements = [ { - sid = "BucketList" - effect = "Allow" + sid = "BucketList" + effect = "Allow" actions = [ "s3:GetBucketLocation", "s3:ListBucket" @@ -72,8 +75,8 @@ module "iam_firehose_policy" { resources = [aws_s3_bucket.main.arn] }, { - sid = "BucketWrite" - effect = "Allow" + sid = "BucketWrite" + effect = "Allow" actions = [ "s3:AbortMultipartUpload", "s3:GetObject", @@ -96,8 +99,8 @@ module "iam_metric_stream_role" { name = coalesce(var.metric_stream_role_name, "${var.name}-metric-stream") use_name_prefix = var.metric_stream_role_name_prefix - description = "Role for New Relic Metric Stream." - policy_arns = [module.iam_metric_stream_policy.arn] + description = "Role for New Relic Metric Stream." + policy_arns = [module.iam_metric_stream_policy.arn] assume_roles = { "Service" : { identifiers = ["streams.metrics.cloudwatch.amazonaws.com"] @@ -114,10 +117,10 @@ module "iam_metric_stream_policy" { use_name_prefix = var.metric_stream_role_name_prefix description = "Policy for New Relic Metric Stream." - statements = [ + statements = [ { - sid = "FirehoseWrite" - effect = "Allow" + sid = "FirehoseWrite" + effect = "Allow" actions = [ "firehose:PutRecord", "firehose:PutRecordBatch" diff --git a/modules/fargate_php_daemon/README.md b/modules/fargate_php_daemon/README.md index 4524a6e..a1fe5dd 100644 --- a/modules/fargate_php_daemon/README.md +++ b/modules/fargate_php_daemon/README.md @@ -40,6 +40,6 @@ No outputs. ## Resources -- resource.aws_ecs_service.main (modules/fargate_php_daemon/main.tf#36) -- resource.aws_service_discovery_service.main (modules/fargate_php_daemon/main.tf#66) +- resource.aws_ecs_service.main (modules/fargate_php_daemon/main.tf#38) +- resource.aws_service_discovery_service.main (modules/fargate_php_daemon/main.tf#68) 
diff --git a/modules/fargate_php_daemon/main.tf b/modules/fargate_php_daemon/main.tf index e25fcc9..e6720d3 100644 --- a/modules/fargate_php_daemon/main.tf +++ b/modules/fargate_php_daemon/main.tf @@ -7,7 +7,8 @@ * https://docs.newrelic.com/docs/apm/agents/php-agent/advanced-installation/docker-other-container-environments-install-php-agent/ */ module "container_definition" { - source = "github.com/geekcell/terraform-aws-ecs-container-definition?ref=main" + source = "geekcell/ecs-container-definition/aws" + version = ">= 1.0.0, < 2.0.0" name = var.container_name image = var.container_image @@ -21,7 +22,8 @@ module "container_definition" { } module "task_definition" { - source = "github.com/geekcell/terraform-aws-ecs-task-definition.git?ref=main" + source = "geekcell/ecs-task-definition/aws" + version = ">= 1.0.0, < 2.0.0" name = var.task_definition_name container_definitions = [module.container_definition.hcl] diff --git a/modules/ssm_license_key/main.tf b/modules/ssm_license_key/main.tf index 6020ac5..5a495b8 100644 --- a/modules/ssm_license_key/main.tf +++ b/modules/ssm_license_key/main.tf @@ -25,7 +25,7 @@ resource "aws_secretsmanager_secret" "main" { # The secret is created with the following structure so it can be used by Lambda as well: # https://github.com/newrelic/newrelic-lambda-extension/blob/main/credentials/credentials.go#L18 resource "aws_secretsmanager_secret_version" "main" { - secret_id = aws_secretsmanager_secret.main.id + secret_id = aws_secretsmanager_secret.main.id secret_string = jsonencode({ NrAccountId = var.new_relic_account_id LicenseKey = newrelic_api_access_key.main.key 
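Review bot: The new registry sources set `version = ">= 1.0.0, < 2.0.0"` for both `container_definition` and `task_definition`, and the same range is used for `read_only_iam_policy` in modules/ssm_license_key/main.tf in the last hunk; Terraform's dependency lock file records provider selections only, so a module constraint this wide resolves to whichever 1.x release is newest at each `terraform init`, keeping part of the floating-`main` behaviour the change set out to remove. If reproducible plans matter, narrow it to one minor series (`version = "~> 1.0.0"`) or an exact `= 1.x.y` (placeholder) and let Dependabot's terraform entry propose bumps — noting that `open-pull-requests-limit: 0` in the new dependabot.yml currently prevents that. The module blocks continue outside these hunks.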
@@ -39,16 +39,17 @@ resource "aws_secretsmanager_secret_version" "main" { module "read_only_iam_policy" { count = var.create_iam_policy_read_only ? 1 : 0 - source = "github.com/geekcell/terraform-aws-iam-policy?ref=v1" + source = "geekcell/iam-policy/aws" + version = ">= 1.0.0, < 2.0.0" name = coalesce(var.iam_policy_read_only_name, "${aws_secretsmanager_secret.main.name}-read-only") use_name_prefix = var.iam_policy_read_only_use_prefix description = "Read only policy for New Relic SSM Secret." - statements = [ + statements = [ { - sid = "AllowReadSecret" - effect = "Allow" + sid = "AllowReadSecret" + effect = "Allow" actions = [ "secretsmanager:GetSecretValue" ]