From 70d959aaa8dddc9b52c86204906b18fb773f6056 Mon Sep 17 00:00:00 2001
From: Paul Schwarzenberger
Date: Fri, 8 Mar 2024 13:24:18 +0000
Subject: [PATCH 1/5] Trigger pipelines on changes to lambda utils

---
 .github/workflows/ecdsa_default.yml | 2 +-
 .github/workflows/rsa_public_crl.yml | 2 +-
 .gitignore | 2 +-
 modules/terraform-aws-ca-lambda/main.tf | 4 ++++
 4 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ecdsa_default.yml b/.github/workflows/ecdsa_default.yml
index adec41e..f5ac5ed 100644
--- a/.github/workflows/ecdsa_default.yml
+++ b/.github/workflows/ecdsa_default.yml
@@ -100,7 +100,7 @@ jobs:
 - name: cache built python modules
 uses: actions/cache@v4
 with:
- key: modules_terraform-aws-ca-lambda_build_${{ hashFiles('./modules/terraform-aws-ca-lambda/lambda_code/**') }}_py${{ steps.setup_python.outputs.python-version }}
+ key: modules_terraform-aws-ca-lambda_build_${{ hashFiles('./modules/terraform-aws-ca-lambda/lambda_code/**') }}_${{ hashFiles('./modules/terraform-aws-ca-lambda/utils/**') }}_py${{ steps.setup_python.outputs.python-version }}
 path: ./modules/terraform-aws-ca-lambda/build
 
 - name: terraform plan
diff --git a/.github/workflows/rsa_public_crl.yml b/.github/workflows/rsa_public_crl.yml
index 9e7503e..224c0a4 100644
--- a/.github/workflows/rsa_public_crl.yml
+++ b/.github/workflows/rsa_public_crl.yml
@@ -103,7 +103,7 @@ jobs:
 - name: cache built python modules
 uses: actions/cache@v4
 with:
- key: modules_terraform-aws-ca-lambda_build_${{ hashFiles('./modules/terraform-aws-ca-lambda/lambda_code/**') }}_py${{ steps.setup_python.outputs.python-version }}
+ key: modules_terraform-aws-ca-lambda_build_${{ hashFiles('./modules/terraform-aws-ca-lambda/lambda_code/**') }}_${{ hashFiles('./modules/terraform-aws-ca-lambda/utils/**') }}_py${{ steps.setup_python.outputs.python-version }}
 path: ./modules/terraform-aws-ca-lambda/build
 
 - name: terraform plan
diff --git a/.gitignore b/.gitignore
index 2c74459..deb4647 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,7 +3,7 @@
 .idea
 .vs
 .venv
-.zip
+*.src.zip
 __pycache__
 .terraform.lock.hcl
 .terraform.tfstate
diff --git a/modules/terraform-aws-ca-lambda/main.tf b/modules/terraform-aws-ca-lambda/main.tf
index 303bc20..dbf4d21 100644
--- a/modules/terraform-aws-ca-lambda/main.tf
+++ b/modules/terraform-aws-ca-lambda/main.tf
@@ -1,7 +1,11 @@
 resource "null_resource" "install_python_dependencies" {
 triggers = {
+ # detect changes to Lambda code
 source_archive_checksum = data.archive_file.lambda_source.output_base64sha256
+ # detect changes to files in utils directory
+ dir_sha1 = sha1(join("", [for f in fileset("${path.module}/utils", "**"): filesha1("${path.module}/utils/${f}")]))
+
 # static value (true) if present, variable value (timestamp()) when not present. (so the 'false' state isn't static and forces a build by change of state whenever so. a static false value doesn't force change of state.)
 build_already_present = fileexists("${path.module}/build/${local.file_name}/__init__.py") ? true : timestamp()
 }
 

From 2fc64666c8ce93801acb78eff18624ab86c2bd7f Mon Sep 17 00:00:00 2001
From: Paul Schwarzenberger
Date: Fri, 8 Mar 2024 13:29:35 +0000
Subject: [PATCH 2/5] Terraform format

---
 modules/terraform-aws-ca-lambda/main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/terraform-aws-ca-lambda/main.tf b/modules/terraform-aws-ca-lambda/main.tf
index dbf4d21..c02fb02 100644
--- a/modules/terraform-aws-ca-lambda/main.tf
+++ b/modules/terraform-aws-ca-lambda/main.tf
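Review bot: The replacement pattern `*.src.zip` on the `+` line is tied to the `.src.zip` archive produced by `archive_file.lambda_source`, and patch 3 of this series deletes that data source and moves the deployable archive to `build/${local.file_name}.zip`, so by the end of the series the entry ignores nothing and the new zip is only kept out of the repository if `build/` is already ignored somewhere outside this hunk. A broader entry such as `*.zip`, or an explicit `modules/terraform-aws-ca-lambda/build/`, would cover the packaged Lambda (built code plus installed dependencies) regardless of where the archive is written. The removed `.zip` entry matched only a file literally named `.zip`, so no archive was being ignored before either.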
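Review bot: The `dir_sha1` trigger on the added line hashes a concatenation of file contents only, so renaming or moving a file under `utils/` without changing its bytes, or swapping the contents of two files, produces the same value and does not force a rebuild; `lambda_code_sha256` and `utils_sha256` in patches 3, 4 and 5 carry the same gap, and patch 3's `sort` over the hash list drops file identity altogether. Folding the relative path into the hashed material closes it, e.g. `dir_sha1 = sha1(join("", [for f in fileset("${path.module}/utils", "**") : "${f}:${filesha1("${path.module}/utils/${f}")}"]))`. `fileset` also runs on whichever machine executes the plan, so untracked local files such as the `__pycache__` directories this repository ignores will feed the trigger if present under `utils/`, which can make plans differ between a developer machine and CI; filtering them out in the comprehension is worth considering.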
@@ -4,8 +4,8 @@ resource "null_resource" "install_python_dependencies" {
 source_archive_checksum = data.archive_file.lambda_source.output_base64sha256
 # detect changes to files in utils directory
- dir_sha1 = sha1(join("", [for f in fileset("${path.module}/utils", "**"): filesha1("${path.module}/utils/${f}")]))
- 
+ dir_sha1 = sha1(join("", [for f in fileset("${path.module}/utils", "**") : filesha1("${path.module}/utils/${f}")]))
+
 # static value (true) if present, variable value (timestamp()) when not present. (so the 'false' state isn't static and forces a build by change of state whenever so. a static false value doesn't force change of state.)
 build_already_present = fileexists("${path.module}/build/${local.file_name}/__init__.py") ? true : timestamp()
 }
 

From 48195dc50b417d9f31aabd5f5c767e0f8aeaf04d Mon Sep 17 00:00:00 2001
From: Paul Schwarzenberger
Date: Fri, 8 Mar 2024 15:17:12 +0000
Subject: [PATCH 3/5] Remove archive folder and use fileset to detect changes

---
 modules/terraform-aws-ca-lambda/archive/.gitkeep | 0
 modules/terraform-aws-ca-lambda/main.tf | 12 +++---------
 2 files changed, 3 insertions(+), 9 deletions(-)
 delete mode 100644 modules/terraform-aws-ca-lambda/archive/.gitkeep

diff --git a/modules/terraform-aws-ca-lambda/archive/.gitkeep b/modules/terraform-aws-ca-lambda/archive/.gitkeep
deleted file mode 100644
index e69de29..0000000
diff --git a/modules/terraform-aws-ca-lambda/main.tf b/modules/terraform-aws-ca-lambda/main.tf
index c02fb02..036979f 100644
--- a/modules/terraform-aws-ca-lambda/main.tf
+++ b/modules/terraform-aws-ca-lambda/main.tf
@@ -1,10 +1,10 @@
 resource "null_resource" "install_python_dependencies" {
 triggers = {
 # detect changes to Lambda code
- source_archive_checksum = data.archive_file.lambda_source.output_base64sha256
+ lambda_code_sha256 = sha256(join("", sort([for f in fileset("${path.module}/lambda_code/${local.file_name}", "**") : filesha1("${path.module}/lambda_code/${local.file_name}/${f}")])))
 # detect changes to files in utils directory
- dir_sha1 = sha1(join("", [for f in fileset("${path.module}/utils", "**") : filesha1("${path.module}/utils/${f}")]))
+ utils_sha256 = sha256(join("", sort([for f in fileset("${path.module}/utils", "**") : filesha1("${path.module}/utils/${f}")])))
 
 # static value (true) if present, variable value (timestamp()) when not present. (so the 'false' state isn't static and forces a build by change of state whenever so. a static false value doesn't force change of state.)
 build_already_present = fileexists("${path.module}/build/${local.file_name}/__init__.py") ? true : timestamp()
@@ -26,17 +26,11 @@ resource "null_resource" "install_python_dependencies" {
 }
 }
 
-data "archive_file" "lambda_source" {
- type = "zip"
- source_dir = "${path.module}/lambda_code/${local.file_name}"
- output_path = "${path.module}/archive/${local.file_name}.src.zip"
-}
-
 data "archive_file" "lambda_zip" {
 depends_on = [null_resource.install_python_dependencies]
 type = "zip"
 source_dir = "${path.module}/build/${local.file_name}"
- output_path = "${path.module}/archive/${local.file_name}.zip"
+ output_path = "${path.module}/build/${local.file_name}.zip"
 }
 
 resource "aws_lambda_function" "lambda" {

From f3463a22289cee320d98e90cb35d9fde460a3a85 Mon Sep 17 00:00:00 2001
From: Paul Schwarzenberger
Date: Fri, 8 Mar 2024 15:26:43 +0000
Subject: [PATCH 4/5] Address PR comments

---
 modules/terraform-aws-ca-lambda/main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

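Review bot: The new `output_path` on `archive_file.lambda_zip` writes the deployment archive into `build/`, which is also the directory the workflow hunks in patch 1 cache (`path: ./modules/terraform-aws-ca-lambda/build`), so every run will now save and restore `${local.file_name}.zip` through the Actions cache although `archive_file` regenerates it at plan time. The archive sits next to `build/${local.file_name}/` rather than inside the `source_dir`, which is correct but easy to misread; a comment on the line, `# sibling of source_dir, so the archive never packages itself`, would help, and narrowing the cached path to the built package directory keeps the cache to what is actually reused. The `resource "aws_lambda_function" "lambda"` block begins on the hunk's last line and continues outside it.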
diff --git a/modules/terraform-aws-ca-lambda/main.tf b/modules/terraform-aws-ca-lambda/main.tf
index 036979f..198748b 100644
--- a/modules/terraform-aws-ca-lambda/main.tf
+++ b/modules/terraform-aws-ca-lambda/main.tf
@@ -1,10 +1,10 @@
 resource "null_resource" "install_python_dependencies" {
 triggers = {
 # detect changes to Lambda code
- lambda_code_sha256 = sha256(join("", sort([for f in fileset("${path.module}/lambda_code/${local.file_name}", "**") : filesha1("${path.module}/lambda_code/${local.file_name}/${f}")])))
+ lambda_code_sha256 = sha256(join("", [for f in toset(sort(tolist(fileset("${path.module}/lambda_code/${local.file_name}", "**")))) : filesha256("${path.module}/lambda_code/${local.file_name}/${f}")]))
 # detect changes to files in utils directory
- utils_sha256 = sha256(join("", sort([for f in fileset("${path.module}/utils", "**") : filesha1("${path.module}/utils/${f}")])))
+ utils_sha256 = sha256(join("", [for f in toset(sort(tolist(fileset("${path.module}/utils", "**")))) : filesha256("${path.module}/utils/${f}")]))
 
 # static value (true) if present, variable value (timestamp()) when not present. (so the 'false' state isn't static and forces a build by change of state whenever so. a static false value doesn't force change of state.)
 build_already_present = fileexists("${path.module}/build/${local.file_name}/__init__.py") ? true : timestamp()

From 988c021faecb5a892e29b5df2dee549259ec3faa Mon Sep 17 00:00:00 2001
From: Paul Schwarzenberger
Date: Fri, 8 Mar 2024 15:35:08 +0000
Subject: [PATCH 5/5] Remove unnecessary toset function

---
 modules/terraform-aws-ca-lambda/main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/terraform-aws-ca-lambda/main.tf b/modules/terraform-aws-ca-lambda/main.tf
index 198748b..8ef0b54 100644
--- a/modules/terraform-aws-ca-lambda/main.tf
+++ b/modules/terraform-aws-ca-lambda/main.tf
@@ -1,10 +1,10 @@
 resource "null_resource" "install_python_dependencies" {
 triggers = {
 # detect changes to Lambda code
- lambda_code_sha256 = sha256(join("", [for f in toset(sort(tolist(fileset("${path.module}/lambda_code/${local.file_name}", "**")))) : filesha256("${path.module}/lambda_code/${local.file_name}/${f}")]))
+ lambda_code_sha256 = sha256(join("", [for f in sort(tolist(fileset("${path.module}/lambda_code/${local.file_name}", "**"))) : filesha256("${path.module}/lambda_code/${local.file_name}/${f}")]))
 # detect changes to files in utils directory
- utils_sha256 = sha256(join("", [for f in toset(sort(tolist(fileset("${path.module}/utils", "**")))) : filesha256("${path.module}/utils/${f}")]))
+ utils_sha256 = sha256(join("", [for f in sort(tolist(fileset("${path.module}/utils", "**"))) : filesha256("${path.module}/utils/${f}")]))
 
 # static value (true) if present, variable value (timestamp()) when not present. (so the 'false' state isn't static and forces a build by change of state whenever so. a static false value doesn't force change of state.)
 build_already_present = fileexists("${path.module}/build/${local.file_name}/__init__.py") ? true : timestamp()