Summary

Add an option that causes the action to save the .tfplan as a workflow artifact. This can then be used when the PR merges to main to test that the TF plan is still fresh and prevent unexpected infrastructure changes.

Related

• https://itnext.io/github-actions-terraform-deployments-with-a-review-of-planned-changes-30143358bb5c

For the new account factory for terraform repos we are unable to run a tf plan because their isn't a specific backend to be able to run against, however there is still a need for init, validate, and format, and so this action is still useful

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Pending Approval

These branches will be created by Renovate only once you click their checkbox below.

• chore(deps): update actions/checkout action to v4
• chore(deps): update terraform aws to v5
• fix(deps): update dependency @actions/github to v6
• 🔐 Create all pending approval PRs at once 🔐

Pending Status Checks

These updates await pending status checks. To force their creation now, click the checkbox below.

• chore(deps): update dependency @vercel/ncc to v0.38.1

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore(deps): lock file maintenance

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

Currently the only indicator of a terraform fmt --check step is the failure message in the comment and action run.

Ideally a format error should list the files that have failed.

We've noticed that even with comment-delete: true, we still get duplicate PR comments for the same plans:

In the logs, there is no mention of Deleting comment which we'd expect if that code path was being hit correctly. So either it isn't ever getting to the deleteComment() function, or the comments.find() comes back empty.

Add an option that will do the following:

• Disable PR Commenting (as it will be run as a cron job in a repo)
• Report the drift to a webhook for alerting

Hi,

It'd be useful to have skip-fmt (similar to skip-plan) input. If it's true then terraform fmt --check is not execute so it does not check the code formatting and, as result, does not fail a workflow run.
Please see screenshot

Seems like some colour codes are still making it through

From: cds-snc/covid-alert-metrics-terraform#181

Now that we have some external views on this project we really need to updated the documentation on how to use it.

Use OPA to:

• Determine if there are changes; and
• Get count of all changes for the PR comment.

This just makes life a little easier and means the user doesn't have to look at the action logs to see what it is.

Summary

When one of the Terraform commands produces over 200kb of output, a spawnSync /bin/sh ENOBUFS error is thrown and the command fails.

Problem is explained in this StackOverflow answer:

The problem is that execSync mode execute the command within a shell with a limited buffer (200 Kb) used to forward the execution output. Moreover, the default shell execution option is "pipe", which means that the output must be forwarded to the parent.

The module should report if the folder the action is supposed to run in, does not exist.

This will keep PRs cleaner by removing previous run comments made by the bot.

Instead of having to look at the github action to see that the init failed it should render a message like

✅ Terraform Init: Success
❌ Terraform Init: Failed

And then display the error in a <details> section

Summary

If a terraform plan is truncated because of length:

• make it more obvious in the PR comment; and
• if possible, add a link to the GitHub workflow step with the plan output.

At the moment if we do a commit and the policy files are recompiled or the format is fixed we have to do a second commit after the first with the changes from the git commit hook.

This is an awkward workflow as we are constantly doing two commits when one should work.

Would be nice to either stage the changes from the hook automatically or change it to a test forcing the user to run the changes through NPM command line.

The format step in the action is reporting failures, possibly related to a project structure that has no *.tf files in the directories being planned.

PR and Pipeline run with failure.

terragrunt fmt --check

time=2021-07-08T13:42:25Z level=error msg=Hit multiple errors:
Hit multiple errors:
exit status 3
Command failed with exit code 3
time=2021-07-08T13:42:25Z level=error msg=Hit multiple errors:
Hit multiple errors:
exit status 3

If there are only output changes in a plan, this token should be used to remove all Terraform refresh output:

Changes to Outputs

Summary

The code currently reads the the Nunjucks template from ./src/templates/comment.njk but this fails on remote repos using the action (it attempts to read the template from the repo repo).

Todo

• Include comment.njk template from action repo

Similar to terraform init we can use Terraform plan as well for custom orgs. One of the use cases is to pass -lock=false or -lock-timeout etc..

This is not really needed and the compiling to wasm is not deterministic and is causing extra friction with external contributors.

We should just remove this and replace it with something that parses the plan json directly.

Issue

Current VS Code's devcontainer config with SSH mounts causes an issue to pull/push to GH repo, whether connected to GH CLI or not.

Appears to only be affecting 1 user out of the 3 main users - the key known difference in the setup would be OS version since the device was upgraded during the day to macOS Ventura (13.0).

This thread seems to indicate there could be an issue with OpenSSH installed via Brew but further testing would be required to confirm.

Current setup

Device

Model Name: MacBook Pro
Model Identifier: MacBookPro16,1
Processor Name: 6-Core Intel Core i7
Processor Speed: 2.6 GHz
System Version: macOS 13.0 (22A380)
Kernel Version: Darwin 22.1.0

VS Code

Version: 1.72.2 (Universal)
Commit: d045a5eda657f4d7b676dedbfa7aab8207f8a075
Date: 2022-10-12T22:16:30.254Z
Electron: 19.0.17
Chromium: 102.0.5005.167
Node.js: 16.14.2
V8: 10.2.154.15-electron.0
OS: Darwin x64 22.1.0
Sandboxed: No

Error message screenshot

If the terraform --fmt check command fails, make sure the Format comment text only contains *.tf filenames. It's possible for other command failure output to end up in the results.fmt.output.

Related #33

cds-snc/forms-terraform#34 is getting the following error when using the action:

SyntaxError: Unexpected token c in JSON at position 1
    at JSON.parse (<anonymous>)
    at action (/home/runner/work/_actions/cds-snc/terraform-plan/v1.0.4/webpack:/terraform-plan/src/action.js:76:1)
    at /home/runner/work/_actions/cds-snc/terraform-plan/v1.0.4/webpack:/terraform-plan/src/index.js:16:1
    at /home/runner/work/_actions/cds-snc/terraform-plan/v1.0.4/dist/index.js:15326:3
    at Object.<anonymous> (/home/runner/work/_actions/cds-snc/terraform-plan/v1.0.4/dist/index.js:15329:12)
    at Module._compile (internal/modules/cjs/loader.js:959:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:995:10)
    at Module.load (internal/modules/cjs/loader.js:815:32)
    at Function.Module._load (internal/modules/cjs/loader.js:727:14)
    at Function.Module.runMain (internal/modules/cjs/loader.js:1047:10)

Action run with the failure:
https://github.com/cds-snc/forms-staging-terraform/runs/2955722574?check_suite_focus=true

When there is a validation problem with the Terraform commands, the underlying error is not output in the PR comment.

Is it possible to run terraform plan without conftest?

# Setup Terraform, Terragrunt, and Conftest
- name: Setup terraform tools
  uses: cds-snc/terraform-tools-setup@v1
  env:
    #   CONFTEST_VERSION: 0.30.0
    TERRAFORM_VERSION: 1.4.6
    TERRAGRUNT_VERSION: 0.45.10
  #   TF_SUMMARIZE_VERSION: 0.2.3

- name: Terragrunt plan
  uses: cds-snc/terraform-plan@v3
  with:
    directory: ./terraform
    comment-delete: "true"
    github-token: "${{ secrets.GITHUB_TOKEN }}"
    terragrunt: "true"

Resulting in failing pipelines;

Plan changes

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
❌   Conftest: failed

Plan: 5 to add, 0 to change, 0 to destroy

Show summary
Show plan
Show Conftest results

• Fail the action if run on a terraform version that doesn't support sensitive
• push a new build for v1, and for v2 that will add a message to the plan outlining that it's deprecated and stating why.
• push a new v3 build.

This action run has the following error:

 terragrunt init -no-color 

TypeError: Cannot read property 'toString' of null
    at execCommand (/home/runner/work/_actions/cds-snc/terraform-plan/v1/webpack:/terraform-plan/src/command.js:26:1)
Error: Unhandled error: TypeError: Cannot read property 'toString' of null
    at action (/home/runner/work/_actions/cds-snc/terraform-plan/v1/webpack:/terraform-plan/src/action.js:63:1)
    at /home/runner/work/_actions/cds-snc/terraform-plan/v1/webpack:/terraform-plan/src/index.js:16:1
   ...

The cause is on line 26 in command.js where it tries to output the error message:

  } catch (error) {
    exitCode = error.status;
    output = `${error.stdout.toString("utf8")}${error.stderr.toString("utf8")}`;
    console.log(`Command failed: exit code ${exitCode}`);
  }

Checks should be added to make sure error.stdout and error.stderr are not null.

Keep things 🧼 clean.

Make it easier to see that validation failed by commenting directly into the PR instead of forcing them to look at the action page.

✅ Terraform Validate success
❌ Terraform Validate failure

Display the output in a <detail> tag

Summary

Add a version update check to the action that does the following:

1. Checks the current latest version of Terraform/Terragrunt.
2. Checks the versions installed and in use by the GitHub workflow.
3. Adds a comment (non-blocking) to the PR if there is an update available.

The purpose of this will be to remind the team to update their versions of Terraform/Terragrunt.

Related

• cds-snc/forms-terraform#105

Summary

If a user supplies a PAT tied to their account, the action's comments are not deleted because of this filtering:

We should support the delete of non-bot created comments.

Related

• #311

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Pending Approval

These branches will be created by Renovate only once you click their checkbox below.

• chore(deps): update linters (major) (eslint, eslint-plugin-security)

Awaiting Schedule

These updates are awaiting their schedule. Click on a checkbox to get an update now.

• chore(deps): lock file maintenance

Pending Status Checks

These updates await pending status checks. To force their creation now, click the checkbox below.

• chore(deps): update dependency prettier to v3.3.1

Detected dependencies

Summary

Terraform v0.14 released the sensitive input variable feature, which prevents variable values from being output in the plan.

Since this action outputs plan results, we should not allow it to run if the Terraform version is < 0.14 to prevent accidental secret leakage in the PR comment.

⚠️ Note

To avoid breaking existing use of the action, this will result in a new major version of the action.

I think either one or both of these don't work and we should validate and add them in.

It needs to be run with -no-color github will render it as bash and so add back in some colours.

This is causing friction with external contributors.

This will allow folks outside of CDS to use this action.

Related to https://github.com/cds-snc/site-reliability-engineering/issues/402

This product would be a lot nicer to work with if we had a dev container to help standardize the dev environment.

Summary

If a TF plan includes a large number of changes, include a warning in the PR comment. This "large number of changes" should have a default value and also be configurable.

The use-case this is attempting to fix is to alert PR reviewers that something unexpected may be occurring.

https://github.com/carboniferio/carbonifer

Summary

Add a summary of changes to the PR plan comment. This could be done using a tool like dineshba/tf-summarize or by parsing the changes from the plan using OPA.

Related

• #112

• JavaScript should have unit tests.
• Integration tests in test.yml to determine if expected comments are being added to the PRs.

See: https://github.com/cds-snc/cds-aws-lz/runs/5512160020?check_suite_focus=true

In aws_api_gateway_integration you can specify a type (https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_integration#type). TF plan does not validate the uri based on the type, (https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_integration#uri

Required if type is AWS, AWS_PROXY, HTTP or HTTP_PROXY. For HTTP integrations, the URI must be a fully formed, encoded HTTP(S) URL according to the RFC-3986 specification . For AWS integrations, the URI should be of the form arn:aws:apigateway:{region}:{subdomain.service|service}:{path|action}/{service_api}. region, subdomain and service are used to determine the right endpoint. e.g. arn:aws:apigateway:eu-west-1:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-1:012345678901:function:my-func/invocations. For private integrations, the URI parameter is not used for routing requests to your endpoint, but is used for setting the Host header and for certificate validation.

It would be nice if the OPA could do that check :)