patrickjahns / dependabot-terraform-action
🔧 Github action for running dependabot on terraform repositories with HCL 2.0
License: MIT License
big thanks for putting this together, I'm a ruby and actions noob so would have been v difficult to get started without this good work.
As per the tests, I'm not certain it was ever in scope to support our use case. We essentially use terragrunt and tf0.12 (for the time being), which according to https://terragrunt.gruntwork.io/docs/upgrade/upgrading_to_terragrunt_0.19.x/ looks something like

    # terragrunt.hcl
    terraform {
      source = "git blah blah"
    }
I tried this and didn't get the expected results. So I downloaded your source, built the image, ran the container, and started to chuck in loads of debug statements. I managed to identify it finds the .hcl files fine, but doesn't build the dependencies. I think something strange is going on in this function https://github.com/patrickjahns/dependabot-core/blob/44f458dba8ce86abca95e858c54d39b53761db55/terraform/lib/dependabot/terraform/file_parser.rb#L51
I was able to get the expected results by going with something like

    def parse_terragrunt_file(file)
      # A terragrunt.hcl carries a single `terraform { source = ... }` block
      # rather than `module_calls`, so default to an empty hash when it is absent
      modules = parsed_file(file).fetch("terraform", {}) || {}
      if modules.key?("source")
        @dependency_set << build_terragrunt_dependency(file, modules)
      end
    end
If you were able to review the tests, maybe there is a subtle distinction I've missed or even a test case could be added to explain how it's intended to support terragrunt tf0.12.
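As an added illustration (this is example code, not code from the action or from dependabot-core), the snippet below contrasts the two parsed-file shapes this report is about: a plain Terraform file whose module blocks land under `module_calls`, and a terragrunt.hcl whose dependency is the `source` attribute of a single `terraform` block. The input hashes are constructed to mimic what a parsed HCL file might look like; the `Dependency` struct and function names are mine. The guarded `fetch` with a default is also what avoids the `KeyError: key not found: "module_calls"` failure reported further down this thread when a file carries neither shape.

```ruby
# Added example, not the action's or dependabot-core's own code.
# Input hashes are constructed to resemble a parsed HCL file.

# Plain Terraform: module blocks are parsed into "module_calls".
PARSED_MAIN_TF = {
  "module_calls" => {
    "vpc" => { "source" => "terraform-aws-modules/vpc/aws", "version" => "2.0.0" }
  }
}.freeze

# Terragrunt: one terraform block whose source carries the git ref as the pin.
PARSED_TERRAGRUNT_HCL = {
  "terraform" => {
    "source" => "git::https://github.com/example-org/modules.git//vpc?ref=v1.2.0"
  }
}.freeze

# A file with neither shape, e.g. a variables.tf; must yield no dependencies,
# not a KeyError.
PARSED_VARIABLES_TF = { "variable" => { "region" => { "type" => "string" } } }.freeze

Dependency = Struct.new(:name, :source, :version, :kind)

# fetch with a default (and `|| {}` for an explicit nil) means a missing key
# produces an empty list instead of raising.
def module_dependencies(parsed)
  calls = parsed.fetch("module_calls", {}) || {}
  calls.map do |name, attrs|
    Dependency.new(name, attrs["source"], attrs["version"], :module)
  end
end

def terragrunt_dependencies(parsed)
  tf = parsed.fetch("terraform", {}) || {}
  return [] unless tf.key?("source")

  source = tf["source"]
  # The version pin of a git source, if present, lives in the ?ref= query.
  ref = source[/[?&]ref=([^&]+)/, 1]
  # Name the dependency by the address without the git:: prefix or query string.
  name = source.sub(/\Agit::/, "").sub(/\?.*\z/, "")
  [Dependency.new(name, source, ref, :terragrunt)]
end

# One entry point for both file shapes.
def dependencies_for(parsed)
  module_dependencies(parsed) + terragrunt_dependencies(parsed)
end

if $PROGRAM_NAME == __FILE__
  [PARSED_MAIN_TF, PARSED_TERRAGRUNT_HCL, PARSED_VARIABLES_TF].each do |parsed|
    p dependencies_for(parsed)
  end
end
```

Running the file prints one array per sample: a single `:module` dependency for the Terraform file, a single `:terragrunt` dependency pinned at `v1.2.0` for the terragrunt file, and an empty array for the variables file.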
Fetching terraform dependency files for myorg/reponame
Parsing dependencies information
bundler: failed to load command: ./dependabot.rb (./dependabot.rb)
KeyError: key not found: "module_calls"
This issue occurred on the latest run.
I'm wondering how I should provide the terraform cloud authentication token to this job since I believe that is what likely triggered this failure.
I am using Terraform Cloud as the module provider for many of my modules and am assuming that this authentication is likely the failure as it needs to communicate with Terraform Cloud which then uses Github app connection to pull modules. Any ideas?
I don't really get why the providers aren't updated in my modules.
This is basically how my action is looking:

    name: Update terraform dependencies
    on:
      workflow_dispatch:
    jobs:
      dependabot-terraform:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/[email protected]
          - uses: patrickjahns/dependabot-terraform-action@v1
            with:
              target_branch: master
              token: ${{ secrets.PAT_TOKEN }}
              directory: |
                /modules/gcp_folder
                /modules/gcp_iam_role
                /modules/gcp_log_sink
The output of the action is this:
- Checking /modules/gcp_folder ...
- Parsing dependencies information
- Checking /modules/gcp_iam_role ...
- Parsing dependencies information
- Checking /modules/gcp_log_sink ...
- Parsing dependencies information
- Done
There is nothing happening when it's completed and there is no PR created. The output doesn't state anything either, so how can I see if it's failing, or is it possible to get more detailed information when running, like "found version XX"?
I've added different versions in the providers so it should have triggered on some.
When dependabot-terraform creates a pull request with the changes, it will not trigger any further actions.
This is currently a limitation of github actions itself:

    When you use the repository's GITHUB_TOKEN to perform tasks on behalf of the GitHub Actions app, events triggered by the GITHUB_TOKEN will not create a new workflow run. This prevents you from accidentally creating recursive workflow runs. For example, if a workflow run pushes code using the repository's GITHUB_TOKEN, a new workflow will not run even when the repository contains a workflow configured to run when push events occur.

The suggestion from github is to use a personal access token, i.e. from a bot user.
Alternatively it would be possible to create a github app and fetch an app token via https://github.com/marketplace/actions/get-an-app-token-in-an-actions-workflow
Now that dependabot/dependabot-core#1176 is resolved, does it make sense to deprecate this action / archive this repo?
I don't know, perhaps it adds some functionality beyond what Dependabot provides that I'm unaware of, or perhaps some folks simply prefer a GitHub action...
Just thought I'd raise the question.
I'm stoked to use this!
I wanted to ask about being able to specify a root directory and have it look for versions.tf directories. Is this possible?
I don't write Ruby, but in reading the code it seems it expects a single directory right now?
I don't think this should work, right?

    - uses: patrickjahns/dependabot-terraform-action@v1
      with:
        directory:
          - 'plans/prod/foo'
          - 'plans/prod/terraform-cloud-workspaces'
          - 'plans/qa/bar'
          - 'plans/qa/terraform-cloud-workspaces'

So if this is the case, maybe I could request, if it's easy, 2 things: could versions.tf, or maybe even main.tf, be evaluated in a directory collection and then each parsed? The main reason I wanted to leverage this is to simplify bumping the version on a plan repo that will continue to grow and need me to occasionally bump the version of providers. Until dependabot handles this, maybe your github action will provide that better fix!
Thanks again for throwing this together. Much appreciated!
Thanks for making an HCL 2.0 compatible dependabot available! ❤️
Is submodule syntax known to be supported? I'm using a block such as

    module "sg_http_inbound" {
      source  = "terraform-aws-modules/security-group/aws//modules/http-80"
      version = "3.15.0"
      name    = "web_inbound_http"
      ...
    }

This seems to be throwing an error of:

    - Updating terraform-aws-modules/security-group/aws (from 3.1.0)…bundler: failed to load command: ./dependabot.rb (./dependabot.rb)

(that 3.1.0 version string is odd as well, which I can't find in my code base).
If this should be working, I'll put some effort into generating a more useful reprex. This is currently in a thicket of private code I'm trying to sort out. Appreciate the time!
My private modules in Terraform cloud aren't showing up (Terraform Cloud has a connection to GitHub, which is where these are stored).
I've set the github_dependency_token to a token which has read access to all repos, and the action is showing as successful (no errors and it picks up public modules just fine). Is there something I'm missing for private ones?
Currently this action fails when it encounters versions like this:

    version = "~> 13, <14"

which should be supported based on the terraform docs.
The full error from the run output:

    bundler: failed to load command: ./dependabot.rb (./dependabot.rb)
    Gem::Requirement::BadRequirementError: Illformed requirement ["~> 13, <14"]
    /usr/local/bundle/bundler/gems/dependabot-core-44f458dba8ce/terraform/lib/dependabot/terraform/requirement.rb:15:in `parse'
    /usr/local/lib/ruby/2.6.0/rubygems/requirement.rb:135:in `block in initialize'
    /usr/local/lib/ruby/2.6.0/rubygems/requirement.rb:135:in `map!'
    /usr/local/lib/ruby/2.6.0/rubygems/requirement.rb:135:in `initialize'
    /usr/local/bundle/bundler/gems/dependabot-core-44f458dba8ce/terraform/lib/dependabot/terraform/requirement.rb:27:in `new'
    /usr/local/bundle/bundler/gems/dependabot-core-44f458dba8ce/terraform/lib/dependabot/terraform/requirement.rb:27:in `requirements_array'
    /usr/local/bundle/bundler/gems/dependabot-core-44f458dba8ce/common/lib/dependabot/update_checkers/base.rb:267:in `block in version_from_requirements'
    /usr/local/bundle/bundler/gems/dependabot-core-44f458dba8ce/common/lib/dependabot/update_checkers/base.rb:267:in `each'
    /usr/local/bundle/bundler/gems/dependabot-core-44f458dba8ce/common/lib/dependabot/update_checkers/base.rb:267:in `flat_map'
    /usr/local/bundle/bundler/gems/dependabot-core-44f458dba8ce/common/lib/dependabot/update_checkers/base.rb:267:in `version_from_requirements'
    /usr/local/bundle/bundler/gems/dependabot-core-44f458dba8ce/common/lib/dependabot/update_checkers/base.rb:255:in `can_compare_requirements?'
    /usr/local/bundle/bundler/gems/dependabot-core-44f458dba8ce/common/lib/dependabot/update_checkers/base.rb:246:in `requirements_up_to_date?'
    /usr/local/bundle/bundler/gems/dependabot-core-44f458dba8ce/common/lib/dependabot/update_checkers/base.rb:29:in `up_to_date?'
    /usr/src/app/dependabot.rb:103:in `block in update'
    /usr/src/app/dependabot.rb:93:in `each'
    /usr/src/app/dependabot.rb:93:in `update'
    /usr/src/app/dependabot.rb:162:in `block in <top (required)>'
    /usr/src/app/dependabot.rb:153:in `each'
    /usr/src/app/dependabot.rb:153:in `<top (required)>'
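To show what the trace above is complaining about, here is an added example (not the action's or dependabot-core's own code, and not how dependabot-core's `Requirement` class is written) using only Ruby's built-in `Gem::Requirement`. A Terraform constraint such as `"~> 13, <14"` is a comma-separated list of operator/version pairs; handed to `Gem::Requirement.new` as one string it matches none of the accepted patterns and raises `BadRequirementError` with the "Illformed requirement" message. Splitting on commas first and passing each part separately yields a combined requirement that evaluates the way the Terraform docs describe. The constraint strings and versions below are constructed.

```ruby
# Added example, not the action's or dependabot-core's own code.
# Shows the failure mode from the report and a split-first parse that works.
require "rubygems"

# Reproduces the reported failure: one comma-separated string is rejected
# by Gem::Requirement because it is not a single operator/version pair.
def requirement_as_single_string(constraint)
  Gem::Requirement.new(constraint)
  :parsed
rescue Gem::Requirement::BadRequirementError
  :illformed
end

# Terraform-style constraint: split on commas, trim whitespace, drop empties,
# and build one requirement from all parts so every clause must hold.
def terraform_requirement(constraint)
  parts = constraint.split(",").map(&:strip).reject(&:empty?)
  Gem::Requirement.new(parts)
end

# True when the given version satisfies every clause of the constraint.
def satisfied?(constraint, version)
  terraform_requirement(constraint).satisfied_by?(Gem::Version.new(version))
end

if $PROGRAM_NAME == __FILE__
  puts requirement_as_single_string("~> 13, <14")   # :illformed
  puts terraform_requirement("~> 13, <14").inspect
  puts satisfied?("~> 13, <14", "13.7.2")            # true
  puts satisfied?("~> 13, <14", "14.0.0")            # false
end
```

Note that `~>` has the same meaning in both places for these inputs (`~> 13` is `>= 13, < 14`), which is why the combined requirement reports `13.7.2` as in range and `14.0.0` as out of range; the split is the only thing the single-string call was missing.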