dependabot-terraform-action's People

Contributors

jeffwidman, patrickjahns, stephenking

dependabot-terraform-action's Issues

terragrunt.hcl not working

Big thanks for putting this together. I'm a Ruby and Actions noob, so it would have been very difficult to get started without this good work.

As per the tests, I'm not certain it was ever in scope to support our use case. We essentially use terragrunt, tf0.12 (for the time being), which according to https://terragrunt.gruntwork.io/docs/upgrade/upgrading_to_terragrunt_0.19.x/ looks something like:

# terragrunt.hcl
terraform {
  source = "git blah blah"
}

I tried this and didn't get the expected results. So I downloaded your source, built the image, ran the container, and started to chuck in loads of debug statements. I managed to identify it finds the .hcl files fine, but doesn't build the dependencies. I think something strange is going on in this function https://github.com/patrickjahns/dependabot-core/blob/44f458dba8ce86abca95e858c54d39b53761db55/terraform/lib/dependabot/terraform/file_parser.rb#L51

I was able to get the expected results by going with something like

def parse_terragrunt_file(file)
  modules = parsed_file(file).fetch("terraform", {}) || {}

  if modules.key?("source")
    @dependency_set << build_terragrunt_dependency(file, modules)
  end
end

If you were able to review the tests, maybe there is a subtle distinction I've missed or even a test case could be added to explain how it's intended to support terragrunt tf0.12.

Modules Not Parsed likely due to needing some permission to talk to Terraform Cloud

Fetching terraform dependency files for myorg/reponame
Parsing dependencies information
bundler: failed to load command: ./dependabot.rb (./dependabot.rb)
KeyError: key not found: "module_calls"

This issue occurred on the latest run.
I'm wondering how I should provide the terraform cloud authentication token to this job since I believe that is what likely triggered this failure.
I am using Terraform Cloud as the module provider for many of my modules and am assuming that this authentication is likely the failure as it needs to communicate with Terraform Cloud which then uses Github app connection to pull modules. Any ideas?

Running action doesn't bump provider versions in modules

I don't really get why the providers aren't updated in my modules.

This is basically how my action is looking:

name: Update terraform dependencies
on:
  workflow_dispatch:
jobs:
  dependabot-terraform:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/[email protected]
      - uses: patrickjahns/dependabot-terraform-action@v1
        with:
          target_branch: master
          token: ${{ secrets.PAT_TOKEN }}
          directory: |
            /modules/gcp_folder
            /modules/gcp_iam_role
            /modules/gcp_log_sink

The output of the action is this:

  - Checking /modules/gcp_folder ...
  - Parsing dependencies information
  - Checking /modules/gcp_iam_role ...
  - Parsing dependencies information
  - Checking /modules/gcp_log_sink ...
  - Parsing dependencies information
  - Done

There is nothing happening when it's completed and there is no PR created. The output doesn't state anything either, so how can I see if it's failing, or is it possible to get more detailed information when running, like "found version XX"?
I've added different versions in the providers, so it should have triggered on some.

Pull request from action do not trigger other workflows

When dependabot-terraform creates a pull request with the changes, it will not trigger any further actions.

This is currently a limitation of GitHub Actions itself:

When you use the repository's GITHUB_TOKEN to perform tasks on behalf of the GitHub Actions app, events triggered by the GITHUB_TOKEN will not create a new workflow run. This prevents you from accidentally creating recursive workflow runs. For example, if a workflow run pushes code using the repository's GITHUB_TOKEN, a new workflow will not run even when the repository contains a workflow configured to run when push events occur.

https://help.github.com/en/actions/reference/events-that-trigger-workflows#triggering-new-workflows-using-a-personal-access-token

The suggestion from GitHub is to use a personal access token, i.e. from a bot user.
Alternatively, it would be possible to create a GitHub app and fetch an app token via https://github.com/marketplace/actions/get-an-app-token-in-an-actions-workflow

Can I provide multiple directories or do a recursive search for a matching directory?

I'm stoked to use this!
I wanted to ask about being able to specify a root directory and have it look for versions.tf directories. Is this possible?
I don't write Ruby, but in reading the code it seems it expects a single directory right now?

I don't think this should work, right?

- uses: patrickjahns/dependabot-terraform-action@v1
  with:
    directory:
      - 'plans/prod/foo'
      - 'plans/prod/terraform-cloud-workspaces'
      - 'plans/qa/bar'
      - 'plans/qa/terraform-cloud-workspaces'

So if this is the case, maybe I could request if it's easy, 2 things.

  1. Possible to offer match pattern so any folder with versions.tf or maybe even main.tf could be evaluated in a directory collection and then each parsed?
  2. If that's too complex for a quick solution, possibility to support input of string list so I can provide each plan directory to search

The main reason I wanted to leverage this is to simplify bumping the version on a plan repo that will continue to grow and need me to occasionally bump the version of providers. Until dependabot handles this, maybe your github action will provide that better fix!

Thanks again for throwing this together. Much appreciated!

Submodule path syntax support

Thanks for making an HCL 2.0 compatible dependabot available! ❤️

Is submodule syntax known to be supported? I'm using a block such as

module "sg_http_inbound" {
  source              = "terraform-aws-modules/security-group/aws//modules/http-80"
  version             = "3.15.0"
  name                = "web_inbound_http"
  ...
}

This seems to be throwing an error of - Updating terraform-aws-modules/security-group/aws (from 3.1.0)…bundler: failed to load command: ./dependabot.rb (./dependabot.rb) (that 3.1.0 version string is odd as well, which I can't find in my code base).

If this should be working, I'll put some effort into generating a more useful reprex. This is currently in a thicket of private code I'm trying to sort out. Appreciate the time!

Private modules in Terraform Cloud not picked up

My private modules in Terraform Cloud aren't showing up. (Terraform Cloud has a connection to GitHub, which is where these are stored.)

I've set the github_dependency_token to a token which has read access to all repos, and the action is showing as successful (no errors and it picks up public modules just fine). Is there something I'm missing for private ones?

Support for multiple version constraints

Currently this action fails when it encounters versions like this: version = "~> 13, <14", which should be supported based on the terraform docs.

The full error from the run output:

bundler: failed to load command: ./dependabot.rb (./dependabot.rb)
Gem::Requirement::BadRequirementError: Illformed requirement ["~> 13, <14"]
  /usr/local/bundle/bundler/gems/dependabot-core-44f458dba8ce/terraform/lib/dependabot/terraform/requirement.rb:15:in `parse'
  /usr/local/lib/ruby/2.6.0/rubygems/requirement.rb:135:in `block in initialize'
  /usr/local/lib/ruby/2.6.0/rubygems/requirement.rb:135:in `map!'
  /usr/local/lib/ruby/2.6.0/rubygems/requirement.rb:135:in `initialize'
  /usr/local/bundle/bundler/gems/dependabot-core-44f458dba8ce/terraform/lib/dependabot/terraform/requirement.rb:27:in `new'
  /usr/local/bundle/bundler/gems/dependabot-core-44f458dba8ce/terraform/lib/dependabot/terraform/requirement.rb:27:in `requirements_array'
  /usr/local/bundle/bundler/gems/dependabot-core-44f458dba8ce/common/lib/dependabot/update_checkers/base.rb:267:in `block in version_from_requirements'
  /usr/local/bundle/bundler/gems/dependabot-core-44f458dba8ce/common/lib/dependabot/update_checkers/base.rb:267:in `each'
  /usr/local/bundle/bundler/gems/dependabot-core-44f458dba8ce/common/lib/dependabot/update_checkers/base.rb:267:in `flat_map'
  /usr/local/bundle/bundler/gems/dependabot-core-44f458dba8ce/common/lib/dependabot/update_checkers/base.rb:267:in `version_from_requirements'
  /usr/local/bundle/bundler/gems/dependabot-core-44f458dba8ce/common/lib/dependabot/update_checkers/base.rb:255:in `can_compare_requirements?'
  /usr/local/bundle/bundler/gems/dependabot-core-44f458dba8ce/common/lib/dependabot/update_checkers/base.rb:246:in `requirements_up_to_date?'
  /usr/local/bundle/bundler/gems/dependabot-core-44f458dba8ce/common/lib/dependabot/update_checkers/base.rb:29:in `up_to_date?'
  /usr/src/app/dependabot.rb:103:in `block in update'
  /usr/src/app/dependabot.rb:93:in `each'
  /usr/src/app/dependabot.rb:93:in `update'
  /usr/src/app/dependabot.rb:162:in `block in <top (required)>'
  /usr/src/app/dependabot.rb:153:in `each'
  /usr/src/app/dependabot.rb:153:in `<top (required)>'
Complete job
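
The error in the trace above can be reproduced with RubyGems alone: Gem::Requirement rejects a single string holding two comma-separated constraints, but accepts the same constraints as separate strings. This is an added example, not code from dependabot-core or this action; the helper names are hypothetical, and splitting on commas is one possible way to handle the string, not the project's fix.

```ruby
require "rubygems"

# Constructed sample: the constraint string quoted in the issue report.
CONSTRAINT = "~> 13, <14"

# Returns the message Gem::Requirement raises for the string,
# or nil when the string parses cleanly.
def parse_error(requirement_string)
  Gem::Requirement.new(requirement_string)
  nil
rescue Gem::Requirement::BadRequirementError => e
  e.message
end

# Hypothetical helper: break a comma-separated constraint into the
# individual requirement strings that Gem::Requirement understands.
def split_constraints(requirement_string)
  requirement_string.split(",").map(&:strip).reject(&:empty?)
end

# Builds one Gem::Requirement that enforces every part of the constraint.
def build_requirement(requirement_string)
  Gem::Requirement.new(*split_constraints(requirement_string))
end

# True when the version satisfies all parts of the constraint.
def satisfied?(requirement_string, version)
  build_requirement(requirement_string).satisfied_by?(Gem::Version.new(version))
end

if __FILE__ == $PROGRAM_NAME
  puts "unsplit parse error: #{parse_error(CONSTRAINT).inspect}"
  puts "split parts:         #{split_constraints(CONSTRAINT).inspect}"
  %w[12.9.0 13.5.0 14.0.0].each do |version|
    puts "#{version} satisfies #{CONSTRAINT.inspect}? #{satisfied?(CONSTRAINT, version)}"
  end
end
```

The version checks here follow RubyGems semantics for `~>`, which is what the failing code path in the trace uses.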
