diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 07b38d2..ceb4644 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,7 +1,7 @@
# Use this file to define individuals or teams that are responsible for code in a repository.
# Read more:
#
-# Order is important: the last matching pattern takes the most precedence
+# Order is important: the last matching pattern has the highest precedence
# These owners will be the default owners for everything
* @cloudposse/engineering @cloudposse/contributors
@@ -13,5 +13,12 @@
# Cloud Posse must review any changes to GitHub actions
.github/* @cloudposse/engineering
-# Cloud Posse must review any changes to standard context definition
-**/context.tf @cloudposse/engineering
+# Cloud Posse must review any changes to standard context definition,
+# but some changes can be rubber-stamped.
+**/context.tf @cloudposse/engineering @cloudposse/approvers
+README.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
+docs/*.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
+
+# Cloud Posse Admins must review all changes to CODEOWNERS or the mergify configuration
+.github/mergify.yml @cloudposse/admins
+.github/CODEOWNERS @cloudposse/admins
diff --git a/.github/auto-release.yml b/.github/auto-release.yml
index 2836185..c78a4d8 100644
--- a/.github/auto-release.yml
+++ b/.github/auto-release.yml
@@ -4,30 +4,35 @@ version-template: '$MAJOR.$MINOR.$PATCH'
version-resolver:
major:
labels:
- - 'major'
+ - 'major'
minor:
labels:
- - 'minor'
- - 'enhancement'
+ - 'minor'
+ - 'enhancement'
patch:
labels:
- - 'patch'
- - 'fix'
- - 'bugfix'
- - 'bug'
- - 'hotfix'
+ - 'auto-update'
+ - 'patch'
+ - 'fix'
+ - 'bugfix'
+ - 'bug'
+ - 'hotfix'
default: 'minor'
categories:
- - title: '๐ Enhancements'
- labels:
- - 'enhancement'
- - title: '๐ Bug Fixes'
- labels:
- - 'fix'
- - 'bugfix'
- - 'bug'
- - 'hotfix'
+- title: '๐ Enhancements'
+ labels:
+ - 'enhancement'
+ - 'patch'
+- title: '๐ Bug Fixes'
+ labels:
+ - 'fix'
+ - 'bugfix'
+ - 'bug'
+ - 'hotfix'
+- title: '๐ค Automatic Updates'
+ labels:
+ - 'auto-update'
change-template: |
@@ -38,3 +43,11 @@ change-template: |
template: |
$CHANGES
+
+replacers:
+# Remove irrelevant information from Renovate bot
+- search: '/---\s+^#.*Renovate configuration(?:.|\n)*?This PR has been generated .*/gm'
+ replace: ''
+# Remove Renovate bot banner image
+- search: '/\[!\[[^\]]*Renovate\][^\]]*\](\([^)]*\))?\s*\n+/gm'
+ replace: ''
diff --git a/.github/mergify.yml b/.github/mergify.yml
new file mode 100644
index 0000000..b010656
--- /dev/null
+++ b/.github/mergify.yml
@@ -0,0 +1,58 @@
+# https://docs.mergify.io/conditions.html
+# https://docs.mergify.io/actions.html
+pull_request_rules:
+- name: "approve automated PRs that have passed checks"
+ conditions:
+ - "author~=^(cloudpossebot|renovate\\[bot\\])$"
+ - "base=master"
+ - "-closed"
+ - "head~=^(auto-update|renovate)/.*"
+ - "check-success=test/bats"
+ - "check-success=test/readme"
+ - "check-success=test/terratest"
+ - "check-success=validate-codeowners"
+ actions:
+ review:
+ type: "APPROVE"
+ bot_account: "cloudposse-mergebot"
+ message: "We've automatically approved this PR because the checks from the automated Pull Request have passed."
+
+- name: "merge automated PRs when approved and tests pass"
+ conditions:
+ - "author~=^(cloudpossebot|renovate\\[bot\\])$"
+ - "base=master"
+ - "-closed"
+ - "head~=^(auto-update|renovate)/.*"
+ - "check-success=test/bats"
+ - "check-success=test/readme"
+ - "check-success=test/terratest"
+ - "check-success=validate-codeowners"
+ - "#approved-reviews-by>=1"
+ - "#changes-requested-reviews-by=0"
+ - "#commented-reviews-by=0"
+ actions:
+ merge:
+ method: "squash"
+
+- name: "delete the head branch after merge"
+ conditions:
+ - "merged"
+ actions:
+ delete_head_branch: {}
+
+- name: "ask to resolve conflict"
+ conditions:
+ - "conflict"
+ - "-closed"
+ actions:
+ comment:
+ message: "This pull request is now in conflict. Could you fix it @{{author}}? ๐"
+
+- name: "remove outdated reviews"
+ conditions:
+ - "base=master"
+ actions:
+ dismiss_reviews:
+ changes_requested: true
+ approved: true
+ message: "This Pull Request has been updated, so we're dismissing all reviews."
diff --git a/.github/renovate.json b/.github/renovate.json
new file mode 100644
index 0000000..ae4f0aa
--- /dev/null
+++ b/.github/renovate.json
@@ -0,0 +1,12 @@
+{
+ "extends": [
+ "config:base",
+ ":preserveSemverRanges"
+ ],
+ "labels": ["auto-update"],
+ "enabledManagers": ["terraform"],
+ "terraform": {
+ "ignorePaths": ["**/context.tf", "examples/**"]
+ }
+}
+
diff --git a/.github/workflows/auto-context.yml b/.github/workflows/auto-context.yml
new file mode 100644
index 0000000..df1a857
--- /dev/null
+++ b/.github/workflows/auto-context.yml
@@ -0,0 +1,55 @@
+name: "auto-context"
+on:
+ schedule:
+ # Update context.tf nightly
+ - cron: '0 3 * * *'
+
+jobs:
+ update:
+ if: github.event_name == 'schedule'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Update context.tf
+ shell: bash
+ id: update
+ env:
+ GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ run: |
+ if [[ -f context.tf ]]; then
+ echo "Discovered existing context.tf! Fetching most recent version to see if there is an update."
+ curl -o context.tf -fsSL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf
+ if git diff --no-patch --exit-code context.tf; then
+ echo "No changes detected! Exiting the job..."
+ else
+ echo "context.tf file has changed. Update examples and rebuild README.md."
+ make init
+ make github/init/context.tf
+ make readme/build
+ echo "::set-output name=create_pull_request=true"
+ fi
+ else
+ echo "This module has not yet been updated to support the context.tf pattern! Please update in order to support automatic updates."
+ fi
+
+ - name: Create Pull Request
+ if: steps.update.outputs.create_pull_request == 'true'
+ uses: cloudposse/actions/github/create-pull-request@0.22.0
+ with:
+ token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
+ commit-message: Update context.tf from origin source
+ title: Update context.tf
+ body: |-
+ ## what
+ This is an auto-generated PR that updates the `context.tf` file to the latest version from `cloudposse/terraform-null-label`
+
+ ## why
+ To support all the features of the `context` interface.
+
+ branch: auto-update/context.tf
+ base: master
+ delete-branch: true
+ labels: |
+ auto-update
+ context
diff --git a/.github/workflows/auto-format.yml b/.github/workflows/auto-format.yml
new file mode 100644
index 0000000..990abed
--- /dev/null
+++ b/.github/workflows/auto-format.yml
@@ -0,0 +1,86 @@
+name: Auto Format
+on:
+ pull_request_target:
+ types: [opened, synchronize]
+
+jobs:
+ auto-format:
+ runs-on: ubuntu-latest
+ container: cloudposse/build-harness:slim-latest
+ steps:
+ # Checkout the pull request branch
+ # "An action in a workflow run canโt trigger a new workflow run. For example, if an action pushes code using
+ # the repositoryโs GITHUB_TOKEN, a new workflow will not run even when the repository contains
+ # a workflow configured to run when push events occur."
+ # However, using a personal access token will cause events to be triggered.
+ # We need that to ensure a status gets posted after the auto-format commit.
+ # We also want to trigger tests if the auto-format made no changes.
+ - uses: actions/checkout@v2
+ if: github.event.pull_request.state == 'open'
+ name: Privileged Checkout
+ with:
+ token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ # Check out the PR commit, not the merge commit
+ # Use `ref` instead of `sha` to enable pushing back to `ref`
+ ref: ${{ github.event.pull_request.head.ref }}
+
+ # Do all the formatting stuff
+ - name: Auto Format
+ if: github.event.pull_request.state == 'open'
+ shell: bash
+ run: make BUILD_HARNESS_PATH=/build-harness PACKAGES_PREFER_HOST=true -f /build-harness/templates/Makefile.build-harness pr/auto-format/host
+
+ # Commit changes (if any) to the PR branch
+ - name: Commit changes to the PR branch
+ if: github.event.pull_request.state == 'open'
+ shell: bash
+ id: commit
+ env:
+ SENDER: ${{ github.event.sender.login }}
+ run: |
+ set -x
+ output=$(git diff --name-only)
+
+ if [ -n "$output" ]; then
+ echo "Changes detected. Pushing to the PR branch"
+ git config --global user.name 'cloudpossebot'
+ git config --global user.email '11232728+cloudpossebot@users.noreply.github.com'
+ git add -A
+ git commit -m "Auto Format"
+ # Prevent looping by not pushing changes in response to changes from cloudpossebot
+ [[ $SENDER == "cloudpossebot" ]] || git push
+ # Set status to fail, because the push should trigger another status check,
+ # and we use success to indicate the checks are finished.
+ printf "::set-output name=%s::%s\n" "changed" "true"
+ exit 1
+ else
+ printf "::set-output name=%s::%s\n" "changed" "false"
+ echo "No changes detected"
+ fi
+
+ - name: Auto Test
+ uses: cloudposse/actions/github/repository-dispatch@0.22.0
+ # match users by ID because logins (user names) are inconsistent,
+ # for example in the REST API Renovate Bot is `renovate[bot]` but
+ # in GraphQL it is just `renovate`, plus there is a non-bot
+ # user `renovate` with ID 1832810.
+ # Mergify bot: 37929162
+ # Renovate bot: 29139614
+ # Cloudpossebot: 11232728
+ # Need to use space separators to prevent "21" from matching "112144"
+ if: >
+ contains(' 37929162 29139614 11232728 ', format(' {0} ', github.event.pull_request.user.id))
+ && steps.commit.outputs.changed == 'false' && github.event.pull_request.state == 'open'
+ with:
+ token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
+ repository: cloudposse/actions
+ event-type: test-command
+ client-payload: |-
+ { "slash_command":{"args": {"unnamed": {"all": "all", "arg1": "all"}}},
+ "pull_request": ${{ toJSON(github.event.pull_request) }},
+ "github":{"payload":{"repository": ${{ toJSON(github.event.repository) }},
+ "comment": {"id": ""}
+ }
+ }
+ }
diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
index e21fbfe..3f48017 100644
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -3,17 +3,17 @@ name: auto-release
on:
push:
branches:
- - master
+ - master
jobs:
- semver:
+ publish:
runs-on: ubuntu-latest
steps:
- # Drafts your next Release notes as Pull Requests are merged into "master"
- - uses: release-drafter/release-drafter@v5
- with:
- publish: true
- prerelease: false
- config-name: auto-release.yml
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # Drafts your next Release notes as Pull Requests are merged into "master"
+ - uses: release-drafter/release-drafter@v5
+ with:
+ publish: true
+ prerelease: false
+ config-name: auto-release.yml
+ env:
+ GITHUB_TOKEN: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
diff --git a/.github/workflows/chatops.yml b/.github/workflows/chatops.yml
index 0d94310..4ddc067 100644
--- a/.github/workflows/chatops.yml
+++ b/.github/workflows/chatops.yml
@@ -9,7 +9,7 @@ jobs:
steps:
- uses: actions/checkout@v2
- name: "Handle common commands"
- uses: cloudposse/actions/github/slash-command-dispatch@0.16.0
+ uses: cloudposse/actions/github/slash-command-dispatch@0.22.0
with:
token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
reaction-token: ${{ secrets.GITHUB_TOKEN }}
@@ -24,7 +24,7 @@ jobs:
- name: "Checkout commit"
uses: actions/checkout@v2
- name: "Run tests"
- uses: cloudposse/actions/github/slash-command-dispatch@0.16.0
+ uses: cloudposse/actions/github/slash-command-dispatch@0.22.0
with:
token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
reaction-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/validate-codeowners.yml b/.github/workflows/validate-codeowners.yml
new file mode 100644
index 0000000..386eb28
--- /dev/null
+++ b/.github/workflows/validate-codeowners.yml
@@ -0,0 +1,25 @@
+name: Validate Codeowners
+on:
+ pull_request:
+
+jobs:
+ validate-codeowners:
+ runs-on: ubuntu-latest
+ steps:
+ - name: "Checkout source code at current commit"
+ uses: actions/checkout@v2
+ - uses: mszostok/codeowners-validator@v0.5.0
+ if: github.event.pull_request.head.repo.full_name == github.repository
+ name: "Full check of CODEOWNERS"
+ with:
+ # For now, remove "files" check to allow CODEOWNERS to specify non-existent
+ # files so we can use the same CODEOWNERS file for Terraform and non-Terraform repos
+ # checks: "files,syntax,owners,duppatterns"
+ checks: "syntax,owners,duppatterns"
+ # GitHub access token is required only if the `owners` check is enabled
+ github_access_token: "${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}"
+ - uses: mszostok/codeowners-validator@v0.5.0
+ if: github.event.pull_request.head.repo.full_name != github.repository
+ name: "Syntax check of CODEOWNERS"
+ with:
+ checks: "syntax,duppatterns"
diff --git a/README.md b/README.md
index 0141906..6fff18d 100644
--- a/README.md
+++ b/README.md
@@ -69,13 +69,22 @@ We literally have [*hundreds of terraform modules*][terraform_modules] that are
## Usage
-**IMPORTANT:** The `master` branch is used in `source` just as an example. In your code, do not pin to `master` because there may be breaking changes between releases.
-Instead pin to the release tag (e.g. `?ref=tags/x.y.z`) of one of our [latest releases](https://github.com/cloudposse/terraform-aws-kms-key/releases).
+**IMPORTANT:** We do not pin modules to versions in our examples because of the
+difficulty of keeping the versions in the documentation in sync with the latest released versions.
+We highly recommend that in your code you pin the version to the exact version you are
+using so that your infrastructure remains stable, and update versions in a
+systematic way so that they do not catch you by surprise.
+
+Also, because of a bug in the Terraform registry ([hashicorp/terraform#21417](https://github.com/hashicorp/terraform/issues/21417)),
+the registry shows many of our inputs as required when in fact they are optional.
+The table below correctly indicates which inputs are required.
```hcl
module "kms_key" {
- source = "git::https://github.com/cloudposse/terraform-aws-kms-key.git?ref=master"
+ source = "cloudposse/kms-key/aws"
+ # Cloud Posse recommends pinning every module to a specific version
+ # version = "x.x.x"
namespace = "eg"
stage = "test"
name = "chamber"
@@ -108,7 +117,7 @@ Available targets:
| Name | Version |
|------|---------|
-| terraform | >= 0.13 |
+| terraform | >= 0.12.26 |
| aws | >= 3.0 |
| local | >= 1.3 |
| null | >= 2.0 |
diff --git a/README.yaml b/README.yaml
index 7dc5428..7715eac 100644
--- a/README.yaml
+++ b/README.yaml
@@ -42,7 +42,9 @@ description: |-
usage: |-
```hcl
module "kms_key" {
- source = "git::https://github.com/cloudposse/terraform-aws-kms-key.git?ref=master"
+ source = "cloudposse/kms-key/aws"
+ # Cloud Posse recommends pinning every module to a specific version
+ # version = "x.x.x"
namespace = "eg"
stage = "test"
name = "chamber"
diff --git a/context.tf b/context.tf
index 1b135ad..f5f2797 100644
--- a/context.tf
+++ b/context.tf
@@ -20,7 +20,7 @@
module "this" {
source = "cloudposse/label/null"
- version = "0.22.0"
+ version = "0.22.1" // requires Terraform >= 0.12.26
enabled = var.enabled
namespace = var.namespace
diff --git a/docs/terraform.md b/docs/terraform.md
index 1d6957c..679d1c5 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -3,7 +3,7 @@
| Name | Version |
|------|---------|
-| terraform | >= 0.13 |
+| terraform | >= 0.12.26 |
| aws | >= 3.0 |
| local | >= 1.3 |
| null | >= 2.0 |
diff --git a/examples/complete/context.tf b/examples/complete/context.tf
index 1b135ad..f5f2797 100644
--- a/examples/complete/context.tf
+++ b/examples/complete/context.tf
@@ -20,7 +20,7 @@
module "this" {
source = "cloudposse/label/null"
- version = "0.22.0"
+ version = "0.22.1" // requires Terraform >= 0.12.26
enabled = var.enabled
namespace = var.namespace
diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf
index 34bd9eb..6333751 100644
--- a/examples/complete/versions.tf
+++ b/examples/complete/versions.tf
@@ -1,5 +1,5 @@
terraform {
- required_version = ">= 0.13"
+ required_version = ">= 0.12.26"
required_providers {
aws = {
diff --git a/versions.tf b/versions.tf
index babd110..6333751 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,5 +1,5 @@
terraform {
- required_version = ">= 0.13"
+ required_version = ">= 0.12.26"
required_providers {
aws = {
@@ -15,4 +15,4 @@ terraform {
version = ">= 2.0"
}
}
-}
\ No newline at end of file
+}