diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml new file mode 100644 index 0000000..0fe9d37 --- /dev/null +++ b/.github/dependabot.yaml @@ -0,0 +1,18 @@ +version: 2 + +updates: +- package-ecosystem: github-actions + commit-message: + prefix: chore + prefix-development: chore + directory: "/" + labels: + - chore ๐Ÿงน + - workflows ๐Ÿ‘ทโ€โ™€๏ธ + pull-request-branch-name: + separator: / + reviewers: + - unfunco + schedule: + day: sunday + interval: weekly diff --git a/.github/labeler.yaml b/.github/labeler.yaml new file mode 100644 index 0000000..587ec30 --- /dev/null +++ b/.github/labeler.yaml @@ -0,0 +1,3 @@ +"workflows ๐Ÿ‘ทโ€โ™€๏ธ": +- changed-files: + - any-glob-to-any-file: .github/**/*.yaml diff --git a/.github/release-please-config.json b/.github/release-please-config.json new file mode 100644 index 0000000..e36ddb2 --- /dev/null +++ b/.github/release-please-config.json @@ -0,0 +1,34 @@ +{ + "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json", + "bootstrap-sha": "6aed749fc1cdbff25a0052eec5ae9a2d584507e9", + "initial-version": "1.8.0", + "packages": { + ".": { + "changelog-sections": [ + { + "hidden": false, + "section": "New features", + "type": "feat" + }, + { + "hidden": false, + "section": "Bug fixes", + "type": "fix" + }, + { + "hidden": false, + "section": "Miscellaneous", + "type": "chore" + } + ], + "draft": false, + "extra-label": "automata ๐Ÿค–,autorelease: pending,chore ๐Ÿงน", + "include-v-in-tag": true, + "initial-version": "1.8.0", + "prerelease": false, + "pull-request-header": "๐Ÿค– I have created a release", + "pull-request-title-pattern": "chore: Release v${version}", + "release-type": "terraform-module" + } + } +} diff --git a/.github/release-please-manifest.json b/.github/release-please-manifest.json new file mode 100644 index 0000000..5eb41ee --- /dev/null +++ b/.github/release-please-manifest.json @@ -0,0 +1 @@ +{".":"1.8.0"} 
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 33d129d..8dad209 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -7,6 +7,7 @@ on: paths-ignore: - .editorconfig - .gitignore + - CHANGELOG.md - LICENSE.md - README.md push: @@ -15,6 +16,7 @@ on: paths-ignore: - .editorconfig - .gitignore + - CHANGELOG.md - LICENSE.md - README.md @@ -26,7 +28,7 @@ jobs: - name: Checkout code uses: actions/checkout@v4 - name: Setup Terraform - uses: hashicorp/setup-terraform@v2 + uses: hashicorp/setup-terraform@v3 with: terraform_version: ${{ matrix.terraform_version }} - name: Initialise with no backend @@ -48,8 +50,23 @@ jobs: runs-on: ubuntu-latest steps: - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v2 + uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ${{ secrets.AWS_REGION }} role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github - run: aws sts get-caller-identity + + release: + name: Release? + needs: [ caller-identity ] + permissions: + contents: write + pull-requests: write + runs-on: ubuntu-latest + steps: + - name: Prepare a release + uses: google-github-actions/release-please-action@v4 + with: + config-file: .github/release-please-config.json + manifest-file: .github/release-please-manifest.json + token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/cron.yaml b/.github/workflows/cron.yaml index f74391f..e56314e 100644 --- a/.github/workflows/cron.yaml +++ b/.github/workflows/cron.yaml 
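Review bot: The new `release` job has no event guard, so if the first trigger block above the hunk is `pull_request` (only its `paths-ignore` is visible here) release-please will also run for pull requests, where the `GITHUB_TOKEN` of a fork PR is read-only and the `contents: write`/`pull-requests: write` grants cannot take effect; add `if: github.event_name == 'push'` to the job so it only runs after a merge. The `needs: [ caller-identity ]` line also ties releases to a live AWS STS call, so a transient credential failure blocks a release that has nothing to do with AWS — worth confirming that coupling is intended. Separately, the bumped `hashicorp/setup-terraform@v3`, `aws-actions/configure-aws-credentials@v4` and `google-github-actions/release-please-action@v4` references still float on mutable major tags; pinning each to a full commit SHA with a trailing `# vX.Y.Z` comment removes the tag-retarget risk, and the Dependabot config added in this change keeps SHA pins updated.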
@@ -13,14 +13,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v2 + uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ${{ secrets.AWS_REGION }} role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github - run: aws sts get-caller-identity - if: ${{ failure() }} name: Send a notification to Slack - uses: slackapi/slack-github-action@v1.18.0 + uses: slackapi/slack-github-action@v1.26.0 env: SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} diff --git a/.github/workflows/pr_label.yaml b/.github/workflows/pr_label.yaml new file mode 100644 index 0000000..ee125d1 --- /dev/null +++ b/.github/workflows/pr_label.yaml @@ -0,0 +1,42 @@ +name: PR / Label + +on: + pull_request_target: { } + +jobs: + triage: + name: Triage + permissions: + contents: read + pull-requests: write + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Apply context labels + uses: actions/labeler@v5 + with: + configuration-path: .github/labeler.yaml + sync-labels: true + - name: Apply commit message labels + uses: actions/github-script@v7 + with: + script: | + const labels = [] + if (context.payload.pull_request.title.startsWith('fix:')) { + labels.push('bug ๐Ÿ›') + } + if (context.payload.pull_request.title.startsWith('chore:')) { + labels.push('chore ๐Ÿงน') + } + if (context.payload.pull_request.title.startsWith('feat:')) { + labels.push('feature ๐Ÿ’ก') + } + if (labels.length > 0) { + github.rest.issues.addLabels({ + issue_number: context.issue.number, + labels, + owner: context.repo.owner, + repo: context.repo.repo, + }) + } diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index 7fd4484..911e139 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml 
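Review bot: `triage` runs on `pull_request_target` with a `pull-requests: write` token, and the `actions/checkout@v4` step has no `ref`, so it checks out the base branch — that default is the only thing preventing a fork from supplying the `.github/labeler.yaml` that `actions/labeler` reads from the runner, and a later `ref: ${{ github.event.pull_request.head.sha }}` would turn this into a write-token pwn-request. Either remove the checkout (labeler v5 falls back to fetching the configuration via the API when the file is absent on the runner — confirm against the action's docs for the version in use) or keep it with `persist-credentials: false` and a comment: `# Never set ref to the PR head here: pull_request_target runs with a write token`. The `github-script` step compares the title through `context.payload` rather than `${{ }}` interpolation, so it is not exposed to expression injection; keep that pattern if more PR fields are used.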
@@ -40,6 +40,6 @@ jobs: with: sarif_file: tfsec.sarif - name: Upload SARIF artifact - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: tfsec.sarif diff --git a/CHANGELOG.md b/CHANGELOG.md index fc61bfd..7616fea 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,6 +3,25 @@ Notable changes to this project are documented in this changelog. This project adheres to the [semantic versioning] specification. +## [1.8.0](https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.7.1...v1.8.0) (2024-04-22) + + +### New features + +* Begin automating the release process ([#42](https://github.com/unfunco/terraform-aws-oidc-github/issues/42)) ([c9493af](https://github.com/unfunco/terraform-aws-oidc-github/commit/c9493aff293beb6797da347ca282bd3f0d9913c3)) + + +### Miscellaneous + +* Automatically upgrade workflow dependencies ([#48](https://github.com/unfunco/terraform-aws-oidc-github/issues/48)) ([be2be58](https://github.com/unfunco/terraform-aws-oidc-github/commit/be2be58ee1099200738ef947082607056a16ee73)) +* Bump aws-actions/configure-aws-credentials from 2 to 4 ([#50](https://github.com/unfunco/terraform-aws-oidc-github/issues/50)) ([0f5075d](https://github.com/unfunco/terraform-aws-oidc-github/commit/0f5075dd79665395e8cc0f82432c8f0e03f9d34d)) +* bump github/codeql-action from 2 to 3 ([#49](https://github.com/unfunco/terraform-aws-oidc-github/issues/49)) ([6cbdace](https://github.com/unfunco/terraform-aws-oidc-github/commit/6cbdaceb66b5ebc06ae3ba2660c58f78748f6301)) +* Bump slackapi/slack-github-action from 1.18.0 to 1.25.0 ([#51](https://github.com/unfunco/terraform-aws-oidc-github/issues/51)) ([5093c20](https://github.com/unfunco/terraform-aws-oidc-github/commit/5093c2023bf0b148f2c4b769b43f6f3dae3d55ff)) +* Bump slackapi/slack-github-action from 1.25.0 to 1.26.0 ([#53](https://github.com/unfunco/terraform-aws-oidc-github/issues/53)) ([5962e07](https://github.com/unfunco/terraform-aws-oidc-github/commit/5962e07265407e8c70c95dd20a917ff1b12aa712)) +* Remove known thumbprints ([#52](https://github.com/unfunco/terraform-aws-oidc-github/issues/52)) ([c0b2178](https://github.com/unfunco/terraform-aws-oidc-github/commit/c0b2178bc74e49dcc9c2330651f0e866f25b762c)) +* Set the first automated release version 
([#44](https://github.com/unfunco/terraform-aws-oidc-github/issues/44)) ([cc3ded5](https://github.com/unfunco/terraform-aws-oidc-github/commit/cc3ded5d0b5bb0cd615ac8202b3d99bbc50735d2)) +* Set the previous version in the manifest ([#46](https://github.com/unfunco/terraform-aws-oidc-github/issues/46)) ([cb4b7c9](https://github.com/unfunco/terraform-aws-oidc-github/commit/cb4b7c9ab3bd00ab35541e23417e145c62082802)) + ## [1.7.1] โ€“ 2023-10-29 - Condition the OIDC provider ARN output ([b570d79](https://github.com/unfunco/terraform-aws-oidc-github/commit/b570d7995efa9b542d5cdbe9ae30dea29f23cfcc)) diff --git a/README.md b/README.md index 0784c7d..904f8c6 100644 --- a/README.md +++ b/README.md @@ -24,13 +24,9 @@ The following snippet shows the minimum required configuration to create a working OIDC connection between GitHub Actions and AWS. ```terraform -provider "aws" { - region = var.region -} - module "oidc_github" { source = "unfunco/oidc-github/aws" - version = "1.7.1" + version = "1.8.0" github_repositories = [ "org/repo", @@ -54,7 +50,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v2 + uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ${{ env.AWS_REGION }} role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/github 
@@ -89,7 +85,7 @@ applied, the JWT will contain an updated `iss` claim. | Name | Description | Type | Default | Required | | ----------------------------- | --------------------------------------------------------------------------- | -------------- | ---------- | :------: | | additional_audiences | List of additional OIDC audiences allowed to assume the role. | `list(string)` | `null` | no | -| additional_thumbprints | List of additional thumbprints for the OIDC provider. | `list(string)` | `null` | no | +| additional_thumbprints | List of additional thumbprints for the OIDC provider. | `list(string)` | `[]` | no | | attach_admin_policy | Flag to enable/disable the attachment of the AdministratorAccess policy. | `bool` | `false` | no | | attach_read_only_policy | Flag to enable/disable the attachment of the ReadOnly policy. | `bool` | `true` | no | | create_oidc_provider | Flag to enable/disable the creation of the GitHub OIDC provider. | `bool` | `true` | no | diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index a3b98fe..6315d8d 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf @@ -5,13 +5,13 @@ variable "additional_audiences" { } variable "additional_thumbprints" { - default = null + default = [] description = "List of additional thumbprints for the OIDC provider." type = list(string) validation { - condition = var.additional_thumbprints == null ? true : length(var.additional_thumbprints) <= 3 - error_message = "Only 3 additional thumbprints can be set, for a maximum of 5 in the OIDC provider." + condition = length(var.additional_thumbprints) <= 5 + error_message = "A maximum of 5 additional thumbprints can be configured in the OIDC provider." } } diff --git a/main.tf b/main.tf index cc51d25..671d769 100644 --- a/main.tf +++ b/main.tf 
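Review bot: The relaxed bound `length(var.additional_thumbprints) <= 5` lets the example request more thumbprints than IAM will accept: the module prepends the fingerprint it fetches for `token.actions.githubusercontent.com`, and an IAM OIDC provider's thumbprint list is capped at five entries, so five additional plus one fetched fails at apply time unless one of them happens to be a duplicate. The old `<= 3` was sized against the two built-in thumbprints this change removes (the fetched fingerprint normally duplicated one of them), so the ceiling should become `<= 4` with the message `"A maximum of 4 additional thumbprints can be configured; the fetched GitHub root fingerprint takes the fifth slot."`. This assumes the example forwards the variable to the module unchanged, which is outside the hunk.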
@@ -16,10 +16,6 @@ locals { github_organizations = toset([ for repo in var.github_repositories : split("/", repo)[0] ]) - known_thumbprints = [ - "1c58a3a8518e8759bf075b76b750d4f2df264fcd", - "6938fd4d98bab03faadb97b34396831e3780aea1", - ] oidc_provider_arn = var.enabled ? (var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn) : "" partition = data.aws_partition.current.partition } @@ -77,15 +73,10 @@ resource "aws_iam_openid_connect_provider" "github" { tags = var.tags url = "https://token.actions.githubusercontent.com%{if var.enterprise_slug != ""}/${var.enterprise_slug}%{endif}" - thumbprint_list = toset(var.additional_thumbprints != null ? + thumbprint_list = toset( concat( - local.known_thumbprints, [data.tls_certificate.github.certificates[0].sha1_fingerprint], var.additional_thumbprints, - ) : - concat( - local.known_thumbprints, - [data.tls_certificate.github.certificates[0].sha1_fingerprint], ) ) } diff --git a/variables.tf b/variables.tf index 5746f14..47ec94a 100644 --- a/variables.tf +++ b/variables.tf @@ -19,13 +19,13 @@ variable "additional_audiences" { } variable "additional_thumbprints" { - default = null + default = [] description = "List of additional thumbprints for the OIDC provider." type = list(string) validation { - condition = var.additional_thumbprints == null ? true : length(var.additional_thumbprints) <= 3 - error_message = "Only 3 additional thumbprints can be set, for a maximum of 5 in the OIDC provider." + condition = length(var.additional_thumbprints) <= 5 + error_message = "A maximum of 5 additional thumbprints can be configured in the OIDC provider." } }
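Review bot: With `local.known_thumbprints` removed, the only thumbprint the provider trusts by default is `data.tls_certificate.github.certificates[0].sha1_fingerprint` — whichever root certificate (first element, per the tls provider's documented chain ordering) the host running `terraform plan` receives from the issuer at that moment — so the trust anchor is resolved on every plan instead of being pinned in code, and a changed chain surfaces as an in-place update to `thumbprint_list` rather than a reviewed constant. That trade-off removes the risk of the module going stale when GitHub rotates its root, but it deserves a comment on the attribute, e.g. `# Root fingerprint is resolved from the live chain at plan time; use additional_thumbprints to pin a known value.` Also note that `toset(concat(...))` can now hold up to six entries while IAM accepts five per provider, so the `additional_thumbprints` validation should cap at four. The `resource "aws_iam_openid_connect_provider" "github"` block starts above the hunk.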
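Review bot: Changing `default = null` to `default = []` and dropping the null branch in `condition` makes an explicit `additional_thumbprints = null` — the old default, which existing callers may well pass — fail with a `length(null)` error in validation, and the `concat` in `main.tf` would reject it too; adding `nullable = false` to the variable (Terraform ≥ 1.1 — check the module's `required_version`, which is outside this diff) makes an explicit null fall back to `[]` and preserves compatibility. The new ceiling `<= 5` is also one too high: the provider adds the fetched GitHub root fingerprint to this list and IAM limits an OIDC provider to five thumbprints, so the condition should be `length(var.additional_thumbprints) <= 4` with the message `"A maximum of 4 additional thumbprints can be configured; the fetched GitHub root fingerprint takes the fifth slot."`.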