Merge pull request #432 from deploymenttheory/ci-hardening

Terraform changes from ci-hardening

.github/workflows/01-terraform-plan-sandbox.yml

@@ -17,21 +17,6 @@ on:
       - 'perf-*'
     paths:
       - '**/*.tf'
-  pull_request:
-    types: [opened, synchronize, reopened]
-    branches:
-      - 'feat-*'
-      - 'fix-*'
-      - 'docs-*'
-      - 'style-*'
-      - 'refactor-*'
-      - 'test-*'
-      - 'chore-*'
-      - 'build-*'
-      - 'ci-*'
-      - 'perf-*'
-    paths:
-      - '**/*.tf'
 
 env:
   TF_CLOUD_ORGANIZATION: "deploymenttheory"
@@ -81,42 +66,53 @@ jobs:
       TF_API_TOKEN: ${{ secrets.TF_API_TOKEN }}
 
   update-pr:
-    if: github.event_name == 'pull_request' # only run this for PRs
     needs: terraform-plan
     runs-on: ubuntu-latest
     steps:
-      - name: Update PR
-        uses: actions/github-script@v6
-        id: plan-comment
+      - name: Create or Update PR
+        uses: actions/github-script@v7
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
-            // 1. Retrieve existing bot comments for the PR
-            const { data: comments } = await github.rest.issues.listComments({
+            const branch = context.ref.replace('refs/heads/', '');
+            const base = 'sandbox';
+            
+            // Check if PR already exists
+            const { data: prs } = await github.rest.pulls.list({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              issue_number: context.issue.number,
-            });
-            const botComment = comments.find(comment => {
-              return comment.user.type === 'Bot' && comment.body.includes('HCP Terraform Plan Output')
+              head: `${context.repo.owner}:${branch}`,
+              base: base,
+              state: 'open'
             });
-            const output = `#### HCP Terraform Plan Output
-                \`\`\`
-                Plan: ${{ needs.terraform-plan.outputs.add }} to add, ${{ needs.terraform-plan.outputs.change }} to change, ${{ needs.terraform-plan.outputs.destroy }} to destroy.
-                \`\`\`
-                [HCP Terraform Plan](${{ needs.terraform-plan.outputs.run_link }})
-                `;
-            // 3. Delete previous comment so PR timeline makes sense
-            if (botComment) {
-              github.rest.issues.deleteComment({
+            
+            let pr;
+            if (prs.length === 0) {
+              // Create new PR
+              const { data: newPr } = await github.rest.pulls.create({
                 owner: context.repo.owner,
                 repo: context.repo.repo,
-                comment_id: botComment.id,
+                title: `Terraform changes from ${branch}`,
+                head: branch,
+                base: base,
+                body: 'This PR contains Terraform changes.'
               });
+              pr = newPr;
+            } else {
+              pr = prs[0];
             }
-            github.rest.issues.createComment({
-              issue_number: context.issue.number,
+            
+            // Add Terraform plan results to PR
+            const planOutput = `#### Terraform Plan Results
+            \`\`\`
+            Plan: ${{ needs.terraform-plan.outputs.add }} to add, ${{ needs.terraform-plan.outputs.change }} to change, ${{ needs.terraform-plan.outputs.destroy }} to destroy.
+            \`\`\`
+            [View full plan details](${{ needs.terraform-plan.outputs.run_link }})
+            `;
+            
+            await github.rest.issues.createComment({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              body: output
+              issue_number: pr.number,
+              body: planOutput
             });

docs/getting-started.md

@@ -99,11 +99,13 @@ To manage your Jamf Pro infrastructure across different environments, you'll nee
    b. Click on "Variable sets" and then "Create variable set".
    c. Name it something like "Jamf Pro Common Variables".
    d. Add the following variables:
-      - `enable_client_sdk_logs`: Set to "false"
-      - `client_sdk_log_export_path`: Set to "" - empty
-      - `jamfpro_jamf_load_balancer_lock`: Set to "true"
-      - `jamfpro_token_refresh_buffer_period_seconds`: Set to "100"
-      - `jamfpro_mandatory_request_delay_milliseconds`: Set to "300"
+
+    - `enable_client_sdk_logs`: Set to "false"
+    - `client_sdk_log_export_path`: Set to "" - empty
+    - `jamfpro_jamf_load_balancer_lock`: Set to "true"
+    - `jamfpro_token_refresh_buffer_period_seconds`: Set to "100"
+    - `jamfpro_mandatory_request_delay_milliseconds`: Set to "300"
+
    f. Apply this variable set to all three Jamf Pro workspaces.
 
 - **Configure Workspace-Specific Variables**:
@@ -112,11 +114,13 @@ To manage your Jamf Pro infrastructure across different environments, you'll nee
    a. Go to the workspace settings in Terraform Cloud.
    b. Navigate to the "Variables" section.
    c. Add the following variables:
-      - `jamfpro_instance_fqdn`: The FQDN of your Jamf Pro instance for this environment.
-      - `jamfpro_client_id`: Your Jamf Pro client ID (for OAuth2)
-      - `jamfpro_client_secret`: Your Jamf Pro client secret (for OAuth2)
-      - `jamfpro_basic_auth_username`: Your Jamf Pro username (for basic auth)
-      - `jamfpro_basic_auth_password`: Your Jamf Pro password (for basic auth)
+
+    - `jamfpro_instance_fqdn`: The FQDN of your Jamf Pro instance for this environment.
+    - `jamfpro_client_id`: Your Jamf Pro client ID (for OAuth2)
+    - `jamfpro_client_secret`: Your Jamf Pro client secret (for OAuth2)
+    - `jamfpro_basic_auth_username`: Your Jamf Pro username (for basic auth)
+    - `jamfpro_basic_auth_password`: Your Jamf Pro password (for basic auth)
+
    d. Mark sensitive variables (like passwords and secrets) as sensitive.
 
 - **Access Controls**:
@@ -149,11 +153,13 @@ c. Give your token a descriptive name, e.g., "Terraform Jamf Pro Config Branch M
 d. Set the expiration as per your security policies.
 e. Under "Repository access", select "Only select repositories" and choose the repository you're setting up.
 f. Under "Permissions", grant the following permissions:
+
 - Repository permissions:
 - Contents: Read and write (This allows branch management)
 - Metadata: Read-only (This is required for API operations)
 - Organization permissions:
 - Members: Read-only (If working within an organization)
+
 g. Click "Generate token" and copy the token immediately.
 h. In your repository, go to Settings > Secrets and variables > Actions.
 i. Click "New repository secret", name it PAT_TOKEN, and paste your token as the value.
@@ -388,19 +394,3 @@ This automated process ensures consistent versioning, provides a clear history o
 14. **Promote to Production**: Repeat the process for promoting to Production by manually triggering the `04-release-and-plan-production.yml` workflow and approving the pull request to merge the release branch into the `production` branch after change review.
 
 15. **Apply to Production**: After the pull request is merged, the `05-terraform-apply-production.yml` workflow will automatically run to apply the changes to the Production environment.
-
-## Example Terraform Resource
-
-Below is an example of defining a building in Jamf Pro using Terraform:
-
-```hcl
-resource "jamfpro_building" "example_building" {
-  name            = "Example Building"
-  street_address1 = "123 Example St"
-  street_address2 = "Suite 100"
-  city            = "Example City"
-  state_province  = "Example State"
-  zip_postal_code = "12345"
-  country         = "Example Country"
-}
-```

workload/terraform/jamfpro/accountgroups.tf

@@ -1,7 +1,7 @@
 
 # // account group - custom example
 # resource "jamfpro_account_group" "jamfpro_account_group_001" {
-#   name          = "tf-ghatest-accountgroup-custom"
+#   name          = "tf-demo-accountgroup-custom"
 #   access_level  = "Full Access" // Full Access / Site Access / Group Access
 #   privilege_set = "Custom"
 

workload/terraform/jamfpro/accounts.tf

@@ -1,6 +1,6 @@
 
 # resource "jamfpro_account" "jamf_pro_account_001" {
-#   name                  = "tf-ghapipeline-account-custom-privileges-full-access"
+#   name                  = "tf-demo-account-custom-privileges-full-access"
 #   directory_user        = false
 #   full_name             = "micky mouse"
 #   password              = "mySecretThing10" // Password must be at least 10 characters long. password not stored in state

workload/terraform/jamfpro/api_roles.tf

@@ -1,7 +1,7 @@
 
 // cicd jamf api roles with no priviledge as they will be applied dynamically 
 resource "jamfpro_api_role" "jamfpro_api_role_001" {
-  display_name = "tf-localtest-all-jamf-pro-privileges-11.7"
+  display_name = "tf-demo-all-jamf-pro-privileges-11.7"
   privileges = ["Allow User to Enroll",
     "Assign Users to Computers",
     "Assign Users to Mobile Devices",

workload/terraform/jamfpro/buildings.tf

@@ -1,20 +1,30 @@
 
-# resource "jamfpro_building" "jamfpro_building_001" {
-#   name            = "tf-dw-ghatest-Apple-Park"
-#   street_address1 = "The McIntosh Tree"
-#   street_address2 = "One Apple Park Way"
-#   city            = "Cupertino"
-#   state_province  = "California"
-#   zip_postal_code = "95014"
-#   country         = "The United States of America"
-# }
+resource "jamfpro_building" "jamfpro_building_001" {
+  name            = "tf-demo-Apple-Park"
+  street_address1 = "The McIntosh Tree"
+  street_address2 = "One Apple Park Way"
+  city            = "Cupertino"
+  state_province  = "California"
+  zip_postal_code = "95014"
+  country         = "The United States of America"
+}
 
-# resource "jamfpro_building" "jamfpro_building_002" {
-#   name            = "tf-dw-ghatest-jamf-headquarters"
-#   street_address1 = "100 Washington Ave S"
-#   street_address2 = "Suite 1100"
-#   city            = "Minneapolis"
-#   state_province  = "Minnesota"
-#   zip_postal_code = "55401"
-#   country         = "The United States of America"
-# }
+resource "jamfpro_building" "jamfpro_building_002" {
+  name            = "tf-demo-jamf-headquarters"
+  street_address1 = "100 Washington Ave S"
+  street_address2 = "Suite 1100"
+  city            = "Minneapolis"
+  state_province  = "Minnesota"
+  zip_postal_code = "55401"
+  country         = "The United States of America"
+}
+
+resource "jamfpro_building" "jamfpro_building_003" {
+  name            = "tf-demo-Apple-Battersea"
+  street_address1 = "Ground Floor, Turbine Hall A, Circus Rd W, Nine Elms"
+  street_address2 = "Suite 1100"
+  city            = "London"
+  state_province  = "London"
+  zip_postal_code = "SW11 8AL"
+  country         = "United Kingdom"
+}

workload/terraform/jamfpro/computer_extension_attributes.tf

@@ -1,7 +1,7 @@
 
 
 resource "jamfpro_computer_extension_attribute" "computer_extension_attribute_001" {
-  name        = "tf-ghatest-cexa-popup-menu-example"
+  name        = "tf-demo-cexa-popup-menu-example"
   enabled     = true
   description = "An attribute collected from a pop-up menu."
 
@@ -13,7 +13,7 @@ resource "jamfpro_computer_extension_attribute" "computer_extension_attribute_00
 }
 
 # resource "jamfpro_computer_extension_attribute" "computer_extension_attribute_002" {
-#   name        = "tf-example-cexa-text-field-example"
+#   name        = "tf-demo-cexa-text-field-example"
 #   enabled     = true
 #   description = "An attribute collected from a text field."
 
@@ -22,7 +22,7 @@ resource "jamfpro_computer_extension_attribute" "computer_extension_attribute_00
 # }
 
 # resource "jamfpro_computer_extension_attribute" "computer_extension_attribute_003" {
-#   name         = "tf-example-cexa-hello-world"
+#   name         = "tf-demo-cexa-hello-world"
 #   enabled      = true
 #   description  = "An attribute collected via a script."
 #   input_type   = "script"
@@ -32,7 +32,7 @@ resource "jamfpro_computer_extension_attribute" "computer_extension_attribute_00
 # }
 
 # resource "jamfpro_computer_extension_attribute" "computer_extension_attribute_004" {
-#   name         = "tf-example-cexa-system_extensions"
+#   name         = "tf-demo-cexa-system_extensions"
 #   enabled      = true
 #   description  = "An attribute collected via a script."
 #   input_type   = "script"

workload/terraform/jamfpro/dockitems.tf

@@ -1,18 +1,18 @@
 
 resource "jamfpro_dock_item" "jamfpro_dock_item_001" {
-  name = "tf-dw-ghatest-dockItem-app-iTunes"
+  name = "tf-demo-dockItem-app-iTunes"
   type = "App"
   path = "file://localhost/Applications/iTunes.app/"
 }
 
 resource "jamfpro_dock_item" "jamfpro_dock_item_002" {
-  name = "tf-dw-ghatest-dockItem-file-hosts"
+  name = "tf-demo-dockItem-file-hosts"
   type = "File" // App / File / Folder
   path = "/etc/hosts"
 }
 
 resource "jamfpro_dock_item" "jamfpro_dock_item_003" {
-  name = "tf-dw-ghatest-dockItem-folder-downloadsFolder"
+  name = "tf-demo-dockItem-folder-downloadsFolder"
   type = "Folder" // App / File / Folder
   path = "~/Downloads"
 }

workload/terraform/jamfpro/macos_configuration_profiles_plist.tf

@@ -1,6 +1,6 @@
 
 # resource "jamfpro_macos_configuration_profile_plist" "jamfpro_macos_configuration_profile_001" {
-#   name                = "tf-ghatest-dt-mcp-accessibility_hearing_base-prod-v0.0.1"
+#   name                = "tf-demo-mcp-accessibility_hearing_base-prod-v0.0.1"
 #   distribution_method = "Install Automatically"
 #   payloads            = file("${path.module}/support_files/configuration_profiles/dt-mcp-accessibility_hearing_base-prod-v0.0.1.mobileconfig")
 #   category_id         = -1
@@ -14,7 +14,7 @@
 # }
 
 # resource "jamfpro_macos_configuration_profile_plist" "jamfpro_macos_configuration_profile_002" {
-#   name                = "tf-ghatest-dt-mcp-accessibility_seeing_base-prod-v0.0.1"
+#   name                = "tf-demo-mcp-accessibility_seeing_base-prod-v0.0.1"
 #   distribution_method = "Install Automatically"
 #   payloads            = file("${path.module}/support_files/configuration_profiles/dt-mcp-accessibility_seeing_base-prod-v0.0.1.mobileconfig")
 #   category_id         = -1
@@ -28,7 +28,7 @@
 # }
 
 # resource "jamfpro_macos_configuration_profile_plist" "jamfpro_macos_configuration_profile_003" {
-#   name                = "tf-ghatest-dt-mcp-background_notifications-prod-v0.0.1"
+#   name                = "tf-demo-mcp-background_notifications-prod-v0.0.1"
 #   distribution_method = "Install Automatically"
 #   payloads            = file("${path.module}/support_files/configuration_profiles/dt-mcp-background_notifications-prod-v0.0.1.mobileconfig")
 #   category_id         = jamfpro_category.jamfpro_category_001.id
@@ -42,7 +42,7 @@
 # }
 
 # resource "jamfpro_macos_configuration_profile_plist" "jamfpro_macos_configuration_profile_004" {
-#   name                = "tf-ghatest-dt-mcp-block_beta_updates-prod-v0.0.1"
+#   name                = "tf-demo-mcp-block_beta_updates-prod-v0.0.1"
 #   distribution_method = "Install Automatically"
 #   payloads            = file("${path.module}/support_files/configuration_profiles/dt-mcp-block_beta_updates-prod-v0.0.1.mobileconfig")
 #   category_id         = jamfpro_category.jamfpro_category_001.id

workload/terraform/jamfpro/packages.tf

@@ -1,6 +1,6 @@
 # // Example of referencing a package directly within the repository
 # resource "jamfpro_package" "jamfpro_package_001" {
-#   package_name          = "tf-ghatest-package-suspiciouspackage"
+#   package_name          = "tf-demo-package-suspiciouspackage"
 #   package_file_source   = "support_files/packages/gha-test-SuspiciousPackage.dmg"
 #   category_id           = "-1" // jamfpro_category.jamfpro_category_001.id
 #   info                  = "tf package deployment for demonstration"
@@ -29,7 +29,7 @@
 
 # // Example of referencing a package from a https source (with redirects)
 # resource "jamfpro_package" "jamfpro_package_02" {
-#   package_name          = "tf-ghatest-package-httpsourceprovider-test"
+#   package_name          = "tf-demo-package-httpsourceprovider-test"
 #   package_file_source   = "https://download.mozilla.org/?product=firefox-latest&os=osx&lang=en-US"
 #   category_id           = "-1"
 #   info                  = "tf package deployment for demonstration"
@@ -54,7 +54,7 @@
 
 # // Example of referencing a package from a https source
 # resource "jamfpro_package" "jamfpro_package_03" {
-#   package_name          = "tf-ghatest-package-httpsourceprovider-companyportal"
+#   package_name          = "tf-demo-package-httpsourceprovider-companyportal"
 #   package_file_source   = "https://go.microsoft.com/fwlink/?linkid=853070"
 #   category_id           = "-1"
 #   info                  = "tf package deployment for demonstration"

workload/terraform/jamfpro/policy_packages.tf

@@ -1,5 +1,5 @@
 # resource "jamfpro_policy" "jamfpro_package_policy_001" {
-#   name                          = "tf-ghatest-policy-packages-suspiciouspackage"
+#   name                          = "tf-demo-policy-packages-suspiciouspackage"
 #   enabled                       = false
 #   trigger_checkin               = false
 #   trigger_enrollment_complete   = false

workload/terraform/jamfpro/policy_scripts.tf

@@ -1,5 +1,5 @@
 # resource "jamfpro_policy" "jamfpro_policy_script_001" {
-#   name                          = "tf-dw-ghatest-policy-script-correct-application-permissions"
+#   name                          = "tf-demo-policy-script-correct-application-permissions"
 #   enabled                       = true
 #   trigger_checkin               = false
 #   trigger_enrollment_complete   = false
@@ -54,7 +54,7 @@
 # }
 
 # resource "jamfpro_policy" "jamfpro_policy_script_002" {
-#   name                          = "tf-dw-ghatest-policy-script-reset_safari"
+#   name                          = "tf-demo-policy-script-reset_safari"
 #   enabled                       = false
 #   trigger_checkin               = false
 #   trigger_enrollment_complete   = false