diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 0000000..5eddfae
--- /dev/null
+++ b/.travis.yml
@@ -0,0 +1,86 @@
+language: ruby
+
+sudo: false
+
+dist: trusty
+
+rvm:
+ - 2.4.2
+
+services:
+ - docker
+
+before_install:
+ - echo "before_install"
+
+install:
+ - echo "install"
+ - gem install bundler --no-rdoc --no-ri
+ - bundle install
+
+before_script:
+ - echo 'before_script'
+ # Get a random variable from the awscli and use it through the remainder of the test cycle.
+ - export AWS_REGION=$(docker run --env AWS_DEFAULT_REGION=us-east-2 --env AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} --env AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} garland/aws-cli-docker aws ec2 describe-regions --query 'Regions[].{Name:RegionName}' --output text | shuf | head -n1)
+ - echo "using AWS_REGION=${AWS_REGION}"
+ - export TF_VAR_region=${AWS_REGION}
+ - wget https://releases.hashicorp.com/terraform/0.10.7/terraform_0.10.7_linux_amd64.zip
+ - unzip terraform_0.10.7_linux_amd64
+ - chmod +x terraform
+ - mkdir -p ${HOME}/bin
+ - export PATH=${PATH}:${HOME}/bin
+ - mv terraform ${HOME}/bin/
+ - rm -f terraform_*
+ - terraform -v
+
+script:
+ - echo 'before_script'
+ # no terraform through docker until kitchen-terraform supports it
+ # - docker run -i -t -v $(pwd):/app/ -w /app/ hashicorp/terraform:light init
+ # - docker run -i -t -v $(pwd):/app/ -w /app/ hashicorp/terraform:light fmt -check=true
+ # - docker run -i -t -v $(pwd):/app/ -w /app/ hashicorp/terraform:light validate
+ - terraform init
+ - terraform fmt -check=true
+ - terraform validate -var "region=${AWS_REGION}" -var "certificate_arn=arn:aws:iam::123456789012:server-certificate/test_cert-123456789012" -var "health_check_path=/" -var "subnets=[]" -var "vpc_id=vpc-abcde012" -var "alb_name=my-alb" -var "alb_security_groups=[]"
+ - docker run --rm -v $(pwd):/app/ --workdir=/app/ -t wata727/tflint --error-with-issues
+ - cd examples/test_fixtures
+ # this line is to change the source of the root module to 2 dirs back which works when validating in CI but when running through test kitchen, we need to source from 3 dirs up, oddly
+ - sed -i.bak 's/\.\.\/\.\.\/\.\./\.\.\/\.\./g' main.tf
+ # - docker run -i -t -v $(pwd):/app/ -w /app/ hashicorp/terraform:light init
+ # - docker run -i -t -v $(pwd):/app/ -w /app/ hashicorp/terraform:light fmt -check=true
+ # - docker run -i -t -v $(pwd):/app/ -w /app/ hashicorp/terraform:light validate
+ - terraform init
+ - terraform fmt -check=true
+ - terraform validate
+ # FIXME: tflint is unhappy with sourcing a module from a relative dir here.
+ # - docker run --rm -v $(pwd):/data --workdir=/data -t wata727/tflint --error-with-issues
+ - mv main.tf.bak main.tf
+ - cd -
+ - pwd
+ - ls -lah
+ - terraform -v
+ - kitchen test --destroy always
+
+# after_success:
+# - echo 'after_success'
+
+# after_failure:
+# - echo 'after_failure'
+
+before_deploy:
+# check if this is new release and conditionally continue?
+ - echo 'before_deploy phase'
+
+deploy:
+# likely want to publish to the registry
+ provider: script
+ script: ci/deploy.sh
+ on:
+ branch: dev
+
+# after_deploy:
+# notify of success/failure provide links
+# - echo 'after_deploy'
+
+# after_script:
+# - echo 'after_script'
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 46816ab..425f044 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
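Review bot: The `export AWS_REGION=$(docker run … garland/aws-cli-docker … | shuf | head -n1)` line in `before_script` passes the repository's `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` into an unpinned third-party image, and because the pipeline's exit status is that of `head`, a failed or unauthenticated `describe-regions` call leaves `AWS_REGION` empty while the build carries on with an empty `TF_VAR_region`. Pin the image by digest (or install `awscli` on the Travis host instead) and fail fast with `- test -n "${AWS_REGION}" || { echo "no region selected"; exit 1; }` right after the export. The `wget` of `terraform_0.10.7_linux_amd64.zip` is likewise unverified; HashiCorp publishes a `SHA256SUMS` file per release, so add `echo "<sha256 from the release SHA256SUMS file>  terraform_0.10.7_linux_amd64.zip" | sha256sum -c -` before the `unzip`. Minor: the first entry under `script:` echoes 'before_script', apparently copied from the phase above.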
@@ -4,13 +4,25 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
+## [1.0.3] - 2017-10-19
+## Added
+* TravisCI configuration added and now passing.
+* badge added to docs.
+* permissions section now in the example readme.
+* placeholder shell script added for CI deployment. Eventually this should conditionally release to the registry when those APIs become available.
+
+## Changed
+* altered tf variable `aws_region` to `region`.
+* replaced hardcoding the region to instead use a random region as retrieved by an awscli docker container within CI.
+* example cert is now a regionally-specific resource enabling tests to run in various regions at once and not collide.
+* ruby version bump means `Rhcl` becomes `rhcl`.
+
 ## [1.0.2] - 2017-10-12
 ### Added
 * moved data sources to dedicated `data.tf` file.
 * `aws_caller_identity` now used to gather account_id rather than using a variable.
 * tests added for `target_group` and expanded for `alb`.
 * input variables added for health checks, bucket policy, force_destroy_log_bucket - increasing flexibility.
-* circle CI config and badge
 ### Changed
 * altered structure of module to conform to the new [Terraform registry standards](https://www.terraform.io/docs/registry/modules/publish.html#requirements)
@@ -19,9 +31,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 * pinned examples to provider and terraform versions to harden versioning.
 * self signed cert added to the test fixtures, eliminating the need for manual upload and terraform.tfvars configuration.
 * modules referenced in the test fixture are now sourced from the terraform registry.
-* moved bucket_policy.json and template rending to locals + optional variable input.
+* removed bucket_policy.json in favor of creating the policy via the `aws_iam_policy_document` resource or optionally a variable.
 * stringed list variables moved to native lists
-*
 ## [1.0.1] - 2017-09-14
 ### Added
diff --git a/README.md b/README.md
index 5d4ebf5..e75251e 100644
--- a/README.md
+++ b/README.md
@@ -2,6 +2,10 @@ A Terraform module containing common configurations for an AWS Application Load Balancer (ALB) running over HTTP/HTTPS. Available through the [terraform registry](https://registry.terraform.io/modules/terraform-aws-modules/alb/aws).
+| Branch | Build status |
+| --- | --- |
+| master | [![build Status](https://travis-ci.org/terraform-aws-modules/terraform-aws-alb.svg?branch=master)](https://travis-ci.org/terraform-aws-modules/terraform-aws-skeleton) |
+
 ## Assumptions
 * You want to create a set of resources for the ALB: namely an associated target group and listener.
 * You've created a Virtual Private Cloud (VPC) + subnets where you intend to put
@@ -20,7 +24,7 @@ It's recommended you use this module with [terraform-aws-vpc](https://registry.t
 ## Why ALB instead of ELB?
 The use-case presented here appears almost identical to how one would use an ELB
-BUT we inherit a few bonuses by moving to ALB. Those are best outlined in [AWS's
+but we inherit a few bonuses by moving to ALB. Those are best outlined in [AWS's
 documentation](https://aws.amazon.com/elasticloadbalancing/applicationloadbalancer/).
 For an example of using ALB with ECS look no further than the [hashicorp example](https://github.com/terraform-providers/terraform-provider-aws/blob/master/examples/ecs-alb).
@@ -32,12 +36,15 @@ A full example leveraging other community modules is contained in the [examples/
 ```
 module "alb" {
 source = "terraform-aws-modules/alb/aws"
+ alb_name = "my-alb"
+ region = "us-east-2"
+ alb_security_groups = ["sg-edcd9784", "sg-edcd9785"]
 vpc_id = "vpc-abcde012"
 subnets = ["subnet-abcde012", "subnet-bcde012a"]
- alb_security_groups = ["sg-edcd9784", "sg-edcd9785"]
 certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012"
 log_bucket = "logs-us-east-2-123456789012"
 log_prefix = "my-alb-logs"
+ health_check_path = "/"
 tags {
 "Terraform" = "true"
@@ -55,7 +62,7 @@ This module has been packaged with [awspec](https://github.com/k1LoW/awspec) tes
 ```
 gem install bundler; bundle install
 ```
-3. Configure variables in `test/fixtures/terraform.tfvars`. An example of how this should look is in [terraform.tfvars.example](test/fixtures/terraform.tfvars.example).
+3. Ensure your AWS environment is configured (i.e. credentials and region) for test and set TF_VAR_region to a valid AWS region (e.g. `export TF_VAR_region=${AWS_REGION}`).
 4. Test using `kitchen test` from the root of the repo.
 ## Contributing
@@ -70,6 +77,10 @@ individual change made. These are the steps:
 5. Push to the branch (`git push origin my-new-feature`).
 6. Create a new Pull Request and tell us about your changes.
+## IAM Permissions
+Testing and using this repo requires a minimum set of IAM permissions. Test permissions
+are listed in the [test_fixtures README](examples/test_fixtures/README.md).
+
 ## Change log
 The [changelog](CHANGELOG.md) captures all important release notes.
diff --git a/ci/deploy.sh b/ci/deploy.sh
new file mode 100755
index 0000000..ac4c22b
--- /dev/null
+++ b/ci/deploy.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# this file is a placeholder. Not sure that the registry API is available yet.
+echo "Deployment steps should include publishing to terraform registry on new releases. Exiting with success."
diff --git a/examples/test_fixtures/README.md b/examples/test_fixtures/README.md
index d6f70b0..81c7c58 100644
--- a/examples/test_fixtures/README.md
+++ b/examples/test_fixtures/README.md
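Review bot: `ci/deploy.sh` has no `set -euo pipefail` after the `#!/bin/bash` line, so once real publishing commands replace the placeholder `echo`, a failing command will still exit 0 and the `deploy:` step in `.travis.yml` will report the `dev` branch as deployed. Add `set -euo pipefail` as the second line now so the failure contract is in place before any commands are added.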
@@ -2,3 +2,105 @@ This set of templates serves two purposes:
 0. it shows developers how to use the module in a straightforward way as integrated with other terraform community supported modules.
 1. serves as the test infrastructure for CI on the project.
+
+## IAM Permissions
+The following IAM policy is the minimum needed to execute the module from the test suite.
+```
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "Stmt1507789535000",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AllocateAddress",
+ "ec2:AssignIpv6Addresses",
+ "ec2:AssignPrivateIpAddresses",
+ "ec2:AssociateAddress",
+ "ec2:AssociateDhcpOptions",
+ "ec2:AssociateRouteTable",
+ "ec2:AttachInternetGateway",
+ "ec2:AttachNetworkInterface",
+ "ec2:AuthorizeSecurityGroupEgress",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateDhcpOptions",
+ "ec2:CreateInternetGateway",
+ "ec2:CreateNatGateway",
+ "ec2:CreateNetworkAcl",
+ "ec2:CreateNetworkAclEntry",
+ "ec2:CreateNetworkInterface",
+ "ec2:CreateNetworkInterfacePermission",
+ "ec2:CreateRoute",
+ "ec2:CreateRouteTable",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateSubnet",
+ "ec2:CreateTags",
+ "ec2:CreateVpc",
+ "ec2:DeleteDhcpOptions",
+ "ec2:DeleteInternetGateway",
+ "ec2:DeleteNatGateway",
+ "ec2:DeleteNetworkAcl",
+ "ec2:DeleteNetworkAclEntry",
+ "ec2:DeleteNetworkInterface",
+ "ec2:DeleteRoute",
+ "ec2:DeleteRouteTable",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteSubnet",
+ "ec2:DeleteTags",
+ "ec2:DeleteVpc",
+ "ec2:Describe*",
+ "ec2:DetachInternetGateway",
+ "ec2:DetachNetworkInterface",
+ "ec2:DisassociateAddress",
+ "ec2:DisassociateRouteTable",
+ "ec2:DisassociateSubnetCidrBlock",
+ "ec2:DisassociateVpcCidrBlock",
+ "ec2:ModifySubnetAttribute",
+ "ec2:ModifyVpcAttribute",
+ "ec2:ModifyVpcEndpoint",
+ "ec2:ReleaseAddress",
+ "ec2:RevokeSecurityGroupEgress",
+ "ec2:RevokeSecurityGroupIngress",
+ "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
+ "ec2:UpdateSecurityGroupRuleDescriptionsIngress"
+ ],
+ "Resource": [
+ "*"
+ ]
+ },
{
+ "Sid": "Stmt1507789585001",
+ "Effect": "Allow",
+ "Action": [
+ "s3:*",
+ ],
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Sid": "Stmt1507789655000",
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:*"
+ ],
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Sid": "Stmt1507789655001",
+ "Effect": "Allow",
+ "Action": [
+ "iam:UploadServerCertificate",
+ "iam:DeleteServerCertificate",
+ "iam:GetServerCertificate"
+ ],
+ "Resource": [
+ "*"
+ ]
+ }
+ ]
+}
+
+```
diff --git a/examples/test_fixtures/data.tf b/examples/test_fixtures/data.tf
index 28fa52d..6e2e87d 100644
--- a/examples/test_fixtures/data.tf
+++ b/examples/test_fixtures/data.tf
@@ -1 +1,3 @@
 data "aws_caller_identity" "fixtures" {}
+
+data "aws_availability_zones" "available" {}
diff --git a/examples/test_fixtures/main.tf b/examples/test_fixtures/main.tf
index 3e7abd1..1e05b3e 100644
--- a/examples/test_fixtures/main.tf
+++ b/examples/test_fixtures/main.tf
@@ -3,7 +3,7 @@ terraform {
 }
 provider "aws" {
- region = "${var.aws_region}"
+ region = "${var.region}"
 version = "~> 1.0.0"
 }
@@ -12,7 +12,7 @@ provider "template" {
 }
 resource "aws_iam_server_certificate" "fixture_cert" {
- name = "test_cert-${data.aws_caller_identity.fixtures.account_id}"
+ name = "test_cert-${data.aws_caller_identity.fixtures.account_id}-${var.region}"
 certificate_body = "${file("${path.module}/../../../examples/test_fixtures/certs/example.crt.pem")}"
 private_key = "${file("${path.module}/../../../examples/test_fixtures/certs/example.key.pem")}"
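Review bot: The policy in the new `## IAM Permissions` section is not valid JSON: `"s3:*",` in the second statement leaves a trailing comma before `]`, so IAM rejects the document as written and anyone pasting it gets a malformed-policy error; drop the comma, `"s3:*"`. The sentence above it calls this the minimum needed, yet `s3:*`, `elasticloadbalancing:*` and the three `iam:*ServerCertificate` actions are all granted on `"Resource": ["*"]`; `s3:*` across every bucket in the account is far broader than the `logs-<region>-<account_id>` bucket the fixture actually creates. Either scope the S3 statement to that bucket name pattern and the IAM statement to the `test_cert-*` server-certificate ARN pattern, or reword the sentence to say this is a known-working policy rather than a minimum. The `ec2:Describe*` wildcard is read-only and unobjectionable.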
@@ -25,9 +25,9 @@ module "vpc" {
 source = "terraform-aws-modules/vpc/aws"
 name = "my-vpc"
 cidr = "10.0.0.0/16"
- azs = ["us-east-2a", "us-east-2b", "us-east-2c"]
- private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
- public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+ azs = ["${data.aws_availability_zones.available.names[0]}", "${data.aws_availability_zones.available.names[1]}"]
+ private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
+ public_subnets = ["10.0.101.0/24", "10.0.102.0/24"]
 enable_nat_gateway = true
 single_nat_gateway = true
 tags = {}
@@ -40,15 +40,15 @@ module "security-group" {
 }
 module "alb" {
- source = "../../../"
+ source = "../../.."
 alb_name = "my-alb"
 alb_security_groups = ["${module.security-group.this_security_group_id}"]
- aws_region = "${var.aws_region}"
+ region = "${var.region}"
 vpc_id = "${module.vpc.vpc_id}"
 subnets = "${module.vpc.public_subnets}"
 certificate_arn = "${aws_iam_server_certificate.fixture_cert.arn}"
 health_check_path = "/"
- log_bucket = "logs-${var.aws_region}-${data.aws_caller_identity.fixtures.account_id}"
+ log_bucket = "logs-${var.region}-${data.aws_caller_identity.fixtures.account_id}"
 log_prefix = "${var.log_prefix}"
 force_destroy_log_bucket = true
diff --git a/examples/test_fixtures/variables.tf b/examples/test_fixtures/variables.tf
index 46c20a0..01e109b 100644
--- a/examples/test_fixtures/variables.tf
+++ b/examples/test_fixtures/variables.tf
@@ -2,6 +2,4 @@ variable "log_prefix" {
 default = "my-alb-logs"
 }
-variable "aws_region" {
- default = "us-east-2"
-}
+variable "region" {}
diff --git a/main.tf b/main.tf
index 6b3b9a2..1fbd7c1 100644
--- a/main.tf
+++ b/main.tf
@@ -1,5 +1,10 @@
 ### ALB resources
+provider "aws" {
+ region = "${var.region}"
+ version = "~> 1.0.0"
+}
+
 resource "aws_alb" "main" {
 name = "${var.alb_name}"
 subnets = ["${var.subnets}"]
diff --git a/test/integration/default/local_alb.rb b/test/integration/default/local_alb.rb
index fe42d0b..4bd46f2 100755
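Review bot: `variable "region" {}` in `examples/test_fixtures/variables.tf` removes the default without adding a `description`, while the root `variables.tf` in this same commit documents its counterpart; with no default, a reader who has not exported `TF_VAR_region` gets a bare required-variable error and nothing in the file explains what is expected. Declare it as `variable "region" { description = "AWS region to use; set via TF_VAR_region." }` so the two declarations stay consistent.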
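Review bot: The `provider "aws"` block added to the root `main.tf` makes a shared registry module configure its own provider, so a caller can no longer hand this module an aliased provider, an assumed role or a different profile, and the `version = "~> 1.0.0"` pin is now duplicated between the module and `examples/test_fixtures/main.tf`. HashiCorp's guidance for reusable modules is to leave provider configuration to the root module and let it be inherited; the fixture already carries `provider "aws" { region = "${var.region}" … }`, so the five added lines can be dropped while `variable "region"` stays as an input. If the in-module provider is intentional, say why in a comment above the block, e.g. `# NOTE: provider is configured in-module so region is a module input; callers cannot override credentials or alias.`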
--- a/test/integration/default/local_alb.rb
+++ b/test/integration/default/local_alb.rb
@@ -1,7 +1,6 @@
 require 'awspec'
-require 'Rhcl'
+require 'rhcl'
-ENV['AWS_REGION'] = 'us-east-2'
 module_vars = Rhcl.parse(File.open('examples/test_fixtures/variables.tf'))
 log_prefix = module_vars['variable']['log_prefix']['default']
 tf_state = JSON.parse(File.open('.kitchen/kitchen-terraform/default-aws/terraform.tfstate').read)
@@ -11,7 +10,7 @@ security_group_id = tf_state['modules'][0]['outputs']['sg_id']['value']
 account_id = tf_state['modules'][0]['outputs']['account_id']['value']
 # this must match the format in examples/test_fixtures/locals.tf
-log_bucket = 'logs-' + module_vars['variable']['aws_region']['default'] + '-' + account_id
+log_bucket = 'logs-' + ENV['AWS_REGION'] + '-' + account_id
 # subnet_ids = tf_state['modules'][0]['outputs']['subnet_ids']['value']
 describe alb('my-alb') do
@@ -44,6 +43,7 @@
 "Version": "2012-10-17",
 "Statement": [
 {
+ "Sid": "",
 "Effect": "Allow",
 "Principal": {
 "AWS": "arn:aws:iam::#{principal_account_id}:root"
diff --git a/variables.tf b/variables.tf
index a390d93..5ab1d89 100644
--- a/variables.tf
+++ b/variables.tf
@@ -18,7 +18,7 @@ variable "alb_security_groups" {
 type = "list"
 }
-variable "aws_region" {
+variable "region" {
 description = "AWS region to use."
 }
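Review bot: `log_bucket = 'logs-' + ENV['AWS_REGION'] + '-' + account_id` raises `TypeError: no implicit conversion of nil into String` when `AWS_REGION` is not exported, which is more likely now that the `ENV['AWS_REGION'] = 'us-east-2'` default is gone and the fixture takes its region from `TF_VAR_region` instead; `ENV.fetch('AWS_REGION')` raises a `KeyError` that names the missing variable. The test also silently assumes `AWS_REGION` equals `TF_VAR_region`; `.travis.yml` derives both from one value, but a local run that exports only one of them will check a bucket name that never existed. The comment above it still points at `examples/test_fixtures/locals.tf`, whereas in this commit the name is composed in the `module "alb"` block of `examples/test_fixtures/main.tf`; update it to `# this must match the log_bucket format in examples/test_fixtures/main.tf`.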