Merge pull request #13 from mineiros-io/mariux/sc-4056/secret-refs
feat!: Add support for reading environment from secret manager
mariux authored Apr 19, 2022
2 parents a872abb + 5f8b782 commit 3107801
Showing 26 changed files with 2,099 additions and 81 deletions.
36 changes: 35 additions & 1 deletion .github/workflows/tests.yml
@@ -4,8 +4,16 @@ on:
push:
branches:
- main
- master
pull_request:

env:
AWS_SECRET_ACCESS_KEY: ${{ secrets.MINEIROS_TESTING_AWS_SECRET_ACCESS_KEY }}
AWS_ACCESS_KEY_ID: ${{ secrets.MINEIROS_TESTING_AWS_ACCESS_KEY_ID }}
GOOGLE_CREDENTIALS: ${{ secrets.MINEIROS_TESTING_GCP_SA_KEY_FILE }}
TEST_GCP_PROJECT: ${{ secrets.MINEIROS_TESTING_GCP_PROJECT }}
TEST_GCP_ORG_DOMAIN: ${{ secrets.MINEIROS_TESTING_GCP_ORG_DOMAIN }}

concurrency:
group: terraform-google-cloud-run
cancel-in-progress: false
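Review bot: the workflow-level `env` block hands `AWS_SECRET_ACCESS_KEY`, `AWS_ACCESS_KEY_ID` and the `GOOGLE_CREDENTIALS` service-account key to every job in the workflow, including the `pre-commit` job, which only runs linters and third-party hooks and never needs cloud credentials. Move these five variables into the `env:` of the `unit-tests` job (or of its `Run Unit Tests` step) so they exist only in the process that uses them. Note also that on `pull_request` events from forked repositories GitHub resolves `secrets.*` to empty strings, so the unit-tests job will fail at provider authentication for external contributors; either gate that job on the PR head repository or accept that forks only get the pre-commit job.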
@@ -17,6 +25,32 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v2
with:
fetch-depth: 0

- name: Run pre-commit
run: make test/pre-commit
run: make test/docker/pre-commit

unit-tests:
needs: pre-commit
runs-on: ubuntu-latest
name: Unit Tests
steps:
- name: Checkout
uses: actions/checkout@v2

- name: Check for Terraform file changes
uses: getsentry/paths-filter@v2
id: changes
with:
filters: |
terraform:
- '*.tf'
- 'test/**/*.tf'
- 'test/**/*.go'
- 'test/go.mod'
- 'test/go.sum'
- name: Run Unit Tests
if: steps.changes.outputs.terraform == 'true'
run: make test/docker/unit-tests
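Review bot: `getsentry/paths-filter@v2` and `actions/checkout@v2` are pinned to mutable tags; since the `unit-tests` job runs with live AWS and GCP credentials in its environment, pin third-party actions to a full commit SHA so a retagged release cannot run arbitrary code with those secrets. Smaller point in the same hunk: the `terraform:` filter only lists `*.tf`, `test/**` and the Go module files, so a change to `Makefile`, `.github/workflows/tests.yml` or `.pre-commit-config.yaml` never triggers the unit tests even though those files control how the tests run; add them to the filter.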
7 changes: 5 additions & 2 deletions .pre-commit-config.yaml
@@ -1,13 +1,16 @@
repos:
- repo: https://github.com/mineiros-io/pre-commit-hooks
rev: v0.3.1
rev: v0.4.1
hooks:
- id: terraform-fmt
- id: terraform-validate
exclude: ^examples|.terraform/
- id: tflint
- id: golangci-lint
- id: phony-targets
- id: terradoc-validate
- id: terradoc-fmt
- id: terradoc-generate
- id: terramate-generate
- id: markdown-link-check
args: ['-p'] # When adding the -p flag, markdown-link-check will always with an exit code 0, even if dead links are found
verbose: true # Forces the output of the hook to be printed even when the hook passes.
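Review bot: per the inline comment, `-p` makes `markdown-link-check` exit 0 even when dead links are found, so this hook can never fail a commit or the CI `pre-commit` job; broken links are only visible in the verbose output. If non-blocking is the intent for now, say so explicitly in the comment and drop `-p` once the dead links are fixed or excluded. The comment itself is missing a word: "will always with an exit code 0" should read "will always exit with an exit code 0".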
22 changes: 21 additions & 1 deletion CHANGELOG.md
@@ -7,7 +7,26 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

## [0.1.0] BREAKING CHANGES

### Added

- Add support for reading secrets from secret manager for container environment variables

### Changed

- Updated IAM module to support IAM members validation

### Fixed

- Fix template variable that is required (was defined as optional)
- Fix disabling module
- Fix IAM usage where Terraform complains over mismatched types in ternary operator

### Removed

- BREAKING CHANGE: Drop support for Terraform Google Provider < 4.1
- BREAKING CHANGE: Drop support for Terraform < 1.0

## [0.0.2]

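Review bot: the new `## [0.1.0] BREAKING CHANGES` heading departs from the Keep a Changelog convention the file says it follows (`## [x.y.z] - YYYY-MM-DD`); add the release date to the heading and leave the breaking-change marker in the `### Removed` bullets, where it already is. Also, "Drop support for Terraform Google Provider < 4.1" and "Drop support for Terraform < 1.0" must be mirrored in the module's `required_version` and `required_providers` constraints in the same release; that file is not among the changes shown above, so please confirm it is part of this PR.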
@@ -23,7 +42,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

<!-- markdown-link-check-disable -->

[unreleased]: https://github.com/mineiros-io/terraform-google-cloud-run/compare/v0.0.2...HEAD
[unreleased]: https://github.com/mineiros-io/terraform-google-cloud-run/compare/v0.1.0...HEAD
[0.1.0]: https://github.com/mineiros-io/terraform-google-cloud-run/compare/v0.0.2...v0.1.0
[0.0.2]: https://github.com/mineiros-io/terraform-google-cloud-run/compare/v0.0.1...v0.0.2
[0.0.1]: https://github.com/mineiros-io/terraform-google-cloud-run/releases/tag/v0.0.1

60 changes: 53 additions & 7 deletions Makefile
@@ -1,7 +1,7 @@
# Set default shell to bash
SHELL := /bin/bash -o pipefail

BUILD_TOOLS_VERSION ?= v0.15.1
BUILD_TOOLS_VERSION ?= v0.15.2
BUILD_TOOLS_DOCKER_REPO ?= mineiros/build-tools
BUILD_TOOLS_DOCKER_IMAGE ?= ${BUILD_TOOLS_DOCKER_REPO}:${BUILD_TOOLS_VERSION}

@@ -57,6 +57,22 @@ ifdef GOOGLE_CREDENTIALS
DOCKER_GCP_FLAGS += -e GOOGLE_CREDENTIALS
endif

# If GOOGLE_CREDENTIALS is defined, we are likely running inside a GCP provider
# module. To enable GCP authentication inside the docker container, we inject
# the relevant environment variables (service-account key file).
ifdef GOOGLE_CREDENTIALS
DOCKER_GCP_FLAGS += -e GOOGLE_CREDENTIALS
DOCKER_GCP_FLAGS += -e TEST_GCP_PROJECT
DOCKER_GCP_FLAGS += -e TEST_GCP_ORG_DOMAIN
endif

# If GITHUB_OWNER is defined, we are likely running inside a GitHub provider
# module. To enable GitHub authentication inside the docker container,
# we inject the relevant environment variables.
ifdef GITHUB_OWNER
DOCKER_GITHUB_FLAGS += -e GITHUB_TOKEN
DOCKER_GITHUB_FLAGS += -e GITHUB_OWNER
endif

.PHONY: default
default: help
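Review bot: after this hunk there are two consecutive `ifdef GOOGLE_CREDENTIALS` blocks (the existing one in the context lines at the top of the hunk and the new one), and both append `-e GOOGLE_CREDENTIALS` to `DOCKER_GCP_FLAGS`, so `docker run` receives that flag twice. Fold the new `-e TEST_GCP_PROJECT` and `-e TEST_GCP_ORG_DOMAIN` lines into the existing block and delete the duplicate. Wording: "we are likely running inside a GCP provider module" presumably means "running the tests of a GCP provider module".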
@@ -68,18 +84,53 @@ template/adjust:
@find . $(FILTER) -exec sed -i -e "s,terraform-module-template,$${PWD##*/},g" {} \;

## Run pre-commit hooks inside a build-tools docker container.
.PHONY: test/docker/pre-commit
test/docker/pre-commit: DOCKER_FLAGS += ${DOCKER_SSH_FLAGS}
test/docker/pre-commit: DOCKER_FLAGS += -e NOCOLOR=1
test/docker/pre-commit:
$(call docker-run,make test/pre-commit)

## Run all Go tests inside a build-tools docker container. This is complementary to running 'go test ./test/...'.
.PHONY: test/docker/unit-tests
test/docker/unit-tests: DOCKER_FLAGS += ${DOCKER_SSH_FLAGS}
test/docker/unit-tests: DOCKER_FLAGS += ${DOCKER_GITHUB_FLAGS}
test/docker/unit-tests: DOCKER_FLAGS += ${DOCKER_AWS_FLAGS}
test/docker/unit-tests: DOCKER_FLAGS += ${DOCKER_GCP_FLAGS}
test/docker/unit-tests: DOCKER_FLAGS += $(shell env | grep ^TF_VAR_ | cut -d = -f 1 | xargs -i printf ' -e {}')
test/docker/unit-tests: DOCKER_FLAGS += -e TF_DATA_DIR=.terratest
test/docker/unit-tests: DOCKER_FLAGS += -e NOCOLOR=1
test/docker/unit-tests: TEST ?= "TestUnit"
test/docker/unit-tests:
@echo "${YELLOW}[TEST] ${GREEN}Start Running Go Tests in Docker Container.${RESET}"
$(call docker-run,make test/unit-tests)

## Run pre-commit hooks.
.PHONY: test/pre-commit
test/pre-commit: DOCKER_FLAGS += ${DOCKER_SSH_FLAGS}
test/pre-commit:
$(call docker-run,pre-commit run -a)
$(call quiet-command,pre-commit run -a)

## Run all unit tests.
.PHONY: test/docker/unit-tests
test/unit-tests: TEST ?= "TestUnit"
test/unit-tests:
@echo "${YELLOW}[TEST] ${GREEN}Start Running unit tests.${RESET}"
$(call quiet-command,cd test ; go test -v -count 1 -timeout 45m -parallel 128 -run $(TEST))

## Generate README.md with Terradoc
.PHONY: terradoc
terradoc:
$(call quiet-command,terradoc generate -o README.md README.tfdoc.hcl)

## Clean up cache and temporary files
.PHONY: clean
clean:
$(call rm-command,.terraform)
$(call rm-command,.terratest)
$(call rm-command,.terraform.lock.hcl)
$(call rm-command,*.tfplan)
$(call rm-command,*/*/.terraform)
$(call rm-command,*/*/.terratest)
$(call rm-command,*/*/*.tfplan)
$(call rm-command,*/*/.terraform.lock.hcl)

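Review bot: the `.PHONY:` line directly above the `test/unit-tests` target declares `test/docker/unit-tests` (already declared a few lines earlier) instead of `test/unit-tests`, so the new target is not marked phony; change it to `.PHONY: test/unit-tests`. Two more points in this hunk: `test/docker/unit-tests: TEST ?= "TestUnit"` sets `TEST` on the host side, but no `-e TEST` is added to `DOCKER_FLAGS`, so a caller's `make test/docker/unit-tests TEST=TestSomething` is ignored inside the container, where `test/unit-tests` falls back to its own `TestUnit` default; and `test/pre-commit: DOCKER_FLAGS += ${DOCKER_SSH_FLAGS}` is now dead, since that target no longer calls `docker-run`, and can be removed.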
@@ -96,11 +147,6 @@ help:
} \
{ lastLine = $$0 }' $(MAKEFILE_LIST)

## Generate README.md with Terradoc
.PHONY: terradoc
terradoc:
$(call quiet-command,terradoc generate -o README.md README.tfdoc.hcl)

# Define helper functions
DOCKER_FLAGS += ${DOCKER_RUN_FLAGS}
DOCKER_RUN_CMD = docker run ${DOCKER_FLAGS} ${BUILD_TOOLS_DOCKER_IMAGE}
55 changes: 45 additions & 10 deletions README.md
@@ -55,10 +55,20 @@ Most common usage of the module:

```hcl
module "terraform-google-cloud-run" {
source = "git@github.com:mineiros-io/terraform-google-cloud-run.git?ref=v0.0.2"
source = "github.com/mineiros-io/terraform-google-cloud-run?ref=v0.1.0"
name = "example-name"
location = "us-central1"
template = {
spec = {
containers = [
{
image = "gcr.io/cloudrun/hello:latest"
}
]
}
}
}
```

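Review bot: the example now pins the module to `?ref=v0.1.0`, consistent with the changelog, but the container image `gcr.io/cloudrun/hello:latest` is a floating tag. In a release whose headline feature is wiring Secret Manager values into containers, the README example should show an immutable image reference (`image = "gcr.io/cloudrun/hello@sha256:<digest>"`) or at least a version tag, so readers do not copy a deployment whose contents can change underneath them.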
@@ -80,7 +90,7 @@ See [variables.tf] and [examples/] for details and use-cases.

- [**`project`**](#var-project): *(Optional `string`)*<a name="var-project"></a>

The ID of the project in which the resource belongs. If it is not
The ID of the project in which the resource belongs. If it is not
provided, the provider project is used.

- [**`autogenerate_revision_name`**](#var-autogenerate_revision_name): *(Optional `bool`)*<a name="var-autogenerate_revision_name"></a>
@@ -110,7 +120,7 @@ See [variables.tf] and [examples/] for details and use-cases.
annotations. Name will be generated by the Configuration. To set
minimum instances for this revision, use the
`autoscaling.knative.dev/minScale` annotation key. To set maximum
instances for this revision, use the
instances for this revision, use the
`autoscaling.knative.dev/maxScale` annotation key. To set Cloud SQL
connections for the revision, use the
`run.googleapis.com/cloudsql-instances` annotation key.
@@ -210,15 +220,13 @@ See [variables.tf] and [examples/] for details and use-cases.
in for this Revision. It is expected that the system will
manipulate this based on routability and load.

- [**`containers`**](#attr-template-spec-containers): *(Optional `list(container)`)*<a name="attr-template-spec-containers"></a>
- [**`containers`**](#attr-template-spec-containers): *(**Required** `list(container)`)*<a name="attr-template-spec-containers"></a>

Container defines the unit of execution for this Revision. In the
context of a Revision, we disallow a number of the fields of this
Container, including: name, ports, and volumeMounts. The runtime
contract is documented here: https://github.com/knative/serving/blob/master/docs/runtime-contract.md

Default is `[]`.

Each `container` object in the list accepts the following attributes:

- [**`args`**](#attr-template-spec-containers-args): *(Optional `list(string)`)*<a name="attr-template-spec-containers-args"></a>
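Review bot: marking `containers` as **Required** and dropping the `Default is []` line is the right fix for the changelog entry "Fix template variable that is required". The surrounding description still says the module disallows "name, ports, and volumeMounts" on a container, yet `ports` is documented as an accepted container attribute further down in this file; reword the sentence so the README does not contradict itself (and the knative runtime-contract link points at a `master` branch path, which should be checked by the link hook).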
@@ -269,10 +277,37 @@ See [variables.tf] and [examples/] for details and use-cases.
previous defined environment variables in the container and
any route environment variables. If a variable cannot be
resolved, the reference in the input string will be unchanged.
The `$(VAR_NAME)` syntax can be escaped with a double `$$`,
The `$(VAR_NAME)` syntax can be escaped with a double `$$`,
ie: `$$(VAR_NAME)`. Escaped references will never be expanded,
regardless of whether the variable exists or not.

- [**`values_from`**](#attr-template-spec-containers-env-values_from): *(Optional `list(value_from)`)*<a name="attr-template-spec-containers-env-values_from"></a>

Source for the environment variable's value.
Only supports `secret_key_ref`.

Each `value_from` object in the list accepts the following attributes:

- [**`secret_key_ref`**](#attr-template-spec-containers-env-values_from-secret_key_ref): *(**Required** `object(secret_key_ref)`)*<a name="attr-template-spec-containers-env-values_from-secret_key_ref"></a>

Selects a key (version) of a secret in Secret Manager.

The `secret_key_ref` object accepts the following attributes:

- [**`key`**](#attr-template-spec-containers-env-values_from-secret_key_ref-key): *(Optional `string`)*<a name="attr-template-spec-containers-env-values_from-secret_key_ref-key"></a>

A Cloud Secret Manager secret version.
Must be `"latest"` for the latest version or an integer for a specific version.

- [**`name`**](#attr-template-spec-containers-env-values_from-secret_key_ref-name): *(Optional `string`)*<a name="attr-template-spec-containers-env-values_from-secret_key_ref-name"></a>

The name of the secret in Cloud Secret Manager.
By default, the secret is assumed to be in the same project.
If the secret is in another project, you must define an alias.
You set the in this field, and create an annotation with the following structure
`"run.googleapis.com/secrets" = ":projects//secrets/"`.
If multiple alias definitions are needed, they must be separated by commas in the annotation field.

- [**`ports`**](#attr-template-spec-containers-ports): *(Optional `list(port)`)*<a name="attr-template-spec-containers-ports"></a>

List of open ports in the container. More Info:
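Review bot: `key` and `name` under `secret_key_ref` are documented as Optional, but a secret reference without a secret name or a version cannot be resolved and the Cloud Run API requires both; mark them **Required**, matching the `(**Required** object(secret_key_ref))` line above them. The `name` description has lost its placeholders: the alias example reads `"run.googleapis.com/secrets" = ":projects//secrets/"` and should show the alias, project and secret name, and "You set the in this field" is missing the word "alias". Two things the description should also state: the service account of the revision must be granted access to every referenced secret, otherwise the deployment fails with a permission error; and `key = "latest"` means that the next revision silently picks up whatever secret version exists at deploy time with no change to the Terraform configuration, so an explicit integer version is the safer default for production services. Question: is `values_from` deliberately a list? An environment variable has exactly one source, so either document what happens with more than one entry or make it a single object.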
@@ -355,7 +390,7 @@ See [variables.tf] and [examples/] for details and use-cases.
annotations. Name will be generated by the Configuration. To set
minimum instances for this revision, use the
`autoscaling.knative.dev/minScale` annotation key. To set maximum
instances for this revision, use the
instances for this revision, use the
`autoscaling.knative.dev/maxScale` annotation key. To set Cloud SQL
connections for the revision, use the
`run.googleapis.com/cloudsql-instances` annotation key.
@@ -435,7 +470,7 @@ See [variables.tf] and [examples/] for details and use-cases.

- [**`certificate_mode`**](#attr-domain_mapping-spec-certificate_mode): *(Optional `string`)*<a name="attr-domain_mapping-spec-certificate_mode"></a>

The mode of the certificate. Possible values are `NONE` and
The mode of the certificate. Possible values are `NONE` and
`AUTOMATIC`.

Default is `"AUTOMATIC"`.
@@ -446,7 +481,7 @@ See [variables.tf] and [examples/] for details and use-cases.
annotations. Name will be generated by the Configuration. To set
minimum instances for this revision, use the
`autoscaling.knative.dev/minScale` annotation key. To set maximum
instances for this revision, use the
instances for this revision, use the
`autoscaling.knative.dev/maxScale` annotation key. To set Cloud SQL
connections for the revision, use the
`run.googleapis.com/cloudsql-instances` annotation key.