From 922fc53312a53c2e6393742764acf38a90e91082 Mon Sep 17 00:00:00 2001
From: Nuru
Date: Fri, 16 Apr 2021 19:10:10 -0700
Subject: [PATCH] Normalize metadata service, revert option to use fixed name (#63)
---
.github/CODEOWNERS | 4 ++--
.github/auto-release.yml | 2 +-
.github/mergify.yml | 7 ++++++
.github/workflows/auto-format.yml | 4 +++-
.github/workflows/auto-release.yml | 24 +++++++++++--------
.github/workflows/validate-codeowners.yml | 2 ++
README.md | 6 +++--
docs/terraform.md | 6 +++--
examples/complete/main.tf | 24 +++++++++----------
main.tf | 10 ++++----
outputs.tf | 5 ++++
variables.tf | 28 +++++++++++------------
12 files changed, 74 insertions(+), 48 deletions(-)
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 2537f2f..6f64b5a 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -15,8 +15,8 @@
# Cloud Posse must review any changes to standard context definition,
# but some changes can be rubber-stamped.
-**/*.tf @cloudposse/engineering @cloudposse/approvers
-README.yaml @cloudposse/engineering @cloudposse/approvers
+**/*.tf @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
+README.yaml @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
README.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
docs/*.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
diff --git a/.github/auto-release.yml b/.github/auto-release.yml
index c78a4d8..ba0c226 100644
--- a/.github/auto-release.yml
+++ b/.github/auto-release.yml
@@ -46,7 +46,7 @@ template: | replacers: # Remove irrelevant information from Renovate bot -- search: '/---\s+^#.*Renovate configuration(?:.|\n)*?This PR has been generated .*/gm' +- search: '/---\s+^#.*(Renovate configuration|Configuration)(?:.|\n)*?This PR has been generated .*/gm' replace: '' # Remove Renovate bot banner image - search: '/\[!\[[^\]]*Renovate\][^\]]*\](\([^)]*\))?\s*\n+/gm'
diff --git a/.github/mergify.yml b/.github/mergify.yml
index b010656..ef15545 100644
--- a/.github/mergify.yml
+++ b/.github/mergify.yml
@@ -56,3 +56,10 @@ pull_request_rules:
changes_requested: true
approved: true
message: "This Pull Request has been updated, so we're dismissing all reviews."
+
+- name: "close Pull Requests without files changed"
+ conditions:
+ - "#files=0"
+ actions:
+ close:
+ message: "This pull request has been automatically closed by Mergify because there are no longer any changes."
diff --git a/.github/workflows/auto-format.yml b/.github/workflows/auto-format.yml
index 990abed..375d0fd 100644
--- a/.github/workflows/auto-format.yml
+++ b/.github/workflows/auto-format.yml
@@ -6,7 +6,7 @@ on:
jobs:
auto-format:
runs-on: ubuntu-latest
- container: cloudposse/build-harness:slim-latest
+ container: cloudposse/build-harness:latest
steps:
# Checkout the pull request branch
# "An action in a workflow run can’t trigger a new workflow run. For example, if an action pushes code using
@@ -29,6 +29,8 @@ jobs: - name: Auto Format if: github.event.pull_request.state == 'open' shell: bash + env: + GITHUB_TOKEN: "${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}" run: make BUILD_HARNESS_PATH=/build-harness PACKAGES_PREFER_HOST=true -f /build-harness/templates/Makefile.build-harness pr/auto-format/host # Commit changes (if any) to the PR branch
diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
index 3f48017..c766b1f 100644
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
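Review bot: `container: cloudposse/build-harness:latest` keeps the job on a mutable image tag, so the toolchain that rewrites files and commits them back to pull request branches can change underneath the workflow with no diff in this repository; `slim-latest` had the same property, so the commit does not make it worse, but this is the line to fix. Pin the image by digest, `container: cloudposse/build-harness@sha256:<image-digest-placeholder>`, or at least to an immutable version tag, and bump it deliberately. The `steps:` list continues outside the hunk.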
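Review bot: The `Auto Format` step now receives `secrets.PUBLIC_REPO_ACCESS_TOKEN` as `GITHUB_TOKEN`; the name suggests a personal access token rather than the workflow's own scoped token, and it is handed to a step that runs the build-harness formatter over the checked-out pull request branch. The workflow's `on:` block is outside this hunk, so it is not visible whether pull requests from forks can reach this step with secrets populated; confirm the trigger is `pull_request` (secrets are withheld for fork PRs) rather than `pull_request_target` before merging, because a step that consumes PR content should not also hold a token with write access. Document the reason and scope next to the line: `# PAT so the formatting commit can be pushed back to the PR branch; restrict it to this repository`. The `steps:` list continues outside the hunk.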
@@ -3,17 +3,23 @@ name: auto-release
on:
push:
branches:
- - master
+ - master
jobs:
publish:
runs-on: ubuntu-latest
steps:
- # Drafts your next Release notes as Pull Requests are merged into "master"
- - uses: release-drafter/release-drafter@v5
- with:
- publish: true
- prerelease: false
- config-name: auto-release.yml
- env:
- GITHUB_TOKEN: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
+ # Get PR from merged commit to master
+ - uses: actions-ecosystem/action-get-merged-pull-request@v1
+ id: get-merged-pull-request
+ with:
+ github_token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
+ # Drafts your next Release notes as Pull Requests are merged into "master"
+ - uses: release-drafter/release-drafter@v5
+ if: "!contains(steps.get-merged-pull-request.outputs.labels, 'no-release')"
+ with:
+ publish: true
+ prerelease: false
+ config-name: auto-release.yml
+ env:
+ GITHUB_TOKEN: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
diff --git a/.github/workflows/validate-codeowners.yml b/.github/workflows/validate-codeowners.yml
index 386eb28..c5193b6 100644
--- a/.github/workflows/validate-codeowners.yml
+++ b/.github/workflows/validate-codeowners.yml
@@ -1,5 +1,7 @@ name: Validate Codeowners on: + workflow_dispatch: + pull_request: jobs:
diff --git a/README.md b/README.md
index e949dc9..c1efd72 100644
--- a/README.md
+++ b/README.md
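Review bot: `actions-ecosystem/action-get-merged-pull-request@v1` and `release-drafter/release-drafter@v5` are pulled by mutable major-version tags and both receive `secrets.PUBLIC_REPO_ACCESS_TOKEN`, so a moved tag in either upstream repository runs new code with that token on every push to master; the new `get-merged-pull-request` step adds a second third-party action to that exposure. Pin each `uses:` to a full commit SHA and keep the version as a trailing comment, e.g. `- uses: release-drafter/release-drafter@<commit-sha-placeholder> # v5`. The `if:` on release-drafter uses `contains()` on `outputs.labels`, which is a substring match, so any label whose name merely contains `no-release` also suppresses publishing, and when no merged PR is found the empty output presumably makes the condition true so a direct push still publishes; a comment on that line stating both behaviours would help the next reader.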
@@ -284,7 +284,9 @@ Available targets:
| [load\_balancers](#input\_load\_balancers) | A list of elastic load balancer names to add to the autoscaling group names. Only valid for classic load balancers. For ALBs, use `target_group_arns` instead | `list(string)` | `[]` | no |
| [max\_instance\_lifetime](#input\_max\_instance\_lifetime) | The maximum amount of time, in seconds, that an instance can be in service, values must be either equal to 0 or between 604800 and 31536000 seconds | `number` | `null` | no |
| [max\_size](#input\_max\_size) | The maximum size of the autoscale group | `number` | n/a | yes |
-| [metadata\_http\_tokens](#input\_metadata\_http\_tokens) | Whether or not the metadata service requires session tokens, also referred
to as Instance Metadata Service Version 2 (IMDSv2). Can be "optional" or
"required". | `string` | `"optional"` | no | +| [metadata\_http\_endpoint\_enabled](#input\_metadata\_http\_endpoint\_enabled) | Set false to disable the Instance Metadata Service. | `bool` | `true` | no | +| [metadata\_http\_put\_response\_hop\_limit](#input\_metadata\_http\_put\_response\_hop\_limit) | The desired HTTP PUT response hop limit (between 1 and 64) for Instance Metadata Service requests.
The default is `2` to support containerized workloads. | `number` | `2` | no |
+| [metadata\_http\_tokens\_required](#input\_metadata\_http\_tokens\_required) | Set true to require IMDS session tokens, disabling Instance Metadata Service Version 1. | `bool` | `true` | no |
| [metrics\_granularity](#input\_metrics\_granularity) | The granularity to associate with the metrics to collect. The only valid value is 1Minute | `string` | `"1Minute"` | no |
| [min\_elb\_capacity](#input\_min\_elb\_capacity) | Setting this causes Terraform to wait for this number of instances to show up healthy in the ELB only on creation. Updates will not wait on ELB instance number changes | `number` | `0` | no |
| [min\_size](#input\_min\_size) | The minimum size of the autoscale group | `number` | n/a | yes |
@@ -312,7 +314,6 @@ Available targets:
| [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |
| [target\_group\_arns](#input\_target\_group\_arns) | A list of aws\_alb\_target\_group ARNs, for use with Application Load Balancing | `list(string)` | `[]` | no |
| [termination\_policies](#input\_termination\_policies) | A list of policies to decide how the instances in the auto scale group should be terminated. The allowed values are `OldestInstance`, `NewestInstance`, `OldestLaunchConfiguration`, `ClosestToNextInstanceHour`, `Default` | `list(string)` |
[
"Default"
]
| no |
-| [use\_name\_prefix](#input\_use\_name\_prefix) | If `true`, this will use the asg argument `name_prefix` instead of `name` | `bool` | `true` | no |
| [user\_data\_base64](#input\_user\_data\_base64) | The Base64-encoded user data to provide when launching the instances | `string` | `""` | no |
| [wait\_for\_capacity\_timeout](#input\_wait\_for\_capacity\_timeout) | A maximum duration that Terraform should wait for ASG instances to be healthy before timing out. Setting this to '0' causes Terraform to skip all Capacity Waiting behavior | `string` | `"10m"` | no |
| [wait\_for\_elb\_capacity](#input\_wait\_for\_elb\_capacity) | Setting this will cause Terraform to wait for exactly this number of healthy instances in all attached load balancers on both create and update operations. Takes precedence over `min_elb_capacity` behavior | `number` | `0` | no |
@@ -330,6 +331,7 @@ Available targets:
| [autoscaling\_group\_max\_size](#output\_autoscaling\_group\_max\_size) | The maximum size of the autoscale group |
| [autoscaling\_group\_min\_size](#output\_autoscaling\_group\_min\_size) | The minimum size of the autoscale group |
| [autoscaling\_group\_name](#output\_autoscaling\_group\_name) | The AutoScaling Group name |
+| [autoscaling\_group\_tags](#output\_autoscaling\_group\_tags) | A list of tag settings associated with the AutoScaling Group |
| [launch\_template\_arn](#output\_launch\_template\_arn) | The ARN of the launch template |
| [launch\_template\_id](#output\_launch\_template\_id) | The ID of the launch template |
diff --git a/docs/terraform.md b/docs/terraform.md
index 96dda32..a47fd4a 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -79,7 +79,9 @@
| [load\_balancers](#input\_load\_balancers) | A list of elastic load balancer names to add to the autoscaling group names. Only valid for classic load balancers. For ALBs, use `target_group_arns` instead | `list(string)` | `[]` | no |
| [max\_instance\_lifetime](#input\_max\_instance\_lifetime) | The maximum amount of time, in seconds, that an instance can be in service, values must be either equal to 0 or between 604800 and 31536000 seconds | `number` | `null` | no |
| [max\_size](#input\_max\_size) | The maximum size of the autoscale group | `number` | n/a | yes |
-| [metadata\_http\_tokens](#input\_metadata\_http\_tokens) | Whether or not the metadata service requires session tokens, also referred
to as Instance Metadata Service Version 2 (IMDSv2). Can be "optional" or
"required". | `string` | `"optional"` | no | +| [metadata\_http\_endpoint\_enabled](#input\_metadata\_http\_endpoint\_enabled) | Set false to disable the Instance Metadata Service. | `bool` | `true` | no | +| [metadata\_http\_put\_response\_hop\_limit](#input\_metadata\_http\_put\_response\_hop\_limit) | The desired HTTP PUT response hop limit (between 1 and 64) for Instance Metadata Service requests.
The default is `2` to support containerized workloads. | `number` | `2` | no |
+| [metadata\_http\_tokens\_required](#input\_metadata\_http\_tokens\_required) | Set true to require IMDS session tokens, disabling Instance Metadata Service Version 1. | `bool` | `true` | no |
| [metrics\_granularity](#input\_metrics\_granularity) | The granularity to associate with the metrics to collect. The only valid value is 1Minute | `string` | `"1Minute"` | no |
| [min\_elb\_capacity](#input\_min\_elb\_capacity) | Setting this causes Terraform to wait for this number of instances to show up healthy in the ELB only on creation. Updates will not wait on ELB instance number changes | `number` | `0` | no |
| [min\_size](#input\_min\_size) | The minimum size of the autoscale group | `number` | n/a | yes |
@@ -107,7 +109,6 @@
| [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |
| [target\_group\_arns](#input\_target\_group\_arns) | A list of aws\_alb\_target\_group ARNs, for use with Application Load Balancing | `list(string)` | `[]` | no |
| [termination\_policies](#input\_termination\_policies) | A list of policies to decide how the instances in the auto scale group should be terminated. The allowed values are `OldestInstance`, `NewestInstance`, `OldestLaunchConfiguration`, `ClosestToNextInstanceHour`, `Default` | `list(string)` |
[
"Default"
]
| no |
-| [use\_name\_prefix](#input\_use\_name\_prefix) | If `true`, this will use the asg argument `name_prefix` instead of `name` | `bool` | `true` | no |
| [user\_data\_base64](#input\_user\_data\_base64) | The Base64-encoded user data to provide when launching the instances | `string` | `""` | no |
| [wait\_for\_capacity\_timeout](#input\_wait\_for\_capacity\_timeout) | A maximum duration that Terraform should wait for ASG instances to be healthy before timing out. Setting this to '0' causes Terraform to skip all Capacity Waiting behavior | `string` | `"10m"` | no |
| [wait\_for\_elb\_capacity](#input\_wait\_for\_elb\_capacity) | Setting this will cause Terraform to wait for exactly this number of healthy instances in all attached load balancers on both create and update operations. Takes precedence over `min_elb_capacity` behavior | `number` | `0` | no |
@@ -125,6 +126,7 @@
| [autoscaling\_group\_max\_size](#output\_autoscaling\_group\_max\_size) | The maximum size of the autoscale group |
| [autoscaling\_group\_min\_size](#output\_autoscaling\_group\_min\_size) | The minimum size of the autoscale group |
| [autoscaling\_group\_name](#output\_autoscaling\_group\_name) | The AutoScaling Group name |
+| [autoscaling\_group\_tags](#output\_autoscaling\_group\_tags) | A list of tag settings associated with the AutoScaling Group |
| [launch\_template\_arn](#output\_launch\_template\_arn) | The ARN of the launch template |
| [launch\_template\_id](#output\_launch\_template\_id) | The ID of the launch template |
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 0eb8035..6bd8a58 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -26,18 +26,18 @@ module "subnets" {
module "autoscale_group" {
source = "../../"
- image_id = var.image_id
- instance_type = var.instance_type
- instance_market_options = var.instance_market_options
- mixed_instances_policy = var.mixed_instances_policy
- subnet_ids = module.subnets.public_subnet_ids
- health_check_type = var.health_check_type
- min_size = var.min_size
- max_size = var.max_size
- wait_for_capacity_timeout = var.wait_for_capacity_timeout
- associate_public_ip_address = true
- user_data_base64 = base64encode(local.userdata)
- metadata_http_tokens = "required"
+ image_id = var.image_id
+ instance_type = var.instance_type
+ instance_market_options = var.instance_market_options
+ mixed_instances_policy = var.mixed_instances_policy
+ subnet_ids = module.subnets.public_subnet_ids
+ health_check_type = var.health_check_type
+ min_size = var.min_size
+ max_size = var.max_size
+ wait_for_capacity_timeout = var.wait_for_capacity_timeout
+ associate_public_ip_address = true
+ user_data_base64 = base64encode(local.userdata)
+ metadata_http_tokens_required = true
tags = {
Tier = "1"
diff --git a/main.tf b/main.tf
index aca5245..3711ada 100644
--- a/main.tf
+++ b/main.tf
@@ -98,9 +98,9 @@ resource "aws_launch_template" "default" {
}
metadata_options {
- http_endpoint = "enabled"
- http_tokens = var.metadata_http_tokens
- http_put_response_hop_limit = 1
+ http_endpoint = (var.metadata_http_endpoint_enabled) ? "enabled" : "disabled"
+ http_put_response_hop_limit = var.metadata_http_put_response_hop_limit
+ http_tokens = (var.metadata_http_tokens_required) ? "required" : "optional"
}
tag_specifications {
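Review bot: The `metadata_options` block changes behaviour for callers who never set the old `metadata_http_tokens` variable: they previously got `http_tokens = "optional"` and `http_put_response_hop_limit = 1`, and with the new defaults in variables.tf (`metadata_http_tokens_required = true`, `metadata_http_put_response_hop_limit = 2`) they silently get IMDSv2 enforced and a larger hop limit, which neither the hunk nor the commit message calls out. Requiring tokens is the safer default, but a hop limit of 2 lets the IMDS PUT response travel one extra network hop — the variable description cites containerized workloads — so callers running no containers should pass `metadata_http_put_response_hop_limit = 1` to keep instance credentials unreachable from bridged networks on the host. A comment in the block would make the trade-off visible: `# hop limit 2 lets containers on the instance reach IMDS; callers without containers should pass 1`. The `aws_launch_template` resource starts before and ends after the hunk.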
@@ -144,8 +144,7 @@ locals {
resource "aws_autoscaling_group" "default" {
count = module.this.enabled ? 1 : 0
- name = ! var.use_name_prefix ? format("%s%s", module.this.id, module.this.delimiter) : null
- name_prefix = var.use_name_prefix ? format("%s%s", module.this.id, module.this.delimiter) : null
+ name_prefix = format("%s%s", module.this.id, module.this.delimiter)
vpc_zone_identifier = var.subnet_ids
max_size = var.max_size
min_size = var.min_size
@@ -244,5 +243,6 @@ resource "aws_autoscaling_group" "default" {
lifecycle {
create_before_destroy = true
+ ignore_changes = [desired_capacity]
}
}
diff --git a/outputs.tf b/outputs.tf
index 2dd5e72..7a91d4d 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -18,6 +18,11 @@ output "autoscaling_group_name" {
value = join("", aws_autoscaling_group.default.*.name)
}
+output "autoscaling_group_tags" {
+ description = "A list of tag settings associated with the AutoScaling Group"
+ value = module.this.enabled ? aws_autoscaling_group.default[0].tags : []
+}
+
output "autoscaling_group_arn" {
description = "ARN of the AutoScaling Group"
value = join("", aws_autoscaling_group.default.*.arn)
diff --git a/variables.tf b/variables.tf
index e65b9ea..720e4de 100644
--- a/variables.tf
+++ b/variables.tf
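Review bot: `ignore_changes = [desired_capacity]` is a behaviour change unrelated to the commit's stated purpose (dropping the fixed-name option): after it, Terraform stops reconciling `desired_capacity` on existing groups, so drift from scaling activity is no longer corrected and, if the module exposes that attribute as an input, changing the input no longer produces a plan diff. If letting scaling activity own the value is intended, say so on the line, `ignore_changes = [desired_capacity] # owned by scaling activity after creation, not by Terraform`, and call it out in the release notes; otherwise it belongs in its own change. The `aws_autoscaling_group` resource starts before the hunk.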
@@ -432,25 +432,25 @@ variable "custom_alarms" {
description = "Map of custom CloudWatch alarms configurations"
}
-variable "use_name_prefix" {
+variable "metadata_http_endpoint_enabled" {
type = bool
default = true
- description = "If `true`, this will use the asg argument `name_prefix` instead of `name`"
+ description = "Set false to disable the Instance Metadata Service."
}
-variable "metadata_http_tokens" {
- type = string
- default = "optional"
+variable "metadata_http_put_response_hop_limit" {
+ type = number
+ default = 2
description = <<-EOT
- Whether or not the metadata service requires session tokens, also referred
- to as Instance Metadata Service Version 2 (IMDSv2). Can be "optional" or
- "required".
- EOT
-
- validation {
- condition = var.metadata_http_tokens == "optional" || var.metadata_http_tokens == "required"
- error_message = "Only 'optional' and 'required' are supported as values."
- }
+ The desired HTTP PUT response hop limit (between 1 and 64) for Instance Metadata Service requests.
+ The default is `2` to support containerized workloads.
+ EOT
+}
+
+variable "metadata_http_tokens_required" {
+ type = bool
+ default = true
+ description = "Set true to require IMDS session tokens, disabling Instance Metadata Service Version 1."
}
variable "tag_specifications_resource_types" {
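Review bot: `metadata_http_put_response_hop_limit` documents a range of 1 to 64 but carries no `validation` block, whereas the removed `metadata_http_tokens` variable validated its value, so an out-of-range number is now rejected only by the AWS API at apply time instead of at plan time; the block below restores a plan-time check. Separately, `metadata_http_tokens_required` defaults to `true` while the variable it replaces defaulted to `"optional"`, so callers who relied on the default get IMDSv1 disabled silently on upgrade (callers who set the old variable explicitly will see an unknown-variable error and notice); the description should say so, e.g. `description = "Set true to require IMDS session tokens, disabling Instance Metadata Service Version 1. Defaults to true, which enforces IMDSv2 on instances that previously allowed IMDSv1."`.
```terraform
variable "metadata_http_put_response_hop_limit" {
  # … unchanged: type, default, description heredoc …

  validation {
    condition     = var.metadata_http_put_response_hop_limit >= 1 && var.metadata_http_put_response_hop_limit <= 64
    error_message = "The metadata_http_put_response_hop_limit value must be between 1 and 64."
  }
}
```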