Releases: suzuki-shunsuke/tfaction
v0.7.1
Issues | Pull Requests | v0.7.0...v0.7.1 | Base revision
Features
#1233 setup: Support pull_request_target
tfaction works with the pull_request_target event.
v0.7.0
Issues | Pull Requests | v0.6.9...v0.7.0 | Base revision
💡 This release includes significant security improvements, so we strongly recommend upgrading to v0.7.0 or later as soon as possible.
Overview
- Breaking Changes
- Features
⚠️ Breaking Changes
#1175 The setting plan_workflow_name is required in tfaction-root.yaml.
plan_workflow_name: <GitHub Actions Workflow name running terraform-plan action>
e.g.
plan_workflow_name: test
#1175 The terraform-apply action's github_token input, which is the GitHub Actions token ${{github.token}} by default, requires the additional permission actions: read.
How to upgrade
1. Create a pull request to upgrade tfaction
- Update tfaction
- Add the setting plan_workflow_name to tfaction-root.yaml
- Remove the unnecessary settings s3_bucket_name_plan_file and gcs_bucket_name_plan_file from tfaction-root.yaml and tfaction.yaml
- Add the permission actions: read to the terraform-apply action's github_token input, which is the GitHub Actions token ${{github.token}} by default
  - If you use a GitHub App or personal access token, please add the permission actions: read to the token or App
  - 📝 The permission is necessary to download plan files from GitHub Actions Artifacts before running terraform apply
2. Verify the upgrade with a working directory in the upgrade pull request
3. If CI works well, merge the pull request
4. Update all pull request branches to create plan files at GitHub Actions Artifacts
This is an example script to update pull request branches.
#!/usr/bin/env bash
# Update the branch of every open pull request (up to 100) so that the plan
# workflow runs again and uploads its plan file to GitHub Actions Artifacts.
set -euo pipefail
while read -r pr_number; do
  echo "===> Update PR $pr_number" >&2
  # `|| :` keeps the loop going when a branch can't be updated (e.g. merge conflicts).
  gh api -X PUT "repos/{owner}/{repo}/pulls/${pr_number}/update-branch" || :
done < <(gh pr list --json number -L 100 -q ".[].number")
If you merge a pull request without updating the pull request branch, apply would fail because the plan file wouldn't be found in GitHub Actions Artifacts. In that case, please merge a follow-up pull request, and the issue will be resolved.
5. Remove unnecessary resources such as S3 or GCS buckets for plan files and permissions to access plan files
- If you use terraform-aws-tfaction, please update it to v0.2.0 or later
⚠️ To delete a non-empty S3 bucket, please see s3_bucket#force_destroy
Features
#1175 Change the storage of plan files from S3 or GCS to GitHub Actions' Artifacts
#1174 Validate that the pull request workflow run's commit hash is the same as the hash of the pull request HEAD
Change the storage of plan files from S3 or GCS to GitHub Actions' Artifacts
tfaction used to store plan files in S3 or GCS, but tfaction v0.7.0 migrates them to GitHub Actions Artifacts.
With this change you don't have to create and manage S3 or GCS buckets.
Furthermore, S3 or GCS had a security risk: plan files could be tampered with.
Files can be uploaded to GitHub Actions Artifacts only from the associated workflow run, and they can't be tampered with from outside that workflow run.
GitHub Actions Artifacts have a retention period, so plan files are removed after the retention period.
The default retention period is 90 days, and we think that is enough.
Validate that the pull request workflow run's commit hash is the same as the hash of the pull request HEAD
If the workflow run's commit hash is old, the workflow run fails.
Retrying an old workflow run is confusing because the old workflow run's results are posted to the pull request as if they were the latest result.
This validation prevents old workflow runs from being retried and resolves the issue.
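The run selection and the HEAD check described above, as an added example that is not tfaction's own code: the record shapes mirror the GitHub REST API fields for workflow runs (id, name, head_sha, status, conclusion) and pull requests (head.sha), while the function names and the sample records are assumptions made for this illustration.

```javascript
// Added example, not tfaction's own code: how the apply side can locate the plan
// workflow run for a pull request and refuse stale runs. Field names mirror the
// GitHub REST API; function names and sample records are assumptions.

// Constructed sample of workflow runs for one repository (not real data).
const SAMPLE_RUNS = [
  { id: 101, name: "test", head_sha: "aaaa111", status: "completed", conclusion: "success" },
  { id: 102, name: "lint", head_sha: "bbbb222", status: "completed", conclusion: "success" },
  { id: 103, name: "test", head_sha: "bbbb222", status: "completed", conclusion: "failure" },
  { id: 104, name: "test", head_sha: "bbbb222", status: "completed", conclusion: "success" },
];

// Constructed sample pull request whose HEAD is bbbb222.
const SAMPLE_PR = { number: 42, head: { sha: "bbbb222" } };

// The check from "Validate that the pull request workflow run's commit hash ...":
// a run created for an older commit must not be reused, even if someone re-runs it
// from the Actions UI, because its results would be posted as if they were current.
function validateRunHead(run, pr) {
  if (run.head_sha !== pr.head.sha) {
    throw new Error(
      `workflow run ${run.id} ran for ${run.head_sha} but the pull request HEAD is ${pr.head.sha}`
    );
  }
  return true;
}

// Find the newest successful run of the workflow named by plan_workflow_name for the
// pull request HEAD. Downloading that run's artifact is what needs `actions: read`.
// Returns null when no such run exists; apply should then fail instead of falling
// back to an artifact produced for a different commit.
function findPlanRun(runs, planWorkflowName, pr) {
  const candidates = runs.filter(
    (r) =>
      r.name === planWorkflowName &&
      r.head_sha === pr.head.sha &&
      r.status === "completed" &&
      r.conclusion === "success"
  );
  if (candidates.length === 0) {
    return null;
  }
  const run = candidates.reduce((a, b) => (b.id > a.id ? b : a));
  validateRunHead(run, pr);
  return run;
}
```

With the constructed data, findPlanRun(SAMPLE_RUNS, "test", SAMPLE_PR) selects run 104 (run 103 failed, run 101 belongs to an older commit), and validateRunHead rejects run 101 against the pull request.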
Thank you for your support ❤️
We really appreciate your support.
We couldn't release v0.7.0 without your support.
We called for testers for this release, and many people helped us!
They conducted tests with the prerelease version. Thank you very much!
And thank you to everyone who reposted my post!
v0.7.0-1
Issues | Pull Requests | v0.6.9...v0.7.0-1 | Base revision
The notes for this prerelease are identical to those of v0.7.0 above.
v0.6.9
Issues | Pull Requests | v0.6.8...v0.6.9 | Base revision
Bug Fixes
#1171 update-drift-issue: Skip posting a comment if Drift Detection is disabled on the working directory
Fixed a bug that update-drift-issue failed due to TFACTION_DRIFT_ISSUE_NUMBER: unbound variable if Drift Detection was disabled on the working directory.
#1172 test-module: Stop running terraform validate
terraform validate may fail even if modules are valid, so we have stopped running terraform validate in test-module.
v0.6.8
Issues | Pull Requests | v0.6.7...v0.6.8 | Base revision
Features
#1118 setup: Support updating aqua-checksums.json
#1150 #1151 update-drift-issue: Post a comment if CI failed and no comment was posted
setup: Support updating aqua-checksums.json
Support updating aqua-checksums.json
by aquaproj/update-checksum-action.
By default, this feature is disabled.
To enable it, please configure it in tfaction-root.yaml
.
tfaction-root.yaml
aqua:
  update_checksum:
    # Update aqua-checksums.json in `setup` action
    enabled: true # default is false
    skip_push: false # default is false
    prune: true # default is false
update-drift-issue: Post a comment if CI failed and no comment was posted
The update-drift-issue action now posts a comment if CI fails and no comment has been posted.
This update resolves the issue that issues were sometimes reopened without any comment.
Bug Fixes
#1152 update-drift-issue: Fixed a bug in the update-drift-issue action where issues weren't updated properly if the issues are managed in another repository
#1154 get-global-config: Fixed outputs
#1156 get-target-config: Fixed outputs
Others
#1154 setup: Output get-global-config and get-target-config's outputs for troubleshooting
💡 Update tfaction-go to v0.2.2 or later
https://github.com/suzuki-shunsuke/tfaction-go/releases/tag/v0.2.2
Please update tfaction-go to v0.2.2 or later.
v0.6.7
Issues | Pull Requests | v0.6.6...v0.6.7 | Base revision
Features
#1128 Support tfsec v1.28.2. Parse the output of tfsec properly
As of tfsec v1.28.2, tfsec prints the transition message to standard output.
e.g.
======================================================
tfsec is joining the Trivy family
tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.
You can read more here:
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
{
"results": []
}
Because of this message, this action couldn't parse the output as JSON.
Parsing tfsec result
Error: Unexpected token = in JSON at position 1
This release makes it possible to parse the output properly by removing the transition message before parsing the output as JSON.
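An added example (not the code of tfaction or github-action-tfsec) of stripping the transition banner before parsing the JSON. The sample output is constructed from the message quoted above, and the function names are assumptions; a plain JSON.parse of the raw output fails the way the error above shows, while the banner-aware parser returns the results array.

```javascript
// Added example, not the project's code: parse tfsec JSON output that may be
// preceded by the v1.28.2 transition banner. Function names are assumptions.

// Constructed sample mirroring the tfsec v1.28.2 output quoted in the release note.
const SAMPLE_TFSEC_OUTPUT = `======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
{
  "results": []
}
`;

// Drop everything before the first line that starts the JSON document ("{" or "[").
// Matching on a line start avoids being fooled by braces inside the banner prose.
function stripTfsecBanner(output) {
  const lines = output.split("\n");
  const start = lines.findIndex((l) => /^\s*[\[{]/.test(l));
  if (start === -1) {
    throw new Error("no JSON document found in tfsec output");
  }
  return lines.slice(start).join("\n");
}

// Parse the cleaned output and normalise it so callers can always iterate over
// `results`: a missing or null results field is treated as "no findings".
function parseTfsecOutput(output) {
  const parsed = JSON.parse(stripTfsecBanner(output));
  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
    throw new Error("tfsec output is not a JSON object");
  }
  return { ...parsed, results: Array.isArray(parsed.results) ? parsed.results : [] };
}
```

The banner starts with "=", which is why the original error reported an unexpected "=" token; stripping by line start rather than by a fixed banner text also survives wording changes in the message.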
Please see https://github.com/suzuki-shunsuke/github-action-tfsec/releases/tag/v0.1.9 too.
v0.6.6
Issues | Pull Requests | v0.6.5...v0.6.6 | Base revision
🐛 Bug Fixes
#1114 test-module: Fix a bug where it fails to push a commit with ghcp @kyontan
This bug occurs if the Terraform Module document isn't up to date.
🎉 New Contributors 🎉
Thank you for your contribution!
v0.6.5
Issues | Pull Requests | v0.6.4...v0.6.5 | Base revision
Features
#1111 scaffold-module, scaffold-working-dir: Support scaffolding linters conditionally
By default, these actions generate aqua.yaml and add linters to aqua.yaml.
From this release, these actions add only enabled linters to aqua.yaml.
The default behaviour isn't changed, so tfsec and tflint are added.
If linters are enabled or disabled in tfaction-root.yaml, only enabled linters are added to aqua.yaml.
For example, if tfsec is disabled and trivy is enabled, trivy and tflint are added to aqua.yaml.
v0.6.4
Issues | Pull Requests | v0.6.3...v0.6.4 | Base revision
Features
#1110 test-module: Support Trivy and disabling linters tflint, tfsec, and trivy
This follows up #1106 (tfaction v0.6.3).
In addition to the test action, the test-module action also supports Trivy and disabling the linters tflint, tfsec, and trivy.
The configuration is the same as for the test action, so please see the release note for v0.6.3.
v0.6.3
Issues | Pull Requests | v0.6.2...v0.6.3 | Base revision
Features
#1106 test: Support enabling Trivy and disabling tflint and tfsec
The test action used to run tflint and tfsec.
From this release, the test action supports running Trivy and no longer running tflint and tfsec.
The default behaviour isn't changed, so the test action runs tflint and tfsec and doesn't run Trivy by default.
To run Trivy, you need to install Trivy by aqua.
aqua g -i aquasecurity/trivy
You can enable or disable Trivy, tfsec, and tflint in tfaction-root.yaml.
tfsec:
  enabled: false # By default, this is true
trivy:
  enabled: true # By default, this is false
# tflint:
#   enabled: true # By default, this is true
We will consider allowing these settings to be configured in tfaction-root.yaml's target_groups and in tfaction.yaml too if necessary.
Background
- https://github.com/suzuki-shunsuke/tfaction/discussions/957
- https://github.com/aquasecurity/tfsec/discussions/1994
- https://github.com/aquasecurity/tfsec/blob/master/docs/index.md#-tfsec-to-trivy-migration
The tfsec maintainers encourage the tfsec community to transition to Trivy,
so tfaction needed to support migrating from tfsec to Trivy.
tfsec doesn't support Terraform's import block, and the issue was closed because the maintainers encourage migrating to Trivy.
https://github.com/aquasecurity/tfsec/issues/2070#issuecomment-1673920879
So you should migrate from tfsec to Trivy in the near future.
Scaffold working directories
If you want to use Trivy instead of tfsec in new working directories, you should skip creating aqua.yaml by following the guide: https://suzuki-shunsuke.github.io/tfaction/docs/feature/scaffold-working-dir#-skip-creating-aquayaml-and-adding-packages
tfaction-root.yaml
scaffold_working_directory:
  skip_adding_aqua_packages: true
And please add aqua.yaml to templates.
aqua init
aqua g -i open-policy-agent/conftest terraform-linters/tflint aquasecurity/trivy hashicorp/terraform
Known issues
The test-module action doesn't support Trivy and doesn't support enabling and disabling linters.
We will work on it.
Fixes
#1102 test: Enable tfsec's --ignore-hcl-errors to prevent the parse error on Terraform's import block
- suzuki-shunsuke/github-action-tfsec#612
- https://github.com/aquasecurity/tfsec/issues/2070#issuecomment-1669056215
You don't need to do anything.
tfsec is always run with --ignore-hcl-errors to prevent the parse error on Terraform's import block.
tfsec doesn't support Terraform's import block, but --ignore-hcl-errors can be used as a workaround. https://github.com/aquasecurity/tfsec/issues/2070#issuecomment-1669056215