[ci] Add linter and format terraform files (#991)
* [ci] Add linter for terraform files

* [ci] Format terraform files

* [ci] Update README

* Fix hygiene ci step
barroco authored Jan 25, 2024
1 parent b423986 commit d70f571
Showing 18 changed files with 63 additions and 49 deletions.
2 changes: 2 additions & 0 deletions .github/workflows/CI.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@ Before a pull request can be merged into the master branch, it must pass all aut

### Go lint (`make go-lint`)

### Terraform lint (`make terraform-lint`)

## DSS tests (`make check-dss`)

### Deployment infrastructure tests (`make evaluate-tanka`)
Expand Down
4 changes: 3 additions & 1 deletion .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,11 +24,13 @@ jobs:
- name: Python lint
run: make python-lint
- name: Automated hygiene verification
run: make check-hygiene
run: make hygiene
- name: Shell lint
run: make shell-lint
- name: Go lint
run: make go-lint
- name: Terraform lint
run: make terraform-lint

dss-tests:
name: DSS tests
Expand Down
8 changes: 6 additions & 2 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -37,10 +37,10 @@ format:
gofmt -s -w .

.PHONY: lint
lint: python-lint shell-lint go-lint
lint: python-lint shell-lint go-lint terraform-lint

.PHONY: check-hygiene
check-hygiene: python-lint hygiene shell-lint go-lint
check-hygiene: python-lint hygiene shell-lint go-lint terraform-lint

.PHONY: python-lint
python-lint:
Expand All @@ -58,6 +58,10 @@ shell-lint:
go-lint:
echo "===== Checking Go lint (except for *.gen.go files) =====" && docker run --rm -v $(CURDIR):/dss -w /dss golangci/golangci-lint:v1.50.1 golangci-lint run --timeout 5m --skip-dirs /dss/build/workspace --skip-files '.*\.gen\.go' -v -E gofmt,bodyclose,rowserrcheck,misspell,golint,staticcheck,vet

.PHONY: terraform-lint
terraform-lint:
docker run --rm -w /opt/dss -v ./deploy:/opt/dss/deploy -e TF_LOG=TRACE hashicorp/terraform fmt -recursive -check

# This mirrors the hygiene-tests continuous integration workflow job (.github/workflows/ci.yml)
.PHONY: hygiene-tests
hygiene-tests: check-hygiene
Expand Down
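Review bot: The new `terraform-lint` target bind-mounts a relative host path (`-v ./deploy:/opt/dss/deploy`), whereas the `go-lint` target a few lines above mounts `$(CURDIR)`; relative bind-mount sources are resolved against the caller's working directory and, as far as I recall, are rejected outright by older Docker CLI versions, so `$(CURDIR)/deploy` is the safer and consistent form. The `hashicorp/terraform` image is also unpinned while `golangci/golangci-lint` is pinned to `v1.50.1`, which means the canonical formatting that CI enforces can silently change with each new `terraform` release and the lint step pulls whatever the registry currently serves — pin a tag (`hashicorp/terraform:<pinned version>`). `-e TF_LOG=TRACE` turns on core/provider trace logging for what is only a formatting check and will flood the CI log; dropping it and adding `-diff` so a failure shows the offending lines is more useful, e.g. `docker run --rm -w /opt/dss -v $(CURDIR)/deploy:/opt/dss/deploy hashicorp/terraform:<pinned version> fmt -recursive -check -diff`. A leading `echo "===== Checking Terraform format =====" &&` would match the banner style of the other lint targets.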
6 changes: 6 additions & 0 deletions deploy/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -38,3 +38,9 @@ If you wish to deploy a DSS from scratch, "Getting Started" instructions can be
- [Google (GKE)](infrastructure/modules/terraform-google-dss/README.md#Getting-started)

For a real use case, you can look into the configurations of the [CI job](../.github/workflows/dss-deploy.yml) in operations: [ci](operations/ci)

## Development

### Formatting

Terraform files must be formatted using `terraform fmt -recursive` command to pass the CI linter check.
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ resource "aws_eks_cluster" "kubernetes_cluster" {
vpc_config {
subnet_ids = aws_subnet.dss[*].id
endpoint_public_access = true
public_access_cidrs = [
public_access_cidrs = [
"0.0.0.0/0"
]
}
Expand All @@ -32,7 +32,7 @@ resource "aws_eks_node_group" "eks_node_group" {
node_role_arn = aws_iam_role.dss-cluster-node-group.arn
disk_size = 100
node_group_name_prefix = aws_eks_cluster.kubernetes_cluster.name
instance_types = [
instance_types = [
var.aws_instance_type
]

Expand Down
30 changes: 15 additions & 15 deletions deploy/infrastructure/dependencies/terraform-aws-kubernetes/iam.tf
Original file line number Diff line number Diff line change
Expand Up @@ -11,17 +11,17 @@ resource "aws_iam_role" "dss-cluster" {
name = "${var.cluster_name}-dss-cluster"

assume_role_policy = jsonencode(
{
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"Service" : "eks.amazonaws.com"
},
"Action" : "sts:AssumeRole"
}
]
{
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"Service" : "eks.amazonaws.com"
},
"Action" : "sts:AssumeRole"
}
]
})

permissions_boundary = var.aws_iam_permissions_boundary
Expand All @@ -41,14 +41,14 @@ resource "aws_iam_role" "dss-cluster-node-group" {
assume_role_policy = jsonencode({
Statement = [
{
Action = "sts:AssumeRole"
Effect = "Allow"
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "ec2.amazonaws.com"
}
}
]
Version = "2012-10-17"
Version = "2012-10-17"
})

permissions_boundary = var.aws_iam_permissions_boundary
Expand Down Expand Up @@ -84,7 +84,7 @@ resource "aws_iam_role" "AmazonEKS_EBS_CSI_DriverRole" {
// Policies

resource "aws_iam_policy" "AWSLoadBalancerControllerPolicy" {
name = "${var.cluster_name}-AWSLoadBalancerControllerPolicy"
name = "${var.cluster_name}-AWSLoadBalancerControllerPolicy"

# Source: https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html
# Template: https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.4/docs/install/iam_policy.json
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,6 @@ provider "helm" {
kubernetes {
host = aws_eks_cluster.kubernetes_cluster.endpoint
cluster_ca_certificate = base64decode(aws_eks_cluster.kubernetes_cluster.certificate_authority[0].data)
token = data.aws_eks_cluster_auth.kubernetes_cluster.token
token = data.aws_eks_cluster_auth.kubernetes_cluster.token
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ resource "aws_acm_certificate" "app_hostname" {
resource "aws_acm_certificate_validation" "app_hostname_cert" {
count = var.aws_route53_zone_id == "" ? 0 : 1
certificate_arn = aws_acm_certificate.app_hostname.arn
validation_record_fqdns = [for name in aws_acm_certificate.app_hostname.domain_validation_options.*.resource_record_name: trimsuffix(name, ".")]
validation_record_fqdns = [for name in aws_acm_certificate.app_hostname.domain_validation_options.*.resource_record_name : trimsuffix(name, ".")]
}

output "app_hostname_cert_arn" {
Expand Down
24 changes: 12 additions & 12 deletions deploy/infrastructure/dependencies/terraform-commons-dss/main.tf
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@
locals {
workspace_folder = replace(replace(var.kubernetes_context_name, "/", "_"), ":", "_")
workspace_folder = replace(replace(var.kubernetes_context_name, "/", "_"), ":", "_")
# Replace ':' and '/' characters from folder name by underscores. Those characters are used by AWS for contexts.
workspace_location = abspath("${path.module}/../../../../build/workspace/${local.workspace_folder}")
}

resource "local_file" "tanka_config_main" {
content = templatefile("${path.module}/templates/main.jsonnet.tmp", {
content = templatefile("${path.module}/templates/main.jsonnet.tmp", {
root_path = path.module
VAR_NAMESPACE = var.kubernetes_namespace
VAR_CLUSTER_CONTEXT = var.kubernetes_context_name
Expand Down Expand Up @@ -33,7 +33,7 @@ resource "local_file" "tanka_config_main" {
}

resource "local_file" "tanka_config_spec" {
content = templatefile("${path.module}/templates/spec.json.tmp", {
content = templatefile("${path.module}/templates/spec.json.tmp", {
root_path = path.module
namespace = var.kubernetes_namespace
cluster_context = var.kubernetes_context_name
Expand All @@ -43,7 +43,7 @@ resource "local_file" "tanka_config_spec" {
}

resource "local_file" "make_certs" {
content = templatefile("${path.module}/templates/make-certs.sh.tmp", {
content = templatefile("${path.module}/templates/make-certs.sh.tmp", {
cluster_context = var.kubernetes_context_name
namespace = var.kubernetes_namespace
node_address = join(" ", var.crdb_internal_nodes[*].dns)
Expand All @@ -53,15 +53,15 @@ resource "local_file" "make_certs" {
}

resource "local_file" "apply_certs" {
content = templatefile("${path.module}/templates/apply-certs.sh.tmp", {
content = templatefile("${path.module}/templates/apply-certs.sh.tmp", {
cluster_context = var.kubernetes_context_name
namespace = var.kubernetes_namespace
})
filename = "${local.workspace_location}/apply-certs.sh"
}

resource "local_file" "get_credentials" {
content = templatefile("${path.module}/templates/get-credentials.sh.tmp", {
content = templatefile("${path.module}/templates/get-credentials.sh.tmp", {
get_credentials_cmd = var.kubernetes_get_credentials_cmd
})
filename = "${local.workspace_location}/get-credentials.sh"
Expand Down Expand Up @@ -96,11 +96,11 @@ resource "local_file" "helm_chart_values" {

loadBalancers = {
cockroachdbNodes = [
for ip in var.crdb_internal_nodes[*].ip :
{
ip = ip
subnet = var.workload_subnet
}
for ip in var.crdb_internal_nodes[*].ip :
{
ip = ip
subnet = var.workload_subnet
}
]

dssGateway = {
Expand All @@ -114,7 +114,7 @@ resource "local_file" "helm_chart_values" {
image = local.image

conf = {
pubKeys = [
pubKeys = [
"/test-certs/auth2.pem"
]
jwksEndpoint = var.authorization.jwks != null ? var.authorization.jwks.endpoint : ""
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ variable "image_pull_secret" {
Example: docker-registry
EOT
default = ""
default = ""
}

variable "authorization" {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
aws_region = "eu-west-1"

# DNS Management
aws_route53_zone_id = "Z01551234567890123456"
aws_route53_zone_id = "Z01551234567890123456"

# Hostnames
app_hostname = "dss.interuss.example.com"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -132,7 +132,7 @@ variable "image_pull_secret" {
Example: docker-registry
EOT
default = ""
default = ""
}

variable "authorization" {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ google_machine_type = "e2-medium"
google_kubernetes_storage_class = "standard"

# DSS configuration
image = "latest"
image = "latest"
image_pull_secret = ""
authorization = {
public_key_pem_path = "/test-certs/auth2.pem"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -123,7 +123,7 @@ variable "image_pull_secret" {
Example: docker-registry
EOT
default = ""
default = ""
}

variable "authorization" {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,5 +17,5 @@ variable "image_pull_secret" {
Example: docker-registry
EOT
default = ""
default = ""
}
10 changes: 5 additions & 5 deletions deploy/operations/ci/aws-1/kubernetes_admin_access.tf
Original file line number Diff line number Diff line change
Expand Up @@ -4,30 +4,30 @@
resource "local_file" "aws-auth-config-map" {
content = yamlencode({
apiVersion = "v1"
kind = "ConfigMap"
kind = "ConfigMap"
metadata = {
name = "aws-auth"
namespace = "kube-system"
}
data = {
mapRoles = yamlencode([
{
groups = [
groups = [
"system:bootstrappers",
"system:nodes"
]
rolearn = module.terraform-aws-dss.iam_role_node_group_arn
username = "system:node:{{EC2PrivateDNSName}}"
},
{
groups = [
groups = [
"system:masters"
]
rolearn = var.aws_iam_administrator_role
username = "interuss-aws-administrator"
},
{
groups = [
groups = [
"system:masters"
]
rolearn = var.aws_iam_ci_role
Expand All @@ -37,5 +37,5 @@ resource "local_file" "aws-auth-config-map" {
}
})

filename = "${module.terraform-aws-dss.workspace_location}/aws_auth_config_map.yml"
filename = "${module.terraform-aws-dss.workspace_location}/aws_auth_config_map.yml"
}
6 changes: 3 additions & 3 deletions deploy/operations/ci/aws-1/terraform.tfvars
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ aws_region = "us-east-1"
aws_route53_zone_id = "Z03377073HUSGB4L9FKEK"

# Hostnames
app_hostname = "dss.ci.aws-interuss.uspace.dev"
app_hostname = "dss.ci.aws-interuss.uspace.dev"
crdb_hostname_suffix = "db.ci.aws-interuss.uspace.dev"

# Kubernetes configuration
Expand All @@ -26,5 +26,5 @@ crdb_locality = "interuss_dss-ci-aws-ue1"
crdb_external_nodes = []

aws_iam_permissions_boundary = "arn:aws:iam::301042233698:policy/GithubCIPermissionBoundaries20231130225039606500000001"
aws_iam_administrator_role = "arn:aws:iam::301042233698:role/AWSReservedSSO_AdministratorAccess_9b637c80b830ea2c"
aws_iam_ci_role = "arn:aws:iam::301042233698:role/InterUSSGithubCI"
aws_iam_administrator_role = "arn:aws:iam::301042233698:role/AWSReservedSSO_AdministratorAccess_9b637c80b830ea2c"
aws_iam_ci_role = "arn:aws:iam::301042233698:role/InterUSSGithubCI"
2 changes: 1 addition & 1 deletion deploy/operations/ci/aws-1/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -132,7 +132,7 @@ variable "image_pull_secret" {
Example: docker-registry
EOT
default = ""
default = ""
}

variable "authorization" {
Expand Down
