Terraform module to create Terraform drift, plan, and apply CodePipelines. It creates:
- CodePipeline to run Terraform plan/apply operations. This pipeline contains a manual review step.
- CodePipeline to run drift check on target resources. This pipeline is scheduled with a cron expression.
- CodeBuild projects to support the CodePipelines
- IAM Policies and Roles to support the CodePipelines
- Notifications of Pipeline/Build status sent to Teams
This module uses automated GitHub releases. To create a new release:
- Tag your commit with a semantic version:
  ```sh
  git tag v4.0.2
  git push origin v4.0.2
  ```
- The GitHub Actions workflow will automatically:
  - Create a new GitHub release
  - Generate release notes from commits and PRs
  - Mark pre-release versions (e.g., `v4.1.0-beta`) appropriately

Tag formats supported:
- Stable releases: `v1.2.3`
- Pre-releases: `v1.2.3-alpha`, `v1.2.3-beta`, `v1.2.3-rc1`
To do:
- Add configuration options, e.g., send notifications to an existing SNS topic instead of creating a new one.
- More documentation
Changelog, most recent release first:
- Fix CodeBuild failure notification configuration.
- Update the "plan" step of the "apply" pipeline to use new capabilities in the "drift" script to ignore specific resources during the "plan" step.
- Update the "plan" step to terminate the pipeline early if no changes are detected (after accounting for ignored resources).
- Enhance "drift" process to generate plan output that can be used in the "apply" step.
- Expand the buildspec cache path for Terraform files.
- Convert the format of CodeBuild failure notifications to Chatbot custom message format.
- Add EventBridge rule to capture CodePipeline stopped events and send them to Chatbot for notification. "Stopped" is not one of the standard CodePipeline notification events, so this is done via EventBridge.
- Add `semantic_version` variable to allow versioning of scripts deployed by this module in S3. Resources that use this module should pass in their own semantic version.
- Enhance drift buildspec to ignore resources listed in a `plan.ignore-resources.txt` present in the source Terraform configuration. Thus a Terraform plan that shows no changes other than (possibly) the resources in `plan.ignore-resources.txt` will be treated as no drift detected.
- Add scripts used by drift buildspec to the shared CodePipeline S3 bucket.
- Add lifecycle policy to CodePipeline S3 bucket to expire objects older than `expire_days` days (default 180 days).
- Set `TF_RECREATE_MISSING_LAMBDA_PACKAGE` to `false` in drift buildspec to avoid issues with missing Lambda packages when using the `terraform-aws-modules/lambda/aws` module.
- Propagate global tags to drift pipeline, which was previously not tagged.
- Add GitHub action to automatically create GitHub releases when a new semantic version tag is pushed.
- Add an "alert" SNS topic that is used for all notifications that represent some sort of abnormal situation (e.g., pipeline failure, abort, stop). The existing "notify" SNS topic will be used for normal situations (e.g., pipeline success). The ARN for the "alert" topic is available as the `alerts_sns_topic_arn` output value.
- Add `notify_topic_tags` and `alert_topic_tags` variables to allow specific tagging of the SNS topics this module creates.
- Add `logs:ListTagsForResource` privs to build and apply roles
- Add public access block (`aws_s3_bucket_public_access_block`) to resource/pipeline bucket
- Add bucket policy (`aws_s3_bucket_policy`) blocking insecure transport to resource/pipeline bucket
- Add `aws_s3_bucket_server_side_encryption_configuration` to resource/pipeline bucket
- Remove private ACL from resource/pipeline bucket
- Add `aws_s3_bucket_ownership_controls` for resource/pipeline bucket
- Loosen version restriction on `hashicorp/archive` provider.
- Update references from old `CU-CommunityApps` GitHub Organization to new `cu-cit-cloud-team` GitHub Organization.
- add tags to IAM role and policy resources
- added minimum version of v4.9.0 for AWS provider
- added `aws_s3_bucket_acl` resource. This will require that the existing `aws_s3_bucket_acl` configuration be imported: `terraform import module.example.aws_s3_bucket_acl.codepipeline_bucket bucket-name,private,private`
- removed `acl` property from `aws_s3_bucket`
- added global tags to `build-drift` CloudWatch log group
- added `log_retention_in_days` variable to allow customization of how long logs are kept
- Added tags to `build-plan` CodeBuild project, which was missed in v3.0.0 release.
- add output consisting of the ARN of SNS topic where CodePipeline and CodeBuild notifications are sent
- remove use of `tf-module-sns-teams-relay` module
- add tags to all resources that can be tagged
- added `TF_LOG` configuration option
- added `iam:GetPolicy` and `iam:GetPolicyVersion` privileges for the policies passed in as `resource_plan_policy_arns` and `resource_apply_policy_arns`
- bump `tf-module-sns-teams-relay` version to 1.1.0
- removed unused `environment` variable
- rename `build_cron` variable to `drift_cron`
- added minimal documentation
- Initial release that is lacking in documentation and subtlety
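The changelog entries above describe discounting the resources listed in `plan.ignore-resources.txt` when deciding whether a plan represents drift (drift pipeline) or whether the "plan" step has anything to apply. The following is an added example of that decision logic, not the module's own buildspec script; it assumes the ignore file holds one resource address per line and that the plan is the JSON output of `terraform show -json`.

```python
"""Drift decision after discounting ignored resources (added example, not the
module's own drift script). Assumptions not stated in the README: the ignore
file holds one resource address per line ('#' comments and blank lines are
skipped) and the plan is the JSON from `terraform show -json <planfile>`."""
import json

NON_MUTATING_ACTIONS = {"no-op", "read"}  # planned actions that change nothing


def load_ignore_list(text: str) -> set[str]:
    """Parse plan.ignore-resources.txt content into a set of addresses."""
    addresses = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if line:
            addresses.add(line)
    return addresses


def changed_resources(plan_json: str) -> dict[str, list[str]]:
    """Map resource address -> planned actions for every mutating change."""
    changes = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        actions = rc["change"]["actions"]
        if set(actions) - NON_MUTATING_ACTIONS:  # create/update/delete/replace
            changes[rc["address"]] = actions
    return changes


def drift_detected(plan_json: str, ignore_text: str) -> dict[str, list[str]]:
    """Mutating changes not on the ignore list. An empty result means
    'no drift' in the drift pipeline and 'nothing to apply' in the plan step."""
    ignored = load_ignore_list(ignore_text)
    return {addr: acts for addr, acts in changed_resources(plan_json).items()
            if addr not in ignored}


# Constructed sample plan (trimmed to the keys used here) and ignore file.
SAMPLE_PLAN = json.dumps({"format_version": "1.2", "resource_changes": [
    {"address": "aws_s3_bucket.codepipeline_bucket", "change": {"actions": ["no-op"]}},
    {"address": "aws_lambda_function.rotate", "change": {"actions": ["update"]}},
    {"address": "aws_cloudwatch_log_group.build_drift", "change": {"actions": ["update"]}},
]})
SAMPLE_IGNORE = "# Lambda package is rebuilt every run; ignore it\naws_lambda_function.rotate\n"

if __name__ == "__main__":
    drift = drift_detected(SAMPLE_PLAN, SAMPLE_IGNORE)
    print("DRIFT:" if drift else "no drift", drift)
```

Ignoring an address only silences the drift decision; the ignored resource still appears in the plan, so an over-broad ignore list hides real changes and should be reviewed like any other change to the configuration.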
See descriptions in `variables.tf`.
None.
Example usage:
```hcl
module "apply_pipeline" {
  source    = "github.com/cu-cit-cloud-team/tf-module-apply-pipeline.git?ref=v1.0.0"
  namespace = "tf-example"

  # cornell-cloud-devops-GH-user
  github_codestarconnections_connection_arn = "arn:aws:codestar-connections:us-east-1:123456789012:connection/abcdef123456"

  terraform_version      = "1.0.10"
  terraform_state_bucket = "my-tf-bucket"
  terraform_state_key    = "prod/tf-example/resources/terraform.state"

  github_repo = "cu-cit-cloud-team/tf-example"
  git_branch  = "main"

  resource_plan_policy_arns = [
    "arn:aws:iam::123456789012:policy/tf-example-plan-privs"
  ]
  resource_apply_policy_arns = [
    "arn:aws:iam::123456789012:policy/tf-example-apply-privs"
  ]

  global_tags = {
    Terraform   = "true"
    Environment = "dev"
    Application = "tf-example"
  }
}
```