Allow conftest policy directory to be specified in global config (#1519)

* Allow conftest policy directory to be specified in global config Fixes #85 * style: format by prettier * fix: fix TypeScript compilation error and update tfmigrate-plan * chore: cmdx build ```sh cmdx build ``` * docs: update JSON Schema * style: format * fix: fix typo * fix: fail action if conftest_policy_directory is set but the directory isn't found --------- Co-authored-by: Shunsuke Suzuki <[email protected]>
suzuki-shunsuke · Feb 9, 2024 · bbfae9e · bbfae9e
1 parent 1d13aae
commit bbfae9e
Show file tree

Hide file tree

Showing 17 changed files with 71 additions and 53 deletions.
diff --git a/check-terraform-skip/dist/index.js b/check-terraform-skip/dist/index.js
diff --git a/export-aws-secrets-manager/dist/index.js b/export-aws-secrets-manager/dist/index.js
diff --git a/get-global-config/dist/index.js b/get-global-config/dist/index.js
diff --git a/get-global-config/src/run.test.ts b/get-global-config/src/run.test.ts
@@ -14,6 +14,7 @@ test("default", () => {
       draft_pr: false,
       skip_create_pr: false,
       plan_workflow_name: "plan",
+      conftest_policy_directory: "",
 
       label_prefix_target: "target:",
       label_prefix_tfmigrate: "tfmigrate:",
@@ -79,6 +80,7 @@ test("customize", () => {
       renovate_login: "renovate-custom[bot]",
       draft_pr: true,
       skip_create_pr: true,
+      conftest_policy_directory: "terraform/policy",
 
       label_prefix_target: "target:",
       label_prefix_tfmigrate: "tfmigrate:",
@@ -111,6 +113,7 @@ test("customize", () => {
         renovate_login: "renovate-custom[bot]",
         draft_pr: true,
         skip_create_pr: true,
+        conftest_policy_directory: "terraform/policy",
       },
       {
         repository: "",

diff --git a/get-global-config/src/run.ts b/get-global-config/src/run.ts
@@ -19,6 +19,7 @@ interface Outputs {
   draft_pr: boolean;
   skip_create_pr: boolean;
   plan_workflow_name: string;
+  conftest_policy_directory: string;
 
   label_prefix_target: string;
   label_prefix_tfmigrate: string;
@@ -55,6 +56,7 @@ export const main = (config: lib.Config, input: Input): Result => {
     draft_pr: !!config.draft_pr,
     skip_create_pr: !!config.skip_create_pr,
     plan_workflow_name: config.plan_workflow_name,
+    conftest_policy_directory: config.conftest_policy_directory ?? "",
 
     label_prefix_target: config?.label_prefixes?.target || "target:",
     label_prefix_tfmigrate: config?.label_prefixes?.tfmigrate || "tfmigrate:",

diff --git a/get-target-config/dist/index.js b/get-target-config/dist/index.js
diff --git a/lib/dist/index.d.ts b/lib/dist/index.d.ts
diff --git a/lib/dist/index.js b/lib/dist/index.js
diff --git a/lib/src/index.ts b/lib/src/index.ts
@@ -148,6 +148,7 @@ const Config = z.object({
     }),
   ),
   base_working_directory: z.optional(z.string()),
+  conftest_policy_directory: z.optional(z.string()),
   draft_pr: z.optional(z.boolean()),
   drift_detection: z.optional(
     z.object({

diff --git a/list-targets-with-changed-files/dist/index.js b/list-targets-with-changed-files/dist/index.js
diff --git a/schema/tfaction-root.json b/schema/tfaction-root.json
@@ -23,19 +23,15 @@
             "type": "string",
             "description": "the prefix of the target"
           },
-
           "aws_assume_role_arn": {
             "$ref": "#/$defs/AWSAssumeRoleARN"
           },
-
           "aws_region": {
             "$ref": "#/$defs/AWSRegion"
           },
-
           "aws_secrets_manager": {
             "$ref": "#/$defs/AWSSecretsManager"
           },
-
           "drift_detection": {
             "type": "object",
             "required": [],
@@ -47,11 +43,9 @@
               }
             }
           },
-
           "envs": {
             "$ref": "#/$defs/Envs"
           },
-
           "gcp_service_account": {
             "$ref": "#/$defs/GCPServiceAccount"
           },
@@ -61,23 +55,18 @@
           "gcs_bucket_name_tfmigrate_history": {
             "$ref": "#/$defs/GCSBucketNameTfmigrateHistory"
           },
-
           "providers_lock_opts": {
             "$ref": "#/$defs/TerraformProvidersLockOptions"
           },
-
           "s3_bucket_name_tfmigrate_history": {
             "$ref": "#/$defs/S3BucketNameTfmigrateHistory"
           },
-
           "secrets": {
             "$ref": "#/$defs/Secrets"
           },
-
           "template_dir": {
             "$ref": "#/$defs/TemplateDir"
           },
-
           "terraform_plan_config": {
             "$ref": "#/$defs/JobConfig",
             "description": "configuration which is used in the job for 'terraform plan'"
@@ -97,7 +86,6 @@
         }
       }
     },
-
     "aqua": {
       "type": "object",
       "description": "configuration about aqua",
@@ -125,19 +113,21 @@
         }
       }
     },
-
     "base_working_directory": {
       "type": "string",
       "description": "tfaction searches working directories in this directory",
       "default": "current directory"
     },
-
+    "conftest_policy_directory": {
+      "type": "string",
+      "description": "Conftest policy directory",
+      "default": "policy"
+    },
     "draft_pr": {
       "type": "boolean",
       "description": "If this is true, tfaction creates pull requests as draft",
       "default": false
     },
-
     "drift_detection": {
       "type": "object",
       "description": "Drift Detection",
@@ -169,11 +159,9 @@
         }
       }
     },
-
     "envs": {
       "$ref": "#/$defs/Envs"
     },
-
     "label_prefixes": {
       "type": "object",
       "description": "Pull Request label prefixes",
@@ -195,17 +183,14 @@
         }
       }
     },
-
     "providers_lock_opts": {
       "$ref": "#/$defs/TerraformProvidersLockOptions"
     },
-
     "renovate_login": {
       "type": "string",
       "description": "Renovate App login",
       "default": "renovate[bot]"
     },
-
     "renovate_terraform_labels": {
       "type": "array",
       "description": "This attribute is ignored if `skip_terraform_by_renovate` is false. If any one of labels in `renovate_terraform_labels` is set to the pull request, tfaction would run `terraform plan` and `terraform apply`. [Detail](https://suzuki-shunsuke.github.io/tfaction/docs/feature/support-skipping-terraform-renovate-pr)",
@@ -214,7 +199,6 @@
         "description": "Pull Request label name"
       }
     },
-
     "scaffold_working_directory": {
       "type": "object",
       "description": "configuration about scaffold-working-directory",
@@ -226,19 +210,16 @@
         }
       }
     },
-
     "skip_create_pr": {
       "type": "boolean",
       "description": "If this is true, tfaction skips creating pull requests. [Detail](https://suzuki-shunsuke.github.io/tfaction/docs/feature/skip-creating-pr)",
       "default": false
     },
-
     "skip_terraform_by_renovate": {
       "type": "boolean",
       "description": "If this is true, `terraform plan` and `terraform apply` are skipped in case of pull request by Renovate. [Detail](https://suzuki-shunsuke.github.io/tfaction/docs/feature/support-skipping-terraform-renovate-pr)",
       "default": false
     },
-
     "tflint": {
       "type": "object",
       "properties": {
@@ -249,7 +230,6 @@
         }
       }
     },
-
     "tfsec": {
       "type": "object",
       "properties": {
@@ -260,7 +240,6 @@
         }
       }
     },
-
     "trivy": {
       "type": "object",
       "properties": {
@@ -271,7 +250,6 @@
         }
       }
     },
-
     "update_related_pull_requests": {
       "type": "object",
       "description": "update related pull requests",
@@ -283,7 +261,6 @@
         }
       }
     },
-
     "working_directory_file": {
       "type": "string",
       "description": "working directory configuration file name",

diff --git a/terraform-plan/action.yaml b/terraform-plan/action.yaml
@@ -35,6 +35,7 @@ runs:
         RENOVATE_LOGIN: ${{ steps.global-config.outputs.renovate_login }}
         HEAD_SHA: ${{github.event.pull_request.head.sha}}
         DESTROY: ${{ steps.target-config.outputs.destroy }}
+        CONFTEST_POLICY_DIRECTORY: ${{ steps.global-config.outputs.conftest_policy_directory }}
 
     - run: echo "value=terraform_plan_file_${TFACTION_TARGET//\//__}" >> "$GITHUB_OUTPUT"
       id: artifact_name

diff --git a/terraform-plan/conftest.sh b/terraform-plan/conftest.sh
@@ -2,10 +2,21 @@
 
 set -euo pipefail
 
+if [ -n "$CONFTEST_POLICY_DIRECTORY" ] && [ ! -d "$ROOT_DIR/$CONFTEST_POLICY_DIRECTORY" ]; then
+	echo "::error::The conftest directory $CONFTEST_POLICY_DIRECTORY isn't found"
+	exit 1
+fi
+
+CONFTEST_POLICY_DIRECTORY=$ROOT_DIR/${CONFTEST_POLICY_DIRECTORY:-policy}
+
+if [ ! -d "$CONFTEST_POLICY_DIRECTORY" ]; then
+	exit 0
+fi
+
 github-comment exec -- terraform show -json tfplan.binary >tfplan.json
 conftest -v # Install conftest in advance to exclude aqua lazy install log from github-comment's comment
 github-comment exec \
 	--config "${GITHUB_ACTION_PATH}/github-comment.yaml" \
 	-var "tfaction_target:$TFACTION_TARGET" \
 	-k conftest -- \
-		conftest test --no-color -p "$ROOT_DIR/policy" tfplan.json
+		conftest test --no-color -p "$CONFTEST_POLICY_DIRECTORY" tfplan.json
diff --git a/terraform-plan/main.sh b/terraform-plan/main.sh
@@ -21,9 +21,7 @@ if [ "$code" -eq 1 ]; then
 	exit 1
 fi
 
-if [ -d "$ROOT_DIR/policy" ]; then
-	bash "$GITHUB_ACTION_PATH/conftest.sh"
-fi
+bash "$GITHUB_ACTION_PATH/conftest.sh"
 
 if [ "$code" = "0" ]; then
 	exit 0

diff --git a/tfmigrate-plan/action.yaml b/tfmigrate-plan/action.yaml
@@ -23,3 +23,4 @@ runs:
         PR_NUMBER: ${{ github.event.pull_request.number }}
         S3_BUCKET_NAME_TFMIGRATE_HISTORY: ${{ steps.target-config.outputs.s3_bucket_name_tfmigrate_history }}
         GCS_BUCKET_NAME_TFMIGRATE_HISTORY: ${{ steps.target-config.outputs.gcs_bucket_name_tfmigrate_history }}
+        CONFTEST_POLICY_DIRECTORY: ${{ steps.global-config.outputs.conftest_policy_directory }}