tfctl 1.0.0 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6d47682cf9949db840c18d07b6f06907a9d36e2a75d0a5255b4c57f3603c0dbf
-  data.tar.gz: d5a81e877943fff53e903a104249e1147a827c593430bc91c0b78d5cc467fc4b
+  metadata.gz: 5fe79c7d1c05d536eabd439037d74996bf35af1b72e359e34a0f52f32067fecf
+  data.tar.gz: 67c20fd6e27f58ce119e9c050923c80499b0054991716515f41dbbd2c4156336
 SHA512:
-  metadata.gz: 03b7d69b7a7bbf296b0b1ab3aa8794d8b91e51559a1e2ee1d450396615aeba495b63993f84866c6fe5997d34c760da143cb66ca0cabc2a1a5a1266b701676bac
-  data.tar.gz: f9ebdae72fd58473c3a8cc5015fd2d2e32092488218b52efa79e2d625802ccdf4447298e45497d4ec0e03583b0edbd3a31b51e92f76a5981a5f3819f9cee1e4a
+  metadata.gz: 693f29d4f7ddea34dfe9dbb747cf976452bdc8ff423bf63d41bc2f77f2ae05fb58ddb8b6d9a2d4c1f151749899a325b7326384e5e4128eda076d51c7c54bd8ca
+  data.tar.gz: a71acfa057e8a80923b7ec9c48ab2654af1fd6d73e4fa0259949d3bded769773dd3127590475266586fe48e3f5549a7f8725c111429a6ceb850389bb7fc63c01

data/.bundle/config

@@ -0,0 +1,3 @@
+---
+BUNDLE_WITH: "developement"
+BUNDLE_BIN: "vendor/bin"

data/.github/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+updates:
+- package-ecosystem: bundler
+  directory: "/"
+  schedule:
+    interval: daily
+  open-pull-requests-limit: 10

data/.gitignore

@@ -4,7 +4,6 @@
 pkg/
 *.gem
 vendor/
-.bundle
 bin/bundle
 bin/htmldiff
 bin/ldiff

data/.rubocop.yml

@@ -1,12 +1,13 @@
 ---
 AllCops:
-  TargetRubyVersion: 2.3
+  TargetRubyVersion: 2.5
   DisplayCopNames: true
+  NewCops: enable
 
 Layout/IndentationWidth:
   Width: 4
 
-Layout/IndentHeredoc:
+Layout/HeredocIndentation:
   Enabled: false
 
 Layout/EmptyLines:
@@ -15,7 +16,7 @@ Layout/EmptyLines:
 Layout/EmptyLinesAroundMethodBody:
   Enabled: false
 
-Layout/AlignHash:
+Layout/HashAlignment:
   EnforcedHashRocketStyle:
     - table
   EnforcedColonStyle:
@@ -45,7 +46,7 @@ Metrics/BlockLength:
 Metrics/MethodLength:
   Enabled: false
 
-Metrics/LineLength:
+Layout/LineLength:
   Max: 140
 
 Metrics/AbcSize:
@@ -77,3 +78,7 @@ Style/TrailingCommaInHashLiteral:
 
 Style/RedundantReturn:
   Enabled: false
+
+# don't break older Rubies just because of style
+Style/RedundantBegin:
+  Enabled: false

data/.travis.yml

@@ -1,18 +1,19 @@
 rvm:
-  - 2.3
-  - 2.6
+- 2.5
+- 2.6
+- 2.7
 os: linux
 language: ruby
 script: make test
 jobs:
   include:
-    - stage: Gem release
-      rvm: 2.6
-      deploy:
-        provider: rubygems
-        api_key:
-          secure: FKAONS7x6koN7oiEULr4ViwjlDBzbE0bCgqhXRP4DfTtlRyEymeqgrfSIqkVH7unjd0muIGrMBnFuaQVSx7648RS1Ss0QAJo32SVnzoYl1P03cijqNmbbaf1jRdA3IGmh0gV5vsXrmlHiP8gfAuC9PqQ550OzxzWUvEI8vXgSTibmKd/PoQinv5g/dq0gBFjlhSMt/k3Z9WlMmkEsAro/r/Ie2M7mItHPT65f0ga5q5SeujPQQ3Sd/l3mznh37bmnw5RZpFDYdA7jL2p0Y58XJPBU8soa3ZC5GeHyxCYVoGh6EDGAFb83ERRT6rQ7ywkOufTv1o497P7a/prSbvT6fzc+DcugXPEaglT+dUXMe36OoF907Xva4vq3xIHV2N/yrxbDM85hmMk22wEU+9wpDDzFNQnfsXNbaHG9F7gLgy0eoTRrSuJf6cPDlE8pwvn7b8cjieeqWc//ZNhSYnHYZGER4LFINWVxs68Eofmmqp2IESTcUpJ8oB4bV+bzzyobJMRobOXu2hvgCrTdr6r/PnckpAfZE/l4nVQa14f1FU//8bU3DwvNun6TX1Ujp+XNiRDUlvP2KnkBU4s5rsIkL3lCHW7r6GipSk6SOvGMTz5eySMsoWvZQBdAzk/OxcIteeWH9pdo1Hbu5x2/bwyuTRCQ9E79CKWDKlIQwCgUY0=
-        gem: tfctl
-        on:
-          tags: true
-          repo: scalefactory/tfctl
+  - stage: Gem release
+    rvm: 2.6
+    deploy:
+      provider: rubygems
+      api_key:
+        secure: LAVcdER+LtQ2TSUrVOY7Be1BC7GXJRD0QBt386vRM5Nld5QaD9Ow9gtN6FprzkzloI4R8BkPWqZbAT6YjC+C0AFB5HK6iPwD2bLsiF9w3ccDD+yrW99RHxiErpmYMun2PqZv0WkJ/pkEplPCKMRFv7SM7W9DMRlU7dsXc1v6IVyIb5u3A04jErS2jXXKY0ijlCDJYVo8zzYL6yUmUcXhc//3CIVnu2Miu6Qr8h7e6jMXNUWfMkwEXsFP9id4TsCz7hRY+39PkiBAknHTN5UqjjJiEOknZnHeTBcVPvi2h2xv+fFLSzVTxlxaRsVoMCShQp5D12qzhQObRJsRVQFs8Yyg9IYMyPdxssFYyUZFaAy5taWDm57uM3HTHylm/Dq3LmXTgGNxWUUkf2oh1g7R6cYZpBUQwiEPzhZQ7CoBQbGUAJmH9ZU9m+cr8kuAOUipd6BNEDvn/fIH4WJsRCNP72JGX16JBpuICvpkuNhskZT91xFlYk1pTXHOxNpbTcxUTgMHhrTqspeRXPmf6DiYGvjMb2S6kaoGqCIRIcwl0TGKuMsOMqR9SqF8gubkqHMVbSl1E7mwBn4ke8/7IGoMkWOGwUpVxqVOLBHi6zSR09RTVSbKl4oiFV3ZwmVPSxDncq54MptyJ2WCZ7dD6ht2l+VA8iGwYeIoqOpwGWxyuNI=
+      gem: tfctl
+      on:
+        tags: true
+        repo: scalefactory/tfctl

data/CHANGELOG.adoc

@@ -1,5 +1,34 @@
 = Changelog
 
+== 1.3.0
+
+ * feat: support new Terraform provider syntax
+
+BREAKING CHANGE: The minimum supported Terraform version has been bumped to
+0.12.29.  If you are running an older version of Terraform you will need to
+update to the latest Terraform in 0.12.x series before updating tfctl.  Once
+tfctl is updated you can upgrade Terraform to further versions.
+
+== 1.2.2
+ * chore: reverted PR #11 - not necessary and introduced regression.  See PR #13 for details.
+
+== 1.2.1
+ * chore: added required Ruby version to Gemspec.
+
+== 1.2.0
+
+ * feat: pass TF_ environment variables to terraform (PR #11).
+
+== 1.1.1
+
+ * fix: handle empty response from Organizations API containing children (thanks @grothja)
+ * chore: stopped testing on EOL Rubies 2.3 and 2.4 (but should still currently work)
+ * chore: dependencies minimum version bump
+
+== 1.1.0
+
+* feat: look for configuration in `tfctl.yaml` by default.
+
 == 1.0.0
 
 * feat(config): JSON schema config validation

data/Makefile

@@ -2,7 +2,8 @@
 
 vendor:
 	$(info => Installing Ruby dependencies)
-	@bundle install --path vendor --with developement --binstubs=vendor/bin
+	@bundle install
+	@bundle binstubs --all --path vendor/bin
 
 test: vendor rubocop spec
 
@@ -10,11 +11,11 @@ guard: vendor
 	$(info => Starting guard)
 	@bundle exec guard
 
-rubocop:
+rubocop: vendor
 	$(info => Running rubocop)
 	@vendor/bin/rubocop
 
-spec:
+spec: vendor
 	$(info => Running spec tests)
 	@vendor/bin/rspec
 

data/README.adoc

@@ -28,19 +28,37 @@ toc::[]
 
 == Overview
 
-Tfctl is a small Terraform wrapper for working with multi-account AWS
+`tfctl` is a small Terraform wrapper for working with multi-account AWS
 infrastructures where new accounts may be created dynamically and on-demand.
 
-It discovers accounts by reading the AWS Organizations API and can assign
+It discovers accounts by reading the AWS Organizations API, and can assign
 Terraform resources to multiple accounts based on the organization hierarchy.
 Resources can be assigned globally, based on organization unit or to individual
-accounts.  It supports nested OU hierarchies and helps keep your Terraform DRY.
+accounts.  It supports hierarchies of nested Organizational Units (OUs),
+and helps keep your Terraform DRY.
 
-Tfctl was originally developed to integrate Terraform with
+The Scale Factory originally created tfctl to integrate Terraform with
 https://aws.amazon.com/solutions/aws-landing-zone/[AWS Landing Zone] and
 https://aws.amazon.com/controltower/[Control Tower] but should work with most
 other ways of managing accounts in AWS Organizations.
 
+== Project status
+
+`tfctl` is an open source project published by The Scale Factory.
+
+We currently consider this project to be maintained but we don't actively
+develop new features.  We keep it security patched and ready for use in
+production environments.
+
+We’ll take a look at any issues or PRs you open and get back to you as soon as
+we can. We don’t offer any formal SLA, but we’ll be checking on this project
+periodically.
+
+If your issue is urgent, you can flag it as such, and we’ll attempt to triage
+appropriately, but we have paying customers who also have demands on our time.
+If your business depends on this project and you have an urgent problem, then
+you can talk to our sales team about paying us to support you.
+
 == Features
 
 * Discovers AWS accounts automatically.
@@ -56,8 +74,8 @@ other ways of managing accounts in AWS Organizations.
 
 == Requirements
 
- * Terraform >= 0.12
- * Ruby >= 2.3
+ * Terraform >= 0.12.29
+ * Ruby >= 2.5
  * Accounts managed in AWS Organizations (by Landing Zone, Control Tower, some
    other means)
 
@@ -65,17 +83,19 @@ other ways of managing accounts in AWS Organizations.
 
 To install the latest release from RubyGems run:
 
+[source,shell]
 ----
 gem install tfctl
 ----
 
-Alternatively you can build and install from this repo with:
+Alternatively, you can build and install from this repo with:
 
+[source,shell]
 ----
 make install
 ----
 
-== Docs
+== Documentation
 
  * https://github.com/scalefactory/tfctl/tree/master/docs/control_tower.adoc[Control Tower quick start guide]
  * https://github.com/scalefactory/tfctl/tree/master/docs/project_layout.adoc[Project layout]
@@ -85,23 +105,25 @@ make install
 
 == Running tfctl
 
-tfctl should be run from the root of the project directory.  It will generate
-Terraform configuration in `.tfctl/`.
+You should run `tfctl` from the root of your project directory.  It will generate
+Terraform configuration in `.tfctl/` (add this to your `.gitignore`).
 
 Anatomy of a tfctl command:
 
+[source,shell]
 ----
 tfctl -c CONFIG_FILE TARGET_OPTIONS -- TERRAFORM_COMMAND
 ----
 
-* `-c` specifies which tfctl config file to use (usually in `conf/`)
+* `-c` specifies which tfctl config file to use (defaults to `tfctl.yaml` in
+ current working directory if not set)
 * `TARGET_OPTIONS` specifies which accounts to target.  This could be an individual
   account, a group of accounts in an organizational unit or all accounts.
 * `TERRAFORM_COMMAND` will be passed to `terraform` along with any
   options.  See https://www.terraform.io/docs/commands/index.html[Terraform
   commands] for details.
 
-NOTE: You must have your AWS credentials configured before running tfctl or run
+NOTE: You must have your AWS credentials configured before you run `tfctl`, or run
 it using an AWS credentials helper such as
 https://github.com/99designs/aws-vault[aws-vault].
 
@@ -109,68 +131,78 @@ https://github.com/99designs/aws-vault[aws-vault].
 
 Show help:
 
+[source,shell]
 ----
 tfctl -h
 ----
 
 Show merged configuration:
 
+[source,shell]
 ----
-tfctl -c conf/example.yaml -s
+tfctl -s
 ----
 
 List all discovered accounts:
 
+[source,shell]
 ----
-tfctl -c conf/example.yaml --all -l
+tfctl --all -l
 ----
 
 TIP: This can be narrowed down using targeting options and is a good way to
 test what accounts match.
 
-Run Terraform init across all accounts:
+Run `terraform init` across all accounts:
 
+[source,shell]
 ----
-tfctl -c conf/example.yaml --all -- init
+tfctl --all -- init
 ----
 
-Run plan in `test` OU accounts:
+Plan Terraform across all accounts in the `test` OU:
 
+[source,shell]
 ----
-tfctl -c conf/example.yaml -o test -- plan
+tfctl -o test -- plan
 ----
 
-Run plan in `live` accounts assuming that `live` is a child OU in multiple
+Plan Terraform in `live` accounts, assuming that `live` is a child OU in multiple
 organization units:
 
+[source,shell]
 ----
-tfctl -c conf/example.yaml -o '.*/live' -- plan
+tfctl -o '.*/live' -- plan
 ----
 
-Run plan in an individual account:
+Run a plan for an individual account:
 
+[source,shell]
 ----
-tfctl -c conf/example.yaml -a example-account - plan
+tfctl -a example-account - plan
 ----
 
-Run apply in all accounts:
+Apply Terraform changes across all accounts:
 
+[source,shell]
 ----
-tfctl -c conf/example.yaml --all -- apply
+tfctl --all -- apply
 ----
 
-Run destroy in `test` OU accounts:
+Destroy Terraform-managed resources in all the `test` OU accounts:
 
+[source,shell]
 ----
-tfctl -c conf/example.yaml -o test -- destroy -auto-approve
+tfctl -o test -- destroy -auto-approve
 ----
 
 Don't buffer the output:
 
+[source,shell]
 ----
-tfctl -c conf/example.yaml -a example-account -u -- plan
+tfctl -a example-account -u -- plan
 ----
 
 This will show output in real time.  Usually output is buffered and displayed
-after Terraform command finishes to make it more readable when running across
-multiple accounts in parallel.
+after the Terraform command finishes, to make it more readable when running
+across multiple accounts in parallel.

data/RELEASING.adoc

@@ -0,0 +1,13 @@
+= Releasing
+
+This document is aimed at `tfctl` maintainers and describes the process of
+releasing a new gem version.
+
+== Process
+
+* Smoke test in SF test accounts: https://github.com/scalefactory/tfctl-test
+* Bump version in `lib/tfctl/version.rb`
+* Update `CHANGELOG.adoc`
+* Commit
+* Create a new GitHub release and version tag using format: vX.X.X
+* TravisCI will build and release the gem automatically: https://travis-ci.org/github/scalefactory/tfctl

data/bin/tfctl

@@ -1,7 +1,7 @@
 #!/usr/bin/env ruby
 # frozen_string_literal: true
 
-if File.directory?(File.dirname(__FILE__) + '/../vendor')
+if File.directory?("#{File.dirname(__FILE__)}/../vendor")
     require 'bundler/setup'
 end
 require 'optparse'
@@ -22,7 +22,7 @@ options = {
     ou:          nil,
     all:         nil,
     show_config: false,
-    config_file: nil,
+    config_file: 'tfctl.yaml',
     unbuffered:  false,
     debug:       false,
     use_cache:   false,
@@ -68,10 +68,6 @@ begin
 
     # Validate CLI arguments
 
-    if options[:config_file].nil?
-        raise OptionParser::MissingArgument, '--config-file'
-    end
-
     unless File.exist? options[:config_file]
         raise OptionParser::InvalidOption,
               "Config file not found in: #{options[:config_file]}"
@@ -85,8 +81,8 @@ begin
     targetting_opts = %i[account ou all]
     targets_set = []
     options.each do |k, v|
-        if targetting_opts.include?(k)
-            targets_set << k.to_s unless v.nil?
+        if targetting_opts.include?(k) and !v.nil?
+            targets_set << k.to_s
         end
     end
     if targets_set.length > 1
@@ -104,7 +100,7 @@ end
 
 
 
-# Generates configuration and runs Terraform commands for a target account.
+# Execute terraform in target accounts
 def run_account(config, account, options, tf_argv, log)
 
     # Skip excluded accounts
@@ -145,6 +141,7 @@ begin
     log.info 'tfctl running'
 
     config_name = File.basename(options[:config_file]).chomp('.yaml')
+    config_name = 'default' if config_name == 'tfctl'
     log.info "Using config: #{config_name}"
 
     log.info 'Working out AWS account topology'

data/docs/configuration.adoc

@@ -24,8 +24,8 @@ toc::[]
 
 == Overview
 
-Tfctl retrieves initial account configuration from AWS Organizations and merges
-it with configuration specified in a yaml file.
+`tfctl` retrieves initial account configuration from AWS Organizations and merges
+it with configuration specified in YAML format (`tfctl.yaml` by default).
 
 The configuration is merged in the following order:
 
@@ -68,9 +68,9 @@ organization_units:
 
 This will result in all three profiles deployed to accounts in `team` OU.
 
-TIP: You can display the fully merged configuration by running `tfctl -c
-conf/CONFIG_FILE.yaml -s`.  It's safe to run as it doesn't make any changes to
-AWS resources.  It's a good way to test your configuration.
+TIP: You can display the fully merged configuration by running `tfctl -s`.
+It's safe to run as it doesn't make any changes to AWS resources.  It's a good
+way to test your configuration.
 
 == Defining arbitrary data
 
@@ -83,7 +83,17 @@ above.
 
 == Handling secrets
 
-No secrets should be committed into Terraform or tfctl configuration.  Use AWS
-Secrets Manager instead and retrieve in Terraform profiles using
+CAUTION: Do not commit secrets into your Terraform or tfctl configuration.
+
+Instead, use AWS Secrets Manager and retrieve secrets in Terraform profiles using
+the
 https://www.terraform.io/docs/providers/aws/d/secretsmanager_secret.html[secrets
-manager data source]
+manager data source].
+
+== Configuration Schema
+
+The configuration file is validated using https://json-schema.org/[JSON Schema].
+
+The schema is defined in
+https://github.com/scalefactory/tfctl/blob/master/lib/tfctl/schema.rb[lib/tfctl/schema.rb]
+and is a good place to look up all available options.

data/docs/control_tower.adoc

@@ -31,7 +31,7 @@ toc::[]
 For state tracking we're going to create a dedicated `shared-services` account
 under a `mgmt` organization unit.  We'll use S3 for state storage and DynamoDB
 for locking.  `TerraformState` IAM role will be created for cross account
-access to state resources from the primary account.
+access to state resources from the primary AWS account.
 
 In the primary account we'll create a `TfctlOrgAccess` role.  It gives tfctl
 read only access to AWS Organizations which is used to discover accounts and
@@ -50,9 +50,10 @@ and provision a couple of accounts for testing.
 
 Before starting you'll need:
 
- * Control Tower set up in your primary account.
- * A user with `AdministratorAccess` privileges in primary account.
- * AWS CLI tools installed on your machine.
+ * An AWS account that is part of an Organization.
+ * Control Tower set up in your primary AWS account.
+ * A user with `AdministratorAccess` privileges in your primary AWS account.
+ * AWS CLI tools installed on your local machine.
  * Terraform 0.12 or higher.
 
 == Configure Control Tower
@@ -74,6 +75,7 @@ approximately 20 mins to provision one.
 
 == Install tfctl
 
+[source,shell]
 ----
 git clone git@github.com:scalefactory/tfctl.git
 cd tfctl/ && sudo make install
@@ -85,17 +87,21 @@ It's assumed you have configured AWS CLI access to the primary account.
 
 We'll use CloudFormation templates in `examples/bootstrap/`.
 
-First export configuration using environment variables making sure to change to
-values to suit your set up:
+First export configuration using environment variables, making sure to change to
+values to suit your setup:
 
+[source,shell]
 ----
-export PRIMARY_ACCOUNT_ID=11111111
-export SHARED_SERVICES_ACCOUNT_ID=22222222
+# Change these to match your setup
+export PRIMARY_ACCOUNT_ID=123456789012
+export SHARED_SERVICES_ACCOUNT_ID=345678901234
 export STATE_BUCKET_NAME='example-terraform-state'
+export AWS_REGION=eu-west-1
 ----
 
 Create the remote state resources stack set:
 
+[source,shell]
 ----
 cd examples/bootstrap/
 
@@ -107,31 +113,34 @@ aws cloudformation create-stack-set \
     --execution-role-name AWSControlTowerExecution \
     --administration-role-arn arn:aws:iam::${PRIMARY_ACCOUNT_ID}:role/service-role/AWSControlTowerStackSetRole \
     --parameters ParameterKey=PrimaryAccountId,ParameterValue=${PRIMARY_ACCOUNT_ID} \
-    ParameterKey=TerraformStateBucket,ParameterValue=${STATE_BUCKET_NAME}
+    ParameterKey=TerraformStateBucket,ParameterValue="${STATE_BUCKET_NAME}"
 ----
 
-Create a stack set instance in you shared services account:
+Create a stack set instance in your shared services account:
 
+[source,shell]
 ----
 aws cloudformation create-stack-instances \
     --stack-set-name TerraformState \
     --accounts ${SHARED_SERVICES_ACCOUNT_ID} \
-    --regions eu-west-1
+    --regions ${AWS_REGION}
 ----
 
 Check status:
 
+[source,shell]
 ----
 aws cloudformation describe-stack-instance \
     --stack-set-name TerraformState \
     --stack-instance-account ${SHARED_SERVICES_ACCOUNT_ID} \
-    --stack-instance-region eu-west-1
+    --stack-instance-region ${AWS_REGION}
 ----
 
 NOTE: Initial status will be `OUTDATED`, it should change to `CURRENT` once deployed.
 
-Deploy `TfctlOrgAccess` IAM role stack:
+Deploy the `TfctlOrgAccess` IAM role stack:
 
+[source,shell]
 ----
 aws cloudformation create-stack \
     --stack-name TfctlOrgAccess \
@@ -142,6 +151,7 @@ aws cloudformation create-stack \
 
 Check status:
 
+[source,shell]
 ----
 aws cloudformation describe-stacks --stack-name TfctlOrgAccess
 ----
@@ -151,14 +161,14 @@ NOTE: Successful status should read: `CREATE_COMPLETE`.
 == Configure tfctl
 
 Copy the example project directory `examples/control_tower` somewhere convenient
-and edit `conf/example.yaml`.
+and edit `tfctl.yaml`.
 
 You need to modify the following parameters:
 
  * `tf_state_bucket` - set to `$STATE_BUCKET_NAME`
  * `tf_state_role_arn` - set shared services account ID
  * `tfctl_role_arn` - set primary account ID
- * `primary_account` - set the primary account name.  You can find it in AWS Organizations.
+ * `primary_account` - set the primary account name.  You can find it through AWS Organizations in the console.
 
 TIP: You should keep your project directory under version control.
 
@@ -169,43 +179,51 @@ and `mgmt` OUs.
 
 NOTE: Run tfctl commands from the root of you project directory.
 
-First dump the configuration to verify everything works:
+First, dump the configuration to verify everything works:
 
+[source,shell]
 ----
-tfctl -c conf/example.yaml -s
+tfctl -s
 ----
 
-This will not make any changes but will print out a yaml containing the final,
+This will not make any changes but will print out YAML containing the final,
 merged configuration data.  It should contain a list of discovered accounts and
 their configuration.
 
-Initialise terraform for all discovered accounts:
+Initialise Terraform for all discovered accounts:
 
+[source,shell]
 ----
-tfctl -c conf/example.yaml --all -- init
+tfctl --all -- init
 ----
 
 Tfctl will run Terraform against all accounts in parallel.
 
-Run plan:
+`plan` the Terraform:
 
+[source,shell]
 ----
-tfctl -c conf/example.yaml --all -- plan
+tfctl --all -- plan
 ----
 
-and apply:
+and `apply` it:
 
+[source,shell]
 ----
-tfctl -c conf/example.yaml --all -- apply
+tfctl --all -- apply
 ----
 
-To destroy created resources run:
 
+== Clean up
+
+To destroy created resources, run:
+
+[source,shell]
 ----
-tfctl -c conf/example.yaml --all -- destroy -auto-approve
+tfctl --all -- destroy -auto-approve
 ----
 
-That's it! You can now execute terraform across your Control Tower estate.
+That's it! You can now execute Terraform across your Control Tower estate.
 
 TIP: Your project directory should be under version control excluding the
 `.tfctl` directory which is automatically generated.

data/docs/creating_a_profile.adoc

@@ -81,7 +81,7 @@ profile.  Tfctl configuration can be accessed using this variable. This It
 includes an array of all discovered accounts as well their parameters from
 tfctl config file.
 
-TIP: You can run `tfctl -c conf/CONFIG_FILE.yaml -s` to show the config data in
+TIP: You can run `tfctl -s` to show the config data in
 yaml format.  This exact data is available in the `config` variable in your
 profile.
 
@@ -124,7 +124,7 @@ You have few options here:
 For the sake of this example we're going to deploy our bucket to all accounts
 in `test` OU.
 
-In tfctl config file add the profile to the `test` OU:
+In `tfctl.yaml` add the profile to the `test` OU:
 
 [source, yaml]
 ----
@@ -140,8 +140,8 @@ organization_units:
 To see what would happen when the change is applied run:
 
 ----
-tfctl -c conf/example.yaml -o test -- init
-tfctl -c conf/example.yaml -o test -- plan
+tfctl -o test -- init
+tfctl -o test -- plan
 ----
 
 This will run `terraform init` to initialise terraform and then `terraform
@@ -187,5 +187,5 @@ next step.
 
 Once you're happy with the plan, apply it.
 ----
-tfctl -c conf/example.yaml -o test -- apply
+tfctl -o test -- apply
 ----

data/docs/iam_permissions.adoc

@@ -20,7 +20,7 @@ endif::[]
 
 = IAM roles
 
-Tfctl usually requires three IAM roles to be configured:
+`tfctl` usually requires three IAM roles to be configured:
 
  * `TfctlRole` - read only access to AWS Organizations set up in the primary account.
  * `TerraformStateRole` - access to remote state resources (S3, DynamoDB) in the
@@ -28,7 +28,7 @@ Tfctl usually requires three IAM roles to be configured:
  * `TerraformExecutionRole` - configured in all spoke accounts and used for executing Terraform.
 
 The user executing tfctl needs permission to assume all three roles cross
-account.  Tfctl will assume roles automatically for you.
+account. Once these are configured, tfctl automatically assumes roles for you.
 
 It's possible to configure different Terraform execution roles in different
 spoke accounts based on OU or account names.  This can be used to restrict

data/docs/project_layout.adoc

@@ -23,8 +23,7 @@ endif::[]
 Example project structure
 ----
 project_dir/
-├── conf
-│   └── example.yaml
+├── tfctl.conf
 ├── modules
 │   └── s3-bucket
 │       ├── main.tf
@@ -51,7 +50,12 @@ The configuration data is exposed to terraform via a profile `config` variable.
 It also defines Terraform and tfctl configuration such as state tracking and
 what IAM roles to use.
 
-== profiles
+By default, tfctl will use `tfctl.yaml` in its current working directory.  You
+can specify a different file using `-c`.  Multiple configurations are supported
+in the same project directory and generated data will be stored separately for
+each config file in `.tfctl/`.
+
+== `profiles`
 
 Profiles are re-usable collections of resources which can be applied to
 accounts.  They are implemented just like usual modules but provide an
@@ -60,6 +64,6 @@ other data sources).  Profiles often compose multiple modules and provide
 configuration data to them.  This approach makes it possible to re-use standard
 modules (e.g. Terraform module registry).
 
-== modules
+== `modules`
 
 Standard Terraform modules.

data/examples/control_tower/profiles/example-profile/main.tf

@@ -1,4 +1,4 @@
 module "bucket" {
   source = "../../modules/s3-bucket"
-  name   = "${local.account_id}-${local.account["example_bucket_name"]}"
+  name   = "${local.account_id}-${local.account["data"]["example_bucket_name"]}"
 }

data/examples/control_tower/profiles/example-profile/variables.tf

@@ -7,6 +7,6 @@ variable "config" {
 locals {
   config     = jsondecode(var.config)
   account_id = "${data.aws_caller_identity.current.account_id}"
-  # get current account configuration from tfctl config
+  # get account configuration from tfctl config
   account    = [ for account in local.config["accounts"]: account if account["id"] == local.account_id ][0]
 }

data/examples/control_tower/{conf/example.yaml → tfctl.yaml}

@@ -5,7 +5,7 @@
 # create final configuration used by tfctl.  You can view the merged
 # configuration by running:
 #
-#   tfctl -c conf/example.yaml -s
+#   tfctl -c conf/tfctl.yaml -s
 #
 
 #
@@ -17,7 +17,7 @@ tf_state_dynamodb_table: 'terraform-lock'
 tf_state_region: 'eu-west-1'
 # Role for accessing state resources
 tf_state_role_arn: 'arn:aws:iam::SHARED_SERVICES_ACCOUNT_ID:role/TerraformStateRole'
-tf_required_version: '>= 0.12.0'
+tf_required_version: '>= 0.12.29'
 aws_provider_version: '>= 2.14'
 # Role used by tfctl to retrieve data from AWS Organizations
 # Has to be set up in the primary org account

data/lib/hash.rb

@@ -18,13 +18,14 @@ class Hash
         merge(second.to_h, &merger)
     end
 
-    # Copied from ruby 2.6 Psych for 2.3 compatibility.
     def symbolize_names!(result = self)
         case result
         when Hash
+            # rubocop:disable Style/HashEachMethods
             result.keys.each do |key|
                 result[key.to_sym] = symbolize_names!(result.delete(key))
             end
+            # rubocop:enable Style/HashEachMethods
         when Array
             result.map! { |r| symbolize_names!(r) }
         end

data/lib/tfctl.rb

@@ -1,10 +1,10 @@
 # frozen_string_literal: true
 
-require_relative 'tfctl/aws_org.rb'
-require_relative 'tfctl/config.rb'
-require_relative 'tfctl/error.rb'
-require_relative 'tfctl/executor.rb'
-require_relative 'tfctl/generator.rb'
-require_relative 'tfctl/logger.rb'
-require_relative 'tfctl/schema.rb'
-require_relative 'tfctl/version.rb'
+require_relative 'tfctl/aws_org'
+require_relative 'tfctl/config'
+require_relative 'tfctl/error'
+require_relative 'tfctl/executor'
+require_relative 'tfctl/generator'
+require_relative 'tfctl/logger'
+require_relative 'tfctl/schema'
+require_relative 'tfctl/version'

data/lib/tfctl/aws_org.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require_relative 'error.rb'
+require_relative 'error'
 require 'aws-sdk-organizations'
 
 module Tfctl
@@ -71,23 +71,25 @@ module Tfctl
             @aws_org_client.list_children(
                 child_type: 'ORGANIZATIONAL_UNIT',
                 parent_id:  parent_id,
-            ).children.each do |child|
-
-                begin
-                    ou = @aws_org_client.describe_organizational_unit(
-                        organizational_unit_id: child.id,
-                    ).organizational_unit
-                rescue Aws::Organizations::Errors::TooManyRequestsException
-                    # FIXME: - use logger
-                    puts 'AWS Organizations: too many requests.  Retrying in 5 secs.'
-                    sleep 5
-                    retries += 1
-                    retry if retries < 10
-                end
+            ).each do |resp|
+                resp.children.each do |child|
+
+                    begin
+                        ou = @aws_org_client.describe_organizational_unit(
+                            organizational_unit_id: child.id,
+                        ).organizational_unit
+                    rescue Aws::Organizations::Errors::TooManyRequestsException
+                        # FIXME: - use logger
+                        puts 'AWS Organizations: too many requests.  Retrying in 5 secs.'
+                        sleep 5
+                        retries += 1
+                        retry if retries < 10
+                    end
 
-                ou_name = parent_name == :root ? ou.name.to_sym : "#{parent_name}/#{ou.name}".to_sym
+                    ou_name = parent_name == :root ? ou.name.to_sym : "#{parent_name}/#{ou.name}".to_sym
 
-                output[ou_name] = ou.id
+                    output[ou_name] = ou.id
+                end
             end
             output
         end

data/lib/tfctl/config.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
-require_relative '../hash.rb'
-require_relative 'error.rb'
+require_relative '../hash'
+require_relative 'error'
 require 'yaml'
 require 'json'
 
@@ -48,7 +48,7 @@ module Tfctl
             @config.to_json
         end
 
-        # Filters accounts by account property
+        # Filters accounts by an account property
         def find_accounts(property_name, property_value)
             output =[]
             @config[:accounts].each do |account|
@@ -88,7 +88,6 @@ module Tfctl
 
         # Retrieves AWS Organizations data and merges it with data from yaml config.
         def load_config(config_name, yaml_config, aws_org_config)
-
             # AWS Organizations data
             config = aws_org_config
             # Merge organization sections from yaml file
@@ -122,7 +121,9 @@ module Tfctl
             return config unless config.key?(:exclude_accounts)
 
             config[:accounts].each_with_index do |account, idx|
+                # rubocop:disable Style/IfWithBooleanLiteralBranches
                 config[:accounts][idx][:excluded] = config[:exclude_accounts].include?(account[:name]) ? true : false
+                # rubocop:enable Style/IfWithBooleanLiteralBranches
             end
 
             config

data/lib/tfctl/executor.rb

@@ -3,7 +3,7 @@
 require 'open3'
 require 'fileutils'
 require 'shellwords'
-require_relative 'error.rb'
+require_relative 'error'
 
 module Tfctl
     module Executor

data/lib/tfctl/generator.rb

@@ -10,21 +10,27 @@ module Tfctl
 
         def write_json_block(path, block)
             File.open(path, 'w') do |f|
-                f.write(JSON.pretty_generate(block) + "\n")
+                f.write("#{JSON.pretty_generate(block)}\n")
             end
         end
 
         def make(account:, config:)
             target_dir = "#{PROJECT_ROOT}/.tfctl/#{config[:config_name]}/#{account[:name]}"
-            tf_version = config.fetch(:tf_required_version, '>= 0.12.0')
+            tf_version = config.fetch(:tf_required_version, '>= 0.12.29')
             aws_provider_version = config.fetch(:aws_provider_version, '>= 2.14')
 
             FileUtils.mkdir_p target_dir
 
             terraform_block = {
                 'terraform' => {
-                    'required_version' => tf_version,
-                    'backend'          => {
+                    'required_version'   => tf_version,
+                    'required_providers' => {
+                        'aws' => {
+                            'source'  => 'hashicorp/aws',
+                            'version' => aws_provider_version,
+                        },
+                    },
+                    'backend'            => {
                         's3' => {
                             'bucket'         => config[:tf_state_bucket],
                             'key'            => "#{account[:name]}/tfstate",
@@ -41,7 +47,6 @@ module Tfctl
             provider_block = {
                 'provider' => {
                     'aws' => {
-                        'version'     => aws_provider_version,
                         'region'      => account[:region],
                         'assume_role' => {
                             'role_arn' => "arn:aws:iam::#{account[:id]}:role/#{account[:tf_execution_role]}",
@@ -71,11 +76,8 @@ module Tfctl
                 profile_block = {
                     'module' => {
                         profile => {
-                            'source'    => "../../../profiles/#{profile}",
-                            'config'    => '${var.config}',
-                            'providers' => {
-                                'aws' => 'aws',
-                            },
+                            'source' => "../../../profiles/#{profile}",
+                            'config' => '${var.config}',
                         },
                     },
                 }

data/lib/tfctl/logger.rb

@@ -6,7 +6,7 @@ module Tfctl
     class Logger
 
         def initialize(log_level)
-            @outlog  = ::Logger.new(STDOUT)
+            @outlog  = ::Logger.new($stdout)
 
             self.level = log_level
 

data/lib/tfctl/schema.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 require 'json_schemer'
-require_relative 'error.rb'
+require_relative 'error'
 
 # Config validator using JSON schema
 
@@ -29,7 +29,7 @@ module Tfctl
             def main_schema
                 iam_arn_pattern = 'arn:aws:iam:[a-z\-0-9]*:[0-9]{12}:[a-zA-Z\/+@=.,]*'
 
-                # rubocop:disable Layout/AlignHash
+                # rubocop:disable Layout/HashAlignment
                 {
                     'type'       => 'object',
                     'properties' => {
@@ -61,7 +61,7 @@ module Tfctl
                     ],
                     'additionalProperties' => false,
                 }
-                # rubocop:enable Layout/AlignHash
+                # rubocop:enable Layout/HashAlignment
             end
 
             def org_schema

data/lib/tfctl/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Tfctl
-    VERSION = '1.0.0'
+    VERSION = '1.3.0'
 end

data/tfctl.gemspec

@@ -23,14 +23,17 @@ Gem::Specification.new do |spec|
     spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
     spec.require_paths = ['lib']
 
+    spec.required_ruby_version = '>= 2.5.0'
+
     # Think when adding new dependencies.  Is it really necessary?
     # "The things you own end up owning you" etc.
-    spec.add_dependency 'aws-sdk-organizations', '~> 1.13'
+    spec.add_dependency 'aws-sdk-organizations', '~> 1.40'
     spec.add_dependency 'json_schemer',          '~> 0.2'
-    spec.add_dependency 'parallel',              '~> 1.17'
-    spec.add_dependency 'terminal-table',        '~> 1.8'
+    spec.add_dependency 'parallel',              '~> 1.19'
+    spec.add_dependency 'terminal-table',        '>= 1.8', '< 4.0'
 
-    spec.add_development_dependency 'guard-rspec', '~> 4.7'
-    spec.add_development_dependency 'rspec',       '~> 3.8'
-    spec.add_development_dependency 'rubocop',     '~> 0.76'
+    spec.add_development_dependency 'guard-rspec',   '~> 4.7'
+    spec.add_development_dependency 'rspec',         '~> 3.9'
+    spec.add_development_dependency 'rubocop',       '~> 1.3'
+    spec.add_development_dependency 'rubocop-rspec', '~> 2.2'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tfctl
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.3.0
 platform: ruby
 authors:
 - Andrew Wasilczuk
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-11-14 00:00:00.000000000 Z
+date: 2021-05-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-organizations
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.13'
+        version: '1.40'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.13'
+        version: '1.40'
 - !ruby/object:Gem::Dependency
   name: json_schemer
   requirement: !ruby/object:Gem::Requirement
@@ -44,28 +44,34 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.17'
+        version: '1.19'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.17'
+        version: '1.19'
 - !ruby/object:Gem::Dependency
   name: terminal-table
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.8'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.8'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4.0'
 - !ruby/object:Gem::Dependency
   name: guard-rspec
   requirement: !ruby/object:Gem::Requirement
@@ -86,28 +92,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.8'
+        version: '3.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.8'
+        version: '3.9'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.76'
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.76'
+        version: '2.2'
 description: 
 email:
 - akw@scalefactory.com
@@ -116,6 +136,8 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- ".bundle/config"
+- ".github/dependabot.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
@@ -126,6 +148,7 @@ files:
 - LICENSE
 - Makefile
 - README.adoc
+- RELEASING.adoc
 - bin/tfctl
 - docs/configuration.adoc
 - docs/control_tower.adoc
@@ -135,12 +158,12 @@ files:
 - examples/bootstrap/terraform-exec-role.template
 - examples/bootstrap/terraform-state.template
 - examples/bootstrap/tfctl-org-access.template
-- examples/control_tower/conf/example.yaml
 - examples/control_tower/modules/s3-bucket/main.tf
 - examples/control_tower/modules/s3-bucket/variables.tf
 - examples/control_tower/profiles/example-profile/data.tf
 - examples/control_tower/profiles/example-profile/main.tf
 - examples/control_tower/profiles/example-profile/variables.tf
+- examples/control_tower/tfctl.yaml
 - lib/hash.rb
 - lib/tfctl.rb
 - lib/tfctl/aws_org.rb
@@ -164,15 +187,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.5.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.7
+rubygems_version: 3.0.8
 signing_key: 
 specification_version: 4
 summary: Terraform wrapper for managing multi-account AWS infrastructures