tfctl 1.4.0 → 1.6.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3a7ca446d4435cb6780d2b8018e89c8f7b981a247d249ff3fe8083b94edd66ac
-  data.tar.gz: bc7f96ea1cb77fb6366453f4e268e55be5c398e939002f382223c94e09bccbf0
+  metadata.gz: 0a21de0b7977bcd56a7055e677dc1689e07b7e62e89d29319fb5e432100f434f
+  data.tar.gz: ac7a0f930a88e683692e5863fcbf2aecb7b0cfe918aa891fe5f6f3df656b901f
 SHA512:
-  metadata.gz: 777d4fd03430d1d54bcf822f3f4087c7e0c55374d69167487057201ef20132abe5de5c2b949cfa33aa1d48c346a9e0cd819db8193af5a8803dacb7d3988e526e
-  data.tar.gz: 5cc2a820f7930d930efc43c8eab98e9b825e6d1cf48390ca929f01b4136cdbd33509978a31e16f5f4956c458e007bc6dc759e86ee9305b4f14d21c77f267d8ab
+  metadata.gz: a266d7e164849d1d31be19ffc37572e591c74f4b33fece71de1db510088f3221b6dcf454b5173ffc0cbdae5f2fdc2bf54fc92dab82862cf34cb188fff37953ee
+  data.tar.gz: 6e9f97dbf88dc5a759545b88a3031b9cf2dcb72ab3d5120ba11c9a89c6d15a3fb381d8ed834dac18cd2f4e8f64f0d5862b6eaf57025c1e5541cfe621192f4de5

data/.bundle/config

@@ -1,3 +1,4 @@
 ---
 BUNDLE_PATH: "vendor/bundle"
 BUNDLE_BIN: "vendor/bin"
+BUNDLE_WITH: "developement"

data/.github/workflows/linter.yml

@@ -1,6 +1,9 @@
 name: Linting
 
-on: [push]
+on:
+  push:
+  pull_request:
+    branches: [ master ]
 
 jobs:
   lint:

data/.github/workflows/release.yml

@@ -27,11 +27,10 @@ jobs:
         env:
           GEM_HOST_API_KEY: "${{secrets.RUBYGEMS_AUTH_TOKEN}}"
       - name: Release on GitHub
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+        uses: ncipollo/release-action@v1
         with:
+          body: 'See [CHANGELOG](https://github.com/scalefactory/tfctl/blob/master/CHANGELOG.adoc) for details.'
+          token: "${{ secrets.GITHUB_TOKEN }}"
           draft: false
           prerelease: false
-          release_name: 'Release ${{ github.ref }}'
-          tag_name: '${{ github.ref }}'
+          artifacts: pkg/*.gem

data/CHANGELOG.adoc

@@ -1,5 +1,35 @@
 = Changelog
 
+== 1.6.1
+
+ * fix: pagination problem when listing accounts in an OU.
+
+== 1.6.0
+
+ * fix: pass the default AWS provider explicitly from tfctl generated configuration.
+   This fixes provider inheritance issues when using multiple providers which
+   was introduced in 1.3.0.  You may need to add a terraform block with
+   `required_provides` to your profiles if you don't have it defined already.
+   Terraform will warn about this during `init`.  Here's an example block:
+
+----
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+  }
+}
+----
+
+== 1.5.0
+
+ * feat: support for setting default tags at AWS provider level.  (Thanks @patrickli)
+   For details see: https://www.hashicorp.com/blog/default-tags-in-the-terraform-aws-provider
+ * feat: new `tf_state_prefix` config parameter. (Thanks @patrickli)
+   Allows setting an path prefix for state files stored in S3.
+ * feat: print version number in output log
+
 == 1.4.0
 
  * feat: support yaml anchors and aliases in configuration file.

data/README.adoc

@@ -20,7 +20,8 @@ endif::[]
 
 = tfctl
 
-image:https://travis-ci.com/scalefactory/tfctl.svg?branch=master["Build Status", link="https://travis-ci.com/scalefactory/tfctl"]
+image:https://github.com/scalefactory/tfctl/actions/workflows/linter.yml/badge.svg["Linter", link="https://github.com/scalefactory/tfctl/actions/workflows/linter.yml"]
+image:https://github.com/scalefactory/tfctl/actions/workflows/test.yml/badge.svg["Tests", link="https://github.com/scalefactory/tfctl/actions/workflows/test.yml"]
 image:https://badge.fury.io/rb/tfctl.svg["Gem Version", link="https://badge.fury.io/rb/tfctl"]
 image:https://img.shields.io/badge/terraform-0.12-blue.svg["Terraform 0.12", link="https://img.shields.io/badge/terraform-0.12-blue"]
 
@@ -33,32 +34,14 @@ infrastructures where new accounts may be created dynamically and on-demand.
 
 It discovers accounts by reading the AWS Organizations API, and can assign
 Terraform resources to multiple accounts based on the organization hierarchy.
-Resources can be assigned globally, based on organization unit or to individual
-accounts.  It supports hierarchies of nested Organizational Units (OUs),
-and helps keep your Terraform DRY.
+Resources can be assigned globally, based on organization unit (OU) or to individual
+accounts.  It supports hierarchies of nested OUs, and helps keep your Terraform DRY.
 
 The Scale Factory originally created tfctl to integrate Terraform with
 https://aws.amazon.com/solutions/aws-landing-zone/[AWS Landing Zone] and
 https://aws.amazon.com/controltower/[Control Tower] but should work with most
 other ways of managing accounts in AWS Organizations.
 
-== Project status
-
-`tfctl` is an open source project published by The Scale Factory.
-
-We currently consider this project to be maintained but we don't actively
-develop new features.  We keep it security patched and ready for use in
-production environments.
-
-We’ll take a look at any issues or PRs you open and get back to you as soon as
-we can. We don’t offer any formal SLA, but we’ll be checking on this project
-periodically.
-
-If your issue is urgent, you can flag it as such, and we’ll attempt to triage
-appropriately, but we have paying customers who also have demands on our time.
-If your business depends on this project and you have an urgent problem, then
-you can talk to our sales team about paying us to support you.
-
 == Features
 
 * Discovers AWS accounts automatically.
@@ -206,3 +189,20 @@ tfctl -a example-account -u -- plan
 This will show output in real time.  Usually output is buffered and displayed
 after the Terraform command finishes, to make it more readable when running
 across multiple accounts in parallel.
+
+== Project status
+
+`tfctl` is an open source project published by The Scale Factory.
+
+We currently consider this project to be maintained but we don't actively
+develop new features.  We keep it security patched and ready for use in
+production environments.
+
+We’ll take a look at any issues or PRs you open and get back to you as soon as
+we can. We don’t offer any formal SLA, but we’ll be checking on this project
+periodically.
+
+If your issue is urgent, you can flag it as such, and we’ll attempt to triage
+appropriately, but we have paying customers who also have demands on our time.
+If your business depends on this project and you have an urgent problem, then
+you can talk to our sales team about paying us to support you.

data/RELEASING.adoc

@@ -6,8 +6,14 @@ releasing a new gem version.
 == Process
 
 * Smoke test in SF test accounts: https://github.com/scalefactory/tfctl-test
-* Bump version in `lib/tfctl/version.rb`
-* Update `CHANGELOG.adoc`
-* Commit
-* Create a new GitHub release and version tag using format: vX.X.X
-* TravisCI will build and release the gem automatically: https://travis-ci.org/github/scalefactory/tfctl
+* Bump version in `lib/tfctl/version.rb`.
+* Update `CHANGELOG.adoc`.
+* Commit.
+* Tag the release using format: vX.X.X and push the tag.
+
+----
+git tag vX.X.X
+git push origin vX.X.X
+----
+
+* GitHub actions will build and release the gem and create a GitHub release automatically.

data/bin/tfctl

@@ -138,7 +138,7 @@ begin
     log_level = options[:debug] ? Logger::DEBUG : Logger::INFO
     log = Tfctl::Logger.new(log_level)
 
-    log.info 'tfctl running'
+    log.info "tfctl #{Tfctl::VERSION} running"
 
     config_name = File.basename(options[:config_file]).chomp('.yaml')
     config_name = 'default' if config_name == 'tfctl'

data/examples/control_tower/modules/s3-bucket/main.tf

@@ -2,3 +2,7 @@ resource aws_s3_bucket bucket {
   bucket = var.name
   acl    = "private"
 }
+
+output "arn" {
+  value = aws_s3_bucket.bucket.arn
+}

data/examples/control_tower/profiles/example-profile/main.tf

@@ -1,4 +1,11 @@
+resource "random_pet" "bucket_prefix" {
+}
+
 module "bucket" {
   source = "../../modules/s3-bucket"
-  name   = "${local.account_id}-${local.account["data"]["example_bucket_name"]}"
+  name   = "${random_pet.bucket_prefix.id}-${local.account["data"]["example_bucket_name"]}"
+}
+
+output "bucket_arn" {
+  value = module.bucket.arn
 }

data/examples/control_tower/profiles/example-profile/terraform.tf

@@ -0,0 +1,7 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+  }
+}

data/examples/control_tower/profiles/example-profile/variables.tf

@@ -6,7 +6,7 @@ variable "config" {
 
 locals {
   config     = jsondecode(var.config)
-  account_id = "${data.aws_caller_identity.current.account_id}"
+  account_id = data.aws_caller_identity.current.account_id
   # get account configuration from tfctl config
-  account    = [ for account in local.config["accounts"]: account if account["id"] == local.account_id ][0]
+  account = [for account in local.config["accounts"] : account if account["id"] == local.account_id][0]
 }

data/examples/control_tower/tfctl.yaml

@@ -13,6 +13,7 @@
 #
 
 tf_state_bucket: 'CHANGEME'
+# tf_state_prefix: ''
 tf_state_dynamodb_table: 'terraform-lock'
 tf_state_region: 'eu-west-1'
 # Role for accessing state resources
@@ -22,6 +23,7 @@ aws_provider_version: '>= 2.14'
 # Role used by tfctl to retrieve data from AWS Organizations
 # Has to be set up in the primary org account
 tfctl_role_arn: 'arn:aws:iam::PRIMARY_ACCOUNT_ID:role/TfctlRole'
+# default_tags: {}
 
 #
 # Data

data/lib/tfctl/aws_org.rb

@@ -25,19 +25,22 @@ module Tfctl
 
                 parent_id = aws_ou_ids[ou_path]
 
-                @aws_org_client.list_accounts_for_parent(parent_id: parent_id).accounts.each do |account|
-                    next unless account.status == 'ACTIVE'
-
-                    output[:accounts] << {
-                        name:       account.name,
-                        id:         account.id,
-                        arn:        account.arn,
-                        email:      account.email,
-                        ou_path:    ou_path.to_s,
-                        ou_parents: ou_path.to_s.split('/'),
-                        profiles:   [],
-                    }
+                @aws_org_client.list_accounts_for_parent(parent_id: parent_id).each do |response|
+                    response.accounts.each do |account|
+                        next unless account.status == 'ACTIVE'
+
+                        output[:accounts] << {
+                            name:       account.name,
+                            id:         account.id,
+                            arn:        account.arn,
+                            email:      account.email,
+                            ou_path:    ou_path.to_s,
+                            ou_parents: ou_path.to_s.split('/'),
+                            profiles:   [],
+                        }
+                    end
                 end
+
             end
             output
         end
@@ -71,8 +74,8 @@ module Tfctl
             @aws_org_client.list_children(
                 child_type: 'ORGANIZATIONAL_UNIT',
                 parent_id:  parent_id,
-            ).each do |resp|
-                resp.children.each do |child|
+            ).each do |response|
+                response.children.each do |child|
 
                     begin
                         ou = @aws_org_client.describe_organizational_unit(

data/lib/tfctl/config.rb

@@ -105,7 +105,7 @@ module Tfctl
 
         def write_cache(cache_file)
             FileUtils.mkdir_p File.dirname(cache_file)
-            File.open(cache_file, 'w') { |f| f.write to_yaml }
+            File.write(cache_file, to_yaml)
         end
 
         def read_cache(cache_file)

data/lib/tfctl/executor.rb

@@ -41,6 +41,12 @@ module Tfctl
             # Create the command
             exec = [cmd] + [subcmd] + args
 
+            runcmd = if Gem.win_platform?
+                         exec.join(' ')
+                     else
+                         exec.shelljoin
+                     end
+
             # Set environment variables for Terraform
             env = {
                 'TF_INPUT'           => '0',
@@ -49,10 +55,10 @@ module Tfctl
                 # 'TF_LOG'             => 'TRACE'
             }
 
-            log.debug "#{account_name}: Executing: #{exec.shelljoin}"
+            log.debug "#{account_name}: Executing: #{runcmd}"
 
             FileUtils.cd path
-            Open3.popen3(env, exec.shelljoin) do |stdin, stdout, stderr, wait_thr|
+            Open3.popen3(env, runcmd) do |stdin, stdout, stderr, wait_thr|
                 stdin.close_write
 
                 # capture stdout and stderr in separate threads to prevent deadlocks

data/lib/tfctl/generator.rb

@@ -9,13 +9,12 @@ module Tfctl
         module_function
 
         def write_json_block(path, block)
-            File.open(path, 'w') do |f|
-                f.write("#{JSON.pretty_generate(block)}\n")
-            end
+            File.write(path, "#{JSON.pretty_generate(block)}\n")
         end
 
         def make(account:, config:)
             target_dir = "#{PROJECT_ROOT}/.tfctl/#{config[:config_name]}/#{account[:name]}"
+            tf_state_prefix = config.fetch(:tf_state_prefix, '').delete_suffix('/')
             tf_version = config.fetch(:tf_required_version, '>= 0.12.29')
             aws_provider_version = config.fetch(:aws_provider_version, '>= 2.14')
 
@@ -33,7 +32,7 @@ module Tfctl
                     'backend'            => {
                         's3' => {
                             'bucket'         => config[:tf_state_bucket],
-                            'key'            => "#{account[:name]}/tfstate",
+                            'key'            => [tf_state_prefix, account[:name], 'tfstate'].join('/').delete_prefix('/'),
                             'region'         => config[:tf_state_region],
                             'role_arn'       => config[:tf_state_role_arn],
                             'dynamodb_table' => config[:tf_state_dynamodb_table],
@@ -47,10 +46,13 @@ module Tfctl
             provider_block = {
                 'provider' => {
                     'aws' => {
-                        'region'      => account[:region],
-                        'assume_role' => {
+                        'region'       => account[:region],
+                        'assume_role'  => {
                             'role_arn' => "arn:aws:iam::#{account[:id]}:role/#{account[:tf_execution_role]}",
                         },
+                        'default_tags' => {
+                            'tags' => config.fetch(:default_tags, {}),
+                        },
                     },
                 },
             }
@@ -76,8 +78,11 @@ module Tfctl
                 profile_block = {
                     'module' => {
                         profile => {
-                            'source' => "../../../profiles/#{profile}",
-                            'config' => '${var.config}',
+                            'source'    => "../../../profiles/#{profile}",
+                            'config'    => '${var.config}',
+                            'providers' => {
+                                'aws' => 'aws',
+                            },
                         },
                     },
                 }

data/lib/tfctl/schema.rb

@@ -34,6 +34,7 @@ module Tfctl
                     'type'       => 'object',
                     'properties' => {
                         'tf_state_bucket'         => { 'type' => 'string' },
+                        'tf_state_prefix'         => { 'type' => 'string' },
                         'tf_state_role_arn'       => {
                             'type'    => 'string',
                             'pattern' => iam_arn_pattern,
@@ -48,6 +49,7 @@ module Tfctl
                         },
                         'data'                    => { 'type' => 'object' },
                         'exclude_accounts'        => { 'type' => 'array' },
+                        'default_tags'            => { 'type' => 'object' },
                         'organization_root'       => org_schema,
                         'organization_units'      => org_schema,
                         'account_overrides'       => org_schema,

data/lib/tfctl/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Tfctl
-    VERSION = '1.4.0'
+    VERSION = '1.6.1'
 end

data/tfctl.gemspec

@@ -20,7 +20,6 @@ Gem::Specification.new do |spec|
     end
     spec.bindir        = 'bin'
     spec.executables   = spec.files.grep(%r{^bin/tfctl}) { |f| File.basename(f) }
-    spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
     spec.require_paths = ['lib']
 
     spec.required_ruby_version = '>= 2.5.0'
@@ -36,4 +35,5 @@ Gem::Specification.new do |spec|
     spec.add_development_dependency 'rspec',         '~> 3.9'
     spec.add_development_dependency 'rubocop',       '~> 1.3'
     spec.add_development_dependency 'rubocop-rspec', '~> 2.2'
+    spec.metadata['rubygems_mfa_required'] = 'true'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tfctl
 version: !ruby/object:Gem::Version
-  version: 1.4.0
+  version: 1.6.1
 platform: ruby
 authors:
 - Andrew Wasilczuk
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-06-23 00:00:00.000000000 Z
+date: 2022-08-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-organizations
@@ -164,6 +164,7 @@ files:
 - examples/control_tower/modules/s3-bucket/variables.tf
 - examples/control_tower/profiles/example-profile/data.tf
 - examples/control_tower/profiles/example-profile/main.tf
+- examples/control_tower/profiles/example-profile/terraform.tf
 - examples/control_tower/profiles/example-profile/variables.tf
 - examples/control_tower/tfctl.yaml
 - lib/hash.rb
@@ -180,7 +181,8 @@ files:
 homepage: https://github.com/scalefactory/tfctl
 licenses:
 - MIT
-metadata: {}
+metadata:
+  rubygems_mfa_required: 'true'
 post_install_message: 
 rdoc_options: []
 require_paths: