tfctl 0.2.0 → 1.0.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c01c64c623610d77abd88401c0bbea5d56eb4963b58d7ad3178a777d5d297ead
-  data.tar.gz: f6bbe78e0bc1f504105bcfa3362ce90368e5cd79b4b075a92e57b8adadbce1c1
+  metadata.gz: 7851ad9d647739e471f8d430dace8564f16f403f3a7e7ffb98e21384db641f53
+  data.tar.gz: d52713addc4006e2e67f5c3fce56941697d4a9edfb6bea08953c76eeb673c2f1
 SHA512:
-  metadata.gz: 2eb1394b05e67619f9a2498348f4a1f96b2eb4bf0afd7252c74d822c3f35e08a6bc953c7eae95388ab2a5e34f5c8c7dbde91db9f59f0f02cbba51e23030542e2
-  data.tar.gz: a17c9e00867b95243e47ddc495a662a2464dcc251148fb7bfd51e8c380de6845235a4b7411fd5c833cbcdb5c3f582ff2bbbafc21f5c7bb2bb707c3955cfd9381
+  metadata.gz: 10f6a9bce18e905d787783a6f61a3f93724b4809d1c7f2c7e7c1edc155ba2c14b17a97096140f790c9b7e250dc4fd24f7af5c86fefea8139d25e1b15dddc65d3
+  data.tar.gz: 9e81ab6abbc15df5917ea6b23a1b167a2cd745e057d462ce0e28db47b27c6f12477c62293893c59f1977c5c406df31dbb797818fc27978b5bd9255a12bd86370

data/CHANGELOG.adoc

@@ -1,5 +1,15 @@
 = Changelog
 
+== 1.0.0-rc1 (unreleased)
+
+* feat(config): JSON schema config validation
+* feat(config): added 'data' parameter
+
+BREAKING CHANGE: This release moves user defined data under a separate `data`
+parameter so it can be easily distinguished from parameters required by tfctl.
+Configuration file will need to be updated to reflect this to pass validation.
+
+
 == 0.2.0
 
 * feat: configurable Terraform and AWS provider version requirements

data/README.adoc

@@ -1,19 +1,40 @@
-:toc:
+// Settings:
+:idprefix:
+:idseparator: -
+ifndef::env-github[:icons: font]
+ifdef::env-github,env-browser[]
+:toc: macro
+:toclevels: 1
+endif::[]
+ifdef::env-github[]
+:branch: master
+:status:
+:outfilesuffix: .adoc
+:!toc-title:
+:caution-caption: :fire:
+:important-caption: :exclamation:
+:note-caption: :paperclip:
+:tip-caption: :bulb:
+:warning-caption: :warning:
+endif::[]
 
 = tfctl
 
 image:https://travis-ci.org/scalefactory/tfctl.svg?branch=master["Build Status", link="https://travis-ci.org/scalefactory/tfctl"]
 image:https://badge.fury.io/rb/tfctl.svg["Gem Version", link="https://badge.fury.io/rb/tfctl"]
+image:https://img.shields.io/badge/terraform-0.12-blue.svg["Terraform 0.12", link="https://img.shields.io/badge/terraform-0.12-blue"]
+
+toc::[]
 
 == Overview
 
 Tfctl is a small Terraform wrapper for working with multi-account AWS
 infrastructures where new accounts may be created dynamically and on-demand.
 
-Discovers accounts by reading the AWS Organizations API and can assign
-Terraform resources to accounts based on the organization hierarchy.  Resources
-can be assigned globally, based on organization unit or individual accounts.
-It supports nested OU hierarchies.
+It discovers accounts by reading the AWS Organizations API and can assign
+Terraform resources to multiple accounts based on the organization hierarchy.
+Resources can be assigned globally, based on organization unit or to individual
+accounts.  It supports nested OU hierarchies and helps keep your Terraform DRY.
 
 Tfctl was originally developed to integrate Terraform with
 https://aws.amazon.com/solutions/aws-landing-zone/[AWS Landing Zone] and

data/bin/tfctl

@@ -150,6 +150,7 @@ begin
     log.info 'Working out AWS account topology'
 
     yaml_config = YAML.safe_load(File.read(options[:config_file]))
+    Tfctl::Schema.validate(yaml_config)
     yaml_config.symbolize_names!
 
     org_units = yaml_config[:organization_units].keys
@@ -212,4 +213,11 @@ begin
 rescue Tfctl::Error => e
     log.error(e)
     exit 1
+rescue Tfctl::ValidationError => e
+    log.error(e)
+    e.issues.each do |issue|
+        log.error("Parameter: #{issue[:data_pointer]}") unless issue[:data_pointer] == ''
+        log.error(issue[:details]) unless issue[:details].nil?
+    end
+    exit 2
 end

data/docs/configuration.adoc

@@ -1,7 +1,7 @@
 == Configuration
 
 Tfctl retrieves initial account configuration from AWS Organizations and merges
-it with organization config specified in the yaml file.
+it with configuration specified in a yaml file.
 
 The configuration is merged in the following order:
 
@@ -15,13 +15,16 @@ Parameters further down the hierarchy take precedence.  For example:
 [source, yaml]
 ----
 organization_root:
-  example_param: 'will be overriden further down'
+  data:
+    example_param: 'will be overriden further down'
 
 organization_units:
   team:
-    example_param: 'will win in team ou'
+    data:
+      example_param: 'will win in team ou'
   team/live:
-    example_param: 'will win in team/live ou'
+    data:
+      example_param: 'will win in team/live ou'
 ----
 
 One exception to this rule is the `profiles` parameter.  Profiles are additive:
@@ -45,6 +48,15 @@ TIP: You can display the fully merged configuration by running `tfctl -c
 conf/CONFIG_FILE.yaml -s`.  It's safe to run as it doesn't make any changes to
 AWS resources.  It's a good way to test your configuration.
 
+=== Defining arbitrary data
+
+You can define arbitrary data under the `data:` parameter, both in the root of
+the config and in the organization sections.  It will be available in Terraform
+profiles to use by your modules.  You can use this to define things like VPC
+subnet ranges, s3 bucket names and so on.  `data:` in organization sections
+will be merged with accounts following the usual merge order as described
+above.
+
 === Handling secrets
 
 No secrets should be committed into Terraform or tfctl configuration.  Use AWS

data/examples/control_tower/conf/example.yaml

@@ -12,8 +12,6 @@
 # Terraform configuration
 #
 
-# State management
-
 tf_state_bucket: 'CHANGEME'
 tf_state_dynamodb_table: 'terraform-lock'
 tf_state_region: 'eu-west-1'
@@ -26,47 +24,57 @@ aws_provider_version: '>= 2.14'
 tfctl_role_arn: 'arn:aws:iam::PRIMARY_ACCOUNT_ID:role/TfctlRole'
 
 #
-# Organization configuration
+# Data
+#
+# Here you can add arbitrary data which will be accessible from Terraform
+# profiles.  Data can also be defined per account in the organization sections
+# below.
 #
+# data:
+#   my_parameter: some_value
 
+#
+# Organization configuration
+#
+# Assign resources and data to accounts based on the organization structure.
+#
 # IMPORTANT: Removing a Terraform profile here will remove all of it's
-#            associated resources in AWS!
-
-# Name of the primary account.
-primary_account: CHANGEME
+#            associated resources during next apply!
 
-# Configuration to apply in all accounts
+# Configuration to apply to all accounts
 organization_root:
-
   # Role assumed by Terraform for execution in each account
   tf_execution_role: 'AWSControlTowerExecution'
   region: 'eu-west-1'
-  # Bucket name used by example profile it will be prefixed with the target
-  # account number for uniqueness across accounts.
-  example_bucket_name: 'tfctl-example-bucket'
+  data:
+    # Bucket name used by example profile it will be prefixed with the target
+    # account number for uniqueness across accounts.
+    example_bucket_name: 'tfctl-example-bucket'
   # Assign example-profile to all accounts in managed OUs
   profiles:
     - example-profile
 
 # Configuration to apply to accounts in Organization Units
-# Units not listed here will be ignored
+# OU's not listed here will be ignored.
 organization_units:
-  # Uncomment if you want to include Core OU accounts
-  # Core: {}
+  # Core: {} # Uncomment if you want to include Core OU accounts
   live: {}
   test: {}
   mgmt:
-    # Override the example bucket name in mgmt OU accounts
-    example_bucket_name: 'tfctl-ou-override-example'
+    data:
+      # Override the example bucket name in mgmt OU accounts
+      example_bucket_name: 'tfctl-ou-override-example'
 
 # Configuration to apply to individual accounts
 account_overrides:
   test-example1:
-    # Override the bucket name in a specific account
-    example_bucket_name: 'tfctl-account-override-example'
+    data:
+      # Override the bucket name in a specific account
+      example_bucket_name: 'tfctl-account-override-example'
 
 
-# Exclude individual accounts from Terraform runs.
-#exclude_accounts:
-#   - Audit
-#   - 'Log archive'
+# Exclude individual accounts from Terraform runs
+#
+# exclude_accounts:
+#    - Audit
+#    - 'Log archive'

data/lib/tfctl.rb

@@ -1,9 +1,10 @@
 # frozen_string_literal: true
 
+require_relative 'tfctl/aws_org.rb'
 require_relative 'tfctl/config.rb'
-require_relative 'tfctl/generator.rb'
-require_relative 'tfctl/executor.rb'
 require_relative 'tfctl/error.rb'
+require_relative 'tfctl/executor.rb'
+require_relative 'tfctl/generator.rb'
 require_relative 'tfctl/logger.rb'
-require_relative 'tfctl/aws_org.rb'
+require_relative 'tfctl/schema.rb'
 require_relative 'tfctl/version.rb'

data/lib/tfctl/error.rb

@@ -3,4 +3,13 @@
 module Tfctl
     class Error < StandardError
     end
+
+    class ValidationError < StandardError
+        attr_reader :issues
+
+        def initialize(message, issues = [])
+            super(message)
+            @issues = issues
+        end
+    end
 end

data/lib/tfctl/schema.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+require 'json_schemer'
+require_relative 'error.rb'
+
+# Config validator using JSON schema
+
+module Tfctl
+    module Schema
+        class << self
+
+            def validate(data)
+                schemer = JSONSchemer.schema(main_schema)
+                issues = []
+                schemer.validate(data).each do |issue|
+                    issues << {
+                        details:      issue['details'],
+                        data_pointer: issue['data_pointer'],
+                    }
+                end
+
+                return if issues.empty?
+
+                raise Tfctl::ValidationError.new('Config validation failed', issues)
+            end
+
+            private
+
+            def main_schema
+                iam_arn_pattern = 'arn:aws:iam:[a-z\-0-9]*:[0-9]{12}:[a-zA-Z\/+@=.,]*'
+
+                # rubocop:disable Layout/AlignHash
+                {
+                    'type'       => 'object',
+                    'properties' => {
+                        'tf_state_bucket'         => { 'type' => 'string' },
+                        'tf_state_role_arn'       => {
+                            'type'    => 'string',
+                            'pattern' => iam_arn_pattern,
+                        },
+                        'tf_state_dynamodb_table' => { 'type' => 'string' },
+                        'tf_state_region'         => { 'type' => 'string' },
+                        'tf_required_version'     => { 'type' => 'string' },
+                        'aws_provider_version'    => { 'type' => 'string' },
+                        'tfctl_role_arn'          => {
+                            'type'    => 'string',
+                            'pattern' => iam_arn_pattern,
+                        },
+                        'data'                    => { 'type' => 'object' },
+                        'exclude_accounts'        => { 'type' => 'array' },
+                        'organization_root'       => org_schema,
+                        'organization_units'      => org_schema,
+                        'account_overrides'       => org_schema,
+                    },
+                    'required'   => %w[
+                        tf_state_bucket
+                        tf_state_role_arn
+                        tf_state_dynamodb_table
+                        tf_state_region
+                        tfctl_role_arn
+                    ],
+                    'additionalProperties' => false,
+                }
+                # rubocop:enable Layout/AlignHash
+            end
+
+            def org_schema
+                {
+                    'type'       => 'object',
+                    'properties' => {
+                        'profiles'          => { 'type'=> 'array' },
+                        'data'              => { 'type'=> 'object' },
+                        'tf_execution_role' => { 'type'=> 'string' },
+                        'region'            => { 'type'=> 'string' },
+                    },
+                }
+            end
+        end
+    end
+end

data/lib/tfctl/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Tfctl
-    VERSION = '0.2.0'
+    VERSION = '1.0.0.rc1'
 end

data/tfctl.gemspec

@@ -26,6 +26,7 @@ Gem::Specification.new do |spec|
     # Think when adding new dependencies.  Is it really necessary?
     # "The things you own end up owning you" etc.
     spec.add_dependency 'aws-sdk-organizations', '~> 1.13'
+    spec.add_dependency 'json_schemer',          '~> 0.2'
     spec.add_dependency 'parallel',              '~> 1.17'
     spec.add_dependency 'terminal-table',        '~> 1.8'
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: tfctl
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 1.0.0.rc1
 platform: ruby
 authors:
 - Andrew Wasilczuk
@@ -24,6 +24,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.13'
+- !ruby/object:Gem::Dependency
+  name: json_schemer
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
 - !ruby/object:Gem::Dependency
   name: parallel
   requirement: !ruby/object:Gem::Requirement
@@ -135,6 +149,7 @@ files:
 - lib/tfctl/executor.rb
 - lib/tfctl/generator.rb
 - lib/tfctl/logger.rb
+- lib/tfctl/schema.rb
 - lib/tfctl/version.rb
 - tfctl.gemspec
 homepage: https://github.com/scalefactory/tfctl
@@ -152,9 +167,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
 rubygems_version: 2.7.7