Remove legacy modules lock check from cicd (#209)
christian-calabrese authored Jan 16, 2025
1 parent 7072bc5 commit 5eb5b03
Showing 2 changed files with 0 additions and 155 deletions.
74 changes: 0 additions & 74 deletions .github/workflows/infra_apply.yaml
Expand Up @@ -124,80 +124,6 @@ jobs:
run: |
terraform init
- name: Check terraform registry modules hashes
id: check-terraform-registry-modules-hashes
working-directory: ${{ steps.directory.outputs.dir }}
run: |
set -euo pipefail
MODULES_DIR=".terraform/modules"
MODULES_METADATA=".terraform/modules/modules.json"
REGISTRY_URL="registry.terraform.io"
HASHES_FILE="tfmodules.lock.json"
# Check if modules metadata exists
if [ ! -f "$MODULES_METADATA" ]; then
echo "Error: Modules metadata file $MODULES_METADATA not found. Did you run 'terraform init'?"
exit 1
fi
# Check for modules sourced from the Terraform registry
registry_modules=$(jq --arg registry_url "$REGISTRY_URL" \
'.Modules[] | select(.Source | contains($registry_url)) | .Key' \
"$MODULES_METADATA")
if [ -z "$registry_modules" ]; then
echo "No Terraform modules from the registry were found. No lock file check needed."
exit 0
fi
echo "Terraform modules from the registry were found. Checking for $HASHES_FILE..."
# Check if the lock file exists if there are registry modules
if [ ! -f "$HASHES_FILE" ]; then
echo "Error: $HASHES_FILE is missing. Please ensure it exists and is up to date."
exit 1
fi
echo "$HASHES_FILE is present. Proceeding..."
calculate_hash() {
local module_path="$1"
tar --exclude=.* -cvf - "$module_path" | sha256sum | awk '{ print $1 }'
}
# Iterate over modules listed in the metadata that were sourced from the Terraform registry
jq -r --arg registry_url "$REGISTRY_URL" \
'.Modules[] | select(.Source | contains($registry_url)) | .Key' \
"$MODULES_METADATA" | while read -r module_key; do
module_path="$MODULES_DIR/$module_key"
if [ -d "$module_path" ]; then
module_name=$(basename "$module_path")
new_hash=$(calculate_hash "$module_path")
# Retrieve the previous hash
previous_hash=$(jq -r --arg module "$module_name" '.[$module]' "$HASHES_FILE")
if [ "$previous_hash" = "null" ] || [ -z "$previous_hash" ]; then
# The hash for the current module is not found
echo "Error: the hash for module $module_name is missing in $HASHES_FILE. Please ensure it exists and is up to date."
exit 1
else
# Compare the hashes
if [ "$previous_hash" == "$new_hash" ]; then
echo "The module $module_name has not changed."
else
echo "The module $module_name has changed!"
# Exit with an error if the module has changed
exit 1
fi
fi
else
echo "Module path $module_path not found."
fi
done
- name: Terraform Plan
working-directory: ${{ steps.directory.outputs.dir }}
run: |
81 changes: 0 additions & 81 deletions .github/workflows/infra_plan.yaml
Expand Up @@ -121,87 +121,6 @@ jobs:
run: |
terraform init
- name: Check terraform registry modules hashes
id: check-terraform-registry-modules-hashes
working-directory: ${{ steps.directory.outputs.dir }}
run: |
set -euo pipefail
MODULES_DIR=".terraform/modules"
MODULES_METADATA=".terraform/modules/modules.json"
REGISTRY_URL="registry.terraform.io"
HASHES_FILE="tfmodules.lock.json"
# Check if modules directory exists, exit if not
if [ ! -d "$MODULES_DIR" ]; then
echo "No modules directory found. Skipping module check."
exit 0
fi
# Check if modules metadata exists, exit if not
if [ ! -f "$MODULES_METADATA" ]; then
echo "No modules metadata file found. Skipping module check."
exit 0
fi
# Check for modules sourced from the Terraform registry
registry_modules=$(jq --arg registry_url "$REGISTRY_URL" \
'.Modules[] | select(.Source | contains($registry_url)) | .Key' \
"$MODULES_METADATA")
if [ -z "$registry_modules" ]; then
echo "No Terraform modules from the registry were found. No lock file check needed."
exit 0
fi
echo "Terraform modules from the registry were found. Checking for $HASHES_FILE..."
# Check if the lock file exists if there are registry modules
if [ ! -f "$HASHES_FILE" ]; then
echo "Error: $HASHES_FILE is missing. Please ensure it exists and is up to date."
exit 1
fi
echo "$HASHES_FILE is present. Proceeding..."
calculate_hash() {
local module_path="$1"
tar --exclude=.* -cvf - "$module_path" | sha256sum | awk '{ print $1 }'
}
# Iterate over modules listed in the metadata that were sourced from the Terraform registry
jq -r --arg registry_url "$REGISTRY_URL" \
'.Modules[] | select(.Source | contains($registry_url)) | .Key' \
"$MODULES_METADATA" | while read -r module_key; do
module_path="$MODULES_DIR/$module_key"
if [ -d "$module_path" ]; then
module_name=$(basename "$module_path")
new_hash=$(calculate_hash "$module_path")
# Retrieve the previous hash
previous_hash=$(jq -r --arg module "$module_name" '.[$module]' "$HASHES_FILE")
if [ "$previous_hash" = "null" ] || [ -z "$previous_hash" ]; then
# The hash for the current module is not found
echo "Error: the hash for module $module_name is missing in $HASHES_FILE. Please ensure it exists and is up to date."
exit 1
else
# Compare the hashes
if [ "$previous_hash" == "$new_hash" ]; then
echo "The module $module_name has not changed."
else
echo "The module $module_name has changed!"
# Exit with an error if the module has changed
exit 1
fi
fi
else
echo "Module path $module_path not found."
fi
done
# Run Terraform Plan
# The plan output is saved in a file and then processed to remove unnecessary lines
# The step never fails but the result is checked in the next step
