made few improvements to the module (#4)

komminarlabs · Dec 19, 2023 · 9115c08 · 9115c08
1 parent c73a129
commit 9115c08
Show file tree

Hide file tree

Showing 12 changed files with 330 additions and 189 deletions.
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -4,55 +4,140 @@ name: Terraform
 on:
   pull_request:
 
+permissions:
+  contents: write
+  pull-requests: write
+
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 jobs:
-  terraform-fmt:
+  fmt-lint-validate:
     runs-on: ubuntu-latest
     steps:
-      - name: Check out code
-        uses: actions/checkout@master
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
+
+      - name: Setup Terraform Linters
+        uses: terraform-linters/setup-tflint@v4
+        with:
+          github_token: ${{ env.GITHUB_TOKEN }}
+
       - name: Terraform Format
-        uses: hashicorp/terraform-github-actions@master
+        id: fmt
+        run: terraform fmt -check -recursive
+
+      - name: Terraform Init
+        id: init
+        run: terraform init
+
+      - name: Terraform Validate
+        id: validate
+        run: terraform validate -no-color
+
+      - name: Terraform Lint
+        id: lint
+        run: tflint --no-color --recursive --format compact
+
+      - uses: actions/github-script@v6
+        if: github.event_name == 'pull_request' || always()
         with:
-          tf_actions_version: latest
-          tf_actions_subcommand: fmt
-          tf_actions_comment: true
+          github-token: ${{ env.GITHUB_TOKEN }}
+          script: |
+            // 1. Retrieve existing bot comments for the PR
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+            })
+            const botComment = comments.find(comment => {
+              return comment.user.type === 'Bot' && comment.body.includes('Terraform Format and Style')
+            })
+
+            // 2. Prepare format of the comment
+            const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
+            #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
+            #### Terraform Lint 📖\`${{ steps.lint.outcome }}\`
+            #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
+            <details><summary>Validation Output</summary>
 
-  terraform-validate:
+            \`\`\`\n
+            ${{ steps.validate.outputs.stdout }}
+            \`\`\`
+
+            </details>`;
+
+            // 3. If we have a comment, update it, otherwise create a new one
+            if (botComment) {
+              github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: botComment.id,
+                body: output
+              })
+            } else {
+              github.rest.issues.createComment({
+                issue_number: context.issue.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                body: output
+              })
+            }
+  
+  tfsec:
     runs-on: ubuntu-latest
     steps:
-      - name: Check out code
-        uses: actions/checkout@master
-      - name: Terraform Init
-        uses: hashicorp/terraform-github-actions@master
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Terraform security scan
+        uses: aquasecurity/[email protected]
         with:
-          tf_actions_version: latest
-          tf_actions_subcommand: init
-          tf_actions_comment: true
-      - name: Terraform Validate
-        uses: hashicorp/terraform-github-actions@master
-        env:
-          AWS_DEFAULT_REGION: eu-west-1
+          github_token: ${{ env.GITHUB_TOKEN }}
+          soft_fail: false
+
+      - name: Terraform pr commenter
+        uses: aquasecurity/[email protected]
         with:
-          tf_actions_version: latest
-          tf_actions_subcommand: validate
-          tf_actions_comment: true
+          github_token: ${{ env.GITHUB_TOKEN }}
+          tfsec_args: --concise-output --force-all-dirs
 
-  terraform-docs:
+  checkov:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
+
+      - name: Run Checkov
+        uses: bridgecrewio/[email protected]
+        with:
+          container_user: 1000
+          directory: "/"
+          download_external_modules: false
+          framework: terraform
+          output_format: sarif
+          quiet: true
+          skip_check: "CKV_TF_1,CKV_AWS_108,CKV_AWS_109,CKV_AWS_111,CKV_AWS_356"
+          soft_fail: false
+
+  docs:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.ref }}
-      - name: Update module usage docs and push any changes back to PR branch
-        uses: Dirrk/[email protected]
+
+      - name: Render terraform docs inside the README.md and push changes back to PR branch
+        uses: terraform-docs/[email protected]
         with:
-          tf_docs_args: '--sort-inputs-by-required'
-          tf_docs_git_commit_message: 'terraform-docs: Update module usage'
-          tf_docs_git_push: 'true'
-          tf_docs_output_file: README.md
-          tf_docs_output_method: inject
-          tf_docs_find_dir: .
+          args: --sort-by required
+          git-commit-message: "docs(readme): update module usage"
+          git-push: true
+          output-file: README.md
+          output-method: inject
+          working-dir: .
+        continue-on-error: true # added this to prevent a PR from a remote fork failing the workflow
diff --git a/README.md b/README.md
@@ -37,3 +37,60 @@ Terraform module to create and manage a SageMaker studio
 | user\_profile | The attributes of the users of sagemaker domain |
 
 <!--- END_TF_DOCS --->
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.62.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.62.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_efs_backup_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_backup_policy) | resource |
+| [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_sagemaker_domain.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sagemaker_domain) | resource |
+| [aws_sagemaker_studio_lifecycle_config.jupyter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sagemaker_studio_lifecycle_config) | resource |
+| [aws_sagemaker_studio_lifecycle_config.kernel](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sagemaker_studio_lifecycle_config) | resource |
+| [aws_sagemaker_user_profile.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sagemaker_user_profile) | resource |
+| [aws_iam_policy_document.assume_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_name"></a> [name](#input\_name) | The name for the sagemaker resources | `string` | n/a | yes |
+| <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | The subnet ids | `list(string)` | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | A mapping of tags to assign to the resources | `map(string)` | n/a | yes |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The VPC id | `string` | n/a | yes |
+| <a name="input_app_network_access_type"></a> [app\_network\_access\_type](#input\_app\_network\_access\_type) | Specifies the VPC used for non-EFS traffic | `string` | `"VpcOnly"` | no |
+| <a name="input_auth_mode"></a> [auth\_mode](#input\_auth\_mode) | The mode of authentication that members use to access the domain | `string` | `"IAM"` | no |
+| <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | The kms key id of the AWS KMS Customer Managed Key to be used to encrypt the EFS volume attached to the domain | `string` | `null` | no |
+| <a name="input_lcc_python_kernel"></a> [lcc\_python\_kernel](#input\_lcc\_python\_kernel) | Specifies the custom lifecycle config file | `string` | `null` | no |
+| <a name="input_role_arn"></a> [role\_arn](#input\_role\_arn) | The arn of the IAM role to use for sagemaker | `string` | `null` | no |
+| <a name="input_security_groups"></a> [security\_groups](#input\_security\_groups) | The security groups | `list(string)` | `null` | no |
+| <a name="input_user_profiles"></a> [user\_profiles](#input\_user\_profiles) | The subnet ids | `list(string)` | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_domain"></a> [domain](#output\_domain) | The attributes of the sagemaker domain |
+| <a name="output_user_profile"></a> [user\_profile](#output\_user\_profile) | The attributes of the users of sagemaker domain |
+<!-- END_TF_DOCS -->
diff --git a/efs.tf b/efs.tf
@@ -0,0 +1,7 @@
+resource "aws_efs_backup_policy" "default" {
+  file_system_id = aws_sagemaker_domain.default.home_efs_file_system_id
+
+  backup_policy {
+    status = "ENABLED"
+  }
+}
diff --git a/examples/README.md b/examples/README.md
diff --git a/examples/example.tf b/examples/example.tf
@@ -1,5 +1,5 @@
 module "example_studio" {
-  source                  = "github.com/komminar/terraform-aws-sagemaker-studio?ref=v0.1.0"
+  source                  = "github.com/komminarlab/terraform-aws-sagemaker-studio?ref=v1.0.0"
   name                    = "example-studio"
   app_network_access_type = "VpcOnly"
   subnet_ids              = aws_subnet.private[*].id
@@ -12,6 +12,6 @@ module "example_studio" {
 
   tags = {
     Environment = "development"
-    Stack       = "glue"
+    Stack       = "sagemaker"
   }
 }