feat: add iam_member resource and uodate GH actions (#11)

SweetOps · Mar 17, 2021 · c9f7672 · c9f7672
1 parent 6c83a5b
commit c9f7672
Show file tree

Hide file tree

Showing 13 changed files with 229 additions and 34 deletions.
diff --git a/.github/auto-release.yml b/.github/auto-release.yml
@@ -0,0 +1,59 @@
+name-template: 'v$RESOLVED_VERSION'
+tag-template: '$RESOLVED_VERSION'
+version-template: '$MAJOR.$MINOR.$PATCH'
+version-resolver:
+  major:
+    labels:
+    - 'major'
+  minor:
+    labels:
+    - 'minor'
+    - 'enhancement'
+    - 'feat'
+  patch:
+    labels:
+    - 'auto-update'
+    - 'patch'
+    - 'fix'
+    - 'bugfix'
+    - 'bug'
+    - 'hotfix'
+    - 'refactor'
+    - 'ci'
+    - 'build'
+    - 'docs'
+    - 'test'
+    - 'chore'
+  default: 'minor'
+
+categories:
+- title: '🚀 Enhancements'
+  labels:
+  - 'minor'
+  - 'enhancement'
+  - 'feat'
+- title: '🐛 Bug Fixes'
+  labels:
+  - 'auto-update'
+  - 'patch'
+  - 'fix'
+  - 'bugfix'
+  - 'bug'
+  - 'hotfix'
+  - 'refactor'
+  - 'ci'
+  - 'build'
+  - 'docs'
+  - 'test'
+  - 'chore'
+- title: '🤖 Automatic Updates'
+  labels:
+  - 'auto-update'
+
+change-template: |
+  <details>
+    <summary>$TITLE @$AUTHOR (#$NUMBER)</summary>
+    $BODY
+  </details>
+template: |
+  $CHANGES
diff --git a/.github/labeler.yml b/.github/labeler.yml
@@ -0,0 +1,27 @@
+version: v1
+
+labels:
+  - label: "feat"
+    matcher:
+      title: "^feat:.*"
+  - label: "fix"
+    matcher:
+      title: "^fix:.*"
+  - label: "ci"
+    matcher:
+      title: "^ci:.*"
+  - label: "chore"
+    matcher:
+      title: "^chore:.*"
+  - label: "build"
+    matcher:
+      title: "^build:.*"
+  - label: "docs"
+    matcher:
+      title: "^docs:.*"
+  - label: "refactor"
+    matcher:
+      title: "^refactor:.*"
+  - label: "test"
+    matcher:
+      title: "^test:.*"
diff --git a/.github/labels.yml b/.github/labels.yml
@@ -0,0 +1,57 @@
+---
+# Default GitHub labels
+- color: d73a4a
+  name: bug
+  description: Something isn't working
+- color: cfd3d7
+  name: duplicate
+  description: This issue or pull request already exists
+- color: a2eeef
+  name: enhancement
+  description: New feature or request
+- color: 7057ff
+  name: good first issue
+  description: Good for newcomers
+- color: 008672
+  name: help wanted
+  description: Extra attention is needed
+- color: e4e669
+  name: invalid
+  description: This doesn't seem right
+- color: d876e3
+  name: question
+  description: Further information is requested
+- color: ffffff
+  name: wontfix
+  description: This will not be worked on
+
+- color: a0040c
+  name: no-pr-activity
+  description: stalled PR
+- color: d93f0b
+  name: no-issue-activity
+  description: stalled issue
+- color: f9dcbd
+  name: build
+  description: Changes that affect the build system or external dependencies
+- color: 63dae2
+  name: ci
+  description: Changes to our CI configuration files and scripts
+- color: 6e93e5
+  name: docs
+  description: Documentation only changes
+- color: 5edb3f
+  name: feat
+  description: A new feature
+- color: 58e8c8
+  name: fix
+  description: A bug fix
+- color: efada0
+  name: refactor
+  description: A code change that neither fixes a bug nor adds a feature
+- color: 1d76db
+  name: test
+  description: Adding missing tests or correcting existing tests
+- color: dfb443
+  name: chore
+  description: Adding missing tests or correcting existing tests
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -1,6 +1,7 @@
 name: Generate terraform docs
 on:
-  - pull_request
+  pull_request_target:
+
 jobs:
   docs:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -0,0 +1,13 @@
+name: Auto Label
+on:
+  pull_request_target:
+
+jobs:
+  labeler:
+    name: Labeler
+    runs-on: ubuntu-latest
+    steps:
+      - uses: fuxingloh/[email protected] 
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          config-path: .github/labeler.yml
diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml
@@ -0,0 +1,17 @@
+---
+name: Sync labels in the declarative way
+on:
+  push:
+    branches:
+      - master
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/[email protected]
+      - uses: micnncim/[email protected]
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+        with:
+          manifest: .github/labels.yml
diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml
@@ -1,11 +1,6 @@
 name: Lint PR
 on:
-  pull_request:
-    types:
-      - opened
-      - reopened
-      - edited
-      - synchronize
+  pull_request_target:
 
 jobs:
   main:
@@ -38,3 +33,4 @@ jobs:
             * **refactor**: A code change that neither fixes a bug nor adds a feature
             * **style**: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
             * **test**: Adding missing tests or correcting existing tests
+            * **chore**: No production code change
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,17 +1,20 @@
-name: Release
+
+name: Release Drafter
+
 on:
   push:
-    tags:
-      - "v*"
+    branches:
+    - master
+
 jobs:
-  release-notary:
-    name: Release-notary
+  publish:
     runs-on: ubuntu-latest
     steps:
-      - name: Check out code
-        uses: actions/checkout@v2
-
-      - name: Release Notary Action
-        uses: commitsar-app/[email protected]
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    # Drafts your next Release notes as Pull Requests are merged into "master"
+    - uses: release-drafter/release-drafter@v5
+      with:
+        publish: true
+        prerelease: false
+        config-name: auto-release.yml
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -0,0 +1,21 @@
+name: Mark stale issues and pull requests
+
+on:
+  schedule:
+  - cron: "0 12 * * *"
+
+jobs:
+  stale:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/stale@v1
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days'
+        stale-pr-message: 'This pull-request is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days'
+        stale-issue-label: 'no-issue-activity'
+        stale-pr-label: 'no-pr-activity'
+        days-before-stale: 30
+        days-before-close: 5
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -1,13 +1,14 @@
 name: 'Validate TF manifests'
 on:
-  - pull_request
+  pull_request_target:
+
 jobs:
   terraform:
     name: Terraform
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@master
 
       - name: Terraform
         uses: hashicorp/setup-terraform@v1

diff --git a/examples/basic/versions.tf b/examples/basic/versions.tf
@@ -5,5 +5,5 @@ terraform {
       version = ">= 3.0"
     }
   }
-  required_version = ">= 0.13"
+  required_version = ">= 0.14"
 }
diff --git a/main.tf b/main.tf
@@ -1,17 +1,21 @@
 locals {
   service_account_key_enabled = module.this.enabled && var.create_service_account_key
+  iam_policy_enabled          = module.this.enabled && length(var.roles) > 0
+  iam_policy_count            = module.this.enabled && length(var.roles) > 0 ? length(var.roles) : 0
 }
 
 resource "google_service_account" "default" {
-  count        = module.this.enabled ? 1 : 0
+  count = module.this.enabled ? 1 : 0
+
   account_id   = module.this.id
   display_name = module.this.id
   description  = var.description
   project      = var.project
 }
 
 resource "google_service_account_key" "default" {
-  count              = local.service_account_key_enabled ? 1 : 0
+  count = local.service_account_key_enabled ? 1 : 0
+
   service_account_id = join("", google_service_account.default.*.name)
   key_algorithm      = var.key_algorithm
   public_key_type    = var.public_key_type
@@ -20,14 +24,10 @@ resource "google_service_account_key" "default" {
   keepers            = var.keepers
 }
 
-data "google_iam_policy" "default" {
-  count = module.this.enabled ? 1 : 0
+resource "google_project_iam_member" "default" {
+  count = local.iam_policy_count
 
-  dynamic "binding" {
-    for_each = toset(var.roles)
-    content {
-      role    = binding.key
-      members = [format("serviceAccount:%s", join("", google_service_account.default.*.email))]
-    }
-  }
+  project = var.project
+  role    = var.roles[count.index]
+  member  = format("serviceAccount:%s", join("", google_service_account.default.*.email))
 }
diff --git a/versions.tf b/versions.tf
@@ -5,5 +5,5 @@ terraform {
       version = ">= 3.0"
     }
   }
-  required_version = ">= 0.13"
+  required_version = ">= 0.14"
 }