Releases: suzuki-shunsuke/tfaction

v1.12.0

05 Nov 01:16

Issues | Pull Requests | v1.11.2...v1.12.0 | Base revision

Features

#1982 Install dependencies

setup and list-targets actions install the following tools via aqua and AQUA_GLOBAL_CONFIG.

  • ci-info
  • conftest
  • gh
  • ghcp
  • github-comment
  • terraform-config-inspect
  • terraform-docs
  • tfaction-go
  • tfcmt
  • tfmigrate

tfaction installs these tools securely via checksum verification.

So you no longer need to install these tools yourself, but you can still override them with your own aqua.yaml, because your own aqua.yaml takes precedence over $AQUA_GLOBAL_CONFIG.

On the other hand, you still have to install the following tools yourself if necessary.

  • tfsec
  • tflint
  • trivy
  • Terraform
  • tfprovidercheck

If you want to hide old comments, you still have to install and run github-comment yourself.
If you want to verify conftest policies via conftest verify, you still need to install and run conftest yourself.

Fixes

#1987 #1988 ignore tfaction.yaml out of target_groups

v1.11.2

01 Nov 04:22

Issues | Pull Requests | v1.11.1...v1.11.2 | Base revision

Bug Fixes

#1975 list-targets: Fix a bug Error: No target is found for the working directory when updating a nested module

v1.11.2-1

01 Nov 00:56
v1.11.2-1 Pre-release

v1.11.1

18 Oct 12:57

Issues | Pull Requests | v1.11.0...v1.11.1 | Base revision

Bug Fixes

#1936 terraform-plan: Skip conftest if a skip label is set

v1.11.0

18 Oct 00:21

Issues | Pull Requests | v1.10.0...v1.11.0 | Base revision

Features

#1931 #1934 Enable you to change AWS IAM Role session name and improve the default session name @ponkio-o

You can now configure the AWS IAM Role session name with aws_role_session_name.
This is optional.

Warning

The maximum length of the session name is 64.
It must also match the regular expression pattern [\w+=,.@-]*.

terraform_plan_config:
  aws_role_session_name: tfplan

And the default session name is improved.

  1. tfaction-{plan or apply}-{normalized target}-${GitHub Actions Run ID}
  2. tfaction-{plan or apply}-{normalized target}
  3. tfaction-{plan or apply}-${GitHub Actions Run ID}
  4. tfaction-{plan or apply}

Each / in the default target is converted to _.
If the target is too long, it is removed from the default session name.
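
The naming rules above, worked through as an added example (this is not tfaction's source code). It assumes the four documented forms are tried in order and the first one that meets the 64-character limit and the pattern is used; the function names and sample targets are hypothetical.

```javascript
// Added example, not tfaction's source code.
const MAX_LEN = 64; // maximum length stated in the release note
const PATTERN = /^[\w+=,.@-]*$/; // pattern stated in the release note, anchored

function isValidSessionName(name) {
  return name.length <= MAX_LEN && PATTERN.test(name);
}

// Assumption: the four documented forms are tried in order and the first
// one that satisfies both constraints wins. kind is "plan" or "apply".
function defaultSessionName(kind, target, runId) {
  const prefix = `tfaction-${kind}`;
  const normalized = (target || "").replace(/\//g, "_"); // "/" becomes "_"
  const candidates = [];
  if (normalized && runId) candidates.push(`${prefix}-${normalized}-${runId}`);
  if (normalized) candidates.push(`${prefix}-${normalized}`);
  if (runId) candidates.push(`${prefix}-${runId}`);
  candidates.push(prefix);
  return candidates.find(isValidSessionName);
}

// An explicit aws_role_session_name is validated instead of being truncated,
// so a bad value fails before the AssumeRole call rather than inside it.
function resolveSessionName(configured, kind, target, runId) {
  if (configured === undefined || configured === "") {
    return defaultSessionName(kind, target, runId);
  }
  if (!isValidSessionName(configured)) {
    throw new Error(`invalid aws_role_session_name: ${JSON.stringify(configured)}`);
  }
  return configured;
}

// Constructed sample values (target names and run ID are made up).
const runId = "6789012345";
for (const target of ["aws/foo/dev", "aws/" + "x".repeat(70), "team a/dev"]) {
  console.log(defaultSessionName("plan", target, runId));
}
```

The session name is what appears in CloudTrail for the assumed role, so keeping the target and run ID in it where they fit lets each API call be traced back to a workflow run.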

Bug Fixes

#1920 terraform-docs: Fix a bug that terraform-docs configuration files can't be found

Others

#1924 Format shell scripts by shfmt
#1921 #1925 Use shellcheck

v1.10.0

16 Oct 14:47

Issues | Pull Requests | v1.9.0...v1.10.0 | Base revision

Features

#1914 Refer to target and working_directory in policies via the --data option

tfaction now creates a special temporary data file and passes it to your policies with the --data option.
The data file includes target and working_directory, so you can refer to them in policies.

e.g.

import data.tfaction
target := tfaction.target
working_directory := tfaction.working_directory

Others

#1912 #1913 Remove dist directories from main and feature branches

This automates the format and build process.

We develop JavaScript actions using TypeScript and build them to JavaScript.
Before this release, we built them and formatted code using prettier and committed them on our laptops.

There were some problems in the process.

  • It was bothersome and sometimes we forgot to do it
  • Pull requests got dirty due to those changes, which made them hard to review

For example, in pull request #1909 I changed about 100 lines, but after I built and formatted the code, over 1,000 lines were changed.
It was so annoying.

And generated code may cause conflicts.

To solve these problems, we removed the dist directories from the main branch and feature branches.
We added dist to .gitignore.
And we set up GitHub Actions workflows to build and format the code and push it to pr/<pr number> branches.
Note that these processes are skipped in case of pull requests from fork repositories.
We can still execute them by workflow_dispatch workflows.
Code is built automatically in the release workflow too.

This update makes pull requests easy to review.

v1.10.0-1

16 Oct 14:44
v1.10.0-1 Pre-release

v1.9.1-1

16 Oct 10:44
v1.9.1-1 Pre-release

v1.9.1-0

16 Oct 10:41
v1.9.1-0 Pre-release

v1.9.0

16 Oct 02:48

Issues | Pull Requests | v1.8.0...v1.9.0 | Base revision

Overview

Features:

#1909 conftest: Support additional Conftest test options

Bug Fixes:

Fixed bugs in the Conftest feature released in v1.8.0

#1905 conftest: Fix the path of the --data option
#1910 test-module: Stop running Conftest

Features

#1909 conftest: Support additional Conftest test options

e.g.

conftest:
  policies:
    - policy: # array or string
        - policy/terraform
      data: # array or string
        - data/data.yaml
      fail_on_warn: true
      no_fail: true
      all_namespaces: true
      quiet: true
      trace: true
      strict: true
      show_builtin_errors: true
      junit_hide_message: true
      suppress_exceptions: true
      tls: true
      parser: hcl
      output: json
      namespaces:
        - main

For the meaning of each option, see conftest test --help.

$ conftest --version
Conftest: 0.55.0
OPA: 0.67.0

$ conftest test --help
# ...
Flags:
      --all-namespaces            Test policies found in all namespaces
      --capabilities string       Path to JSON file that can restrict opa functionality against a given policy. Default: all operations allowed
      --combine                   Combine all config files to be evaluated together
  -d, --data strings              A list of paths from which data for the rego policies will be recursively loaded
      --fail-on-warn              Return a non-zero exit code if warnings or errors are found
  -h, --help                      help for test
      --ignore string             A regex pattern which can be used for ignoring paths
      --junit-hide-message        Do not include the violation message in the JUnit test name
  -n, --namespace strings         Test policies in a specific namespace (default [main])
      --no-color                  Disable color when printing
      --no-fail                   Return an exit code of zero even if a policy fails
  -o, --output string             Output format for conftest results - valid options are: [stdout json tap table junit github] (default "stdout")
      --parser string             Parser to use to parse the configurations. Valid parsers: [cue dockerfile edn hcl1 hcl2 hocon ignore ini json jsonnet properties spdx textproto toml vcl xml yaml dotenv]
  -p, --policy strings            Path to the Rego policy files directory (default [policy])
      --proto-file-dirs strings   A list of directories containing Protocol Buffer definitions
      --quiet                     Disable successful test output
      --show-builtin-errors       Collect and return all encountered built-in errors
      --strict                    Enable strict mode for Rego policies
      --suppress-exceptions       Do not include exceptions in output
      --tls                       Use TLS to access the registry (default true)
      --trace                     Enable more verbose trace output for Rego queries
  -u, --update strings            A list of URLs can be provided to the update flag, which will download before the tests run

data and policy accept not only a string but also an array of strings.

Warning

Some options aren't supported yet.

  • --ignore
  • --capabilities
  • --proto-file-dirs
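
A pre-merge check over one conftest policy entry, as an added example (not tfaction's own code). It renders the documented keys as conftest test arguments and reports keys that are not supported yet, plus no_fail, which turns the policy check into a non-blocking one. The key names come from the release note; the key-to-flag rendering, the function name and the sample entry are assumptions made for this example.

```javascript
// Added example, not tfaction's code. Key names are taken from the release
// note; how each key is rendered as a flag is an assumption of this example.
const LIST_KEYS = new Map([
  ["policy", "--policy"], ["data", "--data"], ["namespaces", "--namespace"],
]);
const BOOL_KEYS = ["fail_on_warn", "no_fail", "all_namespaces", "quiet", "trace",
  "strict", "show_builtin_errors", "junit_hide_message", "suppress_exceptions", "tls"];
const STRING_KEYS = ["parser", "output"];
const UNSUPPORTED_KEYS = ["ignore", "capabilities", "proto_file_dirs"];

const toFlag = (key) => "--" + key.replace(/_/g, "-");

function buildConftestArgs(entry) {
  const args = ["test"];
  const findings = [];
  for (const [key, value] of Object.entries(entry)) {
    if (LIST_KEYS.has(key)) {
      // policy and data accept a string or an array of strings
      for (const item of [].concat(value)) args.push(LIST_KEYS.get(key), String(item));
    } else if (BOOL_KEYS.includes(key)) {
      args.push(`${toFlag(key)}=${Boolean(value)}`);
    } else if (STRING_KEYS.includes(key)) {
      args.push(toFlag(key), String(value));
    } else if (UNSUPPORTED_KEYS.includes(key)) {
      findings.push(`${key}: listed as not supported yet`);
    } else {
      findings.push(`${key}: unknown option`);
    }
  }
  if (entry.no_fail === true) {
    // --no-fail: "Return an exit code of zero even if a policy fails"
    findings.push("no_fail: a failing policy no longer blocks the change");
  }
  return { args, findings };
}

// Constructed sample entry (paths are made up).
const sampleEntry = {
  policy: "policy/terraform",
  data: ["data/data.yaml", "data/extra.yaml"],
  no_fail: true,
  strict: true,
  namespaces: ["main"],
  ignore: "^test/",
};
console.log(buildConftestArgs(sampleEntry));
```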