Merge pull request #267 from nimblehq/release/2.3.0

Release - 2.3.0

.github/workflows/increment-version.yml

@@ -0,0 +1,136 @@
+name: Increment version
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+    inputs:
+      newVersion:
+        description: Version to increment
+        required: true
+        default: auto
+        type: string
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  VERSION_FILE: ./package.json
+
+jobs:
+  set-next-version:
+    name: Set next version automatically
+    runs-on: ubuntu-latest
+    if: github.event_name != 'workflow_dispatch' || github.event.inputs.newVersion == 'auto'
+    outputs:
+      version: ${{ steps.set-next-version.outputs.version }}
+
+    steps:
+      - name: Checkout main
+        uses: actions/checkout@v4
+        with:
+          ref: main
+
+      - name: Get version on main
+        id: get-main-version
+        run: |
+          currentVersion=$(node -p -e "require('${{ env.VERSION_FILE }}').version")
+          echo "version=$currentVersion" >> $GITHUB_OUTPUT
+
+      - name: Checkout develop
+        uses: actions/checkout@v4
+        with:
+          ref: develop
+
+      - name: Get version on develop
+        id: get-develop-version
+        run: |
+          currentVersion=$(node -p -e "require('${{ env.VERSION_FILE }}').version")
+          echo "version=$currentVersion" >> $GITHUB_OUTPUT
+
+      - name: Set next version
+        id: set-next-version
+        env:
+          VERSION_DELIMITER: .
+        run: |
+          function ver { printf "%03d%03d%03d%03d" $(echo "$1" | tr '${VERSION_DELIMITER}' ' '); }
+
+          echo "main version: $(ver ${{ steps.get-main-version.outputs.version }})"
+          echo "develop version: $(ver ${{ steps.get-develop-version.outputs.version }})"
+
+          if [[ $(ver ${{ steps.get-main-version.outputs.version }}) -gt $(ver ${{ steps.get-develop-version.outputs.version }}) ]]; then
+            echo "main version is greater than develop version"
+
+            echo "version=${{ steps.get-main-version.outputs.version }}" >> $GITHUB_OUTPUT
+          else
+            echo "develop version is greater or equal to main version"
+
+            versionComponents=($(echo "${{ steps.get-develop-version.outputs.version }}" | tr ${VERSION_DELIMITER} '\n'))
+
+            versionComponents[1]=$((versionComponents[1]+1))
+            versionComponents[2]=0
+
+            nextVersion=$(IFS=${VERSION_DELIMITER} ; echo "${versionComponents[*]}")
+
+            echo "version=$nextVersion" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Print next version
+        run: |
+          echo "Next version: ${{ steps.set-next-version.outputs.version }}"
+
+  increment-version:
+    name: Increment version
+    runs-on: ubuntu-latest
+    needs: [set-next-version]
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: develop
+
+      - name: Set next version
+        id: next-version
+        run: |
+          if [ ${{ github.event_name }} != 'workflow_dispatch' ] || [ ${{ github.event.inputs.newVersion }} == 'auto' ]; then
+            echo "version=${{ needs.set-next-version.outputs.version }}" >> $GITHUB_OUTPUT
+          else
+            echo "version=${{ github.event.inputs.newVersion }}" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Change version in ${{ env.VERSION_FILE }}
+        run: |
+          jq ".version = \"${{ steps.next-version.outputs.version }}\"" ${{ env.VERSION_FILE }} > ${{ env.VERSION_FILE }}.tmp && mv ${{ env.VERSION_FILE }}.tmp ${{ env.VERSION_FILE }}
+
+      - name: Update package-lock.json
+        run: npm install
+
+      - name: Create a new pull request
+        uses: peter-evans/create-pull-request@v5
+        with:
+          token: ${{ github.token }}
+          branch: chore/bump-version-to-${{ steps.next-version.outputs.version }}
+          base: develop
+          delete-branch: true
+          title: "[Chore] Bump version to ${{ steps.next-version.outputs.version }}"
+          commit-message: "Bump version to ${{ steps.next-version.outputs.version }}"
+          labels: |
+            type : chore
+          body: |
+            ## What happened 👀
+
+            Bump version to ${{ steps.next-version.outputs.version }}
+
+            ## Insight 📝
+
+            Automatically created by the GitHub Actions workflow.
+
+            ## Proof Of Work 📹
+
+            On the Files changed tab

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nimblehq/infra-template",
-  "version": "2.2.0",
+  "version": "2.3.0",
   "description": "Nimble Infrastructure Template generator",
   "author": "Nimblehq",
   "bin": {

src/generators/addons/aws/modules/core/iamUserAndGroup.ts

@@ -15,8 +15,8 @@ const iamVariablesContent = dedent`
     type        = list(string)
   }
 
-  variable "iam_bot_emails" {
-    description = "List of bot emails to provision IAM user account"
+  variable "iam_infra_service_account_emails" {
+    description = "List of infra service account emails to provision IAM user account"
     type        = list(string)
   }
 
@@ -43,35 +43,33 @@ const iamUsersModuleContent = dedent`
     usernames = var.iam_developer_emails
   }
 
-  module "iam_bot_users" {
+  module "iam_infra_service_account_users" {
     source = "../modules/iam_users"
 
-    usernames = var.iam_bot_emails
+    usernames = var.iam_infra_service_account_emails
+    has_login = false
   }`;
 
 const iamGroupMembershipModuleContent = dedent`
-  module "iam_admin_group_membership" {
+  module "iam_group_membership" {
     source = "../modules/iam_group_membership"
 
-    name  = "admin-group-membership"
-    group = module.iam_groups.admin_group
-    users = var.iam_admin_emails
-  }
-
-  module "iam_bot_group_membership" {
-    source = "../modules/iam_group_membership"
-
-    name  = "bot-group-membership"
-    group = module.iam_groups.bot_group
-    users = var.iam_bot_emails
-  }
-
-  module "iam_developer_group_membership" {
-    source = "../modules/iam_group_membership"
-
-    name  = "developer-group-membership"
-    group = module.iam_groups.developer_group
-    users = var.iam_developer_emails
+    for_each = {
+      admin                 = { group = module.iam_groups.admin_group, users = var.iam_admin_emails },
+      infra_service_account = { group = module.iam_groups.infra_service_account_group, users = var.iam_infra_service_account_emails },
+      developer             = { group = module.iam_groups.developer_group, users = var.iam_developer_emails }
+    }
+
+    name  = "\${each.key}-group-membership"
+    group = each.value.group
+    users = each.value.users
+
+    depends_on = [
+      module.iam_groups,
+      module.iam_admin_users,
+      module.iam_developer_users,
+      module.iam_infra_service_account_users,
+    ]
   }`;
 
 const iamOutputsContent = dedent`
@@ -83,11 +81,6 @@ const iamOutputsContent = dedent`
   output "iam_developer_temporary_passwords" {
     description = "List of first time passwords for developer accounts. Must be changed at first time login and will no longer be valid."
     value       = module.iam_developer_users.temporary_passwords
-  }
-
-  output "iam_bot_temporary_passwords" {
-    description = "List of first time passwords for bot accounts. Must be changed at first time login and will no longer be valid."
-    value       = module.iam_bot_users.temporary_passwords
   }`;
 
 const applyAwsIamUserAndGroup = async ({ projectName }: AwsOptions) => {

src/generators/addons/aws/modules/core/vpc.ts

@@ -20,6 +20,7 @@ const vpcModuleContent = dedent`
     source    = "../modules/vpc"
 
     env_namespace = local.env_namespace
+    region        = var.region
   }`;
 
 const applyAwsVpc = async (options: AwsOptions) => {

templates/addons/aws/modules/iam_groups/data.tf

@@ -1,10 +1,10 @@
 locals {
   # Comes from https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_my-sec-creds-self-manage.html
-  # This policy allows users to view and edit their own passwords, access keys, MFA devices, X.509 certificates, SSH keys, and Git credentials. 
-  # In addition, users are required to set up and authenticate using MFA before performing any other operations in AWS. 
-  # It also means this policy does NOT allow users to reset a password while signing in to the AWS Management Console for the first time. 
+  # This policy allows users to view and edit their own passwords, access keys, MFA devices, X.509 certificates, SSH keys, and Git credentials.
+  # In addition, users are required to set up and authenticate using MFA before performing any other operations in AWS.
+  # It also means this policy does NOT allow users to reset a password while signing in to the AWS Management Console for the first time.
   # They must first set up their MFA because allowing users to change their password without MFA can be a security risk.
-  # 
+  #
   # The following actions are added to the initial policy from AWS
   # - iam:GetLoginProfile: allows the IAM user to view their account information on the security page.
   # - iam:GetAccessKeyLastUsed: allows the IAM user to view the last time their access key was used.
@@ -120,16 +120,16 @@ locals {
     ]
   })
 
-  # For the bot account
+  # For the infra-service-account account
   # It must be able to manage policies during terraform apply & create/delete users, permissions, etc. during terraform apply
   full_iam_access_policy = jsonencode({
-    version = "2012-10-17"
-    statement = [
+    Version = "2012-10-17"
+    Statement = [
       {
-        sid       = "AllowManageRoleAndPolicy"
-        effect    = "Allow"
-        resources = ["arn:aws:iam::*"]
-        actions   = ["iam:*"]
+        Sid      = "AllowManageRoleAndPolicy"
+        Effect   = "Allow"
+        Resource = ["arn:aws:iam::*"]
+        Action   = ["iam:*"]
       }
     ]
   })

templates/addons/aws/modules/iam_groups/main.tf

@@ -4,8 +4,8 @@ resource "aws_iam_group" "admin" {
 }
 
 #tfsec:ignore:aws-iam-enforce-group-mfa
-resource "aws_iam_group" "bot" {
-  name = "Bot-group"
+resource "aws_iam_group" "infra-service-account" {
+  name = "Infra-service-account-group"
 }
 
 #tfsec:ignore:aws-iam-enforce-group-mfa
@@ -30,12 +30,15 @@ resource "aws_iam_group_policy_attachment" "developer_power_user_access" {
   policy_arn = data.aws_iam_policy.power_user_access.arn
 }
 
-resource "aws_iam_group_policy_attachment" "bot_power_user_access" {
-  group      = aws_iam_group.bot.name
+resource "aws_iam_group_policy_attachment" "infra_service_account_power_user_access" {
+  group      = aws_iam_group.infra-service-account.name
   policy_arn = data.aws_iam_policy.power_user_access.arn
 }
 
-resource "aws_iam_group_policy" "bot_full_iam_access" {
-  group  = aws_iam_group.bot.name
+# This IAM policy is needed for the infra-service-account account to manage IAM users & groups
+# tfsec:ignore:aws-iam-no-policy-wildcards
+resource "aws_iam_group_policy" "infra_service_account_full_iam_access" {
+  name   = "AllowFullIamAccess"
+  group  = aws_iam_group.infra-service-account.name
   policy = local.full_iam_access_policy
 }

templates/addons/aws/modules/iam_groups/outputs.tf

@@ -8,7 +8,7 @@ output "developer_group" {
   value       = aws_iam_group.developer.name
 }
 
-output "bot_group" {
-  description = "IAM Group with bot permissions"
-  value       = aws_iam_group.bot.name
+output "infra_service_account_group" {
+  description = "IAM Group with infra-service-account permissions"
+  value       = aws_iam_group.infra-service-account.name
 }