Configure terraform api #139
Conversation
|
Warning Rate limit exceeded@italopessoa has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 11 minutes and 47 seconds before requesting another review. How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. WalkthroughThe changes introduced in this pull request enhance the CI/CD pipeline by integrating Terraform workflows for automated infrastructure management. New environment variables are added to the GitHub Actions workflows, and a new workflow for executing Terraform plans is created. The modifications include a new job for generating configuration files and updating pull requests with plan outputs, facilitating better management of infrastructure based on Docker images. Changes
Assessment against linked issues
Possibly related issues
Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 3
Outside diff range and nitpick comments (2)
tf/providers.tf (1)
24-27: Remove the commented out code.The commented out code for configuring the Kubernetes provider using a local kubeconfig file is no longer needed as the Kubernetes provider is configured to use the EKS cluster in the next code segment. Consider removing the commented out code to keep the configuration clean and maintainable.
Apply this diff to remove the commented out code:
-# provider "kubernetes" { -# config_path = "C:\\Users\\italo\\.kube\\config" -# config_context = "minikube" -# }tf/main.tf (1)
227-319: LGTM with a suggestion!The Kubernetes Service and Deployment for Seq are correctly defined. The configurations look good and follow the best practices:
- The Service uses NLB with an internal scheme for load balancing.
- The Deployment specifies the required configurations, such as replica count, container image, ports, resources, and environment variables.
However, I noticed that the host path volume for storing dashboards is commented out and not being used.
If it is not required, consider removing the commented out code to keep the configuration clean and maintainable:
- # volume { - # name = "seq-persistent-storage" - # persistent_volume_claim { - # claim_name = "pvc-seq" - # } - # } - volume { - name = "dashboards-volume" - host_path { - path = "/home/docker/seq" - } - }
Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Files selected for processing (6)
- .github/workflows/dotnet.yml (3 hunks)
- .github/workflows/terraform-plan.yaml (1 hunks)
- tf/main.tf (1 hunks)
- tf/output.tf (1 hunks)
- tf/providers.tf (1 hunks)
- tf/variables.tf (1 hunks)
Additional context used
actionlint
.github/workflows/terraform-plan.yaml
27-27: property "build-docker-image" is not defined in object type {}
(expression)
Additional comments not posted (34)
tf/output.tf (1)
1-4: LGTM!The output variable is correctly defined, and setting the
sensitiveattribute totrueis a good practice for handling sensitive information like cluster details.tf/providers.tf (3)
1-9: LGTM!Pinning the AWS provider and Terraform versions is a good practice to ensure consistent behavior across different environments. The versions used are recent and should be compatible with the latest features and bug fixes.
11-21: LGTM!The AWS provider configuration looks good:
- Using variables for the profile and region allows for flexibility and reusability across different environments.
- Aliasing the provider is useful when multiple providers with different configurations are needed.
- Setting default tags is a good practice for resource management and tracking.
29-38: LGTM!The Kubernetes provider configuration for EKS looks good:
- Using the EKS cluster endpoint and certificate ensures that the Kubernetes provider can communicate with the EKS cluster securely.
- Retrieving the EKS cluster data using the
aws_eks_clusterdata source is a good practice as it ensures that the configuration is always up to date.- Using the
execblock to authenticate with the EKS cluster using theawsCLI is a secure and recommended approach.tf/variables.tf (12)
1-4: LGTM!The variable is correctly defined with a default value.
6-10: LGTM!The variable is correctly defined with a default value.
12-16: LGTM!The variable is correctly defined with a default value.
18-21: LGTM!The variable is correctly defined with a default value.
23-26: LGTM!The variable is correctly defined with a default value.
28-31: LGTM!The variable is correctly defined as a sensitive string.
33-36: LGTM!The variable is correctly defined as a sensitive string.
38-41: LGTM!The variable is correctly defined as a sensitive string.
43-47: LGTM!The variable is correctly defined as a sensitive string with a default value.
49-53: LGTM!The variable is correctly defined as a sensitive string with a default value.
55-58: LGTM!The variable is correctly defined with a default value.
61-64: LGTM!The
internal_elb_namevariable is correctly defined with a default value..github/workflows/terraform-plan.yaml (6)
43-49: LGTM!The step correctly uploads the Terraform configuration to Terraform Cloud using the appropriate action and inputs.
51-57: LGTM!The step correctly creates a speculative plan in Terraform Cloud using the appropriate action and inputs.
59-63: LGTM!The step correctly retrieves the output of the speculative plan using the appropriate action and input.
65-99: LGTM!The step correctly updates the pull request with the formatted plan output using a well-structured JavaScript script. Deleting the previous comment and creating a new one keeps the PR timeline clean and informative.
6-10: LGTM!The environment variables are correctly set to configure Terraform Cloud using secrets for sensitive values and variables for easily changeable values. This is a secure and maintainable approach.
18-20: LGTM!The permissions are correctly set to allow the necessary actions in the workflow while following the principle of least privilege. This is a secure approach.
.github/workflows/dotnet.yml (6)
25-28: LGTM!The new environment variables are correctly set using GitHub Actions variables and secrets. The
CONFIG_DIRECTORYvariable indicates the location of Terraform configuration files.
78-78: LGTM!The change in the job dependency ensures that the
build-docker-imagejob runs after thebuildjob completes successfully.
86-87: LGTM!The new output variable
API_IMAGE_TAGcaptures the dynamically generated Docker image tag, allowing it to be used in subsequent jobs.
139-160: LGTM!The new
create-infrastructurejob creates the necessary.auto.tfvarsconfiguration file for Terraform operations. It correctly uses the dynamically generatedAPI_IMAGE_TAGvalue from thebuild-docker-imagejob and sets the configuration parameters using GitHub Actions variables and secrets.
162-190: LGTM!The modifications to the
create-appjob ensure that it has access to the repository and the necessary.auto.tfvarsconfiguration file. The configuration parameters are correctly set using GitHub Actions variables and secrets.
192-212: LGTM!The new steps in the
create-appjob effectively integrate Terraform workflows into the CI/CD pipeline. The configuration is uploaded to Terraform Cloud using the provided actions, and an apply run is created with execution controlled by theTF_AUTO_APPROVEvariable.tf/main.tf (6)
5-7: LGTM!The data block correctly retrieves information about the existing EKS cluster using the provided variable for the cluster name.
26-28: LGTM!The data block correctly retrieves information about the existing RDS cluster using the provided variable for the cluster identifier.
30-35: LGTM!The locals block correctly defines the required local values. The sensitive information is passed using variables, which is a good practice to avoid exposing secrets in the configuration files.
42-71: LGTM!The Kubernetes ConfigMap is correctly defined with the required configuration settings for the API. The sensitive information is passed using variables, which is a good practice to avoid exposing secrets in the configuration files.
73-86: LGTM!The Kubernetes Secret is correctly defined for storing the MercadoPago webhook secret and access token. The sensitive information is passed using variables, which is a good practice to avoid exposing secrets in the configuration files.
92-221: LGTM!The Kubernetes Service, Deployment, and HorizontalPodAutoscaler for the API are correctly defined. The configurations look good and follow the best practices:
- The Service uses NLB with an internal scheme for load balancing.
- The Deployment specifies the required configurations, such as replica count, container image, ports, probes, resources, and environment variables.
- The ConfigMap and Secret are used to inject the required configurations and secrets into the API pods.
- The probes are correctly defined to ensure the health of the API pods.
- The resource requests and limits are specified to ensure proper resource allocation.
- The HorizontalPodAutoscaler is configured to scale the API pods based on CPU utilization.
| variable "db_pwd" { | ||
| type = string | ||
| sensitive = true | ||
| default = "db_password" | ||
| } |
There was a problem hiding this comment.
Remove the default value for the db_pwd variable.
It's not recommended to provide a default value for sensitive variables like passwords.
Apply this diff to remove the default value:
variable "db_pwd" {
type = string
sensitive = true
- default = "db_password"
}Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| variable "db_pwd" { | |
| type = string | |
| sensitive = true | |
| default = "db_password" | |
| } | |
| variable "db_pwd" { | |
| type = string | |
| sensitive = true | |
| } |
tf/variables.tf
Outdated
| variable "db_user" { | ||
| type = string | ||
| sensitive = false | ||
| default = "db_user" | ||
| } |
There was a problem hiding this comment.
Consider marking the db_user variable as sensitive.
It's recommended to mark the db_user variable as sensitive to avoid exposing the database username.
Apply this diff to mark the variable as sensitive:
variable "db_user" {
type = string
- sensitive = false
+ sensitive = true
default = "db_user"
}Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| variable "db_user" { | |
| type = string | |
| sensitive = false | |
| default = "db_user" | |
| } | |
| variable "db_user" { | |
| type = string | |
| sensitive = true | |
| default = "db_user" | |
| } |
| - name: Create .auto.tfvars file | ||
| env: | ||
| API_IMAGE_TAG: ${{ needs.build-docker-image.outputs.API_IMAGE_TAG }} | ||
| run: | | ||
| cat <<EOF > api.auto.tfvars | ||
| eks_cluster_name = "${{ vars.BMB_EKS_CLUSTER_NAME }}" | ||
| apgw_name ="${{ vars.BMB_AUTH_API_NAME }}" | ||
| mercadopago_webhook_secret = "${{ secrets.BMB_MERCADO_PAGO_WH_SECRET }}" | ||
| mercadopago_accesstoken = "${{ secrets.BMB_MERCADO_PAGO_ACCESS_TOKEN }}" | ||
| jwt_signing_key = "${{ secrets.BMB_JWT_SECRET_KEY }}" | ||
| jwt_issuer = "${{ vars.BMB_JWT_ISSUER }}" | ||
| jwt_aud = "${{ vars.BMB_JWT_AUDIENCE }}" | ||
| api_docker_image = "${{ env.API_IMAGE_TAG }}" | ||
| internal_elb_name = "${{ vars.BMB_INTERNAL_LB_NAME }}" | ||
| db_user = "${{ vars.BMB_MYSQL_USER }}" | ||
| db_pwd = "${{ secrets.BMB_MYSQL_PASSWORD }}" | ||
| EOF |
There was a problem hiding this comment.
Fix the undefined job reference.
The needs.build-docker-image.outputs.API_IMAGE_TAG expression references the output of a build-docker-image job, which is not defined in this workflow. This will cause the workflow to fail.
If the build-docker-image job is defined in a separate workflow file, you can use the workflow_run event to trigger this workflow after the build-docker-image job completes and pass the API_IMAGE_TAG value as an input to this workflow.
Alternatively, if the build-docker-image job is not required, remove the env block and directly set the api_docker_image variable in the api.auto.tfvars file.
Tools
actionlint
27-27: property "build-docker-image" is not defined in object type {}
(expression)
There was a problem hiding this comment.
Actionable comments posted: 1
Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Files selected for processing (2)
- .github/workflows/terraform-plan.yaml (1 hunks)
- tf/variables.tf (1 hunks)
Files skipped from review due to trivial changes (1)
- tf/variables.tf
Additional context used
actionlint
.github/workflows/terraform-plan.yaml
40-40: shellcheck reported issue in this script: SC2001:style:3:16: See if you can use ${variable//search/replace} instead
(shellcheck)
40-40: shellcheck reported issue in this script: SC2001:style:10:14: See if you can use ${variable//search/replace} instead
(shellcheck)
40-40: shellcheck reported issue in this script: SC2001:style:11:13: See if you can use ${variable//search/replace} instead
(shellcheck)
Additional comments not posted (4)
.github/workflows/terraform-plan.yaml (4)
25-31: LGTM!The step correctly sets the variable values in the
eks.auto.tfvarsfile using GitHub Actions variables.
56-62: LGTM!The step correctly uploads the Terraform configuration to Terraform Cloud using the
hashicorp/tfc-workflows-github/actions/upload-configurationaction with the appropriate inputs.
64-70: LGTM!The step correctly creates a speculative plan run in Terraform Cloud using the
hashicorp/tfc-workflows-github/actions/create-runaction with the appropriate inputs.
78-112: LGTM!The step correctly retrieves the plan output using the
hashicorp/tfc-workflows-github/actions/plan-outputaction and posts a comment on the pull request with the plan summary using theactions/github-scriptaction. The logic to handle existing bot comments is also implemented correctly.
| - name: Create .auto.tfvars file | ||
| env: | ||
| JWT_SECRET: ${{ vars.BMB_JWT_SECRET_KEY }} | ||
| MYSQL_USER: ${{ secrets.BMB_MYSQL_USER }} | ||
| MYSQL_PASSWORD: ${{ secrets.BMB_MYSQL_PASSWORD }} | ||
| MERCADO_PAGO_WH_SECRET: ${{ vars.BMB_JWT_SECRET_KEY }} | ||
| MERCADO_PAGO_ACCESS_TOKEN: ${{ secrets.BMB_MERCADO_PAGO_ACCESS_TOKEN }} | ||
| run: | | ||
| cat <<EOF > api.auto.tfvars | ||
| eks_cluster_name = "${{ vars.BMB_EKS_CLUSTER_NAME }}" | ||
| apgw_name = "$(echo "$MERCADO_PAGO_WH_SECRET" | sed 's/./&/g')" | ||
| mercadopago_webhook_secret = "italo" | ||
| mercadopago_accesstoken = "mercadopago_accesstoken" | ||
| jwt_signing_key = "jwt_signing_key" | ||
| jwt_issuer = "${{ vars.BMB_JWT_ISSUER }}" | ||
| jwt_aud = "${{ vars.BMB_JWT_AUDIENCE }}" | ||
| internal_elb_name = "${{ vars.BMB_INTERNAL_LB_NAME }}" | ||
| db_user = "$(echo "$MYSQL_USER" | sed 's/./&/g')" | ||
| db_pwd = "$(echo "$MYSQL_PASSWORD" | sed 's/./&/g')" | ||
| rds_cluster_identifier = "${{ vars.BMB_MYSQL_CLUSTER }}" | ||
| EOF |
There was a problem hiding this comment.
Fix the sed commands and set the correct value for jwt_signing_key.
The step correctly sets the values of most variables using GitHub Actions secrets and variables. However, please address the following issues:
- The
sedcommands used to format some of the values are incorrect and will cause errors. The correct syntax issed 's/./& /g'. For example:apgw_name = "$(echo "$MERCADO_PAGO_WH_SECRET" | sed 's/./& /g')" db_user = "$(echo "$MYSQL_USER" | sed 's/./& /g')" db_pwd = "$(echo "$MYSQL_PASSWORD" | sed 's/./& /g')" - The
jwt_signing_keyvariable is set to a hardcoded string value. It should be set to the formatted value of theJWT_SECRETenvironment variable. Update the line to:jwt_signing_key = "$(echo "$JWT_SECRET" | sed 's/./& /g')"
Tools
actionlint
40-40: shellcheck reported issue in this script: SC2001:style:3:16: See if you can use ${variable//search/replace} instead
(shellcheck)
40-40: shellcheck reported issue in this script: SC2001:style:10:14: See if you can use ${variable//search/replace} instead
(shellcheck)
40-40: shellcheck reported issue in this script: SC2001:style:11:13: See if you can use ${variable//search/replace} instead
(shellcheck)
Terraform Cloud Plan Output |
No description provided.