padok-team / burrito Goto Github PK

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

• chore(deps): update docker.io/library/golang:1.22.4 docker digest to c8736b8
• chore(deps): update docker.io/library/node:20.14.0 docker digest to 02cd220
• fix(deps): update all patch dependencies (patch) (@floating-ui/react, autoprefixer, axios, docker.io/library/alpine, docker.io/library/golang, eslint-plugin-react-refresh, github.com/aws/aws-sdk-go-v2/config, github.com/gruntwork-io/go-commons, go, k8s.io/api, k8s.io/apimachinery, k8s.io/client-go, postcss, tailwindcss, vite)
• chore(deps): update dependency vite to ^5.4.0
• chore(deps): update docker.io/library/node docker tag to v20.16.0
• fix(deps): update dependency @tanstack/react-table to v8.20.1
• fix(deps): update dependency react-router-dom to v6.26.0
• fix(deps): update dependency tailwind-merge to v2.4.0
• fix(deps): update module github.com/azure/azure-sdk-for-go/sdk/azidentity to v1.7.0
• fix(deps): update module github.com/azure/azure-sdk-for-go/sdk/storage/azblob to v1.4.0
• fix(deps): update module github.com/hashicorp/hc-install to v0.8.0
• fix(deps): update module github.com/hashicorp/terraform-exec to v0.21.0
• fix(deps): update module github.com/hashicorp/terraform-json to v0.22.1
• fix(deps): update module github.com/labstack/echo/v4 to v4.12.0
• fix(deps): update module github.com/onsi/ginkgo/v2 to v2.20.0
• fix(deps): update module github.com/onsi/gomega to v1.34.1
• fix(deps): update module github.com/spf13/cobra to v1.8.1
• fix(deps): update module github.com/spf13/viper to v1.19.0
• fix(deps): update module golang.org/x/oauth2 to v0.22.0
• fix(deps): update module google.golang.org/api to v0.191.0
• chore(deps): update actions/cache action to v4
• chore(deps): update actions/checkout action to v4
• chore(deps): update actions/setup-go action to v5
• chore(deps): update actions/setup-node action to v4
• chore(deps): update actions/setup-python action to v5
• chore(deps): update codecov/codecov-action action to v4
• chore(deps): update dependency eslint to v9
• chore(deps): update docker.io/library/node docker tag to v21
• chore(deps): update docker.io/library/node docker tag to v22
• chore(deps): update docker/build-push-action action to v5
• chore(deps): update docker/build-push-action action to v6
• chore(deps): update docker/login-action action to v3
• chore(deps): update docker/metadata-action action to v5
• chore(deps): update docker/setup-buildx-action action to v3
• chore(deps): update docker/setup-qemu-action action to v3
• chore(deps): update golangci/golangci-lint-action action to v4
• chore(deps): update golangci/golangci-lint-action action to v5
• chore(deps): update golangci/golangci-lint-action action to v6
• chore(deps): update goreleaser/goreleaser-action action to v4
• chore(deps): update goreleaser/goreleaser-action action to v5
• chore(deps): update goreleaser/goreleaser-action action to v6
• chore(deps): update stefanzweifel/git-auto-commit-action action to v5
• chore(deps): update typescript-eslint monorepo to v8 (major) (@typescript-eslint/eslint-plugin, @typescript-eslint/parser)
• fix(deps): update module github.com/google/go-github/v50 to v51
• fix(deps): update module github.com/google/go-github/v50 to v52
• fix(deps): update module github.com/google/go-github/v50 to v53
• fix(deps): update module github.com/google/go-github/v50 to v54
• fix(deps): update module github.com/google/go-github/v50 to v55
• fix(deps): update module github.com/google/go-github/v50 to v56
• fix(deps): update module github.com/google/go-github/v50 to v57
• fix(deps): update module github.com/google/go-github/v50 to v58
• fix(deps): update module github.com/google/go-github/v50 to v59
• fix(deps): update module github.com/google/go-github/v50 to v60
• fix(deps): update module github.com/google/go-github/v50 to v61
• fix(deps): update module github.com/google/go-github/v50 to v62
• fix(deps): update module github.com/google/go-github/v50 to v63
• 🔐 Create all rate-limited PRs at once 🔐

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore(deps): pin dependencies (@typescript-eslint/eslint-plugin, @typescript-eslint/parser, @vitejs/plugin-react-swc, actions/cache, actions/checkout, actions/setup-go, actions/setup-node, actions/setup-python, autoprefixer, codecov/codecov-action, docker/build-push-action, docker/login-action, docker/metadata-action, docker/setup-buildx-action, docker/setup-qemu-action, eslint, eslint-plugin-react-hooks, eslint-plugin-react-refresh, ghcr.io/padok-team/burrito, golangci/golangci-lint-action, goreleaser/goreleaser-action, nginx, node, postcss, sealio/hermitcrab, stefanzweifel/git-auto-commit-action, tailwindcss, typescript, vite)
• chore(deps): pin dependencies (@types/react, @types/react-dom, react, react-dom)
• chore(deps): update dependency @vitejs/plugin-react-swc to ^3.6.0
• chore(deps): update typescript-eslint monorepo to ^7.10.0 (minor) (@typescript-eslint/eslint-plugin, @typescript-eslint/parser)
• fix(deps): update dependency @tanstack/react-query to v5.51.23
• fix(deps): update dependency react-tooltip to v5.28.0
• fix(deps): update module cloud.google.com/go/storage to v1.43.0
• fix(deps): update module github.com/aws/aws-sdk-go to v1.55.5
• fix(deps): update module github.com/aws/aws-sdk-go-v2/service/s3 to v1.58.3
• fix(deps): update module github.com/xanzy/go-gitlab to v0.107.0
• Click on this checkbox to rebase all open PRs at once

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

We want the controller to be notified when a PR/MR is opened on a given layer. When it's the case, we want to generate a new TerraformLayer which will be temporary to run only the plans.

Ideally, the controller/runner should send the result of the plan as a comment in the MR/PR

Currently, we use the same state to start an apply coming from a drift and a webhook event, we should seperate them

Repository URL comparison

For GitHub events we compare the repository url to webUrl and the sshUrl received in the webhook.
We should be able to parse thos url, reducing the number of compraisons.
For GitLab, we do not comprae to any sshUrl at the moment

Multiple files triggering layer plan

Today our webhook only checks for change in the path of the layer
For Terraform codebases that have local modules we need to be able to specify those modules' paths
For Terragrunt it's especially important as there is multiple levels of inputs

Currently, the runner will not be able to init a codebas eusing private terraform modules

• golang:alpine is not needed for the final stage of the Dockerfile
• The --no-cache can be added to apk

The merging logic we have make a list corev1.EnvVar without retrieving the valueFrom field.

We should implement a new runner type to handle terragrunt.

Also, we need to discuss wether terraform and terragrunt codebases will be handled through the same CRDs or with different CRDs

• Setup a test environment around the Handle method of the Webhook object
• Need to create a testenv first and load resources like terraformLayer controller
• This will help test
  • the additional paths feature
  • pullrequest and push events

The Makefile generates the CRDs in the config folder but does not update the manifests/all.yaml file

Make sure that burrito only watches the namespaces present in config

I thought about a specific use case: most of my Terraform codebase is somewhat idempotent. If you don't change anything in the code, after a successful apply all following plan/apply will find no changes to apply.

However I have some specific parts which might change, for example

• a datasource for an AWS AMI, which default to the latest AMI available
• a datasource containing a list of IP to block in the firewall. This datasource is managed by another team

For these specific changes, which can appear at any time, I would expect Burrito to notify me about this drift. However, I know that I can also blindy apply theses changes since it is common and mastered operations.

For other drifts however, it might be dangerous to apply blindly (for example reverting a manual hotfix in prod) and the planOnly mode of Burrito is more interesting.

I don't have an idea for an interface for this kind of configuration, but being able to have a selective "auto-apply" for know changes would we interesting

Support for :

• S3 Generic
• S3 AWS (Auth)
• GCS
• Azure Blob Storage

Currently, you cannot add your ownenv variables in the runner execution

It would be nice to discuss in this thread which struct methods and functions need to be exposed outside their own packages

Anyone who's coming on the repo can not understand the purpose of Burrito, a more complete readme could help :)

Currently a Terraform plan/apply failure in the runner does not result in an error.

It puts the runner.terraform.padok.cloud/plan-date or runner.terraform.padok.cloud/apply-date, resulting in the controller to believe that a plan was successfully generated for this layer (or apply successfully applied).

This code snippet should be adapted:

Also, and as stated in #27, runner should exit with a code greater than 0 when Terraform/Terragrunt fails inside the pod.

We need to check the repository status to handle the case where an event was not handled well

Currently, to connect the pull request controller to GitHub we only handle the use of an API Token. This token belongs to a user, not an organization. We should allow the use of a GitHub app which belongs to an organization

For a git repository, branch is a subset of ref which can include branch but also tags, commit, etc...

For argo app CRD, they use targetRevision instead.

Anyway, I think that naming this variable "ref" would still work for branch, but also enable some different uses cases such as testing on one commit or tag. Since it is a breaking change, it would be way easier to change it right away before there is any adoption.

However forcing the use of a branch can be an opinionated idea to push for a gitops/trunk workflow in all projects

Currently, if a terraform command fails. A new runner will be restarted indefinitely. We should implement an exponential back-off retry

We're seeing emerging usecases as Burrito grows in complexity :

• Validating the remediationStrategy enum
• Validating complex interaction between options

As stated in PR #144, CLI flags are not unit tested.

They should take precedence over configuration files, but not over environment variables.

Currently, after an apply has ran, we do not re-run a plan to make sure that everything is really up to date

The runner should exit on error