Merge pull request #9 from pingidentity/PDI-2114-opa-tf-out

Wrapper script for opa utility

Author: PingDavidR

.gitignore

@@ -35,6 +35,7 @@ crash.*.log
 # Used by OPA policies
 **/plan.tfplan
 **/plan.json
+**/opa_output.json
 
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in

GNUmakefile

@@ -7,7 +7,6 @@ DVLINT_INCLUDE_RULES:=
 DVLINT_IGNORE_RULES:=dv-rule-annotations-001,dv-rule-empty-flow-001
 default: devcheck
 
-
 check-for-terraform:
 	@command -v terraform >/dev/null 2>&1 || { echo >&2 "'terraform' is required but not installed. Aborting."; exit 1; }
 
@@ -39,7 +38,6 @@ dvlint:
 		fi; \
 	done
 
-
 validate: check-for-terraform
 	@echo "==> Validating Terraform code with terraform validate..."
 	@if [ -d "./$(DEV_DIR)" ]; then \
@@ -51,6 +49,16 @@ trivy:
 	@command -v trivy >/dev/null 2>&1 || { echo >&2 "'trivy' is required but not installed. Aborting."; exit 1; }
 	@trivy config ./
 
-devcheck: fmt fmt-check validate tflint dvlint trivy
+shell-files:
+	@echo "==> Checking and formatting shell scripts..."
+	@command -v shfmt >/dev/null 2>&1 || { echo >&2 "'shfmt' is required but not installed. Aborting."; exit 1; }
+	@command -v shellcheck >/dev/null 2>&1 || { echo >&2 "'shellcheck' is required but not installed. Aborting."; exit 1; }
+	@echo "==> Formatting shell scripts with shfmt..."
+	@shfmt -w -i 4 -sr -ci ./scripts/
+
+	@echo "==> Checking shell scripts with shellcheck..."
+	@shellcheck --exclude=SC1090,SC1091 ./scripts/*.sh
+
+devcheck: fmt fmt-check validate tflint dvlint trivy shell-files
 
 .PHONY: devcheck fmt fmt-check validate tflint dvlint trivy

README.md

@@ -30,13 +30,16 @@ To be successful in recreating the use cases supported by this pipeline, there a
 - Completion of all pre-requisites and configuration steps leading to [Feature Development](https://github.com/pingidentity/pipeline-example-platform?tab=readme-ov-file#feature-development) from the example-pipeline-platform repository
 - [Docker](https://docs.docker.com/engine/install/) - used to deploy the UI for a sample interface
 - [terraform](https://developer.hashicorp.com/terraform/install) - HashiCorp Terraform (version 1.9.8 was used in this guide)
-- [opa](https://www.openpolicyagent.org/docs/latest/#running-opa) - Open Policy Agent (version 0.70.0 was used in this guide)
+- [opa](https://www.openpolicyagent.org/docs/latest/#running-opa) - Open Policy Agent for policy enforcement (version 0.70.0 was used in this guide)
 - [tflint](https://github.com/terraform-linters/tflint) - for Terraform linting (version 0.53.0 was used in this guide)
 - [dvlint](https://github.com/pingidentity/dvlint) - for Davinci flow linting (version 1.0.3 was used in this guide)
 - [trivy](https://github.com/aquasecurity/trivy) - for security scanning (version 0.56.2 was used in this guide)
+- [shellcheck](https://github.com/koalaman/shellcheck?tab=readme-ov-file#installing) - for shell script linting (version 0.10.0 was used in this guide)
+- [shfmt](https://github.com/mvdan/sh) - for shell script formatting (version 3.10.0 was used in this guide)
+- [jq](https://jqlang.github.io/jq/download/) - for JSON parsing (version 1.7.1 was used in this guide)
 
 > [!TIP]
-> The last three tools are used by the pipeline in Github, and the pipeline will fail if these tests and configuration checks do not pass. Installing these tools locally and running `make devcheck` before committing changes should ensure that the pipeline will pass when changes are pushed.
+> The last six tools are used by the pipeline in Github, and the pipeline will fail if these tests and configuration checks do not pass. To help ensure the pipeline instance of these tools passes, install these tools locally and run `make devcheck` before committing changes
 
 <!-- TODO - Review Required Permissions-->
 > [!IMPORTANT]
@@ -67,15 +70,6 @@ Click the **Use this template** button at the top right of this page to create y
 > [!NOTE]
 > A pipeline will run and fail when the repository is created. This result is expected as the pipeline is attempting to deploy the application and the necessary configuration has not yet been completed.
 
-Create a `qa` branch from the `prod` branch in the repository.  This branch will be used to test the changes before they are promoted to the `prod` branch.  Changes to the `qa` branch in this repository are deployed to the `qa` environment in PingOne.  As with the `prod` branch, the pipeline will fail due to missing configuration.
-
-```bash
-git checkout prod
-git pull origin prod
-git checkout -b qa
-git push origin qa
-```
-
 ## Development Lifecycle Diagram
 
 The use cases in this repository follow a flow similar to this diagram:
@@ -211,7 +205,7 @@ source localsecrets
 
 12. To capture the changes for inclusion in your code, export the flow. You can do so by selecting the three dots at the top right of the DaVinci flow editor UI and clicking **Download Flow JSON**. Ensure to select **Include Variable Values** when you export.
 
-![Export Menu](./img/exportMenu.png "Export Menu")
+![Export Menu](./img/pingOneEnvs.png "Export Menu")
 
 13. For the sake of brevity, assume that testing has been done, and you are ready to proceed. After the application is "tested", the new configuration must be added to the Terraform configuration. This addition will happen in a few steps:
 

scripts/lib.sh

@@ -1,36 +1,37 @@
 #!/usr/bin/env sh
+# shellcheck disable=SC2154
 
 ## this holds the common functions used by other scripts ####
 
 checkVars() {
-  for var in \
-  "${TF_VAR_pingone_client_region_code}" \
-  "${TF_VAR_pingone_client_environment_id}" \
-  "${TF_VAR_pingone_client_id}" \
-  "${TF_VAR_pingone_client_secret}" \
-  "${TF_VAR_pingone_davinci_admin_username}" \
-  "${TF_VAR_pingone_davinci_admin_password}" \
-  "${TF_VAR_pingone_davinci_admin_environment_id}" \
-  "${AWS_ACCESS_KEY_ID}" \
-  "${AWS_SECRET_ACCESS_KEY}" \
-  "${TF_VAR_tf_state_bucket}" \
-  "${TF_VAR_tf_state_region}" \
-  "${TF_VAR_tf_state_key_prefix}" ; do
-    if [ -z "${var}" ]; then
-      echo "Please set the required environment variables: 
-      TF_VAR_pingone_region_code
-      TF_VAR_pingone_environment_id
-      TF_VAR_pingone_client_id
-      TF_VAR_pingone_client_secret
-      TF_VAR_pingone_davinci_admin_username
-      TF_VAR_pingone_davinci_admin_password
-      TF_VAR_pingone_davinci_admin_environment_id
-      AWS_ACCESS_KEY_ID
-      AWS_SECRET_ACCESS_KEY
-      TF_VAR_tf_state_bucket
-      TF_VAR_tf_state_region
-      TF_VAR_tf_state_key_prefix"
-      exit 1
-    fi
-  done
-}
+    for var in \
+        "${TF_VAR_pingone_client_region_code}" \
+        "${TF_VAR_pingone_client_environment_id}" \
+        "${TF_VAR_pingone_client_id}" \
+        "${TF_VAR_pingone_client_secret}" \
+        "${TF_VAR_pingone_davinci_admin_username}" \
+        "${TF_VAR_pingone_davinci_admin_password}" \
+        "${TF_VAR_pingone_davinci_admin_environment_id}" \
+        "${AWS_ACCESS_KEY_ID}" \
+        "${AWS_SECRET_ACCESS_KEY}" \
+        "${TF_VAR_tf_state_bucket}" \
+        "${TF_VAR_tf_state_region}" \
+        "${TF_VAR_tf_state_key_prefix}"; do
+        if [ -z "${var}" ]; then
+            echo "Please set the required environment variables: 
+            TF_VAR_pingone_region_code
+            TF_VAR_pingone_environment_id
+            TF_VAR_pingone_client_id
+            TF_VAR_pingone_client_secret
+            TF_VAR_pingone_davinci_admin_username
+            TF_VAR_pingone_davinci_admin_password
+            TF_VAR_pingone_davinci_admin_environment_id
+            AWS_ACCESS_KEY_ID
+            AWS_SECRET_ACCESS_KEY
+            TF_VAR_tf_state_bucket
+            TF_VAR_tf_state_region
+            TF_VAR_tf_state_key_prefix"
+            exit 1
+        fi
+    done
+}

scripts/local_feature_deploy.sh

@@ -1,16 +1,16 @@
 #!/usr/bin/env sh
+# shellcheck disable=SC2154
 
 ### this script is used to run terraform apply for your local feature branch only. ###
 
 test -f scripts/lib.sh || {
-  echo "Please run the script from the root of the repository"
-  exit 1
+    echo "Please run the script from the root of the repository"
+    exit 1
 }
 _command="apply"
 
-usage ()
-{
-cat <<END_USAGE
+usage() {
+    cat << END_USAGE
 Usage: 
   This script defaults to running \`terraform apply\` for your local feature branch only. 
   This script should be run from the root of the repository. 
@@ -25,32 +25,36 @@ Usage:
     -g, --generate
       Generate terraform resources from import blocks
 END_USAGE
-exit 99
+    exit 99
 }
 
-exit_usage()
-{
+exit_usage() {
     echo "$*"
     usage
-    exit 1
 }
 
-while ! test -z ${1} ; do
-  case "${1}" in
-    -d|--destroy)
-      _command="destroy" ;;
-    --dry-run)
-      _command="plan" ;;  # Switch to terraform plan for dry-run
-    -g|--generate)
-      _command="plan -generate-config-out=generated-platform.tf" ;;
-    -v|--verbose)
-      set -x ;;
-    -h|--help)
-      exit_usage "" ;;
-    *)
-      exit_usage "Unrecognized Option" ;;
-  esac
-  shift
+while ! test -z "${1}"; do
+    case "${1}" in
+        -d | --destroy)
+            _command="destroy"
+            ;;
+        --dry-run)
+            _command="plan"
+            ;; # Switch to terraform plan for dry-run
+        -g | --generate)
+            _command="plan -generate-config-out=generated-platform.tf"
+            ;;
+        -v | --verbose)
+            set -x
+            ;;
+        -h | --help)
+            exit_usage ""
+            ;;
+        *)
+            exit_usage "Unrecognized Option"
+            ;;
+    esac
+    shift
 done
 
 # shellcheck source=lib.sh
@@ -61,32 +65,32 @@ checkVars
 _branch=$(git rev-parse --abbrev-ref HEAD)
 export TFDIR="terraform"
 
-if test "$_branch" = "prod" || test  "$_branch" = qa ; then
-  echo "You are on a non-dev branch. Please checkout to your feature branch to run this script."
-  exit 1
+if test "$_branch" = "prod" || test "$_branch" = qa; then
+    echo "You are on a non-dev branch. Please checkout to your feature branch to run this script."
+    exit 1
 fi
 
 ## S3 state bucket configuration
 ## local aws default profile will be used
 ## Specify the bucket name and region
 if [ -z "${TF_VAR_tf_state_bucket}" ] || [ -z "${TF_VAR_tf_state_region}" ]; then
-  echo "TF_VAR_tf_state_bucket or TF_VAR_tf_state_region is not set. Please set the appropriate variables in your localsecrets file."
-  exit 1
+    echo "TF_VAR_tf_state_bucket or TF_VAR_tf_state_region is not set. Please set the appropriate variables in your localsecrets file."
+    exit 1
 fi
 _bucket_name="${TF_VAR_tf_state_bucket}"
 _region="${TF_VAR_tf_state_region}"
 _key="${TF_VAR_tf_state_key_prefix}/dev/${_branch}/terraform.tfstate"
 
 ## terraform init
 terraform -chdir="${TFDIR}" init -migrate-state \
-  -backend-config="bucket=${_bucket_name}" \
-  -backend-config="region=${_region}" \
-  -backend-config="key=${_key}"
+    -backend-config="bucket=${_bucket_name}" \
+    -backend-config="region=${_region}" \
+    -backend-config="key=${_key}"
 
 ## run terraform with the required parameters
 
 echo "Running terraform ${_command} for branch: ${_branch}, You will be prompted to enter the required variables."
 
 export TF_VAR_pingone_environment_name="${_branch}"
 
-terraform -chdir="${TFDIR}" ${_command}
+terraform -chdir="${TFDIR}" "${_command}"