feat: introduce new option ignore_changes_enabled and update actions (#7

)

.github/workflows/docs.yml

@@ -6,28 +6,28 @@ jobs:
   docs:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
         with:
           ref: ${{ github.event.pull_request.head.ref }}
 
       - name: Render terraform docs inside the examples/basic/README.md
-        uses: terraform-docs/gh-actions@v0.11.0
+        uses: terraform-docs/gh-actions@v1.0.0
         with:
           working-dir: ./examples/basic/
           git-push: "false"
           output-file: README.md
           config-file: ".terraform-docs.yml"
 
       - name: Render terraform docs inside the examples/basic/README.md
-        uses: terraform-docs/gh-actions@v0.11.0
+        uses: terraform-docs/gh-actions@v1.0.0
         with:
           working-dir: ./examples/replicated/
           git-push: "false"
           output-file: README.md
           config-file: ".terraform-docs.yml"
 
       - name: Render terraform docs inside the README.md
-        uses: terraform-docs/gh-actions@v0.11.0
+        uses: terraform-docs/gh-actions@v1.0.0
         with:
           working-dir: .
           git-push: "true"

.github/workflows/labeler.yml

@@ -8,7 +8,7 @@ jobs:
     name: Auto Label
     runs-on: ubuntu-latest
     steps:
-      - uses: fuxingloh/multi-labeler@v1.5.0 
+      - uses: fuxingloh/multi-labeler@v2.0.3
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
-          config-path: .github/labeler.yml
+          config-path: .github/labeler.yml

.github/workflows/labels.yml

@@ -12,10 +12,10 @@ jobs:
     name: Sync labels in the declarative way
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: micnncim/action-label-syncer@v0.3.1
+      - uses: actions/checkout@v3
+      - uses: micnncim/action-label-syncer@v1.3.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITHUB_REPOSITORY: ${{ github.repository }}
         with:
-          manifest: .github/labels.yml
+          manifest: .github/labels.yml

.github/workflows/pr-lint.yml

@@ -2,22 +2,27 @@ name: PR title conformance
 
 on:
   pull_request_target:
+    types:
+      - opened
+      - reopened
+      - edited
+      - synchronize
 
 jobs:
   lint-pr:
     runs-on: ubuntu-latest
 
     steps:
       - name: Lint PR
-        uses: aslafy-z/conventional-pr-title-action@v2.4.1
+        uses: aslafy-z/conventional-pr-title-action@v3.0.1
         with:
           preset: conventional-changelog-angular@^5.0.6
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Comment for PR title conformance
         if: failure()
-        uses: peter-evans/create-or-update-comment@v1
+        uses: peter-evans/create-or-update-comment@v3
         with:
           issue-number: ${{tojson(github.event.number)}}
           body: |

.github/workflows/release.yml

@@ -1,4 +1,3 @@
-
 name: Release Drafter
 
 on:
@@ -11,10 +10,10 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
-    - uses: release-drafter/release-drafter@v5
-      with:
-        publish: true
-        prerelease: false
-        config-name: auto-release.yml
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - uses: release-drafter/release-drafter@v5
+        with:
+          publish: true
+          prerelease: false
+          config-name: auto-release.yml
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/stale.yml

@@ -2,20 +2,19 @@ name: Mark stale issues and pull requests
 
 on:
   schedule:
-  - cron: "0 12 * * *"
+    - cron: "0 12 * * *"
 
 jobs:
   stale:
-
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/stale@v1
-      with:
-        repo-token: ${{ secrets.GITHUB_TOKEN }}
-        stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days'
-        stale-pr-message: 'This pull-request is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days'
-        stale-issue-label: 'no-issue-activity'
-        stale-pr-label: 'no-pr-activity'
-        days-before-stale: 30
-        days-before-close: 5
+      - uses: actions/stale@v8
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          stale-issue-message: "This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days"
+          stale-pr-message: "This pull-request is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days"
+          stale-issue-label: "no-issue-activity"
+          stale-pr-label: "no-pr-activity"
+          days-before-stale: 30
+          days-before-close: 5

.github/workflows/terraform.yml

@@ -9,10 +9,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v1
+        uses: hashicorp/setup-terraform@v2
         with:
           terraform_version: 1.3.0
 

.github/workflows/tflint.yml

@@ -9,10 +9,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v1
+        uses: hashicorp/setup-terraform@v2
         with:
           terraform_version: 1.3.0
 

.github/workflows/tfsec.yml

@@ -10,10 +10,10 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v1
+        uses: hashicorp/setup-terraform@v2
         with:
           terraform_version: 1.3.0
 

README.md

@@ -68,6 +68,7 @@ module "secrets" {
 | [aws_secretsmanager_secret.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
 | [aws_secretsmanager_secret_rotation.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_rotation) | resource |
 | [aws_secretsmanager_secret_version.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
+| [aws_secretsmanager_secret_version.ignore_changes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
 
 ## Inputs
 
@@ -96,7 +97,7 @@ module "secrets" {
 | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
 | <a name="input_replicas"></a> [replicas](#input\_replicas) | kms\_key\_id:<br>    ARN, Key ID, or Alias of the AWS KMS key within the region secret is replicated to.<br>region:<br>    Region for replicating the secret. | <pre>list(<br>    object(<br>      {<br>        kms_key_id = string<br>        region     = string<br>      }<br>    )<br>  )</pre> | `[]` | no |
 | <a name="input_rotation"></a> [rotation](#input\_rotation) | enabled:<br>    Whether to create secret rotation rule. <br>    Default value: `false`<br>lambda\_arn:<br>    Specifies the ARN of the Lambda function that can rotate the secret.<br>automatically\_after\_days:<br>    Specifies the number of days between automatic scheduled rotations of the secret. | <pre>object({<br>    enabled                  = optional(bool, false)<br>    lambda_arn               = string<br>    automatically_after_days = number<br>  })</pre> | <pre>{<br>  "automatically_after_days": 0,<br>  "lambda_arn": ""<br>}</pre> | no |
-| <a name="input_secret_version"></a> [secret\_version](#input\_secret\_version) | enabled:<br>    Whether to create secret version. <br>    Default value: `false`<br>secret\_string:<br>    Specifies text data that you want to encrypt and store in this version of the secret. <br>    This is required if `secret_binary` is not set.<br>secret\_binary:<br>    Specifies binary data that you want to encrypt and store in this version of the secret. <br>    This is required if `secret_string` is not set. <br>    Needs to be encoded to base64. | <pre>object({<br>    enabled       = optional(bool, true)<br>    secret_string = optional(string)<br>    secret_binary = optional(string)<br>  })</pre> | `{}` | no |
+| <a name="input_secret_version"></a> [secret\_version](#input\_secret\_version) | ignore\_changes\_enabled:<br>    Whether to ignore changes in `secret_string` and `secret_binary`.<br>    Default value: `false`<br>secret\_string:<br>    Specifies text data that you want to encrypt and store in this version of the secret. <br>    This is required if `secret_binary` is not set.<br>secret\_binary:<br>    Specifies binary data that you want to encrypt and store in this version of the secret. <br>    This is required if `secret_string` is not set. <br>    Needs to be encoded to base64. | <pre>object({<br>    secret_string          = optional(string, "{}")<br>    secret_binary          = optional(string)<br>    ignore_changes_enabled = optional(bool, false)<br>  })</pre> | `{}` | no |
 | <a name="input_stage"></a> [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).<br>Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
 | <a name="input_tenant"></a> [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |

examples/basic/main.tf

@@ -21,7 +21,6 @@ module "secrets" {
   source = "../../"
 
   secret_version = {
-    enabled = true
     secret_string = jsonencode(
       {
         ssh_public_key  = base64encode(module.ssh_key_pair.public_key)

examples/replicated/main.tf

@@ -56,7 +56,6 @@ module "secrets" {
   source = "../../"
 
   secret_version = {
-    enabled = true
     secret_string = jsonencode(
       {
         ssh_public_key  = base64encode(module.ssh_key_pair.public_key)

main.tf

@@ -3,8 +3,7 @@ locals {
   secret_name             = one(aws_secretsmanager_secret.default[*].name)
   secret_id               = one(aws_secretsmanager_secret.default[*].id)
   secret_arn              = one(aws_secretsmanager_secret.default[*].arn)
-  version_id              = one(aws_secretsmanager_secret_version.default[*].version_id)
-  secret_version_enabled  = local.enabled && var.secret_version["enabled"]
+  version_id              = local.enabled && !var.secret_version["ignore_changes_enabled"] ? one(aws_secretsmanager_secret_version.default[*].version_id) : one(aws_secretsmanager_secret_version.ignore_changes[*].version_id)
   secret_rotation_enabled = local.enabled && var.rotation["enabled"]
   kms_key_enabled         = local.enabled && var.kms_key["enabled"]
   kms_key_id              = var.kms_key["enabled"] ? module.kms_key.key_id : var.kms_key_id
@@ -45,13 +44,28 @@ resource "aws_secretsmanager_secret" "default" {
 }
 
 resource "aws_secretsmanager_secret_version" "default" {
-  count = local.secret_version_enabled ? 1 : 0
+  count = local.enabled && !var.secret_version["ignore_changes_enabled"] ? 1 : 0
 
   secret_id     = local.secret_id
   secret_string = var.secret_version["secret_string"]
   secret_binary = var.secret_version["secret_binary"]
 }
 
+resource "aws_secretsmanager_secret_version" "ignore_changes" {
+  count = local.enabled && var.secret_version["ignore_changes_enabled"] ? 1 : 0
+
+  secret_id     = local.secret_id
+  secret_string = var.secret_version["secret_string"]
+  secret_binary = var.secret_version["secret_binary"]
+
+  lifecycle {
+    ignore_changes = [
+      secret_string,
+      secret_binary,
+    ]
+  }
+}
+
 resource "aws_secretsmanager_secret_rotation" "default" {
   count = local.secret_rotation_enabled ? 1 : 0
 

variables.tf

@@ -75,15 +75,15 @@ variable "kms_key" {
 
 variable "secret_version" {
   type = object({
-    enabled       = optional(bool, true)
-    secret_string = optional(string)
-    secret_binary = optional(string)
+    secret_string          = optional(string, "{}")
+    secret_binary          = optional(string)
+    ignore_changes_enabled = optional(bool, false)
   })
   sensitive   = true
   default     = {}
   description = <<-DOC
-    enabled:
-        Whether to create secret version. 
+    ignore_changes_enabled:
+        Whether to ignore changes in `secret_string` and `secret_binary`.
         Default value: `false`
     secret_string:
         Specifies text data that you want to encrypt and store in this version of the secret.