From 8b9f70b143946cb5d525c7c016c5c6d73d2a8e00 Mon Sep 17 00:00:00 2001 From: Nicholas Farley Date: Tue, 27 Jun 2023 15:57:27 -0400 Subject: [PATCH 1/5] Add troubleshooting entry about Terraform & GitHub Actions Signed-off-by: Nicholas Farley --- README.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/README.md b/README.md index 48745c9..9faaa55 100644 --- a/README.md +++ b/README.md @@ -110,6 +110,36 @@ The action supports the following inputs: This action does not set any direct outputs. +## Troubleshooting + +### Within GitHub Actions, using Terraform plan as `input` results in `["command"]` + +Sometimes, when trying to analyze a JSON-formatted Terraform plan with `opa`, +the `input` is always bound to `["command"]` regardless of the contents of the +plan. This issue is specific to GitHub Actions, and is related to the +`terraform_wrapper` functionality that is enabled by default in the official +[hashicorp/setup-terraform](https://github.com/hashicorp/setup-terraform) +action. Specifically, the `terraform_wrapper` includes extra metadata when +running commands such as `terraform show -json tfplan > tfplan.json`. For a more +thorough description of why this happens, see this +[issue](https://github.com/open-policy-agent/opa/issues/5619#issuecomment-1608245191). + +There are two primary options for resolving this issue: + +- Disable the `terraform_wrapper` when using [hashicorp/setup-terraform](https://github.com/hashicorp/setup-terraform) + + ```yaml + - uses: hashicorp/setup-terraform@{{REF}} + with: + terraform_wrapper: false + ``` + +- Manually "filter" the extra metadata when creating the JSON-formatted plan: + + ```yaml + - run: terraform show -json tfplan | grep '^{.*}$' > tfplan.json + ``` + ## Credits Thanks to the folks over at [Infracost](https://github.com/infracost/infracost) who created the initial version of this repository. From 1403132fccb7dd0d1ae934efc4cdc65b77419300 Mon Sep 17 00:00:00 2001 
From: Nicholas Farley Date: Tue, 27 Jun 2023 16:00:21 -0400 Subject: [PATCH 2/5] Pluralize plans Signed-off-by: Nicholas Farley --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9faaa55..29c5122 100644 --- a/README.md +++ b/README.md @@ -112,7 +112,7 @@ This action does not set any direct outputs. ## Troubleshooting -### Within GitHub Actions, using Terraform plan as `input` results in `["command"]` +### Within GitHub Actions, using Terraform plans as `input` results in `["command"]` Sometimes, when trying to analyze a JSON-formatted Terraform plan with `opa`, the `input` is always bound to `["command"]` regardless of the contents of the From 5b0ed6af11ca949fdce59c900f88f5ddea2fdfd6 Mon Sep 17 00:00:00 2001 From: Nicholas Farley Date: Tue, 27 Jun 2023 16:01:00 -0400 Subject: [PATCH 3/5] Add "additional details note" to end of section Signed-off-by: Nicholas Farley --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 29c5122..0f910b3 100644 --- a/README.md +++ b/README.md @@ -120,9 +120,7 @@ plan. This issue is specific to GitHub Actions, and is related to the `terraform_wrapper` functionality that is enabled by default in the official [hashicorp/setup-terraform](https://github.com/hashicorp/setup-terraform) action. Specifically, the `terraform_wrapper` includes extra metadata when -running commands such as `terraform show -json tfplan > tfplan.json`. For a more -thorough description of why this happens, see this -[issue](https://github.com/open-policy-agent/opa/issues/5619#issuecomment-1608245191). +running commands such as `terraform show -json tfplan > tfplan.json`. There are two primary options for resolving this issue: 
@@ -140,6 +138,9 @@ There are two primary options for resolving this issue: - run: terraform show -json tfplan | grep '^{.*}$' > tfplan.json ``` +For a more thorough description of why this happens, see this +[issue](https://github.com/open-policy-agent/opa/issues/5619#issuecomment-1608245191). + ## Credits Thanks to the folks over at [Infracost](https://github.com/infracost/infracost) who created the initial version of this repository. From 178627de0d2c1461cf890f5b93b8cead843ea43d Mon Sep 17 00:00:00 2001 From: Nicholas Farley Date: Tue, 27 Jun 2023 16:02:56 -0400 Subject: [PATCH 4/5] Make it clear the recommendations are an OR Signed-off-by: Nicholas Farley --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 0f910b3..900a57d 100644 --- a/README.md +++ b/README.md @@ -124,7 +124,8 @@ running commands such as `terraform show -json tfplan > tfplan.json`. There are two primary options for resolving this issue: -- Disable the `terraform_wrapper` when using [hashicorp/setup-terraform](https://github.com/hashicorp/setup-terraform) +- **Either** disable the `terraform_wrapper` when using + [hashicorp/setup-terraform](https://github.com/hashicorp/setup-terraform) ```yaml - uses: hashicorp/setup-terraform@{{REF}} @@ -132,7 +133,8 @@ There are two primary options for resolving this issue: terraform_wrapper: false ``` -- Manually "filter" the extra metadata when creating the JSON-formatted plan: +- **OR** manually "filter" the extra metadata when creating the JSON-formatted + plan: ```yaml - run: terraform show -json tfplan | grep '^{.*}$' > tfplan.json From 23e2c2d261286fdc27b2f35fb23047146c64c243 Mon Sep 17 00:00:00 2001 From: Nicholas Farley Date: Tue, 27 Jun 2023 16:09:24 -0400 Subject: [PATCH 5/5] Capitalize for consistency Signed-off-by: Nicholas Farley --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 900a57d..f162fb7 100644 --- a/README.md 
+++ b/README.md @@ -124,7 +124,7 @@ running commands such as `terraform show -json tfplan > tfplan.json`. There are two primary options for resolving this issue: -- **Either** disable the `terraform_wrapper` when using +- **EITHER** disable the `terraform_wrapper` when using [hashicorp/setup-terraform](https://github.com/hashicorp/setup-terraform) ```yaml
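Review bot: in [PATCH 1/5], the second option's filter `grep '^{.*}$'` keeps only lines that start with `{` and end with `}`, so it depends on `terraform show -json` printing the whole plan on a single line and on no wrapper line having that shape; the entry should state that assumption. If nothing matches, `tfplan.json` is written empty, so I would suggest a follow-up step that checks the file parses as JSON (for example `jq -e . tfplan.json`) before it is handed to `opa`, since the symptom described here is a policy that evaluates something other than the plan. Separately, "Sometimes ... the `input` is always bound" reads as a contradiction; either drop "Sometimes" or say under which conditions it happens.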
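Review bot: in [PATCH 3/5], once the sentence "For a more thorough description of why this happens" is moved below the two fixes, "this" no longer sits next to the explanation and can be read as referring to the `grep` step just above it. Suggest naming the subject, for example "For a more thorough description of why the `terraform_wrapper` adds this metadata, see ...", and giving the link descriptive text instead of the bare word "issue".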
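Review bot: in [PATCH 4/5], the two markers are introduced with different capitalization (`**Either**` in the first hunk, `**OR**` in the second), and 5/5 exists only to correct that; fold 5/5 into this patch. More generally, 2/5 through 5/5 only adjust text that 1/5 introduces, so the series would be easier to review and bisect if squashed into a single commit. The lead-in "There are two primary options for resolving this issue" could also carry the either/or meaning itself ("Use one of the following two options"), which would avoid bold markers inside the bullets.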