Convert to TF 0.12. Add Tests. Add Codefresh test pipeline. Pin prov…

…iders (#26)

* Convert to TF 0.12. Add Tests. Add Codefresh test pipeline

* Update README

* Update README

* Pin providers

README.md

@@ -3,7 +3,7 @@
 
 [![Cloud Posse][logo]](https://cpco.io/homepage)
 
-# terraform-aws-tfstate-backend [![Build Status](https://travis-ci.org/cloudposse/terraform-aws-tfstate-backend.svg?branch=master)](https://travis-ci.org/cloudposse/terraform-aws-tfstate-backend) [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-aws-tfstate-backend.svg)](https://github.com/cloudposse/terraform-aws-tfstate-backend/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com)
+# terraform-aws-tfstate-backend [![Codefresh Build Status](https://g.codefresh.io/api/badges/pipeline/cloudposse/terraform-modules%2Fterraform-aws-tfstate-backend?type=cf-1)](https://g.codefresh.io/public/accounts/cloudposse/pipelines/5d0d3d11c841e6807afe8d2a) [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-aws-tfstate-backend.svg)](https://github.com/cloudposse/terraform-aws-tfstate-backend/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com)
 
 
 Terraform module to provision an S3 bucket to store `terraform.tfstate` file and a DynamoDB table to lock the state file
@@ -57,20 +57,21 @@ We literally have [*hundreds of terraform modules*][terraform_modules] that are
 
 ## Usage
 
+
+**IMPORTANT:** The `master` branch is used in `source` just as an example. In your code, do not pin to `master` because there may be breaking changes between releases.
+Instead pin to the release tag (e.g. `?ref=tags/x.y.z`) of one of our [latest releases](https://github.com/cloudposse/terraform-aws-tfstate-backend/releases).
+
+
 1. Define the module in your `.tf` file using local state:
    ```hcl
-   terraform {
-     required_version = ">= 0.11.3"
-   }
-
-   module "terraform_state_backend" {
-     source        = "git::https://github.com/cloudposse/terraform-aws-tfstate-backend.git?ref=master"
-     namespace     = "cp"
-     stage         = "prod"
-     name          = "terraform"
-     attributes    = ["state"]
-     region        = "us-east-1"
-   }
+     module "terraform_state_backend" {
+       source        = "git::https://github.com/cloudposse/terraform-aws-tfstate-backend.git?ref=master"
+       namespace     = "eg"
+       stage         = "test"
+       name          = "terraform"
+       attributes    = ["state"]
+       region        = "us-east-1"
+     }
    ```
 
 1. `terraform init`
@@ -79,9 +80,6 @@ We literally have [*hundreds of terraform modules*][terraform_modules] that are
 
 1. Then add a `backend` that uses the new bucket and table:
    ```hcl
-   terraform {
-     required_version = ">= 0.11.3"
-
      backend "s3" {
        region         = "us-east-1"
        bucket         = "< the name of the S3 bucket >"
@@ -122,33 +120,33 @@ Available targets:
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | acl | The canned ACL to apply to the S3 bucket | string | `private` | no |
-| additional_tag_map | Additional tags for appending to each tag map | map | `<map>` | no |
-| attributes | Additional attributes (e.g. `state`) | list | `<list>` | no |
-| block_public_acls | Whether Amazon S3 should block public ACLs for this bucket. | string | `false` | no |
-| block_public_policy | Whether Amazon S3 should block public bucket policies for this bucket. | string | `false` | no |
-| context | Default context to use for passing state between label invocations | map | `<map>` | no |
+| additional_tag_map | Additional tags for appending to each tag map | map(string) | `<map>` | no |
+| attributes | Additional attributes (e.g. `state`) | list(string) | `<list>` | no |
+| block_public_acls | Whether Amazon S3 should block public ACLs for this bucket | bool | `true` | no |
+| block_public_policy | Whether Amazon S3 should block public bucket policies for this bucket | string | `true` | no |
+| context | Default context to use for passing state between label invocations | object | `<map>` | no |
 | delimiter | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes` | string | `-` | no |
-| enable_server_side_encryption | Enable DynamoDB server-side encryption | string | `true` | no |
+| enable_server_side_encryption | Enable DynamoDB server-side encryption | bool | `true` | no |
 | environment | Environment, e.g. 'prod', 'staging', 'dev', 'pre-prod', 'UAT' | string | `` | no |
-| force_destroy | A boolean that indicates the S3 bucket can be destroyed even if it contains objects. These objects are not recoverable | string | `false` | no |
-| ignore_public_acls | Whether Amazon S3 should ignore public ACLs for this bucket. | string | `false` | no |
-| label_order | The naming order of the id output and Name tag | list | `<list>` | no |
-| mfa_delete | A boolean that indicates that versions of S3 objects can only be deleted with MFA. ( Terraform cannot apply changes of this value; https://github.com/terraform-providers/terraform-provider-aws/issues/629 ) | string | `false` | no |
+| force_destroy | A boolean that indicates the S3 bucket can be destroyed even if it contains objects. These objects are not recoverable | bool | `false` | no |
+| ignore_public_acls | Whether Amazon S3 should ignore public ACLs for this bucket | bool | `true` | no |
+| label_order | The naming order of the id output and Name tag | list(string) | `<list>` | no |
+| mfa_delete | A boolean that indicates that versions of S3 objects can only be deleted with MFA. ( Terraform cannot apply changes of this value; https://github.com/terraform-providers/terraform-provider-aws/issues/629 ) | bool | `false` | no |
 | name | Solution name, e.g. 'app' or 'jenkins' | string | `terraform` | no |
 | namespace | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | string | `` | no |
-| prevent_unencrypted_uploads | Prevent uploads of unencrypted objects to S3 | string | `true` | no |
+| prevent_unencrypted_uploads | Prevent uploads of unencrypted objects to S3 | bool | `true` | no |
 | profile | AWS profile name as set in the shared credentials file | string | `` | no |
 | read_capacity | DynamoDB read capacity units | string | `5` | no |
 | regex_replace_chars | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`. By default only hyphens, letters and digits are allowed, all other chars are removed | string | `/[^a-zA-Z0-9-]/` | no |
 | region | AWS Region the S3 bucket should reside in | string | - | yes |
-| restrict_public_buckets | Whether Amazon S3 should restrict public bucket policies for this bucket. | string | `false` | no |
+| restrict_public_buckets | Whether Amazon S3 should restrict public bucket policies for this bucket | bool | `true` | no |
 | role_arn | The role to be assumed | string | `` | no |
 | stage | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | string | `` | no |
-| tags | Additional tags (e.g. `map('BusinessUnit','XYZ')` | map | `<map>` | no |
+| tags | Additional tags (e.g. `map('BusinessUnit','XYZ')` | map(string) | `<map>` | no |
 | terraform_backend_config_file_name | Name of terraform backend config file | string | `terraform.tf` | no |
 | terraform_backend_config_file_path | The path to terrafrom project directory | string | `` | no |
 | terraform_state_file | The path to the state file inside the bucket | string | `terraform.tfstate` | no |
-| terraform_version | The minimum required terraform version | string | `0.11.3` | no |
+| terraform_version | The minimum required terraform version | string | `0.12.2` | no |
 | write_capacity | DynamoDB write capacity units | string | `5` | no |
 
 ## Outputs

README.yaml

@@ -16,11 +16,12 @@ license: "APACHE2"
 # Canonical GitHub repo
 github_repo: cloudposse/terraform-aws-tfstate-backend
 
+
 # Badges to display
 badges:
-  - name: "Build Status"
-    image: "https://travis-ci.org/cloudposse/terraform-aws-tfstate-backend.svg?branch=master"
-    url: "https://travis-ci.org/cloudposse/terraform-aws-tfstate-backend"
+  - name: "Codefresh Build Status"
+    image: "https://g.codefresh.io/api/badges/pipeline/cloudposse/terraform-modules%2Fterraform-aws-tfstate-backend?type=cf-1"
+    url: "https://g.codefresh.io/public/accounts/cloudposse/pipelines/5d0d3d11c841e6807afe8d2a"
   - name: "Latest Release"
     image: "https://img.shields.io/github/release/cloudposse/terraform-aws-tfstate-backend.svg"
     url: "https://github.com/cloudposse/terraform-aws-tfstate-backend/releases/latest"
@@ -59,18 +60,14 @@ description: |-
 usage: |-
   1. Define the module in your `.tf` file using local state:
      ```hcl
-     terraform {
-       required_version = ">= 0.11.3"
-     }
-
-     module "terraform_state_backend" {
-       source        = "git::https://github.com/cloudposse/terraform-aws-tfstate-backend.git?ref=master"
-       namespace     = "cp"
-       stage         = "prod"
-       name          = "terraform"
-       attributes    = ["state"]
-       region        = "us-east-1"
-     }
+       module "terraform_state_backend" {
+         source        = "git::https://github.com/cloudposse/terraform-aws-tfstate-backend.git?ref=master"
+         namespace     = "eg"
+         stage         = "test"
+         name          = "terraform"
+         attributes    = ["state"]
+         region        = "us-east-1"
+       }
      ```
 
   1. `terraform init`
@@ -79,9 +76,6 @@ usage: |-
 
   1. Then add a `backend` that uses the new bucket and table:
      ```hcl
-     terraform {
-       required_version = ">= 0.11.3"
-
        backend "s3" {
          region         = "us-east-1"
          bucket         = "< the name of the S3 bucket >"

codefresh/test.yml

@@ -0,0 +1,74 @@
+version: '1.0'
+
+stages:
+  - Prepare
+  - Test
+
+steps:
+  wait:
+    title: Wait
+    stage: Prepare
+    image: codefresh/cli:latest
+    commands:
+      - codefresh get builds --pipeline=${{CF_REPO_NAME}} --status running --limit 1000 -o json | jq --arg id ${{CF_BUILD_ID}} -ser 'flatten|.[-1].id==$id'
+    retry:
+      maxAttempts: 10
+      delay: 20
+      exponentialFactor: 1.1
+
+  main_clone:
+    title: "Clone repository"
+    type: git-clone
+    stage: Prepare
+    description: "Initialize"
+    repo: ${{CF_REPO_OWNER}}/${{CF_REPO_NAME}}
+    git: CF-default
+    revision: ${{CF_REVISION}}
+
+  clean_init:
+    title: Prepare build-harness and test-harness
+    image: ${{TEST_IMAGE}}
+    stage: Prepare
+    commands:
+      - cf_export PATH="/usr/local/terraform/0.12/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+      - make init
+      - git -C build-harness checkout master
+      - make -C test/ clean init TEST_HARNESS_BRANCH=master
+      - make -C test/src clean init
+      - find . -type d -name '.terraform' | xargs rm -rf
+      - find . -type f -name 'terraform.tfstate*' -exec rm -f {} \;
+
+  test:
+    type: "parallel"
+    title: "Run tests"
+    description: "Run all tests in parallel"
+    stage: Test
+    steps:
+      test_readme_lint:
+        title: "Test README.md updated"
+        stage: "Test"
+        image: ${{TEST_IMAGE}}
+        description: Test "readme/lint"
+        commands:
+          - make readme/lint
+
+      test_module:
+        title: Test module with bats
+        image: ${{TEST_IMAGE}}
+        stage: Test
+        commands:
+          - make -C test/ module
+
+      test_examples_complete:
+        title: Test "examples/complete" with bats
+        image: ${{TEST_IMAGE}}
+        stage: Test
+        commands:
+          - make -C test/ examples/complete
+
+      test_examples_complete_terratest:
+        title: Test "examples/complete" with terratest
+        image: ${{TEST_IMAGE}}
+        stage: Test
+        commands:
+          - make -C test/src

docs/terraform.md

@@ -3,33 +3,33 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | acl | The canned ACL to apply to the S3 bucket | string | `private` | no |
-| additional_tag_map | Additional tags for appending to each tag map | map | `<map>` | no |
-| attributes | Additional attributes (e.g. `state`) | list | `<list>` | no |
-| block_public_acls | Whether Amazon S3 should block public ACLs for this bucket. | string | `false` | no |
-| block_public_policy | Whether Amazon S3 should block public bucket policies for this bucket. | string | `false` | no |
-| context | Default context to use for passing state between label invocations | map | `<map>` | no |
+| additional_tag_map | Additional tags for appending to each tag map | map(string) | `<map>` | no |
+| attributes | Additional attributes (e.g. `state`) | list(string) | `<list>` | no |
+| block_public_acls | Whether Amazon S3 should block public ACLs for this bucket | bool | `true` | no |
+| block_public_policy | Whether Amazon S3 should block public bucket policies for this bucket | string | `true` | no |
+| context | Default context to use for passing state between label invocations | object | `<map>` | no |
 | delimiter | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes` | string | `-` | no |
-| enable_server_side_encryption | Enable DynamoDB server-side encryption | string | `true` | no |
+| enable_server_side_encryption | Enable DynamoDB server-side encryption | bool | `true` | no |
 | environment | Environment, e.g. 'prod', 'staging', 'dev', 'pre-prod', 'UAT' | string | `` | no |
-| force_destroy | A boolean that indicates the S3 bucket can be destroyed even if it contains objects. These objects are not recoverable | string | `false` | no |
-| ignore_public_acls | Whether Amazon S3 should ignore public ACLs for this bucket. | string | `false` | no |
-| label_order | The naming order of the id output and Name tag | list | `<list>` | no |
-| mfa_delete | A boolean that indicates that versions of S3 objects can only be deleted with MFA. ( Terraform cannot apply changes of this value; https://github.com/terraform-providers/terraform-provider-aws/issues/629 ) | string | `false` | no |
+| force_destroy | A boolean that indicates the S3 bucket can be destroyed even if it contains objects. These objects are not recoverable | bool | `false` | no |
+| ignore_public_acls | Whether Amazon S3 should ignore public ACLs for this bucket | bool | `true` | no |
+| label_order | The naming order of the id output and Name tag | list(string) | `<list>` | no |
+| mfa_delete | A boolean that indicates that versions of S3 objects can only be deleted with MFA. ( Terraform cannot apply changes of this value; https://github.com/terraform-providers/terraform-provider-aws/issues/629 ) | bool | `false` | no |
 | name | Solution name, e.g. 'app' or 'jenkins' | string | `terraform` | no |
 | namespace | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | string | `` | no |
-| prevent_unencrypted_uploads | Prevent uploads of unencrypted objects to S3 | string | `true` | no |
+| prevent_unencrypted_uploads | Prevent uploads of unencrypted objects to S3 | bool | `true` | no |
 | profile | AWS profile name as set in the shared credentials file | string | `` | no |
 | read_capacity | DynamoDB read capacity units | string | `5` | no |
 | regex_replace_chars | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`. By default only hyphens, letters and digits are allowed, all other chars are removed | string | `/[^a-zA-Z0-9-]/` | no |
 | region | AWS Region the S3 bucket should reside in | string | - | yes |
-| restrict_public_buckets | Whether Amazon S3 should restrict public bucket policies for this bucket. | string | `false` | no |
+| restrict_public_buckets | Whether Amazon S3 should restrict public bucket policies for this bucket | bool | `true` | no |
 | role_arn | The role to be assumed | string | `` | no |
 | stage | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | string | `` | no |
-| tags | Additional tags (e.g. `map('BusinessUnit','XYZ')` | map | `<map>` | no |
+| tags | Additional tags (e.g. `map('BusinessUnit','XYZ')` | map(string) | `<map>` | no |
 | terraform_backend_config_file_name | Name of terraform backend config file | string | `terraform.tf` | no |
 | terraform_backend_config_file_path | The path to terrafrom project directory | string | `` | no |
 | terraform_state_file | The path to the state file inside the bucket | string | `terraform.tfstate` | no |
-| terraform_version | The minimum required terraform version | string | `0.11.3` | no |
+| terraform_version | The minimum required terraform version | string | `0.12.2` | no |
 | write_capacity | DynamoDB write capacity units | string | `5` | no |
 
 ## Outputs

examples/complete/fixtures.us-west-1.tfvars

@@ -0,0 +1,7 @@
+region = "us-west-1"
+
+namespace = "eg"
+
+stage = "test"
+
+name = "terraform"

examples/complete/main.tf

@@ -0,0 +1,17 @@
+module "tfstate_backend" {
+  source = "../../"
+
+  providers = {
+    aws      = "aws"
+    null     = "null"
+    local    = "local"
+    template = "template"
+  }
+
+  region    = var.region
+  namespace = var.namespace
+  stage     = var.stage
+  name      = var.name
+
+  force_destroy = true
+}

examples/complete/outputs.tf

@@ -0,0 +1,14 @@
+output "s3_bucket_id" {
+  value       = module.tfstate_backend.s3_bucket_id
+  description = "S3 bucket ID"
+}
+
+output "dynamodb_table_name" {
+  value       = module.tfstate_backend.dynamodb_table_name
+  description = "DynamoDB table name"
+}
+
+output "dynamodb_table_id" {
+  value       = module.tfstate_backend.dynamodb_table_id
+  description = "DynamoDB table ID"
+}

examples/complete/variables.tf

@@ -0,0 +1,15 @@
+variable "region" {
+  type = string
+}
+
+variable "namespace" {
+  type = string
+}
+
+variable "name" {
+  type = string
+}
+
+variable "stage" {
+  type = string
+}

examples/complete/versions.tf

@@ -0,0 +1,23 @@
+terraform {
+  required_version = "~> 0.12.0"
+}
+
+# Pin the `aws` provider
+# https://www.terraform.io/docs/configuration/providers.html
+# Any non-beta version >= 2.0.0 and < 3.0.0, e.g. 2.X.Y
+provider "aws" {
+  version = "~> 2.0"
+  region  = var.region
+}
+
+provider "null" {
+  version = "~> 2.0"
+}
+
+provider "local" {
+  version = "~> 1.2"
+}
+
+provider "template" {
+  version = "~> 2.0"
+}