Fork of mercari/tfnotify. tfcmt enhances tfnotify in many ways, including Terraform >= v0.15 support and advanced formatting options
https://github.com/suzuki-shunsuke/tfcmt/compare/v4.11.0...v4.12.0
#1355 Get GitHub API endpoints from the environment variables `GITHUB_API_URL` and `GITHUB_GRAPHQL_URL` in GitHub Actions
Published by github-actions[bot] 3 months ago
https://github.com/suzuki-shunsuke/tfcmt/compare/v4.10.0...v4.11.0
#1336 #1339 Post comments to a pull request if the workflow run is triggered via GitHub Actions' `merge_group` event
Update Go to 1.22.5
Published by github-actions[bot] 3 months ago
Published by github-actions[bot] 5 months ago
https://github.com/suzuki-shunsuke/tfcmt/compare/v4.9.1...v4.10.0
#1294 plan: Support disabling labels by a command line option and environment variable
Added a command line option `-disable-label` and an environment variable `TFCMT_DISABLE_LABEL`. If either is set, `tfcmt plan` doesn't set labels.

```sh
tfcmt plan -disable-label -- terraform plan
```

```sh
export TFCMT_DISABLE_LABEL=true
tfcmt plan -- terraform plan
```

#1295 validate if command is specified
`tfcmt plan` and `tfcmt apply` require a command to be executed.

```sh
tfcmt plan -- terraform plan
tfcmt apply -- terraform apply
```

So this pull request adds a validation that a command is specified.
If no command is specified, `tfcmt plan` and `tfcmt apply` return an error immediately.

```console
$ tfcmt plan
ERRO[0000] tfcmt failed error="no command specified"
```

#1292 #1293 Improve the help message
Published by github-actions[bot] 5 months ago
https://github.com/suzuki-shunsuke/tfcmt/compare/v4.9.0...v4.9.1
#1187 #1257 #1258 Exit commands with a non-zero exit code if any error such as an API rate limit happens
This update changes the exit code of tfcmt when an error happens.
The exit code was the same as the exit code of `terraform plan` and `terraform apply`.
This means tfcmt might have exited with zero even if tfcmt failed to post a comment for some reason such as an API rate limit.
This was not a bug but an expected behavior.
But this behavior was dangerous because people might have missed unexpected changes.
So this update changes the behavior: tfcmt exits with non-zero if any error such as an API rate limit happens.
Published by github-actions[bot] 9 months ago
https://github.com/suzuki-shunsuke/tfcmt/compare/v4.8.0...v4.9.0
#1083 #1115 Support masking sensitive data
You can mask sensitive data in the outputs of terraform.
This feature prevents the leak of sensitive data.
The following outputs are masked.

- `tfcmt plan` and `tfcmt apply`
- `--output` option

> [!CAUTION]
> Even if you mask secrets using this feature, secrets are still stored in Terraform States.
> Please see also Sensitive Data in State.

You can use the environment variables `TFCMT_MASKS` and `TFCMT_MASKS_SEPARATOR`.

- `TFCMT_MASKS`: A list of masks. Masks are joined by `TFCMT_MASKS_SEPARATOR`
- `TFCMT_MASKS_SEPARATOR`: A separator of masks. The default value is `,`

The format of each mask is `${type}:${value}`.
`${type}` must be either `env` or `regexp`.
If `${type}` is `env`, `${value}` is the name of an environment variable whose value is masked.
If `${type}` is `regexp`, `${value}` is a regular expression whose matches are masked.

e.g. Mask GitHub access tokens and the environment variable `DATADOG_API_KEY`.

```sh
export TFCMT_MASKS='env:GITHUB_TOKEN,env:DATADOG_API_KEY,regexp:ghp_[^ ]+'
tfcmt plan -- terraform plan
```

e.g. Change the separator to `/`.

```sh
export TFCMT_MASKS_SEPARATOR=/
export TFCMT_MASKS='env:GITHUB_TOKEN/env:DATADOG_API_KEY/regexp:ghp_[^ ]+'
```

All matching strings are replaced with `***`.
Replacements are done in the order of `TFCMT_MASKS`, so the result depends on that order.
For example, if `TFCMT_MASKS` is `regexp:foo,regexp:foo.*`, `regexp:foo.*` has no effect because every `foo` is replaced with `***` before `foo.*` is applied, so `foo.*` no longer matches anything.
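The mask format and the order-dependent replacement described above, as an added Go illustration (not tfcmt's own code; `ParseMasks`, `ApplyMasks` and the sample token value are assumptions). It parses a `TFCMT_MASKS` string with a given separator and applies the masks in order, skipping unset or empty environment variables so an empty value cannot match everywhere.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Mask is one TFCMT_MASKS entry: env:NAME hides a variable's value, regexp:PATTERN hides its matches.
type Mask struct {
	Type, Value string
}

// ParseMasks splits spec on sep and validates each "${type}:${value}" item.
// Added illustration of the documented format; names are assumed, not tfcmt's own.
func ParseMasks(spec, sep string) ([]Mask, error) {
	if spec == "" {
		return nil, nil
	}
	var masks []Mask
	for _, item := range strings.Split(spec, sep) {
		typ, val, ok := strings.Cut(item, ":")
		if !ok || (typ != "env" && typ != "regexp") || val == "" {
			return nil, fmt.Errorf("invalid mask %q: want env:NAME or regexp:PATTERN", item)
		}
		masks = append(masks, Mask{Type: typ, Value: val})
	}
	return masks, nil
}

// ApplyMasks replaces every match with "***" in mask order, so an earlier mask can consume
// text a later one would match (the foo/foo.* case). lookupEnv is injected for offline use.
func ApplyMasks(text string, masks []Mask, lookupEnv func(string) (string, bool)) (string, error) {
	for _, m := range masks {
		switch m.Type {
		case "env":
			v, ok := lookupEnv(m.Value)
			if !ok || v == "" {
				continue // unset or empty variable: nothing to hide ("" would match everywhere)
			}
			text = strings.ReplaceAll(text, v, "***")
		case "regexp":
			re, err := regexp.Compile(m.Value)
			if err != nil {
				return "", fmt.Errorf("mask %q: %w", m.Value, err)
			}
			text = re.ReplaceAllLiteralString(text, "***")
		}
	}
	return text, nil
}

func main() {
	// Constructed sample: the plan line from the example below with a fake token value.
	env := map[string]string{"TF_VAR_gh_token": "ghp_constructedSampleToken123"}
	lookup := func(k string) (string, bool) { v, ok := env[k]; return v, ok }
	masks, _ := ParseMasks("env:TF_VAR_gh_token,regexp:ghp_[^ ]+", ",")
	out, _ := ApplyMasks(`+ "_GH_TOKEN" = "ghp_constructedSampleToken123"`, masks, lookup)
	fmt.Println(out) // + "_GH_TOKEN" = "***"
}
```

Pass `os.LookupEnv` as `lookupEnv` to mask real environment variables.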
This example creates a resource `google_cloudbuild_trigger`.
This resource has a GitHub Access token in the field `substitutions._GH_TOKEN`.

main.tf

```hcl
resource "google_cloudbuild_trigger" "filename_trigger" {
  location = "us-central1"
  trigger_template {
    branch_name = "main"
    repo_name   = "my-repo"
  }
  substitutions = {
    _GH_TOKEN = var.gh_token # Secret
  }
  filename = "cloudbuild.yaml"
}

variable "gh_token" {
  type        = string
  description = "GitHub Access token"
}

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "5.13.0"
    }
  }
}
```

If you run `terraform plan` without masking, the secret would be leaked.
To prevent the leak, let's mask the secret.

```sh
export TFCMT_MASKS=env:TF_VAR_gh_token # Mask the environment variable TF_VAR_gh_token
```

Please see `_GH_TOKEN` in the output of `tfcmt plan` and the pull request comment.
You can confirm `_GH_TOKEN` is masked as `***` properly.

```console
$ tfcmt plan -- terraform plan
tfcmt plan -- terraform plan

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_cloudbuild_trigger.filename_trigger will be created
  + resource "google_cloudbuild_trigger" "filename_trigger" {
      + create_time   = (known after apply)
      + filename      = "cloudbuild.yaml"
      + id            = (known after apply)
      + location      = "us-central1"
      + name          = (known after apply)
      + project       = "hello"
      + substitutions = {
          + "_GH_TOKEN" = "***"
        }
      + trigger_id    = (known after apply)

      + trigger_template {
          + branch_name = "main"
          + project_id  = (known after apply)
          + repo_name   = "my-repo"
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.
```

Terraform itself has features to prevent sensitive data from being leaked.
So you should use these features first.
But even when these features are available, it still makes sense for tfcmt to mask sensitive data.
Imagine the situation where platform engineers manage Terraform workflows and product teams manage Terraform code in a monorepo.
Then platform engineers need to prevent sensitive data from being leaked, but if product teams forget to protect it with `sensitive` flags, sensitive data would be leaked.
By protecting sensitive data using tfcmt, platform engineers can prevent sensitive data from being leaked while delegating the management of Terraform code to product teams.
tfcmt's masking feature works as a guardrail.
Published by github-actions[bot] 9 months ago
https://github.com/suzuki-shunsuke/tfcmt/compare/v4.8.0...v4.9.0-2
56dfca4 fix(mask): Change the default separator from `;` to `,`
#1083 #1115 support masking secrets
Published by github-actions[bot] 9 months ago
https://github.com/suzuki-shunsuke/tfcmt/compare/v4.8.0...v4.9.0-1
#1083 #1115 support masking secrets
Published by github-actions[bot] 10 months ago
https://github.com/suzuki-shunsuke/tfcmt/compare/v4.7.3...v4.8.0
#1090 #1091 Support passing a GitHub Access token via the environment variable `TFCMT_GITHUB_TOKEN`
In addition to the environment variable `GITHUB_TOKEN`, tfcmt supports the environment variable `TFCMT_GITHUB_TOKEN` too.
Published by github-actions[bot] 10 months ago
https://github.com/suzuki-shunsuke/tfcmt/compare/v4.7.3...v4.8.0-1
Published by github-actions[bot] 10 months ago
https://github.com/suzuki-shunsuke/tfcmt/compare/v4.7.2...v4.7.3
#1073 Fix a bug where code blocks are broken if "```" is used in the command output @jemiam
When triple backticks are in the results of a terraform command, the wrapCode method uses HTML tags (pre + code) to escape them.
But currently these tags are also escaped, so it doesn't work as intended.
Thank you for your contribution!
@jemiam #1073
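The wrapping behaviour described above, as an added Go illustration beside the buggy form (not tfcmt's own `wrapCode`; `WrapCode` and `WrapCodeBuggy` are assumed names). Only the untrusted command output should be escaped, never the `<pre><code>` wrapper itself.

```go
package main

import (
	"html"
	"strings"
)

// WrapCodeBuggy shows the defect described in #1073: output containing "```" is
// switched to HTML tags, but the whole string, tags included, is escaped, so the
// comment shows literal "&lt;pre&gt;" text instead of a code block.
func WrapCodeBuggy(output string) string {
	if !strings.Contains(output, "```") {
		return "```\n" + output + "\n```"
	}
	return html.EscapeString("<pre><code>" + output + "</code></pre>")
}

// WrapCode is the corrected form: the command output (which may contain markup
// or backticks) is escaped, and the <pre><code> wrapper stays intact.
func WrapCode(output string) string {
	if !strings.Contains(output, "```") {
		return "```\n" + output + "\n```"
	}
	return "<pre><code>" + html.EscapeString(output) + "</code></pre>"
}
```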
Published by github-actions[bot] 11 months ago
https://github.com/suzuki-shunsuke/tfcmt/compare/v4.7.1...v4.7.2
#1061 #1062 Change the default template to fix the issue that emojis aren't rendered
Recently, some emojis in tfcmt's comments haven't been rendered properly.
We guess this is a bug in GitHub itself.
We found the bug doesn't occur if we remove emojis from the end of lines.

Before

```
### :warning: Resource Deletion will happen :warning:
```

After

```
### :warning: Resource Deletion will happen
```

Until the bug is fixed, we'll remove emojis from the end of lines.

Update dependencies

#1058 chore(deps): update dependency golang/go to v1.21.5
Published by github-actions[bot] about 1 year ago
https://github.com/suzuki-shunsuke/tfcmt/compare/v4.7.0...v4.7.1
#959 chore(deps): update dependency golang/go to v1.21.3
#960 fix(deps): update module github.com/google/go-cmp to v0.6.0
Published by github-actions[bot] about 1 year ago
https://github.com/suzuki-shunsuke/tfcmt/compare/v4.6.1...v4.7.0
We roughly checked whether tfcmt works with OpenTofu, then fixed some issues where tfcmt didn't work with OpenTofu.
We tested tfcmt with OpenTofu v1.6.0-alpha2.
tfcmt seems to work with OpenTofu.
You can simply replace the Terraform CLI with the OpenTofu CLI.

```console
$ tfcmt plan -- tofu plan
$ tfcmt apply -- tofu apply
```

But we didn't check deeply. We just checked roughly.
And we don't promise OpenTofu support for now.
We primarily support Terraform.
Published by github-actions[bot] about 1 year ago
https://github.com/suzuki-shunsuke/tfcmt/compare/v4.6.0...v4.6.1
#952 Fix Go Module Path
This update fixes the issue that tfcmt can't be installed by `go install`.

```console
$ go install github.com/suzuki-shunsuke/tfcmt/cmd/[email protected]
go: github.com/suzuki-shunsuke/tfcmt/cmd/[email protected]: github.com/suzuki-shunsuke/[email protected]: invalid version: module contains a go.mod file, so module path must match major version ("github.com/suzuki-shunsuke/tfcmt/v4")
$ go install github.com/suzuki-shunsuke/tfcmt/v4/cmd/[email protected]
go: github.com/suzuki-shunsuke/tfcmt/v4/cmd/[email protected]: github.com/suzuki-shunsuke/[email protected]: invalid version: module contains a go.mod file, so module path must match major version ("github.com/suzuki-shunsuke/tfcmt/v4")
```

As of v4.6.1, you can install tfcmt by `go install`.

```console
$ go install github.com/suzuki-shunsuke/tfcmt/v4/cmd/tfcmt@v4.6.1
go: downloading github.com/suzuki-shunsuke/tfcmt/v4 v4.6.1
```
#947 Update Go 1.21.1 to 1.21.2
#890 Update github.com/google/go-github/v53 to v55
Addressed go-github's breaking changes.
#711 Update dependency golangci/golangci-lint to v1.54.2
Fixed lint errors.
Published by github-actions[bot] about 1 year ago
https://github.com/suzuki-shunsuke/tfcmt/compare/v4.6.0...v4.6.1-1
Published by github-actions[bot] about 1 year ago
https://github.com/suzuki-shunsuke/tfcmt/compare/v4.5.1...v4.6.0
#930 #932 List imported or moved resources even if they are changed or replaced
tfcmt v4.5.0 lists imported or moved resources, but doesn't list them if they are changed or replaced.
This release makes it possible to list imported or moved resources even if they are changed or replaced.
Published by github-actions[bot] about 1 year ago
https://github.com/suzuki-shunsuke/tfcmt/compare/v4.5.0...v4.5.1

#117 #896 (#904 #909 #910) Parse the output of terraform plan when only Outputs are changed
tfcmt previously couldn't parse the output of `terraform plan` if only Terraform's Outputs would be changed.
e.g.

```console
$ tfcmt plan -- terraform plan

Changes to Outputs:
  + foo = "foo"

You can apply this plan to save these new output values to the Terraform
state, without changing any real infrastructure.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.
```

As of tfcmt v4.5.1, tfcmt can parse the output properly.

#903 #911 Parse errors and warnings without terraform plan's -no-color option
tfcmt previously couldn't parse errors and warnings without `terraform plan`'s `-no-color` option because they start with `│`.

```sh
tfcmt plan -- terraform plan
```

e.g.

```
╷
│ Warning: "default_branch": [DEPRECATED] Use the github_branch_default resource instead
│
│   with github_repository.tfcmt,
│   on main.tf line 10, in resource "github_repository" "tfcmt":
│   10: resource "github_repository" "tfcmt" {
│
│ (and one more similar warning elsewhere)
╵
```

As of tfcmt v4.5.1, tfcmt supports parsing warnings and errors even if the `-no-color` option isn't set.

#907 --output: List imported and moved resources
Follow up #881 and #884
https://github.com/suzuki-shunsuke/tfcmt/releases/tag/v4.5.0
https://suzuki-shunsuke.github.io/tfcmt/output-file

#906 tfcmt changes the title by the result of terraform commands

Success

```
## Plan Result
```

Failure

```
## :x: Plan Failed
```

tfcmt previously checked only the exit code of terraform commands,
but as of tfcmt v4.5.1, tfcmt also checks whether terraform commands output errors.
This is useful when you write the output of terraform commands to a text file and then run tfcmt.
e.g.

```sh
terraform plan > plan.txt 2>&1
tfcmt plan -- cat plan.txt
```

Thank you for your contribution!
#896 @taro-kayo
Published by github-actions[bot] about 1 year ago
https://github.com/suzuki-shunsuke/tfcmt/compare/v4.5.1-1...v4.5.1-2
Parse errors and warnings without the `-no-color` option (#903 #911)
Published by github-actions[bot] about 1 year ago
https://github.com/suzuki-shunsuke/tfcmt/compare/v4.5.0...v4.5.1-1