Use Terraform helpers module

[brettcurtis]

Summary by CodeRabbit

• New Features

  • Introduced a new helpers module to enhance infrastructure management.

• Bug Fixes

  • Updated the checkov repository version to improve security checks.

• Documentation

  • Updated Terraform module documentation to reflect new provider versions and module structure.
  • Removed the environment variable from various configurations, streamlining the setup.

• Chores

  • Removed deprecated local values and variable declarations to clean up the codebase.

[infracost]

💰 Infracost report

Monthly estimate generated

Estimate details (includes details of unsupported resources)

──────────────────────────────────
2 projects have no cost estimate changes.
Run the following command to see their breakdown: infracost breakdown --path=/path/to/code

──────────────────────────────────
57 cloud resources were detected:
∙ 4 were estimated
∙ 51 were free
∙ 2 are not supported yet, see https://infracost.io/requested-resources:
  ∙ 2 x google_billing_budget

_{This comment will be updated when code changes.}

[coderabbitai]

Walkthrough

This pull request introduces several updates across multiple Terraform configuration files. Key changes include updating the checkov repository version in the .pre-commit-config.yaml, modifications to the README.md for the Google Cloud Platform project documentation, and the introduction of a new helpers module. Additionally, the handling of environment variables has been refactored, leading to the removal of the environment variable from various files. Local values related to labeling have also been removed, simplifying the configuration.

Changes

File	Change Summary
.pre-commit-config.yaml	Updated checkov version from 3.2.276 to 3.2.296 and added --skip-check "CKV_TF_1" argument.
README.md	Updated google provider version from 6.8.0 to 6.11.1, added helpers module, and removed environment from inputs.
helpers.tf	Introduced new helpers module sourced from github.com/osinfra-io/terraform-core-helpers//child at version v0.1.2.
locals.tf	Updated base_project_id and project_id to reference module.helpers.env; removed env_map.
tests/fixtures/default/locals.tf	Removed locals block with labels map.
tests/fixtures/default/main.tf	Updated labels from local.labels to a hardcoded map and removed environment variable.
tests/fixtures/default/variables.tf	Removed environment variable declaration.
tests/fixtures/logging/locals.tf	Removed locals block with labels map.
tests/fixtures/logging/main.tf	Removed environment parameter and updated labels to a hardcoded map.
tests/fixtures/logging/variables.tf	Removed environment variable declaration.
variables.tf	Removed environment variable declaration.

Possibly related PRs

• Terraform testing alignment #126: Updates the .pre-commit-config.yaml file to change the checkov repository version, directly related to the version update in the main PR.
• Use terraform-core-helpers child module #134: Introduces a new module from terraform-core-helpers, relevant to the changes in the main PR regarding helper modules.
• Align variables #136: Similar to the main PR, this PR updates the checkov repository version in the .pre-commit-config.yaml, reflecting a direct connection to the version change made in the main PR.

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai or @coderabbitai title anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (2)

tests/fixtures/logging/main.tf (1)

Line range hint 1-20: Consider documenting the test fixture's purpose

As this fixture is part of a broader architectural change to use Terraform helpers, it would be valuable to add a comment block explaining:

• The purpose of this specific test fixture
• How it relates to the helpers module
• Why certain values are mocked

locals.tf (1)

Line range hint 8-85: Consider enhancing CIS logging metrics documentation

While the CIS logging metrics configuration is well-structured, consider adding:

• Links to the official CIS benchmark documentation
• Examples of alerts these metrics would generate
• Typical response procedures for each alert type

This would make the configuration more maintainable and help future maintainers understand the security implications of each metric.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 023ad9c and 52e8663.

📒 Files selected for processing (11)

• .pre-commit-config.yaml (1 hunks)
• README.md (1 hunks)
• helpers.tf (1 hunks)
• locals.tf (2 hunks)
• tests/fixtures/default/locals.tf (0 hunks)
• tests/fixtures/default/main.tf (1 hunks)
• tests/fixtures/default/variables.tf (0 hunks)
• tests/fixtures/logging/locals.tf (0 hunks)
• tests/fixtures/logging/main.tf (1 hunks)
• tests/fixtures/logging/variables.tf (0 hunks)
• variables.tf (0 hunks)

💤 Files with no reviewable changes (5)

• tests/fixtures/default/locals.tf
• tests/fixtures/default/variables.tf
• tests/fixtures/logging/locals.tf
• tests/fixtures/logging/variables.tf
• variables.tf

✅ Files skipped from review due to trivial changes (1)

• helpers.tf

🔇 Additional comments (10)

tests/fixtures/logging/main.tf (2)

16-18: LGTM! Appropriate test fixture configuration.

The hardcoded mock labels are suitable for a test fixture and follow Terraform's map syntax correctly.

---

Line range hint 1-20: Verify consistent updates across all test fixtures

Let's ensure all test fixtures have been updated consistently with these changes.

✅ Verification successful

Test fixtures are consistently updated and aligned

The verification shows that:

• No environment variables are present in any test fixtures
• Label structure is consistent across both test fixtures with the same mock values
• Common configurations (prefix, description, folder_id) are consistently formatted
• Each fixture appropriately handles its specific test case:
  • logging fixture: focuses on cis_2_2_logging_bucket_locked
  • default fixture: handles cis_2_2_logging_sink_project_id and services

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check consistency of test fixtures
# Expected results: All fixtures should follow similar patterns (no environment variable, consistent label structure)

# Check for any remaining environment variables in test fixtures
echo "Checking for remaining environment variables..."
rg -l "environment\s*=" tests/fixtures/

# Check label structure in test fixtures
echo "Checking label structure in test fixtures..."
rg -l "labels\s*=" tests/fixtures/

Length of output: 344

---

Script:

#!/bin/bash
# Let's examine the content of both files to verify label consistency
echo "Content of tests/fixtures/logging/main.tf:"
cat tests/fixtures/logging/main.tf

echo -e "\nContent of tests/fixtures/default/main.tf:"
cat tests/fixtures/default/main.tf

# Also check for any other potential inconsistencies in test fixtures
echo -e "\nListing all .tf files in test fixtures:"
fd -e tf . tests/fixtures/

# Check for any other potential configuration variables
echo -e "\nChecking other common configuration patterns:"
rg "^\s*(prefix|description|folder_id|cis_)" tests/fixtures/

Length of output: 1999

tests/fixtures/default/main.tf (2)

15-18: LGTM! Test fixture simplified appropriately.

The removal of the environment variable and the simplification of labels to use hardcoded mock values is appropriate for test fixtures. This change aligns well with the PR objective of utilizing the Terraform helpers module.

---

15-18: Verify consistency across test fixtures

Let's ensure this pattern is consistently applied across all test fixtures.

✅ Verification successful

Labels are consistently defined across test fixtures

The verification shows that the label structure is identical across all test fixtures:

• Both tests/fixtures/default/main.tf and tests/fixtures/logging/main.tf use the same pattern:

  labels = {
    "mock-key" = "mock-value"
  }

No inconsistencies were found in the label definitions across the test fixtures.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that all test fixtures follow the same pattern for labels and environment handling

# Check for any remaining references to environment variable in test fixtures
echo "Checking for remaining environment variable references:"
rg -l "environment\s*=" "tests/fixtures/"

# Check for consistent label structure across test fixtures
echo "Checking label structure in test fixtures:"
rg -A 3 "labels\s*=\s*{" "tests/fixtures/"

# Check for any remaining local.labels references
echo "Checking for remaining local.labels references:"
rg "local\.labels" "tests/fixtures/"

Length of output: 534

---

Script:

#!/bin/bash
# Let's fix the regex syntax and try again

# Check for consistent label structure across test fixtures
echo "Checking label structure in test fixtures:"
rg -A 3 'labels\s*=' "tests/fixtures/"

# Also check for any .tf files in the fixtures directory to ensure we're not missing anything
echo -e "\nListing all .tf files in fixtures:"
fd -e tf . "tests/fixtures/"

Length of output: 692

.pre-commit-config.yaml (2)

37-38: Review the implications of skipping CKV_TF_1

The addition of --skip-check "CKV_TF_1" disables Checkov's check for ensuring all Terraform resources are pinned to specific versions. This might be intentional due to the new helpers module implementation, but we should verify this approach.

#!/bin/bash
# Description: Check if there are unpinned module versions in the codebase
# that would be missed by disabling CKV_TF_1

# Search for module blocks without version constraints
rg -U 'source\s*=\s*"[^"]+"\s*(?!\s*version\s*=)' -g '*.tf'

# Also check for registry modules without version constraints
rg -U 'source\s*=\s*"[^"]+".*?}\s*$' -g '*.tf' | grep -v 'version\s*='

Consider documenting the rationale for disabling this check in a comment, especially since version pinning is generally considered a security best practice. If this is related to the new helpers module implementation, please ensure that version control is handled appropriately at a higher level.

---

32-32: Verify the checkov version upgrade

The version bump from 3.2.276 to 3.2.296 should be verified for stability and breaking changes.

✅ Verification successful

Version upgrade to checkov 3.2.296 is valid

The version bump from 3.2.276 to 3.2.296 has been verified:

• Both versions exist in the official PyPI registry
• The upgrade is a minor version increment (20 patch versions)
• The version is properly configured in the pre-commit config file

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check the changelog between versions to identify breaking changes
# and verify the version exists

# Verify the version exists and get release date
gh api repos/bridgecrewio/checkov/releases/tags/3.2.296 --jq '.published_at, .body'

# Get the list of releases between the old and new versions
gh api repos/bridgecrewio/checkov/releases --jq '.[] | select(.tag_name >= "3.2.276" and .tag_name <= "3.2.296") | {version: .tag_name, date: .published_at, body: .body}'

Length of output: 650

---

Script:

#!/bin/bash
# Let's try a different approach to verify the version
# First, check if the version exists in the checkov PyPI releases
curl -s "https://pypi.org/pypi/checkov/json" | jq -r '.releases | keys[]' | grep "3.2.296"

# Also verify the old version for reference
curl -s "https://pypi.org/pypi/checkov/json" | jq -r '.releases | keys[]' | grep "3.2.276"

# Let's also check the pre-commit config file to understand the context better
cat .pre-commit-config.yaml

Length of output: 1200

locals.tf (2)

5-5: Project ID formation logic looks good

The project ID formation logic is well-structured with:

• Clear naming convention using prefix and description
• Optional randomization using random_id
• Proper environment integration via helpers module

Also applies to: 100-100

---

5-5: Verify helpers module configuration

The environment handling has been migrated to use module.helpers.env. This aligns with the PR objective of centralizing environment management.

Let's verify the helpers module configuration:

Also applies to: 100-100

✅ Verification successful

Helpers module is properly configured and environment handling is correctly migrated

The verification confirms:

• The helpers module is properly defined in helpers.tf with source github.com/osinfra-io/terraform-core-helpers//child?ref=v0.1.2
• All references to env_map have been removed
• module.helpers.env is correctly used in both base_project_id and project_id formations
• No lingering var.environment references exist

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the helpers module configuration and usage

# Check for the module source definition
rg -A 5 'module\s+"helpers"\s+{' 

# Verify no remaining references to the old env_map
rg 'env_map'

# Check for any potential missed environment variable references
rg 'var\.environment'

Length of output: 179

---

Script:

#!/bin/bash
# Let's try with simpler patterns and separate searches

# Check for helpers module definition
rg "module \"helpers\""

# Check the module source
rg "source.*terraform-core-helpers"

# Look for any remaining env_map references
rg "env_map"

# Check for environment variable references
rg "var.environment"

# Check the actual usage of module.helpers.env
rg "module\.helpers\.env"

# Look at the locals.tf content to understand the full context
cat locals.tf

Length of output: 6801

README.md (2)

87-87: Verify Google provider version compatibility.

The Google provider version has been updated from 6.8.0 to 6.11.1.

✅ Verification successful

Provider version update from 6.8.0 to 6.11.1 has one breaking change in Looker service

The version update includes one breaking change in v6.11.0 that makes oauth_config a required field in google_looker_instance. Let's verify if this project uses Looker instances.

---

Provider version update from 6.8.0 to 6.11.1 is safe to proceed

The version update is safe as:

• No Looker instances are used in the codebase, so the breaking change doesn't affect this project
• Other changes are improvements and bug fixes that don't introduce breaking changes
• The version bump is relatively minor and follows semantic versioning

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for breaking changes in the Google provider version update

# Fetch the changelog between versions
gh api \
  -H "Accept: application/vnd.github+json" \
  repos/hashicorp/terraform-provider-google/releases | \
  jq -r '.[] | select(.tag_name | test("v6\\.(8|9|10|11)\\.*")) | "\(.tag_name)\n\(.body)\n"'

Length of output: 19846

---

Script:

#!/bin/bash
# Search for Looker instance resources
rg "google_looker_instance" -l

Length of output: 30

---

90-95: Verify the helpers module source and version.

A new helpers module has been added from github.com/osinfra-io/terraform-core-helpers//child at version v0.1.2.

✅ Verification successful

The helpers module source and version have been verified

The verification confirms:

• The repository and tag v0.1.2 exist at github.com/osinfra-io/terraform-core-helpers
• No security vulnerabilities were found for this module
• The module reference in README.md is accurate, though it's not currently used in any terraform files

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the helpers module source and version

# Check if the repository and version exist
gh api \
  -H "Accept: application/vnd.github+json" \
  repos/osinfra-io/terraform-core-helpers/git/ref/tags/v0.1.2

# Check for security advisories
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: TERRAFORM, package: "terraform-core-helpers") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Length of output: 1274

---

Script:

#!/bin/bash
# Description: Verify the helpers module source and version with corrected ecosystem type

# Check if the repository and version exist
gh api \
  -H "Accept: application/vnd.github+json" \
  repos/osinfra-io/terraform-core-helpers/git/ref/tags/v0.1.2

# Check for security advisories with correct ecosystem type
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: GO, package: "terraform-core-helpers") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

# Check if the module is referenced in terraform files
rg -l "source\s*=\s*\"github.com/osinfra-io/terraform-core-helpers//child\"" --type tf

Length of output: 917