docs(readme): add terraform docs automation (#17)

* docs(readme): add terraform docs automation
Add terraform docs script along with makefile target and gihub action for same

Signed-off-by: Timothy MacDonald <[email protected]>

* docs(readme): automate update and testing of README.md by terraform-docs
Add github action to test that README.md has been update. Also add update of README.md to /scripts/release.sh prepare

Signed-off-by: Timothy MacDonald <[email protected]>

---------

Signed-off-by: Timothy MacDonald <[email protected]>

.github/workflows/terraform_docs.yml

@@ -0,0 +1,29 @@
+name: Test that terraform docs has been run
+on: push
+jobs:
+  docs:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        ref: ${{ github.event.pull_request.head.ref }}
+    - name: Install terraform-docs
+      run: curl -L https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-linux-amd64.tar.gz | (cd /usr/local/bin; tar zxvf -; chmod +x /usr/local/bin/terraform-docs)
+    - name: store hash of orig README.md
+      id: old_hash
+      run: echo "README_HASH=$(md5sum README.md)" >> $GITHUB_OUTPUT
+    - name: Update README.md using terraform-docs make target
+      run: make terraform-docs
+    - name: store hash of new README.md
+      id: new_hash
+      run: echo "README_HASH=$(md5sum README.md)" >> $GITHUB_OUTPUT
+    - name: echo hashes
+      run: |
+        echo ${{ steps.old_hash.outputs.README_HASH }}
+        echo ${{ steps.new_hash.outputs.README_HASH }}
+    - name: test to see of hashs are the same
+      if: ${{ steps.old_hash.outputs.README_HASH != steps.new_hash.outputs.README_HASH }}
+      uses: actions/github-script@v6
+      with:
+        script: |
+          core.setFailed('Please run "make terraform-docs" and try again')

.terraform-docs.yml

@@ -0,0 +1,4 @@
+formatter: "markdown"
+version: "0.16.0"
+output:
+  file: README.md

GNUmakefile

@@ -17,4 +17,8 @@ ci: ## *CI ONLY* Runs tests on CI pipeline
 
 .PHONY: release
 release: ci ## *CI ONLY* Prepares a release of the Terraform module
-	scripts/release.sh prepare
+	scripts/release.sh prepare
+.PHONY: terraform-docs
+terraform-docs:
+	scripts/terraform-docs.sh
+

README.md

@@ -34,29 +34,30 @@ serviceusage.googleapis.com
 cloudresourcemanager.googleapis.com
 ```
 
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.1 |
 | <a name="requirement_google"></a> [google](#requirement\_google) | >= 4.4.0, < 5.0.0 |
-| <a name="requirement_lacework"></a> [lacework](#requirement\_lacework) | ~> 1.0 |
+| <a name="requirement_lacework"></a> [lacework](#requirement\_lacework) | ~> 1.5 |
 | <a name="requirement_time"></a> [time](#requirement\_time) | ~> 0.6 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_google"></a> [google](#provider\_google) | >= 4.4.0, < 5.0.0 |
-| <a name="provider_lacework"></a> [lacework](#provider\_lacework) | ~> 1.0 |
+| <a name="provider_lacework"></a> [lacework](#provider\_lacework) | ~> 1.5 |
 | <a name="provider_random"></a> [random](#provider\_random) | n/a |
 | <a name="provider_time"></a> [time](#provider\_time) | ~> 0.6 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="lacework_al_ps_svc_account"></a> [lacework\_al\_ps\_svc\_account](#module\_lacework\_al\_ps\_svc\_account) | lacework/service-account/gcp | ~> 1.0 |
+| <a name="module_lacework_al_ps_svc_account"></a> [lacework\_al\_ps\_svc\_account](#module\_lacework\_al\_ps\_svc\_account) | lacework/service-account/gcp | ~> 1.0 |
 
 ## Resources
 
@@ -65,6 +66,7 @@ cloudresourcemanager.googleapis.com
 | [google_logging_organization_sink.lacework_organization_sink](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/logging_organization_sink) | resource |
 | [google_logging_project_sink.lacework_project_sink](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/logging_project_sink) | resource |
 | [google_organization_iam_audit_config.organization_audit_logs](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_audit_config) | resource |
+| [google_organization_iam_member.for_lacework_service_account](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_member) | resource |
 | [google_project_iam_audit_config.project_audit_logs](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_audit_config) | resource |
 | [google_project_iam_member.for_lacework_service_account](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_service.required_apis](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource |
@@ -79,23 +81,26 @@ cloudresourcemanager.googleapis.com
 
 ## Inputs
 
-| Name                                                                                                                                             | Description | Type | Default | Required |
-|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|------|---------|:--------:|
-| <a name="input_existing_sink_name"></a> [existing\_sink\_name](#input\_existing\_sink\_name)                                                     | The name of an existing sink to be re-used for this integration | `string` | `""` | no |
-| <a name="input_integration_type"></a> [integration\_type](#input\_integration\_type)                                                             | Specify the integration type. Can only be PROJECT or ORGANIZATION. Defaults to PROJECT | `string` | `"PROJECT"` | no |
-| <a name="input_labels"></a> [labels](#input\_labels)                                                                                             | Set of labels which will be added to the resources managed by the module | `map(string)` | `{}` | no |
-| <a name="input_lacework_integration_name"></a> [lacework\_integration\_name](#input\_lacework\_integration\_name)                                | n/a | `string` | `"TF pub_sub_audit_log"` | no |
-| <a name="input_organization_id"></a> [organization\_id](#input\_organization\_id)                                                                | The organization ID, required if integration\_type is set to ORGANIZATION | `string` | `""` | no |
-| <a name="input_prefix"></a> [prefix](#input\_prefix)                                                                                             | The prefix that will be use at the beginning of every generated resource | `string` | `"lw-al-ps"` | no |
-| <a name="input_project_id"></a> [project\_id](#input\_project\_id)                                                                               | A project ID different from the default defined inside the provider | `string` | `""` | no |
-| <a name="input_pubsub_subscription_labels"></a> [pubsub\_subscription\_labels](#input\_pubsub\_subscription\_labels)                             | Set of labels which will be added to the subscription | `map(string)` | `{}` | no |
-| <a name="input_pubsub_topic_labels"></a> [pubsub\_topic\_labels](#input\_pubsub\_topic\_labels)                                                  | Set of labels which will be added to the topic | `map(string)` | `{}` | no |
-| <a name="input_required_apis"></a> [required\_apis](#input\_required\_apis)                                                                      | n/a | `map(any)` | <pre>{<br>  "iam": "iam.googleapis.com",<br>  "pubsub": "pubsub.googleapis.com",<br>  "resourcemanager": "cloudresourcemanager.googleapis.com",<br>  "serviceusage": "serviceusage.googleapis.com"<br>}</pre> | no |
-| <a name="input_service_account_name"></a> [service\_account\_name](#input\_service\_account\_name)                                               | The Service Account name (required when use\_existing\_service\_account is set to true) | `string` | `""` | no |
-| <a name="input_service_account_private_key"></a> [service\_account\_private\_key](#input\_service\_account\_private\_key)                        | The private key in JSON format, base64 encoded (required when use\_existing\_service\_account is set to true) | `string` | `""` | no |
-| <a name="input_skip_create_lacework_integration"></a> [skip\_create\_lacework\_integration](#input\_skip\_create\_lacework\_integration)         | Set this to true to skip creating the LW integration during GCPv1 to GCPv2 migration | `bool` | `false` | no |
-| <a name="input_use_existing_service_account"></a> [use\_existing\_service\_account](#input\_use\_existing\_service\_account)                     | Set this to true to use an existing Service Account | `bool` | `false` | no |
-| <a name="input_wait_time"></a> [wait\_time](#input\_wait\_time)                                                                                  | Amount of time to wait before the next resource is provisioned. | `string` | `"10s"` | no |
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_custom_filter"></a> [custom\_filter](#input\_custom\_filter) | Customer defined Audit Log filter which will supersede all other filter options when defined | `string` | `""` | no |
+| <a name="input_existing_sink_name"></a> [existing\_sink\_name](#input\_existing\_sink\_name) | The name of an existing sink to be re-used for this integration | `string` | `""` | no |
+| <a name="input_google_workspace_filter"></a> [google\_workspace\_filter](#input\_google\_workspace\_filter) | Filter out Google Workspace login logs from GCP Audit Log sinks.  Default is true | `bool` | `true` | no |
+| <a name="input_integration_type"></a> [integration\_type](#input\_integration\_type) | Specify the integration type. Can only be PROJECT or ORGANIZATION. Defaults to PROJECT | `string` | `"PROJECT"` | no |
+| <a name="input_k8s_filter"></a> [k8s\_filter](#input\_k8s\_filter) | Filter out GKE logs from GCP Audit Log sinks.  Default is true | `bool` | `true` | no |
+| <a name="input_labels"></a> [labels](#input\_labels) | Set of labels which will be added to the resources managed by the module | `map(string)` | `{}` | no |
+| <a name="input_lacework_integration_name"></a> [lacework\_integration\_name](#input\_lacework\_integration\_name) | n/a | `string` | `"TF pub_sub_audit_log"` | no |
+| <a name="input_organization_id"></a> [organization\_id](#input\_organization\_id) | The organization ID, required if integration\_type is set to ORGANIZATION | `string` | `""` | no |
+| <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix that will be use at the beginning of every generated resource | `string` | `"lw-al-ps"` | no |
+| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | A project ID different from the default defined inside the provider | `string` | `""` | no |
+| <a name="input_pubsub_subscription_labels"></a> [pubsub\_subscription\_labels](#input\_pubsub\_subscription\_labels) | Set of labels which will be added to the subscription | `map(string)` | `{}` | no |
+| <a name="input_pubsub_topic_labels"></a> [pubsub\_topic\_labels](#input\_pubsub\_topic\_labels) | Set of labels which will be added to the topic | `map(string)` | `{}` | no |
+| <a name="input_required_apis"></a> [required\_apis](#input\_required\_apis) | n/a | `map(any)` | <pre>{<br>  "iam": "iam.googleapis.com",<br>  "pubsub": "pubsub.googleapis.com",<br>  "resourcemanager": "cloudresourcemanager.googleapis.com",<br>  "serviceusage": "serviceusage.googleapis.com"<br>}</pre> | no |
+| <a name="input_service_account_name"></a> [service\_account\_name](#input\_service\_account\_name) | The Service Account name (required when use\_existing\_service\_account is set to true) | `string` | `""` | no |
+| <a name="input_service_account_private_key"></a> [service\_account\_private\_key](#input\_service\_account\_private\_key) | The private key in JSON format, base64 encoded (required when use\_existing\_service\_account is set to true) | `string` | `""` | no |
+| <a name="input_skip_create_lacework_integration"></a> [skip\_create\_lacework\_integration](#input\_skip\_create\_lacework\_integration) | Set this to true to skip creating the LW integration during GCPv1 to GCPv2 migration | `bool` | `false` | no |
+| <a name="input_use_existing_service_account"></a> [use\_existing\_service\_account](#input\_use\_existing\_service\_account) | Set this to true to use an existing Service Account | `bool` | `false` | no |
+| <a name="input_wait_time"></a> [wait\_time](#input\_wait\_time) | Amount of time to wait before the next resource is provisioned. | `string` | `"10s"` | no |
 
 ## Outputs
 
@@ -105,4 +110,5 @@ cloudresourcemanager.googleapis.com
 | <a name="output_pubsub_topic_name"></a> [pubsub\_topic\_name](#output\_pubsub\_topic\_name) | The PubSub topic name |
 | <a name="output_service_account_name"></a> [service\_account\_name](#output\_service\_account\_name) | The Service Account name |
 | <a name="output_service_account_private_key"></a> [service\_account\_private\_key](#output\_service\_account\_private\_key) | The private key in JSON format, base64 encoded |
-| <a name="output_sink_name"></a> [sink\_name](#output\_sink\_name) | The sink name |
+| <a name="output_sink_name"></a> [sink\_name](#output\_sink\_name) | The sink name |
+<!-- END_TF_DOCS -->

scripts/release_helpers.sh

@@ -1,6 +1,6 @@
 #
 # Name::        release_helpers.sh
-# Description:: A set of helper funtions to be used by our release.sh script
+# Description:: A set of helper functions to be used by our release.sh script
 # Author::      Salim Afiune Maya (<[email protected]>)
 #
 
@@ -137,6 +137,7 @@ prepare_release() {
   prerequisites
   remove_tag_version
   check_for_minor_version_bump
+  generate_readme
   generate_release_notes
   update_changelog
   push_release
@@ -192,6 +193,10 @@ generate_release_notes() {
   echo "$(cat CHANGES.md)" >> RELEASE_NOTES.md
 }
 
+generate_readme() {
+  make terraform-docs
+}
+
 load_list_of_changes() {
   latest_version=$(find_latest_version)
   local _list_of_changes=$(git log --no-merges --pretty="* %s (%an)([%h](https://github.com/${org_name}/${project_name}/commit/%H))" ${latest_version}..${main_branch})

scripts/terraform-docs.sh

@@ -0,0 +1,13 @@
+
+if which terraform-docs >/dev/null; then
+    terraform-docs .
+elif which docker >/dev/null; then
+    echo "## terraform-docs not found in PATH, but docker was found"
+    echo "## running terraform-docs in docker"
+    terraform_docs_version=$(cat .terraform-docs.yml | grep version | cut -d\" -f 2)
+    docker run --rm -v `pwd`:/data cytopia/terraform-docs:${terraform_docs_version} terraform-docs .
+else
+    echo "## terraform-docs not found in PATH, neither was docker"
+    echo "## please install terraform-docs or docker"
+    exit 1
+fi