fix(deploy): forward extra terraform args, drop vestigial targets #1244
cristim wants to merge 1 commit into
@coderabbitai review

✅ Action performed
Review finished.

The Makefile.terraform targets docker-build, docker-skip and
frontend-skip passed -var flags as a 4th argument to tf-deploy.sh,
which only consumed $1..$3, so the flags were silently discarded and
each target ran a plain full terraform apply. The named variables
(skip_docker_push, skip_docker_build, enable_frontend_build) are not
declared root-module variables in any environment, so the targets were
never functional; nothing references them. Remove them and their .PHONY
entries instead of plumbing dead variables through three cloud roots.
Fix the root cause in scripts/tf-deploy.sh so this argument class can
never be silently dropped again: arguments after provider/profile/
action are now forwarded verbatim to terraform (set -u safe on bash
3.2 via the ${arr[@]+...} guard). Also make the usage check reachable:
PROVIDER=$1 aborted with "unbound variable" under set -u before the
intended usage message could print; use ${1:-}/${2:-} defaults.
Verified with a stub terraform binary: extra -var/-target args now
appear in the rendered command line, plain invocations are unchanged,
and the no-args usage path exits 1 with the usage text. make -n shows
the removed targets now fail loudly with "No rule to make target".
Closes #1172

@coderabbitai review

Rate Limit Exceeded

Adversarial review — PR #1244
Reviewed against the stated risk surfaces (argument forwarding, injection,

What I checked

CI state
The three failed checks on this PR (

Out-of-scope follow-ups filed

Minor pre-existing nit (no fix required, not blocking)
The

Verdict
No fix needed on PR #1244 itself. Recommend re-requesting CR (it was rate-limited on the last ping) and merging once CR is clean and the unrelated CI failures are addressed at the repo level.

@coderabbitai full review

✅ Action performed
Full review finished.

Problem
Code-review finding HYG-04 (#1172): the Makefile.terraform targets docker-build, docker-skip and frontend-skip passed -var="..." flags as a 4th argument to scripts/tf-deploy.sh, but the script only consumed $1..$3 and ran a plain terraform apply -var-file=.... The flags were silently discarded, so e.g. make docker-skip performed a full deploy including the Docker build.

The verifier also found the targets were never functional at all: none of the named variables (skip_docker_push, skip_docker_build, enable_frontend_build) is a declared root-module variable in any of the three cloud environments (they exist only at module level, hardcoded false in each root build.tf), and nothing in the repo references the targets.

Fix
- .PHONY entries) rather than plumbing dead variables through three cloud root modules. They now fail loudly with No rule to make target instead of silently running a full apply. frontend-only (which works via -target=module.frontend) is kept.
- scripts/tf-deploy.sh: arguments after <provider> <profile> <action> are now forwarded verbatim to terraform (e.g. -target=..., -var=...), so this class of silent argument drop cannot recur. The empty-array expansion uses the ${EXTRA_ARGS[@]+...} guard to stay set -u safe on bash 3.2 (macOS default).
- PROVIDER=$1 aborted with unbound variable under set -u before the intended usage message could print; now uses ${1:-}/${2:-} and prints the usage text with exit 1.

Test evidence
Verified per the finding's guidance with make -n dry-runs and a stub terraform binary on PATH that records its exact invocation:
- ./scripts/tf-deploy.sh aws <profile> plan -var="skip_docker_build=true" invoked terraform plan -var-file=<profile.tfvars> with the -var flag silently dropped; ./scripts/tf-deploy.sh with no args died with line 34: $1: unbound variable.
- plan -var-file=<profile.tfvars> -var=skip_docker_build=true -target=module.frontend (extras forwarded verbatim); a plain invocation renders identically to before (plan -var-file=<profile.tfvars>); no-args prints the usage message and exits 1.
- make -n -f Makefile.terraform docker-build|docker-skip|frontend-skip now fail with No rule to make target; deploy, plan and frontend-only render unchanged.
- bash -n scripts/tf-deploy.sh clean.

Closes #1172
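
Added example (not code from this PR or its repository): a bash sketch of the argument handling described above, with the pre-fix shape beside the forwarding form so the silent drop and the set -u guard can be exercised without terraform installed. The function names, the TF_CMD array, the default action and the <profile>.tfvars path are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Illustration only; this is not scripts/tf-deploy.sh.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"   # arrays below need bash
set -u

# Pre-fix shape: only $1..$3 are read, so a 4th argument vanishes silently
# and the caller gets a plain plan/apply with no error.
build_tf_cmd_old() {
  TF_CMD=(terraform "$3" "-var-file=$2.tfvars")
}

# build_tf_cmd <provider> <profile> [action] [terraform args...]
# Fills the global array TF_CMD with the argv that would be executed.
build_tf_cmd() {
  # ${1:-}/${2:-} keep set -u from aborting before the usage text prints.
  # The "plan" default for the action is an assumption.
  local provider="${1:-}" profile="${2:-}" action="${3:-plan}"
  if [ -z "$provider" ] || [ -z "$profile" ]; then
    echo "usage: build_tf_cmd <provider> <profile> [action] [terraform args...]" >&2
    return 1
  fi
  # provider is only validated here; choosing the root module directory
  # is left out because the page does not show it.
  shift $(( $# < 3 ? $# : 3 ))   # drop the consumed positionals
  local extra=("$@")             # everything left is forwarded verbatim
  # On bash 3.2 a bare "${extra[@]}" of an empty array trips set -u;
  # the ${arr[@]+...} form expands to nothing when the array is empty.
  TF_CMD=(terraform "$action" "-var-file=${profile}.tfvars"
          ${extra[@]+"${extra[@]}"})
}

# Constructed sample invocation: print one bracketed field per argument so
# word boundaries are visible.
build_tf_cmd aws dev plan -var=skip_docker_build=true -target=module.frontend
printf '[%s] ' "${TF_CMD[@]}"; echo
```

Keeping the command in an array rather than a string is what preserves an argument that contains spaces as a single argv entry when it is eventually run as "${TF_CMD[@]}".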