Commit 120a811

OCM-24672 | chore: consolidate checks under make pre-push-checks
Unify the module merge gate in Makefile (inline pre-push-checks), extend the CI client image for tflint/addlicense/Vale, add verify-min-terraform workflow, remove test.yml, align CONTRIBUTING and workflows, and drop broken manual tf-* targets.

Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Amanda Hager Lopes de Andrade Katz <amanda.katz@redhat.com>
1 parent 863dcb4 commit 120a811

9 files changed

Lines changed: 83 additions & 344 deletions

.github/pull_request_template.md

Lines changed: 1 addition & 2 deletions
@@ -83,7 +83,6 @@ Examples: variable rename/removal, output rename/removal, default value change,
8383
- [ ] Relevant Jira/GitHub issues and related PRs are linked.
8484
- [ ] Tests were added/updated where appropriate.
8585
- [ ] I manually tested the change.
86-
- [ ] `make verify` passes.
87-
- [ ] `make verify-gen` passes.
86+
- [ ] `make pre-push-checks` passes (or each step: `verify`, `verify-gen`, `lint`, `unit-tests`, `license-check`, `docs-lint`).
8887
- [ ] Documentation was added/updated where appropriate (see `make terraform-docs`).
8988
- [ ] Any risk, limitation, or follow-up work is documented.
File renamed without changes.
Lines changed: 6 additions & 9 deletions
@@ -1,10 +1,11 @@
1-
name: Terraform test
1+
# Validates examples at the minimum Terraform version (root versions.tf required_version).
2+
name: Verify (minimum Terraform)
23

34
on:
45
pull_request:
56

67
jobs:
7-
test:
8+
verify-terraform-1-5-7:
89
runs-on: ubuntu-latest
910
permissions:
1011
contents: read
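Review bot: The job id `verify-terraform-1-5-7` bakes the version into the name, while the header comment says the workflow follows `required_version` in root `versions.tf`; the next bump of the minimum will rename the check and anything that refers to it by name. Use a version-neutral id such as `verify-min-terraform` and keep the version in one place.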
@@ -13,12 +14,8 @@ jobs:
1314

1415
- uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4.0.1
1516
with:
17+
terraform_version: "1.5.7"
1618
terraform_wrapper: false
1719

18-
- uses: terraform-linters/setup-tflint@b480b8fcdaa6f2c577f8e4fa799e89e756bb7c93 # v6.2.2
19-
20-
- name: Lint
21-
run: make lint
22-
23-
- name: Terraform unit tests
24-
run: make unit-tests
20+
- name: Validate examples (minimum supported Terraform)
21+
run: make verify
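Review bot: Removing the `setup-tflint`, `Lint` and `Terraform unit tests` steps leaves `make verify` as the only check this workflow runs, and the Makefile comment in this commit says Prow currently runs only `verify` and `verify-gen`, so `lint`, `unit-tests`, `license-check` and `docs-lint` are not enforced by any CI until `openshift/release` is updated. Keep a job that runs them (on a Terraform version that supports `terraform test`) until the Prow presubmit switches to `make pre-push-checks`, or land the two changes together.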

AGENTS.md

Lines changed: 1 addition & 1 deletion
@@ -93,4 +93,4 @@ Use mocks for AWS and RHCS resources to verify logic without requiring live cred
9393

9494
When module behavior branches on a **boolean variable** (e.g. **`count = var.x ? 1 : 0`**), prefer **more than one `run` block** (or clearly separated scenarios) so **both** outcomes are covered—typically **`true` / `count = 1`** and **`false` / `count = 0`**—not only the default or “happy” path. That avoids regressions where the positive case passes but the opt-out path breaks.
9595

96-
For exact commands and pass/fail criteria, follow **`CONTRIBUTING.md`**.
96+
Before opening a PR, `make pre-push-checks` must pass locally; see **`CONTRIBUTING.md`** for commands and pass/fail criteria.

CONTRIBUTING.md

Lines changed: 4 additions & 4 deletions
@@ -17,20 +17,20 @@ This repo is **ROSA HCP** only. The sibling **ROSA Classic** module is [`terrafo
1717
## Before you open a PR
1818

1919
1. **Format**`terraform fmt -recursive` (or format only dirs you changed).
20-
2. **Validate**`make verify` (runs `terraform init` + `validate` in each `examples/*` directory). Fix failures in examples you touch or that your change breaks.
20+
2. **Validate**`make verify` (runs `terraform init` + `validate` in each `examples/*` directory; compatible with the minimum Terraform version in root **`versions.tf`**, currently **>= 1.5.7**). Fix failures in examples you touch or that your change breaks.
2121
3. **Docs** — If you changed variables, outputs, modules, or root wiring: run `make verify-gen` (runs `terraform-docs` via [`scripts/terraform-docs.sh`](scripts/terraform-docs.sh), then [`scripts/verify-gen.sh`](scripts/verify-gen.sh) to ensure README inject blocks are committed).
2222
4. **Module tests** — If a submodule under `modules/<name>/tests/` has `*.tftest.hcl`, run `terraform init -backend=false && terraform test` from `modules/<name>/`, or run `make unit-tests` for all modules with tests.
2323
5. **Documentation lint**`make docs-lint` runs the pinned [Vale](https://docs.vale.sh/) CLI with Red Hat documentation styles (see [`.vale.ini`](.vale.ini)). Building Vale uses `CGO_ENABLED=1` and requires a C compiler toolchain on the first install.
2424
6. **Provider** — Treat [`terraform-redhat/rhcs`](https://github.com/terraform-redhat/terraform-provider-rhcs) as the source of truth: mirror its schemas in variables and docs. Add `validation` / `precondition` only to echo the provider’s required fields and allowed values (fail fast); do not duplicate or tighten rules the provider already enforces.
2525
7. **Module scope (AWS-only)** — If the change adds or expands **AWS-only** configuration (no `rhcs` surface), confirm it matches **`Module scope (AWS-only vs core HCP)`** in [`.cursor/rules/rosa-hcp-terraform.mdc`](.cursor/rules/rosa-hcp-terraform.mdc). In the PR, **link official Red Hat or cited ROSA HCP documentation** that supports shipping it in-repo, or explain why an exception is justified.
2626

27-
Run the full local verification flow (same steps planned for CI) with:
27+
Run the full local verification flow (same steps as the planned single OpenShift Prow presubmit) with:
2828

2929
```shell
30-
make basic-checks
30+
make pre-push-checks
3131
```
3232

33-
`make basic-checks` runs `verify`, `verify-gen`, `lint`, `unit-tests`, `license-check`, and `docs-lint` in order (fail-fast). Use `make run-checks -- basic --list-steps` or `--dry-run` to inspect the sequence without running it.
33+
`make pre-push-checks` runs `verify`, `verify-gen`, `lint`, `unit-tests`, `license-check`, and `docs-lint` in order (fail-fast). Run individual targets when debugging one step. OpenShift Prow will use `make pre-push-checks` as the presubmit merge gate after `openshift/release` is updated. Until then, GitHub Actions runs `make verify` at Terraform 1.5.7 via **`verify-min-terraform.yml`**; run `make pre-push-checks` locally before opening a PR.
3434

3535
## Commit format
3636

Dockerfile

Lines changed: 8 additions & 2 deletions
@@ -1,7 +1,7 @@
11
FROM registry.access.redhat.com/ubi9/ubi:latest
22
WORKDIR /app
33
COPY . /app
4-
RUN yum update -y && yum install -y yum-utils shadow-utils unzip tar make && \
4+
RUN yum update -y && yum install -y yum-utils shadow-utils unzip tar make golang gcc gcc-c++ git which && \
55
yum-config-manager --add-repo https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo && \
66
yum -y install terraform && \
77
yum clean all && \
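Review bot: The `yum install` line now adds `golang gcc gcc-c++ git which` to the final image, but the commit only needs them to `go install` addlicense and Vale, so the compilers and `git` stay in the CI client image afterwards. Consider building the two binaries in a separate builder stage and copying them into `/usr/local/bin`, which also removes the need for `/root/go/bin` on `PATH`.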
@@ -13,4 +13,10 @@ RUN curl -sL "https://mirror.openshift.com/pub/cgw/rosa/latest/rosa-linux.tar.gz
1313
ARG TERRAFORM_DOCS_VERSION=0.22.0
1414
RUN curl -sSLo ./terraform-docs.tar.gz https://terraform-docs.io/dl/v${TERRAFORM_DOCS_VERSION}/terraform-docs-v${TERRAFORM_DOCS_VERSION}-$(uname)-amd64.tar.gz && \
1515
tar -xzf terraform-docs.tar.gz terraform-docs && chmod +x terraform-docs && \
16-
mv terraform-docs /usr/local/bin/terraform-docs && rm terraform-docs.tar.gz
16+
mv terraform-docs /usr/local/bin/terraform-docs && rm terraform-docs.tar.gz
17+
ARG VALE_VERSION=v3.14.1
18+
ARG ADDLICENSE_VERSION=v1.2.0
19+
RUN go install github.com/google/addlicense@${ADDLICENSE_VERSION} && \
20+
CGO_ENABLED=1 go install github.com/errata-ai/vale/v3/cmd/vale@${VALE_VERSION} && \
21+
curl -sL https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash -s -- -b /usr/local/bin
22+
ENV PATH="/root/go/bin:/usr/local/bin:${PATH}"
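Review bot: The tflint install on the last `RUN` line pipes `install_linux.sh` from the `master` branch straight into `bash` with no version pin or checksum, unlike `VALE_VERSION` and `ADDLICENSE_VERSION` in the same hunk and unlike the SHA-pinned `setup-tflint` action this commit removes from the workflow. Fetch the script from a release tag or commit, pin the tflint version it installs, and use `curl -fsSL` so an HTTP error fails the build instead of being piped to the shell. `VALE_VERSION` is also now defined in both the Dockerfile and the Makefile; note which one is authoritative.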

Makefile

Lines changed: 60 additions & 114 deletions
@@ -2,8 +2,8 @@ SHELL := bash
22

33
LOCALBIN ?= $(CURDIR)/bin
44
LOCALBIN_ABS := $(abspath $(LOCALBIN))
5-
RUN_CHECKS_SCRIPT := ./hack/run-checks.sh
65
VALE_VERSION ?= v3.14.1
6+
MODULE_REGISTRY := terraform-redhat/rosa-hcp/rhcs
77

88
ifeq ($(shell go env GOOS 2>/dev/null),windows)
99
BIN_EXT=.exe
@@ -19,135 +19,59 @@ $(LOCALBIN):
1919
$(VALE): | $(LOCALBIN)
2020
CGO_ENABLED=1 GOBIN="$(LOCALBIN_ABS)" go install github.com/errata-ai/vale/v3/cmd/vale@$(VALE_VERSION)
2121

22-
######################
23-
# Define a variable for the Terraform examples directory
24-
TERRAFORM_DIR := examples/rosa-hcp-public-with-byo-vpc-byo-iam-byo-oidc
25-
26-
######################
27-
# Log into your AWS account before running this make file.
28-
# Create .env file with your ROSA token. This file will be ignored by git.
29-
# format.
30-
# RHCS_TOKEN=<ROSA TOKEN>
31-
32-
# include .env
33-
# export $(shell sed '/^\#/d; s/=.*//' .env)
34-
TF_LOG=INFO
35-
######################
36-
# .EXPORT_ALL_VARIABLES:
37-
38-
# Run make init \ make plan \ make apply \ make destroy
39-
22+
# Merge gate: verify, verify-gen, lint, unit-tests, license-check, docs-lint (fail-fast).
23+
# Intended single OpenShift Prow presubmit after openshift/release switches from verify + verify-gen.
24+
.PHONY: pre-push-checks
25+
pre-push-checks:
26+
@$(MAKE) --no-print-directory verify
27+
@$(MAKE) --no-print-directory verify-gen
28+
@$(MAKE) --no-print-directory lint
29+
@$(MAKE) --no-print-directory unit-tests
30+
@$(MAKE) --no-print-directory license-check
31+
@$(MAKE) --no-print-directory docs-lint
32+
33+
# Prow today (until consolidated): verify-format → make verify, verify-gen → make verify-gen.
34+
# https://github.com/openshift/release/tree/master/ci-operator/config/terraform-redhat/terraform-rhcs-rosa-hcp
4035
.PHONY: verify
41-
# This target is used by prow target (https://github.com/openshift/release/blob/77159f7696ed6c7bae518091079724cb8217dd33/ci-operator/config/terraform-redhat/terraform-rhcs-rosa/terraform-redhat-terraform-rhcs-rosa-main.yaml#L18)
42-
# Don't remove this target
4336
verify:
4437
@for d in examples/*; do \
45-
echo "!! Validating $$d !!" && cd $$d && rm -rf .terraform .terraform.lock.hcl && terraform init && terraform validate && cd - ;\
38+
echo "!! Validating $$d !!" && cd "$$d" && rm -rf .terraform .terraform.lock.hcl && terraform init && terraform validate && cd - ; \
4639
done
4740

41+
.PHONY: verify-gen
4842
verify-gen: terraform-docs
4943
scripts/verify-gen.sh
5044

51-
.PHONY: tf-init
52-
tf-init:
53-
@cd $(TERRAFORM_DIR) && terraform init -input=false -lock=false -no-color -reconfigure
54-
55-
.PHONY: tf-plan
56-
tf-plan: format validate
57-
@cd $(TERRAFORM_DIR) && terraform plan -lock=false -out=.terraform-plan
58-
59-
.PHONY: tf-apply
60-
tf-apply:
61-
@cd $(TERRAFORM_DIR) && terraform apply .terraform-plan
62-
63-
.PHONY: tf-destroy
64-
tf-destroy:
65-
@cd $(TERRAFORM_DIR) && terraform destroy -auto-approve -input=false
66-
67-
.PHONY: tf-output
68-
tf-output:
69-
@cd $(TERRAFORM_DIR) && terraform output > tf-output-parameters
70-
71-
.PHONY: tf-format
72-
tf-format:
73-
@cd $(TERRAFORM_DIR) && terraform fmt
74-
75-
.PHONY: tf-validate
76-
tf-validate:
77-
@cd $(TERRAFORM_DIR) && terraform validate
78-
79-
.PHONY: tests
80-
tests:
81-
sh tests.sh
45+
.PHONY: lint
46+
lint:
47+
terraform fmt -check -recursive
48+
terraform init -backend=false -input=false
49+
@command -v tflint >/dev/null 2>&1 || { echo "tflint not found; see https://github.com/terraform-linters/tflint"; exit 1; }
50+
tflint --init
51+
tflint --recursive \
52+
--disable-rule=terraform_required_providers \
53+
--disable-rule=terraform_unused_declarations \
54+
--disable-rule=terraform_unused_required_providers
8255

83-
# Terraform unit tests (distinct from `make tests`, which runs tests.sh).
84-
# for each module under modules, check if tests directory exists and run tests.
8556
.PHONY: unit-tests
8657
unit-tests:
8758
@set -e; \
8859
for submodule in modules/*; do \
8960
echo "== $$submodule =="; \
90-
cd $$submodule/tests 2> /dev/null || continue; \
61+
cd "$$submodule/tests" 2>/dev/null || continue; \
9162
echo "== running tests for $$submodule =="; \
92-
(cd .. && terraform init -backend=false -input=false && terraform test ); \
63+
(cd .. && terraform init -backend=false -input=false && terraform test); \
9364
cd ../../..; \
9465
done
9566

96-
# fmt -check and tflint across root and submodules. tflint --recursive does not
97-
# apply root .tflint.hcl rule blocks to child dirs; --disable-rule avoids failing
98-
# on undeclared optional providers (random/tls/local/http/time) until pinned.
99-
.PHONY: lint
100-
lint:
101-
terraform fmt -check -recursive
102-
@command -v tflint >/dev/null 2>&1 || { echo "tflint not found; see https://github.com/terraform-linters/tflint"; exit 1; }
103-
tflint --init
104-
tflint --recursive --disable-rule=terraform_required_providers
105-
106-
.PHONY: dev-environment
107-
dev-environment:
108-
find . -type f -name "versions.tf" -exec sed -i -e "s/terraform-redhat\/rhcs/terraform.local\/local\/rhcs/g" -- {} +
109-
110-
.PHONY: registry-environment
111-
registry-environment:
112-
find . -type f -name "versions.tf" -exec sed -i -e "s/terraform.local\/local\/rhcs/terraform-redhat\/rhcs/g" -- {} +
113-
114-
.PHONY: run-example
115-
run-example:
116-
bash scripts/run-example.sh $(EXAMPLE_NAME)
117-
118-
.PHONY: change-ocp-version
119-
# Example for running: make change-ocp-version OLD_VER=4.13.13 NEW_VER=4.14.9
120-
change-ocp-version:
121-
find . -type f -name "variables.tf" -exec sed -i -e 's/default = "${OLD_VER}"/default = "${NEW_VER}"/g' -- {} +
122-
123-
.PHONY: terraform-docs
124-
# This target require teraform-docs, follow the installation guide: https://terraform-docs.io/user-guide/installation/
125-
terraform-docs:
126-
bash scripts/terraform-docs.sh
127-
128-
.PHONY: change-module-version
129-
# Example for running: make change-module-version MODULE_VERSION=1.7.0
130-
change-module-version:
131-
find ./examples -type f -name '*.tf' -exec sed -i 's^source\s*= "\.\./\.\./"^source = "terraform-redhat/rosa-hcp/rhcs"\n  version = "${MODULE_VERSION}"^g' -- {} +
132-
find ./examples -type f -name '*.tf' -exec sed -E -i 's^source\s*= "\.\./\.\./modules/([^"]+)"^source = "terraform-redhat/rosa-hcp/rhcs//modules/\1"\n  version = "${MODULE_VERSION}"^g' -- {} +
133-
13467
.PHONY: license-check
13568
license-check:
136-
@echo "Checking for missing license headers..."
13769
@bash scripts/add-license-header.sh -check
13870

13971
.PHONY: license-add
14072
license-add:
141-
@echo "Adding license headers to files..."
14273
@bash scripts/add-license-header.sh
14374

144-
.PHONY: commits/check
145-
commits/check:
146-
@./hack/commit-msg-verify.sh
147-
148-
.PHONY: vale
149-
vale: $(VALE)
150-
15175
.PHONY: docs-lint
15276
docs-lint: $(VALE)
15377
@echo "Note: README and module docs are generated with 'make terraform-docs'; fix descriptions in *.tf, then run 'make verify-gen'."
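Review bot: In `verify`, the `for d in examples/*` loop has no `set -e` or `|| exit 1`, so a failed `terraform init` or `terraform validate` does not stop the loop, and because the trailing `cd -` is skipped on failure, later iterations fail on `cd "$$d"` instead of reporting the real error; `unit-tests` already uses `set -e`. Run each example in a subshell and exit on the first failure so the target matches the fail-fast behaviour the `pre-push-checks` comment promises. Separately, `lint` now disables `terraform_unused_declarations` and `terraform_unused_required_providers` in addition to `terraform_required_providers`, while the comment that explained the existing exclusion is deleted; keep a comment stating why each rule is off and when it can be re-enabled.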
@@ -162,15 +86,37 @@ docs-lint: $(VALE)
16286
fi; \
16387
"$(VALE)" --minAlertLevel=error $$docs
16488

165-
.PHONY: basic-checks
166-
basic-checks:
167-
@$(RUN_CHECKS_SCRIPT) basic
89+
.PHONY: terraform-docs
90+
terraform-docs:
91+
bash scripts/terraform-docs.sh
92+
93+
.PHONY: commits/check
94+
commits/check:
95+
@./hack/commit-msg-verify.sh
96+
97+
.PHONY: vale
98+
vale: $(VALE)
99+
100+
# OpenShift Prow example jobs (rhcs-module-run-example-hcp): make run-example EXAMPLE_NAME=...
101+
.PHONY: run-example
102+
run-example:
103+
bash scripts/run-example.sh $(EXAMPLE_NAME)
168104

169-
.PHONY: run-checks
170-
run-checks:
171-
@$(RUN_CHECKS_SCRIPT) $(filter-out $@,$(MAKECMDGOALS))
105+
# Maintainer utilities (not part of pre-push-checks).
106+
.PHONY: dev-environment registry-environment change-ocp-version change-module-version
107+
dev-environment:
108+
find . -type f -name "versions.tf" -exec sed -i -e "s/terraform-redhat\/rhcs/terraform.local\/local\/rhcs/g" -- {} +
172109

173-
RUN_CHECKS_PASSTHROUGH_ARGS := basic --dry-run --list-steps -h --help
174-
.PHONY: $(RUN_CHECKS_PASSTHROUGH_ARGS)
175-
$(RUN_CHECKS_PASSTHROUGH_ARGS):
176-
@:
110+
registry-environment:
111+
find . -type f -name "versions.tf" -exec sed -i -e "s/terraform.local\/local\/rhcs/terraform-redhat\/rhcs/g" -- {} +
112+
113+
change-ocp-version:
114+
find . -type f -name "variables.tf" -exec sed -i -e 's/default = "$(OLD_VER)"/default = "$(NEW_VER)"/g' -- {} +
115+
116+
change-module-version:
117+
find ./examples -type f -name '*.tf' -exec sed -i 's^source\s*= "\.\./\.\./"^source = "$(MODULE_REGISTRY)"\n version = "$(MODULE_VERSION)"^g' -- {} +
118+
find ./examples -type f -name '*.tf' -exec sed -E -i 's^source\s*= "\.\./\.\./modules/([^"]+)"^source = "$(MODULE_REGISTRY)//modules/\1"\n version = "$(MODULE_VERSION)"^g' -- {} +
119+
120+
.PHONY: tests
121+
tests:
122+
sh tests.sh
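Review bot: In `change-module-version`, both replacement strings as shown here insert `\n version = ...` with a single leading space where the removed lines had two, so the rewritten `version` argument will no longer line up inside the module block and `terraform fmt -check` in `make lint` may flag the examples afterwards; confirm the change is intentional. `change-ocp-version` and `change-module-version` also run with empty `OLD_VER`, `NEW_VER` or `MODULE_VERSION` if the caller forgets them (the usage-example comments are removed in this commit), and an empty `OLD_VER` makes the pattern `default = ""`, so a guard that errors on unset variables is worth adding.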

README.md

Lines changed: 3 additions & 3 deletions
@@ -49,12 +49,12 @@ The primary sub-modules responsible for ROSA HCP cluster creation includes optio
4949

5050
Contributors are encouraged to add Terraform tests when introducing or substantially changing a submodule, so configuration stays aligned with provider behavior before changes merge.
5151

52-
Two Makefile targets help with that:
52+
Before opening a PR, run **`make pre-push-checks`** (or the individual targets below). That flow is the intended single merge gate for OpenShift Prow once `openshift/release` is updated.
5353

5454
- **`make lint`** — Runs `terraform fmt -check -recursive` and [tflint](https://github.com/terraform-linters/tflint) across the root module and submodules so formatting and common Terraform issues are caught early.
55-
- **`make unit-tests`** — For each module directory that contains **`test/*.tftest.hcl`** files, runs `terraform init -backend=false` and `terraform test -test-directory=test` (requires **Terraform 1.6+**). If no matching files exist, the target succeeds without running tests. This is separate from **`make tests`**, which runs the legacy `tests.sh` script.
55+
- **`make unit-tests`** — For each submodule that contains **`modules/<name>/tests/*.tftest.hcl`**, runs `terraform init -backend=false` and `terraform test` from `modules/<name>/` (requires **Terraform 1.6+**). If no matching files exist, the target succeeds without running tests. This is separate from **`make tests`**, which runs the legacy `tests.sh` script.
5656

57-
Place tests under a **`test/`** directory beside the module’s `.tf` files (for example `modules/my-module/test/example.tftest.hcl`). You need the Terraform CLI and tflint on your PATH; `make lint` runs `tflint --init`, which may download plugins from [.tflint.hcl](.tflint.hcl).
57+
Place tests under **`modules/<name>/tests/`** (for example `modules/my-module/tests/example.tftest.hcl`). You need the Terraform CLI and tflint on your PATH; `make lint` runs `tflint --init`, which may download plugins from [.tflint.hcl](.tflint.hcl).
5858

5959
## Pre-requisites
6060
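Review bot: The `make unit-tests` bullet still says it requires Terraform 1.6+, while this commit documents 1.5.7 as the minimum and tells contributors to run `make pre-push-checks`, which includes `unit-tests`. State next to the `pre-push-checks` sentence that the full gate needs Terraform 1.6 or later, so contributors on the minimum version know why `unit-tests` fails.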
