fix: name space imports should not change project (#1515)

Signed-off-by: matttrach <matt.trachier@suse.com>

Author: matttrach

.github/workflows/pull_request.yaml

@@ -3,6 +3,11 @@ name: Pull Request
 on:
   pull_request:
 
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GITHUB_OWNER: ${{ github.repository_owner }}
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -14,3 +19,162 @@ jobs:
           VERSION: ${{ github.ref_name }}
         run: |
           make build-rancher
+
+  terraform:
+    name: 'Terraform'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: install-nix
+        run: |
+          curl -L https://nixos.org/nix/install | sh
+          source /home/runner/.nix-profile/etc/profile.d/nix.sh
+          nix --version
+          which nix
+      - name: lint terraform
+        shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
+        run: |
+          terraform fmt -check -recursive
+          tflint --recursive
+
+  actionlint:
+    name: 'Lint Workflows'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: install-nix
+        run: |
+          curl -L https://nixos.org/nix/install | sh
+          source /home/runner/.nix-profile/etc/profile.d/nix.sh
+          nix --version
+          which nix
+      - name: action lint
+        shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
+        run: actionlint
+
+  shellcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: install-nix
+        run: |
+          curl -L https://nixos.org/nix/install | sh
+          source /home/runner/.nix-profile/etc/profile.d/nix.sh
+          nix --version
+          which nix
+      - name: shell check
+        shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
+        run: |
+          # while read -r file; do
+          #   echo "checking $file..."
+          #   shellcheck -x "$file"
+          # done <<<"$(grep -Rl -e '^#!' | grep -v '.terraform'| grep -v '.git')"
+          # in the future run this on every script, but first we need to eliminate unused scripts
+          shellcheck -x "./scripts/run_tests.sh"
+
+  validate-commit-message:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # fetch all history so that we can validate the commit messages
+      - name: install-nix
+        run: |
+          curl -L https://nixos.org/nix/install | sh
+          source /home/runner/.nix-profile/etc/profile.d/nix.sh
+          nix --version
+          which nix
+      - name: Check commit message
+        shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
+        run: |
+          set -e
+          # Check commit messages
+          # This steps enforces https://www.conventionalcommits.org/en/v1.0.0/
+          # This format enables automatic generation of changelogs and versioning
+          filter() {
+            COMMIT="$1"
+            ouput="$(echo "$COMMIT" | grep -e '^fix: ' -e '^feature: ' -e '^feat: ' -e 'refactor!: ' -e 'feature!: ' -e 'feat!: ' -e '^chore(main): ')"
+            echo "$output"
+          }
+          prefix_check() {
+            message="$1"
+            if [ "" != "$(filter "$message")" ]; then
+              echo "...Commit message does not start with the required prefix.
+              Please use one of the following prefixes: "fix:", "feature:", "feat:", "refactor!:", "feature!:", or "feat!:".
+              This enables release-please to automatically determine the type of release (major, minor, patch) based on the commit message.
+              $message"
+              exit 1
+            else
+              echo "...Commit message starts with the required prefix."
+            fi
+          }
+          empty_check() {
+            message="$1"
+            if [ "" == "$message" ]; then
+              echo "...Empty commit message."
+              exit 1
+            else
+              echo "...Commit message isnt empty."
+            fi
+          }
+          length_check() {
+            message="$1"
+            if [ "$(wc -m <<<"$message")" -gt 50 ]; then
+              echo "...Commit message subject line should be less than 50 characters, found $(wc -m "$message")."
+              exit 1
+            else
+              echo "...Commit message subject line is less than 50 characters."
+            fi
+          }
+          spell_check() {
+            message="$1"
+            WORDS="$(aspell list <<<"$message")"
+            if [ "" != "$WORDS" ]; then
+              echo "...Commit message contains spelling errors on: ^$WORDS\$"
+              echo "...Also try updating the PR title."
+              exit 1
+            else
+              echo "...Commit message doesnt contain spelling errors."
+            fi
+          }
+
+          # Fetch the commit messages
+
+          COMMIT_MESSAGES="$(gh pr view ${{github.event.number}} --json commits | jq -r '.commits[].messageHeadline')"
+          echo "Commit messages found: "
+          echo "$COMMIT_MESSAGES"
+
+          while read -r message; do
+            echo "checking message ^$message\$"
+            empty_check "$message"
+            prefix_check "$message"
+            length_check "$message"
+            spell_check "$message"
+            echo "message ^$message\$ passed all checks"
+          done <<<"$COMMIT_MESSAGES"
+
+  gitleaks:
+    name: 'Scan for Secrets'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: install-nix
+        run: |
+          curl -L https://nixos.org/nix/install | sh
+          source /home/runner/.nix-profile/etc/profile.d/nix.sh
+          nix --version
+          which nix
+      - name: Check for secrets
+        shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
+        run: |
+          gitleaks detect --no-banner -v --no-git
+          gitleaks detect --no-banner -v
+        continue-on-error: true

.github/workflows/release.yaml

@@ -44,8 +44,8 @@ jobs:
           echo '${{ env.GPG_PASSPHRASE }}' | gpg --detach-sig --pinentry-mode loopback --passphrase-fd 0 --output "${SHASUM_FILE}.sig" --sign "${SHASUM_FILE}"
 
           echo "Validating signature..."
-          gpg --verify "${SHASUM_FILE}.sig" "${SHASUM_FILE}"
-          if [ $? -eq 0 ]; then
+
+          if ! gpg --verify "${SHASUM_FILE}.sig" "${SHASUM_FILE}"; then
             echo "Signature is valid..."
           else
             echo "Signature verification failed!"

.gitignore

@@ -8,3 +8,9 @@ test/data
 .terraform.lock.hcl
 */.terraform.lock.hcl
 .terraform
+*/*.test
+examples/**/rke2
+terraform.tfstate
+*.tfstate.*
+tf-*
+*.env

docs/resources/namespace.md

@@ -134,8 +134,8 @@ Namespaces can be imported using the namespace ID in the format `<project_id>.<n
 $ terraform import rancher2_namespace.foo &lt;project_id&gt;.&lt;namespaces_id&gt;
 ```
 
-`<project_id>` is in the format `<cluster_id>:<id>`, but <id> part is optional: 
+`<project_id>` is in the format `<cluster_id>:<id>`, this is the output from `data.rancher2_cluster.downstream_cluster.default_project_id`
 
-- If full project_id is provided, `<project_id>=<cluster_id>:<id>`, the namespace'll be assigned to corresponding cluster project once it's imported. 
-- If `<id>` part is omitted `<project_id>=<cluster_id>`, the namespace'll not be assigned to any project. To move it into a project, `<project_id>=<cluster_id>:<id>` needs to be updated in tf file. Namespace movement is only supported inside same `cluster_id`.
+The `<project_id>` must match the actual resource, importing will error on project mismatch.
 
+In past versions you could modify the namespace while importing it, this functionality is no longer available.

examples/deploy_rke2/README.md

@@ -0,0 +1,53 @@
+# Deploy RKE2
+
+This example module configures Rancher to deploy a downstream RKE2 cluster.
+
+## Deploy Rancher
+
+This module starts by using the rancher-aws module to deploy Rancher on AWS.
+
+## Downstream
+
+This module has a local module that provides a logical separation for deploying a downstream cluster using the rancher2_cluster_v2 resource.
+
+## Machine Config Patch
+
+There is a local exec that runs kubectl to patch the Amazonec2Config objects.
+The AWS access key id and secret access key attributes are obfuscated and unable to be set directly in favor of the Amazonec2Credential object.
+The Amazonec2Credential object doesn't support a session token making it impossible to use temporary credentials.
+Our CI must use temporary AWS credentials supplied via OIDC, so this may be something that you eliminate from the example in your implementation.
+We bypass the Amazonec2Credential object by manually patching the Amazonec2Config objects with the aws_access_key_id and aws_secret_access_key.
+The AWS session token isn't obfuscated and is available as an argument when creating a rancher2_machine_config_v2 resource.
+
+## Dependencies
+
+The Flake.nix in the root of the module explains all of the dependencies for the development of the module, it also includes the dependencies to run it.
+You can see the list on lines 50-80, but a more specific list is below (with explanations).
+- bash -> born again shell with linux core utils
+- git -> required by Terraform
+- curl -> required by Terraform as well as dependent modules (when downloading RKE2 for install)
+- openssh -> required by Terraform and used in dependent modules to connect to servers for initial configuration
+- ssh-agent -> used for connecting to remote server for initial configuration, you need to have the key you send into the module loaded in your agent
+- gh -> the github cli tool, used to find releases when downloading RKE2 for install
+- jq -> json parsing tool, used in dependent modules to parse submodule outputs
+- openssl -> required by Terraform and used in dependent modules to verify TLS certificates
+- kubectl -> used in local exec to patch kubernetes objects
+- awscli2 -> the aws cli tool, used in some dependent modules in some use cases (dualstack)
+- tfswitch -> handy for installing Terraform
+- yq -> yaml parsing tool, used in dependent modules to parse kubectl outputs
+- go -> necessary to run tests
+
+## Environment Variables
+
+I like to set my AWS credentials in environment variables:
+- AWS_ROLE -> role to assume when using OIDC
+- AWS_REGION -> AWS region to deploy to, make sure there are multiple availability zones when needing HA
+- AWS_DEFAULT_REGION -> same as region
+- AWS_ACCESS_KEY_ID -> access key, this will make it into the state, please secure it properly
+- AWS_SECRET_ACCESS_KEY -> secret key, this will make it into the state, please secure it properly
+- AWS_SESSION_TOKEN -> used with temporary AWS credentials, this will make it into the state, please secure it properly
+- TF_VAR_aws_access_key_id -> access key, this will make it into the state, please secure it properly
+- TF_VAR_aws_secret_access_key -> secret key, this will make it into the state, please secure it properly
+- TF_VAR_aws_session_token -> used with temporary AWS credentials, this will make it into the state, please secure it properly
+- TF_VAR_aws_region -> AWS region to deploy to, make sure there are multiple availability zones when needing HA
+