12 |
18 |
19 | {{ end }}
20 |
--------------------------------------------------------------------------------
/docs/guides/index.md:
--------------------------------------------------------------------------------
1 | # Getting started
2 |
3 | Follow the 3 guides below to understand how to use Burrito:
4 |
5 | - [IaC Drift detection](./iac-drift-detection.md): Quickly set up Burrito and start monitoring Terraform state drift.
6 | - [PR/MR plan/apply Workflow](./pr-mr-workflow.md): Configure Burrito to automatically plan and apply Terraform code on PR/MR.
7 | - [UI Overview](./ui.md): Learn how to navigate the Burrito UI.
8 |
--------------------------------------------------------------------------------
/internal/datastore/storage/error/error.go:
--------------------------------------------------------------------------------
1 | package error
2 |
3 | type StorageError struct {
4 | Err error
5 | Nil bool
6 | }
7 |
8 | func (s *StorageError) Error() string {
9 | return s.Err.Error()
10 | }
11 |
12 | func NotFound(err error) bool {
13 | ce, ok := err.(*StorageError)
14 | if ok {
15 | return ce.Nil
16 | }
17 | return false
18 | }
19 |
20 | func (c *StorageError) NotFound() bool {
21 | return c.Nil
22 | }
23 |
--------------------------------------------------------------------------------
/ui/src/clients/runs/client.ts:
--------------------------------------------------------------------------------
1 | import axios from 'axios';
2 |
3 | import { Attempts } from '@/clients/runs/types.ts';
4 |
5 | export const fetchAttempts = async (
6 | namespace: string,
7 | layer: string,
8 | runId: string
9 | ) => {
10 | const response = await axios.getPlan
13 | 14 | ```terraform 15 | {{ .PrettyPlan }} 16 | ``` 17 |
8 | Running
9 |
11 | );
12 | };
13 |
14 | export default Running;
15 |
--------------------------------------------------------------------------------
/internal/annotations/testdata/layer.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: config.terraform.padok.cloud/v1alpha1
2 | kind: TerraformLayer
3 | metadata:
4 | name: test
5 | namespace: default
6 | spec:
7 | branch: main
8 | path: test/
9 | remediationStrategy:
10 | autoApply: true
11 | repository:
12 | name: burrito
13 | namespace: default
14 | terraform:
15 | enabled: true
16 | version: 1.3.1
17 | terragrunt:
18 | enabled: true
19 | version: 0.45.4
20 |
--------------------------------------------------------------------------------
/internal/server/api/api.go:
--------------------------------------------------------------------------------
1 | package api
2 |
3 | import (
4 | "github.com/padok-team/burrito/internal/burrito/config"
5 | datastore "github.com/padok-team/burrito/internal/datastore/client"
6 | "sigs.k8s.io/controller-runtime/pkg/client"
7 | )
8 |
9 | type API struct {
10 | config *config.Config
11 | Client client.Client
12 | Datastore datastore.Client
13 | }
14 |
15 | func New(c *config.Config) *API {
16 | return &API{
17 | config: c,
18 | }
19 | }
20 |
--------------------------------------------------------------------------------
/main.go:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright © 2022 NAME HERE
17 |
20 | );
21 | };
22 |
23 | export default Layout;
24 |
--------------------------------------------------------------------------------
/cmd/server/server.go:
--------------------------------------------------------------------------------
1 | package server
2 |
3 | import (
4 | "github.com/padok-team/burrito/internal/burrito"
5 | cmdUtils "github.com/padok-team/burrito/internal/utils/cmd"
6 | "github.com/spf13/cobra"
7 | )
8 |
9 | func BuildServerCmd(app *burrito.App) *cobra.Command {
10 | cmd := &cobra.Command{
11 | Use: "server",
12 | Short: "cmd to use burrito's server",
13 | RunE: func(cmd *cobra.Command, args []string) error {
14 | // If we reach this point, it means no subcommand was matched
15 | cmdUtils.UnsupportedCommand(cmd, args)
16 | return cmd.Help()
17 | },
18 | }
19 | cmd.AddCommand(buildServerStartCmd(app))
20 | return cmd
21 | }
22 |
--------------------------------------------------------------------------------
/internal/utils/cmd/cmd.go:
--------------------------------------------------------------------------------
1 | package cmd
2 |
3 | import (
4 | "fmt"
5 | "os"
6 | "os/exec"
7 |
8 | "github.com/spf13/cobra"
9 | )
10 |
11 | func Verbose(cmd *exec.Cmd) {
12 | cmd.Stdout = os.Stdout
13 | cmd.Stderr = os.Stderr
14 | }
15 |
16 | func UnsupportedCommand(cmd *cobra.Command, args []string) {
17 | if len(args) > 0 {
18 | fmt.Fprintf(os.Stderr, "Error: unknown %s subcommand: %s\n", cmd.Use, args[0])
19 | }
20 | fmt.Fprintf(os.Stderr, "Run 'burrito %s --help' for usage\n", cmd.Use)
21 | if err := cmd.Help(); err != nil {
22 | fmt.Fprintf(os.Stderr, "Error displaying help: %v\n", err)
23 | os.Exit(1)
24 | }
25 | os.Exit(2)
26 | }
27 |
--------------------------------------------------------------------------------
/internal/lock/testdata/layer.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: config.terraform.padok.cloud/v1alpha1
2 | kind: TerraformLayer
3 | metadata:
4 | name: test
5 | namespace: default
6 | spec:
7 | branch: main
8 | path: test/
9 | remediationStrategy:
10 | autoApply: true
11 | repository:
12 | name: burrito
13 | namespace: default
14 | terraform:
15 | version: 1.3.1
16 | terragrunt:
17 | enabled: true
18 | version: 0.45.4
19 | ---
20 | apiVersion: config.terraform.padok.cloud/v1alpha1
21 | kind: TerraformRun
22 | metadata:
23 | name: test-run
24 | namespace: default
25 | spec:
26 | action: plan
27 | layer:
28 | name: test
29 | namespace: default
30 |
--------------------------------------------------------------------------------
/cmd/datastore/start.go:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright © 2022 NAME HERE
24 | {children}
25 |
26 | );
27 | };
28 |
29 | export default Box;
30 |
--------------------------------------------------------------------------------
/docs/user-guide/ssh-known-hosts.md:
--------------------------------------------------------------------------------
1 | # Manage SSH known hosts
2 |
3 | ## Defaults
4 |
5 | By default, we provide a list of known hosts with public repositories:
6 |
7 | - Azure
8 | - Bitbucket
9 | - GitHub
10 | - Gitlab
11 | - Visual Studio
12 |
13 | ## Override known hosts
14 |
15 | If you need to provide your own keys for other repositories, you can override the default value in the chart with:
16 |
17 | ```yaml
18 | global:
19 | sshKnownHosts: |-
20 | git.domain.com ssh-ed25519 AAAAC3Nxxx
21 | git.domain.com ssh-rsa AAAAB3Nxxx
22 | git.domain.com ecdsa-sha2-nistp256 AAAAE2Vxxx
23 | ```
24 |
25 | To get those keys, you can run: `ssh-keyscan git.domain.com 2>&1| grep -vE '^#'`
26 |
--------------------------------------------------------------------------------
/cmd/runner/runner.go:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright © 2022 NAME HERE
11 |
25 | );
26 | };
27 |
28 | export default Pulls;
29 |
--------------------------------------------------------------------------------
/ui/README.md:
--------------------------------------------------------------------------------
1 | # Burrito UI
2 |
3 |
12 |
24 | 
4 |
5 | Web UI for [Burrito](https://github.com/padok-team/burrito).
6 |
7 | ## Getting started
8 |
9 | 1. Install [NodeJS](https://nodejs.org/en/download/) and [Yarn](https://yarnpkg.com).
10 | 2. Run `yarn install` to install local prerequisites.
11 | 3. Run `yarn dev` to launch the dev UI server.
12 | 4. Run `yarn build` to bundle static resources into the `./dist` directory.
13 |
14 | ## Build Docker production image
15 |
16 | Run the following commands to build the Docker image:
17 |
18 | ```bash
19 | TAG=latest # or any other tag
20 | BURRITO_API_BASE_URL=https://burrito.example.cloud/api # or any other API base URL
21 | docker build -t burrito-ui:$TAG --build-arg API_BASE_URL=$BURRITO_API_BASE_URL .
22 | ```
23 |
--------------------------------------------------------------------------------
/internal/webhook/event/common.go:
--------------------------------------------------------------------------------
1 | package event
2 |
3 | import (
4 | "strings"
5 |
6 | configv1alpha1 "github.com/padok-team/burrito/api/v1alpha1"
7 | "sigs.k8s.io/controller-runtime/pkg/client"
8 | )
9 |
10 | const PullRequestOpened = "opened"
11 | const PullRequestClosed = "closed"
12 |
13 | type ChangeInfo struct {
14 | ShaBefore string
15 | ShaAfter string
16 | }
17 |
18 | type Event interface {
19 | Handle(client.Client) error
20 | }
21 |
22 | func ParseReference(ref string) string {
23 | refParts := strings.SplitN(ref, "/", 3)
24 | return refParts[len(refParts)-1]
25 | }
26 |
27 | func isPRLinkedToAnyRepositories(pr configv1alpha1.TerraformPullRequest, repos []configv1alpha1.TerraformRepository) bool {
28 | for _, r := range repos {
29 | if r.Name == pr.Spec.Repository.Name && r.Namespace == pr.Spec.Repository.Namespace {
30 | return true
31 | }
32 | }
33 | return false
34 | }
35 |
--------------------------------------------------------------------------------
/deploy/charts/burrito/templates/rbac-runner.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: rbac.authorization.k8s.io/v1
3 | kind: ClusterRole
4 | metadata:
5 | name: burrito-runner
6 | {{- with mergeOverwrite (deepCopy .Values.global.metadata) .Values.runners.rbac.metadata }}
7 | labels:
8 | {{- toYaml .labels | nindent 4}}
9 | annotations:
10 | {{- toYaml .annotations | nindent 4}}
11 | {{- end }}
12 | rules:
13 | - apiGroups:
14 | - coordination.k8s.io
15 | resources:
16 | - leases
17 | verbs:
18 | - get
19 | - delete
20 | - apiGroups:
21 | - config.terraform.padok.cloud
22 | resources:
23 | - terraformlayers
24 | verbs:
25 | - get
26 | - patch
27 | - apiGroups:
28 | - config.terraform.padok.cloud
29 | resources:
30 | - terraformruns
31 | verbs:
32 | - get
33 | - apiGroups:
34 | - config.terraform.padok.cloud
35 | resources:
36 | - terraformrepositories
37 | verbs:
38 | - get
39 |
--------------------------------------------------------------------------------
/internal/controllers/terraformrun/testdata/controller/parallel-case.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: config.terraform.padok.cloud/v1alpha1
2 | kind: TerraformRun
3 | metadata:
4 | name: parallel-case-1
5 | namespace: default
6 | spec:
7 | action: plan
8 | layer:
9 | name: parallel-case-1
10 | namespace: default
11 | revision: TEST_REVISION
12 | ---
13 | apiVersion: config.terraform.padok.cloud/v1alpha1
14 | kind: TerraformRun
15 | metadata:
16 | name: parallel-case-2
17 | namespace: default
18 | spec:
19 | action: plan
20 | layer:
21 | name: parallel-case-2
22 | namespace: default
23 | revision: TEST_REVISION
24 | ---
25 | apiVersion: config.terraform.padok.cloud/v1alpha1
26 | kind: TerraformRun
27 | metadata:
28 | name: parallel-case-3
29 | namespace: default
30 | spec:
31 | action: plan
32 | layer:
33 | name: parallel-case-3
34 | namespace: default
35 | revision: TEST_REVISION
36 |
--------------------------------------------------------------------------------
/docs/index.md:
--------------------------------------------------------------------------------
1 | # Burrito Documentation
2 |
3 | This is the home of the Burrito documentation. Here you will find all the information you need to get started with Burrito.
4 |
5 | - [Overview](./overview.md) helps you understand what Burrito is all about.
6 | - [Getting Started](./getting-started.md) is a step-by-step guide to help you get started with Burrito.
7 | - [Guides](./guides/index.md) provides detailed tutorials to help you understand how to use Burrito.
8 | - [Operator Manual](./operator-manual/index.md) is a detailed guide to help you understand how to install and configure Burrito.
9 | - [User Guide](./user-guide/index.md) is a detailed guide to help you understand how to setup and use Burrito resources.
10 | - [Contributing](./contributing.md) provides information on how to contribute to the Burrito project.
11 |
13 |
--------------------------------------------------------------------------------
/internal/controllers/terraformpullrequest/comment/default_test.go:
--------------------------------------------------------------------------------
1 | package comment
2 |
3 | import (
4 | _ "embed"
5 | )
6 |
7 | // func TestDefaultComment_Generate(t *testing.T) {
8 | // type fields struct {
9 | // layers []configv1alpha1.TerraformLayer
10 | // storage storage.Storage
11 | // }
12 | // tests := []struct {
13 | // name string
14 | // fields fields
15 | // want string
16 | // wantErr bool
17 | // }{
18 | // // TODO: Add test cases.
19 | // }
20 | // for _, tt := range tests {
21 | // t.Run(tt.name, func(t *testing.T) {
22 | // c := &DefaultComment{
23 | // layers: tt.fields.layers,
24 | // storage: tt.fields.storage,
25 | // }
26 | // got, err := c.Generate()
27 | // if (err != nil) != tt.wantErr {
28 | // t.Errorf("DefaultComment.Generate() error = %v, wantErr %v", err, tt.wantErr)
29 | // return
30 | // }
31 | // if got != tt.want {
32 | // t.Errorf("DefaultComment.Generate() = %v, want %v", got, tt.want)
33 | // }
34 | // })
35 | // }
36 | // }
37 |
--------------------------------------------------------------------------------
/internal/controllers/terraformpullrequest/testdata/error-case.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: config.terraform.padok.cloud/v1alpha1
2 | kind: TerraformPullRequest
3 | metadata:
4 | name: pr-error-case-1
5 | namespace: default
6 | labels:
7 | app.kubernetes.io/instance: in-cluster-burrito
8 | annotations:
9 | webhook.terraform.padok.cloud/branch-commit: 04410b5b7d90b82ad658b86564a9aa4bce411ac9
10 | spec:
11 | branch: feature-branch
12 | id: "42"
13 | base: main
14 | repository:
15 | name: no-exist
16 | namespace: default
17 | ---
18 | apiVersion: config.terraform.padok.cloud/v1alpha1
19 | kind: TerraformPullRequest
20 | metadata:
21 | name: pr-error-case-2
22 | namespace: default
23 | labels:
24 | app.kubernetes.io/instance: in-cluster-burrito
25 | annotations:
26 | webhook.terraform.padok.cloud/branch-commit: 04410b5b7d90b82ad658b86564a9aa4bce411ac9
27 | spec:
28 | branch: feature-branch
29 | id: "42"
30 | base: main
31 | repository:
32 | name: burrito-no-provider
33 | namespace: default
34 |
--------------------------------------------------------------------------------
/ui/src/assets/icons/GithubIcon.tsx:
--------------------------------------------------------------------------------
1 | import { SVGProps } from 'react';
2 |
3 | const GithubIcon = (props: SVGProps
27 |
38 | );
39 | };
40 |
41 | export default ProgressBar;
42 |
--------------------------------------------------------------------------------
/internal/burrito/burrito.go:
--------------------------------------------------------------------------------
1 | package burrito
2 |
3 | import (
4 | "io"
5 | "os"
6 |
7 | "github.com/padok-team/burrito/internal/burrito/config"
8 | "github.com/padok-team/burrito/internal/controllers"
9 | "github.com/padok-team/burrito/internal/datastore"
10 | "github.com/padok-team/burrito/internal/runner"
11 | "github.com/padok-team/burrito/internal/server"
12 | )
13 |
14 | type App struct {
15 | Config *config.Config
16 |
17 | Runner Runner
18 | Controllers Controllers
19 | Server Server
20 | Datastore Datastore
21 |
22 | Out io.Writer
23 | Err io.Writer
24 | }
25 |
26 | type Server interface {
27 | Exec()
28 | }
29 |
30 | type Runner interface {
31 | Exec() error
32 | }
33 |
34 | type Controllers interface {
35 | Exec()
36 | }
37 |
38 | type Datastore interface {
39 | Exec()
40 | }
41 |
42 | func New() (*App, error) {
43 | c := &config.Config{}
44 | app := &App{
45 | Config: c,
46 | Runner: runner.New(c),
47 | Controllers: controllers.New(c),
48 | Server: server.New(c),
49 | Datastore: datastore.New(c),
50 | Out: os.Stdout,
51 | Err: os.Stderr,
52 | }
53 | return app, nil
54 | }
55 |
--------------------------------------------------------------------------------
/deploy/charts/burrito/values-example.yaml:
--------------------------------------------------------------------------------
1 | global:
2 | deployment:
3 | image:
4 | tag: "custom-version"
5 |
6 | config:
7 | burrito:
8 | controller:
9 | timers:
10 | driftDetection: 5m
11 |
12 | controllers:
13 | deployment:
14 | envFrom:
15 | - secretRef:
16 | name: burrito-gh-token
17 |
18 | server:
19 | deployment:
20 | envFrom:
21 | - secretRef:
22 | name: burrito-webhook-secret
23 | ingress:
24 | enabled: true
25 | annotations:
26 | ingress.kubernetes.io/ssl-redirect: "true"
27 | ingressClassName: nginx
28 | host: burrito.padok.cloud
29 | tls:
30 | - secretName: wildcard-padok-cloud-tls
31 |
32 | tenants:
33 | - namespace:
34 | create: true
35 | name: "burrito-project-1"
36 | labels: {}
37 | annotations: {}
38 | serviceAccounts:
39 | - name: runner-project-1
40 | additionalRoleBindings:
41 | - name: custom
42 | role:
43 | kind: ClusterRole
44 | name: my-custom-role
45 | annotations:
46 | iam.cloud.provider/role: cloud-provider-role
47 | labels: {}
48 |
--------------------------------------------------------------------------------
/ui/src/assets/icons/BarsIcon.tsx:
--------------------------------------------------------------------------------
1 | import { SVGProps } from 'react';
2 |
3 | const BarsIcon = (props: SVGProps
35 | {label && {label}}
36 |
37 |
48 | {getContent()}
49 |
50 | );
51 | };
52 |
53 | export default Tag;
54 |
--------------------------------------------------------------------------------
/internal/controllers/terraformlayer/testdata/unknown-cases.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: config.terraform.padok.cloud/v1alpha1
3 | kind: TerraformLayer
4 | metadata:
5 | name: non-existent-repository
6 | namespace: default
7 | annotations:
8 | webhook.terraform.padok.cloud/relevant-commit: cb9f15b90861c8c4364cdde63d17837c7a9ccca9
9 | spec:
10 | branch: main
11 | path: nominal-case-one/
12 | remediationStrategy:
13 | autoApply: true
14 | repository:
15 | name: non-existent
16 | namespace: default
17 | terraform:
18 | enabled: true
19 | version: 1.3.1
20 | terragrunt:
21 | enabled: true
22 | version: 0.45.4
23 |
24 | ---
25 | apiVersion: config.terraform.padok.cloud/v1alpha1
26 | kind: TerraformLayer
27 | metadata:
28 | name: last-run-not-exist
29 | namespace: default
30 | annotations:
31 | webhook.terraform.padok.cloud/relevant-commit: cb9f15b90861c8c4364cdde63d17837c7a9ccca9
32 | spec:
33 | branch: main
34 | path: last-run-not-exist/
35 | remediationStrategy:
36 | autoApply: true
37 | repository:
38 | name: burrito
39 | namespace: default
40 | terraform:
41 | enabled: true
42 | version: 1.3.1
43 | status:
44 | lastRun:
45 | name: run-does-not-exist
46 | namespace: default
47 |
--------------------------------------------------------------------------------
/internal/server/api/runs.go:
--------------------------------------------------------------------------------
1 | package api
2 |
3 | import (
4 | "context"
5 | "fmt"
6 | "net/http"
7 |
8 | "github.com/labstack/echo/v4"
9 | configv1alpha1 "github.com/padok-team/burrito/api/v1alpha1"
10 | "k8s.io/apimachinery/pkg/types"
11 | )
12 |
13 | type GetAttemptsResponse struct {
14 | Count int `json:"count"`
15 | }
16 |
17 | func getRunAttemptArgs(c echo.Context) (string, string, error) {
18 | namespace := c.Param("namespace")
19 | run := c.Param("run")
20 | if namespace == "" || run == "" {
21 | return "", "", fmt.Errorf("missing query parameters")
22 | }
23 | return namespace, run, nil
24 | }
25 |
26 | func (a *API) GetAttemptsHandler(c echo.Context) error {
27 | namespace, run, err := getRunAttemptArgs(c)
28 | if err != nil {
29 | return c.String(http.StatusBadRequest, err.Error())
30 | }
31 | runObject := &configv1alpha1.TerraformRun{}
32 | err = a.Client.Get(context.Background(), types.NamespacedName{Name: run, Namespace: namespace}, runObject)
33 | if err != nil {
34 | return c.String(http.StatusInternalServerError, "could not get run attempt, there's an issue with the cluster: "+err.Error())
35 | }
36 | response := GetAttemptsResponse{Count: len(runObject.Status.Attempts)}
37 | return c.JSON(http.StatusOK, &response)
38 | }
39 |
--------------------------------------------------------------------------------
/ui/src/assets/icons/CheckIcon.tsx:
--------------------------------------------------------------------------------
1 | import { SVGProps } from 'react';
2 |
3 | const CheckIcon = (props: SVGProps
32 |
60 | );
61 | };
62 |
63 | export default GenericIconButton;
64 |
--------------------------------------------------------------------------------
/manifests/base/server/deployment.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: burrito-server
5 | labels:
6 | app.kubernetes.io/component: server
7 | app.kubernetes.io/name: burrito-server
8 | app.kubernetes.io/part-of: burrito
9 | spec:
10 | selector:
11 | matchLabels:
12 | app.kubernetes.io/name: burrito-server
13 | replicas: 1
14 | template:
15 | metadata:
16 | annotations:
17 | kubectl.kubernetes.io/default-container: burrito
18 | labels:
19 | app.kubernetes.io/name: burrito-server
20 | spec:
21 | securityContext:
22 | runAsNonRoot: true
23 | containers:
24 | - name: burrito
25 | args:
26 | - server
27 | - start
28 | ports:
29 | - containerPort: 8080
30 | name: http
31 | envFrom:
32 | - configMapRef:
33 | name: burrito-config
34 | optional: true
35 | - secretRef:
36 | name: burrito-config
37 | optional: true
38 | image: ghcr.io/padok-team/burrito:main
39 | imagePullPolicy: Always
40 | securityContext:
41 | allowPrivilegeEscalation: false
42 | capabilities:
43 | drop:
44 | - "ALL"
45 | livenessProbe:
46 | httpGet:
47 | path: /healthz
48 | port: 8080
49 | initialDelaySeconds: 15
50 | periodSeconds: 20
51 | readinessProbe:
52 | httpGet:
53 | path: /healthz
54 | port: 8080
55 | initialDelaySeconds: 5
56 | periodSeconds: 10
57 | serviceAccountName: burrito-server
58 | terminationGracePeriodSeconds: 10
59 |
--------------------------------------------------------------------------------
/ui/src/components/navigation/NavigationLink.tsx:
--------------------------------------------------------------------------------
1 | import React from 'react';
2 | import { twMerge } from 'tailwind-merge';
3 |
4 | import { Link, LinkProps } from 'react-router-dom';
5 |
6 | export interface NavigationLinkProps {
7 | className?: string;
8 | to: LinkProps['to'];
9 | children: React.ReactNode;
10 | disabled?: boolean;
11 | }
12 |
13 | const NavigationLink: React.FC
53 | {children}
54 |
55 |
56 | ) : (
57 |
64 | {children}
65 |
66 | );
67 | };
68 |
69 | export default NavigationLink;
70 |
--------------------------------------------------------------------------------
/.github/workflows/docs.yaml:
--------------------------------------------------------------------------------
1 | name: Documentation
2 | on:
3 | push:
4 | branches:
5 | - main
6 | tags:
7 | - v*
8 | pull_request:
9 | branches:
10 | - main
11 | paths:
12 | - ".github/workflows/docs.yaml"
13 | - "docs/**"
14 |
15 | permissions:
16 | contents: write
17 |
18 | jobs:
19 | deploy:
20 | runs-on: ubuntu-latest
21 | steps:
22 | - uses: actions/checkout@v6
23 | with:
24 | fetch-depth: 0 # Fetch all branches to include 'gh-pages' branch
25 | - uses: actions/setup-python@v6
26 | with:
27 | python-version: 3.x
28 | - uses: actions/cache@v4
29 | with:
30 | key: mkdocs-material-${{ github.ref }}
31 | path: .cache
32 | restore-keys: |
33 | mkdocs-material-
34 |
35 | - name: Install dependencies
36 | run: pip install mkdocs-material mike
37 |
38 | - name: Lint Markdown files
39 | uses: DavidAnson/markdownlint-cli2-action@v20
40 | with:
41 | config: 'docs/.markdownlint.jsonc'
42 | globs: 'docs/**/*.md'
43 |
44 | - name: Build pages
45 | run: mkdocs build --strict
46 |
47 | - name: Configure Git user
48 | run: |
49 | git config --local user.email "github-actions[bot]@users.noreply.github.com"
50 | git config --local user.name "github-actions[bot]"
51 |
52 | - name: Deploy pages (unstable)
53 | if: github.ref == 'refs/heads/main'
54 | run: mike deploy --push --update-aliases unstable
55 |
56 | - name: Deploy pages (new release)
57 | if: startsWith(github.ref, 'refs/tags/')
58 | run: |
59 | mike deploy --push --update-aliases ${{ github.ref_name }} latest
60 | echo "Deployed version ${{ github.ref_name }} to GitHub Pages"
61 |
--------------------------------------------------------------------------------
/internal/datastore/storage/encryption.go:
--------------------------------------------------------------------------------
1 | package storage
2 |
3 | import (
4 | "fmt"
5 | "os"
6 |
7 | "github.com/padok-team/burrito/internal/burrito/config"
8 | "github.com/padok-team/burrito/internal/utils/encryption"
9 | )
10 |
11 | type EncryptionManager struct {
12 | DefaultEncryptor *encryption.Encryptor
13 | config config.EncryptionConfig
14 | }
15 |
16 | func NewEncryptionManager(config config.EncryptionConfig) (*EncryptionManager, error) {
17 | em := &EncryptionManager{
18 | config: config,
19 | }
20 |
21 | encryptionKey := os.Getenv("BURRITO_DATASTORE_STORAGE_ENCRYPTION_KEY")
22 |
23 | if config.Enabled && encryptionKey == "" {
24 | return nil, fmt.Errorf("encryption is enabled but no encryption key is provided in the environment variable BURRITO_DATASTORE_STORAGE_ENCRYPTION_KEY")
25 | } else if config.Enabled && encryptionKey != "" {
26 | encryptor, err := encryption.NewEncryptor(encryptionKey)
27 | if err != nil {
28 | return nil, fmt.Errorf("failed to create encryptor: %w", err)
29 | }
30 | em.DefaultEncryptor = encryptor
31 | } else {
32 | em.DefaultEncryptor = nil
33 | }
34 |
35 | return em, nil
36 | }
37 |
38 | func (em *EncryptionManager) Encrypt(namespace string, plaintext []byte) ([]byte, error) {
39 | if em.DefaultEncryptor == nil {
40 | return plaintext, nil
41 | }
42 |
43 | return em.DefaultEncryptor.Encrypt(plaintext)
44 | }
45 |
46 | func (em *EncryptionManager) Decrypt(namespace string, ciphertext []byte) ([]byte, error) {
47 | if em.DefaultEncryptor == nil {
48 | return ciphertext, nil
49 | }
50 |
51 | // Try to decrypt the data. If it fails, return the original ciphertext as this might be a migration from an unencrypted state
52 | decrypted, err := em.DefaultEncryptor.Decrypt(ciphertext)
53 | if err != nil {
54 | return ciphertext, nil
55 | }
56 |
57 | return decrypted, nil
58 | }
59 |
--------------------------------------------------------------------------------
/internal/repository/providers/standard/standard.go:
--------------------------------------------------------------------------------
1 | package standard
2 |
3 | import (
4 | "errors"
5 | "fmt"
6 | "strings"
7 |
8 | "github.com/go-git/go-git/v5/plumbing/transport/http"
9 | "github.com/go-git/go-git/v5/plumbing/transport/ssh"
10 | configv1alpha1 "github.com/padok-team/burrito/api/v1alpha1"
11 | "github.com/padok-team/burrito/internal/repository/credentials"
12 | "github.com/padok-team/burrito/internal/repository/types"
13 | )
14 |
15 | type Standard struct {
16 | Config credentials.Credential
17 | }
18 |
19 | func (s *Standard) GetWebhookProvider() (types.WebhookProvider, error) {
20 | return nil, fmt.Errorf("webhooks are not supported for standard git provider. Provide a specific credentials for providers such as GitHub or GitLab")
21 | }
22 |
23 | func (s *Standard) GetAPIProvider() (types.APIProvider, error) {
24 | return nil, fmt.Errorf("API is not supported for standard git provider. Provide a specific credentials for providers such as GitHub or GitLab")
25 | }
26 |
27 | func (s *Standard) GetGitProvider(repository *configv1alpha1.TerraformRepository) (types.GitProvider, error) {
28 | repoURL := repository.Spec.Repository.Url
29 | repositoryProvider := &GitProvider{
30 | RepoURL: repoURL,
31 | }
32 | if repoURL == "" {
33 | return nil, errors.New("repository URL is required")
34 | }
35 | isSSH := strings.HasPrefix(repoURL, "git@") || strings.Contains(repoURL, "ssh://")
36 |
37 | if isSSH && s.Config.SSHPrivateKey != "" {
38 | publicKeys, err := ssh.NewPublicKeys("git", []byte(s.Config.SSHPrivateKey), "")
39 | if err != nil {
40 | return nil, err
41 | }
42 | repositoryProvider.AuthMethod = publicKeys
43 | } else if s.Config.Username != "" && s.Config.Password != "" {
44 | repositoryProvider.AuthMethod = &http.BasicAuth{
45 | Username: s.Config.Username,
46 | Password: s.Config.Password,
47 | }
48 | }
49 | return repositoryProvider, nil
50 | }
51 |
--------------------------------------------------------------------------------
/docs/guides/ui.md:
--------------------------------------------------------------------------------
1 | # UI Overview
2 |
3 | The Burrito UI is a web-based interface that allows you to view the state of your Terraform layers and resources, as well as the drift between the desired and actual state of your infrastructure.
4 |
5 | ## Pre-requisites
6 |
7 | - A running Burrito installation
8 |
9 | ## Accessing the UI
10 |
11 | The Burrito UI is accessible via a web browser. To access the UI, you need to expose the `burrito-server` service locally or on a public URL.
12 |
13 | ## Authentication
14 |
15 | By default, Burrito uses basic authentication with a username and password. The default credentials are:
16 |
17 | - **Username:** `admin`
18 | - **Password:** Generated on install in a Kubernetes Secret named `burrito-admin-credentials` in the Burrito server namespace.
19 |
20 | More secure authentication methods like OpenID Connect (OIDC) can be configured for production use. For more details, see the [Authentication Guide](../operator-manual/user-authentication.md).
21 |
22 | ## Features
23 |
24 | ### Homepage
25 |
26 | The homepage displays a list of all the Terraform layers that have been added to Burrito. Each layer is displayed as a card with the following information:
27 |
28 | - Namespace
29 | - Repository
30 | - Branch
31 | - Code path
32 | - Last plan result
33 | - State (Error, Out-of-sync, OK)
34 |
35 | 
36 |
37 | ### Terraform / Terragrunt logs
38 |
39 | Click on the layer card to view the Terraform or Terragrunt logs for that layer. You can explore previous runs and view the logs for each run. The maximum number of logs to keep is configurable.
40 | 
41 |
42 | A dedicated page for exploring the logs is also available.
43 |
44 | ### More to come
45 |
46 | Burrito is under active development, and we are working on adding more features to the UI such as:
47 |
48 | - "Plan and apply" buttons
49 | - Notifications
50 | - User management
51 | - Pull request view
52 | ... and more!
53 |
--------------------------------------------------------------------------------
/internal/server/api/logs.go:
--------------------------------------------------------------------------------
1 | package api
2 |
3 | import (
4 | "fmt"
5 | "net/http"
6 | "strings"
7 |
8 | "github.com/labstack/echo/v4"
9 | )
10 |
11 | type GetLogsResponse struct {
12 | Results []string `json:"results"`
13 | }
14 |
15 | func getLogsArgs(c echo.Context) (string, string, string, string, error) {
16 | namespace := c.Param("namespace")
17 | layer := c.Param("layer")
18 | run := c.Param("run")
19 | attempt := c.Param("attempt")
20 | if namespace == "" || layer == "" || run == "" || attempt == "" {
21 | return "", "", "", "", fmt.Errorf("missing query parameters")
22 | }
23 | return namespace, layer, run, attempt, nil
24 | }
25 |
26 | // logs/${namespace}/${layer}/${runId}/${attemptId}
27 | func (a *API) GetLogsHandler(c echo.Context) error {
28 | namespace, layer, run, attempt, err := getLogsArgs(c)
29 | if err != nil {
30 | return c.String(http.StatusBadRequest, err.Error())
31 | }
32 | response := GetLogsResponse{}
33 | content, err := a.Datastore.GetLogs(namespace, layer, run, attempt)
34 | if err != nil {
35 | return c.String(http.StatusInternalServerError, "could not get logs, there's an issue with the storage backend")
36 | }
37 | response.Results = content
38 | return c.JSON(http.StatusOK, &response)
39 | }
40 |
41 | func (a *API) DownloadLogsHandler(c echo.Context) error {
42 | namespace, layer, run, attempt, err := getLogsArgs(c)
43 | if err != nil {
44 | return c.String(http.StatusBadRequest, err.Error())
45 | }
46 | content, err := a.Datastore.GetLogs(namespace, layer, run, attempt)
47 | file := strings.Join(content, "\n")
48 | if err != nil {
49 | return c.String(http.StatusInternalServerError, "could not get logs, there's an issue with the storage backend")
50 | }
51 | c.Response().Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%s_%s_%s_%s.log", namespace, layer, run, attempt))
52 | c.Response().Header().Set("Content-Type", "application/octet-stream")
53 | return c.Blob(http.StatusOK, "application/octet-stream", []byte(file))
54 | }
55 |
--------------------------------------------------------------------------------
/docs/operator-manual/git-authentication/github-token.md:
--------------------------------------------------------------------------------
1 | # GitHub Token Authentication
2 |
3 | ## Generate a personal access token
4 |
5 | You need a personal access token to configure Burrito. You can generate a personal access token in your GitHub account.
6 |
7 | Follow the instructions in the GitHub documentation for [creating a personal access token](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token):
8 |
9 | - It should be a **fine-grained token**.
10 | - **Permissions**: Configure the following **Repository Permissions**:
11 | - **Metadata:** Select Read-only.
12 | - **Contents:** Select Read-only.
13 | - **Pull requests:** Select Read & write. This is required to issue comments on pull requests.
14 | - Under **Repository access**, select which repositories you want the token to access.
15 |
16 | ## Configure credentials with GitHub Token
17 |
18 | Set up a credentials secret with the `githubToken` field.
19 |
20 | ### Repository-specific credentials example
21 |
22 | ```yaml
23 | apiVersion: config.terraform.padok.cloud/v1alpha1
24 | kind: TerraformRepository
25 | metadata:
26 | name: my-repository
27 | namespace: burrito-project
28 | spec:
29 | repository:
30 | url: https://github.com/owner/repo
31 | terraform:
32 | enabled: true
33 | ---
34 | apiVersion: v1
35 | kind: Secret
36 | metadata:
37 | name: burrito-repo
38 | namespace: burrito-project
39 | type: credentials.burrito.tf/repository
40 | stringData:
41 | provider: github
42 | url: https://github.com/owner/repo
43 | githubToken: "github_pat_xxx"
44 | webhookSecret: "my-webhook-secret"
45 | ```
46 |
47 | ### Shared credentials example
48 |
49 | ```yaml
50 | apiVersion: v1
51 | kind: Secret
52 | metadata:
53 | name: github-token-credentials
54 | namespace: burrito-system
55 | type: credentials.burrito.tf/shared
56 | stringData:
57 | provider: github
58 | url: https://github.com/owner
59 | githubToken: "github_pat_xxx"
60 | webhookSecret: "my-webhook-secret"
61 | ```
62 |
--------------------------------------------------------------------------------
/internal/controllers/terraformrepository/polling.go:
--------------------------------------------------------------------------------
1 | package terraformrepository
2 |
3 | import (
4 | "context"
5 |
6 | configv1alpha1 "github.com/padok-team/burrito/api/v1alpha1"
7 | "github.com/padok-team/burrito/internal/annotations"
8 | )
9 |
10 | // Returns the list of layers that are managed by this repository
11 | func (r *Reconciler) retrieveManagedLayers(ctx context.Context, repository *configv1alpha1.TerraformRepository) ([]configv1alpha1.TerraformLayer, error) {
12 | // get all layers that depends on the repository (layer.spec.repository.name == repository.name)
13 | layers := &configv1alpha1.TerraformLayerList{}
14 | if err := r.List(ctx, layers); err != nil {
15 | return nil, err
16 | }
17 | managedLayers := []configv1alpha1.TerraformLayer{}
18 | for _, layer := range layers.Items {
19 | if layer.Spec.Repository.Name == repository.Name {
20 | managedLayers = append(managedLayers, layer)
21 | }
22 | }
23 | return managedLayers, nil
24 | }
25 |
26 | // Returns a list of all refs (branches and tags) among a list of layers from the same repository (duplicated allowed)
27 | func retrieveAllLayerRefs(layers []configv1alpha1.TerraformLayer) []string {
28 | refs := []string{}
29 | for _, layer := range layers {
30 | refs = append(refs, layer.Spec.Branch)
31 | }
32 | return refs
33 | }
34 |
35 | // Returns a list of all layers referencing a specific ref
36 | func retrieveLayersForRef(ref string, layers []configv1alpha1.TerraformLayer) []configv1alpha1.TerraformLayer {
37 | result := []configv1alpha1.TerraformLayer{}
38 | for _, layer := range layers {
39 | if layer.Spec.Branch == ref {
40 | result = append(result, layer)
41 | }
42 | }
43 | return result
44 | }
45 |
46 | // Checks if there is at least one new layer in the list of layers (without last branch commit annotation)
47 | func isThereANewLayer(layers []configv1alpha1.TerraformLayer) bool {
48 | for _, layer := range layers {
49 | if _, ok := layer.Annotations[annotations.LastBranchCommit]; !ok {
50 | return true
51 | }
52 | }
53 | return false
54 | }
55 |
--------------------------------------------------------------------------------
/internal/controllers/terraformpullrequest/comment/default.go:
--------------------------------------------------------------------------------
1 | package comment
2 |
3 | import (
4 | "bytes"
5 | "text/template"
6 |
7 | configv1alpha1 "github.com/padok-team/burrito/api/v1alpha1"
8 | datastore "github.com/padok-team/burrito/internal/datastore/client"
9 |
10 | _ "embed"
11 | )
12 |
13 | var (
14 | //go:embed templates/comment.md
15 | defaultTemplateRaw string
16 | defaultTemplate = template.Must(template.New("report").Parse(defaultTemplateRaw))
17 | )
18 |
19 | type ReportedLayer struct {
20 | Name string
21 | ShortDiff string
22 | Path string
23 | PrettyPlan string
24 | }
25 |
26 | type DefaultComment struct {
27 | layers []configv1alpha1.TerraformLayer
28 | datastore datastore.Client
29 | }
30 |
31 | type DefaultCommentInput struct {
32 | }
33 |
34 | func NewDefaultComment(layers []configv1alpha1.TerraformLayer, datastore datastore.Client) *DefaultComment {
35 | return &DefaultComment{
36 | layers: layers,
37 | datastore: datastore,
38 | }
39 | }
40 |
41 | func (c *DefaultComment) Generate(commit string) (string, error) {
42 | var reportedLayers []ReportedLayer
43 | for _, layer := range c.layers {
44 | plan, err := c.datastore.GetPlan(layer.Namespace, layer.Name, layer.Status.LastRun.Name, "", "pretty")
45 | if err != nil {
46 | return "", err
47 | }
48 | shortDiff, err := c.datastore.GetPlan(layer.Namespace, layer.Name, layer.Status.LastRun.Name, "", "short")
49 | if err != nil {
50 | return "", err
51 | }
52 | reportedLayer := ReportedLayer{
53 | Name: layer.Name,
54 | Path: layer.Spec.Path,
55 | ShortDiff: string(shortDiff),
56 | PrettyPlan: string(plan),
57 | }
58 | reportedLayers = append(reportedLayers, reportedLayer)
59 |
60 | }
61 | data := struct {
62 | Commit string
63 | Layers []ReportedLayer
64 | }{
65 | Commit: commit,
66 | Layers: reportedLayers,
67 | }
68 | comment := bytes.NewBufferString("")
69 | err := defaultTemplate.Execute(comment, data)
70 | if err != nil {
71 | return "", err
72 | }
73 | return comment.String(), nil
74 | }
75 |
--------------------------------------------------------------------------------
/ui/src/components/core/Dropdown.tsx:
--------------------------------------------------------------------------------
1 | import React from 'react';
2 | import { twMerge } from 'tailwind-merge';
3 |
4 | import AngleDownIcon from '@/assets/icons/AngleDownIcon';
5 |
6 | export interface DropdownProps {
7 | className?: string;
8 | variant?: 'light' | 'dark';
9 | label: string;
10 | filled?: boolean;
11 | disabled?: boolean;
12 | }
13 |
14 | const Dropdown = React.forwardRef
74 | {label}
75 |
77 | );
78 | }
79 | );
80 |
81 | export default Dropdown;
82 |
--------------------------------------------------------------------------------
/ui/src/assets/icons/DownloadAltIcon.tsx:
--------------------------------------------------------------------------------
1 | import { SVGProps } from 'react';
2 |
3 | const DownloadAltIcon = (props: SVGProps