Merge pull request #4 from sterliakov/feature/st-initial

feat: Initial setup

Author: sterliakov

.github/dependabot.yml

@@ -1,40 +1,30 @@
 version: 2
 updates:
-
   # GitHub actions
-  - package-ecosystem: "github-actions"
-    directory: "/"  # For GitHub Actions "/" must be used for workflow files in ".github/workflows"
+-   package-ecosystem: github-actions
+    directory: /    # For GitHub Actions "/" must be used for workflow files in ".github/workflows"
     schedule:
-      interval: "weekly"
+        interval: monthly
     commit-message:
-      prefix: "chore: "
+        prefix: 'chore: '
     labels:
-      - "release/patch"
+    -   release/patch
 
   # Terraform
-  - package-ecosystem: "terraform"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-    commit-message:
-      prefix: "chore: "
-    labels:
-      - "release/patch"
-
-  - package-ecosystem: "terraform"
-    directory: "/examples/complete/"
+-   package-ecosystem: terraform
+    directory: /
     schedule:
-      interval: "weekly"
+        interval: monthly
     commit-message:
-      prefix: "chore: "
+        prefix: 'chore: '
     labels:
-      - "release/patch"
+    -   release/patch
 
-  - package-ecosystem: "terraform"
-    directory: "/examples/simple/"
+-   package-ecosystem: terraform
+    directory: /examples/lambda/
     schedule:
-      interval: "weekly"
+        interval: monthly
     commit-message:
-      prefix: "chore: "
+        prefix: 'chore: '
     labels:
-      - "release/patch"
+    -   release/patch

.github/workflows/check.yml

@@ -0,0 +1,72 @@
+name: Lint and Test
+
+permissions:
+    contents: read
+
+on:
+    pull_request:
+        branches:
+        -   main
+    schedule:
+    -   cron: 0 12 * * 1
+
+env:
+    TEST_ROLE: arn:aws:iam::533267002298:role/ecr-test-role
+
+jobs:
+    pre-commit:
+        name: Pre-commit hooks
+        runs-on: ubuntu-latest
+        steps:
+        -   uses: actions/checkout@v4
+
+        -   uses: actions/setup-python@v5
+            with:
+                python-version: '3.12'
+        -   uses: hashicorp/setup-terraform@v3
+        -   uses: terraform-linters/setup-tflint@v4
+            name: Setup TFLint
+            with:
+                tflint_version: latest
+        -   name: Install terraform-docs
+            run: |
+                cd "$(mktemp -d)"
+                curl -Lo ./terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.19.0/terraform-docs-v0.19.0-$(uname)-amd64.tar.gz
+                tar -xzf terraform-docs.tar.gz
+                chmod +x terraform-docs
+                echo "$PWD" >> $GITHUB_PATH
+
+        -   name: Init TFLint
+            run: tflint --init
+            env:
+                # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+                GITHUB_TOKEN: ${{ github.token }}
+
+        -   uses: pre-commit/[email protected]
+            with:
+                extra_args: --all-files --show-diff-on-failure
+
+    test:
+        name: Test
+        needs: pre-commit
+        runs-on: ubuntu-latest
+        permissions:
+            id-token: write
+            contents: read
+        strategy:
+            fail-fast: false
+            matrix:
+                terraform_version: [1.7.0, latest]
+        steps:
+        -   uses: actions/checkout@v4
+        -   uses: hashicorp/setup-terraform@v3
+            with:
+                terraform_version: ${{ matrix.terraform_version }}
+        -   uses: aws-actions/configure-aws-credentials@v4
+            with:
+                role-to-assume: ${{ env.TEST_ROLE }}
+                aws-region: us-east-1
+        -   name: test
+            run: |
+                terraform init
+                terraform test

.github/workflows/pr-title.yml

@@ -1,16 +1,23 @@
 name: Validate PR title
 
 permissions:
-  pull-requests: read
-  statuses: write
+    pull-requests: read
 
 on:
-  pull_request_target:
-    types:
-      - opened
-      - edited
-      - synchronize
+    pull_request_target:
+        branches:
+        -   main
+        types:
+        -   opened
+        -   edited
+        -   synchronize
+        -   reopened
 
 jobs:
-  main:
-    uses: getindata/github-workflows/.github/workflows/gh-validate-pr-title.yml@v1
+    main:
+        name: Validate PR title
+        runs-on: ubuntu-latest
+        steps:
+        -   uses: amannn/action-semantic-pull-request@v5
+            env:
+                GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pre-commit.yml

@@ -1,13 +1,17 @@
-name: Create new release with changelog
+name: Publish Release
 
 permissions:
-  contents: write
-  pull-requests: write
+    contents: write
 
 on:
-  pull_request_target:
-    types: [closed]
+    push:
+        tags:
+        -   v*.*.*
 
 jobs:
-  release:
-    uses: getindata/github-workflows/.github/workflows/gh-create-release.yml@v1
+    build:
+        runs-on: ubuntu-latest
+        steps:
+        -   uses: actions/checkout@v4
+        -   name: Release
+            uses: softprops/action-gh-release@v2

.github/workflows/release.yml

@@ -33,3 +33,6 @@ override.tf.json
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
 *tfplan*
+
+# Checkov
+.external_modules

.gitignore

@@ -1,32 +1,54 @@
 repos:
-  - repo: https://github.com/gruntwork-io/pre-commit
-    rev: "v0.1.23" # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases
+-   repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
     hooks:
-      - id: terraform-validate # It should be the first step as it runs terraform init required by tflint
-      - id: terraform-fmt
-      - id: tflint
-        args:
-          - "--config=__GIT_ROOT__/.tflint.hcl"
+    -   id: trailing-whitespace
+    -   id: end-of-file-fixer
+    -   id: check-merge-conflict
+    -   id: check-executables-have-shebangs
+    -   id: check-shebang-scripts-are-executable
+    -   id: check-symlinks
+    -   id: mixed-line-ending
+        args: [--fix=lf]
+    -   id: check-yaml
+    -   id: check-json
+    -   id: pretty-format-json
+        args: [--autofix, --no-ensure-ascii]
 
-  - repo: https://github.com/terraform-docs/terraform-docs
-    rev: "v0.18.0" # Get the latest from: https://github.com/terraform-docs/terraform-docs/releases
+-   repo: https://github.com/macisamuele/language-formatters-pre-commit-hooks
+    rev: v2.14.0
     hooks:
-      - id: terraform-docs-go
-        args: ["."]
+    -   id: pretty-format-yaml
+        args: [--autofix, --indent, '4']
 
-  - repo: https://github.com/bridgecrewio/checkov.git
-    rev: "3.2.216" # Get the latest from: https://github.com/bridgecrewio/checkov/releases
+-   repo: https://github.com/shellcheck-py/shellcheck-py
+    rev: v0.10.0.1
     hooks:
-      - id: checkov
-        args: [--skip-check, "CKV_TF_1"] # Terraform module sources do not use a git url with a commit hash revision
+    -   id: shellcheck
+        args: [-x, -P, SCRIPTDIR, -S, style]
 
-  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: "v4.6.0" # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
+-   repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.96.1
     hooks:
-      - id: check-merge-conflict
-        args: ["--assume-in-merge"]
-      - id: mixed-line-ending
-        args: ["--fix=no"]
-      - id: end-of-file-fixer
-      - id: check-case-conflict
-      - id: check-yaml
+    -   id: terraform_validate
+    -   id: terraform_fmt
+    -   id: terraform_tflint
+    -   id: terraform_docs
+        args:
+        -   --hook-config=--config-file=.terraform-docs.yml
+
+-   repo: https://github.com/bridgecrewio/checkov.git
+    rev: 3.2.277
+    hooks:
+    -   id: checkov
+        args:
+        -   --download-external-modules
+        -   'true'
+        -   --compact
+        -   --skip-check
+          # Terraform module sources do not use a git url with a commit hash revision
+        -   CKV_TF_1
+        -   --skip-path
+        -   examples/
+        -   --skip-path
+        -   tests/

.pre-commit-config.yaml

@@ -1,59 +1,55 @@
-formatter: "md tbl" # this is required
+formatter: md tbl   # this is required
 
-version: ">= 0.14"
-
-recursive:
-  enabled: true
-  path: ./examples
+version: '>= 0.14'
 
 sections:
-  hide: []
-  show: [all]
+    hide: []
+    show: [all]
 
 content: |-
-  {{ .Header }}
+    {{ .Header }}
 
-  {{ .Footer }}
+    {{ .Footer }}
 
-  {{ .Inputs }}
+    {{ .Inputs }}
 
-  {{ .Modules }}
+    {{ .Modules }}
 
-  {{ .Outputs }}
+    {{ .Outputs }}
 
-  {{ .Providers }}
+    {{ .Providers }}
 
-  {{ .Requirements }}
+    {{ .Requirements }}
 
-  {{ .Resources }}
+    {{ .Resources }}
 
 output:
-  file: "README.md"
-  mode: inject
-  template: |-
-    <!-- BEGIN_TF_DOCS -->
-    {{ .Content }}
-    <!-- END_TF_DOCS -->
+    file: README.md
+    mode: inject
+    template: |-
+        <!-- BEGIN_TF_DOCS -->
+        {{ .Content }}
+        <!-- END_TF_DOCS -->
 
 output-values:
-  enabled: false
-  from: ""
+    enabled: false
+    from: ''
 
 sort:
-  enabled: true
-  by: name
+    enabled: true
+    by: name
 
 settings:
-  anchor: true
-  color: true
-  default: true
-  description: false
-  escape: true
-  hide-empty: false
-  html: true
-  indent: 2
-  lockfile: false
-  read-comments: true
-  required: true
-  sensitive: true
-  type: true
+    anchor: true
+    color: true
+    default: true
+    description: false
+    escape: true
+    hide-empty: false
+    html: true
+    indent: 2
+    lockfile: false
+    read-comments: true
+    required: true
+    sensitive: true
+    type: true