feat: Initial commit (#1)

.checkov-config.yml

@@ -0,0 +1,5 @@
+download-external-modules: true
+quiet: true
+skip-check:
+  # Github: Ensure top-level permissions are not set to write-all
+  - CKV2_GHA_1

.flake8

@@ -0,0 +1,9 @@
+[flake8]
+extend-ignore =
+    # whitespace before ':'
+    E203
+max-line-length = 90
+max-complexity = 10
+exclude =
+    __pycache__
+    .venv

.gitattributes

@@ -0,0 +1,21 @@
+######################################
+### NORMALIZATION (convert crlf => lf)
+# https://adaptivepatchwork.com/2012/03/01/mind-the-end-of-your-line/
+######################################
+#
+# NB: WINDOWS USERS, please set:
+# git config --global core.autocrlf input
+#
+# Default is to normalize all text files
+*           text=auto
+
+# These files are explicitly text files and should be normalized
+*.tf        text=auto
+*.tfvars    text=auto
+*.yml       text=auto
+
+# These files are explicitly text files and should not be modified
+
+# These files are explicitly binary
+
+######################################

.github/.pre-commit-config.yaml

@@ -0,0 +1,17 @@
+# Additional "pre-commit" checks that run remotely.
+# To clarify, these are run "post commit" using the
+# pre-commit framework for execution.
+
+exclude: '^modules/external/.*$'
+
+repos:
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.74.1
+    hooks:
+      - id: terraform_tfsec
+        files: ^.*.tf$
+        # Configure tfsec by creating and updating the config file below.
+        args: ['--args=--config-file=__GIT_WORKING_DIR__/.tfsec-config.yml']
+      - id: terraform_checkov
+        # Configure checkov by creating and updating the config file below.
+        args: ['--args=--config-file __GIT_WORKING_DIR__/.checkov-config.yml']

.github/contributing.md

@@ -0,0 +1,49 @@
+# Contributing
+
+When contributing to this repository, please first discuss the change you wish to make via issue,
+email, or any other method with the owners of this repository before making a change.
+
+Please note we have a code of conduct, please follow it in all your interactions with the project.
+
+## Development environment
+
+### Dev containers
+We suggest using [Visual Studio Code Dev Containers](https://code.visualstudio.com/docs/devcontainers/containers) to build a local, isolated development environment.
+
+Simply open this project in a remote container to get started.
+
+### Reducing clutter
+To improve focus while developing, you may want to configure VSCode to hide all files beginning with `.` from the Explorer view. These files are typically related to low-level environment configuration. To do so, you could add `"**/.*"` to the `files.exclude` setting.
+
+## Pull Request Process
+
+1. Update the code, examples and/or documentation where appropriate.
+1. Ideally, follow [conventional commits](https://www.conventionalcommits.org/) for your commit messages.
+1. Locally run pre-commit hooks `pre-commit run -a`
+1. Locally run tests via `pytest`
+1. Create pull request
+1. Once all checks pass, notify a reviewer.
+
+Once all outstanding comments and checklist items have been addressed, your contribution will be merged! Merged PRs will be included in the next release. The terraform-aws-vpc maintainers take care of updating the CHANGELOG as they merge.
+
+## Checklists for contributions
+
+- [ ] Add [semantics prefix](#semantic-pull-requests) to your PR or Commits (at least one of your commit groups)
+- [ ] CI tests are passing
+- [ ] README.md has been updated after any changes to variables and outputs. See https://github.com/cloudandthings/terraform-aws-clickops-notifer/#doc-generation
+- [ ] Run pre-commit hooks `pre-commit run -a`
+
+## Semantic Pull Requests
+
+To generate changelog, Pull Requests or Commits must have semantic and must follow conventional specs below:
+
+- `feat:` for new features
+- `fix:` for bug fixes
+- `improvement:` for enhancements
+- `docs:` for documentation and examples
+- `refactor:` for code refactoring
+- `test:` for tests
+- `ci:` for CI purpose
+- `chore:` for chores stuff
+
+The `chore` prefix skipped during changelog generation. It can be used for `chore: update changelog` commit message by example.

.github/workflows/pr-title.yml

@@ -0,0 +1,56 @@
+name: Validate PR title
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+jobs:
+  main:
+    name: 👀 Validate PR title
+    # For public repos use runs-on: ubuntu-latest
+    # For private repos use runs-on: self-hosted
+    runs-on: ${{ vars.RUNS_ON }}
+    steps:
+      # Please look up the latest version from
+      # https://github.com/amannn/action-semantic-pull-request/releases
+      - uses: amannn/action-semantic-pull-request@v5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          # Configure which types are allowed.
+          # Default: https://github.com/commitizen/conventional-commit-types
+          types: |
+            fix
+            feat
+            docs
+            ci
+            chore
+          # Configure that a scope must always be provided.
+          requireScope: false
+          # Configure additional validation for the subject based on a regex.
+          # This example ensures the subject starts with a character.
+          subjectPattern: ^[A-Za-z].+$
+          # If `subjectPattern` is configured, you can use this property to override
+          # the default error message that is shown when the pattern doesn't match.
+          # The variables `subject` and `title` can be used within the message.
+          subjectPatternError: |
+            The subject "{subject}" found in the pull request title "{title}"
+            didn't match the configured pattern. Please ensure that the subject
+            starts with a character.
+          # For work-in-progress PRs you can typically use draft pull requests
+          # from Github. However, private repositories on the free plan don't have
+          # this option and therefore this action allows you to opt-in to using the
+          # special "[WIP]" prefix to indicate this state. This will avoid the
+          # validation of the PR title and the pull request checks remain pending.
+          # Note that a second check will be reported if this is enabled.
+          wip: true
+          # See: https://github.com/amannn/action-semantic-pull-request#legacy-configuration
+          # If the PR only contains a single commit, the action will validate that
+          # it matches the configured pattern.
+          validateSingleCommit: true
+          # Related to `validateSingleCommit` you can opt-in to validate that the PR
+          # title matches a single commit to avoid confusion.
+          validateSingleCommitMatchesPrTitle: true

.github/workflows/pre-commit-and-tests.yml

@@ -0,0 +1,117 @@
+name: pre-commit & tests
+
+env:
+  AWS_REGION: af-south-1
+  AWS_ROLE_ARN: arn:aws:iam::353444730604:role/cat-genrl-prd-infra-github-workflows
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+      - master
+      - develop
+
+concurrency:
+  # https://stackoverflow.com/questions/66335225/how-to-cancel-previous-runs-in-the-pr-when-you-push-new-commitsupdate-the-curre
+  group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
+  cancel-in-progress: true
+
+permissions:
+  id-token: write
+  contents: read
+
+defaults:
+  # Set shell for steps inside containers (default=sh)
+  run:
+    shell: bash
+
+jobs:
+  check-vars:
+    name: 🔍 check vars
+    runs-on: ${{ vars.RUNS_ON }}
+    container: ${{ vars.CONTAINER }}
+    steps:
+      - name: check vars.CONTAINER is configured
+        run: |
+          VARS_CONTAINER=${{ vars.CONTAINER }}
+          echo VARS_CONTAINER=$VARS_CONTAINER
+          [[ $VARS_CONTAINER ]] || { echo "vars.CONTAINER is empty" ; exit 1; }
+
+  #--------------------------------------------------------------
+  # PRE-COMMIT
+  #--------------------------------------------------------------
+  pre_commit:
+    name: 💍 pre-commit
+    # For public repos use runs-on: ubuntu-latest
+    # For private repos use runs-on: self-hosted
+    runs-on: ${{ vars.RUNS_ON }}
+    container: ${{ vars.CONTAINER }}
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
+        with:
+          python-version: 3.11
+      - uses: hashicorp/setup-terraform@v2
+      - name: Install requirements
+        run: |
+          python -m venv .venv
+          source .venv/bin/activate
+          pip install pre-commit
+      - name: pre-commit run
+        run: |
+          source .venv/bin/activate
+          if [[ "${{ env.GITHUB_REPOSITORY}}" == "cloudandthings/terraform-aws-template" ]]; then
+            export SKIP=no-vanilla-readme
+          fi
+          echo ...running developer pre-commit checks...
+          pre-commit run --config .pre-commit-config.yaml --all-files --show-diff-on-failure
+          if [[ -f .github/.pre-commit-config.yaml ]]; then
+            echo ...running remote pre-commit checks...
+            pip install checkov
+            pre-commit run --config .github/.pre-commit-config.yaml --all-files --show-diff-on-failure
+          fi
+      - name: cat pre-commit log
+        if: failure()
+        run: |
+          LOG_FILE=~/.cache/pre-commit/pre-commit.log
+          if [ -f "$LOG_FILE" ]; then
+            cat $LOG_FILE
+          fi
+
+  #--------------------------------------------------------------
+  # TESTS
+  #--------------------------------------------------------------
+  tests:
+    needs: [pre_commit]
+    name: ✅ tests
+    # For public repos use runs-on: ubuntu-latest
+    # For private repos use runs-on: self-hosted
+    runs-on: ${{ vars.RUNS_ON }}
+    container: ${{ vars.CONTAINER }}
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
+        with:
+          python-version: 3.11
+      - uses: hashicorp/setup-terraform@v2
+      - uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-region: ${{ env.AWS_REGION }}
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ env.AWS_ROLE_ARN }}
+          role-duration-seconds: 3600
+      - name: Install requirements
+        run: |
+          python -m venv .venv
+          source .venv/bin/activate
+          pip install -r tests/requirements.txt
+      - name: Run
+        run: |
+          source .venv/bin/activate
+          echo "::echo::off"
+          pytest
+        env:
+          PYTEST_ADDOPTS: "--color=yes"
+        timeout-minutes: 15

.github/workflows/release.yml

@@ -0,0 +1,35 @@
+name: release
+
+# Overview ref: https://github.com/googleapis/release-please
+# Configuration ref: https://github.com/google-github-actions/release-please-action
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+      - master
+      - develop
+
+jobs:
+  release:
+    name: 🙏 release-please
+    # For public repos use runs-on: ubuntu-latest
+    # For private repos use runs-on: self-hosted
+    runs-on: ${{ vars.RUNS_ON }}
+    outputs:
+      release_created: ${{ steps.release-please.outputs.release_created }}
+      tag_name: ${{ steps.release-please.outputs.tag_name }}
+    steps:
+      - name: release-please
+        uses: google-github-actions/release-please-action@v3
+        id: release-please
+        with:
+          release-type: simple
+          # These bumps are honoured only if there is an
+          # initial tag of v0.1.0 . Create it manually if needed.
+          #
+          # BREAKING CHANGE only bumps semver minor if version < 1.0.0
+          bump-minor-pre-major: true
+          # feat commits bump semver patch instead of minor if version < 1.0.0
+          bump-patch-for-minor-pre-major: true

.github/workflows/terraform-min-max.yml.disabled

@@ -0,0 +1,66 @@
+name: Terraform min-max
+
+on:
+  pull_request:
+
+concurrency:
+  # https://stackoverflow.com/questions/66335225/how-to-cancel-previous-runs-in-the-pr-when-you-push-new-commitsupdate-the-curre
+  group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  collectDirectories:
+    name: 🍱 collect directories
+    # Outputs a list of all unique directories
+    # that contain *.tf files and do not start with .
+    # For public repos use runs-on: ubuntu-latest
+    # For private repos use runs-on: self-hosted
+    runs-on: ${{ vars.RUNS_ON }}
+    outputs:
+      directories: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - uses: actions/checkout@v3
+      - id: set-matrix
+        run: |
+          DIRS=$(find . -type f -name '*.tf' -not -path '**/.*' | sed -r 's|/[^/]+$||' | sort | uniq)
+          DIRS_JSON=$(jq -ncR '[inputs]' <<< "$DIRS")
+          cat <<< matrix=$DIRS_JSON >> $GITHUB_OUTPUT
+          cat $GITHUB_OUTPUT
+
+  validateTerraformMinMaxVersions:
+    name: 🏗️ Validate Terraform min/max versions
+    needs: collectDirectories
+    # For public repos use runs-on: ubuntu-latest
+    # For private repos use runs-on: self-hosted
+    runs-on: ${{ vars.RUNS_ON }}
+    container: ${{ vars.CONTAINER }}
+    strategy:
+      matrix:
+        directory: ${{ fromJson(needs.collectDirectories.outputs.directories) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Get Terraform min/max versions
+        id: minMax
+        uses: clowdhaus/terraform-min-max@v1.2.4
+        with:
+          directory: ${{ matrix.directory }}
+
+      - name: Validate min Terraform version (${{ steps.minMax.outputs.minVersion }})
+        run: |
+          ls -la ~
+          tfenv install ${{ steps.minMax.outputs.minVersion }}
+          tfenv use ${{ steps.minMax.outputs.minVersion }}
+          terraform --version
+          terraform init -backend=false
+          terraform validate
+
+      - name: Validate max Terraform version (${{ steps.minMax.outputs.maxVersion }})
+        run: |
+          ls -la ~
+          tfenv install ${{ steps.minMax.outputs.maxVersion }}
+          tfenv use ${{ steps.minMax.outputs.maxVersion }}
+          terraform --version
+          terraform init -backend=false
+          terraform validate