diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..3ad7457
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,40 @@
+version: 2
+updates:
+
+ # GitHub actions
+ - package-ecosystem: "github-actions"
+ directory: "/" # For GitHub Actions "/" must be used for workflow files in ".github/workflows"
+ schedule:
+ interval: "weekly"
+ commit-message:
+ prefix: "chore: "
+ labels:
+ - "release/patch"
+
+ # Terraform
+ - package-ecosystem: "terraform"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ commit-message:
+ prefix: "chore: "
+ labels:
+ - "release/patch"
+
+ - package-ecosystem: "terraform"
+ directory: "/examples/complete/"
+ schedule:
+ interval: "weekly"
+ commit-message:
+ prefix: "chore: "
+ labels:
+ - "release/patch"
+
+ - package-ecosystem: "terraform"
+ directory: "/examples/simple/"
+ schedule:
+ interval: "weekly"
+ commit-message:
+ prefix: "chore: "
+ labels:
+ - "release/patch"
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
deleted file mode 100644
index 7ec13ba..0000000
--- a/.github/workflows/documentation.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-name: Generate terraform docs
-on:
- - pull_request
-jobs:
- docs:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- with:
- ref: ${{ github.event.pull_request.head.ref }}
-
- - name: Render terraform docs inside the README.md and push changes back to PR branch
- uses: terraform-docs/gh-actions@v1.0.0
- with:
- working-dir: .
- config-file: .terraform-docs.yml
- git-push: "true"
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
index 23b8c9d..40f63a1 100644
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@@ -1,4 +1,8 @@
-name: 'Validate PR title'
+name: Validate PR title
+
+permissions:
+ pull-requests: read
+ statuses: write
 
 on:
 pull_request_target:
@@ -9,42 +13,4 @@ on:
 
 jobs:
 main:
- name: Validate PR title
- runs-on: ubuntu-latest
- steps:
- # Please look up the latest version from
- # https://github.com/amannn/action-semantic-pull-request/releases
- - uses: amannn/action-semantic-pull-request@v4
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- # Configure which types are allowed.
- # Default: https://github.com/commitizen/conventional-commit-types
- types: |
- feat
- fix
- improvement
- docs
- refactor
- test
- ci
- chore
- # Configure that a scope must always be provided.
- requireScope: false
- # Configure additional validation for the subject based on a regex.
- # This example ensures the subject starts with an uppercase character.
- subjectPattern: ^[A-Z].+$
- # If `subjectPattern` is configured, you can use this property to override
- # the default error message that is shown when the pattern doesn't match.
- # The variables `subject` and `title` can be used within the message.
- subjectPatternError: |
- The subject "{subject}" found in the pull request title "{title}"
- didn't match the configured pattern. Please ensure that the subject
- starts with an uppercase character.
- # For work-in-progress PRs you can typically use draft pull requests
- # from Github. However, private repositories on the free plan don't have
- # this option and therefore this action allows you to opt-in to using the
- # special "[WIP]" prefix to indicate this state. This will avoid the
- # validation of the PR title and the pull request checks remain pending.
- # Note that a second check will be reported if this is enabled.
- wip: true
+ uses: getindata/github-workflows/.github/workflows/gh-validate-pr-title.yml@v1
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 7db5a4a..652dff0 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -1,4 +1,7 @@
-name: Pre-Commit
+name: TF Pre-Commit
+
+permissions:
+ contents: read
 
 on:
 pull_request:
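Review bot: The added `uses:` line references the reusable workflow by the mutable tag `@v1`, so whatever getindata/github-workflows publishes under that tag later runs here with this workflow's `pull-requests: read`/`statuses: write` token on a `pull_request_target` event; the `uses:` lines added in pre-commit.yml and release.yml have the same issue, and release.yml grants `contents: write`. Pin each reference to a full-length commit SHA and keep the tag as a trailing comment, `uses: getindata/github-workflows/.github/workflows/gh-validate-pr-title.yml@<full-commit-sha>  # v1`; the `github-actions` entry in the new dependabot.yml should then keep such pins current. If the repository deliberately tracks the tag to pick up fixes automatically, state that in a comment next to the line so the choice is visible.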
@@ -6,77 +9,10 @@ on:
 - main
 - master
 
-env:
- TERRAFORM_DOCS_VERSION: v0.16.0
-
 jobs:
- collectInputs:
- name: Collect workflow inputs
- runs-on: ubuntu-latest
- outputs:
- directories: ${{ steps.dirs.outputs.directories }}
- steps:
- - name: Checkout
- uses: actions/checkout@v2
-
- - name: Get root directories
- id: dirs
- uses: clowdhaus/terraform-composite-actions/directories@v1.8.3
-
- preCommitMinVersions:
- name: Min TF pre-commit
- needs: collectInputs
- runs-on: ubuntu-latest
- strategy:
- matrix:
- directory: ${{ fromJson(needs.collectInputs.outputs.directories) }}
- steps:
- - name: Checkout
- uses: actions/checkout@v2
-
- - name: Terraform min/max versions
- id: minMax
- uses: clowdhaus/terraform-min-max@v1.0.3
- with:
- directory: ${{ matrix.directory }}
-
- - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
- # Run only validate pre-commit check on min version supported
- if: ${{ matrix.directory != '.' }}
- uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3
- with:
- terraform-version: ${{ steps.minMax.outputs.minVersion }}
- args: "terraform-validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*"
-
- - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
- # Run only validate pre-commit check on min version supported
- if: ${{ matrix.directory == '.' 
}}
- uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3
- with:
- terraform-version: ${{ steps.minMax.outputs.minVersion }}
- args: "terraform-validate --color=always --show-diff-on-failure --files $(ls *.tf)"
-
- preCommitMaxVersion:
- name: Max TF pre-commit
- runs-on: ubuntu-latest
- needs: collectInputs
- steps:
- - name: Checkout
- uses: actions/checkout@v2
- with:
- ref: ${{ github.event.pull_request.head.ref }}
- repository: ${{github.event.pull_request.head.repo.full_name}}
-
- - name: Terraform min/max versions
- id: minMax
- uses: clowdhaus/terraform-min-max@v1.0.3
-
- # Step required as tflint pre-commit hook requires module to be initialised
- - run: terraform init
-
- - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
- uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3
- with:
- terraform-version: ${{ steps.minMax.outputs.maxVersion }}
- terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }}
- # tflint-version: ${{ env.TFLINT_VERSION }} # use this version with "Invicton-Labs/deepmerge/null" module
+ main:
+ uses: getindata/github-workflows/.github/workflows/tf-pre-commit.yml@v1
+ with:
+ # tflint v0.46.0 is the latest version we can use with pre-commit v0.1.20
+ # See .pre-commit-config.yaml for more details.
+ tflint-version: v0.46.0
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b533188..fb52469 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,67 +1,13 @@
 name: Create new release with changelog
 
+permissions:
+ contents: write
+ pull-requests: write
+
 on:
- pull_request:
+ pull_request_target:
 types: [closed]
 
 jobs:
 release:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- with:
- fetch-depth: 100
-
- - name: Check release label
- id: release-label
- uses: actions-ecosystem/action-release-label@v1
- if: ${{ github.event.pull_request.merged == true }}
-
- - name: Get latest tag
- id: get-latest-tag
- uses: actions-ecosystem/action-get-latest-tag@v1
- if: ${{ steps.release-label.outputs.level != null }}
-
- - name: Bump semantic version
- id: bump-semver
- uses: actions-ecosystem/action-bump-semver@v1
- if: ${{ steps.release-label.outputs.level != null }}
- with:
- current_version: ${{ steps.get-latest-tag.outputs.tag }}
- level: ${{ steps.release-label.outputs.level }}
-
- - name: Tag release
- id: tag-relese
- uses: actions-ecosystem/action-push-tag@v1
- if: ${{ steps.release-label.outputs.level != null }}
- with:
- tag: ${{ steps.bump-semver.outputs.new_version }}
- message: "${{ steps.bump-semver.outputs.new_version }}: PR #${{ github.event.pull_request.number }} ${{ github.event.pull_request.title }}"
-
- - name: Generate new release with changelog
- id: release-with-changelog
- uses: fregante/release-with-changelog@v3
- if: ${{ steps.bump-semver.outputs.new_version != null }}
- with:
- token: "${{ secrets.GITHUB_TOKEN }}"
- exclude: '^meta|^docs|^document|^lint|^ci|^refactor|readme|workflow|bump|dependencies|yml|^v?\d+\.\d+\.\d+'
- tag: "${{ steps.bump-semver.outputs.new_version }}"
- title: "Version ${{ steps.bump-semver.outputs.new_version }}"
- commit-template: "- {title} ← {hash}"
- skip-on-empty: true
- template: |
- ### Changelog
-
- {commits}
-
- {range}
-
- - name: Comment PR
- id: add-comment
- uses: actions-ecosystem/action-create-comment@v1
- if: ${{ steps.bump-semver.outputs.new_version != null }}
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
- number: ${{ 
steps.get-merged-pull-request.outputs.number }}
- body: |
- The new version [${{ steps.bump-semver.outputs.new_version }}](https://github.com/${{ github.repository }}/releases/tag/${{ steps.bump-semver.outputs.new_version }}) has been released :tada:
+ uses: getindata/github-workflows/.github/workflows/gh-create-release.yml@v1
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 087cdd1..2c59029 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
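Review bot: The `release` job (its `release:` key sits earlier in this hunk) now runs on every `pull_request_target` close event, and the `if: ${{ github.event.pull_request.merged == true }}` guard that the removed steps carried is not visible anywhere in the new caller, so a closed-but-unmerged pull request, including one opened from a fork, invokes gh-create-release.yml with the `contents: write` and `pull-requests: write` token granted at the top of the file. Unless the reusable workflow is known to check the merged state itself, put the guard back at job level: `release:` / `if: github.event.pull_request.merged == true` / `uses: getindata/github-workflows/.github/workflows/gh-create-release.yml@v1`. A one-line comment above the `permissions:` block saying that the write scopes exist only to push the tag and release and to comment on the PR would also make a later reviewer less likely to widen them.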
@@ -1,28 +1,35 @@
 repos:
 - repo: https://github.com/gruntwork-io/pre-commit
- rev: "v0.1.17" # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases
+ # Stick to v0.1.20 until this bug is fixed: https://github.com/gruntwork-io/pre-commit/issues/102
+ # When updating, also check if tflint version in pre-commit workflow can be updated.
+ rev: "v0.1.20" # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases
 hooks:
+ - id: terraform-validate # It should be the first step as it runs terraform init required by tflint
+ - id: terraform-fmt
 - id: tflint
 args:
 - --module
 - --config=.tflint.hcl
- - id: terraform-validate
- - id: terraform-fmt
 
 - repo: https://github.com/terraform-docs/terraform-docs
- rev: "v0.16.0" # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+ rev: "v0.16.0" # Get the latest from: https://github.com/terraform-docs/terraform-docs/releases
 hooks:
 - id: terraform-docs-go
 args: ["."]
 
 - repo: https://github.com/bridgecrewio/checkov.git
- rev: "2.2.246" # Get the latest from: https://github.com/bridgecrewio/checkov/releases
+ rev: "2.5.13" # Get the latest from: https://github.com/bridgecrewio/checkov/releases
 hooks:
 - id: checkov
- args: [--skip-check, "CKV2_GHA_1"] #Flase positive for top-level permissions
+ args: [--skip-check, "CKV_TF_1"] # Terraform module sources do not use a git url with a commit hash revision
 
 - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: "v4.3.0" # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
+ rev: "v4.5.0" # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
 hooks:
 - id: check-merge-conflict
+ args: ["--assume-in-merge"]
+ - id: mixed-line-ending
+ args: ["--fix=no"]
 - id: end-of-file-fixer
+ - id: check-case-conflict
+ - id: check-yaml
diff --git a/.tflint.hcl b/.tflint.hcl
index b3cc62f..6a33dcb 100644
--- a/.tflint.hcl
+++ b/.tflint.hcl
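Review bot: The hook arguments are now written in two forms in one file: the tflint entry keeps a block sequence (`- --module`, `- --config=.tflint.hcl`) while the added `args: ["--assume-in-merge"]` and `args: ["--fix=no"]` use flow lists like the existing `args: ["."]` and the checkov line; settling on one form (the block sequence matches the rest of the file's block style) would read more consistently. The checkov `--skip-check` line is the only finding suppression in the file, and its justification is appended to a line well over 100 characters; moving it to its own line directly above the `args:` line, `# CKV_TF_1 skipped: module sources do not use a git url with a commit hash revision`, keeps the reason visible in `git blame` and in tools that truncate long lines. Dropping the old `CKV2_GHA_1` skip looks intentional now that the workflows declare top-level `permissions:`, but a short note in the commit description would confirm that.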
@@ -4,35 +4,13 @@ config {
 }
 }
 
-rule "terraform_deprecated_interpolation" {
- enabled = true
+plugin "terraform" {
+ enabled = true
+ version = "0.5.0"
+ source = "github.com/terraform-linters/tflint-ruleset-terraform"
+ preset = "all"
 }
 
-rule "terraform_documented_outputs" {
- enabled = true
-}
-
-rule "terraform_documented_variables" {
- enabled = true
-}
-
-rule "terraform_typed_variables" {
- enabled = true
-}
-
-rule "terraform_required_version" {
- enabled = true
-}
-
-rule "terraform_required_providers" {
- enabled = true
-}
-
-rule "terraform_unused_required_providers" {
- enabled = true
-}
-
-rule "terraform_naming_convention" {
- enabled = true
- format = "snake_case"
+rule "terraform_standard_module_structure" {
+ enabled = false # Fails on context.tf
 }
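Review bot: The justification on the added `enabled = false # Fails on context.tf` line records the symptom rather than the decision, so a later maintainer cannot tell when the rule may be switched back on; spell it out, e.g. `# Disabled: this module ships a context.tf, which the standard-module-structure check does not accept; re-enable if that file is removed`. The `plugin "terraform"` block replaces eight explicitly enabled rules with `preset = "all"`, and the removed `terraform_naming_convention` block carried `format = "snake_case"` that the new config no longer states; if the preset's default format for that rule is anything other than snake_case this is a silent change in what the linter enforces, so a comment above the plugin block naming the rules the preset is expected to cover (or a small `rule "terraform_naming_convention"` block restating the format) would make the intent checkable.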