diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..149c073 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,2 @@ +# repository owner +@matchan26 diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 0000000..5336c1b --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,28 @@ + + +Resolves #ISSUE_NUMBER + +---- + +### Before the change? + + +* + +### After the change? + + +* + +### Pull request checklist +- [ ] Tests for the changes have been added (for bug fixes / features) +- [ ] Docs have been reviewed and added / updated if needed (for bug fixes / features) + +### Does this introduce a breaking change? + + + +- [ ] Yes +- [ ] No + +---- diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml new file mode 100644 index 0000000..fb38209 --- /dev/null +++ b/.github/workflows/actionlint.yaml @@ -0,0 +1,20 @@ +--- +name: actionlint +on: + pull_request: + branches: [main] + paths: + - .github/** + - aqua/actionlint.yaml +jobs: + actionlint: + runs-on: ubuntu-latest + permissions: + pull-requests: write + contents: read + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + with: + aqua_version: v2.17.2 + - uses: suzuki-shunsuke/github-action-actionlint@60449a33b52da4f92a069b8af50d04515d6177bf # v0.1.3 diff --git a/.github/workflows/apply.yaml b/.github/workflows/apply.yaml new file mode 100644 index 0000000..d30c79c --- /dev/null +++ b/.github/workflows/apply.yaml @@ -0,0 +1,87 @@ +--- +name: apply +on: + push: + branches: [main] # Disabled. CHANGEME Replace dummy with main +env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + TFACTION_IS_APPLY: 'true' +permissions: + id-token: write + contents: read + issues: read # this is required to `gh pr list`'s `-l` option + pull-requests: write + actions: read +jobs: + setup: + runs-on: ubuntu-latest + outputs: + targets: ${{ steps.list-targets.outputs.targets }} + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + with: + aqua_version: v2.17.2 + + - uses: suzuki-shunsuke/tfaction/list-targets@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 + id: list-targets + + apply: + name: "apply (${{matrix.target.target}})" + runs-on: ${{matrix.target.runs_on}} + needs: setup + # if services is empty, the build job is skipped + if: "join(fromJSON(needs.setup.outputs.targets), '') != ''" + strategy: + fail-fast: false + matrix: + target: ${{fromJSON(needs.setup.outputs.targets)}} + env: + TFACTION_TARGET: ${{matrix.target.target}} + TFACTION_JOB_TYPE: ${{matrix.target.job_type}} + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Generate token + id: generate_token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 + with: + app_id: ${{ secrets.APP_ID }} + private_key: ${{ secrets.APP_PRIVATE_KEY }} + + - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + with: + aqua_version: v2.17.2 + + - uses: suzuki-shunsuke/tfaction/export-secrets@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 + with: + secrets: ${{ toJSON(secrets) }} + + # This is required to download private modules in `terraform init` + - run: gh auth setup-git + env: + GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} + + - run: tfaction get-or-create-drift-issue + shell: bash + env: + GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} + + - uses: suzuki-shunsuke/tfaction/setup@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 + with: + github_app_token: ${{ steps.generate_token.outputs.token }} + ssh_key: ${{ secrets.TERRAFORM_PRIVATE_MODULE_SSH_KEY }} # This isn't needed if you don't use SSH key to checkout private Terraform Modules + + - uses: suzuki-shunsuke/tfaction/apply@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 + with: + github_app_token: ${{ steps.generate_token.outputs.token }} + + - uses: suzuki-shunsuke/tfaction/create-follow-up-pr@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 + if: failure() + with: + github_app_token: ${{ steps.generate_token.outputs.token }} + + - uses: suzuki-shunsuke/tfaction/update-drift-issue@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 + if: always() + with: + status: ${{job.status}} + github_token: ${{steps.generate_token.outputs.token}} diff --git a/.github/workflows/release-module.yaml b/.github/workflows/release-module.yaml new file mode 100644 index 0000000..2bbc525 --- /dev/null +++ b/.github/workflows/release-module.yaml @@ -0,0 +1,30 @@ +--- +name: Release a Terraform Module +run-name: Release a Terraform Module (${{inputs.module_path}} ${{inputs.version}}) +on: + workflow_dispatch: + inputs: + module_path: + description: 'Module path' + required: true + version: + description: 'Module version' + required: true +permissions: + contents: write +env: + TFACTION_TARGET: ${{github.event.inputs.module_path}} +jobs: + release-module: + name: "release-module (${{github.event.inputs.module_path}})" + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + with: + aqua_version: v2.17.2 + + - uses: suzuki-shunsuke/tfaction/release-module@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 + with: + version: ${{ github.event.inputs.version }} + module_path: ${{ github.event.inputs.module_path }} diff --git a/.github/workflows/scaffold-module.yaml b/.github/workflows/scaffold-module.yaml new file mode 100644 index 0000000..ed1a7e9 --- /dev/null +++ b/.github/workflows/scaffold-module.yaml @@ -0,0 +1,32 @@ +--- +name: Scaffold Terraform Module +run-name: Scaffold Terraform Module (${{inputs.module_path}}) +on: + workflow_dispatch: + inputs: + module_path: + description: 'module path' + required: true +permissions: + contents: read + pull-requests: write +jobs: + scaffold: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + with: + aqua_version: v2.17.2 + + - name: Generate token + id: generate_token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 + with: + app_id: ${{ secrets.APP_ID }} + private_key: ${{ secrets.APP_PRIVATE_KEY }} + + - uses: suzuki-shunsuke/tfaction/scaffold-module@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 + with: + github_token: ${{ steps.generate_token.outputs.token }} + module_path: ${{ github.event.inputs.module_path }} diff --git a/.github/workflows/scaffold-tfmigrate.yaml b/.github/workflows/scaffold-tfmigrate.yaml new file mode 100644 index 0000000..6b40dea --- /dev/null +++ b/.github/workflows/scaffold-tfmigrate.yaml @@ -0,0 +1,44 @@ +--- +name: Scaffold tfmigrate +run-name: Scaffold tfmigrate (${{inputs.target}}) +on: + workflow_dispatch: + inputs: + target: + description: 'target' + required: true + migration_name: + description: 'migration name. e.g. "import_foo"' + required: true + pr_number: + description: Pull Request Number + required: false +env: + TFACTION_TARGET: ${{github.event.inputs.target}} +permissions: + contents: read + pull-requests: write +jobs: + scaffold: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Generate token + id: generate_token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 + with: + app_id: ${{secrets.APP_ID}} + private_key: ${{secrets.APP_PRIVATE_KEY}} + + - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + with: + aqua_version: v2.17.2 + env: + GITHUB_TOKEN: ${{steps.generate_token.outputs.token}} + + - uses: suzuki-shunsuke/tfaction/scaffold-tfmigrate@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 + with: + github_app_token: ${{steps.generate_token.outputs.token}} + migration_name: ${{github.event.inputs.migration_name}} + pr_number: ${{inputs.pr_number}} diff --git a/.github/workflows/scaffold-working-directory.yaml b/.github/workflows/scaffold-working-directory.yaml new file mode 100644 index 0000000..b3d6c70 --- /dev/null +++ b/.github/workflows/scaffold-working-directory.yaml @@ -0,0 +1,36 @@ +--- +name: Scaffold a working directory +run-name: Scaffold a working directory (${{inputs.working_dir}}) +on: + workflow_dispatch: + inputs: + working_dir: + description: working directory + required: true +env: + TFACTION_WORKING_DIR: ${{github.event.inputs.working_dir}} +permissions: + id-token: write + contents: read + pull-requests: write +jobs: + scaffold: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + with: + aqua_version: v2.17.2 + + - uses: suzuki-shunsuke/tfaction/scaffold-working-dir@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 + + - name: Generate token + id: generate_token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 + with: + app_id: ${{ secrets.APP_ID }} + private_key: ${{ secrets.APP_PRIVATE_KEY }} + + - uses: suzuki-shunsuke/tfaction/create-scaffold-pr@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 + with: + github_app_token: ${{ steps.generate_token.outputs.token }} diff --git a/.github/workflows/schedule-create-drift-issues.yaml b/.github/workflows/schedule-create-drift-issues.yaml new file mode 100644 index 0000000..2ef1378 --- /dev/null +++ b/.github/workflows/schedule-create-drift-issues.yaml @@ -0,0 +1,18 @@ +name: Create drift issues +on: + workflow_dispatch: + inputs: {} + # schedule: + # # daily + # - cron: '0 0 * * *' +jobs: + test: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + with: + aqua_version: v2.17.2 + - run: tfaction create-drift-issues + env: + GITHUB_TOKEN: ${{github.token}} diff --git a/.github/workflows/schedule-detect-drifts.yaml b/.github/workflows/schedule-detect-drifts.yaml new file mode 100644 index 0000000..bbf7544 --- /dev/null +++ b/.github/workflows/schedule-detect-drifts.yaml @@ -0,0 +1,81 @@ +name: Detect drift +on: + workflow_dispatch: + inputs: {} + # schedule: + # # hourly + # - cron: '0 * * * *' +jobs: + pick-out-drift-issues: + runs-on: ubuntu-latest + outputs: + issues: ${{steps.pick-out-drift-issues.outputs.issues}} + has_issues: ${{steps.pick-out-drift-issues.outputs.has_issues}} + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + with: + aqua_version: v2.17.2 + - run: tfaction pick-out-drift-issues + id: pick-out-drift-issues + env: + GITHUB_TOKEN: ${{github.token}} + + detect-drift: + name: "detect-drift (${{matrix.issue.target}})" + runs-on: ${{matrix.issue.runs_on}} + needs: pick-out-drift-issues + permissions: + issues: write # For github-comment and tfcmt + contents: write # To push commits + id-token: write # For OIDC + if: fromJSON(needs.pick-out-drift-issues.outputs.has_issues) + strategy: + fail-fast: false + matrix: + issue: ${{fromJSON(needs.pick-out-drift-issues.outputs.issues)}} + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Generate token + id: generate_token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 + with: + app_id: ${{secrets.APP_ID}} + private_key: ${{secrets.APP_PRIVATE_KEY}} + + - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + with: + aqua_version: v2.17.2 + env: + GITHUB_TOKEN: ${{github.token}} + + - uses: suzuki-shunsuke/tfaction/set-drift-env@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 + with: + issue: ${{toJSON(matrix.issue)}} + + - uses: suzuki-shunsuke/tfaction/setup@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 + with: + github_token: ${{steps.generate_token.outputs.token}} + github_app_token: ${{steps.generate_token.outputs.token}} + env: + GITHUB_TOKEN: ${{steps.generate_token.outputs.token}} + + - uses: suzuki-shunsuke/tfaction/test@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 + with: + github_token: ${{steps.generate_token.outputs.token}} + github_app_token: ${{steps.generate_token.outputs.token}} + env: + GITHUB_TOKEN: ${{steps.generate_token.outputs.token}} + + - uses: suzuki-shunsuke/tfaction/terraform-plan@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 + with: + github_token: ${{steps.generate_token.outputs.token}} + github_app_token: ${{steps.generate_token.outputs.token}} + env: + GITHUB_TOKEN: ${{steps.generate_token.outputs.token}} + + - uses: suzuki-shunsuke/tfaction/update-drift-issue@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 + if: always() + with: + status: ${{job.status}} + github_token: ${{steps.generate_token.outputs.token}} diff --git a/.github/workflows/self-approval.yaml b/.github/workflows/self-approval.yaml new file mode 100644 index 0000000..0ac1bd6 --- /dev/null +++ b/.github/workflows/self-approval.yaml @@ -0,0 +1,20 @@ +name: Self-Approve Action + +on: + pull_request: + +jobs: + self-approve-action: + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Self-Approve Action + uses: nicklegan/github-repo-self-approve-action@v1.0.0 + if: github.actor == 'matchan26' + with: + appid: ${{ secrets.APP_ID }} + privatekey: ${{ secrets.APP_PRIVATE_KEY }} + installationid: ${{ secrets.APP_INSTALLATION_ID }} diff --git a/.github/workflows/sync-drift-issue-description.yaml b/.github/workflows/sync-drift-issue-description.yaml new file mode 100644 index 0000000..bff970a --- /dev/null +++ b/.github/workflows/sync-drift-issue-description.yaml @@ -0,0 +1,17 @@ +name: Synchronize drift issue description + +on: + issue_comment: + types: + - created + +jobs: + sync-issue: + runs-on: ubuntu-latest + # PLEASE CHANGE github.actor + if: | + !github.event.issue.pull_request && startsWith(github.event.issue.title, 'Terraform Drift (') && endsWith(github.event.issue.title, ')') && github.actor == 'suzuki-shunsuke' + permissions: + issues: write + steps: + - uses: suzuki-shunsuke/tfaction/sync-drift-issue-description@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml new file mode 100644 index 0000000..a35d5fb --- /dev/null +++ b/.github/workflows/test.yaml @@ -0,0 +1,152 @@ +--- +name: test +on: pull_request_target + +concurrency: + group: ${{ github.workflow }}--${{ github.ref }} + cancel-in-progress: true + +jobs: + path-filter: + # Get changed files to filter jobs + outputs: + merge_commit_sha: ${{steps.pr.outputs.merge_commit_sha}} + + update-aqua-checksums: ${{steps.changes.outputs.update-aqua-checksums}} + renovate-config-validator: ${{steps.changes.outputs.renovate-config-validator}} + conftest-verify: ${{steps.changes.outputs.conftest-verify}} + opa-fmt: ${{steps.changes.outputs.opa-fmt}} + runs-on: ubuntu-latest + permissions: + pull-requests: read # To get pull requests of the private repository + steps: + - uses: suzuki-shunsuke/get-pr-action@b002e41164d7a39586b41f17f9caca4e98a1efe4 # v0.1.0 + id: pr + - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 + id: changes + with: + filters: | + update-aqua-checksums: + - aqua.yaml + - aqua/*.yaml + - aqua-checksums.json + - .github/workflows/test.yaml + - .github/workflows/wc-update-aqua-checksums.yaml + renovate-config-validator: + - renovate.json5 + - .github/workflows/test.yaml + - .github/workflows/wc-renovate-config-validator.yaml + conftest-verify: + - "**.rego" + - aqua/conftest.yaml + - .github/workflows/wc-conftest-verify.yaml + - .github/workflows/test.yaml + opa-fmt: + - "**.rego" + - .github/workflows/wc-opa-fmt.yaml + - .github/workflows/test.yaml + - aqua/opa.yaml + + enable-automerge: + # This job is used for main branch's branch protection rule's status check. + # If all dependent jobs succeed or are skipped this job succeeds. + uses: ./.github/workflows/wc-enable-automerge.yaml + needs: + - status-check + permissions: {} + secrets: + gh_app_id: ${{secrets.APP_ID}} + gh_app_private_key: ${{secrets.APP_PRIVATE_KEY}} + if: | + ! failure() && ! cancelled() && github.event.pull_request.user.login == 'renovate[bot]' && contains(github.event.pull_request.body, ' **Automerge**: Enabled.') + + # This job is used for branch protection rule + # Add this job to `Status checks that are required` + status-check: + runs-on: ubuntu-latest + needs: + - test + - conftest-verify + - opa-fmt + - hide-comment + - renovate-config-validator + - update-aqua-checksums + if: failure() + steps: + - run: exit 1 + + test: + uses: ./.github/workflows/wc-test.yaml + needs: path-filter + permissions: + id-token: write + contents: read + pull-requests: write + with: + ref: ${{needs.path-filter.outputs.merge_commit_sha}} + secrets: + gh_app_id: ${{secrets.APP_ID}} + gh_app_private_key: ${{secrets.APP_PRIVATE_KEY}} + terraform_private_module_ssh_key: ${{secrets.TERRAFORM_PRIVATE_MODULE_SSH_KEY}} + secrets: ${{toJSON(secrets)}} + + conftest-verify: + uses: ./.github/workflows/wc-conftest-verify.yaml + needs: path-filter + if: | + needs.path-filter.outputs.conftest-verify == 'true' + permissions: + contents: read + pull-requests: write + with: + ref: ${{needs.path-filter.outputs.merge_commit_sha}} + secrets: + gh_app_id: ${{secrets.APP_ID}} + gh_app_private_key: ${{secrets.APP_PRIVATE_KEY}} + + opa-fmt: + uses: ./.github/workflows/wc-opa-fmt.yaml + needs: path-filter + if: | + needs.path-filter.outputs.opa-fmt == 'true' + permissions: + contents: read + pull-requests: write + with: + ref: ${{needs.path-filter.outputs.merge_commit_sha}} + secrets: + gh_app_id: ${{secrets.APP_ID}} + gh_app_private_key: ${{secrets.APP_PRIVATE_KEY}} + + hide-comment: + uses: ./.github/workflows/wc-hide-comment.yaml + needs: path-filter + permissions: + contents: read + pull-requests: write + with: + ref: ${{needs.path-filter.outputs.merge_commit_sha}} + secrets: + gh_app_id: ${{secrets.APP_ID}} + gh_app_private_key: ${{secrets.APP_PRIVATE_KEY}} + + renovate-config-validator: + uses: ./.github/workflows/wc-renovate-config-validator.yaml + needs: path-filter + if: needs.path-filter.outputs.renovate-config-validator == 'true' + with: + ref: ${{needs.path-filter.outputs.merge_commit_sha}} + permissions: + contents: read + + update-aqua-checksums: + uses: ./.github/workflows/wc-update-aqua-checksums.yaml + needs: path-filter + if: needs.path-filter.outputs.update-aqua-checksums == 'true' + permissions: + contents: read + with: + ref: ${{needs.path-filter.outputs.merge_commit_sha}} + secrets: + gh_app_id: ${{secrets.APP_ID}} + gh_app_private_key: ${{secrets.APP_PRIVATE_KEY}} diff --git a/.github/workflows/wc-conftest-verify.yaml b/.github/workflows/wc-conftest-verify.yaml new file mode 100644 index 0000000..01afb7c --- /dev/null +++ b/.github/workflows/wc-conftest-verify.yaml @@ -0,0 +1,42 @@ +--- +name: conftest-verify +on: + workflow_call: + inputs: + ref: + required: false + type: string + secrets: + gh_token: + required: false + gh_app_id: + required: false + gh_app_private_key: + required: false +env: + GH_COMMENT_SHA1: ${{inputs.ref}} +jobs: + conftest-verify: + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + ref: ${{inputs.ref}} + - uses: suzuki-shunsuke/github-token-action@04d633c696e9d09e958c8b815c75db9606d6d927 # v0.2.0 + id: token + with: + github_token: ${{secrets.gh_token}} + github_app_id: ${{secrets.gh_app_id}} + github_app_private_key: ${{secrets.gh_app_private_key}} + default_github_token: ${{github.token}} + - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + with: + aqua_version: v2.17.2 + env: + AQUA_GITHUB_TOKEN: ${{steps.token.outputs.token}} + - run: github-comment exec -- conftest verify --no-color -p policy/terraform + env: + GITHUB_TOKEN: ${{steps.token.outputs.token}} diff --git a/.github/workflows/wc-enable-automerge.yaml b/.github/workflows/wc-enable-automerge.yaml new file mode 100644 index 0000000..a34af5f --- /dev/null +++ b/.github/workflows/wc-enable-automerge.yaml @@ -0,0 +1,29 @@ +--- +name: enable-automerge +on: + workflow_call: + secrets: + gh_app_id: + required: false + gh_app_private_key: + required: false + +jobs: + enable-automerge: + runs-on: ubuntu-latest + permissions: {} + steps: + - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 + id: token + with: + app_id: ${{secrets.gh_app_id}} + private_key: ${{secrets.gh_app_private_key}} + permissions: >- + {"pull_requests": "write", "contents": "write"} + # repositories: >- + # ["${{github.repository}}"] + + - run: gh -R "$GITHUB_REPOSITORY" pr merge --squash --auto --delete-branch "$PR_NUMBER" + env: + GITHUB_TOKEN: ${{steps.token.outputs.token}} # Use GitHub App to trigger GitHub Actions Workflow by merge commit. + PR_NUMBER: ${{github.event.pull_request.number}} diff --git a/.github/workflows/wc-hide-comment.yaml b/.github/workflows/wc-hide-comment.yaml new file mode 100644 index 0000000..d055116 --- /dev/null +++ b/.github/workflows/wc-hide-comment.yaml @@ -0,0 +1,42 @@ +--- +name: Hide comments +on: + workflow_call: + inputs: + ref: + required: false + type: string + secrets: + gh_token: + required: false + gh_app_id: + required: false + gh_app_private_key: + required: false +permissions: + contents: read + pull-requests: write +env: + GH_COMMENT_SHA1: ${{inputs.ref}} +jobs: + hide-comment: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + ref: ${{inputs.ref}} + - uses: suzuki-shunsuke/github-token-action@04d633c696e9d09e958c8b815c75db9606d6d927 # v0.2.0 + id: token + with: + github_token: ${{secrets.gh_token}} + github_app_id: ${{secrets.gh_app_id}} + github_app_private_key: ${{secrets.gh_app_private_key}} + default_github_token: ${{github.token}} + - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + with: + aqua_version: v2.17.2 + env: + AQUA_GITHUB_TOKEN: ${{steps.token.outputs.token}} + - run: github-comment exec -- github-comment hide + env: + GITHUB_TOKEN: ${{steps.token.outputs.token}} diff --git a/.github/workflows/wc-opa-fmt.yaml b/.github/workflows/wc-opa-fmt.yaml new file mode 100644 index 0000000..6a8f873 --- /dev/null +++ b/.github/workflows/wc-opa-fmt.yaml @@ -0,0 +1,40 @@ +--- +name: opa-fmt +on: + workflow_call: + inputs: + ref: + required: false + type: string + secrets: + gh_token: + required: false + gh_app_id: + required: false + gh_app_private_key: + required: false +jobs: + opa-fmt: + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + ref: ${{inputs.ref}} + - uses: suzuki-shunsuke/github-token-action@04d633c696e9d09e958c8b815c75db9606d6d927 # v0.2.0 + id: token + with: + github_token: ${{secrets.gh_token}} + github_app_id: ${{secrets.gh_app_id}} + github_app_private_key: ${{secrets.gh_app_private_key}} + default_github_token: ${{github.token}} + - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + with: + aqua_version: v2.17.2 + env: + AQUA_GITHUB_TOKEN: ${{steps.token.outputs.token}} + - uses: suzuki-shunsuke/github-action-opa-fmt@59d2b3726741e2aeb3fc96ba2cbdfd05ae879f28 # v0.1.0 + with: + github_token: ${{steps.token.outputs.token}} diff --git a/.github/workflows/wc-renovate-config-validator.yaml b/.github/workflows/wc-renovate-config-validator.yaml new file mode 100644 index 0000000..8147056 --- /dev/null +++ b/.github/workflows/wc-renovate-config-validator.yaml @@ -0,0 +1,16 @@ +--- +name: renovate-config-validator +on: + workflow_call: + inputs: + ref: + required: false + type: string +jobs: + renovate-config-validator: + # Validate Renovate Configuration by renovate-config-validator. + uses: suzuki-shunsuke/renovate-config-validator-workflow/.github/workflows/validate.yaml@4a378742d05b4e67aae34039d7c779ac913cd79d # v0.2.3 + with: + ref: ${{inputs.ref}} + permissions: + contents: read diff --git a/.github/workflows/wc-test.yaml b/.github/workflows/wc-test.yaml new file mode 100644 index 0000000..fb0ab9b --- /dev/null +++ b/.github/workflows/wc-test.yaml @@ -0,0 +1,171 @@ +--- +name: wc-test +on: + workflow_call: + inputs: + ref: + required: false + type: string + secrets: + gh_token: + required: false + gh_app_id: + required: false + gh_app_private_key: + required: false + terraform_private_module_ssh_key: # This isn't needed if you don't use SSH key to checkout private Terraform Modules + required: false + secrets: + required: false + +env: + TFACTION_IS_APPLY: 'false' + GH_COMMENT_SHA1: ${{inputs.ref}} + TFCMT_SHA: ${{inputs.ref}} + + +permissions: + id-token: write + contents: read + pull-requests: write + +jobs: + setup: + runs-on: ubuntu-latest + outputs: + targets: ${{ steps.list-targets.outputs.targets }} + modules: ${{ steps.list-targets.outputs.modules }} + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + ref: ${{inputs.ref}} + - uses: suzuki-shunsuke/github-token-action@04d633c696e9d09e958c8b815c75db9606d6d927 # v0.2.0 + id: token + with: + github_token: ${{secrets.gh_token}} + github_app_id: ${{secrets.gh_app_id}} + github_app_private_key: ${{secrets.gh_app_private_key}} + default_github_token: ${{github.token}} + + - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + with: + aqua_version: v2.17.2 + env: + AQUA_GITHUB_TOKEN: ${{steps.token.outputs.token}} + + - uses: suzuki-shunsuke/tfaction/list-targets@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 + id: list-targets + + test-module: + name: "test-module (${{matrix.target}})" + runs-on: ubuntu-latest + needs: setup + # if services is empty, the build job is skipped + if: "join(fromJSON(needs.setup.outputs.modules), '') != ''" + env: + TFACTION_TARGET: ${{matrix.target}} + strategy: + matrix: + target: ${{fromJSON(needs.setup.outputs.modules)}} + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + ref: ${{inputs.ref}} + - uses: suzuki-shunsuke/github-token-action@04d633c696e9d09e958c8b815c75db9606d6d927 # v0.2.0 + id: token + with: + github_token: ${{secrets.gh_token}} + github_app_id: ${{secrets.gh_app_id}} + github_app_private_key: ${{secrets.gh_app_private_key}} + default_github_token: ${{github.token}} + + - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + with: + aqua_version: v2.17.2 + aqua_opts: -l -a + working_directory: ${{matrix.target}} + env: + AQUA_GITHUB_TOKEN: ${{steps.token.outputs.token}} + + - uses: suzuki-shunsuke/tfaction/test-module@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 + with: + github_app_token: ${{steps.token.outputs.token}} + + plan: + name: "plan (${{matrix.target.target}})" + runs-on: ${{matrix.target.runs_on}} + needs: setup + # if services is empty, the build job is skipped + if: "join(fromJSON(needs.setup.outputs.targets), '') != ''" + strategy: + fail-fast: true + matrix: + target: ${{fromJSON(needs.setup.outputs.targets)}} + env: + TFACTION_TARGET: ${{matrix.target.target}} + TFACTION_JOB_TYPE: ${{matrix.target.job_type}} + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + ref: ${{inputs.ref}} + - uses: suzuki-shunsuke/github-token-action@04d633c696e9d09e958c8b815c75db9606d6d927 # v0.2.0 + id: token + with: + github_token: ${{secrets.gh_token}} + github_app_id: ${{secrets.gh_app_id}} + github_app_private_key: ${{secrets.gh_app_private_key}} + default_github_token: ${{github.token}} + + - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + with: + aqua_version: v2.17.2 + env: + AQUA_GITHUB_TOKEN: ${{steps.token.outputs.token}} + + - uses: suzuki-shunsuke/tfaction/export-secrets@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 + with: + secrets: ${{secrets.secrets}} + + # This is required to download private modules in `terraform init` + - run: gh auth setup-git + env: + GITHUB_TOKEN: ${{steps.token.outputs.token}} + + - uses: suzuki-shunsuke/tfaction/setup@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 + with: + github_app_token: ${{steps.token.outputs.token}} + ssh_key: ${{secrets.terraform_private_module_ssh_key}} # This isn't needed if you don't use SSH key to checkout private Terraform Modules + + - uses: suzuki-shunsuke/tfaction/get-target-config@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 + id: target-config + + - name: tfprovider check + run: | + set -euo pipefail + github-comment exec -var "tfaction_target:$TFACTION_TARGET" -- tfprovidercheck -v + github-comment exec -var "tfaction_target:$TFACTION_TARGET" -- terraform version -json | github-comment exec -- tfprovidercheck + working-directory: ${{ steps.target-config.outputs.working_directory }} + env: + TFPROVIDERCHECK_CONFIG_BODY: | + providers: + - name: registry.terraform.io/hashicorp/google + - name: registry.terraform.io/hashicorp/google-beta + - name: registry.terraform.io/hashicorp/aws + - name: registry.terraform.io/hashicorp/null + - name: registry.terraform.io/integrations/github + - name: registry.terraform.io/hashicorp/local + - name: registry.terraform.io/hashicorp/template + - name: registry.terraform.io/hashicorp/random + - name: registry.terraform.io/hashicorp/tls + - name: registry.terraform.io/hashicorp/kubernetes + - name: registry.terraform.io/hashicorp/helm + - name: registry.terraform.io/hashicorp/external + GITHUB_TOKEN: ${{steps.token.outputs.token}} # For github-comment + + - uses: suzuki-shunsuke/tfaction/test@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 + with: + github_app_token: ${{steps.token.outputs.token}} + + - uses: suzuki-shunsuke/tfaction/plan@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 + with: + github_app_token: ${{steps.token.outputs.token}} diff --git a/.github/workflows/wc-update-aqua-checksums.yaml b/.github/workflows/wc-update-aqua-checksums.yaml new file mode 100644 index 0000000..19c5112 --- /dev/null +++ b/.github/workflows/wc-update-aqua-checksums.yaml @@ -0,0 +1,29 @@ +--- +name: update-aqua-checksums +on: + workflow_call: + inputs: + ref: + required: false + type: string + secrets: + gh_token: + required: false + gh_app_id: + required: false + gh_app_private_key: + required: false +jobs: + update-aqua-checksums: + # Update aqua-checksums.json and push a commit + uses: aquaproj/update-checksum-workflow/.github/workflows/update-checksum.yaml@9ccbd9ade4e8b92b0dd5757cacf6cd3ebcf7d876 # v0.1.8 + permissions: + contents: read + with: + aqua_version: v2.17.2 + prune: true + ref: ${{inputs.ref}} + secrets: + gh_token: ${{secrets.gh_token}} + gh_app_id: ${{secrets.gh_app_id}} + gh_app_private_key: ${{secrets.gh_app_private_key}} diff --git a/.gitignore b/.gitignore index 9b8a46e..3168e62 100644 --- a/.gitignore +++ b/.gitignore @@ -1,20 +1,66 @@ +# Created by https://www.toptal.com/developers/gitignore/api/terraform,terragrunt,windows,macos,linux,vscode,vim +# Edit at https://www.toptal.com/developers/gitignore?templates=terraform,terragrunt,windows,macos,linux,vscode,vim + +### Linux ### +*~ + +# temporary files which can be created if a process still has a handle open of a deleted file +.fuse_hidden* + +# KDE directory preferences +.directory + +# Linux trash folder which might appear on any partition or disk +.Trash-* + +# .nfs files are created when an open file is removed but is still being accessed +.nfs* + +### macOS ### +# General +.DS_Store +.AppleDouble +.LSOverride + +# Icon must end with two \r +Icon + +# Thumbnails +._* + +# Files that might appear in the root of a volume +.DocumentRevisions-V100 +.fseventsd +.Spotlight-V100 +.TemporaryItems +.Trashes +.VolumeIcon.icns +.com.apple.timemachine.donotpresent + +# Directories potentially created on remote AFP share +.AppleDB +.AppleDesktop +Network Trash Folder +Temporary Items +.apdisk + +### Terraform ### # Local .terraform directories **/.terraform/* # .tfstate files *.tfstate *.tfstate.* +_backend.tf # Crash log files crash.log -crash.*.log -# Exclude all .tfvars files, which are likely to contain sensitive data, such as -# password, private keys, and other secrets. These should not be part of version -# control as they are data points which are potentially sensitive and subject -# to change depending on the environment. -*.tfvars -*.tfvars.json +# Ignore any .tfvars files that are generated automatically for each Terraform run. Most +# .tfvars files are managed as part of configuration and so should be included in +# version control. +# +# example.tfvars # Ignore override files as they are usually used to override resources locally and so # are not checked in @@ -29,6 +75,64 @@ override.tf.json # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan # example: *tfplan* -# Ignore CLI configuration files -.terraformrc -terraform.rc +### Terragrunt ### +# terragrunt cache directories +**/.terragrunt-cache/* + +### Vim ### +# Swap +[._]*.s[a-v][a-z] +!*.svg # comment out if you don't need vector files +[._]*.sw[a-p] +[._]s[a-rt-v][a-z] +[._]ss[a-gi-z] +[._]sw[a-p] + +# Session +Session.vim +Sessionx.vim + +# Temporary +.netrwhist +# Auto-generated tag files +tags +# Persistent undo +[._]*.un~ + +### vscode ### +.vscode/* +!.vscode/settings.json +!.vscode/tasks.json +!.vscode/launch.json +!.vscode/extensions.json +*.code-workspace + +### Windows ### +# Windows thumbnail cache files +Thumbs.db +Thumbs.db:encryptable +ehthumbs.db +ehthumbs_vista.db + +# Dump file +*.stackdump + +# Folder config file +[Dd]esktop.ini + +# Recycle Bin used on file shares +$RECYCLE.BIN/ + +# Windows Installer files +*.cab +*.msi +*.msix +*.msm +*.msp + +# Windows shortcuts +*.lnk + +# End of https://www.toptal.com/developers/gitignore/api/terraform,terragrunt,windows,macos,linux,vscode,vim + +notes.txt diff --git a/aqua/aqua-checksums.json b/aqua/aqua-checksums.json new file mode 100644 index 0000000..b47cda4 --- /dev/null +++ b/aqua/aqua-checksums.json @@ -0,0 +1,384 @@ +{ + "checksums": [ + { + "id": "github_release/github.com/cli/cli/v2.37.0/gh_2.37.0_linux_amd64.tar.gz", + "checksum": "A1D79712C20AF6FE36E388E762BDA60C3FC8FB4AF2F0CFF666143F2C7D3BAA88", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/cli/cli/v2.37.0/gh_2.37.0_linux_arm64.tar.gz", + "checksum": "EF10A152030456F9455F2A321F2D22CB2654E987F5A008731E4C49A4EB4C29C2", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/cli/cli/v2.37.0/gh_2.37.0_macOS_amd64.zip", + "checksum": "0EECB97C52A90F86BD4466A63610CD27E10EA9714B88EE4EE86FDEB1F000E974", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/cli/cli/v2.37.0/gh_2.37.0_macOS_arm64.zip", + "checksum": "B198E750C164A85DF371819C1F89C958C0EB4839AF2CC07C8B8D03077D5A8255", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/cli/cli/v2.37.0/gh_2.37.0_windows_amd64.zip", + "checksum": "466CB9703D13CF55329ED7182D3B598CDABF10C642EF07C7D60700AC187BA1FC", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/cli/cli/v2.37.0/gh_2.37.0_windows_arm64.zip", + "checksum": "D88A2E695DF05AF1F3D4E67849695D989465DDC0773E60BF574BF995FA5B3EFE", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/int128/ghcp/v1.13.2/ghcp_darwin_amd64.zip", + "checksum": "8221F411AC4F2465B7CFD31EFB6DA4568E5FD20BAD9F66AC312B23AFA4520FDD", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/int128/ghcp/v1.13.2/ghcp_linux_amd64.zip", + "checksum": "6B9D9C9A7B834237B6579353477DF3BB3730C11788170AD2A9E5D1230ABC6216", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/int128/ghcp/v1.13.2/ghcp_windows_amd64.zip", + "checksum": "2297D27978C61272184589C3C521514291E6258C3C87EBCB16FB61B32663414E", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/koalaman/shellcheck/v0.9.0/shellcheck-v0.9.0.darwin.x86_64.tar.xz", + "checksum": "9F236690AC20CC320088E0E631C4FDC4B32CDAF7A1BC65459C278BE88E97B1A33F0BA606B2E62186BB1E6FFA811EFC3136BCB4EE72388D02863250DCFE9ACA96", + "algorithm": "sha512" + }, + { + "id": "github_release/github.com/koalaman/shellcheck/v0.9.0/shellcheck-v0.9.0.linux.aarch64.tar.xz", + "checksum": "3C11BC1901D470BA7F95334FCD4D8EA9C39C73EBB15655CD0CC478826279B02413409FA3F7B011C7ECDBA98530953BE54906B4A99B898B064C236F146F3EC749", + "algorithm": "sha512" + }, + { + "id": "github_release/github.com/koalaman/shellcheck/v0.9.0/shellcheck-v0.9.0.linux.x86_64.tar.xz", + "checksum": "157FD8B2C18A257F3876E23015580EA63D27B12C4F13F87D625A180E8CA042E7501271D15EDEB36E7B5780DA73815B45386A33E063AB1C891D838F35C778A8AC", + "algorithm": "sha512" + }, + { + "id": "github_release/github.com/koalaman/shellcheck/v0.9.0/shellcheck-v0.9.0.zip", + "checksum": "31F415A995864D238E4C286CFD0227DAE3C9BCC6C327B925E182A390C9258A1783F815BA4389D85BEA504CFE62B1BABDC862303F2EF014AF66D4189A42797BD0", + "algorithm": "sha512" + }, + { + "id": "github_release/github.com/minamijoyo/tfmigrate/v0.3.18/tfmigrate_0.3.18_darwin_amd64.tar.gz", + "checksum": "571D21DEC5C762FE54D6F9C8096A9D97FE8B297525AF1F8885FC3024E561FF84", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/minamijoyo/tfmigrate/v0.3.18/tfmigrate_0.3.18_darwin_arm64.tar.gz", + "checksum": "196312B365D8FCBE4C8159F0343FDD2F8ACFFB17C8636E955A37380954D4F21A", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/minamijoyo/tfmigrate/v0.3.18/tfmigrate_0.3.18_linux_amd64.tar.gz", + "checksum": "796A67893FE3875EE362DBAFAEAB29EAF8B7835F6FC8E25576B0FD047526F78F", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/minamijoyo/tfmigrate/v0.3.18/tfmigrate_0.3.18_linux_arm64.tar.gz", + "checksum": "4780E9211D54C4F49C7A302BAD0138A49F9B81A7F2D036EB63FF71A856A69964", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/open-policy-agent/conftest/v0.46.0/conftest_0.46.0_Darwin_arm64.tar.gz", + "checksum": "6C3BBABE1B1EB8620792C3D3C894FC3D5FCF00A13B043F1FE43773500839A73C", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/open-policy-agent/conftest/v0.46.0/conftest_0.46.0_Darwin_x86_64.tar.gz", + "checksum": "AA3B45DB7FB7C212609FB0C8C6E84639C336FD652D56F943ADB7C8A2BE0380EC", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/open-policy-agent/conftest/v0.46.0/conftest_0.46.0_Linux_arm64.tar.gz", + "checksum": "A125F4E993364C6C3B3CECDCB397E9A1DE43CCB446388FF99D26F553A7EBCB9A", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/open-policy-agent/conftest/v0.46.0/conftest_0.46.0_Linux_x86_64.tar.gz", + "checksum": "0BEC3E90E1812E83B1B28714B51F4075FC48F7388884AD9018E5499D96F02C11", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/open-policy-agent/conftest/v0.46.0/conftest_0.46.0_Windows_arm64.zip", + "checksum": "A96CCB8FC2E1081205AD19817F98EC8CA6BF876B63F06E28A692ECFC80C98F0A", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/open-policy-agent/conftest/v0.46.0/conftest_0.46.0_Windows_x86_64.zip", + "checksum": "E8C008FED8C2B793686D8EC14ED2C6795BC8B8E4E2398F6CF11A06298F6F6D27", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/open-policy-agent/opa/v0.57.1/opa_darwin_amd64", + "checksum": "54A2D229638BADDB0AC6F7C283295E547E6F491AB2DDCAF714FA182427E8421D", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/open-policy-agent/opa/v0.57.1/opa_darwin_arm64_static", + "checksum": "367ADBA9C1380297C87A83019965A28BB0F33FE7C0854FF6BEEDB4AA563E4B4F", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/open-policy-agent/opa/v0.57.1/opa_linux_amd64", + "checksum": "5212D513DAD9BD90BC67743D7812E5EC7019B2A994F30C0D8DBB2B2C6772F094", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/open-policy-agent/opa/v0.57.1/opa_linux_arm64_static", + "checksum": "6D581EF6F9A066C0D2A36F3CB7EE605EC8195E49631121D1707248549758806B", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/open-policy-agent/opa/v0.57.1/opa_windows_amd64.exe", + "checksum": "9A6D3EF2279760EFBCEAD6A7095393E04ADAA1BE3C7458EB62A2B79D93DF4BC3", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/reviewdog/reviewdog/v0.15.0/reviewdog_0.15.0_Darwin_arm64.tar.gz", + "checksum": "DB5FE19D29346C23D7468B6A1ACEBBF9C369C805AE8CB97159881BFAADFECB5A", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/reviewdog/reviewdog/v0.15.0/reviewdog_0.15.0_Darwin_x86_64.tar.gz", + "checksum": "361F3513252D5F64C822CFAC273A7F9AC9C4DCC1D38FAD7974100070A09CFC7B", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/reviewdog/reviewdog/v0.15.0/reviewdog_0.15.0_Linux_arm64.tar.gz", + "checksum": "E8BC967EE94390E2ACA889E1B8622AD598CD15D5B5B67C4B42AC8EA2EDE6B5BD", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/reviewdog/reviewdog/v0.15.0/reviewdog_0.15.0_Linux_x86_64.tar.gz", + "checksum": "736DEC2BDECE94F5A17DBB67A3CC6CA6279ABA614C2AFCAD466E824452E53305", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/reviewdog/reviewdog/v0.15.0/reviewdog_0.15.0_Windows_arm64.tar.gz", + "checksum": "ACFFCA88DE97D85F9CF7A84C2CADAE42C3F886AA4A51D956CF39FA3E97DA1739", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/reviewdog/reviewdog/v0.15.0/reviewdog_0.15.0_Windows_x86_64.tar.gz", + "checksum": "64745567CDA57D1138D6185E1CE6C3FFC615AC4DC385F6CB89ECA82F2FDB2A43", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/rhysd/actionlint/v1.6.26/actionlint_1.6.26_darwin_amd64.tar.gz", + "checksum": "BFA890E77A8508603C785AF09A30BBAB3A3255D291D8D27EFC3F20AC8E303A8E", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/rhysd/actionlint/v1.6.26/actionlint_1.6.26_darwin_arm64.tar.gz", + "checksum": "5E131AB7DE7AD051E1923B80D167AAA414734E97C720698C48778250E1DD2590", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/rhysd/actionlint/v1.6.26/actionlint_1.6.26_linux_amd64.tar.gz", + "checksum": "F0294C342AF98FAD4FF917BC32032F28E1B55F76AEDF291886EC10BBED7C12E1", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/rhysd/actionlint/v1.6.26/actionlint_1.6.26_linux_arm64.tar.gz", + "checksum": "A1056D85D614AF4F6E5517ED2911DAB2621B8E97C368C8B265328F9C22801648", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/rhysd/actionlint/v1.6.26/actionlint_1.6.26_windows_amd64.zip", + "checksum": "8E31F6D623CDC3C12D2236E1E444FAA191126434A2007F4D2BECC0D0D416469B", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/rhysd/actionlint/v1.6.26/actionlint_1.6.26_windows_arm64.zip", + "checksum": "2545EEA6E1F02A24619514F50DCCE7543B8C0028B50E3EFBCEC3DC79E16AE5EA", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/ci-info/v2.1.3/ci-info_2.1.3_darwin_amd64.tar.gz", + "checksum": "3924ED8223B3E3D4FB8AE011C730CBC11DD05DB01EB7E1E9635A4AD7220C7DDB", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/ci-info/v2.1.3/ci-info_2.1.3_darwin_arm64.tar.gz", + "checksum": "71EF22031AE9AB383653FCF4DFFFE41C57CFC242B89B87510D65484C7C6BB3A0", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/ci-info/v2.1.3/ci-info_2.1.3_linux_amd64.tar.gz", + "checksum": "51C75F37058DD1B9F1A2EA011057BD9911CDC6C1DDAAE42017B680E295DC5076", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/ci-info/v2.1.3/ci-info_2.1.3_linux_arm64.tar.gz", + "checksum": "AF0BC274F3823E1895D3477F4F18356342DB867DC1188085D08F48D4AEC8333C", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/ci-info/v2.1.3/ci-info_2.1.3_windows_amd64.tar.gz", + "checksum": "2974711C48AF1E07F2009626A326D8B17A6806272FC586B7AAB4FFE7C643CB01", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/ci-info/v2.1.3/ci-info_2.1.3_windows_arm64.tar.gz", + "checksum": "F4B3BE86A1604912745E065FAA76AD2C934624D548D7CD8EF5C93685FF04756B", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/github-comment/v6.0.2/github-comment_6.0.2_darwin_amd64.tar.gz", + "checksum": "9618BB130F7F2EF6F2AAA99A24553A563432F0768A312B9425E74D96C94F0A9F", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/github-comment/v6.0.2/github-comment_6.0.2_darwin_arm64.tar.gz", + "checksum": "FD80DB295A066A2C081CD8C25607EACC1CC0FE1B2624FAAB554A098FD79762DA", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/github-comment/v6.0.2/github-comment_6.0.2_linux_amd64.tar.gz", + "checksum": "0987B3448724AD982360CFA4B71C2B90CD937F7FDE4AA1D80F7FA5ABA5D10D1A", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/github-comment/v6.0.2/github-comment_6.0.2_linux_arm64.tar.gz", + "checksum": "977699851D5256808EC8D8FA7A4B8069E32148C4957C1EAA10CE75EFBD8A360C", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/github-comment/v6.0.2/github-comment_6.0.2_windows_amd64.tar.gz", + "checksum": "9ACCB7EA6F194401D2B4E4CBC17D83A76657F272D9871679B233DD1509C4FA7D", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/github-comment/v6.0.2/github-comment_6.0.2_windows_arm64.tar.gz", + "checksum": "CD34913DB8D05FA36F886BC5752C1B16D29FC4A8D24B1A0389FDC361E391A23E", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/tfaction-go/v0.2.2/tfaction_darwin_amd64.tar.gz", + "checksum": "A1FDD90599640CB425459F3ABE58F5CA971057C56F00D4058F0859F23DFACCE1", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/tfaction-go/v0.2.2/tfaction_darwin_arm64.tar.gz", + "checksum": "8967DA39AEAD93F7080F5952644D3889717A92155130E2028BCD12353265B21B", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/tfaction-go/v0.2.2/tfaction_linux_amd64.tar.gz", + "checksum": "D06803C977F2DD4F4E47F4961B6C1CF2289164EAAC9AF17245A30C7432394880", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/tfaction-go/v0.2.2/tfaction_linux_arm64.tar.gz", + "checksum": "668EA40AA235269902424B264693513B8E92AD328C9448F81EED1D6DB9055F8B", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/tfaction-go/v0.2.2/tfaction_windows_amd64.tar.gz", + "checksum": "E3797D1A0ABFCBAC636C57E705986217DF4B5EAD468CCC3077E73A319F69C491", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/tfaction-go/v0.2.2/tfaction_windows_arm64.tar.gz", + "checksum": "2F4D0CD079B0D3F0831A9790AACC2531A1C0A449E44047E86929BC5C61541DC8", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/tfcmt/v4.7.1/tfcmt_darwin_amd64.tar.gz", + "checksum": "841ECE46A5719FE9802CE9F1483B220C6DDCC553C8CD9D9B626C1A23FDA46A56", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/tfcmt/v4.7.1/tfcmt_darwin_arm64.tar.gz", + "checksum": "CFABF56FD094E299DC91AD17D3E42C49100471B0C92EBF67A8A05C0243FE79DF", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/tfcmt/v4.7.1/tfcmt_linux_amd64.tar.gz", + "checksum": "9AE464A3E33BC7D9CE61FE6AAF70FBEB5320BFAD5FB4045C424CD735E9AFFFCB", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/tfcmt/v4.7.1/tfcmt_linux_arm64.tar.gz", + "checksum": "55686DD46BF0C81E111ACBE5ED0EDCB4A653188C2624C96A2189D365CA4787A2", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/tfcmt/v4.7.1/tfcmt_windows_amd64.tar.gz", + "checksum": "8CBAE7F26F0201BC9386E5B4FD71B6788A39A4DA93255862B9177A25D5A942AC", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/tfcmt/v4.7.1/tfcmt_windows_arm64.tar.gz", + "checksum": "3196C4361366BCD832D49A6DA7C4E4371DB5C56FDF9753DD60FB908D9C99FFC5", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/tfprovidercheck/v0.2.0/tfprovidercheck_darwin_amd64.tar.gz", + "checksum": "925946B23ACF2284F7C16A21FB9222F00BED30A000270FA9804B168102E386CF", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/tfprovidercheck/v0.2.0/tfprovidercheck_darwin_arm64.tar.gz", + "checksum": "2642EF830F55B239DA3E39B0C945C3F8404101448CE3B8133EFBE009A059C340", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/tfprovidercheck/v0.2.0/tfprovidercheck_linux_amd64.tar.gz", + "checksum": "8830574F4DB9BCE9DD5CBBCE31E512BABD405DA0D7EC1B80555FAACABC5C87E9", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/tfprovidercheck/v0.2.0/tfprovidercheck_linux_arm64.tar.gz", + "checksum": "3AE5BE3649AA8486D85268E01298CBEB5F092719AC2B40EE3FBC5EA3D87A0B56", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/tfprovidercheck/v0.2.0/tfprovidercheck_windows_amd64.zip", + "checksum": "B2EC6975A98E5EFA9AA65C43DAF1C86DB2DF72F98515B0F7F7C5EBA94D5BCBAC", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/suzuki-shunsuke/tfprovidercheck/v0.2.0/tfprovidercheck_windows_arm64.zip", + "checksum": "D11BB3ED8D8AC06262D7ABC621BE1FC82F9FA4E2D4DCEF70D43898AAD4A3BACB", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/terraform-docs/terraform-docs/v0.16.0/terraform-docs-v0.16.0-darwin-amd64.tar.gz", + "checksum": "F48422E2E3C4A30852992177DB17CB37B18810A3E8392401BA69E875C8BB1090", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/terraform-docs/terraform-docs/v0.16.0/terraform-docs-v0.16.0-darwin-arm64.tar.gz", + "checksum": "A7F0C2437424B20D89315D2A7B0581E7D32FDE539D0B06C49403949DF1EE62EA", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/terraform-docs/terraform-docs/v0.16.0/terraform-docs-v0.16.0-linux-amd64.tar.gz", + "checksum": "328C16CD6552B3B5C4686B8D945A2E2E18D2B8145B6B66129CD5491840010182", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/terraform-docs/terraform-docs/v0.16.0/terraform-docs-v0.16.0-linux-arm64.tar.gz", + "checksum": "8208C19C7DC01660E6CAEFE32E33AC02E0E03FDC2E2ADE0BB37ABB6349153D25", + "algorithm": "sha256" + }, + { + "id": "github_release/github.com/terraform-docs/terraform-docs/v0.16.0/terraform-docs-v0.16.0-windows-amd64.zip", + "checksum": "B1E63CEDE84AE139045D5385C389232FBBCB369A99496B94EC1CD733B8D4D125", + "algorithm": "sha256" + }, + { + "id": "registries/github_content/github.com/aquaproj/aqua-registry/v4.88.0/registry.yaml", + "checksum": "8C315B6F866105A9D068875C900C1694DA6807EA7C15238D5B3CBF0DD8A8C6DF00F721625B69A329DED0999187D5EC7B305ED5629B23CFCA9C0C49EEAA879382", + "algorithm": "sha512" + } + ] +} diff --git a/aqua/aqua.yaml b/aqua/aqua.yaml new file mode 100644 index 0000000..473dbd8 --- /dev/null +++ b/aqua/aqua.yaml @@ -0,0 +1,8 @@ +checksum: + enabled: true + require_checksum: true +registries: + - type: standard + ref: v4.88.0 # renovate: depName=aquaproj/aqua-registry +packages: + - import: imports/*.yaml diff --git a/aqua/imports/actionlint.yaml b/aqua/imports/actionlint.yaml new file mode 100644 index 0000000..a529af7 --- /dev/null +++ b/aqua/imports/actionlint.yaml @@ -0,0 +1,2 @@ +packages: +- name: rhysd/actionlint@v1.6.26 diff --git a/aqua/imports/ci-info.yaml b/aqua/imports/ci-info.yaml new file mode 100644 index 0000000..c66d5d0 --- /dev/null +++ b/aqua/imports/ci-info.yaml @@ -0,0 +1,2 @@ +packages: + - name: suzuki-shunsuke/ci-info@v2.1.3 diff --git a/aqua/imports/conftest.yaml b/aqua/imports/conftest.yaml new file mode 100644 index 0000000..43b6655 --- /dev/null +++ b/aqua/imports/conftest.yaml @@ -0,0 +1,2 @@ +packages: +- name: open-policy-agent/conftest@v0.46.0 diff --git a/aqua/imports/gh.yaml b/aqua/imports/gh.yaml new file mode 100644 index 0000000..964716a --- /dev/null +++ b/aqua/imports/gh.yaml @@ -0,0 +1,2 @@ +packages: + - name: cli/cli@v2.37.0 diff --git a/aqua/imports/ghcp.yaml b/aqua/imports/ghcp.yaml new file mode 100644 index 0000000..1773e1f --- /dev/null +++ b/aqua/imports/ghcp.yaml @@ -0,0 +1,2 @@ +packages: + - name: int128/ghcp@v1.13.2 diff --git a/aqua/imports/github-comment.yaml b/aqua/imports/github-comment.yaml new file mode 100644 index 0000000..58670e6 --- /dev/null +++ b/aqua/imports/github-comment.yaml @@ -0,0 +1,2 @@ +packages: + - name: suzuki-shunsuke/github-comment@v6.0.2 diff --git a/aqua/imports/opa.yaml b/aqua/imports/opa.yaml new file mode 100644 index 0000000..b624bdd --- /dev/null +++ b/aqua/imports/opa.yaml @@ -0,0 +1,2 @@ +packages: +- name: open-policy-agent/opa@v0.57.1 diff --git a/aqua/imports/reviewdog.yaml b/aqua/imports/reviewdog.yaml new file mode 100644 index 0000000..eb43d9e --- /dev/null +++ b/aqua/imports/reviewdog.yaml @@ -0,0 +1,2 @@ +packages: + - name: reviewdog/reviewdog@v0.15.0 diff --git a/aqua/imports/shellcheck.yaml b/aqua/imports/shellcheck.yaml new file mode 100644 index 0000000..34f2f3c --- /dev/null +++ b/aqua/imports/shellcheck.yaml @@ -0,0 +1,2 @@ +packages: +- name: koalaman/shellcheck@v0.9.0 diff --git a/aqua/imports/terraform-docs.yaml b/aqua/imports/terraform-docs.yaml new file mode 100644 index 0000000..cae3191 --- /dev/null +++ b/aqua/imports/terraform-docs.yaml @@ -0,0 +1,2 @@ +packages: + - name: terraform-docs/terraform-docs@v0.16.0 diff --git a/aqua/imports/tfaction-go.yaml b/aqua/imports/tfaction-go.yaml new file mode 100644 index 0000000..38185b1 --- /dev/null +++ b/aqua/imports/tfaction-go.yaml @@ -0,0 +1,2 @@ +packages: + - name: suzuki-shunsuke/tfaction-go@v0.2.2 diff --git a/aqua/imports/tfcmt.yaml b/aqua/imports/tfcmt.yaml new file mode 100644 index 0000000..fdb9746 --- /dev/null +++ b/aqua/imports/tfcmt.yaml @@ -0,0 +1,2 @@ +packages: + - name: suzuki-shunsuke/tfcmt@v4.7.1 diff --git a/aqua/imports/tfmigrate.yaml b/aqua/imports/tfmigrate.yaml new file mode 100644 index 0000000..4efa5a7 --- /dev/null +++ b/aqua/imports/tfmigrate.yaml @@ -0,0 +1,2 @@ +packages: + - name: minamijoyo/tfmigrate@v0.3.18 diff --git a/aqua/imports/tfprovidercheck.yaml b/aqua/imports/tfprovidercheck.yaml new file mode 100644 index 0000000..45c3fdc --- /dev/null +++ b/aqua/imports/tfprovidercheck.yaml @@ -0,0 +1,8 @@ +packages: + - name: suzuki-shunsuke/tfprovidercheck@v0.2.0 + +providers: + - name: registry.terraform.io/hashicorp/aws + version: ">= 5.0.0" + - name: registry.terraform.io/hashicorp/tls + version: ">= 3.0.0" diff --git a/github-comment.yaml b/github-comment.yaml new file mode 100644 index 0000000..ebc132e --- /dev/null +++ b/github-comment.yaml @@ -0,0 +1,16 @@ +--- +# https://github.com/suzuki-shunsuke/github-comment +hide: + default: | + Comment.HasMeta && Comment.Meta.SHA1 != Commit.SHA1 && ! (Comment.Meta.Program == "tfcmt" && Comment.Meta.Command == "apply") +exec: + default: + - when: ExitCode != 0 + template: | + ## :x: Failed {{if .Vars.tfaction_target}}({{.Vars.tfaction_target}}){{end}} + + {{template "link" .}} + + {{template "join_command" .}} + + {{template "hidden_combined_output" .}} diff --git a/renovate.json5 b/renovate.json5 new file mode 100644 index 0000000..c7a1eb4 --- /dev/null +++ b/renovate.json5 @@ -0,0 +1,29 @@ +{ + "extends": [ + "config:base", + "github>aquaproj/aqua-renovate-config#1.12.0", + "github>aquaproj/aqua-renovate-config:file#1.12.0(^(.*/)?aqua/[^/]*\\.ya?ml$)", + "github>suzuki-shunsuke/renovate-config#2.2.0", + ], + "labels": [ + "renovate:{{depName}}", "renovate:{{depName}}/{{newVersion}}", + "datasource:{{datasource}}" + ], + + "major": { + "automerge": false, + }, + "automerge": true, + + "prHourlyLimit": 10, + "prConcurrentLimit": 10, + "branchConcurrentLimit": 20, + + "packageRules": [ + { + "additionalBranchPrefix": "{{packageFileDir}}-", + "commitMessageSuffix": "({{packageFileDir}})", + "matchPackagePatterns": [".*"] + }, + ], +} diff --git a/templates/aws/.tflint.hcl b/templates/aws/.tflint.hcl new file mode 100644 index 0000000..d3854c8 --- /dev/null +++ b/templates/aws/.tflint.hcl @@ -0,0 +1,62 @@ +# https://github.com/terraform-linters/tflint-ruleset-aws +plugin "aws" { + enabled = true + version = "0.27.0" # renovate: depName=terraform-linters/tflint-ruleset-aws + source = "github.com/terraform-linters/tflint-ruleset-aws" + + # https://github.com/terraform-linters/tflint-ruleset-aws/blob/master/docs/deep_checking.md + deep_check = true +} + +# https://github.com/terraform-linters/tflint/tree/master/docs/rules +rule "terraform_deprecated_index" { + enabled = true +} + +rule "terraform_unused_declarations" { + enabled = true +} + +rule "terraform_comment_syntax" { + enabled = true +} + +rule "terraform_documented_outputs" { + enabled = true +} + +rule "terraform_documented_variables" { + enabled = true +} + +rule "terraform_typed_variables" { + enabled = true +} + +rule "terraform_naming_convention" { + enabled = true +} + +rule "terraform_required_version" { + enabled = true +} + +rule "terraform_required_providers" { + enabled = true +} + +rule "terraform_standard_module_structure" { + enabled = false +} + +rule "aws_elasticache_replication_group_default_parameter_group" { + # https://github.com/terraform-linters/tflint-ruleset-aws/blob/v0.6.0/docs/rules/aws_elasticache_replication_group_default_parameter_group.md + # This rule isn't needed. + enabled = false +} + +rule "aws_iam_policy_sid_invalid_characters" { + # https://github.com/terraform-linters/tflint-ruleset-aws/blob/master/docs/rules/aws_iam_policy_sid_invalid_characters.md + # This doesn't work well + enabled = false +} diff --git a/templates/aws/aqua/aqua.yaml b/templates/aws/aqua/aqua.yaml new file mode 100644 index 0000000..33ee238 --- /dev/null +++ b/templates/aws/aqua/aqua.yaml @@ -0,0 +1,13 @@ +--- +# aqua - Declarative CLI Version Manager +# https://aquaproj.github.io/ +checksum: + enabled: true + require_checksum: true +# supported_envs: +# - all +registries: +- type: standard + ref: v4.88.0 # renovate: depName=aquaproj/aqua-registry +packages: + - import: imports/*.yaml diff --git a/templates/aws/aqua/imports/terraform.yaml b/templates/aws/aqua/imports/terraform.yaml new file mode 100644 index 0000000..f68449c --- /dev/null +++ b/templates/aws/aqua/imports/terraform.yaml @@ -0,0 +1,2 @@ +packages: + - name: hashicorp/terraform@v1.6.3 diff --git a/templates/aws/aqua/imports/tflint.yaml b/templates/aws/aqua/imports/tflint.yaml new file mode 100644 index 0000000..e55003d --- /dev/null +++ b/templates/aws/aqua/imports/tflint.yaml @@ -0,0 +1,2 @@ +packages: + - name: terraform-linters/tflint@v0.48.0 diff --git a/templates/aws/terraform.tf b/templates/aws/terraform.tf new file mode 100644 index 0000000..8393612 --- /dev/null +++ b/templates/aws/terraform.tf @@ -0,0 +1,22 @@ +terraform { + required_version = ">= 1.0" + backend "s3" { + bucket = "" + key = "%%TARGET%%/v1/terraform.tfstate" + region = "ap-northeast-1" + encrypt = true + } +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } + } +} + +provider "aws" { + region = "ap-northeast-1" +} diff --git a/templates/gcp/.tflint.hcl b/templates/gcp/.tflint.hcl new file mode 100644 index 0000000..6af84c2 --- /dev/null +++ b/templates/gcp/.tflint.hcl @@ -0,0 +1,47 @@ +# https://github.com/terraform-linters/tflint-ruleset-google#installation +plugin "google" { + enabled = true + version = "0.26.0" # renovate: depName=terraform-linters/tflint-ruleset-google + source = "github.com/terraform-linters/tflint-ruleset-google" +} + +# https://github.com/terraform-linters/tflint/tree/master/docs/rules +rule "terraform_deprecated_index" { + enabled = true +} + +rule "terraform_unused_declarations" { + enabled = true +} + +rule "terraform_comment_syntax" { + enabled = true +} + +rule "terraform_documented_outputs" { + enabled = true +} + +rule "terraform_documented_variables" { + enabled = true +} + +rule "terraform_typed_variables" { + enabled = true +} + +rule "terraform_naming_convention" { + enabled = true +} + +rule "terraform_required_version" { + enabled = true +} + +rule "terraform_required_providers" { + enabled = true +} + +rule "terraform_standard_module_structure" { + enabled = false +} diff --git a/templates/gcp/aqua/aqua.yaml b/templates/gcp/aqua/aqua.yaml new file mode 100644 index 0000000..33ee238 --- /dev/null +++ b/templates/gcp/aqua/aqua.yaml @@ -0,0 +1,13 @@ +--- +# aqua - Declarative CLI Version Manager +# https://aquaproj.github.io/ +checksum: + enabled: true + require_checksum: true +# supported_envs: +# - all +registries: +- type: standard + ref: v4.88.0 # renovate: depName=aquaproj/aqua-registry +packages: + - import: imports/*.yaml diff --git a/templates/gcp/aqua/imports/terraform.yaml b/templates/gcp/aqua/imports/terraform.yaml new file mode 100644 index 0000000..324efe6 --- /dev/null +++ b/templates/gcp/aqua/imports/terraform.yaml @@ -0,0 +1,2 @@ +packages: + - name: hashicorp/terraform@v1.6.2 diff --git a/templates/gcp/aqua/imports/tflint.yaml b/templates/gcp/aqua/imports/tflint.yaml new file mode 100644 index 0000000..e55003d --- /dev/null +++ b/templates/gcp/aqua/imports/tflint.yaml @@ -0,0 +1,2 @@ +packages: + - name: terraform-linters/tflint@v0.48.0 diff --git a/templates/gcp/aqua/imports/trivy.yaml b/templates/gcp/aqua/imports/trivy.yaml new file mode 100644 index 0000000..23c58a5 --- /dev/null +++ b/templates/gcp/aqua/imports/trivy.yaml @@ -0,0 +1,2 @@ +packages: + - name: aquasecurity/trivy@v0.46.0 diff --git a/templates/gcp/terraform.tf b/templates/gcp/terraform.tf new file mode 100644 index 0000000..1633c98 --- /dev/null +++ b/templates/gcp/terraform.tf @@ -0,0 +1,23 @@ +terraform { + required_version = ">= 1.0" + backend "s3" { + bucket = "" + key = "%%TARGET%%/v1/terraform.tfstate" + region = "ap-northeast-1" + encrypt = true + } +} + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 5.0" + } + } +} + +provider "google" { + project = "virtual-signer-406313" + region = "asia-northeast1" +} diff --git a/templates/github/.tflint.hcl b/templates/github/.tflint.hcl new file mode 100644 index 0000000..5fd4b21 --- /dev/null +++ b/templates/github/.tflint.hcl @@ -0,0 +1,40 @@ +# https://github.com/terraform-linters/tflint/tree/master/docs/rules +rule "terraform_deprecated_index" { + enabled = true +} + +rule "terraform_unused_declarations" { + enabled = true +} + +rule "terraform_comment_syntax" { + enabled = true +} + +rule "terraform_documented_outputs" { + enabled = true +} + +rule "terraform_documented_variables" { + enabled = true +} + +rule "terraform_typed_variables" { + enabled = true +} + +rule "terraform_naming_convention" { + enabled = true +} + +rule "terraform_required_version" { + enabled = true +} + +rule "terraform_required_providers" { + enabled = true +} + +rule "terraform_standard_module_structure" { + enabled = false +} diff --git a/templates/github/aqua/aqua.yaml b/templates/github/aqua/aqua.yaml new file mode 100644 index 0000000..8ed4c15 --- /dev/null +++ b/templates/github/aqua/aqua.yaml @@ -0,0 +1,13 @@ +--- +# aqua - Declarative CLI Version Manager +# https://aquaproj.github.io/ +checksum: + enabled: true + require_checksum: true +# supported_envs: +# - all +registries: +- type: standard + ref: v4.89.0 # renovate: depName=aquaproj/aqua-registry +packages: + - import: imports/*.yaml diff --git a/templates/github/aqua/imports/terraform.yaml b/templates/github/aqua/imports/terraform.yaml new file mode 100644 index 0000000..324efe6 --- /dev/null +++ b/templates/github/aqua/imports/terraform.yaml @@ -0,0 +1,2 @@ +packages: + - name: hashicorp/terraform@v1.6.2 diff --git a/templates/github/aqua/imports/tflint.yaml b/templates/github/aqua/imports/tflint.yaml new file mode 100644 index 0000000..e55003d --- /dev/null +++ b/templates/github/aqua/imports/tflint.yaml @@ -0,0 +1,2 @@ +packages: + - name: terraform-linters/tflint@v0.48.0 diff --git a/templates/github/aqua/imports/trivy.yaml b/templates/github/aqua/imports/trivy.yaml new file mode 100644 index 0000000..23c58a5 --- /dev/null +++ b/templates/github/aqua/imports/trivy.yaml @@ -0,0 +1,2 @@ +packages: + - name: aquasecurity/trivy@v0.46.0 diff --git a/templates/github/terraform.tf b/templates/github/terraform.tf new file mode 100644 index 0000000..0cfa0a2 --- /dev/null +++ b/templates/github/terraform.tf @@ -0,0 +1,22 @@ +terraform { + required_version = ">= 1.0" + backend "s3" { + bucket = "" + key = "%%TARGET%%/v1/terraform.tfstate" + region = "ap-northeast-1" + encrypt = true + } +} + +terraform { + required_providers { + github = { + source = "integrations/github" + version = "~> 5.0" + } + } +} + +provider "github" { + owner = "matchan26" # CHANGEME Fix owner +}