From fdf32333fbf0b2bdf8e7f38fc55e91b182c855bb Mon Sep 17 00:00:00 2001 From: Veronika Gnilitska Date: Tue, 13 May 2025 18:15:10 +0300 Subject: [PATCH 1/2] chore: update with the latest template state --- .coderabbit.yaml | 13 ++++-- .github/renovate.json5 | 61 +++++++++++++++++++++------ .github/workflows/lint.yaml | 15 ++++++- .github/workflows/release-please.yaml | 2 +- .github/workflows/test.yaml | 27 +++--------- .github/workflows/trunk-upgrade.yaml | 13 +++++- .gitignore | 10 ++++- .terraform-docs.yaml | 1 - .trunk/configs/.markdownlint.yaml | 5 +++ .trunk/trunk.yaml | 16 +++---- LICENSE | 2 +- aqua.yaml | 6 ++- 12 files changed, 114 insertions(+), 57 deletions(-) diff --git a/.coderabbit.yaml b/.coderabbit.yaml index e279a6f..39f44bd 100644 --- a/.coderabbit.yaml +++ b/.coderabbit.yaml @@ -7,6 +7,7 @@ language: en tone_instructions: | Provide feedback in a professional, friendly, constructive, and concise tone. Offer clear, specific suggestions and best practices to help enhance the code quality and promote learning. + Be concise and only comment on significant issues. early_access: true @@ -26,21 +27,25 @@ knowledge_base: reviews: profile: chill auto_review: - # Ignore reviewing if the title of the pull request contains any of these keywords (case-insensitive) + # Disable incremental code review on each push + auto_incremental_review: false + # The keywords are case-insensitive ignore_title_keywords: - wip - draft - test - # Set the commit status to 'pending' when the review is in progress and 'success' when it is complete. commit_status: false - # Post review details on each review. Additionally, post a review status when a review is skipped in certain cases. - review_status: false path_instructions: - path: "**/*.tf" instructions: | You're a Terraform expert who has thoroughly studied all the documentation from Hashicorp https://developer.hashicorp.com/terraform/docs and OpenTofu https://opentofu.org/docs/. You have a strong grasp of Terraform syntax and prioritize providing accurate and insightful code suggestions. As a fan of the Cloud Posse / SweetOps ecosystem, you incorporate many of their best practices https://docs.cloudposse.com/best-practices/terraform/ while balancing them with general Terraform guidelines. + changed_files_summary: false + poem: false + # Don't post review details on each review. + review_status: false + sequence_diagrams: false tools: # By default, all tools are enabled. # Masterpoint uses Trunk (https://trunk.io) so we do not need a lot of this feedback due to overlap. diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 0ab4bd8..275d017 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -3,27 +3,62 @@ "config:best-practices", "github>aquaproj/aqua-renovate-config#2.7.5" ], - "schedule": [ - "after 9am on the first day of the month" - ], - "assigneesFromCodeOwners": true, - "dependencyDashboardAutoclose": true, - "addLabels": [ - "auto-upgrade" - ], "enabledManagers": [ - "terraform" + "terraform", + "github-actions" ], "terraform": { "ignorePaths": [ "**/context.tf" // Mixin file https://github.com/cloudposse/terraform-null-label/blob/main/exports/context.tf + ], + "fileMatch": [ + "\\.tf$", + "\\.tofu$" ] }, + "schedule": [ + "after 9am on the first day of the month" + ], + "assigneesFromCodeOwners": true, + "dependencyDashboardAutoclose": true, + "addLabels": ["{{manager}}"], "packageRules": [ { - "matchDepTypes": [ - "optionalDependencies" - ] + "matchManagers": ["github-actions"], + "matchUpdateTypes": ["minor", "patch", "pin", "digest"], + "automerge": true, + "automergeType": "branch", + "groupName": "github-actions-auto-upgrade", + "addLabels": ["auto-upgrade"] + }, + { + "matchManagers": ["github-actions"], + "matchUpdateTypes": ["major"], + "groupName": "github-actions-needs-review", + "addLabels": ["needs-review"] + }, + { + "matchManagers": ["terraform"], + "groupName": "tf", + "addLabels": ["needs-review"] + }, + { + "matchFileNames": ["**/*.tofu", "**/*.tf"], + "matchDatasources": ["terraform-provider", "terraform-module"], + "registryUrls": ["https://registry.opentofu.org"], + "groupName": "tf" + }, + { + "matchFileNames": ["**/*.tofu"], + "matchDepTypes": ["required_version"], + "registryUrls": ["https://registry.opentofu.org"], + "groupName": "tf" + }, + { + "matchFileNames": ["**/*.tf"], + "matchDepTypes": ["required_version"], + "registryUrls": ["https://registry.terraform.io"], + "groupName": "tf" } ] -} \ No newline at end of file +} diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 092d215..2bbb389 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -1,5 +1,9 @@ name: Lint +concurrency: + group: lint-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + on: pull_request permissions: @@ -13,6 +17,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out Git repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Trunk Check - uses: trunk-io/trunk-action@v1 + uses: trunk-io/trunk-action@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19 + + conventional-title: + runs-on: ubuntu-latest + steps: + - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml index 421aab2..e9e712a 100644 --- a/.github/workflows/release-please.yaml +++ b/.github/workflows/release-please.yaml @@ -8,7 +8,7 @@ on: permissions: contents: write pull-requests: write - issues: write # required for label creation + issues: write jobs: release-please: diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 400b365..1574792 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -15,31 +15,14 @@ permissions: jobs: tf-test: - name: ${{ matrix.tf }} Test + name: 🧪 ${{ matrix.tf }} test runs-on: ubuntu-latest strategy: matrix: tf: [tofu, terraform] steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - name: Aqua Cache - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 - if: ${{ !github.event.act }} # Don't enable the cache step if we're using act for testing - with: - path: ~/.local/share/aquaproj-aqua - key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('aqua.yaml')}} - restore-keys: | - v1-aqua-installer-${{runner.os}}-${{runner.arch}}- - - - name: Install Aqua - uses: aquaproj/aqua-installer@5e54e5cee8a95ee2ce7c04cb993da6dfad13e59c # v3.2.1 + - uses: masterpointio/github-action-tf-test@c3b619f3bca9e4f482b9e0fb3166ab3f02d9d54c # v1.0.0 with: - aqua_version: v2.48.1 - - - name: Aqua Install - shell: bash - run: aqua install --tags ${{ matrix.tf }} - - - run: ${{ matrix.tf }} init - - run: ${{ matrix.tf }} test + tf_type: ${{ matrix.tf }} + aws_role_arn: ${{ vars.TF_TEST_AWS_ROLE_ARN }} + github_token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/trunk-upgrade.yaml b/.github/workflows/trunk-upgrade.yaml index 8b14fcc..d9cf480 100644 --- a/.github/workflows/trunk-upgrade.yaml +++ b/.github/workflows/trunk-upgrade.yaml @@ -17,7 +17,7 @@ jobs: pull-requests: write steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Create Token for MasterpointBot App uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0 @@ -27,8 +27,17 @@ jobs: private_key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }} - name: Upgrade - uses: trunk-io/trunk-action/upgrade@86b68ffae610a05105e90b1f52ad8c549ef482c2 #v1.1.16 + id: trunk-upgrade + uses: trunk-io/trunk-action/upgrade@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19 with: github-token: ${{ steps.generate-token.outputs.token }} reviewers: "@masterpointio/masterpoint-internal" prefix: "chore: " + + - name: Merge PR automatically + if: steps.trunk-upgrade.outputs.pull-request-number != '' + env: + GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }} + PR_NUMBER: ${{ steps.trunk-upgrade.outputs.pull-request-number }} + run: | + gh pr merge "$PR_NUMBER" --squash --auto --delete-branch diff --git a/.gitignore b/.gitignore index e6c8f16..9636abe 100644 --- a/.gitignore +++ b/.gitignore @@ -9,6 +9,10 @@ # Local .terraform directories **/.terraform/* +# Ignore the root .terraform.lock.hcl file (Child modules don't want this) +.terraform.lock.hcl +!examples/**/.terraform.lock.hcl + # IDE/Editor settings **/.idea **/*.iml @@ -17,6 +21,10 @@ *.draft *~ +# Build Harness https://github.com/cloudposse/build-harness +**/.build-harness +**/build-harness + # Log files *.log @@ -35,4 +43,4 @@ backend.tf.json **/*.temp **/*.bak **/*.*swp -**/.DS_Store \ No newline at end of file +**/.DS_Store diff --git a/.terraform-docs.yaml b/.terraform-docs.yaml index 60052e1..710c102 100644 --- a/.terraform-docs.yaml +++ b/.terraform-docs.yaml @@ -6,7 +6,6 @@ recursive: settings: lockfile: false - path: . output: file: README.md diff --git a/.trunk/configs/.markdownlint.yaml b/.trunk/configs/.markdownlint.yaml index c97ae62..33a98b8 100644 --- a/.trunk/configs/.markdownlint.yaml +++ b/.trunk/configs/.markdownlint.yaml @@ -12,3 +12,8 @@ whitespace: false # Ignore MD041/first-line-heading/first-line-h1 # Error: First line in a file should be a top-level heading MD041: false + +# Ignore MD013/line-length +MD013: + strict: false + line_length: 350 diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml index 76e8ced..8f2a801 100644 --- a/.trunk/trunk.yaml +++ b/.trunk/trunk.yaml @@ -2,7 +2,7 @@ # To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml version: 0.1 cli: - version: 1.22.12 + version: 1.22.15 # Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins) plugins: sources: @@ -20,17 +20,17 @@ lint: # Incompatible with some Terraform features: https://github.com/tenable/terrascan/issues/1331 - terrascan enabled: - - renovate@39.245.3 - - tofu@1.9.0 + - renovate@40.0.6 + - tofu@1.9.1 - actionlint@1.7.7 - - checkov@3.2.405 + - checkov@3.2.420 - git-diff-check - markdownlint@0.44.0 - prettier@3.5.3 - - tflint@0.56.0 - - trivy@0.61.0 - - trufflehog@3.88.23 - - yamllint@1.37.0 + - tflint@0.57.0 + - trivy@0.62.1 + - trufflehog@3.88.29 + - yamllint@1.37.1 ignore: - linters: [tofu] paths: diff --git a/LICENSE b/LICENSE index 6b571c5..56d75ee 100644 --- a/LICENSE +++ b/LICENSE @@ -187,7 +187,7 @@ same "printed page" as the copyright notice for easier identification within third-party archives. - Copyright 2024 Masterpoint + Copyright 2025 Masterpoint Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/aqua.yaml b/aqua.yaml index 1d68586..264e850 100644 --- a/aqua.yaml +++ b/aqua.yaml @@ -8,8 +8,10 @@ # - all registries: - type: standard - ref: v4.346.0 # renovate: depName=aquaproj/aqua-registry + ref: v4.355.0 # renovate: depName=aquaproj/aqua-registry packages: - name: terraform-docs/terraform-docs@v0.20.0 - name: hashicorp/terraform@v1.11.4 - - name: opentofu/opentofu@v1.9.0 + tags: [terraform] + - name: opentofu/opentofu@v1.9.1 + tags: [tofu] From 62a5b136b208445cc59571d1039fa11798332d83 Mon Sep 17 00:00:00 2001 From: Veronika Gnilitska Date: Tue, 24 Jun 2025 19:51:36 +0300 Subject: [PATCH 2/2] chore: update with the latest template state --- .trunk/configs/.checkov.yaml => .checkov.yaml | 0 .github/workflows/lint.yaml | 6 ++- .github/workflows/release-please.yaml | 8 ++++ .github/workflows/test.yaml | 2 +- .github/workflows/trunk-upgrade.yaml | 25 +++++++++-- .gitignore | 5 +++ .../.markdownlint.yaml => .markdownlint.yaml | 0 .tflint.hcl | 42 +++++++++++++++++++ .trunk/.gitignore | 2 +- .trunk/trunk.yaml | 18 ++++---- .../configs/.yamllint.yaml => .yamllint.yaml | 0 11 files changed, 93 insertions(+), 15 deletions(-) rename .trunk/configs/.checkov.yaml => .checkov.yaml (100%) rename .trunk/configs/.markdownlint.yaml => .markdownlint.yaml (100%) create mode 100644 .tflint.hcl rename .trunk/configs/.yamllint.yaml => .yamllint.yaml (100%) diff --git a/.trunk/configs/.checkov.yaml b/.checkov.yaml similarity index 100% rename from .trunk/configs/.checkov.yaml rename to .checkov.yaml diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 2bbb389..9ed5d6e 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -4,7 +4,7 @@ concurrency: group: lint-${{ github.head_ref || github.run_id }} cancel-in-progress: true -on: pull_request +on: pull_request_target permissions: actions: read @@ -20,6 +20,10 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Trunk Check uses: trunk-io/trunk-action@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19 + env: + # NOTE: inject the GITHUB_TOKEN for the trunk managed tflint linter + # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} conventional-title: runs-on: ubuntu-latest diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml index e9e712a..6de4368 100644 --- a/.github/workflows/release-please.yaml +++ b/.github/workflows/release-please.yaml @@ -14,6 +14,14 @@ jobs: release-please: runs-on: ubuntu-latest steps: + - name: Create Token for MasterpointBot App + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0 + id: generate-token + with: + app_id: ${{ secrets.MP_BOT_APP_ID }} + private_key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }} + - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f #v4.1.3 with: + token: ${{ steps.generate-token.outputs.token }} release-type: terraform-module diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 1574792..330fbbb 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -4,7 +4,7 @@ on: push: branches: - main - pull_request: + pull_request_target: permissions: actions: read diff --git a/.github/workflows/trunk-upgrade.yaml b/.github/workflows/trunk-upgrade.yaml index d9cf480..5ea1ae9 100644 --- a/.github/workflows/trunk-upgrade.yaml +++ b/.github/workflows/trunk-upgrade.yaml @@ -34,10 +34,29 @@ jobs: reviewers: "@masterpointio/masterpoint-internal" prefix: "chore: " - - name: Merge PR automatically + - name: Wait for checks to pass + Merge PR if: steps.trunk-upgrade.outputs.pull-request-number != '' env: - GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }} + GH_TOKEN: ${{ steps.generate-token.outputs.token }} PR_NUMBER: ${{ steps.trunk-upgrade.outputs.pull-request-number }} run: | - gh pr merge "$PR_NUMBER" --squash --auto --delete-branch + echo "Waiting for required status checks to pass on PR #$PR_NUMBER..." + while true; do + CHECKS_JSON=$(gh pr checks "$PR_NUMBER" --required --json state,bucket) + echo "Current checks status: $CHECKS_JSON" + + if echo "$CHECKS_JSON" | jq -e '.[] | select(.bucket=="fail")' > /dev/null; then + echo "One or more required checks have failed. Exiting..." + exit 1 + fi + + FAILED_OR_PENDING_CHECKS=$(echo "$CHECKS_JSON" | jq '[.[] | select(.state!="SUCCESS" or .bucket!="pass")] | length') + if [ "$FAILED_OR_PENDING_CHECKS" -eq 0 ]; then + echo "All required checks passed. Merging PR https://github.com/${{ github.repository }}/pull/$PR_NUMBER..." + gh pr merge "$PR_NUMBER" --squash --delete-branch --admin + break + else + echo "Some required checks are still running or pending. Retrying in 30s..." + sleep 30 + fi + done diff --git a/.gitignore b/.gitignore index 9636abe..4c85809 100644 --- a/.gitignore +++ b/.gitignore @@ -16,6 +16,7 @@ # IDE/Editor settings **/.idea **/*.iml +.cursor/ .vscode/ *.orig *.draft @@ -44,3 +45,7 @@ backend.tf.json **/*.bak **/*.*swp **/.DS_Store + +# Claude Code - we beleive engineers are responsible for the code they push no matter how it's generated. +# Therefore, configs specific to their coding practices are their responsibilty to judiciously manage. +.claude/* diff --git a/.trunk/configs/.markdownlint.yaml b/.markdownlint.yaml similarity index 100% rename from .trunk/configs/.markdownlint.yaml rename to .markdownlint.yaml diff --git a/.tflint.hcl b/.tflint.hcl new file mode 100644 index 0000000..f01f0f6 --- /dev/null +++ b/.tflint.hcl @@ -0,0 +1,42 @@ +plugin "terraform" { + enabled = true + preset = "all" +} + +config { + format = "compact" + + # Inspect vars passed into "module" blocks. eg, lint AMI value passed into ec2 module. + # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/calling-modules.md + call_module_type = "all" + + # default values but keeping them here for clarity + disabled_by_default = false + force = false +} + +# Installing tflint rulesets from Github requires setting a GITHUB_TOKEN +# environment variable. Without it, you'll get an error like this: +# $ tflint --init +# Installing "aws" plugin... +# Failed to install a plugin; Failed to fetch GitHub releases: GET https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/tags/v0.39.0: 401 Bad credentials [] +# +# The solution is to provide a github PAT via a GITHUB_TOKEN env var, +# export GITHUB_TOKEN=github_pat_120abc123def456ghi789jkl123mno456pqr789stu123vwx456yz789 +# +# See docs for more info: https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting +plugin "aws" { + enabled = true + version = "0.39.0" + source = "github.com/terraform-linters/tflint-ruleset-aws" + deep_check = false +} + +# Allow variables to exist in more files than ONLY variables.tf +# Example use cases where we prefer for variables to exist in context, +# - context.tf (applicable to the null-label module) +# - providers.tf (when passing in secret keys from SOPs - example, github provider) +# https://github.com/terraform-linters/tflint-ruleset-terraform/blob/main/docs/rules/terraform_standard_module_structure.md +rule "terraform_standard_module_structure" { + enabled = false +} \ No newline at end of file diff --git a/.trunk/.gitignore b/.trunk/.gitignore index 15966d0..072b680 100644 --- a/.trunk/.gitignore +++ b/.trunk/.gitignore @@ -6,4 +6,4 @@ plugins user_trunk.yaml user.yaml -tmp +tmp \ No newline at end of file diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml index 8f2a801..35c1009 100644 --- a/.trunk/trunk.yaml +++ b/.trunk/trunk.yaml @@ -2,17 +2,17 @@ # To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml version: 0.1 cli: - version: 1.22.15 + version: 1.24.0 # Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins) plugins: sources: - id: trunk - ref: v1.6.8 + ref: v1.7.0 uri: https://github.com/trunk-io/plugins # Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes) runtimes: enabled: - - node@18.20.5 + - node@22.16.0 - python@3.10.8 # This is the section where you manage your linters. (https://docs.trunk.io/check/configuration) lint: @@ -20,16 +20,16 @@ lint: # Incompatible with some Terraform features: https://github.com/tenable/terrascan/issues/1331 - terrascan enabled: - - renovate@40.0.6 + - renovate@40.36.2 - tofu@1.9.1 - actionlint@1.7.7 - - checkov@3.2.420 + - checkov@3.2.435 - git-diff-check - - markdownlint@0.44.0 + - markdownlint@0.45.0 - prettier@3.5.3 - - tflint@0.57.0 - - trivy@0.62.1 - - trufflehog@3.88.29 + - tflint@0.58.0 + - trivy@0.63.0 + - trufflehog@3.88.35 - yamllint@1.37.1 ignore: - linters: [tofu] diff --git a/.trunk/configs/.yamllint.yaml b/.yamllint.yaml similarity index 100% rename from .trunk/configs/.yamllint.yaml rename to .yamllint.yaml