chore: sync with template

.coderabbit.yaml

@@ -7,6 +7,7 @@ language: en
 tone_instructions: |
   Provide feedback in a professional, friendly, constructive, and concise tone.
   Offer clear, specific suggestions and best practices to help enhance the code quality and promote learning.
+  Be concise and only comment on significant issues.
 
 early_access: true
 
@@ -26,21 +27,25 @@ knowledge_base:
 reviews:
   profile: chill
   auto_review:
-    # Ignore reviewing if the title of the pull request contains any of these keywords (case-insensitive)
+    # Disable incremental code review on each push
+    auto_incremental_review: false
+    # The keywords are case-insensitive
     ignore_title_keywords:
       - wip
       - draft
       - test
-  # Set the commit status to 'pending' when the review is in progress and 'success' when it is complete.
   commit_status: false
-  # Post review details on each review. Additionally, post a review status when a review is skipped in certain cases.
-  review_status: false
   path_instructions:
     - path: "**/*.tf"
       instructions: |
         You're a Terraform expert who has thoroughly studied all the documentation from Hashicorp https://developer.hashicorp.com/terraform/docs and OpenTofu https://opentofu.org/docs/.
         You have a strong grasp of Terraform syntax and prioritize providing accurate and insightful code suggestions.
         As a fan of the Cloud Posse / SweetOps ecosystem, you incorporate many of their best practices https://docs.cloudposse.com/best-practices/terraform/ while balancing them with general Terraform guidelines.
+  changed_files_summary: false
+  poem: false
+  # Don't post review details on each review.
+  review_status: false
+  sequence_diagrams: false
   tools:
     # By default, all tools are enabled.
     # Masterpoint uses Trunk (https://trunk.io) so we do not need a lot of this feedback due to overlap.

.github/CODEOWNERS

@@ -4,4 +4,4 @@
 # Order is important: the last matching pattern takes the most precedence
 
 # These owners will be the default owners for everything
-*             @masterpointio/masterpoint-internal
+*             @masterpointio/masterpoint-open-source

.github/renovate.json5

@@ -0,0 +1,37 @@
+{
+  "extends": [
+    "config:best-practices",
+    "github>aquaproj/aqua-renovate-config#2.7.5"
+  ],
+  "schedule": [
+    "after 9am on the first day of the month"
+  ],
+  "assigneesFromCodeOwners": true,
+  "dependencyDashboardAutoclose": true,
+  "addLabels": [
+    "auto-upgrade"
+  ],
+  "enabledManagers": [
+    "terraform"
+  ],
+  "terraform": {
+    "ignorePaths": [
+      "**/context.tf" // Mixin file https://github.com/cloudposse/terraform-null-label/blob/main/exports/context.tf
+    ]
+  },
+  "packageRules": [
+    {
+      "matchDepTypes": [
+        "optionalDependencies"
+      ],
+      // Allow auto merge if it's not a major version update
+      "matchUpdateTypes": [
+        "minor",
+        "patch",
+        "pin",
+        "digest"
+      ],
+      "automerge": true
+    }
+  ]
+}

.github/workflows/release-please.yaml

@@ -8,6 +8,7 @@ on:
 permissions:
   contents: write
   pull-requests: write
+  issues: write
 
 jobs:
   release-please:

.github/workflows/test.yaml

@@ -0,0 +1,45 @@
+name: TF Test
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  actions: read
+  checks: write
+  contents: read
+  id-token: write
+  pull-requests: read
+
+jobs:
+  tf-test:
+    name: 🧪 ${{ matrix.tf }} test
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        tf: [tofu, terraform]
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Aqua Cache
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        if: ${{ !github.event.act }} # Don't enable the cache step if we're using act for testing
+        with:
+          path: ~/.local/share/aquaproj-aqua
+          key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('aqua.yaml')}}
+          restore-keys: |
+            v1-aqua-installer-${{runner.os}}-${{runner.arch}}-
+
+      - name: Install Aqua
+        uses: aquaproj/aqua-installer@5e54e5cee8a95ee2ce7c04cb993da6dfad13e59c # v3.2.1
+        with:
+          aqua_version: v2.48.1
+
+      - name: Aqua Install
+        shell: bash
+        run: aqua install --tags ${{ matrix.tf }}
+
+      - run: ${{ matrix.tf }} init
+      - run: ${{ matrix.tf }} test

.github/workflows/trunk-upgrade.yaml

@@ -17,7 +17,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Create Token for MasterpointBot App
         uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0
@@ -27,7 +27,7 @@ jobs:
           private_key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
 
       - name: Upgrade
-        uses: trunk-io/trunk-action/upgrade@86b68ffae610a05105e90b1f52ad8c549ef482c2 #v1.1.16
+        uses: trunk-io/trunk-action/upgrade@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19
         with:
           github-token: ${{ steps.generate-token.outputs.token }}
           reviewers: "@masterpointio/masterpoint-internal"

.gitignore

@@ -9,6 +9,10 @@
 # Local .terraform directories
 **/.terraform/*
 
+# Ignore the root .terraform.lock.hcl file (Child modules don't want this)
+.terraform.lock.hcl
+!examples/**/.terraform.lock.hcl
+
 # IDE/Editor settings
 **/.idea
 **/*.iml
@@ -39,4 +43,4 @@ backend.tf.json
 **/*.temp
 **/*.bak
 **/*.*swp
-**/.DS_Store
+**/.DS_Store

.terraform-docs.yaml

@@ -0,0 +1,16 @@
+version: 0.20.0
+formatter: markdown table
+
+recursive:
+  enabled: false
+
+settings:
+  lockfile: false
+
+output:
+  file: README.md
+  mode: inject
+  template: |-
+    <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+    {{ .Content }}
+    <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

.trunk/configs/.markdownlint.yaml

@@ -12,3 +12,8 @@ whitespace: false
 # Ignore MD041/first-line-heading/first-line-h1
 # Error: First line in a file should be a top-level heading
 MD041: false
+
+# Ignore MD013/line-length
+MD013:
+  strict: false
+  line_length: 350

.trunk/trunk.yaml

@@ -2,12 +2,12 @@
 # To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml
 version: 0.1
 cli:
-  version: 1.22.11
+  version: 1.22.12
 # Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins)
 plugins:
   sources:
     - id: trunk
-      ref: v1.6.7
+      ref: v1.6.8
       uri: https://github.com/trunk-io/plugins
 # Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
 runtimes:
@@ -20,22 +20,27 @@ lint:
     # Incompatible with some Terraform features: https://github.com/tenable/terrascan/issues/1331
     - terrascan
   enabled:
-    - tofu@1.9.0
+    - tofu@1.9.1
     - actionlint@1.7.7
-    - checkov@3.2.394
+    - checkov@3.2.408
     - git-diff-check
     - markdownlint@0.44.0
     - prettier@3.5.3
     - tflint@0.56.0
-    - trivy@0.61.0
-    - trufflehog@3.88.20
+    - trivy@0.61.1
+    - trufflehog@3.88.25
     - yamllint@1.37.0
   ignore:
     - linters: [tofu]
       paths:
         - "**/backend.tf.json"
+    # Ignore CHANGELOG.md as release-please manages this file
+    - linters: [ALL]
+      paths:
+        - "**/CHANGELOG.md"
 actions:
   enabled:
+    - terraform-docs
     - trunk-announce
     - trunk-check-pre-push
     - trunk-fmt-pre-commit