
Initial commit
jamesiarmes authored Nov 15, 2024
0 parents commit 244b28e
Showing 13 changed files with 463 additions and 0 deletions.
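--- a/.cz.yaml
+++ b/.cz.yaml
@@ -0,0 +1,7 @@
+---
+commitizen:
+changelog_incremental: true
+name: cz_conventional_commits
+update_changelog_on_bump: true
+version: 0.1.0
+version_scheme: semver2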
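--- a/.editorconfig
+++ b/.editorconfig
@@ -0,0 +1,9 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 2
+indent_style = space
+insert_final_newline = true
+trim_trailing_whitespace = true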
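--- a/.github/workflows/branch.yaml
+++ b/.github/workflows/branch.yaml
@@ -0,0 +1,46 @@
+name: Branch Checks
+
+on:
+push:
+branches-ignore:
+- main
+
+jobs:
+lint:
+name: Lint updated files
+runs-on: ubuntu-latest
+steps:
+- name: Checkout source code
+uses: actions/checkout@v4
+- uses: actions/cache@v4
+name: Cache plugin directory
+with:
+path: ~/.tflint.d/plugins
+key: tflint-${{ hashFiles('.tflint.hcl') }}
+- uses: terraform-linters/setup-tflint@v4
+name: Setup TFLint
+- name: Show version
+run: tflint --version
+- name: Init TFLint
+run: tflint --init
+- name: Run TFLint
+run: tflint --format compact --recursive
+
+trivy:
+name: Run security scan
+runs-on: ubuntu-latest
+steps:
+- name: Checkout source code
+uses: actions/checkout@v4
+- name: Run Trivy vulnarability scanner
+uses: aquasecurity/trivy-action@master
+with:
+scan-type: config
+format: sarif
+output: "trivy-results.sarif"
+- name: Parse SARIF file
+# Always run this step, even if a previous step failed.
+if: always()
+uses: Ayrx/sarif_to_github_annotations@v0.2.2
+with:
+sarif_file: "trivy-results.sarif"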
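Review bot: Neither job declares a `permissions:` block, so both run with whatever the repository's default `GITHUB_TOKEN` scope happens to be; they only need to read the checkout, so add `permissions:` / `  contents: read` at the workflow top to make that explicit (if the annotation step turns out to need `checks: write`, grant it on the `trivy` job only). `aquasecurity/trivy-action@master` is a mutable branch reference and `Ayrx/sarif_to_github_annotations@v0.2.2` is a mutable tag on a small third-party action — a compromised upstream runs with this job's token — so pin both to a full commit SHA with the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<sha> # 0.28.0`. The step name `Run Trivy vulnarability scanner` also has a typo for `vulnerability`.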
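--- a/.github/workflows/codeql-analysis.yaml
+++ b/.github/workflows/codeql-analysis.yaml
@@ -0,0 +1,47 @@
+name: CodeQL
+
+on:
+push:
+branches:
+- main
+pull_request:
+branches:
+- main
+schedule:
+- cron: '45 13 * * *'
+
+jobs:
+analyze:
+name: Analyze
+runs-on: ubuntu-latest
+permissions:
+actions: read
+contents: read
+security-events: write
+
+strategy:
+fail-fast: false
+matrix:
+# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+# Using "javascript" to scan JSON and YAML files.
+language: [ 'javascript' ]
+
+steps:
+- name: Checkout repository
+uses: actions/checkout@v4
+
+# Initializes the CodeQL tools for scanning.
+- name: Initialize CodeQL
+uses: github/codeql-action/init@v3
+with:
+languages: ${{ matrix.language }}
+# If you wish to specify custom queries, you can do so here or in a config file.
+# By default, queries listed here will override any specified in a config file.
+# Prefix the list here with "+" to use these queries and those in the config file.
+
+# Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+queries: security-extended,security-and-quality
+- name: Perform CodeQL Analysis
+uses: github/codeql-action/analyze@v3
+with:
+category: "/language:${{matrix.language}}"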
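Review bot: `queries: security-extended,security-and-quality` names two suites where the second is a superset of the first, so the first entry adds configuration noise without coverage; `queries: security-and-quality` alone gives the same result. For a repository that, going by the TFLint jobs and CONTRIBUTING.md, holds OpenTofu/HCL, the `javascript` extractor will see little of the actual infrastructure code — CodeQL has, as far as I know, no HCL support — so the real IaC coverage here comes from Trivy, and the matrix comment should say so explicitly, e.g. `# CodeQL has no HCL support; "javascript" only covers the JSON/YAML files (workflows, tfvars.json).` The job-level `permissions:` block is the right pattern and is the one the other three workflows in this commit are missing.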
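--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -0,0 +1,46 @@
+name: Main Checks
+
+on:
+push:
+branches:
+- main
+
+jobs:
+lint:
+name: Lint updated modules
+runs-on: ubuntu-latest
+steps:
+- name: Checkout source code
+uses: actions/checkout@v4
+- uses: actions/cache@v4
+name: Cache plugin directory
+with:
+path: ~/.tflint.d/plugins
+key: tflint-${{ hashFiles('.tflint.hcl') }}
+- uses: terraform-linters/setup-tflint@v4
+name: Setup TFLint
+- name: Show version
+run: tflint --version
+- name: Init TFLint
+run: tflint --init
+- name: Run TFLint
+run: tflint --format compact --recursive
+
+trivy:
+name: Run security scan
+runs-on: ubuntu-latest
+steps:
+- name: Checkout source code
+uses: actions/checkout@v4
+- name: Run Trivy vulnarability scanner
+uses: aquasecurity/trivy-action@master
+with:
+scan-type: config
+format: sarif
+output: "trivy-results.sarif"
+- name: Upload SARIF result
+# Always run this step, even if a previous step failed.
+if: always()
+uses: github/codeql-action/upload-sarif@v3
+with:
+sarif_file: "trivy-results.sarif"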
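Review bot: The `Upload SARIF result` step uses `github/codeql-action/upload-sarif@v3`, which requires `security-events: write`, but the `trivy` job declares no `permissions:`; on a repository whose default token is read-only (GitHub's default for new repositories) the upload fails and the Trivy findings never reach code scanning, while on a write-all default the job carries far more token than it needs. Declare the scope on the job: `permissions:` / `  contents: read` / `  security-events: write` (and `contents: read` on `lint`), mirroring the codeql-analysis workflow. `aquasecurity/trivy-action@master` is also a mutable branch reference running with that token; pin it to a full commit SHA with the version noted in a comment.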
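--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,100 @@
+name: Release New Version
+
+on:
+push:
+branches:
+- main
+
+jobs:
+# Builds a new release for the module by bumping the version number and
+# generating a changelog entry. Commit the changes and open a pull request.
+build-release:
+name: Build new release
+runs-on: ubuntu-latest
+if: ${{ !startsWith(github.event.head_commit.message, 'bump:') }}
+steps:
+- name: Checkout source code
+uses: actions/checkout@v4
+with:
+fetch-depth: 0
+- name: Bump version and create changelog
+id: bump
+uses: commitizen-tools/commitizen-action@master
+with:
+push: false
+github_token: ${{ secrets.GITHUB_TOKEN }}
+git_redirect_stderr: true
+- name: Get the commit message
+id: message
+run: |
+MESSAGE=$(git log --format=%B -n 1)
+echo "message=${MESSAGE}" >> $GITHUB_OUTPUT
+- name: Open a pull request for the release
+uses: peter-evans/create-pull-request@v7
+with:
+branch: release-${{ steps.bump.outputs.version }}
+title: ${{ steps.message.outputs.message }}
+
+# Creates a new tag and GitHub release for the module.
+release:
+name: Release module
+runs-on: ubuntu-latest
+if: startsWith(github.event.head_commit.message, 'bump:')
+steps:
+- name: Checkout source code
+uses: actions/checkout@v4
+- name: Get the module name
+id: module_name
+run: |
+REPO_NAME="${{ github.event.repository.name }}"
+REPO_NAME="${REPO_NAME/tofu-modules-/}"
+MODULE_NAME="${REPO_NAME//-/_}"
+echo "name=${MODULE_NAME}" >> $GITHUB_OUTPUT
+- name: Get the version from the commit message
+id: version
+uses: actions/github-script@v7
+env:
+COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+with:
+result-encoding: string
+# Look for the last version number, expecting it to be in the format:
+# `#.#.#-<suffix>.#` where the suffix is optional.
+script: |
+const message = process.env.COMMIT_MESSAGE;
+const regex = /^bump:.+(?<version>\d+\.\d+\.\d+[\da-z.-]*) \(#\d+\)$/m;
+const version = message.match(regex).groups.version;
+console.log(version);
+return version;
+- name: Bundle the module
+# We create an empty file first, so that tar doesn't complain about the
+# contents changing while it's running.
+run: |
+touch '${{ steps.module_name.outputs.name }}-${{ steps.version.outputs.result }}.tar.gz'
+tar \
+--exclude='.git' \
+--exclude='.gitignore' \
+--exclude='.github' \
+--exclude='.cz.yaml' \
+--exclude='*.tar.gz' \
+--exclude='*.tfvars' \
+--exclude='release.md' \
+--exclude='CODEOWNERS' \
+--exclude='trivy.yaml' \
+--exclude='*.env' \
+-czf '${{ steps.module_name.outputs.name }}-${{ steps.version.outputs.result }}.tar.gz' \
+.
+- name: Get changelog entry
+id: changelog
+uses: artlaman/conventional-changelog-reader-action@v1.1.0
+with:
+version: ${{ steps.version.outputs.result }}
+- name: Create release
+uses: softprops/action-gh-release@v2
+with:
+body: |
+## ${{ steps.changelog.outputs.version }} (${{ steps.changelog.outputs.date }})
+${{ steps.changelog.outputs.changes }}
+tag_name: ${{ steps.version.outputs.result }}
+files: |
+${{ steps.module_name.outputs.name }}-${{ steps.version.outputs.result }}.tar.gz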
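Review bot: Neither job declares `permissions:`, yet `peter-evans/create-pull-request@v7` needs `contents: write` plus `pull-requests: write` and `softprops/action-gh-release@v2` needs `contents: write`, so with a read-only default token both jobs fail at their last step, and with a write-all default the unpinned `commitizen-tools/commitizen-action@master` (which is handed `secrets.GITHUB_TOKEN` explicitly) receives far more than it needs — scope each job and pin that reference to a commit SHA. The `Get the commit message` step writes `%B`, the full message body, into `$GITHUB_OUTPUT` with a plain `echo`; a multi-line message breaks the key=value format and lets a second line define further outputs, so use the heredoc form with a delimiter that cannot appear in the body. `REPO_NAME="${{ github.event.repository.name }}"` and the `${{ steps.*.outputs.* }}` interpolations in `Bundle the module` are the expression-injection pattern in `run:`; the values here are constrained (repository-name charset, the `[\da-z.-]*` version regex), so I see no exploitable path today, but routing them through `env:` costs nothing and survives a later relaxation of that regex. Note also that `message.match(regex).groups.version` throws a bare TypeError on a `bump:` commit that does not end in ` (#N)`, which is an acceptable failure but deserves a comment saying the format is intentional.

```yaml
  build-release:
    name: Build new release
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    # … unchanged: if, checkout and bump steps …
      - name: Get the commit message
        id: message
        run: |
          delim="msg_$(openssl rand -hex 16)"
          {
            echo "message<<${delim}"
            git log --format=%B -n 1
            echo "${delim}"
          } >> "$GITHUB_OUTPUT"
    # … unchanged: create-pull-request step …

  release:
    name: Release module
    runs-on: ubuntu-latest
    permissions:
      contents: write
    # … unchanged: checkout step …
      - name: Get the module name
        id: module_name
        env:
          REPO: ${{ github.event.repository.name }}
        run: |
          REPO_NAME="${REPO/tofu-modules-/}"
          MODULE_NAME="${REPO_NAME//-/_}"
          echo "name=${MODULE_NAME}" >> "$GITHUB_OUTPUT"
    # … unchanged: version, bundle, changelog and release steps …
```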
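--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,39 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+.env
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Ignore the plan output of command: terraform plan -out=tfplan
+*tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+# Ignore release artifacts
+release.md
+/*.tar.gz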
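Review bot: `.env` only ignores a file literally named `.env`, whereas the release workflow in this same commit excludes `*.env` from the tarball, which suggests variants such as `.env.local` or `prod.env` are expected in working trees; those would currently be committable, and they sit under the comment explaining that this group holds secrets. Widen the rule to `*.env` (keeping `.env` is harmless) so the ignore pattern matches the release exclusion. The `*tfplan*` pattern is worth a one-line comment too — plan files can embed resolved sensitive values, which is the actual reason to keep them out, not just their size.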
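--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -0,0 +1,11 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to
+[Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## Unreleased
+
+Initial release.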
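--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -0,0 +1 @@
+* @codeforamerica/devops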
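--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,46 @@
+# Contributing
+
+## Commit message format
+
+All commit messages should follow the [Conventional Commits][commits] format.
+This format allows us to automatically generate changelogs and version numbers
+based on the commit messages.
+
+Common commit types include:
+
+* `fix`: A bug fix
+* `feat`: A new feature
+* `ci`: Changes to CI/CD
+* `docs`: Changes to documentation
+
+adding `!` after the type indicates a breaking change. For example, `feat!`
+would indicate a new feature that breaks existing functionality, and would
+therefore require a major version bump.
+
+`bump` is a special type used to indicate a version bump. This is used by the
+automated release process, and should be avoided in normal commits.
+
+## Coding standards
+
+Code should follow the [OpenTofu style conventions][style]. This ensures that
+all code is consistent and easy to read and maintain.
+
+To make resources easier to find, you may group them together in a single file
+within your module. For example, while `main.tf` handles the main configuration,
+you may create a `dns.tf` file to handle all DNS-related resources.
+
+Additionally, the following should be grouped together within their own files:
+
+* `data.tf` for data sources
+* `local.tf` for local values
+* `output.tf` for outputs
+
+## Code reviews
+
+All code should be contributing in the form of a pull request. Pull requests
+should have an approval from _at least_ one required reviewer as defined in the
+`CODEOWNERS` file. Additional reviews are welcome, and may be requested by
+either the submitter or the required reviewer.
+
+[commits]: https://www.conventionalcommits.org/en/v1.0.0/
+[style]: https://opentofu.org/docs/language/syntax/style/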
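--- a/LICENSE
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Code for America
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.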
