Feature/pre commit

.github/workflows/ci.yml

@@ -0,0 +1,20 @@
+name: Pre-commit checks
+
+on:
+  push:
+    branches:
+      - develop
+      - master
+  pull_request:
+
+jobs:
+  pre_commit_checks:
+    name: Pre-Commit checks
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@main
+      - uses: hashicorp/setup-terraform@v3
+      - uses: terraform-linters/setup-tflint@v4
+
+      - uses: pre-commit/action@main

.pre-commit-config.yaml

@@ -0,0 +1,24 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-case-conflict
+      - id: detect-private-key
+
+  # - repo: https://github.com/terraform-docs/terraform-docs
+  #   rev: "v0.19.0"
+  #   hooks:
+  #     - id: terraform-docs-go
+  #       args: ["markdown", "table", "--output-file", "README-terraform.md", "./base-infrastructure/terraform"]
+
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: "v1.98.0"
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_tflint
+      - id: terraform_validate
+      # - id: terraform_trivy
+      # - id: infracost_breakdown

.tflint.hcl

@@ -0,0 +1,12 @@
+tflint {
+  required_version = ">= 0.55"
+}
+
+config {
+  format = "compact"
+}
+
+plugin "azurerm" {
+    enabled = true
+    deprecated = true
+}

README.md

@@ -12,4 +12,4 @@ The repository is structured as follows:
 - `base-infrastructure`: Contains the Terraform configuration files for deploying the Kubernetes clusters and other infrastructure components like managed databases, object storage etc on Azure.
 
 - `applications/go-api`: Contains the deployment scripts and Helm configurations for deploying Helm charts of IFRC GO ecosystem applications onto the Kubernetes clusters.
-- `applications/argocd`: Contains the definitions of kubernetes resoures for managing applications whose deployment is managed by [ArgoCD](https://argo-cd.readthedocs.io/en/stable/). 
+- `applications/argocd`: Contains the definitions of kubernetes resoures for managing applications whose deployment is managed by [ArgoCD](https://argo-cd.readthedocs.io/en/stable/).

applications/argocd/README.md

@@ -51,9 +51,9 @@ Azure Key Vault is used to securely store and manage sensitive information such
    - Install the Secrets Store CSI Driver on your AKS cluster. For our cluster this is done through terraform with this config on the AKS cluster:
      ```
      resource "azurerm_kubernetes_cluster" "ifrcgo" {
-     
+
        ... other config ....
-     
+
        key_vault_secrets_provider {
          secret_rotation_enabled  = true
          secret_rotation_interval = var.secret_rotation_interval
@@ -63,7 +63,7 @@ Azure Key Vault is used to securely store and manage sensitive information such
      }
      ```
      The above configuration also enables the AKS cluster to check for secret changes after a fixed interval.
-     
+
    - Ensure that the AKS cluster has the necessary permissions to access the Azure Key Vault.
 
 2. **Create a `SecretProviderClass`**:

applications/argocd/production/applications/alert-hub-backend.yaml

@@ -85,4 +85,4 @@ spec:
       prune: true
       selfHeal: true
     syncOptions:
-      - CreateNamespace=true
+      - CreateNamespace=true

applications/argocd/production/applications/alert-hub-frontend.yaml

@@ -19,7 +19,7 @@ spec:
           value: nginx
         - name: ingress.tls.secretName
           value: "alerthub-helm-secret-cert"
-        - name: env.APP_GRAPHQL_API_ENDPOINT 
+        - name: env.APP_GRAPHQL_API_ENDPOINT
           value: https://alerthub-api.ifrc.org/graphql/
       valueFiles:
         - values.yaml
@@ -32,4 +32,4 @@ spec:
       prune: true
       selfHeal: true
     syncOptions:
-      - CreateNamespace=true
+      - CreateNamespace=true

applications/argocd/production/platform/image-updater.yaml

@@ -25,4 +25,4 @@ spec:
       prune: true
       selfHeal: true
     syncOptions:
-      - CreateNamespace=true
+      - CreateNamespace=true

applications/argocd/production/platform/reloader.yaml

@@ -17,4 +17,4 @@ spec:
       prune: true
       selfHeal: true
     syncOptions:
-      - CreateNamespace=true
+      - CreateNamespace=true

applications/argocd/staging/applications/alert-hub-backend.yaml

@@ -48,7 +48,7 @@ spec:
           aksSecretsProviderAvailable: true
           keyvault:
             name: "alert-hub-staging-kv"
-            clientId: "99dd63fe-721e-4abb-b30d-e2b782d2893d" 
+            clientId: "99dd63fe-721e-4abb-b30d-e2b782d2893d"
             tenantId: "a2b53be5-734e-4e6c-ab0d-d184f60fd917"
         env:
           APP_FRONTEND_HOST: "https://alerthub-stage.ifrc.org"

applications/argocd/staging/applications/alert-hub-frontend.yaml

@@ -19,7 +19,7 @@ spec:
           value: nginx
         - name: ingress.tls.secretName
           value: "alerthub-helm-secret-cert"
-        - name: env.APP_GRAPHQL_API_ENDPOINT 
+        - name: env.APP_GRAPHQL_API_ENDPOINT
           value: https://alerthub-stage-api.ifrc.org/graphql/
       valueFiles:
         - values.yaml

applications/argocd/staging/applications/montandon-etl.yaml

@@ -79,4 +79,4 @@ spec:
       prune: true
       selfHeal: true
     syncOptions:
-      - CreateNamespace=true
+      - CreateNamespace=true

applications/argocd/staging/platform/image-updater.yaml

@@ -25,4 +25,4 @@ spec:
       prune: true
       selfHeal: true
     syncOptions:
-      - CreateNamespace=true
+      - CreateNamespace=true

applications/argocd/staging/platform/reloader.yaml

@@ -17,4 +17,4 @@ spec:
       prune: true
       selfHeal: true
     syncOptions:
-      - CreateNamespace=true
+      - CreateNamespace=true

applications/go-api/azure-pipelines.yaml

@@ -197,4 +197,3 @@ jobs:
       OIDC_ENABLE: $(PRODUCTION_OIDC_ENABLE)
       OIDC_RSA_PRIVATE_KEY_BASE64_ENCODED: $(PRODUCTION_OIDC_RSA_PRIVATE_KEY_BASE64_ENCODED)
       OIDC_RSA_PUBLIC_KEY_BASE64_ENCODED: $(PRODUCTION_OIDC_RSA_PUBLIC_KEY_BASE64_ENCODED)
-

base-infrastructure/terraform/app_resources.tf

@@ -13,9 +13,9 @@ module "risk_module_resources" {
 }
 
 locals {
-  alerthub_db_name  = "alerthubdb"
-  montandon_db_name = "montandondb"
-  sdt_db_name       = "sdtdb"
+  alerthub_db_name        = "alerthubdb"
+  montandon_db_name       = "montandondb"
+  sdt_db_name             = "sdtdb"
   montandon_eoapi_db_name = "montandoneoapidb"
 }
 
@@ -194,4 +194,4 @@ module "montandon_eoapi_resources" {
     "c31baae7-afbf-4ad3-8e01-5abbd68adb16",
     "32053268-3970-48f3-9b09-c4280cd0b67d"
   ]
-}
+}

base-infrastructure/terraform/app_resources/data.tf

@@ -3,4 +3,4 @@ data "azurerm_client_config" "current" {
 
 data "azurerm_resource_group" "app_rg" {
   name = var.resource_group_name
-}
+}

base-infrastructure/terraform/app_resources/database.tf

@@ -9,4 +9,4 @@ resource "azurerm_postgresql_flexible_server_database" "app" {
   lifecycle {
     prevent_destroy = true
   }
-}
+}

base-infrastructure/terraform/app_resources/iam.tf

@@ -41,4 +41,4 @@ resource "azurerm_role_assignment" "key_vault_devs" {
   scope                = azurerm_key_vault.app_kv.id
   role_definition_name = "Key Vault Administrator"
   principal_id         = var.vault_admin_ids[count.index]
-}
+}

base-infrastructure/terraform/app_resources/key-vault.tf

@@ -24,4 +24,4 @@ resource "azurerm_key_vault" "app_kv" {
     ip_rules                   = var.key_vault_network_acls.ip_rules
     virtual_network_subnet_ids = var.key_vault_network_acls.virtual_network_subnet_ids
   }
-}
+}

base-infrastructure/terraform/app_resources/outputs.tf

@@ -24,4 +24,4 @@ output "workload_client_id" {
 
 output "workload_id" {
   value = azurerm_user_assigned_identity.workload.id
-}
+}

base-infrastructure/terraform/app_resources/providers.tf

@@ -9,4 +9,4 @@ terraform {
       version = "=3.117.0"
     }
   }
-}
+}

base-infrastructure/terraform/app_resources/secrets.tf

@@ -13,4 +13,4 @@ resource "azurerm_key_vault_secret" "secret_" {
   lifecycle {
     ignore_changes = all
   }
-}
+}

base-infrastructure/terraform/app_resources/storage_containers.tf

@@ -14,4 +14,4 @@ resource "azurerm_role_assignment" "storage_blob_reader" {
   scope                = "${var.storage_config.storage_account_id}/blobServices/default/containers/${azurerm_storage_container.app_container[count.index].name}"
   role_definition_name = "Storage Blob Data Contributor"
   principal_id         = azurerm_user_assigned_identity.workload.principal_id
-}
+}

base-infrastructure/terraform/app_resources/variables.tf

@@ -105,4 +105,4 @@ variable "vault_admin_ids" {
   description = "the Azure principals that shall have access to the vault"
   type        = list(string)
   default     = []
-}
+}

base-infrastructure/terraform/main.tf

@@ -1,9 +1,9 @@
 module "resources" {
-  source = "./resources/"
-  environment = var.environment
-  subscriptionId = var.subscriptionId
-  REGION = var.REGION
-  RESOURCES_DB_NAME = var.RESOURCES_DB_NAME
+  source              = "./resources/"
+  environment         = var.environment
+  subscriptionId      = var.subscriptionId
+  REGION              = var.REGION
+  RESOURCES_DB_NAME   = var.RESOURCES_DB_NAME
   RESOURCES_DB_SERVER = var.RESOURCES_DB_SERVER
 }
 
@@ -14,11 +14,11 @@ terraform {
     container_name       = "terraform"
     # this is meant to be replaced in base-infrastructure/scripts/setup-infra.sh
     # so that the correct environment is deployed
-    key                  = "ENVIRONMENT_TO_REPLACE"
+    key = "ENVIRONMENT_TO_REPLACE"
   }
 }
 
 output "resources" {
   value     = module.resources
   sensitive = true
-}
+}

base-infrastructure/terraform/output.tf

@@ -20,21 +20,21 @@ output "risk_module_app_resource_details" {
 
 output "sdt_app_resource_details" {
   value = {
-    key_vault_name     = module.sdt_resources.key_vault_name
-    workload_id        = module.sdt_resources.workload_client_id
+    key_vault_name = module.sdt_resources.key_vault_name
+    workload_id    = module.sdt_resources.workload_client_id
   }
 }
 
 output "motandon_etl_app_resource_details" {
   value = {
-    key_vault_name     = module.montandon_etl_resources.key_vault_name
-    workload_id        = module.montandon_etl_resources.workload_client_id
+    key_vault_name = module.montandon_etl_resources.key_vault_name
+    workload_id    = module.montandon_etl_resources.workload_client_id
   }
 }
 
 output "motandon_eoapi_app_resource_details" {
   value = {
-    key_vault_name     = module.montandon_eoapi_resources.key_vault_name
-    workload_id        = module.montandon_eoapi_resources.workload_client_id
+    key_vault_name = module.montandon_eoapi_resources.key_vault_name
+    workload_id    = module.montandon_eoapi_resources.workload_client_id
   }
-}
+}

base-infrastructure/terraform/registry.tf

@@ -10,4 +10,4 @@ module "go_shared_registry" {
 
   registry_sku        = "Standard"
   resource_group_name = module.resources.resource_group
-}
+}

base-infrastructure/terraform/registry/ci_access.tf

@@ -57,4 +57,4 @@ resource "azurerm_role_assignment" "acr_token_password_access" {
   scope              = azurerm_container_registry.shared.id
   role_definition_id = azurerm_role_definition.acr_token_password_reader.role_definition_resource_id
   principal_id       = data.azurerm_client_config.current.object_id
-}
+}

base-infrastructure/terraform/registry/cluster_access_principals.tf

@@ -4,4 +4,4 @@ resource "azurerm_role_assignment" "acr_pull" {
   scope                = azurerm_container_registry.shared.id
   role_definition_name = "AcrPull" # Grants the "ACR pull" permission
   principal_id         = var.pull_principal_ids[count.index]
-}
+}

base-infrastructure/terraform/registry/data.tf

@@ -4,4 +4,4 @@ data "azurerm_resource_group" "app_rg" {
 }
 
 data "azurerm_client_config" "current" {
-}
+}

base-infrastructure/terraform/registry/main.tf

@@ -4,4 +4,4 @@ resource "azurerm_container_registry" "shared" {
   location            = data.azurerm_resource_group.app_rg.location
   sku                 = var.registry_sku
   admin_enabled       = var.admin_enabled
-}
+}

base-infrastructure/terraform/registry/outputs.tf

@@ -10,4 +10,4 @@ output "acr_token_password" {
 
 output "registry_server" {
   value = azurerm_container_registry.shared.login_server
-}
+}