Initial commit

Author: matt-mercer

.ansible-lint

@@ -0,0 +1,8 @@
+parseable: true
+use_default_rules: true
+skip_list:
+  - name[casing]
+  - fqcn[action-core]
+  - yaml[line-length]
+  - var-naming[no-role-prefix]
+  - name[template]

.dockerignore

@@ -0,0 +1,25 @@
+.dockerignore
+.git/
+.idea
+.venv/
+.vscode/
+**/*.pyc
+**/__pycache__
+**/.venv
+dist/
+**/dist/
+build/
+**/build/
+.pytest_cache/
+**/.pytest_cache/
+.lock-hash
+poetry-cmd.sh
+.coverage
+.coverage-out/
+.mypy_cache/
+**/.mypy_cache/
+reports/
+resources/
+scripts/
+*.pem
+.behave.log

.gitallowed

@@ -0,0 +1,4 @@
+.gitallowed:[0-9]+:.*
+.gitdisallowed:[0-9]+:.*
+.git/(?!COMMIT_EDITMSG|OTHERFILE)\w+:.*
+terraform/modules/account/s3.tf:[0-9]+:\s+"arn:aws:iam::652711504416:root"

.gitdisallowed

@@ -0,0 +1,21 @@
+https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8,12}/[a-zA-Z0-9_]{24}
+amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}
+arn:aws:iam::0*[0-9][0-9]*
+ghp_[0-9a-zA-Z]{36}
+gho_[0-9a-zA-Z]{36}
+(ghu|ghs)_[0-9a-zA-Z]{36}
+ghr_[0-9a-zA-Z]{76}
+xox[baprs]-([0-9a-zA-Z]{10,48})?
+-----BEGIN\ ((EC|PGP|DSA|RSA|OPENSSH)\ )?PRIVATE KEY( BLOCK)?-----
+AIza[0-9A-Za-z\\-_]{35}
+'"type": "service_account"'
+[a-z]{2}-[a-z-]*-[1,2,3]\.rds\.amazonaws\.com
+[a-z]{2}-[a-z-]*-[1,2,3]\.es\.amazonaws\.com
+[a-z]*[1-3]\.cache\.amazonaws\.com
+-----BEGIN[[:blank:]]CERTIFICATE-----
+[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}
+(CLIENT|client|Client)(_|\s)(SECRET|secret|Secret)\s*(:|=>|=)\s*("|')?(\{)?[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\})?("|')?
+("|'?)[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd]("|'?)\s*(=|:)\s*.+
+("|'?)[Tt][Oo][Kk][Ee][Nn]("|'?)\s*(=|:)\s*.+
+
+###_NOTE_REMOVED_PREVIOUS_IP_RULE_:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}###

.github/dependabot.yml

@@ -0,0 +1,37 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    open-pull-requests-limit: 2
+    schedule:
+      interval: "monthly"
+    commit-message:
+      prefix: "github actions "
+      include: scope
+
+  - package-ecosystem: "pip"
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"
+      time: "08:00"
+
+    groups:
+      dev-dependencies:
+        patterns:
+          - "ansible-lint"
+          - "black"
+          - "boto3"
+          - "coverage"
+          - "black"
+          - "ipython"
+          - "mypy"
+          - "petname"
+          - "pytest"
+          - "pytest-*"
+          - "ruff"
+          - "types-*"

.github/workflows/merge-develop.yml

@@ -0,0 +1,27 @@
+name: odin-merge
+on:
+  push:
+    branches:
+      - develop
+
+env:
+  ACCOUNT_ID: ${{ secrets.DEV_ACCOUNT_ID }}
+
+jobs:
+
+  on-merge:
+    uses: NHSDigital/odin-actions/.github/workflows/on-merge-pipeline.yml@v1
+    with:
+      repo-name: odin-template
+      terraform-approvals: false
+
+  create-release:
+    needs:
+      - on-merge
+      # - tests
+    uses: NHSDigital/odin-actions/.github/workflows/on-merge-create-release.yml@v1
+    with:
+      repo-name: odin-template
+      application: "replace-me"
+#      stack: "main"
+      on-merge-execution-id: "${{ needs.on-merge.outputs.on-merge-execution-id }}"

.github/workflows/pull-request.yml

@@ -0,0 +1,52 @@
+name: pull-request
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - develop
+
+env:
+  ACCOUNT_ID: "${{ secrets.DEV_ACCOUNT_ID }}"
+
+jobs:
+
+  lint:
+    uses: NHSDigital/odin-actions/.github/workflows/standard-linting.yml@v1
+
+  validate-build:
+
+    runs-on:
+      - codebuild-runner-odin-template-${{ github.run_id }}-${{ github.run_attempt }}
+      - buildspec-override:true
+    steps:
+
+      - name: checkout the calling repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: common build setup
+        uses: NHSDigital/odin-actions/.github/actions/build-common@v1
+
+      - name: build artifacts
+        id: build-artifacts
+        uses: NHSDigital/odin-actions/.github/actions/build-artifacts@v1
+        with:
+          application: "replace-me"
+
+#      - name: terraform-plan
+#        uses: NHSDigital/odin-actions/.github/actions/terraform-stack-plan-no-lock-codepipeline@v1
+#        with:
+#          application: "replace-me"
+#          version: ${{ steps.build-artifacts.outputs.version }}
+
+  auto-merge-dependabot:
+    needs:
+      - lint
+      - validate-build
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    uses: NHSDigital/odin-actions/.github/workflows/dependabot-automation.yml@v1
+    with:
+      repo-name: "${{ github.repository }}"
+      auto-approve: true
+      auto-merge: true

.gitignore

@@ -0,0 +1,77 @@
+# IDE and various other developer tools
+.idea
+.ipynb_checkpoints
+*.swp
+
+# Misc
+!.gitkeep
+*.orig
+.github-artifacts
+scanner
+.scannerwork
+docker-compose.override.yml
+.vscode/*.log
+coverage.xml
+.coverage.*
+docker/digests.yml
+
+# Packaging
+build/
+dist/
+reports/
+
+#Ansible
+*.retry
+.ansible/
+
+# Python
+.env
+.venv
+venv
+*.pyc
+__pycache__
+.mypy_cache
+**/.pytest_cache/
+.python-version
+.coverage
+.coverage-out/
+requirements.txt
+**/requirements.txt
+.lock-hash
+
+# Node
+node_modules/
+
+# Terraform
+**/.terraform/*
+*.tfstate
+*.tfstate.*
+.terraform/
+.terraform.plan
+terraform.log
+.tfplan.out
+.tfplan.exit
+terraform/stacks/local/.terraform.lock.hcl
+terraform/**/external-vars.json
+terraform.d/
+
+# certs/keys/pems
+*.crt
+*.csr
+*.key
+*.pem
+*.pfx
+*.srl*
+*.csr.cfg
+*id_rsa*
+
+# mailbox passwords etc.
+*secrets.json
+
+# Big binaries
+*.bz2
+*.gz
+*.jar
+*.tar.gz
+*.tgz
+*.zip

.pre-commit-config.yaml

@@ -0,0 +1,106 @@
+fail_fast: false
+exclude: '^.venv/.*'
+default_install_hook_types: [pre-commit, pre-push, commit-msg, prepare-commit-msg]
+default_stages: [pre-commit]
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: check-ast
+      - id: check-toml
+      - id: check-yaml
+        exclude: |
+          (?x)(^helm/.*/templates)
+      - id: check-json
+      - id: end-of-file-fixer
+      - id: fix-byte-order-marker
+      - id: trailing-whitespace
+      - id: check-executables-have-shebangs
+      - id: check-symlinks
+      - id: destroyed-symlinks
+      - id: mixed-line-ending
+      - id: detect-aws-credentials
+      - id: detect-private-key
+      - id: fix-byte-order-marker
+      - id: requirements-txt-fixer
+
+  - repo: local
+    hooks:
+      - id: black
+        name: black
+        entry: make black
+        language: system
+        types_or: [python, pyi, jupyter]
+        pass_filenames: false
+      - id: ruff
+        name: ruff
+        entry: make ruff
+        language: system
+        types_or: [python, pyi, jupyter]
+        pass_filenames: false
+      - id: mypy
+        name: mypy
+        entry: make mypy
+        language: system
+        types_or: [python, pyi, jupyter]
+        pass_filenames: false
+      - id: trivy
+        name: trivy
+        entry: make tf-trivy
+        language: system
+        files: \.tf(vars)?$
+        pass_filenames: false
+      - id: tf-format
+        name: tf-format
+        entry: make tf-format
+        language: system
+        files: (\.tf|\.tfvars)$
+        exclude: \.terraform/.*$
+        pass_filenames: false
+      - id: tf-lint
+        name: tf-lint
+        entry: make tf-lint
+        language: system
+        files: (\.tf|\.tfvars)$
+        exclude: \.terraform/.*$
+        pass_filenames: false
+      - id: shellcheck
+        name: shellcheck
+        entry: make shellcheck
+        language: system
+        files: (\.sh)$
+        pass_filenames: false
+      - id: ansible-lint
+        name: ansible-lint
+        entry: make ansible-lint
+        language: system
+        files: (.*/)?ansible/.*(\.yml)$
+        pass_filenames: false
+      - id: hadolint
+        name: docker lint
+        entry: make hadolint
+        language: system
+        files: (/Dockerfile)$
+        pass_filenames: false
+      - id: secrets
+        name: git secrets
+        entry: scripts/check-secrets.sh
+        language: script
+        pass_filenames: false
+      - id: secrets-commit-msg
+        name: git secrets check commit message
+        entry: scripts/check-secrets.sh commit-msg
+        language: system
+        stages: [commit-msg]
+      - id: secrets-prep-commit-msg
+        name: git secrets pre check commit message
+        entry: scripts/check-secrets.sh commit-msg
+        language: system
+        stages: [prepare-commit-msg]
+      - id: commit-msg
+        name: validate commit message contains a ticket
+        language: pygrep
+        entry: '(?i)\A(?!(odin|mesh|obs|spinecore)-[0-9]+)'
+        args: [--multiline]
+        stages: [commit-msg]
+        types: [text]

.tflint.hcl

@@ -0,0 +1,14 @@
+
+plugin "aws" {
+  enabled = true
+  version = "0.37.0"
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+}
+
+config {
+  plugin_dir = "~/.tflint.d/plugins"
+  call_module_type = "local"
+  ignore_module = {
+    "does-not-work" = true
+  }
+}