Merge pull request #1 from meshcloud/feature/refactoring

Feature/refactoring

Author: florianow

.github/actions/setup-nix-shell/action.yml

@@ -0,0 +1,27 @@
+name: 'Setup nix shell'
+inputs:
+  prepare_terraform:
+    description: prepare a terraform execution environment with cache and backend authentication
+    default: false
+    required: false
+outputs: {}
+runs:
+  using: "composite"
+  steps:
+    - uses: nixbuild/nix-quick-install-action@v26
+      with:
+        # gh actions runners have 16 GiB of memory by default, we happily trade some of that for a significant speedup
+        # of nix install (empirically this cut install times from from 75s to 30s when introduced)
+        nix_on_tmpfs: true
+
+    - uses: rrbutani/use-nix-shell-action@v1
+      with:
+        devShell: .#github_actions # use a special github actions shell
+
+    - name: create terraform cache
+      if: ${{ inputs.prepare_terraform }}
+      shell: bash
+      run: |
+        dir=${{ runner.temp }}/.terraform.d/plugin-cache
+        mkdir -p $dir # create terraform plugin cache
+        echo "TF_PLUGIN_CACHE_DIR=$dir" >> $GITHUB_ENV

.github/workflows/build-container.yml

@@ -0,0 +1,157 @@
+name: Build and Push Coraza-Caddy Container
+
+on:
+  schedule:
+    # Build weekly to get latest security updates
+    - cron: '0 2 * * 1'
+  push:
+    branches: [ main, feature/* ]
+    paths:
+      - 'Dockerfile'
+      - 'Caddyfile'
+      - '.github/workflows/build-container.yml'
+  pull_request:
+    branches: [ main ]
+    paths:
+      - 'Dockerfile'
+      - 'Caddyfile'
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: 'Branch to build from'
+        required: false
+        default: 'main'
+        type: string
+      caddy_version:
+        description: 'Caddy version to build'
+        required: false
+        default: '2.7'
+        type: string
+      coraza_version:
+        description: 'Coraza version to build'
+        required: false
+        default: 'v2'
+        type: string
+      push_image:
+        description: 'Push image to registry'
+        required: false
+        default: true
+        type: boolean
+      test_locally:
+        description: 'Run local container tests'
+        required: false
+        default: true
+        type: boolean
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}/coraza-caddy
+
+jobs:
+  check:
+    name: Container Checks
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup environment
+        uses: ./.github/actions/setup-nix-shell
+
+      - name: Run container-specific pre-commit hooks
+        run: pre-commit run --files Dockerfile Caddyfile --show-diff-on-failure
+
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      security-events: write
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Log in to Container Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ env.REGISTRY }}
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Extract metadata
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+        tags: |
+          type=raw,value=caddy-${{ github.event.inputs.caddy_version || '2.8' }}-coraza-${{ github.event.inputs.coraza_version || 'v2.0.0' }}
+          type=sha,prefix=build-
+          type=raw,value=latest,enable={{is_default_branch}}
+
+    - name: Build and push Docker image
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        platforms: linux/amd64,linux/arm64
+        push: ${{ github.ref == 'refs/heads/main' || (github.event.inputs.push_image == 'true') }}
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+        build-args: |
+          CADDY_VERSION=${{ github.event.inputs.caddy_version || '2.8' }}
+          CORAZA_VERSION=${{ github.event.inputs.coraza_version || 'v2.0.0' }}
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+
+    - name: Upload Trivy scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v3
+      if: always()
+      with:
+        sarif_file: 'trivy-results.sarif'
+
+    - name: Test container
+      if: ${{ github.event.inputs.test_locally != 'false' }}
+      run: |
+        set -euo pipefail
+        IMAGE_TAG=${{ fromJSON(steps.meta.outputs.json).tags[0] }}
+        echo "🧪 Testing image: $IMAGE_TAG"
+
+        echo "Testing built container..."
+        docker run --rm -d --name test-coraza \
+          -p 8080:8080 -p 8443:8443 \
+          $IMAGE_TAG
+
+        sleep 15
+
+        # Test health endpoint
+        echo "Testing health endpoint..."
+        curl -f http://localhost:8080/health || exit 1
+
+        # Test WAF is responding
+        echo "Testing WAF response..."
+        curl -k -f https://localhost:8443/ -o /dev/null -w "%{http_code}" || echo "Expected failure - no backend"
+
+        docker stop test-coraza
+        echo "Container tests completed successfully!"
+
+    - name: Build summary
+      run: |
+        echo "## 🐳 Container Build Summary" >> $GITHUB_STEP_SUMMARY
+        echo "- **Branch:** ${{ github.ref_name }}" >> $GITHUB_STEP_SUMMARY
+        echo "- **Image:** ${{ fromJSON(steps.meta.outputs.json).tags[0] }}" >> $GITHUB_STEP_SUMMARY
+        if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
+          echo "- **Status:** ✅ Built and pushed to registry" >> $GITHUB_STEP_SUMMARY
+        else
+          echo "- **Status:** ✅ Built successfully (not pushed - feature branch)" >> $GITHUB_STEP_SUMMARY
+        fi

.github/workflows/terraform-test.yml

@@ -0,0 +1,71 @@
+name: Terraform Validation and Testing
+
+on:
+  push:
+    branches: [ main, feature/* ]
+    paths:
+      - '*.tf'
+      - '*.tfvars'
+      - '*.tftest.hcl'
+      - '.terraform-docs.yml'
+      - '.tflint.hcl'
+      - '.pre-commit-config.yaml'
+      - '.github/workflows/terraform-test.yml'
+  pull_request:
+    branches: [ main ]
+    paths:
+      - '*.tf'
+      - '*.tfvars'
+      - '*.tftest.hcl'
+      - '.terraform-docs.yml'
+      - '.tflint.hcl'
+      - '.pre-commit-config.yaml'
+  workflow_dispatch:
+
+jobs:
+  terraform-checks:
+    name: Terraform Checks & Validation
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Setup environment
+      uses: ./.github/actions/setup-nix-shell
+      with:
+        prepare_terraform: true
+
+    - name: Run pre-commit hooks
+      run: pre-commit run --all-files --show-diff-on-failure
+
+    - name: Terraform Init
+      run: terraform init -backend=false
+
+    - name: Terraform Validate
+      run: terraform validate
+
+# TODO: creating a subccription and a service principal for testing
+  # terraform-test:
+  #   name: Terraform Test Suite
+  #   runs-on: ubuntu-latest
+  #   needs: terraform-checks
+  #   permissions:
+  #     contents: read
+
+  #   steps:
+  #   - name: Checkout repository
+  #     uses: actions/checkout@v4
+
+  #   - name: Setup environment
+  #     uses: ./.github/actions/setup-nix-shell
+  #     with:
+  #       prepare_terraform: true
+
+  #   - name: Terraform Init
+  #     run: terraform init -backend=false
+
+  #   - name: Terraform Test
+  #     run: terraform test

.gitignore

@@ -79,4 +79,4 @@ helpers/foundation-deployer/.steps.json
 *.tf-e
 
 # Go multi-module workspace sum
-go.work.sum
+go.work.sum

.pre-commit-config.yaml

@@ -0,0 +1,52 @@
+repos:
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.88.4
+    hooks:
+      - id: terraform_docs
+        args:
+            - --args=--config=.terraform-docs.yml
+      - id: terraform_fmt
+      - id: terragrunt_fmt
+      - id: terragrunt_providers_lock
+        stages:
+          - manual # note: this step is very expensive, so you need to invoke it explicitly via `--hook-stage manual`
+        args:
+          - --args=-platform=darwin_arm64
+          - --args=-platform=darwin_amd64
+          - --args=-platform=linux_amd64
+
+      - id: terraform_tflint
+        args:
+          - --args=--config=.tflint.hcl
+
+      # tfupdate hooks for aligning terraform and provider versions
+      # aligning versions helps build performance becuase there's less providers to download/cache across all our modules
+      - id: tfupdate
+        name: tfupdate terraform
+        args:
+          - --args=terraform
+          - --args=--version ">= 1.0"
+
+      - id: tfupdate
+        name: tfupdate hashicorp/azurerm
+        args:
+          - --args=provider hashicorp/azurerm
+          - --args=--version "4.36.0"
+          - --args=--ignore-path "kit/.*/buildingblocks/.*"
+          - --args=--ignore-path "kit/.*/demos/.*"
+          - --args=--ignore-path "kit/azure/meshplatform-au"
+          - --args=--ignore-path "kit/azure/landingzones/au-cloud-native"
+
+
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.4.0  # Use the ref you want to point at
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-merge-conflict
+
+  - repo: https://github.com/hadolint/hadolint
+    rev: v2.12.0
+    hooks:
+      - id: hadolint-docker
+        args: ['--ignore', 'DL3008', '--ignore', 'DL3009', '--ignore', 'DL3018']

.terraform-docs.yml

@@ -0,0 +1,25 @@
+formatter: "markdown" # this is required
+
+version: ""
+
+recursive:
+  enabled: false
+  path: kit
+
+content: ""
+
+output:
+  file: "README.md"
+  mode: inject
+  template: |-
+    <!-- BEGIN_TF_DOCS -->
+    {{ .Content }}
+    <!-- END_TF_DOCS -->
+
+sort:
+  enabled: true
+  by: name
+
+sections:
+  hide:
+    - providers

.tflint.hcl

@@ -0,0 +1,12 @@
+rule "terraform_typed_variables" {
+  enabled = false
+}
+
+rule "terraform_required_version" {
+  enabled = false
+}
+
+//terraform_unused_declarations
+rule "terraform_unused_declarations" {
+  enabled = false
+}