diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index 5c48ae4..b7985b6 100644 --- a/.github/workflows/mega-linter.yml +++ b/.github/workflows/mega-linter.yml @@ -30,7 +30,7 @@ jobs: steps: # Git Checkout - name: Checkout Code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 @@ -39,7 +39,7 @@ jobs: id: ml # Use "cupcake" slim flavor which supports both Terraform and # Javascript. - uses: oxsecurity/megalinter/flavors/cupcake@v7 + uses: oxsecurity/megalinter/flavors/cupcake@bacb5f8674e3730b904ca4d20c8bd477bc51b1a7 # v7.13.0 env: # All available variables are described in documentation # https://megalinter.io/configuration/ @@ -48,8 +48,8 @@ jobs: # (oxsecurity/megalinter#2699). TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES: GITHUB_TOKEN - - name: Upload MegaLinter scan results to GitHub Security tab - if: success() || failure() - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: 'megalinter-reports/megalinter-report.sarif' + #- name: Upload MegaLinter scan results to GitHub Security tab + # if: success() || failure() + # uses: github/codeql-action/upload-sarif@4e828ff8d448a8a6e532957b1811f387a63867e8 # v3.29.4 + # with: + # sarif_file: 'megalinter-reports/megalinter-report.sarif' diff --git a/.github/workflows/opentofu-apply.yml b/.github/workflows/opentofu-apply.yml index 20349ae..4c3bd49 100644 --- a/.github/workflows/opentofu-apply.yml +++ b/.github/workflows/opentofu-apply.yml 
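Review bot: The SARIF upload step at the end of the third hunk is commented out rather than removed, which leaves five lines of dead YAML — including a pinned action SHA that pin-update tooling may keep bumping inside a comment — and gives no reason why the upload to the Security tab was switched off. Either delete the block (git history keeps it) or replace it with a one-line comment stating the reason, e.g. `# SARIF upload to code scanning disabled together with SARIF_REPORTER in .mega-linter.yml`. With the upload gone, MegaLinter findings no longer reach code scanning and the job log becomes the only place they are visible, which is worth saying explicitly.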
@@ -1,10 +1,87 @@ -name: "OpenTofu Apply" - +name: OpenTofu Apply on: - push: - branches: - - master - - main + workflow_call: + inputs: + environment: + description: 'Name of the environment to use' + required: true + type: string + opentofu_workspace: + description: 'Name of the OpenTofu workspace to use' + required: false + default: '' + type: string + opentofu_variables: + description: 'Variables to pass to OpenTofu' + required: false + default: '' + type: string + opentofu_backend_config: + description: 'Backend configuration for OpenTofu' + required: false + default: '' + type: string + opentofu_plan_label: + description: 'Label for the OpenTofu plan output' + required: false + default: '' + type: string + opentofu_var_file: + description: 'List of var file paths, one per line' + required: false + default: '' + type: string + opentofu_auto_approve: + description: 'Automatically approve and apply plan' + required: false + default: "false" + type: string + oidc_role_arn: + description: 'ARN of the IAM role to assume with OIDC' + required: false + default: 'arn:aws:iam::391835788720:role/terraform-deploy-oidc' + type: string + oidc_audience: + description: 'OIDC audience to authenticate against' + required: false + default: 'sts.amazonaws.com' + type: string + oidc_export_variables: + description: 'Whether to export OIDC variables' + required: false + default: true + type: boolean + trigger_apply: + description: 'Whether to trigger the OpenTofu apply job' + required: false + default: true + type: boolean + env: + description: 'Extra environment variables' + required: false + type: string + secrets_manager_keys: + description: 'List of keys to fetch from AWS Secrets Manager' + required: false + type: string + artifact_name: + description: "The artifact name to download" + required: false + type: string + artifact_path: + description: "The artifact path to download" + required: false + type: string + secrets: + env_secret: + description: 'Extra secret environment 
variables' + required: false + opentofu_secret_variables: + description: 'Variables that contains secrets to pass to OpenTofu' + required: false + opentofu_http_credentials: + description: 'Credentials that will be used for fetching modules sources' + required: false permissions: id-token: write 
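Review bot: The `oidc_export_variables` input (`default: true`, `type: boolean`) is declared here but not referenced by any step of the `opentofu_apply` job added in the next hunk, so callers that set it get no effect; the same unused input is declared in the opentofu-check-schedule and opentofu-plan hunks. Either drop it or wire it to the credentials step, e.g. `output-env-credentials: ${{ inputs.oidc_export_variables }}` — check that input name against the pinned configure-aws-credentials version before relying on it. Separately, `opentofu_auto_approve` is `type: string` with `default: "false"` while the neighbouring flags are `type: boolean`, and the plan hunk's `opentofu_add_github_comment` has the same shape; a short comment such as `# kept as a string because it is passed through verbatim to the dflook action` would stop the next reader from "fixing" it.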
@@ -12,26 +89,55 @@ permissions: pull-requests: write jobs: - opentofu_apply_dev: - name: "OpenTofu Apply - Dev" - uses: LF-Engineering/lfx-cloudops-misc/.github/workflows/lfx-opentofu-apply.yml@main - with: - environment: dev - opentofu_backend_config: | - bucket=lfx-terraform-state- - dynamodb_table=lfx-terraform-state- - secrets: - env_secret: | - GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} - opentofu_apply_prod: - name: "OpenTofu Apply - Prod" - needs: opentofu_apply_dev - uses: LF-Engineering/lfx-cloudops-misc/.github/workflows/lfx-opentofu-apply.yml@main - with: - environment: prod - opentofu_backend_config: | - bucket=lfx-terraform-state- - dynamodb_table=lfx-terraform-state- - secrets: - env_secret: | - GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} + opentofu_apply: + runs-on: ubuntu-latest + name: "OpenTofu Apply - ${{ inputs.environment }}" + environment: ${{ inputs.environment }} + if: ${{ inputs.trigger_apply }} + + steps: + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Set Environment Variables + id: set-env + run: | + echo -e "${{ inputs.env }}" >> "$GITHUB_ENV" + for val in $(echo -e "${{ secrets.env_secret }}" | cut -d'=' -f2-); do echo ::add-mask::"$val" ; done + for val in $(echo -e "${{ secrets.opentofu_secret_variables }}" | cut -d'=' -f2-); do echo ::add-mask::"$val" ; done + echo -e "${{ secrets.env_secret }}" >> "$GITHUB_ENV" + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + with: + audience: ${{ inputs.oidc_audience }} + role-to-assume: ${{ inputs.oidc_role_arn }} + aws-region: us-west-2 + + - name: Read secrets from AWS Secrets Manager into environment variables + uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 # v2.0.10 + with: + secret-ids: ${{ inputs.secrets_manager_keys }} + + # Conditionally download the artifact if the artifact_name input is provided + - name: 
Download artifact + if: ${{ inputs.artifact_name != '' }} + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + with: + name: ${{ inputs.artifact_name }} + path: ${{ inputs.artifact_path || '.' }} + + - name: OpenTofu Apply + uses: dflook/tofu-apply@aabe748c21fba55bcd741a53211a8af90506962f # v1.49.0 + with: + label: ${{ inputs.opentofu_plan_label || inputs.environment }} + workspace: ${{ inputs.opentofu_workspace || inputs.environment }} + backend_config: ${{ inputs.opentofu_backend_config }} + var_file: ${{ inputs.opentofu_var_file }} + auto_approve: ${{ inputs.opentofu_auto_approve }} + variables: | + ${{ inputs.opentofu_variables }} + ${{ secrets.opentofu_secret_variables }} + env: + OPENTOFU_HTTP_CREDENTIALS: ${{ secrets.opentofu_http_credentials }} + OPENTOFU_VERSION: 1.10.3 diff --git a/.github/workflows/opentofu-check-drift.yml b/.github/workflows/opentofu-check-drift.yml deleted file mode 100644 index 77d9eb8..0000000 --- a/.github/workflows/opentofu-check-drift.yml +++ /dev/null @@ -1,35 +0,0 @@ ---- -# Copyright The Linux Foundation and each contributor. -# SPDX-License-Identifier: MIT - -name: "OpenTofu Check Drift" - -on: - schedule: - # Runs at 9:00 AM PST every Tuesday - # Note: GitHub Actions uses UTC time - # 9:00 AM PST = 17:00 UTC (during standard time) - - cron: '0 17 * * 2' - -permissions: - id-token: write - contents: read - pull-requests: write - -jobs: - opentofu_check_drift: - name: "OpenTofu Check Drift" - strategy: - matrix: - environment: - - dev - - prod - uses: LF-Engineering/lfx-cloudops-misc/.github/workflows/lfx-opentofu-check.yml@main - with: - environment: ${{ matrix.environment }} - opentofu_backend_config: | - bucket=lfx-terraform-state- - dynamodb_table=lfx-terraform-state- - secrets: - env_secret: | - GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/opentofu-check-schedule.yml b/.github/workflows/opentofu-check-schedule.yml new file mode 100644 index 0000000..ef82a77 
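Review bot: The Set Environment Variables step splices `${{ inputs.env }}`, `${{ secrets.env_secret }}` and `${{ secrets.opentofu_secret_variables }}` directly into the `run:` script, so a value containing a double quote, `$(` or a backtick is interpreted by the shell instead of being written to `$GITHUB_ENV`; the same pattern appears in the opentofu-check-schedule hunk (single quotes there, which still break on a `'` in the value) and in the opentofu-plan hunk. Binding each expression to a step-level `env:` variable and referencing it as `"$INPUT_ENV"` keeps the values as data while leaving the existing `echo -e` and masking loop unchanged, as below. Note also that the `$(...)` in the mask loop word-splits on whitespace, so a secret value containing spaces is masked token by token rather than as a whole. Separately, the Secrets Manager step here and in the plan hunk runs unconditionally with `secret-ids: ${{ inputs.secrets_manager_keys }}`, which has no default and may be empty, whereas the check-schedule hunk guards the same step with `if: ${{ inputs.secrets_manager_keys != '' }}` and sets `name-transformation: none`; the three files should agree.
```yaml
      - name: Set Environment Variables
        id: set-env
        env:
          INPUT_ENV: ${{ inputs.env }}
          ENV_SECRET: ${{ secrets.env_secret }}
          OPENTOFU_SECRET_VARIABLES: ${{ secrets.opentofu_secret_variables }}
        run: |
          echo -e "$INPUT_ENV" >> "$GITHUB_ENV"
          for val in $(echo -e "$ENV_SECRET" | cut -d'=' -f2-); do echo ::add-mask::"$val" ; done
          for val in $(echo -e "$OPENTOFU_SECRET_VARIABLES" | cut -d'=' -f2-); do echo ::add-mask::"$val" ; done
          echo -e "$ENV_SECRET" >> "$GITHUB_ENV"
      # … unchanged: Configure AWS Credentials, Secrets Manager, artifact and apply steps …
```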
--- /dev/null
+++ b/.github/workflows/opentofu-check-schedule.yml
@@ -0,0 +1,204 @@ +--- +# Copyright The Linux Foundation and each contributor. +# SPDX-License-Identifier: MIT + +name: "OpenTofu Check Schedule" + +on: + workflow_call: + inputs: + environment: + description: 'Name of the environment to use' + required: true + type: string + opentofu_workspace: + description: 'Name of the OpenTofu workspace to use' + required: false + default: '' + type: string + opentofu_variables: + description: 'Variables to pass to OpenTofu' + required: false + default: '' + type: string + opentofu_backend_config: + description: 'Backend configuration for OpenTofu' + required: false + default: '' + type: string + opentofu_plan_label: + description: 'Label for the OpenTofu plan output' + required: false + default: '' + type: string + opentofu_var_file: + description: 'List of var file paths, one per line' + required: false + default: '' + type: string + opentofu_path: + description: 'Path to the OpenTofu directory' + required: false + default: '.' + type: string + oidc_role_arn: + description: 'ARN of the IAM role to assume with OIDC' + required: false + default: 'arn:aws:iam::391835788720:role/terraform-deploy-oidc' + type: string + oidc_audience: + description: 'OIDC audience to authenticate against' + required: false + default: 'sts.amazonaws.com' + type: string + oidc_export_variables: + description: 'Whether to export OIDC variables' + required: false + default: true + type: boolean + trigger_check: + description: 'Whether to trigger the OpenTofu check job' + required: false + default: true + type: boolean + env: + description: 'Extra environment variables' + required: false + type: string + secrets_manager_keys: + description: 'List of keys to fetch from AWS Secrets Manager' + required: false + type: string + artifact_name: + description: "The artifact name to download" + required: false + type: string + artifact_path: + description: "The artifact path to download" + required: false + type: string + secrets: + env_secret: + description: 
'Extra secret environment variables' + required: false + opentofu_secret_variables: + description: 'Variables that contains secrets to pass to OpenTofu' + required: false + opentofu_http_credentials: + description: 'Credentials that will be used for fetching modules sources' + required: false + schedule: + # Runs at 9:00 AM PST every Tuesday + # Note: GitHub Actions uses UTC time + # 9:00 AM PST = 17:00 UTC (during standard time) + - cron: '0 17 * * 2' + +permissions: + id-token: write + contents: read + pull-requests: write + +jobs: + opentofu_check_drift: + name: "OpenTofu Check - ${{ matrix.environment }}" + strategy: + matrix: + environment: + - dev + - prod + runs-on: ubuntu-latest + if: ${{ github.event_name == 'schedule' }} + + steps: + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Set Environment Variables + id: set-env + run: | + echo -e "${{ inputs.env }}" >> "$GITHUB_ENV" + for val in $(echo -e "${{ secrets.env_secret }}" | cut -d'=' -f2-); do echo ::add-mask::"$val" ; done + for val in $(echo -e "${{ secrets.opentofu_secret_variables }}" | cut -d'=' -f2-); do echo ::add-mask::"$val" ; done + echo -e "${{ secrets.env_secret }}" >> "$GITHUB_ENV" + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + with: + audience: sts.amazonaws.com + role-to-assume: arn:aws:iam::391835788720:role/terraform-deploy-oidc + aws-region: us-west-2 + + # This is used to fetch build time secrets from AWS Secrets Manager + - name: Read secrets from AWS Secrets Manager into environment variables + uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 # v2.0.10 + if: ${{ vars.SECRETS_MANAGER_KEYS != '' }} + with: + secret-ids: ${{ vars.SECRETS_MANAGER_KEYS }} + name-transformation: none + + - name: OpenTofu Check + uses: dflook/tofu-check@906f68064a99656755c320d74959150782d42757 # v1.49.0 + with: + 
workspace: ${{ vars.OPENTOFU_WORKSPACE || matrix.environment }} + backend_config: ${{ vars.OPENTOFU_BACKEND_CONFIG || '' }} + var_file: ${{ vars.OPENTOFU_VAR_FILE || '' }} + path: ${{ vars.OPENTOFU_PATH || '.' }} + variables: | + ${{ vars.OPENTOFU_VARIABLES || '' }} + ${{ secrets.opentofu_secret_variables }} + env: + OPENTOFU_HTTP_CREDENTIALS: ${{ secrets.opentofu_http_credentials }} + OPENTOFU_VERSION: 1.10.3 + + opentofu_check: + runs-on: ubuntu-latest + name: "OpenTofu Check - ${{ inputs.environment }}" + if: ${{ github.event_name == 'workflow_call' && inputs.trigger_check }} + + steps: + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Set Environment Variables + id: set-env + run: | + echo -e '${{ inputs.env }}' >> "$GITHUB_ENV" + for val in $(echo -e '${{ secrets.env_secret }}' | cut -d'=' -f2-); do echo ::add-mask::"$val" ; done + for val in $(echo -e '${{ secrets.opentofu_secret_variables }}' | cut -d'=' -f2-); do echo ::add-mask::"$val" ; done + echo -e '${{ secrets.env_secret }}' >> "$GITHUB_ENV" + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + with: + audience: ${{ inputs.oidc_audience }} + role-to-assume: ${{ inputs.oidc_role_arn }} + aws-region: us-west-2 + + - name: Read secrets from AWS Secrets Manager into environment variables + uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 # v2.0.10 + if: ${{ inputs.secrets_manager_keys != '' }} + with: + secret-ids: ${{ inputs.secrets_manager_keys }} + name-transformation: none + + # Conditionally download the artifact if the artifact_name input is provided + - name: Download artifact + if: ${{ inputs.artifact_name != '' }} + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + with: + name: ${{ inputs.artifact_name }} + path: ${{ inputs.artifact_path || '.' 
}} + + - name: OpenTofu Check + uses: dflook/tofu-check@906f68064a99656755c320d74959150782d42757 # v1.49.0 + with: + workspace: ${{ inputs.opentofu_workspace || inputs.environment }} + backend_config: ${{ inputs.opentofu_backend_config }} + var_file: ${{ inputs.opentofu_var_file }} + path: ${{ inputs.opentofu_path }} + variables: | + ${{ inputs.opentofu_variables }} + ${{ secrets.opentofu_secret_variables }} + env: + OPENTOFU_HTTP_CREDENTIALS: ${{ secrets.opentofu_http_credentials }} + OPENTOFU_VERSION: 1.10.3 diff --git a/.github/workflows/opentofu-plan-apply.yml b/.github/workflows/opentofu-plan-apply.yml deleted file mode 100644 index 0fe118a..0000000 --- a/.github/workflows/opentofu-plan-apply.yml +++ /dev/null @@ -1,45 +0,0 @@ ---- -# Copyright The Linux Foundation and each contributor. -# SPDX-License-Identifier: MIT - -name: "OpenTofu Plan and Apply" - -on: - workflow_dispatch: - inputs: - environment: - description: 'Environment to deploy' - required: true - type: choice - options: - - dev - - prod - -permissions: - id-token: write - contents: read - pull-requests: write - -concurrency: - # Automatically cancel any previous plan workflows in the same PR for all - # stages. - # - # Note: this does not protect against failed runs due to lock contention by - # multiple PRs running plan at the same time as each other, or at the same - # time as an apply. This is intentional, as we don't want PRs cancelling each - # others pending jobs, or PRs canceling a pending apply. - group: ${{ github.ref }}-${{ inputs.environment }} - cancel-in-progress: true - -jobs: - opentofu_plan: - name: "OpenTofu Plan on Env: ${{ inputs.environment }}" - uses: LF-Engineering/lfx-cloudops-misc/.github/workflows/lfx-opentofu-plan.yml@main - with: - environment: ${{ inputs.environment }} - opentofu_backend_config: | - bucket=lfx-terraform-state- - dynamodb_table=lfx-terraform-state- - secrets: - env_secret: | - GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} 
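Review bot: The `opentofu_check` job's condition `if: ${{ github.event_name == 'workflow_call' && inputs.trigger_check }}` will, as far as I can tell, never be true: when a reusable workflow is called, the `github` context belongs to the caller, so `github.event_name` is the caller's event (`pull_request`, `push`, …) and not `workflow_call`. Test against the schedule trigger instead, `if: ${{ github.event_name != 'schedule' && inputs.trigger_check }}`; the drift job's `github.event_name == 'schedule'` guard is fine as written. This hunk is the entire new file, so the two jobs and the shared `on:` block are all visible here.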
diff --git a/.github/workflows/opentofu-plan.yml b/.github/workflows/opentofu-plan.yml
index 829069f..72aefe9 100644
--- a/.github/workflows/opentofu-plan.yml
+++ b/.github/workflows/opentofu-plan.yml
@@ -1,7 +1,88 @@ -name: "OpenTofu Plan" - +name: OpenTofu Plan on: - - pull_request + workflow_call: + inputs: + environment: + description: 'Name of the environment to use' + required: true + type: string + opentofu_workspace: + description: 'Name of the OpenTofu workspace to use' + required: false + default: '' + type: string + opentofu_variables: + description: 'Variables to pass to OpenTofu' + required: false + default: '' + type: string + opentofu_backend_config: + description: 'Backend configuration for OpenTofu' + required: false + default: '' + type: string + opentofu_plan_label: + description: 'Label for the OpenTofu plan output' + required: false + default: '' + type: string + opentofu_var_file: + description: 'List of var file paths, one per line' + required: false + default: '' + type: string + opentofu_add_github_comment: + description: 'Add the plan to a GitHub PR' + required: false + default: 'true' + type: string + oidc_role_arn: + description: 'ARN of the IAM role to assume with OIDC' + required: false + default: 'arn:aws:iam::391835788720:role/terraform-deploy-oidc' + type: string + oidc_audience: + description: 'OIDC audience to authenticate against' + required: false + default: 'sts.amazonaws.com' + type: string + oidc_export_variables: + description: 'Whether to export OIDC variables' + required: false + default: true + type: boolean + trigger_plan: + description: 'Whether to trigger the OpenTofu plan job' + required: false + default: true + type: boolean + env: + description: 'Extra environment variables' + required: false + type: string + secrets_manager_keys: + description: 'List of keys to fetch from AWS Secrets Manager' + required: false + type: string + artifact_name: + description: "The artifact name to download" + required: false + type: string + artifact_path: + description: "The artifact path to download" + required: false + type: string + secrets: + env_secret: + description: 'Extra secret environment variables' + required: false + 
opentofu_secret_variables: + description: 'Variables that contains secrets to pass to OpenTofu' + required: false + opentofu_http_credentials: + description: 'Credentials that will be used for fetching modules sources' + required: false + permissions: id-token: write 
@@ -10,18 +91,54 @@ permissions: jobs: opentofu_plan: - name: "OpenTofu Plan" - strategy: - matrix: - environment: - - dev - - prod - uses: LF-Engineering/lfx-cloudops-misc/.github/workflows/lfx-opentofu-plan.yml@main - with: - environment: ${{ matrix.environment }} - opentofu_backend_config: | - bucket=lfx-terraform-state- - dynamodb_table=lfx-terraform-state- - secrets: - env_secret: | - GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} + runs-on: ubuntu-latest + name: "OpenTofu Plan - ${{ inputs.environment }}" + environment: ${{ inputs.environment }} + if: ${{ inputs.trigger_plan }} + + steps: + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Set Environment Variables + id: set-env + run: | + echo -e "${{ inputs.env }}" >> "$GITHUB_ENV" + for val in $(echo -e "${{ secrets.env_secret }}" | cut -d'=' -f2-); do echo ::add-mask::"$val" ; done + for val in $(echo -e "${{ secrets.opentofu_secret_variables }}" | cut -d'=' -f2-); do echo ::add-mask::"$val" ; done + echo -e "${{ secrets.env_secret }}" >> "$GITHUB_ENV" + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + with: + audience: ${{ inputs.oidc_audience }} + role-to-assume: ${{ inputs.oidc_role_arn }} + aws-region: us-west-2 + + - name: Read secrets from AWS Secrets Manager into environment variables + uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 # v2.0.10 + with: + secret-ids: ${{ inputs.secrets_manager_keys }} + + # Conditionally download the artifact if the artifact_name input is provided + - name: Download artifact + if: ${{ inputs.artifact_name != '' }} + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + with: + name: ${{ inputs.artifact_name }} + path: ${{ inputs.artifact_path || '.'}} + + - name: OpenTofu Plan + uses: dflook/tofu-plan@b4e6563f4a048d647afb2c0dc0f2b9985fec5aed # v1.49.0 + with: + 
label: ${{ inputs.opentofu_plan_label || inputs.environment }} + workspace: ${{ inputs.opentofu_workspace || inputs.environment }} + backend_config: ${{ inputs.opentofu_backend_config }} + var_file: ${{ inputs.opentofu_var_file }} + add_github_comment: ${{ inputs.opentofu_add_github_comment }} + variables: | + ${{ inputs.opentofu_variables }} + ${{ secrets.opentofu_secret_variables }} + env: + OPENTOFU_HTTP_CREDENTIALS: ${{ secrets.opentofu_http_credentials }} + OPENTOFU_VERSION: 1.10.3 diff --git a/.mega-linter.yml b/.mega-linter.yml index c96a627..03c8941 100644 --- a/.mega-linter.yml +++ b/.mega-linter.yml @@ -2,7 +2,7 @@ # Copyright The Linux Foundation and each contributor. # SPDX-License-Identifier: MIT GITHUB_COMMENT_REPORTER: false -SARIF_REPORTER: true +SARIF_REPORTER: false DISABLE_LINTERS: # We aren't publishing a module; these are just build dependencies. - JSON_NPM_PACKAGE_JSON_LINT diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..912777e --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,105 @@ +# SPDX-FileCopyrightText: 2025 2025 The Linux Foundation +# +# SPDX-License-Identifier: Apache-2.0 + +--- +ci: + autofix_commit_msg: | + Chore: pre-commit autofixes + + Signed-off-by: pre-commit-ci[bot] + autoupdate_commit_msg: | + Chore: pre-commit autoupdate + + 
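Review bot: `path: ${{ inputs.artifact_path || '.'}}` in the Download artifact step is missing the space before `}}` that the equivalent line in the opentofu-apply hunk has; whether actionlint (added to pre-commit in this same commit) accepts it or not, write it as `path: ${{ inputs.artifact_path || '.' }}` so the two files stay diffable. The rest of this job mirrors the apply job almost line for line, so a header comment noting that opentofu-plan.yml, opentofu-apply.yml and opentofu-check-schedule.yml are meant to be kept in sync would help the next editor.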
Signed-off-by: pre-commit-ci[bot] + +exclude: "^docs/conf.py" + +repos: + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: cef0300fd0fc4d2a87a85fa2093c6b283ea36f4b # frozen: v5.0.0 + hooks: + - id: trailing-whitespace + - id: check-added-large-files + - id: check-ast + - id: check-json + - id: check-merge-conflict + - id: check-xml + - id: check-yaml + - id: debug-statements + - id: end-of-file-fixer + - id: requirements-txt-fixer + - id: mixed-line-ending + args: ["--fix=lf"] + - id: no-commit-to-branch + args: + - --branch=dev + - --branch=master + - --branch=main + - --branch=rc + - --branch=production + + - repo: https://github.com/eclipse-csi/octopin + rev: 88826108188acef07eefab3bd6f04d9acd4b2cc2 # frozen: v0.1.3 + hooks: + - id: pin-versions + + - repo: https://github.com/jorisroovers/gitlint + rev: acc9d9de6369b76d22cb4167029d2035e8730b98 # frozen: v0.19.1 + hooks: + - id: gitlint + + - repo: https://github.com/adrienverge/yamllint.git + rev: 79a6b2b1392eaf49cdd32ac4f14be1a809bbd8f7 # frozen: v1.37.1 + hooks: + - id: yamllint + types: [yaml] + + - repo: https://github.com/astral-sh/ruff-pre-commit + rev: 6c5418a077bd954e7078087a655421b85772095b # frozen: v0.12.4 + hooks: + - id: ruff + files: ^(scripts|tests|custom_components)/.+\.py$ + args: [--fix, --exit-non-zero-on-fix] + - id: ruff-format + files: ^(scripts|tests|custom_components)/.+\.py$ + + - repo: https://github.com/pre-commit/mirrors-mypy + rev: 850d8bf806620ef89a99381c5cf5ea2c1ea826dd # frozen: v1.17.0 + hooks: + - id: mypy + + - repo: https://github.com/btford/write-good + rev: ab66ce10136dfad5146e69e70f82a3efac8842c1 # frozen: v1.0.8 + hooks: + - id: write-good + files: "\\.(rst|md|markdown|mdown|mkdn)$" + + - repo: https://github.com/shellcheck-py/shellcheck-py + rev: a23f6b85d0fdd5bb9d564e2579e678033debbdff # frozen: v0.10.0.1 + hooks: + - id: shellcheck + + - repo: https://github.com/igorshubovych/markdownlint-cli + rev: 192ad822316c3a22fb3d3cc8aa6eafa0b8488360 # frozen: v0.45.0 
+ hooks: + - id: markdownlint + args: ["--fix"] + + # Replaces: https://github.com/rhysd/actionlint + # Permits actionlint to run both locally and with precommit.ci/GitHub + - repo: https://github.com/Mateusz-Grzelinski/actionlint-py + rev: a185be0fd5b45112845b700d91b81050c75579e2 # frozen: v1.7.7.23 + hooks: + - id: actionlint + + # Check for misspellings in documentation files + - repo: https://github.com/codespell-project/codespell + rev: 63c8f8312b7559622c0d82815639671ae42132ac # frozen: v2.4.1 + hooks: + - id: codespell + exclude: | + (?x)^( + dist/index.js| + package-lock.json + )$ diff --git a/Makefile b/Makefile index f604442..f1ef6a3 100644 --- a/Makefile +++ b/Makefile 
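Review bot: The first header line `# SPDX-FileCopyrightText: 2025 2025 The Linux Foundation` repeats the year; it should read `# SPDX-FileCopyrightText: 2025 The Linux Foundation`. The same header declares `SPDX-License-Identifier: Apache-2.0`, while the workflow files touched elsewhere in this commit carry `SPDX-License-Identifier: MIT`; confirm which license applies to this repository before the file lands. The `ruff`, `ruff-format` and `mypy` hooks scoped to `^(scripts|tests|custom_components)/.+\.py$` look inherited from a Python project template — harmless if no such paths exist, but worth a comment saying so or removal.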
@@ -1,13 +1,17 @@ -# Define DNSIMPLE api credentials globally here to use with all aws accounts we have -export DNSIMPLE_TOKEN := $(shell pass show sysadmin/services/dnsimple/thelinuxfoundation/apikey) -export DNSIMPLE_ACCOUNT := 89897 -export TF_VAR_datadog_api_key := $(shell pass show sysadmin/keys/datadog/lfit/apikey) -export TF_VAR_datadog_app_key := $(shell pass show sysadmin/keys/datadog/lfit/appkeys/terraform) +# Set this to true to run Terraform manually export TF_VAR_run_manually := true -export TF_VAR_gitlab_token := $(shell pass show sysadmin/services/gitlab/linuxfoundation/lfgitlabbot/personal-access-token) -export PROJECT_NAME ?= "!!Set Project name!!" +export TF_VAR_cloudflare_api_token := $(shell pass show sysadmin/services/cloudflare/pytorch/api_token) +export TF_VAR_cloudflare_discuss_tunnel_secret := $(shell pass show sysadmin/services/cloudflare/pytorch/discuss_tunnel_secret) -.PHONY: error init refresh plan apply clean +export TF_VAR_datadog_api_key = $(shell pass show sysadmin/keys/datadog/pytorch/apikey) +export TF_VAR_datadog_app_key = $(shell pass show sysadmin/keys/datadog/pytorch/appkeys/terraform) + +export DD_API_KEY = $(shell pass sysadmin/keys/datadog/pytorch/apikey) +export DD_APP_KEY= $(shell pass sysadmin/keys/datadog/pytorch/appkeys/terraform) + +export PROJECT_NAME ?= "pytorch" + +.PHONY: error init refresh plan apply clean all test error: @echo "Valid targets: init refresh plan apply clean" @exit 2 
@@ -16,20 +20,20 @@ error: # when the directory is missing. # XXX: for CI/CD we'd need to run this every time (or call it every time) init: - tofu init -backend-config="role_arn=arn:aws:iam::450177423209:role/lfit-sysadmins-mfa" \ - -backend-config="bucket=lfx-terraform-state-${PROJECT_NAME}" \ - -backend-config="dynamodb_table=lfx-terraform-state-${PROJECT_NAME}" \ + tofu init -backend-config="role_arn=arn:aws:iam::391835788720:role/lfit-sysadmins-mfa" \ + -backend-config="bucket=opentofu-state-${PROJECT_NAME}" \ + -backend-config="dynamodb_table=opentofu-state-${PROJECT_NAME}" \ -upgrade=true -.tofu: - tofu init -backend-config="role_arn=arn:aws:iam::450177423209:role/lfit-sysadmins-mfa" \ - -backend-config="bucket=lfx-terraform-state-${PROJECT_NAME}" \ - -backend-config="dynamodb_table=lfx-terraform-state-${PROJECT_NAME}" \ +.terraform: + tofu init -backend-config="role_arn=arn:aws:iam::391835788720:role/lfit-sysadmins-mfa" \ + -backend-config="bucket=opentofu-state-${PROJECT_NAME}" \ + -backend-config="dynamodb_table=opentofu-state-${PROJECT_NAME}" \ -upgrade=true refresh: tofu refresh -plan: .tofu +plan: .terraform pass git pull --rebase tofu get --update tofu plan -out tofu.tfplan $(ARGS) @@ -40,10 +44,17 @@ validate: init import: tofu import $(ARGS) +# This intentionally does NOT depend on tofu.tfplan because make and apply +# need to be separate make invocations. This target is just for convenience; +# running "tofu apply" directly is fine. apply: tofu apply tofu.tfplan clean: rm -vf tofu.tfplan - +test: + tofu fmt + tflint +all: + @echo "This is a checkmake required phony target" # vim: ai noet ts=4 sw=4 diff --git a/provider.tf b/provider.tf index 3018621..dec43e4 100644 --- a/provider.tf +++ b/provider.tf 
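Review bot: `export TF_VAR_datadog_api_key = $(shell pass show …)` and the three lines after it (`TF_VAR_datadog_app_key`, `DD_API_KEY`, `DD_APP_KEY`) use recursive `=` while the cloudflare lines just above keep `:=`; since these variables are exported, make re-expands them when it builds the environment for each recipe command, so `pass show` (and any gpg unlock prompt) runs once per command rather than once per invocation. Use immediate assignment for all four, e.g. `export TF_VAR_datadog_api_key := $(shell pass show sysadmin/keys/datadog/pytorch/apikey)`. `export DD_APP_KEY= $(shell …)` is also missing the space before `=`, and the two `DD_*` lines call `pass` without `show` — that works, but is inconsistent with the lines above.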
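Review bot: The new `test` target runs `tofu fmt`, which rewrites files in place, so running "test" modifies the working tree instead of checking it; `tofu fmt -check -diff` followed by `tflint` would make the target a pure check that fails on unformatted code. The `.terraform` and `init` targets now carry an identical four-line `tofu init` command — having `init` reuse `.terraform` (or the reverse) would keep the backend settings in one place.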
@@ -1,51 +1,66 @@ -# Change role based on terraform workspace +# IAM role to assume for manual Terraform runs using Makefile variable "provider_assume_role" { + description = "ARN of the IAM role to assume for manual Terraform runs using Makefile" + type = map(string) default = { - prod = "arn:aws:iam::716487311010:role/lfit-sysadmins-mfa" # prdct-prod - dev = "arn:aws:iam::395594542180:role/lfit-sysadmins-mfa" # prdct-dev + prod = "arn:aws:iam::391835788720:role/lfit-sysadmins-mfa" } } -# Roles to assume to Github Actions +# Roles to assume for Github Actions variable "provider_assume_role_ci" { - description = "ARN for PRDCT AWS accounts depending on Environment" + description = "ARN of the IAM role to assume for CI/CD, depending on the environment" type = map(string) default = { - prod = "arn:aws:iam::716487311010:role/terraform-deploy-oidc" # prdct-prod - dev = "arn:aws:iam::395594542180:role/terraform-deploy-oidc" # prdct-dev + prod = "arn:aws:iam::391835788720:role/terraform-deploy-oidc" } } -# Pick the right IAM role if run_manually is set +# Pick the right IAM role based on the run_manually flag locals { - prdct_role = var.run_manually ? var.provider_assume_role[terraform.workspace] : var.provider_assume_role_ci[terraform.workspace] + role_to_assume = var.run_manually ? var.provider_assume_role[terraform.workspace] : var.provider_assume_role_ci[terraform.workspace] } # Default AWS provider. 
provider "aws" { - region = "us-east-2" + region = "us-west-2" assume_role { - role_arn = local.prdct_role + role_arn = local.role_to_assume session_name = "terraform" } default_tags { tags = { - env = "${var.environment_tag[terraform.workspace]}" - product = "datalake" - owner = "CloudOps" - repo = "LF-Engineering/lfx-dbaas-terraform" + env = var.environment_tag[terraform.workspace] + product = "pytorch" + owner = "LF CloudOps" + repo = "pytorch-fdn/datadog-terraform" } } +} +provider "datadog" { + api_key = var.datadog_api_key + app_key = var.datadog_app_key } # State storage. terraform { backend "s3" { - region = "us-east-2" - key = "terraform.tfstate" + region = "us-west-2" + key = "terraform.tfstate" + } + required_providers { + aws = { + source = "hashicorp/aws" + version = "< 6.0" + } + datadog = { + source = "DataDog/datadog" + version = "3.54.0" + } + } - required_version = "~> 1.0" + required_version = "~> 1.1" } diff --git a/variables.tf b/variables.tf index 832b7c4..97e5dbb 100644 --- a/variables.tf +++ b/variables.tf @@ -1,13 +1,27 @@ variable "run_manually" { - description = "Flag for manual TF runs" + description = "Flag for manual Terraform runs" type = bool default = false } variable "environment_tag" { + description = "Mapping of environment names to their corresponding tags" + type = map(string) default = { dev = "development" prod = "production" staging = "staging" } } + +variable "datadog_api_key" { + description = "Datadog API key" + type = string + sensitive = true +} + +variable "datadog_app_key" { + description = "Datadog application key" + type = string + sensitive = true +}
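Review bot: `provider_assume_role` and `provider_assume_role_ci` now contain only a `prod` key, but `environment_tag` in the variables.tf hunk still lists `dev` and `staging`, and the opentofu-check-schedule hunk runs a `dev`/`prod` matrix; on the `dev` workspace `var.provider_assume_role_ci[terraform.workspace]` in `locals` will fail with a missing-key error before any provider is configured. Either add the `dev` entry with that environment's own role ARN or drop `dev` from the matrix and `environment_tag`; if the project really is single-environment, say so on the map, e.g. `# Only prod is provisioned for this project; dev/staging workspaces have no role.` The `aws` constraint `version = "< 6.0"` sets only an upper bound, so a `~> 5.0` style constraint would state the intended major explicitly alongside the exact datadog pin.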