chore: update template files and scripts (#7)

.github/workflows/pull-request-opened-by-renovate.yml

@@ -0,0 +1,36 @@
+# If Renovate is not the author of the PR that triggers this workflow, it will do nothing.
+# If Renovate is the author of the PR that triggers this workflow, but the workflow event is anything but "opened", it will do nothing.
+# If Renovate is the author of the PR that triggers this workflow, and the workflow event is "opened", it will:
+#   1. Autoformat using pre-commit and, if necessary, push an additional commit to the PR with the autoformat fixes.
+#   2. Add the "/test all" comment to the PR, so that the Slash Command Dispatch workflow is triggered automatically.
+#
+# See ADR #0008.
+name: auto-test
+on:
+  pull_request:
+    # WARNING: DO NOT ADD MORE EVENT TYPES HERE! Because this workflow will push a new commit to the PR in the Autoformat step, adding more event types may cause an infinite loop.
+    types:
+      - opened
+
+permissions:
+  id-token: write
+  contents: write
+
+defaults:
+  run:
+    # We need -e -o pipefail for consistency with GitHub Actions' default behavior
+    shell: bash -e -o pipefail {0}
+
+jobs:
+  renovate-test:
+    if: github.event.client_payload.github.actor == 'renovate[bot]' || github.actor == 'renovate[bot]'
+    uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/renovate-test.yml@main
+    secrets:
+      APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }}
+      APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }}
+      AWS_COMMERCIAL_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_COMMERCIAL_ROLE_TO_ASSUME }}
+      AWS_GOVCLOUD_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_GOVCLOUD_ROLE_TO_ASSUME }}
+    with:
+      # we don't want checks here
+      checks: |-
+        checks: []

.pre-commit-config.yaml

@@ -16,11 +16,11 @@ repos:
       - id: check-yaml
         args:
           - "--allow-multiple-documents"
-  - repo: https://github.com/sirosen/fix-smartquotes
-    rev: 0.2.0
+  - repo: https://github.com/sirosen/texthooks
+    rev: 0.6.2
     hooks:
       - id: fix-smartquotes
   - repo: https://github.com/renovatebot/pre-commit-hooks
-    rev: 37.22.0
+    rev: 37.59.7
     hooks:
       - id: renovate-config-validator

Makefile

@@ -77,3 +77,24 @@ push-terraform: ## push changes to terraform repos
 .PHONY: debug-terraform
 debug-terraform: ## push changes to terraform repos
 	./scripts/entrypoint.sh -t terraform -b $(BRANCH_NAME) --no-skip-ci --loglevel debug --dry-run
+
+.PHONY: renovate-local-debug
+renovate-local: ## run renovate locally to debug
+	@TOKEN=$$(gh auth token); \
+	if [ -z "$$TOKEN" ]; then \
+		echo "GitHub token not found"; \
+		exit 1; \
+	fi; \
+	export RENOVATE_TOKEN=$$TOKEN; \
+	export GITHUB_COM_TOKEN=$$TOKEN; \
+	RENOVATE_CONFIG_FILE=./renovate.json5 \
+	RENOVATE_DRY_RUN="" \
+	npx renovate \
+	--schedule="" \
+	--require-config=ignored \
+	--log-file=/tmp/renovate/log.json \
+	--log-file-level=debug \
+	--print-config=true \
+	--platform=local \
+	--github-token-warn; \
+	code-insiders -r /tmp/renovate/log.json

renovate.json5

@@ -1,7 +1,6 @@
 {
-  $schema: "https://docs.renovatebot.com/renovate-schema.json",
-  extends: [
-    // Tells Renovate to maintain one GitHub issue as the "dependency dashboard". See https://docs.renovatebot.com/key-concepts/dashboard
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
     ":dependencyDashboard",
     // Use semantic commit type fix for dependencies and chore for all others if semantic commits are in use. See https://docs.renovatebot.com/presets-default/#semanticprefixfixdepschoreothers
     ":semanticPrefixFixDepsChoreOthers",
@@ -14,34 +13,31 @@
     "workarounds:all"
   ],
   // If we don't specify a timezone then Renovate will use UTC
-  timezone: "America/New_York",
-  // Giving a small window constrains when Renovate will create PRs. The objective here is to only have Renovate create PRs on weekdays in the morning. This setting only affects when PRs are created. Without other configuration Renovate will rebase any PRs that already exist whenever it wants to.
-  // We need an "after" and a "before" because there is other automation that happens earlier that we don't want Renovate to conflict with.
-  schedule: [
-    "after 7am and before 9am every weekday"
+  "timezone": "America/New_York",
+  "schedule": [
+    "after 7am and before 8am every weekday",
+    "after 7pm and before 8pm every weekday"
   ],
-  // This will prevent Renovate from automatically rebasing PRs. Without this, Renovate will rebase PRs whenever it wants to. The 'schedule' param is only for creating PRs. Because we are grouping all changes into one PR without this Renovate will be constantly rebasing that PR which we don't want since every time that happens another set of GHA status checks are kicked off.
+  // This will prevent Renovate from automatically rebasing PRs.
+  // Without this, Renovate will rebase PRs whenever it wants to. The 'schedule' param is only for creating PRs. Because we are grouping all changes into one PR without this Renovate will be constantly rebasing that PR which we don't want since every time that happens another set of GHA status checks are kicked off.
   // Using a value of "conflicted" means that Renovate will only rebase PRs if they are in a conflicted state. See https://docs.renovatebot.com/configuration-options/#rebasewhen
-  rebaseWhen: "never",
+  "rebaseWhen": "never",
   // Labels to set in Pull Request. See https://docs.renovatebot.com/configuration-options/#labels
-  labels: [
+  "labels": [
     "renovate"
   ],
   // Rate limit PRs to maximum x created per hour. 0 means no limit. See https://docs.renovatebot.com/configuration-options/#prhourlylimit
-  prHourlyLimit: 0,
+  "prHourlyLimit": 1,
   // Limit to a maximum of x concurrent branches/PRs. 0 means no limit. See https://docs.renovatebot.com/configuration-options/#prconcurrentlimit
-  prConcurrentLimit: 0,
-  // List of additional notes/templates to include in the Pull Request body. See https://docs.renovatebot.com/configuration-options/#prbodynotes
-  prBodyNotes: [
-    "- :warning: The E2E tests need to be run, they have a manual trigger. To start them add a comment to this PR that says `/test all`"
-  ],
+  "prConcurrentLimit": 0,
   // Enable updates to the pre-commit-config.yaml file. See https://docs.renovatebot.com/modules/manager/pre-commit/
   "pre-commit": {
-    enabled: true
+    "enabled": true
   },
-  "regexManagers": [
+  "customManagers": [
     // Custom regex manager for the .env file that follows the pattern documented here: https://docs.renovatebot.com/modules/manager/regex/#advanced-capture
     {
+      "customType": "regex",
       "fileMatch": ["^.env"],
       "matchStrings": [
         "datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\s.*?_VERSION=(?<currentValue>.*)\\s"
@@ -51,6 +47,7 @@
     },
     // Custom regex manager for the .tool-versions file that follows the pattern documented here: https://docs.renovatebot.com/modules/manager/regex/#advanced-capture
     {
+      "customType": "regex",
       "fileMatch": ["^.tool-versions$"],
       "matchStrings": [
         "datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\s.*? (?<currentValue>.*)\\s"
@@ -59,30 +56,16 @@
       "extractVersionTemplate": "^v?(?<version>.*)$"
     }
   ],
-  packageRules: [
+  "packageRules": [
     {
-      matchPackageNames: ["k8s.io/client-go"],
-      allowedVersions: "<1.0.0"
+      "matchPackageNames": ["k8s.io/client-go"],
+      "allowedVersions": "<1.0.0"
     },
     {
-      matchManagers: ["terraform"],
-      matchDepTypes: ["module"],
-      matchDatasources: ["github-tags", "git-tags"],
-      versioning: "loose"
+      "matchManagers": ["terraform"],
+      "matchDepTypes": ["module"],
+      "matchDatasources": ["github-tags", "git-tags"],
+      "versioning": "loose"
     }
-  ],
-  "vulnerabilityAlerts": {
-    "enabled": true,
-    "groupName": null,
-    "schedule": [],
-    "dependencyDashboardApproval": false,
-    "minimumReleaseAge": null,
-    "rangeStrategy": "update-lockfile",
-    "commitMessageSuffix": "[SECURITY]",
-    "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
-    "prCreation": "immediate",
-    "labels": ["security"],
-    "automerge": true,
-    "assignees": ["@defenseunicorns/delivery-aws-iac"]
-  }
+  ]
 }

repo_templates/common/repo_files/renovate.json5

@@ -1,6 +1,6 @@
 {
-  $schema: "https://docs.renovatebot.com/renovate-schema.json",
-  extends: [
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
     // Tells Renovate to maintain one GitHub issue as the "dependency dashboard". See https://docs.renovatebot.com/key-concepts/dashboard
     ":dependencyDashboard",
     // Use semantic commit type fix for dependencies and chore for all others if semantic commits are in use. See https://docs.renovatebot.com/presets-default/#semanticprefixfixdepschoreothers
@@ -14,30 +14,25 @@
     "workarounds:all"
   ],
   // If we don't specify a timezone then Renovate will use UTC
-  timezone: "America/New_York",
-  // Giving a small window constrains when Renovate will create PRs. The objective here is to only have Renovate create PRs on weekdays in the morning. This setting only affects when PRs are created. Without other configuration Renovate will rebase any PRs that already exist whenever it wants to.
-  // We need an "after" and a "before" because there is other automation that happens earlier that we don't want Renovate to conflict with.
-  schedule: [
-    "after 7am and before 9am every weekday"
+  "timezone": "America/New_York",
+  // fires between 4 am and 5 am EST on mondays
+  "schedule": [
+    "after 4am and before 5am on Monday"
   ],
   // This will prevent Renovate from automatically rebasing PRs. Without this, Renovate will rebase PRs whenever it wants to. The 'schedule' param is only for creating PRs. Because we are grouping all changes into one PR without this Renovate will be constantly rebasing that PR which we don't want since every time that happens another set of GHA status checks are kicked off.
   // Using a value of "conflicted" means that Renovate will only rebase PRs if they are in a conflicted state. See https://docs.renovatebot.com/configuration-options/#rebasewhen
-  rebaseWhen: "conflicted",
+  "rebaseWhen": "never",
   // Labels to set in Pull Request. See https://docs.renovatebot.com/configuration-options/#labels
-  labels: [
+  "labels": [
     "renovate"
   ],
   // Rate limit PRs to maximum x created per hour. 0 means no limit. See https://docs.renovatebot.com/configuration-options/#prhourlylimit
-  prHourlyLimit: 0,
+  "prHourlyLimit": 1,
   // Limit to a maximum of x concurrent branches/PRs. 0 means no limit. See https://docs.renovatebot.com/configuration-options/#prconcurrentlimit
-  prConcurrentLimit: 0,
-  // List of additional notes/templates to include in the Pull Request body. See https://docs.renovatebot.com/configuration-options/#prbodynotes
-  prBodyNotes: [
-    "- :warning: The E2E tests need to be run, they have a manual trigger. To start them add a comment to this PR that says `/test all`"
-  ],
+  "prConcurrentLimit": 0,
   // Enable updates to the pre-commit-config.yaml file. See https://docs.renovatebot.com/modules/manager/pre-commit/
   "pre-commit": {
-    enabled: true
+    "enabled": true
   },
   "regexManagers": [
     // Custom regex manager for the .env file that follows the pattern documented here: https://docs.renovatebot.com/modules/manager/regex/#advanced-capture
@@ -59,30 +54,16 @@
       "extractVersionTemplate": "^v?(?<version>.*)$"
     }
   ],
-  packageRules: [
+  "packageRules": [
     {
-      matchPackageNames: ["k8s.io/client-go"],
-      allowedVersions: "<1.0.0"
+      "matchPackageNames": ["k8s.io/client-go"],
+      "allowedVersions": "<1.0.0"
     },
     {
-      matchManagers: ["terraform"],
-      matchDepTypes: ["module"],
-      matchDatasources: ["github-tags", "git-tags"],
-      versioning: "loose"
+      "matchManagers": ["terraform"],
+      "matchDepTypes": ["module"],
+      "matchDatasources": ["github-tags", "git-tags"],
+      "versioning": "loose"
     }
-  ],
-  "vulnerabilityAlerts": {
-    "enabled": true,
-    "groupName": null,
-    "schedule": [],
-    "dependencyDashboardApproval": false,
-    "minimumReleaseAge": null,
-    "rangeStrategy": "update-lockfile",
-    "commitMessageSuffix": "[SECURITY]",
-    "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
-    "prCreation": "immediate",
-    "labels": ["security"],
-    "automerge": true,
-    "assignees": ["@defenseunicorns/delivery-aws-iac"]
-  }
+  ]
 }

repo_templates/common/repos.txt

@@ -1,2 +1,4 @@
-defenseunicorns/terraform-aws-rolesanywhere
-defenseunicorns/terraform-aws-vpc
+defenseunicorns/helm-charts
+defenseunicorns/delivery-aws-iac-utils
+defenseunicorns/delivery-github-actions-workflows
+defenseunicorns/delivery-github-repo-management

repo_templates/terraform/alt_repotxts/not_tested_repos.txt

@@ -0,0 +1,4 @@
+defenseunicorns/terraform-aws-workspaces
+defenseunicorns/terraform-aws-iam-saml-idp
+defenseunicorns/terraform-aws-appstream
+defenseunicorns/terraform-aws-uds-sops

repo_templates/terraform/alt_repotxts/repos copy 2.txt

@@ -0,0 +1,18 @@
+#old, before uds rename
+
+defenseunicorns/delivery-aws-iac
+defenseunicorns/terraform-aws-appstream
+defenseunicorns/terraform-aws-eks
+defenseunicorns/terraform-aws-iam-saml-idp
+defenseunicorns/terraform-aws-rolesanywhere
+defenseunicorns/terraform-aws-uds-bastion
+defenseunicorns/terraform-aws-uds-cloudtrail
+defenseunicorns/terraform-aws-uds-eks
+defenseunicorns/terraform-aws-uds-kms
+defenseunicorns/terraform-aws-uds-lambda
+defenseunicorns/terraform-aws-uds-rds
+defenseunicorns/terraform-aws-uds-s3
+defenseunicorns/terraform-aws-uds-s3-irsa
+defenseunicorns/terraform-aws-uds-sops
+defenseunicorns/terraform-aws-uds-vpc
+defenseunicorns/terraform-aws-workspaces

repo_templates/terraform/repo_files/.github/workflows/pull-request-opened-by-renovate.yml

@@ -2,7 +2,15 @@
 # If Renovate is the author of the PR that triggers this workflow, but the workflow event is anything but "opened", it will do nothing.
 # If Renovate is the author of the PR that triggers this workflow, and the workflow event is "opened", it will:
 #   1. Autoformat using pre-commit and, if necessary, push an additional commit to the PR with the autoformat fixes.
-#   2. Add the "/test all" comment to the PR, so that the Slash Command Dispatch workflow is triggered automatically.
+#   2. Change the branch protection rules to turn off require codeowner approval due to github apps not being able to be codeowners or added to teams.
+#   3. narwhal-bot approves the PR.
+#   4. narwhal-bot merges the PR.
+#   5. PR is added to merge queue.
+#   6. tests are ran.
+#     a. If tests pass, PR is merged.
+#       i. If PR is merged, it is closed and branch is deleted.
+#     b. If tests fail, PR stays open and it is removed from merge queue.
+#   7. Branch protection is always set back to the original state.
 #
 # See ADR #0008.
 name: auto-test

repo_templates/terraform/repo_files/.golangci.yml

@@ -21,6 +21,21 @@ linters:
 linters-settings:
   funlen:
     lines: 120
+  testifylint:
+    enable-all: false
+    enable:
+      - bool-compare
+      - compares
+      - empty
+      - error-is-as
+      - error-nil
+      - expected-actual
+      - float-compare
+      - len
+      - suite-dont-use-pkg
+      - suite-extra-assert-call
+      - suite-thelper
+      # -require-error causes errors in our e2e test patterns
 issues:
   exclude:
     - "G304" # Potential file inclusion via variable