Update chore/update-configs branch from delivery-github-repo-management

.checkov.yml

@@ -6,3 +6,6 @@ framework: terraform
 compact: true
 quiet: false
 summary-position: bottom
+
+skip-check:
+  - CKV_TF_1 # Ensure Terraform module sources use a commit hash // pending https://github.com/hashicorp/terraform/issues/29867

.env

@@ -1,3 +1,3 @@
 BUILD_HARNESS_REPO=ghcr.io/defenseunicorns/build-harness/build-harness
 # renovate: datasource=github-tags depName=defenseunicorns/build-harness
-BUILD_HARNESS_VERSION=1.11.2
+BUILD_HARNESS_VERSION=1.14.0

.github/ISSUE_TEMPLATE/general_issue.md

@@ -7,7 +7,7 @@ assignees: ''
 
 ---
 
-<!-- Thank you for submitting an issue! Please answer the following questions. This template is intended to guide the issue author toward meeting our Definition of Ready. You don't have to use this exact format if you don't want to, but whatever you submit must meet the DoR or the issue may be closed, and you will be asked to resubmit. -->
+<!-- Thank you for submitting an issue! Please answer the following questions. This template is intended to guide the issue author toward meeting our [Definition of Ready](https://github.com/defenseunicorns/delivery-aws-iac/blob/main/CONTRIBUTING.md#definition-of-ready-for-a-backlog-item). You don't have to use this exact format if you don't want to, but whatever you submit must meet the DoR or the issue may be closed, and you will be asked to resubmit. -->
 
 ### Persona
 

.github/workflows/pr-merge-group.yml

@@ -0,0 +1,25 @@
+# triggers on merge_group and pull_request events
+# only use this if merge queue is enabled, otherwise stick to test-command for e2e testing
+
+name: pr-merge-group
+on:
+  merge_group:
+    types: [checks_requested]
+  pull_request:
+
+defaults:
+  run:
+    shell: bash -eo pipefail {0}
+
+permissions:
+  id-token: write # needed for oidc auth for AWS creds
+  contents: read
+
+jobs:
+  pr-merge-group-test:
+    uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/pr-merge-group-test.yml@main
+    secrets:
+      APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }}
+      APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }}
+      AWS_COMMERCIAL_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_COMMERCIAL_ROLE_TO_ASSUME }}
+      AWS_GOVCLOUD_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_GOVCLOUD_ROLE_TO_ASSUME }}

.github/workflows/pre-commit.yml

@@ -0,0 +1,20 @@
+# If the workflow trigger is "pull_request", run pre-commit checks.
+name: pre-commit
+
+on:
+  pull_request:
+  merge_group:
+  workflow_dispatch:
+
+
+permissions:
+  pull-requests: write
+  id-token: write
+  contents: read
+
+jobs:
+  pre-commit:
+    uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/pre-commit.yml@main
+    secrets:
+      APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }}
+      APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }}

.github/workflows/pull-request-opened-by-renovate.yml

@@ -0,0 +1,32 @@
+# If Renovate is not the author of the PR that triggers this workflow, it will do nothing.
+# If Renovate is the author of the PR that triggers this workflow, but the workflow event is anything but "opened", it will do nothing.
+# If Renovate is the author of the PR that triggers this workflow, and the workflow event is "opened", it will:
+#   1. Autoformat using pre-commit and, if necessary, push an additional commit to the PR with the autoformat fixes.
+#   2. Add the "/test all" comment to the PR, so that the Slash Command Dispatch workflow is triggered automatically.
+#
+# See ADR #0008.
+name: auto-test
+on:
+  pull_request:
+    # WARNING: DO NOT ADD MORE EVENT TYPES HERE! Because this workflow will push a new commit to the PR in the Autoformat step, adding more event types may cause an infinite loop.
+    types:
+      - opened
+
+permissions:
+  id-token: write
+  contents: write
+
+defaults:
+  run:
+    # We need -e -o pipefail for consistency with GitHub Actions' default behavior
+    shell: bash -e -o pipefail {0}
+
+jobs:
+  renovate-test:
+    if: github.event.client_payload.github.actor == 'renovate[bot]' || github.actor == 'renovate[bot]'
+    uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/renovate-test.yml@main
+    secrets:
+      APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }}
+      APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }}
+      AWS_COMMERCIAL_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_COMMERCIAL_ROLE_TO_ASSUME }}
+      AWS_GOVCLOUD_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_GOVCLOUD_ROLE_TO_ASSUME }}

.github/workflows/release-please.yml

@@ -13,9 +13,7 @@ permissions:
 
 jobs:
   release-please:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: google-github-actions/release-please-action@v3
-        with:
-          token: ${{ secrets.PAT }}
-          command: manifest
+    uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/release-please.yml@main
+    secrets:
+      APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }}
+      APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }}

.github/workflows/repo-config.yml

@@ -0,0 +1,19 @@
+name: repo-config
+
+on:
+  schedule:
+    # daily at 11:00 UTC
+    - cron: '0 11 * * *'
+
+jobs:
+  repo-config:
+    uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/repo-config.yml@main
+    secrets:
+      APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }}
+      APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }}
+    with:
+      branch: main
+      checks: |-
+        checks:
+          - context: 'e2e-tests'
+          - context: 'pre-commit-checks'

.github/workflows/slash-command-dispatch.yml

@@ -9,11 +9,10 @@ on:
 
 jobs:
 
-  slashCommandDispatchUpdate:
-    if: github.event.issue.pull_request && contains(github.event.comment.body, '/update')
+  slashCommandDispatchTest:
+    if: github.event.issue.pull_request && contains(github.event.comment.body, '/test')
     runs-on:  ubuntu-latest
     steps:
-
       - name: Get token
         id: get_workflow_token
         uses: peter-murray/workflow-application-token-action@v2
@@ -26,6 +25,26 @@ jobs:
         with:
           token: ${{ steps.get_workflow_token.outputs.token }}
           reaction-token: ${{ steps.get_workflow_token.outputs.token }}
-          commands: update
+          commands: test
           permission: write
           issue-type: pull-request
+
+  slashCommandDispatchUpdate:
+    if: github.event.issue.pull_request && contains(github.event.comment.body, '/update')
+    runs-on:  ubuntu-latest
+    steps:
+    - name: Get token
+      id: get_workflow_token
+      uses: peter-murray/workflow-application-token-action@v2
+      with:
+        application_id: ${{ secrets.NARWHAL_BOT_APP_ID }}
+        application_private_key: ${{ secrets.NARWHAL_BOT_SECRET }}
+
+    - name: Slash Command Dispatch
+      uses: peter-evans/slash-command-dispatch@v3
+      with:
+        token: ${{ steps.get_workflow_token.outputs.token }}
+        reaction-token: ${{ steps.get_workflow_token.outputs.token }}
+        commands: update
+        permission: write
+        issue-type: pull-request

.github/workflows/test-command.yml

@@ -0,0 +1,38 @@
+# usage:
+  # A user with write status to the repo can from a PR comment:
+
+  # run a single test
+  # /test make=<make-target> region=<region>
+
+  # run ping test
+  # /test ping
+
+  # run all tests in the makefile
+  # /test
+
+name: test
+on:
+  repository_dispatch:
+    types: [test-command]
+
+
+permissions:
+  id-token: write
+  contents: read
+
+defaults:
+  run:
+    # We need -e -o pipefail for consistency with GitHub Actions' default behavior
+    shell: bash -e -o pipefail {0}
+
+jobs:
+  e2e-test:
+    uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/e2e-test.yml@main
+    secrets:
+      APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }}
+      APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }}
+      AWS_COMMERCIAL_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_COMMERCIAL_ROLE_TO_ASSUME }}
+      AWS_GOVCLOUD_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_GOVCLOUD_ROLE_TO_ASSUME }}
+    with:
+      # check if the required slash command args are present, if so populate the json matrix, else pass in null and relevant e2e tests that would require a make target and region will be skipped
+      e2e-test-matrix: ${{ (contains(github.event.client_payload.slash_command_args.named, 'make') && contains(github.event.client_payload.slash_command_args.named, 'region')) && format('[{{"make-target":"{0}", "region":"{1}"}}]', github.event.client_payload.slash_command_args.named.make, github.event.client_payload.slash_command_args.named.region) || null }}

.gitignore

@@ -1,11 +1,12 @@
 .cache/
 .idea/
 .DS_Store
+.vscode
+
 
 # Local .terraform directories
 .terraform/
 *.terraform.*
-
 # .tfstate files
 *.tfstate
 *.tfstate.*
@@ -56,3 +57,7 @@ backend.tf
 .external_modules
 
 examples/zarf-complete-example/build
+
+#ignore lamba builds json file created from deploying lambda resource
+
+**/ignore

.pre-commit-config.yaml

@@ -20,18 +20,24 @@ repos:
     rev: 0.2.0
     hooks:
       - id: fix-smartquotes
-  - repo: https://github.com/dnephin/pre-commit-golang
-    rev: v0.5.1
+  - repo: https://github.com/tekwizely/pre-commit-golang
+    rev: v1.0.0-rc.1
     hooks:
       - id: go-fmt
       - id: golangci-lint
+        args:
+          - "--timeout=10m"
+          - "--verbose"
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.83.4
+    rev: v1.83.5
     hooks:
       - id: terraform_fmt
       - id: terraform_docs
         args:
           - --args=--lockfile=false
+          - --hook-config=--path-to-file=README.md        # Valid UNIX path. I.e. ../TFDOC.md or docs/README.md etc.
+          - --hook-config=--add-to-existing-file=true     # Boolean. true or false
+          - --hook-config=--create-file-if-not-exist=true # Boolean. true or false
       - id: terraform_checkov
         verbose: true
         args:

CODEOWNERS

@@ -1 +1,5 @@
 * @defenseunicorns/delivery-aws-iac
+
+# Privileged Files
+/CODEOWNERS @defenseunicorns/delivery-aws-iac-admin
+/LICENSE @defenseunicorns/delivery-aws-iac-admin

CONTRIBUTING.md

@@ -0,0 +1,62 @@
+# Contributor Guide
+
+Thanks so much for wanting to help out! :tada:
+
+Most of what you'll see in this document is our attempt at documenting the lightweight development process that works for our team. We're always open to feedback and suggestions for improvement. The intention is not to force people to follow this process step by step, rather to document it as a norm and provide a baseline for discussion.
+
+## Developer Experience
+
+Continuous Delivery is core to our development philosophy. Check out [https://minimumcd.org](https://minimumcd.org/) for a good baseline agreement on what that means.
+
+Specifically:
+
+- We do trunk-based development (`main`) with short-lived feature branches that originate from the trunk, get merged to the trunk, and are deleted after the merge.
+- We don't merge work into `main` that isn't releasable.
+- We perform automated testing on all pushes to `main`. Fixing failing pipelines in `main` are prioritized over all other work.
+- We create immutable release artifacts.
+
+### Developer Workflow
+
+:key: == Required by automation
+
+1. Pick an issue to work on, assign it to yourself, and drop a comment in the issue to let everyone know you're working on it.
+2. Create a Draft Pull Request targeting the `main` branch as soon as you are able to, even if it is just 5 minutes after you started working on it. We lean towards working in the open as much as we can. If you're not sure what to put in the PR description, just put a link to the issue you're working on. If you're not sure what to put in the PR title, just put "WIP" (Work In Progress) and we'll help you out with the rest.
+3. :key: The automated tests have to pass for the PR to be able to be merged. To run the tests in the PR add a comment to the PR that says `/test`. **NOTE** tests still have to pass in the merge queue, **you do not need to have tests pass in the PR, status checks are automatically reported as success in the PR**. If you want to run a specific test manually in the PR, you can use `/test make=<make-target> region=<region>`. The available CI tests are found in the [Makefile](./Makefile) and start with the string "test-ci-"
+4. If your PR is still set as a Draft transition it to "Ready for Review"
+5. Get it reviewed by a [CODEOWNER](./CODEOWNERS)
+6. Add the PR to the merge queue
+7. The merge queue will run different tests based on if it's a `release-please` pull request or just a regular pull request. If it's a `release-please` pull request, it will run all make targets starting with `test-ci-` and `test-release-` by default. If it's a regular pull request, it will run all make targets starting with `test-ci-` test by default. If the tests fail, the PR will be removed from the merge queue and the PR stays open. If the tests pass, the PR will be merged to `main` and the PR will be closed.
+8. If the issue is fully resolved, close it. _Hint: You can add "Closes #XXX" to the PR description to automatically close the issue when the PR is merged._
+
+### Pre-Commit Hooks
+
+This project uses [pre-commit](https://pre-commit.com/) to run a set of checks on your code before you commit it. You have the option to either install pre-commit and all other needed tools locally or use our docker-based build harness. To use the build harness, run
+
+```shell
+make run-pre-commit-hooks
+```
+> NOTE: Sometimes file ownership of stuff in the `.cache` folder can get messed up. You can optionally add the `fix-cache-permissions` target to the above command to fix that. It is idempotent so it is safe to run it every time.
+
+### Commit Messages
+
+Because we use the [release-please](https://github.com/googleapis/release-please) bot, commit messages to main must follow the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) specification. This is enforced by the [commitlint](https://commitlint.js.org/#/) tool. This requirement is only enforced on the `main` branch. Commit messages in PRs can be whatever you want them to be. "Squash" mode must be used when merging a PR, with a commit message that follows the Conventional Commits specification.
+
+### Release Process
+
+This repo uses the [release-please](https://github.com/googleapis/release-please) bot. Release-please will automatically open a PR to update the version of the repo when a commit is merged to `main` that follows the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) specification. The bot will automatically keep the PR up to date until a human merges it. When that happens the bot will automatically create a new release.
+
+### Backlog Management
+
+- We use [GitHub Issues](https://github.com/defenseunicorns/delivery-aws-iac/issues) to manage our backlog.
+- Issues need to meet our Definition of Ready (see below). If it does not meet the Definition of Ready, we may close it and ask the requester to re-open it once it does.
+
+#### Definition of Ready for a Backlog Item
+
+To meet the Definition of Ready the issue needs to answer the following questions:
+- Who is requesting it?
+- What is being requested?
+- Why is it needed?
+- What is the impact? What will happen if the request is not fulfilled?
+- How do we know that we are done?
+
+This can take various forms, and we don't care which form the issue takes as long as it answers the questions above.

complete/README.md

@@ -0,0 +1,51 @@
+
+# examples/complete
+
+
+# examples/complete
+
+Example that uses the module with many of its configurations. Used in CI E2E tests.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.62.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.1.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_random"></a> [random](#provider\_random) | >= 3.1.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | ../.. | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [random_id.default](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_iam_role_permissions_boundary"></a> [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | ARN of a permissions boundary policy to use when creating IAM roles | `string` | `null` | no |
+| <a name="input_ip_offsets_per_subnet"></a> [ip\_offsets\_per\_subnet](#input\_ip\_offsets\_per\_subnet) | List of offsets for IP reservations in each subnet. | `list(list(number))` | <pre>[<br>  [<br>    5,<br>    6<br>  ],<br>  [<br>    5,<br>    6<br>  ],<br>  [<br>    5<br>  ]<br>]</pre> | no |
+| <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | The prefix to use when naming all resources | `string` | `"ci"` | no |
+| <a name="input_region"></a> [region](#input\_region) | The AWS region to deploy into | `string` | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to apply to all resources | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_reserved_ips_per_subnet"></a> [reserved\_ips\_per\_subnet](#output\_reserved\_ips\_per\_subnet) | n/a |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->