chore: configure renovate

.github/workflows/pre-commit-pr.yml

@@ -1,11 +1,107 @@
----
-name: Scan Terraform
+name: Scan
 on:
   push:
+    branches:
+      - main
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+    branches:
+      - main
+    paths:
+      - "**.tf"
+      - "**.go"
+      - ".github/**"
+      - "README.md"
+
+permissions:
+  contents: read
 
 jobs:
-  scan-terraform:
-    uses: defenseunicorns/uds-common-workflows/.github/workflows/terraform-scan.yaml@main
-    with:
-      soft-fail: true
-      github-token: $GITHUB_TOKEN
+  tflint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - uses: opentofu/setup-opentofu@ae80d4ecaab946d8f5ff18397fbf6d0686c6d46a # v1.0.3    
+        with:
+          # renovate: datasource=github-tags depName=opentofu/opentofu versioning=semver
+          tofu_version: 1.6.3
+
+      - name: tofu init
+        run: tofu init
+
+      - name: tofu validate
+        run: tofu validate
+
+      - name: tofu fmt
+        run: tofu fmt -recursive
+
+      - name: Update Tofu Docs
+        uses: terraform-docs/gh-actions@e47bfa196e79fa50987ef391be236d9d97b0c786 # v1.2.0
+        with:
+          working-dir: .
+          output-method: inject
+          git-push: false
+          fail-on-diff: true
+
+      - name: Setup TFLint
+        uses: terraform-linters/setup-tflint@19a52fbac37dacb22a09518e4ef6ee234f2d4987 # v4.0.0
+        with:
+          # renovate: datasource=github-tags depName=terraform-linters/tflint versioning=semver
+          tflint_version: v0.46.1
+
+      - name: Show version
+        run: tflint --version
+
+      - name: Init TFLint
+        run: tflint --init
+        env:
+          # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
+
+      - name: Run TFLint
+        run: tflint -f compact --recursive
+
+  tfsec-scan:
+    needs: [tflint]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: tfsec
+        uses: aquasecurity/tfsec-action@b466648d6e39e7c75324f25d83891162a721f2d6 # v1.0.3
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }} 
+          soft_fail: true
+
+  regula:
+    needs: [tflint]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: List Directories
+        run: ls -lsa
+
+      - name: Scan with Regula
+        uses: fugue/regula-action@e47ae38fae32dccedc5ef814acdb2081eb2a351d # v3.2.1
+        with:
+          input_path: .
+          input_type: tf
+          severity: high
+
+  lintgo:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Run golangci-lint
+        uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0

.github/workflows/release-please.yml

@@ -11,8 +11,16 @@ permissions:
   repository-projects: read
 
 jobs:
-  release-terraform:
-    uses: defenseunicorns/uds-common-workflows/.github/workflows/release-terraform.yml@main
-    with:
-      command: manifest
-      release-type: simple
+  release-please:
+    runs-on: ubuntu-latest
+    outputs:
+      release_created: ${{ steps.release-flag.outputs.release_created }}
+    steps:
+      - name: Create Release Tag
+        id: tag
+        uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3
+        with:
+          command: ${{ inputs.command }}
+          release-type: ${{ inputs.release-type }} 
+      - id: release-flag
+        run: echo "release_created=${{ steps.tag.outputs.release_created || false }}" >> $GITHUB_OUTPUT

.github/workflows/test-module.yml

@@ -31,7 +31,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v2
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4
         with:
           role-to-assume: ${{ secrets.AWS_COMMERCIAL_ROLE_TO_ASSUME }}
           role-session-name: ${{ github.event.client_payload.pull_request.head.sha || github.sha }}
@@ -40,7 +40,17 @@ jobs:
           # 1800 seconds == 30 minutes
           role-duration-seconds: 1800
 
-      - name: Run Shared Test workfow
-        uses: defenseunicorns/uds-common-workflows/.github/actions/terraform-test@main
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Setup Go from go.mod
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          test_retry: 1
+          go-version-file: go.mod
+
+      - name: Install Go Dependencies and Test
+        shell: bash
+        working-directory: test
+        run: |
+          go mod tidy
+          go test -count 1 -timeout 30m -v .

.golangci.yml

@@ -13,6 +13,7 @@ linters:
     - gomnd
     - lll
     - nlreturn
+    - perfsprint
     - stylecheck
     #   - testpackage
     - varnamelen

Makefile

@@ -1,129 +1,19 @@
-include .env
-
-.DEFAULT_GOAL := help
-
-# Optionally add the "-it" flag for docker run commands if the env var "CI" is not set (meaning we are on a local machine and not in github actions)
-TTY_ARG :=
-ifndef CI
-	TTY_ARG := -it
-endif
-
-# Silent mode by default. Run `make VERBOSE=1` to turn off silent mode.
-ifndef VERBOSE
-.SILENT:
-endif
-
-# Idiomatic way to force a target to always run, by having it depend on this dummy target
-FORCE:
-
 .PHONY: help
 help: ## Show a list of all targets
-	grep -E '^[a-zA-Z0-9_-]+:.*?## .*$$' $(MAKEFILE_LIST) \
+	@grep -E '^[a-zA-Z0-9_-]+:.*?## .*$$' $(MAKEFILE_LIST) \
 	| sed -n 's/^\(.*\): \(.*\)##\(.*\)/\1:\3/p' \
 	| column -t -s ":"
 
-.PHONY: _create-folders
-_create-folders:
-	mkdir -p .cache/docker
-	mkdir -p .cache/pre-commit
-	mkdir -p .cache/go
-	mkdir -p .cache/go-build
-	mkdir -p .cache/tmp
-	mkdir -p .cache/.terraform.d/plugin-cache
-	mkdir -p .cache/.zarf-cache
-
-.PHONY: _test-all
-_test-all: _create-folders
-	echo "Running automated tests. This will take several minutes. At times it may not log anything to the console. If you interrupt the test run you will need to log into AWS console and manually delete any orphaned infrastructure."
-	# Developer note: If sshuttle is to be used, --cap-add=NET_ADMIN and --cap-add=NET_RAW need to be added to the below docker run command
-	docker run $(TTY_ARG) --rm \
-		-v "${PWD}:/app" \
-		-v "${PWD}/.cache/tmp:/tmp" \
-		-v "${PWD}/.cache/go:/root/go" \
-		-v "${PWD}/.cache/go-build:/root/.cache/go-build" \
-		-v "${PWD}/.cache/.terraform.d/plugin-cache:/root/.terraform.d/plugin-cache" \
-		-v "${PWD}/.cache/.zarf-cache:/root/.zarf-cache" \
-		--workdir "/app" \
-		-e TF_LOG_PATH \
-		-e TF_LOG \
-		-e GOPATH=/root/go \
-		-e GOCACHE=/root/.cache/go-build \
-		-e TF_PLUGIN_CACHE_MAY_BREAK_DEPENDENCY_LOCK_FILE=true \
-		-e TF_PLUGIN_CACHE_DIR=/root/.terraform.d/plugin-cache \
-		-e AWS_REGION \
-		-e AWS_DEFAULT_REGION \
-		-e AWS_ACCESS_KEY_ID \
-		-e AWS_SECRET_ACCESS_KEY \
-		-e AWS_SESSION_TOKEN \
-		-e AWS_SECURITY_TOKEN \
-		-e AWS_SESSION_EXPIRATION \
-		-e SKIP_SETUP \
-		-e SKIP_TEST \
-		-e SKIP_TEARDOWN \
-		${BUILD_HARNESS_REPO}:${BUILD_HARNESS_VERSION} \
-		bash -c 'git config --global --add safe.directory /app \
-			&& asdf install && cd examples/complete \
-			&& terraform init -upgrade=true \
-			&& cd ../../test/e2e \
-			&& go test -count 1 -v $(EXTRA_TEST_ARGS) .'
-
-.PHONY: test
-test: ## Run all automated tests. Requires access to an AWS account. Costs real money.
-	$(MAKE) _test-all EXTRA_TEST_ARGS="-timeout 2h"
-
-# Example of how to run a single test only
-#.PHONY: test-complete-foo
-#test-complete-foo: ## Run one test (TestExamplesCompleteFoo). Requires access to an AWS account. Costs real money.
-#	$(MAKE) _test-all EXTRA_TEST_ARGS="-timeout 2h -run TestExamplesCompleteFoo"
-
-.PHONY: docker-save-build-harness
-docker-save-build-harness: _create-folders ## Pulls the build harness docker image and saves it to a tarball
-	docker pull ${BUILD_HARNESS_REPO}:${BUILD_HARNESS_VERSION}
-	docker save -o .cache/docker/build-harness.tar ${BUILD_HARNESS_REPO}:${BUILD_HARNESS_VERSION}
-
-.PHONY: docker-load-build-harness
-docker-load-build-harness: ## Loads the saved build harness docker image
-	docker load -i .cache/docker/build-harness.tar
-
-.PHONY: _runhooks
-_runhooks: _create-folders
-	docker run $(TTY_ARG) --rm \
-		-v "${PWD}:/app" \
-		-v "${PWD}/.cache/tmp:/tmp" \
-		-v "${PWD}/.cache/go:/root/go" \
-		-v "${PWD}/.cache/go-build:/root/.cache/go-build" \
-		-v "${PWD}/.cache/.terraform.d/plugin-cache:/root/.terraform.d/plugin-cache" \
-		-v "${PWD}/.cache/.zarf-cache:/root/.zarf-cache" \
-		--workdir "/app" \
-		-e GOPATH=/root/go \
-		-e GOCACHE=/root/.cache/go-build \
-		-e TF_PLUGIN_CACHE_MAY_BREAK_DEPENDENCY_LOCK_FILE=true \
-		-e TF_PLUGIN_CACHE_DIR=/root/.terraform.d/plugin-cache \
-		-e "SKIP=$(SKIP)" \
-		-e "PRE_COMMIT_HOME=/app/.cache/pre-commit" \
-		${BUILD_HARNESS_REPO}:${BUILD_HARNESS_VERSION} \
-		bash -c 'git config --global --add safe.directory /app && asdf install && pre-commit run -a --show-diff-on-failure $(HOOK)'
-
-.PHONY: pre-commit-all
-pre-commit-all: ## Run all pre-commit hooks. Returns nonzero exit code if any hooks fail. Uses Docker for maximum compatibility
-	$(MAKE) _runhooks HOOK="" SKIP=""
-
-.PHONY: pre-commit-terraform
-pre-commit-terraform: ## Run the terraform pre-commit hooks. Returns nonzero exit code if any hooks fail. Uses Docker for maximum compatibility
-	$(MAKE) _runhooks HOOK="" SKIP="check-added-large-files,check-merge-conflict,detect-aws-credentials,detect-private-key,end-of-file-fixer,fix-byte-order-marker,trailing-whitespace,check-yaml,fix-smartquotes,go-fmt,golangci-lint,renovate-config-validator"
-
-.PHONY: pre-commit-golang
-pre-commit-golang: ## Run the golang pre-commit hooks. Returns nonzero exit code if any hooks fail. Uses Docker for maximum compatibility
-	$(MAKE) _runhooks HOOK="" SKIP="check-added-large-files,check-merge-conflict,detect-aws-credentials,detect-private-key,end-of-file-fixer,fix-byte-order-marker,trailing-whitespace,check-yaml,fix-smartquotes,terraform_fmt,terraform_docs,terraform_checkov,terraform_tflint,renovate-config-validator"
-
-.PHONY: pre-commit-renovate
-pre-commit-renovate: ## Run the renovate pre-commit hooks. Returns nonzero exit code if any hooks fail. Uses Docker for maximum compatibility
-	$(MAKE) _runhooks HOOK="renovate-config-validator" SKIP=""
-
-.PHONY: pre-commit-common
-pre-commit-common: ## Run the common pre-commit hooks. Returns nonzero exit code if any hooks fail. Uses Docker for maximum compatibility
-	$(MAKE) _runhooks HOOK="" SKIP="go-fmt,golangci-lint,terraform_fmt,terraform_docs,terraform_checkov,terraform_tflint,renovate-config-validator"
-
-.PHONY: fix-cache-permissions
-fix-cache-permissions: ## Fixes the permissions on the pre-commit cache
-	docker run $(TTY_ARG) --rm -v "${PWD}:/app" --workdir "/app" -e "PRE_COMMIT_HOME=/app/.cache/pre-commit" ${BUILD_HARNESS_REPO}:${BUILD_HARNESS_VERSION} chmod -R a+rx .cache
+.PHONY: tfdocs
+tfdocs: ## update the terraform docs
+	tofu init
+	tofu validate
+	tofu fmt -recursive
+	terraform-docs markdown table --indent 2 --output-mode inject --output-file README.md .
+
+.PHONY: tflint
+tflint: ## tflint
+	tflint
+
+lint-go: ## Run golang-ci-lint to lint the go code (must `brew install golangci-lint` first)
+	golangci-lint run

README.md

@@ -20,7 +20,7 @@ go test -count 1 -v .
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.42.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.62.0 |
 
 ## Modules