diff --git a/.github/renovate.json b/.github/renovate.json
new file mode 100644
index 0000000..44e75fc
--- /dev/null
+++ b/.github/renovate.json
@@ -0,0 +1,16 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:base",
+ ":semanticCommitTypeAll(chore)"
+ ],
+ "lockFileMaintenance": {
+ "enabled": true,
+ "extends": [
+ "schedule:weekly"
+ ]
+ },
+ "nix": {
+ "enabled": true
+ }
+}
diff --git a/.github/workflows/flake.yaml b/.github/workflows/flake.yaml
index 9615e2e..2485649 100644
--- a/.github/workflows/flake.yaml
+++ b/.github/workflows/flake.yaml
@@ -13,7 +13,9 @@ jobs:
 check:
 runs-on: ubuntu-latest
 steps:
- - uses: DeterminateSystems/nix-installer-action@main
+ - uses: cachix/install-nix-action@v25
+ with:
+ enable_kvm: true
 - uses: cachix/cachix-action@v14
 with:
 authToken: ${{ secrets.ALTF4LLC_CACHIX_AUTH_TOKEN }}
@@ -26,7 +28,9 @@ jobs:
 - check
 runs-on: ubuntu-latest
 steps:
- - uses: DeterminateSystems/nix-installer-action@main
+ - uses: cachix/install-nix-action@v25
+ with:
+ enable_kvm: true
 - uses: cachix/cachix-action@v14
 with:
 authToken: ${{ secrets.ALTF4LLC_CACHIX_AUTH_TOKEN }}
diff --git a/.gitignore b/.gitignore
index 1c27273..062dcd8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
-.direnv
+/.direnv
+/build-configs
 /result
 /target
diff --git a/.golangci.yaml b/.golangci.yaml
index 8321d68..994a8e4 100644
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -2,4 +2,3 @@ issues:
 exclude:
 - Error return value of `\(github.com/go-kit/log.Logger\).Log` is not checked
 
-
diff --git a/build-configs.yaml b/build-configs.yaml
index d3455b5..eeda0a6 100644
--- a/build-configs.yaml
+++ b/build-configs.yaml
@@ -6,5 +6,3 @@ parameters:
 cachix:
 binaryCache: altf4llc-os
 vendorHash: sha256-6B9O6ho4COpJy4HlkzQ0lk+ieezRO3xg9LyLHzoxYzc=
- goPackage: go_1_22
- buildGoModule: buildGo122Module
diff --git a/flake.nix b/flake.nix
index 1d65968..e49813b 100644
--- a/flake.nix
+++ b/flake.nix
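Review bot: The `"config:base"` entry in the `extends` list is Renovate's legacy preset name; it is deprecated in favour of `config:recommended`, which is what new configurations are expected to extend. The identical list is added again in the template copy at internal/templates/templates/common/all/.github__renovate.json later in this commit, so both should read `"extends": ["config:recommended", ":semanticCommitTypeAll(chore)"]`.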
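Review bot: The new `- uses: cachix/install-nix-action@v25` lines in both hunks of .github/workflows/flake.yaml pin a mutable tag, so the action's code can change underneath this workflow without any commit to this repository; moving off `@main` is already an improvement, but the usual hardening for third-party actions is to pin the full commit SHA and keep the tag as a comment, e.g. `- uses: cachix/install-nix-action@<commit-sha> # v25`. The same applies to `cachix/cachix-action@v14` on the context lines and to the generated terraform and terraform-module workflow templates later in this commit, which every consuming repository inherits. Renovate, enabled in this same commit, can keep SHA pins current through its `helpers:pinGitHubActionDigests` preset.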
@@ -1,48 +1,33 @@
 {
 inputs.nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
 
- outputs = inputs@{ flake-parts, ... }:
- flake-parts.lib.mkFlake { inherit inputs; } {
- systems = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ];
+ outputs = inputs @ {flake-parts, ...}:
+ flake-parts.lib.mkFlake {inherit inputs;} {
+ systems = ["x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin"];
 
- perSystem = { config, pkgs, ... }:
- let
- inherit (pkgs)
- go_1_22
- just;
-
- name = "build-configs";
- version = "0.1.0";
- CGO_ENABLED = "0";
- in
- {
- devShells.default = pkgs.mkShell {
- buildInputs = [ just ];
- inputsFrom = [ config.packages.default ];
- };
-
- packages = {
- default = pkgs.buildGo122Module {
- inherit name version;
- GOFLAGS = [
- "-ldflags=github.com/ALT-F4-LLC/build-configs/internal/cli.Version=${version}"
- ];
- src = ./.;
- vendorHash = "sha256-6B9O6ho4COpJy4HlkzQ0lk+ieezRO3xg9LyLHzoxYzc=";
- buildModules = [ "cmd/${name}" ];
- };
+ perSystem = {
+ config,
+ pkgs,
+ ...
+ }: let
+ inherit (pkgs) just;
+ name = "build-configs";
+ version = "0.1.0";
+ CGO_ENABLED = "0";
+ in {
+ devShells.default = pkgs.mkShell {
+ buildInputs = [just];
+ inputsFrom = [config.packages.default];
+ };
 
- docker = pkgs.dockerTools.buildImage {
- inherit name;
- tag = "latest";
- config = {
- Entrypoint = [ "${config.packages.default}/bin/${name}" ];
- Env = [
- "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
- ];
- };
- };
+ packages = {
+ default = pkgs.buildGoModule {
+ inherit CGO_ENABLED name version;
+ src = ./.;
+ subPackages = ["cmd/${name}"];
+ vendorHash = "sha256-6B9O6ho4COpJy4HlkzQ0lk+ieezRO3xg9LyLHzoxYzc=";
 };
 };
- };
+ };
+ };
 }
diff --git a/internal/config/config.go b/internal/config/config.go
index 6fb0739..ab24783 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
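Review bot: The `docker` output is dropped from `packages` on the new side, but the root justfile at the end of this commit still defines `package-docker: (package 'docker')`, which runs `nix build '.#docker'` and will now fail on a missing attribute; the go-cobra-cli template flake.nix and its justfile in this commit have the same mismatch. Either keep a `docker` package or remove the `package-docker` recipes. Separately, the removed `GOFLAGS` entry was the only place `version` reached the binary (its old form also lacked the `-X` flag), and the new `inherit CGO_ENABLED name version` only sets the derivation's version, so if `internal/cli.Version` is still meant to be stamped the `buildGoModule` call needs `ldflags = ["-X github.com/ALT-F4-LLC/build-configs/internal/cli.Version=${version}"];`.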
@@ -71,6 +71,42 @@ func (c Config) GetTemplater() (Templater, error) {
 return tpl, err
 }
 
+ // Then convert them back into the type for the templater selected
+ if err := json.Unmarshal(b, &tpl); err != nil {
+ return tpl, err
+ }
+ return tpl, nil
+
+ case "terraform":
+ if Debug {
+ fmt.Println("loading terraform templater")
+ }
+ tpl := NewTerraformConfig(c)
+
+ // Convert the parameters (map type) to JSON
+ b, err := json.Marshal(c.Parameters)
+ if err != nil {
+ return tpl, err
+ }
+
+ // Then convert them back into the type for the templater selected
+ if err := json.Unmarshal(b, &tpl); err != nil {
+ return tpl, err
+ }
+ return tpl, nil
+
+ case "terraform-module":
+ if Debug {
+ fmt.Println("loading terraform module templater")
+ }
+ tpl := NewTerraformModuleConfig(c)
+
+ // Convert the parameters (map type) to JSON
+ b, err := json.Marshal(c.Parameters)
+ if err != nil {
+ return tpl, err
+ }
+
 // Then convert them back into the type for the templater selected
 if err := json.Unmarshal(b, &tpl); err != nil {
 return tpl, err
diff --git a/internal/config/go_cobra_cli.go b/internal/config/go_cobra_cli.go
index 734c321..b3e55bb 100644
--- a/internal/config/go_cobra_cli.go
+++ b/internal/config/go_cobra_cli.go
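Review bot: The JSON round-trip added for the `terraform` and `terraform-module` cases silently discards any parameter key that does not match a field of the selected config type, so a misspelled `parameters:` entry in build-configs.yaml is ignored instead of reported; `GetTemplater` begins before this hunk and the existing cases use the same pattern. If strict input validation is wanted, a decoder catches it: `dec := json.NewDecoder(bytes.NewReader(b))`, `dec.DisallowUnknownFields()`, `if err := dec.Decode(&tpl); err != nil { return tpl, err }` (with `bytes` imported). The marshal-then-unmarshal block is now repeated verbatim in every case and would read better as one helper such as `func applyParameters(params any, dst any) error` called once per case, which also gives the `DisallowUnknownFields` choice a single home.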
@@ -8,24 +8,26 @@ const GoCobraCliName = "go-cobra-cli"
 
 type GoCobraCliConfig struct {
 Config
+ CgoEnabled bool `json:"cgoEnabled,omitempty" yaml:"cgoEnabled,omitempty"`
 GoVersion string `json:"goVersion,omitempty" yaml:"goVersion,omitempty"`
 Lint GolangCILintConfig `json:"lint,omitempty" yaml:"lint,omitempty"`
 Nix NixGoConfig `json:"nix,omitempty" yaml:"nix,omitempty"`
 PrivateModules string `json:"privateModules,omitempty" yaml:"privateModules,omitempty"`
+ Version string `json:"version,omitempty" yaml:"version,omitempty"`
 }
 
 func NewGoCobraCliConfig(c Config) GoCobraCliConfig {
 return GoCobraCliConfig{
- Config: c,
-
- GoVersion: "1.22",
-
- Lint: NewGolangCiLintConfig(),
+ CgoEnabled: false,
+ Config: c,
+ GoVersion: "1.22",
+ Lint: NewGolangCiLintConfig(),
 Nix: NixGoConfig{
- NixConfig: NewNixConfig(),
- GoPackage: "go",
 BuildGoModule: "buildGoModule",
+ GoPackage: "go",
+ NixConfig: NewNixConfig(),
 },
+ Version: "0.1.0",
 }
 }
 
@@ -33,6 +35,7 @@ func (c GoCobraCliConfig) Render() error {
 files, err := templates.RenderTemplates(templates.RenderMap{
 templates.AllCommonTemplates: {
 ".envrc",
+ ".github/renovate.json",
 },
 templates.GoCommonTemplates: {
 ".editorconfig",
diff --git a/internal/config/go_lambda.go b/internal/config/go_lambda.go
index 1596919..27984b2 100644
--- a/internal/config/go_lambda.go
+++ b/internal/config/go_lambda.go
@@ -45,6 +45,7 @@ func (c GoLambdaConfig) Render() error {
 renderMap := templates.RenderMap{
 templates.AllCommonTemplates: {
 ".envrc",
+ ".github/renovate.json",
 },
 templates.GoCommonTemplates: {
 ".editorconfig",
diff --git a/internal/config/terraform.go b/internal/config/terraform.go
new file mode 100644
index 0000000..ad33cdd
--- /dev/null
+++ b/internal/config/terraform.go
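Review bot: The new exported fields `CgoEnabled` and `Version` on `GoCobraCliConfig` have no doc comments, and the defaults chosen in `NewGoCobraCliConfig` are not explained anywhere. Both fields are consumed by the go-cobra-cli flake.nix template in this commit, so `// CgoEnabled selects CGO_ENABLED=1 in the generated flake.nix; defaults to false.` and `// Version is rendered as the package version in the generated flake.nix; defaults to "0.1.0".` state exactly what they do. `CgoEnabled: false` in the constructor is the zero value and can be dropped, or kept only with a comment that the explicit default is deliberate.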
@@ -0,0 +1,62 @@
+package config
+
+import (
+ "fmt"
+
+ "github.com/ALT-F4-LLC/build-configs/internal/templates"
+)
+
+const TerraformName = "terraform"
+
+type TerraformConfigRole struct {
+ PlanARN string `json:"planArn,omitempty" yaml:"planArn,omitempty"`
+ ApplyARN string `json:"applyArn,omitempty" yaml:"applyArn,omitempty"`
+}
+
+type TerraformConfig struct {
+ Config
+ Nix NixConfig `json:"nix,omitempty" yaml:"nix,omitempty"`
+ Region string `json:"region,omitempty" yaml:"region,omitempty"`
+ Role TerraformConfigRole `json:"role,omitempty" yaml:"role,omitempty"`
+ Schedule *string `json:"schedule,omitempty" yaml:"schedule,omitempty"`
+ Providers []string `json:"providers,omitempty" yaml:"providers,omitempty"`
+}
+
+func NewTerraformConfigRole(name string) TerraformConfigRole {
+ return TerraformConfigRole{
+ ApplyARN: fmt.Sprintf("arn:aws:iam::677459762413:role/altf4llc-gha-%s-apply", name),
+ PlanARN: fmt.Sprintf("arn:aws:iam::677459762413:role/altf4llc-gha-%s-plan", name),
+ }
+}
+
+func NewTerraformConfig(c Config) TerraformConfig {
+ return TerraformConfig{
+ Config: c,
+ Nix: NewNixConfig(),
+ Region: "us-west-2",
+ Role: NewTerraformConfigRole(c.Name),
+ Schedule: nil,
+ }
+}
+
+func (c TerraformConfig) Render() error {
+ renderMap := templates.RenderMap{
+ templates.AllCommonTemplates: {
+ ".envrc",
+ ".github/renovate.json",
+ },
+ templates.TerraformTemplates: {
+ ".github/workflows/terraform.yaml",
+ ".gitignore",
+ "flake.nix",
+ "justfile",
+ },
+ }
+
+ files, err := templates.RenderTemplates(renderMap, c)
+ if err != nil {
+ return err
+ }
+
+ return templates.WriteFiles(files)
+}
diff --git a/internal/config/terraform_module.go b/internal/config/terraform_module.go
new file mode 100644
index 0000000..379d2bb
--- /dev/null
+++ b/internal/config/terraform_module.go
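Review bot: `NewTerraformConfigRole` hard-codes the AWS account ID `677459762413` and the `altf4llc-gha-` role naming scheme into a generator that otherwise takes everything from `Config`, so any repository outside that account gets an unusable `role-to-assume` unless it overrides both ARNs through parameters; the account should at least become a field (e.g. `AccountID string` on `TerraformConfigRole`, or a constructor argument) with the current value as the documented default. The role name is also built from `c.Name` with `fmt.Sprintf` and no validation, so a name containing characters not permitted in IAM role names renders a malformed ARN that only fails when the generated workflow tries to assume it. `Schedule: nil` in `NewTerraformConfig` is the zero value and can be dropped, and the exported identifiers in this file (`TerraformName`, `TerraformConfigRole`, `TerraformConfig`, `Render`) carry no doc comments.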
@@ -0,0 +1,42 @@
+package config
+
+import (
+ "github.com/ALT-F4-LLC/build-configs/internal/templates"
+)
+
+const TerraformModuleName = "terraform-module"
+
+type TerraformModuleConfig struct {
+ Config
+ Nix NixConfig `json:"nix,omitempty" yaml:"nix,omitempty"`
+ Providers []string `json:"providers,omitempty" yaml:"providers,omitempty"`
+}
+
+func NewTerraformModuleConfig(c Config) TerraformModuleConfig {
+ return TerraformModuleConfig{
+ Config: c,
+ Nix: NewNixConfig(),
+ }
+}
+
+func (c TerraformModuleConfig) Render() error {
+ renderMap := templates.RenderMap{
+ templates.AllCommonTemplates: {
+ ".envrc",
+ ".github/renovate.json",
+ },
+ templates.TerraformModuleTemplates: {
+ ".github/workflows/terraform.yaml",
+ ".gitignore",
+ "flake.nix",
+ "justfile",
+ },
+ }
+
+ files, err := templates.RenderTemplates(renderMap, c)
+ if err != nil {
+ return err
+ }
+
+ return templates.WriteFiles(files)
+}
diff --git a/internal/templates/templates.go b/internal/templates/templates.go
index dd8ca79..510244e 100644
--- a/internal/templates/templates.go
+++ b/internal/templates/templates.go
@@ -22,10 +22,18 @@ var (
 //go:embed all:templates/go-lambda/*
 goLambdaFS embed.FS
 
- AllCommonTemplates *template.Template
- GoCommonTemplates *template.Template
- GoCobraCliTemplates *template.Template
- GoLambdaTemplates *template.Template
+ //go:embed all:templates/terraform/*
+ terraformFS embed.FS
+
+ //go:embed all:templates/terraform-module/*
+ terraformModuleFS embed.FS
+
+ AllCommonTemplates *template.Template
+ GoCommonTemplates *template.Template
+ GoCobraCliTemplates *template.Template
+ GoLambdaTemplates *template.Template
+ TerraformTemplates *template.Template
+ TerraformModuleTemplates *template.Template
 )
 
 // RenderMap maps a template set to the filenames* that should be written.
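Review bot: `Providers` on `TerraformModuleConfig` is neither defaulted nor validated in `NewTerraformModuleConfig`, and the terraform-module flake.nix template in this commit renders it straight into `pkgs.terraform.withPlugins (ps: [ … ])`, so an omitted `providers` parameter yields a Terraform with no plugins and the `terraform init` run inside that flake's package build presumably fails for any module that declares a provider. A guard in `Render` such as `if len(c.Providers) == 0 { return errors.New("terraform-module: at least one provider is required") }` (with `errors` imported) would surface that at generation time; a module that genuinely uses no provider is possible, so a warning may be the better fit. `Render` is otherwise a line-for-line copy of `TerraformConfig.Render` apart from the template set and could share one implementation. The exported identifiers here have no doc comments; `// TerraformModuleConfig describes a Terraform module repository rendered from the terraform-module template set.` would do for the type.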
@@ -38,6 +46,8 @@ func init() {
 GoCommonTemplates = template.Must(template.ParseFS(goCommonFS, "templates/common/go/*"))
 GoCobraCliTemplates = template.Must(template.ParseFS(goCobraCliFS, "templates/go-cobra-cli/*"))
 GoLambdaTemplates = template.Must(template.ParseFS(goLambdaFS, "templates/go-lambda/*"))
+ TerraformTemplates = template.Must(template.ParseFS(terraformFS, "templates/terraform/*"))
+ TerraformModuleTemplates = template.Must(template.ParseFS(terraformModuleFS, "templates/terraform-module/*"))
 }
 
 func RenderTemplates(in RenderMap, context any) (map[string]string, error) {
@@ -81,7 +91,7 @@ func WriteFiles(in map[string]string) error {
 continue
 }
 
- if err := os.WriteFile(filename, []byte(contents), 0644); err != nil {
+ if err := os.WriteFile(filename, []byte(contents), 0o644); err != nil {
 return err
 }
 }
diff --git a/internal/templates/templates/common/all/.github__renovate.json b/internal/templates/templates/common/all/.github__renovate.json
new file mode 100644
index 0000000..44e75fc
--- /dev/null
+++ b/internal/templates/templates/common/all/.github__renovate.json
@@ -0,0 +1,16 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:base",
+ ":semanticCommitTypeAll(chore)"
+ ],
+ "lockFileMaintenance": {
+ "enabled": true,
+ "extends": [
+ "schedule:weekly"
+ ]
+ },
+ "nix": {
+ "enabled": true
+ }
+}
diff --git a/internal/templates/templates/go-cobra-cli/flake.nix b/internal/templates/templates/go-cobra-cli/flake.nix
index 2cb6b5c..51d3788 100644
--- a/internal/templates/templates/go-cobra-cli/flake.nix
+++ b/internal/templates/templates/go-cobra-cli/flake.nix
@@ -1,44 +1,33 @@
 {
 inputs.nixpkgs.url = "github:nixos/nixpkgs/{{ .Nix.NixpkgsBranch }}";
 
- outputs = inputs@{ flake-parts, ... }:
- flake-parts.lib.mkFlake { inherit inputs; } {
- systems = [ {{range .Nix.Systems}}"{{.}}" {{end}}];
+ outputs = inputs @ {flake-parts, ...}:
+ flake-parts.lib.mkFlake {inherit inputs;} {
+ systems = [{{range .Nix.Systems}}"{{.}}" {{end}}];
 
- perSystem = { config, pkgs, ... }:
- let
- inherit (pkgs)
- {{ .Nix.GoPackage }}
- just;
-
- name = "{{ .Name }}";
- CGO_ENABLED = "0";
- in
- {
- devShells.default = pkgs.mkShell {
- buildInputs = [ just ];
- inputsFrom = [ config.packages.default ];
- };
-
- packages = {
- default = pkgs.{{ .Nix.BuildGoModule }} {
- inherit name;
- src = ./.;
- vendorHash = "{{ .Nix.VendorHash }}";
- buildModules = [ "cmd/${name}" ];
- };
+ perSystem = {
+ config,
+ pkgs,
+ ...
+ }: let
+ inherit (pkgs) just;
+ name = "{{ .Name }}";
+ version = "{{ .Version }}";
+ {{ if .CgoEnabled }}CGO_ENABLED = "1";{{ else }}CGO_ENABLED = "0";{{ end }}
+ in {
+ devShells.default = pkgs.mkShell {
+ buildInputs = [just];
+ inputsFrom = [config.packages.default];
+ };
 
- docker = pkgs.dockerTools.buildImage {
- inherit name;
- tag = "latest";
- config = {
- Entrypoint = [ "${config.packages.default}/bin/${name}" ];
- Env = [
- "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
- ];
- };
- };
+ packages = {
+ default = pkgs.{{ .Nix.BuildGoModule }} {
+ inherit CGO_ENABLED name version;
+ src = ./.;
+ subPackages = ["cmd/${name}"];
+ vendorHash = "{{ .Nix.VendorHash }}";
 };
 };
- };
+ };
+ };
 }
diff --git a/internal/templates/templates/go-cobra-cli/justfile b/internal/templates/templates/go-cobra-cli/justfile
index 2e9ca51..f61c04e 100644
--- a/internal/templates/templates/go-cobra-cli/justfile
+++ b/internal/templates/templates/go-cobra-cli/justfile
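Review bot: The rewritten template no longer references `.Nix.GoPackage` (the `inherit (pkgs) {{ .Nix.GoPackage }}` line is removed and nothing replaces it), while `NixGoConfig.GoPackage` is still populated to `"go"` in `NewGoCobraCliConfig` earlier in this commit, so a `goPackage` parameter now silently does nothing for this template; either drop the field or consume it, for example by making the dev shell's toolchain explicit with `buildInputs = [just pkgs.{{ .Nix.GoPackage }}];` — unless the go-lambda template, which is not in this diff, still reads it. The `docker` image output is also removed here while the template justfile in this commit keeps a `package-docker` recipe that builds `.#docker`, so that recipe will fail in every generated repository until one side is changed.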
@@ -1,4 +1,10 @@
-build profile='default'{{ if .PrivateModules }} netrc="/tmp/.netrc=/tmp/.netrc"{{ end }}:
+build:
+ go build -o {{ .Name }} ./cmd/{{ .Name }}/main.go
+
+check:
+ nix flake check
+
+package profile='default'{{ if .PrivateModules }} netrc="/tmp/.netrc=/tmp/.netrc"{{ end }}:
 nix build \
 --json \
 --no-link \
@@ -9,7 +15,4 @@ build profile='default'{{ if .PrivateModules }} netrc="/tmp/.netrc=/tmp/.netrc"{
 {{- end }}
 '.#{{"{{"}} profile {{"}}"}}'
 
-build-docker{{ if .PrivateModules }} netrc="/tmp/.netrc=/tmp/.netrc"{{ end }}: (build 'docker'{{ if .PrivateModules }} netrc{{ end }})
-
-check:
- nix flake check
+package-docker{{ if .PrivateModules }} netrc="/tmp/.netrc=/tmp/.netrc"{{ end }}: (package 'docker'{{ if .PrivateModules }} netrc{{ end }})
diff --git a/internal/templates/templates/terraform-module/.github__workflows__terraform.yaml b/internal/templates/templates/terraform-module/.github__workflows__terraform.yaml
new file mode 100644
index 0000000..1bef1cc
--- /dev/null
+++ b/internal/templates/templates/terraform-module/.github__workflows__terraform.yaml
@@ -0,0 +1,39 @@
+name: terraform
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+
+env:
+ CACHIX_BINARY_CACHE: {{ .Nix.Cachix.BinaryCache }}
+
+jobs:
+ check:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: cachix/install-nix-action@v27
+ with:
+ nix_path: nixpkgs=channel:nixos-unstable
+ - uses: cachix/cachix-action@v15
+ with:
+ authToken: ${{"{{"}} secrets.CACHIX_AUTH_TOKEN {{"}}"}}
+ name: ${{"{{"}} env.CACHIX_BINARY_CACHE {{"}}"}}
+ - uses: actions/checkout@v4
+ - run: nix develop -c just check
+
+ package:
+ needs:
+ - check
+ runs-on: ubuntu-latest
+ steps:
+ - uses: cachix/install-nix-action@v27
+ with:
+ nix_path: nixpkgs=channel:nixos-unstable
+ - uses: cachix/cachix-action@v15
+ with:
+ authToken: ${{"{{"}} secrets.ALTF4LLC_CACHIX_AUTH_TOKEN {{"}}"}}
+ name: ${{"{{"}} env.CACHIX_BINARY_CACHE {{"}}"}}
+ - uses: actions/checkout@v4
+ - run: nix develop -c just package
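Review bot: The new `build` recipe compiles `./cmd/{{ .Name }}/main.go` as a single file rather than as a package, so any additional `.go` file in that directory is left out and the build fails with undefined symbols as soon as the command grows beyond one file; `go build -o {{ .Name }} ./cmd/{{ .Name }}` builds the whole package and also honours build tags. The root justfile at the end of this commit uses the same `./cmd/build-configs/main.go` form and should change with it.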
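Review bot: In the generated terraform-module workflow the `check` job reads `secrets.CACHIX_AUTH_TOKEN` while the `package` job in the same file reads `secrets.ALTF4LLC_CACHIX_AUTH_TOKEN`, so a consuming repository that defines only one of the two names will run one job with an empty cachix token; the terraform template's workflow uses `ALTF4LLC_CACHIX_AUTH_TOKEN` throughout, so the `check` job should read `authToken: ${{"{{"}} secrets.ALTF4LLC_CACHIX_AUTH_TOKEN {{"}}"}}`. Hard-coding an organisation-specific secret name into a template is itself worth a parameter, since every generated repository inherits it. `cachix/install-nix-action@v27` and `cachix/cachix-action@v15` are pinned to mutable tags here; for a template that fans out to many repositories a commit-SHA pin with the tag in a trailing comment is the safer form.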
diff --git a/internal/templates/templates/terraform-module/.gitignore b/internal/templates/templates/terraform-module/.gitignore
new file mode 100644
index 0000000..7f9219f
--- /dev/null
+++ b/internal/templates/templates/terraform-module/.gitignore
@@ -0,0 +1,38 @@
+.direnv
+*.tfplan
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+.terraform.lock.hcl
diff --git a/internal/templates/templates/terraform-module/flake.nix b/internal/templates/templates/terraform-module/flake.nix
new file mode 100644
index 0000000..d49f0f2
--- /dev/null
+++ b/internal/templates/templates/terraform-module/flake.nix
@@ -0,0 +1,54 @@
+{
+ inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+
+ outputs = inputs @ {
+ flake-parts,
+ nixpkgs,
+ ...
+ }:
+ flake-parts.lib.mkFlake {inherit inputs;} {
+ systems = ["x86_64-linux" "aarch64-linux" "aarch64-darwin" "x86_64-darwin"];
+
+ perSystem = {
+ config,
+ pkgs,
+ system,
+ ...
+ }: let
+ inherit (pkgs) just mkShell terraform-docs;
+ terraform = pkgs.terraform.withPlugins (ps: [
+ {{- range $p := .Providers }}
+ ps.{{ $p }}
+ {{- end }}
+ ]);
+ in {
+ _module.args.pkgs = import nixpkgs {
+ inherit system;
+ config.allowUnfree = true;
+ };
+
+ devShells = {
+ default = mkShell {
+ inputsFrom = [config.packages.default];
+ nativeBuildInputs = [
+ just
+ terraform-docs
+ ];
+ };
+ };
+
+ packages = {
+ default =
+ pkgs.runCommand "default"
+ {
+ src = ./.;
+ } ''
+ mkdir -p $out
+ cp -R $src/*.tf $out
+ ${terraform}/bin/terraform -chdir="$out" init
+ ${terraform}/bin/terraform -chdir="$out" validate
+ '';
+ };
+ };
+ };
+}
diff --git a/internal/templates/templates/terraform-module/justfile b/internal/templates/templates/terraform-module/justfile
new file mode 100644
index 0000000..3cd8c53
--- /dev/null
+++ b/internal/templates/templates/terraform-module/justfile
@@ -0,0 +1,19 @@
+_default:
+ just --list
+
+check:
+ nix flake check
+
+docs:
+ terraform-docs markdown table \
+ --output-file README.md \
+ --output-mode inject .
+
+init:
+ terraform init
+
+package:
+ nix build --json --no-link --print-build-logs .
+
+validate:
+ terraform validate
diff --git a/internal/templates/templates/terraform/.github__workflows__terraform.yaml b/internal/templates/templates/terraform/.github__workflows__terraform.yaml
new file mode 100644
index 0000000..330a946
--- /dev/null
+++ b/internal/templates/templates/terraform/.github__workflows__terraform.yaml
@@ -0,0 +1,98 @@
+name: terraform
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+ {{- if .Schedule }}
+ schedule:
+ - cron: "{{ .Schedule }}"
+ {{- end }}
+ workflow_dispatch:
+
+env:
+ CACHIX_BINARY_CACHE: {{ .Nix.Cachix.BinaryCache }}
+
+jobs:
+ check:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: cachix/install-nix-action@v27
+ with:
+ nix_path: nixpkgs=channel:nixos-unstable
+ - uses: cachix/cachix-action@v15
+ with:
+ authToken: ${{"{{"}} secrets.ALTF4LLC_CACHIX_AUTH_TOKEN {{"}}"}}
+ name: ${{"{{"}} env.CACHIX_BINARY_CACHE {{"}}"}}
+ - uses: actions/checkout@v4
+ - run: nix develop -c just check
+
+ plan:
+ concurrency:
+ cancel-in-progress: false
+ group: tf-lock
+ env:
+ TF_VAR_PLATFORM_DIRECTORY_TOKEN: ${{"{{"}} secrets.TF_VAR_PLATFORM_DIRECTORY_TOKEN {{"}}"}}
+ needs: check
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: cachix/install-nix-action@v27
+ with:
+ nix_path: nixpkgs=channel:nixos-unstable
+ - uses: cachix/cachix-action@v15
+ with:
+ authToken: ${{"{{"}} secrets.ALTF4LLC_CACHIX_AUTH_TOKEN {{"}}"}}
+ name: ${{"{{"}} env.CACHIX_BINARY_CACHE {{"}}"}}
+ - uses: aws-actions/configure-aws-credentials@v4
+ with:
+ audience: sts.amazonaws.com
+ aws-region: us-west-2
+ role-to-assume: {{ .Role.PlanARN }}
+ - run: aws sts get-caller-identity
+ - uses: actions/checkout@v4
+ - run: nix develop -c just init
+ - run: nix develop -c just validate
+ - run: nix develop -c just plan
+ - uses: actions/upload-artifact@v4
+ with:
+ name: tf-plan
+ path: terraform.tfplan
+
+ apply:
+ concurrency:
+ group: tf-lock
+ cancel-in-progress: false
+ environment:
+ name: prod
+ env:
+ TF_VAR_PACKER_SSH_PUBLIC_KEY: ${{"{{"}} secrets.TF_VAR_PACKER_SSH_PUBLIC_KEY {{"}}"}}
+ if: github.ref == 'refs/heads/main'
+ needs: plan
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: cachix/install-nix-action@v27
+ with:
+ nix_path: nixpkgs=channel:nixos-unstable
+ - uses: cachix/cachix-action@v15
+ with:
+ authToken: ${{"{{"}} secrets.ALTF4LLC_CACHIX_AUTH_TOKEN {{"}}"}}
+ name: ${{"{{"}} env.CACHIX_BINARY_CACHE {{"}}"}}
+ - uses: aws-actions/configure-aws-credentials@v4
+ with:
+ audience: sts.amazonaws.com
+ aws-region: us-west-2
+ role-to-assume: {{ .Role.ApplyARN }}
+ - run: aws sts get-caller-identity
+ - uses: actions/checkout@v4
+ - uses: actions/download-artifact@v4
+ with:
+ name: tf-plan
+ - run: nix develop -c just init
+ - run: nix develop -c just apply
diff --git a/internal/templates/templates/terraform/.gitignore b/internal/templates/templates/terraform/.gitignore
new file mode 100644
index 0000000..7f9219f
--- /dev/null
+++ b/internal/templates/templates/terraform/.gitignore
@@ -0,0 +1,38 @@
+.direnv
+*.tfplan
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+.terraform.lock.hcl
diff --git a/internal/templates/templates/terraform/flake.nix b/internal/templates/templates/terraform/flake.nix
new file mode 100644
index 0000000..6259b93
--- /dev/null
+++ b/internal/templates/templates/terraform/flake.nix
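Review bot: `aws-region: us-west-2` is hard-coded in both the `plan` and `apply` jobs of the generated terraform workflow even though `TerraformConfig` in this commit carries a `Region` field defaulting to that same value, so a `region` parameter changes nothing in the rendered file; both steps should read `aws-region: {{ .Region }}`. The `plan` job uploads `terraform.tfplan` as an artifact, and a saved plan can carry the values of input variables in cleartext, including anything supplied through `TF_VAR_PLATFORM_DIRECTORY_TOKEN`, while workflow artifacts are downloadable by anyone with read access to the repository; either keep such secrets out of Terraform variables (provider credentials via the environment) or at least shorten exposure with `retention-days: 1` on the upload step and treat the template as private-repository-only. The job-level `env` blocks also bake two organisation-specific secret names (`TF_VAR_PLATFORM_DIRECTORY_TOKEN`, `TF_VAR_PACKER_SSH_PUBLIC_KEY`) into a generic template; they belong in a parameter or in the consuming repository rather than in every generated workflow.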
@@ -0,0 +1,38 @@
+{
+ inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+
+ outputs = inputs @ {
+ flake-parts,
+ nixpkgs,
+ ...
+ }:
+ flake-parts.lib.mkFlake {inherit inputs;} {
+ systems = ["x86_64-linux" "aarch64-linux" "aarch64-darwin" "x86_64-darwin"];
+
+ perSystem = {
+ config,
+ pkgs,
+ system,
+ ...
+ }: {
+ _module.args.pkgs = import nixpkgs {
+ inherit system;
+ config.allowUnfree = true;
+ };
+
+ devShells = {
+ default = pkgs.mkShell {
+ nativeBuildInputs = with pkgs; [
+ just
+ (pkgs.terraform.withPlugins (ps: [
+ {{- range $p := .Providers }}
+ ps.{{ $p }}
+ {{- end }}
+ ]))
+ terraform-docs
+ ];
+ };
+ };
+ };
+ };
+}
diff --git a/internal/templates/templates/terraform/justfile b/internal/templates/templates/terraform/justfile
new file mode 100644
index 0000000..5fd316c
--- /dev/null
+++ b/internal/templates/templates/terraform/justfile
@@ -0,0 +1,23 @@
+check:
+ nix flake check
+ terraform fmt -check
+
+docs:
+ terraform-docs markdown table \
+ --output-file README.md \
+ --output-mode inject .
+
+format:
+ terraform fmt -recursive
+
+init:
+ terraform init
+
+validate:
+ terraform validate
+
+plan:
+ terraform plan -out "terraform.tfplan"
+
+apply:
+ terraform apply "terraform.tfplan"
diff --git a/justfile b/justfile
index a9a415d..29b8071 100644
--- a/justfile
+++ b/justfile
@@ -1,11 +1,14 @@
-build profile='default':
+build:
+ go build -o build-configs ./cmd/build-configs/main.go
+
+check:
+ nix flake check
+
+package profile='default':
 nix build \
 --json \
 --no-link \
 --print-build-logs \
 '.#{{ profile }}'
 
-build-docker: (build 'docker')
-
-check:
- nix flake check
+package-docker: (package 'docker')
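Review bot: The dev shell in the terraform flake.nix template writes `nativeBuildInputs = with pkgs; [ … (pkgs.terraform.withPlugins …) … ]`, mixing a `with pkgs;` scope with an explicit `pkgs.` prefix on the same list, which makes it unclear whether `just` and `terraform-docs` are meant to come from the same attribute set. The terraform-module template in this commit binds the wrapped terraform in a `let` (`terraform = pkgs.terraform.withPlugins (ps: [ … ]);`) and uses `inherit (pkgs) just terraform-docs;` instead of `with`; the same shape here would keep the two templates consistent and make every name's origin explicit.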