feat: setup repo skeleton (#151)

.github/workflows/release.yaml

@@ -0,0 +1,126 @@
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: write
+  pull-requests: write
+
+name: release
+
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    outputs:
+      release: ${{ toJson(steps.release-please.outputs) }}
+      releases_created: ${{ steps.release-please.outputs.releases_created }}
+    steps:
+      - name: Create Github App Token for Release Please
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.RELEASE_PLEASE_GH_APP_ID }}
+          private-key: ${{ secrets.RELEASE_PLEASE_GH_APP_PRIVATE_KEY }}
+
+      - uses: google-github-actions/release-please-action@v4
+        id: release-please
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          config-file: release-please-config.json
+          manifest-file: .release-please-manifest.json
+
+  upload-artifact:
+    if: ${{ needs.release-please.outputs.releases_created }}
+    needs:
+      - release-please
+    strategy:
+      matrix:
+        released_path: ${{ fromJson(fromJson(needs.release-please.outputs.release).paths_released) }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ needs.release-please.outputs.release.tag_name }}
+          fetch-depth: 1
+
+      - name: Extract info from release
+        id: info
+        run: |
+          tag_name='${{ fromJson(needs.release-please.outputs.release)[format('{0}--tag_name', matrix.released_path)] }}'
+          echo "tag_name=$tag_name" >> "$GITHUB_OUTPUT"
+
+          artifact_path='${{ fromJson(needs.release-please.outputs.release)[format('{0}--tag_name', matrix.released_path)] }}.zip'
+          echo "artifact_path=$artifact_path" >> "$GITHUB_OUTPUT"
+
+      - name: Package artifact
+        working-directory: ${{ matrix.released_path }}
+        run: |
+          zip -r ../../${{ steps.info.outputs.artifact_path }} .
+
+      - name: Upload artifact
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh release upload ${{ steps.info.outputs.tag_name }} ${{ steps.info.outputs.artifact_path }}
+
+  create-module-tag:
+    if: ${{ needs.release-please.outputs.releases_created }}
+    needs:
+      - release-please
+    strategy:
+      matrix:
+        released_path: ${{ fromJson(fromJson(needs.release-please.outputs.release).paths_released) }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        id: checkout
+        with:
+          ref: ${{ needs.release-please.outputs.release.tag_name }}
+          fetch-depth: 0
+
+      - name: Extract info from release
+        id: info
+        run: |
+          tag_name='${{ fromJson(needs.release-please.outputs.release)[format('{0}--tag_name', matrix.released_path)] }}'
+          echo "tag_name=$tag_name" >> "$GITHUB_OUTPUT"
+
+          component_name=$(cat release-please-config.json | jq '.packages."${{ matrix.released_path }}".component' -r)
+          echo "component_name=$component_name" >> "$GITHUB_OUTPUT"
+
+          major='${{ fromJson(needs.release-please.outputs.release)[format('{0}--major', matrix.released_path)] }}'
+          echo "major=$major" >> "$GITHUB_OUTPUT"
+
+          minor='${{ fromJson(needs.release-please.outputs.release)[format('{0}--minor', matrix.released_path)] }}'
+          echo "minor=$minor" >> "$GITHUB_OUTPUT"
+
+          patch='${{ fromJson(needs.release-please.outputs.release)[format('{0}--patch', matrix.released_path)] }}'
+          echo "patch=$patch" >> "$GITHUB_OUTPUT"
+
+      - name: Checkout repo as orphan branch
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ needs.release-please.outputs.release.tag_name }}
+          fetch-depth: 0
+          path: "orphan"
+
+      - name: Create orphan commit and separate version tags
+        working-directory: "orphan"
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git checkout --orphan orphan/${{ github.sha }}
+          git rm -rf .
+          cp -r --copy-contents ../${{ matrix.released_path }}/* .
+          git add .
+          git commit \
+            -m 'chore: release module ${{ steps.info.tag_name }}' \
+            -m 'Original-Commit-Sha: ${{ github.sha }}'
+          git tag -f module/${{ steps.info.outputs.component_name }}/v${{ steps.info.outputs.major}}
+          git tag -f module/${{ steps.info.outputs.component_name }}/v${{ steps.info.outputs.major}}.${{ steps.info.outputs.minor }}
+          git tag -f module/${{ steps.info.outputs.component_name }}/v${{ steps.info.outputs.major}}.${{ steps.info.outputs.minor }}.${{ steps.info.outputs.patch }}
+          git push -f origin module/${{ steps.info.outputs.component_name }}/v${{ steps.info.outputs.major}}
+          git push -f origin module/${{ steps.info.outputs.component_name }}/v${{ steps.info.outputs.major}}.${{ steps.info.outputs.minor }}
+          git push -f origin module/${{ steps.info.outputs.component_name }}/v${{ steps.info.outputs.major}}.${{ steps.info.outputs.minor }}.${{ steps.info.outputs.patch }}

.gitignore

@@ -1,22 +1,15 @@
-### TERRAFORM
+### Terraform
+
 # Local .terraform directories
 **/.terraform/*
 
-# Terraform lockfile
-.terraform.lock.hcl
-
 # .tfstate files
 *.tfstate
 *.tfstate.*
 
 # Crash log files
 crash.log
-
-# Exclude all .tfvars files, which are likely to contain sentitive data, such as
-# password, private keys, and other secrets. These should not be part of version
-# control as they are data points which are potentially sensitive and subject
-# to change depending on the environment.
-*.tfvars
+crash.*.log
 
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in
@@ -29,11 +22,55 @@ override.tf.json
 .terraformrc
 terraform.rc
 
-### EDITORS
-.idea/
-.vscode/
-
-### OS
+### MacOS
 
-# macOS
+# General
 .DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### Windows
+
+# Windows thumbnail cache files
+Thumbs.db
+Thumbs.db:encryptable
+ehthumbs.db
+ehthumbs_vista.db
+
+# Dump file
+*.stackdump
+
+# Folder config file
+[Dd]esktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Windows Installer files
+*.cab
+*.msi
+*.msix
+*.msm
+*.msp
+
+# Windows shortcuts
+*.lnk

.pre-commit-config.yaml

@@ -1,21 +1,19 @@
 repos:
-  # pre-commit hook to verify commit messages are conventional commit compliant
-  - repo: https://github.com/commitizen-tools/commitizen
-    rev: v3.2.1
-    hooks:
-      - id: commitizen
-        stages: [commit-msg]
-
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v4.4.0
     hooks:
-      - id: detect-aws-credentials
-      - id: detect-private-key
       - id: trailing-whitespace
+      - id: check-yaml
+      - id: check-added-large-files
 
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.79.1
+    rev: v1.89.1
     hooks:
-      - id: terrascan
-      - id: terraform_tfsec
+      - id: terraform_fmt
+      - id: terragrunt_fmt
+      # per module tflint config
+      - id: terraform_tflint
+      # global tflint config
       - id: terraform_tflint
+        args:
+          - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl

.release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+  "metadata": "0.0.0"
+}

.tflint.hcl

@@ -0,0 +1,4 @@
+plugin "terraform" {
+  enabled = true
+  preset  = "recommended"
+}