Initial commit

Author: jamesiarmes

.cz.yaml

@@ -0,0 +1,7 @@
+---
+commitizen:
+  changelog_incremental: true
+  name: cz_conventional_commits
+  update_changelog_on_bump: true
+  version: 0.1.0
+  version_scheme: semver2

.editorconfig

@@ -0,0 +1,9 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 2
+indent_style = space
+insert_final_newline = true
+trim_trailing_whitespace = true

.github/workflows/codeql.yaml

@@ -0,0 +1,39 @@
+name: CodeQL
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  schedule:
+    - cron: '45 13 * * *'
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: actions
+            build_mode: none
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: "/language:${{matrix.language}}"

.github/workflows/release.yaml

@@ -0,0 +1,106 @@
+name: Release New Version
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+
+jobs:
+  # Builds a new release for the module by bumping the version number and
+  # generating a changelog entry. Commit the changes and open a pull request.
+  build-release:
+    name: Build new release
+    runs-on: ubuntu-latest
+    if: ${{ !startsWith(github.event.head_commit.message, 'bump:') }}
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - name: Bump version and create changelog
+        id: bump
+        uses: commitizen-tools/commitizen-action@0.27.0
+        with:
+          push: false
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          git_redirect_stderr: true
+      - name: Get the commit message
+        id: message
+        run: |
+          MESSAGE=$(git log --format=%B -n 1)
+          echo "message=${MESSAGE}" >> $GITHUB_OUTPUT
+      - name: Open a pull request for the release
+        uses: peter-evans/create-pull-request@v8
+        with:
+          branch: release-${{ steps.bump.outputs.version }}
+          title: ${{ steps.message.outputs.message }}
+
+  # Creates a new tag and GitHub release for the module.
+  release:
+    name: Release module
+    runs-on: ubuntu-latest
+    if: startsWith(github.event.head_commit.message, 'bump:')
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v6
+      - name: Get the module name
+        id: module_name
+        run: |
+          REPO_NAME="${{ github.event.repository.name }}"
+          REPO_NAME="${REPO_NAME/tofu-modules-/}"
+          MODULE_NAME="${REPO_NAME//-/_}"
+          echo "name=${MODULE_NAME}" >> $GITHUB_OUTPUT
+      - name: Get the version from the commit message
+        id: version
+        uses: actions/github-script@v8
+        env:
+          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+        with:
+          result-encoding: string
+          # Look for the last version number, expecting it to be in the format:
+          # `#.#.#-<suffix>.#` where the suffix is optional.
+          script: |
+            const message = process.env.COMMIT_MESSAGE;
+            const regex = /^bump:.+(?<version>\d+\.\d+\.\d+[\da-z.-]*) \(#\d+\)$/m;
+            const version = message.match(regex).groups.version;
+            console.log(version);
+            return version;
+      - name: Bundle the module
+        # We create an empty file first, so that tar doesn't complain about the
+        # contents changing while it's running.
+        run: |
+          touch '${{ steps.module_name.outputs.name }}-${{ steps.version.outputs.result }}.tar.gz'
+          tar \
+            --exclude='.git' \
+            --exclude='.gitignore' \
+            --exclude='.github' \
+            --exclude='.cz.yaml' \
+            --exclude='*.tar.gz' \
+            --exclude='*.tfvars' \
+            --exclude='release.md' \
+            --exclude='CODEOWNERS' \
+            --exclude='trivy.yaml' \
+            --exclude='*.env' \
+            -czf '${{ steps.module_name.outputs.name }}-${{ steps.version.outputs.result }}.tar.gz' \
+            .
+      - name: Get changelog entry
+        id: changelog
+        uses: artlaman/conventional-changelog-reader-action@v1.1.0
+        with:
+          version: ${{ steps.version.outputs.result }}
+      - name: Create release
+        uses: softprops/action-gh-release@v2
+        with:
+          body: |
+            ## ${{ steps.changelog.outputs.version }} (${{ steps.changelog.outputs.date }})
+
+            ${{ steps.changelog.outputs.changes }}
+          tag_name: ${{ steps.version.outputs.result }}
+          files: |
+            ${{ steps.module_name.outputs.name }}-${{ steps.version.outputs.result }}.tar.gz

.github/workflows/tflint.yaml

@@ -0,0 +1,53 @@
+name: TFLint Checks
+
+on:
+  push:
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    env:
+      # Required to avoid rate limiting when downloading plugins.
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v6
+      - name: Cache plugin directory
+        uses: actions/cache@v5
+        with:
+          path: ~/.tflint.d/plugins
+          key: tflint-${{ hashFiles('.tflint.hcl') }}
+      - uses: terraform-linters/setup-tflint@v6
+        name: Setup TFLint
+      - name: Show version
+        run: tflint --version
+      - name: Init TFLint
+        run: tflint --init
+      - name: Run TFLint
+        # Run TFLint, outputting the results to a SARIF file. We use `tee` so
+        # that we can still see the output in the logs, and capture the exit
+        # code properly with `pipefail`.
+        run: |
+          set -o pipefail
+          tflint --format sarif --recursive \
+            --config "$GITHUB_WORKSPACE/.tflint.hcl" \
+            | tee tflint-results.sarif
+          exit "${PIPESTATUS[0]}"
+      - name: Parse SARIF file for annotations
+        if: always()
+        uses: jontyms/sarif-annotations@v0.0.3
+        with:
+          annotation-level: notice
+          sarif-file: tflint-results.sarif
+      - name: Upload SARIF result
+        if: always()
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: tflint-results.sarif

.github/workflows/trivy.yaml

@@ -0,0 +1,36 @@
+name: Trivy Analysis
+
+on:
+  push:
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  trivy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v6
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          format: sarif
+          output: trivy-results.sarif
+          scan-type: config
+          trivy-config: trivy.yaml
+      - name: Parse SARIF file for annotations
+        if: always()
+        uses: jontyms/sarif-annotations@v0.0.3
+        with:
+          annotation-level: notice
+          sarif-file: trivy-results.sarif
+      - name: Upload SARIF result
+        if: always()
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: trivy-results.sarif

.gitignore

@@ -0,0 +1,39 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+.env
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Ignore the plan output of command: terraform plan -out=tfplan
+*tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+# Ignore release artifacts
+release.md
+/*.tar.gz

.tflint.hcl

@@ -0,0 +1,20 @@
+# Uncomment if your module uses the aws provider.
+# plugin "aws" {
+#   enabled = true
+#   version = "0.37.0"
+#   source  = "github.com/terraform-linters/tflint-ruleset-aws"
+# }
+
+plugin "terraform" {
+  preset = "all"
+  enabled = true
+}
+
+# TFLint doesn't understand the provider for_each syntax introduced with
+# OpenTofu 1.9, so we need to disable these rules so it doesn't error out.
+rule "terraform_required_providers" {
+  enabled = false
+}
+rule "terraform_unused_required_providers" {
+  enabled = false
+}

CHANGELOG.md

@@ -0,0 +1,11 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to
+[Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## Unreleased
+
+Initial release.

CODEOWNERS

@@ -0,0 +1 @@
+* @codeforamerica/devops