chore: sync with template

.coderabbit.yaml

@@ -7,6 +7,7 @@ language: en
 tone_instructions: |
   Provide feedback in a professional, friendly, constructive, and concise tone.
   Offer clear, specific suggestions and best practices to help enhance the code quality and promote learning.
+  Be concise and only comment on significant issues.
 
 early_access: true
 
@@ -26,21 +27,25 @@ knowledge_base:
 reviews:
   profile: chill
   auto_review:
-    # Ignore reviewing if the title of the pull request contains any of these keywords (case-insensitive)
+    # Disable incremental code review on each push
+    auto_incremental_review: false
+    # The keywords are case-insensitive
     ignore_title_keywords:
       - wip
       - draft
       - test
-  # Set the commit status to 'pending' when the review is in progress and 'success' when it is complete.
   commit_status: false
-  # Post review details on each review. Additionally, post a review status when a review is skipped in certain cases.
-  review_status: false
   path_instructions:
     - path: "**/*.tf"
       instructions: |
         You're a Terraform expert who has thoroughly studied all the documentation from Hashicorp https://developer.hashicorp.com/terraform/docs and OpenTofu https://opentofu.org/docs/.
         You have a strong grasp of Terraform syntax and prioritize providing accurate and insightful code suggestions.
         As a fan of the Cloud Posse / SweetOps ecosystem, you incorporate many of their best practices https://docs.cloudposse.com/best-practices/terraform/ while balancing them with general Terraform guidelines.
+  changed_files_summary: false
+  poem: false
+  # Don't post review details on each review.
+  review_status: false
+  sequence_diagrams: false
   tools:
     # By default, all tools are enabled.
     # Masterpoint uses Trunk (https://trunk.io) so we do not need a lot of this feedback due to overlap.

.editorconfig

@@ -7,19 +7,8 @@ indent_style = space
 insert_final_newline = true
 trim_trailing_whitespace = true
 
-[*.{tf,tfvars}]
-indent_size = 2
-indent_style = space
-
 [*.md]
 max_line_length = 0
-trim_trailing_whitespace = false
-
-# Override for Makefile
-[{Makefile, makefile, GNUmakefile, Makefile.*}]
-tab_width = 2
-indent_style = tab
-indent_size = 4
 
 [COMMIT_EDITMSG]
 max_line_length = 0

.github/CODEOWNERS

@@ -4,4 +4,4 @@
 # Order is important: the last matching pattern takes the most precedence
 
 # These owners will be the default owners for everything
-*             @masterpointio/masterpoint-internal
+*             @masterpointio/masterpoint-open-source

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,13 +1,15 @@
 ## what
-* Describe high-level what changed as a result of these commits (i.e. in plain-english, what do these changes mean?)
-* Use bullet points to be concise and to the point.
+
+- Describe high-level what changed as a result of these commits (i.e. in plain-english, what do these changes mean?)
+- Use bullet points to be concise and to the point.
 
 ## why
-* Provide the justifications for the changes (e.g. business case). 
-* Describe why these changes were made (e.g. why do these commits fix the problem?)
-* Use bullet points to be concise and to the point.
+
+- Provide the justifications for the changes (e.g. business case).
+- Describe why these changes were made (e.g. why do these commits fix the problem?)
+- Use bullet points to be concise and to the point.
 
 ## references
-* Link to any supporting github issues or helpful documentation to add some context (e.g. stackoverflow). 
-* Use `closes #123`, if this PR closes a GitHub issue `#123`
 
+- Link to any supporting GitHub issues or helpful documentation to add some context (e.g. Stackoverflow).
+- Use `closes #123`, if this PR closes a GitHub issue `#123`

.github/renovate.json5

@@ -0,0 +1,56 @@
+{
+  "extends": [
+    "config:best-practices",
+    "github>aquaproj/aqua-renovate-config#2.7.5"
+  ],
+  "schedule": [
+    "after 9am on the first day of the month"
+  ],
+  "assigneesFromCodeOwners": true,
+  "dependencyDashboardAutoclose": true,
+  "addLabels": [
+    "auto-upgrade"
+  ],
+  "enabledManagers": [
+    "terraform"
+  ],
+  "terraform": {
+    "ignorePaths": [
+      "**/context.tf" // Mixin file https://github.com/cloudposse/terraform-null-label/blob/main/exports/context.tf
+    ],
+    "fileMatch": [
+      "\\.tf$",
+      "\\.tofu$"
+    ]
+  },
+  "packageRules": [
+    {
+      "matchDepTypes": [
+        "optionalDependencies"
+      ],
+      // Allow auto merge if it's not a major version update
+      "matchUpdateTypes": [
+        "minor",
+        "patch",
+        "pin",
+        "digest"
+      ],
+      "automerge": true
+    },
+    {
+      "matchFileNames": ["**/*.tofu", "**/*.tf"],
+      "matchDatasources": ["terraform-provider", "terraform-module"],
+      "registryUrls": ["https://registry.opentofu.org"]
+    },
+    {
+      "matchFileNames": ["**/*.tofu"],
+      "matchDepTypes": ["required_version"],
+      "registryUrls": ["https://registry.opentofu.org"]
+    },
+    {
+      "matchFileNames": ["**/*.tf"],
+      "matchDepTypes": ["required_version"],
+      "registryUrls": ["https://registry.terraform.io"]
+    }
+  ]
+}

.github/workflows/lint.yaml

@@ -1,9 +1,5 @@
 name: Lint
 
-concurrency:
-  group: lint-${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 on: pull_request
 
 permissions:
@@ -13,17 +9,10 @@ permissions:
   pull-requests: read
 
 jobs:
-  trunk-check:
+  lint:
     runs-on: ubuntu-latest
     steps:
       - name: Check out Git repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
       - name: Trunk Check
-        uses: trunk-io/trunk-action@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19
-
-  conventional-title:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        uses: trunk-io/trunk-action@4d5ecc89b2691705fd08c747c78652d2fc806a94 #v1.1.19

.github/workflows/release-please.yaml

@@ -8,11 +8,12 @@ on:
 permissions:
   contents: write
   pull-requests: write
+  issues: write
 
 jobs:
   release-please:
     runs-on: ubuntu-latest
     steps:
-      - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3
+      - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f #v4.1.3
         with:
           release-type: terraform-module

.github/workflows/test.yaml

@@ -0,0 +1,69 @@
+name: TF Test
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  actions: read
+  checks: write
+  contents: read
+  id-token: write
+  pull-requests: read
+
+env:
+  AWS_REGION: us-east-1
+
+jobs:
+  tf-test:
+    name: 🧪 ${{ matrix.tf }} test
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        tf: [tofu, terraform]
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Aqua Cache
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        if: ${{ !github.event.act }} # Don't enable the cache step if we're using act for testing
+        with:
+          path: ~/.local/share/aquaproj-aqua
+          key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('aqua.yaml')}}
+          restore-keys: |
+            v1-aqua-installer-${{runner.os}}-${{runner.arch}}-
+
+      - name: Install Aqua
+        uses: aquaproj/aqua-installer@5e54e5cee8a95ee2ce7c04cb993da6dfad13e59c # v3.2.1
+        with:
+          aqua_version: v2.48.1
+
+      - name: Aqua Install
+        shell: bash
+        run: aqua install --tags ${{ matrix.tf }}
+
+      - name: Check if TF AWS provider is used
+        id: check_aws_provider
+        run: |
+          if grep -q "aws" $(find . -name "versions.tf" -o -name "versions.tofu" -type f); then
+            echo "Found aws in versions.tf or versions.tofu files"
+            echo "contains_hashicorp=true" >> $GITHUB_OUTPUT
+          else
+            echo "No versions.tf or versions.tofu files contain aws"
+            echo "contains_hashicorp=false" >> $GITHUB_OUTPUT
+          fi
+
+      # Assume into the `masterpoint-testing` AWS account with OIDC for testing ONLY if the AWS provider is used
+      # Not needed for modules that don't use the AWS provider, for example, exclusive Spacelift modules
+      - name: Configure AWS Credentials on `masterpoint-testing` AWS Account
+        if: steps.check_aws_provider.outputs.contains_hashicorp == 'true'
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        with:
+          role-to-assume: arn:aws:iam::115843287071:role/mp-ue1-testing-oidc-github
+          role-session-name: GitHubActionsOIDC-MP-Infra-Repo
+          aws-region: ${{ env.AWS_REGION }}
+
+      - run: ${{ matrix.tf }} init
+      - run: ${{ matrix.tf }} test

.github/workflows/trunk-upgrade.yaml

@@ -1,25 +1,34 @@
-name: Monthly Trunk Upgrade
+name: Trunk Upgrade
+
 on:
   schedule:
     # On the first day of every month @ 8am
     - cron: 0 8 1 * *
-    # Allows us to manually run the workflow from Actions UI
   workflow_dispatch: {}
+
 permissions: read-all
+
 jobs:
-  trunk_upgrade:
-    name: Upgrade Trunk
+  trunk-upgrade:
     runs-on: ubuntu-latest
     permissions:
-      contents: write # For trunk to create PRs
-      pull-requests: write # For trunk to create PRs
+      # For trunk to create PRs
+      contents: write
+      pull-requests: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Create Token for MasterpointBot App
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0
+        id: generate-token
+        with:
+          app_id: ${{ secrets.MP_BOT_APP_ID }}
+          private_key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
 
-      - name: Trunk Upgrade
+      - name: Upgrade
         uses: trunk-io/trunk-action/upgrade@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19
         with:
-          base: main
+          github-token: ${{ steps.generate-token.outputs.token }}
           reviewers: "@masterpointio/masterpoint-internal"
           prefix: "chore: "

.gitignore

@@ -1,39 +1,46 @@
-# Local .terraform directories
-**/.terraform/*
+# Ignore override files as they are usually used to override resources locally
+*override.tf
+*override.tf.json
 
 # .tfstate files
 *.tfstate
 *.tfstate.*
 
-# Crash log files
-crash.log
-
-# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
-# .tfvars files are managed as part of configuration and so should be included in
-# version control.
-#
-# example.tfvars
-
-# Ignore override files as they are usually used to override resources locally and so
-# are not checked in
-override.tf
-override.tf.json
-*_override.tf
-*_override.tf.json
-
-# Include override files you do wish to add to version control using negated pattern
-#
-# !example_override.tf
-
-# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
-# example: *tfplan*
-*.plan
-
-# Ignore IntelliJ configuration
-/.idea/
+# Local .terraform directories
+**/.terraform/*
 
-# Ignore lock files
+# Ignore the root .terraform.lock.hcl file (Child modules don't want this)
 .terraform.lock.hcl
-
-# Random
-*.DS_Store
+!examples/**/.terraform.lock.hcl
+
+# IDE/Editor settings
+**/.idea
+**/*.iml
+.vscode/
+*.orig
+*.draft
+*~
+
+# Build Harness https://github.com/cloudposse/build-harness
+**/.build-harness
+**/build-harness
+
+# Log files
+*.log
+
+# Output from other tools that might be used alongside Terraform/OpenTofu
+*.tfvars.json
+backend.tf.json
+
+# Taskit files
+.taskit/
+.task/
+.env.taskit-secrets
+
+# Other
+**/*.backup
+***/*.tmp
+**/*.temp
+**/*.bak
+**/*.*swp
+**/.DS_Store