1 | 1 | inheritance: true |
| 2 | + |
| 3 | +knowledge_base: |
| 4 | + code_guidelines: |
| 5 | + filePatterns: |
| 6 | + - "developer-docs/**" |
| 7 | + |
2 | 8 | reviews: |
3 | 9 | path_filters: |
4 | 10 | - "!**/.terraform/**" |
5 | 11 | - "!**/terraform.tfstate*" |
6 | 12 |
|
7 | | - path_instructions: |
8 | | - - path: "**/*.tf" |
9 | | - instructions: | |
10 | | - **ROSA HCP only** — not ROSA Classic (see terraform-rhcs-rosa-classic). |
11 | | - **rhcs** registry schemas are authoritative; do not invent attributes. |
12 | | - Root **versions.tf** sets minimum **rhcs** / **aws** / other providers |
13 | | - for the **entire** tree; raise root when any submodule raises a floor. |
14 | | - AWS-only work must match **Module scope** in |
15 | | - .cursor/rules/rosa-hcp-terraform.mdc. Variables: snake_case; |
16 | | - **sensitive** on secrets; no long-lived keys in HCL. Finer points |
17 | | - (validation, import-safe count/for_each): see **AGENTS.md** and |
18 | | - .cursor/rules. |
19 | | -
|
20 | | - - path: "modules/**" |
21 | | - instructions: | |
22 | | - Submodule changes affect root, **examples/**, and downstream users. |
23 | | -
|
24 | | - 1. **Breaking changes:** No silent renames/retypes of variables or |
25 | | - outputs; migration plan or explicit PR callout (AGENTS.md). |
26 | | -
|
27 | | - 2. **Provider floor:** **required_providers** changes → update root |
28 | | - **versions.tf** for the whole module tree. |
29 | | -
|
30 | | - 3. **IAM / STS / OIDC / IRSA:** Least privilege; link non-obvious |
31 | | - cross-account or shared-VPC patterns to official ROSA HCP docs. |
32 | | -
|
33 | | - 4. **Ordering:** IAM/STS eventual consistency — **depends_on** / |
34 | | - waits / preconditions where immediate effect is assumed. |
35 | | -
|
36 | | - 5. **Tests / examples:** Update **modules/*/tests/*.tftest.hcl** and |
37 | | - keep **make verify** green for touched **examples/**. |
38 | | -
|
39 | | - 6. **modules/rosa-cluster-hcp:** **rhcs_cluster_rosa_hcp** (and |
40 | | - related rhcs resources) — match provider docs; document minimum |
41 | | - OpenShift version for version-gated features. |
42 | | -
|
43 | | - 7. **modules/shared-vpc-resources:** RAM, endpoints, IAM trust per |
44 | | - shared VPC docs; prefer narrow bindings over broad IAM. |
45 | | -
|
46 | | - - path: "examples/**/*.tf" |
47 | | - instructions: | |
48 | | - **make verify** (init + validate per example) must stay passing. |
49 | | - No embedded credentials; follow existing auth patterns. |
50 | | -
|
51 | | - - path: "**/*.tftest.hcl" |
52 | | - instructions: | |
53 | | - Per **CONTRIBUTING.md** / **AGENTS.md**: mocks where the repo does; |
54 | | - branch on booleans → cover both outcomes. Tests live under |
55 | | - **modules/<name>/tests/** (see **make unit-tests** / README). |
56 | | -
|
57 | | - - path: "scripts/**" |
58 | | - instructions: | |
59 | | - No secret leakage. Behavior must stay aligned with **CONTRIBUTING.md** |
60 | | - (fmt, terraform-docs, verify-gen, verify). |
61 | | -
|
62 | | - - path: ".github/workflows/**" |
63 | | - instructions: | |
64 | | - CI changes affect every PR: keep **make verify**, lint, and doc |
65 | | - generation behavior consistent with **CONTRIBUTING.md**; avoid |
66 | | - weakening checks without an explicit rationale in the PR. |
67 | 13 | tools: |
68 | 14 | checkov: |
69 | 15 | enabled: true |
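Review bot: the deleted `path_instructions` block was the only place in this file that stated the repository's security conventions for reviewers: no long-lived keys in HCL, `sensitive` on secrets, no embedded credentials in `examples/`, no secret leakage from `scripts/`, least privilege for IAM/STS/OIDC/IRSA, and no weakening of CI checks without an explicit rationale. Removing it leaves `checkov` (still enabled in the trailing context) as the only automated control, and checkov inspects resource configuration; it will not enforce process conventions such as migration callouts for renamed variables, `depends_on` for IAM eventual consistency, or a rationale for weakened workflow checks. Either keep the block until the `developer-docs/**` guidelines demonstrably cover the same points, or cite in the PR the developer-docs sections that replace each of them.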
|