diff --git a/.checkov.yaml b/.checkov.yaml
index 17517ac..28b0676 100644
--- a/.checkov.yaml
+++ b/.checkov.yaml
@@ -10,3 +10,5 @@ quiet: true
 skip-path:
   - .external_modules
   - modules
+  - catalog-info.yml
+baseline: .checkov.baseline
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index a178f2c..737a013 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -6,14 +6,21 @@
 -->
-## Pull Request Submission Checklist
+### Pull Request Submission Checklist
 Please confirm that you have done the following before requesting reviews:
 - [ ] I have confirmed that the PR type is appropriate for the change I am making according to the [Honest Pull Request and Commit Message Naming Conventions](https://www.notion.so/honestbank/Pull-Request-and-Commit-Message-Naming-Conventions-bd97f2cbb34c4c73b1ff3a3e384b850c).
 - [ ] I have typed an adequate description that explains **why** I am making this change.
 - [ ] I have installed and run standard pre-commit hooks that lints and validates my code.
+- [ ] All entities that I am working with are up-to-date in Backstage; if updates are needed, I have linked the relevant PRs. [Backstage guide](https://www.notion.so/honestbank/How-to-Write-a-Backstage-Service-Catalog-Entry-a-catalog-info-yaml-file-21845ff72e404b14aed2ac989fb202cf?pvs=4)
 ### Description
 *
+
+### Experiment Link
+
+
+
+GrowthBook Experiment Link: https://app.growthbook.io/features/
diff --git a/.github/workflows/checkov.yaml b/.github/workflows/checkov.yaml
new file mode 100644
index 0000000..1cbe949
--- /dev/null
+++ b/.github/workflows/checkov.yaml
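Review bot: `baseline: .checkov.baseline` points at a file this commit does not add; the pre-commit hooks in the same commit write a placeholder `{}` baseline locally and delete it again after the run, so the shared checkov workflow in CI will, unless it creates one itself, start with the path configured but the file absent. If checkov treats a missing baseline file as an error rather than as "no baseline", every CI run fails — confirm against the shared workflow, or commit a real, reviewed baseline. Because a baseline silences every finding it lists, a committed `.checkov.baseline` should be reviewed like code; a comment such as `# suppresses previously accepted findings only; regenerate deliberately` above the key would make that explicit.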
@@ -0,0 +1,27 @@
+# yamllint disable rule:line-length
+# Use template from https://github.com/honestbank/workflows/tree/main/examples/repository-workflows
+---
+name: "repository-checkov"
+permissions: read-all
+
+on: # yamllint disable-line rule:truthy
+  pull_request:
+    branches:
+      - test
+      - dev
+      - qa
+      - prod
+      - main
+  push:
+    branches:
+      - test
+      - dev
+      - qa
+      - prod
+      - main
+
+jobs:
+  repository-checkov:
+    name: repository-checkov
+    uses: honestbank/workflows/.github/workflows/shared-checkov.yaml@main
+    secrets: inherit
diff --git a/.github/workflows/semantic-pr.yaml b/.github/workflows/semantic-pr.yaml
index 8b16bae..332f9bd 100644
--- a/.github/workflows/semantic-pr.yaml
+++ b/.github/workflows/semantic-pr.yaml
@@ -1,7 +1,13 @@
-name: "Semantic Pull Request"
+# DO NOT CHANGE. This file is being managed from a central repository
+# To know more simply visit https://github.com/honestbank/.github/blob/main/docs/about.md
+
+# yamllint disable rule:line-length
+# Use template from https://github.com/honestbank/workflows/tree/main/examples/repository-workflows
+---
+name: "repository-semantic-pr"
 permissions: read-all
 
-on:
+on: # yamllint disable-line rule:truthy
   pull_request:
     types:
       - opened
@@ -9,11 +15,7 @@ on:
       - synchronize
 
 jobs:
-  main:
-    name: Semantic Pull Request
-    runs-on: ubuntu-latest
-    steps:
-      - uses: amannn/action-semantic-pull-request@v4
-        name: Semantic Pull Request
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  repository-semantic-pr:
+    name: repository-semantic-pr
+    uses: honestbank/workflows/.github/workflows/shared-semantic-pr.yaml@main
+    secrets: inherit
diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml
new file mode 100644
index 0000000..d0cf4a7
--- /dev/null
+++ b/.github/workflows/terraform.yaml
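Review bot: `secrets: inherit` combined with `uses: honestbank/workflows/.github/workflows/shared-checkov.yaml@main` hands every repository and organization secret to whatever the central `main` branch contains at run time, so any change to that branch gains those secrets on the next pull request or push here. Pin the reusable workflow to a release tag or commit SHA, or pass only the secrets the shared job needs as named entries under `secrets:`; the same pattern is introduced in the `jobs:` hunk of semantic-pr.yaml. semantic-pr.yaml also received the `# DO NOT CHANGE. This file is being managed from a central repository` banner while this file, which its header says comes from the same template, did not — add the banner here too if this file is managed the same way.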
@@ -0,0 +1,38 @@
+name: "Terraform GitHub Action"
+on:
+  pull_request:
+    branches: [test, dev, qa, prod, main]
+env:
+  tf_version: "latest"
+  tf_working_dir: "."
+  TF_WORKSPACE: ${{ github.base_ref }}
+jobs:
+  terraform:
+    name: "terraform"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: "recursive"
+          token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}
+      - name: Set up Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
+      - name: Terraform Format
+        id: fmt
+        run: terraform fmt
+        continue-on-error: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}
+      - name: Terraform Init
+        id: init
+        run: terraform init
+      - name: Terraform Validate
+        id: validate
+        run: terraform validate -no-color
+      - name: Terraform Plan
+        id: plan
+        run: terraform plan -no-color
+        continue-on-error: true
diff --git a/.github/workflows/terratest.yaml b/.github/workflows/terratest.yaml
new file mode 100644
index 0000000..f3f4240
--- /dev/null
+++ b/.github/workflows/terratest.yaml
@@ -0,0 +1,30 @@
+name: "Terratest GitHub Action"
+on:
+  pull_request:
+    branches: [test, dev, qa, prod, main]
+  push:
+    branches: [test, dev, qa, prod, main]
+env:
+  AWS_ACCESS_KEY_ID: ${{ secrets.TERRATEST_AWS_ACCESS_KEY_ID }}
+  AWS_SECRET_KEY: ${{ secrets.TERRATEST_AWS_SECRET_ACCESS_KEY }}
+  AWS_DEFAULT_REGION: ${{ secrets.TERRATEST_AWS_REGION }}
+  AWS_REGION: ${{ secrets.TERRATEST_AWS_REGION }}
+jobs:
+  terratest:
+    name: terratest
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: true
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: 1.20
+        id: go
+      - name: Run 'go test -v -timeout 60m'
+        run: |
+          cd test
+          go mod download
+          go test -v -timeout 30m
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 5a55de0..768f242 100644
--- a/.pre-commit-config.yaml
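Review bot: The `Terraform Plan` step has `continue-on-error: true` and nothing in this file reads `steps.plan` afterwards, so a failing plan still leaves the check green; `Terraform Format` has the same problem, and additionally runs `terraform fmt` without `-check`, which exits 0 even when files need formatting. Use `run: terraform fmt -check` and drop `continue-on-error: true` from both steps unless a later reporting step is planned. The `env:` block on the fmt step exposes `ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN` to a command that does not use a GitHub token — remove it so the PAT is only available to the checkout that needs it. Unlike checkov.yaml and semantic-pr.yaml in this commit, this workflow declares no `permissions:`, so the job runs with the repository's default token permissions; add `permissions: read-all` (or `contents: read`) at the top. `tf_version` and `tf_working_dir` are defined under `env:` but never referenced by any step, so either wire them into `setup-terraform`/`working-directory` or delete them.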
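Review bot: `go-version: 1.20` is an unquoted float, so YAML hands setup-go `1.2` and it asks for Go 1.2 rather than 1.20; write `go-version: "1.20"`. The step name `Run 'go test -v -timeout 60m'` does not match the command it runs, `go test -v -timeout 30m` — align one with the other. `AWS_SECRET_KEY` is not the canonical variable; the AWS SDKs read `AWS_SECRET_ACCESS_KEY` and only some tooling falls back to `AWS_SECRET_KEY`, so renaming the env key avoids an authentication failure that would only show up at runtime. These are long-lived static keys made available to every pull_request and push on the listed branches; the OIDC role assumption supported by `aws-actions/configure-aws-credentials` would remove the static secret entirely, and a `permissions:` block like the other workflows in this commit should be added here as well.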
+++ b/.pre-commit-config.yaml 
@@ -6,27 +6,62 @@ repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0 # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
+    rev: v4.5.0 # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
     hooks:
-      - id: trailing-whitespace
-      - id: end-of-file-fixer
       - id: check-yaml
+        args: ['--allow-multiple-documents']
       - id: check-added-large-files
+      - id: detect-aws-credentials
+        args: ['--allow-missing-credentials']
+  - repo: local
+    hooks:
+      - id: create-checkov-baseline
+        name: Create Checkov Baseline
+        entry: bash -c 'if [ ! -f .checkov.baseline ]; then echo "{}" > .checkov.baseline && touch baseline-created; fi'
+        language: system
+        stages: [commit]
+        pass_filenames: false
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.83.2 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+    rev: v1.83.6 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
     hooks:
       - id: terraform_fmt
-      - id: terraform_docs
       - id: terraform_validate
-        exclude: (test/|examples/)
+        args:
+          - --hook-config=--retry-once-with-cleanup=true
+          - --tf-init-args=-upgrade
       - id: terraform_tfsec
-        exclude: (test/|examples/)
+        exclude: "test/"
       - id: terraform_checkov
-        exclude: (test/|examples/)
-  - repo: https://github.com/gitguardian/ggshield
-    rev: v1.18.1 # Update to latest version by running `pre-commit autoupdate`
+        exclude: "test/"
+        args:
+          - --args=--baseline __GIT_WORKING_DIR__/.checkov.baseline
+  - repo: local
     hooks:
-      - id: ggshield
-        language: python
+      - id: delete-checkov-baseline
+        name: Delete Checkov Baseline
+        entry: bash -c 'if [ -f baseline-created ]; then rm .checkov.baseline && rm baseline-created; fi'
+        language: system
         stages: [commit]
-        args: [ 'secret', 'scan', 'pre-commit' ]
+        pass_filenames: false
+  - repo: https://github.com/gitguardian/ggshield
+    rev: v1.21.0
+    hooks:
+      - id: ggshield
+        language: python
+        stages: [commit]
+        args: [ 'secret', 'scan', 'pre-commit' ]
+  - repo: local
+    hooks:
+      - id: docs
+        name: docs
+        entry: make
+        args: [ 'docs' ]
+        language: system
+  # Run this at the end so that we don't end up in infinite loop
+  # where the end of line fixer runs first and then the docs and fmt
+  # and other hooks that modify files will break it again.
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.5.0 # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
diff --git a/Makefile b/Makefile
index 19da8b5..be634ce 100644
--- a/Makefile
+++ b/Makefile
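Review bot: `stages: [commit]` is the legacy stage name — pre-commit 3.2 renamed it to `pre-commit` and warns on `commit` — so the three hooks that set it here (create-checkov-baseline, delete-checkov-baseline, ggshield) should move to `stages: [pre-commit]` once the project's minimum pre-commit version allows it. The two baseline hooks communicate through an untracked `baseline-created` marker in the working tree; if a run is interrupted between them the marker survives, and a later commit that brings in a real `.checkov.baseline` would have that file removed by `delete-checkov-baseline`. Add `baseline-created` to `.gitignore` and make the delete hook verify the baseline still holds only the placeholder `{}` before removing it, or commit a reviewed baseline and drop the pair altogether. `exclude: "test/"` on terraform_tfsec and terraform_checkov is an unanchored regex, so it also skips any path that merely contains `test/` (for example `modules/contest/`); `exclude: "^test/"` matches only the top-level directory.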
@@ -1,23 +1,19 @@
-lint:
-	terraform fmt --recursive
-
-validate: lint
-	cd examples/create_mysql_instance_with_public_ip/; terraform init --upgrade; terraform validate
-	cd examples/create_mysql_instance_with_private_ip/; terraform init --upgrade; terraform validate
-	cd examples/mysql_instance_with_read_replica/; terraform init --upgrade; terraform validate
-	cd examples/postgres_instance_with_read_replica/; terraform init --upgrade; terraform validate
+commit: docs validate
 
 docs:
-	terraform-docs -c .terraform-docs.yml .
-	cd examples/create_mysql_instance_with_public_ip/; terraform-docs markdown . --output-file README.md --output-mode inject
-	cd examples/create_mysql_instance_with_private_ip/; terraform-docs markdown . --output-file README.md --output-mode inject
-	cd examples/mysql_instance_with_read_replica/; terraform-docs markdown . --output-file README.md --output-mode inject
-	cd examples/postgres_instance_with_read_replica/; terraform-docs markdown . --output-file README.md --output-mode inject
+	terraform-docs --lockfile=false -c .terraform-docs.yml .
 
-commit: docs validate
+init:
+	git submodule update --init --recursive
+	terraform init -upgrade
 
-apply_and_destroy:
-	terraform apply -auto-approve && terraform apply -auto-approve -destroy
+lint:
+	terraform fmt --recursive
 
 tests:
-	cd test; go clean -testcache; ./test.sh
+# Super long timeout since this Makefile will be used in various repositories
+	cd test; go clean -testcache; go test -v -timeout 60m
+
+validate: lint
+	terraform init --upgrade
+	terraform validate
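Review bot: The comment on `tests` justifies a 60-minute timeout, yet terratest.yaml in this commit runs the same suite with `go test -v -timeout 30m` (under a step named `60m`), so CI will abort runs that this target is sized to allow; pick one value and use it in both places. `init` spells the flag `-upgrade` while `validate` spells it `--upgrade`; Terraform accepts both, but one spelling should be used throughout. `validate` runs its own `terraform init --upgrade` instead of depending on `init`, so on a fresh clone `make validate` never runs `git submodule update`; if the module references content from the submodule, `validate: lint init` would make that path work.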