chore: initial configurations (#2)

.checkov.yml

@@ -0,0 +1,11 @@
+directory:
+  - modules/
+  - examples/
+download-external-modules: false # This should ideally be true but there's a lot of findings in the upstream open source modules.
+framework: terraform
+compact: true
+quiet: false
+summary-position: bottom
+
+skip-check:
+  - CKV_TF_1 # Ensure Terraform module sources use a commit hash // pending https://github.com/hashicorp/terraform/issues/29867

.editorconfig

@@ -0,0 +1,18 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 2
+indent_style = space
+insert_final_newline = true
+trim_trailing_whitespace = true
+max_line_length = 120
+tab_width = 4
+
+[{Makefile,go.mod,go.sum,*.go,.gitmodules}]
+indent_style = tab
+indent_size = 4
+
+[*.md]
+trim_trailing_whitespace = false

.env

@@ -0,0 +1,3 @@
+BUILD_HARNESS_REPO=ghcr.io/defenseunicorns/build-harness/build-harness
+# renovate: datasource=github-tags depName=defenseunicorns/build-harness
+BUILD_HARNESS_VERSION=1.14.8

.github/ISSUE_TEMPLATE/general_issue.md

@@ -0,0 +1,48 @@
+---
+name: General Issue
+about: Suggest a new feature, report a bug, or just ask a question
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+<!-- Thank you for submitting an issue! Please answer the following questions. This template is intended to guide the issue author toward meeting our [Definition of Ready](https://github.com/defenseunicorns/delivery-aws-iac/blob/main/CONTRIBUTING.md#definition-of-ready-for-a-backlog-item). You don't have to use this exact format if you don't want to, but whatever you submit must meet the DoR or the issue may be closed, and you will be asked to resubmit. -->
+
+### Persona
+
+<!-- Who is submitting this request? Please describe how you use this repo. -->
+
+
+
+### Description
+
+<!-- What **outcome** is being requested? Note: An outcome is a description of the behavior desired rather than an imperative. For example, "I want to be able to create a new user" is an outcome, while "Create new users using this specific javascript library" is an imperative. -->
+
+
+
+### Use Case
+
+<!-- Why is this needed? Is this request related to a problem? Please describe. -->
+
+
+
+### Impact
+
+<!-- What will happen if this request is not fulfilled? -->
+
+
+
+### Completion
+
+<!-- What does being "done" look like?
+Note: Some "givens" of done criteria that don't need to be included in the answer:
+> * The change has been peer reviewed
+> * Automated tests have been written and/or updated, and are passing
+> * Documentation has been written and/or updated -->
+
+
+
+### Additional Context
+
+<!-- Any additional information / visual aids that might be helpful in understanding the request? -->

.github/workflows/pr-merge-group.yml

@@ -0,0 +1,25 @@
+# triggers on merge_group and pull_request events
+# only use this if merge queue is enabled, otherwise stick to test-command for e2e testing
+
+name: pr-merge-group
+on:
+  merge_group:
+    types: [checks_requested]
+  pull_request:
+
+defaults:
+  run:
+    shell: bash -eo pipefail {0}
+
+permissions:
+  id-token: write # needed for oidc auth for AWS creds
+  contents: read
+
+jobs:
+  pr-merge-group-test:
+    uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/pr-merge-group-test.yml@main
+    secrets:
+      APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }}
+      APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }}
+      AWS_COMMERCIAL_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_COMMERCIAL_ROLE_TO_ASSUME }}
+      AWS_GOVCLOUD_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_GOVCLOUD_ROLE_TO_ASSUME }}

.github/workflows/pre-commit.yml

@@ -0,0 +1,20 @@
+# If the workflow trigger is "pull_request", run pre-commit checks.
+name: pre-commit
+
+on:
+  pull_request:
+  merge_group:
+  workflow_dispatch:
+
+
+permissions:
+  pull-requests: write
+  id-token: write
+  contents: read
+
+jobs:
+  pre-commit:
+    uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/pre-commit.yml@main
+    secrets:
+      APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }}
+      APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }}

.github/workflows/pull-request-opened-by-renovate.yml

@@ -0,0 +1,40 @@
+# If Renovate is not the author of the PR that triggers this workflow, it will do nothing.
+# If Renovate is the author of the PR that triggers this workflow, but the workflow event is anything but "opened", it will do nothing.
+# If Renovate is the author of the PR that triggers this workflow, and the workflow event is "opened", it will:
+#   1. Autoformat using pre-commit and, if necessary, push an additional commit to the PR with the autoformat fixes.
+#   2. Change the branch protection rules to turn off require codeowner approval due to github apps not being able to be codeowners or added to teams.
+#   3. narwhal-bot approves the PR.
+#   4. narwhal-bot merges the PR.
+#   5. PR is added to merge queue.
+#   6. tests are ran.
+#     a. If tests pass, PR is merged.
+#       i. If PR is merged, it is closed and branch is deleted.
+#     b. If tests fail, PR stays open and it is removed from merge queue.
+#   7. Branch protection is always set back to the original state.
+#
+# See ADR #0008.
+name: auto-test
+on:
+  pull_request:
+    # WARNING: DO NOT ADD MORE EVENT TYPES HERE! Because this workflow will push a new commit to the PR in the Autoformat step, adding more event types may cause an infinite loop.
+    types:
+      - opened
+
+permissions:
+  id-token: write
+  contents: write
+
+defaults:
+  run:
+    # We need -e -o pipefail for consistency with GitHub Actions' default behavior
+    shell: bash -e -o pipefail {0}
+
+jobs:
+  renovate-test:
+    if: github.event.client_payload.github.actor == 'renovate[bot]' || github.actor == 'renovate[bot]'
+    uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/renovate-test.yml@main
+    secrets:
+      APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }}
+      APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }}
+      AWS_COMMERCIAL_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_COMMERCIAL_ROLE_TO_ASSUME }}
+      AWS_GOVCLOUD_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_GOVCLOUD_ROLE_TO_ASSUME }}

.github/workflows/release-please.yml

@@ -0,0 +1,19 @@
+# On every push to main, run release-please to automatically handle the release process.
+
+name: release-please
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  release-please:
+    uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/release-please.yml@main
+    secrets:
+      APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }}
+      APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }}

.github/workflows/repo-config.yml

@@ -0,0 +1,19 @@
+name: repo-config
+
+on:
+  schedule:
+    # daily at 11:00 UTC
+    - cron: '0 11 * * *'
+
+jobs:
+  repo-config:
+    uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/repo-config.yml@main
+    secrets:
+      APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }}
+      APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }}
+    with:
+      branch: main
+      checks: |-
+        checks:
+          - context: 'e2e-tests'
+          - context: 'pre-commit-checks'

.github/workflows/scheduled-e2e-secure-test.yml

@@ -0,0 +1,23 @@
+name: scheduled-e2e-secure-test
+
+on:
+  schedule:
+    # weekly on Mondays at 12:00 UTC
+    - cron: '0 12 * * 1'
+
+defaults:
+  run:
+    shell: bash -eo pipefail {0}
+
+permissions:
+  id-token: write # needed for oidc auth for AWS creds
+  contents: read
+
+jobs:
+  scheduled-e2e-secure-test:
+    uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/secure-test-with-chatops.yml@main
+    secrets:
+      APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }}
+      APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }}
+      AWS_GOVCLOUD_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_GOVCLOUD_ROLE_TO_ASSUME }}
+      SLACK_WEBHOOK_URL: ${{ secrets.NARWHAL_SLACK_URL }}

.github/workflows/slash-command-dispatch.yml

@@ -0,0 +1,50 @@
+# When someone with write access to the repo adds a comment to a PR that contains "/test <command>", dispatch the workflow found in "test-command.yml"
+# When someone with write access to the repo adds a comment to a PR that contains "/update <command>", dispatch the workflow found in "update-command.yml"
+
+name: Slash Command Dispatch
+
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+
+  slashCommandDispatchTest:
+    if: github.event.issue.pull_request && contains(github.event.comment.body, '/test')
+    runs-on:  ubuntu-latest
+    steps:
+      - name: Get token
+        id: get_workflow_token
+        uses: peter-murray/workflow-application-token-action@v2
+        with:
+          application_id: ${{ secrets.NARWHAL_BOT_APP_ID }}
+          application_private_key: ${{ secrets.NARWHAL_BOT_SECRET }}
+
+      - name: Slash Command Dispatch
+        uses: peter-evans/slash-command-dispatch@v3
+        with:
+          token: ${{ steps.get_workflow_token.outputs.token }}
+          reaction-token: ${{ steps.get_workflow_token.outputs.token }}
+          commands: test
+          permission: write
+          issue-type: pull-request
+
+  slashCommandDispatchUpdate:
+    if: github.event.issue.pull_request && contains(github.event.comment.body, '/update')
+    runs-on:  ubuntu-latest
+    steps:
+    - name: Get token
+      id: get_workflow_token
+      uses: peter-murray/workflow-application-token-action@v2
+      with:
+        application_id: ${{ secrets.NARWHAL_BOT_APP_ID }}
+        application_private_key: ${{ secrets.NARWHAL_BOT_SECRET }}
+
+    - name: Slash Command Dispatch
+      uses: peter-evans/slash-command-dispatch@v3
+      with:
+        token: ${{ steps.get_workflow_token.outputs.token }}
+        reaction-token: ${{ steps.get_workflow_token.outputs.token }}
+        commands: update
+        permission: write
+        issue-type: pull-request

.github/workflows/test-command.yml

@@ -0,0 +1,38 @@
+# usage:
+  # A user with write status to the repo can from a PR comment:
+
+  # run a single test
+  # /test make=<make-target> region=<region>
+
+  # run ping test
+  # /test ping
+
+  # run all tests in the makefile
+  # /test
+
+name: test
+on:
+  repository_dispatch:
+    types: [test-command]
+
+
+permissions:
+  id-token: write
+  contents: read
+
+defaults:
+  run:
+    # We need -e -o pipefail for consistency with GitHub Actions' default behavior
+    shell: bash -e -o pipefail {0}
+
+jobs:
+  e2e-test:
+    uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/e2e-test.yml@main
+    secrets:
+      APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }}
+      APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }}
+      AWS_COMMERCIAL_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_COMMERCIAL_ROLE_TO_ASSUME }}
+      AWS_GOVCLOUD_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_GOVCLOUD_ROLE_TO_ASSUME }}
+    with:
+      # check if the required slash command args are present, if so populate the json matrix, else pass in null and relevant e2e tests that would require a make target and region will be skipped
+      e2e-test-matrix: ${{ (contains(github.event.client_payload.slash_command_args.named, 'make') && contains(github.event.client_payload.slash_command_args.named, 'region')) && format('[{{"make-target":"{0}", "region":"{1}"}}]', github.event.client_payload.slash_command_args.named.make, github.event.client_payload.slash_command_args.named.region) || null }}

.github/workflows/update-command.yml

@@ -0,0 +1,22 @@
+# This workflow is triggered by a comment on a pull request. The comment must contain "/update <command>" to trigger the workflow.
+
+name: update
+on:
+  repository_dispatch:
+    types: [update-command]
+
+permissions:
+  id-token: write
+  contents: write
+
+defaults:
+  run:
+    # We need -e -o pipefail for consistency with GitHub Actions' default behavior
+    shell: bash -e -o pipefail {0}
+
+jobs:
+  update:
+    uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/update.yml@main
+    secrets:
+      APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }}
+      APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }}