Merge pull request #2 from masterpointio/feature/gh_component

feature: GitHub component

.editorconfig

@@ -0,0 +1,15 @@
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 2
+indent_style = space
+insert_final_newline = true
+trim_trailing_whitespace = true
+quote_type = double
+
+[*.md]
+max_line_length = 0
+trim_trailing_whitespace = false

.github/PULL_REQUEST_TEMPLATE/pull_request_template.md

@@ -0,0 +1,8 @@
+## Info
+
+- Describe high-level what changed as a result of these commits and why you made these changes. Be descriptive as pull requests are a common source of historical information when looking at past changes to the code.
+- Use bullet points to be concise and to the point.
+
+## References
+
+- Include any links to tickets, Teams or Slack threads, documentation, or online articles that help understand these changes and why they were made.

.github/workflows/lint.yaml

@@ -0,0 +1,21 @@
+name: Lint
+
+on: pull_request
+
+permissions:
+  actions: read
+  checks: write
+  contents: read
+  pull-requests: read
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out Git repository
+        uses: actions/checkout@v4
+      - name: Trunk Check
+        uses: trunk-io/trunk-action@v1
+      - name: Set up Terraform CLI
+        uses: hashicorp/setup-terraform@v2
+      - run: terraform fmt -check -recursive

.gitignore

@@ -5,14 +5,16 @@
 *.tfstate
 *.tfstate.*
 
+# Terraform lock files
+.terraform.lock.hcl
+
 # Crash log files
 crash.log
 
 # Ignore any .tfvars files that are generated automatically for each Terraform run. Most
 # .tfvars files are managed as part of configuration and so should be included in
 # version control.
-#
-# example.tfvars
+*.tfvars
 
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in

.markdownlint.yaml

@@ -0,0 +1,4 @@
+# This is a Markdownlint configuration file to ignore the acceptable issues for all files.
+MD041: false # First line in file should be a top level header.
+MD013: false # Line length.
+MD033: false # Inline HTML.

.pre-commit-config.yaml

@@ -0,0 +1,6 @@
+repos:
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.83.5 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_docs

.trunk/.gitignore

@@ -0,0 +1,8 @@
+*out
+*logs
+*actions
+*notifications
+*tools
+plugins
+user_trunk.yaml
+user.yaml

.trunk/configs/.markdownlint.yaml

@@ -0,0 +1,10 @@
+# Autoformatter friendly markdownlint config (all formatting rules disabled)
+default: true
+blank_lines: false
+bullet: false
+html: false
+indentation: false
+line_length: false
+spaces: false
+url: false
+whitespace: false

.trunk/configs/.yamllint.yaml

@@ -0,0 +1,10 @@
+rules:
+  quoted-strings:
+    required: only-when-needed
+    extra-allowed: ["{|}"]
+  empty-values:
+    forbid-in-block-mappings: true
+    forbid-in-flow-mappings: true
+  key-duplicates: {}
+  octal-values:
+    forbid-implicit-octal: true

.trunk/trunk.yaml

@@ -0,0 +1,30 @@
+# This file controls the behavior of Trunk: https://docs.trunk.io/cli
+# To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml
+version: 0.1
+cli:
+  version: 1.17.0
+plugins:
+  sources:
+    - id: trunk
+      ref: v1.2.5
+      uri: https://github.com/trunk-io/plugins
+runtimes:
+  enabled:
+    - node@18.12.1
+    - python@3.10.8
+lint:
+  enabled:
+    - checkov@2.5.9
+    - git-diff-check
+    - markdownlint@0.37.0
+    - prettier@3.0.3
+    - tflint@0.48.0
+    - trivy@0.46.0
+    - trufflehog@3.60.0
+    - yamllint@1.32.0
+actions:
+  enabled:
+    - trunk-announce
+    - trunk-check-pre-push
+    - trunk-fmt-pre-commit
+    - trunk-upgrade-available

README.md

@@ -1,2 +1,29 @@
-# terraform-components
-The Masterpoint reusable and sharable Terraform Root Modules (Components)
+[![Masterpoint Logo](https://i.imgur.com/RDLnuQO.png)](https://masterpoint.io)
+
+# terraform-components [![Latest Release](https://img.shields.io/github/release/masterpointio/terraform-components.svg)](https://github.com/masterpointio/terraform-components/releases/latest)
+
+This is a Masterpoint's reusable and sharable collection of Terraform Root Modules (Components). Each Component is a set of Terraform modules, resources, data sources and local expressions that represent an higher abstraction layer of infrastructure comparing to an average community child module. It can be easily integrated into the architecture and removed if needed.
+
+It's Open Source and licensed under the [APACHE2](LICENSE).
+
+## Components
+
+- [GitHub Repositories](./github-repositories/README.md): responsible for managing GitHub repositories, including permissions, webhooks, pages, etc.
+
+## Trunk Linter
+
+To maintain code quality we use a collection of linters, all managed by [Trunk](https://trunk.io).
+
+To install trunk on your machine you can use brew: `brew install trunk-io`. You can also install trunk via the [official instructions](https://docs.trunk.io/docs/install).
+
+### Usage
+
+To run the linters, simply run `trunk check` from the root of the project. This will check any files that you have changed in your current branch.
+
+To automatically apply formatting changes, run `trunk fmt`.
+
+## Automating Trunk
+
+Trunk can manage git hooks, and is configured to run `fmt` on pre-commit and `check` on pre-push. This should help to prevent code being kicked-back by CI.
+
+Trunk is automated in CI using GitHub Actions, and PRs will be blocked if the linters fail.

github-repositories/main.tf

@@ -0,0 +1,84 @@
+module "repos" {
+  # checkov:skip=CKV_TF_1: For now we use Terraform registry source, not git. If switching to git, we should use a commit hash.
+  source  = "mineiros-io/repository/github"
+  version = "0.18.0"
+
+  for_each = var.repos
+
+  # Main Resource Configuration
+  allow_auto_merge   = each.value.allow_auto_merge
+  allow_merge_commit = each.value.allow_merge_commit
+  allow_rebase_merge = each.value.allow_rebase_merge
+  allow_squash_merge = each.value.allow_squash_merge
+  archive_on_destroy = each.value.archive_on_destroy
+  archived           = each.value.archived
+  # NOTE: The configured branch must exist in the repository.
+  # If the branch doesn't exist yet, or if you are creating a new repository,
+  # please add the desired default branch to the `branches` variable, which will cause Terraform to create it for you.
+  default_branch       = each.value.default_branch
+  description          = each.value.description
+  extra_topics         = each.value.extra_topics
+  has_downloads        = each.value.has_downloads
+  has_issues           = each.value.has_issues
+  has_projects         = each.value.has_projects
+  has_wiki             = each.value.has_wiki
+  homepage_url         = each.value.homepage_url
+  is_template          = each.value.is_template
+  name                 = each.key
+  pages                = each.value.pages
+  topics               = each.value.topics
+  visibility           = each.value.visibility
+  vulnerability_alerts = each.value.vulnerability_alerts
+
+  # Extended Resource Configuration
+  auto_init          = each.value.auto_init
+  gitignore_template = each.value.gitignore_template
+  license_template   = each.value.license_template
+  template           = each.value.template
+
+  # Teams Configuration
+  admin_teams    = each.value.admin_teams
+  maintain_teams = each.value.maintain_teams
+  pull_teams     = each.value.pull_teams
+  push_teams     = each.value.push_teams
+  triage_teams   = each.value.triage_teams
+
+  # Collaborator Configuration
+  admin_collaborators    = each.value.admin_collaborators
+  maintain_collaborators = each.value.maintain_collaborators
+  pull_collaborators     = each.value.pull_collaborators
+  push_collaborators     = each.value.push_collaborators
+  triage_collaborators   = each.value.triage_collaborators
+
+  # Branches Configuration
+  branches = each.value.branches
+
+  # Deploy Keys Configuration
+  deploy_keys          = each.value.deploy_keys
+  deploy_keys_computed = each.value.deploy_keys_computed
+
+  # Branch Protections v4 Configuration
+  branch_protections_v4 = each.value.branch_protections_v4
+
+  # Issue Labels Configuration
+  issue_labels        = each.value.issue_labels
+  issue_labels_create = each.value.issue_labels_create
+
+  issue_labels_merge_with_github_labels = each.value.issue_labels_merge_with_github_labels
+
+  # Projects Configuration
+  projects = each.value.projects
+
+  # Webhooks Configuration
+  webhooks = each.value.webhooks
+
+  # Secrets Configuration
+  plaintext_secrets = each.value.plaintext_secrets
+  encrypted_secrets = each.value.encrypted_secrets
+
+  # Autolink References Configuration
+  autolink_references = each.value.autolink_references
+
+  # App Installations
+  app_installations = each.value.app_installations
+}

github-repositories/providers.tf

@@ -0,0 +1,32 @@
+locals {
+  gh_token         = try(local.secrets[var.gh_token_secret_name], "")
+  gh_token_enabled = length(local.gh_token) > 0 ? true : false
+
+  gh_app_auth_id_enabled              = length(var.gh_app_auth_id) > 0 ? true : false
+  gh_app_auth_installation_id_enabled = length(var.gh_app_auth_installation_id) > 0 ? true : false
+  gh_app_auth_pem_file                = try(local.secrets[var.gh_app_auth_pem_file_secret_name], "")
+  gh_app_auth_pem_file_enabled        = length(local.gh_app_auth_pem_file) > 0 ? true : false
+  gh_app_auth_enabled                 = alltrue([local.gh_app_auth_id_enabled, local.gh_app_auth_installation_id_enabled, local.gh_app_auth_pem_file_enabled])
+}
+
+# The GitHub provider offers multiple ways to authenticate with GitHub API:
+# - GitHub CLI
+# - OAuth / Personal Access Token
+# - GitHub App Installation
+#
+# When none configuration is provided, the provider can only access resources available anonymously.
+provider "github" {
+  base_url = var.gh_base_url
+  owner    = var.gh_owner
+
+  token = local.gh_token_enabled ? local.gh_token : null
+
+  dynamic "app_auth" {
+    for_each = local.gh_app_auth_enabled ? ["app_auth"] : []
+    content {
+      id              = var.gh_app_auth_id
+      installation_id = var.gh_app_auth_installation_id
+      pem_file        = local.gh_app_auth_pem_file
+    }
+  }
+}

github-repositories/secrets.sops.tf

@@ -0,0 +1,26 @@
+module "secrets" {
+  # checkov:skip=CKV_TF_1: For now we use Terraform registry source, not git. If switching to git, we should use a commit hash.
+  source         = "masterpointio/helper/secrets"
+  version        = "0.2.0"
+  secret_mapping = var.secret_mapping
+}
+
+variable "secret_mapping" {
+  type = list(object({
+    name = string
+    type = string
+    path = optional(string, null)
+    file = string
+  }))
+  default     = []
+  description = <<-EOT
+    The list of secret mappings the application will need.
+    This creates secret values for the component to consume at `local.secrets[name]`.
+    EOT
+}
+
+# Reference your secrets using the module output
+locals {
+  # tflint-ignore: terraform_unused_declarations
+  secrets = module.secrets.all
+}