diff --git a/.checkov.yaml b/.checkov.yaml index f9f4518..58766d5 100644 --- a/.checkov.yaml +++ b/.checkov.yaml @@ -1,12 +1,14 @@ compact: true directory: -- . + - . download-external-modules: true evaluate-variables: true external-modules-download-path: .external_modules -#framework: -#- all +framework: + - all quiet: true skip-path: - .external_modules - modules + - catalog-info.yml +baseline: .checkov.baseline diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 08ea211..533728b 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -8,4 +8,4 @@ # the repo. Unless a later match takes precedence, # @global-owner1 and @global-owner2 will be requested for # review when someone opens a pull request. -* @honestbank/devops-engineers @honestbank/backend-engineers +* @honestbank/devops-engineers diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index a178f2c..7e799e2 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -6,13 +6,14 @@ --> -## Pull Request Submission Checklist +### Pull Request Submission Checklist Please confirm that you have done the following before requesting reviews: - [ ] I have confirmed that the PR type is appropriate for the change I am making according to the [Honest Pull Request and Commit Message Naming Conventions](https://www.notion.so/honestbank/Pull-Request-and-Commit-Message-Naming-Conventions-bd97f2cbb34c4c73b1ff3a3e384b850c). - [ ] I have typed an adequate description that explains **why** I am making this change. - [ ] I have installed and run standard pre-commit hooks that lints and validates my code. +- [ ] All entities that I am working with are up-to-date in Backstage; if updates are needed, I have linked the relevant PRs. [Backstage guide](https://www.notion.so/honestbank/How-to-Write-a-Backstage-Service-Catalog-Entry-a-catalog-info-yaml-file-21845ff72e404b14aed2ac989fb202cf?pvs=4) ### Description 
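Review bot: `baseline: .checkov.baseline` makes every finding recorded in that file invisible to checkov, so the baseline needs to be committed and reviewed like code, and never regenerated with `--create-baseline` inside an unrelated change; this hunk references the file but nothing in the commit adds it, and the pre-commit hooks elsewhere in this diff only create a throwaway `{}` copy for the local run, so it is unclear what the shared CI workflow sees at that path. Add a comment above the key so the next maintainer knows what it does: `# Findings listed in .checkov.baseline are suppressed; review changes to that file as carefully as the code they exempt.` If the baseline is intentionally absent in CI, confirm that checkov tolerates a missing path rather than silently skipping the scan.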
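Review bot: Dropping @honestbank/backend-engineers from the `*` rule leaves @honestbank/devops-engineers as the only code owner for the whole repository, including the Checkov configuration, baseline and workflow files that gate it. If branch protection requires code-owner review, a single team now controls approval of changes that can weaken those gates, so confirm that is intended and that the team is large enough that a reviewer other than the author is always available.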
diff --git a/.github/workflows/checkov.yaml b/.github/workflows/checkov.yaml index c0e4451..1cbe949 100644 --- a/.github/workflows/checkov.yaml +++ b/.github/workflows/checkov.yaml @@ -1,21 +1,27 @@ -name: "Checkov GitHub Action" -on: +# yamllint disable rule:line-length +# Use template from https://github.com/honestbank/workflows/tree/main/examples/repository-workflows +--- +name: "repository-checkov" +permissions: read-all + +on: # yamllint disable-line rule:truthy pull_request: - branches: [test, dev, qa, prod, main] + branches: + - test + - dev + - qa + - prod + - main + push: + branches: + - test + - dev + - qa + - prod + - main jobs: - checkov: - name: checkov - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - submodules: "recursive" - token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }} - - name: Run Checkov - id: checkov - uses: bridgecrewio/checkov-action@master - with: - download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry - quiet: true # optional: display only failed checks + repository-checkov: + name: repository-checkov + uses: honestbank/workflows/.github/workflows/shared-checkov.yaml@main + secrets: inherit diff --git a/.github/workflows/semantic-pr.yaml b/.github/workflows/semantic-pr.yaml index 3e219dd..99eda8b 100644 --- a/.github/workflows/semantic-pr.yaml +++ b/.github/workflows/semantic-pr.yaml 
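Review bot: `uses: honestbank/workflows/.github/workflows/shared-checkov.yaml@main` combined with `secrets: inherit` hands every secret of this repository, including the PAT and Terraform Cloud token used by the other workflows, to whatever the central repo's `main` branch contains at run time, so a bad merge or compromise there affects this repo with no change here. Pin the reusable workflow to a release tag or full commit SHA and pass only what the scan needs through an explicit `secrets:` block (judging by the removed checkout step, that is the submodule token). The caller-level `permissions: read-all` is a good addition; the called workflow can only narrow it, not widen it.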
@@ -1,17 +1,24 @@ -name: "Semantic Pull Request" +# DO NOT CHANGE. This file is being managed from a central repository +# To know more simply visit https://github.com/honestbank/.github/blob/main/docs/about.md -on: +# yamllint disable rule:line-length +# Use template from https://github.com/honestbank/workflows/tree/main/examples/repository-workflows +--- +name: "repository-semantic-pr" +permissions: + contents: write + pull-requests: write + +on: # yamllint disable-line rule:truthy pull_request: types: - opened - edited + - reopened - synchronize jobs: - main: - name: Semantic Pull Request - runs-on: ubuntu-latest - steps: - - uses: amannn/action-semantic-pull-request@v4 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + repository-semantic-pr: + name: repository-semantic-pr + uses: honestbank/workflows/.github/workflows/shared-semantic-pr.yaml@main + secrets: inherit diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml index 079a708..d0cf4a7 100644 --- a/.github/workflows/terraform.yaml +++ b/.github/workflows/terraform.yaml @@ -12,12 +12,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v4 with: submodules: "recursive" token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }} - name: Set up Terraform - uses: hashicorp/setup-terraform@v1 + uses: hashicorp/setup-terraform@v3 with: cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} - name: Terraform Format 
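Review bot: `contents: write` under `permissions:` is broader than a PR-title check needs; the replaced step ran amannn/action-semantic-pull-request with the default `GITHUB_TOKEN` and only needed pull-request access, and this grant applies on every `pull_request` run. Unless `shared-semantic-pr.yaml` is known to push commits, reduce it to `contents: read` in the central template, since the header says this file is managed there. The same `@main` plus `secrets: inherit` concern as in the checkov workflow applies here: pin the reusable workflow to a tag or SHA and pass only the secrets it uses.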
@@ -36,29 +36,3 @@ jobs: id: plan run: terraform plan -no-color continue-on-error: true - - uses: actions/github-script@v4 - if: github.event_name == 'pull_request' - env: - PLAN: "terraform\n${{ steps.plan.outputs.stdout }}" - with: - github-token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }} - script: | - const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\` - #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` - #### Terraform Validation 🤖${{ steps.validate.outputs.stdout }} - #### Terraform Plan 📖\`${{ steps.plan.outcome }}\` - -
Show Plan - - \`\`\`${process.env.PLAN}\`\`\` - -
- - *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.tf_actions_working_dir }}\`, Workflow: \`${{ github.workflow }}\`*`; - - github.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: output - }) diff --git a/.github/workflows/terratest.yaml b/.github/workflows/terratest.yaml index 0f9b970..05041b1 100644 --- a/.github/workflows/terratest.yaml +++ b/.github/workflows/terratest.yaml @@ -15,15 +15,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v4 with: submodules: true - - name: Set up Go (1.16) - uses: actions/setup-go@v2 + - name: Set up Go + uses: actions/setup-go@v5 with: - go-version: 1.16 + go-version: 1.20 id: go - - name: Run 'go test -v -timeout 30m' + - name: Run 'go test -v -timeout 60m' run: | cd test go mod download diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 301d704..7ca4cad 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
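Review bot: `go-version: 1.20` is an unquoted YAML float and is read as `1.2`, so actions/setup-go will resolve Go 1.2.x rather than 1.20; the setup-go documentation calls out exactly this trap. Write it as `go-version: "1.20"`. The previous `1.16` only worked because that float keeps its trailing digit. Go 1.20 is also past its security-fix window, so a currently supported release is worth considering, though the `go.mod` under `test/` is not visible here to confirm compatibility.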
@@ -1,25 +1,70 @@ +# DO NOT CHANGE. This file is being managed from a central repository +# To know more simply visit https://github.com/honestbank/.github/blob/main/docs/about.md + # See https://pre-commit.com for more information # See https://pre-commit.com/hooks.html for more hooks + repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.3.0 + rev: v4.5.0 # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases hooks: - - id: trailing-whitespace - - id: end-of-file-fixer - id: check-yaml + args: ["--allow-multiple-documents"] - id: check-added-large-files + - id: detect-aws-credentials + args: ["--allow-missing-credentials"] + - repo: local + hooks: + - id: create-checkov-baseline + name: Create Checkov Baseline + entry: bash -c 'if [ ! -f .checkov.baseline ]; then echo "{}" > .checkov.baseline && touch baseline-created; fi' + language: system + stages: [commit] + pass_filenames: false - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.76.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases + rev: v1.88.4 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases hooks: - id: terraform_fmt - - id: terraform_docs - id: terraform_validate - exclude: test/ + args: + - --hook-config=--retry-once-with-cleanup=true + - --tf-init-args=-upgrade - id: terraform_tfsec - exclude: test/ + exclude: "test/" + args: + - --args=--exclude-downloaded-modules - id: terraform_checkov - exclude: test/ - - repo: https://github.com/zricethezav/gitleaks - rev: v8.15.0 + exclude: "test/" + args: + - --args=--baseline __GIT_WORKING_DIR__/.checkov.baseline + - repo: local + hooks: + - id: delete-checkov-baseline + name: Delete Checkov Baseline + entry: bash -c 'if [ -f baseline-created ]; then rm .checkov.baseline && rm baseline-created; fi' + language: system + stages: [commit] + pass_filenames: false + - repo: https://github.com/gitguardian/ggshield + rev: v1.26.0 + 
hooks: + - id: ggshield + language: python + stages: [commit] + args: ["secret", "scan", "pre-commit"] + - repo: local hooks: - - id: gitleaks + - id: docs + name: docs + entry: make + args: ["docs"] + language: system + pass_filenames: false + # Run this at the end so that we don't end up in infinite loop + # where the end of line fixer runs first and then the docs and fmt + # and other hooks that modify files will break it again. + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.5.0 # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases + hooks: + - id: trailing-whitespace + - id: end-of-file-fixer diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..be634ce --- /dev/null +++ b/Makefile @@ -0,0 +1,19 @@ +commit: docs validate + +docs: + terraform-docs --lockfile=false -c .terraform-docs.yml . + +init: + git submodule update --init --recursive + terraform init -upgrade + +lint: + terraform fmt --recursive + +tests: +# Super long timeout since this Makefile will be used in various repositories + cd test; go clean -testcache; go test -v -timeout 60m + +validate: lint + terraform init --upgrade + terraform validate
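Review bot: `--tf-init-args=-upgrade` on the `terraform_validate` hook makes every commit re-run `terraform init -upgrade`, which ignores the selections in `.terraform.lock.hcl` and rewrites them to the newest allowed versions, so a validation hook can silently move provider pins on a developer's machine and fetch code from the registry on each commit. Drop that argument, or use `--tf-init-args=-lockfile=readonly` so local validation runs against the reviewed pins and fails loudly if they are incomplete. Separately, the `delete-checkov-baseline` hook removes `.checkov.baseline` whenever a stale `baseline-created` marker exists, so if a real baseline is later committed while a marker from an interrupted run is lying around, the real file is deleted; guarding with `[ -f baseline-created ] && grep -qx '{}' .checkov.baseline` would limit it to the placeholder it created.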
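Review bot: The `validate` target runs `terraform init --upgrade`, which ignores and rewrites the provider selections in `.terraform.lock.hcl`, so a target that is meant to check the code can silently change which provider builds are pinned; use `terraform init -lockfile=readonly` there and keep the upgrade only in the explicit `init` target. `init` and `validate` also spell the same flag differently (`-upgrade` vs `--upgrade`); both are accepted, but one form reads better. A one-line header comment stating the intent would help, e.g. `# Local convenience targets; CI uses the workflows under .github/workflows.` if that is indeed the split.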