♻️ Cleanup this repository

.devcontainer/devcontainer.json

@@ -0,0 +1,30 @@
+{
+ "$schema": "https://raw.githubusercontent.com/devcontainers/spec/main/schemas/devContainer.schema.json",
+ "name": "k3s Terraform module - Dev Container",
+ "image": "mcr.microsoft.com/vscode/devcontainers/universal",
+ "features": {
+ "ghcr.io/devcontainers-contrib/features/yamllint:2.0.9": {},
+ "ghcr.io/devcontainers/features/terraform:1.3.5": {
+ "version": "1.6.2"
+ },
+ "ghcr.io/devcontainers-contrib/features/go-task:1.0.5": {},
+ "ghcr.io/dhoeric/features/terraform-docs:1.0.0": {
+ "version": "0.16.0"
+ },
+ "ghcr.io/itsmechlark/features/act:1.0.0": {},
+ "ghcr.io/itsmechlark/features/trivy:1.0.0": {}
+ },
+ "customizations": {
+ "vscode": {
+ "extensions": [
+ "bierner.github-markdown-preview",
+ "github.copilot",
+ "ms-vscode.makefile-tools",
+ "redhat.vscode-yaml",
+ "tylerharris.terraform-link-docs",
+ "yzhang.markdown-all-in-one",
+ "task.vscode-task"
+ ]
+ }
+ }
+}

.github/ISSUE_TEMPLATE/bug-report.yaml

@@ -0,0 +1,68 @@
+name: Bug Report
+description: File a bug report for this project
+title: ":bug: "
+labels: ["kind/bug"]
+projects: ["xunleii/2"]
+
+body:
+ - type: markdown
+ attributes:
+ value: |
+ Before opening a new issue, please search existing issues.
+
+ ----
+
+ Thank you for filing a bug report! Please fill out the sections below to help us reproduce the bug.
+
+ - type: textarea
+ id: what_happened
+ attributes:
+ label: ":fire: What happened?"
+ description: Describe the issue you are experiencing here
+ validations:
+ required: true
+ - type: textarea
+ id: what_expected
+ attributes:
+ label: ":+1: What did you expect to happen?"
+ description: Describe what you expected to happen here
+ validations:
+ required: false
+ - type: textarea
+ id: how_reproduce
+ attributes:
+ label: ":mag: How can we reproduce the issue?"
+ description: Describe how to reproduce the problem in as much detail as possible
+ validations:
+ required: true
+
+ - type: input
+ id: module_version
+ attributes:
+ label: ":wrench: Module version"
+ description: Please provide the version of the module you are using
+ validations:
+ required: true
+ - type: input
+ id: terraform_version
+ attributes:
+ label: ":wrench: Terraform version"
+ description: Please provide the version of Terraform you are using
+ validations:
+ required: true
+
+ - type: textarea
+ id: provider_list
+ attributes:
+ label: ":wrench: Terraform providers"
+ description: List all the providers you are using with their version (copy the output of `terraform providers`)
+ validations:
+ required: true
+
+ - type: textarea
+ id: additional_info
+ attributes:
+ label: ":clipboard: Additional information"
+ description: Please provide any additional information that might be useful
+ validations:
+ required: false

.github/ISSUE_TEMPLATE/config.yaml

@@ -0,0 +1 @@
+blank_issues_enabled: true

.github/labels.yaml

@@ -25,6 +25,13 @@
 - name: size/XL
  color: FF0000
 
+- name: status/stale
+ description: This issue has not had recent activity
+ color: 6A5ACD
+- name: no-stale
+ description: This issue cannot be marked as stale
+ color: 6A5ACD
+
 - name: terraform:plan
  description: Invoke Terraform plan workflow on the current PR
  color: 7A55CC

.github/workflows/github.documentation.yaml

@@ -1,4 +1,5 @@
-name: Update documentation assets (master only)
+---
+name: '[bot] Update documentation assets (master only)'
 on:
  push:
  branches: [master]
@@ -11,15 +12,15 @@ jobs:
  contents: write
  steps:
  - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- - uses: heinrichreimer/github-changelog-generator-action@6f5b9494dd265d6fb7243a10c53dc0169c55f247 # renovate: tag=v2.3
+ - uses: heinrichreimer/github-changelog-generator-action@6f5b9494dd265d6fb7243a10c53dc0169c55f247 # v2.3
  with:
  token: ${{ secrets.GITHUB_TOKEN }}
  # NOTE: seems impossible to use terraform-docs/gh-actions with EndBug/add-and-commit... so
  # we will do everything manually
  - name: Generate README.md with terraform-docs
  run: |
  mkdir .terraform-docs
- curl -L https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-$(uname)-amd64.tar.gz | tar -xvzC .terraform-docs
+ curl -L "https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-$(uname)-amd64.tar.gz" | tar -xvzC .terraform-docs
  chmod +x .terraform-docs/terraform-docs
 
  .terraform-docs/terraform-docs .

.github/workflows/github.labeler.yaml

@@ -1,16 +1,19 @@
-name: Synchronize labels
+---
+name: '[bot] Synchronize labels'
 on:
  push:
  branches: [master]
  paths: [.github/workflows/github.labeler.yaml, .github/labels.yaml]
+ schedule:
+ - cron: '0 0 * * *'
 
 jobs:
  sync:
  name: Synchronize labels
  runs-on: ubuntu-latest
  steps:
  - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # renovate: tag=v1.3.0
+ - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0
  env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  with:

.github/workflows/github.stale.yaml

@@ -0,0 +1,25 @@
+---
+name: '[bot] Close stale issues and PRs'
+on:
+ schedule:
+ - cron: '0 0 * * *'
+
+jobs:
+ stale:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ issues: write
+ pull-requests: write
+ steps:
+ - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0
+ with:
+ days-before-close: 7
+ days-before-stale: 30
+ exempt-issue-labels: no-stale
+ exempt-pr-labels: no-stale
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ stale-issue-label: status/stale
+ stale-issue-message: 'This issue has been automatically marked as stale because it has not had recent activity. If the issue still persists, please leave a comment and it will be reopened.'
+ stale-pr-label: status/stale
+ stale-pr-message: 'This pull request has been automatically marked as stale because it has not had recent activity. If the pull request still needs attention, please leave a comment and it will be reopened.'

.github/workflows/security.terraform.yaml

@@ -0,0 +1,16 @@
+name: Security hardening (Terraform)
+
+on:
+ pull_request:
+
+jobs:
+ trivy:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+ - uses: aquasecurity/trivy-action@b77b85c0254bba6789e787844f0585cde1e56320 # v0.13.0
+ with:
+ scan-type: config
+ scan-ref: .
+ exit-code: 1
+ severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL

.github/workflows/security.workflows.yaml

@@ -7,7 +7,20 @@ on:
 
 jobs:
  ci_harden_security:
- name: Security hardening
+ name: Github Action security hardening
+ runs-on: ubuntu-latest
  permissions:
  security-events: write
- uses: xunleii/github-actions-grimoire/.github/workflows/security.workflows.yaml@0ab2cd93e86642397ecdfb2da1e5b97594ab9905
+ steps:
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+
+ - name: Lint your Github Actions
+ run: |
+ curl -O https://raw.githubusercontent.com/rhysd/actionlint/main/.github/actionlint-matcher.json
+
+ echo "::add-matcher::actionlint-matcher.json"
+ bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+ ./actionlint -color
+
+ - name: Ensure SHA pinned actions
+ uses: zgosalvez/github-actions-ensure-sha-pinned-actions@6ca5574367befbc9efdb2fa25978084159c5902d # v1.3.0

.github/workflows/templates.terraform.pull_requests.lint.yaml

@@ -0,0 +1,121 @@
+name: IaaS - Terraform CI (for pull requests) - Lint
+
+on:
+ workflow_call:
+ inputs:
+ terraform_workdir:
+ description: Working directory where Terraform files are
+ required: false
+ default: "."
+ type: string
+ terraform_version:
+ description: Terraform version that should we use (latest by default)
+ required: false
+ type: string
+
+jobs:
+ # Terraform validate checks if your TF files are in a canonical format and without HCL issues
+ terraform_validate:
+ name: Terraform files validation
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
+ - uses: hashicorp/setup-terraform@bbe167fbdaa1a3bd046bdd70eba9dd3dddcca99c # tag=v2.0.2
+ with:
+ terraform_version: ${{ inputs.terraform_version }}
+ - name: Pre-hook Terraform workflow
+ id: pre
+ run: |
+ # Setup `workdir` suffix used to give more information during execution
+ if [[ '${{ inputs.terraform_workdir }}' == '.' ]]; then
+ echo "workdir=" >> "${GITHUB_OUTPUT}"
+ else
+ echo "workdir=(${{ inputs.terraform_workdir }})" >> "${GITHUB_OUTPUT}"
+ fi
+
+ # --- `terraform fmt`
+ - name: Check if all Terraform configuration files are in a canonical format ${{ steps.pre.outputs.workdir }}
+ id: fmt
+ run: terraform fmt -check -recursive -diff -no-color
+ working-directory: ${{ inputs.terraform_workdir }}
+ - uses: marocchino/sticky-pull-request-comment@97bddef64db61b9d80edc69593cc4e4c415c3362 # tag=v2.2.1
+ if: failure() && steps.fmt.outcome == 'failure'
+ with:
+ recreate: true
+ header: tf::${{ steps.pre.outputs.workdir }}
+ message: |
+ # Terraform CI/CD ${{ steps.pre.outputs.workdir }}
+
+ - [ ] :paintbrush: Check if all Terraform configuration files are in a canonical format
+
+ ### 🚫 Failure reason
+ ```terraform
+ ${{ steps.fmt.outputs.stdout }}
+ ```
+ <br/>
+
+ > _Report based on commit ${{ github.sha }} (authored by **@${{ github.actor }}**). See [`actions#${{ github.run_id }}`](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) for more details._
+
+ # --- `terraform init`
+ - name: Initialize Terraform working directory ${{ steps.pre.outputs.workdir }}
+ id: init
+ env:
+ TF_IN_AUTOMATION: yes
+ run: terraform init -no-color -backend=false
+ working-directory: ${{ inputs.terraform_workdir }}
+ - uses: marocchino/sticky-pull-request-comment@97bddef64db61b9d80edc69593cc4e4c415c3362 # tag=v2.2.1
+ if: failure() && steps.init.outcome == 'failure'
+ with:
+ recreate: true
+ header: tf::${{ steps.pre.outputs.workdir }}
+ message: |
+ # Terraform CI/CD ${{ steps.pre.outputs.workdir }}
+
+ - [x] :paintbrush: Check if all Terraform configuration files are in a canonical format
+ - [ ] :hammer_and_wrench: Validate the configuration files
+
+ ### 🚫 Failure reason
+ ```
+ ${{ steps.init.outputs.stderr }}
+ ```
+ <br/>
+
+ > _Report based on commit ${{ github.sha }} (authored by **@${{ github.actor }}**). See [`actions#${{ github.run_id }}`](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) for more details._
+
+ # --- `terraform validate`
+ - name: Validate the configuration files ${{ steps.pre.outputs.workdir }}
+ id: validate
+ env:
+ TF_IN_AUTOMATION: yes
+ run: terraform validate -no-color
+ working-directory: ${{ inputs.terraform_workdir }}
+ - uses: marocchino/sticky-pull-request-comment@97bddef64db61b9d80edc69593cc4e4c415c3362 # tag=v2.2.1
+ if: failure() && steps.validate.outcome == 'failure'
+ with:
+ recreate: true
+ header: tf::${{ steps.pre.outputs.workdir }}
+ message: |
+ # Terraform CI/CD ${{ steps.pre.outputs.workdir }}
+
+ - [x] :paintbrush: Check if all Terraform configuration files are in a canonical format
+ - [ ] :hammer_and_wrench: Validate the configuration files
+
+ ### 🚫 Failure reason
+ ```
+ ${{ steps.validate.outputs.stderr }}
+ ```
+ <br/>
+
+ > _Report based on commit ${{ github.sha }} (authored by **@${{ github.actor }}**). See [`actions#${{ github.run_id }}`](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) for more details._
+ - uses: marocchino/sticky-pull-request-comment@97bddef64db61b9d80edc69593cc4e4c415c3362 # tag=v2.2.1
+ if: success()
+ with:
+ recreate: true
+ header: tf::${{ steps.pre.outputs.workdir }}
+ message: |
+ # Terraform CI/CD ${{ steps.pre.outputs.workdir }}
+
+ - [x] :paintbrush: Check if all Terraform configuration files are in a canonical format
+ - [x] :hammer_and_wrench: Validate the configuration files
+
+ > _Report based on commit ${{ github.sha }} (authored by **@${{ github.actor }}**). See [`actions#${{ github.run_id }}`](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) for more details._