Merge branch 'main' into fix-ssh-key

Signed-off-by: Chris Harrison <36608309+chris3ware@users.noreply.github.com>

.github/workflows/tofu-ci-reuse.yaml

@@ -3,6 +3,10 @@ name: OpenTofu CI
 on:
   workflow_call:
     inputs:
+      environment:
+        description: GitHub repository deployment environment
+        required: false
+        type: string
       tf-directory:
         description: Terraform / OpenTofu working directory
         required: true
@@ -11,16 +15,18 @@ on:
       backend-credentials:
         description: Credentials required to initialise the tf backend
         required: true
-      aws-oidc-role:
-        description: AWS role to assume to deploy resources
+      provider-credentials:
+        description: Credentials required to authenticate with provider
         required: true
 
 # Disable permissions for all available scopes
 permissions: {}
 
 jobs:
   plan-and-apply:
-    name: Plan / Apply OpenTofu changes
+    environment:
+      name: ${{ inputs.environment }}
+    name: Plan and Apply OpenTofu changes
     permissions:
       actions: read # Required to download repository artifact.
       checks: write # Required to add status summary.
@@ -42,7 +48,7 @@ jobs:
         uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           aws-region: us-east-1
-          role-to-assume: ${{ secrets.aws-oidc-role }}
+          role-to-assume: ${{ secrets.provider-credentials }}
 
       - name: Setup OpenTofu
         uses: opentofu/setup-opentofu@12f4debbf681675350b6cd1f0ff8ecfbda62027b # v1.0.4

.github/workflows/tofu-ci.yaml

@@ -5,13 +5,13 @@ on:
     types: [opened, synchronize]
     branches: [main]
     paths:
-      - "**/*.tf"
-      - "**.*.tfvars"
+      - tf/**/*.tf
+      - tf/**.*.tfvars
   push:
     branches: [main]
     paths:
-      - "**/*.tf"
-      - "**.*.tfvars"
+      - tf/**/*.tf
+      - tf/**.*.tfvars
 
 # Disable permissions for all available scopes
 permissions: {}
@@ -21,8 +21,9 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  plan-and-apply:
-    name: Open Tofu CI
+  #TODO: Use find-terraform to get directory
+  plan-and-apply-dev:
+    name: Open Tofu CI Development
     permissions:
       actions: read # Required to download repository artifact.
       checks: write # Required to add status summary.
@@ -31,14 +32,35 @@ jobs:
       pull-requests: write # Required to add PR comment and label.
     uses: ./.github/workflows/tofu-ci-reuse.yaml
     with:
-      tf-directory: tf/dev/cdn
+      environment: development
+      tf-directory: tf/dev/vpc
     secrets:
       backend-credentials: ${{ secrets.TF_TOKEN_APP_TERRAFORM_IO }}
-      aws-oidc-role: ${{ secrets.AWS_ORG_OIDC_ROLE_ARN }}
+      provider-credentials: ${{ secrets.AWS_DEV_OIDC_ROLE_ARN }}
+
+    #TODO Copy files from dev to prod
+
+  plan-and-apply-prd:
+    needs: [plan-and-apply-dev]
+    if: ${{ github.ref == 'refs/heads/main'}}
+    name: Open Tofu CI Production
+    permissions:
+      actions: read # Required to download repository artifact.
+      checks: write # Required to add status summary.
+      contents: read # Required to checkout repository.
+      id-token: write # Required to authenticate via OIDC.
+      pull-requests: write # Required to add PR comment and label.
+    uses: ./.github/workflows/tofu-ci-reuse.yaml
+    with:
+      environment: production
+      tf-directory: tf/prd/vpc
+    secrets:
+      backend-credentials: ${{ secrets.TF_TOKEN_APP_TERRAFORM_IO }}
+      provider-credentials: ${{ secrets.AWS_PRD_OIDC_ROLE_ARN }}
 
   terraform-docs:
     if: ${{ github.event_name == 'push' }}
-    needs: plan-and-apply
+    needs: [plan-and-apply-prd]
     name: Terraform Docs
     uses: 3ware/workflows/.github/workflows/terraform-docs.yaml@22e03ff8b79ce67f4a5059d0d24c3d07d8d69b1b # v4.2.2
     secrets: inherit

.trunk/configs/.checkov.yaml

@@ -1,4 +1 @@
-skip-check:
-  - CKV_GIT_1 # Repos can be public
-  - CKV_GIT_5 # PRs only need 1 approval
-  - CKV2_GIT_1 # Disable as using repository rules
+skip-check: {}

.trunk/setup-ci/action.yaml

@@ -0,0 +1,31 @@
+name: Trunk Code Quality setup
+description: Set up dependencies for Trunk Code Quality
+
+runs:
+  using: composite
+  steps:
+    # Find tf working directory
+    - name: Get terraform working directory
+      id: tf-dir
+      uses: tj-actions/changed-files@4918e1183080b35a085c91c8abc9e6adc4de61a1 # v42.1.0
+      with:
+        files: |
+          tf/**/*.tf
+          tf/**/*.tfvars
+        dir_names: true
+
+    # Install OpenTofu
+    - name: Setup OpenTofu
+      if: ${{ steps.tf-dir.outputs.all_changed_files != '' }}
+      uses: opentofu/setup-opentofu@ae80d4ecaab946d8f5ff18397fbf6d0686c6d46a # v1.0.3
+
+    # Initialise OpenTofu in the directory where terraform file have changed.
+    - name: Initialise OpenTofu
+      if: ${{ steps.tf-dir.outputs.all_changed_files != '' }}
+      shell: bash
+      env:
+        TF_DIRS: ${{ steps.tf-dir.outputs.all_changed_files }}
+      run: |
+        for dir in ${TF_DIRS}; do
+          cd $GITHUB_WORKSPACE/$dir && tofu init --backend=false
+        done

tf/dev/cdn/providers.tf

@@ -1,12 +1,12 @@
 provider "aws" {
-  #profile = "ans-gen"
+  #profile = "3ware-dev"
   region = "us-east-1"
 
   default_tags {
     tags = {
       "3ware:project-id"      = "aws-network-speciality"
       "3ware:environment"     = var.environment
-      "3ware:service"         = "cdn"
+      "3ware:service"         = var.service
       "3ware:managed-by-tofu" = true
     }
   }
@@ -29,7 +29,7 @@ terraform {
     organization = "3ware"
     hostname     = "app.terraform.io"
     workspaces {
-      name = "aws-net-spec-cdn"
+      name = "aws-net-spec-${var.service}-${var.environment}"
     }
   }
 }

tf/dev/cdn/terraform.tfvars

@@ -1,3 +1,4 @@
+service = "cdn"
 # enable_cloudfront = true
 # demo_domain_name  = "your-demo-domain"
 # secure_s3_bucket  = true

tf/dev/cdn/variables.tf

@@ -8,7 +8,12 @@ variable "environment" {
     condition     = contains(["dev", "prd"], var.environment)
     error_message = "Invalid environment specified. Valid values are: \"dev\" and \"prd\""
   }
+}
 
+variable "service" {
+  description = "The AWS service being deployed"
+  type        = string
+  nullable    = false
 }
 
 variable "enable_cloudfront" {

tf/dev/vpc-peer/providers.tf

@@ -4,8 +4,8 @@ provider "aws" {
   default_tags {
     tags = {
       "3ware:project-id"       = "aws-network-speciality"
-      "3ware:environment-type" = "dev"
-      "3ware:service"          = "vpc-peer"
+      "3ware:environment-type" = var.environment
+      "3ware:service"          = var.service
       "3ware:tofu"             = true
     }
   }
@@ -29,7 +29,7 @@ terraform {
     hostname     = "app.terraform.io"
 
     workspaces {
-      name = "aws-net-spec-vpc-peer"
+      name = "aws-net-spec-${var.service}-${var.environment}"
     }
   }
 }

tf/dev/vpc-peer/terraform.tfvars

@@ -1,3 +1,6 @@
+environment = "dev"
+service     = "vpc-peer"
+
 vpc = {
   a4l-vpca = {
     cidr            = "10.16.0.0/16"

tf/dev/vpc-peer/variables.tf

@@ -1,3 +1,21 @@
+variable "environment" {
+  description = "The AWS environment to deploy resources to"
+  type        = string
+  default     = "dev"
+  nullable    = false
+
+  validation {
+    condition     = contains(["dev", "prd"], var.environment)
+    error_message = "Invalid environment specified. Valid values are: \"dev\" and \"prd\""
+  }
+}
+
+variable "service" {
+  description = "The AWS service being deployed"
+  type        = string
+  nullable    = false
+}
+
 variable "vpc" {
   description = "A map of VPCs to create"
   type = map(object({