diff --git a/.ansible-lint b/.ansible-lint
new file mode 100644
index 0000000..0e80b05
--- /dev/null
+++ b/.ansible-lint
@@ -0,0 +1,22 @@
+---
+# See https://ansible-lint.readthedocs.io/en/latest/configuring.html
+# for a list of the configuration elements that can exist in this
+# file.
+enable_list:
+  # Useful checks that one must opt-into. See here for more details:
+  # https://ansible-lint.readthedocs.io/en/latest/rules.html
+  - fcqn-builtins
+  - no-log-password
+  - no-same-owner
+exclude_paths:
+  # This exclusion is implicit, unless exclude_paths is defined
+  - .cache
+  # Seems wise to ignore this too
+  - .github
+kinds:
+  # This will force our systemd specific molecule configurations to be treated
+  # as plain yaml files by ansible-lint. This mirrors the default kind
+  # configuration in ansible-lint for molecule configurations:
+  # yaml: "**/molecule/*/{base,molecule}.{yaml,yml}"
+  - yaml: "**/molecule/*/molecule-{no,with}-systemd.yml"
+use_default_rules: true
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index fa93c02..41a26d0 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -16,3 +16,8 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+
+  - package-ecosystem: "terraform"
+    directory: "/"
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c0c09c6..5d7494c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
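Review bot: `fcqn-builtins` in `enable_list` looks like a typo for `fqcn-builtins`, the ansible-lint v5 opt-in rule that requires `ansible.builtin.`-qualified module names; as far as I can tell ansible-lint does not reject an unknown id in `enable_list`, so as written that rule is silently never enabled. Change the entry to `  - fqcn-builtins`. The other two opt-ins are worth keeping, `no-log-password` in particular, since it flags tasks that would write a password into the Ansible log.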
@@ -41,22 +41,23 @@ jobs:
     name: "Lint sources"
     runs-on: ubuntu-latest
     steps:
-      - uses: cisagov/setup-env-github-action@develop
+      - id: setup-env
+        uses: cisagov/setup-env-github-action@develop
       - uses: actions/checkout@v2
       - id: setup-python
         uses: actions/setup-python@v2
         with:
           python-version: 3.9
-      # GO_VERSION and GOCACHE are used by the cache task, so the Go
-      # installation must happen before that.
+      # We need the Go version and Go cache location for the actions/cache step,
+      # so the Go installation must happen before that.
       - uses: actions/setup-go@v2
         with:
           go-version: '1.16'
       - name: Store installed Go version
+        id: go-version
         run: |
-          echo "GO_VERSION="\
-            "$(go version | sed 's/^go version go\([0-9.]\+\) .*/\1/')" \
-            >> $GITHUB_ENV
+          echo "::set-output name=version::"\
+            "$(go version | sed 's/^go version go\([0-9.]\+\) .*/\1/')"
       - name: Lookup Go cache directory
         id: go-cache
         run: |
@@ -65,9 +66,9 @@ jobs:
         env:
           BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
             py${{ steps.setup-python.outputs.python-version }}-\
-            go${{ env.GO_VERSION }}-\
-            packer${{ env.PACKER_VERSION }}-\
-            tf${{ env.TERRAFORM_VERSION }}-"
+            go${{ steps.go-version.outputs.version }}-\
+            packer${{ steps.setup-env.outputs.packer-version }}-\
+            tf${{ steps.setup-env.outputs.terraform-version }}-"
         with:
           # Note that the .terraform directory IS NOT included in the
           # cache because if we were caching, then we would need to use
@@ -89,6 +90,8 @@ jobs:
       - name: Setup curl cache
         run: mkdir -p ${{ env.CURL_CACHE_DIR }}
       - name: Install Packer
+        env:
+          PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }}
         run: |
           PACKER_ZIP="packer_${PACKER_VERSION}_linux_amd64.zip"
           curl --output ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \
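Review bot: `uses: cisagov/setup-env-github-action@develop` is a moving branch reference, and after this change its outputs decide which Packer, Terraform, shfmt and terraform-docs versions the job installs, so anyone who can push to that branch changes the toolchain this job runs without any change in this repository; pin it to a commit SHA (keeping the ref in a trailing comment) or at least to a release tag. The same applies, to a lesser degree, to the mutable `@v2` tags on `actions/checkout`, `actions/setup-python` and `actions/setup-go`. Separately, the new `Store installed Go version` step relies on the `::set-output` workflow command, which GitHub has since deprecated; the replacement is `echo "version=$(go version | sed 's/^go version go\([0-9.]\+\) .*/\1/')" >> "$GITHUB_OUTPUT"`, worth switching to if this workflow is still maintained.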
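Review bot: In `Install Packer` the archive is fetched with curl and, within this hunk, nothing verifies it before the rest of the step (outside the hunk) unzips it and symlinks it into `/usr/local/bin`; if the step does not already check the zip against the `packer_${PACKER_VERSION}_SHA256SUMS` file HashiCorp publishes alongside it, add `sha256sum --check --ignore-missing` on that file before extracting, all the more because the copy in `CURL_CACHE_DIR` is reused across runs. Passing `PACKER_VERSION` through the step's `env:` instead of interpolating `${{ }}` into the script is the right call and keeps the action output out of shell syntax.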
@@ -101,20 +104,17 @@ jobs:
           sudo ln -s /opt/packer/packer /usr/local/bin/packer
       - uses: hashicorp/setup-terraform@v1
         with:
-          terraform_version: ${{ env.TERRAFORM_VERSION }}
+          terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
       - name: Install shfmt
-        run: go install mvdan.cc/sh/v3/cmd/shfmt@${SHFMT_VERSION}
+        env:
+          PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt
+          PACKAGE_VERSION: ${{ steps.setup-env.outputs.shfmt-version }}
+        run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
       - name: Install Terraform-docs
-        run: |
-          go install \
-            github.com/terraform-docs/terraform-docs@${TERRAFORM_DOCS_VERSION}
-      - name: Find and initialize Terraform directories
-        run: |
-          for path in $(find . -not \( -type d -name ".terraform" -prune \) \
-            -type f -iname "*.tf" -exec dirname "{}" \; | sort -u); do \
-            echo "Initializing '$path'..."; \
-            terraform init -input=false -backend=false "$path"; \
-          done
+        env:
+          PACKAGE_URL: github.com/terraform-docs/terraform-docs
+          PACKAGE_VERSION: ${{ steps.setup-env.outputs.terraform-docs-version }}
+        run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 83aaf60..09f9cec 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -5,7 +5,7 @@ default_language_version:
 
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.0.1
+    rev: v4.1.0
     hooks:
       - id: check-case-conflict
       - id: check-executables-have-shebangs
@@ -32,17 +32,17 @@ repos:
 
   # Text file hooks
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.28.1
+    rev: v0.30.0
     hooks:
       - id: markdownlint
         args:
           - --config=.mdl_config.yaml
   - repo: https://github.com/pre-commit/mirrors-prettier
-    rev: v2.3.2
+    rev: v2.5.1
     hooks:
       - id: prettier
   - repo: https://github.com/adrienverge/yamllint
-    rev: v1.26.2
+    rev: v1.26.3
     hooks:
       - id: yamllint
         args:
@@ -50,7 +50,7 @@ repos:
 
   # pre-commit hooks
   - repo: https://github.com/pre-commit/pre-commit
-    rev: v2.14.0
+    rev: v2.16.0
     hooks:
       - id: validate_manifest
@@ -76,7 +76,7 @@ repos:
 
   # Python hooks
   - repo: https://github.com/PyCQA/bandit
-    rev: 1.7.0
+    rev: 1.7.1
     hooks:
       - id: bandit
         name: bandit (tests tree)
@@ -91,7 +91,7 @@ repos:
         name: bandit (everything else)
         exclude: tests
   - repo: https://github.com/psf/black
-    rev: 21.7b0
+    rev: 21.12b0
     hooks:
       - id: black
   - repo: https://gitlab.com/pycqa/flake8
@@ -101,48 +101,31 @@ repos:
         additional_dependencies:
           - flake8-docstrings
   - repo: https://github.com/PyCQA/isort
-    rev: 5.9.3
+    rev: 5.10.1
     hooks:
       - id: isort
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v0.910
+    rev: v0.931
     hooks:
       - id: mypy
   - repo: https://github.com/asottile/pyupgrade
-    rev: v2.23.3
+    rev: v2.31.0
     hooks:
       - id: pyupgrade
 
   # Ansible hooks
   - repo: https://github.com/ansible-community/ansible-lint
-    # This is intentionally being held back because of issues in v5 per
-    # https://github.com/cisagov/skeleton-ansible-role/issues/69
-    rev: v4.3.7
+    rev: v5.3.2
     hooks:
       - id: ansible-lint
       # files: molecule/default/playbook.yml
 
   # Terraform hooks
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.50.0
+    rev: v1.62.3
     hooks:
       - id: terraform_fmt
-      # There are ongoing issues with how this command works. This issue
-      # documents the core issue:
-      # https://github.com/hashicorp/terraform/issues/21408
-      # We have seen issues primarily with proxy providers and Terraform code
-      # that uses remote state. The PR
-      # https://github.com/hashicorp/terraform/pull/24887
-      # has been approved and is part of the 0.13 release to resolve the issue
-      # with remote states.
-      # The PR
-      # https://github.com/hashicorp/terraform/pull/24896
-      # is a proprosed fix to deal with `terraform validate` with proxy
-      # providers (among other configurations).
-      # We have decided to disable the terraform_validate hook until the issues
-      # above have been resolved, which we hope will be with the release of
-      # Terraform 0.13.
-      # - id: terraform_validate
+      - id: terraform_validate
 
   # Docker hooks
   - repo: https://github.com/IamTheFij/docker-pre-commit
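Review bot: Re-enabling `terraform_validate` deletes the whole rationale for why it had been disabled but adds nothing recording why it is now safe; a one-line comment above the hook would keep that context, e.g. `# Re-enabled: the remote-state/proxy-provider init problems (hashicorp/terraform#21408) were fixed in Terraform 0.13.` If, as I recall, this hook runs `terraform init` itself, then any Terraform directory without a committed `.terraform.lock.hcl` will fetch providers unpinned on every commit; that lives outside this hunk and is worth confirming. The ansible-lint bump has the same gap: the removed comment explained why v4 was held back, and a short note that cisagov/skeleton-ansible-role#69 is resolved would close the loop.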