navapbc · doshitan · Jan 2, 2025 · Jan 3, 2025 · Jan 3, 2025 · Jan 3, 2025
@@ -3,7 +3,7 @@ description: "Set up Terraform with the version stored in the .terraform-version
 inputs:
   version-file:
     description: "File containing the terraform version to use."
-    default: ".terraform-version"
+    default: "./templates/base/.terraform-version"
 runs:
   using: "composite"
   steps:

@@ -16,4 +16,4 @@ jobs:
       - uses: gaurav-nelson/[email protected]
         with:
           use-quiet-mode: "yes" # errors only.
-          config-file: ".github/workflows/markdownlint-config.json"
+          config-file: "templates/base/.github/workflows/markdownlint-config.json"
@@ -5,14 +5,16 @@ on:
     branches:
       - main
     paths:
-      - bin/**
-      - infra/**
       - .github/workflows/**
+      - templates/*/.github/workflows/**
+      - templates/*/bin/**
+      - templates/*/infra/**
   pull_request:
     paths:
-      - bin/**
-      - infra/**
       - .github/workflows/**
+      - templates/*/.github/workflows/**
+      - templates/*/bin/**
+      - templates/*/infra/**
 
 jobs:
   lint-github-actions:
@@ -35,31 +37,25 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Shellcheck
-        run: make infra-lint-scripts
+        run: make -f template-only.mak infra-lint-scripts
   check-terraform-format:
     name: Check Terraform format
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: hashicorp/setup-terraform@v2
-        with:
-          terraform_version: 1.8.3
-          terraform_wrapper: false
+      - uses: ./.github/actions/setup-terraform
       - name: Run infra-lint-terraform
         run: |
           echo "If this fails, run 'make infra-format'"
-          make infra-lint-terraform
+          make -f template-only.mak infra-lint-terraform
   validate-terraform:
     name: Validate Terraform modules
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: hashicorp/setup-terraform@v2
-        with:
-          terraform_version: 1.8.3
-          terraform_wrapper: false
+      - uses: ./.github/actions/setup-terraform
       - name: Validate
-        run: make infra-validate-modules
+        run: make -f template-only.mak infra-validate-modules
   check-compliance-with-checkov:
     name: Check compliance with checkov
     runs-on: ubuntu-latest
@@ -76,7 +72,8 @@ jobs:
         # In this case, checkov-action v12.2296.0 is mapped to checkov v2.3.194.
         uses: bridgecrewio/[email protected]
         with:
-          directory: infra
+          # TODO: need to run different steps for templates/*/infra?
+          # directory: infra
           framework: terraform
           quiet: true # only displays failed checks
   check-compliance-with-tfsec:

@@ -6,8 +6,8 @@ on:
       - main
   pull_request:
     paths:
-      - bin/**
-      - infra/**
+      - templates/*/bin/**
+      - templates/*/infra/**
       - template-only-bin/**
       - template-only-infra/**
       - template-only-test/**
@@ -40,7 +40,7 @@ jobs:
       - name: Set up Terraform
         uses: ./template-infra/.github/actions/setup-terraform
         with:
-          version-file: ./template-infra/.terraform-version
+          version-file: ./template-infra/templates/base/.terraform-version
 
       - uses: actions/setup-go@v5
         with:

@@ -100,10 +100,4 @@ _skip_if_exists:
   - "/{{ app_name }}/"
   - "/{{ app_name }}/Makefile"
 
-_exclude:
-  - /.git
-  - /copier.yml
-  - /CODEOWNERS
-  - /CONTRIBUTING.md
-  - /LICENSE.md
-  - /README.md
+_subdirectory: templates/{{ template }}
@@ -1,5 +1,5 @@
 # Run `make update-docker-digest` to update the image
-FROM python:3-alpine@sha256:657dbdb20479a6523b46c06114c8fec7db448232f956a429d3cc0606d30c1b59 as release
+FROM python:3-alpine@sha256:657dbdb20479a6523b46c06114c8fec7db448232f956a429d3cc0606d30c1b59 AS release
 
 RUN adduser --system --disabled-password --no-create-home app
 

@@ -3,6 +3,6 @@
 [Pull request environments](/docs/infra/pull-request-environments.md) are temporary environments that exist during a pull request. Enable them after [setting up the app environment](/docs/infra/set-up-app-env.md):
 
 - In [ci-{{app_name}}-pr-environment-checks.yml](/.github/workflows/ci-{{app_name}}-pr-environment-checks.yml.jinja) and [ci-{{app_name}}-pr-environment-destroy.yml](/.github/workflows/ci-{{app_name}}-pr-environment-destroy.yml.jinja), search for `!!`.
-- Uncomment the PR environment triggers for spot testing. Run `nava-platform infra update --answers-only --data app_has_dev_env_setup=true .` to consistently enable things.
+- Uncomment the PR environment triggers for spot testing. Run `nava-platform infra update-app --answers-only --data app_has_dev_env_setup=true . <APP_NAME>` to consistently enable things.
 
 You can verify that PR environments are working by opening a new PR and waiting for the "PR Environment Update" job to finish.
@@ -3,12 +3,30 @@
 
 PROJECT_NAME ?= platform-template-infra
 
+MODULES := $(notdir $(wildcard templates/base/infra/modules/*))
+
 .PHONY : \
   clean \
 	test \
 	setup-app-backends \
 	destroy-account
 
+infra-lint-scripts: ## Lint shell scripts
+	shellcheck templates/*/bin/**
+
+infra-lint-terraform: ## Lint Terraform code
+	terraform fmt -recursive -check templates/*/infra
+
+# The prerequisite for this rule is obtained by
+# prefixing each module with the string "infra-validate-module-"
+infra-validate-modules: ## Run terraform validate on reusable child modules
+infra-validate-modules: $(patsubst %, infra-validate-module-%, $(MODULES))
+
+infra-validate-module-%:
+	@echo "Validate library module: $*"
+	terraform -chdir=templates/base/infra/modules/$* init -backend=false
+	terraform -chdir=templates/base/infra/modules/$* validate
+
 lint-template-scripts: ## Lint template only scripts
 	shellcheck template-only-bin/**
 

@@ -16,7 +16,7 @@ on:
   # !! Once you've set up the dev environment and are ready to enable continuous
   # deployment, run:
   #
-  # nava-platform infra update --answers-only --data app_has_dev_env_setup=true .
+  # nava-platform infra update-app --answers-only --data app_has_dev_env_setup=true . {{app_name}}
   #
   # to enable these lines. They are here as comments for context.
   #

@@ -20,7 +20,7 @@ on:
   # !! Once you've set up the dev environment and are ready to enable automated
   # infra tests, run:
   #
-  # nava-platform infra update --answers-only --data app_has_dev_env_setup=true .
+  # nava-platform infra update-app --answers-only --data app_has_dev_env_setup=true . {{app_name}}
   #
   # to enable these lines. They are here as comments for context.
   #

@@ -14,7 +14,7 @@ on:
   # !! Once you've set up the dev environment and are ready to enable PR
   # environments, run:
   #
-  # nava-platform infra update --answers-only --data app_has_dev_env_setup=true .
+  # nava-platform infra update-app --answers-only --data app_has_dev_env_setup=true . {{app_name}}
   #
   # to enable these lines. They are here as comments for context.
   #

@@ -12,7 +12,7 @@ on:
   # !! Once you've set up the dev environment and are ready to enable PR
   # environments, run:
   #
-  # nava-platform infra update --answers-only --data app_has_dev_env_setup=true .
+  # nava-platform infra update-app --answers-only --data app_has_dev_env_setup=true . {{app_name}}
   #
   # to enable these lines. They are here as comments for context.
   #

@@ -0,0 +1,21 @@
+name: "Set up Terraform"
+description: "Set up Terraform with the version stored in the .terraform-version file"
+inputs:
+  version-file:
+    description: "File containing the terraform version to use."
+    default: ".terraform-version"
+runs:
+  using: "composite"
+  steps:
+    - name: Get Terraform version
+      id: get-terraform-version
+      run: |
+        terraform_version="$(cat ${{ inputs.version-file }})"
+        echo "Terraform version: ${terraform_version}"
+        echo "terraform_version=${terraform_version}" >> "$GITHUB_OUTPUT"
+      shell: bash
+    - name: Set up Terraform
+      uses: hashicorp/setup-terraform@v2
+      with:
+        terraform_version: ${{ steps.get-terraform-version.outputs.terraform_version }}
+        terraform_wrapper: false
@@ -0,0 +1,15 @@
+## Ticket
+
+Resolves #{TICKET NUMBER OR URL}
+
+## Changes
+
+> What was added, updated, or removed in this PR.
+
+## Context for reviewers
+
+> Testing instructions, background context, more in-depth details of the implementation, and anything else you'd like to call out or ask reviewers.
+
+## Testing
+
+> Provide evidence that the code works as expected. Explain what was done for testing and the results of the test plan. Include screenshots, [GIF demos](https://www.cockos.com/licecap/), shell commands or output to help show the changes working as expected. ProTip: you can drag and drop or paste images into this textbox.
@@ -10,11 +10,11 @@ Each app should have:
 
 - `ci-<APP_NAME>`: must be created; should run linting and testing
 - `ci-<APP_NAME>-vulnerability-scans`: calls `vulnerability-scans`
-  - Based on [ci-{{app_name}}-vulnerability-scans](https://github.com/navapbc/template-infra/blob/main/.github/workflows/ci-{{app_name}}-vulnerability-scans.yml.jinja)
+  - Based on [ci-{{app_name}}-vulnerability-scans](https://github.com/navapbc/template-infra/blob/main/templates/app/.github/workflows/ci-{{app_name}}-vulnerability-scans.yml.jinja)
 - `ci-<APP_NAME>-pr-environment-checks.yml`: calls `pr-environment-checks.yml` to create or update a pull request environment (see [pull request environments](/docs/infra/pull-request-environments.md))
-  - Based on [ci-{{app_name}}-pr-environment-checks.yml](https://github.com/navapbc/template-infra/blob/main/.github/workflows/ci-{{app_name}}-pr-environment-checks.yml.jinja)
+  - Based on [ci-{{app_name}}-pr-environment-checks.yml](https://github.com/navapbc/template-infra/blob/main/templates/app/.github/workflows/ci-{{app_name}}-pr-environment-checks.yml.jinja)
 - `ci-<APP_NAME>-pr-environment-destroy.yml`: calls `pr-environment-destroy.yml` to destroy the pull request environment (see [pull request environments](/docs/infra/pull-request-environments.md))
-  - Based on [ci-{{app_name}}-pr-environment-destroy.yml](https://github.com/navapbc/template-infra/blob/main/.github/workflows/ci-{{app_name}}-pr-environment-destroy.yml.jinja)
+  - Based on [ci-{{app_name}}-pr-environment-destroy.yml](https://github.com/navapbc/template-infra/blob/main/templates/app/.github/workflows/ci-{{app_name}}-pr-environment-destroy.yml.jinja)
 
 ### App-agnostic workflows
 
@@ -27,7 +27,7 @@ Each app should have:
 Each app should have:
 
 - `cd-<APP_NAME>`: deploys an application
-  - Based on [`cd-{{app_name}}`](https://github.com/navapbc/template-infra/blob/main/.github/workflows/cd-{{app_name}}.yml.jinja)
+  - Based on [`cd-{{app_name}}`](https://github.com/navapbc/template-infra/blob/main/templates/app/.github/workflows/cd-{{app_name}}.yml.jinja)
 
 The CD workflow uses these reusable workflows:
 

@@ -0,0 +1,19 @@
+name: CI Documentation Checks
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  lint-markdown:
+    name: Lint markdown
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      # This is the GitHub Actions-friendly port of the linter used in the Makefile.
+      - uses: gaurav-nelson/[email protected]
+        with:
+          use-quiet-mode: "yes" # errors only.
+          config-file: ".github/workflows/markdownlint-config.json"
@@ -0,0 +1,89 @@
+name: CI Infra Checks
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - bin/**
+      - infra/**
+      - .github/workflows/**
+  pull_request:
+    paths:
+      - bin/**
+      - infra/**
+      - .github/workflows/**
+
+jobs:
+  lint-github-actions:
+    # Lint github actions files using https://github.com/rhysd/actionlint
+    # This job configuration is largely copied from https://github.com/rhysd/actionlint/blob/main/docs/usage.md#use-actionlint-on-github-actions
+    name: Lint GitHub Actions workflows
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Download actionlint
+        id: get_actionlint
+        run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+        shell: bash
+      - name: Check workflow files
+        run: ${{ steps.get_actionlint.outputs.executable }} -color
+        shell: bash
+  lint-scripts:
+    name: Lint scripts
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Shellcheck
+        run: make infra-lint-scripts
+  check-terraform-format:
+    name: Check Terraform format
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-terraform
+      - name: Run infra-lint-terraform
+        run: |
+          echo "If this fails, run 'make infra-format'"
+          make infra-lint-terraform
+  validate-terraform:
+    name: Validate Terraform modules
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-terraform
+      - name: Validate
+        run: make infra-validate-modules
+  check-compliance-with-checkov:
+    name: Check compliance with checkov
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+      - name: Run Checkov check
+        # Pin to specific checkov version rather than running from checkov@master
+        # since checkov frequently adds new checks that can cause CI checks to fail unpredictably.
+        # There is currently no way to specify the checkov version to pin to (See https://github.com/bridgecrewio/checkov-action/issues/41)
+        # so we need to pin the version of the checkov-action, which indirectly pins the checkov version.
+        # In this case, checkov-action v12.2296.0 is mapped to checkov v2.3.194.
+        uses: bridgecrewio/[email protected]
+        with:
+          directory: infra
+          framework: terraform
+          quiet: true # only displays failed checks
+  check-compliance-with-tfsec:
+    name: Check compliance with tfsec
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run tfsec check
+        uses: aquasecurity/[email protected]
+        with:
+          github_token: ${{ github.token }}
@@ -0,0 +1,20 @@
+# Ignore Terraform lock files
+# As of Feb 2023, Terraform lock files, while well intentioned, have a tendency
+# to get into a confusing state that requires recreating the lock file, which
+# defeats the purpose. Moreover, lock files are per environment, which can make
+# it difficult for people to upgrade dependencies (e.g. upgrade an AWS provider)
+# across environments if certain environments are locked down (e.g. production).
+.terraform.lock.hcl
+
+# MacOS files
+.DS_Store
+
+# Ignore develop-specific VS code settings files
+.vscode
+
+# Ignore local environment variables which can contain environment secrets
+.env
+.envrc
+
+# Python testing stuff
+*__pycache__*
@@ -0,0 +1,2 @@
+# Changes here will be overwritten by Copier
+{{ _copier_answers|to_nice_yaml -}}
@@ -0,0 +1,2 @@
+__pycache__
+vendor/
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# Changes here will be overwritten by Copier
		{{ _copier_answers\|to_nice_yaml -}}