Merge pull request #1 from edgefarm/management-cluster

feat(ops.management-cluster): shared terraform workflows

.github/workflows/commitlint.yml

@@ -0,0 +1,13 @@
+name: Lint Commit Messages
+on:
+  pull_request:
+    branches:
+      - "**"
+jobs:
+  commitlint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - uses: wagoid/commitlint-github-action@v4

.github/workflows/management-cluster-terraform-apply-on-hcloud.yaml

@@ -0,0 +1,78 @@
+name: "terraform apply on hcloud"
+
+on:
+  workflow_call:
+    inputs:
+      workspace:
+        required: true
+        type: string
+      var_file:
+        required: true
+        type: string
+      prefix:
+        required: true
+        type: string
+      environment:
+        required: true
+        type: string
+    secrets:
+      tf_api_token:
+        required: true
+      hcloud_secret:
+        required: true
+      hcloud_ssh_key_private:
+        required: true
+      hcloud_ssh_key_public:
+        required: true
+
+jobs:
+  terraform:
+    name: "Terraform"
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+
+    # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
+    defaults:
+      run:
+        shell: bash
+
+    steps:
+      # Checkout the repository to the GitHub Actions runner
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v1
+        with:
+          cli_config_credentials_token: ${{ secrets.tf_api_token }}
+
+      # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
+      - name: Terraform Init
+        run: TF_WORKSPACE=fallback terraform init -input=false
+
+      # Selecting correct workspace (and create if not exist)
+      - name: Terraform Workspace Select
+        run: terraform workspace select ${{ inputs.workspace }} || terraform workspace new ${{ inputs.workspace }}
+
+      # Checks that all Terraform configuration files adhere to a canonical format
+      - name: Terraform Format
+        run: terraform fmt -check
+
+      # Generates an execution plan for Terraform
+      - name: Terraform Plan
+        run: |
+          terraform plan -var-file=${{ inputs.var_file }} \
+            -var prefix="${{ inputs.prefix }}" \
+            -var hcloud_secret="${{ secrets.hcloud_secret }}" \
+            -var hcloud_ssh_key_private="${{ secrets.hcloud_ssh_key_private }}" \
+            -var hcloud_ssh_key_public="${{ secrets.hcloud_ssh_key_public }}"
+
+        # On push to branch, build or change infrastructure according to Terraform configuration files
+      - name: Terraform Apply
+        run: |
+          terraform apply -auto-approve -var-file=${{ inputs.var_file }} \
+            -var prefix="${{ inputs.prefix }}" \
+            -var hcloud_secret="${{ secrets.hcloud_secret }}" \
+            -var hcloud_ssh_key_private="${{ secrets.hcloud_ssh_key_private }}" \
+            -var hcloud_ssh_key_public="${{ secrets.hcloud_ssh_key_public }}"

.github/workflows/management-cluster-terraform-destroy-and-delete-workspace.yaml

@@ -0,0 +1,55 @@
+name: "management cluster terraform destroy and delete workspace"
+
+on:
+  workflow_call:
+    inputs:
+      workspace:
+        required: true
+        type: string
+      var_file:
+        required: true
+        type: string
+      environment:
+        required: true
+        type: string
+    secrets:
+      tf_api_token:
+        required: true
+
+jobs:
+  terraform:
+    name: "Terraform"
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+
+
+    # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
+    defaults:
+      run:
+        shell: bash
+
+    steps:
+      # Checkout the repository to the GitHub Actions runner
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v1
+        with:
+          cli_config_credentials_token: ${{ secrets.tf_api_token }}
+
+      # Selecting correct workspace
+      - name: Terraform Workspace Select
+        run: terraform workspace select ${{ inputs.workspace }}
+
+      # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
+      - name: Terraform Init
+        run: terraform init
+
+      # Destroy
+      - name: Terraform Destroy
+        run: terraform destroy -auto-approve
+
+      - name: Terraform Workspace delete
+        run: terraform workspace delete -force ${{ inputs.workspace }}

.github/workflows/management-cluster-terraform-plan-on-hcloud.yaml

@@ -0,0 +1,69 @@
+name: "management cluster terraform plan on hcloud"
+
+on:
+  workflow_call:
+    inputs:
+      workspace:
+        required: true
+        type: string
+      var_file:
+        required: true
+        type: string
+      prefix:
+        required: true
+        type: string
+      environment:
+        required: true
+        type: string
+    secrets:
+      tf_api_token:
+        required: true
+      hcloud_secret:
+        required: true
+      hcloud_ssh_key_private:
+        required: true
+      hcloud_ssh_key_public:
+        required: true
+
+jobs:
+  terraform:
+    name: "Terraform"
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+
+    # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
+    defaults:
+      run:
+        shell: bash
+
+    steps:
+      # Checkout the repository to the GitHub Actions runner
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v1
+        with:
+          cli_config_credentials_token: ${{ secrets.tf_api_token }}
+
+      # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
+      - name: Terraform Init
+        run: TF_WORKSPACE=fallback terraform init -input=false
+
+      # Selecting correct workspace (and create if not exist)
+      - name: Terraform Workspace Select
+        run: terraform workspace select ${{ inputs.workspace }} || terraform workspace new ${{ inputs.workspace }}
+
+      # Checks that all Terraform configuration files adhere to a canonical format
+      - name: Terraform Format
+        run: terraform fmt -check
+
+      # Generates an execution plan for Terraform
+      - name: Terraform Plan
+        run: |
+          terraform plan -var-file=${{ inputs.var_file }} \
+            -var prefix="${{ inputs.prefix }}" \
+            -var hcloud_secret="${{ secrets.hcloud_secret }}" \
+            -var hcloud_ssh_key_private="${{ secrets.hcloud_ssh_key_private }}" \
+            -var hcloud_ssh_key_public="${{ secrets.hcloud_ssh_key_public }}"

.github/workflows/release.yml

@@ -0,0 +1,20 @@
+name: Release
+on:
+  push:
+    branches:
+      - main
+      - beta
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: Release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: npx semantic-release

.gitignore

@@ -0,0 +1,39 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+# *.tfvars
+# *.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+# git cz
+node_modules
+package-lock.json
+package.json

.mdl_style.rb

@@ -0,0 +1,3 @@
+all
+
+rule 'MD013', :line_length => 120

.mdlrc

@@ -0,0 +1 @@
+style '.mdl_style.rb'

.pre-commit-config.yaml

@@ -0,0 +1,36 @@
+exclude: "(?x)^(.*/base/charts/.*)"
+repos:
+  # general stuff
+  - repo: git://github.com/pre-commit/pre-commit-hooks
+    rev: v4.0.1
+    hooks:
+      # Git style
+      - id: check-added-large-files
+      - id: check-merge-conflict
+      - id: check-vcs-permalinks
+      - id: forbid-new-submodules
+      - id: no-commit-to-branch
+
+      # Common errors
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+        args: [--markdown-linebreak-ext=md]
+      - id: check-yaml
+        exclude: "(?x)^(.*/delete-.*.yaml)"
+      - id: check-merge-conflict
+      - id: check-executables-have-shebangs
+
+  # security scans for infrastructure
+  - repo: https://github.com/bridgecrewio/checkov.git
+    rev: "2.0.1037"
+    hooks:
+      - id: checkov
+
+  # scanning for terraform issues
+  - repo: git://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.50.0
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_validate
+      - id: terraform_docs
+      - id: terraform_tfsec

.releaserc.yaml

@@ -0,0 +1,8 @@
+branches:
+  - name: "main"
+  - name: "beta"
+    prerelease: true
+plugins:
+  - "@semantic-release/commit-analyzer"
+  - "@semantic-release/release-notes-generator"
+  - "@semantic-release/github"

README.md

@@ -1,2 +1,5 @@
 # ops.gh-workflows
+
 shared github workflows, only for internal usage
+
+note: needs to be public for sharing workspaces