merge main

Author: kayman-mk

.cspell.json

@@ -0,0 +1,36 @@
+{
+  "version": "0.2",
+  "language": "en",
+  "words": [
+    "amannn",
+    "anytrue",
+    "aquasecurity",
+    "awscli",
+    "backports",
+    "blockquotes",
+    "codeowners",
+    "concat",
+    "devskim",
+    "dind",
+    "gitter",
+    "kics",
+    "jsonencode",
+    "markdownlint",
+    "Niek",
+    "npalm",
+    "oxsecurity",
+    "shuf",
+    "signoff",
+    "substr",
+    "templatefile",
+    "terrascan",
+    "tfenv",
+    "tflint",
+    "tfsec",
+    "tfvars",
+    "tmpfs",
+    "trivy",
+    "userdata"
+  ],
+  "flagWords": []
+}

.github/workflows/ci.yml

@@ -1,16 +1,23 @@
+---
 name: CI
-on:
-  push:
-    branches:
-      - main
+
+on: # yamllint disable-line rule:truthy
   pull_request:
 
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   verify_module:
     name: Verify module
     strategy:
       matrix:
-        terraform: [1.3.9]
+        terraform: [ 1.3.9 ]
     runs-on: ubuntu-latest
     container:
       image: hashicorp/terraform:${{ matrix.terraform }}
@@ -24,14 +31,15 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        terraform: [1.3.9, latest]
+        terraform: [ 1.0.11, 1.3.9, latest ]
         example:
           [
             "runner-default",
             "runner-docker",
             "runner-multi-region",
             "runner-pre-registered",
             "runner-public",
+            "runner-certificates"
           ]
     defaults:
       run:
@@ -46,13 +54,89 @@ jobs:
         run: terraform fmt -recursive -check=true -write=false
       - run: terraform validate
 
+  linter:
+    name: MegaLinter
+    runs-on: ubuntu-latest
+    steps:
+      # Git Checkout
+      - name: Checkout Code
+        uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          fetch-depth: 0 # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to improve performances
+
+      # MegaLinter
+      - name: MegaLinter
+        id: ml
+        # You can override MegaLinter flavor used to have faster performances
+        # More info at https://megalinter.io/flavors/
+        uses: oxsecurity/megalinter@v6
+        env:
+          # All available variables are described in documentation
+          # https://megalinter.io/configuration/
+          VALIDATE_ALL_CODEBASE: false
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # ADD YOUR CUSTOM ENV VARIABLES HERE OR DEFINE THEM IN A FILE .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY
+          SPELL_CSPELL_FILTER_REGEX_EXCLUDE: (\.gitignore|.tflint.hcl|CHANGELOG.md)
+          # needed to avoid multiple error messages
+          TERRAFORM_TERRASCAN_ARGUMENTS: "--non-recursive"
+          # format issues fail the build
+          TERRAFORM_TERRAFORM_FMT_DISABLE_ERRORS: false
+          # ignore: "tags not used", "access analyzer not used", "shield advanced not used"
+          TERRAFORM_KICS_ARGUMENTS: "--exclude-queries e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10,e592a0c5-5bdb-414c-9066-5dba7cdea370,084c6686-2a70-4710-91b1-000393e54c12"
+          # it's an auto-generated file
+          MARKDOWN_MARKDOWNLINT_FILTER_REGEX_EXCLUDE: (CHANGELOG.md)
+          PAT: ${{ secrets.GITHUB_TOKEN }}
+          # automatically commit fixes to the feature branch
+          APPLY_FIXES: all
+          APPLY_FIXES_EVENT: pull_request
+          APPLY_FIXES_MODE: commit
+
+      # Upload MegaLinter artifacts
+      - name: Archive production artifacts
+        if: ${{ success() }} || ${{ failure() }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: MegaLinter reports
+          path: |
+            megalinter-reports
+            mega-linter.log
+
+  tflint:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        name: Checkout source code
+
+      - uses: actions/cache@v2
+        name: Cache plugin dir
+        with:
+          path: ~/.tflint.d/plugins
+          key: tflint-${{ hashFiles('.tflint.hcl') }}
+
+      - uses: terraform-linters/setup-tflint@v2
+        name: Setup TFLint
+        with:
+          tflint_version: latest
+
+      - name: Show version
+        run: tflint --version
+
+      - name: Init TFLint
+        run: tflint --init
+
+      - name: Run TFLint
+        run: tflint
+
   tfsec:
     name: tfsec PR commenter
     runs-on: ubuntu-latest
 
     steps:
       - name: Clone repo
-        uses: actions/checkout@master
+        uses: actions/checkout@v3
+
       - name: tfsec
         uses: aquasecurity/[email protected]
         with:

.github/workflows/lint_pr_title.yml

@@ -1,17 +1,25 @@
+---
 name: "Lint PR title"
+
 on:
-  pull_request_target:
+  pull_request:
     types:
       - opened
       - edited
       - synchronize
     branches-ignore:
       - 'release-please--branches--*'
 
+permissions: read-all
+
 jobs:
   main:
     name: Validate PR title
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
+      contents: read
+      statuses: write
     steps:
       - uses: amannn/action-semantic-pull-request@b6bca70dcd3e56e896605356ce09b76f7e1e0d39 # ratchet:amannn/action-semantic-pull-request@v5
         env:
@@ -59,7 +67,7 @@ jobs:
           # will suggest using that commit message instead of the PR title for the
           # merge commit, and it's easy to commit this by mistake. Enable this option
           # to also validate the commit message for one commit PRs.
-          validateSingleCommit: true
+          validateSingleCommit: false
           # Related to `validateSingleCommit` you can opt-in to validate that the PR
           # title matches a single commit to avoid confusion.
           validateSingleCommitMatchesPrTitle: false

.github/workflows/pr-opened.yml

@@ -1,12 +1,16 @@
+---
 name: PR opened
-on:
+
+on: # yamllint disable-line rule:truthy
   pull_request_target:
     # GITHUB_TOKEN is readonly and the action will fail for Dependabot
     branches-ignore:
       - 'dependabot/**'
     types:
       - opened
 
+permissions: read-all
+
 jobs:
   add-welcome-message:
     runs-on: ubuntu-latest
@@ -21,5 +25,18 @@ jobs:
               issue_number: context.issue.number,
               owner: context.repo.owner,
               repo: context.repo.repo,
-              body: 'Hey @${{ github.event.pull_request.user.login }}! 👋\n\nThank you for your contribution to the project. Please refer to the [contribution rules](${{ github.server_url }}/${{ github.repository }}/blob/main/CONTRIBUTING.md) for a quick overview of the process.\n\nMake sure that this PR clearly explains:\n\n- the problem being solved\n- the best way a reviewer and you can test your changes\n\nWith submitting this PR you confirm that you have the rights of the code added and agree that it will published under the [MIT license](${{ github.server_url }}/${{ github.repository }}/blob/main/LICENSE).\n\n_This message was generated automatically. You are welcome to [improve it](${{ github.server_url }}/${{ github.repository }}/blob/main/.github/workflows/pr-opened.yml)._'
+              body: 'Hey @${{ github.event.pull_request.user.login }}! \
+              \n\n \
+              👋Thank you for your contribution to the project. Please refer to the
+              [contribution rules](..//blob/main/CONTRIBUTION.md) for a quick overview of the process. \
+              \n\n \
+              Make sure that this PR clearly explains: \n \
+              - the problem being solved \n \
+              - the best way a reviewer and you can test your changes \n \
+              \n \
+              With submitting this PR you confirm that you hold the rights of the code added and agree \
+              that it will published under the [Apache 2.0 license](/blob/main/LICENSE). \
+              \n\n \
+              This message was generated automatically. You are welcome to \
+              [improve it](/blob/main/.github/workflows/new-pr-opened.yml)._'
             })

.github/workflows/release.yml

@@ -1,24 +1,31 @@
+---
 name: Release
-on:
+
+on: # yamllint disable-line rule:truthy
   push:
     branches:
       - main
-      
+
+permissions: read-all
+
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Get app installation token
         uses: npalm/action-app-token@dd4bb16d91ced5659bc618705c96b822c5a42136 # ratchet:npalm/[email protected]
         id: token
         with:
-          appId: ${{ secrets.APP_ID }}
-          appPrivateKeyBase64: ${{ secrets.APP_PRIVATE_KEY_BASE64 }}
+          appId: ${{ secrets.RELEASER_APP_ID }}
+          appPrivateKeyBase64: ${{ secrets.RELEASER_APP_PRIVATE_KEY_BASE64 }}
           appInstallationType: repo
           appInstallationValue: ${{ github.repository }}
       # bootstrap-sha and release-as needs to be removed after first release
       - name: Release
-        uses: google-github-actions/release-please-action@d3c71f9a0a55385580de793de58da057b3560862 # ratchet:google-github-actions/release-please-action@v3
+        uses: google-github-actions/release-please-action@e0b9d1885d92e9a93d5ce8656de60e3b806e542c # ratchet:google-github-actions/release-please-action@v3
         with:
           release-type: terraform-module
           token: ${{ steps.token.outputs.token }}

.github/workflows/slash_ops_commands.yml

@@ -1,18 +1,24 @@
+---
 name: Execute ChatOps command
-on:
+
+on: # yamllint disable-line rule:truthy
   repository_dispatch:
     types:
       - help-command
 
+permissions: read-all
+
 jobs:
   help-command:
     name: "ChatOps: /help"
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - name: Choose maintainer
         id: vars
         run: |
-          maintainer=$(cat CODEOWNERS | grep -oE "@[a-zA-Z0-9_-]+" | shuf -n 1)
+          maintainer=$(grep -oE "@[a-zA-Z0-9_-]+" CODEOWNERS | shuf -n 1)
           echo "maintainer=$maintainer" >> "$GITHUB_OUTPUT"
       - name: Create comment
         uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975 # ratchet:actions/github-script@v6

.github/workflows/slash_ops_comment_dispatch.yml

@@ -1,18 +1,26 @@
+---
 name: PR commented
-on:
+
+on: # yamllint disable-line rule:truthy
   issue_comment:
     types:
       - created
 
+permissions: read-all
+
 jobs:
   slash-command-dispatch:
     runs-on: ubuntu-latest
+    permissions:
+      # to dispatch the command via workflow
+      contents: write
+      # to add a reaction to the comment
+      pull-requests: write
     steps:
       - name: Slash Command Dispatch
         uses: peter-evans/slash-command-dispatch@a28ee6cd74d5200f99e247ebc7b365c03ae0ef3c # ratchet:peter-evans/slash-command-dispatch@v3
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           issue-type: pull-request
-          reactions: false
           commands: |
             help

.github/workflows/stale.yml

@@ -1,11 +1,18 @@
+---
 name: 'Close stale issues and PRs'
-on:
+
+on: # yamllint disable-line rule:truthy
   schedule:
     - cron: '25 2 * * *'
 
+permissions: read-all
+
 jobs:
   stale:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - uses: actions/stale@6f05e4244c9a0b2ed3401882b05d701dd0a7289b # ratchet:actions/stale@v7
         with:

.github/workflows/update_docs.yml

@@ -1,14 +1,20 @@
+---
 name: Update docs
-on:
+
+on: # yamllint disable-line rule:truthy
   push:
     branches:
       - release-please--branches--main
 
+permissions: read-all
+
 jobs:
   docs:
     # update docs after merge back to develop
     name: Auto update terraform docs
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Checkout branch
         uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3

.gitignore

@@ -31,4 +31,10 @@ builds/
 
 # exceptions for semantic release
 !.release/package*
-!.release/*.lock
+!.release/*.lock
+
+# VS Code
+.vscode/
+
+# Python
+venv/