chore: synced file(s) with honestbank/.github

.checkov.yaml

@@ -10,3 +10,5 @@ quiet: true
 skip-path:
   - .external_modules
   - modules
+  - catalog-info.yml
+baseline: .checkov.baseline

.github/pull_request_template.md

@@ -6,14 +6,21 @@
 
 -->
 
-## Pull Request Submission Checklist
+### Pull Request Submission Checklist
 
 Please confirm that you have done the following before requesting reviews:
 
 - [ ] I have confirmed that the PR type is appropriate for the change I am making according to the [Honest Pull Request and Commit Message Naming Conventions](https://www.notion.so/honestbank/Pull-Request-and-Commit-Message-Naming-Conventions-bd97f2cbb34c4c73b1ff3a3e384b850c).
 - [ ] I have typed an adequate description that explains **why** I am making this change.
 - [ ] I have installed and run standard pre-commit hooks that lints and validates my code.
+- [ ] All entities that I am working with are up-to-date in Backstage; if updates are needed, I have linked the relevant PRs. [Backstage guide](https://www.notion.so/honestbank/How-to-Write-a-Backstage-Service-Catalog-Entry-a-catalog-info-yaml-file-21845ff72e404b14aed2ac989fb202cf?pvs=4)
 
 ### Description
 
 * <!-- WRITE A SHORT DESCRIPTION OF CHANGES -->
+
+### Experiment Link
+
+<!-- All code changes require an experiment - you can get started at https://www.notion.so/honestbank/How-to-create-a-feature-flag-ON-OFF-on-GrowthBook-0a11a156397d4eca89fb76dad0eb921c?pvs=4 -->
+
+GrowthBook Experiment Link: https://app.growthbook.io/features/

.github/workflows/checkov.yaml

@@ -1,22 +1,27 @@
-name: "Checkov GitHub Action"
+# yamllint disable rule:line-length
+# Use template from https://github.com/honestbank/workflows/tree/main/examples/repository-workflows
+---
+name: "repository-checkov"
 permissions: read-all
 
-on:
+on:  # yamllint disable-line rule:truthy
   pull_request:
-    branches: [test, dev, qa, prod, main]
+    branches:
+      - test
+      - dev
+      - qa
+      - prod
+      - main
+  push:
+    branches:
+      - test
+      - dev
+      - qa
+      - prod
+      - main
 
 jobs:
-  checkov:
-    name: checkov
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          submodules: "recursive"
-          token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}
-      - name: Run Checkov
-        id: checkov
-        uses: bridgecrewio/checkov-action@master
-        with:
-          config_file: ".checkov.yaml"
+  repository-checkov:
+    name: repository-checkov
+    uses: honestbank/workflows/.github/workflows/shared-checkov.yaml@main
+    secrets: inherit

.github/workflows/semantic-pr.yaml

@@ -1,19 +1,21 @@
-name: "Semantic Pull Request"
+# DO NOT CHANGE. This file is being managed from a central repository
+# To know more simply visit https://github.com/honestbank/.github/blob/main/docs/about.md
+
+# yamllint disable rule:line-length
+# Use template from https://github.com/honestbank/workflows/tree/main/examples/repository-workflows
+---
+name: "repository-semantic-pr"
 permissions: read-all
 
-on:
+on: # yamllint disable-line rule:truthy
   pull_request:
     types:
       - opened
       - edited
       - synchronize
 
 jobs:
-  main:
-    name: Semantic Pull Request
-    runs-on: ubuntu-latest
-    steps:
-      - uses: amannn/action-semantic-pull-request@v4
-        name: Semantic Pull Request
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  repository-semantic-pr:
+    name: repository-semantic-pr
+    uses: honestbank/workflows/.github/workflows/shared-semantic-pr.yaml@main
+    secrets: inherit

.github/workflows/terraform.yaml

@@ -1,28 +1,23 @@
-name: "terraform"
-permissions: read-all
+name: "Terraform GitHub Action"
 on:
   pull_request:
-    branches:
-      - main
-  push:
-    branches:
-      - main
+    branches: [test, dev, qa, prod, main]
 env:
   tf_version: "latest"
   tf_working_dir: "."
-  GOOGLE_CREDENTIALS: ${{ secrets.GOOGLE_CREDENTIALS_READ_ALL_PROJECTS }}
+  TF_WORKSPACE: ${{ github.base_ref }}
 jobs:
   terraform:
     name: "terraform"
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           submodules: "recursive"
           token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}
       - name: Set up Terraform
-        uses: hashicorp/setup-terraform@v1
+        uses: hashicorp/setup-terraform@v3
         with:
           cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
       - name: Terraform Format
@@ -41,29 +36,3 @@ jobs:
         id: plan
         run: terraform plan -no-color
         continue-on-error: true
-      - uses: actions/github-script@v4
-        if: github.event_name == 'pull_request'
-        env:
-          PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
-        with:
-          github-token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}
-          script: |
-            const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
-            #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
-            #### Terraform Validation 🤖${{ steps.validate.outputs.stdout }}
-            #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
-
-            <details><summary>Show Plan</summary>
-
-            \`\`\`${process.env.PLAN}\`\`\`
-
-            </details>
-
-            *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.tf_actions_working_dir }}\`, Workflow: \`${{ github.workflow }}\`*`;
-
-            github.issues.createComment({
-              issue_number: context.issue.number,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              body: output
-            })

.github/workflows/terratest.yaml

@@ -1,52 +1,30 @@
-name: terratest
-permissions:
-  contents: write
-  pull-requests: write
+name: "Terratest GitHub Action"
 on:
   pull_request:
-    branches:
-      - main
+    branches: [test, dev, qa, prod, main]
   push:
-    branches:
-      - main
-  workflow_dispatch:
-
+    branches: [test, dev, qa, prod, main]
 env:
-  TERRATEST_GOOGLE_CREDENTIALS: ${{ secrets.TERRATEST_GOOGLE_CREDENTIALS }}
-  GOOGLE_PROJECT: ${{ secrets.TERRATEST_GOOGLE_PROJECT }}
-  GCP_SA_EMAIL: ${{ secrets.TERRATEST_GCP_SA_EMAIL }}
-  TF_VAR_google_project: ${{ secrets.TERRATEST_GOOGLE_PROJECT }}
-  TF_VAR_google_credentials: ${{ secrets.TERRATEST_GOOGLE_CREDENTIALS }}
-  TF_VAR_shared_vpc_host_google_credentials: ${{ secrets.TERRATEST_GOOGLE_CREDENTIALS }}
+  AWS_ACCESS_KEY_ID: ${{ secrets.TERRATEST_AWS_ACCESS_KEY_ID }}
+  AWS_SECRET_KEY: ${{ secrets.TERRATEST_AWS_SECRET_ACCESS_KEY }}
+  AWS_DEFAULT_REGION: ${{ secrets.TERRATEST_AWS_REGION }}
+  AWS_REGION: ${{ secrets.TERRATEST_AWS_REGION }}
 jobs:
   terratest:
     name: terratest
     runs-on: ubuntu-latest
     steps:
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v3
+      - name: Checkout
+        uses: actions/checkout@v4
         with:
           submodules: true
-      - name: Set up Go (latest)
+      - name: Set up Go
         uses: actions/setup-go@v4
         with:
-          go-version: '>=1.17.0'
+          go-version: 1.20
         id: go
-      - name: Login to Google Cloud
-        uses: google-github-actions/auth@v0
-        with:
-          credentials_json: ${{ env.TERRATEST_GOOGLE_CREDENTIALS }}
-      - name: Set Google Cloud project
-        run: gcloud config set project $GOOGLE_PROJECT
-      - name: Run terratest
+      - name: Run 'go test -v -timeout 60m'
         run: |
-          make test_and_cover
-      - name: Release
-        uses: cycjimmy/semantic-release-action@v4
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          extra_plugins: |
-            @semantic-release/[email protected]
-            @semantic-release/[email protected]
-            @semantic-release/[email protected]
+          cd test
+          go mod download
+          go test -v -timeout 30m

.pre-commit-config.yaml

@@ -6,20 +6,62 @@
 
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0 # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
+    rev: v4.5.0 # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
     hooks:
-      - id: trailing-whitespace
-      - id: end-of-file-fixer
       - id: check-yaml
+        args: ['--allow-multiple-documents']
       - id: check-added-large-files
+      - id: detect-aws-credentials
+        args: ['--allow-missing-credentials']
+  - repo: local
+    hooks:
+      - id: create-checkov-baseline
+        name: Create Checkov Baseline
+        entry: bash -c 'if [ ! -f .checkov.baseline ]; then echo "{}" > .checkov.baseline && touch baseline-created; fi'
+        language: system
+        stages: [commit]
+        pass_filenames: false
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.81.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+    rev: v1.83.6 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
     hooks:
       - id: terraform_fmt
-      - id: terraform_docs
       - id: terraform_validate
-        exclude: (test/|examples/)
+        args:
+          - --hook-config=--retry-once-with-cleanup=true
+          - --tf-init-args=-upgrade
       - id: terraform_tfsec
-        exclude: (test/|examples/)
+        exclude: "test/"
       - id: terraform_checkov
-        exclude: (test/|examples/)
+        exclude: "test/"
+        args:
+          - --args=--baseline __GIT_WORKING_DIR__/.checkov.baseline
+  - repo: local
+    hooks:
+      - id: delete-checkov-baseline
+        name: Delete Checkov Baseline
+        entry: bash -c 'if [ -f baseline-created ]; then rm .checkov.baseline && rm baseline-created; fi'
+        language: system
+        stages: [commit]
+        pass_filenames: false
+  -   repo: https://github.com/gitguardian/ggshield
+      rev: v1.21.0
+      hooks:
+        - id: ggshield
+          language: python
+          stages: [commit]
+          args: [ 'secret', 'scan', 'pre-commit' ]
+  - repo: local
+    hooks:
+      - id: docs
+        name: docs
+        entry: make
+        args: [ 'docs' ]
+        language: system
+  # Run this at the end so that we don't end up in infinite loop
+  # where the end of line fixer runs first and then the docs and fmt
+  # and other hooks that modify files will break it again.
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.5.0 # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer

Makefile

@@ -1,21 +1,19 @@
-lint:
-	terraform fmt --recursive
+commit: docs validate
 
-validate:
-	terraform init
-	terraform validate
+docs:
+	terraform-docs --lockfile=false -c .terraform-docs.yml .
+
+init:
+	git submodule update --init --recursive
+	terraform init -upgrade
+
+lint:
 	terraform fmt --recursive
 
-docs:
-	terraform-docs  --lockfile=false -c .terraform-docs.yml .
-	cd examples/gcp_bigquery_big_lake_table/; terraform-docs --lockfile=false -c .terraform-docs.yml .;
-	cd examples/gcp_bigquery_cloudsql_connection/; terraform-docs --lockfile=false -c .terraform-docs.yml .;
-	cd examples/gcp_bigquery_dataset/; terraform-docs --lockfile=false -c .terraform-docs.yml .;
-	cd examples/gcp_bigquery_dataset_iam_policy/; terraform-docs --lockfile=false -c .terraform-docs.yml .;
-	cd examples/gcp_bigquery_masked_dataset/; terraform-docs --lockfile=false -c .terraform-docs.yml .;
-	cd examples/gcp_bigquery_masked_table/; terraform-docs --lockfile=false -c .terraform-docs.yml .;
-	cd examples/gcp_bigquery_table/; terraform-docs --lockfile=false -c .terraform-docs.yml .;
-	cd examples/gcp_bigquery_view/; terraform-docs --lockfile=false -c .terraform-docs.yml .;
+tests:
+# Super long timeout since this Makefile will be used in various repositories
+	cd test; go clean -testcache; go test -v -timeout 60m
 
-test_and_cover:
-	cd test; go test -v -race -covermode=atomic -timeout 90m ./...
+validate: lint
+	terraform init --upgrade
+	terraform validate