
Commit 8cdc491

feat: migrate to tfroot pattern with AWX and shared workflows (#1)
* feat: migrate from terraform-libvirt-infra
  - Use external terraform-libvirt-domain module via git
  - Update pre-commit-terraform to v1.104.0
  - Update providers: libvirt >= 0.8.2, sops >= 0.7.0, aap >= 1.3.0
  - Remove deprecated template provider
  - Switch from terraform to tofu
  - Add -backend=false for pre-commit validation
  - Preserve self-hosted GitHub workflows
* feat: add PR plan comments and environment protection
  - Restructure workflows into separate test/plan/apply jobs
  - Add PR comment integration for plan output
  - Add permissions block for PR write access
  - Add environment protection for apply job
  - Rename workflows to OpenTofu
* feat: migrate to AWX and shared workflows
  - Replace plan.yml/apply.yml with shared opentofu.yml workflow
  - Update libvirt provider to >= 0.9.0
  - Rename aap_* secrets to awx_* for AWX migration
  - Add aap_inventory_name = libvirt to modules
  - Add keyfile to libvirt_uri for SSH auth
  - Align pre-commit-config with other repos
  - Fix missing newlines in cloud-init files
* chore: trigger CI
* fix: use runner image instead of terraform-runner
* fix: update S3 credentials to use svc-terraform-admin
* fix: use mirror URL with Content-Length for boot image
1 parent 42ab21c commit 8cdc491

16 files changed: +1074 -0 lines changed

.checkov.yml

Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
block-list-secret-scan: []
2+
compact: true
3+
directory:
4+
- .
5+
download-external-modules: false
6+
evaluate-variables: true
7+
framework:
8+
- all
9+
output:
10+
- cli
11+
quiet: true
12+
soft-fail: true
13+
summary-position: top
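Review bot: `soft-fail: true` turns every Checkov finding into a warning, so the `terraform_checkov` hook wired up in this same commit can never block a commit or a pipeline; if advisory-only scanning is the intent, say so in a comment next to the key, otherwise drop `soft-fail` and use `skip-check` for the individual policies that are accepted. Related: `download-external-modules: false` means the git-sourced terraform-libvirt-domain module named in the commit message is never fetched for scanning, so only the root module's own resources are checked.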

.github/workflows/opentofu.yml

Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
name: OpenTofu
2+
3+
on:
4+
pull_request:
5+
branches:
6+
- main
7+
push:
8+
branches:
9+
- main
10+
11+
permissions:
12+
contents: read
13+
pull-requests: write
14+
15+
jobs:
16+
opentofu:
17+
uses: makeitworkcloud/shared-workflows/.github/workflows/opentofu.yml@main
18+
with:
19+
runs-on: arc-dind
20+
container: image-registry.openshift-image-registry.svc:5000/public-registry/runner:latest
21+
setup-ssh: true
22+
secrets:
23+
SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
24+
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
25+
SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
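Review bot: the reusable workflow is referenced at a mutable ref (`uses: makeitworkcloud/shared-workflows/.github/workflows/opentofu.yml@main`) and the job container at `runner:latest`, while the call hands over `SOPS_AGE_KEY` and `SSH_PRIVATE_KEY`; any push to that repository's `main`, or a retagged image, runs with these secrets on the next trigger, including `pull_request` runs. Pin the `uses:` line to a full commit SHA (tag in a trailing comment so a bot can bump it) and the container to a digest, and consider whether the PR-time plan needs the SOPS key at all or only the apply path does.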

.gitignore

Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
# vim swap files
2+
**/*.sw[po]
3+
4+
# don't commit terraform state or lock. the repo code is the only state we care about.
5+
# the provider state cache is auto-upgraded by default to ensure compatibility with upstream cloud provider APIs
6+
**/.terraform.lock.hcl
7+
**/.terraform
8+
9+
# IDE Folders
10+
**/.vscode
11+
12+
# Mac Finder cache
13+
**/.DS_Store
14+
15+
# Plan output
16+
plan-output.txt
17+
tfplan.bin
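Review bot: ignoring `**/.terraform.lock.hcl` drops the only record of provider versions and checksums, so the `-upgrade` init in pre-commit and the CI run each resolve whatever the newest matching provider release is; the lock file is not state, despite the comment above it, and committing it is what lets the pipeline verify provider hashes and makes a plan reproducible. Suggest removing that entry (keeping `**/.terraform`) or, if auto-upgrading is deliberate, moving the trade-off into the README. Ignoring `plan-output.txt` and `tfplan.bin` is right, since saved plans can contain sensitive values.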

.pre-commit-config.yaml

Lines changed: 43 additions & 0 deletions
@@ -0,0 +1,43 @@
1+
repos:
2+
- repo: https://github.com/compilerla/conventional-pre-commit
3+
rev: v4.0.0
4+
hooks:
5+
- id: conventional-pre-commit
6+
stages: [commit-msg]
7+
- repo: https://github.com/antonbabenko/pre-commit-terraform
8+
rev: v1.104.0
9+
hooks:
10+
- id: terraform_validate
11+
args:
12+
- --hook-config=--retry-once-with-cleanup=true
13+
- --args=-no-color
14+
- --tf-init-args=-reconfigure
15+
- --tf-init-args=-upgrade
16+
- --tf-init-args=-backend=false
17+
- id: terraform_tflint
18+
args:
19+
- --args=--minimum-failure-severity=error
20+
- --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
21+
- id: terraform_checkov
22+
args:
23+
- --args=--config-file __GIT_WORKING_DIR__/.checkov.yml
24+
- id: terraform_fmt
25+
args:
26+
- --args=-no-color
27+
- --args=-diff
28+
- --args=-recursive
29+
- id: terraform_docs
30+
args:
31+
- --args=--config=.terraform-docs.yml
32+
- repo: https://github.com/pre-commit/pre-commit-hooks
33+
rev: v6.0.0
34+
hooks:
35+
- id: check-case-conflict
36+
- id: check-merge-conflict
37+
- id: check-symlinks
38+
- id: check-vcs-permalinks
39+
- id: destroyed-symlinks
40+
- id: detect-private-key
41+
- id: end-of-file-fixer
42+
- id: mixed-line-ending
43+
- id: trailing-whitespace
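Review bot: the commit message says the repo switched from terraform to tofu, but nothing in the `pre-commit-terraform` hooks selects the `tofu` binary, so `terraform_validate`, `terraform_fmt` and the rest run whatever `terraform` is on PATH (or fail where only `tofu` is installed); pre-commit-terraform's tf-path option (`PCT_TFPATH=tofu`, or `--hook-config=--tf-path=tofu`) is the supported way to pick it. Minor: `terraform_docs` passes `--config=.terraform-docs.yml` relative to the working directory while the tflint and checkov hooks use `__GIT_WORKING_DIR__`; use the same form for all three.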

.sops.yaml

Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
---
2+
creation_rules:
3+
- age: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
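Review bot: the single `creation_rules` entry has no `path_regex` and exactly one `age` recipient, so every SOPS-encrypted file in the repo is readable by that one key and nothing else; if that same private key is what CI receives as `SOPS_AGE_KEY`, the operator's key and the pipeline's key cannot be rotated independently. Suggest listing a dedicated CI recipient alongside the operator key (comma-separated in `age:`) and adding a `path_regex` so an unrelated file is not silently matched by the rule. The public recipient string itself is fine to commit.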

.terraform-docs.yml

Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
formatter: "markdown"
2+
3+
output:
4+
file: "README.md"
5+
mode: replace
6+
7+
settings:
8+
color: false
9+
lockfile: false
10+
11+
sort:
12+
enabled: true
13+
by: name
14+
15+
# recursive can't be enabled until this bug is fixed:
16+
# https://github.com/terraform-docs/terraform-docs/issues/654
17+
recursive:
18+
enabled: false
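Review bot: `output.mode: replace` rewrites the whole of `README.md` from the generated content, so any hand-written sections (the tfroot layout, how AWX and the shared workflow fit together, how to run the hooks with tofu) are discarded on the next `terraform_docs` hook run. Unless the README is meant to be fully generated, use `mode: inject` with the terraform-docs begin/end markers in README.md so prose and generated tables coexist. Keeping `recursive` disabled with the upstream issue link as justification is good practice.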

.tflint.hcl

Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
plugin "terraform" {
2+
enabled = true
3+
preset = "recommended"
4+
}
5+
6+
rule "terraform_required_providers" {
7+
enabled = false
8+
}
9+
10+
rule "terraform_required_version" {
11+
enabled = false
12+
}
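Review bot: disabling `terraform_required_providers` and `terraform_required_version` switches off the two checks that every provider carries a version constraint and that a `required_version` is declared, which is exactly the pinning the commit message says it tightened (libvirt >= 0.9.0, sops >= 0.7.0, aap >= 1.3.0); with those constraints in place the rules should pass, so either leave them enabled or add a comment above each `rule` block stating why it is off (for example, constraints inherited from the tfroot module). The `recommended` preset is otherwise a sensible baseline.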
