feat: migrate to tfroot pattern with AWX and shared workflows (#1)

* feat: migrate from terraform-libvirt-infra

- Use external terraform-libvirt-domain module via git
- Update pre-commit-terraform to v1.104.0
- Update providers: libvirt >= 0.8.2, sops >= 0.7.0, aap >= 1.3.0
- Remove deprecated template provider
- Switch from terraform to tofu
- Add -backend=false for pre-commit validation
- Preserve self-hosted GitHub workflows

* feat: add PR plan comments and environment protection

- Restructure workflows into separate test/plan/apply jobs
- Add PR comment integration for plan output
- Add permissions block for PR write access
- Add environment protection for apply job
- Rename workflows to OpenTofu

* feat: migrate to AWX and shared workflows

- Replace plan.yml/apply.yml with shared opentofu.yml workflow
- Update libvirt provider to >= 0.9.0
- Rename aap_* secrets to awx_* for AWX migration
- Add aap_inventory_name = libvirt to modules
- Add keyfile to libvirt_uri for SSH auth
- Align pre-commit-config with other repos
- Fix missing newlines in cloud-init files

* chore: trigger CI

* fix: use runner image instead of terraform-runner

* fix: update S3 credentials to use svc-terraform-admin

* fix: use mirror URL with Content-Length for boot image

Author: xnoto

.checkov.yml

@@ -0,0 +1,13 @@
+block-list-secret-scan: []
+compact: true
+directory:
+  - .
+download-external-modules: false
+evaluate-variables: true
+framework:
+  - all
+output:
+  - cli
+quiet: true
+soft-fail: true
+summary-position: top

.github/workflows/opentofu.yml

@@ -0,0 +1,25 @@
+name: OpenTofu
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  opentofu:
+    uses: makeitworkcloud/shared-workflows/.github/workflows/opentofu.yml@main
+    with:
+      runs-on: arc-dind
+      container: image-registry.openshift-image-registry.svc:5000/public-registry/runner:latest
+      setup-ssh: true
+    secrets:
+      SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
+      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+      SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}

.gitignore

@@ -0,0 +1,17 @@
+# vim swap files
+**/*.sw[po]
+
+# don't commit terraform state or lock. the repo code is the only state we care about.
+# the provider state cache is auto-upgraded by default to ensure compatibility with upstream cloud provider APIs
+**/.terraform.lock.hcl
+**/.terraform
+
+# IDE Folders
+**/.vscode
+
+# Mac Finder cache
+**/.DS_Store
+
+# Plan output
+plan-output.txt
+tfplan.bin

.pre-commit-config.yaml

@@ -0,0 +1,43 @@
+repos:
+- repo: https://github.com/compilerla/conventional-pre-commit
+  rev: v4.0.0
+  hooks:
+    - id: conventional-pre-commit
+      stages: [commit-msg]
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.104.0
+  hooks:
+    - id: terraform_validate
+      args:
+        - --hook-config=--retry-once-with-cleanup=true
+        - --args=-no-color
+        - --tf-init-args=-reconfigure
+        - --tf-init-args=-upgrade
+        - --tf-init-args=-backend=false
+    - id: terraform_tflint
+      args:
+        - --args=--minimum-failure-severity=error
+        - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
+    - id: terraform_checkov
+      args:
+        - --args=--config-file __GIT_WORKING_DIR__/.checkov.yml
+    - id: terraform_fmt
+      args:
+        - --args=-no-color
+        - --args=-diff
+        - --args=-recursive
+    - id: terraform_docs
+      args:
+        - --args=--config=.terraform-docs.yml
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v6.0.0
+  hooks:
+    - id: check-case-conflict
+    - id: check-merge-conflict
+    - id: check-symlinks
+    - id: check-vcs-permalinks
+    - id: destroyed-symlinks
+    - id: detect-private-key
+    - id: end-of-file-fixer
+    - id: mixed-line-ending
+    - id: trailing-whitespace

.sops.yaml

@@ -0,0 +1,3 @@
+---
+creation_rules:
+  - age: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l

.terraform-docs.yml

@@ -0,0 +1,18 @@
+formatter: "markdown"
+
+output:
+  file: "README.md"
+  mode: replace
+
+settings:
+  color: false
+  lockfile: false
+
+sort:
+  enabled: true
+  by: name
+
+# recursive can't be enabled until this bug is fixed:
+# https://github.com/terraform-docs/terraform-docs/issues/654
+recursive:
+  enabled: false

.tflint.hcl

@@ -0,0 +1,12 @@
+plugin "terraform" {
+  enabled = true
+  preset  = "recommended"
+}
+
+rule "terraform_required_providers" {
+  enabled = false
+}
+
+rule "terraform_required_version" {
+  enabled = false
+}