Merge pull request #4 from dasmeta/best-practices

fix(best-practices): add all best practices

.github/workflows/checkov.yaml

@@ -0,0 +1,28 @@
+name: Checkov
+on:
+  pull_request:
+  push:
+    branches: [main, master]
+jobs:
+  terraform-validate:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      contents: write
+      discussions: write
+      pull-requests: write
+      security-events: write
+      id-token: write
+    strategy:
+      matrix:
+        path:
+          - modules/sso
+          - modules/sso/modules/account-assignments
+          - modules/sso/modules/permission-sets
+
+    steps:
+    - uses: dasmeta/reusable-actions-workflows/checkov@main
+      with:
+        fetch-depth: 0
+        directory: ${{ matrix.path }}
+      continue-on-error: true

.github/workflows/pre-commit.yaml

@@ -0,0 +1,23 @@
+name: Pre-Commit
+on:
+  pull_request:
+  push:
+    branches: [main, master]
+jobs:
+  terraform-validate:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      contents: write
+      discussions: write
+      pull-requests: write
+      id-token: write
+    steps:
+    - name: Pre-Commit
+      uses: dasmeta/reusable-actions-workflows/pre-commit@main
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        path: modules/${{ matrix.path }}
+      continue-on-error: true

.github/workflows/semantic-release.yaml

@@ -0,0 +1,22 @@
+name:  Semantic-Release
+on: [pull_request, push]
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      contents: write
+      discussions: write
+      pull-requests: write
+      id-token: write
+    steps:
+      - uses: actions/checkout@v2
+      - name: Setup Node.js
+        uses: actions/setup-node@v1
+        with:
+          node-version: 16
+      - name: Semantic Release
+        uses: cycjimmy/semantic-release-action@v3
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

.github/workflows/terraform-test.yaml

@@ -0,0 +1,27 @@
+name: Terraform Test
+on:
+  pull_request:
+  push:
+    branches: [main, master]
+jobs:
+  terraform-validate:
+    permissions:
+      actions: write
+      contents: write
+      discussions: write
+      pull-requests: write
+      id-token: write
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        path:
+          - /
+
+    steps:
+    - uses: dasmeta/reusable-actions-workflows/terraform-test@main
+      with:
+        aws-region: ${{ secrets.AWS_REGION}}
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        path: ${{ matrix.path }}
+      continue-on-error: true

.github/workflows/tflint.yaml

@@ -0,0 +1,32 @@
+name: Tflint
+on:
+  pull_request:
+  push:
+    branches: [main, master]
+
+jobs:
+  terraform-validate:
+    permissions:
+      actions: write
+      contents: write
+      discussions: write
+      pull-requests: write
+      id-token: write
+      security-events: write
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        path:
+          - modules/sso
+          - modules/sso/modules/account-assignments
+          - modules/sso/modules/permission-sets
+
+    steps:
+    - uses: dasmeta/reusable-actions-workflows/tflint@main
+      with:
+        aws-region: ${{ secrets.AWS_REGION}}
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        path: ${{ matrix.path }}
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+      continue-on-error: true

.github/workflows/tfsec.yaml

@@ -0,0 +1,20 @@
+name: TFSEC
+on:
+  pull_request:
+  push:
+    branches: [main, master]
+jobs:
+  terraform-tfsec:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      contents: write
+      discussions: write
+      pull-requests: write
+      id-token: write
+      security-events: write
+    steps:
+    - uses: dasmeta/reusable-actions-workflows/tfsec@main
+      with:
+        fetch-depth: 0
+    continue-on-error: true

.pre-commit-config.yaml

@@ -0,0 +1,28 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.3.0
+    hooks:
+      - id: check-added-large-files
+      - id: check-merge-conflict
+      - id: check-vcs-permalinks
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+        args: [--markdown-linebreak-ext=md]
+        exclude: CHANGELOG.md
+      - id: check-yaml
+      - id: check-merge-conflict
+      - id: check-case-conflict
+      - id: mixed-line-ending
+        args: [--fix=lf]
+      - id: detect-aws-credentials
+        args: ['--allow-missing-credentials']
+      - id: detect-private-key
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.64.1
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_docs
+        args:
+          - --hook-config=--path-to-file=README.md
+          - --hook-config=--add-to-existing-file=true
+          - --hook-config=--create-file-if-not-exist=true

commitlint.config.js

@@ -0,0 +1,5 @@
+module.exports = {
+    extends: [
+        "@commitlint/config-conventional"
+    ]
+}

git-conventional-commits.json

@@ -0,0 +1,41 @@
+{
+  "convention" : {
+    "commitTypes": [
+      "feat",
+      "fix",
+      "perf",
+      "refactor",
+      "style",
+      "test",
+      "build",
+      "ops",
+      "docs",
+      "merge",
+      "chore"
+    ],
+    "commitScopes": [],
+    "releaseTagGlobPattern":  "v[0-9]*.[0-9]*.[0-9]*",
+    "issueRegexPattern": "(^|\\s)#\\d+(\\s|$)"
+  },
+  "changelog" : {
+    "commitTypes": [
+      "feat",
+      "fix",
+      "perf",
+      "merge"
+    ],
+    "includeInvalidCommits": true,
+    "commitScopes": [],
+    "commitIgnoreRegexPattern": "^WIP ",
+    "headlines": {
+      "feat": "Features",
+      "fix": "Bug Fixes",
+      "perf": "Performance Improvements",
+      "merge": "Merged Branches",
+      "breakingChange": "BREAKING CHANGES"
+    },
+    "commitUrl": "https://github.com/ACCOUNT/REPOSITORY/commit/%commit%",
+    "commitRangeUrl": "https://github.com/ACCOUNT/REPOSITORY/compare/%from%...%to%?diff=split",
+    "issueUrl": "https://github.com/ACCOUNT/REPOSITORY/issues/%issue%"
+  }
+}

githooks/commit-msg

@@ -0,0 +1,86 @@
+#!/bin/bash
+
+RED='\033[1;31m'
+YELLOW='\033[1;33m'
+GREEN='\033[1;32m'
+NC='\033[0m'
+
+isNvmOk=false
+isYarnOk=false
+isNodeOk=false
+isGccOk=false
+
+source ~/.nvm/nvm.sh > /dev/null 2>&1
+nvm -v > /dev/null 2>&1
+if [ ! $? -eq 0 ]; then
+  mkdir ~/.nvm > /dev/null 2>&1
+  (curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.34.0/install.sh | bash) > /dev/null 2>&1
+
+  source ~/.nvm/nvm.sh
+
+  if [ `command -v nvm` ]; then
+      isNvmOk=true
+      #echo -e "$${GREEN}[ OK ]$${NC} nvm installed successfully"
+  else
+      isNvmOk=false
+      #echo -e "$${RED}[ FAIL ]$${NC} Error during nvm installation"
+  fi
+fi
+
+
+if  [  `command -v node`  ]; then
+    isNodeOk=true
+    #echo -e "$${GREEN}[ OK ]$${NC} npm and node is already installed"
+else
+  #echo -e "$${YELLOW}[ WAIT ]$${NC} npm is not installed.. installing"
+  nvm install node > /dev/null 2>&1
+  if [ `command -v node` ] && [ `command -v npm` ]; then
+      isNodeOk=true
+      #echo -e "$${GREEN}[ OK ]$${NC} npm installed successfully"
+  fi
+
+#  mkdir ~/.npm-global > /dev/null 2>&1
+#  npm config set prefix '~/.npm-global' > /dev/null 2>&1
+#  export PATH=~/.npm-global/bin:$PATH > /dev/null 2>&1
+#  source ~/.profile > /dev/null 2>&1
+
+fi
+
+
+if [ `command -v yarn` ]; then
+  isYarnOk=true
+  #echo -e "$${GREEN}[ OK ]$${NC} Yarn already installed"
+
+else
+  rm -rf ~/.yarn
+  (curl -o- -L https://yarnpkg.com/install.sh | bash) > /dev/null 2>&1
+  export PATH="$HOME/.yarn/bin:$PATH"
+  yarn config set prefix ~/.yarn -g > /dev/null 2>&1
+
+  if [ `command -v yarn` ]; then
+    isYarnOk=true
+     # echo $yarn_result
+    #  echo -e "$${GREEN}[ OK ]$${NC} Yarn installed successfully"
+  fi
+fi
+
+#echo -e "$${GREEN}[ OK ]$${NC}" nvm cache clear --force
+
+PATH="/c/Program Files/nodejs:$HOME/AppData/Roaming/npm/:$PATH"
+
+npm install --global git-conventional-commits > /dev/null 2>&1
+if [ $? -eq 0 ]; then
+    isGccOk=true
+   # echo -e "$${GREEN}[ OK ]$${NC} git-conventional-commit successfully installed"
+  else
+    isGccOk=false
+   # echo -e "$${RED}[ FAIL ]$${NC} Error during installation of git-conventional-commit"
+fi
+
+git-conventional-commits commit-msg-hook "$1"
+
+if [[ $isNodeOk && $isYarnOk && $isNvmOk && $isNodeOk ]]; then
+    echo -e "$${GREEN}[ OK ]$${NC} Dependencies installed successfully"
+else
+    echo -e "$${RED}[ FAIL ]$${NC} Error during dependency installation"
+fi

githooks/pre-commit

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+set -e
+pre-commit run --show-diff-on-failure --color=always --all-files

package.json

@@ -0,0 +1,22 @@
+{
+  "name": "app",
+  "devDependencies": {
+    "@commitlint/cli": "^17.0.3",
+    "@commitlint/config-conventional": "^17.0.3",
+    "husky": "^8.0.1",
+    "@semantic-release/github": "^8.0.4",
+    "semantic-release": "^19.0.3"
+  },
+  "release": {
+    "branches": [
+      "main", "master", "next"
+    ]
+  },
+  "private": true,
+  "plugins": [
+    "@semantic-release/commit-analyzer",
+    "@semantic-release/release-notes-generator",
+    "@semantic-release/github",
+    "@semantic-release/npm"
+  ]
+}