Initial commit

Author: kewalaka

.github/CODEOWNERS

@@ -0,0 +1,3 @@
+# AVM core team owns key files
+.github/policies/ @Azure/avm-core-team-technical
+.github/CODEOWNERS @Azure/avm-core-team-technical

.github/actions/docs-check/action.yml

@@ -0,0 +1,52 @@
+author: AVM
+name: Docs check
+description: Checks that documentation has been updated on PR
+runs:
+  using: composite
+  steps:
+    - name: setup go
+      uses: actions/setup-go@v4
+      with:
+        go-version: "1.21.x"
+        # cache-dependency-path: tests/go.sum
+
+    - name: setup Terraform
+      uses: hashicorp/setup-terraform@v2
+      with:
+        terraform_wrapper: false
+
+    - name: install tools
+      shell: bash
+      run: |
+        go install github.com/katbyte/terrafmt@latest
+        go install github.com/terraform-docs/terraform-docs@latest
+
+    - name: fmt check
+      shell: bash
+      run: |
+        echo "==> Fixing Terraform code with terraform fmt..."
+        terraform fmt -recursive
+        echo "==> Fixing embedded Terraform with terrafmt..."
+        find . | egrep ".md|.tf" | grep -v README.md | sort | while read f; do terrafmt fmt $f; done
+
+    - name: docs check
+      shell: bash
+      run: |
+        echo "==> Generating module documentation..."
+        terraform-docs -c .terraform-docs.yml .
+        echo "==> Generating examples documentation..."
+        cd examples && for d in $(ls -d */); do terraform-docs $d; done
+
+    - name: check for changes
+      shell: bash
+      run: |
+        echo "==> Testing for changes to tracked files"
+        CHANGES=$(git status -suno)
+        if [ "$CHANGES" ]; then
+          echo "Repository formatting or documentation is not correct."
+          echo
+          git diff
+          echo
+          echo "Run 'make fmt && make docs' locally and commit the changes to fix."
+          exit 1
+        fi

.github/actions/e2e-getexamples/action.yml

@@ -0,0 +1,34 @@
+author: AVM
+name: e2e - getexamples
+description: Gets example directories from `examples/` and outputs them to the next step
+inputs:
+  github-token:
+    description: The GitHub token to use for the API calls
+    required: true
+outputs:
+  examples:
+    description: The examples to test
+    value: ${{ steps.getexamples.outputs.examples }}
+runs:
+  using: composite
+  steps:
+    - name: get examples
+      id: getexamples
+      run: |
+        # Get latest release from GitHub API and get download URL for the Linux x64 binary
+        URL=$(curl -sL -H "Authorization: Bearer ${{ inputs.github-token }}" https://api.github.com/repos/matt-FFFFFF/jsonls/releases/latest \
+          | jq -r '.assets[] | select( .name | test("linux_amd64")) | .browser_download_url')
+
+        # Download the binary and extract
+        curl -sL "$URL" | tar -xvz jsonls
+
+        # Ensure exec bit set
+        sudo chmod a+x jsonls
+
+        # Move binary to path
+        sudo mv jsonls /usr/local/bin/jsonls
+
+        # Get the examples
+        echo examples="$(jsonls -d)" >> "$GITHUB_OUTPUT"
+      working-directory: examples
+      shell: bash

.github/actions/e2e-testexamples/action.yml

@@ -0,0 +1,47 @@
+author: AVM
+name: e2e - testexamples
+description: Tests the example supplied in the input. Needs checkout and Azure login prior.
+inputs:
+  example:
+    description: The example directory to test
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - uses: hashicorp/setup-terraform@v2
+      with:
+        terraform_version: ">=1.5.0"
+
+    - name: terraform init
+      run: terraform init
+      working-directory: examples/${{ inputs.example }}
+      shell: bash
+
+    - name: terraform apply
+      run: terraform apply -auto-approve
+      working-directory: examples/${{ inputs.example }}
+      shell: bash
+
+    - name: terraform plan
+      id: plan
+      run: |
+        terraform plan -detailed-exitcode
+        echo PLANCODE="$?" >> "$GITHUB_OUTPUT"
+      continue-on-error: true
+      working-directory: examples/${{ inputs.example }}
+      shell: bash
+
+    - name: check idempotent
+      run: |
+        echo Error: terraform plan code is ${{ steps.plan.outputs.PLANCODE }}
+        exit 1
+      working-directory: examples/${{ inputs.example }}
+      shell: bash
+      if: steps.plan.outputs.PLANCODE != 0
+
+    - name: terraform destroy
+      run: terraform destroy -auto-approve
+      working-directory: examples/${{ inputs.example }}
+      shell: bash
+      if: always()

.github/actions/linting/action.yml

@@ -0,0 +1,42 @@
+author: AVM
+name: linting
+description: Tests the example supplied in the input. Needs checkout and Azure login prior.
+inputs:
+  github-token:
+    description: The GitHub token
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - uses: hashicorp/setup-terraform@v2
+      with:
+        terraform_version: ">=1.5.0"
+
+    - name: terraform init
+      run: terraform init
+      shell: bash
+
+    - name: terraform validate
+      run: terraform validate
+      shell: bash
+
+    - uses: terraform-linters/setup-tflint@v3
+      name: Setup TFLint
+      with:
+        tflint_version: v0.48.0
+      env:
+        GITHUB_TOKEN: ${{ inputs.github-token }}
+
+    - name: get tflint config
+      run: |
+        curl --header "Authorization: Bearer ${{ inputs.github-token }}" https://raw.githubusercontent.com/Azure/terraform-azurerm-avm-template/main/.tflint.hcl -o .tflint.hcl
+      shell: bash
+
+    - name: tflint init
+      run: tflint --init
+      shell: bash
+
+    - name: tflint
+      run: tflint
+      shell: bash

.github/actions/version-check/action.yml

@@ -0,0 +1,73 @@
+author: AVM
+name: Module version check
+description: Checks that module version has been updated on PR
+inputs:
+  version-file-name:
+    description: Terraform JSON file containing module version
+    required: false
+    default: locals.version.tf.json
+  jq-query:
+    description: jq query to extract module version
+    required: false
+    default: .locals.module_version
+  github_token:
+    description: GitHub token
+    required: true
+runs:
+  using: composite
+  steps:
+    - name: semver regex
+      shell: bash
+      run: |
+        echo SEMVER_REGEX="^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$" >> "$GITHUB_ENV"
+
+    - name: Get latest release version
+      shell: bash
+      run: |
+        VER=$(curl --silent -L -H "Authorization: Bearer ${{ inputs.github_token }}" -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/${{ github.repository }}/releases/latest | jq -r .name | sed s/^v//)
+        if [ "$VER" == "null" ]; then
+          echo "No releases found"
+          echo LATEST_RELEASE="0.0.0" >> "$GITHUB_ENV"
+          exit 0
+        fi
+        if echo "$VER" | grep -P -qv "$SEMVER_REGEX"; then
+          echo "Release version $VER is not a valid semantic version"
+          exit 1
+        fi
+        echo LATEST_RELEASE="$VER" >> "$GITHUB_ENV"
+
+    - name: Get current module version
+      shell: bash
+      run: |
+        VER=$(jq -r '${{ inputs.jq-query }}' < ${{ inputs.version-file-name }})
+        if echo "$VER" | grep -P -qv "$SEMVER_REGEX"; then
+          echo "Module version $VER is not a valid semantic version"
+          exit 1
+        fi
+        echo MODULE_VERSION="$VER" >> "$GITHUB_ENV"
+
+    - name: Check module version is greater than latest release
+      shell: bash
+      run: |
+        MODVERMAJOR=$(echo ${{ env.MODULE_VERSION }} | cut -d. -f1)
+        MODVERMINOR=$(echo ${{ env.MODULE_VERSION }} | cut -d. -f2)
+        MODVERPATCH=$(echo ${{ env.MODULE_VERSION }} | cut -d. -f3)
+
+        RELVERMAJOR=$(echo ${{ env.LATEST_RELEASE }} | cut -d. -f1)
+        RELVERMINOR=$(echo ${{ env.LATEST_RELEASE }} | cut -d. -f2)
+        RELVERPATCH=$(echo ${{ env.LATEST_RELEASE }} | cut -d. -f3)
+
+        if [ "$MODVERMAJOR" -lt "$RELVERMAJOR" ]; then
+          echo "Module version ${{ env.MODULE_VERSION }} is less than latest release ${{ env.LATEST_RELEASE }}"
+          exit 1
+        fi
+
+        if [ "$MODVERMAJOR" -eq "$RELVERMAJOR" ] && [ "$MODVERMINOR" -lt "$RELVERMINOR" ]; then
+          echo "Module version ${{ env.MODULE_VERSION }} is less than latest release ${{ env.LATEST_RELEASE }}"
+          exit 1
+        fi
+
+        if [ "$MODVERMAJOR" -eq "$RELVERMAJOR" ] && [ "$MODVERMINOR" -eq "$RELVERMINOR" ] && [ "$MODVERPATCH" -lt "$RELVERPATCH" ]; then
+          echo "Module version ${{ env.MODULE_VERSION }} is less than latest release ${{ env.LATEST_RELEASE }}"
+          exit 1
+        fi

.github/dependabot.yml

@@ -0,0 +1,12 @@
+---
+version: 2
+
+updates:
+  - package-ecosystem: gomod
+    directory: /tests
+    schedule:
+      interval: daily
+  - package-ecosystem: "github-actions"
+    directory: "/.github/workflows"
+    schedule:
+      interval: daily

.github/policies/avmrequiredfiles.yml

@@ -0,0 +1,28 @@
+name: AVM Mandatory Files Policy
+description: This policy will ensure the presence of AVM mandatory files into the repos
+
+resource: repository
+where:
+  # criteria can be provided to limit the repositories the policy is applied to
+configuration:
+  mandatoryFiles:
+    issueTitle: This repo is missing mandatory files
+    issueBody: |
+      There are several mandatory files we require in this
+      repository. A pull request has been opened to add the
+      missing files. When the pr is merged this issue will be
+      closed automatically.
+    prTitle: "feat: add AVM mandatory file(s) to this repo"
+    prBody: |
+      This repository needs the standard workflow and policy files to ensure compliance.
+    file:
+      - path: .github/workflows/version-check.yml
+        prContentLink: https://raw.githubusercontent.com/Azure/terraform-azurerm-avm-template/main/.github/workflows/version-check.yml
+      - path: .github/workflows/linting.yml
+        prContentLink: https://raw.githubusercontent.com/Azure/terraform-azurerm-avm-template/main/.github/workflows/linting.yml
+      - path: Makefile
+        prContentLink: https://raw.githubusercontent.com/Azure/terraform-azurerm-avm-template/main/Makefile
+      - path: .github/policies/avmrequiredfiles.yml
+        prContentLink: https://raw.githubusercontent.com/Azure/terraform-azurerm-avm-template/main/.github/policies/avmrequiredfiles.yml
+      - path: .github/policies/branchprotection.yml
+        prContentLink: https://raw.githubusercontent.com/Azure/terraform-azurerm-avm-template/main/.github/policies/branchprotection.yml

.github/policies/branchprotection.yml

@@ -0,0 +1,14 @@
+name: avm_required
+description: AVM minimum required branch protection policy
+resource: repository
+where:
+configuration:
+  branchProtectionRules:
+    - branchNamePattern: "~default~"
+      requiresPullRequestBeforeMerging: true
+      requiredApprovingReviewsCount: 0
+      isAdminEnforced: true
+      allowsForcePushes: false
+      allowsDeletions: false
+      requiresLinearHistory: true
+      requireCodeOwnersReview: true

.github/workflows/e2e.yml

@@ -0,0 +1,58 @@
+---
+name: e2e test
+
+on:
+  pull_request:
+    types: ['opened', 'reopened', 'synchronize']
+  merge_group:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  getexamples:
+    runs-on: ubuntu-latest
+    outputs:
+      examples: ${{ steps.getexamples.outputs.examples }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: get examples
+        id: getexamples
+        uses: Azure/terraform-azurerm-avm-template/.github/actions/e2e-getexamples@main
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+  testexamples:
+    runs-on: ubuntu-latest
+    needs: getexamples
+    environment: test
+    env:
+      TF_IN_AUTOMATION: 1
+      TF_VAR_enable_telemetry: false
+    strategy:
+      matrix:
+        example: ${{ fromJson(needs.getexamples.outputs.examples) }}
+      max-parallel: 5
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: Azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Test example
+        uses: Azure/terraform-azurerm-avm-template/.github/actions/e2e-testexamples@main
+        with:
+          example: ${{ matrix.example }}
+
+  # This job is only run when all the previous jobs are successful.
+  # We can use it for PR validation to ensure all examples have completed.
+  testexamplescomplete:
+    runs-on: ubuntu-latest
+    needs: testexamples
+    steps:
+      - run: echo "All tests passed"