From 386e91aca89e93b3127400c31729e83c875cab81 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mats=20B=C3=B8e=20Bergmann?=
Date: Mon, 21 Oct 2024 14:47:21 +0200
Subject: [PATCH] feat: first commit

---
 .bulldozer.yml | 4 ++
 .envrc | 1 +
 .github/dependabot.yml | 20 ++++++++
 .github/scripts/branch_restrictions.json | 56 ++++++++++++++++++++++
 .github/scripts/repo_settings.sh | 19 ++++++++
 .github/workflows/lint-release.yaml | 14 ++++++
 .github/workflows/terraform.yaml | 21 +++++++++
 .policy.yml | 4 ++
 .terraform-docs.yaml.example | 60 ++++++++++++++++++++++++
 .trivyignore | 0
 examples/main.example | 8 ++++
 11 files changed, 207 insertions(+)
 create mode 100644 .bulldozer.yml
 create mode 100644 .envrc
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/scripts/branch_restrictions.json
 create mode 100755 .github/scripts/repo_settings.sh
 create mode 100644 .github/workflows/lint-release.yaml
 create mode 100644 .github/workflows/terraform.yaml
 create mode 100644 .policy.yml
 create mode 100644 .terraform-docs.yaml.example
 create mode 100644 .trivyignore
 create mode 100644 examples/main.example

diff --git a/.bulldozer.yml b/.bulldozer.yml
new file mode 100644
index 000000000..b9909ba8e
--- /dev/null
+++ b/.bulldozer.yml
@@ -0,0 +1,4 @@
+---
+remote: nrkno/nrk-bot-configs
+path: admin-groups/iac-admins/bulldozer/bulldozer.yaml
+ref: main
diff --git a/.envrc b/.envrc
new file mode 100644
index 000000000..a60d64143
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+pre-commit install-hooks
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..9ed497b56
--- /dev/null
+++ b/.github/dependabot.yml
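Review bot: In the .envrc hunk, `pre-commit install-hooks` only builds the hook environments declared in `.pre-commit-config.yaml`; it does not install the git hook script itself, so commits will run no hooks unless `pre-commit install` has also been run, and `pre-commit install --install-hooks` does both in one step. The diffstat of this commit lists no `.pre-commit-config.yaml`, so as committed the command would presumably fail on every direnv load until that file exists. If the config is meant to be supplied by whoever uses the template, a comment such as `# needs a .pre-commit-config.yaml in the repo root; run by direnv on every cd` would make that expectation explicit.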
@@ -0,0 +1,20 @@
+version: 2
+updates:
+ - package-ecosystem: terraform
+ directory: "/"
+ schedule:
+ interval: daily
+ time: "12:00"
+ timezone: "Europe/Oslo"
+ commit-message:
+ prefix: chore(deps)
+ open-pull-requests-limit: 5
+ - package-ecosystem: github-actions
+ directory: "/"
+ schedule:
+ interval: daily
+ time: "12:00"
+ timezone: "Europe/Oslo"
+ commit-message:
+ prefix: chore(deps)
+ open-pull-requests-limit: 5
diff --git a/.github/scripts/branch_restrictions.json b/.github/scripts/branch_restrictions.json
new file mode 100644
index 000000000..cd0ad03d5
--- /dev/null
+++ b/.github/scripts/branch_restrictions.json
@@ -0,0 +1,56 @@
+{
+ "required_status_checks": {
+ "strict": true,
+ "checks": [
+ {
+ "context": "Terraform / Config Validation in ."
+ },
+ {
+ "context": "Terraform / Trivy Vulnerability Scan in ."
+ },
+ {
+ "context": "lint_release / Commit lint"
+ },
+ {
+ "context": "Terraform / Render terraform docs in ."
+ }
+ ]
+ },
+ "restrictions": {
+ "users": [],
+ "teams": [
+ "IaC-Admins"
+ ],
+ "apps": [
+ "NRKno-Bulldozer"
+ ]
+ },
+ "required_pull_request_reviews": {
+ "dismissal_restrictions": {
+ "users": [],
+ "teams": [
+ "IaC-Admins"
+ ],
+ "apps": [
+ "NRKno-Bulldozer"
+ ]
+ },
+ "dismiss_stale_reviews": true,
+ "bypass_pull_request_allowances": {
+ "users": [],
+ "teams": [],
+ "apps": []
+ },
+ "require_code_owner_reviews": true,
+ "require_last_push_approval": false,
+ "required_approving_review_count": 1
+ },
+ "enforce_admins": true,
+ "required_linear_history": true,
+ "allow_force_pushes": false,
+ "allow_deletions": false,
+ "block_creations": true,
+ "required_conversation_resolution": true,
+ "lock_branch": false,
+ "allow_fork_syncing": false
+}
\ No newline at end of file
diff --git a/.github/scripts/repo_settings.sh b/.github/scripts/repo_settings.sh
new file mode 100755
index 000000000..32e6e09a5
--- /dev/null
+++ b/.github/scripts/repo_settings.sh
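Review bot: In the branch_restrictions.json hunk, `"require_code_owner_reviews": true` has no effect unless the repository contains a CODEOWNERS file, and the diffstat of this commit adds none, so the protection as applied would presumably require only the one generic approval from `required_approving_review_count`. The four `context` strings under `required_status_checks.checks` are also coupled to names defined elsewhere in the commit — the `lint_release` job id in lint-release.yaml and `name: Terraform` plus `working-directory: .` in terraform.yaml — and renaming any of those would leave the branch waiting on a check that never reports. Since JSON cannot carry a comment, that coupling is best recorded in the header of repo_settings.sh, e.g. `# branch_restrictions.json must list the check names produced by the workflows in .github/workflows/; update both together`.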
@@ -0,0 +1,19 @@
+#!/bin/bash
+#set -e
+#set -x
+
+
+GH_TOKEN=$(gh auth token)
+REPO=$1
+BRANCH=$2
+
+gh repo edit $REPO --add-topic "terraform,terraform-module" \
+--enable-rebase-merge --delete-branch-on-merge \
+--enable-squash-merge=false --enable-merge-commit=false
+
+curl \
+-X PUT \
+-H "Accept: application/vnd.github+json" \
+-H "Authorization: Bearer ${GH_TOKEN}" \
+"https://api.github.com/repos/$REPO/branches/$BRANCH/protection" \
+--data-binary "@.github/scripts/branch_restrictions.json"
\ No newline at end of file
diff --git a/.github/workflows/lint-release.yaml b/.github/workflows/lint-release.yaml
new file mode 100644
index 000000000..0b9a015ff
--- /dev/null
+++ b/.github/workflows/lint-release.yaml
@@ -0,0 +1,14 @@
+---
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+name: Commit lint and release
+jobs:
+ lint_release:
+ uses: nrkno/github-workflow-semantic-release/.github/workflows/workflow.yaml@v3.1.0
+ with:
+ runs-on: linux
diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml
new file mode 100644
index 000000000..bf5900feb
--- /dev/null
+++ b/.github/workflows/terraform.yaml
@@ -0,0 +1,21 @@
+---
+on:
+ pull_request:
+ branches:
+ - main
+
+permissions:
+ id-token: write
+ contents: read
+ pull-requests: write
+
+jobs:
+ terraform:
+ name: Terraform
+ uses: nrkno/github-workflow-terraform-config/.github/workflows/workflow.yaml@v4.60.1
+ with:
+ terraform-docs-fail-on-diff: false
+ working-directory: .
+ trivy-ignore-files: .trivyignore
+ secrets:
+ registries: "terraform-registry.nrk.cloud=${{ secrets.PLATTFORM_TERRAFORM_REGISTRY_NRK_CLOUD }}"
diff --git a/.policy.yml b/.policy.yml
new file mode 100644
index 000000000..514ee3ab8
--- /dev/null
+++ b/.policy.yml
@@ -0,0 +1,4 @@
+---
+remote: nrkno/nrk-bot-configs
+path: admin-groups/iac-admins/policy-bot/policy-bot.yaml
+ref: main
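Review bot: The curl call at the end of repo_settings.sh has no `--fail`, so a rejected PUT (for example when the token lacks admin rights on the repository, or the branch name is wrong) prints the error body and still exits 0, and with `#set -e` commented out at the top nothing stops the script either; `set -euo pipefail` in place of the two commented lines would also catch the unset `$1`/`$2`. The bearer token is passed as a command-line argument to curl, where it is visible to other local processes via the process list and would be printed verbatim if `#set -x` is ever uncommented. Since `gh` is already required for the first call, the same request can go through its built-in authentication and the token never has to be extracted: `gh api -X PUT "repos/$REPO/branches/$BRANCH/protection" --input .github/scripts/branch_restrictions.json`. `$REPO` is also used unquoted in `gh repo edit $REPO`; quoting it and adding `: "${REPO:?usage: repo_settings.sh OWNER/REPO BRANCH}"` after the assignments fails early instead of editing the wrong target.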
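Review bot: lint-release.yaml declares no `permissions:` block, so the `lint_release` job — which runs on `push` to main as well as on pull requests — inherits the repository's default GITHUB_TOKEN scope, whereas terraform.yaml in the same commit scopes its token explicitly; an explicit block such as `permissions:` / `  contents: write` / `  pull-requests: write` (whatever the called semantic-release workflow actually needs, which is not visible here) would keep both callers least-privilege. Both reusable workflows are referenced by mutable tag (`@v3.1.0` here, `@v4.60.1` in terraform.yaml); pinning to the full commit SHA with the tag in a trailing comment, e.g. `uses: nrkno/github-workflow-semantic-release/.github/workflows/workflow.yaml@<SHA> # v3.1.0`, removes the dependency on the tag not being moved, and the dependabot config added in this commit will keep such pins updated.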
diff --git a/.terraform-docs.yaml.example b/.terraform-docs.yaml.example
new file mode 100644
index 000000000..2a65f4f63
--- /dev/null
+++ b/.terraform-docs.yaml.example
@@ -0,0 +1,60 @@
+# With this file you can controll the behaviour of your README.md file.
+# To see what is possible please read: https://terraform-docs.io/user-guide/configuration/
+#
+# The following is an example of how to use this file to populate your README.md with info from your terraform code
+#
+formatter: markdown
+
+header-from: main.tf
+#footer-from:
+
+sections:
+ #hide: []
+ show:
+ - all
+
+content: |-
+ {{ .Header }}
+
+ {{ .Requirements }}
+
+ {{ .Inputs }}
+
+ {{ .Providers }}
+
+ {{ .Modules }}
+
+ {{ .Outputs }}
+
+ {{ .Resources }}
+
+output:
+ file: "README.md"
+ mode: replace
+ template: |-
+
+ {{ .Content }}
+
+
+output-values:
+ enabled: false
+ #from:
+
+sort:
+ enabled: true
+ by: required
+
+settings:
+ anchor: true
+ color: true
+ default: true
+ description: true
+ escape: true
+ hide-empty: false
+ html: true
+ indent: 2
+ lockfile: true
+ read-comments: false
+ required: true
+ sensitive: true
+ type: true
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 000000000..e69de29bb
diff --git a/examples/main.example b/examples/main.example
new file mode 100644
index 000000000..c3a05ccf3
--- /dev/null
+++ b/examples/main.example
@@ -0,0 +1,8 @@
+module "some-module" {
+ source = "terraform-registry.nrk.cloud/nrkno/iac-terraform-module-template/generic"
+ version = "1.0.0"
+
+ argument1 = "value"
+ argument2 = "value"
+ argument3 = "value"
+}