Initial commit

.cspell/azure-extended.txt

@@ -0,0 +1,8 @@
+azuread
+azurerm
+keyvault
+managementpartner
+resourcegroups
+southcentralus
+southeastasia
+vnet

.cspell/google.txt

@@ -0,0 +1,3 @@
+gcp
+gsuite
+gws

.cspell/security.txt

@@ -0,0 +1,8 @@
+auditctl
+auditd
+cspm
+oathtool
+qualys
+siem
+sysmon
+sysmonconfig

.cspell/terraform.txt

@@ -0,0 +1,9 @@
+hashicorp
+jsondecode
+jsonencode
+terragrunt
+tfrc
+tfstate
+tfstatestorage
+yamldecode
+yamlencode

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @cncsc/conventions-reviewers @cncsc/devops-reviewers @cncsc/application-reviewers @cncsc/infrastructure-reviewers

.github/workflows/cd.yaml

@@ -0,0 +1,13 @@
+name: Continuous Deployment
+on:
+  workflow_run:
+    workflows: [Continuous Integration]
+    types: [completed]
+    branches: [main]
+jobs:
+  on-success:
+    name: Semantic Release
+    uses: cncsc/actions/.github/workflows/semantic-release.yaml@main
+    secrets:
+      GIT_TOKEN_BASIC: ${{ secrets.GIT_TOKEN_BASIC }}
+      NPM_ACCESS_TOKEN: ${{ secrets.NPM_ACCESS_TOKEN }}

.github/workflows/ci.yaml

@@ -0,0 +1,7 @@
+name: Continuous Integration
+on:
+  - push
+jobs:
+  ci:
+    name: Validation
+    uses: cncsc/actions/.github/workflows/validation.yaml@main

.gitignore

@@ -0,0 +1,23 @@
+# Terraform
+.terraform
+.terragrunt-cache
+*.tfstate
+*.tfstate.backup
+.terraform.lock.hcl
+
+# OS X
+.history
+.DS_Store
+
+# IntelliJ
+.idea_modules
+*.iml
+*.iws
+*.ipr
+.idea/
+build/
+*/build/
+out/
+
+# NodeJS
+node_modules

.pre-commit-config.yaml

@@ -0,0 +1,34 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v2.4.0
+    hooks:
+      - id: check-added-large-files
+      - id: check-byte-order-marker
+      - id: check-case-conflict
+      - id: check-executables-have-shebangs
+      - id: check-json
+      - id: check-merge-conflict
+      - id: check-symlinks
+      - id: check-yaml
+      - id: detect-private-key
+      - id: end-of-file-fixer
+      - id: mixed-line-ending
+        args: [--fix=no]
+      - id: trailing-whitespace
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.45.0
+    hooks:
+      - id: terragrunt_fmt
+  - repo: https://github.com/scop/pre-commit-shfmt
+    rev: v3.5.1-1
+    hooks:
+      - id: shfmt
+        args: [-w, -s, --indent=2]
+  - repo: https://github.com/gruntwork-io/pre-commit
+    rev: v0.0.8
+    hooks:
+      - id: shellcheck
+  - repo: https://github.com/streetsidesoftware/cspell-cli
+    rev: v6.17.0
+    hooks:
+      - id: cspell

.releaserc.json

@@ -0,0 +1,3 @@
+{
+  "extends": "@cncsc/semantic-release-config/base"
+}

.remote-state-config.yaml

@@ -0,0 +1,3 @@
+hostname: app.terraform.io
+organization: cncsc
+root_prefix: stacks

.terraform-version

@@ -0,0 +1 @@
+1.3.4

.terragrunt-version

@@ -0,0 +1 @@
+0.36.6

.tools/verify-tfc-workspace.sh

@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+
+# By convention, we only use Terraform Cloud for remote state storage with execution handled by GitHub actions.
+# This allows us to utilize the monorepo pattern with Terragrunt facilitating modularity.
+# This script handles the dynamic Terraform Cloud workspace management for use with Terragrunt.
+
+function get_workspace_execution_mode() {
+  local -r tfc_api_token="$1"
+  local -r organization="$2"
+  local -r workspace="$3"
+
+  # When calling GET on a specific workspace, if it doesn't already exist, it will be automatically created.
+  # By default it will be created with the `remote` execution mode.
+  # We will the change it to `local` execution mode the same as if it was already existing and misconfigured.
+
+  curl -sSL -X GET \
+    -H "authorization: Bearer $tfc_api_token" \
+    -H "content-type: application/vnd.api+json" \
+    "https://app.terraform.io/api/v2/organizations/$organization/workspaces/$workspace" |
+    jq -r '.data.attributes["execution-mode"]'
+}
+
+function set_execution_mode_local() {
+  local -r tfc_api_token="$1"
+  local -r organization="$2"
+  local -r workspace="$3"
+  local -r execution_mode="$4"
+
+  curl -sSL -X PATCH \
+    -H "authorization: Bearer $tfc_api_token" \
+    -H "content-type: application/vnd.api+json" \
+    "https://app.terraform.io/api/v2/organizations/$organization/workspaces/$workspace" \
+    --data '{"data":{"type":"workspaces","attributes":{"execution-mode":"local"}}}' >/dev/null
+}
+
+function validate_workspace() {
+  local -r organization="$1"
+  local -r workspace="$2"
+  echo "- Current organization is $organization"
+  echo "- Current workspace is $workspace"
+
+  if test -f "$HOME/.terraform.d/credentials.tfrc.json"; then
+    tfc_api_token=$(jq -r '.credentials["app.terraform.io"].token' <"$HOME/.terraform.d/credentials.tfrc.json")
+  elif [ -z "$TFC_API_TOKEN" ]; then
+    tfc_api_token="$TFC_API_TOKEN"
+  else
+    echo ""
+    echo -e "\033[31mCould not find a Terraform Cloud API token to use.\033[39m" >&2
+
+    # shfmt removes the unnecessary escapes that shellcheck requires explicitly – disabling these checks.
+    # shellcheck disable=SC2016
+    echo 'Run `terraform login` to generate and store your user token; or'
+    # shellcheck disable=SC2016
+    echo 'Set the token on your environment as $TFC_API_TOKEN'
+
+    echo ""
+    exit 1
+  fi
+
+  execution_mode=$(get_workspace_execution_mode "$tfc_api_token" "$organization" "$workspace")
+
+  echo "- Current execution mode is $execution_mode"
+
+  if [ "$execution_mode" != "local" ]; then
+    echo "- Updating workspace execution mode to local..."
+    set_execution_mode_local "$tfc_api_token" "$organization" "$workspace"
+    echo "- Workspace execution mode updated to to local."
+    echo ""
+  fi
+}
+
+function main() {
+  echo ""
+  echo -e '\033[1mValidating Terraform Cloud workspace execution mode...\033[0m'
+  validate_workspace "$@"
+}
+
+main "$@"