test(modules): implement first tests of this repo (#30)

.github/labeler.yml

@@ -0,0 +1,17 @@
+# Add 'feature' label to any PR where the head branch name starts with `feature` or has a `feature` section in the name
+feature:
+  - head-branch: ['^feature', 'feature']
+
+# Add 'test' label to any changes within 'test' folder or any subfolders
+test:
+  - changed-files:
+      - any-glob-to-any-file:
+        - test/**.go
+        - test/**/go.mod
+        - modules/fixtures/**
+
+terraform:
+  - changed-files:
+      - any-glob-to-any-file:
+          - modules/**.tf
+          - .tool-versions

.github/markdown-links.json

@@ -0,0 +1,20 @@
+{
+  "projectBaseUrl":"${workspaceFolder}",
+  "ignorePatterns": [
+    {
+      "pattern": "^http(s?)://localhost"
+    },
+    {
+      "pattern": "^#"
+    }
+  ],
+  "replacementPatterns": [
+  ],
+  "httpHeaders": [
+  ],
+  "timeout": "20s",
+  "retryOn429": true,
+  "retryCount": 5,
+  "fallbackRetryDelay": "30s",
+  "aliveStatusCodes": [200, 206]
+}

.github/renovate.json5

@@ -8,6 +8,7 @@
     ":enablePreCommit",
   ],
   schedule: ["every weekend"],
+  groupName: "mono-update-renovate", // we keep all updates in a single renovate branch in order to save CI tests
   platformAutomerge: false,
   prHourlyLimit: 6,
   prConcurrentLimit: 20,
@@ -31,8 +32,24 @@
   },
   vulnerabilityAlerts: {
     addLabels: ["security"],
-    enabled: true
+    enabled: true,
   },
+  customManagers: [
+    {
+      "customType": "regex",
+      "fileMatch": ["^.tool-versions$"],
+      "matchStrings": [
+        "datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?( extractVersion=(?<extractVersion>.*?))?\\s.*? (?<currentValue>.*)\\s"
+      ],
+    },
+    {
+      "customType": "regex",
+      "fileMatch": ["^justfile$"],
+      "matchStrings": [
+        "datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?( extractVersion=(?<extractVersion>.*?))?\\s(?<originalPackageName>.*) := \"(?<currentValue>.*?)\"\\s"
+      ],
+    },
+  ],
   packageRules: [
     // limit the PR creation for the Renovate pre-commit hook (it's released very frequently)
     {
@@ -52,8 +69,9 @@
     {
       matchDatasources: ["terraform-module"],
       matchPackagePatterns: ["terraform-aws-modules.*"],
-      addLabels: ["group:terraform"],
-      groupName: "Terraform AWS modules",
+      addLabels: ["group:terraform", "automerge"],
+      automerge: true,
+      groupName: "mono-update-renovate-automerge",
       schedule: [
         "every 2 weeks on Saturday and Sunday",
       ],
@@ -63,15 +81,15 @@
       matchDatasources: ["terraform-provider"],
       addLabels: ["group:terraform"],
       schedule: [
-        "every 2 weeks on Saturday and Sunday",
-      ]
+        "every 2 weeks on Saturday and Sunday"
+      ],
     },
     // Terraform patch provider updates
     {
       matchUpdateTypes: ["patch"],
       matchDatasources: ["terraform-provider"],
       addLabels: ["group:terraform", "automerge"],
-      groupName: "Terraform providers",
+      groupName: "mono-update-renovate-automerge",
       automerge: true,
       schedule: [
         "every 2 weeks on Saturday and Sunday",
@@ -82,6 +100,7 @@
       matchUpdateTypes: ["minor", "patch"],
       matchManagers: ["github-actions"],
       addLabels: ["automerge"],
+      groupName: "mono-update-renovate-automerge",
       automerge: true,
     },
     // Patches
@@ -98,6 +117,7 @@
         "terraform-linters/tflint",
       ],
       addLabels: ["automerge"],
+      groupName: "mono-update-renovate-automerge",
       automerge: true,
     },
     // Minor versions
@@ -111,6 +131,7 @@
         "terraform-linters/tflint",
       ],
       addLabels: ["automerge"],
+      groupName: "mono-update-renovate-automerge",
       automerge: true,
     },
     // Create PRs and automerge mentioned components afterward
@@ -121,25 +142,26 @@
         "pre-commit/.+",
       ],
       addLabels: ["automerge"],
+      groupName: "mono-update-renovate-automerge",
       automerge: true,
     },
     {
       matchUpdateTypes: ["major", "minor", "patch"],
       matchManagers: ["pre-commit"],
-      groupName: "pre-commit hooks",
+      groupName: "mono-update-renovate-automerge",
       addLabels: ["automerge"],
       automerge: true
     },
     // For known GitHub repositories that use GitHub tags/releases of format
     // "v1.2.3" and where the asdf plugin ignores the "v" prefix, we also tell
     // Renovate to ignore it via extractVersion when updating .tool-version file
     {
-      matchFileNames: ["**/.tool-versions", "**/*.tf"],
+      matchFileNames: ["**/*.tf"],
       matchPackageNames: [
         "hashicorp/terraform",
         "pre-commit/pre-commit",
       ],
       extractVersion: "^v(?<version>.*)$",
-    },
-  ],
+    }
+  ]
 }

.github/workflows/labeler.yml

@@ -0,0 +1,13 @@
+name: "Pull Request Labeler"
+on:
+  pull_request_target:
+  schedule:
+    - cron: "0 1 * * 1"
+jobs:
+  labeler:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5

.github/workflows/lint.yml

@@ -0,0 +1,19 @@
+---
+# desc: lint sanity check
+name: lint
+
+on:
+  push:
+  workflow_dispatch:
+
+
+jobs:
+  lint:
+    name: pre-commit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+      - name: Install tooling using asdf
+        uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3
+
+      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1

.github/workflows/nightly_cleanup.yml

@@ -0,0 +1,79 @@
+---
+name: Nightly Cleanup
+
+on:
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+
+
+env:
+  AWS_PROFILE: "infex"
+  # remember to also update tests.yml!
+  AWS_REGION: "eu-west-2"
+  CLEANUP_NEWER_THAN: "6 hours"
+  CLOUD_NUKE_VERSION: "v0.35.0"
+
+jobs:
+  aws-nightly-cleanup:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+
+      - name: Import Secrets
+        id: secrets
+        uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3
+        with:
+          url: ${{ secrets.VAULT_ADDR }}
+          method: approle
+          roleId: ${{ secrets.VAULT_ROLE_ID }}
+          secretId: ${{ secrets.VAULT_SECRET_ID }}
+          exportEnv: false
+          secrets: |
+            secret/data/products/infrastructure-experience/ci/common AWS_ACCESS_KEY;
+            secret/data/products/infrastructure-experience/ci/common AWS_SECRET_KEY;
+
+      # Official action does not support profiles
+      - name: Add profile credentials to ~/.aws/credentials
+        run: |
+          aws configure set aws_access_key_id ${{ steps.secrets.outputs.AWS_ACCESS_KEY }} --profile ${{ env.AWS_PROFILE }}
+          aws configure set aws_secret_access_key ${{ steps.secrets.outputs.AWS_SECRET_KEY }} --profile ${{ env.AWS_PROFILE }}
+          aws configure set region ${{ env.AWS_REGION }} --profile ${{ env.AWS_PROFILE }}
+
+      - name: Install Cloud Nuke
+        run: |
+          wget https://github.com/gruntwork-io/cloud-nuke/releases/download/${{ env.CLOUD_NUKE_VERSION }}/cloud-nuke_linux_amd64
+          chmod +x cloud-nuke_linux_amd64
+
+      # This is likely to fail, therefore we ignore the error
+      # We're ignoring ec2_dhcp_option as they couldn't be deleted
+      # cloudtrail is managed by IT and can't be deleted either
+      - name: Run Cloud Nuke
+        timeout-minutes: 45
+        env:
+          DISABLE_TELEMETRY: "true"
+        run: |
+          ./cloud-nuke_linux_amd64 aws \
+          --region ${{ env.AWS_REGION }} \
+          --force \
+          --newer-than ${{ env.CLEANUP_NEWER_THAN }} \
+          --exclude-resource-type ec2_dhcp_option \
+          --exclude-resource-type cloudtrail || true
+
+      # Following will delete global resources and things that cloud-nuke does not support
+      - name: Delete additional AWS resources
+        timeout-minutes: 15
+        run: .github/workflows/scripts/aws_cleanup.sh "${{ env.AWS_REGION }}"
+
+      # The second run should remove the remaining resources (VPCs) and fail if there's anything left
+      - name: Run Cloud Nuke
+        timeout-minutes: 45
+        env:
+          DISABLE_TELEMETRY: "true"
+        run: |
+          ./cloud-nuke_linux_amd64 aws \
+          --region ${{ env.AWS_REGION }} \
+          --force \
+          --newer-than ${{ env.CLEANUP_NEWER_THAN }} \
+          --exclude-resource-type ec2_dhcp_option \
+          --exclude-resource-type cloudtrail

.github/workflows/scripts/aws_cleanup.sh

@@ -0,0 +1,94 @@
+#!/bin/bash
+
+# This script deletes additional AWS resources based on specified criteria.
+
+# Check if the region argument is provided
+if [ -z "$1" ]; then
+    echo "Please provide the AWS region as the first argument."
+    exit 1
+fi
+
+region="$1"
+
+echo "Deleting additional resources in the $region region..."
+
+
+echo "Deleting additional resources..."
+# KMS keys can't be deleted due to resource policies, requires manual intervention
+
+echo "Deleting IAM Roles"
+# Detach permissions and profile instances and delete IAM roles
+role_arns=$(aws iam list-roles --query "Roles[?contains(RoleName, 'nightly')].RoleName" --output text)
+
+read -r -a role_arns_array <<< "$role_arns"
+
+for role_arn in "${role_arns_array[@]}"
+do
+    echo "Removing instance profiles and policies of role: $role_arn"
+    attached_policy_arns=$(aws iam list-attached-role-policies --role-name "$role_arn" --query 'AttachedPolicies[].PolicyArn' --output text)
+    read -r -a attached_policy_arns_array <<< "$attached_policy_arns"
+
+    for policy_arn in "${attached_policy_arns_array[@]}"
+    do
+        echo "Removing attached policy: $policy_arn"
+        aws iam detach-role-policy --role-name "$role_arn" --policy-arn "$policy_arn"
+    done
+
+    policy_arns=$(aws iam list-role-policies --role-name "$role_arn" --query 'PolicyNames' --output text)
+    read -r -a policy_arns_array <<< "$policy_arns"
+
+    for policy_arn in "${policy_arns_array[@]}"
+    do
+        echo "Deleting policy: $policy_arn"
+        aws iam delete-role-policy --role-name "$role_arn" --policy-name "$policy_arn"
+    done
+
+    instance_profile_arns=$(aws iam list-instance-profiles-for-role --role-name "$role_arn" --query 'InstanceProfiles[].InstanceProfileName' --output text)
+    read -r -a instance_profile_arns_array <<< "$instance_profile_arns"
+
+    for instance_profile_arn in "${instance_profile_arns_array[@]}"
+    do
+        echo "Removing instance profile: $instance_profile_arn"
+        aws iam remove-role-from-instance-profile --instance-profile-name "$instance_profile_arn" --role-name "$role_arn"
+    done
+
+    echo "Deleting role: $role_arn"
+    aws iam delete-role --role-name "$role_arn"
+
+done
+
+echo "Deleting IAM Policies"
+# Delete Policies
+iam_policies=$(aws iam list-policies --query "Policies[?contains(PolicyName, 'nightly')].Arn" --output text)
+
+read -r -a iam_policies_array <<< "$iam_policies"
+
+for iam_policy in "${iam_policies_array[@]}"
+do
+    echo "Deleting policy: $iam_policy"
+    aws iam delete-policy --policy-arn "$iam_policy"
+done
+
+echo "Deleting OIDC Providers"
+# Delete OIDC Provider
+oidc_providers=$(aws iam list-open-id-connect-providers --query "OpenIDConnectProviderList[?contains(Arn, 'eu-west-2') || contains(Arn, 'eu-west-3')].Arn" --output text)
+
+read -r -a oidc_providers_array <<< "$oidc_providers"
+
+for oidc_provider in "${oidc_providers_array[@]}"
+do
+    echo "Deleting OIDC Provider: $oidc_provider"
+    aws iam delete-open-id-connect-provider --open-id-connect-provider-arn "$oidc_provider"
+done
+
+echo "Deleting VPC Peering Connections"
+# Delete VPC Peering Connection
+peering_connection_ids=$(aws ec2 describe-vpc-peering-connections --region "$region" --query "VpcPeeringConnections[?Status.Code == 'active' && Tags[?contains(Value, 'nightly')]]".VpcPeeringConnectionId --output text)
+
+read -r -a peering_connection_ids_array <<< "$peering_connection_ids"
+
+for peering_connection_id in "${peering_connection_ids_array[@]}"
+do
+    echo "Deleting VPC Peering Connection: $peering_connection_id"
+    aws ec2 delete-vpc-peering-connection --region "$region" --vpc-peering-connection-id "$peering_connection_id"
+done