feat: added terraform template

.github/renovate.json

@@ -0,0 +1,16 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "extends": [
+        "config:base",
+        ":semanticCommitTypeAll(chore)"
+    ],
+    "lockFileMaintenance": {
+        "enabled": true,
+        "extends": [
+            "schedule:weekly"
+        ]
+    },
+    "nix": {
+        "enabled": true
+    }
+}

.github/workflows/flake.yaml

@@ -13,7 +13,9 @@ jobs:
   check:
     runs-on: ubuntu-latest
     steps:
-      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: cachix/install-nix-action@v25
+        with:
+          enable_kvm: true
       - uses: cachix/cachix-action@v14
         with:
           authToken: ${{ secrets.ALTF4LLC_CACHIX_AUTH_TOKEN }}
@@ -26,7 +28,9 @@ jobs:
       - check
     runs-on: ubuntu-latest
     steps:
-      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: cachix/install-nix-action@v25
+        with:
+          enable_kvm: true
       - uses: cachix/cachix-action@v14
         with:
           authToken: ${{ secrets.ALTF4LLC_CACHIX_AUTH_TOKEN }}

.gitignore

@@ -1,3 +1,4 @@
-.direnv
+/.direnv
+/build-configs
 /result
 /target

.golangci.yaml

@@ -2,4 +2,3 @@
 issues:
   exclude:
     - Error return value of `\(github.com/go-kit/log.Logger\).Log` is not checked
-

flake.nix

@@ -12,7 +12,6 @@
             just;
 
           name = "build-configs";
-          version = "0.1.0";
           CGO_ENABLED = "0";
         in
         {
@@ -23,10 +22,7 @@
 
           packages = {
             default = pkgs.buildGo122Module {
-              inherit name version;
-              GOFLAGS = [
-                "-ldflags=github.com/ALT-F4-LLC/build-configs/internal/cli.Version=${version}"
-              ];
+              inherit name;
               src = ./.;
               vendorHash = "sha256-6B9O6ho4COpJy4HlkzQ0lk+ieezRO3xg9LyLHzoxYzc=";
               buildModules = [ "cmd/${name}" ];

internal/config/config.go

@@ -71,6 +71,24 @@ func (c Config) GetTemplater() (Templater, error) {
 			return tpl, err
 		}
 
+		// Then convert them back into the type for the templater selected
+		if err := json.Unmarshal(b, &tpl); err != nil {
+			return tpl, err
+		}
+		return tpl, nil
+
+	case "terraform":
+		if Debug {
+			fmt.Println("loading terraform templater")
+		}
+		tpl := NewTerraformConfig(c)
+
+		// Convert the parameters (map type) to JSON
+		b, err := json.Marshal(c.Parameters)
+		if err != nil {
+			return tpl, err
+		}
+
 		// Then convert them back into the type for the templater selected
 		if err := json.Unmarshal(b, &tpl); err != nil {
 			return tpl, err

internal/config/go_cobra_cli.go

@@ -33,6 +33,7 @@ func (c GoCobraCliConfig) Render() error {
 	files, err := templates.RenderTemplates(templates.RenderMap{
 		templates.AllCommonTemplates: {
 			".envrc",
+			".github/renovate.json",
 		},
 		templates.GoCommonTemplates: {
 			".editorconfig",

internal/config/go_lambda.go

@@ -45,6 +45,7 @@ func (c GoLambdaConfig) Render() error {
 	renderMap := templates.RenderMap{
 		templates.AllCommonTemplates: {
 			".envrc",
+			".github/renovate.json",
 		},
 		templates.GoCommonTemplates: {
 			".editorconfig",

internal/config/terraform.go

@@ -0,0 +1,62 @@
+package config
+
+import (
+	"fmt"
+
+	"github.com/ALT-F4-LLC/build-configs/internal/templates"
+)
+
+const TerraformName = "terraform"
+
+type TerraformConfigRole struct {
+	PlanARN  string `json:"planArn,omitempty" yaml:"planArn,omitempty"`
+	ApplyARN string `json:"applyArn,omitempty" yaml:"applyArn,omitempty"`
+}
+
+type TerraformConfig struct {
+	Config
+	Nix       NixConfig           `json:"nix,omitempty" yaml:"nix,omitempty"`
+	Region    string              `json:"region,omitempty" yaml:"region,omitempty"`
+	Role      TerraformConfigRole `json:"role,omitempty" yaml:"role,omitempty"`
+	Schedule  *string             `json:"schedule,omitempty" yaml:"schedule,omitempty"`
+	Providers []string            `json:"providers,omitempty" yaml:"providers,omitempty"`
+}
+
+func NewTerraformConfigRole(name string) TerraformConfigRole {
+	return TerraformConfigRole{
+		ApplyARN: fmt.Sprintf("arn:aws:iam::677459762413:role/altf4llc-gha-%s-apply", name),
+		PlanARN:  fmt.Sprintf("arn:aws:iam::677459762413:role/altf4llc-gha-%s-plan", name),
+	}
+}
+
+func NewTerraformConfig(c Config) TerraformConfig {
+	return TerraformConfig{
+		Config:   c,
+		Nix:      NewNixConfig(),
+		Region:   "us-west-2",
+		Role:     NewTerraformConfigRole(c.Name),
+		Schedule: nil,
+	}
+}
+
+func (c TerraformConfig) Render() error {
+	renderMap := templates.RenderMap{
+		templates.AllCommonTemplates: {
+			".envrc",
+			".github/renovate.json",
+		},
+		templates.TerraformTemplates: {
+			".github/workflows/terraform.yaml",
+			".gitignore",
+			"flake.nix",
+			"justfile",
+		},
+	}
+
+	files, err := templates.RenderTemplates(renderMap, c)
+	if err != nil {
+		return err
+	}
+
+	return templates.WriteFiles(files)
+}

internal/templates/templates.go

@@ -22,10 +22,14 @@ var (
 	//go:embed all:templates/go-lambda/*
 	goLambdaFS embed.FS
 
+	//go:embed all:templates/terraform/*
+	terraformFS embed.FS
+
 	AllCommonTemplates  *template.Template
 	GoCommonTemplates   *template.Template
 	GoCobraCliTemplates *template.Template
-	GoLambdaTemplates *template.Template
+	GoLambdaTemplates   *template.Template
+	TerraformTemplates  *template.Template
 )
 
 // RenderMap maps a template set to the filenames* that should be written.
@@ -38,6 +42,7 @@ func init() {
 	GoCommonTemplates = template.Must(template.ParseFS(goCommonFS, "templates/common/go/*"))
 	GoCobraCliTemplates = template.Must(template.ParseFS(goCobraCliFS, "templates/go-cobra-cli/*"))
 	GoLambdaTemplates = template.Must(template.ParseFS(goLambdaFS, "templates/go-lambda/*"))
+	TerraformTemplates = template.Must(template.ParseFS(terraformFS, "templates/terraform/*"))
 }
 
 func RenderTemplates(in RenderMap, context any) (map[string]string, error) {
@@ -81,7 +86,7 @@ func WriteFiles(in map[string]string) error {
 			continue
 		}
 
-		if err := os.WriteFile(filename, []byte(contents), 0644); err != nil {
+		if err := os.WriteFile(filename, []byte(contents), 0o644); err != nil {
 			return err
 		}
 	}

internal/templates/templates/common/all/.github__renovate.json

@@ -0,0 +1,16 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "extends": [
+        "config:base",
+        ":semanticCommitTypeAll(chore)"
+    ],
+    "lockFileMaintenance": {
+        "enabled": true,
+        "extends": [
+            "schedule:weekly"
+        ]
+    },
+    "nix": {
+        "enabled": true
+    }
+}

internal/templates/templates/go-cobra-cli/justfile

@@ -1,4 +1,10 @@
-build profile='default'{{ if .PrivateModules }} netrc="/tmp/.netrc=/tmp/.netrc"{{ end }}:
+build:
+    go build -o {{ .Name }} ./cmd/{{ .Name }}/main.go
+
+check:
+    nix flake check
+
+package profile='default'{{ if .PrivateModules }} netrc="/tmp/.netrc=/tmp/.netrc"{{ end }}:
     nix build \
         --json \
         --no-link \
@@ -9,7 +15,4 @@ build profile='default'{{ if .PrivateModules }} netrc="/tmp/.netrc=/tmp/.netrc"{
         {{- end }}
         '.#{{"{{"}} profile {{"}}"}}'
 
-build-docker{{ if .PrivateModules }} netrc="/tmp/.netrc=/tmp/.netrc"{{ end }}: (build 'docker'{{ if .PrivateModules }} netrc{{ end }})
-
-check:
-    nix flake check
+package-docker{{ if .PrivateModules }} netrc="/tmp/.netrc=/tmp/.netrc"{{ end }}: (package 'docker'{{ if .PrivateModules }} netrc{{ end }})

internal/templates/templates/terraform/.github__workflows__terraform.yaml

@@ -0,0 +1,97 @@
+name: terraform
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+  {{- if .Schedule }}
+  schedule:
+    - cron: "{{ .Schedule }}"
+  {{- end }}
+
+env:
+  CACHIX_BINARY_CACHE: {{ .Nix.Cachix.BinaryCache }}
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: cachix/install-nix-action@v27
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+      - uses: cachix/cachix-action@v15
+        with:
+          authToken: ${{"{{"}} secrets.ALTF4LLC_CACHIX_AUTH_TOKEN {{"}}"}}
+          name: ${{"{{"}} env.CACHIX_BINARY_CACHE {{"}}"}}
+      - uses: actions/checkout@v4
+      - run: nix develop -c just check
+
+  plan:
+    runs-on: ubuntu-latest
+    needs: check
+    concurrency:
+      group: tf-lock
+      cancel-in-progress: false
+    permissions:
+      contents: read
+      id-token: write
+    env:
+      TF_VAR_PLATFORM_DIRECTORY_TOKEN: ${{"{{"}} secrets.TF_VAR_PLATFORM_DIRECTORY_TOKEN {{"}}"}}
+    steps:
+      - uses: cachix/install-nix-action@v27
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+      - uses: cachix/cachix-action@v15
+        with:
+          authToken: ${{"{{"}} secrets.ALTF4LLC_CACHIX_AUTH_TOKEN {{"}}"}}
+          name: ${{"{{"}} env.CACHIX_BINARY_CACHE {{"}}"}}
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          audience: sts.amazonaws.com
+          aws-region: us-west-2
+          role-to-assume: {{ .Role.PlanARN }}
+      - run: aws sts get-caller-identity
+      - uses: actions/checkout@v4
+      - run: nix develop -c just init
+      - run: nix develop -c just validate
+      - run: nix develop -c just plan
+      - uses: actions/upload-artifact@v4
+        with:
+          name: tf-plan
+          path: terraform.tfplan
+
+  apply:
+    if: github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    needs: plan
+    environment:
+      name: prod
+    permissions:
+      contents: read
+      id-token: write
+    concurrency:
+      group: tf-lock
+      cancel-in-progress: false
+    env:
+      TF_VAR_PACKER_SSH_PUBLIC_KEY: ${{"{{"}} secrets.TF_VAR_PACKER_SSH_PUBLIC_KEY {{"}}"}}
+    steps:
+      - uses: cachix/install-nix-action@v27
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+      - uses: cachix/cachix-action@v15
+        with:
+          authToken: ${{"{{"}} secrets.ALTF4LLC_CACHIX_AUTH_TOKEN {{"}}"}}
+          name: ${{"{{"}} env.CACHIX_BINARY_CACHE {{"}}"}}
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          audience: sts.amazonaws.com
+          aws-region: us-west-2
+          role-to-assume: {{ .Role.ApplyARN }}
+      - run: aws sts get-caller-identity
+      - uses: actions/checkout@v4
+      - uses: actions/download-artifact@v4
+        with:
+          name: tf-plan
+      - run: nix develop -c just init
+      - run: nix develop -c just apply

internal/templates/templates/terraform/.gitignore

@@ -0,0 +1,38 @@
+.direnv
+*.tfplan
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+.terraform.lock.hcl