From 3bdeeddb2811358eb08e01e03d1f187ea2a6288a Mon Sep 17 00:00:00 2001 From: "V. Alex Brennen" Date: Tue, 25 Feb 2025 10:54:33 -0500 Subject: [PATCH] repo update and maintenance Why these changes are being introduced: This commit adds new standardized workflows to this repository. It expands the files and documentation and brings them up to our new standards. This should significantly reduce the amount of work it takes for us to deploy new apps off of this template and reduce errors and missing code/docs while doing so. Finally, this commit updates the version of terraform and pre-commit action dependency programs. How this addresses that need: - Add pre-commit hooks, files, and code - Update terraform version to v1.10 - Update all workflow app versions - SECURITY: restrict GH workflows to readonly - Add CODEOWNERS file - Add set/delete initial SSM param scripts - README.md documentation updates - Add placeholder .terraform.lock.hcl Side effects of this change: None Changes to be committed: new file: .github/CODEOWNERS modified: .github/workflows/tf-shared-workflows.yml new file: .pre-commit-config.yaml new file: .terraform-docs.yaml new file: .terraform.lock.hcl modified: README.md modified: files/README.md new file: files/delete_initial_ssm_param.sh new file: files/set_initial_ssm_param.sh modified: versions.tf --- .github/CODEOWNERS | 20 ++++++ .github/workflows/tf-shared-workflows.yml | 1 + .pre-commit-config.yaml | 18 ++++++ .terraform-docs.yaml | 5 ++ .terraform.lock.hcl | 25 +++++++ README.md | 79 ++++++++++++++++++++++- files/README.md | 5 ++ files/delete_initial_ssm_param.sh | 7 ++ files/set_initial_ssm_param.sh | 10 +++ versions.tf | 2 +- 10 files changed, 169 insertions(+), 3 deletions(-) create mode 100644 .github/CODEOWNERS create mode 100644 .pre-commit-config.yaml create mode 100644 .terraform-docs.yaml create mode 100644 .terraform.lock.hcl create mode 100644 files/delete_initial_ssm_param.sh create mode 100644 files/set_initial_ssm_param.sh 
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..1cecb6b
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,20 @@
+# CODEOWNERS file (from GitHub template at
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners)
+# Each line is a file pattern followed by one or more owners.
+
+################################################################################
+# These owners will be the default owners for everything in the repo. Unless a
+# later match takes precedence, @cabutlermit will be requested for review when
+# someone opens a pull request.This is commented out in favor of using a team
+# as the default (see below). It is left here as a comment to indicate the
+# primary expert for this code.
+# * @[Infrateam member github handle]
+
+# Teams can be specified as code owners as well. Teams should be identified in
+# the format @org/team-name. Teams must have explicit write access to the
+# repository.
+* @mitlibraries/infraeng-terraform-reviewers
+
+# We set the senior engineer in the team as the owner of the CODEOWNERS file as
+# a layer of protection for unauthorized changes.
+/.github/CODEOWNERS @cabutlermit
diff --git a/.github/workflows/tf-shared-workflows.yml b/.github/workflows/tf-shared-workflows.yml
index e0abc5d..c10ab82 100644
--- a/.github/workflows/tf-shared-workflows.yml
+++ b/.github/workflows/tf-shared-workflows.yml
@@ -9,6 +9,7 @@ on: - 'main' paths: - '**/*.tf' +permissions: read-all jobs: validate:
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..0a3d25a
--- /dev/null
+++ b/.pre-commit-config.yaml
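Review bot: The commented default-owner block is internally inconsistent: the prose says `@cabutlermit will be requested for review`, but the commented rule beneath it reads `# * @[Infrateam member github handle]`, so a reader cannot tell which is the template value to fill in; the same sentence also runs two words together (`pull request.This`). The final rule only protects this file if the branch protection rule on `main` requires review from Code Owners, which CODEOWNERS itself cannot express, so I would add `# NOTE: this is only enforced when branch protection requires Code Owner review.` above `/.github/CODEOWNERS @cabutlermit`. Separately, the README hunk in this same commit links to this file as `./github/CODEOWNERS`, missing the leading dot, so that link will not resolve.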
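Review bot: `permissions: read-all` grants read on every token scope rather than only the ones the shared workflows use; for least privilege I would enumerate what is needed, e.g. `permissions:` / `  contents: read`. If the called shared workflows authenticate to AWS via OIDC (the commit message mentions GHA OIDC roles, but the called workflows are not in this diff) they also need `id-token: write`, which `read-all` does not grant and which a reusable workflow can only receive if the caller grants it, so confirm their requirements before relying on this setting. The `jobs:` block continues outside the hunk.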
@@ -0,0 +1,18 @@ +repos: + - repo: https://github.com/antonbabenko/pre-commit-terraform + rev: "v1.97.3" + hooks: + - id: terraform_fmt + args: + - --args=-recursive + - id: terraform_validate + - repo: https://github.com/terraform-docs/terraform-docs + rev: "v0.19.0" + hooks: + - id: terraform-docs-go + args: ["markdown", "table", "--config", "./.terraform-docs.yaml", "--recursive", "--output-file", "README.md", "./"] + - repo: https://github.com/bridgecrewio/checkov.git + rev: '3.2.373' + hooks: + - id: checkov + verbose: false diff --git a/.terraform-docs.yaml b/.terraform-docs.yaml new file mode 100644 index 0000000..da88d31 --- /dev/null +++ b/.terraform-docs.yaml @@ -0,0 +1,5 @@ +formatter: "" # this is required + +settings: + anchor: false + html: false diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl new file mode 100644 index 0000000..9984bd5 --- /dev/null +++ b/.terraform.lock.hcl 
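Review bot: The three `rev` values (`v1.97.3`, `v0.19.0`, `3.2.373`) are git tags, which upstream maintainers can move or recreate, so the hooks that run before each push are not pinned to immutable content; pre-commit accepts a full commit SHA in `rev`, which would pin each hook to exactly the code that was reviewed. If SHAs are adopted, the README step that tells template users to bump these to the latest versions should say to resolve the new tag to its SHA rather than pasting the tag. A minor style point: `rev: '3.2.373'` uses single quotes while the other two entries use double quotes.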
@@ -0,0 +1,25 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.88.0" + constraints = "~> 5.0" + hashes = [ + "h1:PXaP+z5Z9pcUUcJqS6ea09wR/cscBq1F9jRsNqe39rM=", + "zh:24f852b1cca276d91f950cb7fb575cacc385f55edccf4beec1f611cdd7626cf5", + "zh:2a3b3f5ac513f8d6448a31d9619f8a96e0597dd354459de3a4698e684c909f96", + "zh:3700499885a8e0e532eccba3cb068340e411cf9e616bf8a59e815d3b62ca3e46", + "zh:4aab3605468244a74cbde66784ea1d30dc0fc6caf26d1b099427ecd5790f7c4d", + "zh:74eca9314d6dd80b215d7bc1c4be37d81e1045d625d5b512995f3a352d7a43bc", + "zh:77d9a06c63a4ad615bc97f67f948250397267f15698ebb2547fbdd20f734983c", + "zh:82d6aaef1eb0caf9ca451887fdbdcff10ab09318b1d60faa883a013283ab2b15", + "zh:8dbcfb121b887ce8572f5ab8174d592a729390ca32dc5fdacac4c7c1c508411a", + "zh:95d51e80b55ff9064f5c1bc61d78f992e2f89c986ba2b10546ea4461d35c24f9", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9ead5de0e123020926a0edaf88d9eed5cb86afe438a875528f6d11d0d27eed73", + "zh:ab7c940cbb2081314f4af3cdd61ed2c1d59fd7a60fa3db27770887d63072fbdd", + "zh:d52cd68006fd6fa8d028cdf569a6620fbc31726019beb7c75affa8764622d398", + "zh:f179ca86ad5d5fb88dfd8e8e7c448f2c0ad550d22152f939b8465baeaf9289e9", + "zh:f54dda271fa6dfee06537066278669a3f92c872e7dfa5a0184cd9117f7e47b8c", + ] +} diff --git a/README.md b/README.md index d6e878e..25f22c7 100644 --- a/README.md +++ b/README.md 
@@ -10,6 +10,8 @@ After deploying this, the following steps must be completed. 1. **Optional**: Update the `locals {}` block in [main.tf](./main.tf) to provide a project-id. 1. **Optional**: Update the `tags {}` block in [providers.tf](./providers.tf) to enable a backup plan via AWS Backups 1. Copy the `locals {}` block from the [deleteme.tf](./deleteme.tf) file and paste it into each `.tf` file that will create named resources. +1. Update the [CODEOWNERS](./github/CODEOWNERS) file. +1. Update the Pre-Commit Actions programs in [.pre-commit-config](./pre-commit-config.yaml) to the latest versions. 1. Delete the [deleteme.tf](./deleteme.tf) file. 1. Delete the file tree below. @@ -24,6 +26,10 @@ After deploying this, the following steps must be completed. │ └── adrs │ ├── 0001-record-architecture-decisions.md │ └── 0002-upgrade-to-cloud-block.md +├── files +│ └── README.md +│ └── delete_initial_ssm_param.sh +│ └── set_initial_ssm_param.sh ├── main.tf ├── modules │ └── README.md 
@@ -36,6 +42,75 @@ After deploying this, the following steps must be completed. └── versions.tf ``` +## Pre-Commit + +For proper linting and checking, this repo uses [pre-commit](https://pre-commit.com/) together with `pre-push` hooks. The following should be installed in the local workstation + +* [pre-commit](https://pre-commit.com/) +* [terraform cli](https://developer.hashicorp.com/terraform/downloads) +* [terraform-docs](https://terraform-docs.io/) +* [checkov](https://github.com/bridgecrewio/checkov) + +### Install pre-commit + +After the first checkout locally, run the following command to initialize [pre-commit](https://pre-commit.com/) and link it to the git `pre-push` hook. This will allow you to make local commits as much as you want and no linting/checking will run. Only when you attempt to push your commits to GitHub will [pre-commit](https://pre-commit.com/) run the hooks. + +```bash +pre-commit install --hook-type pre-push +``` + +### Run hooks on your own + +It is possible to run the [pre-commit](https://pre-commit.com/) hooks manually. To run **all** the pre-commit hooks for this repo, run + +```bash +pre-commit run --all-files +``` + +To run just the `checkov` checker, run + +```bash +pre-commit run checkov +``` + +To run just the `terraform-docs` hook to update the README, run + +```bash +pre-commit run terraform-docs-go +``` + +See [.pre-commit-config.yaml](./.pre-commit-config.yaml) for any other hooks that can be run. + +## Requirements/Dependencies + +This section provides descriptions of any requirements or dependencies that this infrastructure repository has. This may include other github repositories or any ParameterStore SSM objects that much be defined. 
As a documentation formatting example some repository and SSM requirements/dependencies are shown: + +* ECR generated by [mitlib-tf-workloads-ecr](https://github.com/mitlibraries/mitlib-tf-workloads-ecr) +* GHA OIDC roles generated by [mitlib-tf-workloads-ecr](https://github.com/mitlibraries/mitlib-tf-workloads-ecr) +* Manual parameters set in SSM Parameter Store as inputs to this repo and passed to the container task as environment vars (see [set_initial_ssm_param.sh](files/set_initial_ssm_param.sh) and [delete_initial_ssm_param.sh](files/delete_initial_ssm_param.sh) for details) +* `log-level` (Debugging level for the application) + +## Related Assets + +This section provides descriptions of any infrastructure and application github repositories that this infrastructure application is related to. For example, this may be the Data Team's application repository for this project. It may also include base infrastructure repositories this infrastructure code depends on (such as ECR), or other application repositories that are part of a larger multi-app project. As a documentation formatting examples some sample repository dependencies are shown: + +* [(DataApp) Application Container](https://github.com/MITLibraries/(DataApp)) - The (DataApp) Application Code +* [ECR Infrastructure](https://github.com/MITLibraries/mitlib-tf-workloads-ecr) - The ECR Infrastructure Repository + +### IAM Roles and Policies for the task + +This section provides descriptions of any IAM roles and policies that are created and defined. + +### CloudWatch logs and Monitoring + +This section provides a description of CloudWatch logging and any monitoring in place. + +## Maintainers + +* Owner: See [CODEOWNERS](./.github/CODEOWNERS) +* Team: See [CODEOWNERS](./.github/CODEOWNERS) +* Last Maintenance: YYYY-MM + ## TF markdown is automatically inserted at the bottom of this file, nothing should be written beyond this point 
@@ -43,14 +118,14 @@ After deploying this, the following steps must be completed. | Name | Version | |------|---------| -| terraform | ~> 1.2 | +| terraform | ~> 1.10 | | aws | ~> 5.0 | ## Providers | Name | Version | |------|---------| -| aws | ~> 5.0 | +| aws | 5.88.0 | ## Modules
diff --git a/files/README.md b/files/README.md
index e829b8f..1a0fc01 100644
--- a/files/README.md
+++ b/files/README.md
@@ -1,3 +1,8 @@ # Files README This is where any files used by Terraform should be stored. + +## Contents + +* [delete_initial_ssm_param.sh](./delete_initial_ssm_param.sh): Pseudo-script for deleting the required "manual" parameters for the application infrastructure +* [set_initial_ssm_param.sh](./set_initial_ssm_param.sh): Pseudo-script for generating the required "manual" parameters for the application infrastructure
diff --git a/files/delete_initial_ssm_param.sh b/files/delete_initial_ssm_param.sh
new file mode 100644
index 0000000..fe5d14f
--- /dev/null
+++ b/files/delete_initial_ssm_param.sh
@@ -0,0 +1,7 @@
+### Template Script for deleting the "manual" SSM Parameter Store values
+
+## This is not a real bash script, just a list of AWS CLI commands and dummy
+## values that can be used to delete all of the required SSM Param Store
+## values needed by Ansible
+
+# aws ssm delete-parameter --name "/tfvars/(app name)/(example-ssm-param)"
diff --git a/files/set_initial_ssm_param.sh b/files/set_initial_ssm_param.sh
new file mode 100644
index 0000000..aa6ece6
--- /dev/null
+++ b/files/set_initial_ssm_param.sh
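Review bot: The parameter path in `# aws ssm delete-parameter --name "/tfvars/(app name)/(example-ssm-param)"` does not match the `/tfvars/apps-vars/(app name)/...` prefix used by the companion set script in this commit, so following both templates literally would target a name the set script never created and leave the real parameter in place; presumably the set script's prefix is the intended one, but confirm against the SSM data sources in the Terraform code, which are not in this diff. The line `## values needed by Ansible` also looks carried over from another template, since the rest of this repository refers to Terraform; I would change it to `## values needed by the Terraform code in this repository`. The file has no shebang and is documented as a pseudo-script, so the `.sh` suffix is slightly misleading, though consistent with its sibling.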
@@ -0,0 +1,10 @@
+### This is not actually a shell script, copy/paste these lines after editing
+### them locally into cloudshell to set parameters easily.
+
+## Application configuration variables
+# Note: SSM objects provided through the console are dev/test/prod environment
+# specific and/or may be sensitive. Those values may be retrieved through
+# LastPass or from the Infra-Data team.
+
+# aws ssm put-parameter --name "/tfvars/apps-vars/(app name)/(example-ssm-param)" --type "String" --description "(example description)" --overwrite --value "(example value)"
+# aws ssm put-parameter --name "/tfvars/apps-vars/(app name)/(example-ssm-secure-param)" --type "SecureString" --description "(example description)" --overwrite --value "(example secure value)"
diff --git a/versions.tf b/versions.tf
index 2c5ecee..95b6513 100644
--- a/versions.tf
+++ b/versions.tf
@@ -3,7 +3,7 @@ # Providers themselves are set in the `providers.tf` file. terraform { - required_version = "~> 1.2" + required_version = "~> 1.10" required_providers { aws = {
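Review bot: The `SecureString` example passes the secret inline via `--value "(example secure value)"`, and the header tells users to paste these lines into CloudShell, so the plaintext secret is recorded in the shell history and visible in process listings while the command runs; I would have the template read it from a file instead, e.g. `--value file://secure-param.txt`, and add `# Do not paste real secret values inline; they are kept in shell history.` after the Note comment. Without `--key-id` the SecureString is encrypted with the account's default `aws/ssm` key, which is worth stating in the comment if that is the intended choice. `--overwrite` also silently replaces any existing value of the same name, which is a larger concern for the secure parameter than for the plain one.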