MITLibraries · vab · Feb 25, 2025 · Feb 25, 2025
@@ -0,0 +1,20 @@
+# CODEOWNERS file (from GitHub template at
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners)
+# Each line is a file pattern followed by one or more owners.
+
+################################################################################
+# These owners will be the default owners for everything in the repo. Unless a
+# later match takes precedence, @cabutlermit will be requested for review when 
+# someone opens a pull request.This is commented out in favor of using a team
+# as the default (see below). It is left here as a comment to indicate the
+# primary expert for this code.
+# * @[Infrateam member github handle]
+
+# Teams can be specified as code owners as well. Teams should be identified in
+# the format @org/team-name. Teams must have explicit write access to the 
+# repository.
+* @mitlibraries/infraeng-terraform-reviewers
+
+# We set the senior engineer in the team as the owner of the CODEOWNERS file as
+# a layer of protection for unauthorized changes.
+/.github/CODEOWNERS @cabutlermit
@@ -9,6 +9,7 @@ on:
       - 'main'
     paths:
       - '**/*.tf'
+permissions: read-all
 
 jobs:
   validate:

@@ -0,0 +1,18 @@
+repos:
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: "v1.97.3"
+    hooks:
+      - id: terraform_fmt
+        args:
+          - --args=-recursive
+      - id: terraform_validate
+  - repo: https://github.com/terraform-docs/terraform-docs
+    rev: "v0.19.0"
+    hooks:
+      - id: terraform-docs-go
+        args: ["markdown", "table", "--config", "./.terraform-docs.yaml", "--recursive", "--output-file", "README.md", "./"]
+  - repo: https://github.com/bridgecrewio/checkov.git
+    rev: '3.2.373'
+    hooks:
+      - id: checkov
+        verbose: false
@@ -0,0 +1,5 @@
+formatter: "" # this is required
+
+settings:
+  anchor: false
+  html: false
@@ -10,6 +10,8 @@ After deploying this, the following steps must be completed.
 1. **Optional**: Update the `locals {}` block in [main.tf](./main.tf) to provide a project-id.
 1. **Optional**: Update the `tags {}` block in [providers.tf](./providers.tf) to enable a backup plan via AWS Backups
 1. Copy the `locals {}` block from the [deleteme.tf](./deleteme.tf) file and paste it into each `.tf` file that will create named resources.
+1. Update the [CODEOWNERS](./github/CODEOWNERS) file.
+1. Update the Pre-Commit Actions programs in [.pre-commit-config](./pre-commit-config.yaml) to the latest versions.
 1. Delete the [deleteme.tf](./deleteme.tf) file.
 1. Delete the file tree below.
 
@@ -24,6 +26,10 @@ After deploying this, the following steps must be completed.
 │   └── adrs
 │       ├── 0001-record-architecture-decisions.md
 │       └── 0002-upgrade-to-cloud-block.md
+├── files
+│   └── README.md
+│   └── delete_initial_ssm_param.sh
+│   └── set_initial_ssm_param.sh
 ├── main.tf
 ├── modules
 │   └── README.md
@@ -36,21 +42,90 @@ After deploying this, the following steps must be completed.
 └── versions.tf
 ```
 
+## Pre-Commit
+
+For proper linting and checking, this repo uses [pre-commit](https://pre-commit.com/) together with `pre-push` hooks. The following should be installed in the local workstation
+
+* [pre-commit](https://pre-commit.com/)
+* [terraform cli](https://developer.hashicorp.com/terraform/downloads)
+* [terraform-docs](https://terraform-docs.io/)
+* [checkov](https://github.com/bridgecrewio/checkov)
+
+### Install pre-commit
+
+After the first checkout locally, run the following command to initialize [pre-commit](https://pre-commit.com/) and link it to the git `pre-push` hook. This will allow you to make local commits as much as you want and no linting/checking will run. Only when you attempt to push your commits to GitHub will [pre-commit](https://pre-commit.com/) run the hooks.
+
+```bash
+pre-commit install --hook-type pre-push
+```
+
+### Run hooks on your own
+
+It is possible to run the [pre-commit](https://pre-commit.com/) hooks manually. To run **all** the pre-commit hooks for this repo, run
+
+```bash
+pre-commit run --all-files
+```
+
+To run just the `checkov` checker, run
+
+```bash
+pre-commit run checkov
+```
+
+To run just the `terraform-docs` hook to update the README, run
+
+```bash
+pre-commit run terraform-docs-go
+```
+
+See [.pre-commit-config.yaml](./.pre-commit-config.yaml) for any other hooks that can be run.
+
+## Requirements/Dependencies
+
+This section provides descriptions of any requirements or dependencies that this infrastructure repository has. This may include other github repositories or any ParameterStore SSM objects that much be defined. As a documentation formatting example some repository and SSM requirements/dependencies are shown:
+
+* ECR generated by [mitlib-tf-workloads-ecr](https://github.com/mitlibraries/mitlib-tf-workloads-ecr)
+* GHA OIDC roles generated by [mitlib-tf-workloads-ecr](https://github.com/mitlibraries/mitlib-tf-workloads-ecr)
+* Manual parameters set in SSM Parameter Store as inputs to this repo and passed to the container task as environment vars (see [set_initial_ssm_param.sh](files/set_initial_ssm_param.sh) and [delete_initial_ssm_param.sh](files/delete_initial_ssm_param.sh) for details)
+* `log-level` (Debugging level for the application)
+
+## Related Assets
+
+This section provides descriptions of any infrastructure and application github repositories that this infrastructure application is related to. For example, this may be the Data Team's application repository for this project. It may also include base infrastructure repositories this infrastructure code depends on (such as ECR), or other application repositories that are part of a larger multi-app project. As a documentation formatting examples some sample repository dependencies are shown:
+
+* [(DataApp) Application Container](https://github.com/MITLibraries/(DataApp)) - The (DataApp) Application Code
+* [ECR Infrastructure](https://github.com/MITLibraries/mitlib-tf-workloads-ecr) - The ECR Infrastructure Repository
+
+### IAM Roles and Policies for the task
+
+This section provides descriptions of any IAM roles and policies that are created and defined.
+
+### CloudWatch logs and Monitoring
+
+This section provides a description of CloudWatch logging and any monitoring in place.
+
+## Maintainers
+
+* Owner: See [CODEOWNERS](./.github/CODEOWNERS)
+* Team: See [CODEOWNERS](./.github/CODEOWNERS)
+* Last Maintenance: YYYY-MM
+
 ## TF markdown is automatically inserted at the bottom of this file, nothing should be written beyond this point
 
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| terraform | ~> 1.2 |
+| terraform | ~> 1.10 |
 | aws | ~> 5.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| aws | ~> 5.0 |
+| aws | 5.88.0 |
 
 ## Modules
 

@@ -1,3 +1,8 @@
 # Files README
 
 This is where any files used by Terraform should be stored.
+
+## Contents
+
+* [delete_initial_ssm_param.sh](./delete_initial_ssm_param.sh): Pseudo-script for deleting the required "manual" parameters for the application infrastructure
+* [set_initial_ssm_param.sh](./set_initial_ssm_param.sh): Pseudo-script for generating the required "manual" parameters for the application infrastructure
@@ -0,0 +1,7 @@
+### Template Script for deleting the "manual" SSM Parameter Store values
+
+## This is not a real bash script, just a list of AWS CLI commands and dummy
+## values that can be used to delete all of the required SSM Param Store
+## values needed by Ansible
+
+# aws ssm delete-parameter --name "/tfvars/(app name)/(example-ssm-param)"
@@ -0,0 +1,10 @@
+### This is not actually a shell script, copy/paste these lines after editing
+### them locally into cloudshell to set parameters easily. 
+
+## Application configuration variables
+# Note: SSM objects provided through the console are dev/test/prod environment
+# specific and/or may be sensitive. Those values may be retrieved through 
+# LastPass or from the Infra-Data team.
+
+# aws ssm put-parameter --name "/tfvars/apps-vars/(app name)/(example-ssm-param)" --type "String" --description "(example description)" --overwrite --value "(example value)"
+# aws ssm put-parameter --name "/tfvars/apps-vars/(app name)/(example-ssm-secure-param)" --type "SecureString" --description "(example description)" --overwrite --value "(example secure value)"
@@ -3,7 +3,7 @@
 # Providers themselves are set in the `providers.tf` file.
 
 terraform {
-  required_version = "~> 1.2"
+  required_version = "~> 1.10"
 
   required_providers {
     aws = {
-Original file line number
+Diff line change
@@ Expand Up / @@ -9,6 +9,7 @@ on: @@
           - 'main'
         paths:
           - '**/*.tf'
+    permissions: read-all
     jobs:
       validate:
@@ Expand Down @@