chore(misc): add default renovate and pre-commit config (#3)

.github/.yamllint

@@ -0,0 +1,18 @@
+---
+extends: default
+
+rules:
+  indentation:
+    indent-sequences: false
+  document-start:
+    level: error
+  comments:
+    level: error
+  comments-indentation:
+    level: error
+  line-length:
+    max: 175
+  truthy:
+    # prevent false positives on Github Actions workflow files with `on`,
+    # see https://github.com/adrienverge/yamllint/issues/158
+    check-keys: false

.github/renovate.json5

@@ -0,0 +1,136 @@
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+  extends: [
+    "config:recommended",
+    ":automergeDisabled",
+    ":semanticCommits",
+    ":dependencyDashboard",
+    ":enablePreCommit",
+  ],
+  schedule: ["every weekend"],
+  platformAutomerge: false,
+  prHourlyLimit: 6,
+  prConcurrentLimit: 20,
+  commitBodyTable: true,
+  separateMajorMinor: false,
+  prBodyNotes: [
+    "{{#if isMajor}}:warning: THIS IS A MAJOR VERSION UPDATE :warning:{{/if}}",
+    "Before merging, *always* check with the release notes if any other changes need to be done.",
+  ],
+  major: {
+    enabled: true,
+    addLabels: ["upgrade:major"],
+  },
+  minor: {
+    enabled: true,
+    addLabels: ["upgrade:minor"],
+  },
+  patch: {
+    enabled: true,
+    addLabels: ["upgrade:patch"],
+  },
+  vulnerabilityAlerts: {
+    addLabels: ["security"],
+    enabled: true
+  },
+  packageRules: [
+    // limit the PR creation for the Renovate pre-commit hook (it's released very frequently)
+    {
+      matchPackageNames: ["renovatebot/pre-commit-hooks"],
+      matchUpdateTypes: ["patch"],
+      enabled: false,
+    },
+    {
+      matchPackageNames: ["renovatebot/pre-commit-hooks"],
+      schedule: ["on Saturday"],
+    },
+    {
+      matchManagers: ["github-actions"],
+      addLabels: ["group:github-actions", "component:ci"],
+    },
+    // Terraform AWS modules
+    {
+      matchDatasources: ["terraform-module"],
+      matchPackagePatterns: ["terraform-aws-modules.*"],
+      addLabels: ["group:terraform"],
+      groupName: "Terraform AWS modules",
+      schedule: [
+        "every 2 weeks on Saturday and Sunday",
+      ],
+    },
+    // Terraform major provider updates
+    {
+      matchDatasources: ["terraform-provider"],
+      addLabels: ["group:terraform"],
+      schedule: [
+        "every 2 weeks on Saturday and Sunday",
+      ]
+    },
+    // Terraform patch provider updates
+    {
+      matchUpdateTypes: ["patch"],
+      matchDatasources: ["terraform-provider"],
+      addLabels: ["group:terraform", "automerge"],
+      groupName: "Terraform providers",
+      automerge: true,
+      schedule: [
+        "every 2 weeks on Saturday and Sunday",
+      ]
+    },
+    // Patches
+    // Those are tested packages, and we know that they follow the semver convention,
+    // but it's fine to have candidate packages to test before move them to minor section.
+    {
+      matchUpdateTypes: ["patch"],
+      matchPackagePatterns: [
+        "pre-commit",
+        "^terraform$",
+        "terraform-aws-modules/.+",
+      ],
+      addLabels: ["automerge"],
+      automerge: true,
+    },
+    // Minor versions
+    // Those are tested packages, and we know that they follow the semver convention,
+    // but it's fine to have candidate packages to test before move them to minor section.
+    {
+      matchUpdateTypes: ["minor"],
+      matchPackagePatterns: [
+        "pre-commit",
+      ],
+      addLabels: ["automerge"],
+      automerge: true,
+    },
+    // Create PRs and automerge mentioned components afterward
+    // Those are tested packages
+    {
+      matchUpdateTypes: ["major"],
+      matchPackagePatterns: [
+        "pre-commit/.+",
+      ],
+      addLabels: ["automerge"],
+      automerge: true,
+    },
+    {
+      matchUpdateTypes: ["major", "minor", "patch"],
+      matchManagers: ["pre-commit"],
+      groupName: "pre-commit hooks",
+      addLabels: ["automerge"],
+      automerge: true
+    },
+    // For known GitHub repositories that use GitHub tags/releases of format
+    // "v1.2.3" and where the asdf plugin ignores the "v" prefix, we also tell
+    // Renovate to ignore it via extractVersion when updating .tool-version file
+    {
+      matchFileNames: ["**/.tool-versions", "**/*.tf"],
+      matchPackageNames: [
+        "hashicorp/terraform",
+        "helm/helm",
+        "koalaman/shellcheck",
+        "pre-commit/pre-commit",
+        "rhysd/actionlint",
+      ],
+      extractVersion: "^v(?<version>.*)$",
+    },
+  ],
+}

.github/workflows/lint.yml

@@ -0,0 +1,25 @@
+---
+name: Lint
+
+on:
+  push:
+  pull_request:
+    branches:
+    - main
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+    - uses: actions/checkout@v4
+    - uses: asdf-vm/actions/setup@v3
+    - name: Install tooling required for pre-commit
+      run: |
+        for tool in actionlint shellcheck terraform tflint ; do
+          asdf plugin add "${tool}"
+          asdf install "${tool}"
+        done
+    - uses: pre-commit/[email protected]
+      with:
+        extra_args: --all-files --verbose

.github/workflows/nightly_aws_2_region.yml

@@ -1,3 +1,4 @@
+---
 name: Nightly AWS EKS 2 Region Test
 
 on:
@@ -22,14 +23,14 @@ jobs:
     - name: Get go.mod details
       uses: Eun/go-mod-details@v1
       id: go-mod-details
-      with: 
+      with:
         modfile: ${{ github.workspace }}/test/go.mod
-    
+
     - name: Set up Go environment
       uses: actions/setup-go@v5
       with:
         go-version: ${{ steps.go-mod-details.outputs.go_version }}
-    
+
     - name: Set up Terraform
       uses: hashicorp/setup-terraform@v3
       with:
@@ -49,7 +50,7 @@ jobs:
           secret/data/products/infrastructure-experience/ci/common AWS_SECRET_KEY;
 
     # Official action does not support profiles
-    - name: Add profile credentials to ~/.aws/credentials 
+    - name: Add profile credentials to ~/.aws/credentials
       run: |
           aws configure set aws_access_key_id ${{ steps.secrets.outputs.AWS_ACCESS_KEY }} --profile ${{ env.AWS_PROFILE }}
           aws configure set aws_secret_access_key ${{ steps.secrets.outputs.AWS_SECRET_KEY }} --profile ${{ env.AWS_PROFILE }}

.github/workflows/nightly_aws_region_cleanup.yml

@@ -1,3 +1,4 @@
+---
 name: Nightly AWS Region Cleanup
 
 on:
@@ -17,7 +18,7 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
-    
+
     - name: Import Secrets
       id: secrets
       uses: hashicorp/vault-action@v2
@@ -32,7 +33,7 @@ jobs:
           secret/data/products/infrastructure-experience/ci/common AWS_SECRET_KEY;
 
     # Official action does not support profiles
-    - name: Add profile credentials to ~/.aws/credentials 
+    - name: Add profile credentials to ~/.aws/credentials
       run: |
           aws configure set aws_access_key_id ${{ steps.secrets.outputs.AWS_ACCESS_KEY }} --profile ${{ env.AWS_PROFILE }}
           aws configure set aws_secret_access_key ${{ steps.secrets.outputs.AWS_SECRET_KEY }} --profile ${{ env.AWS_PROFILE }}
@@ -42,7 +43,7 @@ jobs:
       run: |
         wget https://github.com/gruntwork-io/cloud-nuke/releases/download/v0.33.0/cloud-nuke_linux_amd64
         chmod +x cloud-nuke_linux_amd64
-    
+
     # This is likely to fail, therefore we ignore the error
     # We're ignoring ec2_dhcp_option as they couldn't be deleted
     # cloudtrail is managed by IT and can't be deleted either
@@ -51,98 +52,29 @@ jobs:
       env:
         DISABLE_TELEMETRY: "true"
       run: |
-        ./cloud-nuke_linux_amd64 aws --region eu-west-2 --region eu-west-3 --force --newer-than 4h --exclude-resource-type ec2_dhcp_option --exclude-resource-type cloudtrail || true
-    
+        ./cloud-nuke_linux_amd64 aws \
+        --region eu-west-2 \
+        --region eu-west-3 \
+        --force \
+        --newer-than 4h \
+        --exclude-resource-type ec2_dhcp_option \
+        --exclude-resource-type cloudtrail || true
+
     # Following will delete global resources and things that cloud-nuke does not support
     - name: Delete additional AWS resources
       timeout-minutes: 15
-      run: |
-        echo "Deleting additional resources..."
-        # mac is using BSD xargs, where -n 1 and -I {} are required to make it work
-        # in GNU xargs -n 1 and -I are mutually exclusive
-        # KMS keys can't be deleted due to resource policies, requires manual intervention
-
-        echo "Deleting IAM Roles"
-        # Detach permissions and profile instances and delete IAM roles
-        role_arns=$(aws iam list-roles --query 'Roles[?contains(RoleName, `nightly`)].RoleName' --output text)
-
-        read -r -a role_arns_array <<< "$role_arns"
-
-        for role_arn in "${role_arns_array[@]}"
-        do
-            echo "Removing instance profiles and policies of role: $role_arn"
-            attached_policy_arns=$(aws iam list-attached-role-policies --role-name "$role_arn" --query 'AttachedPolicies[].PolicyArn' --output text)
-            read -r -a attached_policy_arns_array <<< "$attached_policy_arns"
-
-            for policy_arn in "${attached_policy_arns_array[@]}"
-            do
-                echo "Removing attached policy: $policy_arn"
-                aws iam detach-role-policy --role-name "$role_arn" --policy-arn "$policy_arn"
-            done
-
-            policy_arns=$(aws iam list-role-policies --role-name "$role_arn" --query 'PolicyNames' --output text)
-            read -r -a policy_arns_array <<< "$policy_arns"
-
-            for policy_arn in "${policy_arns_array[@]}"
-            do
-                echo "Deleting policy: $policy_arn"
-                aws iam delete-role-policy --role-name "$role_arn" --policy-name "$policy_arn"
-            done
-
-            instance_profile_arns=$(aws iam list-instance-profiles-for-role --role-name "$role_arn" --query 'InstanceProfiles[].InstanceProfileName' --output text)
-            read -r -a instance_profile_arns_array <<< "$instance_profile_arns"
-
-            for instance_profile_arn in "${instance_profile_arns_array[@]}"
-            do
-                echo "Removing instance profile: $instance_profile_arn"
-                aws iam remove-role-from-instance-profile --instance-profile-name "$instance_profile_arn" --role-name "$role_arn"
-            done
-
-            echo "Deleting role: $role_arn"
-            aws iam delete-role --role-name "$role_arn"
-
-        done
-
-        echo "Deleting IAM Policies"
-        # Delete Policies
-        iam_policies=$(aws iam list-policies --query 'Policies[?contains(PolicyName, `nightly`)].Arn' --output text)
-
-        read -r -a iam_policies_array <<< "$iam_policies"
-
-        for iam_policy in "${iam_policies_array[@]}"
-        do
-            echo "Deleting policy: $iam_policy"
-            aws iam delete-policy --policy-arn "$iam_policy"
-        done
-
-        echo "Deleting OIDC Providers"
-        # Delete OIDC Provider
-        oidc_providers=$(aws iam list-open-id-connect-providers --query 'OpenIDConnectProviderList[?contains(Arn, `eu-west-2`) || contains(Arn, `eu-west-3`)].Arn' --output text)
-
-        read -r -a oidc_providers_array <<< "$oidc_providers"
-
-        for oidc_provider in "${oidc_providers_array[@]}"
-        do
-            echo "Deleting OIDC Provider: $oidc_provider"
-            aws iam delete-open-id-connect-provider --open-id-connect-provider-arn "$oidc_provider"
-        done
-
-        echo "Deleting VPC Peering Connections"
-        # Delete VPC Peering Connection
-        peering_connection_ids=$(aws ec2 describe-vpc-peering-connections --region eu-west-2 --query 'VpcPeeringConnections[?Status.Code == `active` && Tags[?contains(Value, `nightly`)]]'.VpcPeeringConnectionId --output text)
-
-        read -r -a peering_connection_ids_array <<< "$peering_connection_ids"
-
-        for peering_connection_id in "${peering_connection_ids_array[@]}"
-        do
-            echo "Deleting VPC Peering Connection: $peering_connection_id"
-            aws ec2 delete-vpc-peering-connection --region eu-west-2 --vpc-peering-connection-id "$peering_connection_id"
-        done
+      run: .github/workflows/scripts/aws_cleanup.sh
 
     # The second run should remove the remaining resources (VPCs) and fail if there's anything left
     - name: Run Cloud Nuke
       timeout-minutes: 45
       env:
         DISABLE_TELEMETRY: "true"
       run: |
-        ./cloud-nuke_linux_amd64 aws --region eu-west-2 --region eu-west-3 --force --newer-than 4h --exclude-resource-type ec2_dhcp_option --exclude-resource-type cloudtrail
+        ./cloud-nuke_linux_amd64 aws \
+        --region eu-west-2 \
+        --region eu-west-3 \
+        --force \
+        --newer-than 4h \
+        --exclude-resource-type ec2_dhcp_option \
+        --exclude-resource-type cloudtrail