Merge remote-tracking branch 'origin/general-repo-infrastructure' int…

…o jrp/terragrunt-iac

.bash_scripts/git-config-nano.sh

@@ -0,0 +1,4 @@
+set -ex
+
+# In Cloud9, everytime the EC2 reboots, it seems like you need to explicitly set nano as the editor in order to allow interactive rebasing to work
+git config --global core.editor "nano"

.bash_scripts/install-terraform.sh

@@ -0,0 +1,10 @@
+set -ex
+# adapted from https://phoenixnap.com/kb/how-to-install-terraform-centos-ubuntu
+sudo apt-get update
+sudo apt-get install wget unzip
+# update this to the version you want to install
+sudo wget https://releases.hashicorp.com/terraform/0.14.7/terraform_0.14.7_linux_amd64.zip
+
+sudo unzip terraform_0.14.7_linux_amd64.zip –d /usr/local/bin
+
+terraform –v

.bash_scripts/remove-local-git-branchs-that-are-gone-on-remote.sh

@@ -0,0 +1,5 @@
+set -ex
+# check remote for any updates and prune old branches deleted on remote
+git fetch --prune
+# delete local branches that are listed as "gone" on remote
+git branch -vv | grep ': gone]'|  grep -v "\*" | awk '{ print $1; }' | xargs -r git branch -d

.bash_scripts/resize-cloud9-volume.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Specify the desired volume size in GiB as a command-line argument. If not specified, default to 20 GiB.
+# To run: sh resize-cloud9-volume.sh
+SIZE=${1:-20}
+
+# Install the jq command-line JSON processor.
+sudo apt install -y jq
+
+# Get the ID of the envrionment host Amazon EC2 instance.
+INSTANCEID=$(curl http://169.254.169.254/latest/meta-data//instance-id)
+
+# Get the ID of the Amazon EBS volume associated with the instance.
+VOLUMEID=$(aws ec2 describe-instances --instance-id $INSTANCEID | jq -r .Reservations[0].Instances[0].BlockDeviceMappings[0].Ebs.VolumeId)
+
+# Resize the EBS volume.
+aws ec2 modify-volume --volume-id $VOLUMEID --size $SIZE
+
+# Wait for the resize to finish.
+while [ "$(aws ec2 describe-volumes-modifications --volume-id $VOLUMEID --filters Name=modification-state,Values="optimizing","completed" | jq '.VolumesModifications | length')" != "1" ]; do
+  sleep 1
+done
+
+# Rewrite the partition table so that the partition takes up all the space that it can.
+sudo growpart /dev/xvda 1
+
+# Expand the size of the file system.
+sudo resize2fs /dev/xvda1

.github/.codecov.yml

@@ -0,0 +1,2 @@
+comment:
+  require_changes: true  # if true: only post the comment if coverage changes

.github/dependabot.yaml

@@ -0,0 +1,26 @@
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    # when multiple pull requests are open at once then they can accidentally be merged too quickly without time for rebasing in between
+    open-pull-requests-limit: 1
+    # Labels on pull requests for version updates only
+    pull-request-branch-name:
+      # Separate sections of the branch name with a hyphen
+      # for example, `dependabot-npm_and_yarn-next_js-acorn-6.4.1`
+      separator: "-"
+
+  - package-ecosystem: "github-actions"
+    # Workflow files stored in the
+    # default location of `.github/workflows`
+    directory: "/"
+    schedule:
+      interval: "daily"
+    # when multiple pull requests are open at once then they can accidentally be merged too quickly without time for rebasing in between
+    open-pull-requests-limit: 1
+    pull-request-branch-name:
+      # Separate sections of the branch name with a hyphen
+      # for example, `dependabot-npm_and_yarn-next_js-acorn-6.4.1`
+      separator: "-"

.github/workflows/dev-test.yaml

@@ -22,17 +22,13 @@ jobs:
       fail-fast: false
       matrix:
         os:
-          - "ubuntu-18.04"
+          - "ubuntu-20.04"
         python-version:
-            - 3.8
+            - 3.9
         include:
-          # only enable coverage on the fastest job
-          - os: "ubuntu-18.04"
-            python-version: "3.8"
-            ENABLE_CODE_COVERAGE: true
+          - os: "ubuntu-20.04"
+            python-version: "3.9"
             IS_FASTEST_JOB: true
-          - os: "ubuntu-18.04"
-            IS_LINUX: true
     name: Python ${{ matrix.python-version }} on ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
     steps:
@@ -50,8 +46,26 @@ jobs:
           python -c "import sys; print(sys.version)"
           python -m venv venv
 
+      - name: 'Terraform Setup'
+        # setup Terraform to make sure to have the correct version when running pre-commit hooks
+        uses: hashicorp/setup-terraform@v1
+        with:
+          terraform_version: 0.14.7
+
+      - name: Cache Pre-commit hooks
+        uses: actions/[email protected]
+        env:
+          cache-name: cache-pre-commit-hooks
+        if: matrix.IS_FASTEST_JOB == true
+        with:
+          path: ./.precommit_cache
+          key: ${{ matrix.os }}-${{ matrix.python-version }}-build-${{ env.cache-name }}-${{ hashFiles('**/.pre-commit-config.yaml') }}
+          restore-keys: |
+            ${{ matrix.os }}-${{ matrix.python-version }}-build-${{ env.cache-name }}-
+
+
       - name: Activate virtual environment (Linux/MacOS)
-        if: matrix.IS_LINUX == true
+        if: runner.os == 'Linux' || runner.os == 'macOS'
         run: . venv/bin/activate
 
       - name: Display Pip Version and confirm environment empty
@@ -67,6 +81,8 @@ jobs:
       - name: Run pre-commit hooks
         if: matrix.IS_FASTEST_JOB == true
         # only enable pre-commit on the fastest job
+        env:
+          PRE_COMMIT_HOME: ./.precommit_cache
         run: |
           pre-commit install
           pre-commit run -a

.github/workflows/terraform-test.yaml

@@ -10,7 +10,7 @@ defaults:
 jobs:
   terraform:
     name: 'Terraform'
-    runs-on: ubuntu-latest
+    runs-on: "ubuntu-20.04"
     environment: test
 
     env:
@@ -23,13 +23,12 @@ jobs:
 
       - name: 'Terraform Setup'
         uses: hashicorp/setup-terraform@v1
+        with:
+          terraform_version: 0.14.7
 
       - name: 'Terraform Init'
         run: terraform init
 
-      - name: 'Terraform Format'
-        run: terraform fmt -check
-
       - name: 'Terraform Plan'
         run: terraform plan
 

.gitignore

@@ -2,6 +2,11 @@
 .idea/
 .~c9*
 
+# CI caches
+.npm_cache/
+.precommit_cache/
+.pipenv_cache/
+
 # Python
 *.py[cod]
 __pycache__/

.pre-commit-config.yaml

@@ -1,41 +1,48 @@
-minimum_pre_commit_version: '2.4.0'
+minimum_pre_commit_version: 2.4.0
 # default_stages: [commit, push]
 # fail_fast: true
 repos:
 
 # Git-related
 -   repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v2.4.0  # Use the ref you want to point at
+    rev: v3.4.0  # Use the ref you want to point at
     hooks:
     -   id: forbid-new-submodules
 -   repo: https://github.com/jumanjihouse/pre-commit-hooks
-    rev: 1.11.0  # Use the ref you want to point at
+    rev: 2.1.5  # Use the ref you want to point at
     hooks:
     -   id: git-dirty
 
 # Reformatting (should generally come before any file format or other checks, because reformatting can change things)
 -   repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v2.4.0  # Use the ref you want to point at
+    rev: v3.4.0  # Use the ref you want to point at
     hooks:
-        # black and docformatter don't do this in docstrings (11/1/19)
     -   id: trailing-whitespace
     -   id: pretty-format-json
         args: [--autofix, --no-sort-keys]
+-   repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.45.0
+    hooks:
+    -   id: terraform_fmt
 
 # Safety/Security Issues
 -   repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v2.4.0  # Use the ref you want to point at
+    rev: v3.4.0  # Use the ref you want to point at
     hooks:
     -   id: detect-private-key
 
 # Invalid File Checks
 -   repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v2.4.0  # Use the ref you want to point at
+    rev: v3.4.0  # Use the ref you want to point at
     hooks:
     -   id: check-added-large-files
         args: ['--maxkb=123']
     -   id: check-json
     -   id: check-yaml
     -   id: check-xml
     -   id: check-merge-conflict
-    -   id: check-case-conflict
+    -   id: check-case-conflict
+-   repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.45.0
+    hooks:
+    -   id: terraform_validate

infra/global/main.tf

@@ -34,6 +34,7 @@ resource "aws_dynamodb_table" "terraform_locks" {
 }
 
 terraform {
+  required_version = "0.14.7"
   backend "s3" {
     bucket = "curi-tf-state"
     key    = "global/terraform.tfstate"

infra/prod/main.tf

@@ -5,13 +5,23 @@ provider "aws" {
 resource "aws_s3_bucket" "prod_bucket" {
   bucket = "curi-prod-test"
 
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        sse_algorithm = "AES256"
+      }
+    }
+  }
+
   tags = {
     Name        = "curi-prod-test"
     Environment = "prod"
   }
 }
 
 terraform {
+  required_version = "0.14.7"
+
   backend "s3" {
     bucket = "curi-tf-state"
     key    = "prod/terraform.tfstate"

infra/test/main.tf

@@ -5,13 +5,23 @@ provider "aws" {
 resource "aws_s3_bucket" "test_bucket" {
   bucket = "curi-dev-test"
 
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        sse_algorithm = "AES256"
+      }
+    }
+  }
+
   tags = {
     Name        = "curi-prod-test"
     Environment = "test"
   }
 }
 
 terraform {
+  required_version = "0.14.7"
+
   backend "s3" {
     bucket = "curi-tf-state"
     key    = "test/terraform.tfstate"