chore: added trunk for linter tooling
Showing 9 changed files with 142 additions and 59 deletions.
@@ -0,0 +1,19 @@ | ||
name: Trunk Check | ||
on: [push] | ||
concurrency: | ||
group: ${{ github.head_ref || github.run_id }} | ||
cancel-in-progress: true | ||
|
||
permissions: read-all | ||
|
||
jobs: | ||
trunk-check: | ||
runs-on: ubuntu-latest | ||
permissions: | ||
checks: write # For trunk to post annotations | ||
contents: read # For repo checkout | ||
steps: | ||
- uses: actions/checkout@v4 | ||
- uses: trunk-io/trunk-action@v1 | ||
with: | ||
check-mode: all |
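Review bot: the `concurrency.group` expression `${{ github.head_ref || github.run_id }}` never coalesces runs of this workflow, because `github.head_ref` is only populated for pull-request-type events and the only trigger here is `on: [push]`; every push therefore falls through to its unique `run_id`, so `cancel-in-progress: true` has nothing to cancel. Either add `pull_request` to the triggers or use `github.ref` in the group. Separately, both actions are pinned to floating tags (`actions/checkout@v4`, `trunk-io/trunk-action@v1`); pinning to a full commit SHA with the tag in a trailing comment is the usual supply-chain hardening for a workflow that is granted `checks: write`. The top-level `permissions: read-all` combined with the narrow job-level grant (`checks: write`, `contents: read`) is the right least-privilege shape and should be kept as the pattern for any future workflow.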
@@ -0,0 +1,9 @@ | ||
*out | ||
*logs | ||
*actions | ||
*notifications | ||
*tools | ||
plugins | ||
user_trunk.yaml | ||
user.yaml | ||
tmp |
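Review bot: five of the patterns carry a leading `*` (`*out`, `*logs`, `*actions`, `*notifications`, `*tools`), so each matches any path ending in that string rather than the single directory it is meant to cover; anchoring them as `/out`, `/logs` and so on would be tighter. This looks like the ignore file Trunk generates for its own cache directory, in which case the looseness is harmless, but `user_trunk.yaml` and `user.yaml` hold per-developer overrides and must stay ignored so that a local tweak to the lint set never ends up committed and silently applied to everyone.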
@@ -0,0 +1,2 @@ | ||
# Prettier friendly markdownlint config (all formatting rules disabled) | ||
extends: markdownlint/style/prettier |
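Review bot: `extends: markdownlint/style/prettier` turns off every markdownlint formatting rule on the assumption that Prettier formats the Markdown; that only holds while `prettier` stays enabled in the Trunk lint list, so the two configs are coupled and the comment should say so explicitly. Content rules such as MD034 (bare URLs) and MD036 (emphasis used as a heading) remain active, which is why the README keeps its `markdownlint-disable` comments for those two rules.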
@@ -0,0 +1,7 @@ | ||
enable=all | ||
source-path=SCRIPTDIR | ||
disable=SC2154 | ||
|
||
# If you're having issues with shellcheck following source, disable the errors via: | ||
# disable=SC1090 | ||
# disable=SC1091 |
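Review bot: `disable=SC2154` switches off the "variable is referenced but not assigned" warning for every script in the repo, and that is the check that catches an unset variable expanding to an empty string inside a path or command (an `rm -rf "$DIR/"` with `DIR` never assigned is the classic case). The usual motivation is variables that come from a sourced file, but `source-path=SCRIPTDIR` is already set here, so ShellCheck can follow `source` lines and see those assignments; prefer a per-line `# shellcheck disable=SC2154` where a variable genuinely arrives from the environment, and drop the global disable. The commented-out SC1090/SC1091 lines are fine to leave as documentation.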
@@ -0,0 +1,7 @@ | ||
rules: | ||
quoted-strings: | ||
required: only-when-needed | ||
extra-allowed: ["{|}"] | ||
key-duplicates: {} | ||
octal-values: | ||
forbid-implicit-octal: true |
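Review bot: without an `extends: default` line, yamllint enables only the rules named here (`quoted-strings`, `key-duplicates`, `octal-values`), so checks such as `document-start`, `truthy` and `line-length` are silently off. If the intent is that Prettier handles formatting, say so in a comment; otherwise add the `extends`. The `key-duplicates: {}` and `forbid-implicit-octal: true` entries are the security-relevant ones and worth keeping: a duplicated key is a classic way to slip a second value past a reviewer, since most loaders keep the last one without complaint, and an unquoted `0755` is read as octal 493 by a YAML 1.1 loader and as decimal 755 by others. The `extra-allowed: ["{|}"]` entry keeps quoted `${{ }}` expressions in workflow files from being flagged by `quoted-strings`.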
@@ -0,0 +1,35 @@ | ||
# This file controls the behavior of Trunk: https://docs.trunk.io/cli | ||
# To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml | ||
version: 0.1 | ||
cli: | ||
version: 1.22.3 | ||
# Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins) | ||
plugins: | ||
sources: | ||
- id: trunk | ||
ref: v1.6.2 | ||
uri: https://github.com/trunk-io/plugins | ||
# Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes) | ||
runtimes: | ||
enabled: | ||
- [email protected] | ||
- [email protected] | ||
- [email protected] | ||
# This is the section where you manage your linters. (https://docs.trunk.io/check/configuration) | ||
lint: | ||
enabled: | ||
- [email protected] | ||
- git-diff-check | ||
- [email protected] | ||
- [email protected] | ||
- [email protected] | ||
- [email protected] | ||
- [email protected] | ||
- [email protected] | ||
- [email protected] | ||
actions: | ||
enabled: | ||
- trunk-announce | ||
- trunk-check-pre-push | ||
- trunk-fmt-pre-commit | ||
- trunk-upgrade-available |
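Review bot: the plugin source is pinned to the git tag `ref: v1.6.2` of `https://github.com/trunk-io/plugins`, and every linter is pinned by version string; tags are mutable, so for a config that installs tooling on every developer's machine through the `trunk-fmt-pre-commit` and `trunk-check-pre-push` hooks, pin the plugin source to a commit hash if the `ref` field accepts one (check the Trunk docs), and treat bumps to it like any other dependency update. `git-diff-check` is the one entry without a version. On the positive side the selection covers the right ground for a Terraform repo: `checkov` for the infrastructure code, `trufflehog` for committed secrets, `shellcheck` and `shfmt` for scripts, and `actionlint` for the workflow added in this same commit.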
@@ -63,10 +63,10 @@ In order to deploy this project, you will need the following permissions in our | |
|
||
1. Clone the repo: | ||
|
||
```sh | ||
git clone https://github.com/mento-protocol/terraform-gcp-seed-project.git | ||
cd terraform-gcp-seed-project | ||
``` | ||
```sh | ||
git clone https://github.com/mento-protocol/terraform-gcp-seed-project.git | ||
cd terraform-gcp-seed-project | ||
``` | ||
|
||
1. Configure `terraform.tfvars` (this is like a `.env` for Terraform): | ||
|
||
|
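Review bot: whitespace-only change; the fenced `git clone` block is re-indented to sit under its list item, which is what Prettier does for code fences nested in lists. Worth a glance at the rendered README to confirm the fence still renders as part of step 1 and that the `1.` auto-numbering continues rather than restarting at the next item.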
@@ -93,9 +93,9 @@ In order to deploy this project, you will need the following permissions in our | |
|
||
1. Initialize Terraform: Initialize the Terraform working directory and install required providers | ||
|
||
```sh | ||
terraform init | ||
``` | ||
```sh | ||
terraform init | ||
``` | ||
|
||
## Deploying & Updating the Seed Project | ||
|
||
|
@@ -105,16 +105,19 @@ It's plain old Terraform, the process is: | |
1. Run `terraform plan` to see a dry run of the expected changes | ||
1. Run `terraform apply` to deploy the changes to Google Cloud | ||
<!-- markdownlint-disable-next-line MD036 --> | ||
<!-- markdownlint-disable MD036 --> | ||
**🚨 Be careful to not accidentally delete or otherwise change the terraform state bucket created by the bootstrap module as this houses state from all our GCP projects 🚨** | ||
<!-- markdownlint-enable MD036 --> | ||
## Service Account Impersonation | ||
Instead of having to figure out and manage individual permissions for everyone, Devs can just impersonate a shared service account and not suffer through any "works on my machine" problems locally. | ||
### The advantages of impersonation | ||
Impersonation does not require any service account keys to be generated or distributed (i.e. in form of `credentials.json` files). While Terraform does support the use of service account keys, generating and distributing those keys introduces some security risks that are minimized with impersonation. Instead of administrators creating, tracking, and rotating keys, the access to the service account is centralized to its corresponding IAM policy. By using impersonation, the code becomes portable and usable by anyone on the project with the Service Account Token Creator role, which can be easily granted and revoked by an administrator. | ||
Impersonation does not require any service account keys to be generated or distributed (i.e. in form of `credentials.json` files). While Terraform does support the use of service account keys, generating and distributing those keys introduces some security risks that are minimized with impersonation. Instead of administrators creating, tracking, and rotating keys, the access to the service account is centralized to its corresponding IAM policy. By using impersonation, the code becomes portable and usable by anyone on the project with the Service Account Token Creator role, which can be easily granted and revoked by an administrator. | ||
For more details about the SA impersonation approach see this blog post: [**"Using Google Cloud Service Account impersonation in your Terraform code"**](https://cloud.google.com/blog/topics/developers-practitioners/using-google-cloud-service-account-impersonation-your-terraform-code) | ||
|
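Review bot: replacing `markdownlint-disable-next-line MD036` with a `disable`/`enable` pair around the 🚨 warning is fine as long as the `enable` stays directly after it, which it does; the `disable-next-line` form presumably stopped matching once Prettier reflowed the surrounding lines. The two identical copies of the impersonation paragraph indicate a whitespace-only edit, so nothing to review there. The warning itself is the most important sentence in the README, and a bold line does not stop `terraform destroy`; consider backing it with a `prevent_destroy` lifecycle rule on the state bucket resource, or pointing readers at one if it already exists.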
@@ -124,30 +127,32 @@ There are two approaches. | |
1. Setting a local Env Var | ||
<!-- markdownlint-disable-next-line MD034 --> | ||
If you set the following env var in your local shell, all `terraform` commands will be executed with the service account's permissions (and not your own [email protected] gcloud user account). | ||
<!-- markdownlint-disable MD034 --> | ||
```sh | ||
# You can find the service account email via: | ||
# `terraform state show "module.bootstrap.google_service_account.org_terraform[0]" | grep email` | ||
export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=<terraform-service-account-email> | ||
``` | ||
If you set the following env var in your local shell, all `terraform` commands will be executed with the service account's permissions (and not your own <[email protected]> gcloud user account). | ||
<!-- markdownlint-enable MD034 --> | ||
|
||
It’s a quick and easy way to run Terraform as a service account, but you’ll have to remember to set that variable each time you restart your terminal session. | ||
```sh | ||
# You can find the service account email via: | ||
# `terraform state show "module.bootstrap.google_service_account.org_terraform[0]" | grep email` | ||
export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=<terraform-service-account-email> | ||
``` | ||
|
||
It’s a quick and easy way to run Terraform as a service account, but you’ll have to remember to set that variable each time you restart your terminal session. | ||
|
||
2. Provider Config | ||
|
||
Alternatively, you can add some extra configuration to your project's terraform files like: | ||
Alternatively, you can add some extra configuration to your project's terraform files like: | ||
```hcl | ||
provider "google" { | ||
project = YOUR_PROJECT_ID | ||
access_token = data.google_service_account_access_token.default.access_token | ||
request_timeout = "60s" | ||
} | ||
``` | ||
```hcl | ||
provider "google" { | ||
project = YOUR_PROJECT_ID | ||
access_token = data.google_service_account_access_token.default.access_token | ||
request_timeout = "60s" | ||
} | ||
``` | ||
There's a few other things to set, consult the following blog post for step-by-step instructions: [**"Using Google Cloud Service Account impersonation in your Terraform code"**](https://cloud.google.com/blog/topics/developers-practitioners/using-google-cloud-service-account-impersonation-your-terraform-code) | ||
There's a few other things to set, consult the following blog post for step-by-step instructions: [**"Using Google Cloud Service Account impersonation in your Terraform code"**](https://cloud.google.com/blog/topics/developers-practitioners/using-google-cloud-service-account-impersonation-your-terraform-code) | ||
### Using the shared Terraform State Bucket | ||
|
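Review bot: in the provider example, `project = YOUR_PROJECT_ID` is not a string: unquoted, HCL parses it as a reference to an object named `YOUR_PROJECT_ID` and `terraform validate` fails, so write it as `project = "your-project-id"` or `project = var.project_id`. The block also references `data.google_service_account_access_token.default` without showing that data source; it is the piece that actually performs the impersonation and deserves to appear next to the provider, since the sentence after the block only says "there's a few other things to set". For option 1, the `terraform state show ... | grep email` recipe presumes the reader can already read the shared state, which is circular for a first-time setup; `gcloud iam service-accounts list` works without state access. Finally, with the gcloud user address now wrapped in angle brackets, MD034 should no longer fire on that line, so the surrounding `markdownlint-disable`/`enable` pair is probably redundant; run the check with it removed to confirm.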