chore: added trunk for linter tooling

.github/workflows/ci.yaml

@@ -0,0 +1,19 @@
+name: Trunk Check
+on: [push]
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+permissions: read-all
+
+jobs:
+  trunk-check:
+    runs-on: ubuntu-latest
+    permissions:
+      checks: write # For trunk to post annotations
+      contents: read # For repo checkout
+    steps:
+      - uses: actions/checkout@v4
+      - uses: trunk-io/trunk-action@v1
+        with:
+          check-mode: all

.trunk/.gitignore

@@ -0,0 +1,9 @@
+*out
+*logs
+*actions
+*notifications
+*tools
+plugins
+user_trunk.yaml
+user.yaml
+tmp

.trunk/configs/.markdownlint.yaml

@@ -0,0 +1,2 @@
+# Prettier friendly markdownlint config (all formatting rules disabled)
+extends: markdownlint/style/prettier

.trunk/configs/.shellcheckrc

@@ -0,0 +1,7 @@
+enable=all
+source-path=SCRIPTDIR
+disable=SC2154
+
+# If you're having issues with shellcheck following source, disable the errors via:
+# disable=SC1090
+# disable=SC1091

.trunk/configs/.yamllint.yaml

@@ -0,0 +1,7 @@
+rules:
+  quoted-strings:
+    required: only-when-needed
+    extra-allowed: ["{|}"]
+  key-duplicates: {}
+  octal-values:
+    forbid-implicit-octal: true

.trunk/trunk.yaml

@@ -0,0 +1,35 @@
+# This file controls the behavior of Trunk: https://docs.trunk.io/cli
+# To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml
+version: 0.1
+cli:
+  version: 1.22.3
+# Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins)
+plugins:
+  sources:
+    - id: trunk
+      ref: v1.6.2
+      uri: https://github.com/trunk-io/plugins
+# Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
+runtimes:
+  enabled:
+    - [email protected]
+    - [email protected]
+    - [email protected]
+# This is the section where you manage your linters. (https://docs.trunk.io/check/configuration)
+lint:
+  enabled:
+    - [email protected]
+    - git-diff-check
+    - [email protected]
+    - [email protected]
+    - [email protected]
+    - [email protected]
+    - [email protected]
+    - [email protected]
+    - [email protected]
+actions:
+  enabled:
+    - trunk-announce
+    - trunk-check-pre-push
+    - trunk-fmt-pre-commit
+    - trunk-upgrade-available

README.md

@@ -63,10 +63,10 @@ In order to deploy this project, you will need the following permissions in our
 
 1. Clone the repo:
 
-    ```sh
-    git clone https://github.com/mento-protocol/terraform-gcp-seed-project.git
-    cd terraform-gcp-seed-project
-    ```
+   ```sh
+   git clone https://github.com/mento-protocol/terraform-gcp-seed-project.git
+   cd terraform-gcp-seed-project
+   ```
 
 1. Configure `terraform.tfvars` (this is like a `.env` for Terraform):
 
@@ -93,9 +93,9 @@ In order to deploy this project, you will need the following permissions in our
 
 1. Initialize Terraform: Initialize the Terraform working directory and install required providers
 
-    ```sh
-    terraform init
-    ```
+   ```sh
+   terraform init
+   ```
 
 ## Deploying & Updating the Seed Project
 
@@ -105,16 +105,19 @@ It's plain old Terraform, the process is:
 1. Run `terraform plan` to see a dry run of the expected changes
 1. Run `terraform apply` to deploy the changes to Google Cloud
 
-<!-- markdownlint-disable-next-line MD036 -->
+<!-- markdownlint-disable MD036 -->
+
 **🚨 Be careful to not accidentally delete or otherwise change the terraform state bucket created by the bootstrap module as this houses state from all our GCP projects 🚨**
 
+<!-- markdownlint-enable MD036 -->
+
 ## Service Account Impersonation
 
 Instead of having to figure out and manage individual permissions for everyone, Devs can just impersonate a shared service account and not suffer through any "works on my machine" problems locally.
 
 ### The advantages of impersonation
 
-Impersonation does not require any service account keys to be generated or distributed (i.e. in form of `credentials.json` files).  While Terraform does support the use of service account keys, generating and distributing those keys introduces some security risks that are minimized with impersonation.  Instead of administrators creating, tracking, and rotating keys, the access to the service account is centralized to its corresponding IAM policy.  By using impersonation, the code becomes portable and usable by anyone on the project with the Service Account Token Creator role, which can be easily granted and revoked by an administrator.
+Impersonation does not require any service account keys to be generated or distributed (i.e. in form of `credentials.json` files). While Terraform does support the use of service account keys, generating and distributing those keys introduces some security risks that are minimized with impersonation. Instead of administrators creating, tracking, and rotating keys, the access to the service account is centralized to its corresponding IAM policy. By using impersonation, the code becomes portable and usable by anyone on the project with the Service Account Token Creator role, which can be easily granted and revoked by an administrator.
 
 For more details about the SA impersonation approach see this blog post: [**"Using Google Cloud Service Account impersonation in your Terraform code"**](https://cloud.google.com/blog/topics/developers-practitioners/using-google-cloud-service-account-impersonation-your-terraform-code)
 
@@ -124,30 +127,32 @@ There are two approaches.
 
 1. Setting a local Env Var
 
-    <!-- markdownlint-disable-next-line MD034 -->
-    If you set the following env var in your local shell, all `terraform` commands will be executed with the service account's permissions (and not your own [email protected] gcloud user account).
+   <!-- markdownlint-disable MD034 -->
 
-    ```sh
-    # You can find the service account email via:
-    # `terraform state show "module.bootstrap.google_service_account.org_terraform[0]" | grep email`
-    export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=<terraform-service-account-email>
-    ```
+   If you set the following env var in your local shell, all `terraform` commands will be executed with the service account's permissions (and not your own <[email protected]> gcloud user account).
+   <!-- markdownlint-enable MD034 -->
 
-    It’s a quick and easy way to run Terraform as a service account, but you’ll have to remember to set that variable each time you restart your terminal session.
+   ```sh
+   # You can find the service account email via:
+   # `terraform state show "module.bootstrap.google_service_account.org_terraform[0]" | grep email`
+   export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=<terraform-service-account-email>
+   ```
+
+   It’s a quick and easy way to run Terraform as a service account, but you’ll have to remember to set that variable each time you restart your terminal session.
 
 2. Provider Config
 
-    Alternatively, you can add some extra configuration to your project's terraform files like:
+   Alternatively, you can add some extra configuration to your project's terraform files like:
 
-    ```hcl
-    provider "google" {
-        project          = YOUR_PROJECT_ID
-        access_token     = data.google_service_account_access_token.default.access_token
-        request_timeout  = "60s"
-    }
-    ```
+   ```hcl
+   provider "google" {
+       project          = YOUR_PROJECT_ID
+       access_token     = data.google_service_account_access_token.default.access_token
+       request_timeout  = "60s"
+   }
+   ```
 
-    There's a few other things to set, consult the following blog post for step-by-step instructions: [**"Using Google Cloud Service Account impersonation in your Terraform code"**](https://cloud.google.com/blog/topics/developers-practitioners/using-google-cloud-service-account-impersonation-your-terraform-code)
+   There's a few other things to set, consult the following blog post for step-by-step instructions: [**"Using Google Cloud Service Account impersonation in your Terraform code"**](https://cloud.google.com/blog/topics/developers-practitioners/using-google-cloud-service-account-impersonation-your-terraform-code)
 
 ### Using the shared Terraform State Bucket
 

main.tf

@@ -26,7 +26,7 @@ module "bootstrap" {
     "roles/resourcemanager.organizationAdmin"
   ]
   org_id               = var.org_id
-  project_prefix       = "mento-terraform"
+  project_prefix       = var.project_name
   random_suffix        = true
   sa_org_iam_permissions = [
     "roles/billing.user",
@@ -35,7 +35,6 @@ module "bootstrap" {
     "roles/iam.securityAdmin",
     "roles/iam.serviceAccountAdmin",
     "roles/logging.configWriter",
-    "roles/logging.logWriter",
     "roles/orgpolicy.policyAdmin",
     "roles/resourcemanager.folderAdmin",
     "roles/resourcemanager.organizationViewer",
@@ -45,4 +44,4 @@ module "bootstrap" {
   source               = "git::https://github.com/terraform-google-modules/terraform-google-bootstrap.git?ref=177e6be173eb8451155a133f7c6a591215130aab" # commit hash of v8.0.0
   tf_service_account_id = "org-terraform"
   tf_service_account_name = "CFT Organization Terraform Account"
-}
+}

set-project-vars.sh

@@ -4,26 +4,26 @@ set -o pipefail # Ensure piped commands propagate exit codes properly
 set -u          # Treat unset variables as an error when substituting
 
 check_gcloud_login() {
-    echo "🌀 Checking gcloud login..."
-    # Check if there's an active account
-    if ! gcloud auth list --filter=status:ACTIVE --format="value(account)" | grep -q .; then
-        echo "No active Google Cloud account found. Initiating login..."
-        gcloud auth login
-        echo "✅ Successfully logged in to gcloud"
-    else
-        echo "ℹ️  Already logged in to Google Cloud."
-    fi
-    printf "\n"
-
-    echo "🌀 Checking gcloud application-default credentials..."
-    if ! gcloud auth application-default print-access-token &>/dev/null; then
-        echo "No valid application-default credentials found. Initiating login..."
-        gcloud auth application-default login
-        echo "✅ Successfully logged in to gcloud"
-    else
-        echo "ℹ️  Already logged in with valid application-default credentials."
-    fi
-    printf "\n"
+	echo "🌀 Checking gcloud login..."
+	# Check if there's an active account
+	if ! gcloud auth list --filter=status:ACTIVE --format="value(account)" | grep -q .; then
+		echo "No active Google Cloud account found. Initiating login..."
+		gcloud auth login
+		echo "✅ Successfully logged in to gcloud"
+	else
+		echo "ℹ️  Already logged in to Google Cloud."
+	fi
+	printf "\n"
+
+	echo "🌀 Checking gcloud application-default credentials..."
+	if ! gcloud auth application-default print-access-token &>/dev/null; then
+		echo "No valid application-default credentials found. Initiating login..."
+		gcloud auth application-default login
+		echo "✅ Successfully logged in to gcloud"
+	else
+		echo "ℹ️  Already logged in with valid application-default credentials."
+	fi
+	printf "\n"
 }
 
 set_project_id() {
@@ -36,17 +36,17 @@ set_project_id() {
 	printf ' \033[1m%s\033[0m\n' "${project_id}"
 
 	# Set your local default project
-	echo "Setting your default project to \033[1m%s\033[0m...\n" "${project_id}"
+	printf "Setting your default project to \033[1m%s\033[0m...\n" "${project_id}"
 	gcloud config set project "${project_id}"
-    printf "\n"
+	printf "\n"
 
 	# Set the quota project to the governance-watchdog project, some gcloud commands require this to be set
-	echo "Setting the quota project to \033[1m%s\033[0m...\n" "${project_id}"
+	printf "Setting the quota project to \033[1m%s\033[0m...\n" "${project_id}"
 	gcloud auth application-default set-quota-project "${project_id}"
-    printf "\n"
+	printf "\n"
 
 	echo "✅ All Done!"
-    printf "\n"
+	printf "\n"
 }
 
 cache_file=".project_vars_cache"
@@ -108,15 +108,15 @@ invalidate_cache() {
 
 # Main script logic
 main() {
-    check_gcloud_login
+	check_gcloud_login
 
-    printf "Loading current local gcloud project ID: "
+	printf "Loading current local gcloud project ID: "
 	current_local_project_id=$(gcloud config get project)
-    printf ' \033[1m%s\033[0m\n' "${current_local_project_id}"
+	printf ' \033[1m%s\033[0m\n' "${current_local_project_id}"
 
-    printf "Comparing with project ID from terraform state: "
+	printf "Comparing with project ID from terraform state: "
 	current_tf_state_project_id=$(terraform state show module.bootstrap.module.seed_project.module.project-factory.google_project.main | grep project_id | awk '{print $3}' | tr -d '"')
-    printf ' \033[1m%s\033[0m\n' "${current_tf_state_project_id}"
+	printf ' \033[1m%s\033[0m\n' "${current_tf_state_project_id}"
 
 	if [[ ${current_local_project_id} != "${current_tf_state_project_id}" ]]; then
 		printf '️\n🚨 Your local gcloud is set to the wrong project: \033[1m%s\033[0m 🚨\n' "${current_local_project_id}"