Merge pull request #8 from remerge/CORE-15-update-template

Update template
remerge · Jul 27, 2023 · 93c2937 · 93c2937
2 parents 0f679fa + 85a3c1c
commit 93c2937
Show file tree

Hide file tree

Showing 15 changed files with 645 additions and 755 deletions.
diff --git a/.checkov.yml b/.checkov.yml
@@ -0,0 +1,31 @@
+---
+quiet: true
+compact: false
+
+skip-check:
+  # https://github.com/bridgecrewio/checkov/issues/5286
+  - CKV_TF_1
+  # do not enforce Customer Supplied Encryption Keys (CSEK)
+  - CKV_GCP_37
+  - CKV_GCP_38
+  - CKV_GCP_80
+  - CKV_GCP_81
+  - CKV_GCP_83
+  - CKV_GCP_84
+  - CKV_GCP_85
+  - CKV_GCP_90
+  - CKV_GCP_91
+  - CKV_GCP_93
+  # do not enforce vpc flow logs
+  - CKV_GCP_26
+  - CKV_GCP_61
+  # restricted default service account is ok
+  - CKV_GCP_30
+  # do not enforce bucket access log
+  - CKV_GCP_62
+  # do not enforce bucket object versioning
+  - CKV_GCP_78
+  # we want serial port console access
+  - CKV_GCP_35
+  # base64 high entropy check causes too many false positives
+  - CKV_SECRET_6
diff --git a/.copier-answers.yml b/.copier-answers.yml
@@ -1,23 +1,10 @@
 ---
 # Changes here will be overwritten by Copier
-_commit: v1.12.2
+_commit: v2.0.1
 _src_path: gh:remerge/template
-deploy_branch: production
-google_cloud_gke_master_subnet: None
-google_cloud_project: ansible-role-zfs-[random_id]
-google_cloud_region: europe-west4
-google_cloud_zone: europe-west4-a
-project_description: Install and configure ZFS kernel modules and pools with Ansible.
 project_id: ansible-role-zfs
 project_license: apache-2.0
 project_name: Ansible Role for ZFS
-project_owner: sre
+project_owner: core
 project_type: ansible-role
-use_ansible: false
-use_docker: false
-use_golang: false
-use_google_cloud_compute: false
-use_google_cloud_gke: false
 use_python: true
-use_terraform: false
-use_terraform_google: false
diff --git a/.envrc b/.envrc
@@ -15,9 +15,6 @@ dotenv_if_exists
 # Add local scripts to PATH
 PATH_add "${PWD}/bin"
 
-# Use company 1Password account
-export OP_ACCOUNT=remerge.1password.com
-
 # Disable macOS fork safety for Python compatibility
 # https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#running-on-macos
 export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
@@ -29,7 +26,13 @@ if [[ -e /opt/homebrew/opt/libssh ]]; then
 fi
 
 # Load poetry virtual env
-export POETRY_ACTIVE=1 && poetry run true
-# shellcheck disable=SC2155
-export VIRTUAL_ENV="$(poetry env info --path)"
+if [[ ! -d "${PWD}/.venv" ]]; then
+    ln -nfs "$(poetry run poetry env info -p)" "${PWD}/.venv"
+fi
+
+export POETRY_ACTIVE=1
+export VIRTUAL_ENV="${PWD}/.venv"
 PATH_add "${VIRTUAL_ENV}/bin"
+
+# shellcheck disable=SC2155
+export PYTHON_SITE_DIR=$(echo "${VIRTUAL_ENV}"/lib/*/site-packages)
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1,6 +1,2 @@
 # By default all files are owned by the project owner
-* @remerge/sre
-
-# Terraform code is owned by the SRE team for required reviews
-*.tf @remerge/sre
-*.tfvars @remerge/sre
+* @remerge/core
diff --git a/.gitignore b/.gitignore
@@ -142,7 +142,7 @@ secring.*
 .LSOverride
 
 # Icon must end with two \r
-Icon
+Icon
 
 # Thumbnails
 ._*
@@ -505,8 +505,8 @@ crash.log
 crash.*.log
 
 # Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version
-# control as they are data points which are potentially sensitive and subject
+# password, private keys, and other secrets. These should not be part of version 
+# control as they are data points which are potentially sensitive and subject 
 # to change depending on the environment.
 *.tfvars
 *.tfvars.json
@@ -554,8 +554,22 @@ go.work
 
 # Custom ignores for Go projects
 .build/
+.tools/
 cache/
 
 # Ignore SSH keys
 id_*
 *.key
+
+# Ignore Terraform lock and cache from submodules
+*/**/.terraform
+*/**/.terraform.lock.hcl
+
+# Allow all .tfvars files even though the default gitignore file for Terraform
+# excludes these. These files should normally not be part of version control as
+# they are likely to contain sensitive data, such as password, private keys, and
+# other secrets. However, we provide all sensitive variables to Terraform
+# through Terraform Cloud and only use .tfvars files for non-sensitive variables
+# only.
+!*.tfvars
+!*.tfvars.json

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -29,24 +29,25 @@ repos:
       - id: fix-byte-order-marker
       - id: forbid-submodules
       - id: trailing-whitespace
+        exclude: "^.gitignore$"
 
   # https://github.com/pre-commit/mirrors-prettier/tags
   - repo: https://github.com/pre-commit/mirrors-prettier
-    rev: "v2.7.1"
+    rev: "v3.0.0"
     hooks:
       - id: prettier
         exclude: "^project/"
 
   # https://github.com/igorshubovych/markdownlint-cli/tags
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: "v0.33.0"
+    rev: "v0.35.0"
     hooks:
       - id: markdownlint-fix
         name: markdownlint
 
   # https://github.com/adrienverge/yamllint/tags
   - repo: https://github.com/adrienverge/yamllint
-    rev: "v1.31.0"
+    rev: "v1.32.0"
     hooks:
       - id: yamllint
         entry: yamllint --strict
@@ -66,14 +67,14 @@ repos:
 
   # https://github.com/rhysd/actionlint/tags
   - repo: https://github.com/rhysd/actionlint
-    rev: "v1.6.24"
+    rev: "v1.6.25"
     hooks:
       - id: actionlint-docker
         name: actionlint
 
   # https://github.com/ansible/ansible-lint/tags
   - repo: https://github.com/ansible/ansible-lint
-    rev: "v6.15.0"
+    rev: "v6.17.2"
     hooks:
       - id: ansible-lint
         name: ansible-lint
@@ -95,7 +96,7 @@ repos:
 
   # https://github.com/bridgecrewio/checkov/tags
   - repo: https://github.com/bridgecrewio/checkov
-    rev: "2.3.224"
+    rev: "2.3.340"
     hooks:
       - id: checkov
         name: checkov

diff --git a/.prettierignore b/.prettierignore
@@ -1,5 +1,2 @@
 # auto generated
 .copier-answers.yml
-
-# Dell server configuration profiles
-playbooks/files/*.rmge.net.json
diff --git a/.vscode/extensions.json b/.vscode/extensions.json
@@ -1,5 +1,6 @@
 {
   "recommendations": [
+    "redhat.ansible",
     "ms-python.autopep8",
     "ms-python.black-formatter",
     "ms-python.flake8",
@@ -10,13 +11,13 @@
     "ms-toolsai.jupyter",
     "aaron-bond.better-comments",
     "bierner.markdown-emoji",
-    "bungcip.better-toml",
     "DavidAnson.vscode-markdownlint",
     "DotJoshJohnson.xml",
     "eamodio.gitlens",
     "esbenp.prettier-vscode",
     "github.vscode-github-actions",
     "GitHub.vscode-pull-request-github",
+    "jasonnutter.vscode-codeowners",
     "mkhl.direnv",
     "mkhl.shfmt",
     "ms-azuretools.vscode-docker",
@@ -25,6 +26,7 @@
     "redhat.vscode-yaml",
     "samuelcolvin.jinjahtml",
     "sharat.vscode-brewfile",
+    "tamasfe.even-better-toml",
     "timonwong.shellcheck",
     "wholroyd.jinja",
     "yzhang.markdown-all-in-one"

diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -7,6 +7,8 @@
     "editor.formatOnSaveMode": "file",
     "editor.defaultFormatter": "ms-python.python"
   },
+  "python.defaultInterpreterPath": ".venv/bin/python",
+  "ansible.python.interpreterPath": ".venv/bin/python",
   "[json]": {
     "editor.defaultFormatter": "esbenp.prettier-vscode"
   },

diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md