Merge branch 'main' into renovate/hashicorp-setup-terraform-3.x

Author: stefanwb

.github/workflows/workflow-synchronization.yaml

@@ -10,20 +10,53 @@ on:
 env:
   REPOSITORIES: |
     schubergphilis/terraform-aws-mcaf-account-baseline
+    schubergphilis/terraform-aws-mcaf-audit-logs
     schubergphilis/terraform-aws-mcaf-aurora
     schubergphilis/terraform-aws-mcaf-avm
+    schubergphilis/terraform-aws-mcaf-budget
+    schubergphilis/terraform-aws-mcaf-certificate
+    schubergphilis/terraform-aws-mcaf-clientvpn
+    schubergphilis/terraform-aws-mcaf-cost-and-usage-reports
+    schubergphilis/terraform-aws-mcaf-datadog
     schubergphilis/terraform-aws-mcaf-dynamodb
+    schubergphilis/terraform-aws-mcaf-ecr
+    schubergphilis/terraform-aws-mcaf-energy-labeler
+    schubergphilis/terraform-aws-mcaf-fargate
+    schubergphilis/terraform-aws-mcaf-gitlab-oidc
     schubergphilis/terraform-aws-mcaf-glue-connector
+    schubergphilis/terraform-aws-mcaf-glue-job
+    schubergphilis/terraform-aws-mcaf-ipam
+    schubergphilis/terraform-aws-mcaf-kms
     schubergphilis/terraform-aws-mcaf-lambda
     schubergphilis/terraform-aws-mcaf-landing-zone
+    schubergphilis/terraform-aws-mcaf-managed-grafana
     schubergphilis/terraform-aws-mcaf-network-firewall
+    schubergphilis/terraform-aws-mcaf-redshift
+    schubergphilis/terraform-aws-mcaf-resource-scheduler
+    schubergphilis/terraform-aws-mcaf-role
     schubergphilis/terraform-aws-mcaf-s3
+    schubergphilis/terraform-aws-mcaf-saas-audit-logs
     schubergphilis/terraform-aws-mcaf-securityhub-findings-manager
+    schubergphilis/terraform-aws-mcaf-service-quotas-manager
+    schubergphilis/terraform-aws-mcaf-ses
+    schubergphilis/terraform-aws-mcaf-ses-forwarder
     schubergphilis/terraform-aws-mcaf-transit-gateway
     schubergphilis/terraform-aws-mcaf-user
+    schubergphilis/terraform-aws-mcaf-vpc
+    schubergphilis/terraform-aws-mcaf-vpc-with-ipam
     schubergphilis/terraform-aws-mcaf-workspace
+    schubergphilis/terraform-azure-mcaf-key-vault
+    schubergphilis/terraform-azure-mcaf-naming
+    schubergphilis/terraform-azure-mcaf-network
+    schubergphilis/terraform-azure-mcaf-svm-csp
+    schubergphilis/terraform-azure-mcaf-svm-ea
+    schubergphilis/terraform-azure-mcaf-private-endpoints
+    schubergphilis/terraform-datadog-mcaf-monitor
     schubergphilis/terraform-github-mcaf-repository
+    schubergphilis/terraform-gitlab-mcaf-group
     schubergphilis/terraform-gitlab-mcaf-project
+    schubergphilis/terraform-opsgenie-mcaf-schedule
+    schubergphilis/terraform-tfe-mcaf-workspace
 
   WORKFLOW_FILES: |
     sync-root/.github/labels.yaml=.github/labels.yaml

sync-root/.github/labels.yaml

@@ -1,25 +1,28 @@
 ---
 - name: breaking
-  color: 'b60205'
+  color: "b60205"
   description: This change is not backwards compatible
 - name: bug
-  color: 'd93f0b'
+  color: "d93f0b"
   description: Something isn't working
 - name: documentation
-  color: '0075ca'
+  color: "0075ca"
   description: Improvements or additions to documentation
 - name: enhancement
-  color: '0e8a16'
+  color: "0e8a16"
   description: New feature or request
 - name: feature
-  color: '0e8a16'
+  color: "0e8a16"
   description: New feature or request
 - name: fix
-  color: 'd93f0b'
+  color: "d93f0b"
   description: Something isn't working
+- name: misc
+  color: "#6B93D3"
+  description: Miscellaneous task not covered by something else
 - name: no-changelog
-  color: 'cccccc'
+  color: "cccccc"
   description: No entry should be added to the release notes and changelog
 - name: security
-  color: '5319e7'
+  color: "5319e7"
   description: Solving a security issue

sync-root/.github/workflows/label-synchronization.yaml

@@ -1,5 +1,6 @@
 name: label-synchronization
 on:
+  workflow_dispatch:
   push:
     branches:
       - main
@@ -20,7 +21,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Synchronize labels
-        uses: crazy-max/ghaction-github-labeler@v4
+        uses: crazy-max/ghaction-github-labeler@v5
         with:
           dry-run: false
           github-token: ${{ secrets.GITHUB_TOKEN }}

sync-root/.github/workflows/pr-validation.yaml

@@ -16,7 +16,7 @@ jobs:
   autolabeler:
     runs-on: ubuntu-latest
     steps:
-      - uses: release-drafter/release-drafter@v5
+      - uses: release-drafter/release-drafter@v6
         with:
           config-name: release-drafter-config.yaml
         env:

sync-root/.github/workflows/release-drafter.yaml

@@ -20,7 +20,7 @@ jobs:
   draft:
     runs-on: ubuntu-latest
     steps:
-      - uses: release-drafter/release-drafter@v5
+      - uses: release-drafter/release-drafter@v6
         with:
           publish: false
           prerelease: false

sync-root/.github/workflows/terraform-validation.yaml

@@ -9,6 +9,7 @@ permissions:
 
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  TF_IN_AUTOMATION: 1
 
 jobs:
   fmt-lint-validate:
@@ -21,33 +22,43 @@ jobs:
         uses: hashicorp/setup-terraform@v3
 
       - name: Setup Terraform Linters
-        uses: terraform-linters/setup-tflint@v3
+        uses: terraform-linters/setup-tflint@v4
         with:
           github_token: ${{ github.token }}
 
       - name: Terraform Format
         id: fmt
         run: terraform fmt -check -recursive
 
-      - name: Terraform Init
-        id: init
+      - name: Terraform Lint
+        id: lint
         run: |
+          echo "Checking ."
+          tflint --format compact
+
           for d in examples/*/; do
-            terraform -chdir=$d init
+            echo "Checking ${d} ..."
+            tflint --chdir=$d --format compact
           done
 
       - name: Terraform Validate
         id: validate
+        if: ${{ !vars.SKIP_TERRAFORM_VALIDATE }}
         run: |
           for d in examples/*/; do
+            echo "Checking ${d} ..."
+            terraform -chdir=$d init
             terraform -chdir=$d validate -no-color
           done
         env:
           AWS_DEFAULT_REGION: eu-west-1
 
-      - name: Terraform Lint
-        id: lint
-        run: tflint --no-color --recursive --format compact
+      - name: Terraform Test
+        id: test
+        if: ${{ !vars.SKIP_TERRAFORM_TESTS }}
+        run: |
+          terraform init
+          terraform test
 
       - uses: actions/github-script@v6
         if: github.event_name == 'pull_request' || always()
@@ -103,7 +114,7 @@ jobs:
           ref: ${{ github.event.pull_request.head.ref }}
 
       - name: Render terraform docs inside the README.md and push changes back to PR branch
-        uses: terraform-docs/gh-actions@v1.0.0
+        uses: terraform-docs/gh-actions@v1.1.0
         with:
           args: --sort-by required
           git-commit-message: "docs(readme): update module usage"
@@ -139,19 +150,21 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Run Checkov
-        uses: bridgecrewio/checkov-action@v12.2467.0
+        uses: bridgecrewio/checkov-action@v12
         with:
           container_user: 1000
           directory: "/"
           download_external_modules: false
           framework: terraform
           output_format: sarif
           quiet: true
-          skip_check: "CKV_GIT_5,CKV_TF_1"
+          skip_check: "CKV_GIT_5,CKV_GLB_1,CKV_TF_1"
           soft_fail: false
+          skip_path: "examples/"
 
 ### SKIP REASON ###
 # Check | Description | Reason
 
 # CKV_GIT_5 | Ensure GitHub pull requests have at least 2 approvals | We strive for at least 1 approval
+# CKV_GLB_1 | Ensure at least two approving reviews are required to merge a GitLab MR | We strive for at least 1 approval
 # CKV_TF_1 | Ensure Terraform module sources use a commit hash | We think this check is too restrictive and that versioning should be preferred over commit hash

sync-root/.github/workflows/update-changelog.yaml

@@ -24,7 +24,7 @@ jobs:
           release-notes: ${{ github.event.release.body }}
 
       - name: Commit updated Changelog
-        uses: stefanzweifel/git-auto-commit-action@v4
+        uses: stefanzweifel/git-auto-commit-action@v5
         with:
           branch: ${{ github.event.repository.default_branch }}
           commit_message: "docs(changelog): update changelog"

sync-root/.pre-commit-config.yaml

@@ -2,7 +2,7 @@
 default_stages: [commit]
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v4.6.0
     hooks:
       - id: check-json
       - id: check-merge-conflict
@@ -14,17 +14,27 @@ repos:
         args:
           - --autofix
       - id: detect-aws-credentials
+        args:
+          - --allow-missing-credentials
       - id: detect-private-key
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.83.2
+    rev: v1.88.4
     hooks:
       - id: terraform_fmt
       - id: terraform_tflint
       - id: terraform_docs
       - id: terraform_validate
   - repo: https://github.com/bridgecrewio/checkov.git
-    rev: 2.3.34
+    rev: 3.2.60
     hooks:
       - id: checkov
         verbose: false
-        args: [--download-external-modules, "true", --quiet, --compact]
+        args:
+          - --download-external-modules
+          - "true"
+          - --quiet
+          - --compact
+          - --skip-check
+          - CKV_GIT_5,CKV_GLB_1,CKV_TF_1
+          - --skip-path
+          - examples/*