Rework github actions

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @letur

.github/dependabot.yaml

@@ -0,0 +1,12 @@
+---
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "terraform"  # See documentation for possible values
+    directory: "/"  # Location of package manifests
+    schedule:
+      interval: "weekly"

.github/workflows/ci.yaml

@@ -0,0 +1,41 @@
+name: Continuous Integration
+
+on:
+  pull_request:
+    branches:
+      - main
+    types: [opened, synchronize, reopened]
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/antonbabenko/pre-commit-terraform:latest
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - run: |
+          git config --global --add safe.directory $GITHUB_WORKSPACE
+          git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/*
+
+      - name: fix tar dependency in alpine container image
+        run: |
+          apk --no-cache add tar
+          # check python modules installed versions
+          python -m pip freeze --local
+
+      - name: Cache pre-commit since we use pre-commit from container
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/pre-commit
+          key: pre-commit-3|${{ hashFiles('.pre-commit-config.yaml') }}
+
+      - name: Execute pre-commit
+        run: |
+          pre-commit run --color=always --show-diff-on-failure --all-files

.pre-commit-config.yaml

@@ -0,0 +1,11 @@
+repos:
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.97.3
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_docs
+      - id: terraform_validate
+      - id: terraform_tflint
+      - id: terraform_trivy
+        args:
+          - --args=--ignorefile=__GIT_WORKING_DIR__/.trivyignore

.trivyignore

@@ -0,0 +1,2 @@
+# Storage account must be publicly accessible for public github runner to access it
+AVD-AZU-0012 azurerm_storage_account.this

README.md

@@ -36,15 +36,17 @@ terraform apply
 
 | Name | Version |
 |------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~>1.10 |
 | <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~>4.18 |
 | <a name="requirement_github"></a> [github](#requirement\_github) | ~> 5.36 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.6 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | ~>4.18 |
-| <a name="provider_random"></a> [random](#provider\_random) | n/a |
+| <a name="provider_random"></a> [random](#provider\_random) | ~> 3.6 |
 
 ## Modules
 

modules/azure/avm.storage_account.tf

@@ -15,7 +15,7 @@ module "storage" {
 
   network_rules = {
     default_action = "Allow"
-    bypass = [ "AzureServices" ]
+    bypass         = ["AzureServices"]
   }
 
   managed_identities = {

modules/azure/outputs.tf

@@ -1,5 +1,5 @@
 output "backend_azure_resource_group_name" {
-  value = module.resource_group_state.name 
+  value = module.resource_group_state.name
 }
 
 output "backend_azure_storage_account_name" {

modules/azure/terraform.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = "~>1.10"
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~>4.18"
+    }
+  }
+}

modules/github/locals.tf

@@ -10,9 +10,7 @@ locals {
 locals {
   org_plan = data.github_organization.this.plan
 
-  free_plan       = "free"
-  team_plan       = "team"
-  enterprise_plan = "enterprise"
+  free_plan = "free"
 }
 
 locals {

modules/github/repository.tf

@@ -35,7 +35,7 @@ resource "github_repository_file" "this" {
 }
 
 resource "github_branch_protection" "this" {
-  count      = local.activated_features.deployment_protection_rule ? 1 : 0
+  count = local.activated_features.deployment_protection_rule ? 1 : 0
 
   repository_id                   = local.repository_name
   pattern                         = "main"

modules/github/terraform.tf

@@ -1,4 +1,5 @@
 terraform {
+  required_version = "~>1.10"
   required_providers {
     github = {
       source  = "integrations/github"

modules/resource_names/providers.tf

@@ -1,4 +1,5 @@
 terraform {
+  required_version = "~>1.10"
   required_providers {
     random = {
       source  = "hashicorp/random"

terraform.tf

@@ -1,4 +1,5 @@
 terraform {
+  required_version = "~>1.10"
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
@@ -8,6 +9,10 @@ terraform {
       source  = "integrations/github"
       version = "~> 5.36"
     }
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.6"
+    }
   }
 }