feat: CICD and supporting docs

.github/CODEOWNERS

@@ -1 +1,2 @@
-* @willguibr @jmolnar-zscaler
+/.github/ @willguibr
+/.github/ @jmolnar-zscaler

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,50 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+## Describe the bug
+
+<!--- A clear and concise description of what is wrong -->
+<!--- Save the details for the next sections -->
+
+## Expected behavior
+
+<!--- Tell us what should happen, or how it should work -->
+
+## Current behavior
+
+<!--- Tell us what happens instead of the expected behavior -->
+
+## Possible solution
+
+<!--- Not obligatory, but suggest a fix/reason for the bug, -->
+<!--- or ideas how to implement the addition or change -->
+
+## Steps to reproduce
+
+<!--- Provide a link to a live example, or an unambiguous set of steps to -->
+<!--- reproduce this bug. Include code to reproduce, if relevant -->
+
+1.
+2.
+3.
+4.
+
+## Screenshots
+
+<!--- Drag any screenshots of the issue here or delete this section -->
+
+## Context
+
+<!--- How has this issue affected you? What are you trying to accomplish? -->
+<!--- Providing context helps us come up with a solution that is useful in the real world -->
+
+## Your Environment
+
+<!--- Include the output of `terraform version` and other relevant details about -->
+<!--- the environment you experienced the bug in -->

.github/workflows/ci.yml

@@ -0,0 +1,89 @@
+
+---
+name: CI/CD
+on:
+  push:
+    branches:
+      - master
+      - develop
+  pull_request:
+  schedule:
+    - cron: '0 0 1 * *'
+
+jobs:
+  pre-commit:
+    name: Verify the pre-commit framework was used properly by developers
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out source
+        uses: actions/checkout@v2
+
+      - name: Set up Python
+        uses: actions/setup-python@v2
+        with:
+          # Semantic version range syntax (like 3.x) or the exact Python version
+          python-version: '3.9.4'
+
+      - name: Run pre-commit framework as the developer should run it
+        run: sudo ./scripts/install.sh && sudo ./scripts/run.sh
+
+      - name: The `git diff` showing whether the pre-commit mandated extra changes to the repository files
+        if: failure()
+        run: git diff
+
+  validate:
+    name: Validate
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out source
+        uses: actions/checkout@v2
+
+      - name: Set up Terraform
+        uses: hashicorp/setup-terraform@v1
+        with:
+          terraform_version: 0.15.3
+
+      - name: terraform validate
+        env:
+          AWS_DEFAULT_REGION: us-west-2
+        run: |
+          cd "$GITHUB_WORKSPACE"
+          for dir in $(find modules examples -type d -not \( -name ".?*" \) -maxdepth 1 -mindepth 1);
+          do
+            if [[ "$dir" == "modules/transit_gateway_peering" ]];
+            then
+              echo "Skipping directory: $dir"
+              echo "Terraform does not support validating a module which uses an aliased provider (module-specific; validating an entire configuration works fine)."
+              continue
+            fi
+
+            echo "Processing directory: $dir"
+            cd "$GITHUB_WORKSPACE/$dir"
+            terraform init -backend=false
+            terraform validate
+          done
+
+  zscaler-iac-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Code Checkout
+        uses: actions/checkout@v2
+
+      - name : Zscaler IAC Scan
+        uses : ZscalerCWP/[email protected]
+        id: zscaler-iac-scan
+        with:
+          client_id : ${{ secrets.ZSCANNER_CLIENT_ID }}
+          client_secret : ${{ secrets.ZSCANNER_CLIENT_SECRET }}
+          region : 'US'
+          iac_dir : '../../'
+          iac_file : '../../'
+          output_format : 'human+github-sarif'
+          fail_build : 'false'
+      - name: Upload SARIF file
+        if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }}
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.zscaler-iac-scan.outputs.sarif_file_path }}

.github/workflows/release.yml

@@ -0,0 +1,37 @@
+name: Release
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+      - master
+    paths:
+      - '**/*.tpl'
+      - '**/*.py'
+      - '**/*.tf'
+      - '.github/workflows/release.yml'
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    # Skip running release workflow on forks
+    if: github.repository_owner == 'zscaler'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Release
+        uses: cycjimmy/semantic-release-action@v2
+        with:
+          semantic_version: 18.0.0
+          extra_plugins: |
+            @semantic-release/[email protected]
+            @semantic-release/[email protected]
+            [email protected]
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/stale.yml

@@ -0,0 +1,32 @@
+name: 'Mark or close stale issues and PRs'
+on:
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v4
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          # Staling issues and PR's
+          days-before-stale: 30
+          stale-issue-label: stale
+          stale-pr-label: stale
+          stale-issue-message: |
+            This issue has been automatically marked as stale because it has been open 30 days
+            with no activity. Remove stale label or comment or this issue will be closed in 10 days
+          stale-pr-message: |
+            This PR has been automatically marked as stale because it has been open 30 days
+            with no activity. Remove stale label or comment or this PR will be closed in 10 days
+          # Not stale if have this labels or part of milestone
+          exempt-issue-labels: bug,wip,on-hold
+          exempt-pr-labels: bug,wip,on-hold
+          exempt-all-milestones: true
+          # Close issue operations
+          # Label will be automatically removed if the issues are no longer closed nor locked.
+          days-before-close: 10
+          delete-branch: true
+          close-issue-message: This issue was automatically closed because of stale in 10 days
+          close-pr-message: This PR was automatically closed because of stale in 10 days

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.75.0
+    rev: v1.76.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate

.releaserc.json

@@ -0,0 +1,45 @@
+{
+  "branches": [
+    "main",
+    "master"
+  ],
+  "ci": false,
+  "plugins": [
+    [
+      "@semantic-release/commit-analyzer",
+      {
+        "preset": "conventionalcommits"
+      }
+    ],
+    [
+      "@semantic-release/release-notes-generator",
+      {
+        "preset": "conventionalcommits"
+      }
+    ],
+    [
+      "@semantic-release/github",
+      {
+        "successComment": "This ${issue.pull_request ? 'PR is included' : 'issue has been resolved'} in version ${nextRelease.version} :tada:",
+        "labels": false,
+        "releasedLabels": false
+      }
+    ],
+    [
+      "@semantic-release/changelog",
+      {
+        "changelogFile": "CHANGELOG.md",
+        "changelogTitle": "# Changelog\n\nAll notable changes to this project will be documented in this file."
+      }
+    ],
+    [
+      "@semantic-release/git",
+      {
+        "assets": [
+          "CHANGELOG.md"
+        ],
+        "message": "chore(release): version ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
+      }
+    ]
+  ]
+}

SUPPORT.md

@@ -0,0 +1,15 @@
+# Community Supported
+
+The software and templates in this repo are released under an AS-IS, best effort,
+support policy. This software should be seen as community supported and Zscaler
+will contribute our expertise as and when possible. We do not
+provide technical support or help in using or troubleshooting the components of
+the project through our normal support options such as Zscaler support teams,
+or ASC (Authorized Support Centers) partners and backline
+support options. The underlying product used (the Zscaler App Connector VM Appliances)
+by the scripts or templates are still supported, but the support is only for the product
+functionality and not for help in deploying or using the template or script
+itself. Unless explicitly tagged, all projects or work posted in our GitHub
+repository (at https://github.com/zscaler) or sites other than our
+official support page on https://help.zscaler.com/login-tickets are provided
+under the best effort policy.

docs/contributing.md

@@ -0,0 +1,48 @@
+# Contributing
+
+Contributions are welcome, and they are greatly appreciated! Every little bit helps,
+and credit will always be given.
+
+## Coding Standards
+
+Please follow the [Terraform conventions](terraform-conventions.md) for the project.
+
+## Publish a new release (for maintainers)
+
+### Test the release process
+
+Testing the workflow requires node, npm, and semantic-release to be installed locally:
+
+```
+$ npm install -g semantic-release@^17.1.1 @semantic-release/git@^9.0.0 @semantic-release/exec@^5.0.0 conventional-changelog-conventionalcommits@^4.4.0
+```
+
+Run `semantic-release` on develop:
+
+```
+semantic-release --dry-run --no-ci --branches=develop
+```
+
+Verify in the output that the next version is set correctly, and the release notes are generated correctly.
+
+### Merge develop to master and push
+
+```
+git checkout master
+git merge develop
+git push origin master
+```
+
+At this point, GitHub Actions builds and tags the release.
+
+### Merge master to develop and push
+
+Now, sync develop to master to add any commits made by the release bot.
+
+```
+git fetch --all --tags
+git pull origin master
+git checkout develop
+git merge master
+git push origin develop
+```

scripts/install.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/bash
+
+# install.sh - prepare the dependencies for the run.sh
+# 
+# It only handles installing from scratch and will probably fail on a subsequent run.
+# It overuses the &&, &, and backslash line continuation so it could be easily converted
+# into a Dockerfile, just by adding `RUN` directives (and `COPY requirements.txt .`).
+
+set -euo pipefail
+
+cd "$(dirname $0)"
+
+curl -sL https://github.com/terraform-docs/terraform-docs/releases/download/v0.15.0/terraform-docs-v0.15.0-linux-amd64.tar.gz > terraform-docs.tar.gz    & \
+curl -sL https://github.com/tfsec/tfsec/releases/download/v0.34.0/tfsec-linux-amd64 > tfsec    & \
+curl -sL https://github.com/terraform-linters/tflint/releases/download/v0.29.0/tflint_linux_amd64.zip > tflint.zip & \
+wait
+echo Finished successfully all parallel downloads ------------------------------------------------------------------
+
+tar zxf terraform-docs.tar.gz
+rm terraform-docs.tar.gz
+mv terraform-docs /usr/local/bin/
+
+chmod +x tfsec
+mv tfsec /usr/local/bin/
+
+unzip tflint.zip
+rm tflint.zip
+mv tflint /usr/local/bin/
+
+git --version
+terraform-docs --version
+tfsec --version
+tflint --version
+terraform version
+
+echo "Also, the newest release: $(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases/latest | grep -o -E "https://.+?-linux-amd64")"
+echo "Also, the newest release: $(curl -s https://api.github.com/repos/tfsec/tfsec/releases/latest | grep -o -E "https://.+?tfsec-linux-amd64")"
+echo "Also, the newest release: $(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")"
+
+python3 -m pip install -r requirements.txt