fix: Terraform locks constraint (#2012)

* added release github pipeline

* Static Analysis updated

* pr-title github action added

* used ubuntu-lastest as image

* added releaserc configuration

* updated release.yml pipeline

* try plugin cache

* try plugin cache

* try plugin cache

* try plugin cache

* try plugin cache

* try plugin cache

* try plugin cache

* try

* try

* try

* try

* try

* try temp runner

* try temp runner

* try temp runner

* try temp runner

* try terraform install

* try terraform install

* try terraform install

* try with docker env variables

* try with terraform only

* terraform locks updated

* try pre-commit with validate retry once

* terraform locks updated

* try pre-commit with cache folder

* terraform locks updated

* added read version of terraform

* locks file updated

* locks updated

* v1

* enable pre.commit features

* pre-commit fixs

* pre-commit update

* prividers fixed

* gps-common update locks

* docs: added new platform for pre-commits

* pre-commit added new platform linux_arm64 for locks

* changed terraform-utils to be single thread

* Terraform lock updates

* aca-app fix main versions

* pre-commit locks disable

* pre-commit fixs

* fix next-aks versions

* fix aca-common

* ghact: force terraform init

* pre-commit fixs

* updated terraform locks

.github/workflows/pr-title.yml

@@ -0,0 +1,52 @@
+name: "Validate PR title"
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+jobs:
+  main:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    steps:
+      # Please look up the latest version from
+      # https://github.com/amannn/action-semantic-pull-request/releases
+      - uses: amannn/action-semantic-pull-request@cfb60706e18bc85e8aec535e3c577abe8f70378e #v5.5.2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          # Configure which types are allowed.
+          # Default: https://github.com/commitizen/conventional-commit-types
+          types: |
+            fix
+            feat
+            docs
+            chore
+            breaking
+          # Configure that a scope must always be provided.
+          requireScope: false
+          # Configure additional validation for the subject based on a regex.
+          # This example ensures the subject starts with an uppercase character.
+          subjectPattern: ^.+$
+          # If `subjectPattern` is configured, you can use this property to override
+          # the default error message that is shown when the pattern doesn't match.
+          # The variables `subject` and `title` can be used within the message.
+          subjectPatternError: |
+            The subject "{subject}" found in the pull request title "{title}"
+            didn't match the configured pattern `^.+$/`. Please ensure that the subject
+            starts with an uppercase character.
+          # For work-in-progress PRs you can typically use draft pull requests
+          # from Github. However, private repositories on the free plan don't have
+          # this option and therefore this action allows you to opt-in to using the
+          # special "[WIP]" prefix to indicate this state. This will avoid the
+          # validation of the PR title and the pull request checks remain pending.
+          # Note that a second check will be reported if this is enabled.
+          wip: true
+          # When using "Squash and merge" on a PR with only one commit, GitHub
+          # will suggest using that commit message instead of the PR title for the
+          # merge commit, and it's easy to commit this by mistake. Enable this option
+          # to also validate the commit message for one commit PRs.
+          validateSingleCommit: false

.github/workflows/release.yml

@@ -0,0 +1,22 @@
+name: Release
+
+on:
+  # Trigger the workflow on push or pull request,
+  # but only for the main branch
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - "CODEOWNERS"
+      - "**.md"
+      - ".**"
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Release action
+        uses: pagopa/eng-github-actions-iac-template/global/release-action@457f7ae4b537ae395dd0ccac9df1c27bb472e953 # v1.13.1
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/static_analysis.yml

@@ -7,10 +7,10 @@ on:
 
 jobs:
   static_analysis:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
 
     steps:
       - name: Static Analysis
-        uses: pagopa/eng-github-actions-iac-template/azure/terraform-static-analysis@59c12b7a846423d62c27c9905686a7a1fd71c003 # v1.7.0
+        uses: pagopa/eng-github-actions-iac-template/azure/terraform-static-analysis@6b8192a09750c44dde5a9a8d9ed72648547071c5 # v1.14.1
         with:
-          precommit_version: 'v1.83.5@sha256:fed35dd9347aa3dd3e59a870dbc4500245dae26910d84065a6f66fe61afceaa8'
+          precommit_version: 'v1.89.1@sha256:1ea921bc4fe87651d41677218e537afdcdb8202e757e554b9866668eaba144c5'

.github/workflows/static_analysis_pr.yml

@@ -7,10 +7,104 @@ on:
 
 jobs:
   static_analysis:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
 
     steps:
-      - name: Static Analysis
-        uses: pagopa/eng-github-actions-iac-template/azure/terraform-static-analysis@59c12b7a846423d62c27c9905686a7a1fd71c003 # v1.7.0
-        with:
-          precommit_version: 'v1.83.5@sha256:fed35dd9347aa3dd3e59a870dbc4500245dae26910d84065a6f66fe61afceaa8'
+    - name: ⚡ Checkout code
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+    - name: 📖 Read current terraform version
+      run: |
+        VER=$(cat .terraform-version)
+        echo "TERRAFORM_VERSION=$VER" >> $GITHUB_ENV
+
+    - name: 🔨 Setup Terraform
+      # from https://github.com/hashicorp/setup-terraform/commits/main
+      uses: hashicorp/setup-terraform@97f030cf6dc0b4f5e0da352c7bca9cca34579800 #v3.1.0
+      with:
+        terraform_version: "${{ env.TERRAFORM_VERSION }}"
+
+    - name: 🏁 Init terraform folders
+      id: init_terraform_folders
+      shell: bash
+      run: |
+
+        echo -e "\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-"
+        echo    "+ 🔨 CREATE CACHE FOLDER         +"
+        echo -e "+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-\n"
+
+        export TF_PLUGIN_CACHE_DIR="/tmp/.terraform.d/plugin-cache"
+        mkdir -p ${TF_PLUGIN_CACHE_DIR}
+        ls -la ${TF_PLUGIN_CACHE_DIR}
+
+        echo "📢 Show space"
+        df -h
+        du -h ${TF_PLUGIN_CACHE_DIR}
+
+        echo -e "\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-"
+        echo    "+ 🏁 INIT TERRAFORM FOLDERS 🏁   +"
+        echo -e "+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-\n"
+
+        FOLDERS=$(grep -rl --include='*.tf' --exclude-dir='.terraform' '^' . | xargs -I{} dirname {} | sort -u)
+        echo "FOLDERS=${FOLDERS}"
+
+        pids=()
+
+        # TAG=$(cat .terraform-version)
+        # docker pull hashicorp/terraform:$TAG
+
+        for f in $FOLDERS; do
+          pushd "$(pwd)/${f}"
+            sed -i -e 's/  backend "azurerm" {}//g' 99_main.tf # use local backend
+            terraform init -upgrade &
+            pids+=($!)
+          popd
+
+        done
+
+        # Wait for each specific process to terminate.
+        # Instead of this loop, a single call to 'wait' would wait for all the jobs
+        # to terminate, but it would not give us their exit status.
+        #
+        for pid in "${pids[@]}"; do
+          #
+          # Waiting on a specific PID makes the wait command return with the exit
+          # status of that process. Because of the 'set -e' setting, any exit status
+          # other than zero causes the current shell to terminate with that exit
+          # status as well.
+          #
+          wait "$pid"
+        done
+
+        echo "📢 Show space 3"
+        df -h
+        ls -la /tmp/.terraform.d/plugin-cache
+        du -h -d 5 ${TF_PLUGIN_CACHE_DIR}
+
+    - name: Show precommit version
+      shell: bash
+      run: |
+        echo -e "\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+"
+        echo    "+ 1️⃣  SHOW PRECOMMIT VERSION 1️⃣  +"
+        echo -e "+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n"
+
+        TAG=v1.89.1
+        docker run --rm --entrypoint cat ghcr.io/antonbabenko/pre-commit-terraform:$TAG /usr/bin/tools_versions_info
+
+    - name: 🚨 Run precommit
+      id: run_precommit
+      shell: bash
+      run: |
+        echo -e "\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+"
+        echo    "+- 🚨 PRECOMMIT TERRAFORM 🚨 -+"
+        echo -e "+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n"
+
+        export TF_PLUGIN_CACHE_DIR="/tmp/.terraform.d/plugin-cache"
+
+        TAG=v1.89.1
+        docker run \
+          -v $(pwd):/lint \
+          -v /tmp/.terraform.d/plugin-cache:/tmp/.terraform.d/plugin-cache \
+          -w /lint \
+          ghcr.io/antonbabenko/pre-commit-terraform:$TAG \
+          run -a

.pre-commit-config.yaml

@@ -1,7 +1,7 @@
 repos:
   ## terraform
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.83.5
+    rev: v1.89.1
     hooks:
       - id: terraform_fmt
       - id: terraform_docs
@@ -10,15 +10,39 @@ repos:
           - --hook-config=--add-to-existing-file=true     # Boolean. true or false
           - --hook-config=--create-file-if-not-exist=true # Boolean. true or false
           - --args=--hide providers
-      # - id: terraform_tfsec
       - id: terraform_validate
         args:
           - --init-args=-lockfile=readonly
+          - --hook-config=--retry-once-with-cleanup=true
+          - --init-args=-plugin-dir=/tmp/.terraform.d/plugin-cache
           - --args=-json
           - --args=-no-color
+          - --args=-compact-warnings
       # - id: terraform_providers_lock
       #   args:
       #     - --args=-platform=windows_amd64
       #     - --args=-platform=darwin_amd64
       #     - --args=-platform=darwin_arm64
       #     - --args=-platform=linux_amd64
+      #     - --args=-platform=linux_arm64
+  ## general
+  # - repo: https://github.com/pre-commit/pre-commit-hooks
+  #   rev: v4.0.1
+  #   hooks:
+  #     # Common errors
+  #     - id: end-of-file-fixer
+  #       exclude_types: [sql]
+  #     - id: trailing-whitespace
+  #       args: [--markdown-linebreak-ext=md]
+  #       exclude_types: [sql]
+  #     - id: check-yaml
+  #     - id: check-executables-have-shebangs
+  #     # Cross platform
+  #     - id: check-case-conflict
+  #     - id: mixed-line-ending
+  #       args: [--fix=lf]
+  #       exclude_types: [sql]
+  #     # Security
+  #     - id: detect-aws-credentials
+  #       args: ['--allow-missing-credentials']
+  #     - id: detect-private-key

.releaserc.json

@@ -0,0 +1,13 @@
+{
+  "plugins": [
+    [
+      "@semantic-release/commit-analyzer",
+      {
+        "preset": "angular",
+        "releaseRules": [{ "type": "breaking", "release": "major" }]
+      }
+    ],
+    "@semantic-release/release-notes-generator",
+    "@semantic-release/github"
+  ]
+}

.utils/terraform_run_all.sh

@@ -15,13 +15,16 @@ pids=()
 ACTION="$1"
 
 array=(
+    'src/aks-leonardo::itn-dev'
     'src/aks-platform::weu-dev'
     'src/core::dev'
     'src/elk-monitoring::weu-dev'
     'src/grafana-monitoring::weu-dev'
+    'src/next-aks::weu-dev'
     'src/next-core::dev'
     'src/packer::dev'
-    'src/packer::dev'
+    'src/synthetic-monitoring::weu-dev'
+    'src/zabbix::dev'
     'src/domains/aca-app::weu-dev'
     'src/domains/aca-common::weu-dev'
     'src/domains/afm-app::weu-dev'
@@ -30,7 +33,7 @@ array=(
     'src/domains/apiconfig-common::weu-dev'
     'src/domains/bizevents-app::weu-dev'
     'src/domains/bizevents-common::weu-dev'
-    'src/domains/canoneunico::dev'
+    'src/domains/canoneunico::weu-dev'
     'src/domains/checkout-app::weu-dev'
     'src/domains/checkout-common::weu-dev'
     'src/domains/ecommerce-app::weu-dev'
@@ -47,7 +50,14 @@ array=(
     'src/domains/nodo-common::weu-dev'
     'src/domains/nodo-cron::weu-dev'
     'src/domains/nodo-secret::weu-dev'
+    'src/domains/nodo-switcher::weu-dev'
     'src/domains/observability::weu-dev'
+    'src/domains/pay-wallet-app::itn-dev'
+    'src/domains/pay-wallet-common::itn-dev'
+    'src/domains/printit-app::itn-dev'
+    'src/domains/printit-common::itn-dev'
+    'src/domains/printit-legacy::itn-dev'
+    'src/domains/printit-secrets::itn-dev'
     'src/domains/qi-app::weu-dev'
     'src/domains/qi-common::weu-dev'
     'src/domains/qi-secrets::weu-dev'
@@ -77,8 +87,8 @@ for index in "${array[@]}" ; do
         echo "$FOLDER - $COMMAND"
         echo "🔬 folder: $(pwd) in under terraform: $ACTION action"
 
-        sh terraform.sh "$ACTION" "$COMMAND" &
-        pids+=($!)
+        sh terraform.sh "$ACTION" "$COMMAND"
+        # pids+=($!)
     popd
 done
 
@@ -87,12 +97,12 @@ done
 # Instead of this loop, a single call to 'wait' would wait for all the jobs
 # to terminate, but it would not give us their exit status.
 #
-for pid in "${pids[@]}"; do
-  #
-  # Waiting on a specific PID makes the wait command return with the exit
-  # status of that process. Because of the 'set -e' setting, any exit status
-  # other than zero causes the current shell to terminate with that exit
-  # status as well.
-  #
-  wait "$pid"
-done
+# for pid in "${pids[@]}"; do
+#   #
+#   # Waiting on a specific PID makes the wait command return with the exit
+#   # status of that process. Because of the 'set -e' setting, any exit status
+#   # other than zero causes the current shell to terminate with that exit
+#   # status as well.
+#   #
+#   wait "$pid"
+# done

README.md

@@ -68,6 +68,7 @@ terraform providers lock \
   -platform=linux_arm64 \
   -platform=linux_amd64 \
   -platform=darwin_amd64 \
+  -platform=darwin_arm64 \
   -platform=windows_amd64
 ```