feat: Integrate Commitizen for standardized commit messages, update pre-commit hooks, and enhance CI workflows with new Terraform plan jobs for nonprod, prod, root, and sandbox environments. Update required Terraform version to 1.14.0 across modules and workspaces.

Arnel Jan Sarmiento · Arnel Jan Sarmiento · commit f5c072ffe844 · 2026-04-11T16:40:23.000+08:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -7,7 +7,7 @@ on:
     branches: [main]
 
 env:
-  TF_VERSION: "~1.11"
+  TF_VERSION: "1.14.8"
 
 jobs:
   fmt:
@@ -58,92 +58,3 @@ jobs:
       - uses: gitleaks/gitleaks-action@v2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-  # Detect which workspaces have changed — used to gate plan jobs on PRs only
-  changes:
-    name: Detect changes
-    runs-on: ubuntu-latest
-    if: github.event_name == 'pull_request'
-    outputs:
-      root: ${{ steps.filter.outputs.root }}
-      prod: ${{ steps.filter.outputs.prod }}
-      nonprod: ${{ steps.filter.outputs.nonprod }}
-      sandbox: ${{ steps.filter.outputs.sandbox }}
-    steps:
-      - uses: actions/checkout@v4
-      - uses: dorny/paths-filter@v3
-        id: filter
-        with:
-          filters: |
-            root:
-              - 'workspaces/root/**'
-              - 'modules/**'
-            prod:
-              - 'workspaces/prod/**'
-              - 'modules/**'
-            nonprod:
-              - 'workspaces/nonprod/**'
-              - 'modules/**'
-            sandbox:
-              - 'workspaces/sandbox/**'
-              - 'modules/**'
-
-  plan-root:
-    name: Plan (root)
-    runs-on: ubuntu-latest
-    needs: changes
-    if: needs.changes.outputs.root == 'true'
-    env:
-      TF_TOKEN_app_terraform_io: ${{ secrets.TF_API_TOKEN }}
-    steps:
-      - uses: actions/checkout@v4
-      - uses: hashicorp/setup-terraform@v3
-        with:
-          terraform_version: ${{ env.TF_VERSION }}
-      - run: terraform -chdir=workspaces/root init
-      - run: terraform -chdir=workspaces/root plan -no-color
-
-  plan-prod:
-    name: Plan (prod)
-    runs-on: ubuntu-latest
-    needs: changes
-    if: needs.changes.outputs.prod == 'true'
-    env:
-      TF_TOKEN_app_terraform_io: ${{ secrets.TF_API_TOKEN }}
-    steps:
-      - uses: actions/checkout@v4
-      - uses: hashicorp/setup-terraform@v3
-        with:
-          terraform_version: ${{ env.TF_VERSION }}
-      - run: terraform -chdir=workspaces/prod init
-      - run: terraform -chdir=workspaces/prod plan -no-color
-
-  plan-nonprod:
-    name: Plan (nonprod)
-    runs-on: ubuntu-latest
-    needs: changes
-    if: needs.changes.outputs.nonprod == 'true'
-    env:
-      TF_TOKEN_app_terraform_io: ${{ secrets.TF_API_TOKEN }}
-    steps:
-      - uses: actions/checkout@v4
-      - uses: hashicorp/setup-terraform@v3
-        with:
-          terraform_version: ${{ env.TF_VERSION }}
-      - run: terraform -chdir=workspaces/nonprod init
-      - run: terraform -chdir=workspaces/nonprod plan -no-color
-
-  plan-sandbox:
-    name: Plan (sandbox)
-    runs-on: ubuntu-latest
-    needs: changes
-    if: needs.changes.outputs.sandbox == 'true'
-    env:
-      TF_TOKEN_app_terraform_io: ${{ secrets.TF_API_TOKEN }}
-    steps:
-      - uses: actions/checkout@v4
-      - uses: hashicorp/setup-terraform@v3
-        with:
-          terraform_version: ${{ env.TF_VERSION }}
-      - run: terraform -chdir=workspaces/sandbox init
-      - run: terraform -chdir=workspaces/sandbox plan -no-color
diff --git a/.github/workflows/plan-nonprod.yml b/.github/workflows/plan-nonprod.yml
@@ -0,0 +1,25 @@
+name: Plan (nonprod)
+
+on:
+  pull_request:
+    branches: [main]
+    paths:
+      - "workspaces/nonprod/**"
+      - "modules/**"
+
+env:
+  TF_VERSION: "1.14.8"
+
+jobs:
+  plan:
+    name: Plan (nonprod)
+    runs-on: ubuntu-latest
+    env:
+      TF_TOKEN_app_terraform_io: ${{ secrets.TF_API_TOKEN }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TF_VERSION }}
+      - run: terraform -chdir=workspaces/nonprod init
+      - run: terraform -chdir=workspaces/nonprod plan -no-color
diff --git a/.github/workflows/plan-prod.yml b/.github/workflows/plan-prod.yml
@@ -0,0 +1,25 @@
+name: Plan (prod)
+
+on:
+  pull_request:
+    branches: [main]
+    paths:
+      - "workspaces/prod/**"
+      - "modules/**"
+
+env:
+  TF_VERSION: "1.14.8"
+
+jobs:
+  plan:
+    name: Plan (prod)
+    runs-on: ubuntu-latest
+    env:
+      TF_TOKEN_app_terraform_io: ${{ secrets.TF_API_TOKEN }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TF_VERSION }}
+      - run: terraform -chdir=workspaces/prod init
+      - run: terraform -chdir=workspaces/prod plan -no-color
diff --git a/.github/workflows/plan-root.yml b/.github/workflows/plan-root.yml
@@ -0,0 +1,25 @@
+name: Plan (root)
+
+on:
+  pull_request:
+    branches: [main]
+    paths:
+      - "workspaces/root/**"
+      - "modules/**"
+
+env:
+  TF_VERSION: "1.14.8"
+
+jobs:
+  plan:
+    name: Plan (root)
+    runs-on: ubuntu-latest
+    env:
+      TF_TOKEN_app_terraform_io: ${{ secrets.TF_API_TOKEN }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TF_VERSION }}
+      - run: terraform -chdir=workspaces/root init
+      - run: terraform -chdir=workspaces/root plan -no-color
diff --git a/.github/workflows/plan-sandbox.yml b/.github/workflows/plan-sandbox.yml
@@ -0,0 +1,25 @@
+name: Plan (sandbox)
+
+on:
+  pull_request:
+    branches: [main]
+    paths:
+      - "workspaces/sandbox/**"
+      - "modules/**"
+
+env:
+  TF_VERSION: "1.14.8"
+
+jobs:
+  plan:
+    name: Plan (sandbox)
+    runs-on: ubuntu-latest
+    env:
+      TF_TOKEN_app_terraform_io: ${{ secrets.TF_API_TOKEN }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TF_VERSION }}
+      - run: terraform -chdir=workspaces/sandbox init
+      - run: terraform -chdir=workspaces/sandbox plan -no-color
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -16,6 +16,12 @@ repos:
       args: [--allow-missing-credentials]
     - id: detect-private-key
 
+- repo: https://github.com/commitizen-tools/commitizen
+  rev: v4.6.0
+  hooks:
+    - id: commitizen
+      stages: [commit-msg]
+
 - repo: https://github.com/gitleaks/gitleaks
   rev: v8.24.3
   hooks:
diff --git a/Justfile b/Justfile
@@ -3,6 +3,7 @@ workspaces := `ls -d workspaces/*/ | xargs -n1 basename | tr '\n' ' '`
 # Install pre-commit hooks into git
 install-hooks:
   pre-commit install
+  pre-commit install --hook-type commit-msg
 
 # Run pre-commit hooks on all files
 pre-commit:
diff --git a/modules/aws/budget/main.tf b/modules/aws/budget/main.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.11.3"
+  required_version = ">= 1.14.0"
   required_providers {
     aws = {
       source  = "hashicorp/aws"
diff --git a/pyproject.toml b/pyproject.toml
@@ -0,0 +1,5 @@
+[tool.commitizen]
+name = "cz_conventional_commits"
+tag_format = "v$version"
+version_scheme = "semver"
+update_changelog_on_bump = false
diff --git a/workspaces/nonprod/backend.tf b/workspaces/nonprod/backend.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.11.3"
+  required_version = ">= 1.14.0"
 
   required_providers {
     aws = {
diff --git a/workspaces/prod/backend.tf b/workspaces/prod/backend.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.11.3"
+  required_version = ">= 1.14.0"
 
   required_providers {
     aws = {
diff --git a/workspaces/prod/gcp-project/main.tf b/workspaces/prod/gcp-project/main.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.11.3"
+  required_version = ">= 1.14.0"
   required_providers {
     google = {
       source  = "hashicorp/google"
diff --git a/workspaces/root/backend.tf b/workspaces/root/backend.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.11.3"
+  required_version = ">= 1.14.0"
 
   required_providers {
     aws = {
diff --git a/workspaces/root/cdn/main.tf b/workspaces/root/cdn/main.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.11.3"
+  required_version = ">= 1.14.0"
   required_providers {
     aws = {
       source                = "hashicorp/aws"
@@ -49,6 +49,7 @@ resource "aws_acm_certificate_validation" "cdn" {
   validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn]
 }
 
+# trivy:ignore:aws-0132 -- CDN origin serves public static assets; SSE-S3 is sufficient
 resource "aws_s3_bucket" "cdn" {
   bucket = var.domain_name
   tags   = merge(var.tags, { Name = "CDN" })
@@ -65,9 +66,9 @@ resource "aws_s3_bucket_ownership_controls" "cdn" {
 resource "aws_s3_bucket_public_access_block" "cdn" {
   bucket                  = aws_s3_bucket.cdn.id
   block_public_acls       = true
-  block_public_policy     = false
+  block_public_policy     = true
   ignore_public_acls      = true
-  restrict_public_buckets = false
+  restrict_public_buckets = true
 }
 
 resource "aws_cloudfront_origin_access_control" "oac" {
@@ -78,6 +79,7 @@ resource "aws_cloudfront_origin_access_control" "oac" {
   signing_protocol                  = "sigv4"
 }
 
+# trivy:ignore:aws-0011 -- WAF not required for a static asset CDN
 resource "aws_cloudfront_distribution" "cdn" {
   enabled             = true
   is_ipv6_enabled     = true
diff --git a/workspaces/root/connections/main.tf b/workspaces/root/connections/main.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.11.3"
+  required_version = ">= 1.14.0"
   required_providers {
     aws = {
       source  = "hashicorp/aws"
diff --git a/workspaces/root/github-oidc/main.tf b/workspaces/root/github-oidc/main.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.11.3"
+  required_version = ">= 1.14.0"
   required_providers {
     aws = {
       source  = "hashicorp/aws"
diff --git a/workspaces/root/terraform-state/main.tf b/workspaces/root/terraform-state/main.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.11.3"
+  required_version = ">= 1.14.0"
   required_providers {
     aws = {
       source  = "hashicorp/aws"
diff --git a/workspaces/sandbox/backend.tf b/workspaces/sandbox/backend.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.11.3"
+  required_version = ">= 1.14.0"
 
   required_providers {
     aws = {
diff --git a/workspaces/sandbox/iam/main.tf b/workspaces/sandbox/iam/main.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.11.3"
+  required_version = ">= 1.14.0"
   required_providers {
     aws = {
       source  = "hashicorp/aws"
