DurianPy-Davao-Python-User-Group · ArJSarmiento · Apr 11, 2026 · Apr 11, 2026 · Apr 11, 2026 · Apr 11, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,67 @@
+name: CI
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+env:
+  TF_VERSION: "1.14.8"
+
+jobs:
+  fmt:
+    name: Terraform fmt
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TF_VERSION }}
+      - run: terraform fmt -recursive -check .
+
+  validate:
+    name: Validate (${{ matrix.workspace }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        workspace: [root, prod, nonprod, sandbox]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TF_VERSION }}
+      - run: terraform -chdir=workspaces/${{ matrix.workspace }} init -backend=false
+      - run: terraform -chdir=workspaces/${{ matrix.workspace }} validate
+
+  trivy:
+    name: Trivy IaC scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: aquasecurity/trivy-action@0.35.0
+        with:
+          scan-type: config
+          scan-ref: .
+          exit-code: 1
+          severity: CRITICAL,HIGH
+          format: table
+
+  security:
+    name: Secret scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      pull-requests: read
+      packages: read
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
+          GITLEAKS_CONFIG: .gitleaks.toml
diff --git a/.github/workflows/plan-nonprod.yml b/.github/workflows/plan-nonprod.yml
@@ -0,0 +1,34 @@
+name: Plan (nonprod)
+
+on:
+  pull_request:
+    branches: [main]
+    paths:
+      - "workspaces/nonprod/**"
+      - "modules/**"
+
+env:
+  TF_VERSION: "1.14.8"
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  plan:
+    name: Plan (nonprod)
+    runs-on: ubuntu-latest
+    env:
+      TF_TOKEN_app_terraform_io: ${{ secrets.TF_API_TOKEN }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
+        with:
+          role-to-assume: ${{ vars.NONPROD_OIDC_ROLE_ARN }}
+          aws-region: ${{ vars.AWS_REGION }}
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TF_VERSION }}
+          terraform_wrapper: false
+      - run: terraform -chdir=workspaces/nonprod init
+      - run: terraform -chdir=workspaces/nonprod plan -no-color
diff --git a/.github/workflows/plan-prod.yml b/.github/workflows/plan-prod.yml
@@ -0,0 +1,34 @@
+name: Plan (prod)
+
+on:
+  pull_request:
+    branches: [main]
+    paths:
+      - "workspaces/prod/**"
+      - "modules/**"
+
+env:
+  TF_VERSION: "1.14.8"
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  plan:
+    name: Plan (prod)
+    runs-on: ubuntu-latest
+    env:
+      TF_TOKEN_app_terraform_io: ${{ secrets.TF_API_TOKEN }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
+        with:
+          role-to-assume: ${{ vars.PROD_OIDC_ROLE_ARN }}
+          aws-region: ${{ vars.AWS_REGION }}
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TF_VERSION }}
+          terraform_wrapper: false
+      - run: terraform -chdir=workspaces/prod init
+      - run: terraform -chdir=workspaces/prod plan -no-color
diff --git a/.github/workflows/plan-root.yml b/.github/workflows/plan-root.yml
@@ -0,0 +1,34 @@
+name: Plan (root)
+
+on:
+  pull_request:
+    branches: [main]
+    paths:
+      - "workspaces/root/**"
+      - "modules/**"
+
+env:
+  TF_VERSION: "1.14.8"
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  plan:
+    name: Plan (root)
+    runs-on: ubuntu-latest
+    env:
+      TF_TOKEN_app_terraform_io: ${{ secrets.TF_API_TOKEN }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
+        with:
+          role-to-assume: ${{ vars.ROOT_OIDC_ROLE_ARN }}
+          aws-region: ${{ vars.AWS_REGION }}
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TF_VERSION }}
+          terraform_wrapper: false
+      - run: terraform -chdir=workspaces/root init
+      - run: terraform -chdir=workspaces/root plan -no-color
diff --git a/.github/workflows/plan-sandbox.yml b/.github/workflows/plan-sandbox.yml
@@ -0,0 +1,34 @@
+name: Plan (sandbox)
+
+on:
+  pull_request:
+    branches: [main]
+    paths:
+      - "workspaces/sandbox/**"
+      - "modules/**"
+
+env:
+  TF_VERSION: "1.14.8"
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  plan:
+    name: Plan (sandbox)
+    runs-on: ubuntu-latest
+    env:
+      TF_TOKEN_app_terraform_io: ${{ secrets.TF_API_TOKEN }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
+        with:
+          role-to-assume: ${{ vars.SANDBOX_OIDC_ROLE_ARN }}
+          aws-region: ${{ vars.AWS_REGION }}
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TF_VERSION }}
+          terraform_wrapper: false
+      - run: terraform -chdir=workspaces/sandbox init
+      - run: terraform -chdir=workspaces/sandbox plan -no-color
diff --git a/.gitignore b/.gitignore
@@ -9,11 +9,11 @@
 crash.log
 crash.*.log
 
-# Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version 
-# control as they are data points which are potentially sensitive and subject 
-# to change depending on the environment.
-*.tfvars
+# Exclude auto-loaded and environment-specific tfvars (may contain secrets).
+# terraform.tfvars is committed — it holds non-sensitive workspace defaults only.
+# Sensitive values go in TFC workspace variables.
+*.auto.tfvars
+*.auto.tfvars.json
 *.tfvars.json
 
 # Ignore override files as they are usually used to override resources locally and so
@@ -35,3 +35,5 @@ override.tf.json
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
+
+.DS_Store
diff --git a/.gitleaks.toml b/.gitleaks.toml
@@ -0,0 +1,5 @@
+title = "Durianpy gitleaks configuration"
+
+# Keep this minimal: use Gitleaks' built-in rules and add only repo-specific allowlists.
+[extend]
+useDefault = true
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,54 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v5.0.0
+  hooks:
+    - id: check-added-large-files
+    - id: check-merge-conflict
+    - id: check-yaml
+    - id: check-executables-have-shebangs
+    - id: end-of-file-fixer
+    - id: trailing-whitespace
+      args: [--markdown-linebreak-ext=md]
+    - id: mixed-line-ending
+      args: [--fix=lf]
+    - id: check-case-conflict
+    - id: detect-aws-credentials
+      args: [--allow-missing-credentials]
+    - id: detect-private-key
+
+- repo: https://github.com/commitizen-tools/commitizen
+  rev: v4.6.0
+  hooks:
+    - id: commitizen
+      stages: [commit-msg]
+
+- repo: https://github.com/gitleaks/gitleaks
+  rev: v8.24.3
+  hooks:
+    - id: gitleaks
+
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.99.4
+  hooks:
+    - id: terraform_fmt
+    - id: terraform_validate
+      args:
+        - --args=-no-color
+        - --hook-config=--retry-once-with-cleanup=true
+      # Only validate workspace roots (workspaces/<env>/*.tf).
+      # Sub-module directories (workspaces/<env>/<module>/) are child modules
+      # that require a calling root to supply provider aliases — they cannot be
+      # validated standalone.
+      exclude: ^(modules/|workspaces/[^/]+/[^/]+/)
+    - id: terraform_tflint
+      args:
+        - --args=--only=terraform_deprecated_interpolation
+        - --args=--only=terraform_deprecated_index
+        - --args=--only=terraform_unused_declarations
+        - --args=--only=terraform_comment_syntax
+        - --args=--only=terraform_documented_outputs
+        - --args=--only=terraform_documented_variables
+        - --args=--only=terraform_typed_variables
+        - --args=--only=terraform_naming_convention
+        - --args=--only=terraform_required_version
+        - --args=--only=terraform_required_providers
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl