diff --git a/.github/workflows/pre-commit-hooks.yml b/.github/workflows/pre-commit-hooks.yml
new file mode 100644
index 0000000..7949f86
--- /dev/null
+++ b/.github/workflows/pre-commit-hooks.yml
@@ -0,0 +1,56 @@
+# Optional: Pre-commit hooks workflow
+# This provides guidance for setting up local pre-commit hooks
+
+name: Pre-commit Validation
+
+on:
+ pull_request:
+ paths:
+ - ".pre-commit-config.yaml"
+ - ".github/workflows/pre-commit-hooks.yml"
+
+jobs:
+ validate-pre-commit:
+ name: Validate Pre-commit Configuration
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Set up Python
+ uses: actions/setup-python@v4
+ with:
+ python-version: "3.11"
+
+ - name: Install pre-commit
+ run: |
+ pip install pre-commit
+ pre-commit --version
+
+ - name: Run pre-commit on all files
+ run: pre-commit run --all-files
+ continue-on-error: true
+
+ - name: Show pre-commit setup instructions
+ if: always()
+ run: |
+ echo "## π Setting up Pre-commit Hooks Locally"
+ echo ""
+ echo "Pre-commit hooks help catch secrets BEFORE they reach GitHub."
+ echo ""
+ echo "### Installation:"
+ echo "\`\`\`bash"
+ echo "# Install pre-commit"
+ echo "pip install pre-commit"
+ echo ""
+ echo "# Install the git hooks"
+ echo "pre-commit install"
+ echo ""
+ echo "# (Optional) Run against all files"
+ echo "pre-commit run --all-files"
+ echo "\`\`\`"
+ echo ""
+ echo "### What it does:"
+ echo "- Scans for secrets before each commit"
+ echo "- Validates Terraform formatting"
+ echo "- Checks for merge conflicts"
+ echo "- Prevents large files from being committed"
diff --git a/.github/workflows/secret-scanning.yml b/.github/workflows/secret-scanning.yml
new file mode 100644
index 0000000..95a986e
--- /dev/null
+++ b/.github/workflows/secret-scanning.yml
@@ -0,0 +1,282 @@
+name: Secret Scanning
+
+on:
+ pull_request:
+ branches:
+ - main
+ push:
+ branches:
+ - main
+ - "feature/**"
+ - "fix/**"
+
+permissions:
+ contents: write
+ pull-requests: write
+ issues: write
+
+jobs:
+ gitleaks:
+ name: Gitleaks Secret Scanning
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0 # Fetch all history for accurate scanning
+
+ - name: Run Gitleaks
+ uses: gitleaks/gitleaks-action@v2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITLEAKS_ENABLE_COMMENTS: true
+
+ - name: Upload Gitleaks Report
+ if: failure()
+ uses: actions/upload-artifact@v4
+ with:
+ name: gitleaks-report
+ path: results.sarif
+ retention-days: 7
+
+ trufflehog:
+ name: TruffleHog Secret Scanning
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: TruffleHog OSS
+ uses: trufflesecurity/trufflehog@main
+ with:
+ path: ./
+ base: ${{ github.event.repository.default_branch }}
+ head: HEAD
+ extra_args: --debug --only-verified
+
+ custom-pattern-check:
+ name: Custom Pattern Detection
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Check for common secret patterns
+ id: secret_check
+ run: |
+ echo "Scanning for common secret patterns..."
+
+ # Define patterns to search for
+ PATTERNS=(
+ "aws_access_key_id"
+ "aws_secret_access_key"
+ "AKIA[0-9A-Z]{16}" # AWS Access Key
+ "(?i)api[_-]?key.*['\"][0-9a-zA-Z]{32,}['\"]" # Generic API keys
+ "(?i)password.*['\"][^'\"]{8,}['\"]" # Passwords in quotes
+ "(?i)secret.*['\"][0-9a-zA-Z]{32,}['\"]" # Generic secrets
+ "(?i)token.*['\"][0-9a-zA-Z]{32,}['\"]" # Tokens
+ "private[_-]?key"
+ "-----BEGIN (RSA|OPENSSH|DSA|EC) PRIVATE KEY-----" # Private keys
+ "ghp_[0-9a-zA-Z]{36}" # GitHub Personal Access Token
+ "ghs_[0-9a-zA-Z]{36}" # GitHub OAuth Secret
+ "sk_live_[0-9a-zA-Z]{24,}" # Stripe Live Secret Key
+ "pk_live_[0-9a-zA-Z]{24,}" # Stripe Live Public Key
+ )
+
+ FOUND_SECRETS=0
+ REPORT_FILE="secret_scan_report.txt"
+
+ echo "=== Secret Scanning Report ===" > $REPORT_FILE
+ echo "Timestamp: $(date)" >> $REPORT_FILE
+ echo "" >> $REPORT_FILE
+
+ # Get list of changed files
+ if [ "${{ github.event_name }}" = "pull_request" ]; then
+ FILES=$(git diff --name-only origin/${{ github.base_ref }}...HEAD)
+ else
+ FILES=$(git diff --name-only HEAD~1 HEAD)
+ fi
+
+ # Skip certain file types and directories
+ FILES=$(echo "$FILES" | grep -v ".terraform/" | grep -v ".git/" | grep -v "node_modules/" || true)
+
+ for FILE in $FILES; do
+ if [ -f "$FILE" ]; then
+ echo "Scanning: $FILE" >> $REPORT_FILE
+
+ for PATTERN in "${PATTERNS[@]}"; do
+ MATCHES=$(grep -niE "$PATTERN" "$FILE" 2>/dev/null || true)
+ if [ ! -z "$MATCHES" ]; then
+ FOUND_SECRETS=1
+ echo " β FOUND POTENTIAL SECRET:" >> $REPORT_FILE
+ echo " Pattern: $PATTERN" >> $REPORT_FILE
+ echo "$MATCHES" | while IFS= read -r line; do
+ # Redact the actual secret value
+ REDACTED=$(echo "$line" | sed -E 's/['\''"][0-9a-zA-Z]{8,}['\''"]/***REDACTED***/g')
+ echo " $REDACTED" >> $REPORT_FILE
+ done
+ echo "" >> $REPORT_FILE
+ fi
+ done
+ fi
+ done
+
+ if [ $FOUND_SECRETS -eq 1 ]; then
+ echo "status=failed" >> $GITHUB_OUTPUT
+ cat $REPORT_FILE
+ echo ""
+ echo "β SECRETS DETECTED! Please remove sensitive data before committing."
+ exit 1
+ else
+ echo "status=passed" >> $GITHUB_OUTPUT
+ echo "β
No secrets detected"
+ fi
+
+ - name: Comment on PR with findings
+ if: failure() && github.event_name == 'pull_request'
+ uses: actions/github-script@v7
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ const fs = require('fs');
+ let report = 'β οΈ **Secret Scanning Failed**\n\n';
+ report += '**Potential secrets or API keys were detected in your changes.**\n\n';
+ report += 'Please review and remove any sensitive data before merging.\n\n';
+ report += '### What to do:\n';
+ report += '1. Remove the secret from your code\n';
+ report += '2. Use environment variables or GitHub Secrets instead\n';
+ report += '3. If the secret was already committed, you must:\n';
+ report += ' - Rotate/invalidate the exposed secret\n';
+ report += ' - Remove it from git history using `git filter-branch` or BFG Repo-Cleaner\n\n';
+ report += '### Common secret patterns detected:\n';
+ report += '- AWS Access Keys (AKIA...)\n';
+ report += '- API Keys\n';
+ report += '- Private Keys\n';
+ report += '- Passwords or tokens in code\n\n';
+ report += '**This PR cannot be merged until all secrets are removed.**';
+
+ github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: report
+ });
+
+ block-merge:
+ name: Block Merge if Secrets Found
+ runs-on: ubuntu-latest
+ needs: [gitleaks, trufflehog, custom-pattern-check]
+ if: always()
+ steps:
+ - name: Check scan results
+ run: |
+ if [ "${{ needs.gitleaks.result }}" = "failure" ] || \
+ [ "${{ needs.trufflehog.result }}" = "failure" ] || \
+ [ "${{ needs.custom-pattern-check.result }}" = "failure" ]; then
+ echo "β Secret scanning failed. Blocking merge."
+ exit 1
+ else
+ echo "β
All secret scans passed. Safe to merge."
+ fi
+
+ # Optional: Auto-revert commits with secrets on main branch
+ auto-revert:
+ name: Auto-revert Commits with Secrets
+ runs-on: ubuntu-latest
+ needs: [gitleaks, trufflehog, custom-pattern-check]
+ if: |
+ failure() &&
+ github.event_name == 'push' &&
+ github.ref == 'refs/heads/main'
+ permissions:
+ contents: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Configure git
+ run: |
+ git config user.name "github-actions[bot]"
+ git config user.email "github-actions[bot]@users.noreply.github.com"
+
+ - name: Revert last commit
+ run: |
+ COMMIT_SHA="${{ github.sha }}"
+ COMMIT_MSG=$(git log -1 --pretty=%B $COMMIT_SHA)
+
+ echo "β οΈ Reverting commit: $COMMIT_SHA"
+ echo "Commit message: $COMMIT_MSG"
+
+ git revert --no-edit $COMMIT_SHA
+ git push origin main
+
+ - name: Create issue for manual review
+ uses: actions/github-script@v7
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ const issue = await github.rest.issues.create({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ title: 'π¨ Secrets Detected - Commit Automatically Reverted',
+ body: `## Security Alert: Secrets Detected
+
+ **Commit**: \`${{ github.sha }}\`
+ **Author**: @${{ github.actor }}
+ **Branch**: main
+
+ ### What happened?
+ Secret scanning detected potential secrets or API keys in a commit to the main branch.
+ The commit has been automatically reverted to prevent exposure.
+
+ ### Required Actions:
+
+ 1. **β οΈ ROTATE ALL EXPOSED SECRETS IMMEDIATELY**
+ - If the secret was an API key, revoke it
+ - If it was an AWS key, disable it in IAM
+ - Generate new credentials
+
+ 2. **Clean up your local branch**:
+ \`\`\`bash
+ git fetch origin
+ git reset --hard origin/main
+ \`\`\`
+
+ 3. **Remove the secret properly**:
+ - Use environment variables
+ - Use GitHub Secrets
+ - Use AWS Secrets Manager / Parameter Store
+ - Add pattern to .gitignore
+
+ 4. **Re-commit without secrets**:
+ - Make your changes again
+ - Ensure no secrets are in the code
+ - Submit a new PR
+
+ ### Preventing Future Incidents:
+
+ - Always use \`.tfvars\` files for sensitive values (they're gitignored)
+ - Use \`backend.tf\` for backend config (also gitignored)
+ - Store secrets in GitHub Secrets or AWS Secrets Manager
+ - Run \`git diff\` before committing to review changes
+ - Enable pre-commit hooks for local secret scanning
+
+ **This issue will remain open until confirmed that exposed secrets have been rotated.**`,
+ labels: ['security', 'urgent', 'secrets-detected']
+ });
+
+ console.log('Created issue:', issue.data.number);
+
+ - name: Send alert notification
+ if: always()
+ run: |
+ echo "π¨ SECURITY ALERT: Secrets detected in commit ${{ github.sha }}"
+ echo "Commit has been reverted and an issue has been created."
+ echo "Please rotate any exposed credentials immediately."
diff --git a/.github/workflows/terraform-apply.yml b/.github/workflows/terraform-apply.yml
new file mode 100644
index 0000000..52eda40
--- /dev/null
+++ b/.github/workflows/terraform-apply.yml
@@ -0,0 +1,111 @@
+name: Terraform Apply
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - "infra/aws/**/*.tf"
+ - "infra/aws/**/*.tfvars"
+ - ".github/workflows/terraform-*.yml"
+ workflow_dispatch:
+ inputs:
+ module:
+ description: "Specific module to apply (leave empty for all changed)"
+ required: false
+ type: string
+
+permissions:
+ contents: read
+ id-token: write
+
+jobs:
+ detect-changes:
+ name: Detect Changed Modules
+ runs-on: ubuntu-latest
+ outputs:
+ modules: ${{ steps.detect.outputs.modules }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 2
+
+ - name: Detect changed Terraform modules
+ id: detect
+ run: |
+ if [ "${{ github.event_name }}" == "workflow_dispatch" ] && [ -n "${{ inputs.module }}" ]; then
+ # Manual trigger with specific module
+ MODULES=$(echo '["${{ inputs.module }}"]')
+ echo "Manual module specified: $MODULES"
+ echo "modules=$MODULES" >> $GITHUB_OUTPUT
+ exit 0
+ fi
+
+ # Get changed files from the last commit
+ CHANGED_FILES=$(git diff --name-only HEAD~1 HEAD | grep -E '^infra/aws/.*\.tf(vars)?$' || true)
+
+ if [ -z "$CHANGED_FILES" ]; then
+ echo "No Terraform files changed"
+ echo "modules=[]" >> $GITHUB_OUTPUT
+ exit 0
+ fi
+
+ # Extract unique module directories
+ MODULES=$(echo "$CHANGED_FILES" | xargs -n1 dirname | sort -u | jq -R -s -c 'split("\n")[:-1]')
+ echo "Changed modules: $MODULES"
+ echo "modules=$MODULES" >> $GITHUB_OUTPUT
+
+ terraform-apply:
+ name: Apply - ${{ matrix.module }}
+ runs-on: ubuntu-latest
+ needs: detect-changes
+ if: needs.detect-changes.outputs.modules != '[]'
+ strategy:
+ matrix:
+ module: ${{ fromJson(needs.detect-changes.outputs.modules) }}
+ fail-fast: false
+ max-parallel: 1 # Apply modules one at a time to avoid conflicts
+ defaults:
+ run:
+ working-directory: ${{ matrix.module }}
+ environment:
+ name: production-demo
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+ aws-region: us-east-2
+ role-session-name: GitHubActions-TerraformApply
+
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: "~1.6"
+
+ - name: Terraform Init
+ env:
+ TF_CLI_ARGS_init: >-
+ -backend-config="bucket=${{ secrets.TF_STATE_BUCKET }}"
+ -backend-config="dynamodb_table=${{ secrets.TF_STATE_LOCK_TABLE }}"
+ -backend-config="region=us-east-2"
+ -backend-config="encrypt=true"
+ run: terraform init -input=false
+
+ - name: Terraform Plan
+ run: terraform plan -no-color -input=false -out=tfplan
+
+ - name: Terraform Apply
+ run: terraform apply -no-color -input=false tfplan
+
+ - name: Upload Terraform State (backup)
+ uses: actions/upload-artifact@v4
+ if: always()
+ with:
+ name: terraform-state-${{ hashFiles(format('{0}/**', matrix.module)) }}
+ path: ${{ matrix.module }}/.terraform/
+ retention-days: 7
diff --git a/.github/workflows/terraform-destroy.yml b/.github/workflows/terraform-destroy.yml
new file mode 100644
index 0000000..590c354
--- /dev/null
+++ b/.github/workflows/terraform-destroy.yml
@@ -0,0 +1,68 @@
+name: Terraform Destroy
+
+on:
+ workflow_dispatch:
+ inputs:
+ module:
+ description: "Module to destroy (e.g., infra/aws/us-east-2/eks)"
+ required: true
+ type: string
+ confirm:
+ description: 'Type "destroy" to confirm'
+ required: true
+ type: string
+
+permissions:
+ contents: read
+ id-token: write
+
+jobs:
+ terraform-destroy:
+ name: Destroy - ${{ inputs.module }}
+ runs-on: ubuntu-latest
+ if: inputs.confirm == 'destroy'
+ defaults:
+ run:
+ working-directory: ${{ inputs.module }}
+ environment:
+ name: production-demo
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+ aws-region: us-east-2
+ role-session-name: GitHubActions-TerraformDestroy
+
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: "~1.6"
+
+ - name: Terraform Init
+ env:
+ TF_CLI_ARGS_init: >-
+ -backend-config="bucket=${{ secrets.TF_STATE_BUCKET }}"
+ -backend-config="dynamodb_table=${{ secrets.TF_STATE_LOCK_TABLE }}"
+ -backend-config="region=us-east-2"
+ -backend-config="encrypt=true"
+ run: terraform init -input=false
+
+ - name: Terraform Plan Destroy
+ run: terraform plan -destroy -no-color -input=false -out=tfplan
+
+ - name: Terraform Destroy
+ run: terraform apply -no-color -input=false tfplan
+
+ validation-failed:
+ name: Validation Failed
+ runs-on: ubuntu-latest
+ if: inputs.confirm != 'destroy'
+ steps:
+ - name: Confirmation not provided
+ run: |
+ echo "::error::Destroy confirmation not provided. You must type 'destroy' to confirm."
+ exit 1
diff --git a/.github/workflows/terraform-plan.yml b/.github/workflows/terraform-plan.yml
new file mode 100644
index 0000000..0da766e
--- /dev/null
+++ b/.github/workflows/terraform-plan.yml
@@ -0,0 +1,140 @@
+name: Terraform Plan
+
+on:
+ pull_request:
+ branches:
+ - main
+ paths:
+ - "infra/aws/**/*.tf"
+ - "infra/aws/**/*.tfvars"
+ - ".github/workflows/terraform-*.yml"
+
+permissions:
+ contents: read
+ pull-requests: write
+ id-token: write
+
+jobs:
+ detect-changes:
+ name: Detect Changed Modules
+ runs-on: ubuntu-latest
+ outputs:
+ modules: ${{ steps.detect.outputs.modules }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Detect changed Terraform modules
+ id: detect
+ run: |
+ # Get changed files
+ CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}...HEAD | grep -E '^infra/aws/.*\.tf(vars)?$' || true)
+
+ if [ -z "$CHANGED_FILES" ]; then
+ echo "No Terraform files changed"
+ echo "modules=[]" >> $GITHUB_OUTPUT
+ exit 0
+ fi
+
+ # Extract unique module directories
+ MODULES=$(echo "$CHANGED_FILES" | xargs -n1 dirname | sort -u | jq -R -s -c 'split("\n")[:-1]')
+ echo "Changed modules: $MODULES"
+ echo "modules=$MODULES" >> $GITHUB_OUTPUT
+
+ terraform-plan:
+ name: Plan - ${{ matrix.module }}
+ runs-on: ubuntu-latest
+ needs: detect-changes
+ if: needs.detect-changes.outputs.modules != '[]'
+ strategy:
+ matrix:
+ module: ${{ fromJson(needs.detect-changes.outputs.modules) }}
+ fail-fast: false
+ defaults:
+ run:
+ working-directory: ${{ matrix.module }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+ aws-region: us-east-2
+ role-session-name: GitHubActions-TerraformPlan
+
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: "~1.6"
+
+ - name: Terraform Format Check
+ id: fmt
+ run: terraform fmt -check -recursive
+ continue-on-error: true
+
+ - name: Terraform Init
+ id: init
+ env:
+ TF_CLI_ARGS_init: >-
+ -backend-config="bucket=${{ secrets.TF_STATE_BUCKET }}"
+ -backend-config="dynamodb_table=${{ secrets.TF_STATE_LOCK_TABLE }}"
+ -backend-config="region=us-east-2"
+ -backend-config="encrypt=true"
+ run: terraform init -input=false
+
+ - name: Terraform Validate
+ id: validate
+ run: terraform validate -no-color
+
+ - name: Terraform Plan
+ id: plan
+ run: |
+ terraform plan -no-color -input=false -out=tfplan
+ terraform show -no-color tfplan > plan.txt
+ continue-on-error: true
+
+ - name: Comment PR with Plan
+ uses: actions/github-script@v7
+ if: github.event_name == 'pull_request'
+ env:
+ PLAN: ${{ steps.plan.outputs.stdout }}
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ const fs = require('fs');
+ const module = '${{ matrix.module }}';
+ const plan = fs.existsSync('${{ matrix.module }}/plan.txt')
+ ? fs.readFileSync('${{ matrix.module }}/plan.txt', 'utf8')
+ : 'Plan output not available';
+
+ const output = `### Terraform Plan: \`${module}\`
+
+ #### Format and Style π \`${{ steps.fmt.outcome }}\`
+ #### Initialization βοΈ \`${{ steps.init.outcome }}\`
+ #### Validation π€ \`${{ steps.validate.outcome }}\`
+ #### Plan π \`${{ steps.plan.outcome }}\`
+
+ Show Plan
+
+ \`\`\`terraform
+ ${plan.slice(0, 65000)}
+ \`\`\`
+
+