Initial commit

2025-11-12 08:13:55 +00:00 · 2025-11-12 08:13:55 +00:00 · 411a1fea1f
commit 411a1fea1f
14 changed files with 359 additions and 0 deletions
--- a/.forgejo/pull_request_template.md
+++ b/.forgejo/pull_request_template.md
@ -0,0 +1,8 @@
 ## Description
 ## Checklist
 - [ ] The `README.md` has been updated accordingly.
 - [ ] A `CHANGELOG.md` entry has been added.
 - [ ] The CI pipeline passed successfully.
 - [ ] My commit is signed.
--- a/.forgejo/workflows/default-ci.yaml
+++ b/.forgejo/workflows/default-ci.yaml
@ -0,0 +1,56 @@
 name: CI
 on: [push]
 jobs:
  license-check:
    name: Check License Header
    runs-on: docker
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Verify license header in Terraform files
        run: |
          set -e
          # Only checks for the presence of the word "Copyright" in the first line.
          KEYWORD="Copyright"
          for file in $(find . -maxdepth 1 -name "*.tf"); do
            if ! head -n 1 "$file" | grep -q "$KEYWORD"; then
              echo "::error file=$file,line=1::A copyright header is missing or incorrect in the first line."
              exit 1
            fi
          done
          echo "✔ Copyright header check passed for all .tf files."
  secrets-scan:
    name: TruffleHog Secrets Scan
    runs-on: docker
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: trufflehog-actions-scan
        uses: https://github.com/edplato/trufflehog-actions-scan@master
  terraform:
    name: Terraform CI
    runs-on: docker
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Terraform
        uses: https://github.com/hashicorp/setup-terraform@v3
        with:
          terraform_version: "1.5.7"
      - name: Terraform Init
        run: terraform init
      - name: Terraform Format Check
        run: terraform fmt -recursive -check
      - name: Terraform Validate
        run: terraform validate
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,44 @@
 # ---> Terraform
 # Local .terraform directories
 **/.terraform/*
 # .tfstate files
 *.tfstate
 *.tfstate.*
 # Crash log files
 crash.log
 crash.*.log
 # Exclude all .tfvars files, which are likely to contain sensitive data, such as
 # password, private keys, and other secrets. These should not be part of version 
 # control as they are data points which are potentially sensitive and subject 
 # to change depending on the environment.
 *.tfvars
 *.tfvars.json
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in
 override.tf
 override.tf.json
 *_override.tf
 *_override.tf.json
 # Ignore transient lock info files created by terraform apply
 .terraform.tfstate.lock.info
 # Include override files you do wish to add to version control using negated pattern
 # !example_override.tf
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
 .env
 *.qcow2
 .DS_Store
 *.bkp
 .idea
--- a/.terraform-version
+++ b/.terraform-version
@ -0,0 +1 @@
 v1.5.7
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@ -0,0 +1,45 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
 provider "registry.terraform.io/hashicorp/random" {
  version     = "3.6.3"
  constraints = "3.6.3"
  hashes = [
    "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=",
    "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451",
    "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8",
    "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe",
    "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1",
    "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36",
    "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e",
    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
    "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30",
    "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615",
    "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad",
    "zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556",
    "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0",
  ]
 }
 provider "registry.terraform.io/stackitcloud/stackit" {
  version     = "0.69.0"
  constraints = "0.69.0"
  hashes = [
    "h1:ZJT3yMWfm4f2+L8XOJlp4x9dAej6TOz0POQi6yvRimc=",
    "zh:0062c29953695943f44561264542c65050c35b45fc5fd279d07db40a856c7e33",
    "zh:01f74068286ebbb9e7a280e893b6a941214444986ec0aad156b0a349ab3efbab",
    "zh:0dde99e7b343fa01f8eefc378171fb8621bedb20f59157d6cc8e3d46c738105f",
    "zh:23f695fc9299cbdff0cef3e99eccdfd6dbc85266d71f9e7eb917066821f97b2d",
    "zh:2cb58760e26de6afc93b26452e1987eca0713ecca5a252e3baf4b6a9adce5ab0",
    "zh:33b72f438dccbbba5015bd3e265db83fa69f693f5e93cfaf1735bcfd92f2198b",
    "zh:4d22147d5881b6ea824ca11d8676dd3c24b378a87e72d849485d87c412d57c0d",
    "zh:7373e3036eee52c5d915992bcd42df3227603714e9b814d1f8513e0891b87a54",
    "zh:7ea4ad058e2767d7461c4b0cc02adf8591f0c3541274481611ca7c8bc4396f9d",
    "zh:82e2568b28874ded800a592b84e6cd570a2f3488214422041a41918076a2db49",
    "zh:ae2d827c2328c225d279e37f6e1de2605b670b2f1bddf5d43e7c932ef4ff52a3",
    "zh:b206487c97f87f0cde19ef0ab1cfdeafa60ad9fbabdf0d771d96bb56d6d2e94f",
    "zh:bdbbe0ba3b3b80b0f2bc09b59ea72f9564f9b93d80949f69f6469b0ab8d6b91c",
    "zh:c955889cbb87227031233b2226ebe591e4a30699e3f0fc9f32b61ff2c3836dd7",
    "zh:cf51867c75f3c0b58a2e8a2404d4468d0520588aa892c3b30e5beb8a8d20ce79",
  ]
 }
--- a/00-backend.tf
+++ b/00-backend.tf
@ -0,0 +1,9 @@
 /*Copyright 2025 STACKIT GmbH & Co. KG <maintainer.email@stackit.cloud>
 Use of this source code is governed by an MIT-style
 license that can be found in the LICENSE file or at
 https://opensource.org/licenses/MIT.*/
 /*terraform {
  backend "s3" {}
 }*/
--- a/00-provider.tf
+++ b/00-provider.tf
@ -0,0 +1,26 @@
 /*Copyright 2025 STACKIT GmbH & Co. KG <maintainer.email@stackit.cloud>
 Use of this source code is governed by an MIT-style
 license that can be found in the LICENSE file or at
 https://opensource.org/licenses/MIT.*/
 terraform {
  required_version = ">= 0.14.0"
  required_providers {
    stackit = {
      source  = "stackitcloud/stackit"
      version = "0.69.0"
    }
    random = {
      source  = "hashicorp/random"
      version = "3.6.3"
    }
  }
 }
 provider "stackit" {
  default_region           = var.stackit_region
  service_account_key_path = var.stackit_service_account_key_path
  experiments              = ["routing-tables", "network"]
  enable_beta_resources    = true
 }
--- a/01-variables.tf
+++ b/01-variables.tf
@ -0,0 +1,20 @@
 /*Copyright 2025 STACKIT GmbH & Co. KG <maintainer.email@stackit.cloud>
 Use of this source code is governed by an MIT-style
 license that can be found in the LICENSE file or at
 https://opensource.org/licenses/MIT.*/
 variable "stackit_region" {
  type    = string
  default = "eu01"
 }
 variable "stackit_service_account_key_path" {
  type    = string
  default = "keys/sa-key.json"
 }
 variable "stackit_project_id" {
  type    = string
  default = "XXXX-XXXX-XXXX-XXXX"
 }
--- a/02-example.tf
+++ b/02-example.tf
@ -0,0 +1,10 @@
 /*Copyright 2025 STACKIT GmbH & Co. KG <maintainer.email@stackit.cloud>
 Use of this source code is governed by an MIT-style
 license that can be found in the LICENSE file or at
 https://opensource.org/licenses/MIT.*/
 resource "stackit_network" "example" {
  project_id = var.stackit_project_id
  name       = "example"
 }
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -0,0 +1,2 @@
 - v1.0.0
  - Initial Release
--- a/9
+++ b/9
@ -0,0 +1,9 @@
 MIT License
 Copyright (c) 2025 professional-service-best-practices
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--- a/MAINTAINERS.md
+++ b/MAINTAINERS.md
@ -0,0 +1,8 @@
 # Maintainers
 General maintainers:
 * Foo Bar (foo.bar@stackit.cloud)
 This BP is actively maintained. The owner is responsible for reviewing and updating dependencies and functionalities on a monthly basis.
 For questions, issues, or feature requests, please email general maintainers.
 Please include the BP name and version in your request. We will track your request as an issue.
--- a/README.md
+++ b/README.md
@ -0,0 +1,113 @@
 # [Name of the Best Practice Template]
 ## Overview
 This repository provides a standardized template to solve [specific problem or use case]. It is designed to ensure quality, maintainability, and security for [mention the technology, e.g., Terraform module, CI/CD pipeline, etc.] on **STACKIT**.
 The main goal of this Best Practice (BP) is to [briefly describe the primary benefit, e.g., "deploy a secure and cost-effective Kubernetes cluster on STACKIT"].
 ## License Header
 ```console
 /*
 Copyright 2025 STACKIT GmbH & Co. KG <maintainer.email@stackit.cloud>
 Use of this source code is governed by an MIT-style
 license that can be found in the LICENSE file or at
 https://opensource.org/licenses/MIT.
 */
 ```
 ## Setup Git GPG Key
 1. Generate GPG Key
 ```console
 gpg --full-generate-key
 ```
 1. Configure Git to use the Key
 ```console
 git config --global user.signingkey <GPG KEY ID>
 git config --global commit.gpgsign true
 ```
 1. Read GPG Key and add it to STACKIT Git
 ```console
 gpg --armor --export <GPG KEY ID>
 ```
 Copy the Public Key block and add it into your Profile settings on the STACKIT Git instance.
 https://docs.codeberg.org/security/gpg-key/
 https://gist.github.com/troyfontaine/18c9146295168ee9ca2b30c00bd1b41e
 ## Prerequisites
 Before using this template, ensure you have the following:
 * **Tools**:
    * [Tool Name, e.g., Terraform] version `x.y.z` or higher
    * [Tool Name, e.g., Git]
 * **Access & Permissions**:
    * [Required access, e.g., Project Member permissions on a STACKIT project]
    * STACKIT provider credentials configured
 ## How to Use
 Follow these steps to implement the template:
 1.  **Clone the repository:**
    ```bash
    git clone [repository-url]
    cd [repository-name]
    ```
 2.  **Configure the variables:**
    * Create a `terraform.tfvars` file or set environment variables as described in the **Configuration** section below.
 3.  **Initialize and apply:**
    ```bash
    terraform init
    terraform plan
    terraform apply
    ```
 4.  **Verify the deployment:**
    * [Provide a simple command or step to check if the deployment was successful].
 ## Configuration
 The following variables can be configured.
 | Variable Name | Description                                 | Type     | Default Value | Required |
 |---------------|---------------------------------------------|----------|---------------|----------|
 | `project_id`  | The STACKIT project ID.                     | `string` | `null`        | Yes      |
 | `region`      | The region where resources will be created. | `string` | `eu01`        | No       |
 | `...`         | ...                                         | `...`    | `...`         | ...      |
 ## Testing
 This repository includes automated and manual testing procedures to ensure quality.
 ### Automated Tests
 * **Validation**: `terraform validate` is automatically executed on every commit via the CI/CD pipeline.
 * **Security Scans**: A secret check is performed on every push to the repository.
 ### Manual Tests
 The following aspects should be tested manually after deployment:
 * [Manual Test Case 1, e.g., "Verify connectivity to the database instance."]
 * [Manual Test Case 2, e.g., "Check permissions for the created service account."]
 ### Dependencies
 This template relies on the following pinned versions:
 * **Provider [Provider Name, e.g., STACKIT]**: `~> 0.69.0`
 ## Changelog
 All notable changes to this project are documented in the `CHANGELOG.md` file.
--- a/backend.conf.example
+++ b/backend.conf.example
@ -0,0 +1,8 @@
 bucket                      = ""
 key                         = ""
 endpoint                    = "https://object.storage.eu01.onstackit.cloud"
 region                      = "eu01"
 skip_credentials_validation = true
 skip_region_validation      = true
 access_key                  = ""
 secret_key                  = ""