feat: test live coding 6

Author: Timothée Aufort

.amazonq/agents/default.json

@@ -0,0 +1,71 @@
+{
+  "name": "q_ide_default",
+  "description": "Default agent configuration",
+  "prompt": "",
+  "mcpServers": {
+    "terraform": {
+      "command": "docker",
+      "args": [
+        "run",
+        "-i",
+        "--rm",
+        "hashicorp/terraform-mcp-server:0.3"
+      ]
+    }
+  },
+  "tools": [
+    "fs_read",
+    "execute_bash",
+    "fs_write",
+    "report_issue",
+    "use_aws",
+    "@terraform",
+    "fsRead",
+    "fsWrite",
+    "fsReplace",
+    "listDirectory",
+    "fileSearch",
+    "executeBash",
+    "codeReview",
+    "displayFindings"
+  ],
+  "toolAliases": {},
+  "allowedTools": [
+    "fs_read",
+    "report_issue",
+    "use_aws",
+    "execute_bash",
+    "fs_write",
+    "fsRead",
+    "listDirectory",
+    "fileSearch",
+    "codeReview",
+    "displayFindings"
+  ],
+  "toolsSettings": {
+    "use_aws": {
+      "alwaysAllow": [
+        {
+          "preset": "readOnly"
+        }
+      ]
+    },
+    "execute_bash": {
+      "alwaysAllow": [
+        {
+          "preset": "readOnly"
+        }
+      ]
+    }
+  },
+  "resources": [
+    "file://AmazonQ.md",
+    "file://README.md",
+    "file://.amazonq/rules/**/*.md"
+  ],
+  "hooks": {
+    "agentSpawn": [],
+    "userPromptSubmit": []
+  },
+  "useLegacyMcpJson": true
+}

.amazonq/rules/common.md

@@ -0,0 +1,7 @@
+# Common best Practices
+
+## Linting and testing
+
+- Use pre-commit to lint the code
+- Run "pre-commit run -a" before commiting/pushing to git remote
+- Use common hooks from https://github.com/pre-commit/pre-commit-hooks

.amazonq/rules/github_actions.md

@@ -5,3 +5,4 @@ When generating or modifying GitHub actions template files, follow these best pr
 ## Code Best Practices
 
 - When you use setup-* actions, try to get the latest versions of the software you need to install
+- Use pre-commit to run the hooks of the repository in the CI and install required software so hooks can work

.amazonq/rules/terraform_aws.md

@@ -76,8 +76,9 @@ When generating or modifying Terraform code for AWS, follow these best practices
 - To avoid regressions, it is best to fix dependency versions.
 - For Terraform OSS modules, use a fixed version (preferably the latest available on the Terraform registry) in the module version field
 
-## Testing
+## Linting and testing
 
+- Use pre-commit to lint the code with the following hooks: terraform_fmt, terraform_validate, terraform_docs, terraform_docs, terraform_trivy
 - Each validator for Terraform input variables must be tested, but only failed cases.
 - For each module generated, an example must be provided.
 - For each example, there must be a test that runs it.

.github/workflows/vpc-demo-deploy.yml

@@ -0,0 +1,95 @@
+name: VPC Demo - Terraform Deploy
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'vpc-demo/**'
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'vpc-demo/**'
+  workflow_dispatch:
+
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write
+
+jobs:
+  terraform:
+    name: Terraform
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: vpc-demo
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.13.5
+          terraform_wrapper: false
+
+      - name: Install terraform-docs
+        run: |
+          curl -sSLo /tmp/terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.19.0/terraform-docs-v0.19.0-linux-amd64.tar.gz
+          tar -xzf /tmp/terraform-docs.tar.gz -C /tmp
+          sudo mv /tmp/terraform-docs /usr/local/bin/
+
+      - name: Install trivy
+        run: |
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+
+      - name: Run pre-commit
+        uses: pre-commit/[email protected]
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions-role
+          aws-region: eu-west-3
+
+      - name: Terraform Init
+        run: terraform init
+
+      - name: Terraform Plan
+        id: plan
+        run: terraform plan -no-color -var="aws_profile=" -out=tfplan
+        continue-on-error: true
+
+      - name: Comment PR
+        if: github.event_name == 'pull_request'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const output = `#### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
+
+            <details><summary>Show Plan</summary>
+
+            \`\`\`terraform
+            ${{ steps.plan.outputs.stdout }}
+            \`\`\`
+
+            </details>`;
+
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            })
+
+      - name: Terraform Apply
+        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+        run: terraform apply -auto-approve -var="aws_profile=" tfplan

.gitignore

@@ -10,8 +10,8 @@ crash.log
 crash.*.log
 
 # Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version 
-# control as they are data points which are potentially sensitive and subject 
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
 *.tfvars
 *.tfvars.json

.pre-commit-config.yaml

@@ -0,0 +1,20 @@
+repos:
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.96.2
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_validate
+      - id: terraform_docs
+        args:
+          - --hook-config=--path-to-file=README.md
+          - --hook-config=--add-to-existing-file=true
+          - --hook-config=--create-file-if-not-exists=true
+      - id: terraform_trivy
+        args:
+          - --args=--severity=HIGH,CRITICAL
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+      - id: check-merge-conflict
+      - id: end-of-file-fixer
+      - id: trailing-whitespace

README.md

@@ -49,7 +49,7 @@ git checkout -b live-coding-5
 Prompt enrichi via les Q rules, le serveur MCP Terraform et code généré à partir d'un schéma Excalidraw ajouté dans le contexte du prompt suivant :
 
 ```
-Create the Terraform code from the schema. 
+Create the Terraform code from the schema.
 ```
 
 ## Live coding 6

github-oidc/.terraform.lock.hcl

@@ -0,0 +1,59 @@
+# GitHub OIDC Provider for AWS
+
+This Terraform configuration creates an IAM OIDC provider for GitHub Actions and an IAM role that can be assumed by your GitHub workflows.
+
+## Prerequisites
+
+- AWS CLI configured with profile `ippon-data-lab`
+- Terraform 1.10.5
+
+## Usage
+
+1. Copy the example variables file:
+```bash
+cp terraform.tfvars.example terraform.tfvars
+```
+
+2. Edit `terraform.tfvars` with your GitHub organization and repository:
+```hcl
+github_org  = "your-org"
+github_repo = "aws-q-academy"
+```
+
+3. Initialize Terraform:
+```bash
+terraform init
+```
+
+4. Apply the configuration:
+```bash
+terraform apply
+```
+
+## GitHub Actions Workflow
+
+Use the role in your GitHub Actions workflow:
+
+```yaml
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::721665305066:role/github-actions-role
+          aws-region: eu-west-3
+
+      - name: Run AWS commands
+        run: aws sts get-caller-identity
+```
+
+## Resources Created
+
+- IAM OIDC Provider for GitHub Actions
+- IAM Role with AdministratorAccess (adjust permissions as needed)