feat: initial terraform configuration for GitHub org management

Author: xnoto

.checkov.yml

@@ -0,0 +1,13 @@
+block-list-secret-scan: []
+compact: true
+directory:
+  - .
+download-external-modules: false
+evaluate-variables: true
+framework:
+  - all
+output:
+  - cli
+quiet: true
+soft-fail: true
+summary-position: top

.github/workflows/opentofu.yml

@@ -0,0 +1,106 @@
+name: OpenTofu Tests, Plan & Apply
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+env:
+  SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
+
+jobs:
+  test:
+    name: Pre-commit Tests
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/makeitworkcloud/runner:latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Initialize OpenTofu
+        run: tofu init -backend=false
+
+      - name: Run tests
+        run: make test
+
+      - name: Show README.md changes after pre-commit
+        run: |
+          echo "=== Git status after pre-commit ==="
+          git status --porcelain
+          echo "=== Git diff after pre-commit ==="
+          git diff HEAD
+          echo "=== README.md content after pre-commit ==="
+          cat README.md | head -50
+
+  plan:
+    name: OpenTofu Plan
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/makeitworkcloud/runner:latest
+    if: github.event_name == 'pull_request'
+    needs: [test]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: OpenTofu Plan
+        id: plan
+        run: |
+          # Run make plan - Makefile will handle writing plan to file
+          make plan || true
+
+          # Extract only the plan summary - what will actually change
+          # Start from "OpenTofu will perform" and take everything after
+          sed -n '/OpenTofu will perform the following actions:/,$p' plan-output.txt > plan-filtered.txt
+
+          # If no changes, look for "No changes" message
+          if [ ! -s plan-filtered.txt ]; then
+            grep -A 2 "No changes" plan-output.txt > plan-filtered.txt || echo "No plan output found" > plan-filtered.txt
+          fi
+
+          # Limit output to last 1000 lines to prevent "Argument list too long" error
+          # The plan summary with actual changes is at the end, that's what matters
+          tail -n 1000 plan-filtered.txt > plan-filtered-truncated.txt
+          mv plan-filtered-truncated.txt plan-filtered.txt
+
+      - name: Comment PR with Plan
+        uses: actions/github-script@v7
+        if: github.event_name == 'pull_request'
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const fs = require('fs');
+            const planOutput = fs.readFileSync('plan-filtered.txt', 'utf8');
+
+            const output = `#### OpenTofu Plan 📋
+            \`\`\`
+            ${planOutput}
+            \`\`\`
+            `;
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            });
+
+  apply:
+    name: OpenTofu Apply
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/makeitworkcloud/runner:latest
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    needs: [test]
+    environment: production
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: OpenTofu Apply
+        run: make apply

.gitignore

@@ -0,0 +1,16 @@
+# vim swap files
+**/*.sw[po]
+
+# don't commit terraform state or lock. the repo code is the only state we care about.
+# the provider state cache is auto-upgraded by default to ensure compatibility with upstream cloud provider APIs
+**/.terraform.lock.hcl
+**/.terraform
+
+# IDE Folders
+**/.vscode
+
+# Mac Finder cache
+**/.DS_Store
+
+# Plan output
+plan-output.txt

.pre-commit-config.yaml

@@ -0,0 +1,36 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v6.0.0
+  hooks:
+    - id: check-case-conflict
+    - id: check-merge-conflict
+    - id: check-symlinks
+    - id: check-vcs-permalinks
+    - id: destroyed-symlinks
+    - id: detect-private-key
+    - id: mixed-line-ending
+    - id: trailing-whitespace
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.100.0
+  hooks:
+    - id: terraform_validate
+      args:
+        - --hook-config=--retry-once-with-cleanup=true
+        - --args=-no-color
+        - --tf-init-args=-reconfigure
+        - --tf-init-args=-upgrade
+    - id: terraform_tflint
+      args:
+        - --args=--minimum-failure-severity=error
+        - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
+    - id: terraform_checkov
+      args:
+        - --args=--config-file __GIT_WORKING_DIR__/.checkov.yml
+    - id: terraform_fmt
+      args:
+        - --args=-no-color
+        - --args=-diff
+        - --args=-recursive
+    - id: terraform_docs
+      args:
+        - --args=--config=.terraform-docs.yml

.sops.yaml

@@ -0,0 +1,3 @@
+---
+creation_rules:
+  - age: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l

.terraform-docs.yml

@@ -0,0 +1,18 @@
+formatter: "markdown"
+
+output:
+  file: "README.md"
+  mode: replace
+
+settings:
+  color: false
+  lockfile: false
+
+sort:
+  enabled: true
+  by: name
+
+# recursive can't be enabled until this bug is fixed:
+# https://github.com/terraform-docs/terraform-docs/issues/654
+recursive:
+  enabled: false

.tflint.hcl

@@ -0,0 +1,12 @@
+plugin "terraform" {
+  enabled = true
+  preset  = "recommended"
+}
+
+rule "terraform_required_providers" {
+  enabled = false
+}
+
+rule "terraform_required_version" {
+  enabled = false
+}

.tfsec.yml

@@ -0,0 +1,5 @@
+---
+min_required_version: 1.28.1
+minimum_severity: LOW
+severity_overrides: {}
+exclude: []