feat: add k8s-oidc-pages-repo TF module

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "terraform"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/labeler.yml

@@ -0,0 +1,20 @@
+version: 1
+labels:
+  - label: size/xs
+    size:
+      below: 10
+  - label: size/s
+    size:
+      above: 10
+      below: 50
+  - label: size/m
+    size:
+      above: 50
+      below: 100
+  - label: size/l
+    size:
+      above: 100
+      below: 500
+  - label: size/xl
+    size:
+      above: 500

.github/workflows/ci.yml

@@ -0,0 +1,143 @@
+name: ci
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: 0 0 * * *
+
+jobs:
+  tofu-fmt:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup OpenTofu
+        uses: opentofu/setup-opentofu@v1
+      - name: Tofu format
+        run: |
+          tofu fmt -check -recursive
+
+  release-please:
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    outputs:
+      releases_created: ${{ steps.release-please.outputs.releases_created }}
+      tag_name: ${{ steps.release-please.outputs.tag_name }}
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - id: release-please
+        name: Release please
+        uses: googleapis/release-please-action@v4
+        with:
+          release-type: simple
+
+  tofu-docs:
+    needs: release-please
+    if: needs.release-please.outputs.releases_created == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Setup Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: 3.x
+      - name: Install dependencies
+        run: |
+          pip install -U pip -r requirements.txt
+      - name: Install Terraform docs
+        run: |
+          curl -Lo ./terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.19.0/terraform-docs-v0.19.0-$(uname)-amd64.tar.gz
+          tar -xzf terraform-docs.tar.gz
+          chmod +x terraform-docs
+          mv terraform-docs /usr/local/bin/terraform-docs
+      - name: Build the doc
+        run: ./scripts/build-docs.sh
+      - name: Configure git
+        run: |
+          git config --global user.name "${{ github.actor }}"
+          git config --global user.email "${{ github.actor }}@users.noreply.github.com"
+      - name: Create version
+        run: |
+          mike deploy --push --force --update-aliases ${{ needs.release-please.outputs.tag_name }} latest
+
+  trivy:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        scan-type:
+          - fs
+          - config
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Run Trivy vulnerability scanner in fs mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: ${{ matrix.scan-type }}
+          scan-ref: "."
+          trivy-config: trivy.yaml
+          format: "sarif"
+          output: "trivy-results.sarif"
+      - name: Upload Trivy results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: trivy-results.sarif
+      - if: always()
+        name: Upload Trivy results to Github Artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-results
+          path: trivy-results.sarif
+
+  kubescape:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: kubescape/github-action@main
+        continue-on-error: true
+        with:
+          frameworks: AllControls
+          outputFile: results.sarif
+          format: sarif
+      - uses: actions/upload-artifact@v4
+        with:
+          name: kubescape-results
+          path: results.sarif
+          if-no-files-found: warn
+          retention-days: 7
+          compression-level: 6
+          overwrite: true
+
+  labeler:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: PR Labeler
+        uses: srvaroa/labeler@master
+        env:
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+        with:
+          config_path: .github/labeler.yml
+          use_local_config: false
+          fail_on_error: false

.gitignore

@@ -0,0 +1,42 @@
+# Created by https://www.toptal.com/developers/gitignore/api/Terraform
+# Edit at https://www.toptal.com/developers/gitignore?templates=Terraform
+
+### Terraform ###
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+# End of https://www.toptal.com/developers/gitignore/api/Terraform
+
+mkdocs

.pre-commit-config.yaml

@@ -0,0 +1,114 @@
+---
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: check-added-large-files
+        args:
+          - --maxkb=800
+      - id: check-ast
+      - id: check-executables-have-shebangs
+      - id: check-json
+      - id: check-shebang-scripts-are-executable
+        exclude: .*templates/.*j2$
+      - id: check-yaml
+        args:
+          - --allow-multiple-documents
+        exclude: |
+          (?x)^(
+              mkdocs.yml
+          )$
+      - id: detect-private-key
+        exclude: |
+          (?x)^(
+              k8s/blueprints/atlantis/helm-values.yml
+          )$
+      - id: detect-aws-credentials
+        args:
+          - --allow-missing-credentials
+      - id: end-of-file-fixer
+        exclude: ads.txt
+      - id: name-tests-test
+      - id: file-contents-sorter
+      - id: requirements-txt-fixer
+      - id: sort-simple-yaml
+      - id: trailing-whitespace
+      - id: fix-byte-order-marker
+      - id: check-builtin-literals
+      - id: check-case-conflict
+      - id: check-builtin-literals
+      - id: check-byte-order-marker
+      - id: check-case-conflict
+      - id: check-docstring-first
+      - id: check-merge-conflict
+      - id: check-symlinks
+      - id: check-toml
+      - id: check-vcs-permalinks
+      - id: check-xml
+      - id: debug-statements
+      - id: destroyed-symlinks
+      - id: fix-byte-order-marker
+      - id: fix-encoding-pragma
+      - id: forbid-new-submodules
+      - id: forbid-submodules
+      - id: mixed-line-ending
+      - id: pretty-format-json
+        args:
+          - --autofix
+        exclude: |
+          (?x)^(
+              .release-please-manifest.json
+          )$
+  - repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
+    rev: v9.19.0
+    hooks:
+      - id: commitlint
+        stages:
+          - commit-msg
+        additional_dependencies:
+          - "@commitlint/config-conventional"
+  - repo: https://github.com/tofuutils/pre-commit-opentofu
+    rev: v2.1.0
+    hooks:
+      - id: tofu_fmt
+      # - id: tfupdate
+      # - id: tofu_validate
+      - id: tofu_tflint
+      # - id: tofu_docs
+      # - id: checkov
+      # - id: infracost_breakdown
+      #   args:
+      #     - --args=--path=.
+      # - id: terraform_trivy
+  - repo: https://github.com/gruntwork-io/pre-commit
+    rev: v0.1.24
+    hooks:
+      # - id: terraform-fmt
+      # - id: terraform-validate
+      # - id: tflint
+      - id: shellcheck
+      - id: terragrunt-hclfmt
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.8.1
+    hooks:
+      - id: ruff
+        types_or:
+          - python
+          - pyi
+          - jupyter
+        args:
+          - --fix
+          - --select=I
+      - id: ruff-format
+        types_or:
+          - python
+          - pyi
+          - jupyter
+  - repo: local
+    hooks:
+      - id: terraform-docs
+        name: terraform-docs
+        entry: ./scripts/build-docs.sh
+        language: system
+        pass_filenames: false
+        always_run: true

.terraform-docs.yml

@@ -0,0 +1,47 @@
+formatter: markdown
+
+version: ""
+
+header-from: main.tf
+footer-from: ""
+
+recursive:
+  enabled: false
+  path: ""
+
+sections:
+  hide: []
+  show: []
+
+content: ""
+
+output:
+  file: ""
+  mode: inject
+  template: |
+    <!-- BEGIN_TF_DOCS -->
+    {{ .Content }}
+    <!-- END_TF_DOCS -->
+
+output-values:
+  enabled: false
+  from: ""
+
+sort:
+  enabled: true
+  by: name
+
+settings:
+  anchor: true
+  color: true
+  default: true
+  description: true
+  escape: true
+  hide-empty: false
+  html: true
+  indent: 2
+  lockfile: true
+  read-comments: true
+  required: true
+  sensitive: true
+  type: true