npm - create-interview-cockpit - Versions diffs - 0.29.0 → 0.30.0 - Mend

create-interview-cockpit 0.29.0 → 0.30.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/package.json +1 -1
package/template/client/src/awsGovernanceIamLab.ts +526 -0
package/template/client/src/components/LabsPanel.tsx +14 -0
package/template/client/src/githubActionsLab.ts +233 -0
package/template/cockpit.json +1 -1

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "create-interview-cockpit",
-  "version": "0.29.0",
+  "version": "0.30.0",
   "description": "Scaffold a personal AI-powered interview prep cockpit",
   "type": "module",
   "bin": {

package/template/client/src/awsGovernanceIamLab.ts ADDED Viewed

@@ -0,0 +1,526 @@
+import type { InfraLabWorkspace } from "./types";
+// Mirrors the structure of a real `governance-iam` Terraform module
+// (roles, policies, attachments, users, OIDC providers, multi-account
+// `for_each` expansion) but trimmed down so it can run end-to-end
+// against LocalStack inside the Infra Lab runner.
+//
+// What works on LocalStack (free):
+//   - aws_iam_policy / aws_iam_role / *_policy_attachment / aws_iam_user
+//   - aws_iam_openid_connect_provider (object exists, trust is not exercised)
+//
+// What does NOT work realistically on LocalStack (left as plan-only / read):
+//   - real cross-account assume-role via Organizations
+//   - real OIDC federation (Azure DevOps, EKS IRSA, etc.)
+export const AWS_GOVERNANCE_IAM_FILES: Record<string, string> = {
+  "README.md": `# AWS Governance IAM Lab
+Practice the *shape* of an enterprise \`governance-iam\` Terraform module
+against LocalStack. You get the same patterns the real module uses:
+1. **OIDC providers** (\`aws_iam_openid_connect_provider\`)
+2. **Custom IAM policies** loaded from JSON files in \`policy/\`
+3. **IAM roles** with trust documents from \`assume_role/\`
+4. **Policy attachments** (custom + AWS-managed)
+5. **IAM users** with attachments
+6. **Multi-account expansion** via \`for_each\` keyed as \`account/name\`
+## How to run it
+In the Infra Lab console, one command at a time:
+1. \`terraform init\`
+2. \`terraform validate\`
+3. \`terraform plan -out=tfplan\`
+4. \`terraform apply -auto-approve\`
+5. Inspect with \`terraform state list\` and \`terraform show\`
+6. \`terraform destroy -auto-approve\` when done
+## What's real vs simulated
+LocalStack accepts the IAM CRUD calls, so all roles/policies/users/attachments
+are actually created. The OIDC providers are stored as objects, but no real
+external identity (Azure DevOps, EKS, GKE) can federate into them here.
+For the real federation handshake, you'd point this at a free-tier AWS
+account by replacing the \`endpoints\` block in \`provider.tf\` and giving
+real credentials.
+## Multi-account note
+LocalStack free tier is single-account, so the two "accounts"
+(\`access\`, \`workload\`) are simulated by provider aliases pointing at the
+same LocalStack endpoint. The \`for_each\` and \`account/name\` key shape is
+the same as in a real Organizations setup — flip the endpoints and you can
+reuse it as-is.
+## Suggested experiments
+- Add a new JSON file in \`policy/\` and reference it in \`terraform.tfvars\`.
+- Add a new role in \`terraform.tfvars\` and watch the keyspace expand.
+- Change a trust policy in \`assume_role/\` and run \`terraform plan\` to see
+  the in-place update.
+- Try \`terraform plan\` after removing an attachment to learn how detach
+  works without destroying the role.
+`,
+  "provider.tf": `terraform {
+  required_version = ">= 1.5.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
+# Two provider aliases simulate the multi-account fan-out used by the real
+# governance-iam module. Both point at the same LocalStack endpoint here;
+# in production they would target different AWS accounts via assume-role.
+provider "aws" {
+  alias                       = "access"
+  region                      = "us-east-1"
+  access_key                  = "test"
+  secret_key                  = "test"
+  skip_credentials_validation = true
+  skip_metadata_api_check     = true
+  skip_requesting_account_id  = true
+  endpoints {
+    iam = "http://localhost:4566"
+    sts = "http://localhost:4566"
+  }
+}
+provider "aws" {
+  alias                       = "workload"
+  region                      = "us-east-1"
+  access_key                  = "test"
+  secret_key                  = "test"
+  skip_credentials_validation = true
+  skip_metadata_api_check     = true
+  skip_requesting_account_id  = true
+  endpoints {
+    iam = "http://localhost:4566"
+    sts = "http://localhost:4566"
+  }
+}
+`,
+  "variables.tf": `# Logical inputs that mirror the real module. Swap values in
+# terraform.tfvars to re-shape the deployment without touching main.tf.
+variable "accounts" {
+  description = "Logical AWS account name -> provider alias key."
+  type        = map(string)
+  default = {
+    access   = "access"
+    workload = "workload"
+  }
+}
+variable "policies" {
+  description = "Custom policies to create. Keyed as <account>/<name>."
+  type = map(object({
+    path        = string
+    description = string
+  }))
+  default = {}
+}
+variable "roles" {
+  description = "Roles to create. Keyed as <account>/<name>."
+  type = map(object({
+    name                        = string
+    assume_role_policy_file     = string
+    assume_role_policy_variable = map(string)
+    custom_policies             = list(string) # tf_policy_keys to attach
+    managed_policy_arns         = list(string) # AWS-managed ARNs to attach
+  }))
+  default = {}
+}
+variable "users" {
+  description = "IAM users to create. Keyed as <account>/<name>."
+  type = map(object({
+    name                = string
+    custom_policies     = list(string)
+    managed_policy_arns = list(string)
+  }))
+  default = {}
+}
+variable "oidc_identity" {
+  description = "OIDC providers to register. Keyed as <account>/<label>."
+  type = map(object({
+    account    = string
+    oidc_url   = string
+    audiences  = list(string)
+    thumbprint = list(string)
+  }))
+  default = {}
+}
+`,
+  "local.tf": `# Real governance-iam splits a single declaration into per-account
+# resources. We do the same here; the keys are "<account>/<name>" so a
+# role declared in two accounts becomes two distinct resources.
+locals {
+  account_policies = var.policies
+  account_roles    = var.roles
+  account_users    = var.users
+  # Flatten role -> custom policy attachments.
+  custom_role_attachments = merge([
+    for role_key, role in var.roles : {
+      for pol_key in role.custom_policies :
+      "\${role_key}::\${pol_key}" => {
+        tf_role_key   = role_key
+        tf_policy_key = pol_key
+      }
+    }
+  ]...)
+  # Flatten role -> AWS-managed policy attachments.
+  managed_role_attachments = merge([
+    for role_key, role in var.roles : {
+      for arn in role.managed_policy_arns :
+      "\${role_key}::\${arn}" => {
+        tf_role_key = role_key
+        policy_arn  = arn
+      }
+    }
+  ]...)
+  custom_user_attachments = merge([
+    for user_key, user in var.users : {
+      for pol_key in user.custom_policies :
+      "\${user_key}::\${pol_key}" => {
+        tf_user_key   = user_key
+        tf_policy_key = pol_key
+      }
+    }
+  ]...)
+  managed_user_attachments = merge([
+    for user_key, user in var.users : {
+      for arn in user.managed_policy_arns :
+      "\${user_key}::\${arn}" => {
+        tf_user_key = user_key
+        policy_arn  = arn
+      }
+    }
+  ]...)
+}
+`,
+  "main.tf": `# @ref: aws-oidc-provider
+# Trust links so external systems (ADO, EKS, GKE) can federate without
+# storing AWS keys. On LocalStack the object is created but no real JWT
+# is verified against it.
+resource "aws_iam_openid_connect_provider" "oidc" {
+  for_each = var.oidc_identity
+  provider = aws.access
+  url             = each.value.oidc_url
+  client_id_list  = each.value.audiences
+  thumbprint_list = each.value.thumbprint
+}
+# @ref: aws-custom-policy
+# Custom permission documents loaded from JSON files in ./policy.
+# The split() trick is what the real module uses to derive a name from
+# the "<account>/<group>/<file>.json" key shape.
+resource "aws_iam_policy" "policies" {
+  for_each = local.account_policies
+  provider = aws.access
+  name        = split("/", each.key)[1]
+  description = each.value.description
+  policy      = file("\${path.module}/policy/\${each.value.path}")
+}
+# @ref: aws-iam-role
+# Trust policy != permission policy. The trust policy answers
+# "who is allowed to become this role?". Permissions come from attachments.
+resource "aws_iam_role" "roles" {
+  for_each = local.account_roles
+  provider = aws.access
+  name = each.value.name
+  assume_role_policy = templatefile(
+    "\${path.module}/assume_role/\${each.value.assume_role_policy_file}",
+    each.value.assume_role_policy_variable,
+  )
+}
+# @ref: aws-role-policy-attachment (custom)
+resource "aws_iam_role_policy_attachment" "custom_role_policy" {
+  for_each = local.custom_role_attachments
+  provider = aws.access
+  role       = aws_iam_role.roles[each.value.tf_role_key].name
+  policy_arn = aws_iam_policy.policies[each.value.tf_policy_key].arn
+}
+# @ref: aws-role-policy-attachment (managed)
+resource "aws_iam_role_policy_attachment" "managed_role_policy" {
+  for_each = local.managed_role_attachments
+  provider = aws.access
+  role       = aws_iam_role.roles[each.value.tf_role_key].name
+  policy_arn = each.value.policy_arn
+}
+# @ref: aws-iam-user
+# Long-lived identity. Kept as an exercise; modern setups prefer roles
+# + federation, but the real module still supports both.
+resource "aws_iam_user" "users" {
+  for_each = local.account_users
+  provider = aws.access
+  name          = each.value.name
+  path          = "/"
+  force_destroy = true
+}
+resource "aws_iam_user_policy_attachment" "custom_user_policy" {
+  for_each = local.custom_user_attachments
+  provider = aws.access
+  user       = aws_iam_user.users[each.value.tf_user_key].name
+  policy_arn = aws_iam_policy.policies[each.value.tf_policy_key].arn
+}
+resource "aws_iam_user_policy_attachment" "managed_user_policy" {
+  for_each = local.managed_user_attachments
+  provider = aws.access
+  user       = aws_iam_user.users[each.value.tf_user_key].name
+  policy_arn = each.value.policy_arn
+}
+`,
+  "ado.tf": `# @ref: aws-ado-role
+# Mirrors the real ado.tf: a per-account role assumed by an Azure DevOps
+# pipeline via OIDC, with AdministratorAccess attached. On LocalStack the
+# role exists but the actual federation handshake is not exercised.
+locals {
+  ado_accounts = ["access", "workload"]
+}
+resource "aws_iam_role" "ado_role" {
+  for_each = toset(local.ado_accounts)
+  provider = aws.access
+  name = "ado-role-\${each.key}"
+  assume_role_policy = templatefile(
+    "\${path.module}/assume_role/ado-assume-role.json",
+    {
+      account_id  = "000000000000"
+      environment = "lab"
+    },
+  )
+}
+resource "aws_iam_role_policy_attachment" "ado_admin" {
+  for_each = toset(local.ado_accounts)
+  provider = aws.access
+  role       = aws_iam_role.ado_role[each.key].name
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+resource "aws_iam_role" "ado_readonly" {
+  for_each = toset(local.ado_accounts)
+  provider = aws.access
+  name = "ado-role-readonly-\${each.key}"
+  assume_role_policy = templatefile(
+    "\${path.module}/assume_role/ado-assume-role.json",
+    {
+      account_id  = "000000000000"
+      environment = "lab"
+    },
+  )
+}
+resource "aws_iam_role_policy_attachment" "ado_readonly" {
+  for_each = toset(local.ado_accounts)
+  provider = aws.access
+  role       = aws_iam_role.ado_readonly[each.key].name
+  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+}
+`,
+  "outputs.tf": `output "policy_arns" {
+  description = "ARNs of all custom policies that were created."
+  value       = { for k, p in aws_iam_policy.policies : k => p.arn }
+}
+output "role_arns" {
+  description = "ARNs of all roles that were created."
+  value       = { for k, r in aws_iam_role.roles : k => r.arn }
+}
+output "ado_role_arns" {
+  description = "ARNs of the Azure DevOps deployment roles."
+  value       = { for k, r in aws_iam_role.ado_role : k => r.arn }
+}
+`,
+  "terraform.tfvars": `# Sample data that drives the module. Everything below is what would
+# normally live in variables.<env>.tfvars in the real repo.
+policies = {
+  "access/external-dns-policy-v1" = {
+    path        = "external-dns-policy-v1.json"
+    description = "Allows external-dns to manage Route53 records."
+  }
+  "access/cloudwatch-exporter-policy-v1" = {
+    path        = "cloudwatch-exporter-policy-v1.json"
+    description = "Allows the cloudwatch exporter to read metrics."
+  }
+}
+roles = {
+  "access/external-dns" = {
+    name                        = "external-dns-role"
+    assume_role_policy_file     = "eks-irsa-assume-role.json"
+    assume_role_policy_variable = {
+      account_id     = "000000000000"
+      oidc_provider  = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633"
+      namespace      = "kube-system"
+      service_account = "external-dns"
+    }
+    custom_policies = [
+      "access/external-dns-policy-v1",
+    ]
+    managed_policy_arns = []
+  }
+  "access/cw-exporter" = {
+    name                        = "cloudwatch-exporter-role"
+    assume_role_policy_file     = "eks-irsa-assume-role.json"
+    assume_role_policy_variable = {
+      account_id     = "000000000000"
+      oidc_provider  = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633"
+      namespace      = "monitoring"
+      service_account = "cloudwatch-exporter"
+    }
+    custom_policies = [
+      "access/cloudwatch-exporter-policy-v1",
+    ]
+    managed_policy_arns = [
+      "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess",
+    ]
+  }
+}
+users = {
+  "access/break-glass" = {
+    name = "break-glass-admin"
+    custom_policies = []
+    managed_policy_arns = [
+      "arn:aws:iam::aws:policy/ReadOnlyAccess",
+    ]
+  }
+}
+oidc_identity = {
+  "access/eks-main" = {
+    account    = "access"
+    oidc_url   = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633"
+    audiences  = ["sts.amazonaws.com"]
+    thumbprint = ["9e99a48a9960b14926bb7f3b02e22da2b0ab7280"]
+  }
+  "access/azure-devops" = {
+    account    = "access"
+    oidc_url   = "https://vstoken.dev.azure.com/00000000-0000-0000-0000-000000000000"
+    audiences  = ["api://AzureADTokenExchange"]
+    thumbprint = ["9e99a48a9960b14926bb7f3b02e22da2b0ab7280"]
+  }
+}
+`,
+  "policy/external-dns-policy-v1.json": `{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "route53:ChangeResourceRecordSets"
+      ],
+      "Resource": "arn:aws:route53:::hostedzone/*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "route53:ListHostedZones",
+        "route53:ListResourceRecordSets"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+`,
+  "policy/cloudwatch-exporter-policy-v1.json": `{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "cloudwatch:GetMetricData",
+        "cloudwatch:GetMetricStatistics",
+        "cloudwatch:ListMetrics",
+        "tag:GetResources"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+`,
+  "assume_role/eks-irsa-assume-role.json": `{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "arn:aws:iam::\${account_id}:oidc-provider/\${oidc_provider}"
+      },
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "StringEquals": {
+          "\${oidc_provider}:sub": "system:serviceaccount:\${namespace}:\${service_account}",
+          "\${oidc_provider}:aud": "sts.amazonaws.com"
+        }
+      }
+    }
+  ]
+}
+`,
+  "assume_role/ado-assume-role.json": `{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "arn:aws:iam::\${account_id}:oidc-provider/vstoken.dev.azure.com/00000000-0000-0000-0000-000000000000"
+      },
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "StringEquals": {
+          "vstoken.dev.azure.com/00000000-0000-0000-0000-000000000000:aud": "api://AzureADTokenExchange"
+        },
+        "StringLike": {
+          "vstoken.dev.azure.com/00000000-0000-0000-0000-000000000000:sub": "sc://my-org/my-project/\${environment}-*"
+        }
+      }
+    }
+  ]
+}
+`,
+};
+export const AWS_GOVERNANCE_IAM_LAB: InfraLabWorkspace = {
+  version: 1,
+  label: "AWS Governance IAM Lab",
+  provider: "aws",
+  executionMode: "localstack",
+  activeFile: "README.md",
+  files: AWS_GOVERNANCE_IAM_FILES,
+};

package/template/client/src/components/LabsPanel.tsx CHANGED Viewed

@@ -8,12 +8,14 @@ import {
   parseInfraLabWorkspace,
 } from "../infraLab";
 import {
+  AWS_GOVERNANCE_GHA_LAB,
   DEFAULT_GHA_LAB,
   GOVERNANCE_GHA_LAB,
   parseGhaLabWorkspace,
   REACT_VITE_TYPESCRIPT_GHA_LAB,
 } from "../githubActionsLab";
 import { ENTERPRISE_LOCAL_AUTH_LAB } from "../enterpriseLocalLab";
+import { AWS_GOVERNANCE_IAM_LAB } from "../awsGovernanceIamLab";
 import {
   parseFrontendLabWorkspace,
   ISOLATED_MODULE_FEDERATION_LAB,
@@ -672,6 +674,12 @@ export default function LabsPanel() {
                   "Terraform deploys NestJS BFF, OIDC mock, Redis & claims API",
                 onClick: () => openInfraLab(ENTERPRISE_LOCAL_AUTH_LAB),
               },
+              {
+                label: "AWS Governance IAM",
+                description:
+                  "Roles, policies, attachments, users & OIDC mirroring a real governance-iam module on LocalStack",
+                onClick: () => openInfraLab(AWS_GOVERNANCE_IAM_LAB),
+              },
             ]}
             onOpen={openInfraFile}
             openTitle="Open in Infrastructure Lab"
@@ -703,6 +711,12 @@ export default function LabsPanel() {
                   "PLF-style mono-repo: CODEOWNERS, PR template, Azure PIM/Policy + AWS IAM deploy workflows, offboarding",
                 onClick: () => openGhaLab(GOVERNANCE_GHA_LAB),
               },
+              {
+                label: "AWS Governance IAM via GitHub Actions",
+                description:
+                  "PR plan + main-branch apply workflows that drive a real Terraform IAM module against LocalStack via a reusable composite action",
+                onClick: () => openGhaLab(AWS_GOVERNANCE_GHA_LAB),
+              },
             ]}
             onOpen={openGhaFile}
             openTitle="Open in GitHub Lab"

package/template/client/src/githubActionsLab.ts CHANGED Viewed

@@ -12,6 +12,7 @@ import type {
   GithubLabRulesetRules,
 } from "./types";
 import { rulesetFromLegacyProtection } from "./codeowners";
+import { AWS_GOVERNANCE_IAM_FILES } from "./awsGovernanceIamLab";
 // ─── Default GitHub Lab "org" roster ────────────────────────────────────
 //
@@ -2169,6 +2170,238 @@ Write-Host "\`nDone. DryRun=$DryRun"
 `,
 };
+// ─── AWS Governance IAM via GitHub Actions ───────────────────────────────
+//
+// Combines the Infra Lab's `governance-iam` Terraform module with a
+// GitHub-Actions-driven deploy flow that mirrors the real PLF setup, but
+// runs entirely locally via `act` + LocalStack:
+//
+//   - PR opens / updates  → `terraform-pr.yml`  runs `tofu plan`
+//   - merge to main       → `terraform-ci.yml`  runs `tofu apply`
+//   - shared steps live in a composite action `./.github/actions/run-tofu-action`
+//
+// LocalStack is reachable from the act runner container at
+// `host.docker.internal:4566` on macOS / Windows, and via the
+// `--network host` runner override (or the literal IP) on Linux.
+const AWS_IAM_GHA_FILES: Record<string, string> = {
+  "README.md": `# AWS Governance IAM — GitHub Actions Lab
+End-to-end mimic of the real PLF \`governance-iam\` deploy flow, but driven
+by **GitHub Actions** (not Azure DevOps) and pointed at **LocalStack**
+instead of real AWS.
+## What this lab demonstrates
+1. \`PR opens\`        → workflow runs \`tofu plan\` (read-only preview)
+2. \`merge to main\`   → workflow runs \`tofu apply\` (deploy)
+3. **Composite action** \`./.github/actions/run-tofu-action\` factors out the
+   init/plan/apply boilerplate, exactly like the real repo's reusable action.
+4. **Auth** is faked with static \`test\` credentials and a LocalStack
+   endpoint — the *shape* matches \`provider.tf\`'s assume-role pattern.
+## How to run it
+In the right pane, pick an event + workflow and click **Run**. Useful combos:
+- \`pull_request\` + \`terraform-pr.yml\`  → simulates a plan run on a PR
+- \`push\`         + \`terraform-ci.yml\`  → simulates an apply on main
+- \`workflow_dispatch\` + either workflow → manual trigger
+You also need LocalStack running on \`localhost:4566\` on your host. The
+runner container reaches it via \`host.docker.internal:4566\`.
+## How this maps to the real PLF setup
+| Real PLF                              | This lab                                        |
+| ------------------------------------- | ----------------------------------------------- |
+| Azure DevOps pipeline (\`pr.yml\`)      | GitHub Actions workflow \`terraform-pr.yml\`     |
+| Azure DevOps pipeline (\`ci.yml\`)      | GitHub Actions workflow \`terraform-ci.yml\`     |
+| Shared template \`deploy-aws.yml\`      | Composite action \`run-tofu-action\`            |
+| AWS service connection                | Static \`test\` creds + LocalStack endpoint     |
+| Azure OIDC for state backend          | Local state file (no remote backend)            |
+| \`assume_role\` to target accounts     | Single LocalStack account, dual provider alias  |
+## File map
+- \`.github/workflows/terraform-pr.yml\`   — plan on PR
+- \`.github/workflows/terraform-ci.yml\`   — apply on push to main
+- \`.github/actions/run-tofu-action/\`     — reusable plan/apply steps
+- \`.github/CODEOWNERS\`                   — PR review routing
+- \`terraform/\`                            — full governance-iam module
+`,
+  ".github/CODEOWNERS": `# Reviewers auto-requested when terraform/ changes.
+/terraform/        @acme/platform
+/.github/          @acme/platform
+*.md               @acme/docs
+`,
+  ".github/pull_request_template.md": `## Summary
+<!-- What does this change to the IAM module? -->
+## Plan output
+\`\`\`
+<!-- Paste the relevant section of \`tofu plan\` here -->
+\`\`\`
+## Checklist
+- [ ] PR title follows conventional-commit style
+- [ ] \`terraform-pr.yml\` shows a clean plan
+- [ ] No unintended role/policy deletions
+`,
+  ".github/workflows/terraform-pr.yml": `name: terraform-pr
+# PR-only workflow. Mirrors the real PLF \`pr.yml\`: run a plan, never apply.
+on:
+  pull_request:
+    paths:
+      - "terraform/**"
+      - ".github/workflows/terraform-*.yml"
+      - ".github/actions/run-tofu-action/**"
+  workflow_dispatch:
+permissions:
+  contents: read
+  pull-requests: write
+jobs:
+  plan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Plan IAM module
+        uses: ./.github/actions/run-tofu-action
+        with:
+          working-directory: terraform
+          mode: plan
+`,
+  ".github/workflows/terraform-ci.yml": `name: terraform-ci
+# Main-branch workflow. Mirrors the real PLF \`ci.yml\`: apply after merge.
+on:
+  push:
+    branches: [main]
+    paths:
+      - "terraform/**"
+      - ".github/workflows/terraform-*.yml"
+      - ".github/actions/run-tofu-action/**"
+  workflow_dispatch:
+permissions:
+  contents: read
+jobs:
+  apply:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Apply IAM module
+        uses: ./.github/actions/run-tofu-action
+        with:
+          working-directory: terraform
+          mode: apply
+`,
+  ".github/actions/run-tofu-action/action.yml": `# Reusable composite action — same idea as the real repo's run-tofu-action.
+# Hides the OpenTofu install + init + plan/apply behind a single \`uses:\`.
+name: "Run OpenTofu"
+description: "Install OpenTofu, init, then plan or apply against LocalStack."
+inputs:
+  working-directory:
+    description: "Folder containing the Terraform/OpenTofu config."
+    required: true
+  mode:
+    description: "Either 'plan' or 'apply'."
+    required: true
+    default: "plan"
+runs:
+  using: "composite"
+  steps:
+    - name: Install OpenTofu
+      shell: bash
+      run: |
+        curl -fsSL https://get.opentofu.org/install-opentofu.sh -o /tmp/install-opentofu.sh
+        chmod +x /tmp/install-opentofu.sh
+        /tmp/install-opentofu.sh --install-method standalone --skip-verify
+        tofu --version
+    - name: Tofu init
+      shell: bash
+      working-directory: \${{ inputs.working-directory }}
+      env:
+        AWS_ACCESS_KEY_ID: test
+        AWS_SECRET_ACCESS_KEY: test
+        AWS_DEFAULT_REGION: us-east-1
+      run: tofu init -input=false
+    - name: Tofu plan
+      if: \${{ inputs.mode == 'plan' }}
+      shell: bash
+      working-directory: \${{ inputs.working-directory }}
+      env:
+        AWS_ACCESS_KEY_ID: test
+        AWS_SECRET_ACCESS_KEY: test
+        AWS_DEFAULT_REGION: us-east-1
+      run: tofu plan -input=false -no-color
+    - name: Tofu apply
+      if: \${{ inputs.mode == 'apply' }}
+      shell: bash
+      working-directory: \${{ inputs.working-directory }}
+      env:
+        AWS_ACCESS_KEY_ID: test
+        AWS_SECRET_ACCESS_KEY: test
+        AWS_DEFAULT_REGION: us-east-1
+      run: tofu apply -input=false -auto-approve -no-color
+`,
+  ".actrc": `# Pin the runner image so installs are reproducible across machines.
+-P ubuntu-latest=catthehacker/ubuntu:act-latest
+--container-architecture linux/amd64
+`,
+  // Inline the full governance-iam Terraform module under \`terraform/\` so
+  // the workflows have something real to plan/apply against.
+  ...Object.fromEntries(
+    Object.entries(AWS_GOVERNANCE_IAM_FILES).map(([path, body]) => {
+      // The IAM module assumes provider endpoints point at \`localhost:4566\`,
+      // but the act runner is a separate container and can't reach
+      // \`localhost\` on the host. Rewrite to host.docker.internal so the
+      // workflow run actually succeeds.
+      const rewritten =
+        path === "provider.tf"
+          ? body.replace(
+              /http:\/\/localhost:4566/g,
+              "http://host.docker.internal:4566",
+            )
+          : body;
+      return [`terraform/${path}`, rewritten];
+    }),
+  ),
+};
+export const AWS_GOVERNANCE_GHA_LAB: GithubActionsLabWorkspace = {
+  version: 1,
+  label: "AWS Governance IAM via GitHub Actions",
+  activeFile: ".github/workflows/terraform-pr.yml",
+  defaultEvent: "pull_request",
+  defaultWorkflow: ".github/workflows/terraform-pr.yml",
+  files: AWS_IAM_GHA_FILES,
+  ghOrg: DEFAULT_GH_LAB_ORG,
+  rulesets: DEFAULT_GH_LAB_RULESETS,
+  pullRequest: DEFAULT_GH_LAB_PULL_REQUEST,
+};
 export const GOVERNANCE_GHA_LAB: GithubActionsLabWorkspace = {
   version: 1,
   label: "Platform Governance Template",

package/template/cockpit.json CHANGED Viewed

@@ -1,3 +1,3 @@
 {
-  "version": "0.28.0"
+  "version": "0.29.0"
 }