Man2Dev
diff --git a/‎.github/workflows/deploy.yml‎
Lines changed: 88 additions & 0 deletions b/‎.github/workflows/deploy.yml‎
Lines changed: 88 additions & 0 deletions
diff --git a/‎.github/workflows/pr-check.yml‎
Lines changed: 37 additions & 0 deletions b/‎.github/workflows/pr-check.yml‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎.github/workflows/terraform-validate.yml‎
Lines changed: 110 additions & 0 deletions b/‎.github/workflows/terraform-validate.yml‎
Lines changed: 110 additions & 0 deletions
@@ -0,0 +1,88 @@
+name: Deploy to AWS
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Deployment environment'
+        required: true
+        default: 'dev'
+        type: choice
+        options:
+          - dev
+          - prod
+
+env:
+  TF_VERSION: "1.5.0"
+  AWS_REGION: "us-east-1"
+
+jobs:
+  deploy:
+    name: Deploy Infrastructure
+    runs-on: ubuntu-latest
+    environment: ${{ github.event.inputs.environment }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.9"
+
+      - name: Build Lambda Package
+        run: |
+          mkdir -p package
+          pip install -r requirements.txt -t ./package
+          cp handler.py package/
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TF_VERSION }}
+
+      - name: Create terraform.tfvars
+        run: |
+          cat > terraform.tfvars <<EOF
+          telegram_token     = "${{ secrets.TELEGRAM_TOKEN }}"
+          lab_role_arn       = "${{ secrets.LAB_ROLE_ARN }}"
+          environment        = "${{ github.event.inputs.environment }}"
+          log_retention_days = 14
+          EOF
+
+      - name: Terraform Init
+        run: terraform init
+
+      - name: Terraform Plan
+        run: terraform plan -out=tfplan
+
+      - name: Terraform Apply
+        run: terraform apply -auto-approve tfplan
+
+      - name: Get Outputs
+        id: outputs
+        run: |
+          echo "api_url=$(terraform output -raw api_gateway_url)" >> $GITHUB_OUTPUT
+          echo "lambda_name=$(terraform output -raw lambda_function_name)" >> $GITHUB_OUTPUT
+
+      - name: Setup Webhook
+        run: |
+          API_URL="${{ steps.outputs.outputs.api_url }}"
+          curl -s "https://api.telegram.org/bot${{ secrets.TELEGRAM_TOKEN }}/setWebhook?url=${API_URL}"
+
+      - name: Deployment Summary
+        run: |
+          echo "## Deployment Complete! :rocket:" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Environment:** ${{ github.event.inputs.environment }}" >> $GITHUB_STEP_SUMMARY
+          echo "**API Gateway URL:** ${{ steps.outputs.outputs.api_url }}" >> $GITHUB_STEP_SUMMARY
+          echo "**Lambda Function:** ${{ steps.outputs.outputs.lambda_name }}" >> $GITHUB_STEP_SUMMARY
@@ -0,0 +1,37 @@
+name: PR Check
+
+on:
+  pull_request:
+    branches: [main, master]
+    types: [opened, synchronize, reopened]
+
+jobs:
+  check:
+    name: PR Validation
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Check branch name
+        run: |
+          BRANCH_NAME="${{ github.head_ref }}"
+          if [[ ! "$BRANCH_NAME" =~ ^(dev|feature/|bugfix/|hotfix/) ]]; then
+            echo "::warning::Branch name should follow convention: dev, feature/*, bugfix/*, or hotfix/*"
+          fi
+
+      - name: Check for terraform.tfvars in PR
+        run: |
+          if git diff --name-only origin/${{ github.base_ref }}...${{ github.head_ref }} | grep -q "terraform.tfvars$"; then
+            echo "::error::terraform.tfvars should not be committed! Add it to .gitignore"
+            exit 1
+          fi
+
+      - name: Check for sensitive data
+        run: |
+          # Check for potential secrets in files
+          if grep -rE "(aws_access_key_id|aws_secret_access_key|AKIA[0-9A-Z]{16})" --include="*.tf" --include="*.py" --include="*.sh" .; then
+            echo "::error::Potential sensitive data found in files!"
+            exit 1
+          fi
@@ -0,0 +1,110 @@
+name: Terraform Validate
+
+on:
+  push:
+    branches: [dev, main, master]
+  pull_request:
+    branches: [main, master]
+
+env:
+  TF_VERSION: "1.5.0"
+
+jobs:
+  validate:
+    name: Validate Terraform
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TF_VERSION }}
+
+      - name: Terraform Format Check
+        id: fmt
+        run: terraform fmt -check -recursive
+        continue-on-error: true
+
+      - name: Create dummy tfvars for validation
+        run: |
+          cat > terraform.tfvars <<EOF
+          telegram_token = "dummy-token-for-validation"
+          lab_role_arn   = "arn:aws:iam::123456789012:role/LabRole"
+          environment    = "dev"
+          EOF
+
+      - name: Create dummy package directory
+        run: |
+          mkdir -p package
+          cp handler.py package/
+          touch package/__init__.py
+
+      - name: Terraform Init
+        id: init
+        run: terraform init -backend=false
+
+      - name: Terraform Validate
+        id: validate
+        run: terraform validate
+
+      - name: Post Validation Status
+        if: github.event_name == 'pull_request'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const output = `#### Terraform Format 🖌 \`${{ steps.fmt.outcome }}\`
+            #### Terraform Init ⚙️ \`${{ steps.init.outcome }}\`
+            #### Terraform Validate 🤖 \`${{ steps.validate.outcome }}\`
+
+            *Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
+
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            })
+
+  lint:
+    name: Lint Python
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.9"
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install flake8
+
+      - name: Lint with flake8
+        run: |
+          # Stop build if there are Python syntax errors or undefined names
+          flake8 handler.py --count --select=E9,F63,F7,F82 --show-source --statistics
+          # Exit-zero treats all errors as warnings
+          flake8 handler.py --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
+
+  security:
+    name: Security Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Checkov (Terraform Security)
+        uses: bridgecrewio/checkov-action@v12
+        with:
+          directory: .
+          framework: terraform
+          soft_fail: true
+          output_format: cli