Dev

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @hallllow29

.github/workflows/deploy-dev.yaml

@@ -1,19 +1,19 @@
 name: Deploy Dev
 
+# Corre quando um PR é mergeado para dev.
+# Cria/atualiza o ambiente DEV (ephemeral) para testes.
+
 on:
-  pull_request:
-    types:
-      - closed
+  push:
     branches:
-      - main
+      - dev
 
 concurrency:
-  group: deploy-${{ github.ref }}
-  cancel-in-progress: true
+  group: deploy-dev
+  cancel-in-progress: false
 
 jobs:
   deploy-dev:
-    if: github.event.pull_request.merged == true
     runs-on: [self-hosted, paris]
     environment: dev-approval
     timeout-minutes: 120
@@ -43,7 +43,7 @@ jobs:
           chmod +x $HOME/bin/terragrunt
           echo "$HOME/bin" >> $GITHUB_PATH
 
-      - name: Deploy to Dev
+      - name: Deploy to Dev (Ireland)
         run: |
           terragrunt run --all apply --working-dir environments/dev --non-interactive
 
@@ -63,3 +63,10 @@ jobs:
         run: |
           curl -fsS --max-time 30 -X POST ${{ secrets.SLACK_WEBHOOK }} \
             -d '{"text": "Deploy Dev falhou! Ver: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"}' || true
+
+      - name: Notify on Success
+        if: success()
+        continue-on-error: true
+        run: |
+          curl -fsS --max-time 30 -X POST ${{ secrets.SLACK_WEBHOOK }} \
+            -d '{"text": "Deploy Dev concluído! Faz testes e depois abre PR dev → main para promover a prod."}' || true

.github/workflows/deploy-prod.yaml

@@ -1,14 +1,23 @@
 name: Deploy Prod
 
+# Corre quando um PR de dev é mergeado para main.
+# 1) Destrói o ambiente dev (que serviu para validação)
+# 2) Faz deploy/atualização no prod (Frankfurt)
+
 on:
-  workflow_dispatch:
+  pull_request:
+    types:
+      - closed
+    branches:
+      - main
 
 concurrency:
   group: deploy-prod
   cancel-in-progress: false
 
 jobs:
   destroy-dev:
+    if: github.event.pull_request.merged == true
     runs-on: [self-hosted, paris]
     permissions:
       id-token: write
@@ -23,6 +32,12 @@ jobs:
           role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
           aws-region: eu-west-1
 
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "1.9.0"
+          terraform_wrapper: false
+
       - name: Setup Terragrunt
         run: |
           mkdir -p $HOME/bin
@@ -42,6 +57,7 @@ jobs:
             -d '{"text": "Destroy Dev falhou! Ver: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"}' || true
 
   deploy-prod:
+    if: github.event.pull_request.merged == true
     needs: destroy-dev
     environment: production
     runs-on: [self-hosted, paris]
@@ -72,7 +88,7 @@ jobs:
           chmod +x $HOME/bin/terragrunt
           echo "$HOME/bin" >> $GITHUB_PATH
 
-      - name: Deploy to Prod
+      - name: Deploy to Prod (Frankfurt)
         run: |
           terragrunt run --all apply --working-dir environments/prod --non-interactive
 

.github/workflows/pr-checks.yaml

@@ -1,8 +1,12 @@
 name: PR Checks
 
+# Corre em PRs contra dev ou main.
+# Validate + plan + OPA + SonarQube + Trivy.
+
 on:
   pull_request:
     branches:
+      - dev
       - main
 
 concurrency:
@@ -53,7 +57,7 @@ jobs:
         continue-on-error: true
         run: |
           cd environments/dev
-          terragrunt run --all plan -- -out=tfplan
+          terragrunt run --all plan --queue-exclude-dir eks-addons -- -out=tfplan
 
       - name: Setup Conftest
         run: |
@@ -65,7 +69,7 @@ jobs:
         continue-on-error: true
         run: |
           cd environments/dev
-          terragrunt run --all show -- -json tfplan > $GITHUB_WORKSPACE/plan.json || true
+          terragrunt run --all show --queue-exclude-dir eks-addons -- -json tfplan > $GITHUB_WORKSPACE/plan.json || true
           cd $GITHUB_WORKSPACE
           conftest test plan.json --policy policies/ || true
 

.github/workflows/security-scan.yaml

@@ -1,9 +1,17 @@
 name: Security Scan
 
+# Corre quando um PR é aberto contra dev ou main.
+# Faz scans de secrets e IaC ANTES de qualquer review humano.
+
 on:
-  push:
+  pull_request:
     branches:
       - dev
+      - main
+    types:
+      - opened
+      - synchronize
+      - reopened
 
 concurrency:
   group: security-scan-${{ github.ref }}
@@ -16,6 +24,7 @@ jobs:
     permissions:
       id-token: write
       contents: read
+      pull-requests: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -42,11 +51,8 @@ jobs:
           framework: terraform
           soft_fail: true
 
-      - name: Inspect KICS output
-        run: |
-          ls -la results/ || true
-          find . -name "results.json" -type f 2>/dev/null | head -5
-          head -3 results/results.json 2>/dev/null || true
+      - name: Find Checkov output
+        run: find . -name "results*.sarif" -type f 2>/dev/null || true
 
       - name: Upload KICS results to DefectDojo
         continue-on-error: true
@@ -61,9 +67,6 @@ jobs:
             -F "product_type_name=Research and Development" \
             http://${{ secrets.DEFECTDOJO_URL }}/api/v2/import-scan/
 
-      - name: Find Checkov output
-        run: find . -name "results*.sarif" -type f 2>/dev/null || true
-
       - name: Upload Checkov results to DefectDojo
         continue-on-error: true
         run: |
@@ -84,4 +87,4 @@ jobs:
         continue-on-error: true
         run: |
           curl -fsS --max-time 30 -X POST ${{ secrets.SLACK_WEBHOOK }} \
-            -d '{"text": "Security Scan falhou! Ver: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"}' || true
+            -d '{"text": "Security Scan falhou! Ver: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"}' || true

.gitignore

@@ -1,44 +1,49 @@
-# Local .terraform directories
+# Terraform
 .terraform/
-
-# .tfstate files
 *.tfstate
 *.tfstate.*
-
-# Crash log files
-crash.log
-crash.*.log
-
-# Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version
-# control as they are data points which are potentially sensitive and subject
-# to change depending on the environment.
+.terraform.lock.hcl
+.terraform.tfstate.lock.info
 *.tfvars
 *.tfvars.json
-
-# Ignore override files as they are usually used to override resources locally and so
-# are not checked in
+!*.tfvars.example
 override.tf
 override.tf.json
 *_override.tf
 *_override.tf.json
-
-# Ignore transient lock info files created by terraform apply
-.terraform.tfstate.lock.info
-
-# Include override files you do wish to add to version control using negated pattern
-# !example_override.tf
-
-# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
-# example: *tfplan*
-
-# Ignore CLI configuration files
+crash.log
+crash.*.log
 .terraformrc
 terraform.rc
 
-# Optional: ignore graph output files generated by `terraform graph`
-# *.dot
-
-# Optional: ignore plan files saved before destroying Terraform configuration
-# Uncomment the line below if you want to ignore planout files.
-# planout
+# Terragrunt
+.terragrunt-cache/
+terragrunt-debug*.tfvars.json
+
+# Terraform plan output
+tfplan
+*.tfplan
+plan.json
+
+# Kubernetes
+kubeconfig
+*.kubeconfig
+
+# Scan outputs
+results/
+*.sarif
+trivy-results.*
+del.json
+delete-objects.json
+trust.json
+
+# OS / Editor
+.DS_Store
+Thumbs.db
+.vscode/
+.idea/
+
+# Misc
+*.db
+ruvector.db
+*.log