Test live coding 6

.amazonq/agents/default.json

@@ -0,0 +1,71 @@
+{
+  "name": "q_ide_default",
+  "description": "Default agent configuration",
+  "prompt": "",
+  "mcpServers": {
+    "terraform": {
+      "command": "docker",
+      "args": [
+        "run",
+        "-i",
+        "--rm",
+        "hashicorp/terraform-mcp-server:0.3"
+      ]
+    }
+  },
+  "tools": [
+    "fs_read",
+    "execute_bash",
+    "fs_write",
+    "report_issue",
+    "use_aws",
+    "@terraform",
+    "fsRead",
+    "fsWrite",
+    "fsReplace",
+    "listDirectory",
+    "fileSearch",
+    "executeBash",
+    "codeReview",
+    "displayFindings"
+  ],
+  "toolAliases": {},
+  "allowedTools": [
+    "fs_read",
+    "report_issue",
+    "use_aws",
+    "execute_bash",
+    "fs_write",
+    "fsRead",
+    "listDirectory",
+    "fileSearch",
+    "codeReview",
+    "displayFindings"
+  ],
+  "toolsSettings": {
+    "use_aws": {
+      "alwaysAllow": [
+        {
+          "preset": "readOnly"
+        }
+      ]
+    },
+    "execute_bash": {
+      "alwaysAllow": [
+        {
+          "preset": "readOnly"
+        }
+      ]
+    }
+  },
+  "resources": [
+    "file://AmazonQ.md",
+    "file://README.md",
+    "file://.amazonq/rules/**/*.md"
+  ],
+  "hooks": {
+    "agentSpawn": [],
+    "userPromptSubmit": []
+  },
+  "useLegacyMcpJson": true
+}

.amazonq/mcp.json

@@ -0,0 +1,37 @@
+{
+  "mcpServers": {
+    "terraform": {
+      "command": "docker",
+      "args": [
+        "run",
+        "-i",
+        "--rm",
+        "hashicorp/terraform-mcp-server:0.3"
+      ]
+    },
+    "github": {
+      "type": "stdio",
+      "command": "docker",
+      "args": [
+        "run",
+        "-i",
+        "--rm",
+        "-e",
+        "GITHUB_PERSONAL_ACCESS_TOKEN",
+        "ghcr.io/github/github-mcp-server:0.20.1"
+      ],
+      "env": {
+        "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_AWS_Q_PERSONAL_ACCESS_TOKEN}"
+      }
+    },
+    "awslabs.iam-mcp-server": {
+      "command": "uvx",
+      "args": ["awslabs.iam-mcp-server@latest"],
+      "env": {
+        "AWS_PROFILE": "ippon-data-lab",
+        "AWS_REGION": "eu-west-3",
+        "FASTMCP_LOG_LEVEL": "ERROR"
+      }
+    }
+  }
+}

.amazonq/rules/common.md

@@ -0,0 +1,7 @@
+# Common best Practices
+
+## Linting and testing
+
+- Use pre-commit to lint the code
+- Run "pre-commit run -a" before commiting/pushing to git remote
+- Use common hooks from https://github.com/pre-commit/pre-commit-hooks

.amazonq/rules/github_actions.md

@@ -0,0 +1,8 @@
+# GitHub Actions Best Practices
+
+When generating or modifying GitHub actions template files, follow these best practices:
+
+## Code Best Practices
+
+- When you use setup-* actions, try to get the latest versions of the software you need to install
+- Use pre-commit to run the hooks of the repository in the CI and install required software so hooks can work

.amazonq/rules/terraform_aws.md

@@ -0,0 +1,88 @@
+# Terraform AWS Best Practices
+
+When generating or modifying Terraform code for AWS, follow these best practices:
+
+## Structure and Organization
+
+- Use a modular structure with reusable modules
+- Prefer to use existing OSS Terraform modules on the internet
+    - As a priority, use official Terraform registry: https://registry.terraform.io/namespaces/terraform-aws-modules
+    - Else, use CloudPosse registry: https://registry.terraform.io/namespaces/cloudposse
+- Separate environments (dev, staging, prod) with separate workspaces or directories
+- Use variables for all configurable parameters
+- Prefer relative paths for local modules
+- In Terraform root modules, put the Terraform providers' configuration in a file called providers.tf
+- Terraform version constraints' and providers' constraints must stay in file called versions.tf
+- Try to regroup resources by the Cloud Provider's services to avoid having all the code in one main.tf file
+
+## Security
+
+- Never use hard-coded credentials in code
+- Use IAM roles with the principle of least privilege
+- Enable default encryption for all services that support it (S3, RDS, etc.)
+- Use restrictive security groups for network resources
+- Prefer private VPCs with VPC endpoints over public access
+
+## State Management
+
+- Use a remote backend to store Terraform state
+- Store the configuration of the Terraform backend in backend.tf Terraform file
+- Enable versioning on the S3 state bucket
+- Use state locking with S3 file lock (not DynamoDB)
+- Do not include sensitive data in outputs
+
+## Naming and Tagging
+
+- Use a consistent naming scheme for all resources
+- Do not add resource type as a suffix or prefix to resource names (for instance, use "my-app" instead of "my-app-vpc")
+- Systematically apply tags for:
+    - Environment (dev, staging, prod)
+    - Owner
+    - Project
+    - Cost Center
+    - Managed By: “terraform”
+    - Root Module URL: <URL of the current Git repository from which the terraform apply that manages this resource will be launched>
+
+## Performance and Costs
+
+- Use on-demand instances for development and reserved instances for production
+- Configure lifecycle policies for S3 buckets
+- Use Auto Scaling Groups to scale resources on demand
+- Configure CloudWatch alarms to monitor costs
+
+## Code Best Practices
+
+- Always use fixed versions for providers and modules to avoid regressions between two `terraform plan` commands (do not use Terraform version constraint ~>)
+- Document code as much as possible with README.md, variable descriptions, output descriptions, and comments (do not over-comment either when datasource/resource are self explaining)
+- Use validations for input variables
+- Prefer conditional resources over count for optional resources
+- Use for_each over count for multiple resources
+- Always add .terraform.lock.hcl files to Terraform root modules to be consistent between multiple deployments
+
+## Networking
+
+- Use private subnets for resources that do not require direct Internet access
+- Configure NAT Gateways only in environments that require them
+- Use Transit Gateways for multi-account/multi-VPC architectures
+
+## Deployment
+
+- Always use terraform plan before applying changes
+- Integrate Terraform into CI/CD pipelines for production environments
+- Use blue/green approaches for critical updates
+
+## Non-regression
+
+- To avoid regressions, it is best to fix dependency versions.
+- For Terraform OSS modules, use a fixed version (preferably the latest available on the Terraform registry) in the module version field
+
+## Linting and testing
+
+- Use pre-commit to lint the code with the following hooks: terraform_fmt, terraform_validate, terraform_docs, terraform_docs, terraform_trivy
+- Each validator for Terraform input variables must be tested, but only failed cases.
+- For each module generated, an example must be provided.
+- For each example, there must be a test that runs it.
+
+## Use of MCP
+
+- Check each generated code to ensure that everything is correct (syntax, Terraform arguments) using the MCP server `terraform-mcp-server`. Before generating any code, ensure that interaction with this MCP server is working properly.

.github/workflows/vpc-demo-deploy.yml

@@ -0,0 +1,95 @@
+name: VPC Demo - Terraform Deploy
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'vpc-demo/**'
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'vpc-demo/**'
+  workflow_dispatch:
+
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write
+
+jobs:
+  terraform:
+    name: Terraform
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: vpc-demo
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.13.5
+          terraform_wrapper: false
+
+      - name: Install terraform-docs
+        run: |
+          curl -sSLo /tmp/terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.19.0/terraform-docs-v0.19.0-linux-amd64.tar.gz
+          tar -xzf /tmp/terraform-docs.tar.gz -C /tmp
+          sudo mv /tmp/terraform-docs /usr/local/bin/
+
+      - name: Install trivy
+        run: |
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+
+      - name: Run pre-commit
+        uses: pre-commit/[email protected]
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions-role
+          aws-region: eu-west-3
+
+      - name: Terraform Init
+        run: terraform init
+
+      - name: Terraform Plan
+        id: plan
+        run: terraform plan -no-color -var="aws_profile=" -out=tfplan
+        continue-on-error: true
+
+      - name: Comment PR
+        if: github.event_name == 'pull_request'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const output = `#### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
+
+            <details><summary>Show Plan</summary>
+
+            \`\`\`terraform
+            ${{ steps.plan.outputs.stdout }}
+            \`\`\`
+
+            </details>`;
+
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            })
+
+      - name: Terraform Apply
+        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+        run: terraform apply -auto-approve -var="aws_profile=" tfplan

.gitignore

@@ -10,8 +10,8 @@ crash.log
 crash.*.log
 
 # Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version 
-# control as they are data points which are potentially sensitive and subject 
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
 *.tfvars
 *.tfvars.json

.pre-commit-config.yaml

@@ -0,0 +1,20 @@
+repos:
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.96.2
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_validate
+      - id: terraform_docs
+        args:
+          - --hook-config=--path-to-file=README.md
+          - --hook-config=--add-to-existing-file=true
+          - --hook-config=--create-file-if-not-exists=true
+      - id: terraform_trivy
+        args:
+          - --args=--severity=HIGH,CRITICAL
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+      - id: check-merge-conflict
+      - id: end-of-file-fixer
+      - id: trailing-whitespace

README.md

@@ -49,7 +49,7 @@ git checkout -b live-coding-5
 Prompt enrichi via les Q rules, le serveur MCP Terraform et code généré à partir d'un schéma Excalidraw ajouté dans le contexte du prompt suivant :
 
 ```
-Create the Terraform code from the schema. 
+Create the Terraform code from the schema.
 ```
 
 ## Live coding 6
@@ -58,8 +58,16 @@ Create the Terraform code from the schema.
 git checkout -b live-coding-6
 ```
 
-Prompt enrichi via des Q rules "prod-ready" (Terraform / GitHub Actions / ...) et de multiples serveurs MCP pour déployer jusqu'en production :
+Les prompts sont enrichis via des Q rules "prod-ready" et de multiples serveurs MCP pour déployer jusqu'en production.
+
+Prompt pour configurer un OIDC provider :
+
+```
+Could you configure an IAM provider with OIDC in my AWS account with profile ippon-data-lab so that I can use it from GitHub please? You can store the Terraform state in aws-q-academy-terraform-states S3 bucket and use the same profile to store the state on S3.
+```
+
+Prompt pour déployer un VPC :
 
 ```
-Create a VPC with 3 private and 3 public subnets with Terraform and deploy it thanks to GitHub Actions.
+Create a VPC with 3 private and 3 public subnets with Terraform in folder vpc-demo and deploy it thanks to GitHub Actions.
 ```