Update v0

.aliases

@@ -1,17 +1,9 @@
 #!/bin/env sh
 alias gs='git status'
 alias gd='git diff'
+alias gc='git checkout'
 alias tf='terraform'
-alias tfa='if [ -f ssh_key ]; then chmod 600 ssh_key && ssh-add ssh_key; fi; terraform init; terraform apply --auto-approve'
+alias tfa='terraform apply --auto-approve'
 alias tfd='terraform destroy --auto-approve'
-alias tfp='terraform init || terraform providers && terraform validate && terraform plan'
-alias tfr='terraform destroy --auto-approve;if [ -f ssh_key ]; then chmod 600 ssh_key && ssh-add ssh_key; fi; terraform init; terraform apply --auto-approve'
-alias tfl='terraform state list'
 alias k='kubectl'
-alias tt='run_tests'
-# expects AGE_ variables to be set, see .variables and .rcs
-alias es='encrypt_secrets' # looks in the secret file list and converts the files into encrypted ones, see .functions
-alias ds='decrypt_secrets' # looks in the secret file list and converts all the encrtypted files in to unencrypted ones, see .functions
-alias ef='encrypt_file' # see .functions
-alias cl='clear_local' # clears all of the temporary files from the directory, see .functions
 alias sc='shell_check' # runs shellcheck -x on all files with a shbang

.github/CODEOWNERS

@@ -1 +1 @@
-* @rancher/k3s
+* @rancher/terraform-maintainers

.github/pull_request_template.md

@@ -1,16 +1,22 @@
 ## Related Issue
 
-Fixes # <!-- INSERT ISSUE NUMBER -->
+Addresses #1234 (main issue)
+
+## Releases
+
+If this PR should be released, please add labels for each release branch it targets.
+Use the 'release/v0' tags, not the 'version/v0' tags.
 
 ## Description
 
-In plain English, describe your approach to addressing the issue linked above. For example, if you made a particular design decision, let us know why you chose this path instead of another solution.
+Describe your change and how it addresses the issue linked above.
+
+## Testing
 
-<!-- heimdall_github_prtemplate:grc-pci_dss-2024-01-05 -->
-## Rollback Plan
+Please describe how you verified this change or why testing isn't relevant.
 
-- [ ] If a change needs to be reverted, we will roll out an update to the code within 7 days.
+## Breaking
 
-## Changes to Security Controls
+Does this change alter an interface that users of the provider will need to adjust to?
+Will there be any existing configurations broken by this change?
 
-Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

.github/workflows/backport-prs.yml

@@ -0,0 +1,106 @@
+name: 'Auto Cherry-Pick to Release Branches'
+
+on:
+  push:
+    branches: ['main']
+
+jobs:
+  create-cherry-pick-prs:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+      actions: read 
+
+    steps:
+      - name: 'Wait for merge to settle'
+        run: sleep 10
+      - name: 'Checkout Repository'
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: 'Find Issues and Create Cherry-Pick PRs'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const execSync = require('child_process').execSync;
+            const owner = context.repo.owner;
+            const repo = context.repo.repo;
+            const mergeCommitSha = context.payload.head_commit.id;
+
+            const { data: associatedPrs } = await github.rest.repos.listPullRequestsAssociatedWithCommit({
+              owner,
+              repo,
+              commit_sha: mergeCommitSha
+            });
+            const pr = associatedPrs.find(p => p.base.ref === 'main' && p.merged_at);
+            if (!pr) {
+              core.info(`No merged PR found for commit ${mergeCommitSha}. This may have been a direct push. Exiting.`);
+              return;
+            }
+            core.info(`Found associated PR: #${pr.number}`);
+
+            // https://docs.github.com/en/rest/search/search?apiVersion=2022-11-28#search-issues-and-pull-requests
+            core.info(`Searching for 'internal/main' issue linked to PR #${pr.number}`);
+            const { data: searchResults } = await github.request('GET /search/issues', {
+              q: `is:issue label:"internal/main" repo:${owner}/${repo} in:body #${pr.number}`,
+              advanced_search: true,
+              headers: {
+                'X-GitHub-Api-Version': '2022-11-28'
+              }
+            });
+            if (searchResults.total_count === 0) {
+              core.info(`No 'internal/main' issue found for PR #${pr.number}. Exiting.`);
+              return;
+            }
+            const mainIssue = searchResults.items[0];
+            core.info(`Found main issue: #${mainIssue.number}`);
+
+            // https://docs.github.com/en/rest/issues/sub-issues?apiVersion=2022-11-28#add-sub-issue
+            core.info(`Fetching sub-issues for main issue #${mainIssue.number}`);
+            const { data: subIssues } = await github.request('GET /repos/{owner}/{repo}/issues/{issue_number}/sub_issues', {
+              owner: owner,
+              repo: repo,
+              issue_number: mainIssue.number,
+              headers: {
+                'X-GitHub-Api-Version': '2022-11-28'
+              }
+            });
+            if (subIssues.length === 0) {
+              core.info(`No sub-issues found for issue #${mainIssue.number}. Exiting.`);
+              return;
+            }
+            core.info(`Found ${subIssues.length} sub-issues.`);
+
+            for (const subIssue of subIssues) {
+              const subIssueNumber = subIssue.number;
+              // Find the release label directly on the sub-issue object
+              const releaseLabel = subIssue.labels.find(label => label.name.startsWith('release/v'));
+              if (!releaseLabel) {
+                core.warning(`Sub-issue #${subIssueNumber} has no 'release/v...' label. Skipping.`);
+                continue;
+              }
+              const targetBranch = releaseLabel.name
+              core.info(`Processing sub-issue #${subIssueNumber} for target branch: ${targetBranch}`);
+              const newBranchName = `backport-${pr.number}-${targetBranch.replace(/\//g, '-')}`;
+              execSync(`git config user.name "github-actions[bot]"`);
+              execSync(`git config user.email "github-actions[bot]@users.noreply.github.com"`);
+              execSync(`git fetch origin ${targetBranch}`);
+              execSync(`git checkout -b ${newBranchName} origin/${targetBranch}`);
+              execSync(`git cherry-pick -x ${mergeCommitSha} -X theirs`);
+              execSync(`git push origin ${newBranchName}`);
+
+              core.info(`Creating pull request for branch ${newBranchName} targeting ${targetBranch}...`);
+              const { data: newPr } = await github.rest.pulls.create({
+                owner,
+                repo,
+                title: pr.title,
+                head: newBranchName,
+                base: targetBranch,
+                body: "This pull request cherry-picks the changes from #" + pr.number + " into " + targetBranch + "\n" +
+                  "WARNING!: to avoid having to resolve merge conflicts this PR is generated with `git cherry-pick -X theirs`.\n" +
+                  "Please make sure to carefully inspect this PR so that you don't revert anything!",
+                assignees: ['terraform-maintainers']
+              });
+            }

.github/workflows/backport.yml

@@ -0,0 +1,44 @@
+name: Backports
+# This workflow generates "backport" issues when a release branch label is added to an issue
+on:
+  issues:
+    types: [labeled] # triggered when any label is added to an issue
+
+jobs:
+  create-issue:
+    runs-on: ubuntu-latest
+    if: ${{ github.event.label.name == 'version/v0' }}
+    steps:
+      - name: Create GitHub Issue
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const parentIssue = context.payload.issue;
+            const parentIssueTitle = parentIssue.title;
+            const parentIssueNumber = parentIssue.number;
+            const repo = context.repo.repo;
+            const owner = context.repo.owner;
+
+            // Note: can't get terraform-maintainers team, the default token can't access org level objects
+            // Create the sub-issue
+            const newIssue = await github.rest.issues.create({
+              owner: owner,
+              repo: repo,
+              title: "Backport #" + parentIssueNumber + " to release/v0",
+              body:  "Backport #" + parentIssueNumber + " to release/v0",
+              labels: ['release/v0'],
+              assignees: ['matttrach']
+            });
+
+            const subIssueId = newIssue.data.id;
+
+            // Attach the sub-issue to the parent using API request
+            await github.request('POST /repos/{owner}/{repo}/issues/{issue_number}/sub_issues', {
+              owner: owner,
+              repo: repo,
+              issue_number: parentIssueNumber,
+              sub_issue_id: subIssueId,
+              headers: {
+                'X-GitHub-Api-Version': '2022-11-28'
+              }
+            });

.github/workflows/main-issue.yml

@@ -0,0 +1,41 @@
+name: MainIssue
+# This workflow generates a "main" issue when a PR is created targeting main.
+on:
+  pull_request_target:
+    branches: [main]
+    types: [opened]
+
+jobs:
+  generate-issue:
+    name: 'Create Main Issue'
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+    steps:
+      - uses: actions/github-script@v7
+        with:
+          script: |
+            const repo = context.repo.repo;
+            const owner = context.repo.owner;
+            const pr = context.payload.pull_request;
+            const newLabels = ['internal/main'];
+            const releaseLabel = pr.labels.find(label => label.name.startsWith('release/v'));
+            if (releaseLabel) {
+              const versionLabel = releaseLabel.name.replace('release/', 'version/');
+              newLabels.push(versionLabel);
+            }
+            // Note: can't get terraform-maintainers team, the default token can't access org level objects
+            // Create the main issue
+            // https://docs.github.com/en/rest/issues/issues?apiVersion=2022-11-28#create-an-issue
+            // Note: issues can't have teams assigned to them
+            const newIssue = await github.rest.issues.create({
+              owner: owner,
+              repo: repo,
+              title: pr.title,
+              body:  "This is the main issue tracking #" + pr.number + " \n\n" +
+                "Please add labels indicating the release versions eg. 'version/v0' \n\n" +
+                "Please add comments for user issues which this issue addresses. \n\n" +
+                "Description copied from PR: \n" + pr.body,
+              labels: newLabels,
+              assignees: ['matttrach']
+            });

.github/workflows/release.yml

@@ -3,7 +3,8 @@ name: release
 on:
   push:
     branches:
-    - main
+    - release/v0
+    - release/v1
 
 permissions: write-all
 
@@ -76,6 +77,43 @@ jobs:
               repo: "${{ github.event.repository.name }}",
               body: "Tests Failed!"
             })
+      - name: retrieve GPG Credentials
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg passphrase | GPG_PASSPHRASE ;
+            secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKeyId | GPG_KEY_ID;
+            secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKey | GPG_KEY;
+      - name: import_gpg_key
+        if: steps.release-please.outputs.pr && (steps.run-unit-tests.conclusion == 'success') && (steps.run-acc-tests.conclusion == 'success')
+        env:
+          GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }}
+          GPG_KEY_ID: ${{ env.GPG_KEY_ID }}
+          GPG_KEY: ${{ env.GPG_KEY }}
+        run: |
+          cleanup() {
+            # clear history just in case
+            history -c
+          }
+          trap cleanup EXIT TERM
+
+          # sanitize variables
+          if [ -z "${GPG_PASSPHRASE}" ]; then echo "gpg passphrase empty"; exit 1; fi
+          if [ -z "${GPG_KEY_ID}" ]; then echo "key id empty"; exit 1; fi
+          if [ -z "${GPG_KEY}" ]; then echo "key contents empty"; exit 1; fi
+
+          echo "Importing gpg key"
+          echo "${GPG_KEY}" | gpg --import --batch > /dev/null || { echo "Failed to import GPG key"; exit 1; }
+      - name: Run GoReleaser
+        if: steps.release-please.outputs.pr && (steps.run-unit-tests.conclusion == 'success') && (steps.run-acc-tests.conclusion == 'success')
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 https://github.com/goreleaser/goreleaser-action
+        with:
+          args: release --snapshot --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GPG_KEY_ID: ${{ env.GPG_KEY_ID }}
+          GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }}
+
 
       # These run after release-please generates a release, so when the release PR is merged
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -87,13 +125,19 @@ jobs:
         with:
           go-version-file: 'go.mod'
           cache: true
+      - name: retrieve GPG Credentials
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg passphrase | GPG_PASSPHRASE ;
+            secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKeyId | GPG_KEY_ID;
+            secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKey | GPG_KEY;
       - name: import_gpg_key
         if: steps.release-please.outputs.version
-        id: import_gpg_key
         env:
-          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
-          GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
-          GPG_KEY: ${{ secrets.GPG_KEY }}
+          GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }}
+          GPG_KEY_ID: ${{ env.GPG_KEY_ID }}
+          GPG_KEY: ${{ env.GPG_KEY }}
         run: |
           cleanup() {
             # clear history just in case
@@ -115,5 +159,5 @@ jobs:
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
-          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+          GPG_KEY_ID: ${{ env.GPG_KEY_ID }}
+          GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }}

.goreleaser.yml

@@ -1,11 +1,10 @@
 # Copyright (c) HashiCorp, Inc.
 
-# Visit https://goreleaser.com for documentation on how to customize this
-# behavior.
+# https://goreleaser.com for documentation
+
 version: 2
 before:
   hooks:
-    # this is just an example and not a requirement for provider building/publishing
     - go mod tidy
 builds:
 - env:
@@ -25,12 +24,8 @@ builds:
     - darwin
   goarch:
     - amd64
-    - '386'
     - arm
     - arm64
-  ignore:
-    - goos: darwin
-      goarch: '386'
   binary: '{{ .ProjectName }}_v{{ .Version }}'
 archives:
   - formats: [ 'zip' ]
@@ -55,6 +50,10 @@ signs:
       - "${signature}"
       - "--sign"
       - "${artifact}"
+snapshot:
+  # "snapshot" is the type of release we use for release candidates
+  #  that are generated when a release branch gets a new merge
+  name_template: "{{ .ProjectName }}_{{ .ShortCommit }}"
 release:
   extra_files:
     - glob: 'terraform-registry-manifest.json'