feat: Add extra tags variable and PR check workflow

.github/workflows/auto_assignee.yml

@@ -7,7 +7,7 @@ on:
   workflow_dispatch:
 jobs:
   assignee:
-    uses: clouddrove/github-shared-workflows/.github/workflows/auto_assignee.yml@master
+    uses: clouddrove/github-shared-workflows/.github/workflows/pr-auto-assignee.yml@master
     secrets:
       GITHUB: ${{ secrets.GITHUB }}
     with:

.github/workflows/automerge.yml

@@ -4,7 +4,7 @@ on:
   pull_request:
 jobs:
   auto-merge:
-    uses: clouddrove/github-shared-workflows/.github/workflows/auto_merge.yml@master
+    uses: clouddrove/github-shared-workflows/.github/workflows/pr-auto-merge.yml@master
     secrets:
       GITHUB: ${{ secrets.GITHUB }}
     with:

.github/workflows/changelog.yml

@@ -1,13 +1,21 @@
+---
 name: changelog
 permissions: write-all
 on:
   push:
     tags:
       - "*"
   workflow_dispatch:
+    inputs:
+      tag:
+        required: true
+        type: string
+        description: "Enter the semantic version tag (eg: 3.4.2) for which you want to update the changelog"
 jobs:
   changelog:
-    uses: clouddrove/github-shared-workflows/.github/workflows/changelog.yml@master
+    uses: clouddrove/github-shared-workflows/.github/workflows/release-changelog.yml@master
     secrets: inherit
     with:
       branch: 'master'
+      tag: ${{ inputs.tag || '' }}
+...

.github/workflows/pr-checks.yml

@@ -0,0 +1,9 @@
+name: 🔍 PR Checks
+
+on:
+  pull_request:
+    types: [opened, edited, synchronize, reopened]
+
+jobs:
+  pr-validation:
+    uses: clouddrove/github-shared-workflows/.github/workflows/pr-checks.yml@master

.github/workflows/tf-checks.yml

@@ -1,62 +1,116 @@
 name: tf-checks
+permissions:
+  id-token: write
 on:
-  push:
-    branches: [ master ]
   pull_request:
-  workflow_dispatch:
 jobs:
   complete:
+    if: github.actor != 'dependabot[bot]'
     uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master
     with:
       working_directory: './examples/complete/'
-      provider: none
+      provider: aws
+      enable_plan: true
+      show_plan: false
+    secrets:
+      BUILD_ROLE: ${{ secrets.BUILD_ROLE }}
   byte_match_statement_rules:
+    if: github.actor != 'dependabot[bot]'
     uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master
     with:
       working_directory: './examples/byte_match_statement_rules/'
-      provider: none
+      provider: aws
+      enable_plan: true
+      show_plan: false
+    secrets:
+      BUILD_ROLE: ${{ secrets.BUILD_ROLE }}
   geo_allowlist_statement_rules:
+    if: github.actor != 'dependabot[bot]'
     uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master
     with:
       working_directory: './examples/geo_allowlist_statement_rules/'
-      provider: none
+      provider: aws
+      enable_plan: true
+      show_plan: false
+    secrets:
+      BUILD_ROLE: ${{ secrets.BUILD_ROLE }}
   geo_match_statement_rules:
+    if: github.actor != 'dependabot[bot]'
     uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master
     with:
       working_directory: './examples/geo_match_statement_rules/'
-      provider: none
+      provider: aws
+      enable_plan: true
+      show_plan: false
+    secrets:
+      BUILD_ROLE: ${{ secrets.BUILD_ROLE }}
   ip_set_reference_statement_rules:
+    if: github.actor != 'dependabot[bot]'
     uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master
     with:
       working_directory: './examples/ip_set_reference_statement_rules/'
-      provider: none
+      provider: aws
+      enable_plan: true
+      show_plan: false
+    secrets:
+      BUILD_ROLE: ${{ secrets.BUILD_ROLE }}
   managed_rule_group_statement_rules:
+    if: github.actor != 'dependabot[bot]'
     uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master
     with:
       working_directory: './examples/managed_rule_group_statement_rules/'
-      provider: none
+      provider: aws
+      enable_plan: true
+      show_plan: false
+    secrets:
+      BUILD_ROLE: ${{ secrets.BUILD_ROLE }}
   rate_based_statement_rules:
+    if: github.actor != 'dependabot[bot]'
     uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master
     with:
       working_directory: './examples/rate_based_statement_rules/'
-      provider: none
+      provider: aws
+      enable_plan: true
+      show_plan: false
+    secrets:
+      BUILD_ROLE: ${{ secrets.BUILD_ROLE }}
   regex_match_statement_rules:
+    if: github.actor != 'dependabot[bot]'
     uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master
     with:
       working_directory: './examples/regex_match_statement_rules/'
-      provider: none
+      provider: aws
+      enable_plan: true
+      show_plan: false
+    secrets:
+      BUILD_ROLE: ${{ secrets.BUILD_ROLE }}
   size_constraint_statement_rules:
+    if: github.actor != 'dependabot[bot]'
     uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master
     with:
       working_directory: './examples/size_constraint_statement_rules/'
-      provider: none
+      provider: aws
+      enable_plan: true
+      show_plan: false
+    secrets:
+      BUILD_ROLE: ${{ secrets.BUILD_ROLE }}
   sqli_match_statement_rules:
+    if: github.actor != 'dependabot[bot]'
     uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master
     with:
       working_directory: './examples/sqli_match_statement_rules/'
-      provider: none
+      provider: aws
+      enable_plan: true
+      show_plan: false
+    secrets:
+      BUILD_ROLE: ${{ secrets.BUILD_ROLE }}
   xss_match_statement:
+    if: github.actor != 'dependabot[bot]'
     uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master
     with:
       working_directory: './examples/xss_match_statement/'
-      provider: none
+      provider: aws
+      enable_plan: true
+      show_plan: false
+    secrets:
+      BUILD_ROLE: ${{ secrets.BUILD_ROLE }}

.github/workflows/tfsec.yml

@@ -5,7 +5,7 @@ on:
   workflow_dispatch:
 jobs:
   tfsec:
-    uses: clouddrove/github-shared-workflows/.github/workflows/tfsec.yml@master
+    uses: clouddrove/github-shared-workflows/.github/workflows/security-tfsec.yml@master
     secrets: inherit
     with:
       working_directory: '.'

main.tf

@@ -11,6 +11,7 @@ module "labels" {
   managedby   = var.managedby
   label_order = var.label_order
   repository  = var.repository
+  extra_tags  = var.tags
 }
 
 #Module      : WAF
@@ -1247,6 +1248,7 @@ resource "aws_kms_key" "kms" {
   count                   = var.enable && var.waf_enabled && var.create_logging_configuration ? 1 : 0
   deletion_window_in_days = var.kms_key_deletion_window
   enable_key_rotation     = var.enable_key_rotation
+  tags                    = module.labels.tags
 }
 
 resource "aws_kms_alias" "kms-alias" {
@@ -1392,6 +1394,7 @@ resource "aws_glue_catalog_database" "database" {
 
   name        = format("glue-%s", module.labels.id)
   description = "Glue Catalog Database for ${lower(module.labels.id)} WAF Logs"
+  tags        = module.labels.tags
 }
 
 # This table store column information that is needed by Amazon Kinesis Firehose as data format conversion configuration, for transforming from JSON to Parquet.

variables.tf

@@ -6,6 +6,12 @@ variable "name" {
   description = "Name  (e.g. `app` or `cluster`)."
 }
 
+variable "tags" {
+  description = "A map of tags to add to all resources"
+  type        = map(string)
+  default     = {}
+}
+
 variable "environment" {
   type        = string
   default     = ""

versions.tf

@@ -9,7 +9,4 @@ terraform {
     }
   }
 
-  provider_meta "aws" {
-    module_name = "clouddrove/terraform-aws-waf"
-  }
 }