From 56332ce4749b7a2d237eac82c9d171c959fe5d9f Mon Sep 17 00:00:00 2001
From: Dan Vaida
Date: Mon, 18 Oct 2021 10:48:23 +0300
Subject: [PATCH 1/3] Allows the choice between security policies

---
 README.md | 1 +
 main.tf | 2 +-
 variables.tf | 6 ++++++
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 771aeb1..ad6de56 100644
--- a/README.md
+++ b/README.md
@@ -160,6 +160,7 @@ The following resources _CAN_ be created:
 | redirect\_rules | A list with maps populated with redirect rules | list(map(string)) | `[]` | no |
 | response\_code | The default status code to return when no rules have been met | string | `"500"` | no |
 | response\_message\_body | The default response message body in case no rules have been met | string | `"No match"` | no |
+| ssl\_policy | Security policy used for front-end connections. | string | `"ELBSecurityPolicy-FS-1-2-Res-2020-10"` | no |
 | tags | Extra tags to be applied to the resources | map(string) | `{}` | no |
 
 ## Outputs
diff --git a/main.tf b/main.tf
index 7a564e6..1cc79cb 100644
--- a/main.tf
+++ b/main.tf
@@ -144,7 +144,7 @@ resource "aws_lb_listener" "https" {
 port = 443
 protocol = "HTTPS"
 certificate_arn = var.certificate_arn
- ssl_policy = "ELBSecurityPolicy-2016-08"
+ ssl_policy = var.ssl_policy
 
 default_action {
 type = "fixed-response"
diff --git a/variables.tf b/variables.tf
index 1efa93e..b78d418 100644
--- a/variables.tf
+++ b/variables.tf
@@ -61,3 +61,9 @@ variable "response_code" {
 default = "500"
 description = "The default status code to return when no rules have been met"
 }
+
+variable "ssl_policy" {
+ description = "Security policy used for front-end connections."
+ type = string
+ default = "ELBSecurityPolicy-FS-1-2-Res-2020-10"
+}

From 1b3cdd5a1085d02f0a25ab86a471fbbe78d9d8a7 Mon Sep 17 00:00:00 2001
From: Dan Vaida
Date: Mon, 18 Oct 2021 10:48:42 +0300
Subject: [PATCH 2/3] Formats code

---
 main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
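Review bot: Replacing the literal `ELBSecurityPolicy-2016-08` with `var.ssl_policy` changes the effective policy for every existing caller, because the new default `ELBSecurityPolicy-FS-1-2-Res-2020-10` negotiates TLS 1.2 only with forward-secrecy suites, while the old policy still accepted TLS 1.0 and 1.1. That is the right hardening direction, but it is a breaking change for clients limited to older TLS and deserves an explicit mention in the README or changelog rather than being implied by a variable default. Callers who need the previous behaviour can pass `ssl_policy = "ELBSecurityPolicy-2016-08"` explicitly. The `aws_lb_listener "https"` block starts and ends outside the hunk.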
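Review bot: `variable "ssl_policy"` accepts any string, so a typo or an empty value is only rejected by the AWS API at apply time; a `validation` block would reject it at plan time instead, e.g. `condition = can(regex("^ELBSecurityPolicy-", var.ssl_policy))` with an `error_message` naming the expected prefix. Variable validation needs Terraform 0.13 or newer; the Makefile in the third patch pins 0.14.11, so that looks compatible, but confirm the module's `required_version` if it declares one. The description could also say that the value presumably only takes effect when the HTTPS listener is created (`https_enabled` per the README) — verify against main.tf.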
diff --git a/main.tf b/main.tf
index 1cc79cb..1156554 100644
--- a/main.tf
+++ b/main.tf
@@ -198,7 +198,7 @@ resource "aws_lb_listener_rule" "this" {
 }
 }
 
- dynamic condition {
+ dynamic "condition" {
 for_each = lookup(each.value, "path_match", "*") != "*" ? [1] : []
 content {
 path_pattern {
@@ -207,7 +207,7 @@ resource "aws_lb_listener_rule" "this" {
 }
 }
 
- dynamic condition {
+ dynamic "condition" {
 for_each = lookup(each.value, "host_match", "*") != "*" ? [1] : []
 content {
 host_header {

From eff59c913a52248cb980838b42794958ce48d094 Mon Sep 17 00:00:00 2001
From: Dan Vaida
Date: Mon, 18 Oct 2021 11:13:45 +0300
Subject: [PATCH 3/3] Removes deprecated TF params and updates CI automation

---
 .gitignore | 2 +
 Makefile | 206 ++++++++++++++++++++++++------------
 README.md | 145 +++++++++++++++++++++----
 examples/complete/README.md | 15 +++
 4 files changed, 285 insertions(+), 83 deletions(-)

diff --git a/.gitignore b/.gitignore
index 1fef4ab..bd815bf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,5 @@
 
 # .tfvars files
 *.tfvars
+
+.terraform.lock.hcl
diff --git a/Makefile b/Makefile
index fa512b9..9e18263 100644
--- a/Makefile
+++ b/Makefile
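Review bot: Ignoring `.terraform.lock.hcl` means the provider versions and hashes that `terraform init` resolved are never committed, so every CI run and every consumer re-resolves providers and the build cannot notice a changed or replaced provider artefact. For a reusable module that is a common choice, since the consuming root module's lock file governs a deployment, but the `examples/*` directories that `make test` initialises are root modules and would benefit from a committed lock file so `init` checks against known hashes. If ignoring it is intentional, a comment next to the entry such as `# provider lock file is owned by the consuming root module` would record the decision.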
@@ -2,25 +2,52 @@ ifneq (,)
 .error This Makefile requires GNU Make.
 endif
 
-.PHONY: help gen lint test _gen-main _gen-examples _gen-modules _lint_files _lint_fmt _pull-tf _pull-tf-docs
+.PHONY: help gen lint test _gen-main _gen-examples _gen-modules _lint-files _lint-fmt _lint-json _pull-tf _pull-tfdocs _pull-fl _pull-jl
 
-CURRENT_DIR = $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
-TF_EXAMPLES = $(sort $(dir $(wildcard $(CURRENT_DIR)examples/*/)))
-TF_MODULES = $(sort $(dir $(wildcard $(CURRENT_DIR)modules/*/)))
+CURRENT_DIR = $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
+TF_EXAMPLES = $(sort $(dir $(wildcard $(CURRENT_DIR)examples/*/)))
+TF_MODULES = $(sort $(dir $(wildcard $(CURRENT_DIR)modules/*/)))
 
-TF_VERSION = light
-TF_DOCS_VERSION = 0.6.0
+# -------------------------------------------------------------------------------------------------
+# Container versions
+# -------------------------------------------------------------------------------------------------
+TF_VERSION = 0.14.11
+TFDOCS_VERSION = 0.10.1
+FL_VERSION = 0.4
+JL_VERSION = 1.6.0-0.5
+
+# -------------------------------------------------------------------------------------------------
+# Enable linter (file-lint, terraform fmt, jsonlint)
+# -------------------------------------------------------------------------------------------------
+LINT_FL_ENABLE = 1
+LINT_TF_ENABLE = 1
+LINT_JL_ENABLE = 1
+
+
+# -------------------------------------------------------------------------------------------------
+# terraform-docs defines
+# -------------------------------------------------------------------------------------------------
 # Adjust your delimiter here or overwrite via make arguments
 DELIM_START =
 DELIM_CLOSE =
+# What arguments to append to terraform-docs command
+TFDOCS_ARGS = --sort=false
+
+# -------------------------------------------------------------------------------------------------
+# Default target
+# 
-------------------------------------------------------------------------------------------------
 
 help:
- @echo "gen Generate terraform-docs output and replace in all README.md's"
+ @echo "gen Generate terraform-docs output and replace in README.md's"
 @echo "lint Static source code analysis"
 @echo "test Integration tests"
 
-gen: _pull-tf-docs
+
+# -------------------------------------------------------------------------------------------------
+# Standard targets
+# -------------------------------------------------------------------------------------------------
+gen: _pull-tfdocs
 @echo "################################################################################"
 @echo "# Terraform-docs generate"
 @echo "################################################################################"
@@ -28,9 +55,16 @@ gen: _pull-tf-docs
 @$(MAKE) --no-print-directory _gen-examples
 @$(MAKE) --no-print-directory _gen-modules
 
-lint: _pull-tf
- @$(MAKE) --no-print-directory _lint_files
- @$(MAKE) --no-print-directory _lint_fmt
+lint:
+ @if [ "$(LINT_FL_ENABLE)" = "1" ]; then \
+ $(MAKE) --no-print-directory _lint-files; \
+ fi
+ @if [ "$(LINT_TF_ENABLE)" = "1" ]; then \
+ $(MAKE) --no-print-directory _lint-fmt; \
+ fi
+ @if [ "$(LINT_JL_ENABLE)" = "1" ]; then \
+ $(MAKE) --no-print-directory _lint-json; \
+ fi
 
 test: _pull-tf
 @$(foreach example,\
@@ -43,7 +77,7 @@ test: _pull-tf
 echo "------------------------------------------------------------"; \
 echo "# Terraform init"; \
 echo "------------------------------------------------------------"; \
- if docker run -it --rm -v "$(CURRENT_DIR):/t" --workdir "$${DOCKER_PATH}" hashicorp/terraform:$(TF_VERSION) \
+ if docker run $$(tty -s && echo "-it" || echo) --rm -v "$(CURRENT_DIR):/t" --workdir "$${DOCKER_PATH}" hashicorp/terraform:$(TF_VERSION) \
 init \
 -verify-plugins=true \
 -lock=false \
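Review bot: The tool images are referenced by mutable tag only (`TF_VERSION = 0.14.11`, `TFDOCS_VERSION = 0.10.1`, `FL_VERSION = 0.4`, `JL_VERSION = 1.6.0-0.5`), so a re-pushed tag silently changes what `gen`, `lint` and `test` execute against the checkout. Pinning by digest makes the toolchain reproducible and verifiable; one form that keeps the knobs overridable is a per-tool image variable such as `TF_IMAGE = hashicorp/terraform@sha256:<digest>` used in the recipes in place of `hashicorp/terraform:$(TF_VERSION)`. Separately, `CURRENT_DIR`, `TF_EXAMPLES` and `TF_MODULES` keep the recursive `=` with `$(wildcard)`, so the globs are re-expanded on every reference; `:=` evaluates them once. The `gen` recipe continues past the end of the hunk.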
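Review bot: `$$(tty -s && echo "-it" || echo)` is repeated on every `docker run` line of this hunk and of the later `test`, `_gen-*` and `_lint-*` hunks; defining it once next to the version variables, e.g. `DOCKER_TTY = $$(tty -s && echo "-it" || echo)`, and writing `docker run $(DOCKER_TTY) --rm ...` keeps the recipes readable and gives one place to change the behaviour. Because the variable is recursive and the `$$` survives expansion, `tty -s` still runs in each recipe's shell, so the per-invocation decision is unchanged. The `test` recipe's `$(foreach …)` starts before and ends after this hunk.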
@@ -56,37 +90,85 @@ test: _pull-tf
 echo "OK"; \
 else \
 echo "Failed"; \
- docker run -it --rm -v "$(CURRENT_DIR):/t" --workdir "$${DOCKER_PATH}" --entrypoint=rm hashicorp/terraform:$(TF_VERSION) -rf .terraform/ || true; \
+ docker run $$(tty -s && echo "-it" || echo) --rm -v "$(CURRENT_DIR):/t" --workdir "$${DOCKER_PATH}" --entrypoint=rm hashicorp/terraform:$(TF_VERSION) -rf .terraform/ || true; \
 exit 1; \
 fi; \
 echo; \
 echo "------------------------------------------------------------"; \
 echo "# Terraform validate"; \
 echo "------------------------------------------------------------"; \
- if docker run -it --rm -v "$(CURRENT_DIR):/t" --workdir "$${DOCKER_PATH}" hashicorp/terraform:$(TF_VERSION) \
+ if docker run $$(tty -s && echo "-it" || echo) --rm -v "$(CURRENT_DIR):/t" --workdir "$${DOCKER_PATH}" hashicorp/terraform:$(TF_VERSION) \
 validate \
 $(ARGS) \
 .; then \
 echo "OK"; \
- docker run -it --rm -v "$(CURRENT_DIR):/t" --workdir "$${DOCKER_PATH}" --entrypoint=rm hashicorp/terraform:$(TF_VERSION) -rf .terraform/ || true; \
+ docker run $$(tty -s && echo "-it" || echo) --rm -v "$(CURRENT_DIR):/t" --workdir "$${DOCKER_PATH}" --entrypoint=rm hashicorp/terraform:$(TF_VERSION) -rf .terraform/ || true; \
 else \
 echo "Failed"; \
- docker run -it --rm -v "$(CURRENT_DIR):/t" --workdir "$${DOCKER_PATH}" --entrypoint=rm hashicorp/terraform:$(TF_VERSION) -rf .terraform/ || true; \
+ docker run $$(tty -s && echo "-it" || echo) --rm -v "$(CURRENT_DIR):/t" --workdir "$${DOCKER_PATH}" --entrypoint=rm hashicorp/terraform:$(TF_VERSION) -rf .terraform/ || true; \
 exit 1; \
 fi; \
 echo; \
 )
 
+
+# -------------------------------------------------------------------------------------------------
+# Helper Targets
+# -------------------------------------------------------------------------------------------------
 _gen-main:
 @echo "------------------------------------------------------------"
 @echo "# Main module"
 @echo "------------------------------------------------------------"
-
@if docker run --rm \
+ @if docker run $$(tty -s && echo "-it" || echo) --rm \
+ -v $(CURRENT_DIR):/data \
+ -e DELIM_START='' \
+ -e DELIM_CLOSE='' \
+ cytopia/terraform-docs:$(TFDOCS_VERSION) \
+ terraform-docs-replace --show-all=false --show header md tbl --indent 2 --sort README.md; then \
+ echo "OK"; \
+ else \
+ echo "Failed"; \
+ exit 1; \
+ fi
+ @if docker run $$(tty -s && echo "-it" || echo) --rm \
+ -v $(CURRENT_DIR):/data \
+ -e DELIM_START='' \
+ -e DELIM_CLOSE='' \
+ cytopia/terraform-docs:$(TFDOCS_VERSION) \
+ terraform-docs-replace --show-all=false --show providers md tbl --indent 2 --sort README.md; then \
+ echo "OK"; \
+ else \
+ echo "Failed"; \
+ exit 1; \
+ fi
+ @if docker run $$(tty -s && echo "-it" || echo) --rm \
+ -v $(CURRENT_DIR):/data \
+ -e DELIM_START='' \
+ -e DELIM_CLOSE='' \
+ cytopia/terraform-docs:$(TFDOCS_VERSION) \
+ terraform-docs-replace --show-all=false --show requirements md tbl --indent 2 --sort README.md; then \
+ echo "OK"; \
+ else \
+ echo "Failed"; \
+ exit 1; \
+ fi
+ @if docker run $$(tty -s && echo "-it" || echo) --rm \
 -v $(CURRENT_DIR):/data \
- -e DELIM_START='$(DELIM_START)' \
- -e DELIM_CLOSE='$(DELIM_CLOSE)' \
- cytopia/terraform-docs:$(TF_DOCS_VERSION) \
- terraform-docs-replace-012 --sort-inputs-by-required --with-aggregate-type-defaults md README.md; then \
+ -e DELIM_START='' \
+ -e DELIM_CLOSE='' \
+ cytopia/terraform-docs:$(TFDOCS_VERSION) \
+ terraform-docs-replace --show-all=false --show inputs md doc --indent 2 $(TFDOCS_ARGS) README.md; then \
+ echo "OK"; \
+ else \
+ echo "Failed"; \
+ exit 1; \
+ fi
+ @if docker run $$(tty -s && echo "-it" || echo) --rm \
+ -v $(CURRENT_DIR):/data \
+ -e DELIM_START='' \
+ -e DELIM_CLOSE='' \
+ cytopia/terraform-docs:$(TFDOCS_VERSION) \
+ terraform-docs-replace --show-all=false --show outputs md tbl --indent 2 --sort README.md; then \
 echo "OK"; \
 else \
 echo "Failed"; \
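Review bot: The five `docker run … terraform-docs-replace` blocks in the new `_gen-main` differ only in the section name and the formatter arguments, and four of them pass `--sort` while the `inputs` call passes `$(TFDOCS_ARGS)` (`--sort=false`); if that asymmetry is deliberate it deserves a comment, and either way a `define` template removes the copy-paste. The `DELIM_START`/`DELIM_CLOSE` values render as empty strings on this page; if they are per-section markers in the real file they become a third template argument. The `_gen-main` recipe continues past the end of the hunk.
```make
# $(1) = terraform-docs section, $(2) = formatter and its arguments
define tfdocs_replace
@if docker run $$(tty -s && echo "-it" || echo) --rm \
	-v $(CURRENT_DIR):/data \
	-e DELIM_START='' \
	-e DELIM_CLOSE='' \
	cytopia/terraform-docs:$(TFDOCS_VERSION) \
	terraform-docs-replace --show-all=false --show $(1) md $(2) README.md; then \
	echo "OK"; \
else \
	echo "Failed"; \
	exit 1; \
fi
endef

_gen-main:
	# … unchanged: banner echo lines …
	$(call tfdocs_replace,header,tbl --indent 2 --sort)
	$(call tfdocs_replace,providers,tbl --indent 2 --sort)
	$(call tfdocs_replace,requirements,tbl --indent 2 --sort)
	$(call tfdocs_replace,inputs,doc --indent 2 $(TFDOCS_ARGS))
	$(call tfdocs_replace,outputs,tbl --indent 2 --sort)
```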
@@ -100,13 +182,12 @@ _gen-examples:
 echo "------------------------------------------------------------"; \
 echo "# $${DOCKER_PATH}"; \
 echo "------------------------------------------------------------"; \
- if docker run --rm \
+ if docker run $$(tty -s && echo "-it" || echo) --rm \
 -v $(CURRENT_DIR):/data \
- --workdir "/data/$${DOCKER_PATH}" \
 -e DELIM_START='$(DELIM_START)' \
 -e DELIM_CLOSE='$(DELIM_CLOSE)' \
- cytopia/terraform-docs:$(TF_DOCS_VERSION) \
- terraform-docs-replace-012 --sort-inputs-by-required --with-aggregate-type-defaults md README.md; then \
+ cytopia/terraform-docs:$(TFDOCS_VERSION) \
+ terraform-docs-replace $(TFDOCS_ARGS) md $${DOCKER_PATH}/README.md; then \
 echo "OK"; \
 else \
 echo "Failed"; \
@@ -121,12 +202,12 @@ _gen-modules:
 echo "------------------------------------------------------------"; \
 echo "# $${DOCKER_PATH}"; \
 echo "------------------------------------------------------------"; \
- if docker run --rm \
+ if docker run $$(tty -s && echo "-it" || echo) --rm \
 -v $(CURRENT_DIR):/data \
 -e DELIM_START='$(DELIM_START)' \
 -e DELIM_CLOSE='$(DELIM_CLOSE)' \
- cytopia/terraform-docs:$(TF_DOCS_VERSION) \
- terraform-docs-replace-012 --sort-inputs-by-required --with-aggregate-type-defaults md README.md; then \
+ cytopia/terraform-docs:$(TFDOCS_VERSION) \
+ terraform-docs-replace $(TFDOCS_ARGS) md $${DOCKER_PATH}/README.md; then \
 echo "OK"; \
 else \
 echo "Failed"; \
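Review bot: In both hunks the bind mount stays unquoted, `-v $(CURRENT_DIR):/data \`, whereas the `test` and `_lint-fmt` recipes quote theirs as `"$(CURRENT_DIR):/t"`; a checkout path containing a space would split the argument here, so `-v "$(CURRENT_DIR):/data" \` keeps the Makefile consistent. The same applies to the `_gen-main` and `_lint-files` recipes in the neighbouring hunks. Both `$(foreach …)` loops start before and end after their hunks.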
@@ -134,41 +215,19 @@ _gen-modules: fi; \ ) -_lint_files: - @# Lint all non-binary files for trailing spaces +_lint-files: _pull-fl + @# Basic file linting @echo "################################################################################" - @echo "# Lint files" + @echo "# File-lint" @echo "################################################################################" - @echo - @echo "------------------------------------------------------------" - @echo "# Trailing spaces" - @echo "------------------------------------------------------------" - find . -type f -not \( -path "*/.git/*" -o -path "*/.github/*" -o -path "*/.terraform/*" \) -print0 \ - | xargs -0 -n1 grep -Il '' \ - | tr '\n' '\0' \ - | xargs -0 -n1 \ - sh -c 'if [ -f "$${1}" ]; then if LC_ALL=C grep --color=always -inHE "^.*[[:blank:]]+$$" "$${1}";then false; else true; fi; fi' -- - @echo - @echo "------------------------------------------------------------" - @echo "# Windows line feeds (CRLF)" - @echo "------------------------------------------------------------" - find . -type f -not \( -path "*/.git/*" -o -path "*/.github/*" -o -path "*/.terraform/*" \) -print0 \ - | xargs -0 -n1 grep -Il '' \ - | tr '\n' '\0' \ - | xargs -0 -n1 \ - sh -c 'if [ -f "$${1}" ]; then if file "$${1}" | grep --color=always -E "[[:space:]]CRLF[[:space:]].*line"; then false; else true; fi; fi' -- - @echo - @echo "------------------------------------------------------------" - @echo "# Single trailing newline" - @echo "------------------------------------------------------------" - find . -type f -not \( -path "*/.git/*" -o -path "*/.github/*" -o -path "*/.terraform/*" \) -print0 \ - | xargs -0 -n1 grep -Il '' \ - | tr '\n' '\0' \ - | xargs -0 -n1 \ - sh -c 'if [ -f "$${1}" ]; then if ! 
(tail -c 1 "$${1}" | grep -Eq "^$$" && tail -c 2 "$${1}" | grep -Eqv "^$$"); then echo "$${1}"; false; else true; fi; fi' --
- @echo
+ @docker run $$(tty -s && echo "-it" || echo) --rm -v $(CURRENT_DIR):/data cytopia/file-lint:$(FL_VERSION) file-cr --text --ignore '.git/,.github/,.terraform/' --path .
+ @docker run $$(tty -s && echo "-it" || echo) --rm -v $(CURRENT_DIR):/data cytopia/file-lint:$(FL_VERSION) file-crlf --text --ignore '.git/,.github/,.terraform/' --path .
+ @docker run $$(tty -s && echo "-it" || echo) --rm -v $(CURRENT_DIR):/data cytopia/file-lint:$(FL_VERSION) file-trailing-single-newline --text --ignore '.git/,.github/,.terraform/' --path .
+ @docker run $$(tty -s && echo "-it" || echo) --rm -v $(CURRENT_DIR):/data cytopia/file-lint:$(FL_VERSION) file-trailing-space --text --ignore '.git/,.github/,.terraform/' --path .
+ @docker run $$(tty -s && echo "-it" || echo) --rm -v $(CURRENT_DIR):/data cytopia/file-lint:$(FL_VERSION) file-utf8 --text --ignore '.git/,.github/,.terraform/' --path .
+ @docker run $$(tty -s && echo "-it" || echo) --rm -v $(CURRENT_DIR):/data cytopia/file-lint:$(FL_VERSION) file-utf8-bom --text --ignore '.git/,.github/,.terraform/' --path .
 
-_lint_fmt:
+_lint-fmt: _pull-tf
 @# Lint all Terraform files
 @echo "################################################################################"
 @echo "# Terraform fmt"
@@ -177,8 +236,8 @@ _lint_fmt:
 @echo "------------------------------------------------------------"
 @echo "# *.tf files"
 @echo "------------------------------------------------------------"
- @if docker run --rm -v "$(CURRENT_DIR):/t:ro" --workdir "/t" hashicorp/terraform:$(TF_VERSION) \
- fmt -check=true -diff=true -write=false -list=true /t; then \
+ @if docker run $$(tty -s && echo "-it" || echo) --rm -v "$(CURRENT_DIR):/t:ro" --workdir "/t" hashicorp/terraform:$(TF_VERSION) \
+ fmt -check=true -diff=true -write=false -list=true .; then \
 echo "OK"; \
 else \
 echo "Failed"; \
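Review bot: The six `cytopia/file-lint` runs in `_lint-files` only read the tree, yet each mounts the checkout read-write with `-v $(CURRENT_DIR):/data`; the `fmt` check in the following hunk and the new `_lint-json` recipe both use `:ro`, so `-v "$(CURRENT_DIR):/data:ro"` here gives the lint containers only the access they need. The ignore list `'.git/,.github/,.terraform/'` is also repeated on all six lines and would be easier to keep in sync as one variable, e.g. `FL_IGNORE_PATHS = .git/,.github/,.terraform/`. This hunk starts on the preceding source line.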
@@ -188,7 +247,7 @@ _lint_fmt:
 @echo "------------------------------------------------------------"
 @echo "# *.tfvars files"
 @echo "------------------------------------------------------------"
- @if docker run --rm --entrypoint=/bin/sh -v "$(CURRENT_DIR)/terraform:/t:ro" hashicorp/terraform:$(TF_VERSION) \
+ @if docker run $$(tty -s && echo "-it" || echo) --rm --entrypoint=/bin/sh -v "$(CURRENT_DIR):/t:ro" --workdir "/t" hashicorp/terraform:$(TF_VERSION) \
 -c "find . -name '*.tfvars' -type f -print0 | xargs -0 -n1 terraform fmt -check=true -write=false -diff=true -list=true"; then \
 echo "OK"; \
 else \
@@ -197,8 +256,25 @@ _lint_fmt:
 fi;
 @echo
 
+_lint-json: _pull-jl
+ @# Lint all JSON files
+ @echo "################################################################################"
+ @echo "# Jsonlint"
+ @echo "################################################################################"
+ @if docker run $$(tty -s && echo "-it" || echo) --rm -v "$(CURRENT_DIR):/data:ro" cytopia/jsonlint:$(JL_VERSION) \
+ -t ' ' -i '*.terraform/*' '*.json'; then \
+ echo "OK"; \
+ else \
+ echo "Failed"; \
+ exit 1; \
+ fi;
+ @echo
+
 _pull-tf:
 docker pull hashicorp/terraform:$(TF_VERSION)
 
-_pull-tf-docs:
- docker pull cytopia/terraform-docs:$(TF_DOCS_VERSION)
+_pull-tfdocs:
+ docker pull cytopia/terraform-docs:$(TFDOCS_VERSION)
+
+_pull-fl:
+ docker pull cytopia/file-lint:$(FL_VERSION)
diff --git a/README.md b/README.md
index ad6de56..99261b1 100644
--- a/README.md
+++ b/README.md
@@ -6,6 +6,11 @@ This Terraform module can create HTTP 301 and 302 redirects using the AWS Application Load Balancer + + + + + ## Usage ### alb_redirect module
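Review bot: `_lint-json: _pull-jl` names a prerequisite that this patch never defines — the hunk adds `_pull-tfdocs` and `_pull-fl` but no `_pull-jl`, even though the `.PHONY` line in the first Makefile hunk lists it. Unless `_pull-jl` exists after the end of this hunk, `make lint` (where `LINT_JL_ENABLE` defaults to `1`) stops with a "No rule to make target '_pull-jl'" error before any JSON is checked. The fix is the two-line target `_pull-jl:` / `docker pull cytopia/jsonlint:$(JL_VERSION)` mirroring `_pull-fl`.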
@@ -145,31 +150,135 @@ The following resources _CAN_ be created: - 2 HTTP Listeners ( HTTP / HTTPS) - 2 HTTP Listener Rules - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|:----:|:-----:|:-----:| -| name | The name used to interpolate into the resources created | string | n/a | yes | -| certificate\_arn | The arn of the certificate | string | `""` | no | -| cidr | The cidr used for the network | string | `"172.30.0.0/16"` | no | -| extra\_ssl\_certs | The extra ssl certifice arns applied to the SSL Listener | list(string) | `[]` | no | -| extra\_ssl\_certs\_count | The count of the extra_ssl_certs | number | `"0"` | no | -| https\_enabled | Do we enable https | bool | `"false"` | no | -| lb\_ip\_address\_type | The `ip_address_type` of the LB, either 'ipv4' or 'dualstack' in case ipv6 needs to be supported as well | string | `"ipv4"` | no | -| redirect\_rules | A list with maps populated with redirect rules | list(map(string)) | `[]` | no | -| response\_code | The default status code to return when no rules have been met | string | `"500"` | no | -| response\_message\_body | The default response message body in case no rules have been met | string | `"No match"` | no | -| ssl\_policy | Security policy used for front-end connections. | string | `"ELBSecurityPolicy-FS-1-2-Res-2020-10"` | no | -| tags | Extra tags to be applied to the resources | map(string) | `{}` | no | + +## Providers + +| Name | Version | +|------|---------| +| aws | n/a | + + + + +## Requirements + +No requirements. 
+ +' + + +## Required Inputs + +The following input variables are required: + +### name + +Description: The name used to interpolate into the resources created + +Type: `string` + +## Optional Inputs + +The following input variables are optional (have default values): + +### cidr + +Description: The cidr used for the network + +Type: `string` + +Default: `"172.30.0.0/16"` + +### tags + +Description: Extra tags to be applied to the resources + +Type: `map(string)` + +Default: `{}` + +### https\_enabled + +Description: Do we enable https + +Type: `bool` + +Default: `false` + +### certificate\_arn + +Description: The arn of the certificate + +Type: `string` + +Default: `""` + +### extra\_ssl\_certs + +Description: The extra ssl certifice arns applied to the SSL Listener + +Type: `list(string)` + +Default: `[]` + +### extra\_ssl\_certs\_count + +Description: The count of the extra\_ssl\_certs + +Type: `number` + +Default: `0` + +### redirect\_rules + +Description: A list with maps populated with redirect rules + +Type: `list(map(string))` + +Default: `[]` + +### lb\_ip\_address\_type + +Description: The `ip_address_type` of the LB, either 'ipv4' or 'dualstack' in case ipv6 needs to be supported as well + +Type: `string` + +Default: `"ipv4"` + +### response\_message\_body + +Description: The default response message body in case no rules have been met + +Type: `string` + +Default: `"No match"` + +### response\_code + +Description: The default status code to return when no rules have been met + +Type: `string` + +Default: `"500"` + +### ssl\_policy + +Description: Security policy used for front-end connections. + +Type: `string` + +Default: `"ELBSecurityPolicy-FS-1-2-Res-2020-10"` + + + ## Outputs | Name | Description | |------|-------------| | this\_lb\_dns\_name | Application Load Balancer fqdn | - + ## License diff --git a/examples/complete/README.md b/examples/complete/README.md index f65f762..705f0ca 100644 --- a/examples/complete/README.md 
+++ b/examples/complete/README.md
@@ -1,6 +1,21 @@
 # Example
 
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| tls | n/a |
+| aws | n/a |
+
+## Inputs
+
+No input.
+
 ## Outputs
 
 | Name | Description |