From b59b72091e21861dbc610e64c6e193d9f8accfc0 Mon Sep 17 00:00:00 2001 From: Rafal P | Raftech Date: Fri, 30 Aug 2024 13:41:15 +0200 Subject: [PATCH 1/7] adds initial setup for the repo --- .github/CODEOWNERS | 2 + .github/workflows/ci-checks-tf.yaml | 68 +++++++++++ .github/workflows/create-tag-and-release.yaml | 37 ++++++ .pre-commit-config.yaml | 11 ++ .terraform.lock.hcl | 25 ++++ README.md | 64 ++++++++++ asg.tf | 79 +++++++++++++ iam.tf | 91 +++++++++++++++ locals.tf | 15 +++ main.tf | 2 + outputs.tf | 0 sg.tf | 38 ++++++ variables.tf | 109 ++++++++++++++++++ versions.tf | 10 ++ 14 files changed, 551 insertions(+) create mode 100644 .github/CODEOWNERS create mode 100644 .github/workflows/ci-checks-tf.yaml create mode 100644 .github/workflows/create-tag-and-release.yaml create mode 100644 .pre-commit-config.yaml create mode 100644 .terraform.lock.hcl create mode 100644 README.md create mode 100644 asg.tf create mode 100644 iam.tf create mode 100644 locals.tf create mode 100644 main.tf create mode 100644 outputs.tf create mode 100644 sg.tf create mode 100644 variables.tf create mode 100644 versions.tf diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..c7b498d --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,2 @@ +# This team by definition owns the repository +* @Persgroep/team-platform diff --git a/.github/workflows/ci-checks-tf.yaml b/.github/workflows/ci-checks-tf.yaml new file mode 100644 index 0000000..e3a5d57 --- /dev/null +++ b/.github/workflows/ci-checks-tf.yaml 
@@ -0,0 +1,68 @@
+name: v1-ci-checks-tf
+
+on:
+ pull_request:
+ types: [opened, reopened, synchronize, labeled, unlabeled]
+
+permissions:
+ id-token: write
+ contents: write
+ pull-requests: write
+
+
+jobs:
+ pre-commit:
+ runs-on: ubuntu-latest
+ container: ghcr.io/antonbabenko/pre-commit-terraform:v1.79.1
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: 'pre-commit::add-github-repo-safe'
+ run: |
+ git config --global --add safe.directory $GITHUB_WORKSPACE
+
+ - name: 'pre-commit::run-all-checks'
+ run: |
+ pre-commit run -a --show-diff-on-failure -v
+
+ module-required-files:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: 'tf-module::check-required-files'
+ id: check_files
+ uses: andstor/file-existence-action@v2
+ with:
+ files: "variables.tf, main.tf, README.md, versions.tf"
+ fail: true
+
+ label-required-semver:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'pr::check-required-semver'
+ uses: docker://agilepathway/pull-request-label-checker:latest
+ with:
+ prefix_mode: true
+ one_of: "release/" # patch , minor , major
+ repo_token: ${{ secrets.GITHUB_TOKEN }}
+
+ label-required-pr-type:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'pr::check-required-pr-type'
+ uses: docker://agilepathway/pull-request-label-checker:latest
+ with:
+ any_of: bug,enhancement,documentation,security
+ repo_token: ${{ secrets.GITHUB_TOKEN }}
+
+ label-do-not-merge:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'pr::check-required-semver'
+ uses: docker://agilepathway/pull-request-label-checker:latest
+ with:
+ none_of: do-not-merge
+ repo_token: ${{ secrets.GITHUB_TOKEN }}
+
+
diff --git a/.github/workflows/create-tag-and-release.yaml b/.github/workflows/create-tag-and-release.yaml
new file mode 100644
index 0000000..354162e
--- /dev/null
+++ b/.github/workflows/create-tag-and-release.yaml
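Review bot: The workflow-level `permissions` block grants `id-token: write`, `contents: write` and `pull-requests: write` to all five jobs, yet nothing visible needs more than read: checkout and the file-existence check read the tree, and the label-checker steps only inspect PR labels with `secrets.GITHUB_TOKEN`. On a `pull_request` trigger the least-privilege form is `permissions:` / `contents: read` / `pull-requests: read` with `id-token` omitted (confirm the label checker does not also post a status, which would need `statuses: write`). `docker://agilepathway/pull-request-label-checker:latest` and the major-tag pins `actions/checkout@v3` and `andstor/file-existence-action@v2` are mutable references, so the checks can change without a commit to this repo; a digest or commit SHA pin makes them reproducible. The `label-do-not-merge` step reuses the name `'pr::check-required-semver'` from the semver job, which reads like a copy-paste slip; `'pr::check-do-not-merge'` would identify it correctly in the run log.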
@@ -0,0 +1,37 @@
+name: v1-func-create-tag-and-release
+
+on:
+ pull_request:
+ types: [closed]
+
+jobs:
+ create-new-release:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - uses: actions-ecosystem/action-release-label@v1
+ id: release-label
+ if: ${{ github.event.pull_request.merged == true }}
+
+ - uses: actions-ecosystem/action-get-latest-tag@v1
+ id: get-latest-tag
+ if: ${{ steps.release-label.outputs.level != null }}
+
+ - uses: actions-ecosystem/action-bump-semver@v1
+ id: bump-semver
+ if: ${{ steps.release-label.outputs.level != null }}
+ with:
+ current_version: ${{ steps.get-latest-tag.outputs.tag }}
+ level: ${{ steps.release-label.outputs.level }}
+
+ - uses: actions-ecosystem/action-push-tag@v1
+ if: ${{ steps.release-label.outputs.level != null }}
+ with:
+ tag: ${{ steps.bump-semver.outputs.new_version }}
+ message: '${{ steps.bump-semver.outputs.new_version }}: PR #${{ github.event.pull_request.number }} ${{ github.event.pull_request.title }}'
+
+ - name: 'gh::release'
+ if: ${{ steps.release-label.outputs.level != null }}
+ uses: softprops/action-gh-release@v1
+ with:
+ tag_name: ${{ steps.bump-semver.outputs.new_version }}
\ No newline at end of file
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..94c8f54
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,11 @@
+repos:
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.81.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+ hooks:
+ - id: terraform_validate
+ - id: terraform_fmt
+ - id: terraform_docs
+ args:
+ - --hook-config=--path-to-file=README.md # Valid UNIX path. I.e. ../TFDOC.md or docs/README.md etc.
+ - --hook-config=--add-to-existing-file=true # Boolean. true or false
+ - --hook-config=--create-file-if-not-exist=true # Boolean. true or false
\ No newline at end of file
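Review bot: No `permissions` block is declared, so `create-new-release` runs with whatever the repository's default `GITHUB_TOKEN` scope is, while `actions-ecosystem/action-push-tag@v1` and `softprops/action-gh-release@v1` need `contents: write` to push the tag and create the release; declaring `permissions:` / `contents: write` at job level makes that requirement explicit and leaves every other scope at read (whether the default is currently read-all or write-all is not visible here). The `merged == true` guard sits only on the `release-label` step and the later steps key off `steps.release-label.outputs.level != null`, so a closed-but-unmerged PR still checks out the repo and evaluates four conditions; a job-level `if: github.event.pull_request.merged == true` skips the whole job instead. As in `ci-checks-tf.yaml`, every action is pinned to a floating major tag, and a workflow that writes tags and releases is the one most worth pinning to a commit SHA.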
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl new file mode 100644 index 0000000..cebb6a7 --- /dev/null +++ b/.terraform.lock.hcl @@ -0,0 +1,25 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.65.0" + constraints = ">= 4.0.0, >= 4.57.0, >= 5.59.0" + hashes = [ + "h1:OG8xMZjGZL/OtEV9OwX0CTPcUzvSfcfiB0X9lcs2joY=", + "zh:036f8557c8c9b58656e1ec08ed5702e44bd338fda17dc4b2add40b234102e29a", + "zh:0ba0708ece98735540070899a916b7a90c5c887be31ffd693ee1359e40245978", + "zh:12d82a82ae0e3bc580f2be961078e89d129e12df7dd82a6ec610a2b945bba1a4", + "zh:1ed0ee17df8807aef64976e2a4276d2a3e1d54efeae2a86f596d12eccb94dc83", + "zh:36b7c61a83d24f612156b4648027ba8bd5727f0ed57183cbad0e6c93b7503aa2", + "zh:496d06a089b1bc8d60995e8dddfe1d87c605a208f377a60b17987e89381dafda", + "zh:4e9aba435994589befe4279927c71a461a52e6cd96b8f0437295c18c50f6baff", + "zh:71134031288a312db1804d4798b10f106a843c36aafd7b8fe8f4859156d7df93", + "zh:748d0dbdfbe8df4b516a09b23b3981c19cef9a255c1ca0187e84ab424e6bd845", + "zh:783541ff77f4e7c74c817e0e2989ebdb45dd6e2c9853a8cccbcf5f1976736a76", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:af3f080975d5ed79917b8238cc0ae3150da688bc89e12dcc3ee85134b29857d0", + "zh:ec542372c3ffbfc3df6966f77357f8af7319d4bd956ff8e9fde0bbd124352e34", + "zh:f3dc7b2b5b55173207c2fd35ed6bb8cc66b06af777e221060ca2f0c0afdecbb5", + "zh:f9631ecc21d6e5cf82ef6ef8d14c39e1dfb2a52cc8f0abb684311885ffdb79a1", + ] +} diff --git a/README.md b/README.md new file mode 100644 index 0000000..c06bef7 --- /dev/null +++ b/README.md 
@@ -0,0 +1,64 @@ +# terraform-aws-proxy +Repository containing code for terraform-aws-proxy + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >=1.0.0, <2.0 | +| [aws](#requirement\_aws) | >= 5.59 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 5.65.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [asg](#module\_asg) | terraform-aws-modules/autoscaling/aws | v6.10.0 | +| [iam\_assumable\_role\_ssm](#module\_iam\_assumable\_role\_ssm) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | v5.44.0 | +| [iam\_policy\_ssm\_connect](#module\_iam\_policy\_ssm\_connect) | terraform-aws-modules/iam/aws//modules/iam-policy | v5.30.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group_rule.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_ami.amazon_linux](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [additional\_iam\_policies](#input\_additional\_iam\_policies) | List of additional IAM 
policies to attach to the role | `list(string)` | `[]` | no | +| [allow\_self\_assume\_role](#input\_allow\_self\_assume\_role) | Controls if the role allows self-assume or not | `bool` | `true` | no | +| [ami\_filter](#input\_ami\_filter) | Defines query params for AMI |
object({
filter_name = string,
owner = string,
})
|
{
"filter_name": "amzn2-ami-kernel-5.10-hvm-2.0.20220912.1-x86_64-gp2",
"owner": "137112412989"
}
| no | +| [app\_name](#input\_app\_name) | Name of the application | `string` | `"ssm-proxy"` | no | +| [create](#input\_create) | Controls if the resources are created or not | `bool` | n/a | yes | +| [create\_instance\_profile](#input\_create\_instance\_profile) | Controls if the instance profile is created or not | `bool` | `true` | no | +| [create\_role](#input\_create\_role) | Controls if the role is created or not | `bool` | `true` | no | +| [environment](#input\_environment) | Name of the environment (i.e.: prd, acc, dev, test) | `string` | n/a | yes | +| [instance\_type](#input\_instance\_type) | The type of instance to start | `string` | `"t3.micro"` | no | +| [project](#input\_project) | Name of the project | `string` | n/a | yes | +| [role\_requires\_mfa](#input\_role\_requires\_mfa) | Controls if the role requires MFA or not | `bool` | `false` | no | +| [schedules](#input\_schedules) | Map of schedules to add to the autoscaling group | `any` | `{}` | no | +| [security\_group\_rules](#input\_security\_group\_rules) | Map of security group rules to add to the ec2 security group instance | `any` | `{}` | no | +| [tags](#input\_tags) | A map of tags to add to all resources created by this module | `map(string)` | `{}` | no | +| [user\_data](#input\_user\_data) | User data to be used in the EC2 instance | `string` | `""` | no | +| [vpc\_id](#input\_vpc\_id) | VPC id where the resources will be deployed | `string` | n/a | yes | +| [vpc\_zone\_identifier](#input\_vpc\_zone\_identifier) | A list of subnet IDs to launch resources in ( ASG ) | `list(string)` | `[]` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [iam\_policy](#output\_iam\_policy) | n/a | + diff --git a/asg.tf b/asg.tf new file mode 100644 index 0000000..3250c2a --- /dev/null +++ b/asg.tf 
@@ -0,0 +1,79 @@ +locals { + user_data = var.user_data != "" ? var.user_data : <<-EOT + #!/bin/bash + echo "Hello Terraform!" + EOT +} + +data "aws_ami" "amazon_linux" { + most_recent = true + + filter { + name = "name" + values = [var.ami_filter.filter_name] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } + + owners = [var.ami_filter.owner] # the current account +} + +module "asg" { + source = "terraform-aws-modules/autoscaling/aws" + version = "v6.10.0" + + # Autoscaling group + name = local.full_service_name + + vpc_zone_identifier = var.vpc_zone_identifier # module.vpc.private_subnets + + min_size = 0 + max_size = 3 + desired_capacity = 1 + + # Launch template + create_launch_template = true + launch_template_name = local.full_service_name + launch_template_description = "Launch template for SSM proxy hosts" + update_default_version = true + image_id = data.aws_ami.amazon_linux.id + instance_type = var.instance_type # "t3.micro" + user_data = base64encode(local.user_data) + + + # instance profile setup + create_iam_instance_profile = false # as we need to use our own precreated instance profile + iam_instance_profile_arn = module.iam_assumable_role_ssm.iam_instance_profile_arn + + # Security setup + security_groups = [aws_security_group.this.id] + + # Autoscaling Schedule + schedules = var.schedules + + # tags + tag_specifications = [ + { + resource_type = "instance" + tags = local.tags_app_module + }, + { + resource_type = "volume" + tags = local.tags_app_module + }, + # { + # resource_type = "spot-instances-request" + # tags = merge({ WhatAmI = "SpotInstanceRequest" }) + # } + ] + + tags = merge( + {}, + local.tags_app_module + ) +} + + diff --git a/iam.tf b/iam.tf new file mode 100644 index 0000000..4fd7dd0 --- /dev/null +++ b/iam.tf 
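Review bot: The launch template sets no `metadata_options`, so the credentials of the role attached via `iam_instance_profile_arn` are obtainable through IMDSv1 on the proxy hosts; passing `metadata_options = { http_endpoint = "enabled", http_tokens = "required", http_put_response_hop_limit = 1 }` to the `asg` module enforces IMDSv2 (confirm the input name against the v6.10.0 module docs). The comment `# the current account` on `owners = [var.ami_filter.owner]` is misleading because the default owner `137112412989` in `variables.tf` is Amazon's account for the Amazon Linux AMIs, not the calling account; `# AMI owner account, defaults to Amazon's Amazon Linux publisher` describes it. `min_size`, `max_size` and `desired_capacity` are hard-coded to 0/3/1 while the neighbouring settings come from variables, so exposing them as inputs with those defaults would keep the module consistent. The default `user_data` only echoes a greeting, which is fine as a placeholder but should be stated in the `user_data` variable description.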
@@ -0,0 +1,91 @@ +module "iam_assumable_role_ssm" { + source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role" + version = "v5.44.0" + + create_role = var.create_role + create_instance_profile = var.create_instance_profile + + + role_name = "${local.full_service_name}-role" + role_description = "IAM Role for ${local.full_service_name}" + + role_requires_mfa = var.role_requires_mfa + + # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/ + allow_self_assume_role = var.allow_self_assume_role + + trusted_role_services = [ + "ec2.amazonaws.com" + ] + + custom_role_policy_arns = concat( + var.additional_iam_policies, + [ + "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" + ] + ) + + tags = merge( + { + }, + local.tags_app_module + ) + +} + + +data "aws_iam_policy_document" "this" { + statement { + sid = "AllowStartSessionForEnv" + effect = "Allow" + actions = ["ssm:StartSession"] + resources = ["arn:aws:ec2:*:*:instance/*"] + condition { + test = "StringEquals" + variable = "aws:ResourceTag/environment" + values = var.environment == "prd" ? 
["prd"] : ["tst", "dev", "acc", "qa", "prv", "stg", "qas"] + } + } + + statement { + sid = "AllowPortForwardingViaDocument" + effect = "Allow" + actions = ["ssm:StartSession"] + resources = ["arn:aws:ssm:*:*:document/AWS-StartPortForwardingSessionToRemoteHost"] + } + + statement { + sid = "AllowResumeAndTerminateSession" + effect = "Allow" + actions = ["ssm:ResumeSession", "ssm:TerminateSession"] + resources = ["arn:aws:ssm:*:*:session/*"] + } +} + +module "iam_policy_ssm_connect" { + source = "terraform-aws-modules/iam/aws//modules/iam-policy" + version = "v5.30.0" + + name = "${local.full_service_name}-default" + path = "/" + description = "IAM Policy for establishing ssm connection" + + policy = data.aws_iam_policy_document.this.json + + tags = merge( + { + }, + local.tags_app_module + ) +} + +output "iam_policy" { + value = { + "default" : { + "id" : module.iam_policy_ssm_connect.id, + "arn" : module.iam_policy_ssm_connect.arn, + "name" : module.iam_policy_ssm_connect.name, + "path" : module.iam_policy_ssm_connect.path, + } + } +} diff --git a/locals.tf b/locals.tf new file mode 100644 index 0000000..8481cbe --- /dev/null +++ b/locals.tf @@ -0,0 +1,15 @@ +locals { + resource_prefix = "${var.project}-${var.environment}" # computed naming standard convention for all resources + + full_service_name = "${local.resource_prefix}-${var.app_name}" # abc-prod-ssm-proxy + + tags_app_module = merge( + var.tags, # Tags coming from calling TF + local.tags_module # Tags locally added + ) + + ssm_app_path = "/app/${var.environment}/${var.project}-${var.app_name}" + + tags_module = { + } +} \ No newline at end of file diff --git a/main.tf b/main.tf new file mode 100644 index 0000000..d8b9200 --- /dev/null +++ b/main.tf @@ -0,0 +1,2 @@ +data "aws_caller_identity" "current" {} +data "aws_region" "current" {} \ No newline at end of file diff --git a/outputs.tf b/outputs.tf new file mode 100644 index 0000000..e69de29 
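Review bot: The `AllowStartSessionForEnv` statement in `data.aws_iam_policy_document.this` grants `ssm:StartSession` on tagged instances without an `ssm:SessionDocumentAccessCheck` condition, so Session Manager never consults the separate `AllowPortForwardingViaDocument` statement and a holder of this policy can open an ordinary shell session on those instances rather than only the port-forwarding document. Adding a `BoolIfExists` condition on `ssm:SessionDocumentAccessCheck` to the instance statement makes the document statement the effective allow-list. `AllowResumeAndTerminateSession` on `arn:aws:ssm:*:*:session/*` also lets a caller terminate other users' sessions; AWS's documented pattern scopes it to the caller's own sessions with `session/$${aws:username}-*` (`$$` is the Terraform escape; for federated identities the docs use `aws:userid`). Two smaller points: the non-prd tag list includes `qa`, which the `environment` validation in `variables.tf` never accepts, and `arn:aws:ec2:*:*:instance/*` spans all accounts where scoping to the deploying account would be tighter.
```hcl
data "aws_iam_policy_document" "this" {
  statement {
    sid       = "AllowStartSessionForEnv"
    effect    = "Allow"
    actions   = ["ssm:StartSession"]
    resources = ["arn:aws:ec2:*:*:instance/*"]
    # … unchanged: StringEquals condition on aws:ResourceTag/environment …
    # Without this condition Session Manager skips the document check, so the
    # port-forwarding statement below would not be the only document allowed.
    condition {
      test     = "BoolIfExists"
      variable = "ssm:SessionDocumentAccessCheck"
      values   = ["true"]
    }
  }

  # … unchanged: AllowPortForwardingViaDocument statement …

  statement {
    sid       = "AllowResumeAndTerminateSession"
    effect    = "Allow"
    actions   = ["ssm:ResumeSession", "ssm:TerminateSession"]
    # Only the caller's own sessions; "$$" escapes the IAM policy variable in Terraform.
    resources = ["arn:aws:ssm:*:*:session/$${aws:username}-*"]
  }
}
```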
diff --git a/sg.tf b/sg.tf new file mode 100644 index 0000000..2d5021d --- /dev/null +++ b/sg.tf @@ -0,0 +1,38 @@ +resource "aws_security_group" "this" { + + description = "Security group allowing access to resources via AWS SSM" + vpc_id = var.vpc_id + name = local.full_service_name + + tags = local.tags_app_module +} + +resource "aws_security_group_rule" "default" { + + type = "egress" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + description = "To reach SSM required endpoints" + security_group_id = aws_security_group.this.id + +} + + +resource "aws_security_group_rule" "this" { + for_each = { for k, v in var.security_group_rules : k => v } + + type = try(each.value.type, "ingress") + from_port = try(each.value.from_port, "443") + to_port = try(each.value.to_port, "443") + protocol = try(each.value.protocol, "tcp") + security_group_id = aws_security_group.this.id + + # optional + cidr_blocks = try(each.value.cidr_blocks, null) + description = try(each.value.description, null) + ipv6_cidr_blocks = try(each.value.ipv6_cidr_blocks, null) + prefix_list_ids = try(each.value.prefix_list_ids, null) + source_security_group_id = try(each.value.source_security_group_id, null) +} diff --git a/variables.tf b/variables.tf new file mode 100644 index 0000000..8e5821f --- /dev/null +++ b/variables.tf 
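Review bot: `from_port = try(each.value.from_port, "443")` and `to_port = try(each.value.to_port, "443")` fall back to string literals for numeric attributes; Terraform converts them, but `443` matches the attribute type and the literal already used by `aws_security_group_rule.default`. `for_each = { for k, v in var.security_group_rules : k => v }` copies the map unchanged, so `for_each = var.security_group_rules` expresses the same thing; because the variable is `type = any`, a non-map value is only caught at plan time either way. The default egress rule opens 443 to `0.0.0.0/0`; where the VPC has SSM/EC2 Messages interface endpoints, pointing the rule at the endpoints' security group keeps the proxy host from reaching arbitrary internet hosts, and if the wide rule is intentional a comment such as `# 0.0.0.0/0 is needed only when SSM endpoints are reached via NAT/IGW` records that.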
@@ -0,0 +1,109 @@ +variable "app_name" { + description = "Name of the application" + type = string + default = "ssm-proxy" +} + +variable "create" { + type = bool + description = "Controls if the resources are created or not" +} + +variable "project" { + type = string + description = "Name of the project" +} + +variable "environment" { + type = string + description = "Name of the environment (i.e.: prd, acc, dev, test)" + validation { + condition = contains(["prd", "acc", "dev", "tst", "prv", "stg", "qas"], var.environment) + error_message = "The environment needs to be in prod, acc, dev, test, preview." + } +} + +variable "tags" { + type = map(string) + description = "A map of tags to add to all resources created by this module" + default = {} +} + +variable "vpc_id" { + type = string + description = "VPC id where the resources will be deployed" +} +variable "vpc_zone_identifier" { + description = "A list of subnet IDs to launch resources in ( ASG )" + type = list(string) + default = [] +} + +variable "create_role" { + type = bool + description = "Controls if the role is created or not" + default = true +} + +variable "create_instance_profile" { + type = bool + description = "Controls if the instance profile is created or not" + default = true +} + + +variable "role_requires_mfa" { + type = bool + description = "Controls if the role requires MFA or not" + default = false +} + +variable "instance_type" { + type = string + description = "The type of instance to start" + default = "t3.micro" +} + +variable "allow_self_assume_role" { + type = bool + description = "Controls if the role allows self-assume or not" + default = true +} + +variable "ami_filter" { + type = object({ + filter_name = string, + owner = string, + }) + + default = { + filter_name = "amzn2-ami-kernel-5.10-hvm-2.0.20220912.1-x86_64-gp2" + owner = "137112412989" + } + + description = "Defines query params for AMI" +} + +variable "security_group_rules" { + description = "Map of security group rules to 
add to the ec2 security group instance" + type = any + default = {} +} + +variable "user_data" { + description = "User data to be used in the EC2 instance" + type = string + default = "" +} + +variable "schedules" { + description = "Map of schedules to add to the autoscaling group" + type = any + default = {} +} + +variable "additional_iam_policies" { + description = "List of additional IAM policies to attach to the role" + type = list(string) + default = [] +} \ No newline at end of file diff --git a/versions.tf b/versions.tf new file mode 100644 index 0000000..10f8ce2 --- /dev/null +++ b/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_version = ">=1.0.0, <2.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 5.59" + } + } +} \ No newline at end of file From 526e957aa5ed4c73a012a43dd81953a11239471e Mon Sep 17 00:00:00 2001 From: Rafal P | Raftech Date: Fri, 30 Aug 2024 13:49:49 +0200 Subject: [PATCH 2/7] update lock file --- .terraform.lock.hcl | 33 +++++++++++++++------------------ 1 file changed, 15 insertions(+), 18 deletions(-) diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl index cebb6a7..112a886 100644 --- a/.terraform.lock.hcl +++ b/.terraform.lock.hcl 
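Review bot: `variable "environment"` validates against `["prd", "acc", "dev", "tst", "prv", "stg", "qas"]`, but its `error_message` names "prod, acc, dev, test, preview" and the description says "prd, acc, dev, test", so a caller who follows either text is rejected; `error_message = "The environment must be one of: prd, acc, dev, tst, prv, stg, qas."` and the same list in the description keep the three in step. `security_group_rules` and `schedules` are typed `any`, which defers every shape error to the `for_each` in `sg.tf` and the `asg` module; `map(any)` at least documents that a map is expected. The policy document in `iam.tf` also matches an `environment` tag value of `qa`, which this validation never produces.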
@@ -1,25 +1,22 @@ -# This file is maintained automatically by "terraform init". +# This file is maintained automatically by "tofu init". # Manual edits may be lost in future updates. -provider "registry.terraform.io/hashicorp/aws" { +provider "registry.opentofu.org/hashicorp/aws" { version = "5.65.0" constraints = ">= 4.0.0, >= 4.57.0, >= 5.59.0" hashes = [ - "h1:OG8xMZjGZL/OtEV9OwX0CTPcUzvSfcfiB0X9lcs2joY=", - "zh:036f8557c8c9b58656e1ec08ed5702e44bd338fda17dc4b2add40b234102e29a", - "zh:0ba0708ece98735540070899a916b7a90c5c887be31ffd693ee1359e40245978", - "zh:12d82a82ae0e3bc580f2be961078e89d129e12df7dd82a6ec610a2b945bba1a4", - "zh:1ed0ee17df8807aef64976e2a4276d2a3e1d54efeae2a86f596d12eccb94dc83", - "zh:36b7c61a83d24f612156b4648027ba8bd5727f0ed57183cbad0e6c93b7503aa2", - "zh:496d06a089b1bc8d60995e8dddfe1d87c605a208f377a60b17987e89381dafda", - "zh:4e9aba435994589befe4279927c71a461a52e6cd96b8f0437295c18c50f6baff", - "zh:71134031288a312db1804d4798b10f106a843c36aafd7b8fe8f4859156d7df93", - "zh:748d0dbdfbe8df4b516a09b23b3981c19cef9a255c1ca0187e84ab424e6bd845", - "zh:783541ff77f4e7c74c817e0e2989ebdb45dd6e2c9853a8cccbcf5f1976736a76", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:af3f080975d5ed79917b8238cc0ae3150da688bc89e12dcc3ee85134b29857d0", - "zh:ec542372c3ffbfc3df6966f77357f8af7319d4bd956ff8e9fde0bbd124352e34", - "zh:f3dc7b2b5b55173207c2fd35ed6bb8cc66b06af777e221060ca2f0c0afdecbb5", - "zh:f9631ecc21d6e5cf82ef6ef8d14c39e1dfb2a52cc8f0abb684311885ffdb79a1", + "h1:/sP96T8BtmiEK8ku/9Idt6wvvLrC1g5rWw+AyTPwVB4=", + "h1:GcMGRKRfY6sJqoWoFN/rCRT2XUnKyX3e5LUYPNKfmYg=", + "h1:nT0VS72bhbIBkPFSwEjiCFeN6NAiVVJ0TBjmGmFLoQw=", + "zh:15cb1116168255f15c8ba0bbdea3c3d15d4e1af8f05dad81c4df72f973792e73", + "zh:39157802cfcc55d2940150f2e29f3df80903bfaff57e04d8a445b59febaae43c", + "zh:490d9e0185b3a4d4c4808f5f1ed317dffe1aebab8c89b2cdde82c27b25112254", + "zh:539182c184bae1b51819ae21b72853404904c0004e54311266b1801cb7ac2088", + 
"zh:797bb51e72ac12020c67bb8a68f234faa1756f07fb3d74583a899b3fe0c82fc0", + "zh:8bf337c34dfda9031e44beb52c5b8c19d164e8560b40d771b13eb5e6493faa40", + "zh:99539be3efbfea97f7eae7aecba3825a8591f9e933591b8a5c6fdc4539d5ca91", + "zh:a255b97db8c6c3801e93c000f16eb5a25d40c05f2dc88e89b0ad61b71fa7b19c", + "zh:b4d4a1f433ac0d95bab2e538a824788defdc57144c5a252fc895b4358efefaac", + "zh:f40ff9b8ee7677adb1d340afc0a749a846439110fa0a00457e54a674a6d5705e", ] } From 816ae0f0babc25833e174202269b1f45a64c74e1 Mon Sep 17 00:00:00 2001 From: Rafal P | Raftech Date: Fri, 30 Aug 2024 14:22:35 +0200 Subject: [PATCH 3/7] update validations and linting --- .pre-commit-config.yaml | 35 +++++++++++++++++++++++++---------- .terraform.lock.hcl | 35 +++++++++++++++++++---------------- README.md | 19 ++++++++----------- iam.tf | 11 ----------- locals.tf | 2 -- main.tf | 2 -- outputs.tf | 11 +++++++++++ variables.tf | 5 ----- versions.tf | 2 +- 9 files changed, 64 insertions(+), 58 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 94c8f54..3abac9e 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -1,11 +1,26 @@ repos: -- repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.81.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases - hooks: - - id: terraform_validate - - id: terraform_fmt - - id: terraform_docs - args: - - --hook-config=--path-to-file=README.md # Valid UNIX path. I.e. ../TFDOC.md or docs/README.md etc. - - --hook-config=--add-to-existing-file=true # Boolean. true or false - - --hook-config=--create-file-if-not-exist=true # Boolean. true or false \ No newline at end of file + - repo: https://github.com/antonbabenko/pre-commit-terraform + rev: v1.81.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases + hooks: + - id: terraform_validate + args: + - --hook-config=--retry-once-with-cleanup=true # Boolean. true or false + - id: terraform_fmt + - id: terraform_docs + args: + - '--args=--lockfile=false' + - id: terraform_tflint + args: + - '--args=--only=terraform_deprecated_interpolation' + - '--args=--only=terraform_deprecated_index' + - '--args=--only=terraform_unused_declarations' + - '--args=--only=terraform_comment_syntax' + - '--args=--only=terraform_documented_outputs' + - '--args=--only=terraform_documented_variables' + - '--args=--only=terraform_typed_variables' + - '--args=--only=terraform_module_pinned_source' + - '--args=--only=terraform_naming_convention' + - '--args=--only=terraform_required_version' + - '--args=--only=terraform_required_providers' + - '--args=--only=terraform_standard_module_structure' + - '--args=--only=terraform_workspace_remote' \ No newline at end of file diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl index 112a886..aa4e390 100644 --- a/.terraform.lock.hcl +++ b/.terraform.lock.hcl 
@@ -1,22 +1,25 @@ -# This file is maintained automatically by "tofu init". +# This file is maintained automatically by "terraform init". # Manual edits may be lost in future updates. -provider "registry.opentofu.org/hashicorp/aws" { +provider "registry.terraform.io/hashicorp/aws" { version = "5.65.0" - constraints = ">= 4.0.0, >= 4.57.0, >= 5.59.0" + constraints = ">= 4.0.0, >= 4.57.0, 5.65.0" hashes = [ - "h1:/sP96T8BtmiEK8ku/9Idt6wvvLrC1g5rWw+AyTPwVB4=", - "h1:GcMGRKRfY6sJqoWoFN/rCRT2XUnKyX3e5LUYPNKfmYg=", - "h1:nT0VS72bhbIBkPFSwEjiCFeN6NAiVVJ0TBjmGmFLoQw=", - "zh:15cb1116168255f15c8ba0bbdea3c3d15d4e1af8f05dad81c4df72f973792e73", - "zh:39157802cfcc55d2940150f2e29f3df80903bfaff57e04d8a445b59febaae43c", - "zh:490d9e0185b3a4d4c4808f5f1ed317dffe1aebab8c89b2cdde82c27b25112254", - "zh:539182c184bae1b51819ae21b72853404904c0004e54311266b1801cb7ac2088", - "zh:797bb51e72ac12020c67bb8a68f234faa1756f07fb3d74583a899b3fe0c82fc0", - "zh:8bf337c34dfda9031e44beb52c5b8c19d164e8560b40d771b13eb5e6493faa40", - "zh:99539be3efbfea97f7eae7aecba3825a8591f9e933591b8a5c6fdc4539d5ca91", - "zh:a255b97db8c6c3801e93c000f16eb5a25d40c05f2dc88e89b0ad61b71fa7b19c", - "zh:b4d4a1f433ac0d95bab2e538a824788defdc57144c5a252fc895b4358efefaac", - "zh:f40ff9b8ee7677adb1d340afc0a749a846439110fa0a00457e54a674a6d5705e", + "h1:OG8xMZjGZL/OtEV9OwX0CTPcUzvSfcfiB0X9lcs2joY=", + "zh:036f8557c8c9b58656e1ec08ed5702e44bd338fda17dc4b2add40b234102e29a", + "zh:0ba0708ece98735540070899a916b7a90c5c887be31ffd693ee1359e40245978", + "zh:12d82a82ae0e3bc580f2be961078e89d129e12df7dd82a6ec610a2b945bba1a4", + "zh:1ed0ee17df8807aef64976e2a4276d2a3e1d54efeae2a86f596d12eccb94dc83", + "zh:36b7c61a83d24f612156b4648027ba8bd5727f0ed57183cbad0e6c93b7503aa2", + "zh:496d06a089b1bc8d60995e8dddfe1d87c605a208f377a60b17987e89381dafda", + "zh:4e9aba435994589befe4279927c71a461a52e6cd96b8f0437295c18c50f6baff", + "zh:71134031288a312db1804d4798b10f106a843c36aafd7b8fe8f4859156d7df93", + 
"zh:748d0dbdfbe8df4b516a09b23b3981c19cef9a255c1ca0187e84ab424e6bd845", + "zh:783541ff77f4e7c74c817e0e2989ebdb45dd6e2c9853a8cccbcf5f1976736a76", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:af3f080975d5ed79917b8238cc0ae3150da688bc89e12dcc3ee85134b29857d0", + "zh:ec542372c3ffbfc3df6966f77357f8af7319d4bd956ff8e9fde0bbd124352e34", + "zh:f3dc7b2b5b55173207c2fd35ed6bb8cc66b06af777e221060ca2f0c0afdecbb5", + "zh:f9631ecc21d6e5cf82ef6ef8d14c39e1dfb2a52cc8f0abb684311885ffdb79a1", ] } diff --git a/README.md b/README.md index c06bef7..953b9b9 100644 --- a/README.md +++ b/README.md @@ -6,13 +6,13 @@ Repository containing code for terraform-aws-proxy | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >=1.0.0, <2.0 | -| [aws](#requirement\_aws) | >= 5.59 | +| [aws](#requirement\_aws) | = 5.65.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.65.0 | +| [aws](#provider\_aws) | = 5.65.0 | ## Modules 
@@ -26,13 +26,11 @@ Repository containing code for terraform-aws-proxy | Name | Type | |------|------| -| [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | -| [aws_security_group_rule.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | -| [aws_security_group_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | -| [aws_ami.amazon_linux](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | -| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/5.65.0/docs/resources/security_group) | resource | +| [aws_security_group_rule.default](https://registry.terraform.io/providers/hashicorp/aws/5.65.0/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.this](https://registry.terraform.io/providers/hashicorp/aws/5.65.0/docs/resources/security_group_rule) | resource | +| [aws_ami.amazon_linux](https://registry.terraform.io/providers/hashicorp/aws/5.65.0/docs/data-sources/ami) | data source | +| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/5.65.0/docs/data-sources/iam_policy_document) | data source | ## Inputs 
@@ -42,7 +40,6 @@ Repository containing code for terraform-aws-proxy | [allow\_self\_assume\_role](#input\_allow\_self\_assume\_role) | Controls if the role allows self-assume or not | `bool` | `true` | no | | [ami\_filter](#input\_ami\_filter) | Defines query params for AMI |
object({
filter_name = string,
owner = string,
})
|
{
"filter_name": "amzn2-ami-kernel-5.10-hvm-2.0.20220912.1-x86_64-gp2",
"owner": "137112412989"
}
| no | | [app\_name](#input\_app\_name) | Name of the application | `string` | `"ssm-proxy"` | no | -| [create](#input\_create) | Controls if the resources are created or not | `bool` | n/a | yes | | [create\_instance\_profile](#input\_create\_instance\_profile) | Controls if the instance profile is created or not | `bool` | `true` | no | | [create\_role](#input\_create\_role) | Controls if the role is created or not | `bool` | `true` | no | | [environment](#input\_environment) | Name of the environment (i.e.: prd, acc, dev, test) | `string` | n/a | yes | @@ -60,5 +57,5 @@ Repository containing code for terraform-aws-proxy | Name | Description | |------|-------------| -| [iam\_policy](#output\_iam\_policy) | n/a | +| [iam\_policy](#output\_iam\_policy) | IAM Policy for establishing ssm connection | diff --git a/iam.tf b/iam.tf index 4fd7dd0..62e2685 100644 --- a/iam.tf +++ b/iam.tf @@ -78,14 +78,3 @@ module "iam_policy_ssm_connect" { local.tags_app_module ) } - -output "iam_policy" { - value = { - "default" : { - "id" : module.iam_policy_ssm_connect.id, - "arn" : module.iam_policy_ssm_connect.arn, - "name" : module.iam_policy_ssm_connect.name, - "path" : module.iam_policy_ssm_connect.path, - } - } -} diff --git a/locals.tf b/locals.tf index 8481cbe..2e37b82 100644 --- a/locals.tf +++ b/locals.tf @@ -8,8 +8,6 @@ locals { local.tags_module # Tags locally added ) - ssm_app_path = "/app/${var.environment}/${var.project}-${var.app_name}" - tags_module = { } } \ No newline at end of file diff --git a/main.tf b/main.tf index d8b9200..e69de29 100644 --- a/main.tf +++ b/main.tf @@ -1,2 +0,0 @@ -data "aws_caller_identity" "current" {} -data "aws_region" "current" {} \ No newline at end of file diff --git a/outputs.tf b/outputs.tf index e69de29..e802c72 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -0,0 +1,11 @@ +output "iam_policy" { + description = "IAM Policy for establishing ssm connection" + value = { + "default" : { + "id" : module.iam_policy_ssm_connect.id, + "arn" : module.iam_policy_ssm_connect.arn, + "name" : module.iam_policy_ssm_connect.name, + "path" : module.iam_policy_ssm_connect.path, + } + } +} \ No newline at end of file diff --git a/variables.tf b/variables.tf index 8e5821f..a54f36a 100644 --- a/variables.tf +++ b/variables.tf @@ -4,11 +4,6 @@ variable "app_name" { default = "ssm-proxy" } -variable "create" { - type = bool - description = "Controls if the resources are created or not" -} - variable "project" { type = string description = "Name of the project" diff --git a/versions.tf b/versions.tf index 10f8ce2..5940947 100644 --- a/versions.tf +++ b/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.59" + version = "= 5.65.0" } } } \ No newline at end of file From 39290b2925bab9e78c1c32e9df7a8a84f102af93 Mon Sep 17 00:00:00 2001 From: Rafal P | Raftech Date: Fri, 30 Aug 2024 14:27:31 +0200 Subject: [PATCH 4/7] use latest precommit --- .github/workflows/ci-checks-tf.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-checks-tf.yaml b/.github/workflows/ci-checks-tf.yaml index e3a5d57..5af8024 100644 --- a/.github/workflows/ci-checks-tf.yaml +++ b/.github/workflows/ci-checks-tf.yaml @@ -13,7 +13,7 @@ permissions: jobs: pre-commit: runs-on: ubuntu-latest - container: ghcr.io/antonbabenko/pre-commit-terraform:v1.79.1 + container: ghcr.io/antonbabenko/pre-commit-terraform:latest steps: - uses: actions/checkout@v3 From bbccc635c62b108c6893f7e1e1d775eb07802c26 Mon Sep 17 00:00:00 2001 From: Rafal P | Raftech Date: Fri, 30 Aug 2024 14:35:00 +0200 Subject: [PATCH 5/7] adds file changes --- .pre-commit-config.yaml | 11 +++++++---- README.md | 6 +++--- 2 files changed, 10 insertions(+), 7 deletions(-) 
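Review bot: Tightening the constraint to `version = "= 5.65.0"` in a reusable module (the README documents it as one) breaks composition, because Terraform must satisfy every module's provider constraint at once and any root or sibling module needing a different 5.x release can no longer resolve. A module should express a compatibility range and leave exact selection to the root's lock file, e.g. `version = "~> 5.65"` or `version = ">= 5.59, < 6.0"`. If the goal is reproducible CI, that belongs in a committed `.terraform.lock.hcl`, not in the constraint.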
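Review bot: Moving the job container from `ghcr.io/antonbabenko/pre-commit-terraform:v1.79.1` to the floating `latest` tag makes the run non-reproducible and lets any future push to that tag execute arbitrary code inside the job; the hunk header shows this sits under the workflow's `permissions:` block, which is outside the hunk but appears to grant write-capable tokens, so a compromised image would inherit them. Pin to a release tag and preferably its digest, e.g. `container: ghcr.io/antonbabenko/pre-commit-terraform:v1.94.0@sha256:<digest>`, and bump it deliberately alongside the `rev:` in `.pre-commit-config.yaml`, which this series does pin to a specific release. Scoping `permissions:` per job rather than workflow-wide would also limit the blast radius of the unpinned tooling.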
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 3abac9e..4db871a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,14 +1,17 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.81.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases + rev: v1.94.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases hooks: - id: terraform_validate - args: - - --hook-config=--retry-once-with-cleanup=true # Boolean. true or false + # args: + # - --hook-config=--retry-once-with-cleanup=true # Boolean. true or false - id: terraform_fmt - id: terraform_docs args: - - '--args=--lockfile=false' + # - '--args=--lockfile=false' + - --hook-config=--path-to-file=README.md # Valid UNIX path. I.e. ../TFDOC.md or docs/README.md etc. + - --hook-config=--add-to-existing-file=true # Boolean. true or false + - --hook-config=--create-file-if-not-exist=true # Boolean. true or false - id: terraform_tflint args: - '--args=--only=terraform_deprecated_interpolation' diff --git a/README.md b/README.md index 953b9b9..789789c 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # terraform-aws-proxy Repository containing code for terraform-aws-proxy - + ## Requirements | Name | Version | @@ -12,7 +12,7 @@ Repository containing code for terraform-aws-proxy | Name | Version | |------|---------| -| [aws](#provider\_aws) | = 5.65.0 | +| [aws](#provider\_aws) | 5.65.0 | ## Modules @@ -58,4 +58,4 @@ Repository containing code for terraform-aws-proxy | Name | Description | |------|-------------| | [iam\_policy](#output\_iam\_policy) | IAM Policy for establishing ssm connection | - + From b1025281e3180a1eafc631cef788c1eab3c71a41 Mon Sep 17 00:00:00 2001 From: Rafal P | Raftech Date: Fri, 30 Aug 2024 14:41:14 +0200 Subject: [PATCH 6/7] Adds updated readme.md --- .pre-commit-config.yaml | 3 +-- README.md | 1 + 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 4db871a..83d6e6e 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -8,10 +8,9 @@ repos: - id: terraform_fmt - id: terraform_docs args: - # - '--args=--lockfile=false' - --hook-config=--path-to-file=README.md # Valid UNIX path. I.e. ../TFDOC.md or docs/README.md etc. - --hook-config=--add-to-existing-file=true # Boolean. true or false - - --hook-config=--create-file-if-not-exist=true # Boolean. true or false + - --hook-config=--create-file-if-not-exist=false # Boolean. true or false - id: terraform_tflint args: - '--args=--only=terraform_deprecated_interpolation' diff --git a/README.md b/README.md index 789789c..2db001f 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,6 @@ # terraform-aws-proxy Repository containing code for terraform-aws-proxy + ## Requirements From 1825f4e18b6f3b8e16f800dfced0322d495971f5 Mon Sep 17 00:00:00 2001 From: Rafal P | Raftech Date: Fri, 30 Aug 2024 15:11:59 +0200 Subject: [PATCH 7/7] remove lock file from the pre-commit --- .pre-commit-config.yaml | 6 ++++-- .terraform.lock.hcl | 25 ------------------------- README.md | 2 +- iam.tf | 2 +- 4 files changed, 6 insertions(+), 29 deletions(-) delete mode 100644 .terraform.lock.hcl diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 83d6e6e..c812dd7 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -3,8 +3,10 @@ repos: rev: v1.94.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases hooks: - id: terraform_validate - # args: - # - --hook-config=--retry-once-with-cleanup=true # Boolean. true or false + args: + - --hook-config=--retry-once-with-cleanup=true # Boolean. true or false + - --tf-init-args=-upgrade + # - --tf-init-args=-lockfile=readonly - id: terraform_fmt - id: terraform_docs args: diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl deleted file mode 100644 index aa4e390..0000000 --- a/.terraform.lock.hcl +++ /dev/null 
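Review bot: `- --tf-init-args=-upgrade` together with the deletion of `.terraform.lock.hcl` in this same commit means every `terraform_validate` run re-resolves providers from the registry with no committed checksums to verify against, and the option that would enforce that, `-lockfile=readonly`, is left commented out on the following line. If the lock file is intentionally kept out of a reusable module, say so in a comment so nobody re-adds it by accident; otherwise keep it committed and use `- --tf-init-args=-lockfile=readonly` instead of `-upgrade`, so init fails loudly rather than silently selecting a different provider build. The exact pin in `versions.tf` narrows which version is chosen but does not substitute for hash verification of the downloaded artifact.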
@@ -1,25 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "5.65.0" - constraints = ">= 4.0.0, >= 4.57.0, 5.65.0" - hashes = [ - "h1:OG8xMZjGZL/OtEV9OwX0CTPcUzvSfcfiB0X9lcs2joY=", - "zh:036f8557c8c9b58656e1ec08ed5702e44bd338fda17dc4b2add40b234102e29a", - "zh:0ba0708ece98735540070899a916b7a90c5c887be31ffd693ee1359e40245978", - "zh:12d82a82ae0e3bc580f2be961078e89d129e12df7dd82a6ec610a2b945bba1a4", - "zh:1ed0ee17df8807aef64976e2a4276d2a3e1d54efeae2a86f596d12eccb94dc83", - "zh:36b7c61a83d24f612156b4648027ba8bd5727f0ed57183cbad0e6c93b7503aa2", - "zh:496d06a089b1bc8d60995e8dddfe1d87c605a208f377a60b17987e89381dafda", - "zh:4e9aba435994589befe4279927c71a461a52e6cd96b8f0437295c18c50f6baff", - "zh:71134031288a312db1804d4798b10f106a843c36aafd7b8fe8f4859156d7df93", - "zh:748d0dbdfbe8df4b516a09b23b3981c19cef9a255c1ca0187e84ab424e6bd845", - "zh:783541ff77f4e7c74c817e0e2989ebdb45dd6e2c9853a8cccbcf5f1976736a76", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:af3f080975d5ed79917b8238cc0ae3150da688bc89e12dcc3ee85134b29857d0", - "zh:ec542372c3ffbfc3df6966f77357f8af7319d4bd956ff8e9fde0bbd124352e34", - "zh:f3dc7b2b5b55173207c2fd35ed6bb8cc66b06af777e221060ca2f0c0afdecbb5", - "zh:f9631ecc21d6e5cf82ef6ef8d14c39e1dfb2a52cc8f0abb684311885ffdb79a1", - ] -} diff --git a/README.md b/README.md index 2db001f..5345296 100644 --- a/README.md +++ b/README.md 
@@ -21,7 +21,7 @@ Repository containing code for terraform-aws-proxy |------|--------|---------| | [asg](#module\_asg) | terraform-aws-modules/autoscaling/aws | v6.10.0 | | [iam\_assumable\_role\_ssm](#module\_iam\_assumable\_role\_ssm) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | v5.44.0 | -| [iam\_policy\_ssm\_connect](#module\_iam\_policy\_ssm\_connect) | terraform-aws-modules/iam/aws//modules/iam-policy | v5.30.0 | +| [iam\_policy\_ssm\_connect](#module\_iam\_policy\_ssm\_connect) | terraform-aws-modules/iam/aws//modules/iam-policy | v5.44.0 | ## Resources diff --git a/iam.tf b/iam.tf index 62e2685..54f2422 100644 --- a/iam.tf +++ b/iam.tf @@ -64,7 +64,7 @@ data "aws_iam_policy_document" "this" { module "iam_policy_ssm_connect" { source = "terraform-aws-modules/iam/aws//modules/iam-policy" - version = "v5.30.0" + version = "v5.44.0" name = "${local.full_service_name}-default" path = "/"