initial setup

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# This team by definition owns the repository
+*  @Persgroep/team-platform

.github/workflows/ci-checks-tf.yaml

@@ -0,0 +1,68 @@
+name: v1-ci-checks-tf
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize, labeled, unlabeled]
+
+permissions:
+  id-token: write
+  contents: write
+  pull-requests: write
+
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    container: ghcr.io/antonbabenko/pre-commit-terraform:latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: 'pre-commit::add-github-repo-safe'
+        run: |
+          git config --global --add safe.directory $GITHUB_WORKSPACE     
+
+      - name: 'pre-commit::run-all-checks'
+        run: |
+          pre-commit run -a --show-diff-on-failure -v
+
+  module-required-files:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: 'tf-module::check-required-files'
+        id: check_files
+        uses: andstor/file-existence-action@v2
+        with:
+          files: "variables.tf, main.tf, README.md, versions.tf"
+          fail: true
+
+  label-required-semver:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'pr::check-required-semver'
+        uses: docker://agilepathway/pull-request-label-checker:latest
+        with:
+          prefix_mode: true
+          one_of: "release/" # patch , minor , major
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+
+  label-required-pr-type:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'pr::check-required-pr-type'
+        uses: docker://agilepathway/pull-request-label-checker:latest
+        with:
+          any_of: bug,enhancement,documentation,security
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+
+  label-do-not-merge:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'pr::check-required-semver'
+        uses: docker://agilepathway/pull-request-label-checker:latest
+        with:
+          none_of: do-not-merge
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+
+

.github/workflows/create-tag-and-release.yaml

@@ -0,0 +1,37 @@
+name: v1-func-create-tag-and-release
+
+on:
+  pull_request:
+    types: [closed]
+
+jobs:
+  create-new-release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions-ecosystem/action-release-label@v1
+        id: release-label
+        if: ${{ github.event.pull_request.merged == true }}
+
+      - uses: actions-ecosystem/action-get-latest-tag@v1
+        id: get-latest-tag
+        if: ${{ steps.release-label.outputs.level != null }}
+
+      - uses: actions-ecosystem/action-bump-semver@v1
+        id: bump-semver
+        if: ${{ steps.release-label.outputs.level != null }}
+        with:
+          current_version: ${{ steps.get-latest-tag.outputs.tag }}
+          level: ${{ steps.release-label.outputs.level }}
+
+      - uses: actions-ecosystem/action-push-tag@v1
+        if: ${{ steps.release-label.outputs.level != null }}
+        with:
+          tag: ${{ steps.bump-semver.outputs.new_version }}
+          message: '${{ steps.bump-semver.outputs.new_version }}: PR #${{ github.event.pull_request.number }} ${{ github.event.pull_request.title }}'
+
+      - name: 'gh::release'
+        if: ${{ steps.release-label.outputs.level != null }}
+        uses: softprops/action-gh-release@v1
+        with:
+          tag_name: ${{ steps.bump-semver.outputs.new_version }}

.pre-commit-config.yaml

@@ -0,0 +1,30 @@
+repos:
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.94.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+    hooks:
+      - id: terraform_validate
+        args:
+          - --hook-config=--retry-once-with-cleanup=true     # Boolean. true or false
+          - --tf-init-args=-upgrade
+          # - --tf-init-args=-lockfile=readonly
+      - id: terraform_fmt
+      - id: terraform_docs
+        args:
+          - --hook-config=--path-to-file=README.md        # Valid UNIX path. I.e. ../TFDOC.md or docs/README.md etc.
+          - --hook-config=--add-to-existing-file=true     # Boolean. true or false
+          - --hook-config=--create-file-if-not-exist=false # Boolean. true or false
+      - id: terraform_tflint
+        args:
+          - '--args=--only=terraform_deprecated_interpolation'
+          - '--args=--only=terraform_deprecated_index'
+          - '--args=--only=terraform_unused_declarations'
+          - '--args=--only=terraform_comment_syntax'
+          - '--args=--only=terraform_documented_outputs'
+          - '--args=--only=terraform_documented_variables'
+          - '--args=--only=terraform_typed_variables'
+          - '--args=--only=terraform_module_pinned_source'
+          - '--args=--only=terraform_naming_convention'
+          - '--args=--only=terraform_required_version'
+          - '--args=--only=terraform_required_providers'
+          - '--args=--only=terraform_standard_module_structure'
+          - '--args=--only=terraform_workspace_remote'

README.md

@@ -0,0 +1,62 @@
+# terraform-aws-proxy
+Repository containing code for terraform-aws-proxy
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >=1.0.0, <2.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | = 5.65.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.65.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_asg"></a> [asg](#module\_asg) | terraform-aws-modules/autoscaling/aws | v6.10.0 |
+| <a name="module_iam_assumable_role_ssm"></a> [iam\_assumable\_role\_ssm](#module\_iam\_assumable\_role\_ssm) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | v5.44.0 |
+| <a name="module_iam_policy_ssm_connect"></a> [iam\_policy\_ssm\_connect](#module\_iam\_policy\_ssm\_connect) | terraform-aws-modules/iam/aws//modules/iam-policy | v5.44.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/5.65.0/docs/resources/security_group) | resource |
+| [aws_security_group_rule.default](https://registry.terraform.io/providers/hashicorp/aws/5.65.0/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.this](https://registry.terraform.io/providers/hashicorp/aws/5.65.0/docs/resources/security_group_rule) | resource |
+| [aws_ami.amazon_linux](https://registry.terraform.io/providers/hashicorp/aws/5.65.0/docs/data-sources/ami) | data source |
+| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/5.65.0/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_additional_iam_policies"></a> [additional\_iam\_policies](#input\_additional\_iam\_policies) | List of additional IAM policies to attach to the role | `list(string)` | `[]` | no |
+| <a name="input_allow_self_assume_role"></a> [allow\_self\_assume\_role](#input\_allow\_self\_assume\_role) | Controls if the role allows self-assume or not | `bool` | `true` | no |
+| <a name="input_ami_filter"></a> [ami\_filter](#input\_ami\_filter) | Defines query params for AMI | <pre>object({<br>    filter_name = string,<br>    owner       = string,<br>  })</pre> | <pre>{<br>  "filter_name": "amzn2-ami-kernel-5.10-hvm-2.0.20220912.1-x86_64-gp2",<br>  "owner": "137112412989"<br>}</pre> | no |
+| <a name="input_app_name"></a> [app\_name](#input\_app\_name) | Name of the application | `string` | `"ssm-proxy"` | no |
+| <a name="input_create_instance_profile"></a> [create\_instance\_profile](#input\_create\_instance\_profile) | Controls if the instance profile is created or not | `bool` | `true` | no |
+| <a name="input_create_role"></a> [create\_role](#input\_create\_role) | Controls if the role is created or not | `bool` | `true` | no |
+| <a name="input_environment"></a> [environment](#input\_environment) | Name of the environment (i.e.: prd, acc, dev, test) | `string` | n/a | yes |
+| <a name="input_instance_type"></a> [instance\_type](#input\_instance\_type) | The type of instance to start | `string` | `"t3.micro"` | no |
+| <a name="input_project"></a> [project](#input\_project) | Name of the project | `string` | n/a | yes |
+| <a name="input_role_requires_mfa"></a> [role\_requires\_mfa](#input\_role\_requires\_mfa) | Controls if the role requires MFA or not | `bool` | `false` | no |
+| <a name="input_schedules"></a> [schedules](#input\_schedules) | Map of schedules to add to the autoscaling group | `any` | `{}` | no |
+| <a name="input_security_group_rules"></a> [security\_group\_rules](#input\_security\_group\_rules) | Map of security group rules to add to the ec2 security group instance | `any` | `{}` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources created by this module | `map(string)` | `{}` | no |
+| <a name="input_user_data"></a> [user\_data](#input\_user\_data) | User data to be used in the EC2 instance | `string` | `""` | no |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC id where the resources will be deployed | `string` | n/a | yes |
+| <a name="input_vpc_zone_identifier"></a> [vpc\_zone\_identifier](#input\_vpc\_zone\_identifier) | A list of subnet IDs to launch resources in ( ASG ) | `list(string)` | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_iam_policy"></a> [iam\_policy](#output\_iam\_policy) | IAM Policy for establishing ssm connection |
+<!-- END_TF_DOCS -->

asg.tf

@@ -0,0 +1,79 @@
+locals {
+  user_data = var.user_data != "" ? var.user_data : <<-EOT
+    #!/bin/bash
+    echo "Hello Terraform!"
+  EOT
+}
+
+data "aws_ami" "amazon_linux" {
+  most_recent = true
+
+  filter {
+    name   = "name"
+    values = [var.ami_filter.filter_name]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
+  owners = [var.ami_filter.owner] # the current account
+}
+
+module "asg" {
+  source  = "terraform-aws-modules/autoscaling/aws"
+  version = "v6.10.0"
+
+  # Autoscaling group
+  name = local.full_service_name
+
+  vpc_zone_identifier = var.vpc_zone_identifier # module.vpc.private_subnets
+
+  min_size         = 0
+  max_size         = 3
+  desired_capacity = 1
+
+  # Launch template
+  create_launch_template      = true
+  launch_template_name        = local.full_service_name
+  launch_template_description = "Launch template for SSM proxy hosts"
+  update_default_version      = true
+  image_id                    = data.aws_ami.amazon_linux.id
+  instance_type               = var.instance_type # "t3.micro"
+  user_data                   = base64encode(local.user_data)
+
+
+  # instance profile setup
+  create_iam_instance_profile = false # as we need to use our own precreated instance profile 
+  iam_instance_profile_arn    = module.iam_assumable_role_ssm.iam_instance_profile_arn
+
+  # Security setup
+  security_groups = [aws_security_group.this.id]
+
+  # Autoscaling Schedule
+  schedules = var.schedules
+
+  # tags 
+  tag_specifications = [
+    {
+      resource_type = "instance"
+      tags          = local.tags_app_module
+    },
+    {
+      resource_type = "volume"
+      tags          = local.tags_app_module
+    },
+    # {
+    #   resource_type = "spot-instances-request"
+    #   tags          = merge({ WhatAmI = "SpotInstanceRequest" })
+    # }
+  ]
+
+  tags = merge(
+    {},
+    local.tags_app_module
+  )
+}
+
+

iam.tf

@@ -0,0 +1,80 @@
+module "iam_assumable_role_ssm" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+  version = "v5.44.0"
+
+  create_role             = var.create_role
+  create_instance_profile = var.create_instance_profile
+
+
+  role_name        = "${local.full_service_name}-role"
+  role_description = "IAM Role for ${local.full_service_name}"
+
+  role_requires_mfa = var.role_requires_mfa
+
+  # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
+  allow_self_assume_role = var.allow_self_assume_role
+
+  trusted_role_services = [
+    "ec2.amazonaws.com"
+  ]
+
+  custom_role_policy_arns = concat(
+    var.additional_iam_policies,
+    [
+      "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+    ]
+  )
+
+  tags = merge(
+    {
+    },
+    local.tags_app_module
+  )
+
+}
+
+
+data "aws_iam_policy_document" "this" {
+  statement {
+    sid       = "AllowStartSessionForEnv"
+    effect    = "Allow"
+    actions   = ["ssm:StartSession"]
+    resources = ["arn:aws:ec2:*:*:instance/*"]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:ResourceTag/environment"
+      values   = var.environment == "prd" ? ["prd"] : ["tst", "dev", "acc", "qa", "prv", "stg", "qas"]
+    }
+  }
+
+  statement {
+    sid       = "AllowPortForwardingViaDocument"
+    effect    = "Allow"
+    actions   = ["ssm:StartSession"]
+    resources = ["arn:aws:ssm:*:*:document/AWS-StartPortForwardingSessionToRemoteHost"]
+  }
+
+  statement {
+    sid       = "AllowResumeAndTerminateSession"
+    effect    = "Allow"
+    actions   = ["ssm:ResumeSession", "ssm:TerminateSession"]
+    resources = ["arn:aws:ssm:*:*:session/*"]
+  }
+}
+
+module "iam_policy_ssm_connect" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
+  version = "v5.44.0"
+
+  name        = "${local.full_service_name}-default"
+  path        = "/"
+  description = "IAM Policy for establishing ssm connection"
+
+  policy = data.aws_iam_policy_document.this.json
+
+  tags = merge(
+    {
+    },
+    local.tags_app_module
+  )
+}

locals.tf

@@ -0,0 +1,13 @@
+locals {
+  resource_prefix = "${var.project}-${var.environment}" # computed naming standard convention for all resources
+
+  full_service_name = "${local.resource_prefix}-${var.app_name}" # abc-prod-ssm-proxy
+
+  tags_app_module = merge(
+    var.tags,         # Tags coming from calling TF
+    local.tags_module # Tags locally added
+  )
+
+  tags_module = {
+  }
+}

outputs.tf

@@ -0,0 +1,11 @@
+output "iam_policy" {
+  description = "IAM Policy for establishing ssm connection"
+  value = {
+    "default" : {
+      "id" : module.iam_policy_ssm_connect.id,
+      "arn" : module.iam_policy_ssm_connect.arn,
+      "name" : module.iam_policy_ssm_connect.name,
+      "path" : module.iam_policy_ssm_connect.path,
+    }
+  }
+}