From bd1ce9df19289650cd23ec567c1eedfc49b867c8 Mon Sep 17 00:00:00 2001
From: James Woolfenden
Date: Sun, 3 Dec 2023 22:57:06 +0000
Subject: [PATCH] refresh
---
.github/workflows/compare.yml | 128 ------------------
.github/workflows/master.yml | 85 ------------
.github/workflows/pull_request.yml | 37 +++--
.github/workflows/verify.yml | 89 ++++++++++++
.pre-commit-config.yaml | 26 ++--
LICENSE | 2 +-
README.md | 44 +++---
...decommit_approval_rule_template.example.tf | 2 -
...ws_iam_policy_document.sns_topic_policy.tf | 1 -
example/examplea/Makefile | 1 -
example/examplea/aws_kms_key.codecommit.tf | 1 -
example/examplea/module.codecommit.tf | 1 -
example/examplea/outputs.tf | 1 -
example/examplea/terraform.tf | 4 +-
main.tf | 1 -
outputs.tf | 1 -
validate.ps1 | 1 -
validate.sh | 1 -
variables.tf | 5 -
19 files changed, 160 insertions(+), 271 deletions(-)
delete mode 100644 .github/workflows/compare.yml
delete mode 100644 .github/workflows/master.yml
create mode 100644 .github/workflows/verify.yml
diff --git a/.github/workflows/compare.yml b/.github/workflows/compare.yml
deleted file mode 100644
index 03e0d9f..0000000
--- a/.github/workflows/compare.yml
+++ /dev/null
@@ -1,128 +0,0 @@ ---- -# yamllint disable rule:line-length -name: Compare -on: - workflow_dispatch: -jobs: - tfsec: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - ref: master - token: ${{ github.token }} - fetch-depth: '0' - - name: tfsec - run: | - pip3 install lastversion - lastversion tfsec/tfsec --assets -d - chmod +x tfsec-linux-amd64 - ./tfsec-linux-amd64 example/examplea -f json --out tfsec.json - continue-on-error: true - - name: store - uses: actions/upload-artifact@v2 - with: - name: tfsec - path: tfsec.json - if-no-files-found: error - checkov: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - ref: master - token: ${{ github.token }} - fetch-depth: '0' - - name: install checkov - run: | - pip3 install checkov - - name: run checkov - run: checkov -d example/examplea -o json | tee checkov.json - continue-on-error: true - - name: store - uses: actions/upload-artifact@v2 - with: - name: checkov - path: checkov.json - if-no-files-found: error - terrascan: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - ref: master - token: ${{ github.token }} - fetch-depth: '0' - - uses: actions/setup-python@v2 - with: - python-version: 3.8 - - name: install terrascan - run: | - pip3 install lastversion - lastversion accurics/terrascan --assets -d --verbose - tar -xvf terrascan*.tar.gz - chmod +x ./terrascan - - name: run terrascan - run: | - ./terrascan init - ./terrascan scan -d example/examplea -o json -x json | tee terrascan.json - continue-on-error: true - - name: store - uses: actions/upload-artifact@v2 - with: - name: terrascan - path: terrascan.json - if-no-files-found: warn - kics: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - ref: master - token: ${{ github.token }} - fetch-depth: '0' - - name: install kics - run: | - pip3 install lastversion - lastversion Checkmarx/kics --assets -d --verbose - 
tar -xvf kics*.tar.gz - - name: run kics - run: ./kics scan -p example/examplea -o kics.json --report-formats json - continue-on-error: true - - name: store - uses: actions/upload-artifact@v2 - with: - name: kics - path: kics.json - if-no-files-found: warn - - upload: - needs: [kics, terrascan, checkov, tfsec] - runs-on: ubuntu-latest - steps: - - name: Get Time - id: time - uses: nanzm/get-time-action@v1.1 - with: - timeZone: 8 - format: "YYYY-MM-DD-HH-mm-ss" - - name: mkdir - run: | - mkdir tos3 - - uses: actions/download-artifact@v2 - with: - path: tos3 - - uses: jakejarvis/s3-sync-action@master - with: - args: --acl public-read --follow-symlinks --delete - env: - AWS_S3_BUCKET: compare-data-680235478471 - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_KEY }} - AWS_REGION: "eu-west-2" - SOURCE_DIR: tos3 - DEST_DIR: ${{ github.repository }}/${{ steps.time.outputs.time }} diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml deleted file mode 100644 index d9a228b..0000000 --- a/.github/workflows/master.yml +++ /dev/null 
@@ -1,85 +0,0 @@ ---- -# yamllint disable rule:line-length -name: Verify and Bump -on: - workflow_dispatch: - push: - branches: - - master -jobs: - terraform: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - ref: master - token: ${{ github.token }} - fetch-depth: '0' - - name: Config Terraform plugin cache - run: | - echo 'plugin_cache_dir="$HOME/.terraform.d/plugin-cache"' >~/.terraformrc - mkdir --parents ~/.terraform.d/plugin-cache - - name: Cache Terraform - uses: actions/cache@v2 - with: - path: | - ~/.terraform.d/plugin-cache - key: ${{ runner.os }}-terraform-${{ hashFiles('**/.terraform.lock.hcl') }} - restore-keys: | - ${{ runner.os }}-terraform- - - name: Terraform Init - uses: hashicorp/terraform-github-actions@master - with: - tf_actions_version: 1.0.1 - tf_actions_subcommand: init - tf_actions_working_dir: example/examplea - - name: Terraform Validate - uses: hashicorp/terraform-github-actions@master - with: - tf_actions_version: 1.0.1 - tf_actions_subcommand: validate - tf_actions_working_dir: example/examplea - - name: Terraform Plan - uses: hashicorp/terraform-github-actions@master - with: - tf_actions_version: 1.0.1 - tf_actions_subcommand: plan - tf_actions_working_dir: example/examplea - env: - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_KEY }} - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - security: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - ref: master - token: ${{ github.token }} - fetch-depth: '0' - - uses: actions/setup-python@v2 - with: - python-version: 3.8 - - run: | - pip3 install lastversion - lastversion terraform-docs --assets -d --verbose - mkdir $GITHUB_WORKSPACE/bin - tar -xvf terraform-docs*.tar.gz --directory $GITHUB_WORKSPACE/bin - chmod +x $GITHUB_WORKSPACE/bin/terraform-docs - echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH - - uses: pre-commit/action@v2.0.0 - version: - name: versioning - runs-on: ubuntu-latest - steps: - - uses: 
actions/checkout@v2 - with: - fetch-depth: '0' - - name: Bump version and push tag - uses: anothrNick/github-tag-action@1.38.0 - env: - GITHUB_TOKEN: ${{ github.token }} - DEFAULT_BUMP: patch - WITH_V: true - needs: [terraform, security] diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 8a73b5e..4f882c5 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml 
@@ -5,36 +5,51 @@ on: pull_request: workflow_dispatch: +env: + terraform: 1.3.0 + tf_target_dir: example/examplea + +permissions: read-all + jobs: terraform: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: token: ${{ github.token }} fetch-depth: '0' - name: Terraform Init - uses: hashicorp/terraform-github-actions@master + uses: hashicorp/terraform-github-actions@b2ca17c0c25198c67c668c37edcbc45ca086a91e # v0.8.0 with: - tf_actions_version: 1.0.1 + tf_actions_version: ${{ env.terraform }} tf_actions_subcommand: init - tf_actions_working_dir: example/examplea + tf_actions_working_dir: ${{ env.tf_target_dir }} - name: Terraform Validate - uses: hashicorp/terraform-github-actions@master + uses: hashicorp/terraform-github-actions@b2ca17c0c25198c67c668c37edcbc45ca086a91e # v0.8.0 with: - tf_actions_version: 1.0.1 + tf_actions_version: ${{ env.terraform }} tf_actions_subcommand: validate - tf_actions_working_dir: example/examplea + tf_actions_working_dir: ${{ env.tf_target_dir }} security: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: token: ${{ github.token }} fetch-depth: '0' - - uses: actions/setup-python@v2 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: - python-version: 3.8 - - uses: pre-commit/action@v2.0.0 + python-version: 3.11 + - run: | + wget https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-linux-amd64.tar.gz + mkdir "$GITHUB_WORKSPACE/bin" + tar -xvf terraform-docs*.tar.gz --directory "$GITHUB_WORKSPACE/bin" + chmod +x "$GITHUB_WORKSPACE/bin/terraform-docs" + wget https://github.com/rhysd/actionlint/releases/download/v1.6.23/actionlint_1.6.23_linux_amd64.tar.gz + tar -xvf actionlint_1.6.23_linux_amd64.tar.gz --directory "$GITHUB_WORKSPACE/bin" + chmod +x 
"$GITHUB_WORKSPACE/bin/actionlint" + echo "$GITHUB_WORKSPACE/bin" >> "$GITHUB_PATH" + - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507 # v3.0.0 diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml new file mode 100644 index 0000000..c526a4c --- /dev/null +++ b/.github/workflows/verify.yml 
@@ -0,0 +1,89 @@ +--- +# yamllint disable rule:line-length +name: Verify +on: + workflow_dispatch: + push: + branches: + - master +permissions: read-all + +env: + terraform: 1.3.0 + tf_target_dir: example/examplea + branch: master + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID}} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY}} + GITHUB_API_TOKEN: ${{ github.token }} +jobs: + terraform: + runs-on: ubuntu-latest + steps: + - uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0 + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + ref: ${{ env.branch }} + token: ${{ github.token }} + fetch-depth: '0' + - name: Config Terraform plugin cache + run: | + echo "plugin_cache_dir=$HOME/.terraform.d/plugin-cache" >~/.terraformrc + mkdir --parents ~/.terraform.d/plugin-cache + - name: Cache Terraform + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + with: + path: | + ~/.terraform.d/plugin-cache + key: ${{ runner.os }}-terraform-${{ hashFiles('**/.terraform.lock.hcl') }} + restore-keys: | + ${{ runner.os }}-terraform- + - name: Terraform Init + id: init + run: terraform init + working-directory: ${{ env.tf_target_dir }} + - name: Terraform validate + id: validate + run: terraform validate + working-directory: ${{ env.tf_target_dir }} + - name: Terraform plan + id: plan + run: terraform plan + working-directory: ${{ env.tf_target_dir }} + security: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + ref: ${{ env.branch }} + token: ${{ github.token }} + fetch-depth: '0' + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 + with: + python-version: 3.11 + - run: | + wget https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-linux-amd64.tar.gz + mkdir "$GITHUB_WORKSPACE/bin" + tar -xvf terraform-docs*.tar.gz 
--directory "$GITHUB_WORKSPACE/bin" + chmod +x "$GITHUB_WORKSPACE/bin/terraform-docs" + wget https://github.com/rhysd/actionlint/releases/download/v1.6.23/actionlint_1.6.23_linux_amd64.tar.gz + tar -xvf actionlint_1.6.23_linux_amd64.tar.gz --directory "$GITHUB_WORKSPACE/bin" + chmod +x "$GITHUB_WORKSPACE/bin/actionlint" + echo "$GITHUB_WORKSPACE/bin" >> "$GITHUB_PATH" + - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507 # v3.0.0 + version: + permissions: write-all + name: versioning + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: '0' + - name: Bump version and push tag + uses: anothrNick/github-tag-action@a2c70ae13a881faf2b4953baaa9e49731997ab36 # 1.67.0 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + DEFAULT_BUMP: patch + WITH_V: "true" + needs: [terraform, security] diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index cc95c11..863ea4e 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,10 +1,10 @@ --- # yamllint disable rule:line-length default_language_version: - python: python3.8 + python: python3.11 repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.4.0 + rev: v4.5.0 hooks: - id: check-json - id: check-merge-conflict @@ -20,7 +20,7 @@ repos: - --allow-missing-credentials - id: detect-private-key - repo: https://github.com/Lucas-C/pre-commit-hooks - rev: v1.5.1 + rev: v1.5.4 hooks: - id: forbid-tabs exclude_types: [python, javascript, dtd, markdown, makefile, xml] 
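Review bot: `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are set in the workflow-level `env`, so the long-lived account credentials are exposed to every step of all three jobs — including the pre-commit run in `security`, which executes third-party hooks, and the tag-push action in `version` — when only `terraform plan` needs them; the replaced master.yml scoped them to the plan step, and that scoping should be kept (or, better, replaced by OIDC via aws-actions/configure-aws-credentials with a role-to-assume). `permissions: write-all` on the `version` job is likewise far wider than a tag push needs; `contents: write` is sufficient for anothrNick/github-tag-action. Two smaller things: `env.terraform` is never consumed in this file (setup-terraform is invoked without `terraform_version`, so it installs the latest release, and 1.3.0 would in any case be below the `>= 1.3.5` this commit sets in example/examplea/terraform.tf), and the `.terraformrc` line writes the path without surrounding quotes, which HCL presumably rejects so the plugin cache is silently unused — `echo "plugin_cache_dir = \"$HOME/.terraform.d/plugin-cache\"" > ~/.terraformrc` fixes it. Note also that the secret name changed from `AWS_KEY` in the deleted workflow to `AWS_SECRET_ACCESS_KEY`, so the repository secret must exist under the new name or plan will run with an empty secret key.
```yaml
env:
  terraform: 1.3.5
  tf_target_dir: example/examplea
  branch: master
  GITHUB_API_TOKEN: ${{ github.token }}
# … unchanged: terraform job checkout, plugin cache, init, validate …
      - uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0
        with:
          terraform_version: ${{ env.terraform }}
# … unchanged …
      - name: Terraform plan
        id: plan
        run: terraform plan
        working-directory: ${{ env.tf_target_dir }}
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
# … unchanged: security job …
  version:
    permissions:
      contents: write
```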
@@ -31,24 +31,30 @@ repos: - id: shell-lint exclude: template|\.template$ - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.35.0 + rev: v0.37.0 hooks: - id: markdownlint - repo: https://github.com/jameswoolfenden/pre-commit rev: v0.1.50 hooks: - id: terraform-fmt - language_version: python3.8 + language_version: python3.11 - id: tf2docs - language_version: python3.8 + language_version: python3.11 - repo: https://github.com/bridgecrewio/checkov - rev: 2.3.347 + rev: 3.1.20 hooks: - id: checkov + files: . verbose: true - entry: checkov -d example/examplea --external-checks-dir checkov --download-external-modules true + entry: checkov -d example/examplea --external-checks-dir checkov --download-external-modules true --compact - repo: https://github.com/jameswoolfenden/pike - rev: v0.2.81 + rev: v0.2.112 hooks: - id: pike-docs-go - args: ["-d", ".", "readme"] + args: ["readme","-d", ".", "-i"] + - repo: https://github.com/jameswoolfenden/ghat + rev: v0.1.1 + hooks: + - id: ghat-go + args: ["swot","-d", "."] diff --git a/LICENSE b/LICENSE index 087bbea..a6e5d2f 100644 --- a/LICENSE +++ b/LICENSE @@ -186,7 +186,7 @@ APPENDIX: How to apply the Apache License to your work. same "printed page" as the copyright notice for easier identification within third-party archives. -Copyright 2021-2022 James Woolfenden +Copyright 2021-2023 James Woolfenden Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/README.md b/README.md index 99533b8..19a20b6 100644 --- a/README.md +++ b/README.md 
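Review bot: `files: .` added to the checkov hook is a regex that matches any non-empty path, which is already pre-commit's behaviour when `files` is omitted, so it changes nothing and reads as if it restricts the hook to the repository root; drop it, or if the intent was to trigger only on Terraform changes use `files: \.tf$` (the `entry` still scans example/examplea as a whole either way). The hook revs (`3.1.20`, `v0.2.112`, `v0.1.1`) are mutable tags, whereas the workflows in this commit pin every action to a commit SHA; pre-commit accepts a full commit SHA in `rev`, which would bring the local hooks to the same supply-chain standard. `--download-external-modules true` also makes every commit fetch remote modules over the network inside the hook, which deserves a line above the entry such as `# checkov needs network access to resolve any registry modules the example references`.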
@@ -114,18 +114,6 @@ resource "aws_iam_policy" "terraform_pike" { { "Sid": "VisualEditor0", "Effect": "Allow", - "Action": [ - "SNS:CreateTopic", - "SNS:DeleteTopic", - "SNS:GetTopicAttributes", - "SNS:ListTagsForResource", - "SNS:SetTopicAttributes" - ], - "Resource": "*" - }, - { - "Sid": "VisualEditor1", - "Effect": "Allow", "Action": [ "codecommit:CreateRepository", "codecommit:DeleteRepository", @@ -134,10 +122,12 @@ resource "aws_iam_policy" "terraform_pike" { "codecommit:ListTagsForResource", "codecommit:UpdateRepositoryDescription" ], - "Resource": "*" + "Resource": [ + "*" + ] }, { - "Sid": "VisualEditor2", + "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "events:DeleteRule", @@ -148,10 +138,12 @@ resource "aws_iam_policy" "terraform_pike" { "events:PutTargets", "events:RemoveTargets" ], - "Resource": "*" + "Resource": [ + "*" + ] }, { - "Sid": "VisualEditor3", + "Sid": "VisualEditor2", "Effect": "Allow", "Action": [ "iam:AttachGroupPolicy", @@ -163,7 +155,23 @@ resource "aws_iam_policy" "terraform_pike" { "iam:ListAttachedGroupPolicies", "iam:ListPolicyVersions" ], - "Resource": "*" + "Resource": [ + "*" + ] + }, + { + "Sid": "VisualEditor3", + "Effect": "Allow", + "Action": [ + "sns:CreateTopic", + "sns:DeleteTopic", + "sns:GetTopicAttributes", + "sns:ListTagsForResource", + "sns:SetTopicAttributes" + ], + "Resource": [ + "*" + ] } ] }) @@ -272,7 +280,7 @@ Please use the [issue tracker](https://github.com/jameswoolfenden/terraform-aws- ## Copyrights -Copyright © 2019-2022 James Woolfenden +Copyright © 2019-2023 James Woolfenden ## License diff --git a/aws_codecommit_approval_rule_template.example.tf b/aws_codecommit_approval_rule_template.example.tf index a2d5a1a..d015ba1 100644 --- a/aws_codecommit_approval_rule_template.example.tf +++ b/aws_codecommit_approval_rule_template.example.tf 
@@ -14,8 +14,6 @@ resource "aws_codecommit_approval_rule_template" "example" { } EOF } - - resource "aws_codecommit_approval_rule_template_association" "link" { approval_rule_template_name = aws_codecommit_approval_rule_template.example.name repository_name = aws_codecommit_repository.repo.repository_name diff --git a/data.aws_iam_policy_document.sns_topic_policy.tf b/data.aws_iam_policy_document.sns_topic_policy.tf index 1713543..f419690 100644 --- a/data.aws_iam_policy_document.sns_topic_policy.tf +++ b/data.aws_iam_policy_document.sns_topic_policy.tf @@ -1,5 +1,4 @@ data "aws_caller_identity" "current" {} - data "aws_iam_policy_document" "sns_topic_policy" { statement { effect = "Allow" diff --git a/example/examplea/Makefile b/example/examplea/Makefile index 0eb42b5..0d7ac7f 100644 --- a/example/examplea/Makefile +++ b/example/examplea/Makefile @@ -48,7 +48,6 @@ docs: valid: -terraform fmt -recursive -checkov -d . --external-checks-dir ../../checkov - -tfsec . --tfvars-file examples.auto.tfvars -terrascan scan docker pull checkmarx/kics:latest docker run -v $(CURDIR):/path checkmarx/kics:latest scan --path /path diff --git a/example/examplea/aws_kms_key.codecommit.tf b/example/examplea/aws_kms_key.codecommit.tf index 1b64e75..81237ce 100644 --- a/example/examplea/aws_kms_key.codecommit.tf +++ b/example/examplea/aws_kms_key.codecommit.tf @@ -1,4 +1,3 @@ - resource "aws_kms_key" "codecommit" { enable_key_rotation = true } diff --git a/example/examplea/module.codecommit.tf b/example/examplea/module.codecommit.tf index 7d4c32a..bdd5720 100644 --- a/example/examplea/module.codecommit.tf +++ b/example/examplea/module.codecommit.tf @@ -4,5 +4,4 @@ module "codecommit" { approver_role = "arn:aws:sts::${data.aws_caller_identity.current.account_id}:assumed-role/CodeCommitReview/*" kms_master_key_id = aws_kms_key.codecommit.arn } - data "aws_caller_identity" "current" {} diff --git a/example/examplea/outputs.tf b/example/examplea/outputs.tf index 956b280..35992c4 100644 
--- a/example/examplea/outputs.tf +++ b/example/examplea/outputs.tf @@ -1,7 +1,6 @@ output "clone_url_https" { value = module.codecommit.clone_url_https } - output "clone_url_ssh" { value = module.codecommit.clone_url_ssh } diff --git a/example/examplea/terraform.tf b/example/examplea/terraform.tf index bf1263b..c4fdeac 100644 --- a/example/examplea/terraform.tf +++ b/example/examplea/terraform.tf @@ -1,9 +1,9 @@ terraform { required_providers { aws = { - version = "4.6.0" + version = "5.13.1" source = "hashicorp/aws" } } - required_version = ">=0.14.8" + required_version = ">= 1.3.5" } diff --git a/main.tf b/main.tf index 860aabb..e69de29 100644 --- a/main.tf +++ b/main.tf @@ -1 +0,0 @@ -# required by Hashicorp diff --git a/outputs.tf b/outputs.tf index 8de90ad..c2c9bb1 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,7 +1,6 @@ output "clone_url_https" { value = aws_codecommit_repository.repo.clone_url_http } - output "clone_url_ssh" { value = aws_codecommit_repository.repo.clone_url_ssh } diff --git a/validate.ps1 b/validate.ps1 index 335075c..522bf09 100644 --- a/validate.ps1 +++ b/validate.ps1 @@ -8,5 +8,4 @@ Remove-Item .terraform.lock.hcl -ErrorAction SilentlyContinue terraform init -upgrade terraform validate make valid -make cost Pop-Location diff --git a/validate.sh b/validate.sh index f4d9856..8bb91d4 100644 --- a/validate.sh +++ b/validate.sh @@ -5,5 +5,4 @@ rm .terraform.lock.hcl 2>/dev/null rm .terraform -fr 2>/dev/null terraform init -upgrade terraform validate -make cost make valid diff --git a/variables.tf b/variables.tf index cf3d9af..6f604b8 100644 --- a/variables.tf +++ b/variables.tf 
@@ -2,29 +2,24 @@ variable "repository_name" { type = string description = "The name of your GIT repository" } - variable "default_branch" { type = string description = "The name of the default repository branch" default = "main" } - variable "developer_group" { description = "An existing Iam Group to attach the policy permissions to" type = string default = "" } - variable "kms_master_key_id" { type = string description = "The kms key to use" } - variable "approver_role" { type = string description = "ARN of approver role" } - variable "template" { default = { name = "MyExampleApprovalRuleTemplate"