diff --git a/.circleci/config.yml b/.circleci/config.yml index 39d74165..a87bd017 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -1,16 +1,39 @@ -version: "2.1" +version: 2.1 orbs: terraform: circleci/terraform@3.2.0 jobs: - build: + pre-commit: + docker: + - image: cimg/python:3.11.1 + parameters: + terraform_version: + type: string + + steps: + - checkout + + - terraform/install: + terraform_version: <> + - run: + name: pre-commit + command: | + curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash + curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash + curl -L https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-linux-amd64.tar.gz | tar -C /tmp -xzf - && chmod +x /tmp/terraform-docs && sudo mv /tmp/terraform-docs /usr/local/bin + pip3 install checkov pre-commit + SKIP=no-commit-to-branch,circleci-validate pre-commit run --all-files + + test: docker: - image: cimg/aws:2022.11 parameters: workspace: type: string default: circleci-<< pipeline.number >> + terraform_version: + type: string environment: WORKSPACE: << parameters.workspace >> @@ -18,10 +41,7 @@ jobs: - checkout - terraform/install: - terraform_version: '1.3.6' - - - terraform/fmt: - path: . + terraform_version: <> - run: name: Configure test cluster env @@ -54,3 +74,18 @@ jobs: command: | terraform workspace select default terraform workspace delete ${WORKSPACE} + +parameters: + terraform_version: + default: "1.3.6" + type: string + +workflows: + build: + jobs: + - pre-commit: + terraform_version: << pipeline.parameters.terraform_version >> + - test: + terraform_version: << pipeline.parameters.terraform_version >> + requires: + - pre-commit diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 4a907a83..159b6d9f 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
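Review bot: The new `pre-commit` job's `command:` block installs tflint and tfsec by piping `install_linux.sh` from each project's `master` branch into `bash`, and installs `checkov` and `pre-commit` with an unpinned `pip3 install`, so the tooling that gates the `test` job changes whenever those upstreams do and a run is not reproducible; `curl -s` without `-f` also means an HTTP error body would be handed to bash instead of failing the step. terraform-docs is pinned to v0.16.0 but is moved into `/usr/local/bin` without any checksum verification. Pin each download to a release tag and verify it before use, e.g. `curl -fsSL <RELEASE_ASSET_URL> -o /tmp/tool && echo '<EXPECTED_SHA256>  /tmp/tool' | sha256sum -c`, and pin the Python packages (`pip3 install 'checkov==<VERSION>' 'pre-commit==<VERSION>'`). The `terraform_version: <>` lines in this hunk and in the `test` job hunk look like a `<< parameters.terraform_version >>` reference that was lost in rendering; confirm the committed file has the full expression.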
@@ -12,21 +12,20 @@ repos:
 - id: circleci-validate
 args: [--org-slug, github/cerebrotech]
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.75.0
+ rev: v1.77.0
 hooks:
 - id: terraform_providers_lock
 args:
 - --tf-init-args=-upgrade
- - id: terraform_fmt
- - id: terraform_validate
 - id: terraform_docs
 args:
+ - '--args=--lockfile=false'
 - '--hook-config=--path-to-file=README.md'
 - '--hook-config=--add-to-existing-file=true'
 - '--hook-config=--create-file-if-not-exist=true'
 - '--hook-config=--recursive.enabled=true'
 - '--hook-config=--recursive.path=submodules'
- - '--hook-config=--lockfile=false'
+ - id: terraform_fmt
 - id: terraform_tflint
 args:
 - '--args=--config=__GIT_WORKING_DIR__/.tflint.hcl'
@@ -46,6 +45,11 @@ repos:
 - '--args=--enable-rule=aws_iam_policy_document_gov_friendly_arns'
 - '--args=--enable-rule=aws_iam_policy_gov_friendly_arns'
 - '--args=--enable-rule=aws_iam_role_policy_gov_friendly_arns'
+ - id: terraform_checkov
+ args:
+ - '--args=--compact'
+ - '--args=--quiet'
+ - '--args=--skip-check CKV_CIRCLECIPIPELINES_2,CKV_CIRCLECIPIPELINES_6,CKV2_AWS_11,CKV2_AWS_12,CKV2_AWS_6,CKV_AWS_109,CKV_AWS_111,CKV_AWS_135,CKV_AWS_144,CKV_AWS_145,CKV_AWS_158,CKV_AWS_18,CKV_AWS_184,CKV_AWS_19,CKV_AWS_21,CKV_AWS_66,CKV_AWS_88'
 # - id: terrascan # Skipping until they update lifecycle block; Data resources do not have lifecycle settings, so a lifecycle block is not allowed.
 # args:
 # - '--args=--non-recursive'
diff --git a/.tflint.hcl b/.tflint.hcl
index 2df7f5af..414fc676 100644
--- a/.tflint.hcl
+++ b/.tflint.hcl
@@ -1,6 +1,6 @@
 plugin "aws" {
 enabled = true
 deep_check = true
- version = "0.21.0"
+ version = "0.21.1"
 source = "github.com/terraform-linters/tflint-ruleset-aws"
 }
diff --git a/README.md b/README.md
index 77bcbad4..5783a513 100644
--- a/README.md
+++ b/README.md
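Review bot: `terraform_validate` is removed from the pre-commit-terraform hook list and nothing in this hunk or in the `.circleci/config.yml` changes takes its place, so a configuration error that `terraform fmt`, tflint and terraform-docs do not catch is now first seen only when the `test` job runs a plan or apply, if it does. If that is the intent, a one-line comment at the hook list would save the next reader the search, e.g. `# terraform_validate intentionally omitted: validation happens in the CircleCI test job`; otherwise keep `- id: terraform_validate` next to the re-added `terraform_fmt`. Moving `--lockfile=false` from `--hook-config` to `--args` appears to be the right flag family, since it is a terraform-docs option rather than a wrapper option.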
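Review bot: The new `terraform_checkov` hook disables seventeen checks in a single global `--skip-check` list with no stated reason, and `--quiet` also drops passed and skipped results from the output, so a reader cannot tell a deliberate exception from a suppression added to get the hook green, and every future module in the repo inherits the exemptions. Add a comment above the hook explaining each group of skipped IDs, or better, move the exceptions to the resource that needs them with a `#checkov:skip=<CHECK_ID>:<reason>` annotation so the justification stays next to the code and the global list can be trimmed to checks that genuinely do not apply to this repository.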
@@ -76,8 +76,8 @@ aws s3 rb s3://"${AWS_TERRAFORM_REMOTE_STATE_BUCKET}" --force | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.40.0 | -| [tls](#provider\_tls) | 4.0.4 | +| [aws](#provider\_aws) | >= 4.0 | +| [tls](#provider\_tls) | >= 3.4.0 | ## Modules diff --git a/iam-bootstrap/README.md b/iam-bootstrap/README.md new file mode 100644 index 00000000..30da41e7 --- /dev/null +++ b/iam-bootstrap/README.md 
@@ -0,0 +1,45 @@ +# iam-bootstrap + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.3.0 | +| [aws](#requirement\_aws) | >= 4.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 4.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_policy.deployment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.deployment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_caller_identity.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [deploy\_id](#input\_deploy\_id) | Domino Deployment ID | `string` | n/a | yes | +| [iam\_policy\_paths](#input\_iam\_policy\_paths) | IAM policies to provision and use for deployment role, can be terraform templates | `list(any)` | `[]` | no | +| [max\_session\_duration](#input\_max\_session\_duration) | Maximum session duration for role in seconds | `number` | `43200` | no | +| [region](#input\_region) | AWS region for the deployment | `string` | n/a | yes | +| [template\_config](#input\_template\_config) | Variables to use for any templating in the IAM policies. AWS account ID (as 'account\_id'), deploy\_id, region and partition are automatically included. | `map(any)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [role\_arn](#output\_role\_arn) | ARN of bootstrap role | + diff --git a/iam-bootstrap/iam.tf b/iam-bootstrap/main.tf similarity index 100% rename from iam-bootstrap/iam.tf rename to iam-bootstrap/main.tf 
diff --git a/iam-bootstrap/variables.tf b/iam-bootstrap/variables.tf index 606ba5ed..94c32089 100644 --- a/iam-bootstrap/variables.tf +++ b/iam-bootstrap/variables.tf @@ -20,7 +20,7 @@ variable "iam_policy_paths" { } variable "template_config" { - type = map + type = map(any) description = "Variables to use for any templating in the IAM policies. AWS account ID (as 'account_id'), deploy_id, region and partition are automatically included." default = {} } diff --git a/submodules/bastion/README.md b/submodules/bastion/README.md index 73230236..4f04cc46 100644 --- a/submodules/bastion/README.md +++ b/submodules/bastion/README.md @@ -12,7 +12,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.32.0 | +| [aws](#provider\_aws) | >= 4.0 | ## Modules diff --git a/submodules/eks/README.md b/submodules/eks/README.md index 24d750b8..17830440 100644 --- a/submodules/eks/README.md +++ b/submodules/eks/README.md @@ -13,8 +13,8 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.32.0 | -| [null](#provider\_null) | 3.1.1 | +| [aws](#provider\_aws) | >= 4.0 | +| [null](#provider\_null) | >= 3.1.0 | ## Modules diff --git a/submodules/k8s/README.md b/submodules/k8s/README.md index 0a2649c0..0f5e43c1 100644 --- a/submodules/k8s/README.md +++ b/submodules/k8s/README.md @@ -14,8 +14,8 @@ | Name | Version | |------|---------| -| [local](#provider\_local) | 2.2.3 | -| [null](#provider\_null) | 3.1.1 | +| [local](#provider\_local) | >= 2.2.0 | +| [null](#provider\_null) | >= 3.1.0 | ## Modules diff --git a/submodules/network/README.md b/submodules/network/README.md index 273e13d2..4fca953c 100644 --- a/submodules/network/README.md +++ b/submodules/network/README.md @@ -12,7 +12,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.32.0 | +| [aws](#provider\_aws) | >= 4.0 | ## Modules diff --git a/submodules/storage/README.md b/submodules/storage/README.md index 02a40fd5..b477cffe 100644 --- a/submodules/storage/README.md 
+++ b/submodules/storage/README.md @@ -12,7 +12,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.32.0 | +| [aws](#provider\_aws) | >= 4.0 | ## Modules diff --git a/tests/README.md b/tests/README.md index f15e3e78..118c7389 100644 --- a/tests/README.md +++ b/tests/README.md @@ -12,7 +12,7 @@ | Name | Version | |------|---------| -| [aws.local](#provider\_aws.local) | 4.40.0 | +| [aws.local](#provider\_aws.local) | >= 4.0 | ## Modules