diff --git a/.commitlintrc.yaml b/.commitlintrc.yaml
new file mode 100644
index 0000000..70a3ab0
--- /dev/null
+++ b/.commitlintrc.yaml
@@ -0,0 +1,19 @@
+---
+rules:
+ body-leading-blank: [1, always]
+ body-max-line-length: [2, always, 100]
+ footer-leading-blank: [1, always]
+ footer-max-line-length: [2, always, 100]
+ header-max-length: [2, always, 100]
+ subject-case:
+ - 2
+ - never
+ - [sentence-case, start-case, pascal-case, upper-case]
+ subject-empty: [2, never]
+ subject-full-stop: [2, never, "."]
+ type-case: [2, always, lower-case]
+ type-empty: [2, never]
+ type-enum:
+ - 2
+ - always
+ - [build, chore, ci, docs, feat, fix, perf, refactor, revert, style, test]
diff --git a/.terraform-docs.yml b/.terraform-docs.yml
new file mode 100644
index 0000000..0c044ad
--- /dev/null
+++ b/.terraform-docs.yml
@@ -0,0 +1,28 @@
+#header-from: .header.md
+settings:
+ anchor: true
+ color: true
+ default: true
+ escape: true
+ html: true
+ indent: 2
+ required: true
+ sensitive: true
+ type: true
+ lockfile: false
+
+formatter: "markdown table"
+
+output:
+ file: README.md
+ mode: inject
+
+sections:
+ show:
+ - providers
+ - inputs
+ - outputs
+
+sort:
+ enabled: true
+ by: required
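Review bot: The `sections.show` list restricts output to providers, inputs and outputs, yet the example READMEs regenerated in this same commit (examples/cost-analysis-support/README.md, examples/lza-support/README.md) gain Requirements, Modules and Resources sections, so either they were produced with different settings or this root config is not the one terraform-docs picks up when the Makefile runs `terraform-docs $$dir` against a sub-directory; worth re-running `make documentation` and checking the result is stable. The commented-out `#header-from: .header.md` on the first line is dead configuration — either drop it or add a comment saying why it is kept. The example READMEs also still tell readers to run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .` and to edit a per-example `.terraform-docs.yml` that this commit deletes; those instructions now diverge from the Makefile and this file.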
diff --git a/.tflint.hcl b/.tflint.hcl
index 31a4e68..ea9c639 100644
--- a/.tflint.hcl
+++ b/.tflint.hcl
@@ -1,12 +1,12 @@
plugin "aws" {
enabled = true
- version = "0.32.0"
+ version = "0.34.0"
source = "github.com/terraform-linters/tflint-ruleset-aws"
}
plugin "terraform" {
enabled = true
- version = "0.7.0"
+ version = "0.9.1"
source = "github.com/terraform-linters/tflint-ruleset-terraform"
}
diff --git a/Makefile b/Makefile
index c63a3d1..2045b2f 100644
--- a/Makefile
+++ b/Makefile
@@ -36,20 +36,35 @@ examples:
documentation:
@echo "--> Generating documentation"
- @terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .
+ @terraform-docs .
$(MAKE) documentation-modules
$(MAKE) documentation-examples
documentation-modules:
@echo "--> Generating documentation for modules"
- @if [ -d modules ]; then \
- find modules -type d -mindepth 1 -maxdepth 1 -exec terraform-docs markdown table --output-file README.md --output-mode inject {} \; ; \
- fi
+ @find . -type d -regex '.*/modules/[a-za-z\-_$$]*' -not -path '*.terraform*' 2>/dev/null | while read -r dir; do \
+ echo "--> Generating documentation for module: $$dir"; \
+ terraform-docs $$dir; \
+ done;
documentation-examples:
- @echo "--> Generating documentation examples"
+ @echo "--> Generating documentation for examples"
+ @find . -type d -path '*/examples/*' -not -path '*.terraform*' 2>/dev/null| while read -r dir; do \
+ echo "--> Generating documentation for example: $$dir"; \
+ terraform-docs $$dir; \
+ done;
+
+upgrade-terraform-providers:
+ @printf "%s Upgrading Terraform providers for %-24s" "-->" "."
+ @terraform init -upgrade >/dev/null && echo "[OK]" || echo "[FAILED]"
+ @$(MAKE) upgrade-terraform-example-providers
+
+upgrade-terraform-example-providers:
@if [ -d examples ]; then \
- find examples -type d -mindepth 1 -maxdepth 1 -exec terraform-docs markdown table --output-file README.md --output-mode inject {} \; ; \
+ find examples -type d -mindepth 1 -maxdepth 1 2>/dev/null | while read -r dir; do \
+ printf "%s Upgrading Terraform providers for %-24s" "-->" "$$dir"; \
+ terraform -chdir=$$dir init -upgrade >/dev/null && echo "[OK]" || echo "[FAILED]"; \
+ done; \
fi
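Review bot: The character class in the documentation-modules `find` on the `@find . -type d -regex '.*/modules/[a-za-z\-_$$]*'` line repeats `a-z`, while the equivalent lines in security-modules, validate-modules and lint-modules use `[a-zA-Z\-_$$]`, so a module directory containing an uppercase letter would be scanned, validated and linted but never documented; change it to `-regex '.*/modules/[a-zA-Z\-_$$]*'` to match the others. In `upgrade-terraform-providers` and `upgrade-terraform-example-providers`, `terraform init -upgrade >/dev/null && echo "[OK]" || echo "[FAILED]"` prints FAILED but leaves the recipe's exit status at 0, so a failed provider upgrade does not fail `make`; if that is intended, a comment on the line should say so, otherwise replace the tail with `|| { echo "[FAILED]"; exit 1; }`. The new `-path '*/examples/*'` pattern in documentation-examples carries no `-maxdepth`, unlike the `-mindepth 1 -maxdepth 1` kept in upgrade-terraform-example-providers, so terraform-docs would also be invoked in any nested subdirectory of an example (the same applies to the security-examples, validate-examples and lint-examples hunks).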
init:
@@ -64,21 +79,17 @@ security:
security-modules:
@echo "--> Running Security checks on modules"
- @if [ -d modules ]; then \
- find modules -type d -mindepth 1 -maxdepth 1 | while read -r dir; do \
- echo "--> Validating $$dir"; \
- trivy config --format table --exit-code 1 --severity CRITICAL,HIGH --ignorefile .trivyignore $$dir; \
- done; \
- fi
+ @find . -type d -regex '.*/modules/[a-zA-Z\-_$$]*' -not -path '*.terraform*' 2>/dev/null | while read -r dir; do \
+ echo "--> Validating $$dir"; \
+ trivy config --format table --exit-code 1 --severity CRITICAL,HIGH --ignorefile .trivyignore $$dir; \
+ done;
security-examples:
@echo "--> Running Security checks on examples"
- @if [ -d examples ]; then \
- find examples -type d -mindepth 1 -maxdepth 1 | while read -r dir; do \
- echo "--> Validating $$dir"; \
- trivy config --format table --exit-code 1 --severity CRITICAL,HIGH --ignorefile .trivyignore $$dir; \
- done; \
- fi
+ @find . -type d -path '*/examples/*' -not -path '*.terraform*' 2>/dev/null | while read -r dir; do \
+ echo "--> Validating $$dir"; \
+ trivy config --format table --exit-code 1 --severity CRITICAL,HIGH --ignorefile .trivyignore $$dir; \
+ done;
tests:
@echo "--> Running Terraform Tests"
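Review bot: In security-modules and security-examples the exit status of the `find ... | while read -r dir; do ... done;` pipeline is that of the last command run in the loop body, so `trivy config --exit-code 1` findings in any directory but the last one are discarded and the `security` target passes with CRITICAL/HIGH results present; the removed `if [ -d modules ]` form had the same weakness, but since the loop body is rewritten here this is the place to close it. Append `|| exit 1` to the trivy line in both loops, e.g. `trivy config --format table --exit-code 1 --severity CRITICAL,HIGH --ignorefile .trivyignore $$dir || exit 1; \`, so the first failing directory fails the recipe. The same masking applies to the `terraform init`/`terraform validate` lines in the validate hunk and the `tflint` lines in the lint hunk. The added `2>/dev/null` on the find also hides permission errors that would otherwise explain a silently empty scan.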
@@ -90,26 +101,28 @@ validate:
@terraform validate
$(MAKE) validate-modules
$(MAKE) validate-examples
+ $(MAKE) validate-commits
validate-modules:
@echo "--> Running terraform validate on modules"
- @if [ -d modules ]; then \
- find modules -type d -mindepth 1 -maxdepth 1 | while read -r dir; do \
- echo "--> Validating $$dir"; \
- terraform -chdir=$$dir init -backend=false; \
- terraform -chdir=$$dir validate; \
- done; \
- fi
+ @find . -type d -regex '.*/modules/[a-zA-Z\-_$$]*' -not -path '*.terraform*' 2>/dev/null | while read -r dir; do \
+ echo "--> Validating Module $$dir"; \
+ terraform -chdir=$$dir init -backend=false; \
+ terraform -chdir=$$dir validate; \
+ done;
validate-examples:
@echo "--> Running terraform validate on examples"
- @if [ -d examples ]; then \
- find examples -type d -mindepth 1 -maxdepth 1 | while read -r dir; do \
- echo "--> Validating $$dir"; \
- terraform -chdir=$$dir init -backend=false; \
- terraform -chdir=$$dir validate; \
- done; \
- fi
+ @find . -type d -path '*/examples/*' -not -path '*.terraform*' 2>/dev/null | while read -r dir; do \
+ echo "--> Validating $$dir"; \
+ terraform -chdir=$$dir init -backend=false; \
+ terraform -chdir=$$dir validate; \
+ done;
+
+validate-commits:
+ @echo "--> Running commitlint against the main branch"
+ @command -v commitlint >/dev/null 2>&1 || { echo "commitlint is not installed. Please install it by running 'npm install -g commitlint'"; exit 1; }
+ @git log --pretty=format:"%s" origin/main..HEAD | commitlint --from=origin/main
lint:
@echo "--> Running tflint"
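Review bot: `validate-commits` both pipes `git log --pretty=format:"%s" origin/main..HEAD` into commitlint and passes `--from=origin/main`; as far as I can tell commitlint reads the range from git itself when `--from` is given and ignores stdin, and the piped subject-only lines would in any case lack the body and footer that `.commitlintrc.yaml` has rules for, so the `git log |` prefix is at best redundant. Simplify to `@commitlint --from=origin/main` and document the assumption above it: `# requires a fetched origin/main; a shallow CI clone without that ref makes this target fail`. The install hint names the `commitlint` package whereas the CLI is published as `@commitlint/cli`, so confirm the hint installs what this target actually runs.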
@@ -120,23 +133,19 @@ lint:
lint-modules:
@echo "--> Running tflint on modules"
- @if [ -d modules ]; then \
- find modules -type d -mindepth 1 -maxdepth 1 | while read -r dir; do \
- echo "--> Linting $$dir"; \
- tflint --chdir=$$dir --init; \
- tflint --chdir=$$dir -f compact; \
- done; \
- fi
+ @find . -type d -regex '.*/modules/[a-zA-Z\-_$$]*' -not -path '*.terraform*' 2>/dev/null | while read -r dir; do \
+ echo "--> Linting $$dir"; \
+ tflint --chdir=$$dir --init; \
+ tflint --chdir=$$dir -f compact; \
+ done;
lint-examples:
@echo "--> Running tflint on examples"
- @if [ -d examples ]; then \
- find examples -type d -mindepth 1 -maxdepth 1 | while read -r dir; do \
- echo "--> Linting $$dir"; \
- tflint --chdir=$$dir --init; \
- tflint --chdir=$$dir -f compact; \
- done; \
- fi
+ @find . -type d -path '*/examples/*' -not -path '*.terraform*' 2>/dev/null | while read -r dir; do \
+ echo "--> Linting $$dir"; \
+ tflint --chdir=$$dir --init; \
+ tflint --chdir=$$dir -f compact; \
+ done;
format:
@echo "--> Running terraform fmt"
@@ -144,7 +153,7 @@ format:
clean:
@echo "--> Cleaning up"
- @find . -type d -name ".terraform" | while read -r dir; do \
+ @find . -type d -name ".terraform" 2>/dev/null | while read -r dir; do \
echo "--> Removing $$dir"; \
rm -rf $$dir; \
done
diff --git a/examples/cost-analysis-support/.terraform-docs.yml b/examples/cost-analysis-support/.terraform-docs.yml
deleted file mode 100644
index 6a1dac5..0000000
--- a/examples/cost-analysis-support/.terraform-docs.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-content: |-
- # Example: AWS Cost Analysis Support
-
- This example demonstrates how to deploy the AWS Cost Analysis support resources using Terraform in your AWS Cost Analysis Account.
-
- ## Deployment
-
- 1. Copy the `terraform.tfvars.example` file to `terraform.tfvars` and update with your values.
- 2. Run `terraform init -upgrade`
- 3. Run `terraform plan -out=tfplan`
- 4. Run `terraform apply tfplan`
-
- ## Updating Docs
-
- The `terraform-docs` utility is used to generate this README. Follow the below steps to update:
- 1. Make changes to the `.terraform-docs.yml` file
- 2. Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/)
- 3. Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .`
-
- {{ .Inputs }}
-
- {{ .Outputs }}
diff --git a/examples/cost-analysis-support/README.md b/examples/cost-analysis-support/README.md
index 44d0075..890e71a 100644
--- a/examples/cost-analysis-support/README.md
+++ b/examples/cost-analysis-support/README.md
@@ -17,41 +17,27 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
2. Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/)
3. Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .`
-## Inputs
+
+## Requirements
-| Name | Description | Type | Default | Required |
-| --------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------- | ------------- | ------------- | :------: |
-| [enable_cost_analysis_support](#input_enable_cost_analysis_support) | Enable the creation of the finops role in the customer account | `bool` | `true` | no |
-| [enable_landing_zone_support](#input_enable_landing_zone_support) | Enable the creation of the support role in the customer account | `bool` | `false` | no |
-| [external_account_id](#input_external_account_id) | The external account id from where the support role will be assumed | `string` | n/a | yes |
-| [external_region](#input_external_region) | The external region from where the support role will be assumed | `string` | `"eu-west-2"` | no |
-| [external_role_name](#input_external_role_name) | The external account name from where the support role will be assumed | `string` | n/a | yes |
-| [tags](#input_tags) | A map of tags to add to the resources | `map(string)` | `{}` | no |
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0 |
+| [aws](#requirement\_aws) | ~> 5.0 |
-## Outputs
+## Providers
-| Name | Description |
-| -------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------- |
-| [appvia_cost_analysis_support_role_arn](#output_appvia_cost_analysis_support_role_arn) | The name of the Cost Analysis Support IAM role to be assumed by the Appvia support team |
+No providers.
-
-# Example: AWS Cost Analysis Support
+## Modules
-This example demonstrates how to deploy the AWS Cost Analysis support resources using Terraform in your AWS Cost Analysis Account.
+| Name | Source | Version |
+|------|--------|---------|
+| [appvia\_cost\_analysis\_support\_role](#module\_appvia\_cost\_analysis\_support\_role) | ../../modules/costanalysis | n/a |
-## Deployment
+## Resources
-1. Copy the `terraform.tfvars.example` file to `terraform.tfvars` and update with your values.
-2. Run `terraform init -upgrade`
-3. Run `terraform plan -out=tfplan`
-4. Run `terraform apply tfplan`
-
-## Updating Docs
-
-The `terraform-docs` utility is used to generate this README. Follow the below steps to update:
-1. Make changes to the `.terraform-docs.yml` file
-2. Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/)
-3. Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .`
+No resources.
## Inputs
@@ -64,4 +50,5 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
| Name | Description |
|------|-------------|
| [appvia\_cost\_analysis\_support\_role\_arn](#output\_appvia\_cost\_analysis\_support\_role\_arn) | The name of the Cost Analysis Support IAM role to be assumed by the Appvia support team |
-
\ No newline at end of file
+
+
diff --git a/examples/lza-support/.terraform-docs.yml b/examples/lza-support/.terraform-docs.yml
deleted file mode 100644
index 1b9849b..0000000
--- a/examples/lza-support/.terraform-docs.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-content: |-
- # Example: AWS Landing Zone Accelerator Support
-
- This example demonstrates how to deploy the AWS Landing Zone Accelerator (LZA) support resources using Terraform in your AWS Management Account where Control Tower is configured.
-
- ## Deployment
-
- 1. Copy the `terraform.tfvars.example` file to `terraform.tfvars` and update with your values.
- 2. Run `terraform init -upgrade`
- 3. Run `terraform plan -out=tfplan`
- 4. Run `terraform apply tfplan`
-
- ## Updating Docs
-
- The `terraform-docs` utility is used to generate this README. Follow the below steps to update:
- 1. Make changes to the `.terraform-docs.yml` file
- 2. Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/)
- 3. Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .`
-
- {{ .Inputs }}
-
- {{ .Outputs }}
diff --git a/examples/lza-support/README.md b/examples/lza-support/README.md
index e7a00cb..d3f0464 100644
--- a/examples/lza-support/README.md
+++ b/examples/lza-support/README.md
@@ -1,4 +1,3 @@
-
# Example: AWS Landing Zone Accelerator Support
This example demonstrates how to deploy the AWS Landing Zone Accelerator (LZA) support resources using Terraform in your AWS Management Account where Control Tower is configured.
@@ -13,10 +12,33 @@ This example demonstrates how to deploy the AWS Landing Zone Accelerator (LZA) s
## Updating Docs
The `terraform-docs` utility is used to generate this README. Follow the below steps to update:
+
1. Make changes to the `.terraform-docs.yml` file
2. Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/)
3. Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .`
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0 |
+| [aws](#requirement\_aws) | ~> 5.0 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [appvia\_lza\_support\_role](#module\_appvia\_lza\_support\_role) | ../../modules/lza | n/a |
+
+## Resources
+
+No resources.
+
## Inputs
| Name | Description | Type | Default | Required |
@@ -30,4 +52,5 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
|------|-------------|
| [appvia\_cost\_analysis\_support\_role\_arn](#output\_appvia\_cost\_analysis\_support\_role\_arn) | The ARN of the IAM role to be assumed by the support team for cost analysis |
| [appvia\_landing\_zone\_support\_role\_arn](#output\_appvia\_landing\_zone\_support\_role\_arn) | The name of the Landing Zone Support IAM role to be assumed by the Appvia support team |
-
\ No newline at end of file
+
+
diff --git a/modules/costanalysis/policies.tf b/modules/costanalysis/policies.tf
index 7ca33e0..53c11e5 100644
--- a/modules/costanalysis/policies.tf
+++ b/modules/costanalysis/policies.tf
@@ -32,6 +32,65 @@ data "aws_iam_policy_document" "policy" {
resources = ["*"]
}
+ statement {
+ sid = "AllowStepFunctions"
+ effect = "Allow"
+ actions = [
+ "states:Describe*",
+ "states:Get*",
+ "states:List*",
+ "states:StartExecution",
+ "states:StopExecution"
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "AllowCloudWatchLogs"
+ effect = "Allow"
+ actions = [
+ "logs:DescribeLogGroups",
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "AllowLambda"
+ effect = "Allow"
+ actions = [
+ "lambda:GetFunction",
+ "lambda:ListFunctions",
+ "lambda:GetFunctionConfiguration",
+ "lambda:ListTags",
+ "lambda:ListVersionsByFunction",
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "AllowCudosLogs"
+ effect = "Allow"
+ actions = [
+ "logs:DescribeLogStreams",
+ "logs:GetLogEvents",
+ "logs:FilterLogEvents"
+ ]
+ resources = [
+ "arn:aws:logs:*:*:log-group:/aws/lambda/CID-DC*",
+ ]
+ }
+
+ statement {
+ sid = "AllowCloudWatchAlarms"
+ effect = "Allow"
+ actions = [
+ "cloudwatch:Describe*",
+ "cloudwatch:List*",
+ "cloudwatch:Get*",
+ ]
+ resources = ["*"]
+ }
+
statement {
sid = "AllowAthenaAdmin"
effect = "Allow"
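Review bot: The new `AllowStepFunctions` statement grants `states:StartExecution` and `states:StopExecution` on `resources = ["*"]`, which lets this support role start or halt any state machine in the account rather than only the cost-analysis ones; the neighbouring `AllowCudosLogs` statement already shows the intended scoping by restricting to `/aws/lambda/CID-DC*`. Consider moving the two mutating actions into their own statement scoped to the relevant state machine ARNs (e.g. `resources = ["arn:aws:states:*:*:stateMachine:<CID_STATE_MACHINE_NAME_PREFIX>*"]` with the real prefix filled in) and keeping `Describe*`/`Get*`/`List*` on `*`. Likewise `lambda:GetFunction` on `*` returns a pre-signed download URL for any function's deployment package, which is broader than a cost-analysis read role needs; scoping it to the CID functions would be consistent with the logs statement. The enclosing `data "aws_iam_policy_document" "policy"` begins before and ends after this hunk.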