

Merge pull request #3 from rhythmictech/ENG-2953
Fix README, update CI, tidy up variables, add DNS servers variable
sblack4 authored May 23, 2022
2 parents d4eb3d4 + 3bd4a68 commit 6125613
Showing 13 changed files with 133 additions and 166 deletions.
17 changes: 2 additions & 15 deletions .github/workflows/pre-commit.yaml
Expand Up @@ -2,7 +2,7 @@
name: pre-commit-check
on:
push:
branches: -- main
branches:
- master
- prod
- develop
Expand All @@ -16,14 +16,10 @@ jobs:
uses: actions/setup-python@v2
- name: Install prerequisites
run: ./bin/install-ubuntu.sh
- name: Setup Terraform
uses: hashicorp/setup-terraform@v1
with:
terraform_version: ~0.13.5
- name: initialize Terraform
run: terraform init --backend=false
- name: pre-commit
uses: pre-commit/[email protected].0
uses: pre-commit/[email protected].3
env:
AWS_DEFAULT_REGION: us-east-1
# many of these are covered by better reviewdog linters below
Expand All @@ -32,12 +28,3 @@ jobs:
no-commit-to-branch,
terraform_tflint_nocreds,
terraform_tfsec
- uses: stefanzweifel/git-auto-commit-action@v4
if: ${{ failure() }}
with:
commit_message: Apply automatic changes
commit_options: "--no-verify"
# Optional commit user and author settings
commit_user_name: Linter Bot
commit_user_email: [email protected]
commit_author: Linter Bot <[email protected]>
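Review bot: Every action in this workflow is referenced by a mutable tag — the updated `uses:` line for `pre-commit/action` as well as the `actions/setup-python@v2` context line — so the job's supply chain depends on nobody moving those tags; pinning third-party actions to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: pre-commit/action@<full-commit-sha>  # <tag>`, is the usual mitigation. The same applies to the `uses:` lines in .github/workflows/pullRequest.yaml, .github/workflows/tflint.yaml and .github/workflows/tfsec.yaml. Dropping the `git-auto-commit-action` step that ran on failure with `--no-verify` removes a path that could push linter-generated changes without hooks, which is an improvement the commit already makes. The `jobs:` mapping starts above the first hunk and its steps continue past the last one, so whether a later step still needs a terraform binary after the setup step was removed is not visible here.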
27 changes: 5 additions & 22 deletions .github/workflows/pullRequest.yaml
Expand Up @@ -13,14 +13,10 @@ jobs:
uses: actions/setup-python@v2
- name: Install prerequisites
run: ./bin/install-ubuntu.sh
- name: Setup Terraform
uses: hashicorp/setup-terraform@v1
with:
terraform_version: ~0.13.5
- name: initialize Terraform
run: terraform init --backend=false
- name: pre-commit
uses: pre-commit/[email protected].0
uses: pre-commit/[email protected].3
env:
AWS_DEFAULT_REGION: us-east-1
# many of these are covered by better reviewdog linters below
Expand All @@ -29,23 +25,12 @@ jobs:
no-commit-to-branch,
terraform_tflint_nocreds,
terraform_tfsec
- uses: stefanzweifel/git-auto-commit-action@v4
if: ${{ failure() }}
with:
commit_message: Apply automatic changes
commit_options: "--no-verify"
# Optional commit user and author settings
commit_user_name: Linter Bot
commit_user_email: [email protected]
commit_author: Linter Bot <[email protected]>
tflint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: setup Terraform
uses: hashicorp/setup-terraform@v1
with:
terraform_version: ~0.13.5
- name: Install prerequisites
run: ./bin/install-ubuntu.sh
- name: Terraform init
run: terraform init --backend=false
- name: tflint
Expand All @@ -60,10 +45,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: setup Terraform
uses: hashicorp/setup-terraform@v1
with:
terraform_version: ~0.13.5
- name: Install prerequisites
run: ./bin/install-ubuntu.sh
- name: Terraform init
run: terraform init --backend=false
- name: tfsec
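Review bot: The `tflint` and `tfsec` jobs lose the `hashicorp/setup-terraform` step but keep `run: terraform init --backend=false` (and tflint with `module = true` in .tflint.hcl appears to depend on the modules that init fetches), so a `terraform` binary now has to reach PATH from `./bin/install-ubuntu.sh`; that script clones tfenv, but the lines that would select and install a version are outside this diff, so confirm on a CI run that `terraform` resolves before the init step. If tfenv is the intended source, committing a `.terraform-version` file makes the version explicit and reviewable instead of relying on tfenv's environment-based selection. The same setup step is removed in .github/workflows/tflint.yaml and .github/workflows/tfsec.yaml, where the same check applies. The `jobs:` mapping begins above the first hunk and continues past the last one.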
6 changes: 2 additions & 4 deletions .github/workflows/tflint.yaml
Expand Up @@ -13,10 +13,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: setup Terraform
uses: hashicorp/setup-terraform@v1
with:
terraform_version: ~0.13.5
- name: Install prerequisites
run: ./bin/install-ubuntu.sh
- name: Terraform init
run: terraform init --backend=false
- name: tflint
6 changes: 2 additions & 4 deletions .github/workflows/tfsec.yaml
Expand Up @@ -13,10 +13,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: setup Terraform
uses: hashicorp/setup-terraform@v1
with:
terraform_version: ~0.13.5
- name: Install prerequisites
run: ./bin/install-ubuntu.sh
- name: Terraform init
run: terraform init --backend=false
- name: tfsec
35 changes: 26 additions & 9 deletions .pre-commit-config.yaml
@@ -1,17 +1,11 @@
exclude: ".terraform"
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.43.0
rev: v1.71.0
hooks:
- id: terraform_docs
always_run: true
args:
- --args=--sort-by-required
- id: terraform_fmt
- id: terraform_tflint
alias: terraform_tflint_deep
name: terraform_tflint_deep
args:
- --args=--deep
- id: terraform_tflint
alias: terraform_tflint_nocreds
name: terraform_tflint_nocreds
Expand Down Expand Up @@ -40,8 +34,29 @@ repos:
verbose: true
files: \.tf(vars)?$
exclude: examples
- id: tflock
name: provider_locks
entry: |
bash -c '
AWS_DEFAULT_REGION=us-east-1
declare -a DIRS
for FILE in "$@"
do
DIRS+=($(dirname "$FILE"))
done
for DIR in $(printf "%s\n" "${DIRS[@]}" | sort -u)
do
cd $(dirname "$FILE")
terraform providers lock -platform=windows_amd64 -platform=darwin_amd64 -platform=linux_amd64
cd ..
done
'
language: system
verbose: true
files: \.tf(vars)?$
exclude: examples
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v3.3.0
rev: v4.2.0
hooks:
- id: check-case-conflict
- id: check-json
Expand Down Expand Up @@ -70,3 +85,5 @@ repos:
args:
- --markdown-linebreak-ext=md
exclude: README.md
ci:
skip: [terraform_docs, terraform_fmt, terraform_tflint, terraform_tfsec, tflock]
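Review bot: The `tflock` hook's second loop never uses `$DIR`: its body runs `cd $(dirname "$FILE")` with `$FILE` left over from the first loop, so every iteration locks the directory of the last changed file, and `cd ..` only returns to the repository root when that directory is exactly one level deep (for a root-level `.tf` file `dirname` yields `.`, and `cd ..` leaves the repository). `bash -c '...'` also assigns the first filename pre-commit appends to `$0` rather than to `"$@"`, so the first changed file is skipped unless a placeholder argument follows the closing quote. There is no `set -e`, and the loop body ends in `cd ..`, so a failed `terraform providers lock` is masked and the hook exits 0. `AWS_DEFAULT_REGION=us-east-1` is a plain shell assignment, not exported, so terraform never sees it. Writing `.terraform.lock.hcl` hashes for all three platforms is a good provider-pinning step; the rewrite below keeps that and fixes the loop.
```yaml
      - id: tflock
        name: provider_locks
        entry: |
          bash -c '
          set -eo pipefail
          export AWS_DEFAULT_REGION=us-east-1
          declare -a DIRS
          for FILE in "$@"
          do
            DIRS+=("$(dirname "$FILE")")
          done
          for DIR in $(printf "%s\n" "${DIRS[@]}" | sort -u)
          do
            ( cd "$DIR" && terraform providers lock -platform=windows_amd64 -platform=darwin_amd64 -platform=linux_amd64 )
          done
          ' _
        # … unchanged: language, verbose, files, exclude …
```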
3 changes: 1 addition & 2 deletions .tflint.hcl
@@ -1,6 +1,5 @@
config {
module = true
deep_check = false
}

rule "terraform_deprecated_interpolation" {
Expand Down Expand Up @@ -37,7 +36,7 @@ rule "terraform_naming_convention" {
}

rule "terraform_required_version" {
enabled = true
enabled = false
}

rule "terraform_required_providers" {
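Review bot: Switching `terraform_required_version` to `enabled = false` silently drops the lint that the module declares a `required_version`, and nothing in the hunk says why; a one-line comment above the rule such as `# disabled: <reason>` would stop the next reader from re-enabling it blindly. If the motivation was only noise from the `>= 0.13.0` constraint shown in the README, that constraint should already satisfy the rule, so the disable may not be needed at all. The removal of `deep_check = false` from the `config` block looks like a follow-on of the tflint version bump and is fine as is.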
2 changes: 1 addition & 1 deletion LICENSE
@@ -1,6 +1,6 @@
MIT License

Copyright (c) 2020 Rhythmic Technologies, Inc.
Copyright (c) 2022 Rhythmic Technologies, Inc.

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
100 changes: 68 additions & 32 deletions README.md
@@ -1,63 +1,99 @@
# terraform-terraform-template
Template repository for terraform modules. Good for any cloud and any provider.

[![tflint](https://github.com/rhythmictech/terraform-terraform-template/workflows/tflint/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Atflint+event%3Apush+branch%3Amaster)
[![tfsec](https://github.com/rhythmictech/terraform-terraform-template/workflows/tfsec/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Atfsec+event%3Apush+branch%3Amaster)
[![yamllint](https://github.com/rhythmictech/terraform-terraform-template/workflows/yamllint/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Ayamllint+event%3Apush+branch%3Amaster)
[![misspell](https://github.com/rhythmictech/terraform-terraform-template/workflows/misspell/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Amisspell+event%3Apush+branch%3Amaster)
[![pre-commit-check](https://github.com/rhythmictech/terraform-terraform-template/workflows/pre-commit-check/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Apre-commit-check+event%3Apush+branch%3Amaster)
# terraform-aws-client-vpn-federated
Creates an AWS Client VPN with federated client authentication

[![tflint](https://github.com/rhythmictech/terraform-aws-client-vpn-federated/workflows/tflint/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-aws-client-vpn-federated/actions?query=workflow%3Atflint+event%3Apush+branch%3Amaster)
[![tfsec](https://github.com/rhythmictech/terraform-aws-client-vpn-federated/workflows/tfsec/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-aws-client-vpn-federated/actions?query=workflow%3Atfsec+event%3Apush+branch%3Amaster)
[![yamllint](https://github.com/rhythmictech/terraform-aws-client-vpn-federated/workflows/yamllint/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-aws-client-vpn-federated/actions?query=workflow%3Ayamllint+event%3Apush+branch%3Amaster)
[![misspell](https://github.com/rhythmictech/terraform-aws-client-vpn-federated/workflows/misspell/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-aws-client-vpn-federated/actions?query=workflow%3Amisspell+event%3Apush+branch%3Amaster)
[![pre-commit-check](https://github.com/rhythmictech/terraform-aws-client-vpn-federated/workflows/pre-commit-check/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-aws-client-vpn-federated/actions?query=workflow%3Apre-commit-check+event%3Apush+branch%3Amaster)
<a href="https://twitter.com/intent/follow?screen_name=RhythmicTech"><img src="https://img.shields.io/twitter/follow/RhythmicTech?style=social&logo=twitter" alt="follow on Twitter"></a>

## Example

Here's what using the module will look like
```hcl
module "example" {
source = "rhythmictech/terraform-mycloud-mymodule
module "vpn" {
source = "rhythmictech/client-vpn-federated/aws"
name = "vpn"
additional_routes = var.additional_routes
associated_subnets = var.associated_subnets
client_cidr_block = var.vpn_client_cidr_block
saml_metadata_document = file("${path.module}/saml-metadata.xml")
server_certificate_arn = data.aws_acm_certificate.com_cert.arn
tags = local.tags
vpc_id = var.vpc_id
authorization_rules = [{
name = "allow-all"
access_group_id = null
authorize_all_groups = true
description = "Allow All Groups"
target_network_cidr = var.cidr_block
}]
}
```

## About
A bit about this module

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements

| Name | Version |
|------|---------|
| terraform | ~> 0.13.0 |
| aws | ~> 3.5 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 3.5 |

## Providers

| Name | Version |
|------|---------|
| aws | ~> 3.5 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 3.5 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| <a name="module_saml_is_defined"></a> [saml\_is\_defined](#module\_saml\_is\_defined) | rhythmictech/errorcheck/terraform | ~> 1.2 |
| <a name="module_saml_not_defined_twice"></a> [saml\_not\_defined\_twice](#module\_saml\_not\_defined\_twice) | rhythmictech/errorcheck/terraform | ~> 1.2 |

## Resources

| Name | Type |
|------|------|
| [aws_cloudwatch_log_group.vpn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
| [aws_cloudwatch_log_stream.vpn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_stream) | resource |
| [aws_ec2_client_vpn_authorization_rule.rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_client_vpn_authorization_rule) | resource |
| [aws_ec2_client_vpn_endpoint.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_client_vpn_endpoint) | resource |
| [aws_ec2_client_vpn_network_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_client_vpn_network_association) | resource |
| [aws_ec2_client_vpn_route.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_client_vpn_route) | resource |
| [aws_iam_saml_provider.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_saml_provider) | resource |
| [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| associated\_subnets | List of subnets to associate with the VPN endpoint | `list(string)` | n/a | yes |
| authorization\_rules | List of objects describing the authorization rules for the client vpn | <pre>list(object({<br> name = string<br> access_group_id = string<br> authorize_all_groups = bool<br> description = string<br> target_network_cidr = string<br> }))</pre> | n/a | yes |
| client\_cidr\_block | (optional) describe your variable | `string` | n/a | yes |
| name | Name to associate with various resources | `string` | n/a | yes |
| server\_certificate\_arn | ARN of ACM certificate to use with Client VPN | `string` | n/a | yes |
| vpc\_id | ID of VPC to attach VPN to | `string` | n/a | yes |
| additional\_routes | A list of additional routes that should be attached to the Client VPN endpoint | <pre>list(object({<br> destination_cidr_block = string<br> description = string<br> target_vpc_subnet_id = string<br> }))</pre> | `[]` | no |
| additional\_security\_groups | List of security groups to attach to the client vpn network associations | `list(string)` | `[]` | no |
| cloudwatch\_log\_retention\_days | How long to keep VPN logs. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire. | `number` | `30` | no |
| saml\_metadata\_document | Optional SAML metadata document. Must include this or `saml_provider_arn` | `string` | `null` | no |
| saml\_provider\_arn | Optional SAML provider ARN. Must include this or `saml_metadata_document` | `string` | `null` | no |
| split\_tunnel\_enabled | Whether to enable split tunnelling | `bool` | `true` | no |
| tags | Map of strings containing tags for AWS resources | `map(string)` | `{}` | no |
| <a name="input_additional_routes"></a> [additional\_routes](#input\_additional\_routes) | A list of additional routes that should be attached to the Client VPN endpoint | <pre>list(object({<br> destination_cidr_block = string<br> description = string<br> target_vpc_subnet_id = string<br> }))</pre> | `[]` | no |
| <a name="input_additional_security_groups"></a> [additional\_security\_groups](#input\_additional\_security\_groups) | List of security groups to attach to the client vpn network associations | `list(string)` | `[]` | no |
| <a name="input_associated_subnets"></a> [associated\_subnets](#input\_associated\_subnets) | List of subnets to associate with the VPN endpoint | `list(string)` | n/a | yes |
| <a name="input_authorization_rules"></a> [authorization\_rules](#input\_authorization\_rules) | List of objects describing the authorization rules for the client vpn | <pre>list(object({<br> access_group_id = string<br> authorize_all_groups = bool<br> description = string<br> target_network_cidr = string<br> }))</pre> | n/a | yes |
| <a name="input_client_cidr_block"></a> [client\_cidr\_block](#input\_client\_cidr\_block) | IPv4 CIDR block for client addresses. /22 or greater | `string` | n/a | yes |
| <a name="input_cloudwatch_log_retention_days"></a> [cloudwatch\_log\_retention\_days](#input\_cloudwatch\_log\_retention\_days) | How long to keep VPN logs. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire. | `number` | `30` | no |
| <a name="input_dns_servers"></a> [dns\_servers](#input\_dns\_servers) | Up to two DNS servers | `list(string)` | `[]` | no |
| <a name="input_name"></a> [name](#input\_name) | Name to associate with various resources | `string` | n/a | yes |
| <a name="input_saml_metadata_document"></a> [saml\_metadata\_document](#input\_saml\_metadata\_document) | Optional SAML metadata document. Must include this or `saml_provider_arn` | `string` | `null` | no |
| <a name="input_saml_provider_arn"></a> [saml\_provider\_arn](#input\_saml\_provider\_arn) | Optional SAML provider ARN. Must include this or `saml_metadata_document` | `string` | `null` | no |
| <a name="input_server_certificate_arn"></a> [server\_certificate\_arn](#input\_server\_certificate\_arn) | ARN of ACM certificate to use with Client VPN | `string` | n/a | yes |
| <a name="input_split_tunnel_enabled"></a> [split\_tunnel\_enabled](#input\_split\_tunnel\_enabled) | Whether to enable split tunneling | `bool` | `true` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | Map of strings containing tags for AWS resources | `map(string)` | `{}` | no |
| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | ID of VPC to attach VPN to | `string` | n/a | yes |

## Outputs

| Name | Description |
|------|-------------|
| vpn\_dns\_name | DNS name to be used by clients when establishing VPN session |
| vpn\_endpoint\_security\_groups | VPN endpoint security groups |

| <a name="output_vpn_dns_name"></a> [vpn\_dns\_name](#output\_vpn\_dns\_name) | DNS name to be used by clients when establishing VPN session |
| <a name="output_vpn_endpoint_security_groups"></a> [vpn\_endpoint\_security\_groups](#output\_vpn\_endpoint\_security\_groups) | VPN endpoint security groups |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

## The Giants Underneath this Module
12 changes: 11 additions & 1 deletion bin/install-ubuntu.sh
Expand Up @@ -3,7 +3,17 @@
echo 'installing dependencies'
sudo apt install python3-pip gawk &&\
pip3 install pre-commit
curl -L "$(curl -sL https://api.github.com/repos/segmentio/terraform-docs/releases/latest | grep -o -E "https://.+?-linux-amd64")" > terraform-docs && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/

# terraform docs
mkdir tmp
cd tmp
curl -Lo ./terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-$(uname)-amd64.tar.gz
tar -xzf terraform-docs.tar.gz
chmod +x terraform-docs
sudo mv terraform-docs /usr/bin/
cd ..
rm -rf tmp

curl -L "$(curl -sL https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/
env GO111MODULE=on go get -u github.com/liamg/tfsec/cmd/tfsec
git clone https://github.com/tfutils/tfenv.git ~/.tfenv || true
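Review bot: The new terraform-docs download at the `curl -Lo ./terraform-docs.tar.gz …` line pins the release (v0.16.0), which is better than the "latest" lookup it replaces, but it verifies nothing: `curl` runs without `-f`, so an HTTP error body is saved as the tarball, and no checksum is compared before the binary is moved into `/usr/bin/`. The `mkdir tmp` / `cd tmp` / … / `rm -rf tmp` sequence also has no error handling, so a failed `cd tmp` leaves the remaining commands running in the wrong directory, which is inconsistent with the `&&\` chaining the surrounding lines use. The rewrite below uses a `mktemp -d` directory, fails fast, and checks the archive against its published SHA-256; the expected digest is a placeholder to be filled in from the release page. The script begins above the hunk and continues below it.
```sh
# terraform docs
TD_VERSION="v0.16.0"
TD_ARCHIVE="terraform-docs-${TD_VERSION}-$(uname)-amd64.tar.gz"
# placeholder: SHA-256 of ${TD_ARCHIVE} as published with the release
TD_SHA256="<sha256-of-${TD_ARCHIVE}>"
TD_TMP="$(mktemp -d)" &&\
  curl -fsSLo "${TD_TMP}/${TD_ARCHIVE}" "https://github.com/terraform-docs/terraform-docs/releases/download/${TD_VERSION}/${TD_ARCHIVE}" &&\
  echo "${TD_SHA256}  ${TD_TMP}/${TD_ARCHIVE}" | sha256sum -c - &&\
  tar -xzf "${TD_TMP}/${TD_ARCHIVE}" -C "${TD_TMP}" terraform-docs &&\
  chmod +x "${TD_TMP}/terraform-docs" &&\
  sudo mv "${TD_TMP}/terraform-docs" /usr/bin/
rm -rf "${TD_TMP}"
# … unchanged: tflint, tfsec and tfenv installation …
```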

