Merge pull request #123 from trussworks/barry-update-things

chore: update all the things and tflint and trivy

.github/workflows/validate.yml.noop

@@ -0,0 +1,28 @@
+name: Validate - Terraform
+
+on:
+  workflow_call:
+  pull_request:
+  push:
+    branches: [main]
+
+jobs:
+  validate-tf:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          ref: ${{ github.event.pull_request.head.ref }}
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+      - name: Install terraform-docs
+        run: |
+          curl -Lo ./terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.19.0/terraform-docs-v0.19.0-linux-amd64.tar.gz
+          tar -xzf terraform-docs.tar.gz
+          chmod +x terraform-docs
+          sudo mv terraform-docs /usr/local/bin/
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+        with:
+          python-version: "3.13"
+      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1

.gitignore

@@ -1,6 +1,52 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+*.envrc.local
+
+# Ignore transient lock info files created by terraform apply
+.terraform.tfstate.lock.info
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+tfplan
+*.plan
+*.out
+
+#Editors
 .DS_Store
-.terraform
-terraform.tfstate
-terraform.tfstate.backup
-terraform.tfstate.*.backup
-vendor
+*.swp
+*.sublime-*
+.*.stamp
+.idea
+.vscode
+tmp/
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc

.markdownlintrc

@@ -0,0 +1,9 @@
+{
+  "default": true,
+  "first-header-h1": false,
+  "first-line-h1": false,
+  "line_length": false,
+  "no-multiple-blanks": false,
+  "no-inline-html": false,
+  "no-alt-text": false
+}

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v5.0.0
     hooks:
       - id: check-json
       - id: check-merge-conflict
@@ -15,7 +15,7 @@ repos:
       - id: mixed-line-ending
 
   - repo: https://github.com/executablebooks/mdformat
-    rev: 0.7.16
+    rev: 0.7.21
     hooks:
       - id: mdformat
         additional_dependencies:
@@ -25,19 +25,22 @@ repos:
         exclude: README.m(ark)?d(own)?
 
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.33.0
+    rev: v0.44.0
     hooks:
       - id: markdownlint
 
-  - repo: https://github.com/detailyang/pre-commit-shell
-    rev: 1.0.5
+  - repo: https://github.com/terraform-docs/terraform-docs
+    rev: "v0.19.0"
     hooks:
-      - id: shell-lint
+      - id: terraform-docs-system
 
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.77.0
+    rev: v1.97.0
     hooks:
-      - id: terraform_docs
-        args:
-          - --args=--config=.terraform-docs.yml
+      - id: terraform_validate
       - id: terraform_fmt
+      - id: terraform_tflint
+      - id: terraform_trivy
+        args:
+          - --args=--ignorefile=__GIT_WORKING_DIR__/.trivyignore.yaml
+          - --args=--config=__GIT_WORKING_DIR__trivy.yaml

.terraform-docs.yml

@@ -1,4 +1,35 @@
+version: ">= 0.19.0, < 1.0.0"
+
 settings:
   html: false
   anchor: false
+  escape: false
+  lockfile: false
+  hide-empty: false # set to true when Terraform exists
 formatter: "markdown table"
+
+sort:
+  enabled: true
+  by: required
+
+sections:
+  show:
+    - requirements
+    - providers
+    - modules
+    - data-sources
+    - resources
+    - inputs
+    - outputs
+
+recursive:
+  enabled: false
+  include-main: false
+
+output:
+  file: README.md
+  mode: inject
+  template: |-
+    <!-- BEGIN_TF_DOCS -->
+    {{ .Content }}
+    <!-- END_TF_DOCS -->

.terraform-version

@@ -1 +1 @@
-1.10.4
+1.5.7

.trivyignore.yaml

@@ -0,0 +1,7 @@
+# These are just examples to get you started.
+misconfigurations:
+  - id: AVD-AWS-0342 # (MEDIUM): IAM policy allows 'iam:PassRole' action
+  - id: AVD-AWS-0104 # (CRITICAL): Security group rule allows unrestricted egress to any IP address.
+  - id: AVD-AWS-0176 # (MEDIUM): Instance does not have IAM Authentication enabled
+  - id: AVD-AWS-0133 # (LOW): Instance does not have performance insights enabled.
+  - id: AVD-AWS-0099 # (LOW): Security group explicitly uses the default description.

Makefile

@@ -1,13 +1,7 @@
-.PHONY: ensure_pre_commit
-ensure_pre_commit: .git/hooks/pre-commit ## Ensure pre-commit is installed
-.git/hooks/pre-commit: /usr/local/bin/pre-commit
-	pre-commit install
-	pre-commit install-hooks
-
-.PHONY: pre_commit_tests
-pre_commit_tests: ensure_pre_commit ## Run pre-commit tests
-	pre-commit run --all-files
-
-.PHONY: clean
-clean:
-	rm -f .*.stamp
+.PHONY: target_lock
+target_lock:
+	terraform providers lock \
+  		-platform=windows_amd64 \
+  		-platform=darwin_amd64 \
+  		-platform=darwin_arm64 \
+  		-platform=linux_amd64

README.md

@@ -24,13 +24,13 @@ module "example" {
 }
 ```
 
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| terraform | >= 1.3.7 |
-| aws | ~> 4.52.0 |
+| terraform | 1.5.7 |
+| aws | ~> 5.0 |
 
 ## Providers
 
@@ -51,14 +51,20 @@ No inputs.
 ## Outputs
 
 No outputs.
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->
 
 ## Developer Setup
 
+- [Pre-Commit](https://pre-commit.com/)
+- [TFenv](https://github.com/tfutils/tfenv)
+- [Terraform-Docs](https://terraform-docs.io/)
+- [TFLint](https://github.com/terraform-linters/tflint)
+- [Trivy](https://trivy.dev/)
+
 Install dependencies (macOS)
 
 ```shell
-brew install pre-commit tfenv terraform-docs
+brew install pre-commit tfenv terraform-docs tflint trivy
 tfenv install
 pre-commit install --install-hooks
 ```

renovate.json

@@ -1,51 +1,33 @@
 {
   "extends": [
-    "config:base",
-    ":disableDependencyDashboard"
+    "config:recommended",
+    "helpers:pinGitHubActionDigests"
   ],
   "labels": [
     "dependencies"
   ],
   "packageRules": [
-    {
-      "automerge": true,
-      "description": "Automerge all updates except major versions",
-      "matchUpdateTypes": [
-        "patch",
-        "pin",
-        "digest",
-        "minor"
-      ]
-    },
-    {
-      "description": "Tag the waddlers Github Team for major updates",
-      "matchUpdateTypes": [
-        "major"
-      ],
-      "reviewers": [
-        "team:waddlers"
-      ]
-    },
     {
       "automerge": true,
       "description": "Group minor and patch updates into a single PR",
       "groupName": "dependencies",
-      "managers": [
+      "matchManagers": [
         "terraform",
         "pre-commit",
-        "dockerfile",
         "github-actions"
       ],
       "matchUpdateTypes": [
         "minor",
-        "patch"
+        "patch",
+        "pin",
+        "digest"
       ]
     }
   ],
-  "prConcurrentLimit": 2,
   "schedule": [
     "every weekend"
   ],
   "separateMinorPatch": true,
-  "timezone": "America/Los_Angeles"
+  "separateMultipleMajor": true,
+  "separateMultipleMinor": true
 }

terraform.tf

@@ -0,0 +1,11 @@
+# Last MPL Licensed Terraform version
+terraform {
+  required_version = "1.5.7"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}

trivy.yaml

@@ -0,0 +1,14 @@
+quiet: true
+
+scan:
+  skip-dirs:
+    - "**/.terraform"
+
+misconfiguration:
+  scanners:
+    - terraform
+
+  terraform:
+    exclude-downloaded-modules: true
+
+ignorefile: ".trivyignore.yaml"