From 1782426fa1d697a0136bd7e79c11d2a89fc92d7d Mon Sep 17 00:00:00 2001 From: Barry Morrison <689591+esacteksab@users.noreply.github.com> Date: Sat, 25 Jan 2025 13:59:13 -0600 Subject: [PATCH 1/9] chore: additional ignores for git --- .gitignore | 56 +++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 51 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 2fa5ebc..0136837 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,52 @@ +# Local .terraform directories +**/.terraform/* + +# .tfstate files +*.tfstate +*.tfstate.* + +# Crash log files +crash.log +crash.*.log + +# Exclude all .tfvars files, which are likely to contain sensitive data, such as +# password, private keys, and other secrets. These should not be part of version +# control as they are data points which are potentially sensitive and subject +# to change depending on the environment. +*.tfvars +*.tfvars.json + +# Ignore override files as they are usually used to override resources locally and so +# are not checked in +override.tf +override.tf.json +*_override.tf +*_override.tf.json +*.envrc.local + +# Ignore transient lock info files created by terraform apply +.terraform.tfstate.lock.info + +# Include override files you do wish to add to version control using negated pattern +# !example_override.tf# Include override files you do wish to add to version control using negated pattern +# +# !example_override.tf + +# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan +# example: *tfplan* +tfplan +*.plan +*.out + +#Editors .DS_Store -.terraform -terraform.tfstate -terraform.tfstate.backup -terraform.tfstate.*.backup -vendor +*.swp +*.sublime-* +.*.stamp +.idea +.vscode +tmp/ + +# Ignore CLI configuration files +.terraformrc +terraform.rc From 829c5e049038f7cf3ec9d5e3e0d140d0aef45cec Mon Sep 17 00:00:00 2001 
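Review bot: The comment pair after `*_override.tf.json` is a fused duplicate — `# !example_override.tf# Include override files you do wish to add to version control using negated pattern` repeats the line above it with the break lost — and should collapse to the single pair `# Include override files you do wish to add to version control using negated pattern` / `# !example_override.tf`. The tfplan comment reads backwards ("Include tfplan files to ignore the plan output") and never says why plans are ignored; I would replace it with `# Ignore saved plans: a plan file carries the variable and attribute values it was produced with, sensitive ones included, and is not encrypted`. `*.out` and `tmp/` are broad enough to hide unrelated files, so consider narrowing them. Note that `.terraform.lock.hcl` sits outside `**/.terraform/*` and so stays tracked, which is what you want for provider hash enforcement; a one-line comment saying so would stop someone "fixing" it later.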
From: Barry Morrison <689591+esacteksab@users.noreply.github.com> Date: Sat, 25 Jan 2025 14:00:05 -0600 Subject: [PATCH 2/9] chore: pin Terraform to 1.5.7 for now --- .terraform-version | 2 +- .terraform.lock.hcl | 28 ++++++++++++++++++++++++++++ terraform.tf | 11 +++++++++++ versions.tf | 14 -------------- 4 files changed, 40 insertions(+), 15 deletions(-) create mode 100644 .terraform.lock.hcl create mode 100644 terraform.tf delete mode 100644 versions.tf diff --git a/.terraform-version b/.terraform-version index 18b3114..f01291b 100644 --- a/.terraform-version +++ b/.terraform-version @@ -1 +1 @@ -1.10.4 +1.5.7 diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl new file mode 100644 index 0000000..3062d2b --- /dev/null +++ b/.terraform.lock.hcl 
@@ -0,0 +1,28 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.84.0" + constraints = "~> 5.0" + hashes = [ + "h1:EJLTu1eqP93P4+DexFZHnuMCwEapkmHhEUirUT+tjZw=", + "h1:OJ53RNte7HLHSMxSkzu1S6H8sC0T8qnCAOcNLjjtMpc=", + "h1:TpsSFMkiuLC1V29n4Ov99g4L6jlsBmBMWxqDX3GZNww=", + "h1:dwpeFUdcxgXVAc0JSqO57xf0/r2qOBLPloombCQWFz8=", + "zh:078f77438aba6ec8bf9154b7d223e5c71c48d805d6cd3bcf9db0cc1e82668ac3", + "zh:1f6591ff96be00501e71b792ed3a5a14b21ff03afec9a1c4a3fd9300e6e5b674", + "zh:2ab694e022e81dd74485351c5836148a842ed71cf640664c9d871cb517b09602", + "zh:33c8ccb6e3dc496e828a7572dd981366c6271075c1189f249b9b5236361d7eff", + "zh:6f31068ebad1d627e421c72ccdaafe678c53600ca73714e977bf45ff43ae5d17", + "zh:7488623dccfb639347cae66f9001d39cf06b92e8081975235a1ac3a0ac3f44aa", + "zh:7f042b78b9690a8725c95b91a70fc8e264011b836605bcc342ac297b9ea3937d", + "zh:88b56ac6c7209dc0a775b79975a371918f3aed8f015c37d5899f31deff37c61a", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a1979ba840d704af0932f8de5f541cbb4caa9b6bbd25ed552a24e6772175ba07", + "zh:b058c0533dae580e69d1adbc1f69e6a80632374abfc10e8634d06187a108e87b", + "zh:c88610af9cf957f8dcf4382e0c9ca566ef10e3290f5de01d4d90b2d81b078aa8", + "zh:e9562c055a2247d0c287772b55abef468c79f8d66a74780fe1c5e5dae1a284a9", + "zh:f7a7c71d28441d925a25c08c4485c015b2d9f0338bc9707443e91ff8e161d3d9", + "zh:fee533e81976d0900aa6fa443dc54ef171cbd901847f28a6e8edb1d161fa6fde", + ] +} diff --git a/terraform.tf b/terraform.tf new file mode 100644 index 0000000..c56488d --- /dev/null +++ b/terraform.tf @@ -0,0 +1,11 @@ +# Last MPL Licensed Terraform version +terraform { + required_version = "1.5.7" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } + } +} diff --git a/versions.tf b/versions.tf deleted file mode 100644 index b74d991..0000000 --- a/versions.tf +++ /dev/null 
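Review bot: `required_version = "1.5.7"` is an exact pin that is also duplicated in `.terraform-version`, and the header comment does not say which file is authoritative, so the two will drift; I would expand it to `# Exact pin, kept in sync with .terraform-version: 1.5.7 is the last MPL-licensed release. Bump both together.` Loosening the provider constraint to `~> 5.0` means the effective provider version is now held only by `.terraform.lock.hcl`, which is fine for supply-chain purposes as long as `terraform init` runs without `-upgrade` and the lockfile stays committed; a comment on `version = "~> 5.0"` such as `# exact version and hashes are held in .terraform.lock.hcl` makes that intent visible. The deleted versions.tf also appears to have carried the only `provider "aws"` block, so callers of this module presumably now supply provider configuration themselves, and the README should say so.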
@@ -1,14 +0,0 @@ -terraform { - required_version = ">= 1.3.7" - - required_providers { - aws = { - source = "hashicorp/aws" - version = "~> 5.84.0" - } - } -} - -provider "aws" { - region = "us-west-2" -} From 70cbd87fb7e9bf5f21093bc9c94e17a9dc9506b3 Mon Sep 17 00:00:00 2001 From: Barry Morrison <689591+esacteksab@users.noreply.github.com> Date: Sat, 25 Jan 2025 14:30:30 -0600 Subject: [PATCH 3/9] docs: updated readme --- README.md | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 82ef3ce..70231d0 100644 --- a/README.md +++ b/README.md @@ -24,13 +24,13 @@ module "example" { } ``` - + ## Requirements | Name | Version | |------|---------| -| terraform | >= 1.3.7 | -| aws | ~> 4.52.0 | +| terraform | 1.5.7 | +| aws | ~> 5.0 | ## Providers @@ -51,14 +51,20 @@ No inputs. ## Outputs No outputs. - + ## Developer Setup +- [Pre-Commit](https://pre-commit.com/) +- [TFenv](https://github.com/tfutils/tfenv) +- [Terraform-Docs](https://terraform-docs.io/) +- [TFLint](https://github.com/terraform-linters/tflint) +- [Trivy](https://trivy.dev/) + Install dependencies (macOS) ```shell -brew install pre-commit tfenv terraform-docs +brew install pre-commit tfenv terraform-docs tflint trivy tfenv install pre-commit install --install-hooks ``` From 70c46693285cb8ec2c3f6453c9d50d57014edbbf Mon Sep 17 00:00:00 2001 From: Barry Morrison <689591+esacteksab@users.noreply.github.com> Date: Sat, 25 Jan 2025 14:31:13 -0600 Subject: [PATCH 4/9] chore: pre-commit autoupdate, terraform-docs and markdownlintrc --- .markdownlintrc | 9 +++++++++ .pre-commit-config.yaml | 20 ++++++++++---------- .terraform-docs.yml | 31 +++++++++++++++++++++++++++++++ 3 files changed, 50 insertions(+), 10 deletions(-) create mode 100644 .markdownlintrc diff --git a/.markdownlintrc b/.markdownlintrc new file mode 100644 index 0000000..3e0ef98 --- /dev/null +++ b/.markdownlintrc 
@@ -0,0 +1,9 @@ +{ + "default": true, + "first-header-h1": false, + "first-line-h1": false, + "line_length": false, + "no-multiple-blanks": false, + "no-inline-html": false, + "no-alt-text": false +} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 043e348..bd634ac 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.4.0 + rev: v5.0.0 hooks: - id: check-json - id: check-merge-conflict @@ -15,7 +15,7 @@ repos: - id: mixed-line-ending - repo: https://github.com/executablebooks/mdformat - rev: 0.7.16 + rev: 0.7.21 hooks: - id: mdformat additional_dependencies: @@ -25,19 +25,19 @@ repos: exclude: README.m(ark)?d(own)? - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.33.0 + rev: v0.44.0 hooks: - id: markdownlint - - repo: https://github.com/detailyang/pre-commit-shell - rev: 1.0.5 + - repo: https://github.com/terraform-docs/terraform-docs + rev: "v0.19.0" hooks: - - id: shell-lint + - id: terraform-docs-system - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.77.0 + rev: v1.97.0 hooks: - - id: terraform_docs - args: - - --args=--config=.terraform-docs.yml + - id: terraform_validate - id: terraform_fmt + - id: terraform_tflint + - id: terraform_trivy diff --git a/.terraform-docs.yml b/.terraform-docs.yml index fb05467..97e600f 100644 --- a/.terraform-docs.yml +++ b/.terraform-docs.yml @@ -1,4 +1,35 @@ +version: ">= 0.19.0, < 1.0.0" + settings: html: false anchor: false + escape: false + lockfile: false + hide-empty: false # set to true when Terraform exists formatter: "markdown table" + +sort: + enabled: true + by: required + +sections: + show: + - requirements + - providers + - modules + - data-sources + - resources + - inputs + - outputs + +recursive: + enabled: false + include-main: false + +output: + file: README.md + mode: inject + template: |- + + {{ .Content }} + 
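Review bot: Every `rev:` in this file is a git tag (`v5.0.0`, `0.7.21`, `v0.44.0`, `v0.19.0`, `v1.97.0`), and tags are mutable, so a compromised hook repository can change what runs on every commit without any diff here; the workflow in this series pins actions by commit SHA and the hooks deserve the same treatment. pre-commit accepts a full commit SHA in `rev:`, e.g. `rev: <full-sha>  # v1.97.0`, keeping the tag in a trailing comment for readability. Replacing `terraform_docs` with `terraform-docs-system` also means the hook now runs whatever `terraform-docs` binary is on PATH rather than a version pre-commit manages, so the `version: ">= 0.19.0, < 1.0.0"` constraint in `.terraform-docs.yml` becomes the only guard; a comment above the hook, `# uses the system terraform-docs; version is checked by .terraform-docs.yml`, would make that dependency explicit.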
From e1c958d5d1dd5b7eeb0c9bee7fac961362b5d2bf Mon Sep 17 00:00:00 2001
From: Barry Morrison <689591+esacteksab@users.noreply.github.com>
Date: Sat, 25 Jan 2025 14:31:50 -0600
Subject: [PATCH 5/9] chore: Download providers for common operating systems for better interoperability
---
Makefile | 20 +++++++-------------
1 file changed, 7 insertions(+), 13 deletions(-)
diff --git a/Makefile b/Makefile
index 0c4b637..69005d0 100644
--- a/Makefile
+++ b/Makefile
@@ -1,13 +1,7 @@
-.PHONY: ensure_pre_commit
-ensure_pre_commit: .git/hooks/pre-commit ## Ensure pre-commit is installed
-.git/hooks/pre-commit: /usr/local/bin/pre-commit
- pre-commit install
- pre-commit install-hooks
-
-.PHONY: pre_commit_tests
-pre_commit_tests: ensure_pre_commit ## Run pre-commit tests
- pre-commit run --all-files
-
-.PHONY: clean
-clean:
- rm -f .*.stamp
+.PHONY: target_lock
+target_lock:
+ terraform providers lock \
+ -platform=windows_amd64 \
+ -platform=darwin_amd64 \
+ -platform=darwin_arm64 \
+ -platform=linux_amd64
From 57c669eceed14a8a7d952557d7fc34f9d37300ec Mon Sep 17 00:00:00 2001
From: Barry Morrison <689591+esacteksab@users.noreply.github.com>
Date: Sat, 25 Jan 2025 14:32:16 -0600
Subject: [PATCH 6/9] chore: renovate the renovate config
---
renovate.json | 34 ++++++++--------------------
1 file changed, 8 insertions(+), 26 deletions(-)
diff --git a/renovate.json b/renovate.json
index fa3c75e..41c3c59 100644
--- a/renovate.json
+++ b/renovate.json
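Review bot: `target_lock` records `h1:` hashes only for the four listed platforms, so `terraform init` on any other platform (a linux_arm64 runner, for example) can, as far as I recall, only succeed by rewriting `.terraform.lock.hcl` with a new hash, and fails outright under `-lockfile=readonly`; either add `-platform=linux_arm64` or state the limitation above the target. The target also has no comment saying when it must be re-run or that the lockfile is the artifact to commit; I would add `# Refresh .terraform.lock.hcl with provider hashes for every platform we build on; re-run after changing required_providers and commit the result.` The removed pre-commit targets are not replaced by anything here, so `pre-commit install` is now documented only in the README, which is worth a line in the commit message or the README's developer section.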
@@ -1,51 +1,33 @@
 {
 "extends": [
- "config:base",
- ":disableDependencyDashboard"
+ "config:recommended",
+ "helpers:pinGitHubActionDigests"
 ],
 "labels": [
 "dependencies"
 ],
 "packageRules": [
- {
- "automerge": true,
- "description": "Automerge all updates except major versions",
- "matchUpdateTypes": [
- "patch",
- "pin",
- "digest",
- "minor"
- ]
- },
- {
- "description": "Tag the waddlers Github Team for major updates",
- "matchUpdateTypes": [
- "major"
- ],
- "reviewers": [
- "team:waddlers"
- ]
- },
 {
 "automerge": true,
 "description": "Group minor and patch updates into a single PR",
 "groupName": "dependencies",
- "managers": [
+ "matchManagers": [
 "terraform",
 "pre-commit",
- "dockerfile",
 "github-actions"
 ],
 "matchUpdateTypes": [
 "minor",
- "patch"
+ "patch",
+ "pin",
+ "digest"
 ]
 }
 ],
- "prConcurrentLimit": 2,
 "schedule": [
 "every weekend"
 ],
 "separateMinorPatch": true,
- "timezone": "America/Los_Angeles"
+ "separateMultipleMajor": true,
+ "separateMultipleMinor": true
 }
From 78c6bf64767670898dd4837d44f6085599e44b4d Mon Sep 17 00:00:00 2001
From: Barry Morrison <689591+esacteksab@users.noreply.github.com>
Date: Sat, 25 Jan 2025 14:44:59 -0600
Subject: [PATCH 7/9] a sample GitHub workflow that can be get a person started
---
.github/workflows/validate.yml.noop | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
create mode 100644 .github/workflows/validate.yml.noop
diff --git a/.github/workflows/validate.yml.noop b/.github/workflows/validate.yml.noop
new file mode 100644
index 0000000..52156bf
--- /dev/null
+++ b/.github/workflows/validate.yml.noop
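Review bot: `"automerge": true` on the grouped rule now covers `pin` and `digest` updates as well as minor/patch for terraform, pre-commit and github-actions, yet the only CI that could gate the merge is shipped disabled as `validate.yml.noop`, so until that file is enabled and made a required check, automerge either merges ungated or never fires (depending on how Renovate treats PRs with no status checks), and neither is what a template wants. A provider or hook bump landing on `main` with no review and no validation is exactly the path a malicious upstream release would take. Either leave `automerge` out until a required check exists, or keep it and record the precondition where a reader will see it; JSON has no comments, so the rule's `"description"` is the place, e.g. `"description": "Group minor/patch/pin/digest updates; automerge assumes validate.yml is enabled and required"`. The `"description"` text as written still says "minor and patch" and no longer matches `matchUpdateTypes`.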
@@ -0,0 +1,28 @@
+name: Validate - Terraform
+
+on:
+ workflow_call:
+ pull_request:
+ push:
+ branches: [main]
+
+jobs:
+ validate-tf:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ ref: ${{ github.event.pull_request.head.ref }}
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+ - name: Install terraform-docs
+ run: |
+ curl -Lo ./terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.19.0/terraform-docs-v0.19.0-linux-amd64.tar.gz
+ tar -xzf terraform-docs.tar.gz
+ chmod +x terraform-docs
+ sudo mv terraform-docs /usr/local/bin/
+ - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+ with:
+ python-version: "3.13"
+ - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
From 2cf45e89f128f2bd83cc56483843029e84c16143 Mon Sep 17 00:00:00 2001
From: Barry Morrison <689591+esacteksab@users.noreply.github.com>
Date: Sat, 25 Jan 2025 14:45:22 -0600
Subject: [PATCH 8/9] chore: Trivy conf and ignore file samples
---
.trivyignore.yaml | 7 +++++++
trivy.yaml | 14 ++++++++++++++
2 files changed, 21 insertions(+)
create mode 100644 .trivyignore.yaml
create mode 100644 trivy.yaml
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
new file mode 100644
index 0000000..9d3e6ca
--- /dev/null
+++ b/.trivyignore.yaml
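Review bot: The checkout step pins the PR head by branch name (`ref: ${{ github.event.pull_request.head.ref }}`) rather than by commit, so the job validates whatever the fork branch points to when the runner starts, not the commit that was reviewed, and on `push` events both `with:` expressions are empty. The job declares no `permissions:` block, so `GITHUB_TOKEN` inherits the repository default, which can be read/write, while `contents: read` is all these steps need. The terraform-docs install pins a release tag but checks nothing about the tarball it pulls with `curl` (and without `-f`, an HTTP error page would be saved and fed to `tar`), so a replaced release asset would run in CI unchallenged; a `sha256sum --check` against a checksum recorded in the workflow closes that. Because the file is `.noop`, none of this runs until it is renamed, which is the right moment to fix all three.

```yaml
permissions:
  contents: read

jobs:
  validate-tf:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
      # … unchanged: Setup Terraform step …
      - name: Install terraform-docs
        env:
          # fill in from the release's checksum file; bump together with the version below
          TFDOCS_SHA256: "<sha256 of terraform-docs-v0.19.0-linux-amd64.tar.gz>"
        run: |
          curl -fsSLo ./terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.19.0/terraform-docs-v0.19.0-linux-amd64.tar.gz
          echo "${TFDOCS_SHA256}  terraform-docs.tar.gz" | sha256sum --check
          tar -xzf terraform-docs.tar.gz
          chmod +x terraform-docs
          sudo mv terraform-docs /usr/local/bin/
      # … unchanged: setup-python and pre-commit/action steps …
```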
@@ -0,0 +1,7 @@
+# These are just examples to get you started.
+misconfigurations:
+ - id: AVD-AWS-0342 # (MEDIUM): IAM policy allows 'iam:PassRole' action
+ - id: AVD-AWS-0104 # (CRITICAL): Security group rule allows unrestricted egress to any IP address.
+ - id: AVD-AWS-0176 # (MEDIUM): Instance does not have IAM Authentication enabled
+ - id: AVD-AWS-0133 # (LOW): Instance does not have performance insights enabled.
+ - id: AVD-AWS-0099 # (LOW): Security group explicitly uses the default description.
diff --git a/trivy.yaml b/trivy.yaml
new file mode 100644
index 0000000..84ae08f
--- /dev/null
+++ b/trivy.yaml
@@ -0,0 +1,14 @@
+quiet: true
+
+scan:
+ skip-dirs:
+ - "**/.terraform"
+
+misconfiguration:
+ scanners:
+ - terraform
+
+ terraform:
+ exclude-downloaded-modules: true
+
+ignorefile: ".trivyignore.yaml"
From 13078be322dabb3cf01d193037ad26c5e91a4ada Mon Sep 17 00:00:00 2001
From: Barry Morrison <689591+esacteksab@users.noreply.github.com>
Date: Sat, 25 Jan 2025 14:47:36 -0600
Subject: [PATCH 9/9] chore: pre-commit actually calls trivy with args
---
.pre-commit-config.yaml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index bd634ac..3cb9b37 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -41,3 +41,6 @@ repos:
 - id: terraform_fmt
 - id: terraform_tflint
 - id: terraform_trivy
+ args:
+ - --args=--ignorefile=__GIT_WORKING_DIR__/.trivyignore.yaml
+ - --args=--config=__GIT_WORKING_DIR__trivy.yaml
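Review bot: Shipping `AVD-AWS-0104` (CRITICAL, unrestricted egress) and `AVD-AWS-0342` (`iam:PassRole`) as live entries in a sample ignore file means anyone who copies this template starts with those checks silently suppressed, which is the opposite of what a scanner template should do. I would leave `misconfigurations:` empty and keep the examples as commented-out lines that also model the fields Trivy's YAML ignore format supports for a suppression's justification and expiry (`statement` and `expired_at`, per the Trivy docs for your version), e.g. `# - id: AVD-AWS-0104` / `#   statement: "why this is acceptable here"` / `#   expired_at: 2025-06-30`. The header `# These are just examples to get you started.` should also say plainly that every id listed is a finding that will be hidden, not one that will be reported.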
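Review bot: `exclude-downloaded-modules: true` together with `skip-dirs: "**/.terraform"` means modules fetched from a registry or git are never scanned, so a misconfiguration inherited from a third-party module will not surface here even though this code deploys it; that is a deliberate trade-off and deserves a comment rather than a bare key, e.g. `# Only local .tf files are scanned; remote modules under .terraform/modules are trusted as-is — revisit before relying on this for deployed infrastructure.` `quiet: true` also suppresses Trivy's log output, including warnings about a stale database or skipped files, which I would leave off in a template and let users opt into.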
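Review bot: `--args=--config=__GIT_WORKING_DIR__trivy.yaml` is missing the `/` that the `--ignorefile` line above it has, so, assuming the placeholder expands to the repository path without a trailing slash as that line assumes, Trivy is pointed at `<workdir>trivy.yaml` and either fails to open the config or silently runs with its defaults; it should read `- --args=--config=__GIT_WORKING_DIR__/trivy.yaml`. Passing `--ignorefile` here is also redundant with the `ignorefile:` key inside `trivy.yaml`, and keeping a single source avoids the two drifting apart. The enclosing `repos:` list starts well before this hunk.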