diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 00000000..f66dd675 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1 @@ +* @grupoboticario/sq-devops-dea-ped \ No newline at end of file diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..6a0263bf --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,17 @@ +version: 2 + +registries: + github-grupoboticario: + type: git + url: https://github.com + username: x-access-token + password: ${{ secrets.GB_TERRAFORM_API_TOKEN }} + +updates: + - package-ecosystem: github-actions + directory: / + open-pull-requests-limit: 10 + schedule: + interval: weekly + +updates: diff --git a/.github/workflows/dependabot.yaml b/.github/workflows/dependabot.yaml new file mode 100644 index 00000000..bfea24f4 --- /dev/null +++ b/.github/workflows/dependabot.yaml @@ -0,0 +1,22 @@ +name: Update Dependabot Config File + +on: + - pull_request + +permissions: + contents: write + pull-requests: read + deployments: write + +jobs: + updateDependabotCfgFile: + runs-on: [self-hosted, core-shr] + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref }} + - name: Update Dependabot Config File + uses: grupoboticario/actions-tf-dependabot@v1 + with: + token: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file diff --git a/.github/workflows/devsecops.yml b/.github/workflows/devsecops.yml new file mode 100644 index 00000000..a116df99 --- /dev/null +++ b/.github/workflows/devsecops.yml @@ -0,0 +1,13 @@ +run-name: DevSecOps +name: DevSecOps +on: + workflow_dispatch: + push: + branches: + - main + pull_request: + types: [opened, synchronize, reopened] + +jobs: + devsecops: + uses: grupoboticario/actions-devsecops-workflows/.github/workflows/devsecops.yml@v0 \ No newline at end of file diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index b8f1b8a5..f0ae78e4 100644 
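Review bot: The single `* @grupoboticario/sq-devops-dea-ped` rule in `.github/CODEOWNERS` only gates merges if the branch protection or ruleset for `main` has "Require review from Code Owners" enabled and that team has write access to this repository; neither is visible in the diff, so please confirm both, otherwise the file is informational only. The file is also committed without a trailing newline, which the `end-of-file-fixer` hook that this same commit removes from `.pre-commit-config.yaml` would previously have fixed.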
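Review bot: `.github/dependabot.yml` ends with a second bare `updates:` key (the last added line of the hunk) that duplicates the `updates:` mapping above it; parsers that tolerate duplicate keys keep the last value, so the whole `updates` section becomes null and the `github-actions` entry is silently dropped, and Dependabot may reject the file outright. If the trailing key is a placeholder that the `actions-tf-dependabot` workflow fills in, say so in a comment and make the action append to the existing list instead of leaving a duplicate key in the committed file. Separately, the `github-grupoboticario` registry is declared with `GB_TERRAFORM_API_TOKEN` but no `updates` entry references it via `registries:`, so as committed the credential is loaded and never used; note also that `${{ secrets.* }}` under `registries:` resolves against Dependabot secrets, not Actions secrets, so the token must be stored in that scope.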
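Review bot: The `permissions` block in `.github/workflows/dependabot.yaml` grants `deployments: write`, which neither of the two steps (checkout and `actions-tf-dependabot`) visibly needs; drop that line and keep the token to `contents: write` plus `pull-requests: read`. The job runs on `pull_request` and checks out `github.event.pull_request.head.ref` without a `repository:` input, so for a PR from a fork the ref does not exist in the base repository and the checkout fails, and `GITHUB_TOKEN` is read-only on fork PRs regardless of `permissions` — if forks are expected, guard the job with `if: github.event.pull_request.head.repo.full_name == github.repository`. If the action pushes the regenerated config back with the `GITHUB_TOKEN` it is given (inferred from the `token` input, not visible here), that commit will not trigger the `pre-commit` or `DevSecOps` workflows, so the pushed change lands unchecked. `grupoboticario/actions-tf-dependabot@v1` is a mutable tag that is handed a write-capable token; pin it to a full-length commit SHA with the tag in a trailing comment.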
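Review bot: `.github/workflows/devsecops.yml` declares no `permissions:` block, so the reusable `actions-devsecops-workflows/.github/workflows/devsecops.yml@v0` inherits the repository's default `GITHUB_TOKEN` permissions, which may be read-write; add a top-level `permissions:` limited to what the called workflow actually needs (at minimum `contents: read`, plus `security-events: write` only if it uploads scan results). The `@v0` reference is a mutable tag for a workflow that runs on every push to `main` and every PR, so pin it to a full-length commit SHA, e.g. `uses: grupoboticario/actions-devsecops-workflows/.github/workflows/devsecops.yml@<sha> # v0`. No `secrets:` are passed to the reusable workflow either; if its scanners need org credentials, confirm whether `secrets: inherit` or explicit `secrets:` entries are required, since as written the scan may run without them and report nothing.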
--- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml 
@@ -1,78 +1,16 @@ -name: Pre-Commit +name: pre-commit on: pull_request: - branches: - - main - - master - -env: - TERRAFORM_DOCS_VERSION: v0.16.0 + branches: [main] + push: + branches: [main] jobs: - collectInputs: - name: Collect workflow inputs - runs-on: ubuntu-latest - outputs: - directories: ${{ steps.dirs.outputs.directories }} + pre-commit: + runs-on: [self-hosted, core-shr] steps: - name: Checkout - uses: actions/checkout@v2 - - - name: Get root directories - id: dirs - uses: clowdhaus/terraform-composite-actions/directories@v1.3.0 - - preCommitMinVersions: - name: Min TF pre-commit - needs: collectInputs - runs-on: ubuntu-latest - strategy: - matrix: - directory: ${{ fromJson(needs.collectInputs.outputs.directories) }} - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Terraform min/max versions - id: minMax - uses: clowdhaus/terraform-min-max@v1.0.3 - with: - directory: ${{ matrix.directory }} - - - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }} - # Run only validate pre-commit check on min version supported - if: ${{ matrix.directory != '.' }} - uses: clowdhaus/terraform-composite-actions/pre-commit@v1.3.0 - with: - terraform-version: ${{ steps.minMax.outputs.minVersion }} - args: 'terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*' - - - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }} - # Run only validate pre-commit check on min version supported - if: ${{ matrix.directory == '.' 
}} - uses: clowdhaus/terraform-composite-actions/pre-commit@v1.3.0 - with: - terraform-version: ${{ steps.minMax.outputs.minVersion }} - args: 'terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)' - - preCommitMaxVersion: - name: Max TF pre-commit - runs-on: ubuntu-latest - needs: collectInputs - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - ref: ${{ github.event.pull_request.head.ref }} - repository: ${{github.event.pull_request.head.repo.full_name}} - - - name: Terraform min/max versions - id: minMax - uses: clowdhaus/terraform-min-max@v1.0.3 - - - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }} - uses: clowdhaus/terraform-composite-actions/pre-commit@v1.3.0 - with: - terraform-version: ${{ steps.minMax.outputs.maxVersion }} - terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }} + uses: actions/checkout@v4 + - name: pre-commit + uses: grupoboticario/actions-tf-pre-commit@v1 diff --git a/.gitignore b/.gitignore index 397af322..0019b8fb 100644 --- a/.gitignore +++ b/.gitignore @@ -27,3 +27,4 @@ override.tf.json # Ignore CLI configuration files .terraformrc terraform.rc +.terraform.lock.hcl \ No newline at end of file diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 8a010fdd..a87eec37 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
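Review bot: The rewritten `pre-commit` job runs on the shared `[self-hosted, core-shr]` runner on `pull_request`, and pre-commit executes whatever hooks the checked-out PR's `.pre-commit-config.yaml` declares, so anyone who can open a PR can run arbitrary code on that runner (the version being replaced used `ubuntu-latest`). If outside or fork contributions are possible, guard the job with `if: github.event.pull_request.head.repo.full_name == github.repository` or move it back to a hosted runner. The workflow also has no `permissions:` block; add `permissions: contents: read` since checkout and linting need nothing more, and pin `grupoboticario/actions-tf-pre-commit@v1` to a full-length commit SHA rather than a mutable tag. Finally, the old per-directory min/max Terraform `terraform_validate` matrix is removed here and `terraform_validate` is commented out in the new `.pre-commit-config.yaml`, so unless `actions-tf-pre-commit@v1` runs validate on its own the module is no longer validated in CI on any Terraform version.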
@@ -1,29 +1,32 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.64.0 + rev: v1.89.0 hooks: - - id: terraform_fmt - - id: terraform_validate - - id: terraform_docs + - id: terraform_checkov args: - - '--args=--lockfile=false' + - --args=--skip-check CKV_AWS_23 + - --args=--skip-check CKV_AWS_18 + - --args=--skip-check CKV_AWS_109 + - --args=--skip-check CKV_AWS_111 + - --args=--skip-check CKV_AWS_144 + - --args=--skip-check CKV_AWS_145 + - --args=--skip-check CKV_AWS_149 + - --args=--skip-check CKV_AWS_274 + - --args=--skip-check CKV_AWS_356 + - --args=--skip-check CKV2_AWS_5 + - --args=--skip-check CKV2_AWS_57 + - --args=--skip-check CKV2_AWS_61 + - --args=--skip-check CKV2_AWS_62 + - --args=--skip-check CKV2_AWS_65 + - --args=--skip-check CKV_TF_1 + - --args=--skip-check CKV2_GHA_1 + - id: terraform_docs + - id: terraform_docs_without_aggregate_type_defaults + - id: terraform_fmt - id: terraform_tflint - args: - - '--args=--only=terraform_deprecated_interpolation' - - '--args=--only=terraform_deprecated_index' - - '--args=--only=terraform_unused_declarations' - - '--args=--only=terraform_comment_syntax' - - '--args=--only=terraform_documented_outputs' - - '--args=--only=terraform_documented_variables' - - '--args=--only=terraform_typed_variables' - - '--args=--only=terraform_module_pinned_source' - - '--args=--only=terraform_naming_convention' - - '--args=--only=terraform_required_version' - - '--args=--only=terraform_required_providers' - - '--args=--only=terraform_standard_module_structure' - - '--args=--only=terraform_workspace_remote' - - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.1.0 - hooks: - - id: check-merge-conflict - - id: end-of-file-fixer + - id: terraform_trivy + # - id: terraform_validate + # - id: terrascan + # args: + # - --args=--non-recursive + # - --args=--skip-rules="AC_AWS_0500" diff --git a/README.md b/README.md index 73b0fbfc..d59f759b 100644 --- a/README.md +++ b/README.md 
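Review bot: The `terraform_checkov` hook in `.pre-commit-config.yaml` now carries sixteen `--skip-check` arguments with no justification, and going by their IDs several cover S3 logging/encryption, IAM policy scope and Secrets Manager KMS/rotation findings that are relevant to an RDS module, so the scan's real coverage is opaque to the next reviewer; record a one-line reason beside each skip, or move them into a `.checkov.yaml` with commented `skip-check:` entries, and drop any that this repository's own code does not trigger. `CKV2_GHA_1` (top-level Actions `permissions` set to `write-all`) is skipped even though none of the workflows in this commit use `write-all`, so that exclusion looks unnecessary. `terraform_validate` is commented out and, with the workflow rewrite in this same commit, no longer runs anywhere in CI, which is a regression from the previous config — re-enable the `- id: terraform_validate` hook.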
@@ -201,6 +201,7 @@ Users have the ability to: 1. This module does not create RDS security group. Use [terraform-aws-security-group](https://github.com/terraform-aws-modules/terraform-aws-security-group) module for this. + ## Requirements | Name | Version | diff --git a/examples/complete-mssql/README.md b/examples/complete-mssql/README.md index 342899fd..05b53973 100644 --- a/examples/complete-mssql/README.md +++ b/examples/complete-mssql/README.md @@ -15,6 +15,7 @@ $ terraform apply Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources. + ## Requirements | Name | Version | diff --git a/examples/complete-mssql/versions.tf b/examples/complete-mssql/versions.tf index 3752560a..b6702785 100644 --- a/examples/complete-mssql/versions.tf +++ b/examples/complete-mssql/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0" + version = ">= 4" } } } diff --git a/examples/complete-mysql/README.md b/examples/complete-mysql/README.md index 5337410b..fd12ee0c 100644 --- a/examples/complete-mysql/README.md +++ b/examples/complete-mysql/README.md @@ -15,6 +15,7 @@ $ terraform apply Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources. + ## Requirements | Name | Version | diff --git a/examples/complete-mysql/versions.tf b/examples/complete-mysql/versions.tf index 3752560a..b6702785 100644 --- a/examples/complete-mysql/versions.tf +++ b/examples/complete-mysql/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0" + version = ">= 4" } } } diff --git a/examples/complete-oracle/README.md b/examples/complete-oracle/README.md index fe11d4f9..247f25d3 100644 --- a/examples/complete-oracle/README.md 
+++ b/examples/complete-oracle/README.md @@ -15,6 +15,7 @@ $ terraform apply Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources. + ## Requirements | Name | Version | diff --git a/examples/complete-oracle/versions.tf b/examples/complete-oracle/versions.tf index 3752560a..b6702785 100644 --- a/examples/complete-oracle/versions.tf +++ b/examples/complete-oracle/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0" + version = ">= 4" } } } diff --git a/examples/complete-postgres/README.md b/examples/complete-postgres/README.md index d6d9b97b..7fd8a544 100644 --- a/examples/complete-postgres/README.md +++ b/examples/complete-postgres/README.md @@ -15,6 +15,7 @@ $ terraform apply Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources. + ## Requirements | Name | Version | diff --git a/examples/complete-postgres/versions.tf b/examples/complete-postgres/versions.tf index 3752560a..b6702785 100644 --- a/examples/complete-postgres/versions.tf +++ b/examples/complete-postgres/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0" + version = ">= 4" } } } diff --git a/examples/cross-region-replica-postgres/README.md b/examples/cross-region-replica-postgres/README.md index e338764c..4b672dc6 100644 --- a/examples/cross-region-replica-postgres/README.md +++ b/examples/cross-region-replica-postgres/README.md @@ -15,6 +15,7 @@ $ terraform apply Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources. + ## Requirements | Name | Version | 
diff --git a/examples/cross-region-replica-postgres/versions.tf b/examples/cross-region-replica-postgres/versions.tf index 3752560a..b6702785 100644 --- a/examples/cross-region-replica-postgres/versions.tf +++ b/examples/cross-region-replica-postgres/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0" + version = ">= 4" } } } diff --git a/examples/enhanced-monitoring/README.md b/examples/enhanced-monitoring/README.md index cfc4898e..b0b41280 100644 --- a/examples/enhanced-monitoring/README.md +++ b/examples/enhanced-monitoring/README.md @@ -17,6 +17,7 @@ $ terraform apply Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources. + ## Requirements | Name | Version | diff --git a/examples/enhanced-monitoring/versions.tf b/examples/enhanced-monitoring/versions.tf index 3752560a..b6702785 100644 --- a/examples/enhanced-monitoring/versions.tf +++ b/examples/enhanced-monitoring/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0" + version = ">= 4" } } } diff --git a/examples/groups/README.md b/examples/groups/README.md index 85566cef..22df9411 100644 --- a/examples/groups/README.md +++ b/examples/groups/README.md @@ -15,6 +15,7 @@ $ terraform apply Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources. + ## Requirements | Name | Version | diff --git a/examples/groups/versions.tf b/examples/groups/versions.tf index 3752560a..b6702785 100644 --- a/examples/groups/versions.tf +++ b/examples/groups/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0" + version = ">= 4" } } } 
diff --git a/examples/replica-mysql/README.md b/examples/replica-mysql/README.md index f49bdcee..d59f446d 100644 --- a/examples/replica-mysql/README.md +++ b/examples/replica-mysql/README.md @@ -15,6 +15,7 @@ $ terraform apply Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources. + ## Requirements | Name | Version | diff --git a/examples/replica-mysql/versions.tf b/examples/replica-mysql/versions.tf index 3752560a..b6702785 100644 --- a/examples/replica-mysql/versions.tf +++ b/examples/replica-mysql/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0" + version = ">= 4" } } } diff --git a/examples/replica-postgres/README.md b/examples/replica-postgres/README.md index 0f8b810f..88e17a08 100644 --- a/examples/replica-postgres/README.md +++ b/examples/replica-postgres/README.md @@ -15,6 +15,7 @@ $ terraform apply Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources. + ## Requirements | Name | Version | diff --git a/examples/replica-postgres/versions.tf b/examples/replica-postgres/versions.tf index 3752560a..b6702785 100644 --- a/examples/replica-postgres/versions.tf +++ b/examples/replica-postgres/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0" + version = ">= 4" } } } diff --git a/examples/s3-import-mysql/README.md b/examples/s3-import-mysql/README.md index d17cb0a7..68e7f12b 100644 --- a/examples/s3-import-mysql/README.md +++ b/examples/s3-import-mysql/README.md @@ -44,6 +44,7 @@ $ mv /tmp/backup ./backup Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources. + ## Requirements | Name | Version | 
diff --git a/examples/s3-import-mysql/versions.tf b/examples/s3-import-mysql/versions.tf index c849c1e9..7864b362 100644 --- a/examples/s3-import-mysql/versions.tf +++ b/examples/s3-import-mysql/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0" + version = ">= 4" } random = { diff --git a/modules/db_instance/README.md b/modules/db_instance/README.md index f3814b36..889cd3bf 100644 --- a/modules/db_instance/README.md +++ b/modules/db_instance/README.md @@ -1,6 +1,7 @@ # aws_db_instance + ## Requirements | Name | Version | diff --git a/modules/db_instance/versions.tf b/modules/db_instance/versions.tf index c849c1e9..7864b362 100644 --- a/modules/db_instance/versions.tf +++ b/modules/db_instance/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0" + version = ">= 4" } random = { diff --git a/modules/db_option_group/README.md b/modules/db_option_group/README.md index 2ad344a4..f1cae8d8 100644 --- a/modules/db_option_group/README.md +++ b/modules/db_option_group/README.md @@ -1,6 +1,7 @@ # aws_db_option_group + ## Requirements | Name | Version | diff --git a/modules/db_option_group/versions.tf b/modules/db_option_group/versions.tf index c7b91448..b6702785 100644 --- a/modules/db_option_group/versions.tf +++ b/modules/db_option_group/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.62" + version = ">= 4" } } } diff --git a/modules/db_parameter_group/README.md b/modules/db_parameter_group/README.md index 2487816b..2531b7fe 100644 --- a/modules/db_parameter_group/README.md +++ b/modules/db_parameter_group/README.md @@ -1,6 +1,7 @@ # aws_db_parameter_group + ## Requirements | Name | Version | 
diff --git a/modules/db_parameter_group/versions.tf b/modules/db_parameter_group/versions.tf index c7b91448..b6702785 100644 --- a/modules/db_parameter_group/versions.tf +++ b/modules/db_parameter_group/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.62" + version = ">= 4" } } } diff --git a/modules/db_subnet_group/README.md b/modules/db_subnet_group/README.md index 7e605618..bae8eaf8 100644 --- a/modules/db_subnet_group/README.md +++ b/modules/db_subnet_group/README.md @@ -1,6 +1,7 @@ # aws_db_subnet_group + ## Requirements | Name | Version | diff --git a/modules/db_subnet_group/versions.tf b/modules/db_subnet_group/versions.tf index c7b91448..b6702785 100644 --- a/modules/db_subnet_group/versions.tf +++ b/modules/db_subnet_group/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.62" + version = ">= 4" } } } diff --git a/versions.tf b/versions.tf index c849c1e9..7864b362 100644 --- a/versions.tf +++ b/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0" + version = ">= 4" } random = {