grv-shr · grv-shr · Jul 30, 2023 · Jun 7, 2023 · Jun 8, 2023 · Jun 22, 2023
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,33 +1,23 @@
-## :bangbang: PLEASE READ THIS FIRST :bangbang:
-
-The direction for EKS Blueprints will soon shift from providing an all-encompassing, monolithic "framework" and instead focus more on how users can organize a set of modular components to create the desired solution on Amazon EKS. We have updated the [examples](https://github.com/aws-ia/terraform-aws-eks-blueprints/tree/main/examples) to show how we use the https://github.com/terraform-aws-modules/terraform-aws-eks for EKS cluster and node group creation. We will not be accepting any PRs that apply to EKS cluster or node group creation process. Any such PR may be closed by the maintainers.
-
-We are hitting also the pause button on new add-on creations at this time until a future roadmap for add-ons is finalized. Please do not submit new add-on PRs. Any such PR may be closed by the maintainers.
-
-Please track progress, learn what's new and how the migration path would look like to upgrade your current Terraform deployments. We welcome the EKS Blueprints community to continue the discussion in issue https://github.com/aws-ia/terraform-aws-eks-blueprints/issues/1421
-
-### What does this PR do?
+# Description
 
+<!--
 🛑 Please open an issue first to discuss any significant work and flesh out details/direction - we would hate for your time to be wasted.
 Consult the [CONTRIBUTING](https://github.com/aws-ia/terraform-aws-eks-blueprints/blob/main/CONTRIBUTING.md#contributing-via-pull-requests) guide for submitting pull-requests.
 
-<!-- A brief description of the change being made with this pull request. -->
+A brief description of the change being made with this pull request.
+-->
 
-### Motivation
+### Motivation and Context
 
 <!-- What inspired you to submit this pull request? -->
 - Resolves #<issue-number>
 
-### More
+### How was this change tested?
 
 - [ ] Yes, I have tested the PR using my local account setup (Provide any test evidence report under Additional Notes)
 - [ ] Yes, I have updated the [docs](https://github.com/aws-ia/terraform-aws-eks-blueprints/tree/main/docs) for this feature
 - [ ] Yes, I ran `pre-commit run -a` with this PR
 
-### For Moderators
-
-- [ ] E2E Test successfully complete before merge?
-
 ### Additional Notes
 
 <!-- Anything else we should know when reviewing? -->
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: daily
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
+ with:
+ egress-policy: audit
+
+ - name: 'Checkout Repository'
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@1360a344ccb0ab6e9475edef90ad2f46bf8003b1 # v3.0.6
diff --git a/.github/workflows/e2e-parallel-destroy.yml b/.github/workflows/e2e-parallel-destroy.yml
@@ -10,6 +10,9 @@ on:
 
 concurrency: e2e-parallel-destroy
 
+permissions:
+ contents: read
+
 jobs:
  deploy:
  name: Run e2e test
@@ -34,6 +37,11 @@ jobs:
  - example_path: examples/vpc-cni-custom-networking
 
  steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
  - name: Checkout
  uses: actions/checkout@v3
 
@@ -42,7 +50,7 @@ jobs:
  run: sed -i "s/# //g" ${{ matrix.example_path }}/versions.tf
 
  - name: Auth AWS
- uses: aws-actions/configure-aws-credentials@v1-node16
+ uses: aws-actions/configure-aws-credentials@v2.2.0
  with:
  role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}
  aws-region: us-west-2

diff --git a/.github/workflows/e2e-parallel-full.yml b/.github/workflows/e2e-parallel-full.yml
@@ -14,6 +14,9 @@ env:
  IAMLIVE_VERSION: v0.48.0
  BUCKET_NAME: terraform-eks-blueprints-iam-policies-examples
 
+permissions:
+ contents: read
+
 jobs:
  prereq-cleanup:
  name: Prerequisite Cleanup
@@ -23,11 +26,16 @@ jobs:
  id-token: write
  contents: read
  steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
  - name: Checkout
  uses: actions/checkout@v3
 
  - name: Auth AWS
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v2.2.0
  with:
  role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}
  aws-region: us-west-2
@@ -62,6 +70,11 @@ jobs:
  - example_path: examples/stateful
  - example_path: examples/vpc-cni-custom-networking
  steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
  - name: Checkout
  uses: actions/checkout@v3
 
@@ -70,7 +83,7 @@ jobs:
  run: sed -i "s/# //g" ${{ matrix.example_path }}/versions.tf
 
  - name: Auth AWS
- uses: aws-actions/configure-aws-credentials@v1-node16
+ uses: aws-actions/configure-aws-credentials@v2.2.0
  with:
  role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}
  aws-region: us-west-2
@@ -147,11 +160,16 @@ jobs:
  runs-on: ubuntu-latest
  steps:
  # Be careful not to change this to explicit checkout from PR ref/code, as below we run a python code that may change from the PR code.
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
  - name: Checkout
  uses: actions/checkout@v3
 
  - name: Configure AWS credentials from Test account
- uses: aws-actions/configure-aws-credentials@v1-node16
+ uses: aws-actions/configure-aws-credentials@v2.2.0
  with:
  role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}
  aws-region: us-west-2

diff --git a/.github/workflows/markdown-link-check.yml b/.github/workflows/markdown-link-check.yml
@@ -13,10 +13,18 @@ on:
  paths:
  - "**/*.md"
 
+permissions:
+ contents: read
+
 jobs:
  markdown-link-check:
  runs-on: ubuntu-latest
  steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
  - uses: actions/checkout@v3
  - uses: actions/setup-node@v3
  with:

diff --git a/.github/workflows/plan-examples.yml b/.github/workflows/plan-examples.yml
@@ -11,6 +11,9 @@ concurrency:
  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
  cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
  getExampleDirectories:
  name: Get example directories
@@ -23,6 +26,11 @@ jobs:
  directories: ${{ steps.dirs.outputs.directories }}
  steps:
  # Be careful not to change this to explicit checkout from PR ref/code, as below we run a python code that may change from the PR code.
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
  - name: Checkout
  uses: actions/checkout@v3
 
@@ -49,6 +57,11 @@ jobs:
  directory: ${{ fromJson(needs.getExampleDirectories.outputs.directories) }}
 
  steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
  - name: Remove default Terraform
  run: rm -rf $(which terraform)
 
@@ -75,7 +88,7 @@ jobs:
  - '*.tf'
 
  - name: Configure AWS credentials from Test account
- uses: aws-actions/configure-aws-credentials@v1-node16
+ uses: aws-actions/configure-aws-credentials@v2.2.0
  if: steps.changes.outputs.src== 'true'
  with:
  role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}

diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
@@ -7,12 +7,23 @@ on:
  - edited
  - synchronize
 
+permissions:
+ contents: read
+
 jobs:
  main:
+ permissions:
+ pull-requests: read # for amannn/action-semantic-pull-request to analyze PRs
+ statuses: write # for amannn/action-semantic-pull-request to mark status of analyzed PR
  name: Validate PR title
  runs-on: ubuntu-latest
  steps:
- - uses: amannn/[email protected]
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
+ - uses: amannn/[email protected]
  env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  with:

diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -26,12 +26,17 @@ jobs:
  outputs:
  directories: ${{ steps.dirs.outputs.directories }}
  steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
  - name: Checkout
  uses: actions/checkout@v3
 
  - name: Get root directories
  id: dirs
- uses: clowdhaus/terraform-composite-actions/[email protected].0
+ uses: clowdhaus/terraform-composite-actions/[email protected].3
 
  preCommitMinVersions:
  name: Min TF pre-commit
@@ -41,6 +46,11 @@ jobs:
  matrix:
  directory: ${{ fromJson(needs.collectInputs.outputs.directories) }}
  steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
  - name: Remove default Terraform
  run: rm -rf $(which terraform)
 
@@ -70,7 +80,7 @@ jobs:
  restore-keys: ${{ runner.os }}-terraform-
 
  - name: Terraform min/max versions
- uses: clowdhaus/[email protected].0
+ uses: clowdhaus/[email protected].7
  if: steps.changes.outputs.src== 'true'
  id: minMax
  with:
@@ -99,6 +109,11 @@ jobs:
  runs-on: ubuntu-latest
  needs: collectInputs
  steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
  - name: Remove default Terraform
  run: rm -rf $(which terraform)
 
@@ -130,7 +145,7 @@ jobs:
 
  - name: Terraform min/max versions
  id: minMax
- uses: clowdhaus/[email protected].0
+ uses: clowdhaus/[email protected].7
  if: steps.changes.outputs.src== 'true'
 
  - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}

diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
@@ -3,38 +3,40 @@ on:
  push:
  branches:
  - main
- paths:
- - 'docs/**'
- - mkdocs.yml
- - README.md
- - '.github/workflows/publish-docs.yml'
- release:
- types:
- - published
 
 env:
  PYTHON_VERSION: 3.x
 
+permissions:
+ contents: read
+
 jobs:
  build:
  name: Deploy docs
  runs-on: ubuntu-latest
+ permissions:
+ contents: write
  steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
  - name: Checkout main
  uses: actions/checkout@v3
  with:
  fetch-depth: 0
 
  - name: Set up Python ${{ env.PYTHON_VERSION }}
- uses: actions/setup-python@v3
+ uses: actions/setup-python@v4
  with:
  python-version: ${{ env.PYTHON_VERSION }}
 
  - name: Install dependencies
  run: |
  python -m pip install --upgrade pip
  pip install mike==1.1.2 \
- mkdocs-material==9.1.4 \
+ mkdocs-material==9.1.19 \
  mkdocs-include-markdown-plugin==4.0.4 \
  mkdocs-awesome-pages-plugin==2.9.1