Skip to content
This repository has been archived by the owner on Sep 27, 2024. It is now read-only.

configure precommit ci #38

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
47 changes: 47 additions & 0 deletions .github/workflows/pre-commit.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
on:
pull_request:
push:
branches: [main]

jobs:
pre_commit:
name: Run pre-commit and commit any autocorrections
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
with:
terraform_version: 1.6.6
- name: Setup Terragrunt
uses: autero1/action-terragrunt@v1.1.0
with:
terragrunt_version: 0.54.8
# To avoid rate-limiting
token: ${{ secrets.GITHUB_TOKEN }}
- uses: terraform-linters/setup-tflint@v3
name: TFLint - Setup
with:
tflint_version: latest

- name: TFLint - Init
run: tflint --init
env:
# https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
GITHUB_TOKEN: ${{ github.token }}
- name: TFLint - Show version
run: tflint --version
- uses: actions/setup-python@v4
with:
python-version: 3.x
- name: Terraform Docs - Install
run: |
curl -sSLo ./terraform-docs.tar.gz https://terraform-docs.io/dl/v0.17.0/terraform-docs-v0.17.0-$(uname)-amd64.tar.gz
tar -xzf terraform-docs.tar.gz -- terraform-docs
chmod +x terraform-docs
echo $PATH
mv terraform-docs /usr/local/bin/terraform-docs
terraform-docs --version
- uses: pre-commit/action@v3.0.0
- uses: pre-commit-ci/lite-action@v1.0.1
if: always()
21 changes: 17 additions & 4 deletions .pre-commit-config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -2,18 +2,31 @@
# See https://pre-commit.com/hooks.html for more hooks
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.4.0
rev: v4.5.0
hooks:
- id: trailing-whitespace
- id: end-of-file-fixer
- id: check-yaml
args: ["--allow-multiple-documents"]
- id: check-added-large-files
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.77.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
rev: v1.85.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
hooks:
- id: terraform_fmt # args: ["--enable require-variable-braces,deprecate-which"]
- id: terraform_tflint
exclude: .*
args:
- "--args=--fix"
- id: terragrunt_fmt
- id: terraform_docs
## Disable terraform_docs for misc-modules
#- id: terraform_docs
ci:
autofix_commit_msg: |
[pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci
autofix_prs: true
autoupdate_branch: ''
autoupdate_commit_msg: '[pre-commit.ci] pre-commit autoupdate'
autoupdate_schedule: weekly
skip: [terraform_fmt, terraform_tflint, terragrunt_fmt, terraform_docs]
submodules: false
34 changes: 34 additions & 0 deletions LICENSE.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
# License

As a work of the [United States government](https://www.usa.gov/), this project
is in the public domain within the United States of America.

Additionally, we waive copyright and related rights in the work worldwide
through the CC0 1.0 Universal public domain dedication.

## CC0 1.0 Universal Summary

This is a human-readable summary of the [Legal Code (read the full
text)](https://creativecommons.org/publicdomain/zero/1.0/legalcode).

### No Copyright

The person who associated a work with this deed has dedicated the work to the
public domain by waiving all of their rights to the work worldwide under
copyright law, including all related and neighboring rights, to the extent
allowed by law.

You can copy, modify, distribute, and perform the work, even for commercial
purposes, all without asking permission.

### Other Information

In no way are the patent or trademark rights of any person affected by CC0, nor
are the rights that other persons may have in the work or in how the work is
used, such as publicity or privacy rights.

Unless expressly stated otherwise, the person who associated a work with this
deed makes no warranties about the work, and disclaims liability for all uses
of the work, to the fullest extent permitted by applicable law. When using or
citing the work, you should not imply endorsement by the author or the
affirmer.
6 changes: 4 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
# batCAVE Misc Modules
# batcave-tf-misc-modules

Miscellaneous modules for use in one-off circumstances on batCAVE.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
17 changes: 17 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
# Security and Responsible Disclosure Policy

*Submit a vulnerability:* Unfortunately, we cannot accept secure submissions via
email or via GitHub Issues. Please use our website to submit vulnerabilities at
[https://hhs.responsibledisclosure.com](https://hhs.responsibledisclosure.com).
HHS maintains an acknowledgements page to recognize your efforts on behalf of
the American public, but you are also welcome to submit anonymously.

Review the HHS Disclosure Policy and websites in scope:
[https://www.hhs.gov/vulnerability-disclosure-policy/index.html](https://www.hhs.gov/vulnerability-disclosure-policy/index.html).

This policy describes *what systems and types of research* are covered under this
policy, *how to send* us vulnerability reports, and *how long* we ask security
researchers to wait before publicly disclosing vulnerabilities.

If you have other cybersecurity related questions, please contact us at
[csirc@hhs.gov.](mailto:csirc@hhs.gov).
2 changes: 1 addition & 1 deletion account_alias/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,4 +2,4 @@

Sets the account alias for an AWS account. https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html

Variable account_alias will be set for the account, e.g. "batcave-dev". Queryable with [ListAccountAliases](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAccountAliases.html)
Variable account_alias will be set for the account, e.g. "batcave-dev". Queryable with [ListAccountAliases](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAccountAliases.html)
2 changes: 1 addition & 1 deletion account_alias/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -9,4 +9,4 @@ variable "alias_name" {
condition = length(var.alias_name) >= 3 && length(var.alias_name) <= 63
error_message = "Account Alias must have between 3 and 63 characters."
}
}
}
4 changes: 2 additions & 2 deletions cwl_subscriptions/firehose.tf
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,10 @@ resource "aws_kinesis_firehose_delivery_stream" "panther_firehose" {
destination = "extended_s3"

extended_s3_configuration {
bucket_arn = data.aws_s3_bucket.firehose_bucket.arn
bucket_arn = data.aws_s3_bucket.firehose_bucket.arn
buffering_size = var.buffering_size
buffering_interval = var.buffering_interval_in_seconds
role_arn = aws_iam_role.firehose_s3_role.arn
role_arn = aws_iam_role.firehose_s3_role.arn

prefix = "cloudwatchlogs/"
error_output_prefix = "cloudwatchlogs/error/"
Expand Down
10 changes: 5 additions & 5 deletions delete_ebs_volumes/lambda.tf
Original file line number Diff line number Diff line change
Expand Up @@ -5,9 +5,9 @@ resource "null_resource" "lambda_package" {
}
triggers = {
# re-build when requirements change
deps = filemd5("${path.module}/python/requirements.txt")
deps = filemd5("${path.module}/python/requirements.txt")
# re-build when source code changes
source = jsonencode({for f in fileset("${path.module}/python/", "*.py") : f => filemd5("${path.module}/python/${f}")})
source = jsonencode({ for f in fileset("${path.module}/python/", "*.py") : f => filemd5("${path.module}/python/${f}") })
# re-build if the build output is missing locally or inconsistent with the latest deployed build
build_log = fileexists("${path.module}/python/build.log") ? filemd5("${path.module}/python/build.log") : timestamp()
}
Expand All @@ -34,7 +34,7 @@ resource "aws_lambda_function" "delete_ebs_volumes" {
LOG_LEVEL = "INFO"
}
}
tags = {
tags = {
environment = var.environment
project = var.project
}
Expand Down Expand Up @@ -77,7 +77,7 @@ resource "aws_iam_role" "delete_ebs_volumes_lambda_role" {
path = var.iam_path
permissions_boundary = var.permissions_boundary
managed_policy_arns = [aws_iam_policy.delete_ebs_volumes_lambda_policy.arn]
assume_role_policy = jsonencode(
assume_role_policy = jsonencode(
{
"Version" : "2012-10-17",
"Statement" : [
Expand All @@ -98,7 +98,7 @@ resource "aws_iam_policy" "delete_ebs_volumes_lambda_policy" {
name = "delete_ebs_volumes_lambda_policy"
path = var.iam_path
description = "Policy to be used by lambda which deletes available EBS volumes"
policy = jsonencode(
policy = jsonencode(
{
"Version" : "2012-10-17",
"Statement" : [
Expand Down
1 change: 0 additions & 1 deletion delete_ebs_volumes/variables.tf
Original file line number Diff line number Diff line change
@@ -1,7 +1,6 @@
variable "iam_path" {}
variable "permissions_boundary" {}
variable "lambda_name" {}
variable "aws_region" {}
variable "environment" {}
variable "project" {}
variable "event_schedule_cron" {}
Expand Down
60 changes: 30 additions & 30 deletions role/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -4,13 +4,13 @@ data "aws_caller_identity" "current" {}
resource "aws_iam_role" "api-service-role" {
name = "${var.GroupName}-api-service-role"
depends_on = [
aws_iam_policy.api-policy
]
path = var.iam_role_path
aws_iam_policy.api-policy
]
path = var.iam_role_path
permissions_boundary = var.permissions_boundary
tags = var.tags
assume_role_policy = <<-EOF
{
tags = var.tags
assume_role_policy = <<-EOF
{
"Version": "2012-10-17",
"Statement": [
{
Expand All @@ -33,13 +33,13 @@ resource "aws_iam_role" "api-service-role" {
resource "aws_iam_role" "job-scheduler-service-role" {
name = "${var.GroupName}-job-scheduler-service-role"
depends_on = [
aws_iam_policy.job-scheduler-policy
]
path = var.iam_role_path
aws_iam_policy.job-scheduler-policy
]
path = var.iam_role_path
permissions_boundary = var.permissions_boundary
tags = var.tags
assume_role_policy = <<-EOF
{
tags = var.tags
assume_role_policy = <<-EOF
{
"Version": "2012-10-17",
"Statement": [
{
Expand All @@ -62,15 +62,15 @@ resource "aws_iam_role" "job-scheduler-service-role" {
resource "aws_iam_role" "cms-cloud-s3-snowflake-role" {
name = "cms-cloud-${var.GroupName}-s3-snowflake-role"
depends_on = [
aws_iam_policy.snowflake-access-policy
]
path = var.iam_role_path
aws_iam_policy.snowflake-access-policy
]
path = var.iam_role_path
permissions_boundary = var.permissions_boundary
tags = var.tags
assume_role_policy = <<-EOF
tags = var.tags
assume_role_policy = <<-EOF
{
"Version": "2012-10-17",
"Statement":
"Statement":
[
{
"Effect": "Allow",
Expand All @@ -84,17 +84,17 @@ resource "aws_iam_role" "cms-cloud-s3-snowflake-role" {
"StringEquals": {
"sts:ExternalId": "${var.SDLExternalId}"
}
}
}
}
]
}
}
EOF
}

resource "aws_iam_policy" "api-policy" {
name = "${var.GroupName}-api-policy"
path = "/delegatedadmin/developer/"
tags = var.tags
name = "${var.GroupName}-api-policy"
path = "/delegatedadmin/developer/"
tags = var.tags

policy = <<-EOF
{
Expand Down Expand Up @@ -122,13 +122,13 @@ resource "aws_iam_policy" "api-policy" {
}

locals {
ApiResources = "[\"${join("\",\"",var.ApiResources)}\"]"
ApiResources = "[\"${join("\",\"", var.ApiResources)}\"]"
}

resource "aws_iam_policy" "job-scheduler-policy" {
name = "${var.GroupName}-job-scheduler-policy"
path = "/delegatedadmin/developer/"
tags = var.tags
name = "${var.GroupName}-job-scheduler-policy"
path = "/delegatedadmin/developer/"
tags = var.tags

policy = <<-EOF
{
Expand All @@ -150,9 +150,9 @@ resource "aws_iam_policy" "job-scheduler-policy" {
}

resource "aws_iam_policy" "snowflake-access-policy" {
name = "${var.GroupName}-snowflake-access-policy"
path = "/delegatedadmin/developer/"
tags = var.tags
name = "${var.GroupName}-snowflake-access-policy"
path = "/delegatedadmin/developer/"
tags = var.tags

policy = <<-EOF
{
Expand Down
2 changes: 1 addition & 1 deletion role/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -61,4 +61,4 @@ variable "tags" {
description = "A mapping of tags to assign to all resources"
type = map(string)
default = {}
}
}
1 change: 0 additions & 1 deletion sdl_logs/README.md
Original file line number Diff line number Diff line change
@@ -1,4 +1,3 @@
# SDL logs

Sends all object create events on the logging bucket to eventbridge, a trigger to SNS, and connection to the Panther SQS queue for ingestion.

6 changes: 3 additions & 3 deletions sdl_logs/eventbridge.tf
Original file line number Diff line number Diff line change
Expand Up @@ -42,9 +42,9 @@ resource "aws_cloudwatch_event_target" "target" {
"awsRegion":<region>,
"eventTime":<time>,
"eventName":"PutObject",
"s3":{
"s3":{
"s3SchemaVersion":"1.0",
"bucket":{
"bucket":{
"name":"${data.aws_s3_bucket.cms_logging_bucket.id}",
"arn":"${data.aws_s3_bucket.cms_logging_bucket.arn}"
},
Expand All @@ -55,4 +55,4 @@ resource "aws_cloudwatch_event_target" "target" {
}
EOF
}
}
}
2 changes: 1 addition & 1 deletion sdl_logs/guardduty.tf
Original file line number Diff line number Diff line change
Expand Up @@ -9,4 +9,4 @@ resource "aws_guardduty_publishing_destination" "s3-export" {
resource "aws_s3_object" "guardduty_directory" {
bucket = aws_s3_bucket.gd_export_s3_bucket.id
key = "guardduty/"
}
}
2 changes: 1 addition & 1 deletion sdl_logs/kms.tf
Original file line number Diff line number Diff line change
Expand Up @@ -91,4 +91,4 @@ resource "aws_kms_key" "kms_key" {
resource "aws_kms_alias" "kms_key" {
name = "alias/batcave-panther"
target_key_id = aws_kms_key.kms_key.id
}
}
1 change: 0 additions & 1 deletion sdl_logs/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -88,4 +88,3 @@ resource "aws_iam_role_policy" "kms_decryption" {
]
})
}

Loading
Loading