rhythmictech · cdaniluk · Sep 13, 2024
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
@@ -3,6 +3,7 @@ name: pre-commit-check
 on:
   push:
     branches:
+      - main
       - master
       - prod
       - develop

diff --git a/.github/workflows/pullRequest.yaml b/.github/workflows/pullRequest.yaml
@@ -24,7 +24,7 @@ jobs:
             terraform_tflint_deep,
             no-commit-to-branch,
             terraform_tflint_nocreds,
-            terraform_tfsec
+            terraform_trivy
   tflint:
     runs-on: ubuntu-latest
     steps:
@@ -41,7 +41,7 @@ jobs:
           filter_mode: added
           flags: --module
           level: error
-  tfsec:
+  trivy:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2

diff --git a/.github/workflows/tfsec.yaml b/.github/workflows/tfsec.yaml
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -0,0 +1,31 @@
+---
+name: trivy
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  trivy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Install prerequisites
+        run: ./bin/install-ubuntu.sh
+      - name: Terraform init
+        run: terraform init --backend=false
+      - name: Trivy scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'config'
+          hide-progress: false
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          exit-code: '1'
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/.gitignore b/.gitignore
@@ -7,3 +7,9 @@
 
 # .tfvars files
 *.tfvars
+
+# macs
+.DS_Store
+
+# temp folders
+tmp
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,70 +1,35 @@
 exclude: ".terraform"
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.77.1
+    rev: v1.92.2
     hooks:
       - id: terraform_docs
         always_run: true
       - id: terraform_fmt
+      - id: terraform_validate
+        args:
+        - --hook-config=--retry-once-with-cleanup=true
+        exclude: ^examples
       - id: terraform_tflint
         alias: terraform_tflint_nocreds
+        exclude: ^examples
         name: terraform_tflint_nocreds
-      - id: terraform_tfsec
-  - repo: local
-    hooks:
-      - id: terraform_validate
-        name: terraform_validate
-        entry: |
-          bash -c '
-            AWS_DEFAULT_REGION=us-east-1
-            declare -a DIRS
-            for FILE in "$@"
-            do
-              DIRS+=($(dirname "$FILE"))
-            done
-            for DIR in $(printf "%s\n" "${DIRS[@]}" | sort -u)
-            do
-              cd $(dirname "$FILE")
-              terraform init --backend=false
-              terraform validate .
-              cd ..
-            done
-          '
-        language: system
-        verbose: true
-        files: \.tf(vars)?$
-        exclude: examples
-      - id: tflock
-        name: provider_locks
-        entry: |
-          bash -c '
-            AWS_DEFAULT_REGION=us-east-1
-            declare -a DIRS
-            for FILE in "$@"
-            do
-              DIRS+=($(dirname "$FILE"))
-            done
-            for DIR in $(printf "%s\n" "${DIRS[@]}" | sort -u)
-            do
-              cd $(dirname "$FILE")
-              terraform providers lock -platform=windows_amd64 -platform=darwin_amd64 -platform=linux_amd64
-              cd ..
-            done
-          '
-        language: system
-        verbose: true
-        files: \.tf(vars)?$
-        exclude: examples
+      - id: terraform_trivy
+        args:
+        - --args=--skip-dirs="**/.terraform,examples/*"
+      - id: terraform_providers_lock
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v4.6.0
     hooks:
+      - id: check-added-large-files
       - id: check-case-conflict
       - id: check-json
       - id: check-merge-conflict
       - id: check-symlinks
       - id: check-yaml
         args:
           - --unsafe
+      - id: detect-private-key
       - id: end-of-file-fixer
       - id: mixed-line-ending
         args:
@@ -86,4 +51,4 @@ repos:
           - --markdown-linebreak-ext=md
         exclude: README.md
 ci:
-  skip: [terraform_docs, terraform_fmt, terraform_tflint, terraform_tfsec, tflock]
+  skip: [terraform_docs, terraform_fmt, terraform_validate, terraform_tflint, terraform_trivy, terraform_providers_lock]
diff --git a/.terraform-version b/.terraform-version
@@ -1 +1 @@
-latest:^1.1
+latest:^1.6
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/.tflint.hcl b/.tflint.hcl
@@ -2,6 +2,12 @@ config {
   module     = true
 }
 
+plugin "aws" {
+    enabled = true
+    version = "0.30.0"
+    source  = "github.com/terraform-linters/tflint-ruleset-aws"
+}
+
 rule "terraform_deprecated_interpolation" {
   enabled = true
 }

diff --git a/LICENSE b/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2023 Rhythmic Technologies, Inc.
+Copyright (c) 2024 Rhythmic Technologies, Inc.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

diff --git a/README.md b/README.md
@@ -1,21 +1,27 @@
 # terraform-aws-config
 
-[![](https://github.com/rhythmictech/terraform-aws-config/workflows/check/badge.svg)](https://github.com/rhythmictech/terraform-aws-config/actions)
+[![tflint](https://github.com/rhythmictech/terraform-aws-config/workflows/tflint/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-aws-config/actions?query=workflow%3Atflint+event%3Apush+branch%3Amaster)
+[![trivy](https://github.com/rhythmictech/terraform-aws-config/workflows/trivy/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-aws-config/actions?query=workflow%3Atrivy+event%3Apush+branch%3Amaster)
+[![yamllint](https://github.com/rhythmictech/terraform-aws-config/workflows/yamllint/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-aws-config/actions?query=workflow%3Ayamllint+event%3Apush+branch%3Amaster)
+[![misspell](https://github.com/rhythmictech/terraform-aws-config/workflows/misspell/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-aws-config/actions?query=workflow%3Amisspell+event%3Apush+branch%3Amaster)
+[![pre-commit-check](https://github.com/rhythmictech/terraform-aws-config/workflows/pre-commit-check/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-aws-config/actions?query=workflow%3Apre-commit-check+event%3Apush+branch%3Amaster)
+<a href="https://twitter.com/intent/follow?screen_name=RhythmicTech"><img src="https://img.shields.io/twitter/follow/RhythmicTech?style=social&logo=twitter" alt="follow on Twitter"></a>
+
 
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.4 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.8 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.1 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.56.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.66.0 |
 
 ## Modules
 
@@ -33,7 +39,11 @@ No modules.
 | [aws_iam_role_policy_attachment.awsconfig_managed_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_logging.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
 | [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_versioning.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
+| [aws_sns_topic.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -46,16 +56,35 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | Name of the S3 bucket to record to (do not use with multi-region module) | `string` | `null` | no |
 | <a name="input_bucket_suffix"></a> [bucket\_suffix](#input\_bucket\_suffix) | Suffix to append to S3 bucket name | `string` | `"awsconfig"` | no |
+| <a name="input_create_sns_topic"></a> [create\_sns\_topic](#input\_create\_sns\_topic) | Whether to create an SNS topic | `bool` | `false` | no |
 | <a name="input_delivery_channel_name"></a> [delivery\_channel\_name](#input\_delivery\_channel\_name) | Name of the delivery channel | `string` | `"awsconfig-s3"` | no |
-| <a name="input_enable_global_logging"></a> [enable\_global\_logging](#input\_enable\_global\_logging) | Enable recording of global events (E.g., IAM) | `bool` | `true` | no |
+| <a name="input_grant_s3_kms_access"></a> [grant\_s3\_kms\_access](#input\_grant\_s3\_kms\_access) | Whether to grant the IAM role access to the S3 bucket KMS key | `bool` | `true` | no |
+| <a name="input_grant_sns_kms_access"></a> [grant\_sns\_kms\_access](#input\_grant\_sns\_kms\_access) | Whether to grant the IAM role access to the SNS topic KMS key | `bool` | `true` | no |
 | <a name="input_logging_bucket"></a> [logging\_bucket](#input\_logging\_bucket) | Optional target for S3 access logging | `string` | `null` | no |
 | <a name="input_logging_prefix"></a> [logging\_prefix](#input\_logging\_prefix) | Optional target prefix for S3 access logging (only used if `s3_access_logging_bucket` is set) | `string` | `null` | no |
 | <a name="input_recorder_name"></a> [recorder\_name](#input\_recorder\_name) | Name of the config recorder | `string` | `"awsconfig"` | no |
-| <a name="input_snapshot_delivery_frequency"></a> [snapshot\_delivery\_frequency](#input\_snapshot\_delivery\_frequency) | Deliery frequency: One\_Hour, Three\_Hours, Six\_Hours, Twelve\_Hours, TwentyFour\_Hours | `string` | `"Six_Hours"` | no |
+| <a name="input_recording_group_all_supported"></a> [recording\_group\_all\_supported](#input\_recording\_group\_all\_supported) | Specifies whether AWS Config records configuration changes for every supported type of regional resource. If set to 'false', you must specify resource types in 'recording\_group\_resource\_types'. | `bool` | `true` | no |
+| <a name="input_recording_group_exclusion_resource_types"></a> [recording\_group\_exclusion\_resource\_types](#input\_recording\_group\_exclusion\_resource\_types) | A list of resource types to exclude from recording. Only valid when 'recording\_group\_all\_supported' is true. | `list(string)` | `[]` | no |
+| <a name="input_recording_group_include_global_resource_types"></a> [recording\_group\_include\_global\_resource\_types](#input\_recording\_group\_include\_global\_resource\_types) | Specifies whether AWS Config includes all supported types of global resources with the resources that it records. Only valid when 'recording\_group\_all\_supported' is true. | `bool` | `true` | no |
+| <a name="input_recording_group_recording_strategy_use_only"></a> [recording\_group\_recording\_strategy\_use\_only](#input\_recording\_group\_recording\_strategy\_use\_only) | Specifies whether AWS Config limits recording to the resource types specified in 'recording\_group\_resource\_types'. Valid values: 'ALL\_SUPPORTED\_RESOURCE\_TYPES' or 'INCLUSION\_BY\_RESOURCE\_TYPES'. | `string` | `null` | no |
+| <a name="input_recording_group_resource_types"></a> [recording\_group\_resource\_types](#input\_recording\_group\_resource\_types) | A list of valid AWS resource types to include in this recording group. Only used if 'recording\_group\_all\_supported' is false. | `list(string)` | `[]` | no |
+| <a name="input_recording_mode_override_description"></a> [recording\_mode\_override\_description](#input\_recording\_mode\_override\_description) | A description for the recording mode override. | `string` | `null` | no |
+| <a name="input_recording_mode_override_enabled"></a> [recording\_mode\_override\_enabled](#input\_recording\_mode\_override\_enabled) | Specifies whether to enable recording mode override. | `bool` | `false` | no |
+| <a name="input_recording_mode_override_recording_frequency"></a> [recording\_mode\_override\_recording\_frequency](#input\_recording\_mode\_override\_recording\_frequency) | The frequency for the recording mode override. Valid values: CONTINUOUS, PERIODIC\_1\_HOUR, PERIODIC\_3\_HOURS, PERIODIC\_6\_HOURS, PERIODIC\_12\_HOURS, PERIODIC\_24\_HOURS | `string` | `"CONTINUOUS"` | no |
+| <a name="input_recording_mode_override_resource_types"></a> [recording\_mode\_override\_resource\_types](#input\_recording\_mode\_override\_resource\_types) | A list of resource types to be recorded at the frequency specified in recording\_mode\_override\_recording\_frequency. | `list(string)` | `[]` | no |
+| <a name="input_recording_mode_recording_frequency"></a> [recording\_mode\_recording\_frequency](#input\_recording\_mode\_recording\_frequency) | The frequency with which AWS Config records configuration changes. Valid values: CONTINUOUS, PERIODIC\_1\_HOUR, PERIODIC\_3\_HOURS, PERIODIC\_6\_HOURS, PERIODIC\_12\_HOURS, PERIODIC\_24\_HOURS | `string` | `"CONTINUOUS"` | no |
+| <a name="input_s3_bucket_kms_key_id"></a> [s3\_bucket\_kms\_key\_id](#input\_s3\_bucket\_kms\_key\_id) | The ARN of the KMS key to use for encrypting the S3 bucket. If not provided, AES256 encryption will be used. | `string` | `null` | no |
+| <a name="input_s3_key_prefix"></a> [s3\_key\_prefix](#input\_s3\_key\_prefix) | The prefix for the specified S3 bucket. | `string` | `null` | no |
+| <a name="input_snapshot_delivery_frequency"></a> [snapshot\_delivery\_frequency](#input\_snapshot\_delivery\_frequency) | Delivery frequency. Valid values: One\_Hour, Three\_Hours, Six\_Hours, Twelve\_Hours, TwentyFour\_Hours | `string` | `"Six_Hours"` | no |
 | <a name="input_sns_topic_arn"></a> [sns\_topic\_arn](#input\_sns\_topic\_arn) | SNS topic to deliver config rule notifications to | `string` | `null` | no |
+| <a name="input_sns_topic_kms_key_id"></a> [sns\_topic\_kms\_key\_id](#input\_sns\_topic\_kms\_key\_id) | The ARN of the KMS key to use for encrypting the SNS topic. If not provided, the default AWS managed key for SNS will be used. | `string` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to add to resources that support it | `map(string)` | `{}` | no |
 
 ## Outputs
 
 No outputs.
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Additional Information
+
+The SNS topic created by this module (when `sns_topic_arn` is not provided) will have a name prefix based on the `recorder_name` variable, followed by "-config-topic-". AWS will append a unique suffix to this prefix to ensure uniqueness.
diff --git a/bin/install-macos.sh b/bin/install-macos.sh
@@ -2,9 +2,8 @@
 
 echo 'installing brew packages'
 brew update
-brew tap liamg/tfsec
-brew install tfenv tflint terraform-docs pre-commit liamg/tfsec/tfsec coreutils
-brew upgrade tfenv tflint terraform-docs pre-commit liamg/tfsec/tfsec coreutils
+brew install tfenv tflint terraform-docs aquasecurity/trivy/trivy pre-commit coreutils
+brew upgrade tfenv tflint terraform-docs aquasecurity/trivy/trivy pre-commit coreutils
 
 echo 'installing pre-commit hooks'
 pre-commit install

diff --git a/bin/install-ubuntu.sh b/bin/install-ubuntu.sh
@@ -7,7 +7,7 @@ pip3 install pre-commit
 # terraform docs
 mkdir tmp
 cd tmp
-curl -Lo ./terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-$(uname)-amd64.tar.gz
+curl -Lo ./terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.18.0/terraform-docs-v0.18.0-$(uname)-amd64.tar.gz
 tar -xzf terraform-docs.tar.gz
 chmod +x terraform-docs
 sudo mv terraform-docs /usr/bin/
@@ -30,3 +30,6 @@ pre-commit init-templatedir ~/.git-template
 
 echo 'installing terraform with tfenv'
 tfenv install
+
+wget https://github.com/aquasecurity/trivy/releases/download/v0.54.1/trivy_0.54.1_Linux-64bit.deb
+sudo dpkg -i trivy_0.54.1_Linux-64bit.deb
-Original file line number
+Diff line change
@@ Expand Up / @@ -3,6 +3,7 @@ name: pre-commit-check @@
     on:
       push:
         branches:
+          - main
           - master
           - prod
           - develop
@@ Expand Down @@