initial implementation (#1)

* initial implementation

.github/workflows/pre-commit.yaml

@@ -3,6 +3,7 @@ name: pre-commit-check
 on:
   push:
     branches:
+      - main
       - master
       - prod
       - develop

.github/workflows/pullRequest.yaml

@@ -24,7 +24,7 @@ jobs:
             terraform_tflint_deep,
             no-commit-to-branch,
             terraform_tflint_nocreds,
-            terraform_tfsec
+            terraform_trivy
   tflint:
     runs-on: ubuntu-latest
     steps:
@@ -41,7 +41,7 @@ jobs:
           filter_mode: added
           flags: --module
           level: error
-  tfsec:
+  trivy:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2

.github/workflows/trivy.yaml

@@ -0,0 +1,31 @@
+---
+name: trivy
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  trivy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Install prerequisites
+        run: ./bin/install-ubuntu.sh
+      - name: Terraform init
+        run: terraform init --backend=false
+      - name: Trivy scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'config'
+          hide-progress: false
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          exit-code: '1'
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'

.gitignore

@@ -13,5 +13,3 @@
 
 # temp folders
 tmp
-
-.terraform.lock.hcl

.pre-commit-config.yaml

@@ -1,70 +1,35 @@
 exclude: ".terraform"
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.92.1
+    rev: v1.92.2
     hooks:
       - id: terraform_docs
         always_run: true
       - id: terraform_fmt
+      - id: terraform_validate
+        args:
+        - --hook-config=--retry-once-with-cleanup=true
+        exclude: ^examples
       - id: terraform_tflint
         alias: terraform_tflint_nocreds
+        exclude: ^examples
         name: terraform_tflint_nocreds
-      - id: terraform_tfsec
-  - repo: local
-    hooks:
-      - id: terraform_validate
-        name: terraform_validate
-        entry: |
-          bash -c '
-            AWS_DEFAULT_REGION=us-east-1
-            declare -a DIRS
-            for FILE in "$@"
-            do
-              DIRS+=($(dirname "$FILE"))
-            done
-            for DIR in $(printf "%s\n" "${DIRS[@]}" | sort -u)
-            do
-              cd $(dirname "$FILE")
-              terraform init --backend=false
-              terraform validate .
-              cd ..
-            done
-          '
-        language: system
-        verbose: true
-        files: \.tf(vars)?$
-        exclude: examples
-      - id: tflock
-        name: provider_locks
-        entry: |
-          bash -c '
-            AWS_DEFAULT_REGION=us-east-1
-            declare -a DIRS
-            for FILE in "$@"
-            do
-              DIRS+=($(dirname "$FILE"))
-            done
-            for DIR in $(printf "%s\n" "${DIRS[@]}" | sort -u)
-            do
-              cd $(dirname "$FILE")
-              terraform providers lock -platform=windows_amd64 -platform=darwin_amd64 -platform=linux_amd64
-              cd ..
-            done
-          '
-        language: system
-        verbose: true
-        files: \.tf(vars)?$
-        exclude: examples
+      - id: terraform_trivy
+        args:
+        - --args=--skip-dirs="**/.terraform,examples/*"
+      - id: terraform_providers_lock
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v4.6.0
     hooks:
+      - id: check-added-large-files
       - id: check-case-conflict
       - id: check-json
       - id: check-merge-conflict
       - id: check-symlinks
       - id: check-yaml
         args:
           - --unsafe
+      - id: detect-private-key
       - id: end-of-file-fixer
       - id: mixed-line-ending
         args:
@@ -86,4 +51,4 @@ repos:
           - --markdown-linebreak-ext=md
         exclude: README.md
 ci:
-  skip: [terraform_docs, terraform_fmt, terraform_tflint, terraform_tfsec, tflock]
+  skip: [terraform_docs, terraform_fmt, terraform_validate, terraform_tflint, terraform_trivy, terraform_providers_lock]

.tflint.hcl

@@ -2,6 +2,12 @@ config {
   module     = true
 }
 
+plugin "aws" {
+    enabled = true
+    version = "0.30.0"
+    source  = "github.com/terraform-linters/tflint-ruleset-aws"
+}
+
 rule "terraform_deprecated_interpolation" {
   enabled = true
 }

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2020 Rhythmic Technologies, Inc.
+Copyright (c) 2024 Rhythmic Technologies, Inc.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,55 +1,82 @@
-# terraform-terraform-template
-Template repository for terraform modules. Good for any cloud and any provider.
-
-[![tflint](https://github.com/rhythmictech/terraform-terraform-template/workflows/tflint/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Atflint+event%3Apush+branch%3Amaster)
-[![tfsec](https://github.com/rhythmictech/terraform-terraform-template/workflows/tfsec/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Atfsec+event%3Apush+branch%3Amaster)
-[![yamllint](https://github.com/rhythmictech/terraform-terraform-template/workflows/yamllint/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Ayamllint+event%3Apush+branch%3Amaster)
-[![misspell](https://github.com/rhythmictech/terraform-terraform-template/workflows/misspell/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Amisspell+event%3Apush+branch%3Amaster)
-[![pre-commit-check](https://github.com/rhythmictech/terraform-terraform-template/workflows/pre-commit-check/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Apre-commit-check+event%3Apush+branch%3Amaster)
+# terraform-aws-tag-policy
+Facilitate the creation of tag policies in AWS Organizations.
+
+[![tflint](https://github.com/rhythmictech/terraform-aws-tag-policy/workflows/tflint/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-aws-tag-policy/actions?query=workflow%3Atflint+event%3Apush+branch%3Amaster)
+[![trivy](https://github.com/rhythmictech/terraform-aws-tag-policy/workflows/trivy/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-aws-tag-policy/actions?query=workflow%3Atrivy+event%3Apush+branch%3Amaster)
+[![yamllint](https://github.com/rhythmictech/terraform-aws-tag-policy/workflows/yamllint/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-aws-tag-policy/actions?query=workflow%3Ayamllint+event%3Apush+branch%3Amaster)
+[![misspell](https://github.com/rhythmictech/terraform-aws-tag-policy/workflows/misspell/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-aws-tag-policy/actions?query=workflow%3Amisspell+event%3Apush+branch%3Amaster)
+[![pre-commit-check](https://github.com/rhythmictech/terraform-aws-tag-policy/workflows/pre-commit-check/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-aws-tag-policy/actions?query=workflow%3Apre-commit-check+event%3Apush+branch%3Amaster)
 <a href="https://twitter.com/intent/follow?screen_name=RhythmicTech"><img src="https://img.shields.io/twitter/follow/RhythmicTech?style=social&logo=twitter" alt="follow on Twitter"></a>
 
 ## Example
 Here's what using the module will look like
 ```hcl
 module "example" {
-  source = "rhythmictech/terraform-mycloud-mymodule
+  name        = "require-owner-tag"
+
+  tag_policy = {
+    Owner = {
+      tag_key = "Owner"
+      enforced_for = [
+        "*"
+      ]
+    }
+  }
 }
 ```
 
 ## About
-A bit about this module
+This module creates a tag policy in AWS Organizations. It can be attached to the organization or to a list of OUs. It is possible to attach multiple tag policies to an organization or OU by using this module multiple times. 
+
+This module supports inheritance of tag policies. It uses the `@@assign` operator by default, so the effective tag policy will be the union of all tag policies attached to an organization or OU. It is possible to use the `@@append` and `@@remove` operators to modify the tag policy, as well as to define child inheritance rules. Thus, 
+
+Rolling out a tag policy in a running environment can cause unexpected results. Be sure to test in a dedicated AWS account and roll out carefully. Consult AWS documentation:
+
+* [Getting started with tag policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies-getting-started.html)
+* [Services and resource types that support enforcement](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_supported-resources-enforcement.html)
+* [Inheritance examples](https://docs.aws.amazon.com/organizations/latest/userguide/inheritance-examples.html)
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
-No requirements.
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.1 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5 |
 
 ## Providers
 
-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.64.0 |
 
 ## Modules
 
-| Name | Source | Version |
-|------|--------|---------|
-| <a name="module_tags"></a> [tags](#module\_tags) | rhythmictech/tags/terraform | ~> 1.1.0 |
+No modules.
 
 ## Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [aws_organizations_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
+| [aws_organizations_policy_attachment.tag_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy_attachment) | resource |
+| [aws_organizations_policy_attachment.tag_policy_attachment_org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy_attachment) | resource |
+| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_attach_ous"></a> [attach\_ous](#input\_attach\_ous) | List of OU IDs to attach the tag policies to | `list(string)` | `[]` | no |
+| <a name="input_attach_to_org"></a> [attach\_to\_org](#input\_attach\_to\_org) | Whether to attach the tag policy to the organization (set to false if you want to attach to OUs) | `bool` | `true` | no |
+| <a name="input_description"></a> [description](#input\_description) | Description of the tag policy | `string` | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | Moniker to apply to all resources in the module | `string` | n/a | yes |
+| <a name="input_tag_policy"></a> [tag\_policy](#input\_tag\_policy) | List of tag policies to create | <pre>map(object({<br>    enforced_for                                      = optional(list(string))<br>    enforced_for_operator                             = optional(string)<br>    enforced_for_operators_allowed_for_child_policies = optional(list(string))<br>    tag_key                                           = string<br>    tag_key_operator                                  = optional(string)<br>    tag_key_operators_allowed_for_child_policies      = optional(list(string))<br>    values                                            = optional(list(string))<br>    values_operator                                   = optional(string)<br>    values_operators_allowed_for_child_policies       = optional(list(string))<br>  }))</pre> | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | User-Defined tags | `map(string)` | `{}` | no |
 
 ## Outputs
 
-| Name | Description |
-|------|-------------|
-| <a name="output_tags_module"></a> [tags\_module](#output\_tags\_module) | Tags Module in it's entirety |
+No outputs.
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 ## Getting Started
@@ -59,9 +86,9 @@ This workflow has a few prerequisites which are installed through the `./bin/ins
 - [terraform](https://terraform.io)
 - [tfenv](https://github.com/tfutils/tfenv)
 - [terraform-docs](https://github.com/segmentio/terraform-docs)
-- [tfsec](https://github.com/tfsec/tfsec)
+- [trivy](https://github.com/trivy/trivy)
 - [tflint](https://github.com/terraform-linters/tflint)
 
 We use `tfenv` to manage `terraform` versions, so the version is defined in the `versions.tf` and `tfenv` installs the latest compliant version.
 `pre-commit` is like a package manager for scripts that integrate with git hooks. We use them to run the rest of the tools before apply. 
-`terraform-docs` creates the beautiful docs (above),  `tfsec` scans for security no-nos, `tflint` scans for best practices. 
+`terraform-docs` creates the beautiful docs (above),  `trivy` scans for security no-nos, `tflint` scans for best practices. 

bin/install-macos.sh

@@ -2,9 +2,8 @@
 
 echo 'installing brew packages'
 brew update
-brew tap liamg/tfsec
-brew install tfenv tflint terraform-docs pre-commit liamg/tfsec/tfsec coreutils
-brew upgrade tfenv tflint terraform-docs pre-commit liamg/tfsec/tfsec coreutils
+brew install tfenv tflint terraform-docs aquasecurity/trivy/trivy pre-commit coreutils
+brew upgrade tfenv tflint terraform-docs aquasecurity/trivy/trivy pre-commit coreutils
 
 echo 'installing pre-commit hooks'
 pre-commit install

bin/install-ubuntu.sh

@@ -30,3 +30,6 @@ pre-commit init-templatedir ~/.git-template
 
 echo 'installing terraform with tfenv'
 tfenv install
+
+wget https://github.com/aquasecurity/trivy/releases/download/v0.54.1/trivy_0.54.1_Linux-64bit.deb
+sudo dpkg -i trivy_0.54.1_Linux-64bit.deb