introduce tf best practices (#4)

* introduce tf best practices

* add subnets for tf-plan workflow

* add checkov skip statement

.github/workflows/checkov.yml

@@ -8,14 +8,19 @@ jobs:
   scan:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - name: Set up Python 3.9
-        uses: actions/setup-python@v4
+      - uses: actions/checkout@v4
+      - name: Set up Python 3.11
+        uses: actions/setup-python@v5
         with:
-          python-version: 3.9
+          python-version: 3.11
       - name: Scan with Checkov
         id: checkov
-        uses: bridgecrewio/checkov-action@master
+        uses: bridgecrewio/checkov-action@v12
         with:
           directory: .
           framework: terraform
+          quiet: true
+          download_external_modules: false
+          output_format: cli,sarif
+          output_file_path: console,results.sarif
+          skip_path: examples

.github/workflows/release.yml

@@ -7,9 +7,9 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Set up Terraform
-        uses: hashicorp/setup-terraform@v2
+        uses: hashicorp/setup-terraform@v3
       - name: Terraform Init
         id: init
         run: terraform init
@@ -19,23 +19,25 @@ jobs:
   checkov:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - name: Set up Python 3.9
-        uses: actions/setup-python@v4
+      - uses: actions/checkout@v4
+      - name: Set up Python 3.11
+        uses: actions/setup-python@v5
         with:
-          python-version: 3.9
+          python-version: 3.11
       - name: Scan with Checkov
         id: checkov
-        uses: bridgecrewio/checkov-action@master
+        uses: bridgecrewio/checkov-action@v12
         with:
           directory: .
           framework: terraform
+          quiet: true
+          download_external_modules: false
+          output_format: cli,sarif
+          output_file_path: console,results.sarif
+          skip_path: examples
   release:
     runs-on: ubuntu-latest
     needs: [test, checkov]
     steps:
-      - uses: actions/checkout@v3
-      - uses: "marvinpinto/action-automatic-releases@v1.1.2"
-        with:
-          repo_token: "${{ secrets.GITHUB_TOKEN }}"
-          prerelease: false
+      - uses: actions/checkout@v4
+      - uses: softprops/action-gh-release@v2

.github/workflows/tf-plan.yml

@@ -0,0 +1,29 @@
+name: tf-plan
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read  # This is required for actions/checkout
+
+jobs:
+  plan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.TF_READ_ONLY_GITHUB_OIDC_ROLE_ARN }}
+          aws-region: eu-west-1
+      - name: Set up Terraform
+        uses: hashicorp/setup-terraform@v3
+      - name: Terraform Init
+        id: init
+        run: terraform init
+      - name: Terraform Plan
+        id: plan
+        run: terraform plan -var 'cluster_name=test' -var 'subnet_ids=["${{ secrets.PVT_SUBNET_ID_1 }}", "${{ secrets.PVT_SUBNET_ID_2 }}"]'

.gitignore

@@ -1,18 +1,20 @@
 # Local .terraform directories
-.terraform*
+**/.terraform/*
 
 # .tfstate files
 *.tfstate
 *.tfstate.*
 
 # Crash log files
 crash.log
+crash.*.log
 
-# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
-# .tfvars files are managed as part of configuration and so should be included in
-# version control.
-#
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
 *.tfvars
+*.tfvars.json
 
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in
@@ -22,13 +24,14 @@ override.tf.json
 *_override.tf.json
 
 # Include override files you do wish to add to version control using negated pattern
-#
 # !example_override.tf
 
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
 
-provider.tf
-header.tf
-footer.tf
-*.sh
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+# Lock file
+*.lock.hcl

.pre-commit-config.yaml

@@ -0,0 +1,35 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.6.0
+  hooks:
+  - id: trailing-whitespace
+  - id: end-of-file-fixer
+  - id: check-yaml
+  - id: check-json
+  - id: check-symlinks
+  - id: detect-private-key
+  - id: no-commit-to-branch
+- repo: https://github.com/gitleaks/gitleaks
+  rev: v8.18.42
+  hooks:
+    - id: gitleaks
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.92.0
+  hooks:
+    - id: terraform_fmt
+    - id: terraform_validate
+      exclude: examples/
+    - id: terraform_tflint
+      exclude: examples/
+      args:
+        - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl --fix
+- repo: https://github.com/bridgecrewio/checkov.git
+  rev: "3.2.183"
+  hooks:
+    - id: checkov
+      args: ["--quiet", "--compact", "--framework", "terraform", "--download-external-modules", "false", "--skip-path", "examples"]
+- repo: https://github.com/terraform-docs/terraform-docs
+  rev: v0.18.0
+  hooks:
+    - id: terraform-docs-go
+      args: ["."]

.terraform-docs.yml

@@ -0,0 +1,63 @@
+formatter: "markdown table" # this is required
+
+header-from: .tf-header.md
+footer-from: .tf-footer.md
+
+recursive:
+  enabled: false
+  path: modules
+
+sections:
+  hide:
+  - resources
+  - data-sources
+  - modules
+  - providers
+
+content: |-
+  {{ .Header }}
+
+  # Usage Instructions
+  ## Example
+  ```hcl
+  {{ include "examples/default.tf" }}
+  ```
+
+  {{ .Requirements }}
+
+  {{ .Inputs }}
+
+  {{ .Outputs }}
+
+  {{ .Footer }}
+
+output:
+  file: README.md
+  mode: inject
+  template: |-
+    <!-- BEGIN_TF_DOCS -->
+    {{ .Content }}
+    <!-- END_TF_DOCS -->
+
+output-values:
+  enabled: false
+  from: ""
+
+sort:
+  enabled: true
+  by: name
+
+settings:
+  anchor: false
+  color: true
+  default: true
+  description: false
+  escape: false
+  hide-empty: false
+  html: false
+  indent: 2
+  lockfile: false # because .terraform.lock.hcl is not checked in the repository
+  read-comments: true
+  required: true
+  sensitive: false
+  type: true

.tf-footer.md

@@ -0,0 +1,5 @@
+## Autoscaling nodes
+
+For autoscaling nodes you can setup either of two:
+- [Cluster Autoscaler](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md) - [Helm Chart](https://github.com/kubernetes/autoscaler/tree/master/charts/cluster-autoscaler)
+- [Karpenter](https://karpenter.sh/) - [Helm Chart](https://github.com/aws/karpenter-provider-aws/tree/main/charts/karpenter)

.tf-header.md

@@ -0,0 +1,9 @@
+# Title
+
+![License](https://img.shields.io/github/license/terrablocks/aws-eks-managed-node-group?style=for-the-badge) ![Plan](https://img.shields.io/github/actions/workflow/status/terrablocks/aws-eks-managed-node-group/tf-plan.yml?branch=main&label=Plan&style=for-the-badge) ![Checkov](https://img.shields.io/github/actions/workflow/status/terrablocks/aws-eks-managed-node-group/checkov.yml?branch=main&label=Checkov&style=for-the-badge) ![Commit](https://img.shields.io/github/last-commit/terrablocks/aws-eks-managed-node-group?style=for-the-badge) ![Release](https://img.shields.io/github/v/release/terrablocks/aws-eks-managed-node-group?style=for-the-badge)
+
+This terraform module will deploy the following services:
+- EKS Node Group
+- Auto Scaling Group
+- IAM Role
+- IAM Role Policy

.tflint.hcl

@@ -0,0 +1,10 @@
+plugin "aws" {
+  enabled = true
+  version = "0.30.0"
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+}
+
+plugin "terraform" {
+  enabled = true
+  preset  = "all"
+}

LICENCE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2020 Vimal Paliwal
+Copyright (c) 2024 terrablocks (by SkildOps)
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

examples/default.tf

@@ -0,0 +1,6 @@
+module "eks_managed_node_group" {
+  source = "github.com/terrablocks/aws-eks-managed-node-group.git?ref=" # Always use `ref` to point module to a specific version or hash
+
+  cluster_name = "eks-cluster"
+  subnet_ids   = ["subnet-xxxx", "subnet-yyyy"]
+}

main.tf

@@ -35,6 +35,8 @@ resource "aws_iam_role_policy_attachment" "ng_registry_policy" {
 
 # Policy required for cluster autoscaling
 resource "aws_iam_role_policy" "eks_scaling_policy" {
+  # checkov:skip=CKV_AWS_290: write access without constraint is required
+  # checkov:skip=CKV_AWS_355: "*" for resource is required
   count       = var.create_ng_role ? 1 : 0
   name_prefix = "${var.cluster_name}-ng-role-policy-"
   role        = join(", ", aws_iam_role.eks_ng_role.*.id)

requirements.tf

@@ -1,9 +1,9 @@
 terraform {
-  required_version = ">= 0.13"
+  required_version = ">= 1.8.0"
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.44.0"
+      version = ">= 5.0.0"
     }
   }
 }

vars.tf → variables.tf

@@ -64,9 +64,9 @@ variable "capacity_type" {
 }
 
 variable "instance_type" {
-  type        = string
-  default     = "t3.medium"
-  description = "Type of instance to be used for EKS nodes"
+  type        = list(string)
+  default     = ["t3.medium"]
+  description = "List of type of instances to be used as EKS nodes"
 }
 
 variable "disk_size" {