Merge pull request #1 from Gooygeek/feat/new-format

Gooygeek · web-flow · commit 4e5b2828a63b · 2022-03-27T18:50:29.000+11:00
Feat/new format
diff --git a/.env.template b/.env.template
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -23,5 +23,5 @@ jobs:
           npm install @semantic-release/exec
       - name: "release :: tag repo"
         env:
-          GITHUB_TOKEN: ${{ secrets.X_GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: npx semantic-release
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -1,63 +1,137 @@
-name: Terraform
-on: [push]
+name: 'Terraform'
+on:
+  push:
+    branches:
+      - main
+  pull_request:
 
 env:
-  TERRAFORM_VERSION: 1.0.9
+  TERRAFORM_VERSION: 1.1.7
+  TFLINT_VERSION: 0.34.1
   AWS_DEFAULT_REGION: ap-southeast-2
 
 jobs:
-  format:
-    name: Format
+  terraform:
+    name: 'Terraform'
     runs-on: ubuntu-latest
-    timeout-minutes: 5
     steps:
       - name: Checkout
-        uses: actions/checkout@v2.1.0
-      - name: Format all
-        uses: hashicorp/terraform-github-actions@v0.8.0
+        uses: actions/checkout@v2
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v1
+        # with:
+          # terraform_version: ${{ env.TERRAFORM_VERSION }} ## Use the latest version
+          # cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
+
+      - name: Terraform Format
+        id: fmt
+        run: terraform fmt -check -diff
+        continue-on-error: true
+
+      - name: Terraform Init
+        id: init
+        run: terraform init
+
+      - name: Terraform Validate
+        id: validate
+        run: terraform validate -no-color
+
+      # - name: Terraform Plan
+      #   id: plan
+      #   if: github.event_name == 'pull_request'
+      #   run: terraform plan -no-color
+      #   continue-on-error: true
+
+      - name: Update Pull Request
+        uses: actions/github-script@0.9.0
+        if: github.event_name == 'pull_request'
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          FMT: "\n${{ steps.fmt.outputs.stdout }}"
+        #   PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
         with:
-          tf_actions_version: ${{ env.TERRAFORM_VERSION }}
-          tf_actions_comment: true
-          tf_actions_subcommand: fmt
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
+            #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
+            #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
+            #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
+
+            <details>
+            <summary>Show Format</summary>
+
+            \`\`\`diff
+            ${process.env.FMT}
+            \`\`\`
+
+            </details>
+
+            *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
+
+            github.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            })
+
+### Add to the above  details section if running a plan
+# <summary>Show Plan</summary>
+
+# \`\`\`\n
+# ${process.env.PLAN}
+# \`\`\`
+
+# - name: Terraform Plan Status
+#   if: steps.plan.outcome == 'failure'
+#   run: exit 1
+
+# - name: Terraform Apply
+#   if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+#   run: terraform apply -auto-approve
 
-  validate:
-    name: Validate
+  tflint:
+    name: Lint
+    needs: terraform
     runs-on: ubuntu-latest
-    timeout-minutes: 5
-    strategy:
-      matrix:
-        dir:
-          - '.'
     steps:
-      - name: Checkout
-        uses: actions/checkout@v2.1.0
-      - name: Init
-        uses: hashicorp/terraform-github-actions@v0.8.0
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tf_actions_version: ${{ env.TERRAFORM_VERSION }}
-          tf_actions_working_dir: ${{ matrix.dir }}
-          tf_actions_comment: true
-          tf_actions_subcommand: init
-      - name: Validate
-        uses: hashicorp/terraform-github-actions@v0.8.0
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tf_actions_version: ${{ env.TERRAFORM_VERSION }}
-          tf_actions_working_dir: ${{ matrix.dir }}
-          tf_actions_comment: true
-          tf_actions_subcommand: validate
+    - name: Checkout
+      uses: actions/checkout@v2
 
-  lint:
-    name: Lint
+    - name: Cache plugin dir
+      uses: actions/cache@v2
+      with:
+        path: ~/.tflint.d/plugins
+        key: ubuntu-latest-tflint-${{ hashFiles('.tflint.hcl') }}
+
+    - name: Setup TFLint
+      uses: terraform-linters/setup-tflint@v1
+      with:
+        tflint_version: "v${{ env.TFLINT_VERSION }}"
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Show version
+      run: tflint --version
+
+    - name: Init TFLint
+      run: tflint --init
+
+    - name: Run TFLint
+      run: tflint -f compact
+
+  tfdocs:
+    needs: tflint
     runs-on: ubuntu-latest
-    timeout-minutes: 5
     steps:
-      - name: Checkout
-        uses: actions/checkout@v2.1.0
-      - name: TFLint
-        run: docker run --rm -v ${PWD}:/data ghcr.io/terraform-linters/tflint
+    - name: Checkout
+      uses: actions/checkout@v2
+      with:
+        ref: ${{ github.event.pull_request.head.ref }}
+
+    - name: Render terraform docs and push changes back to PR
+      uses: terraform-docs/gh-actions@main
+      with:
+        working-dir: .
+        output-file: README.md
+        output-method: inject
+        git-push: "true"
diff --git a/.tflint.hcl b/.tflint.hcl
@@ -0,0 +1,49 @@
+config {
+  plugin_dir = "./.tflint.d/plugins"
+}
+
+# TF Rules
+
+rule "terraform_comment_syntax" {
+  enabled = true
+}
+
+rule "terraform_documented_outputs" {
+  enabled = true
+}
+
+rule "terraform_documented_variables" {
+  enabled = true
+}
+
+rule "terraform_naming_convention" {
+  enabled = true
+}
+
+rule "terraform_required_providers" {
+  enabled = true
+}
+
+rule "terraform_required_version" {
+  enabled = true
+}
+
+rule "terraform_typed_variables" {
+  enabled = true
+}
+
+rule "terraform_unused_declarations" {
+  enabled = true
+}
+
+rule "terraform_unused_required_providers" {
+  enabled = true
+}
+
+# AWS
+
+plugin "aws" {
+    enabled = true
+    version = "0.12.0"
+    source  = "github.com/terraform-linters/tflint-ruleset-aws"
+}
diff --git a/Makefile b/Makefile
@@ -0,0 +1,38 @@
+
+COMPOSE_RUN_TF = docker-compose run terraform
+COMPOSE_TF_LINT = docker-compose run terraform-lint
+COMPOSE_TF_DOCS = docker-compose run terraform-docs
+
+.env: ## Create .env file
+	@echo "No .env file found. Create new .env using .env.template"
+	cp .env.template .env
+
+.PHONY: init
+init: .env
+	$(COMPOSE_RUN_TF) terraform init
+
+.PHONY: #validate
+validate: .env init
+	$(COMPOSE_RUN_TF) terraform validate
+
+.PHONY: format
+format: .env #init
+	$(COMPOSE_RUN_TF) terraform fmt
+
+.PHONY: lint
+lint: .env #init
+	$(COMPOSE_TF_LINT) --init
+	$(COMPOSE_TF_LINT) --version
+	$(COMPOSE_TF_LINT) --format compact
+
+.PHONY: docs
+docs: .env init
+	$(COMPOSE_TF_DOCS) markdown --output-file README.md --output-mode inject .
+
+.PHONY: precommit
+precommit: .env init validate format lint docs
+	echo "Done"
+
+.PHONY: clean
+clean:
+	rm -rf .env .terraform *.tfstate .tflint.d
diff --git a/README.md b/README.md
@@ -139,3 +139,77 @@ You can send a test email once the deployment is complete and you have confirmed
 ## License
 
 This library is licensed under the MIT License. See the LICENSE file.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.0 |
+| <a name="requirement_archive"></a> [archive](#requirement\_archive) | ~> 2.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.0, < 5.0.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_archive"></a> [archive](#provider\_archive) | ~> 2.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.0, < 5.0.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_event_rule.trigger](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
+| [aws_cloudwatch_event_target.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
+| [aws_iam_role.iam_for_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_lambda_function.sechub_summariser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_lambda_permission.trigger](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
+| [aws_securityhub_insight.all_by_severity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_insight) | resource |
+| [aws_securityhub_insight.auditman_by_severity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_insight) | resource |
+| [aws_securityhub_insight.aws_best_prac_by_severity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_insight) | resource |
+| [aws_securityhub_insight.aws_best_prac_by_status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_insight) | resource |
+| [aws_securityhub_insight.chatbot_by_severity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_insight) | resource |
+| [aws_securityhub_insight.cis_by_severity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_insight) | resource |
+| [aws_securityhub_insight.cis_by_status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_insight) | resource |
+| [aws_securityhub_insight.detective_by_severity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_insight) | resource |
+| [aws_securityhub_insight.fwman_by_severity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_insight) | resource |
+| [aws_securityhub_insight.guardduty_by_severity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_insight) | resource |
+| [aws_securityhub_insight.health_by_severity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_insight) | resource |
+| [aws_securityhub_insight.iam_by_severity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_insight) | resource |
+| [aws_securityhub_insight.inspector_by_severity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_insight) | resource |
+| [aws_securityhub_insight.macie_by_severity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_insight) | resource |
+| [aws_securityhub_insight.new_findings](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_insight) | resource |
+| [aws_securityhub_insight.ssmops_by_severity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_insight) | resource |
+| [aws_securityhub_insight.ssmpm_by_severity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_insight) | resource |
+| [aws_securityhub_insight.ta_by_severity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_insight) | resource |
+| [aws_securityhub_insight.top_resource_types](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_insight) | resource |
+| [aws_sns_topic.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
+| [aws_sns_topic_subscription.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
+| [archive_file.code](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
+| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_additional_email_footer_text"></a> [additional\_email\_footer\_text](#input\_additional\_email\_footer\_text) | Additional text to append at the end of email message | `string` | `""` | no |
+| <a name="input_additional_email_header_text"></a> [additional\_email\_header\_text](#input\_additional\_email\_header\_text) | Additional text to prepend at the start of email message | `string` | `""` | no |
+| <a name="input_email"></a> [email](#input\_email) | Email Address for Subscriber to Security Hub summary. Only used if SNS arn is not specified | `string` | `null` | no |
+| <a name="input_insights"></a> [insights](#input\_insights) | list of insights and in what order to include in the summary. | `list(any)` | `[]` | no |
+| <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | KMS Key ID to use for encrypting the topic | `string` | `"alias/aws/sns"` | no |
+| <a name="input_name"></a> [name](#input\_name) | ID element | `string` | `"sechub-summariser"` | no |
+| <a name="input_schedule"></a> [schedule](#input\_schedule) | Expression for scheduling the Security Hub summary email. Default: Every Monday 8:00 AM UTC. Example: Every Friday 9:00 AM UTC: cron(0 9 ? * 6 *) | `string` | `"cron(0 8 ? * 2 *)"` | no |
+| <a name="input_sns_topic_arn"></a> [sns\_topic\_arn](#input\_sns\_topic\_arn) | ARN of the SNS Topic to send summaries to. If empty, a topic is created for you. | `string` | `null` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Additional tags | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_sns_topic_arn"></a> [sns\_topic\_arn](#output\_sns\_topic\_arn) | The SNS topic that was created |
+<!-- END_TF_DOCS -->
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -0,0 +1,22 @@
+version: '3.6'
+
+services:
+  terraform:
+    image: hashicorp/terraform:1.1.7
+    env_file: .env
+    entrypoint: []
+    working_dir: /opt/app
+    volumes:
+      - .:/opt/app:rw
+  terraform-lint:
+    image: ghcr.io/terraform-linters/tflint
+    env_file: .env
+    working_dir: /opt/app
+    volumes:
+      - .:/opt/app:rw
+  terraform-docs:
+    image: quay.io/terraform-docs/terraform-docs:0.16.0
+    env_file: .env
+    working_dir: /opt/app
+    volumes:
+      - .:/opt/app:rw
diff --git a/providers.tf b/providers.tf
@@ -0,0 +1,13 @@
+terraform {
+  required_version = "~> 1.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.0, < 5.0.0"
+    }
+    archive = {
+      source  = "hashicorp/archive"
+      version = "~> 2.0"
+    }
+  }
+}
