Merge pull request #11 from barracuda-cloudgen-access/remove-explicit…

…-provider

Remove aws provider from the module and update examples

.github/dependabot.yml

@@ -1,10 +1,21 @@
-# https://dependabot.com/docs/config-file-beta/validator/
 ---
 version: 2
 updates:
-
-  - package-ecosystem: "github-actions"
-    directory: "/"
+  - package-ecosystem: github-actions
+    directory: /
+    open-pull-requests-limit: 5
     schedule:
-      interval: "weekly"
-      day: "wednesday"
+      interval: monthly
+      day: wednesday
+  - package-ecosystem: terraform
+    directory: modules/aws-asg
+    open-pull-requests-limit: 5
+    schedule:
+      interval: monthly
+      day: wednesday
+  - package-ecosystem: terraform
+    directory: modules/aws-asg/examples
+    open-pull-requests-limit: 5
+    schedule:
+      interval: monthly
+      day: wednesday

.github/workflows/terraform-checks.yml

@@ -0,0 +1,77 @@
+name: Terraform Check
+
+on:
+  pull_request:
+    branches:
+      - main
+
+env:
+  TERRAFORM_DOCS_VERSION: v0.16.0
+
+jobs:
+  collectInputs:
+    name: Collect workflow inputs
+    runs-on: ubuntu-latest
+    outputs:
+      directories: ${{ steps.dirs.outputs.directories }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Get root directories
+        id: dirs
+        uses: clowdhaus/terraform-composite-actions/directories@v1.3.0
+
+  preCommitMinVersions:
+    name: Min TF pre-commit
+    needs: collectInputs
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        directory: ${{ fromJson(needs.collectInputs.outputs.directories) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Terraform min/max versions
+        id: minMax
+        uses: clowdhaus/terraform-min-max@v1.0.3
+        with:
+          directory: ${{ matrix.directory }}
+
+      - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
+        # Run only validate pre-commit check on min version supported
+        if: ${{ matrix.directory !=  '.' }}
+        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.3.0
+        with:
+          terraform-version: ${{ steps.minMax.outputs.minVersion }}
+          args: 'terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*'
+
+      - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
+        # Run only validate pre-commit check on min version supported
+        if: ${{ matrix.directory ==  '.' }}
+        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.3.0
+        with:
+          terraform-version: ${{ steps.minMax.outputs.minVersion }}
+          args: 'terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)'
+
+  preCommitMaxVersion:
+    name: Max TF pre-commit
+    runs-on: ubuntu-latest
+    needs: collectInputs
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{github.event.pull_request.head.repo.full_name}}
+
+      - name: Terraform min/max versions
+        id: minMax
+        uses: clowdhaus/terraform-min-max@v1.0.3
+
+      - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
+        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.3.0
+        with:
+          terraform-version: ${{ steps.minMax.outputs.maxVersion }}
+          terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }}

.github/workflows/terraform-security.yml

@@ -0,0 +1,27 @@
+name: Terraform Security
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  security:
+    name: Security
+    runs-on: ubuntu-latest
+    permissions:
+      checks: write
+      contents: read
+      security-events: write
+      statuses: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: tfsec
+        uses: tfsec/tfsec-sarif-action@master
+        with:
+          sarif_file: tfsec.sarif
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: tfsec.sarif

.pre-commit-config.yaml

@@ -1,10 +1,14 @@
 ---
 repos:
-- repo: git://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.31.0
-  hooks:
-    - id: terraform_fmt
-    - id: terraform_validate
-    - id: terraform_docs_replace
-    - id: terraform_tflint
-    - id: terraform_tfsec
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.63.0
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_validate
+      - id: terraform_docs
+      - id: terraform_tflint
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.1.0
+    hooks:
+      - id: check-merge-conflict
+      - id: end-of-file-fixer

README.md

@@ -15,7 +15,9 @@ Check the [Product Documentation](https://campus.barracuda.com/product/cloudgena
 ## Misc
 
 - This repository has [pre-commit](https://github.com/antonbabenko/pre-commit-terraform) configured
-  - Test all the pre-commit hooks with `pre-commit run -a`
+  - Test all the pre-commit hooks with:
+    - `docker run -v $(pwd):/lint -w /lint ghcr.io/antonbabenko/pre-commit-terraform:latest run -a`
+    - Cleanup, in case of plugin issues: `find . -name ".terraform*" -print0 | xargs -0 rm -r`
 - Test github actions with [nektos/act](https://github.com/nektos/act)
 
 ## Links

modules/aws-asg/README.md

@@ -79,3 +79,4 @@ No modules.
 | Name | Description |
 |------|-------------|
 | <a name="output_Network_Load_Balancer_DNS_Name"></a> [Network\_Load\_Balancer\_DNS\_Name](#output\_Network\_Load\_Balancer\_DNS\_Name) | Update the CloudGen Access Proxy in the Console with this DNS name |
+| <a name="output_Security_Group_for_Resources"></a> [Security\_Group\_for\_Resources](#output\_Security\_Group\_for\_Resources) | Use this group to allow CloudGen Access Proxy access to internal resources |

modules/aws-asg/examples/README.md → modules/aws-asg/examples/cga-with-vpc/README.md

@@ -6,8 +6,8 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
-| <a name="provider_tls"></a> [tls](#provider\_tls) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.74.1 |
+| <a name="provider_tls"></a> [tls](#provider\_tls) | 3.1.0 |
 
 ## Modules
 
@@ -35,3 +35,4 @@ No requirements.
 | Name | Description |
 |------|-------------|
 | <a name="output_Network_Load_Balancer_DNS_Name"></a> [Network\_Load\_Balancer\_DNS\_Name](#output\_Network\_Load\_Balancer\_DNS\_Name) | n/a |
+| <a name="output_Security_Group_for_Resources"></a> [Security\_Group\_for\_Resources](#output\_Security\_Group\_for\_Resources) | n/a |

modules/aws-asg/examples/cga_with_vpc.tf → modules/aws-asg/examples/cga-with-vpc/main.tf

@@ -16,17 +16,24 @@ locals {
 
 provider "aws" {
   region = local.aws_region
+  default_tags {
+    tags = {
+      Owner       = "team"
+      Environment = "test"
+    }
+  }
 }
 
 #
 # CloudGen Access Proxy
 #
 
 module "cloudgen-access-proxy" {
-  source = "git::git@github.com:barracuda-cloudgen-access/terraform-modules.git//modules/aws-asg?ref=v1.2.2"
+  source = "../../"
 
   # More examples
   # run 'rm -rf .terraform/' after changing source
+  # source = "git::git@github.com:barracuda-cloudgen-access/terraform-modules.git//modules/aws-asg?ref=vx.x.x"
   # source = "git::git@github.com:barracuda-cloudgen-access/terraform-modules.git//modules/aws-asg?ref=<branch-name>"
   # source = "../"
 
@@ -51,8 +58,7 @@ module "cloudgen-access-proxy" {
   launch_cfg_key_pair_name = module.key_pair.key_pair_key_name
 
   tags = {
-    Environment = "test"
-    Team        = "awesome"
+    extra_tag = "extra-value"
   }
 }
 
@@ -68,7 +74,7 @@ output "Security_Group_for_Resources" {
 # SSH key for instances
 #
 
-# (!) The private key will be saves in the terraform state file
+# (!) The private key will be saved in the terraform state file
 resource "tls_private_key" "private_key" {
   algorithm = "RSA"
 }
@@ -127,7 +133,7 @@ module "vpc" {
   manage_default_security_group  = true
 
   tags = {
-    environment = local.application
+    extra_tag = "extra-value"
   }
 
   vpc_tags = {
@@ -139,8 +145,7 @@ resource "aws_default_route_table" "default" {
   default_route_table_id = module.vpc.default_route_table_id
 
   tags = {
-    Name        = "${local.application}-default"
-    environment = local.application
-    warning     = "This is created by AWS for the VPC and cannot be removed"
+    Name    = "${local.application}-default"
+    warning = "This is created by AWS for the VPC and cannot be removed"
   }
 }

modules/aws-asg/main.tf

@@ -96,14 +96,14 @@ resource "aws_security_group" "inbound" {
     from_port   = 443
     to_port     = 443
     protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS008
+    cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
   }
 
   egress {
     from_port   = 0
     to_port     = 0
     protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS009
+    cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
   }
 
   tags = {
@@ -237,11 +237,17 @@ resource "aws_launch_configuration" "launch_config" {
   instance_type               = var.launch_cfg_instance_type
   key_name                    = var.launch_cfg_key_pair_name
   name_prefix                 = "cga-proxy-${random_string.prefix.result}-"
+
+  metadata_options {
+    http_tokens = "required"
+  }
+
   security_groups = compact([
     aws_security_group.inbound.id,
     aws_security_group.resources.id,
     local.redis_enabled ? aws_security_group.redis[0].id : ""
   ])
+
   user_data = <<-EOT
   #!/bin/bash
   %{~if var.cloudwatch_logs_enabled~}