diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 9704244..c48f2b3 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,10 +1,21 @@
-# https://dependabot.com/docs/config-file-beta/validator/
---
version: 2
updates:
-
- - package-ecosystem: "github-actions"
- directory: "/"
+ - package-ecosystem: github-actions
+ directory: /
+ open-pull-requests-limit: 5
schedule:
- interval: "weekly"
- day: "wednesday"
+ interval: monthly
+ day: wednesday
+ - package-ecosystem: terraform
+ directory: modules/aws-asg
+ open-pull-requests-limit: 5
+ schedule:
+ interval: monthly
+ day: wednesday
+ - package-ecosystem: terraform
+ directory: modules/aws-asg/examples
+ open-pull-requests-limit: 5
+ schedule:
+ interval: monthly
+ day: wednesday
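Review bot: The third `terraform` entry points at `modules/aws-asg/examples`, but this same commit renames the example into `modules/aws-asg/examples/cga-with-vpc/` (see the renames of `cga_with_vpc.tf` to `cga-with-vpc/main.tf`), so that directory no longer holds any `.tf` files and the entry will presumably find nothing to update; it should read `directory: /modules/aws-asg/examples/cga-with-vpc`. The first entry writes its path as `/` while the terraform entries drop the leading slash; Dependabot's documented examples use the leading-slash form, so `directory: /modules/aws-asg` keeps the file consistent. Bumping `interval` from weekly to monthly is the author's call, but it also lengthens the window before an action or provider with a published advisory is proposed for update — a short comment stating the reason would help the next reader.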
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
deleted file mode 100644
index 2371030..0000000
--- a/.github/workflows/main.yml
+++ /dev/null
@@ -1,74 +0,0 @@
-name: Terraform Check
-
-on:
- push:
- branches:
- - main
- pull_request:
- branches:
- - main
-
-permissions: read-all
-
-defaults:
- run:
- shell: sh
-
-jobs:
-
- validate:
- name: Validate
- runs-on: ubuntu-latest
- container: hashicorp/terraform:light
- steps:
- - name: Checkout
- uses: actions/checkout@v2
- - name: Validate
- run: find ./modules/ -maxdepth 1 -mindepth 1
- -exec terraform init {} \;
- -exec terraform validate {} \;
-
- format:
- name: Format
- runs-on: ubuntu-latest
- container: hashicorp/terraform:light
- steps:
- - name: Checkout
- uses: actions/checkout@v2
- - name: Format
- run: terraform fmt -check -diff -recursive
-
- lint:
- name: Lint
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v2
- - name: Setup
- uses: terraform-linters/setup-tflint@v1.1.0
- - name: Show version
- run: tflint --version
- - name: Run
- run: >
- find ./modules/ -maxdepth 1 -mindepth 1
- -exec tflint {} --loglevel=info \;
-
- security:
- name: Security
- runs-on: ubuntu-latest
- permissions:
- checks: write
- contents: read
- security-events: write
- statuses: write
- steps:
- - name: Checkout
- uses: actions/checkout@v2
- - name: tfsec
- uses: tfsec/tfsec-sarif-action@master
- with:
- sarif_file: tfsec.sarif
- - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
- with:
- sarif_file: tfsec.sarif
diff --git a/.github/workflows/terraform-checks.yml b/.github/workflows/terraform-checks.yml
new file mode 100644
index 0000000..7aa0f49
--- /dev/null
+++ b/.github/workflows/terraform-checks.yml
@@ -0,0 +1,77 @@
+name: Terraform Check
+
+on:
+ pull_request:
+ branches:
+ - main
+
+env:
+ TERRAFORM_DOCS_VERSION: v0.16.0
+
+jobs:
+ collectInputs:
+ name: Collect workflow inputs
+ runs-on: ubuntu-latest
+ outputs:
+ directories: ${{ steps.dirs.outputs.directories }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Get root directories
+ id: dirs
+ uses: clowdhaus/terraform-composite-actions/directories@v1.3.0
+
+ preCommitMinVersions:
+ name: Min TF pre-commit
+ needs: collectInputs
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ directory: ${{ fromJson(needs.collectInputs.outputs.directories) }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Terraform min/max versions
+ id: minMax
+ uses: clowdhaus/terraform-min-max@v1.0.3
+ with:
+ directory: ${{ matrix.directory }}
+
+ - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
+ # Run only validate pre-commit check on min version supported
+ if: ${{ matrix.directory != '.' }}
+ uses: clowdhaus/terraform-composite-actions/pre-commit@v1.3.0
+ with:
+ terraform-version: ${{ steps.minMax.outputs.minVersion }}
+ args: 'terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*'
+
+ - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
+ # Run only validate pre-commit check on min version supported
+ if: ${{ matrix.directory == '.' }}
+ uses: clowdhaus/terraform-composite-actions/pre-commit@v1.3.0
+ with:
+ terraform-version: ${{ steps.minMax.outputs.minVersion }}
+ args: 'terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)'
+
+ preCommitMaxVersion:
+ name: Max TF pre-commit
+ runs-on: ubuntu-latest
+ needs: collectInputs
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ repository: ${{github.event.pull_request.head.repo.full_name}}
+
+ - name: Terraform min/max versions
+ id: minMax
+ uses: clowdhaus/terraform-min-max@v1.0.3
+
+ - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
+ uses: clowdhaus/terraform-composite-actions/pre-commit@v1.3.0
+ with:
+ terraform-version: ${{ steps.minMax.outputs.maxVersion }}
+ terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }}
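Review bot: This workflow has no top-level `permissions:` block, whereas the `main.yml` it replaces declared `permissions: read-all`, so the `GITHUB_TOKEN` handed to every job now falls back to the repository's default permission set; add `permissions:` / `  contents: read` at the top level (the jobs here only check out and run hooks). The `preCommitMaxVersion` job checks out `github.event.pull_request.head.ref` from `head.repo.full_name`, i.e. it deliberately runs the contributor's branch, including a fork's, so the token scope above matters for this job in particular. Every third-party action (`clowdhaus/terraform-composite-actions@v1.3.0`, `clowdhaus/terraform-min-max@v1.0.3`, `actions/checkout@v2`) is referenced by a mutable tag; for actions that run arbitrary hook code against the checkout, pinning to a full commit SHA with the tag in a trailing comment is the usual mitigation. The two `Pre-commit Terraform` steps in `preCommitMinVersions` carry the same name and the same comment although they differ only in the `if:` condition; a comment on the second such as `# root directory: pass the top-level *.tf files explicitly` would explain why two steps exist.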
diff --git a/.github/workflows/terraform-security.yml b/.github/workflows/terraform-security.yml
new file mode 100644
index 0000000..f200856
--- /dev/null
+++ b/.github/workflows/terraform-security.yml
@@ -0,0 +1,27 @@
+name: Terraform Security
+
+on:
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ security:
+ name: Security
+ runs-on: ubuntu-latest
+ permissions:
+ checks: write
+ contents: read
+ security-events: write
+ statuses: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ - name: tfsec
+ uses: tfsec/tfsec-sarif-action@master
+ with:
+ sarif_file: tfsec.sarif
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: tfsec.sarif
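Review bot: The `tfsec` step references `tfsec/tfsec-sarif-action@master`, a mutable branch, inside a job that holds `security-events: write`, `checks: write` and `statuses: write`; whatever that branch resolves to on a given day runs with those scopes, so pin it to a release tag or, better, a full commit SHA. Of the four scopes granted, the visible steps only need `contents: read` for the checkout and `security-events: write` for `upload-sarif`; `checks: write` and `statuses: write` look unused by these steps and could be dropped unless the action itself posts check results (not determinable from here). `actions/checkout@v2` and `github/codeql-action/upload-sarif@v1` are likewise tag-pinned only. The same applies to the third-party actions in the new `terraform-checks.yml`.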
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 6beab84..e90ecc3 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,10 +1,14 @@
---
repos:
-- repo: git://github.com/antonbabenko/pre-commit-terraform
- rev: v1.31.0
- hooks:
- - id: terraform_fmt
- - id: terraform_validate
- - id: terraform_docs_replace
- - id: terraform_tflint
- - id: terraform_tfsec
+ - repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.63.0
+ hooks:
+ - id: terraform_fmt
+ - id: terraform_validate
+ - id: terraform_docs
+ - id: terraform_tflint
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.1.0
+ hooks:
+ - id: check-merge-conflict
+ - id: end-of-file-fixer
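Review bot: The `terraform_tfsec` hook is dropped from the local hook list while tfsec keeps running in CI via the new `terraform-security.yml`, so a contributor running the hooks locally (as the README now instructs) no longer sees the findings that the `#tfsec:ignore:...` annotations in `modules/aws-asg/main.tf` are renamed for in this same commit; presumably this is intentional, but it is worth either re-adding `- id: terraform_tfsec` or noting the split with a comment such as `# tfsec runs in CI only, see .github/workflows/terraform-security.yml`. Switching the repo URL from `git://` to `https://` is the right move, since the git protocol is unauthenticated and unencrypted.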
diff --git a/README.md b/README.md
index 102370f..5a3cdb0 100644
--- a/README.md
+++ b/README.md
@@ -15,7 +15,9 @@ Check the [Product Documentation](https://campus.barracuda.com/product/cloudgena
## Misc
- This repository has [pre-commit](https://github.com/antonbabenko/pre-commit-terraform) configured
- - Test all the pre-commit hooks with `pre-commit run -a`
+ - Test all the pre-commit hooks with:
+ - `docker run -v $(pwd):/lint -w /lint ghcr.io/antonbabenko/pre-commit-terraform:latest run -a`
+ - Cleanup, in case of plugin issues: `find . -name ".terraform*" -print0 | xargs -0 rm -r`
- Test github actions with [nektos/act](https://github.com/nektos/act)
## Links
diff --git a/modules/aws-asg/README.md b/modules/aws-asg/README.md
index ae9437c..1ac865e 100644
--- a/modules/aws-asg/README.md
+++ b/modules/aws-asg/README.md
@@ -79,3 +79,4 @@ No modules.
| Name | Description |
|------|-------------|
| [Network\_Load\_Balancer\_DNS\_Name](#output\_Network\_Load\_Balancer\_DNS\_Name) | Update the CloudGen Access Proxy in the Console with this DNS name |
+| [Security\_Group\_for\_Resources](#output\_Security\_Group\_for\_Resources) | Use this group to allow CloudGen Access Proxy access to internal resources |
diff --git a/modules/aws-asg/examples/README.md b/modules/aws-asg/examples/cga-with-vpc/README.md
similarity index 83%
rename from modules/aws-asg/examples/README.md
rename to modules/aws-asg/examples/cga-with-vpc/README.md
index 8682c38..2eb5047 100644
--- a/modules/aws-asg/examples/README.md
+++ b/modules/aws-asg/examples/cga-with-vpc/README.md
@@ -6,8 +6,8 @@ No requirements.
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | n/a |
-| [tls](#provider\_tls) | n/a |
+| [aws](#provider\_aws) | 3.74.1 |
+| [tls](#provider\_tls) | 3.1.0 |
## Modules
@@ -35,3 +35,4 @@ No requirements.
| Name | Description |
|------|-------------|
| [Network\_Load\_Balancer\_DNS\_Name](#output\_Network\_Load\_Balancer\_DNS\_Name) | n/a |
+| [Security\_Group\_for\_Resources](#output\_Security\_Group\_for\_Resources) | n/a |
diff --git a/modules/aws-asg/examples/cga_with_vpc.tf b/modules/aws-asg/examples/cga-with-vpc/main.tf
similarity index 86%
rename from modules/aws-asg/examples/cga_with_vpc.tf
rename to modules/aws-asg/examples/cga-with-vpc/main.tf
index e28847c..4abe96f 100644
--- a/modules/aws-asg/examples/cga_with_vpc.tf
+++ b/modules/aws-asg/examples/cga-with-vpc/main.tf
@@ -16,6 +16,12 @@ locals {
provider "aws" {
region = local.aws_region
+ default_tags {
+ tags = {
+ Owner = "team"
+ Environment = "test"
+ }
+ }
}
#
@@ -23,10 +29,11 @@ provider "aws" {
#
module "cloudgen-access-proxy" {
- source = "git::git@github.com:barracuda-cloudgen-access/terraform-modules.git//modules/aws-asg?ref=v1.2.2"
+ source = "../../"
# More examples
# run 'rm -rf .terraform/' after changing source
+ # source = "git::git@github.com:barracuda-cloudgen-access/terraform-modules.git//modules/aws-asg?ref=vx.x.x"
# source = "git::git@github.com:barracuda-cloudgen-access/terraform-modules.git//modules/aws-asg?ref="
# source = "../"
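Review bot: The context line `# source = "../"` is stale once this file moves from `examples/` to `examples/cga-with-vpc/`: relative to the new location `../` resolves to `modules/aws-asg/examples`, not to the module, and the active value above it is already `../../`; remove the line or change it to match. The two commented `git::...?ref=` lines now say the same thing twice (`ref=vx.x.x` and an empty `ref=`); keeping only the placeholder form avoids suggesting an unpinned `ref`. The `module "cloudgen-access-proxy"` block continues past this hunk.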
@@ -51,8 +58,7 @@ module "cloudgen-access-proxy" {
launch_cfg_key_pair_name = module.key_pair.key_pair_key_name
tags = {
- Environment = "test"
- Team = "awesome"
+ extra_tag = "extra-value"
}
}
@@ -68,7 +74,7 @@ output "Security_Group_for_Resources" {
# SSH key for instances
#
-# (!) The private key will be saves in the terraform state file
+# (!) The private key will be saved in the terraform state file
resource "tls_private_key" "private_key" {
algorithm = "RSA"
}
@@ -127,7 +133,7 @@ module "vpc" {
manage_default_security_group = true
tags = {
- environment = local.application
+ extra_tag = "extra-value"
}
vpc_tags = {
@@ -139,8 +145,7 @@ resource "aws_default_route_table" "default" {
default_route_table_id = module.vpc.default_route_table_id
tags = {
- Name = "${local.application}-default"
- environment = local.application
- warning = "This is created by AWS for the VPC and cannot be removed"
+ Name = "${local.application}-default"
+ warning = "This is created by AWS for the VPC and cannot be removed"
}
}
diff --git a/modules/aws-asg/main.tf b/modules/aws-asg/main.tf
index 1088b55..b9230cf 100644
--- a/modules/aws-asg/main.tf
+++ b/modules/aws-asg/main.tf
@@ -96,14 +96,14 @@ resource "aws_security_group" "inbound" {
from_port = 443
to_port = 443
protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS008
+ cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS009
+ cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
}
tags = {
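Review bot: The renamed suppressions `#tfsec:ignore:aws-vpc-no-public-ingress-sgr` and `#tfsec:ignore:aws-vpc-no-public-egress-sgr` carry no justification, so the next reader cannot tell whether the `0.0.0.0/0` rules are required or merely silenced; a short reason alongside each, e.g. `# public 443 ingress: proxy must accept client connections from the internet` and `# unrestricted egress: presumably needed for the proxy's outbound service connection — confirm`, documents the accepted risk. The `-1`/`0.0.0.0/0` egress in particular is the broader of the two and is worth stating explicitly if it is intentional. The `aws_security_group.inbound` resource begins before this hunk.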
@@ -237,11 +237,17 @@ resource "aws_launch_configuration" "launch_config" {
instance_type = var.launch_cfg_instance_type
key_name = var.launch_cfg_key_pair_name
name_prefix = "cga-proxy-${random_string.prefix.result}-"
+
+ metadata_options {
+ http_tokens = "required"
+ }
+
security_groups = compact([
aws_security_group.inbound.id,
aws_security_group.resources.id,
local.redis_enabled ? aws_security_group.redis[0].id : ""
])
+
user_data = <<-EOT
#!/bin/bash
%{~if var.cloudwatch_logs_enabled~}
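Review bot: `metadata_options { http_tokens = "required" }` enforces IMDSv2, which is the right change, but `http_endpoint` and `http_put_response_hop_limit` are left at provider defaults; if the `user_data` that continues below this hunk ever runs workloads in containers, the default hop limit of 1 keeps IMDS unreachable from their network namespace, so make the intent explicit with `http_endpoint = "enabled"` and `http_put_response_hop_limit = 1` next to `http_tokens`. A one-line comment such as `# IMDSv2 only: blocks SSRF-style credential theft via the metadata endpoint` would record why the block exists. The `aws_launch_configuration.launch_config` resource starts before and ends after this hunk.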
diff --git a/modules/aws-asg/provider.tf b/modules/aws-asg/provider.tf
deleted file mode 100644
index 73541ff..0000000
--- a/modules/aws-asg/provider.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-provider "aws" {
- region = var.aws_region
-
- default_tags {
- tags = local.common_tags_map
- }
-}