From e3ab1e1bb9a73f0b3da2ec5c15fa903cca0d9063 Mon Sep 17 00:00:00 2001
From: zuriguardiola
Date: Wed, 3 Nov 2021 09:41:00 +0000
Subject: [PATCH 1/5] Initial module commit
---
.github/workflows/documentation.yml | 25 ++++
.../workflows/terraform-static-analysis.yml | 47 +++++++
main.tf | 121 ++++++++++++++++++
outputs.tf | 0
providers.tf | 7 +
variables.tf | 12 ++
versions.tf | 0
7 files changed, 212 insertions(+)
create mode 100644 .github/workflows/documentation.yml
create mode 100644 .github/workflows/terraform-static-analysis.yml
create mode 100644 main.tf
create mode 100644 outputs.tf
create mode 100644 providers.tf
create mode 100644 variables.tf
create mode 100644 versions.tf
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
new file mode 100644
index 0000000..0bebeec
--- /dev/null
+++ b/.github/workflows/documentation.yml
@@ -0,0 +1,25 @@
+name: Generate Terraform README docs
+on:
+ workflow_dispatch:
+ pull_request:
+ branches:
+ - main
+ paths:
+ - '**.md'
+ - '.github/workflows/documentation.yml'
+
+jobs:
+ docs:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+
+ - name: Render terraform docs and push changes back to PR
+ uses: terraform-docs/gh-actions@v0.10.0
+ with:
+ working-dir: .
+ output-file: README.md
+ output-method: inject
+ git-push: "true"
diff --git a/.github/workflows/terraform-static-analysis.yml b/.github/workflows/terraform-static-analysis.yml
new file mode 100644
index 0000000..d0f3fe1
--- /dev/null
+++ b/.github/workflows/terraform-static-analysis.yml
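Review bot: The `paths` filter on the `pull_request` trigger lists only `'**.md'` and the workflow file itself, but the terraform-docs step renders README.md from the module's `.tf` files, so a PR that changes only `variables.tf` (as the third patch in this series does) would not regenerate the inputs table; add `- '**.tf'` to `paths`. The job also pushes commits back to the PR branch (`git-push: "true"`) while both actions are pinned to mutable tags, `actions/checkout@v2` and `terraform-docs/gh-actions@v0.10.0`; a workflow with write access to the branch should pin each action to a full commit SHA with the tag kept in a trailing comment. Checking out `github.event.pull_request.head.ref` by branch name presumably only resolves for branches in this repository, so fork PRs would fail at the checkout step — if that is intended, a comment above the step saying so would save the next reader a debugging session.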
@@ -0,0 +1,47 @@
+name: Terraform Static Code Analysis
+
+on:
+ workflow_dispatch:
+ pull_request:
+ branches:
+ - main
+ paths:
+ - '**.tf'
+ - '.github/workflows/terraform-static-analysis.yml'
+
+jobs:
+ terraform-static-analysis:
+ name: Terraform Static Analysis
+ runs-on: ubuntu-latest
+ if: github.event_name != 'workflow_dispatch'
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2.3.4
+ with:
+ fetch-depth: 0
+ - name: Run Analysis
+ uses: ministryofjustice/github-actions/terraform-static-analysis@main
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ scan_type: single
+ tfsec_exclude: AWS089, AWS099, AWS009, AWS097, AWS018
+ checkov_exclude: CKV_GIT_1, CKV_AWS_23
+
+ terraform-static-analysis-full-scan:
+ name: Terraform Static Analysis - scan all directories
+ runs-on: ubuntu-latest
+ if: github.event_name == 'workflow_dispatch'
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2.3.4
+ with:
+ fetch-depth: 0
+ - name: Run Analysis
+ uses: ministryofjustice/github-actions/terraform-static-analysis@main
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ scan_type: full
+ tfsec_exclude: AWS089, AWS099, AWS009, AWS097, AWS018
+ checkov_exclude: CKV_GIT_1, CKV_AWS_23
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..19b825e
--- /dev/null
+++ b/main.tf
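Review bot: Both `Run Analysis` steps consume `ministryofjustice/github-actions/terraform-static-analysis@main`, a floating branch reference, and hand it `secrets.GITHUB_TOKEN`, so any commit to that branch changes what runs in this repository with no review here; pin it to a release tag or, better, a full commit SHA (the `actions/checkout@v2.3.4` pin is likewise a tag rather than a SHA). The `tfsec_exclude` and `checkov_exclude` lists are copied verbatim into both jobs and carry no justification; a comment above each list of the form `# Excluded: <rule id> - <reason>; revisit when <condition>`, one entry per rule, would record why each check is suppressed, and hoisting the two lists into a workflow-level `env:` referenced as `${{ env.TFSEC_EXCLUDE }}` / `${{ env.CHECKOV_EXCLUDE }}` would stop the jobs drifting apart — the fifth patch in this series already has to edit both copies in step.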
@@ -0,0 +1,121 @@
+
+module "s3-bucket" {
+ source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v4.0.0"
+
+ providers = {
+ aws.bucket-replication = aws.bucket-replication
+ }
+ bucket_prefix = var.bucket_prefix
+ replication_enabled = false
+
+ lifecycle_rule = [
+ {
+ id = "main"
+ enabled = true
+ prefix = ""
+
+ tags = {
+ rule = "log"
+ autoclean = "true"
+ }
+
+ transition = [
+ {
+ days = 90
+ storage_class = "STANDARD_IA"
+ }, {
+ days = 365
+ storage_class = "GLACIER"
+ }
+ ]
+
+ expiration = {
+ days = 730
+ }
+
+ noncurrent_version_transition = [
+ {
+ days = 90
+ storage_class = "STANDARD_IA"
+ }, {
+ days = 365
+ storage_class = "GLACIER"
+ }
+ ]
+
+ noncurrent_version_expiration = {
+ days = 730
+ }
+ }
+ ]
+
+ tags = var.tags
+}
+
+resource "aws_iam_role" "vmimport" {
+ name = "vmimport"
+ assume_role_policy = data.aws_iam_policy_document.vmimport-trust-policy.json
+ tags = merge(
+ var.tags,
+ {
+ Name = "${var.application_name}-vmimport-role"
+ }
+ )
+}
+
+data "aws_iam_policy_document" "vmimport-trust-policy" {
+ version = "2012-10-17"
+ statement {
+ sid = ""
+ effect = "Allow"
+ actions = [
+ "sts:AssumeRole",
+ ]
+ principals {
+ type = "Service"
+ identifiers = [
+ "vmie.amazonaws.com"
+ ]
+ }
+ }
+}
+
+resource "aws_iam_policy" "vmimport-policy" {
+ name = "${var.application_name}-vmimport-policy"
+ policy = < Date: Wed, 3 Nov 2021 10:56:52 +0000
Subject: [PATCH 2/5] Add versions and update README
---
README.md | 26 ++++++++++++++++----------
versions.tf | 9 +++++++++
2 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index 0826d50..a4cada5 100644
--- a/README.md
+++ b/README.md
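Review bot: The `vmimport-trust-policy` statement lets `vmie.amazonaws.com` assume the role with no `condition` block, whereas the trust policy in AWS's VM Import/Export service-role documentation scopes the same statement with an `sts:ExternalId` of `vmimport`; nothing on the page explains omitting that guard, so it should be added to the statement. This hunk is cut off in this copy of the patch — everything from `policy = <` in `aws_iam_policy.vmimport-policy` to the end of main.tf (the heredoc policy body and the `vmimport_policy_attachment` listed in the later README) is missing — so the permissions actually granted to the role cannot be reviewed here. `name = "vmimport"` is a fixed, unprefixed name while the policy is prefixed with `var.application_name`; if the fixed name is required by the import service, a comment such as `# Role name is fixed: the VM Import service looks for a role called "vmimport", so only one instance of this module can exist per account` would stop a future reader from "fixing" the inconsistency.
```hcl
data "aws_iam_policy_document" "vmimport-trust-policy" {
  version = "2012-10-17"
  statement {
    # … unchanged: sid, effect, actions, principals …
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = ["vmimport"]
    }
  }
}
```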
@@ -1,15 +1,21 @@
-# Ministry of Justice Template Repository
+## Usage
-Use this template to [create a repository] with the default initial files for a Ministry of Justice Github repository, including:
+```hcl
-* The correct LICENSE
-* Github actions
-* .gitignore file
+module "vm-import" {
-Once you have created your repository, please:
+ source = "github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import"
-* Edit the copy of this README.md file to document your project
-* Grant permissions to the appropriate MoJ teams
-* Setup branch protection
+ bucket_prefix = local.application_data.accounts[local.environment].bucket_prefix
+ tags = local.tags
+ application_name = local.application_name
-[create a repository]: https://github.com/ministryofjustice/template-repository/generate
+}
+
+```
+
+
+
+
+## Looking for issues?
+If you're looking to raise an issue with this module, please create a new issue in the [Modernisation Platform repository](https://github.com/ministryofjustice/modernisation-platform/issues).
diff --git a/versions.tf b/versions.tf
index e69de29..812a9f5 100644
--- a/versions.tf
+++ b/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_providers {
+ aws = {
+ version = ">= 3.47.0"
+ source = "hashicorp/aws"
+ }
+ }
+ required_version = ">= 1.0.1"
+}
From 817f488a150b99381837f18ed92f9a0d4d5c9e68 Mon Sep 17 00:00:00 2001
From: zuriguardiola
Date: Thu, 4 Nov 2021 08:57:01 +0000
Subject: [PATCH 3/5] Parameterise account number for the s3 replication provider
---
main.tf | 1 -
providers.tf | 2 +-
variables.tf | 4 ++++
3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/main.tf b/main.tf
index 19b825e..cdbfbc1 100644
--- a/main.tf
+++ b/main.tf
@@ -1,4 +1,3 @@
-
 module "s3-bucket" {
 source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v4.0.0"
diff --git a/providers.tf b/providers.tf
index 3989a68..4c0b4f7 100644
--- a/providers.tf
+++ b/providers.tf
@@ -2,6 +2,6 @@ provider "aws" {
 alias = "bucket-replication"
 region = "eu-west-2"
 assume_role {
- role_arn = "arn:aws:iam::276038508461:role/MemberInfrastructureAccess"
+ role_arn = "arn:aws:iam::${var.account_number}:role/MemberInfrastructureAccess"
 }
 }
diff --git a/variables.tf b/variables.tf
index 0f1fb6f..a199a2b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -2,6 +2,10 @@ variable "bucket_prefix" {
 type = string
 description = "Prefix for s3 bucket"
 }
+variable "account_number" {
+ type = string
+ description = "Account number of current environment"
+}
 variable "tags" {
 type = map(string)
 description = "Common tags to be used by all resources"
From 07c8a304d5bee38fd0d5f1778dd19e0d202cad7b Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Thu, 4 Nov 2021 09:00:52 +0000
Subject: [PATCH 4/5] terraform-docs: automated action
---
README.md | 40 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/README.md b/README.md
index a4cada5..5dbd469 100644
--- a/README.md
+++ b/README.md
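Review bot: `var.account_number` is interpolated straight into the `role_arn` of the `bucket-replication` provider in the providers.tf hunk, but the new variable block in the variables.tf hunk on this same line declares it only as `type = string` with no `validation`, so an empty or mistyped value yields a malformed ARN, or a role in an unintended account, that only surfaces at apply time when the assume-role call fails; constrain it to a 12-digit account ID at plan time. The description could state the expected shape as well, e.g. `description = "12-digit AWS account ID of the current environment"`. The enclosing `provider "aws"` block in providers.tf starts outside the hunk.
```hcl
variable "account_number" {
  type        = string
  description = "Account number of current environment"
  validation {
    condition     = can(regex("^[0-9]{12}$", var.account_number))
    error_message = "The account_number value must be a 12-digit AWS account ID."
  }
}
```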
@@ -14,6 +14,46 @@ module "vm-import" { ``` +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.1 | +| [aws](#requirement\_aws) | >= 3.47.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 3.47.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [s3-bucket](#module\_s3-bucket) | git::https://github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket | v4.0.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_policy.vmimport-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.vmimport](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.vmimport_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_policy_document.vmimport-trust-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_number](#input\_account\_number) | Account number of current environment | `string` | n/a | yes | +| [application\_name](#input\_application\_name) | Name of application | `string` | n/a | yes | +| [bucket\_prefix](#input\_bucket\_prefix) | Prefix for s3 bucket | `string` | n/a | yes | +| [tags](#input\_tags) | Common tags to be used by all resources | `map(string)` | n/a | yes | + +## Outputs + +No outputs.
From fa7e9e76ddd08a79e4399f6debb2c42c81d019c0 Mon Sep 17 00:00:00 2001
From: zuriguardiola
Date: Thu, 4 Nov 2021 09:19:21 +0000
Subject: [PATCH 5/5] Update static analysis exclusions
---
.github/workflows/terraform-static-analysis.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/terraform-static-analysis.yml b/.github/workflows/terraform-static-analysis.yml
index d0f3fe1..243eab5 100644
--- a/.github/workflows/terraform-static-analysis.yml
+++ b/.github/workflows/terraform-static-analysis.yml
@@ -26,7 +26,7 @@ jobs:
 with:
 scan_type: single
 tfsec_exclude: AWS089, AWS099, AWS009, AWS097, AWS018
- checkov_exclude: CKV_GIT_1, CKV_AWS_23
+ checkov_exclude: CKV_GIT_1
 terraform-static-analysis-full-scan:
 name: Terraform Static Analysis - scan all directories
@@ -44,4 +44,4 @@ jobs:
 with:
 scan_type: full
 tfsec_exclude: AWS089, AWS099, AWS009, AWS097, AWS018
- checkov_exclude: CKV_GIT_1, CKV_AWS_23
+ checkov_exclude: CKV_GIT_1