diff --git a/.github/labeler.yml b/.github/labeler.yml new file mode 100644 index 0000000..1b3251f --- /dev/null +++ b/.github/labeler.yml @@ -0,0 +1,19 @@ +Feature: + - head-branch: ['^feature', 'feature'] +Hotfix: + - head-branch: ['^hotfix', 'hotfix'] +Documentation: +- changed-files: + - any-glob-to-any-file: '**/*.md' +CICD: +- changed-files: + - any-glob-to-any-file: '.github/**' + +typescript: +- changed-files: + - any-glob-to-any-file: '**/*.ts' +css: +- changed-files: + - any-glob-to-any-file: '**/*.css' + + diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 0000000..ccf23da --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,33 @@ +# Description + +Please include a summary of the changes and the related issue. Please also include relevant motivation and context. List any dependencies that are required for this change. + +Fixes # (issue) + +## Type of change + +Please delete options that are not relevant. + +- [ ] Bug fix (non-breaking change which fixes an issue) +- [ ] New feature (non-breaking change which adds functionality) +- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected) +- [ ] This change requires a documentation update + +# How Has This Been Tested? + +Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration + +- [ ] Test A +- [ ] Test B + + +# Checklist: + +- [ ] My code follows the style guidelines of this project +- [ ] I have performed a self-review of my code +- [ ] I have commented my code, particularly in hard-to-understand areas +- [ ] I have made corresponding changes to the documentation +- [ ] My changes generate no new warnings +- [ ] I have added tests or screenshots that prove my fix is effective or that my feature works +- [ ] Any dependent changes have been merged and published in downstream modules + diff --git a/.github/reviewers.yml b/.github/reviewers.yml new file mode 100644 index 0000000..0e371d2 --- /dev/null +++ b/.github/reviewers.yml @@ -0,0 +1,4 @@ +reviewers: + defaults: + - repository-owners + - bbrauneck \ No newline at end of file diff --git a/.github/workflows/commit-message-validator.yaml b/.github/workflows/commit-message-validator.yaml new file mode 100644 index 0000000..173ce0c --- /dev/null +++ b/.github/workflows/commit-message-validator.yaml @@ -0,0 +1,12 @@ +name: Commit linter +on: + pull_request: + branches: [main, master] +jobs: + commitlint: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + fetch-depth: 0 + - uses: wagoid/commitlint-github-action@v5 diff --git a/.github/workflows/dependabot.yaml b/.github/workflows/dependabot.yaml index 3e8a4d8..ecbd70f 100644 --- a/.github/workflows/dependabot.yaml +++ b/.github/workflows/dependabot.yaml @@ -11,7 +11,7 @@ jobs: steps: - name: Dependabot metadata id: dependabot-metadata - uses: dependabot/fetch-metadata@v1.2.1 + uses: dependabot/fetch-metadata@v2.2.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} - name: Approve a PR diff --git a/.github/workflows/labelling.yaml b/.github/workflows/labelling.yaml new file mode 100644 index 0000000..205e046 --- /dev/null +++ b/.github/workflows/labelling.yaml @@ -0,0 +1,47 @@ +name: label PRs +on: + pull_request: + branches: [dev, master] +jobs: + size-label: + needs: pr-reviewer + permissions: + contents: read + pull-requests: write + runs-on: ubuntu-latest + steps: + - name: size-label + uses: "pascalgn/size-label-action@v0.5.0" + env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + with: + sizes: > + { + "0": "XS", + "20": "S", + "50": "M", + "200": "L", + "800": "XL", + "2000": "XXL" + } + - name: general-labels + uses: actions/labeler@v5 + with: + sync-labels: true + pr-reviewer: + permissions: + contents: read + pull-requests: write + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} + fetch-depth: 0 + - name: Request review and assign + uses: necojackarc/auto-request-review@v0.13.0 + with: + token: ${{ secrets.GITHUB_TOKEN }} + config: .github/reviewers.yml + use_local: true diff --git a/.github/workflows/megalinter.yaml b/.github/workflows/megalinter.yaml index c3945b4..f1cf0cb 100644 --- a/.github/workflows/megalinter.yaml +++ b/.github/workflows/megalinter.yaml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Code - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} fetch-depth: 0 @@ -26,7 +26,7 @@ jobs: DISABLE_LINTERS: TERRAFORM_TERRASCAN - name: Archive production artifacts if: ${{ success() }} || ${{ failure() }} - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: MegaLinter reports path: | diff --git a/.github/workflows/tagging.yaml b/.github/workflows/tagging.yaml index 2a89990..816de24 100644 --- a/.github/workflows/tagging.yaml +++ b/.github/workflows/tagging.yaml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} fetch-depth: 0 diff --git a/.gitignore b/.gitignore index b0d92b9..96a4948 100644 --- a/.gitignore +++ b/.gitignore @@ -1,21 +1,464 @@ +# Misc +mega-linter.log +.idea + +# Local .terraform directories **/.terraform/* + +# .tfstate files *.tfstate *.tfstate.* -terraform.rc -.terraformrc + +# Crash log files +crash.log +crash.*.log + +# Exclude all .tfvars files, which are likely to contain sensitive data, such as +# password, private keys, and other secrets. These should not be part of version +# control as they are data points which are potentially sensitive and subject +# to change depending on the environment. +*.tfvars +*.tfvars.json +**/*.tfvars +**/**.tfvars.json + +# Ignore override files as they are usually used to override resources locally and so +# are not checked in override.tf override.tf.json *_override.tf *_override.tf.json -**/*.tfvars -**/**.tfvars.json -cache/** -crash.log +# Include override files you do wish to add to version control using negated pattern +# !example_override.tf + +# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan +# example: *tfplan* + +# Ignore CLI configuration files +.terraformrc +terraform.rc +.terraform.lock.hcl +.terraform +# MacOS General +.DS_Store +.AppleDouble +.LSOverride +# Icon must end with two \r +Icon +# Thumbnails +._* -**/.DS_STORE -report/** -mega-linter.log +# Files that might appear in the root of a volume +.DocumentRevisions-V100 +.fseventsd +.Spotlight-V100 +.TemporaryItems +.Trashes +.VolumeIcon.icns +.com.apple.timemachine.donotpresent + +# Directories potentially created on remote AFP share +.AppleDB +.AppleDesktop +Network Trash Folder +Temporary Items +.apdisk + +## Ignore Visual Studio temporary files, build results, and +## files generated by popular Visual Studio add-ons. +## +## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore + +# User-specific files +*.rsuser +*.suo +*.user +*.userosscache +*.sln.docstates + +# User-specific files (MonoDevelop/Xamarin Studio) +*.userprefs + +# Mono auto generated files +mono_crash.* + +# Build results +[Dd]ebug/ +[Dd]ebugPublic/ +[Rr]elease/ +[Rr]eleases/ +x64/ +x86/ +[Ww][Ii][Nn]32/ +[Aa][Rr][Mm]/ +[Aa][Rr][Mm]64/ +bld/ +[Bb]in/ +[Oo]bj/ +[Ll]og/ +[Ll]ogs/ + +# Visual Studio 2015/2017 cache/options directory +.vs/ +# Uncomment if you have tasks that create the project's static files in wwwroot +#wwwroot/ + +# Visual Studio 2017 auto generated files +Generated\ Files/ + +# MSTest test Results +[Tt]est[Rr]esult*/ +[Bb]uild[Ll]og.* + +# NUnit +*.VisualState.xml +TestResult.xml +nunit-*.xml + +# Build Results of an ATL Project +[Dd]ebugPS/ +[Rr]eleasePS/ +dlldata.c + +# Benchmark Results +BenchmarkDotNet.Artifacts/ + +# .NET Core +project.lock.json +project.fragment.lock.json +artifacts/ + +# ASP.NET Scaffolding +ScaffoldingReadMe.txt + +# StyleCop +StyleCopReport.xml + +# Files built by Visual Studio +*_i.c +*_p.c +*_h.h +*.ilk +*.meta +*.obj +*.iobj +*.pch +*.pdb +*.ipdb +*.pgc +*.pgd +*.rsp +*.sbr +*.tlb +*.tli +*.tlh +*.tmp +*.tmp_proj +*_wpftmp.csproj +*.log +*.tlog +*.vspscc +*.vssscc +.builds +*.pidb +*.svclog +*.scc + +# Chutzpah Test files +_Chutzpah* + +# Visual C++ cache files +ipch/ +*.aps +*.ncb +*.opendb +*.opensdf +*.sdf +*.cachefile +*.VC.db +*.VC.VC.opendb + +# Visual Studio profiler +*.psess +*.vsp +*.vspx +*.sap + +# Visual Studio Trace Files +*.e2e + +# TFS 2012 Local Workspace +$tf/ + +# Guidance Automation Toolkit +*.gpState + +# ReSharper is a .NET coding add-in +_ReSharper*/ +*.[Rr]e[Ss]harper +*.DotSettings.user + +# TeamCity is a build add-in +_TeamCity* + +# DotCover is a Code Coverage Tool +*.dotCover + +# AxoCover is a Code Coverage Tool +.axoCover/* +!.axoCover/settings.json + +# Coverlet is a free, cross platform Code Coverage Tool +coverage*.json +coverage*.xml +coverage*.info + +# Visual Studio code coverage results +*.coverage +*.coveragexml + +# NCrunch +_NCrunch_* +.*crunch*.local.xml +nCrunchTemp_* + +# MightyMoose +*.mm.* +AutoTest.Net/ + +# Web workbench (sass) +.sass-cache/ + +# Installshield output folder +[Ee]xpress/ + +# DocProject is a documentation generator add-in +DocProject/buildhelp/ +DocProject/Help/*.HxT +DocProject/Help/*.HxC +DocProject/Help/*.hhc +DocProject/Help/*.hhk +DocProject/Help/*.hhp +DocProject/Help/Html2 +DocProject/Help/html + +# Click-Once directory +publish/ + +# Publish Web Output +*.[Pp]ublish.xml +*.azurePubxml +# Note: Comment the next line if you want to checkin your web deploy settings, +# but database connection strings (with potential passwords) will be unencrypted +*.pubxml +*.publishproj + +# Microsoft Azure Web App publish settings. Comment the next line if you want to +# checkin your Azure Web App publish settings, but sensitive information contained +# in these scripts will be unencrypted +PublishScripts/ + +# NuGet Packages +*.nupkg +# NuGet Symbol Packages +*.snupkg +# The packages folder can be ignored because of Package Restore +**/[Pp]ackages/* +# except build/, which is used as an MSBuild target. +!**/[Pp]ackages/build/ +# Uncomment if necessary however generally it will be regenerated when needed +#!**/[Pp]ackages/repositories.config +# NuGet v3's project.json files produces more ignorable files +*.nuget.props +*.nuget.targets + +# Microsoft Azure Build Output +csx/ +*.build.csdef + +# Microsoft Azure Emulator +ecf/ +rcf/ + +# Windows Store app package directories and files +AppPackages/ +BundleArtifacts/ +Package.StoreAssociation.xml +_pkginfo.txt +*.appx +*.appxbundle +*.appxupload + +# Visual Studio cache files +# files ending in .cache can be ignored +*.[Cc]ache +# but keep track of directories ending in .cache +!?*.[Cc]ache/ + +# Others +ClientBin/ +~$* +*~ +*.dbmdl +*.dbproj.schemaview +*.jfm +*.pfx +*.publishsettings +orleans.codegen.cs + +# Including strong name files can present a security risk +# (https://github.com/github/gitignore/pull/2483#issue-259490424) +#*.snk + +# Since there are multiple workflows, uncomment next line to ignore bower_components +# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) +#bower_components/ + +# RIA/Silverlight projects +Generated_Code/ + +# Backup & report files from converting an old project file +# to a newer Visual Studio version. Backup files are not needed, +# because we have git ;-) +_UpgradeReport_Files/ +Backup*/ +UpgradeLog*.XML +UpgradeLog*.htm +ServiceFabricBackup/ +*.rptproj.bak + +# SQL Server files +*.mdf +*.ldf +*.ndf + +# Business Intelligence projects +*.rdl.data +*.bim.layout +*.bim_*.settings +*.rptproj.rsuser +*- [Bb]ackup.rdl +*- [Bb]ackup ([0-9]).rdl +*- [Bb]ackup ([0-9][0-9]).rdl + +# Microsoft Fakes +FakesAssemblies/ + +# GhostDoc plugin setting file +*.GhostDoc.xml + +# Node.js Tools for Visual Studio +.ntvs_analysis.dat +node_modules/ + +# Visual Studio 6 build log +*.plg + +# Visual Studio 6 workspace options file +*.opt + +# Visual Studio 6 auto-generated workspace file (contains which files were open etc.) +*.vbw + +# Visual Studio 6 auto-generated project file (contains which files were open etc.) +*.vbp + +# Visual Studio 6 workspace and project file (working project files containing files to include in project) +*.dsw +*.dsp + +# Visual Studio LightSwitch build output +**/*.HTMLClient/GeneratedArtifacts +**/*.DesktopClient/GeneratedArtifacts +**/*.DesktopClient/ModelManifest.xml +**/*.Server/GeneratedArtifacts +**/*.Server/ModelManifest.xml +_Pvt_Extensions + +# Paket dependency manager +.paket/paket.exe +paket-files/ + +# FAKE - F# Make +.fake/ + +# CodeRush personal settings +.cr/personal + +# Python Tools for Visual Studio (PTVS) +__pycache__/ +*.pyc + +# Cake - Uncomment if you are using it +# tools/** +# !tools/packages.config + +# Tabs Studio +*.tss + +# Telerik's JustMock configuration file +*.jmconfig + +# BizTalk build output +*.btp.cs +*.btm.cs +*.odx.cs +*.xsd.cs + +# OpenCover UI analysis results +OpenCover/ + +# Azure Stream Analytics local run output +ASALocalRun/ + +# MSBuild Binary and Structured Log +*.binlog + +# NVidia Nsight GPU debugger configuration file +*.nvuser + +# MFractors (Xamarin productivity tool) working folder +.mfractor/ + +# Local History for Visual Studio +.localhistory/ + +# Visual Studio History (VSHistory) files +.vshistory/ + +# BeatPulse healthcheck temp database +healthchecksdb + +# Backup folder for Package Reference Convert tool in Visual Studio 2017 +MigrationBackup/ + +# Ionide (cross platform F# VS Code tools) working folder +.ionide/ + +# Fody - auto-generated XML schema +FodyWeavers.xsd + +# VS Code files for those working on multiple tools +.vscode/* +!.vscode/settings.json +!.vscode/tasks.json +!.vscode/launch.json +!.vscode/extensions.json +*.code-workspace + +# Local History for Visual Studio Code +.history/ + +# Windows Installer files from build outputs +*.cab +*.msi +*.msix +*.msm +*.msp + +# JetBrains Rider +*.sln.iml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5cd2118..bb5c949 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,13 +1,13 @@ --- repos: - repo: https://github.com/compilerla/conventional-pre-commit - rev: v1.2.0 + rev: v3.2.0 hooks: - id: conventional-pre-commit stages: [commit-msg] args: [] - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.1.0 + rev: v4.6.0 hooks: - id: trailing-whitespace - id: end-of-file-fixer @@ -32,7 +32,7 @@ repos: args: - -b main - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.62.0 + rev: v1.89.1 hooks: - id: terraform_fmt - id: terraform_docs @@ -40,14 +40,12 @@ repos: - --hook-config=--path-to-file=README.md - --hook-config=--add-to-existing-file=true - --hook-config=--create-file-if-not-exist=true - - id: terraform_tfsec - - id: checkov - repo: https://github.com/sirosen/check-jsonschema - rev: 0.13.0 + rev: 0.28.3 hooks: - id: check-github-workflows - repo: https://github.com/pre-commit/mirrors-prettier - rev: v2.5.1 + rev: v4.0.0-alpha.8 hooks: - id: prettier stages: [commit] diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..88c4db8 --- /dev/null +++ b/CODE_OF_CONDUCT.md @@ -0,0 +1,132 @@ +# Contributor Covenant Code of Conduct + +## Our Pledge + +We as members, contributors, and leaders pledge to make participation in our +community a harassment-free experience for everyone, regardless of age, body +size, visible or invisible disability, ethnicity, sex characteristics, gender +identity and expression, level of experience, education, socio-economic status, +nationality, personal appearance, race, caste, color, religion, or sexual +identity and orientation. + +We pledge to act and interact in ways that contribute to an open, welcoming, +diverse, inclusive, and healthy community. + +## Our Standards + +Examples of behavior that contributes to a positive environment for our +community include: + +- Demonstrating empathy and kindness toward other people +- Being respectful of differing opinions, viewpoints, and experiences +- Giving and gracefully accepting constructive feedback +- Accepting responsibility and apologizing to those affected by our mistakes, + and learning from the experience +- Focusing on what is best not just for us as individuals, but for the overall + community + +Examples of unacceptable behavior include: + +- The use of sexualized language or imagery, and sexual attention or advances of + any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, + without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a + professional setting + +## Enforcement Responsibilities + +Community leaders are responsible for clarifying and enforcing our standards of +acceptable behavior and will take appropriate and fair corrective action in +response to any behavior that they deem inappropriate, threatening, offensive, +or harmful. + +Community leaders have the right and responsibility to remove, edit, or reject +comments, commits, code, wiki edits, issues, and other contributions that are +not aligned to this Code of Conduct, and will communicate reasons for moderation +decisions when appropriate. + +## Scope + +This Code of Conduct applies within all community spaces, and also applies when +an individual is officially representing the community in public spaces. +Examples of representing our community include using an official e-mail address, +posting via an official social media account, or acting as an appointed +representative at an online or offline event. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported to the community leaders responsible for enforcement at +[INSERT CONTACT METHOD]. +All complaints will be reviewed and investigated promptly and fairly. + +All community leaders are obligated to respect the privacy and security of the +reporter of any incident. + +## Enforcement Guidelines + +Community leaders will follow these Community Impact Guidelines in determining +the consequences for any action they deem in violation of this Code of Conduct: + +### 1. Correction + +**Community Impact**: Use of inappropriate language or other behavior deemed +unprofessional or unwelcome in the community. + +**Consequence**: A private, written warning from community leaders, providing +clarity around the nature of the violation and an explanation of why the +behavior was inappropriate. A public apology may be requested. + +### 2. Warning + +**Community Impact**: A violation through a single incident or series of +actions. + +**Consequence**: A warning with consequences for continued behavior. No +interaction with the people involved, including unsolicited interaction with +those enforcing the Code of Conduct, for a specified period of time. This +includes avoiding interactions in community spaces as well as external channels +like social media. Violating these terms may lead to a temporary or permanent +ban. + +### 3. Temporary Ban + +**Community Impact**: A serious violation of community standards, including +sustained inappropriate behavior. + +**Consequence**: A temporary ban from any sort of interaction or public +communication with the community for a specified period of time. No public or +private interaction with the people involved, including unsolicited interaction +with those enforcing the Code of Conduct, is allowed during this period. +Violating these terms may lead to a permanent ban. + +### 4. Permanent Ban + +**Community Impact**: Demonstrating a pattern of violation of community +standards, including sustained inappropriate behavior, harassment of an +individual, or aggression toward or disparagement of classes of individuals. + +**Consequence**: A permanent ban from any sort of public interaction within the +community. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], +version 2.1, available at +[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1]. + +Community Impact Guidelines were inspired by +[Mozilla's code of conduct enforcement ladder][mozilla coc]. + +For answers to common questions about this code of conduct, see the FAQ at +[https://www.contributor-covenant.org/faq][faq]. Translations are available at +[https://www.contributor-covenant.org/translations][translations]. + +[homepage]: https://www.contributor-covenant.org +[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html +[mozilla coc]: https://github.com/mozilla/diversity +[faq]: https://www.contributor-covenant.org/faq +[translations]: https://www.contributor-covenant.org/translations diff --git a/README.md b/README.md index d91a53d..684cdaf 100644 --- a/README.md +++ b/README.md @@ -1,19 +1,101 @@ +[![Maintained](https://img.shields.io/badge/Maintained%20by-XOAP-success)](https://xoap.io) +[![Terraform](https://img.shields.io/badge/Terraform-%3E%3D1.1.6-blue)](https://terraform.io) +[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) + # Table of Contents -- [Table of Contents](#table-of-contents) - - [Usage](#usage) - - [Requirements](#requirements) - - [Providers](#providers) - - [Modules](#modules) - - [Resources](#resources) - - [Inputs](#inputs) - - [Outputs](#outputs) +- [Introduction](#introduction) +- [Guidelines](#guidelines) +- [Requirements](#requirements) +- [Providers](#providers) +- [Modules](#modules) +- [Resources](#resources) +- [Inputs](#inputs) +- [Outputs](#outputs) + +--- + +## Introduction + +This is a template for Terraform modules. + +It is part of our XOAP Automation Forces Open Source community library to give you a quick start into Infrastructure as Code deployments with Terraform. + +We have a lot of Terraform modules that are Open Source and maintained by the XOAP staff. + +Please check the links for more info, including usage information and full documentation: + +- [XOAP Website](https://xoap.io) +- [XOAP Documentation](https://docs.xoap.io) +- [Twitter](https://twitter.com/xoap_io) +- [LinkedIn](https://www.linkedin.com/company/xoap_io) + +--- + +## Guidelines + +We are using the following guidelines to write code and make it easier for everyone to follow a destinctive guideline. Please check these links before starting to work on changes. + +[![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](CODE_OF_CONDUCT.md) + +Git Naming Conventions are an important part of the development process. They descrtibe how Branched, Commit Messages, Pull Requests and Tags should look like to make the easily understandebla for everybody in the development chain. + +[Git Naming Conventions](https://namingconvention.org/git/) + +he Conventional Commits specification is a lightweight convention on top of commit messages. It provides an easy set of rules for creating an explicit commit history; which makes it easier to write automated tools on top of. + +[Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) + +The better a Pull Request description is, the better a review can understand and decide on how to review the changes. This improves implementation speed and reduces communication between the requester and the reviewer resulting in much less overhead. + +[Wiriting A Great Pull Request Description](https://www.pullrequest.com/blog/writing-a-great-pull-request-description/) + +Versioning is a crucial part for Terraform Stacks and Modules. Without version tags you cannot clearly create a stable environment and be sure that your latest changes won't crash your production environment (sure it still can happen, but we are trying our best to implement everything that we can to reduce the risk) + +[Semantic Versioning](https://semver.org) + +Naming Conventions for Terraform resources must be used. + +[Terraform Naming Conventions](https://www.terraform-best-practices.com/naming) + +--- ## Usage -various commands +### Installation + +For the first ime using this template necessary tools need to be installed. +A script for PowerShell Core is provided under ./build/init.ps1 + +This script will install following dependencies: + +- [pre-commit](https://github.com/pre-commit/pre-commit) +- [terraform-docs](https://github.com/terraform-docs/terraform-docs) +- [tflint](https://github.com/terraform-linters/tflint) +- [tfsec](https://github.com/aquasecurity/tfsec) +- [checkov](https://github.com/bridgecrewio/checkov) +- [terrascan](https://github.com/accurics/terrascan) +- [kics](https://github.com/Checkmarx/kics) -[![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](code_of_conduct.md) +This script configures: + +- global git template under ~/.git-template +- global pre-commit hooks for prepare-commit-msg and commit-msg under ~/.git-template/hooks +- github actions: + - linting and checks for pull requests from dev to master/main + - automatic tagging and release creation on pushes to master/main + - dependabot updates + +It currently supports the automated installation for macOS. Support for Windows and Linux will be available soon. + +### Synchronisation + +We provided a script under ./build/sync_template.ps1 to fetch the latest changes from this template repository. +Please be aware that this is mainly a copy operation which means all your current changes have to be committed first and after running the script you have to merge this changes into your codebase. + +### Configuration + +--- @@ -22,32 +104,81 @@ various commands | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.1.6 | -| [aws](#requirement\_aws) | >=4.0.0 | +| [terraform](#requirement\_terraform) | >=1.1.6 | +| [aws](#requirement\_aws) | >= 4.8.0 | ## Providers -No providers. +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 4.8.0 | ## Modules -No modules. +| Name | Source | Version | +|------|--------|---------| +| [bucket](#module\_bucket) | git::github.com/xoap-io/terraform-aws-storage-s3.git | v0.1.3 | +| [this\_label](#module\_this\_label) | git::github.com/xoap-io/terraform-aws-misc-label | v0.1.1 | ## Resources -No resources. +| Name | Type | +|------|------| +| [aws_cloudfront_cache_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_cache_policy) | resource | +| [aws_cloudfront_distribution.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) | resource | +| [aws_cloudfront_origin_request_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_request_policy) | resource | +| [aws_cloudfront_response_headers_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_response_headers_policy) | resource | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [context](#input\_context) | Default context for naming and tagging purpose | 
object({
    organization = string
    environment  = string
    account      = string
    product      = string
    tags         = map(string)
  })
| n/a | yes | +| [allowed\_methods](#input\_allowed\_methods) | Allowed methods for accessing the CloudFront Distribution | `list(string)` | 
[
  "GET",
  "HEAD",
  "OPTIONS"
]
| no | +| [cached\_methods](#input\_cached\_methods) | Cache methods for accessing the CloudFront Distribution | `list(string)` | 
[
  "GET",
  "HEAD"
]
| no | +| [cf\_default\_ttl](#input\_cf\_default\_ttl) | CloudFront default TTL for cachine | `string` | `"86400"` | no | +| [cf\_max\_ttl](#input\_cf\_max\_ttl) | CloudFront maximum TTL for caching | `string` | `"31536000"` | no | +| [cf\_min\_ttl](#input\_cf\_min\_ttl) | CloudFront minimum TTL for caching | `string` | `"0"` | no | +| [cf\_price\_class](#input\_cf\_price\_class) | CloudFront price class | `string` | `"PriceClass_All"` | no | +| [cloudfront\_aliases](#input\_cloudfront\_aliases) | List of hostnames to serve site on. E.g. with and without www | `list(string)` | n/a | yes | +| [cloudfront\_allowed\_methods](#input\_cloudfront\_allowed\_methods) | Allowed methods for accessing the CloudFront Distribution | `list(string)` | 
[
  "GET",
  "HEAD",
  "OPTIONS",
  "PUT",
  "POST",
  "PATCH",
  "DELETE"
]
| no | +| [cloudfront\_cached\_methods](#input\_cloudfront\_cached\_methods) | Cache methods for accessing the CloudFront Distribution | `list(string)` | 
[
  "GET",
  "HEAD"
]
| no | +| [cloudfront\_certificate\_arn](#input\_cloudfront\_certificate\_arn) | ARN of the ACM certificate to use for cloudfront. Must be issued in us-east-1 | `string` | n/a | yes | +| [cloudfront\_default\_ttl](#input\_cloudfront\_default\_ttl) | CloudFront default TTL for cachine | `string` | `"1"` | no | +| [cloudfront\_max\_ttl](#input\_cloudfront\_max\_ttl) | CloudFront maximum TTL for caching | `string` | `"10"` | no | +| [cloudfront\_min\_ttl](#input\_cloudfront\_min\_ttl) | CloudFront minimum TTL for caching | `string` | `"0"` | no | +| [cloudfront\_minimum\_tls\_version](#input\_cloudfront\_minimum\_tls\_version) | Minimum allowed TLS version | `string` | `"TLSv1.2_2021"` | no | +| [cloudfront\_origin\_id](#input\_cloudfront\_origin\_id) | Origin ID used in CloudFront | `string` | `"alb"` | no | +| [cloudfront\_price\_class](#input\_cloudfront\_price\_class) | CloudFront price class | `string` | `"PriceClass_All"` | no | +| [cloudfront\_viewer\_protocol\_policy](#input\_cloudfront\_viewer\_protocol\_policy) | One of allow-all, https-only, or redirect-to-https | `string` | `"redirect-to-https"` | no | +| [context](#input\_context) | Default environmental context | 
object({
    organization = string
    environment  = string
    account      = string
    product      = string
    tags         = map(string)
  })
| n/a | yes | +| [cors\_allowed\_headers](#input\_cors\_allowed\_headers) | List of headers allowed in CORS | `list(string)` | `[]` | no | +| [cors\_allowed\_methods](#input\_cors\_allowed\_methods) | List of methods allowed in CORS | `list(string)` | 
[
  "GET"
]
| no | +| [cors\_allowed\_origins](#input\_cors\_allowed\_origins) | List of origins allowed to make CORS requests | `list(string)` | 
[
  "https://s3.amazonaws.com"
]
| no | +| [cors\_expose\_headers](#input\_cors\_expose\_headers) | List of headers to expose in CORS response | `list(string)` | `[]` | no | +| [cors\_max\_age\_seconds](#input\_cors\_max\_age\_seconds) | Specifies time in seconds that browser can cache the response for a preflight request | `string` | `3000` | no | +| [custom\_error\_response](#input\_custom\_error\_response) | Optionally a list of custom error response configurations for CloudFront distribution | 
set(object({
    error_code         = number
    response_code      = number
    response_page_path = string
  }))
| `null` | no | +| [default\_root\_object](#input\_default\_root\_object) | CloudFront distribution default\_root\_object | `string` | `"index.html"` | no | +| [error\_document](#input\_error\_document) | Error page document in S3 bucket | `string` | `"404.html"` | no | +| [index\_document](#input\_index\_document) | Index page document in S3 bucket | `string` | `"index.html"` | no | +| [logging\_bucket](#input\_logging\_bucket) | Target Bucket name for logging | `string` | n/a | yes | +| [minimum\_tls\_version](#input\_minimum\_tls\_version) | Minimum support TLS version | `string` | `"TLSv1.2_2021"` | no | +| [origin\_path](#input\_origin\_path) | Path in S3 bucket for hosted files, with leading slash | `string` | `""` | no | +| [routing\_rules](#input\_routing\_rules) | A json array containing routing rules describing redirect behavior and when redirects are applied | `map(string)` | 
{
  "/": "index.html"
}
| no | +| [s3\_origin\_id](#input\_s3\_origin\_id) | Origin ID used in CloudFront | `string` | `"s3-origin"` | no | +| [site\_name](#input\_site\_name) | Name of bucket to be created in S3. Must be globally unique. | `string` | n/a | yes | +| [viewer\_protocol\_policy](#input\_viewer\_protocol\_policy) | One of allow-all, https-only, or redirect-to-https | `string` | `"redirect-to-https"` | no | ## Outputs | Name | Description | |------|-------------| -| [context](#output\_context) | Exported context from input variable | +| [aliases](#output\_aliases) | n/a | +| [cloudfront\_arn](#output\_cloudfront\_arn) | n/a | +| [cloudfront\_hostname](#output\_cloudfront\_hostname) | n/a | +| [cloudfront\_id](#output\_cloudfront\_id) | n/a | +| [cloudfront\_zone\_id](#output\_cloudfront\_zone\_id) | n/a | +| [s3](#output\_s3) | n/a | +| [this](#output\_this) | n/a | diff --git a/build/init.ps1 b/build/init.ps1 new file mode 100644 index 0000000..1b10fe4 --- /dev/null +++ b/build/init.ps1 @@ -0,0 +1,78 @@ +$brewPackages = @( + "pre-commit", + "gawk", + "terraform-docs", + "tflint", + "tfsec", + "coreutils", + "checkov", + "terrascan", + "golang", + "Checkmarx/tap/kics" + +) +function ReplaceAllStringsInFile($SearchString, $ReplaceString, $FullPathToFile) { + $content = [System.IO.File]::ReadAllText("$FullPathToFile").Replace("$SearchString", "$ReplaceString") + [System.IO.File]::WriteAllText("$FullPathToFile", $content) +} +function SetupPreCommit { + Write-host "Configuring pre-commit..." + $dir = Join-Path $env:HOME ".git-template" + if (Test-Path "$dir") { + Remove-item -Recurse -Force -Path "$dir" -Verbose + } + $globalHooks = Join-path $dir "hooks" + $localHooks = "$PSScriptRoot/../.git/hooks" + if (Test-Path "$localHooks") { + Remove-item -Recurse -Force -Path "$localHooks" -Verbose + } + + New-Item -ItemType Directory -Path $dir + git config --global init.templateDir $dir + git config --global core.hooksPath $dir/hooks + pre-commit init-templatedir -t pre-commit $dir + pre-commit init-templatedir -t prepare-commit-msg $dir + pre-commit init-templatedir -t commit-msg $dir + + Copy-Item $globalHooks -Destination $localHooks -Recurse -Verbose +} +function InstallMacDependencies { + foreach ($package in $brewPackages) { + Write-Host "Going to check for package $package" + brew install $package + } +} +function FixReadme { + $file = "$PSScriptRoot/../README.md" + $path = Get-Item "$PSScriptRoot/.." + ReplaceAllStringsInFile -SearchString "TERRAFORM-MODULE-TEMPLATE" -ReplaceString $path.Name.ToUpper() -FullPathToFile $file +} + +function PrintAdditionalNeededConfig { + Write-Host "Please add following statements to your .bashrc or .zshrc" + Write-host " +Optional: + export GOPATH=`$HOME/dev/go-workspace + export GOROOT=/usr/local/opt/go/libexec + export PATH=`$PATH:`$GOPATH/bin + export PATH=`$PATH:`$GOROOT/bin +Required: + export TF_PLUGIN_CACHE_DIR=~/.terraform-cache + export KICS_QUERIES_PATH=/usr/local/opt/kics/share/kics/assets/queries" +} + +if ($IsWindows) { + Write-Error "This script is currently not able to setup windows systems" + exit 1 +} +if ($IsLinux) { + Write-Error "This script is currently not able to setup linux systems" + exit 1 +} +if ($IsMacOS) { + InstallMacDependencies + PrintAdditionalNeededConfig +} + +SetupPreCommit +FixReadme diff --git a/build/sync_template.ps1 b/build/sync_template.ps1 new file mode 100644 index 0000000..27499ab --- /dev/null +++ b/build/sync_template.ps1 @@ -0,0 +1,27 @@ +$protectedFiles = @( + "main.tf", + "outputs.tf" + "variables.tf" +) +$ChangedFiles = $(git status --porcelain | Measure-Object | Select-Object -expand Count) +if ($ChangedFiles -gt 0) +{ + Write-Error "Found $ChangedFiles changed files. Please commit or stash them before using this script." + exit 0 +} + +$tempPath = Join-Path $([system.io.path]::GetTempPath()) "xoap-template" + +if(Test-path "$tempPath"){ + Write-Host "Removing old temporary files for xoap module template" + Remove-Item "$tempPath" -Recurse -Force -Verbose +} + +git clone https://github.com/xoap-io/terraform-module-template.git $tempPath + +$templateItems = Get-ChildItem $tempPath -File | Where-Object {$_.Name -notin $protectedFiles} + +foreach($item in $templateItems){ + $targetPath = $item.FullName.Replace($tempPath, "${PSScriptRoot}/..") + Copy-Item $item.FullName -Destination $targetPath -Force -Verbose +} diff --git a/docs/BEST-PRACTICES.md b/docs/BEST-PRACTICES.md index f2be2d6..9ca37b7 100644 --- a/docs/BEST-PRACTICES.md +++ b/docs/BEST-PRACTICES.md @@ -2,7 +2,7 @@ ## Module naming -terraform-- eg. terraform-aws-ec2 +terraform-PROVIDER-NAME eg. terraform-aws-ec2 ## Release Tags @@ -23,12 +23,12 @@ We recommend always having a license file, even if it is not an open source lice ## Files - +### MODULENAME -├── README.md -├── main.tf -├── variables.tf -├── outputs.tf +- README.md +- main.tf +- variables.tf +- outputs.tf For a simple module, this may be where all the resources are created. For a complex module, resource creation may be split into multiple files but any nested module calls should be in the main file. @@ -40,11 +40,11 @@ Must have subscriptions and type declarations. ## Nested modules -Nested modules should exist under the modules/ subdirectory. Any nested module with a README.md is considered usable by an external user. If a README doesn't exist, it is considered for internal use only. +Nested modules should exist under the modules/ subdirectory. Any nested module with a README.md is considered usable by an external user. If a README.md doesn't exist, it is considered for internal use only. ## Examples -Examples of using the module should exist under the examples/ subdirectory at the root of the repository. Each example may have a README to explain the goal and usage of the example. +Examples of using the module should exist under the examples/subdirectory at the root of the repository. Each example may have a README.md to explain the goal and usage of the example. ## Providers diff --git a/docs/BUG_REPORT.md b/docs/BUG_REPORT.md index 5d89a19..abd4621 100644 --- a/docs/BUG_REPORT.md +++ b/docs/BUG_REPORT.md @@ -1,15 +1,11 @@ ---- -name: Bug report -about: Create a report to help us improve -title: "" -labels: "" -assignees: "" ---- - -**Describe the bug** -A clear and concise description of what the bug is. - -**To Reproduce** +# Bug Report + +This guideline should help you in reporting bugs. + +## Describe the bug + +Describe in detail what happens when. Add as much information as you can. + Steps to reproduce the behavior: 1. Go to '...' @@ -17,52 +13,34 @@ Steps to reproduce the behavior: 3. Scroll down to '....' 4. See error -**Expected behavior** -A clear and concise description of what you expected to happen. - -**Screenshots** -If applicable, add screenshots to help explain your problem. - -**Environment (please complete the following information):** - -- OS: [e.g. Windows, macOS, Linux] -- Rover Version [e.g. ] - -**Additional context** -Add any other context about the problem here. +Add code if needed. ---- - -name: Bug report -about: Create a bug report to help us improve. -title: '' -labels: bug -assignees: '' +```hcl +// paste code snippets here +``` ---- +## Expected behavior - +A description of what you expected to happen. -**Describe the bug** -A clear and concise description of what the bug is. +## Screenshots -**To Reproduce** -Steps to reproduce the behavior including the relevant Terraform/Terragrunt/Packer version number and any code snippets and module inputs you used. +Add as much screenshots as necessary to explain the bug. Alternatively add a video. -```hcl -// paste code snippets here -``` +## Environment -**Expected behavior** -A clear and concise description of what you expected to happen. +- Operating System +- Build and language +- Terraform version +- DSC Module version +- ... -**Nice to have** +## Additional resources -- [ ] Terminal output -- [ ] Screenshots +Add anything else that might help us understand the problem. -**Additional context** -Add any other context about the problem here. +- Screenshots +- Links +- Videos +- logs +- Terminal outputs diff --git a/docs/FEATURE_REQUEST.md b/docs/FEATURE_REQUEST.md index 5259c47..f396728 100644 --- a/docs/FEATURE_REQUEST.md +++ b/docs/FEATURE_REQUEST.md @@ -1,59 +1,28 @@ ---- -name: Feature request -about: Submit a feature request for this repo. -title: "" -labels: enhancement -assignees: "" ---- +# Feature Request - +This guideline should help you in the creation process of a feature request. -**Describe the solution you'd like** -A clear and concise description of what you want to happen. +## Feature -**Describe alternatives you've considered** -A clear and concise description of any alternative solutions or features you've considered. - -**Additional context** -Add any other context or screenshots about the feature request here. - ---- - -name: Feature Request -about: Suggest an idea for this project -title: '' -labels: 'feature request' -assignees: '' - ---- - -Have a question? Please checkout our [Slack Community](https://slack.cloudposse.com) or visit our [Slack Archive](https://archive.sweetops.com/). - -[![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com) - -## Describe the Feature - -A clear and concise description of what the bug is. +A clear and detailed description of what feature you are missing or what is not working as expected. ## Expected Behavior -A clear and concise description of what you expected to happen. +What should happen by implementing your feature request. ## Use Case -Is your feature request related to a problem/challenge you are trying to solve? Please provide some additional context of why this feature or capability will be valuable. +Is your feature request related to a problem? Please provide additional context of why this feature or capability will be valuable. +Add external references to further describe the use case. -## Describe Ideal Solution +## Describe Solution -A clear and concise description of what you want to happen. If you don't know, that's okay. +What would be the best case by implementing the feature request? -## Alternatives Considered +## Alternatives -Explain what alternative solutions or features you've considered. +Is there another way of implementing the feature request. What else did you think of? -## Additional Context +## Additional resources -Add any other context or screenshots about the feature request here. +Add all resources here that make your request clearer or that describe it better (links, blogs, articles or pictures). diff --git a/docs/PR_TEMPLATE.md b/docs/PR_TEMPLATE.md index 9a96807..b0e17e1 100644 --- a/docs/PR_TEMPLATE.md +++ b/docs/PR_TEMPLATE.md @@ -1,88 +1,65 @@ -# [Issue-id](https://github.com/Azure/caf-terraform-landingzones-starter/issues/ISSUE-ID-GOES-HERE) +# PR Checklist -## PR Checklist +Use the check list below to ensure your branch is ready for PR. ---- +- You have updated the documentation accordingly +- You have added tests to cover your changes +- All new and existing tests passed +- Your code follows the code style guidlines of this project +- You ran lint checks locally +- You checked to ensure there aren't other open Pull Requests for the same change? - +## Summary -- [ ] I have updated the documentation accordingly. -- [ ] I have added tests to cover my changes. -- [ ] All new and existing tests passed. -- [ ] My code follows the code style of this project. -- [ ] I ran lint checks locally prior to submission. -- [ ] Have you checked to ensure there aren't other open Pull Requests for the same update/change? +Please create a detailed description of the feature, fix or that is being added -## Description +- Provide the justifications for the changes (e.g. business case). +- Describe why these changes were made (e.g. why do these commits fix the problem?) +- Use bullet points to be concise and to the point. - +### Example -## Does this introduce a breaking change +#### What? -- [ ] YES -- [ ] NO +I've added support for authentication to implement Key Result 2 of OKR1. It includes +model, table, controller and test. For more background, see ticket #AZD-123. - +#### Why? -## Testing +These changes complete the user login and account creation experience. +See #AZD-123 for more information. - +#### How? - +This includes a migration, model and controller for user authentication. I'm using Devise to do the heavy lifting. I ran Devise migrations and those are included here. + +## Testing + +Please add detailed instructions for testing and validation of your code. Are there any prerequisites a tester must take care of? ## Description - +Please add a short description of the changes introduced by your change. If you cahnged UI sepcific things please attach screenshots. ### Documentation - +- Update any references for the documentation. +- Create a stub for documentation including bullet points for how to use the feature with code snippets and everything else that is needed to create a full documentation - +Important: Did you make any backward incompatible changes? If yes, then you must write a migration guide! ## TODOs -Please ensure all of these TODOs are completed before asking for a review. +Ensure all of these TODOs are completed before asking for a review. -- [ ] Ensure the branch is named correctly with the issue number. e.g: `feature/new-vpc-endpoints-955` or `bug/missing-count-param-434`. -- [ ] Update the docs. -- [ ] Keep the changes backward compatible where possible. -- [ ] Run the pre-commit checks successfully. -- [ ] Run the relevant tests successfully. -- [ ] Ensure any 3rd party code adheres with our [license policy](https://www.notion.so/gruntwork/Gruntwork-licenses-and-open-source-usage-policy-f7dece1f780341c7b69c1763f22b1378) or delete this line if its not applicable. +- Ensure the branch is named correctly with the issue number (see developer guidelines for guidance) +- Update the documentation +- Keep the changes backward compatible where possible +- Run the pre-commit checks until everything passes successfully +- Run the relevant tests until everything runs successfully ## Related Issues - - -## what - -- Describe high-level what changed as a result of these commits (i.e. in plain-english, what do these changes mean?) -- Use bullet points to be concise and to the point. - -## why - -- Provide the justifications for the changes (e.g. business case). -- Describe why these changes were made (e.g. why do these commits fix the problem?) -- Use bullet points to be concise and to the point. - -## references - -- Link to any supporting github issues or helpful documentation to add some context (e.g. stackoverflow). -- Use `closes #123`, if this PR closes a GitHub issue `#123` +Link to any supporting GitHub issues or helpful documentation to add some context (e.g. stackoverflow). diff --git a/kics.config b/kics.config new file mode 100644 index 0000000..bac9c2d --- /dev/null +++ b/kics.config @@ -0,0 +1,15 @@ +exclude-categories: +exclude-paths: + - ".terraform" + - "*/.terraform" +exclude-queries: + - e592a0c5-5bdb-414c-9066-5dba7cdea370 #IAM Access Analyzer Undefined - always disable +fail-on: + - high + - medium +minimal-ui: false +no-color: false +no-progress: true +preview-lines: 3 +silent: false +verbose: false diff --git a/main.tf b/main.tf index e69de29..4e99905 100644 --- a/main.tf +++ b/main.tf @@ -0,0 +1,127 @@ +module "this_label" { + source = "git::github.com/xoap-io/terraform-aws-misc-label?ref=v0.1.1" + context = var.context + attributes = ["hosting", var.site_name] +} +module "bucket" { + source = "git::github.com/xoap-io/terraform-aws-storage-s3.git?ref=v0.1.3" + context = var.context + name = var.site_name + website_enabled = true + error_document = var.error_document + index_document = var.index_document + routing_rules = var.routing_rules + cors_allowed_methods = var.cors_allowed_methods + cors_allowed_origins = var.cors_allowed_origins + cors_allowed_header = var.cors_allowed_headers + cors_exposed_header = var.cors_expose_headers + kms_arn = "" + logging_bucket = "" + disable_public_access = false +} +resource "aws_cloudfront_cache_policy" "this" { + name = module.this_label.id + min_ttl = var.cf_min_ttl + default_ttl = var.cf_default_ttl + max_ttl = var.cf_max_ttl + parameters_in_cache_key_and_forwarded_to_origin { + enable_accept_encoding_gzip = true + enable_accept_encoding_brotli = true + cookies_config { + cookie_behavior = var.cf_max_ttl == 0 ? "none" : "all" + } + headers_config { + header_behavior = "none" + } + query_strings_config { + query_string_behavior = "none" + } + + } +} +resource "aws_cloudfront_origin_request_policy" "this" { + name = module.this_label.id + cookies_config { + cookie_behavior = "all" + } + headers_config { + header_behavior = "none" + } + query_strings_config { + query_string_behavior = "all" + + } + +} +resource "aws_cloudfront_response_headers_policy" "this" { + name = module.this_label.id + + cors_config { + access_control_allow_credentials = false + + access_control_allow_headers { + items = var.cors_allowed_headers + } + + access_control_allow_methods { + items = concat(var.cors_allowed_methods, ["OPTIONS"]) + } + + access_control_allow_origins { + items = var.cors_allowed_origins + } + + origin_override = true + } +} +#tfsec:ignore:AWS045 +resource "aws_cloudfront_distribution" "this" { + origin { + domain_name = module.bucket.website_endpoint + origin_id = var.s3_origin_id + origin_path = var.origin_path + custom_origin_config { + http_port = 80 + https_port = 443 + origin_protocol_policy = "http-only" + origin_ssl_protocols = ["TLSv1.2"] + } + } + dynamic "custom_error_response" { + for_each = var.custom_error_response != null ? var.custom_error_response : [] + content { + error_code = custom_error_response.value.error_code + response_code = custom_error_response.value.response_code + response_page_path = custom_error_response.value.response_page_path + } + } + enabled = true + is_ipv6_enabled = true + default_root_object = var.default_root_object + aliases = var.cloudfront_aliases + default_cache_behavior { + allowed_methods = var.allowed_methods + cached_methods = var.cached_methods + target_origin_id = var.s3_origin_id + compress = true + cache_policy_id = aws_cloudfront_cache_policy.this.id + origin_request_policy_id = aws_cloudfront_origin_request_policy.this.id + viewer_protocol_policy = var.viewer_protocol_policy + response_headers_policy_id = aws_cloudfront_response_headers_policy.this.id + } + price_class = var.cf_price_class + viewer_certificate { + acm_certificate_arn = var.cloudfront_certificate_arn + ssl_support_method = "sni-only" + minimum_protocol_version = var.minimum_tls_version + } + restrictions { + geo_restriction { + restriction_type = "none" + } + } + # logging_config { + # bucket = data.aws_s3_bucket.logging.bucket_domain_name + # prefix = "${module.this_label.id}/" + # } +} diff --git a/outputs.tf b/outputs.tf index 0c04529..1becafd 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,4 +1,28 @@ -output "context" { - value = var.context - description = "Exported context from input variable" +output "cloudfront_hostname" { + value = aws_cloudfront_distribution.this.domain_name +} +output "cloudfront_zone_id" { + value = aws_cloudfront_distribution.this.hosted_zone_id +} +output "s3" { + value = module.bucket +} +output "aliases" { + value = var.cloudfront_aliases +} +output "this" { + value = [ + for instance in var.cloudfront_aliases : + { + alias = instance + zone = aws_cloudfront_distribution.this.hosted_zone_id + hostname = aws_cloudfront_distribution.this.domain_name + } + ] +} +output "cloudfront_id" { + value = aws_cloudfront_distribution.this.id +} +output "cloudfront_arn" { + value = aws_cloudfront_distribution.this.arn } diff --git a/variables.tf b/variables.tf index 96c1e35..0c61fbe 100644 --- a/variables.tf +++ b/variables.tf @@ -1,3 +1,171 @@ +variable "site_name" { + description = "Name of bucket to be created in S3. Must be globally unique." + type = string +} +variable "cf_default_ttl" { + description = "CloudFront default TTL for cachine" + type = string + default = "86400" +} +variable "cf_min_ttl" { + description = "CloudFront minimum TTL for caching" + type = string + default = "0" +} +variable "cf_max_ttl" { + description = "CloudFront maximum TTL for caching" + type = string + default = "31536000" +} +variable "cf_price_class" { + description = "CloudFront price class" + type = string + default = "PriceClass_All" +} +variable "allowed_methods" { + description = "Allowed methods for accessing the CloudFront Distribution" + type = list(string) + default = ["GET", "HEAD", "OPTIONS"] +} +variable "cached_methods" { + description = "Cache methods for accessing the CloudFront Distribution" + type = list(string) + default = ["GET", "HEAD"] +} +variable "cors_allowed_headers" { + description = "List of headers allowed in CORS" + type = list(string) + default = [] +} +variable "cors_allowed_methods" { + description = "List of methods allowed in CORS" + type = list(string) + default = ["GET"] +} +variable "cors_allowed_origins" { + description = "List of origins allowed to make CORS requests" + type = list(string) + default = ["https://s3.amazonaws.com"] +} +variable "cors_expose_headers" { + description = "List of headers to expose in CORS response" + type = list(string) + default = [] +} +variable "cors_max_age_seconds" { + description = "Specifies time in seconds that browser can cache the response for a preflight request" + type = string + default = 3000 +} +variable "custom_error_response" { + description = "Optionally a list of custom error response configurations for CloudFront distribution" + type = set(object({ + error_code = number + response_code = number + response_page_path = string + })) + default = null +} +variable "default_root_object" { + description = "CloudFront distribution default_root_object" + type = string + default = "index.html" +} +variable "error_document" { + description = "Error page document in S3 bucket" + type = string + default = "404.html" +} +variable "index_document" { + description = "Index page document in S3 bucket" + type = string + default = "index.html" +} +variable "origin_path" { + description = "Path in S3 bucket for hosted files, with leading slash" + type = string + default = "" +} +variable "routing_rules" { + description = "A json array containing routing rules describing redirect behavior and when redirects are applied" + type = map(string) + default = { + "/" = "index.html" + } +} +variable "minimum_tls_version" { + type = string + default = "TLSv1.2_2021" + description = "Minimum support TLS version" +} +variable "s3_origin_id" { + description = "Origin ID used in CloudFront" + type = string + default = "s3-origin" +} +variable "viewer_protocol_policy" { + description = "One of allow-all, https-only, or redirect-to-https" + type = string + default = "redirect-to-https" +} +variable "logging_bucket" { + type = string + description = "Target Bucket name for logging" +} + +variable "cloudfront_certificate_arn" { + description = "ARN of the ACM certificate to use for cloudfront. Must be issued in us-east-1" + type = string +} +variable "cloudfront_aliases" { + description = "List of hostnames to serve site on. E.g. with and without www" + type = list(string) +} +variable "cloudfront_allowed_methods" { + description = "Allowed methods for accessing the CloudFront Distribution" + type = list(string) + default = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"] +} +variable "cloudfront_cached_methods" { + description = "Cache methods for accessing the CloudFront Distribution" + type = list(string) + default = ["GET", "HEAD"] +} +variable "cloudfront_minimum_tls_version" { + description = "Minimum allowed TLS version" + type = string + default = "TLSv1.2_2021" +} +variable "cloudfront_origin_id" { + description = "Origin ID used in CloudFront" + type = string + default = "alb" +} +variable "cloudfront_viewer_protocol_policy" { + description = "One of allow-all, https-only, or redirect-to-https" + type = string + default = "redirect-to-https" +} +variable "cloudfront_default_ttl" { + description = "CloudFront default TTL for cachine" + type = string + default = "1" +} +variable "cloudfront_min_ttl" { + description = "CloudFront minimum TTL for caching" + type = string + default = "0" +} +variable "cloudfront_max_ttl" { + description = "CloudFront maximum TTL for caching" + type = string + default = "10" +} +variable "cloudfront_price_class" { + description = "CloudFront price class" + type = string + default = "PriceClass_All" +} variable "context" { type = object({ organization = string @@ -6,5 +174,5 @@ variable "context" { product = string tags = map(string) }) - description = "Default context for naming and tagging purpose" + description = "Default environmental context" } diff --git a/versions.tf b/versions.tf index ff0d5d4..edad960 100644 --- a/versions.tf +++ b/versions.tf @@ -1,9 +1,9 @@ terraform { - required_version = ">= 1.1.6" required_providers { aws = { source = "hashicorp/aws" - version = ">=4.0.0" + version = ">= 4.8.0" } } + required_version = ">=1.1.6" }