initial commit

Author: IA Automator

.config/.checkov.yml

@@ -0,0 +1,15 @@
+download-external-modules: False
+evaluate-variables: true
+directory:
+- ./
+framework:
+- terraform
+skip-check:
+- CKV2_GCP*
+- CKV_AZURE*
+- CKV2_AZURE*
+- CKV_TF_1 # default to Terraform registry instead of Git
+summary-position: bottom
+output: 'cli'
+compact: True
+quiet: True

.config/.mdlrc

@@ -0,0 +1,5 @@
+# Ignoring the following rules
+# MD007 Unordered list indentation
+# MD013 Line length
+# MD029 Ordered list item prefix
+rules "~MD007", "~MD013", "~MD029"

.config/.terraform-docs.yaml

@@ -0,0 +1,20 @@
+formatter: markdown
+header-from: .header.md
+settings:
+  anchor: true
+  color: true
+  default: true
+  escape: true
+  html: true
+  indent: 2
+  required: true
+  sensitive: true
+  type: true
+
+sort:
+  enabled: true
+  by: required
+
+output:
+  file: README.md
+  mode: replace

.config/.tflint.hcl

@@ -0,0 +1,66 @@
+# https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/module-inspection.md
+# borrowed & modified indefinitely from https://github.com/ksatirli/building-infrastructure-you-can-mostly-trust/blob/main/.tflint.hcl
+
+plugin "aws" {
+  enabled = true
+  version = "0.22.1"
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+}
+
+config {
+  module = true
+  force  = false
+}
+
+rule "terraform_required_providers" {
+  enabled = true
+}
+
+rule "terraform_required_version" {
+  enabled = true
+}
+
+rule "terraform_naming_convention" {
+  enabled = true
+  format  = "snake_case"
+}
+
+rule "terraform_typed_variables" {
+  enabled = true
+}
+
+rule "terraform_unused_declarations" {
+  enabled = true
+}
+
+rule "terraform_comment_syntax" {
+  enabled = true
+}
+
+rule "terraform_deprecated_index" {
+  enabled = true
+}
+
+rule "terraform_deprecated_interpolation" {
+  enabled = true
+}
+
+rule "terraform_documented_outputs" {
+  enabled = true
+}
+
+rule "terraform_documented_variables" {
+  enabled = true
+}
+
+rule "terraform_module_pinned_source" {
+  enabled = true
+}
+
+rule "terraform_standard_module_structure" {
+  enabled = true
+}
+
+rule "terraform_workspace_remote" {
+  enabled = true
+}

.config/.tfsec.yml

@@ -0,0 +1,3 @@
+{
+  "minimum_severity": "MEDIUM"
+}

.config/.tfsec/launch_configuration_imdsv2_tfchecks.json

@@ -0,0 +1,39 @@
+{
+  "checks": [
+    {
+      "code": "CUS002",
+      "description": "Check to IMDSv2 is required on EC2 instances created by this Launch Template",
+      "impact": "Instance metadata service can be interacted with freely",
+      "resolution": "Enable HTTP token requirement for IMDS",
+      "requiredTypes": [
+        "resource"
+      ],
+      "requiredLabels": [
+        "aws_launch_configuration"
+      ],
+      "severity": "CRITICAL",
+      "matchSpec": {
+          "action": "isPresent",
+          "name": "metadata_options",
+          "subMatch": {
+            "action": "and",
+            "predicateMatchSpec": [
+              {
+                "action": "equals",
+                "name": "http_tokens",
+                "value": "required"
+
+              }
+            ]
+          }
+        },
+
+      "errorMessage": "is missing `metadata_options` block - it is required with `http_tokens` set to `required` to make Instance Metadata Service more secure.",
+      "relatedLinks": [
+        "https://tfsec.dev/docs/aws/ec2/enforce-http-token-imds#aws/ec2",
+        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#metadata-options",
+        "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service"
+      ]
+    }
+  ]
+}

.config/.tfsec/launch_template_imdsv2_tfchecks.json

@@ -0,0 +1,39 @@
+{
+  "checks": [
+    {
+      "code": "CUS001",
+      "description": "Check to IMDSv2 is required on EC2 instances created by this Launch Template",
+      "impact": "Instance metadata service can be interacted with freely",
+      "resolution": "Enable HTTP token requirement for IMDS",
+      "requiredTypes": [
+        "resource"
+      ],
+      "requiredLabels": [
+        "aws_launch_template"
+      ],
+      "severity": "CRITICAL",
+      "matchSpec": {
+          "action": "isPresent",
+          "name": "metadata_options",
+          "subMatch": {
+            "action": "and",
+            "predicateMatchSpec": [
+              {
+                "action": "equals",
+                "name": "http_tokens",
+                "value": "required"
+
+              }
+            ]
+          }
+        },
+
+      "errorMessage": "is missing `metadata_options` block - it is required with `http_tokens` set to `required` to make Instance Metadata Service more secure.",
+      "relatedLinks": [
+        "https://tfsec.dev/docs/aws/ec2/enforce-http-token-imds#aws/ec2",
+        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options",
+        "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service"
+      ]
+    }
+  ]
+}

.config/.tfsec/no_launch_config_tfchecks.json

@@ -0,0 +1,27 @@
+{
+  "checks": [
+    {
+      "code": "CUS003",
+      "description": "Use `aws_launch_template` over `aws_launch_configuration",
+      "impact": "Launch configurations are not capable of versions",
+      "resolution": "Convert resource type and attributes to `aws_launch_template`",
+      "requiredTypes": [
+        "resource"
+      ],
+      "requiredLabels": [
+        "aws_launch_configuration"
+      ],
+      "severity": "MEDIUM",
+      "matchSpec": {
+          "action": "notPresent",
+          "name": "image_id"
+        },
+
+      "errorMessage": "should be changed to `aws_launch_template` since the functionality is the same but templates can be versioned.",
+      "relatedLinks": [
+        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template",
+        "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service"
+      ]
+    }
+  ]
+}

.config/.tfsec/sg_no_embedded_egress_rules_tfchecks.json

@@ -0,0 +1,27 @@
+{
+  "checks": [
+    {
+      "code": "CUS005",
+      "description": "Security group rules should be defined with `aws_security_group_rule` instead of embedded.",
+      "impact": "Embedded security group rules can cause issues during configuration updates.",
+      "resolution": "Move `egress` rules to `aws_security_group_rule` and attach to `aws_security_group`.",
+      "requiredTypes": [
+        "resource"
+      ],
+      "requiredLabels": [
+        "aws_security_group"
+      ],
+      "severity": "MEDIUM",
+      "matchSpec": {
+          "action": "notPresent",
+          "name": "egress"
+        },
+
+      "errorMessage": "`egress` rules should be moved to `aws_security_group_rule` and attached to `aws_security_group` instead of embedded.",
+      "relatedLinks": [
+        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule",
+        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group"
+      ]
+    }
+  ]
+}

.config/.tfsec/sg_no_embedded_ingress_rules_tfchecks.json

@@ -0,0 +1,27 @@
+{
+  "checks": [
+    {
+      "code": "CUS004",
+      "description": "Security group rules should be defined with `aws_security_group_rule` instead of embedded.",
+      "impact": "Embedded security group rules can cause issues during configuration updates.",
+      "resolution": "Move `ingress` rules to `aws_security_group_rule` and attach to `aws_security_group`.",
+      "requiredTypes": [
+        "resource"
+      ],
+      "requiredLabels": [
+        "aws_security_group"
+      ],
+      "severity": "MEDIUM",
+      "matchSpec": {
+          "action": "notPresent",
+          "name": "ingress"
+        },
+
+      "errorMessage": "`ingress` rules should be moved to `aws_security_group_rule` and attached to `aws_security_group` instead of embedded.",
+      "relatedLinks": [
+        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule",
+        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group"
+      ]
+    }
+  ]
+}

.config/functional_tests/post-entrypoint-helpers.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+## NOTE: this script runs at the end of functional test
+## Use this to load any configurations after the functional test 
+## TIPS: avoid modifying the .project_automation/functional_test/entrypoint.sh
+## migrate any customization you did on entrypoint.sh to this helper script
+echo "Executing Post-Entrypoint Helpers"

.config/functional_tests/pre-entrypoint-helpers.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+## NOTE: this script runs at the start of functional test
+## use this to load any configuration before the functional test 
+## TIPS: avoid modifying the .project_automation/functional_test/entrypoint.sh
+## migrate any customization you did on entrypoint.sh to this helper script
+echo "Executing Pre-Entrypoint Helpers"

.config/static_tests/post-entrypoint-helpers.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+## NOTE: this script runs at the end of static test
+## Use this to load any configurations after the static test 
+## TIPS: avoid modifying the .project_automation/static_test/entrypoint.sh
+## migrate any customization you did on entrypoint.sh to this helper script
+echo "Executing Post-Entrypoint Helpers"

.config/static_tests/pre-entrypoint-helpers.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+## NOTE: this script runs at the start of static test
+## use this to load any configuration before the static test 
+## TIPS: avoid modifying the .project_automation/static_test/entrypoint.sh
+## migrate any customization you did on entrypoint.sh to this helper script
+echo "Executing Pre-Entrypoint Helpers"

.copier-answers.yml

@@ -0,0 +1,6 @@
+# This file is auto-generated, changes will be overwritten
+_commit: v0.1.4
+_src_path: /task/5fb04518-3f98-11ef-99b5-ee50a2171c8f/projecttype
+starting_version: v0.0.0
+version_file: VERSION
+

.gitignore

@@ -0,0 +1,46 @@
+build/
+plan.out
+plan.out.json
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Exclude all .tfvars files, which are likely to contain sentitive data, such as
+# password, private keys, and other secrets. These should not be part of version 
+# control as they are data points which are potentially sensitive and subject 
+# to change depending on the environment.
+#
+*.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+.terraform.lock.hcl
+
+# Terratest / GoLang 
+go.mod
+go.sum
+
+# Terraform tests 
+tests/*.auto.tfvars

.header.md

@@ -0,0 +1,7 @@
+# Terraform Module Project
+
+:no_entry_sign: Do not edit this readme.md file. To learn how to change this content and work with this repository, refer to CONTRIBUTING.md
+
+## Readme Content
+
+This file will contain any instructional information about this module.

.pre-commit-config.yaml

@@ -0,0 +1,17 @@
+---
+fail_fast: false
+minimum_pre_commit_version: "2.6.0"
+repos:
+  -
+    repo: https://github.com/terraform-docs/terraform-docs
+    # To update run:
+    # pre-commit autoupdate --freeze
+    rev: 212db41760d7fc45d736d5eb94a483d0d2a12049  # frozen: v0.16.0
+    hooks:
+      - id: terraform-docs-go
+        args: 
+          - "--config=.config/.terraform-docs.yaml"
+          - "--lockfile=false"
+          - "--recursive"
+          - "--recursive-path=examples/"
+          - "./"