Running pre-commit on repo (#15)

* Running pre-commit on repo

* Ignoring terragrunt for pre-commit ci

* Pre-commit github actions

* Update action name

* [pre-commit.ci lite] apply automatic fixes

* Add README

* move tf docs to dedicated job, install tflint

* terraform-docs: automated action

* Remove terraform-docs from pre-commit

* Tweak names

* Re-enable tflint

* tflint autofix

* Upgrade

* Bump tflint version

* tweak tflint

* Add help output

* Fix autofix

* [pre-commit.ci lite] apply automatic fixes

* Fixing variable type to bool

* Update license and security markdown

* Add ci order

* Incorporate tf_docs into pre-commit for ease of autocorrect

* Reset readme

* [pre-commit.ci lite] apply automatic fixes

* cleanup

---------

Co-authored-by: pre-commit-ci-lite[bot] <117423508+pre-commit-ci-lite[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Author: 3 people

.github/workflows/pre-commit.yaml

@@ -0,0 +1,47 @@
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+jobs:
+  pre_commit:
+    name: Run pre-commit and commit any autocorrections
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v3
+      with:
+        terraform_version: 1.6.6
+    - name: Setup Terragrunt
+      uses: autero1/action-terragrunt@v1.1.0
+      with:
+        terragrunt_version: 0.54.8
+        # To avoid rate-limiting
+        token: ${{ secrets.GITHUB_TOKEN }}
+    - uses: terraform-linters/setup-tflint@v3
+      name: TFLint - Setup
+      with:
+        tflint_version: latest
+
+    - name: TFLint - Init
+      run: tflint --init
+      env:
+        # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+        GITHUB_TOKEN: ${{ github.token }}
+    - name: TFLint - Show version
+      run: tflint --version
+    - uses: actions/setup-python@v4
+      with:
+        python-version: 3.x
+    - name: Terraform Docs - Install
+      run: |
+        curl -sSLo ./terraform-docs.tar.gz https://terraform-docs.io/dl/v0.17.0/terraform-docs-v0.17.0-$(uname)-amd64.tar.gz
+        tar -xzf terraform-docs.tar.gz -- terraform-docs
+        chmod +x terraform-docs
+        echo $PATH
+        mv terraform-docs /usr/local/bin/terraform-docs
+        terraform-docs --version
+    - uses: pre-commit/action@v3.0.0
+    - uses: pre-commit-ci/lite-action@v1.0.1
+      if: always()

.pre-commit-config.yaml

@@ -2,19 +2,20 @@
 # See https://pre-commit.com/hooks.html for more hooks
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v4.5.0
     hooks:
     -   id: trailing-whitespace
     -   id: end-of-file-fixer
     -   id: check-yaml
         args: ["--allow-multiple-documents"]
     -   id: check-added-large-files
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.77.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+    rev: v1.85.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
     hooks:
       - id: terraform_fmt     #  args: ["--enable require-variable-braces,deprecate-which"]
       - id: terraform_tflint
-        exclude: .*
+        args:
+          - "--args=--fix"
       - id: terragrunt_fmt
       - id: terraform_docs
 ci:
@@ -26,5 +27,5 @@ ci:
     autoupdate_branch: ''
     autoupdate_commit_msg: '[pre-commit.ci] pre-commit autoupdate'
     autoupdate_schedule: weekly
-    skip: []
+    skip: [terraform_fmt, terraform_tflint, terragrunt_fmt, terraform_docs]
     submodules: false

LICENSE.md

@@ -0,0 +1,34 @@
+# License
+
+As a work of the [United States government](https://www.usa.gov/), this project
+is in the public domain within the United States of America.
+
+Additionally, we waive copyright and related rights in the work worldwide
+through the CC0 1.0 Universal public domain dedication.
+
+## CC0 1.0 Universal Summary
+
+This is a human-readable summary of the [Legal Code (read the full
+text)](https://creativecommons.org/publicdomain/zero/1.0/legalcode).
+
+### No Copyright
+
+The person who associated a work with this deed has dedicated the work to the
+public domain by waiving all of their rights to the work worldwide under
+copyright law, including all related and neighboring rights, to the extent
+allowed by law.
+
+You can copy, modify, distribute, and perform the work, even for commercial
+purposes, all without asking permission.
+
+### Other Information
+
+In no way are the patent or trademark rights of any person affected by CC0, nor
+are the rights that other persons may have in the work or in how the work is
+used, such as publicity or privacy rights.
+
+Unless expressly stated otherwise, the person who associated a work with this
+deed makes no warranties about the work, and disclaims liability for all uses
+of the work, to the fullest extent permitted by applicable law. When using or
+citing the work, you should not imply endorsement by the author or the
+affirmer.

README.md

@@ -0,0 +1,52 @@
+# batcave-tf-buckets
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.2 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.61.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.61.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_s3_bucket.landing_zone_buckets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_lifecycle_configuration.lifecycle_expiration_days](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
+| [aws_s3_bucket_ownership_controls.landing_zone_buckets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
+| [aws_s3_bucket_policy.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_public_access_block.landing_zone_buckets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_versioning.bucket_versioning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | n/a | `bool` | `true` | no |
+| <a name="input_lifecycle_expiration_days"></a> [lifecycle\_expiration\_days](#input\_lifecycle\_expiration\_days) | Number of days for object lifecycle to expire the objects in dev env.  Defaults to 0, which disables the rule | `number` | `"0"` | no |
+| <a name="input_replication_permission_iam_role"></a> [replication\_permission\_iam\_role](#input\_replication\_permission\_iam\_role) | n/a | `string` | `null` | no |
+| <a name="input_s3_bucket_kms_key_id"></a> [s3\_bucket\_kms\_key\_id](#input\_s3\_bucket\_kms\_key\_id) | KMS Key used to encrypt s3 buckets.  Defaults to null, which uses default aws/s3 key | `string` | `null` | no |
+| <a name="input_s3_bucket_names"></a> [s3\_bucket\_names](#input\_s3\_bucket\_names) | n/a | `list(string)` | `[]` | no |
+| <a name="input_sse_algorithm"></a> [sse\_algorithm](#input\_sse\_algorithm) | The server-side encryption algorithm to use. Valid values are AES256 and aws:kms, defaults to aws:kms. | `string` | `"aws:kms"` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | n/a | `map(any)` | `{}` | no |
+| <a name="input_versioning_enabled"></a> [versioning\_enabled](#input\_versioning\_enabled) | n/a | `bool` | `false` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_bucket_verisioning"></a> [bucket\_verisioning](#output\_bucket\_verisioning) | n/a |
+| <a name="output_s3_buckets"></a> [s3\_buckets](#output\_s3\_buckets) | n/a |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

SECURITY.md

@@ -0,0 +1,17 @@
+# Security and Responsible Disclosure Policy
+
+*Submit a vulnerability:* Unfortunately, we cannot accept secure submissions via
+email or via GitHub Issues. Please use our website to submit vulnerabilities at
+[https://hhs.responsibledisclosure.com](https://hhs.responsibledisclosure.com).
+HHS maintains an acknowledgements page to recognize your efforts on behalf of
+the American public, but you are also welcome to submit anonymously.
+
+Review the HHS Disclosure Policy and websites in scope:
+[https://www.hhs.gov/vulnerability-disclosure-policy/index.html](https://www.hhs.gov/vulnerability-disclosure-policy/index.html).
+
+This policy describes *what systems and types of research* are covered under this
+policy, *how to send* us vulnerability reports, and *how long* we ask security
+researchers to wait before publicly disclosing vulnerabilities.
+
+If you have other cybersecurity related questions, please contact us at
+[csirc@hhs.gov.](mailto:csirc@hhs.gov).

main.tf

@@ -1,4 +1,3 @@
-# S3 buckets for landing zone
 terraform {
   required_providers {
     aws = {
@@ -7,7 +6,6 @@ terraform {
     }
   }
   required_version = ">= 1.2"
-
 }
 
 resource "aws_s3_bucket" "landing_zone_buckets" {
@@ -18,24 +16,23 @@ resource "aws_s3_bucket" "landing_zone_buckets" {
 }
 
 locals {
-  buckets = aws_s3_bucket.landing_zone_buckets
 }
 
 resource "aws_s3_bucket_ownership_controls" "landing_zone_buckets" {
   ## Iterate over the list from var's to avoid some chicken/egg problems
-  for_each      = toset(var.s3_bucket_names)
+  for_each = toset(var.s3_bucket_names)
   ## Refer to the id from the bucket resource to retain the dependency
-  bucket   = aws_s3_bucket.landing_zone_buckets[each.value].id
+  bucket = aws_s3_bucket.landing_zone_buckets[each.value].id
   rule {
     object_ownership = "BucketOwnerEnforced"
   }
 }
 
 resource "aws_s3_bucket_public_access_block" "landing_zone_buckets" {
   ## Iterate over the list from var's to avoid some chicken/egg problems
-  for_each      = toset(var.s3_bucket_names)
+  for_each = toset(var.s3_bucket_names)
   ## Refer to the id from the bucket resource to retain the dependency
-  bucket   = aws_s3_bucket.landing_zone_buckets[each.value].id
+  bucket = aws_s3_bucket.landing_zone_buckets[each.value].id
 
   block_public_acls       = true
   block_public_policy     = true
@@ -47,7 +44,7 @@ resource "aws_s3_bucket_versioning" "bucket_versioning" {
   ## Iterate over the list from var's to avoid some chicken/egg problems
   for_each = var.versioning_enabled ? toset(var.s3_bucket_names) : []
   ## Refer to the id from the bucket resource to retain the dependency
-  bucket   = aws_s3_bucket.landing_zone_buckets[each.value].id
+  bucket = aws_s3_bucket.landing_zone_buckets[each.value].id
   versioning_configuration {
     status = "Enabled"
   }
@@ -57,7 +54,7 @@ resource "aws_s3_bucket_policy" "bucket" {
   ## Iterate over the list from var's to avoid some chicken/egg problems
   for_each = toset(var.s3_bucket_names)
   ## Refer to the id from the bucket resource to retain the dependency
-  bucket   = aws_s3_bucket.landing_zone_buckets[each.value].id
+  bucket = aws_s3_bucket.landing_zone_buckets[each.value].id
 
   policy = jsonencode({
     Version = "2012-10-17"
@@ -70,7 +67,7 @@ resource "aws_s3_bucket_policy" "bucket" {
         Action    = "s3:*"
         Resource = [
           "${aws_s3_bucket.landing_zone_buckets[each.value].arn}/*",
-          "${aws_s3_bucket.landing_zone_buckets[each.value].arn}",
+          aws_s3_bucket.landing_zone_buckets[each.value].arn,
         ]
         Condition = {
           Bool = {
@@ -85,7 +82,7 @@ resource "aws_s3_bucket_policy" "bucket" {
         Action    = "s3:*"
         Resource = [
           "${aws_s3_bucket.landing_zone_buckets[each.value].arn}/*",
-          "${aws_s3_bucket.landing_zone_buckets[each.value].arn}",
+          aws_s3_bucket.landing_zone_buckets[each.value].arn,
         ]
         Condition = {
           NumericLessThan = {
@@ -99,7 +96,7 @@ resource "aws_s3_bucket_policy" "bucket" {
           Sid    = "ReplicaPermissionsFiles"
           Effect = "Allow"
           Principal = {
-            "AWS" : "${var.replication_permission_iam_role}"
+            "AWS" : var.replication_permission_iam_role
           }
           Action = ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"]
           Resource = [
@@ -110,11 +107,11 @@ resource "aws_s3_bucket_policy" "bucket" {
           Sid    = "ReplicaPermissions"
           Effect = "Allow"
           Principal = {
-            "AWS" : "${var.replication_permission_iam_role}"
+            "AWS" : var.replication_permission_iam_role
           }
           Action = ["s3:GetReplicationConfiguration", "s3:ListBucket"]
           Resource = [
-            "${aws_s3_bucket.landing_zone_buckets[each.value].arn}",
+            aws_s3_bucket.landing_zone_buckets[each.value].arn,
           ]
         }
       ]
@@ -126,7 +123,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "bucket" {
   ## Iterate over the list from var's to avoid some chicken/egg problems
   for_each = toset(var.s3_bucket_names)
   ## Refer to the id from the bucket resource to retain the dependency
-  bucket   = aws_s3_bucket.landing_zone_buckets[each.value].id
+  bucket = aws_s3_bucket.landing_zone_buckets[each.value].id
 
   rule {
     apply_server_side_encryption_by_default {
@@ -141,7 +138,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "lifecycle_expiration_days" {
   ## Iterate over the list from var's to avoid some chicken/egg problems
   for_each = var.lifecycle_expiration_days > 0 ? toset(var.s3_bucket_names) : []
   ## Refer to the id from the bucket resource to retain the dependency
-  bucket   = aws_s3_bucket.landing_zone_buckets[each.value].id
+  bucket = aws_s3_bucket.landing_zone_buckets[each.value].id
 
   dynamic "rule" {
     for_each = var.lifecycle_expiration_days > 0 ? [1] : []

variables.tf

@@ -5,6 +5,7 @@ variable "s3_bucket_names" {
 
 variable "force_destroy" {
   default = true
+  type    = bool
 }
 
 variable "tags" {
@@ -36,6 +37,6 @@ variable "versioning_enabled" {
 }
 
 variable "replication_permission_iam_role" {
-  type     = string
-  default  = null
-}
+  type    = string
+  default = null
+}