From a7119a2530ecb8bdeabd344aff00608512ba5224 Mon Sep 17 00:00:00 2001
From: Charles Bushong
Date: Thu, 21 Dec 2023 13:55:02 -0500
Subject: [PATCH 1/3] Adding pre-commit config
---
 .github/workflows/pre-commit.yaml | 47 +++++++++++++++++++++++++++++++
 .pre-commit-config.yaml | 18 ++++++++++--
 2 files changed, 62 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/pre-commit.yaml
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
new file mode 100644
index 0000000..5dbd054
--- /dev/null
+++ b/.github/workflows/pre-commit.yaml
@@ -0,0 +1,47 @@
+on:
+ pull_request:
+ push:
+ branches: [main]
+
+jobs:
+ pre_commit:
+ name: Run pre-commit and commit any autocorrections
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: 1.6.6
+ - name: Setup Terragrunt
+ uses: autero1/action-terragrunt@v1.1.0
+ with:
+ terragrunt_version: 0.54.8
+ # To avoid rate-limiting
+ token: ${{ secrets.GITHUB_TOKEN }}
+ - uses: terraform-linters/setup-tflint@v3
+ name: TFLint - Setup
+ with:
+ tflint_version: latest
+
+ - name: TFLint - Init
+ run: tflint --init
+ env:
+ # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+ GITHUB_TOKEN: ${{ github.token }}
+ - name: TFLint - Show version
+ run: tflint --version
+ - uses: actions/setup-python@v4
+ with:
+ python-version: 3.x
+ - name: Terraform Docs - Install
+ run: |
+ curl -sSLo ./terraform-docs.tar.gz https://terraform-docs.io/dl/v0.17.0/terraform-docs-v0.17.0-$(uname)-amd64.tar.gz
+ tar -xzf terraform-docs.tar.gz -- terraform-docs
+ chmod +x terraform-docs
+ echo $PATH
+ mv terraform-docs /usr/local/bin/terraform-docs
+ terraform-docs --version
+ - uses: pre-commit/action@v3.0.0
+ - uses: pre-commit-ci/lite-action@v1.0.1
+ if: always()
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 11d16c9..ab25c67 100644
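Review bot: The `Terraform Docs - Install` step fetches a release tarball with `curl` and moves the binary into `/usr/local/bin` without checking a digest or signature, so anything that can alter the download (a compromised host, a redirect, a re-tagged release) runs with the job's credentials, and the `pre-commit-ci/lite-action` step that follows can then commit whatever that code writes into the tree. Pin the expected digest next to the version and verify it before extracting, e.g. `echo "${TERRAFORM_DOCS_SHA256}  terraform-docs.tar.gz" | sha256sum -c -` with the value copied from the upstream v0.17.0 release's checksum file. The same supply-chain exposure applies to the seven actions referenced by mutable tags (`actions/checkout@v3`, `autero1/action-terragrunt@v1.1.0`, `pre-commit/action@v3.0.0`, …) and to `tflint_version: latest`; pin the actions to a full commit SHA with the tag in a trailing comment and tflint to an explicit version, so that a dependency-update bot is the only way they move. There is also no top-level `permissions:` block, so the job inherits the repository's default `GITHUB_TOKEN` scope; `permissions: { contents: read }` covers the steps shown, since the lite action appears to push through its own app identity (patch 3 in this series is authored by `pre-commit-ci-lite[bot]` — confirm against its documentation). `echo $PATH` looks like leftover debugging and can go.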
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -2,7 +2,7 @@
 # See https://pre-commit.com/hooks.html for more hooks
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v4.4.0
+ rev: v4.5.0
 hooks:
 - id: trailing-whitespace
 - id: end-of-file-fixer
@@ -10,10 +10,22 @@ repos:
 args: ["--allow-multiple-documents"]
 - id: check-added-large-files
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.77.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+ rev: v1.85.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
 hooks:
 - id: terraform_fmt # args: ["--enable require-variable-braces,deprecate-which"]
 - id: terraform_tflint
- exclude: .*
+ args:
+ - "--args=--fix"
 - id: terragrunt_fmt
 - id: terraform_docs
+ci:
+ autofix_commit_msg: |
+ [pre-commit.ci] auto fixes from pre-commit.com hooks
+
+ for more information, see https://pre-commit.ci
+ autofix_prs: true
+ autoupdate_branch: ''
+ autoupdate_commit_msg: '[pre-commit.ci] pre-commit autoupdate'
+ autoupdate_schedule: weekly
+ skip: [terraform_fmt, terraform_tflint, terragrunt_fmt, terraform_docs]
+ submodules: false
From 3af21b12a8f0a8b22eb5e414f71a8ccaf107baf8 Mon Sep 17 00:00:00 2001
From: Charles Bushong
Date: Thu, 21 Dec 2023 13:55:04 -0500
Subject: [PATCH 2/3] Adding markdown files
---
 LICENSE.md | 34 ++++++++++++++++++++++++++++++++++
 README.md | 5 +++++
 SECURITY.md | 17 +++++++++++++++++
 3 files changed, 56 insertions(+)
 create mode 100644 LICENSE.md
 create mode 100644 README.md
 create mode 100644 SECURITY.md
diff --git a/LICENSE.md b/LICENSE.md
new file mode 100644
index 0000000..f2a0872
--- /dev/null
+++ b/LICENSE.md
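Review bot: `--args=--fix` on the `terraform_tflint` hook makes tflint rewrite `.tf` files inside the hook, and together with `autofix_prs: true` and the lite action in the workflow those rewrites get committed by a bot instead of surfacing as findings for a human to act on; in CI a linter should fail the run and leave the edit to the author, so drop `--fix` from the committed config (developers can still run `tflint --fix` locally) or at least note next to it that bot-authored fix commits need the same review as any other change. Removing `exclude: .*` enables the hook for the whole repository, which is presumably the intent, but it also means `tflint --init` in the workflow now pulls whichever plugin versions `.tflint.hcl` names — that file is not in this diff, so confirm it pins each plugin `version` rather than floating. The `ci.skip` list disables every Terraform hook on pre-commit.ci, consistent with those tools not being installed there, and a one-line comment above it would save the next reader the inference: `# terraform/terragrunt/tflint hooks only run in .github/workflows/pre-commit.yaml`. The bumped `rev`s (`v4.5.0`, `v1.85.0`) are tags the upstream can move; `rev` accepts a full commit SHA if you want them immutable, bearing in mind that `autoupdate_schedule: weekly` rewrites `rev` to the latest tag.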
@@ -0,0 +1,34 @@
+# License
+
+As a work of the [United States government](https://www.usa.gov/), this project
+is in the public domain within the United States of America.
+
+Additionally, we waive copyright and related rights in the work worldwide
+through the CC0 1.0 Universal public domain dedication.
+
+## CC0 1.0 Universal Summary
+
+This is a human-readable summary of the [Legal Code (read the full
+text)](https://creativecommons.org/publicdomain/zero/1.0/legalcode).
+
+### No Copyright
+
+The person who associated a work with this deed has dedicated the work to the
+public domain by waiving all of their rights to the work worldwide under
+copyright law, including all related and neighboring rights, to the extent
+allowed by law.
+
+You can copy, modify, distribute, and perform the work, even for commercial
+purposes, all without asking permission.
+
+### Other Information
+
+In no way are the patent or trademark rights of any person affected by CC0, nor
+are the rights that other persons may have in the work or in how the work is
+used, such as publicity or privacy rights.
+
+Unless expressly stated otherwise, the person who associated a work with this
+deed makes no warranties about the work, and disclaims liability for all uses
+of the work, to the fullest extent permitted by applicable law. When using or
+citing the work, you should not imply endorsement by the author or the
+affirmer.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..68c138a
--- /dev/null
+++ b/README.md
@@ -0,0 +1,5 @@
+# batcave-tf-kms
+
+
+
+
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..90e23aa
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,17 @@
+# Security and Responsible Disclosure Policy
+
+*Submit a vulnerability:* Unfortunately, we cannot accept secure submissions via
+email or via GitHub Issues. Please use our website to submit vulnerabilities at
+[https://hhs.responsibledisclosure.com](https://hhs.responsibledisclosure.com).
+HHS maintains an acknowledgements page to recognize your efforts on behalf of
+the American public, but you are also welcome to submit anonymously.
+
+Review the HHS Disclosure Policy and websites in scope:
+[https://www.hhs.gov/vulnerability-disclosure-policy/index.html](https://www.hhs.gov/vulnerability-disclosure-policy/index.html).
+
+This policy describes *what systems and types of research* are covered under this
+policy, *how to send* us vulnerability reports, and *how long* we ask security
+researchers to wait before publicly disclosing vulnerabilities.
+
+If you have other cybersecurity related questions, please contact us at
+[csirc@hhs.gov.](mailto:csirc@hhs.gov).
From bb38196d6ebf73a64ef3b7db49590b24cf542003 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci-lite[bot]" <117423508+pre-commit-ci-lite[bot]@users.noreply.github.com>
Date: Thu, 21 Dec 2023 18:55:59 +0000
Subject: [PATCH 3/3] [pre-commit.ci lite] apply automatic fixes
---
 README.md | 41 +++++++++++++++++++++++++++++++++++++++++
 main.tf | 2 +-
 variables.tf | 6 +++---
 3 files changed, 45 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 68c138a..2c7c6fb 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,46 @@
 # batcave-tf-kms
+## Requirements
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_kms_alias.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [alias](#input\_alias) | n/a | `string` | `"alias/batcave-landing-sops"` | no |
+| [customer\_master\_key\_spec](#input\_customer\_master\_key\_spec) | n/a | `string` | `"SYMMETRIC_DEFAULT"` | no |
+| [deletion\_window\_in\_days](#input\_deletion\_window\_in\_days) | n/a | `string` | `"10"` | no |
+| [description](#input\_description) | n/a | `string` | `"KMS key"` | no |
+| [enable\_key\_rotation](#input\_enable\_key\_rotation) | n/a | `string` | `"true"` | no |
+| [is\_enabled](#input\_is\_enabled) | n/a | `string` | `"true"` | no |
+| [key\_usage](#input\_key\_usage) | n/a | `string` | `"ENCRYPT_DECRYPT"` | no |
+| [multi\_region](#input\_multi\_region) | n/a | `string` | `"false"` | no |
+| [name](#input\_name) | n/a | `string` | `"cms"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [alias](#output\_alias) | n/a |
+| [arn](#output\_arn) | ############################################################################### AWS KMS Key ############################################################################### |
+| [key\_id](#output\_key\_id) | n/a |
diff --git a/main.tf b/main.tf
index ac49144..5c0e9f5 100644
--- a/main.tf
+++ b/main.tf
@@ -9,7 +9,7 @@ resource "aws_kms_key" "this" {
 is_enabled = var.is_enabled
 enable_key_rotation = var.enable_key_rotation
 multi_region = var.multi_region
- tags = {
+ tags = {
 Name = var.name
 }
 }
diff --git a/variables.tf b/variables.tf
index c0c81ff..3ed985b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -4,7 +4,7 @@ variable "name" {
 variable "description" {
 default = "KMS key"
 }
-
+
 variable "deletion_window_in_days" {
 default = "10"
 }
@@ -12,7 +12,7 @@ variable "deletion_window_in_days" {
 variable "key_usage" {
 default = "ENCRYPT_DECRYPT"
 }
-
+
 variable "customer_master_key_spec" {
 default = "SYMMETRIC_DEFAULT"
 }
@@ -20,7 +20,7 @@ variable "customer_master_key_spec" {
 variable "is_enabled" {
 default = "true"
 }
-
+
 variable "enable_key_rotation" {
 default = "true"
 }