Merge branch 'main' into trunk-io/update-trunk

Author: westonplatter

.github/renovate.json5

@@ -3,16 +3,9 @@
     "config:best-practices",
     "github>aquaproj/aqua-renovate-config#2.7.5"
   ],
-  "schedule": [
-    "after 9am on the first day of the month"
-  ],
-  "assigneesFromCodeOwners": true,
-  "dependencyDashboardAutoclose": true,
-  "addLabels": [
-    "auto-upgrade"
-  ],
   "enabledManagers": [
-    "terraform"
+    "terraform",
+    "github-actions"
   ],
   "terraform": {
     "ignorePaths": [
@@ -23,34 +16,49 @@
       "\\.tofu$"
     ]
   },
+  "schedule": [
+    "after 9am on the first day of the month"
+  ],
+  "assigneesFromCodeOwners": true,
+  "dependencyDashboardAutoclose": true,
+  "addLabels": ["{{manager}}"],
   "packageRules": [
     {
-      "matchDepTypes": [
-        "optionalDependencies"
-      ],
-      // Allow auto merge if it's not a major version update
-      "matchUpdateTypes": [
-        "minor",
-        "patch",
-        "pin",
-        "digest"
-      ],
-      "automerge": true
+      "matchManagers": ["github-actions"],
+      "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
+      "automerge": true,
+      "automergeType": "branch",
+      "groupName": "github-actions-auto-upgrade",
+      "addLabels": ["auto-upgrade"]
+    },
+    {
+      "matchManagers": ["github-actions"],
+      "matchUpdateTypes": ["major"],
+      "groupName": "github-actions-needs-review",
+      "addLabels": ["needs-review"]
+    },
+    {
+      "matchManagers": ["terraform"],
+      "groupName": "tf",
+      "addLabels": ["needs-review"]
     },
     {
       "matchFileNames": ["**/*.tofu", "**/*.tf"],
       "matchDatasources": ["terraform-provider", "terraform-module"],
-      "registryUrls": ["https://registry.opentofu.org"]
+      "registryUrls": ["https://registry.opentofu.org"],
+      "groupName": "tf"
     },
     {
       "matchFileNames": ["**/*.tofu"],
       "matchDepTypes": ["required_version"],
-      "registryUrls": ["https://registry.opentofu.org"]
+      "registryUrls": ["https://registry.opentofu.org"],
+      "groupName": "tf"
     },
     {
       "matchFileNames": ["**/*.tf"],
       "matchDepTypes": ["required_version"],
-      "registryUrls": ["https://registry.terraform.io"]
+      "registryUrls": ["https://registry.terraform.io"],
+      "groupName": "tf"
     }
   ]
 }

.github/workflows/lint.yaml

@@ -1,5 +1,9 @@
 name: Lint
 
+concurrency:
+  group: lint-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 on: pull_request
 
 permissions:
@@ -13,6 +17,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out Git repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Trunk Check
-        uses: trunk-io/trunk-action@4d5ecc89b2691705fd08c747c78652d2fc806a94 #v1.1.19
+        uses: trunk-io/trunk-action@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19
+
+  conventional-title:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test.yaml

@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - main
-  pull_request:
+  pull_request_target:
 
 permissions:
   actions: read
@@ -13,9 +13,6 @@ permissions:
   id-token: write
   pull-requests: read
 
-env:
-  AWS_REGION: us-east-1
-
 jobs:
   tf-test:
     name: 🧪 ${{ matrix.tf }} test
@@ -24,46 +21,8 @@ jobs:
       matrix:
         tf: [tofu, terraform]
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - name: Aqua Cache
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
-        if: ${{ !github.event.act }} # Don't enable the cache step if we're using act for testing
+      - uses: masterpointio/github-action-tf-test@c3b619f3bca9e4f482b9e0fb3166ab3f02d9d54c # v1.0.0
         with:
-          path: ~/.local/share/aquaproj-aqua
-          key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('aqua.yaml')}}
-          restore-keys: |
-            v1-aqua-installer-${{runner.os}}-${{runner.arch}}-
-
-      - name: Install Aqua
-        uses: aquaproj/aqua-installer@5e54e5cee8a95ee2ce7c04cb993da6dfad13e59c # v3.2.1
-        with:
-          aqua_version: v2.48.1
-
-      - name: Aqua Install
-        shell: bash
-        run: aqua install --tags ${{ matrix.tf }}
-
-      - name: Check if TF AWS provider is used
-        id: check_aws_provider
-        run: |
-          if grep -q "aws" $(find . -name "versions.tf" -o -name "versions.tofu" -type f); then
-            echo "Found aws in versions.tf or versions.tofu files"
-            echo "contains_hashicorp=true" >> $GITHUB_OUTPUT
-          else
-            echo "No versions.tf or versions.tofu files contain aws"
-            echo "contains_hashicorp=false" >> $GITHUB_OUTPUT
-          fi
-
-      # Assume into the `masterpoint-testing` AWS account with OIDC for testing ONLY if the AWS provider is used
-      # Not needed for modules that don't use the AWS provider, for example, exclusive Spacelift modules
-      - name: Configure AWS Credentials on `masterpoint-testing` AWS Account
-        if: steps.check_aws_provider.outputs.contains_hashicorp == 'true'
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
-        with:
-          role-to-assume: arn:aws:iam::115843287071:role/mp-ue1-testing-oidc-github
-          role-session-name: GitHubActionsOIDC-MP-Infra-Repo
-          aws-region: ${{ env.AWS_REGION }}
-
-      - run: ${{ matrix.tf }} init
-      - run: ${{ matrix.tf }} test
+          tf_type: ${{ matrix.tf }}
+          aws_role_arn: ${{ vars.TF_TEST_AWS_ROLE_ARN }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/trunk-upgrade.yaml

@@ -27,8 +27,17 @@ jobs:
           private_key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
 
       - name: Upgrade
+        id: trunk-upgrade
         uses: trunk-io/trunk-action/upgrade@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19
         with:
           github-token: ${{ steps.generate-token.outputs.token }}
           reviewers: "@masterpointio/masterpoint-internal"
           prefix: "chore: "
+
+      - name: Merge PR automatically
+        if: steps.trunk-upgrade.outputs.pull-request-number != ''
+        env:
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+          PR_NUMBER: ${{ steps.trunk-upgrade.outputs.pull-request-number }}
+        run: |
+          gh pr merge "$PR_NUMBER" --squash --auto --delete-branch

.trunk/trunk.yaml

@@ -20,17 +20,17 @@ lint:
     # Incompatible with some Terraform features: https://github.com/tenable/terrascan/issues/1331
     - terrascan
   enabled:
-    - [email protected].0
+    - [email protected].6
     - [email protected]
     - [email protected]
-    - [email protected].413
+    - [email protected].420
     - git-diff-check
     - [email protected]
     - [email protected]
-    - tflint@0.56.0
-    - trivy@0.61.1
-    - [email protected].26
-    - [email protected].0
+    - tflint@0.57.0
+    - trivy@0.62.1
+    - [email protected].29
+    - [email protected].1
   ignore:
     - linters: [tofu]
       paths:

CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## [1.4.0](https://github.com/masterpointio/terraform-aws-ssm-agent/compare/v1.3.0...v1.4.0) (2025-05-15)
+
+
+### Features
+
+* allow configuring of additional security group rules ([#38](https://github.com/masterpointio/terraform-aws-ssm-agent/issues/38)) ([5f9e32d](https://github.com/masterpointio/terraform-aws-ssm-agent/commit/5f9e32deeaf207b4ebf7a8a7a924cf132d3fb44a))
+
+
+### Bug Fixes
+
+* **gha:** tf test pr target ([#40](https://github.com/masterpointio/terraform-aws-ssm-agent/issues/40)) ([5a2e766](https://github.com/masterpointio/terraform-aws-ssm-agent/commit/5a2e766f9c92f096aa81ca35e22e5b22e80a7230))
+
 ## [1.3.0](https://github.com/masterpointio/terraform-aws-ssm-agent/compare/1.2.1...v1.3.0) (2025-01-04)
 
 

LICENSE

@@ -187,7 +187,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2024 Masterpoint
+   Copyright 2025 Masterpoint
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

README.md

@@ -20,7 +20,6 @@ Big shout out to the following projects which this project uses/depends on/menti
 1. [cloudposse/terraform-aws-dynamic-subnets](https://github.com/cloudposse/terraform-aws-dynamic-subnets)
 1. [cloudposse/terraform-aws-kms-key](https://github.com/cloudposse/terraform-aws-kms-key)
 1. [cloudposse/terraform-aws-s3-bucket](https://github.com/cloudposse/terraform-aws-s3-bucket)
-1. Cloud Posse's Terratest Setup.
 
 ![SSM Agent Session Manager Example](https://i.imgur.com/lWcRiQf.png)
 
@@ -116,6 +115,7 @@ Use [the awesome `gossm` project](https://github.com/gjbae1212/gossm).
 | [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_launch_template.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource |
 | [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group_rule.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.allow_all_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_ssm_document.session_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_document) | resource |
 | [null_resource.validate_instance_type](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
@@ -131,6 +131,7 @@ Use [the awesome `gossm` project](https://github.com/gjbae1212/gossm).
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_additional_security_group_ids"></a> [additional\_security\_group\_ids](#input\_additional\_security\_group\_ids) | Security groups that will be attached to the app instances | `list(string)` | `[]` | no |
+| <a name="input_additional_security_group_rules"></a> [additional\_security\_group\_rules](#input\_additional\_security\_group\_rules) | Additional security group rules that will be attached to the primary security group | <pre>map(object({<br/>    type      = string<br/>    from_port = number<br/>    to_port   = number<br/>    protocol  = string<br/><br/>    description      = optional(string)<br/>    cidr_blocks      = optional(list(string))<br/>    ipv6_cidr_blocks = optional(list(string))<br/>    prefix_list_ids  = optional(list(string))<br/>    self             = optional(bool)<br/>  }))</pre> | `{}` | no |
 | <a name="input_additional_tag_map"></a> [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.<br/>This is for some rare cases where resources want additional configuration of tags<br/>and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
 | <a name="input_ami"></a> [ami](#input\_ami) | The AMI to use for the SSM Agent EC2 Instance. If not provided, the latest Amazon Linux 2023 AMI will be used. Note: This will update periodically as AWS releases updates to their AL2023 AMI. Pin to a specific AMI if you would like to avoid these updates. | `string` | `""` | no |
 | <a name="input_architecture"></a> [architecture](#input\_architecture) | The architecture of the AMI (e.g., x86\_64, arm64) | `string` | `"arm64"` | no |

main.tf

@@ -159,6 +159,23 @@ resource "aws_security_group_rule" "allow_all_egress" {
   security_group_id = aws_security_group.default.id
 }
 
+resource "aws_security_group_rule" "additional" {
+  for_each = var.additional_security_group_rules
+
+  type      = lookup(each.value, "type")
+  from_port = lookup(each.value, "from_port")
+  to_port   = lookup(each.value, "to_port")
+  protocol  = lookup(each.value, "protocol")
+
+  description      = lookup(each.value, "description", null)
+  cidr_blocks      = lookup(each.value, "cidr_blocks", null)
+  ipv6_cidr_blocks = lookup(each.value, "ipv6_cidr_blocks", null)
+  prefix_list_ids  = lookup(each.value, "prefix_list_ids", null)
+  self             = lookup(each.value, "self", null)
+
+  security_group_id = aws_security_group.default.id
+}
+
 #######################
 ## SECURITY LOGGING ##
 #####################

variables.tf

@@ -62,6 +62,23 @@ variable "additional_security_group_ids" {
   default     = []
 }
 
+variable "additional_security_group_rules" {
+  description = "Additional security group rules that will be attached to the primary security group"
+  type = map(object({
+    type      = string
+    from_port = number
+    to_port   = number
+    protocol  = string
+
+    description      = optional(string)
+    cidr_blocks      = optional(list(string))
+    ipv6_cidr_blocks = optional(list(string))
+    prefix_list_ids  = optional(list(string))
+    self             = optional(bool)
+  }))
+  default = {}
+}
+
 variable "monitoring_enabled" {
   description = "Enable detailed monitoring of instance"
   type        = bool