diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
new file mode 100644
index 0000000..07a5767
--- /dev/null
+++ b/.github/workflows/pre-commit.yml
@@ -0,0 +1,38 @@
+name: Pre-Commit Checks
+
+on:
+ pull_request:
+ branches:
+ - main
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ pre-commit:
+ name: Run pre-commit checks
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: endorama/asdf-parse-tool-versions@v1
+
+ - name: Setup Python
+ uses: actions/setup-python@v5.6.0
+ with:
+ python-version: ${{ env.PYTHON_VERSION }}
+
+ - name: Setup Trivy
+ uses: aquasecurity/setup-trivy@v0.2.3
+ with:
+ version: v${{ env.TRIVY_VERSION }}
+
+ - name: Setup OpenTofu
+ uses: opentofu/setup-opentofu@v1
+ with:
+ tofu_version: ${{ env.OPENTOFU_VERSION }}
+ tofu_wrapper: false
+
+ - name: Run Pre-Commit Checks
+ uses: pre-commit/action@v3.0.1
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..52c90e2
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,31 @@
+repos:
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v5.0.0
+ hooks:
+ - id: trailing-whitespace
+ - id: end-of-file-fixer
+ - id: check-yaml
+ - id: check-added-large-files
+ # Security
+ - id: detect-private-key
+ - repo: https://github.com/gitleaks/gitleaks
+ rev: v8.25.1
+ hooks:
+ - id: gitleaks
+ - repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.99.0
+ hooks:
+ - id: terraform_fmt
+ - id: terragrunt_fmt
+ - id: terraform_trivy
+ stages:
+ - manual
+ args:
+ - --hook-config=--parallelism-ci-cpu-cores=1
+ - --args=--ignorefile=__GIT_WORKING_DIR__/.trivyignore
+ - id: terraform_docs
+ stages:
+ - manual
+ args:
+ - --args=--config=.tfdocs-config.yml
+ - --hook-config=--create-file-if-not-exist=true
diff --git a/.tfdocs-config.yml b/.tfdocs-config.yml
new file mode 100644
index 0000000..c7ec506
--- /dev/null
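Review bot: Every third-party action in this workflow is pinned by a movable tag (`actions/checkout@v4`, `endorama/asdf-parse-tool-versions@v1`, `opentofu/setup-opentofu@v1`, `pre-commit/action@v3.0.1`), so the owner of any of those repositories can change what executes in this pipeline without a change here; pin each `uses:` to a full commit SHA and keep the version as a trailing comment, e.g. `uses: actions/checkout@<40-char-sha> # v4`. The workflow also declares no `permissions:` block, so the job's `GITHUB_TOKEN` inherits whatever the repository default is; nothing in these steps needs more than a read of the checkout, so add a top-level `permissions:` / `  contents: read`. The `PYTHON_VERSION`, `TRIVY_VERSION` and `OPENTOFU_VERSION` values read from `env` are presumably exported by the `asdf-parse-tool-versions` step from `.tool-versions`; a one-line comment above that step saying so would save the next reader a lookup.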
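Review bot: `terraform_trivy` is placed under `stages: [manual]`, which a plain `pre-commit run` skips, and as far as I can tell the default invocation of `pre-commit/action` (`pre-commit run --all-files`) skips it too, so the IaC security scan this config introduces will not actually execute on pull requests or on developers' commits. Either drop the `stages` entry so the scan runs on every commit, or add an explicit workflow step such as `pre-commit run --all-files --hook-stage manual terraform_trivy` and document that choice. Keeping `terraform_docs` manual is reasonable because it rewrites `README.md`, but say so in place, e.g. `# manual: rewrites README.md; run with --hook-stage manual` above the hook. The `# Security` comment sits above `detect-private-key` only, although `gitleaks` in the next repo entry is the other secret-scanning hook; a short comment on the gitleaks entry noting that it scans staged content and not history would make the coverage clear.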
+++ b/.tfdocs-config.yml
@@ -0,0 +1,19 @@
+formatter: markdown
+
+content: |-
+ {{ .Header }}
+ {{ .Footer }}
+ {{ .Inputs }}
+ {{ .Modules }}
+ {{ .Outputs }}
+ {{ .Providers }}
+ {{ .Requirements }}
+ {{ .Resources }}
+
+output:
+ file: README.md
+ mode: inject
+ template: |-
+
+ {{ .Content }}
+
diff --git a/.tool-versions b/.tool-versions
new file mode 100644
index 0000000..6ea41e8
--- /dev/null
+++ b/.tool-versions
@@ -0,0 +1,3 @@
+opentofu 1.8.7
+python 3.13.1
+trivy 0.58.2
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..92a842f
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,27 @@
+# Ignore warnings about cloudwatch log groups using customer-managed keys for encryption
+AVD-AWS-0017
+
+# DynamoDB
+AVD-AWS-0024
+AVD-AWS-0025
+
+# Ignore warnings about X-Ray tracing for Lambda functions
+AVD-AWS-0066
+
+# Ignore since S3 buckets block public access by default
+AVD-AWS-0086
+
+# Ignore since S3 buckets are encrypted by default
+AVD-AWS-0087
+AVD-AWS-0088
+AVD-AWS-0089
+AVD-AWS-0091
+AVD-AWS-0093
+AVD-AWS-0094
+AVD-AWS-0132
+
+# Ignore warnings about missing security group descriptions
+AVD-AWS-0124
+
+# Ignore warnings about encrypting SNS topics with KMS
+AVD-AWS-0136
diff --git a/README.md b/README.md
index 8714cb8..bb7924a 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,7 @@ The running instances can be accessed via SSM for debugging purposes.
 ```hcl
 module "squid_proxy" {
 source = "git@github.com:digorgonzola/squid_proxy.git?ref=v1.0.0"
-
+
 private_subnet_ids = ["subnet-10a214dfcd63a97a4", "subnet-c727b18850685046b"]
 public_subnet_ids = ["subnet-37f911e98a8616eee", "subnet-233bfad11fdd81dfd"]
 vpc_id = "vpc-1eb7bfbe312f068e1"
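Review bot: The block headed `# Ignore since S3 buckets are encrypted by default` silences seven distinct checks (`AVD-AWS-0087` through `AVD-AWS-0132`) under one encryption rationale, and from the trivy S3 check set as I recall it that ID range also covers public-access-block, logging and versioning rules rather than only encryption, so the comment does not justify most of what it suppresses; give each ID its own one-line reason (for example `# AVD-AWS-0089: bucket access logging not needed because ...`) after confirming each against the trivy check catalogue. `# DynamoDB` above `AVD-AWS-0024`/`AVD-AWS-0025` records no reason at all, and the `AVD-AWS-0086` rationale leans on an account-level S3 public-access default that nobody reviewing this repo can verify, so state the actual control instead. Because `.trivyignore` is a standing allow-list that the `terraform_trivy` hook always applies, entries meant to be revisited should carry trivy's expiry syntax (`AVD-AWS-0024 exp:2025-12-31`, if the pinned trivy 0.58.2 supports it) rather than being silenced indefinitely.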