digorgonzola · digorgonzola · May 1, 2025 · May 1, 2025 · May 1, 2025 · May 1, 2025
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -0,0 +1,38 @@
+name: Pre-Commit Checks
+
+on:
+  pull_request:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  pre-commit:
+    name: Run pre-commit checks
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: endorama/asdf-parse-tool-versions@v1
+
+      - name: Setup Python
+        uses: actions/setup-python@v5.6.0
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Setup Trivy
+        uses: aquasecurity/setup-trivy@v0.2.3
+        with:
+          version: v${{ env.TRIVY_VERSION }}
+
+      - name: Setup OpenTofu
+        uses: opentofu/setup-opentofu@v1
+        with:
+          tofu_version: ${{ env.OPENTOFU_VERSION }}
+          tofu_wrapper: false
+
+      - name: Run Pre-Commit Checks
+        uses: pre-commit/action@v3.0.1
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,31 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-added-large-files
+      # Security
+      - id: detect-private-key
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.25.1
+    hooks:
+      - id: gitleaks
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.99.0
+    hooks:
+      - id: terraform_fmt
+      - id: terragrunt_fmt
+      - id: terraform_trivy
+        stages:
+          - manual
+        args:
+          - --hook-config=--parallelism-ci-cpu-cores=1
+          - --args=--ignorefile=__GIT_WORKING_DIR__/.trivyignore
+      - id: terraform_docs
+        stages:
+          - manual
+        args:
+          - --args=--config=.tfdocs-config.yml
+          - --hook-config=--create-file-if-not-exist=true
diff --git a/.tfdocs-config.yml b/.tfdocs-config.yml
@@ -0,0 +1,19 @@
+formatter: markdown
+
+content: |-
+  {{ .Header }}
+  {{ .Footer }}
+  {{ .Inputs }}
+  {{ .Modules }}
+  {{ .Outputs }}
+  {{ .Providers }}
+  {{ .Requirements }}
+  {{ .Resources }}
+
+output:
+  file: README.md
+  mode: inject
+  template: |-
+    <!-- BEGIN_TF_DOCS -->
+    {{ .Content }}
+    <!-- END_TF_DOCS -->
diff --git a/.tool-versions b/.tool-versions
@@ -0,0 +1,3 @@
+opentofu 1.8.7
+python 3.13.1
+trivy 0.58.2
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,27 @@
+# Ignore warnings about cloudwatch log groups using customer-managed keys for encryption
+AVD-AWS-0017
+
+# DynamoDB
+AVD-AWS-0024
+AVD-AWS-0025
+
+# Ignore warnings about X-Ray tracing for Lambda functions
+AVD-AWS-0066
+
+# Ignore since S3 buckets block public access by default
+AVD-AWS-0086
+
+# Ignore since S3 buckets are encrypted by default
+AVD-AWS-0087
+AVD-AWS-0088
+AVD-AWS-0089
+AVD-AWS-0091
+AVD-AWS-0093
+AVD-AWS-0094
+AVD-AWS-0132
+
+# Ignore warnings about missing security group descriptions
+AVD-AWS-0124
+
+# Ignore warnings about encrypting SNS topics with KMS
+AVD-AWS-0136
diff --git a/README.md b/README.md
@@ -18,7 +18,7 @@ The running instances can be accessed via SSM for debugging purposes.
 ```hcl
 module "squid_proxy" {
   source = "git@github.com:digorgonzola/squid_proxy.git?ref=v1.0.0"
-  
+
   private_subnet_ids = ["subnet-10a214dfcd63a97a4", "subnet-c727b18850685046b"]
   public_subnet_ids  = ["subnet-37f911e98a8616eee", "subnet-233bfad11fdd81dfd"]
   vpc_id             = "vpc-1eb7bfbe312f068e1"