Merge pull request #2 from aws-ia/2022-02-13-checkov-skip-check-for-a…

…pi-groups fix: Adding `checkov` ignore rule `CKV_K8S_49` for `kubernetes_role` on main.tf
aws-ia · Feb 14, 2023 · 12a1438 · 12a1438
2 parents ecb9a99 + 1fb24e9
commit 12a1438
Show file tree

Hide file tree

Showing 16 changed files with 45 additions and 334 deletions.
diff --git a/.gitignore b/.gitignore
@@ -41,4 +41,4 @@ terraform.rc
 go.mod
 go.sum
 
-.DS_Store
+.DS_Store
diff --git a/.header.md b/.header.md
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,11 +1,38 @@
----
-fail_fast: false
-minimum_pre_commit_version: "2.6.0"
 repos:
-  -
-    repo: https://github.com/aws-ia/pre-commit-configs
-    # To update run:
-    # pre-commit autoupdate --freeze
-    rev: 80ed3f0a164f282afaac0b6aec70e20f7e541932  # frozen: v1.5.0
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.4.0
     hooks:
-      - id: aws-ia-meta-hook
+      - id: trailing-whitespace
+        args: ['--markdown-linebreak-ext=md']
+      - id: end-of-file-fixer
+      - id: check-merge-conflict
+      - id: detect-private-key
+      - id: detect-aws-credentials
+        args: ['--allow-missing-credentials']
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.77.1
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_docs
+        args:
+          - '--args=--lockfile=false'
+      - id: terraform_tflint
+        args:
+          - '--args=--only=terraform_deprecated_interpolation'
+          - '--args=--only=terraform_deprecated_index'
+          - '--args=--only=terraform_unused_declarations'
+          - '--args=--only=terraform_comment_syntax'
+          - '--args=--only=terraform_documented_outputs'
+          - '--args=--only=terraform_documented_variables'
+          - '--args=--only=terraform_typed_variables'
+          - '--args=--only=terraform_module_pinned_source'
+          - '--args=--only=terraform_naming_convention'
+          - '--args=--only=terraform_required_version'
+          - '--args=--only=terraform_required_providers'
+          - '--args=--only=terraform_standard_module_structure'
+          - '--args=--only=terraform_workspace_remote'
+      - id: terraform_validate
+        exclude: deploy
+      - id: terraform_tfsec
+        args:
+          - --args=--concise-output
diff --git a/.terraform-docs.yaml b/.terraform-docs.yaml
diff --git a/.tflint.hcl b/.tflint.hcl
diff --git a/.tfsec/launch_configuration_imdsv2_tfchecks.json b/.tfsec/launch_configuration_imdsv2_tfchecks.json
diff --git a/.tfsec/launch_template_imdsv2_tfchecks.json b/.tfsec/launch_template_imdsv2_tfchecks.json
diff --git a/.tfsec/no_launch_config_tfchecks.json b/.tfsec/no_launch_config_tfchecks.json
diff --git a/.tfsec/sg_no_embedded_egress_rules_tfchecks.json b/.tfsec/sg_no_embedded_egress_rules_tfchecks.json
diff --git a/.tfsec/sg_no_embedded_ingress_rules_tfchecks.json b/.tfsec/sg_no_embedded_ingress_rules_tfchecks.json
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -1 +1 @@
-* @aws-ia/aws-ia
+* @aws-ia/aws-ia
diff --git a/README.md b/README.md
@@ -120,6 +120,7 @@ Make sure to replace the `${eks_cluster_id}`, `${AWS_REGION}` and `${TEAM_ROLE_A
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.72 |
+| <a name="requirement_awscc"></a> [awscc](#requirement\_awscc) | >= 0.24.0 |
 | <a name="requirement_kubectl"></a> [kubectl](#requirement\_kubectl) | >= 1.14 |
 | <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.10 |
 

diff --git a/examples/basic/README.md b/examples/basic/README.md
@@ -26,4 +26,4 @@ No inputs.
 ## Outputs
 
 No outputs.
-<!-- END_TF_DOCS -->
+<!-- END_TF_DOCS -->
diff --git a/main.tf b/main.tf
@@ -82,6 +82,7 @@ resource "kubernetes_cluster_role_binding" "team" {
 
 resource "kubernetes_role" "team" {
   for_each = var.application_teams
+  #checkov:skip=CKV_K8S_49:API Groups access required for first deployment.
   metadata {
     name      = "${each.key}-role"
     namespace = kubernetes_namespace.team[each.key].metadata[0].name
-Original file line number
+Diff line change
@@ Expand Up / @@ -41,4 +41,4 @@ terraform.rc @@
     go.mod
     go.sum
-    .DS_Store
+    .DS_Store