diff --git a/.gitignore b/.gitignore
index 3406448..52167fd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -41,4 +41,4 @@ terraform.rc
go.mod
go.sum
-.DS_Store
\ No newline at end of file
+.DS_Store
diff --git a/.header.md b/.header.md
deleted file mode 100644
index 4cd153d..0000000
--- a/.header.md
+++ /dev/null
@@ -1,63 +0,0 @@
-# Creating modules for AWS I&A Organization
-
-This repo template is used to seed Terraform Module templates for the [AWS I&A GitHub organization](https://github.com/aws-ia). Usage of this template is allowed per included license. PRs to this template will be considered but are not guaranteed to be included. Consider creating an issue to discuss a feature you want to include before taking the time to create a PR.
-
-
-### TL;DR
-
-1. [install pre-commit](https://pre-commit.com/#install)
- - Prerequisites:
- - [Python](https://docs.python.org/3/using/index.html)
- - [Pip](https://pip.pypa.io/en/stable/installation/)
-2. configure pre-commit: `pre-commit install`
-3. install required tools
- - [tflint](https://github.com/terraform-linters/tflint)
- - [tfsec](https://aquasecurity.github.io/tfsec/v1.0.11/)
- - [terraform-docs](https://github.com/terraform-docs/terraform-docs)
- - [golang](https://go.dev/doc/install) (for macos you can use `brew`)
- - [coreutils](https://www.gnu.org/software/coreutils/)
-
-Write code according to [I&A module standards](https://aws-ia.github.io/standards-terraform/)
-
-## Module Documentation
-
-**Do not manually update README.md**. README.md is automatically generated by pulling in content from other files. For instructions, including a fill-in-the-blank content template, see [Create readmes for Terraform-based Partner Solutions.](https://aws-ia-us-west-2.s3.us-west-2.amazonaws.com/docs/content/index.html#/lessons/8rpYWWL59M7dcS-NsjYmaISUu-L_UqEv)
-
-## Terratest
-
-Please include tests to validate your examples/<> root modules, at a minimum. This can be accomplished with usually only slight modifications to the [boilerplate test provided in this template](./test/examples_basic_test.go)
-
-### Configure and run Terratest
-
-1. Install
-
- [golang](https://go.dev/doc/install) (for macos you can use `brew`)
-2. Change directory into the test folder.
-
- `cd test`
-3. Initialize your test
-
- go mod init github.com/[github org]/[repository]
-
- `go mod init github.com/aws-ia/terraform-aws-vpc`
-4. Run tidy
-
- `go mod tidy`
-5. Install Terratest
-
- `go get github.com/gruntwork-io/terratest/modules/terraform`
-6. Run test (You can have multiple test files).
- - Run all tests
-
- `go test`
- - Run a specific test with a timeout
-
- `go test -run TestExamplesBasic -timeout 45m`
-
-## Module Standards
-
-For best practices and information on developing with Terraform, see the [I&A Module Standards](https://aws-ia.github.io/standards-terraform/)
-
-## Continuous Integration
-
-The I&A team uses AWS CodeBuild to perform continuous integration (CI) within the organization. Our CI uses the a repo's `.pre-commit-config.yaml` file as well as some other checks. All PRs with other CI will be rejected. See our [FAQ](https://aws-ia.github.io/standards-terraform/faq/#are-modules-protected-by-ci-automation) for more details.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index cbafa4b..29eff7d 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,11 +1,38 @@
----
-fail_fast: false
-minimum_pre_commit_version: "2.6.0"
repos:
- -
- repo: https://github.com/aws-ia/pre-commit-configs
- # To update run:
- # pre-commit autoupdate --freeze
- rev: 80ed3f0a164f282afaac0b6aec70e20f7e541932 # frozen: v1.5.0
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.4.0
hooks:
- - id: aws-ia-meta-hook
+ - id: trailing-whitespace
+ args: ['--markdown-linebreak-ext=md']
+ - id: end-of-file-fixer
+ - id: check-merge-conflict
+ - id: detect-private-key
+ - id: detect-aws-credentials
+ args: ['--allow-missing-credentials']
+ - repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.77.1
+ hooks:
+ - id: terraform_fmt
+ - id: terraform_docs
+ args:
+ - '--args=--lockfile=false'
+ - id: terraform_tflint
+ args:
+ - '--args=--only=terraform_deprecated_interpolation'
+ - '--args=--only=terraform_deprecated_index'
+ - '--args=--only=terraform_unused_declarations'
+ - '--args=--only=terraform_comment_syntax'
+ - '--args=--only=terraform_documented_outputs'
+ - '--args=--only=terraform_documented_variables'
+ - '--args=--only=terraform_typed_variables'
+ - '--args=--only=terraform_module_pinned_source'
+ - '--args=--only=terraform_naming_convention'
+ - '--args=--only=terraform_required_version'
+ - '--args=--only=terraform_required_providers'
+ - '--args=--only=terraform_standard_module_structure'
+ - '--args=--only=terraform_workspace_remote'
+ - id: terraform_validate
+ exclude: deploy
+ - id: terraform_tfsec
+ args:
+ - --args=--concise-output
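Review bot: The new hook sources are pinned to mutable tags (`rev: v4.4.0`, `rev: v1.77.1`) whereas the config they replace froze a commit SHA (`rev: 80ed3f0a… # frozen: v1.5.0`); a tag can be re-pointed upstream, so this weakens the supply-chain pin on code that executes on every developer commit. Re-freeze with `pre-commit autoupdate --freeze` so each `rev` is a full commit hash followed by a `# frozen: vX.Y.Z` comment. The `terraform_tfsec` hook at the bottom of the hunk now runs with only tfsec's built-in checks, because this same commit deletes the custom `.tfsec/` IMDSv2 and launch-template checks; tfsec does ship an `aws/ec2/enforce-http-token-imds` check (the deleted files link to it), but confirm it fires on this module's resources before relying on it as the replacement. Likewise the `terraform_tflint` `--only` list enables core `terraform_*` rules only, so the AWS ruleset plugin that the deleted `.tflint.hcl` turned on no longer runs unless it is configured somewhere outside this diff.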
diff --git a/.terraform-docs.yaml b/.terraform-docs.yaml
deleted file mode 100644
index 6dc99de..0000000
--- a/.terraform-docs.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-formatter: markdown
-header-from: .header.md
-settings:
- anchor: true
- color: true
- default: true
- escape: true
- html: true
- indent: 2
- required: true
- sensitive: true
- type: true
- lockfile: false
-
-sort:
- enabled: true
- by: required
-
-output:
- file: README.md
- mode: replace
diff --git a/.tflint.hcl b/.tflint.hcl
deleted file mode 100644
index 0e31ba5..0000000
--- a/.tflint.hcl
+++ /dev/null
@@ -1,66 +0,0 @@
-# https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/module-inspection.md
-# borrowed & modified indefinitely from https://github.com/ksatirli/building-infrastructure-you-can-mostly-trust/blob/main/.tflint.hcl
-
-plugin "aws" {
- enabled = true
- version = "0.14.0"
- source = "github.com/terraform-linters/tflint-ruleset-aws"
-}
-
-config {
- module = true
- force = false
-}
-
-rule "terraform_required_providers" {
- enabled = true
-}
-
-rule "terraform_required_version" {
- enabled = true
-}
-
-rule "terraform_naming_convention" {
- enabled = true
- format = "snake_case"
-}
-
-rule "terraform_typed_variables" {
- enabled = true
-}
-
-rule "terraform_unused_declarations" {
- enabled = true
-}
-
-rule "terraform_comment_syntax" {
- enabled = true
-}
-
-rule "terraform_deprecated_index" {
- enabled = true
-}
-
-rule "terraform_deprecated_interpolation" {
- enabled = true
-}
-
-rule "terraform_documented_outputs" {
- enabled = true
-}
-
-rule "terraform_documented_variables" {
- enabled = true
-}
-
-rule "terraform_module_pinned_source" {
- enabled = true
-}
-
-rule "terraform_standard_module_structure" {
- enabled = true
-}
-
-rule "terraform_workspace_remote" {
- enabled = true
-}
diff --git a/.tfsec/launch_configuration_imdsv2_tfchecks.json b/.tfsec/launch_configuration_imdsv2_tfchecks.json
deleted file mode 100644
index 308ef01..0000000
--- a/.tfsec/launch_configuration_imdsv2_tfchecks.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "checks": [
- {
- "code": "CUS002",
- "description": "Check to IMDSv2 is required on EC2 instances created by this Launch Template",
- "impact": "Instance metadata service can be interacted with freely",
- "resolution": "Enable HTTP token requirement for IMDS",
- "requiredTypes": [
- "resource"
- ],
- "requiredLabels": [
- "aws_launch_configuration"
- ],
- "severity": "CRITICAL",
- "matchSpec": {
- "action": "isPresent",
- "name": "metadata_options",
- "subMatch": {
- "action": "and",
- "predicateMatchSpec": [
- {
- "action": "equals",
- "name": "http_tokens",
- "value": "required"
-
- }
- ]
- }
- },
-
- "errorMessage": "is missing `metadata_options` block - it is required with `http_tokens` set to `required` to make Instance Metadata Service more secure.",
- "relatedLinks": [
- "https://tfsec.dev/docs/aws/ec2/enforce-http-token-imds#aws/ec2",
- "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#metadata-options",
- "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service"
- ]
- }
- ]
-}
diff --git a/.tfsec/launch_template_imdsv2_tfchecks.json b/.tfsec/launch_template_imdsv2_tfchecks.json
deleted file mode 100644
index e1f1aa7..0000000
--- a/.tfsec/launch_template_imdsv2_tfchecks.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "checks": [
- {
- "code": "CUS001",
- "description": "Check to IMDSv2 is required on EC2 instances created by this Launch Template",
- "impact": "Instance metadata service can be interacted with freely",
- "resolution": "Enable HTTP token requirement for IMDS",
- "requiredTypes": [
- "resource"
- ],
- "requiredLabels": [
- "aws_launch_template"
- ],
- "severity": "CRITICAL",
- "matchSpec": {
- "action": "isPresent",
- "name": "metadata_options",
- "subMatch": {
- "action": "and",
- "predicateMatchSpec": [
- {
- "action": "equals",
- "name": "http_tokens",
- "value": "required"
-
- }
- ]
- }
- },
-
- "errorMessage": "is missing `metadata_options` block - it is required with `http_tokens` set to `required` to make Instance Metadata Service more secure.",
- "relatedLinks": [
- "https://tfsec.dev/docs/aws/ec2/enforce-http-token-imds#aws/ec2",
- "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options",
- "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service"
- ]
- }
- ]
-}
diff --git a/.tfsec/no_launch_config_tfchecks.json b/.tfsec/no_launch_config_tfchecks.json
deleted file mode 100644
index 89b6328..0000000
--- a/.tfsec/no_launch_config_tfchecks.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- "checks": [
- {
- "code": "CUS003",
- "description": "Use `aws_launch_template` over `aws_launch_configuration",
- "impact": "Launch configurations are not capable of versions",
- "resolution": "Convert resource type and attributes to `aws_launch_template`",
- "requiredTypes": [
- "resource"
- ],
- "requiredLabels": [
- "aws_launch_configuration"
- ],
- "severity": "MEDIUM",
- "matchSpec": {
- "action": "notPresent",
- "name": "image_id"
- },
-
- "errorMessage": "should be changed to `aws_launch_template` since the functionality is the same but templates can be versioned.",
- "relatedLinks": [
- "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template",
- "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service"
- ]
- }
- ]
-}
diff --git a/.tfsec/sg_no_embedded_egress_rules_tfchecks.json b/.tfsec/sg_no_embedded_egress_rules_tfchecks.json
deleted file mode 100644
index ce43e66..0000000
--- a/.tfsec/sg_no_embedded_egress_rules_tfchecks.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- "checks": [
- {
- "code": "CUS005",
- "description": "Security group rules should be defined with `aws_security_group_rule` instead of embedded.",
- "impact": "Embedded security group rules can cause issues during configuration updates.",
- "resolution": "Move `egress` rules to `aws_security_group_rule` and attach to `aws_security_group`.",
- "requiredTypes": [
- "resource"
- ],
- "requiredLabels": [
- "aws_security_group"
- ],
- "severity": "MEDIUM",
- "matchSpec": {
- "action": "notPresent",
- "name": "egress"
- },
-
- "errorMessage": "`egress` rules should be moved to `aws_security_group_rule` and attached to `aws_security_group` instead of embedded.",
- "relatedLinks": [
- "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule",
- "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group"
- ]
- }
- ]
-}
diff --git a/.tfsec/sg_no_embedded_ingress_rules_tfchecks.json b/.tfsec/sg_no_embedded_ingress_rules_tfchecks.json
deleted file mode 100644
index 333ebc5..0000000
--- a/.tfsec/sg_no_embedded_ingress_rules_tfchecks.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- "checks": [
- {
- "code": "CUS004",
- "description": "Security group rules should be defined with `aws_security_group_rule` instead of embedded.",
- "impact": "Embedded security group rules can cause issues during configuration updates.",
- "resolution": "Move `ingress` rules to `aws_security_group_rule` and attach to `aws_security_group`.",
- "requiredTypes": [
- "resource"
- ],
- "requiredLabels": [
- "aws_security_group"
- ],
- "severity": "MEDIUM",
- "matchSpec": {
- "action": "notPresent",
- "name": "ingress"
- },
-
- "errorMessage": "`ingress` rules should be moved to `aws_security_group_rule` and attached to `aws_security_group` instead of embedded.",
- "relatedLinks": [
- "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule",
- "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group"
- ]
- }
- ]
-}
diff --git a/CODEOWNERS b/CODEOWNERS
index 1006f66..b713cc0 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -1 +1 @@
-* @aws-ia/aws-ia
\ No newline at end of file
+* @aws-ia/aws-ia
diff --git a/README.md b/README.md
index 87b49bf..c1aeeb3 100644
--- a/README.md
+++ b/README.md
@@ -120,6 +120,7 @@ Make sure to replace the `${eks_cluster_id}`, `${AWS_REGION}` and `${TEAM_ROLE_A
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0.0 |
| [aws](#requirement\_aws) | >= 3.72 |
+| [awscc](#requirement\_awscc) | >= 0.24.0 |
| [kubectl](#requirement\_kubectl) | >= 1.14 |
| [kubernetes](#requirement\_kubernetes) | >= 2.10 |
diff --git a/examples/basic/README.md b/examples/basic/README.md
index f53c234..6a963bc 100644
--- a/examples/basic/README.md
+++ b/examples/basic/README.md
@@ -26,4 +26,4 @@ No inputs.
## Outputs
No outputs.
-
\ No newline at end of file
+
diff --git a/main.tf b/main.tf
index 01478fc..8bbe09b 100644
--- a/main.tf
+++ b/main.tf
@@ -82,6 +82,7 @@ resource "kubernetes_cluster_role_binding" "team" {
resource "kubernetes_role" "team" {
for_each = var.application_teams
+ #checkov:skip=CKV_K8S_49:API Groups access required for first deployment.
metadata {
name = "${each.key}-role"
namespace = kubernetes_namespace.team[each.key].metadata[0].name
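Review bot: The `#checkov:skip=CKV_K8S_49` line waives the wildcard-API-group finding for every `kubernetes_role.team` instance (the resource is under `for_each = var.application_teams`), and the reason "required for first deployment" reads as a temporary condition with no owner or re-review trigger. The role's `rule` blocks are outside the hunk, so I cannot confirm that an `api_groups = ["*"]` entry is what the skip covers; if a narrower group list works after bootstrap, the blanket skip will hide that. Make the justification actionable, e.g. `#checkov:skip=CKV_K8S_49:wildcard api_groups needed for initial team bootstrap; re-scope to explicit groups once team CRDs are known (tracking: <issue>)`. Note also that the pre-commit config introduced in this commit runs tfsec but not checkov, so this suppression only takes effect wherever checkov runs in CI; the enclosing `resource "kubernetes_role" "team"` block continues past the end of the hunk.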
diff --git a/providers.tf b/providers.tf
deleted file mode 100644
index e492a2c..0000000
--- a/providers.tf
+++ /dev/null
@@ -1,13 +0,0 @@
-terraform {
- required_version = ">= 1.0.7"
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = ">= 4.0.0, < 5.0.0"
- }
- awscc = {
- source = "hashicorp/awscc"
- version = ">= 0.24.0"
- }
- }
-}
diff --git a/versions.tf b/versions.tf
index c91b6fb..eb6deab 100644
--- a/versions.tf
+++ b/versions.tf
@@ -14,5 +14,9 @@ terraform {
source = "gavinbunney/kubectl"
version = ">= 1.14"
}
+ awscc = {
+ source = "hashicorp/awscc"
+ version = ">= 0.24.0"
+ }
}
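Review bot: The new `awscc` requirement uses an open-ended lower bound (`version = ">= 0.24.0"`) on a 0.x provider, where breaking changes can land in any minor release, so a fresh `terraform init` may resolve to an incompatible provider; consider `version = ">= 0.24.0, < 1.0.0"` to keep the floor while capping the range. This hunk also absorbs the deleted `providers.tf`, which carried `aws` at `">= 4.0.0, < 5.0.0"` and `required_version = ">= 1.0.7"`; the `aws` block of `versions.tf` is outside this hunk and the README table in this diff shows `aws >= 3.72`, so confirm the `< 5.0.0` ceiling and the `1.0.7` floor were not silently dropped in the consolidation. The enclosing `terraform` block starts before this hunk.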
}