diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..42e189d
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,33 @@
+name: CI
+
+on:
+  pull_request:
+    types: ['opened', 'reopened', 'synchronize', 'ready_for_review']
+    paths:
+      - '**/*.tf'
+
+jobs:
+  validate:
+    name: Validate
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - uses: terraform-linters/setup-tflint@v6
+        name: Setup
+        with:
+          tflint_version: v0.52.0
+          cache: true
+
+      - name: init
+        run: tflint --init
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+
+      - name: lint
+        run: |
+          for dir in $(find . -type f -name "*.tf" -exec dirname {} \; | sort -u); do
+            echo "Linting $dir"
+            tflint --chdir "$dir" -f compact
+          done
diff --git a/lambda-function/README.md b/lambda-function/README.md
index dac8447..7d31a1a 100644
--- a/lambda-function/README.md
+++ b/lambda-function/README.md
@@ -62,7 +62,7 @@ module "static_site" {
   tags = {
     Project = "my-project"
     Service = "my-service"
-    Environment = "produdction"
+    Environment = "production"
   }
 }
 ```
diff --git a/lambda-function/providers.tf b/lambda-function/providers.tf
index 17b446f..6dfd123 100644
--- a/lambda-function/providers.tf
+++ b/lambda-function/providers.tf
@@ -1,8 +1,15 @@
 terraform {
+  required_version = ">= 1.13"
+
   required_providers {
     aws = {
       source = "hashicorp/aws"
       version = "~> 6"
     }
+
+    archive = {
+      source = "hashicorp/archive"
+      version = ">= 2.0.0, < 3.0.0"
+    }
   }
 }
diff --git a/lambda-layer/README.md b/lambda-layer/README.md
index da5a9c7..608c262 100644
--- a/lambda-layer/README.md
+++ b/lambda-layer/README.md
@@ -23,7 +23,7 @@ module "static_site" {
   tags = {
     Project = "my-project"
     Service = "my-service"
-    Environment = "produdction"
+    Environment = "production"
   }
 }
 ```
diff --git a/lambda-layer/providers.tf b/lambda-layer/providers.tf
index 17b446f..91978e7 100644
--- a/lambda-layer/providers.tf
+++ b/lambda-layer/providers.tf
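Review bot: The workflow declares no `permissions:` block, so the `${{ github.token }}` handed to `tflint --init` in the init step carries the repository's default token scope rather than the read-only scope this lint job needs; declare least privilege at the top level with `permissions:` / `  contents: read`. `actions/checkout@v6` and `terraform-linters/setup-tflint@v6` are referenced by mutable major-version tags; pinning each to a full commit SHA (tag kept in a trailing comment) makes the run reproducible and removes the tag-retarget exposure for the third-party action in particular. The `for dir in $(find …)` loop word-splits on whitespace, so a module directory with a space in its name would be linted as two paths; harmless while none exists, but a `find … -exec dirname {} \; | sort -u | while IFS= read -r dir; do … done` form avoids it.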
@@ -1,8 +1,20 @@
 terraform {
+  required_version = ">= 1.13"
+
   required_providers {
     aws = {
       source = "hashicorp/aws"
       version = "~> 6"
     }
+
+    null = {
+      source = "hashicorp/null"
+      version = ">= 3.0.0, < 4.0.0"
+    }
+
+    archive = {
+      source = "hashicorp/archive"
+      version = ">= 2.0.0, < 3.0.0"
+    }
   }
 }
diff --git a/oidc-github-actions-iam-role/README.md b/oidc-github-actions-iam-role/README.md
deleted file mode 100644
index c162661..0000000
--- a/oidc-github-actions-iam-role/README.md
+++ /dev/null
@@ -1,13 +0,0 @@
-# OIDC GitHub IAM Role
-
-## About
-
-This module allows you to setup an IAM role for GitHub OIDC:
-
-- IAM role with trust policy
-
-## Assumptions
-
-## Usage
-
-See `variables.tf` for the full argument reference.
diff --git a/oidc-github-actions-iam-role/outputs.tf b/oidc-github-actions-iam-role/outputs.tf
deleted file mode 100644
index ac1f327..0000000
--- a/oidc-github-actions-iam-role/outputs.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-output "role" {
-  value = {
-    arn = aws_iam_role.role.arn
-    id = aws_iam_role.role.id
-    name = aws_iam_role.role.name
-  }
-}
-
-output "policy" {
-  value = {
-    arn = aws_iam_role_policy.policy.name
-    id = aws_iam_role_policy.policy.id
-  }
-}
\ No newline at end of file
diff --git a/oidc-github-iam-role/README.md b/oidc-github-iam-role/README.md
new file mode 100644
index 0000000..46fdc9c
--- /dev/null
+++ b/oidc-github-iam-role/README.md
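Review bot: The new `null = {` requirement adds a third provider download for the layer module, while the `required_version = ">= 1.13"` declared in the same hunk already guarantees the built-in `terraform_data` resource, which covers the usual `null_resource` triggers/provisioner cases without an external provider. The resources that would need it are outside this diff, so this only applies if `null_resource` is what the module uses; if the provider is kept, a short comment on the `null = {` line naming the resource that depends on it would stop the next maintainer from removing it blindly.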
@@ -0,0 +1,53 @@
+# OIDC GitHub IAM Role
+
+## About
+
+This module allows you to setup an IAM role for GitHub OIDC.
+
+- IAM role with trust policy with `sub` pattern restrictions
+
+## Assumptions
+
+## Usage
+
+See `variables.tf` for the full argument reference.
+
+```hcl
+module "oidc_github_iam_role" {
+  source = "github.com/script47/aws-tf-modules/oidc-github-iam-role"
+
+  role_name = "my-role"
+
+  policy_name = "my-policy-name"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid = "FullAccess"
+        Effect = "Allow"
+        Action = ["s3:*"]
+        Resource = ["*"]
+      },
+      {
+        Sid = "DenyCustomerBucket"
+        Effect = "Deny"
+        Action = ["s3:*"]
+        Resource = [
+          "arn:aws:s3:::customer",
+          "arn:aws:s3:::customer/*"
+        ]
+      }
+    ]
+  })
+
+  policy_arns = [
+    "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"
+  ]
+
+  tags = {
+    Project = "my-project"
+    Service = "my-service"
+    Environment = "production"
+  }
+}
+```
diff --git a/oidc-github-actions-iam-role/data.tf b/oidc-github-iam-role/data.tf
similarity index 94%
rename from oidc-github-actions-iam-role/data.tf
rename to oidc-github-iam-role/data.tf
index bf55dd4..bdc1855 100644
--- a/oidc-github-actions-iam-role/data.tf
+++ b/oidc-github-iam-role/data.tf
@@ -22,7 +22,7 @@ data "aws_iam_policy_document" "assume_role_policy" {
     condition {
       test = "StringLike"
       variable = "token.actions.githubusercontent.com:sub"
-      values = ["repo:${var.repo}"]
+      values = ["repo:${var.sub}"]
     }
   }
 }
\ No newline at end of file
diff --git a/oidc-github-actions-iam-role/iam.tf b/oidc-github-iam-role/iam.tf
similarity index 62%
rename from oidc-github-actions-iam-role/iam.tf
rename to oidc-github-iam-role/iam.tf
index bcb9952..b083eb4 100644
--- a/oidc-github-actions-iam-role/iam.tf
+++ b/oidc-github-iam-role/iam.tf
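Review bot: `values = ["repo:${var.sub}"]` sits under `test = "StringLike"`, so any `*` or `?` in `var.sub` is evaluated as a wildcard in the trust policy rather than as literal text, and a caller who passes `*` or `org/*` widens the role to every repository the pattern matches; the new variable name does not make that visible where it is consumed. Add a comment above the `values` line, e.g. `# var.sub is a StringLike glob: keep the org/repo prefix literal, use wildcards only in the ref/environment part`, so the contract is documented where the condition is evaluated. No `aud` condition is visible in this hunk; the `assume_role_policy` document starts outside it, so one may be declared earlier and should be confirmed.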
@@ -5,7 +5,16 @@ resource "aws_iam_role" "role" {
 }
 
 resource "aws_iam_role_policy" "policy" {
+  count = var.policy != null ? 1 : 0
+
   name = var.policy_name
   role = aws_iam_role.role.id
   policy = var.policy
+}
+
+resource "aws_iam_role_policy_attachment" "policies" {
+  for_each = var.policy_arns
+
+  role = aws_iam_role.role.name
+  policy_arn = each.value
 }
\ No newline at end of file
diff --git a/oidc-github-iam-role/outputs.tf b/oidc-github-iam-role/outputs.tf
new file mode 100644
index 0000000..ee07185
--- /dev/null
+++ b/oidc-github-iam-role/outputs.tf
@@ -0,0 +1,14 @@
+output "role" {
+  value = {
+    arn = aws_iam_role.role.arn
+    id = aws_iam_role.role.id
+    name = aws_iam_role.role.name
+  }
+}
+
+output "policy" {
+  value = length(aws_iam_role_policy.policy) > 0 ? {
+    id = aws_iam_role_policy.policy[0].id
+    name = aws_iam_role_policy.policy[0].name
+  } : null
+}
\ No newline at end of file
diff --git a/oidc-github-actions-provider/providers.tf b/oidc-github-iam-role/providers.tf
similarity index 78%
rename from oidc-github-actions-provider/providers.tf
rename to oidc-github-iam-role/providers.tf
index 17b446f..5ec6724 100644
--- a/oidc-github-actions-provider/providers.tf
+++ b/oidc-github-iam-role/providers.tf
@@ -1,4 +1,6 @@
 terraform {
+  required_version = ">= 1.13"
+
   required_providers {
     aws = {
       source = "hashicorp/aws"
diff --git a/oidc-github-actions-iam-role/variables.tf b/oidc-github-iam-role/variables.tf
similarity index 56%
rename from oidc-github-actions-iam-role/variables.tf
rename to oidc-github-iam-role/variables.tf
index 2a4e4df..a54785b 100644
--- a/oidc-github-actions-iam-role/variables.tf
+++ b/oidc-github-iam-role/variables.tf
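Review bot: Adding `count` to `aws_iam_role_policy.policy` moves its state address from `aws_iam_role_policy.policy` to `aws_iam_role_policy.policy[0]`, so an existing caller upgrading the module will get a destroy-and-recreate of the inline policy on the next apply, and the role has no inline policy for the window between the two operations. A `moved` block keeps the existing state on the new address and turns that into a no-op; the fence below adds it. The `aws_iam_role "role"` resource whose closing brace opens this hunk starts outside it. The new `aws_iam_role_policy_attachment.policies` block looks correct as written.
```hcl
# … unchanged: aws_iam_role "role", aws_iam_role_policy "policy", aws_iam_role_policy_attachment "policies" …

# Callers upgrading from the pre-count version keep their inline policy in place
# instead of seeing it destroyed and recreated under the new indexed address.
moved {
  from = aws_iam_role_policy.policy
  to   = aws_iam_role_policy.policy[0]
}
```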
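Review bot: The `policy` output no longer carries the `arn` key that the deleted `oidc-github-actions-iam-role/outputs.tf` exported, so a caller reading `module.<name>.policy.arn` fails at plan time after upgrading; since `aws_iam_role_policy` has no ARN attribute (the old key actually returned `.name`), dropping it is a sensible cleanup, but it is a breaking change in the output shape and should be stated in the module README alongside the new `policy_arns` input. The `null` branch is also undocumented; a one-line comment above the conditional, `# null when no inline policy is configured (var.policy == null); see iam.tf`, tells the reader why the output is nullable without a trip to iam.tf.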
@@ -13,15 +13,22 @@ variable "policy_name" {
 variable "policy" {
   type = string
   description = "The IAM role policy in JSON format"
+  default = null
+}
+
+variable "policy_arns" {
+  type = set(string)
+  description = "Set of IAM policy ARNs to attach to the role"
+  default = []
 }
 
-variable "repo" {
+variable "sub" {
   type = string
-  description = "The GitHub repository path (e.g. org/repo:ref:refs/heads/master)"
+  description = "The sub pattern for the assume role policy (e.g. org/repo:ref:refs/heads/master)"
 }
 
 variable "tags" {
-  type = map(string)
+  type = map(string)
   description = "The tags to apply to all resources created"
-  default = {}
+  default = {}
 }
\ No newline at end of file
diff --git a/oidc-github-provider/README.md b/oidc-github-provider/README.md
new file mode 100644
index 0000000..4b3244e
--- /dev/null
+++ b/oidc-github-provider/README.md
@@ -0,0 +1,23 @@
+# OIDC GitHub Provider
+
+## About
+
+This module allows you to setup the provider for GitHub OIDC.
+
+## Usage
+
+See `variables.tf` for the full argument reference.
+
+```hcl
+module "oidc_github_provider" {
+  source = "github.com/script47/aws-tf-modules/oidc-github-provider"
+
+  thumbprints = []
+
+  tags = {
+    Project = "my-project"
+    Service = "my-service"
+    Environment = "production"
+  }
+}
+```
diff --git a/oidc-github-actions-provider/oidc.tf b/oidc-github-provider/oidc.tf
similarity index 100%
rename from oidc-github-actions-provider/oidc.tf
rename to oidc-github-provider/oidc.tf
diff --git a/oidc-github-actions-iam-role/providers.tf b/oidc-github-provider/providers.tf
similarity index 78%
rename from oidc-github-actions-iam-role/providers.tf
rename to oidc-github-provider/providers.tf
index 17b446f..5ec6724 100644
--- a/oidc-github-actions-iam-role/providers.tf
+++ b/oidc-github-provider/providers.tf
@@ -1,4 +1,6 @@
 terraform {
+  required_version = ">= 1.13"
+
   required_providers {
     aws = {
       source = "hashicorp/aws"
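Review bot: `variable "sub"` has no `validation` block and its new description does not say that the value is a `StringLike` glob, so a caller can pass `*` or `org/*` and the trust policy built from it in data.tf will accept tokens from every matching repository; the `required_version = ">= 1.13"` elsewhere in this commit means a `validation` block is available. The fence below requires the `org/repo:` prefix to be literal (no `*`/`?`) while still allowing wildcards in the ref or environment part, and extends the description accordingly. The `variable "policy_name"` block in the hunk header starts outside the hunk, so whether `policy_name` is still required when `policy` defaults to `null` cannot be checked here and is worth confirming.
```hcl
# … unchanged: variable "policy", variable "policy_arns" …

variable "sub" {
  type        = string
  description = "The sub pattern for the assume role policy, matched with StringLike (e.g. org/repo:ref:refs/heads/master). The org/repo prefix must be literal; wildcards are only honoured after it."

  validation {
    # Reject wildcard characters in the owner/repo segment so the trust policy
    # can never widen beyond a single named repository.
    condition     = can(regex("^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+:", var.sub))
    error_message = "sub must start with a literal 'org/repo:' prefix; wildcards are only allowed after it."
  }
}

# … unchanged: variable "tags" …
```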
diff --git a/oidc-github-actions-provider/variables.tf b/oidc-github-provider/variables.tf
similarity index 100%
rename from oidc-github-actions-provider/variables.tf
rename to oidc-github-provider/variables.tf
diff --git a/sqs/README.md b/sqs/README.md
index 09d2909..70b9d32 100644
--- a/sqs/README.md
+++ b/sqs/README.md
@@ -38,7 +38,7 @@ module "my_queue" {
   tags = {
     Project = "my-project"
     Service = "my-service"
-    Environment = "produdction"
+    Environment = "production"
   }
 }
 ```
@@ -46,7 +46,7 @@ module "my_queue" {
 ## Outputs
 
 | Name | Description |
-|--------|---------------------------------------------------------------------------------------|
+| ------ | ------------------------------------------------------------------------------------- |
 | `arn` | ARN of the primary SQS queue |
 | `name` | Name of the primary SQS queue |
 | `url` | URL of the primary SQS queue |
@@ -54,7 +54,7 @@ module "my_queue" {
 
 ## Resources
 
-| Resources |
-|--------------------------------|
+| Resources |
+| ------------------------------ |
 | `aws_sqs_queue` |
-| `aws_sqs_queue_redrive_policy` |
\ No newline at end of file
+| `aws_sqs_queue_redrive_policy` |
diff --git a/sqs/providers.tf b/sqs/providers.tf
index 17b446f..5ec6724 100644
--- a/sqs/providers.tf
+++ b/sqs/providers.tf
@@ -1,4 +1,6 @@
 terraform {
+  required_version = ">= 1.13"
+
   required_providers {
     aws = {
       source = "hashicorp/aws"
diff --git a/static-site/README.md b/static-site/README.md
index 94e3dbe..12d1d3b 100644
--- a/static-site/README.md
+++ b/static-site/README.md
@@ -36,7 +36,7 @@ module "static_site" {
   tags = {
     Project = "my-project"
     Service = "my-service"
-    Environment = "produdction"
+    Environment = "production"
   }
 
   providers = {
diff --git a/static-site/providers.tf b/static-site/providers.tf
index 906b6f9..981800f 100644
--- a/static-site/providers.tf
+++ b/static-site/providers.tf
@@ -1,4 +1,6 @@
 terraform {
+  required_version = ">= 1.13"
+
   required_providers {
     aws = {
       source = "hashicorp/aws"