Initial commit

Author: drewmullen

.gitignore

@@ -0,0 +1,42 @@
+build/
+plan.out
+plan.out.json
+
+# Local .terraform directories
+.terraform/
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Exclude all .tfvars files, which are likely to contain sentitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+#
+*.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+.terraform.lock.hcl
+
+go.mod
+go.sum

.header.md

@@ -0,0 +1,57 @@
+# Creating modules for AWS I&A Organization
+
+This repo template is used to seed Terraform Module templates for the [AWS I&A GitHub organization](https://github.com/aws-ia). Usage of this template is allowed per included license. PRs to this template will be considered but are not guaranteed to be included. Consider creating an issue to discuss a feature you want to include before taking the time to create a PR.
+### TL;DR
+
+1. [install pre-commit](https://pre-commit.com/)
+2. configure pre-commit: `pre-commit install`
+3. install required tools
+    - [tflint](https://github.com/terraform-linters/tflint)
+    - [tfsec](https://aquasecurity.github.io/tfsec/v1.0.11/)
+    - [terraform-docs](https://github.com/terraform-docs/terraform-docs)
+    - [golang](https://go.dev/doc/install) (for macos you can use `brew`)
+    - [coreutils](https://www.gnu.org/software/coreutils/)
+
+Write code according to [I&A module standards](https://aws-ia.github.io/standards-terraform/)
+
+## Module Documentation
+
+**Do not manually update README.md**. `terraform-docs` is used to generate README files. For any instructions an content, please update [.header.md](./.header.md) then simply run `terraform-docs ./` or allow the `pre-commit` to do so.
+
+## Terratest
+
+Please include tests to validate your examples/<> root modules, at a minimum. This can be accomplished with usually only slight modifications to the [boilerplate test provided in this template](./test/examples_basic_test.go)
+
+### Configure and run Terratest
+
+1. Install
+
+    [golang](https://go.dev/doc/install) (for macos you can use `brew`)
+2. Change directory into the test folder.
+    
+    `cd test`
+3. Initialize your test
+    
+    go mod init github.com/[github org]/[repository]
+
+    `go mod init github.com/aws-ia/terraform-aws-vpc`
+4. Run tidy
+
+    `git mod tidy`
+5. Install Terratest
+
+    `go get github.com/gruntwork-io/terratest/modules/terraform`
+6. Run test (You can have multiple test files).
+    - Run all tests
+
+        `go test`
+    - Run a specific test with a timeout
+
+        `go test -run examples_basic_test.go -timeout 45m`
+## Module Standards
+
+For best practices and information on developing with Terraform, see the [I&A Module Standards](https://aws-ia.github.io/standards-terraform/)
+
+## Continuous Integration
+
+The I&A team uses AWS CodeBuild to perform continuous integration (CI) within the organization. Our CI uses the a repo's `.pre-commit-config.yaml` file as well as some other checks. All PRs with other CI will be rejected. See our [FAQ](https://aws-ia.github.io/standards-terraform/faq/#are-modules-protected-by-ci-automation) for more details.

.pre-commit-config.yaml

@@ -0,0 +1,11 @@
+---
+fail_fast: false
+minimum_pre_commit_version: "2.6.0"
+repos:
+  -
+    repo: https://github.com/aws-ia/pre-commit-configs
+    # To update run:
+    # pre-commit autoupdate --freeze
+    rev: 80ed3f0a164f282afaac0b6aec70e20f7e541932  # frozen: v1.5.0
+    hooks:
+      - id: aws-ia-meta-hook

.terraform-docs.yaml

@@ -0,0 +1,20 @@
+formatter: markdown
+header-from: .header.md
+settings:
+  anchor: true
+  color: true
+  default: true
+  escape: true
+  html: true
+  indent: 2
+  required: true
+  sensitive: true
+  type: true
+
+sort:
+  enabled: true
+  by: required
+
+output:
+  file: README.md
+  mode: replace

.tflint.hcl

@@ -0,0 +1,66 @@
+# https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/module-inspection.md
+# borrowed & modified indefinitely from https://github.com/ksatirli/building-infrastructure-you-can-mostly-trust/blob/main/.tflint.hcl
+
+plugin "aws" {
+  enabled = true
+  version = "0.14.0"
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+}
+
+config {
+  module = true
+  force  = false
+}
+
+rule "terraform_required_providers" {
+  enabled = true
+}
+
+rule "terraform_required_version" {
+  enabled = true
+}
+
+rule "terraform_naming_convention" {
+  enabled = true
+  format  = "snake_case"
+}
+
+rule "terraform_typed_variables" {
+  enabled = true
+}
+
+rule "terraform_unused_declarations" {
+  enabled = true
+}
+
+rule "terraform_comment_syntax" {
+  enabled = true
+}
+
+rule "terraform_deprecated_index" {
+  enabled = true
+}
+
+rule "terraform_deprecated_interpolation" {
+  enabled = true
+}
+
+rule "terraform_documented_outputs" {
+  enabled = true
+}
+
+rule "terraform_documented_variables" {
+  enabled = true
+}
+
+rule "terraform_module_pinned_source" {
+  enabled = true
+}
+
+rule "terraform_standard_module_structure" {
+  enabled = true
+}
+
+rule "terraform_workspace_remote" {
+  enabled = true
+}

.tfsec/launch_configuration_imdsv2_tfchecks.json

@@ -0,0 +1,39 @@
+{
+  "checks": [
+    {
+      "code": "CUS002",
+      "description": "Check to IMDSv2 is required on EC2 instances created by this Launch Template",
+      "impact": "Instance metadata service can be interacted with freely",
+      "resolution": "Enable HTTP token requirement for IMDS",
+      "requiredTypes": [
+        "resource"
+      ],
+      "requiredLabels": [
+        "aws_launch_configuration"
+      ],
+      "severity": "CRITICAL",
+      "matchSpec": {
+          "action": "isPresent",
+          "name": "metadata_options",
+          "subMatch": {
+            "action": "and",
+            "predicateMatchSpec": [
+              {
+                "action": "equals",
+                "name": "http_tokens",
+                "value": "required"
+
+              }
+            ]
+          }
+        },
+
+      "errorMessage": "is missing `metadata_options` block - it is required with `http_tokens` set to `required` to make Instance Metadata Service more secure.",
+      "relatedLinks": [
+        "https://tfsec.dev/docs/aws/ec2/enforce-http-token-imds#aws/ec2",
+        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#metadata-options",
+        "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service"
+      ]
+    }
+  ]
+}

.tfsec/launch_template_imdsv2_tfchecks.json

@@ -0,0 +1,39 @@
+{
+  "checks": [
+    {
+      "code": "CUS001",
+      "description": "Check to IMDSv2 is required on EC2 instances created by this Launch Template",
+      "impact": "Instance metadata service can be interacted with freely",
+      "resolution": "Enable HTTP token requirement for IMDS",
+      "requiredTypes": [
+        "resource"
+      ],
+      "requiredLabels": [
+        "aws_launch_template"
+      ],
+      "severity": "CRITICAL",
+      "matchSpec": {
+          "action": "isPresent",
+          "name": "metadata_options",
+          "subMatch": {
+            "action": "and",
+            "predicateMatchSpec": [
+              {
+                "action": "equals",
+                "name": "http_tokens",
+                "value": "required"
+
+              }
+            ]
+          }
+        },
+
+      "errorMessage": "is missing `metadata_options` block - it is required with `http_tokens` set to `required` to make Instance Metadata Service more secure.",
+      "relatedLinks": [
+        "https://tfsec.dev/docs/aws/ec2/enforce-http-token-imds#aws/ec2",
+        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options",
+        "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service"
+      ]
+    }
+  ]
+}

.tfsec/no_launch_config_tfchecks.json

@@ -0,0 +1,27 @@
+{
+  "checks": [
+    {
+      "code": "CUS003",
+      "description": "Use `aws_launch_template` over `aws_launch_configuration",
+      "impact": "Launch configurations are not capable of versions",
+      "resolution": "Convert resource type and attributes to `aws_launch_template`",
+      "requiredTypes": [
+        "resource"
+      ],
+      "requiredLabels": [
+        "aws_launch_configuration"
+      ],
+      "severity": "MEDIUM",
+      "matchSpec": {
+          "action": "notPresent",
+          "name": "image_id"
+        },
+
+      "errorMessage": "should be changed to `aws_launch_template` since the functionality is the same but templates can be versioned.",
+      "relatedLinks": [
+        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template",
+        "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service"
+      ]
+    }
+  ]
+}

.tfsec/sg_no_embedded_egress_rules_tfchecks.json

@@ -0,0 +1,27 @@
+{
+  "checks": [
+    {
+      "code": "CUS005",
+      "description": "Security group rules should be defined with `aws_security_group_rule` instead of embedded.",
+      "impact": "Embedded security group rules can cause issues during configuration updates.",
+      "resolution": "Move `egress` rules to `aws_security_group_rule` and attach to `aws_security_group`.",
+      "requiredTypes": [
+        "resource"
+      ],
+      "requiredLabels": [
+        "aws_security_group"
+      ],
+      "severity": "MEDIUM",
+      "matchSpec": {
+          "action": "notPresent",
+          "name": "egress"
+        },
+
+      "errorMessage": "`egress` rules should be moved to `aws_security_group_rule` and attached to `aws_security_group` instead of embedded.",
+      "relatedLinks": [
+        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule",
+        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group"
+      ]
+    }
+  ]
+}

.tfsec/sg_no_embedded_ingress_rules_tfchecks.json

@@ -0,0 +1,27 @@
+{
+  "checks": [
+    {
+      "code": "CUS004",
+      "description": "Security group rules should be defined with `aws_security_group_rule` instead of embedded.",
+      "impact": "Embedded security group rules can cause issues during configuration updates.",
+      "resolution": "Move `ingress` rules to `aws_security_group_rule` and attach to `aws_security_group`.",
+      "requiredTypes": [
+        "resource"
+      ],
+      "requiredLabels": [
+        "aws_security_group"
+      ],
+      "severity": "MEDIUM",
+      "matchSpec": {
+          "action": "notPresent",
+          "name": "ingress"
+        },
+
+      "errorMessage": "`ingress` rules should be moved to `aws_security_group_rule` and attached to `aws_security_group` instead of embedded.",
+      "relatedLinks": [
+        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule",
+        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group"
+      ]
+    }
+  ]
+}

CODEOWNERS

@@ -0,0 +1 @@
+* @aws-ia/aws-ia