Merge https://github.com/cisagov/skeleton-tf-module into lineage/skeleton

jsf9k · jsf9k · commit 0443a097fda4 · 2026-03-17T01:05:50.000Z
# Conflicts:
#	README.md
#	examples/basic_usage/README.md
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -5,6 +5,8 @@ on:  # yamllint disable-line rule:truthy
   merge_group:
     types:
       - checks_requested
+  # We use the default activity types for the pull_request event as specified here:
+  # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request
   pull_request:
   push:
   repository_dispatch:
@@ -23,7 +25,7 @@ env:
   PIP_CACHE_DIR: ~/.cache/pip
   PRE_COMMIT_CACHE_DIR: ~/.cache/pre-commit
   RUN_TMATE: ${{ secrets.RUN_TMATE }}
-  TERRAFORM_DOCS_REPO_BRANCH_NAME: improvement/support_atx_closed_markdown_headers
+  TERRAFORM_DOCS_REPO_BRANCH_NAME: cisagov
   TERRAFORM_DOCS_REPO_DEPTH: 1
   TERRAFORM_DOCS_REPO_URL: https://github.com/mcdonnnj/terraform-docs.git
 
@@ -118,18 +120,20 @@ jobs:
         name: Lookup Go cache directory
         run: |
           echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT
-      - uses: actions/cache@v4
+      - uses: actions/cache@v5
         env:
-          BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\
-            py${{ steps.setup-python.outputs.python-version }}-\
-            go${{ steps.setup-go.outputs.go-version }}-\
-            packer${{ steps.setup-env.outputs.packer-version }}-\
-            tf${{ steps.setup-env.outputs.terraform-version }}-
+          BASE_CACHE_KEY: >-
+            ${{ github.job }}-${{ runner.os
+            }}-py${{ steps.setup-python.outputs.python-version
+            }}-go${{ steps.setup-go.outputs.go-version
+            }}-packer${{ steps.setup-env.outputs.packer-version
+            }}-tf${{ steps.setup-env.outputs.terraform-version }}-
         with:
-          key: ${{ env.BASE_CACHE_KEY }}\
-            ${{ hashFiles('**/requirements-test.txt') }}-\
-            ${{ hashFiles('**/requirements.txt') }}-\
-            ${{ hashFiles('**/.pre-commit-config.yaml') }}
+          key: >-
+            ${{ env.BASE_CACHE_KEY }}${{
+            hashFiles('**/requirements-test.txt') }}-${{
+            hashFiles('**/requirements.txt') }}-${{
+            hashFiles('**/.pre-commit-config.yaml') }}
           # Note that the .terraform directory IS NOT included in the
           # cache because if we were caching, then we would need to use
           # the `-upgrade=true` option. This option blindly pulls down the
@@ -169,10 +173,13 @@ jobs:
           PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }}
         run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
       # TODO: https://github.com/cisagov/skeleton-generic/issues/165
-      # We are temporarily using @mcdonnnj's forked branch of terraform-docs
-      # until his PR: https://github.com/terraform-docs/terraform-docs/pull/745
-      # is approved. This temporary fix will allow for ATX header support when
-      # terraform-docs is run during linting.
+      # We are temporarily using a branch of @mcdonnnj's fork of terraform-docs that
+      # groups changes from his PRs until they are approved and merged:
+      # https://github.com/terraform-docs/terraform-docs/pull/745
+      # https://github.com/terraform-docs/terraform-docs/pull/901
+      # This temporary fix will allow for ATX header support when terraform-docs is run
+      # during linting and output delimiter rows with cell spacing that passes
+      # Markdownlint's MD060/table-column-style rule.
       - name: Clone ATX headers branch from terraform-docs fork
         run: |
           git clone \
@@ -187,7 +194,7 @@ jobs:
           -o $(go env GOPATH)/bin/terraform-docs
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip setuptools wheel
+          python -m pip install --upgrade pip setuptools
           pip install --upgrade --requirement requirements-test.txt
       - name: Set up pre-commit hook environments
         run: pre-commit install-hooks
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -12,6 +12,8 @@ on:
   merge_group:
     types:
       - checks_requested
+  # We use the default activity types for the pull_request event as specified here:
+  # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request
   pull_request:
     # The branches here must be a subset of the ones in the push key
     branches:
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -5,6 +5,8 @@ on:  # yamllint disable-line rule:truthy
   merge_group:
     types:
       - checks_requested
+  # We use the default activity types for the pull_request event as specified here:
+  # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request
   pull_request:
 
 # Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace,
diff --git a/.github/workflows/label-prs.yml b/.github/workflows/label-prs.yml
@@ -2,11 +2,9 @@
 name: Label pull requests
 
 on:  # yamllint disable-line rule:truthy
+  # We use the default activity types for the pull_request event as specified here:
+  # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request
   pull_request:
-    types:
-      - edited
-      - opened
-      - synchronize
 
 # Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace,
 # nounset, errexit, and pipefail. The `-x` will print all commands as they are
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -45,32 +45,32 @@ repos:
 
   # Text file hooks
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.45.0
+    rev: v0.47.0
     hooks:
       - id: markdownlint
         args:
           - --config=.mdl_config.yaml
   - repo: https://github.com/rbubley/mirrors-prettier
-    rev: v3.6.2
+    rev: v3.8.1
     hooks:
       - id: prettier
   - repo: https://github.com/adrienverge/yamllint
-    rev: v1.37.1
+    rev: v1.38.0
     hooks:
       - id: yamllint
         args:
           - --strict
 
   # GitHub Actions hooks
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.35.0
+    rev: 0.36.2
     hooks:
       - id: check-github-actions
       - id: check-github-workflows
 
   # pre-commit hooks
   - repo: https://github.com/pre-commit/pre-commit
-    rev: v4.4.0
+    rev: v4.5.1
     hooks:
       - id: validate_manifest
 
@@ -129,13 +129,13 @@ repos:
 
   # Python hooks
   - repo: https://github.com/PyCQA/bandit
-    rev: 1.9.1
+    rev: 1.9.3
     hooks:
       - id: bandit
         args:
           - --config=.bandit.yml
   - repo: https://github.com/psf/black-pre-commit-mirror
-    rev: 25.11.0
+    rev: 26.1.0
     hooks:
       - id: black
   - repo: https://github.com/PyCQA/flake8
@@ -145,15 +145,15 @@ repos:
         additional_dependencies:
           - flake8-docstrings==1.7.0
   - repo: https://github.com/PyCQA/isort
-    rev: 7.0.0
+    rev: 8.0.0
     hooks:
       - id: isort
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.18.2
+    rev: v1.19.1
     hooks:
       - id: mypy
   - repo: https://github.com/pypa/pip-audit
-    rev: v2.9.0
+    rev: v2.10.0
     hooks:
       - id: pip-audit
         args:
@@ -165,7 +165,7 @@ repos:
           - --requirement
           - requirements.txt
   - repo: https://github.com/asottile/pyupgrade
-    rev: v3.21.1
+    rev: v3.21.2
     hooks:
       - id: pyupgrade
         args:
@@ -177,7 +177,7 @@ repos:
 
   # Ansible hooks
   - repo: https://github.com/ansible/ansible-lint
-    rev: v25.11.1
+    rev: v26.1.1
     hooks:
       - id: ansible-lint
         additional_dependencies:
@@ -203,7 +203,7 @@ repos:
 
   # Terraform hooks
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.103.0
+    rev: v1.105.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate
diff --git a/README.md b/README.md
@@ -76,14 +76,14 @@ This meta-role requires a permission policy similar to the following:
 ## Requirements ##
 
 | Name | Version |
-|------|---------|
+| ---- | ------- |
 | terraform | >= 1.1 |
 | aws | >= 4.9 |
 
 ## Providers ##
 
 | Name | Version |
-|------|---------|
+| ---- | ------- |
 | aws | >= 4.9 |
 
 ## Modules ##
@@ -93,17 +93,25 @@ No modules.
 ## Resources ##
 
 | Name | Type |
+<<<<<<< HEAD
 |------|------|
 | [aws_iam_policy.ssm_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.ssm_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.ssm_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.assume_role_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.ssm_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+=======
+| ---- | ---- |
+| [aws_instance.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
+| [aws_ami.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
+| [aws_default_tags.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/default_tags) | data source |
+>>>>>>> a56d4c99f2984eba574de97a36018d4a612181cf
 
 ## Inputs ##
 
 | Name | Description | Type | Default | Required |
+<<<<<<< HEAD
 |------|-------------|------|---------|:--------:|
 | account\_ids | AWS account IDs that are allowed to assume the role. | `list(string)` | `[]` | no |
 | entity\_name | The name of the entity that the role is being created for (e.g. "test-user" or "host.example.com"). | `string` | n/a | yes |
@@ -112,13 +120,29 @@ No modules.
 | role\_name | The name to assign the IAM role (as well as the corresponding policy) that allows read-only access to the specified SSM Parameter Store parameters.  Note that the "%s" in this value will get replaced with the entity\_name variable.  If there are no instances of "%s" present in this value, no replacement will be made and the value will be used as is.  Including more than one instance of "%s" in this value will result in a Terraform error, so don't do that.  If the role name is longer than the current AWS limit of 64 characters (either as-is or after entity\_name replacement), the role name will be truncated to the first 64 characters. | `string` | `"ParameterStoreReadOnly-%s"` | no |
 | ssm\_names | A list of SSM Parameter Store parameters that the created role will be allowed to access. | `list(string)` | n/a | yes |
 | ssm\_regions | AWS regions of target SSMs (e.g. ["us-east-1", "us-east-2"]).  If not provided, defaults to all regions. | `list(string)` | ```[ "*" ]``` | no |
+=======
+| ---- | ----------- | ---- | ------- | :------: |
+| ami\_owner\_account\_id | The ID of the AWS account that owns the Example AMI, or "self" if the AMI is owned by the same account as the provisioner. | `string` | `"self"` | no |
+| aws\_availability\_zone | The AWS availability zone to deploy into (e.g. a, b, c, etc.). | `string` | `"a"` | no |
+| aws\_region | The AWS region to deploy into (e.g. us-east-1). | `string` | `"us-east-1"` | no |
+| subnet\_id | The ID of the AWS subnet to deploy into (e.g. subnet-0123456789abcdef0). | `string` | n/a | yes |
+>>>>>>> a56d4c99f2984eba574de97a36018d4a612181cf
 
 ## Outputs ##
 
 | Name | Description |
+<<<<<<< HEAD
 |------|-------------|
 | policy | The IAM policy that can read the specified SSM Parameter Store parameters. |
 | role | The IAM role that can read the specified SSM Parameter Store parameters. |
+=======
+| ---- | ----------- |
+| arn | The EC2 instance ARN. |
+| availability\_zone | The AZ where the EC2 instance is deployed. |
+| id | The EC2 instance ID. |
+| private\_ip | The private IP of the EC2 instance. |
+| subnet\_id | The ID of the subnet where the EC2 instance is deployed. |
+>>>>>>> a56d4c99f2984eba574de97a36018d4a612181cf
 <!-- END_TF_DOCS -->
 
 ## Notes ##
diff --git a/examples/basic_usage/.terraform.lock.hcl b/examples/basic_usage/.terraform.lock.hcl
diff --git a/examples/basic_usage/README.md b/examples/basic_usage/README.md
@@ -12,17 +12,24 @@ Note that this example may create resources which cost money. Run
 ## Requirements ##
 
 | Name | Version |
-|------|---------|
+| ---- | ------- |
 | terraform | ~> 1.1 |
 | aws | ~> 6.7 |
 
 ## Providers ##
 
+<<<<<<< HEAD
 No providers.
+=======
+| Name | Version |
+| ---- | ------- |
+| aws | ~> 6.7 |
+>>>>>>> a56d4c99f2984eba574de97a36018d4a612181cf
 
 ## Modules ##
 
 | Name | Source | Version |
+<<<<<<< HEAD
 |------|--------|---------|
 | ssm\_role | ../../ | n/a |
 
@@ -33,11 +40,41 @@ No resources.
 ## Inputs ##
 
 No inputs.
+=======
+| ---- | ------ | ------- |
+| example | ../../ | n/a |
+
+## Resources ##
+
+| Name | Type |
+| ---- | ---- |
+| [aws_subnet.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
+| [aws_vpc.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource |
+
+## Inputs ##
+
+| Name | Description | Type | Default | Required |
+| ---- | ----------- | ---- | ------- | :------: |
+| ami\_owner\_account\_id | The ID of the AWS account that owns the AMI, or "self" if the AMI is owned by the same account as the provisioner. | `string` | `"self"` | no |
+| aws\_availability\_zone | The AWS availability zone to deploy into (e.g. a, b, c, etc.). | `string` | `"a"` | no |
+| aws\_region | The AWS region to deploy into (e.g. us-east-1). | `string` | `"us-east-1"` | no |
+| tags | Tags to apply to all AWS resources created. | `map(string)` | ```{ "Testing": true }``` | no |
+| tf\_role\_arn | The ARN of the role that can terraform non-specialized resources. | `string` | n/a | yes |
+>>>>>>> a56d4c99f2984eba574de97a36018d4a612181cf
 
 ## Outputs ##
 
 | Name | Description |
+<<<<<<< HEAD
 |------|-------------|
 | policy | The IAM policy that can read the specified SSM Parameter Store parameters for site.example.com. |
 | role | The IAM role that can read the specified SSM Parameter Store parameters for site.example.com. |
+=======
+| ---- | ----------- |
+| arn | The EC2 instance ARN. |
+| availability\_zone | The AZ where the EC2 instance is deployed. |
+| id | The EC2 instance ID. |
+| private\_ip | The private IP of the EC2 instance. |
+| subnet\_id | The ID of the subnet where the EC2 instance is deployed. |
+>>>>>>> a56d4c99f2984eba574de97a36018d4a612181cf
 <!-- END_TF_DOCS -->
diff --git a/requirements.txt b/requirements.txt
@@ -1,2 +1 @@
-setuptools
-wheel
+setuptools>=70.1
diff --git a/setup-env b/setup-env

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1 @@`
`1`		`-setuptools`
`2`		`-wheel`
	`1`	`+setuptools>=70.1`