From 765b2a857aac8a6b69b78a952aa2dd80fc89bf5b Mon Sep 17 00:00:00 2001 From: Veronika Gnilitska Date: Wed, 30 Apr 2025 17:43:27 +0300 Subject: [PATCH 1/3] chore: sync with template --- .coderabbit.yaml | 13 +- .editorconfig | 11 -- .github/CODEOWNERS | 2 +- .github/PULL_REQUEST_TEMPLATE.md | 16 +- .github/renovate.json5 | 56 +++++++ .github/workflows/lint.yaml | 15 +- .github/workflows/release-please.yaml | 3 +- .github/workflows/test.yaml | 45 ++++++ .github/workflows/trunk-upgrade.yaml | 27 ++-- .gitignore | 71 ++++---- .pre-commit-config.yaml | 9 -- .terraform-docs.yaml | 16 ++ .trunk/configs/.markdownlint.yaml | 5 + .trunk/configs/.prettierignore | 4 - .trunk/configs/.yamllint.yaml | 3 - .trunk/trunk.yaml | 26 ++- LICENSE | 223 +++++++++++++++++++++++--- README.md | 84 +++++++++- aqua.yaml | 12 +- 19 files changed, 510 insertions(+), 131 deletions(-) create mode 100644 .github/renovate.json5 create mode 100644 .github/workflows/test.yaml delete mode 100644 .pre-commit-config.yaml create mode 100644 .terraform-docs.yaml delete mode 100644 .trunk/configs/.prettierignore diff --git a/.coderabbit.yaml b/.coderabbit.yaml index e279a6f..39f44bd 100644 --- a/.coderabbit.yaml +++ b/.coderabbit.yaml @@ -7,6 +7,7 @@ language: en tone_instructions: | Provide feedback in a professional, friendly, constructive, and concise tone. Offer clear, specific suggestions and best practices to help enhance the code quality and promote learning. + Be concise and only comment on significant issues. early_access: true 
@@ -26,21 +27,25 @@ knowledge_base: reviews: profile: chill auto_review: - # Ignore reviewing if the title of the pull request contains any of these keywords (case-insensitive) + # Disable incremental code review on each push + auto_incremental_review: false + # The keywords are case-insensitive ignore_title_keywords: - wip - draft - test - # Set the commit status to 'pending' when the review is in progress and 'success' when it is complete. commit_status: false - # Post review details on each review. Additionally, post a review status when a review is skipped in certain cases. - review_status: false path_instructions: - path: "**/*.tf" instructions: | You're a Terraform expert who has thoroughly studied all the documentation from Hashicorp https://developer.hashicorp.com/terraform/docs and OpenTofu https://opentofu.org/docs/. You have a strong grasp of Terraform syntax and prioritize providing accurate and insightful code suggestions. As a fan of the Cloud Posse / SweetOps ecosystem, you incorporate many of their best practices https://docs.cloudposse.com/best-practices/terraform/ while balancing them with general Terraform guidelines. + changed_files_summary: false + poem: false + # Don't post review details on each review. + review_status: false + sequence_diagrams: false tools: # By default, all tools are enabled. # Masterpoint uses Trunk (https://trunk.io) so we do not need a lot of this feedback due to overlap. diff --git a/.editorconfig b/.editorconfig index 8207150..3df0e9f 100644 --- a/.editorconfig +++ b/.editorconfig @@ -7,19 +7,8 @@ indent_style = space insert_final_newline = true trim_trailing_whitespace = true -[*.{tf,tfvars}] -indent_size = 2 -indent_style = space - [*.md] max_line_length = 0 -trim_trailing_whitespace = false - -# Override for Makefile -[{Makefile, makefile, GNUmakefile, Makefile.*}] -tab_width = 2 -indent_style = tab -indent_size = 4 [COMMIT_EDITMSG] max_line_length = 0 
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 5b161c9..51080ca 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -4,4 +4,4 @@ # Order is important: the last matching pattern takes the most precedence # These owners will be the default owners for everything -* @masterpointio/masterpoint-internal +* @masterpointio/masterpoint-open-source \ No newline at end of file diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index 4b8f32d..c713685 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -1,13 +1,15 @@ ## what -* Describe high-level what changed as a result of these commits (i.e. in plain-english, what do these changes mean?) -* Use bullet points to be concise and to the point. + +- Describe high-level what changed as a result of these commits (i.e. in plain-english, what do these changes mean?) +- Use bullet points to be concise and to the point. ## why -* Provide the justifications for the changes (e.g. business case). -* Describe why these changes were made (e.g. why do these commits fix the problem?) -* Use bullet points to be concise and to the point. + +- Provide the justifications for the changes (e.g. business case). +- Describe why these changes were made (e.g. why do these commits fix the problem?) +- Use bullet points to be concise and to the point. ## references -* Link to any supporting github issues or helpful documentation to add some context (e.g. stackoverflow). -* Use `closes #123`, if this PR closes a GitHub issue `#123` +- Link to any supporting GitHub issues or helpful documentation to add some context (e.g. Stackoverflow). +- Use `closes #123`, if this PR closes a GitHub issue `#123` diff --git a/.github/renovate.json5 b/.github/renovate.json5 new file mode 100644 index 0000000..b4c3ecf --- /dev/null +++ b/.github/renovate.json5 
@@ -0,0 +1,56 @@ +{ + "extends": [ + "config:best-practices", + "github>aquaproj/aqua-renovate-config#2.7.5" + ], + "schedule": [ + "after 9am on the first day of the month" + ], + "assigneesFromCodeOwners": true, + "dependencyDashboardAutoclose": true, + "addLabels": [ + "auto-upgrade" + ], + "enabledManagers": [ + "terraform" + ], + "terraform": { + "ignorePaths": [ + "**/context.tf" // Mixin file https://github.com/cloudposse/terraform-null-label/blob/main/exports/context.tf + ], + "fileMatch": [ + "\\.tf$", + "\\.tofu$" + ] + }, + "packageRules": [ + { + "matchDepTypes": [ + "optionalDependencies" + ], + // Allow auto merge if it's not a major version update + "matchUpdateTypes": [ + "minor", + "patch", + "pin", + "digest" + ], + "automerge": true + }, + { + "matchFileNames": ["**/*.tofu", "**/*.tf"], + "matchDatasources": ["terraform-provider", "terraform-module"], + "registryUrls": ["https://registry.opentofu.org"] + }, + { + "matchFileNames": ["**/*.tofu"], + "matchDepTypes": ["required_version"], + "registryUrls": ["https://registry.opentofu.org"] + }, + { + "matchFileNames": ["**/*.tf"], + "matchDepTypes": ["required_version"], + "registryUrls": ["https://registry.terraform.io"] + } + ] +} diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 4f0b538..092d215 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -1,9 +1,5 @@ name: Lint -concurrency: - group: lint-${{ github.head_ref || github.run_id }} - cancel-in-progress: true - on: pull_request permissions: 
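Review bot: The automerge rule in `packageRules` is keyed on `"matchDepTypes": ["optionalDependencies"]`, which reads like a leftover from an npm-oriented template; with `enabledManagers` restricted to `terraform`, Renovate's terraform manager does not produce that depType (its depTypes are, as far as I know, `module`, `provider`, `required_provider` and `required_version`, the last of which this file already uses), so the rule most likely never matches and no automerge happens at all. Decide this explicitly: either drop the rule, or scope it to the intended terraform depTypes and keep automerge limited to `pin`/`digest` updates, which carry no behaviour change, rather than `minor` provider bumps gated only by the `TF Test` workflow. Separately, `"github>aquaproj/aqua-renovate-config#2.7.5"` is extended but, if I read `enabledManagers` correctly, only the terraform manager is active, so the preset's `aqua.yaml` updates (which I believe rely on custom regex managers) will not run unless that manager is enabled as well.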
@@ -13,17 +9,10 @@ permissions: pull-requests: read jobs: - trunk-check: + lint: runs-on: ubuntu-latest steps: - name: Check out Git repository uses: actions/checkout@v4 - name: Trunk Check - uses: trunk-io/trunk-action@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19 - - conventional-title: - runs-on: ubuntu-latest - steps: - - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + uses: trunk-io/trunk-action@v1 diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml index 7e86a44..e9e712a 100644 --- a/.github/workflows/release-please.yaml +++ b/.github/workflows/release-please.yaml @@ -8,11 +8,12 @@ on: permissions: contents: write pull-requests: write + issues: write jobs: release-please: runs-on: ubuntu-latest steps: - - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3 + - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f #v4.1.3 with: release-type: terraform-module diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml new file mode 100644 index 0000000..af8e017 --- /dev/null +++ b/.github/workflows/test.yaml 
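Review bot: The `conventional-title` job (`amannn/action-semantic-pull-request`) is removed without a replacement, while the `release-please` workflow changed on the same page still derives versions and changelog entries from conventional commit messages; if PRs are squash-merged, the PR title becomes that commit message, so nothing now guards the input release automation depends on. Either keep the job in `lint.yaml` or confirm that a repository-level check or merge-queue rule enforces conventional titles. The job rename from `trunk-check` to `lint` will also invalidate any branch-protection required-check entry that referenced the old job name, which is worth checking before merge.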
@@ -0,0 +1,45 @@ +name: TF Test + +on: + push: + branches: + - main + pull_request: + +permissions: + actions: read + checks: write + contents: read + id-token: write + pull-requests: read + +jobs: + tf-test: + name: πŸ§ͺ ${{ matrix.tf }} test + runs-on: ubuntu-latest + strategy: + matrix: + tf: [tofu, terraform] + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Aqua Cache + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 + if: ${{ !github.event.act }} # Don't enable the cache step if we're using act for testing + with: + path: ~/.local/share/aquaproj-aqua + key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('aqua.yaml')}} + restore-keys: | + v1-aqua-installer-${{runner.os}}-${{runner.arch}}- + + - name: Install Aqua + uses: aquaproj/aqua-installer@5e54e5cee8a95ee2ce7c04cb993da6dfad13e59c # v3.2.1 + with: + aqua_version: v2.48.1 + + - name: Aqua Install + shell: bash + run: aqua install --tags ${{ matrix.tf }} + + - run: ${{ matrix.tf }} init + - run: ${{ matrix.tf }} test diff --git a/.github/workflows/trunk-upgrade.yaml b/.github/workflows/trunk-upgrade.yaml index 1f3270e..e116e8f 100644 --- a/.github/workflows/trunk-upgrade.yaml +++ b/.github/workflows/trunk-upgrade.yaml 
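Review bot: The top-level `permissions` block grants `id-token: write`, `checks: write` and `actions: read`, but no step in this file uses them — there is no OIDC cloud-login step and no step that publishes check runs — and the workflow runs on `pull_request`, so the scope should be cut to what the steps need: `permissions:` / `  contents: read`, adding the others back when a step actually requires them. The `${{ matrix.tf }} init` / `${{ matrix.tf }} test` steps are run with no cloud credentials, so presumably the module's tests are mock/plan-only — worth confirming, since a test that needs AWS would fail here silently for every matrix entry. The matrix value used in `aqua install --tags ${{ matrix.tf }}` comes from the workflow itself, not from the event payload, so that interpolation is fine.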
@@ -1,25 +1,34 @@ -name: Monthly Trunk Upgrade +name: Trunk Upgrade + on: schedule: # On the first day of every month @ 8am - cron: 0 8 1 * * - # Allows us to manually run the workflow from Actions UI workflow_dispatch: {} + permissions: read-all + jobs: - trunk_upgrade: - name: Upgrade Trunk + trunk-upgrade: runs-on: ubuntu-latest permissions: - contents: write # For trunk to create PRs - pull-requests: write # For trunk to create PRs + # For trunk to create PRs + contents: write + pull-requests: write steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Create Token for MasterpointBot App + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0 + id: generate-token + with: + app_id: ${{ secrets.MP_BOT_APP_ID }} + private_key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }} - - name: Trunk Upgrade + - name: Upgrade uses: trunk-io/trunk-action/upgrade@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19 with: - base: main + github-token: ${{ steps.generate-token.outputs.token }} reviewers: "@masterpointio/masterpoint-internal" prefix: "chore: " diff --git a/.gitignore b/.gitignore index e7a8d5c..9636abe 100644 --- a/.gitignore +++ b/.gitignore 
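Review bot: Now that the `Upgrade` step authenticates with the app token from `steps.generate-token.outputs.token`, the job-level `contents: write` / `pull-requests: write` grants on `GITHUB_TOKEN` (still annotated "For trunk to create PRs") are probably no longer needed — checkout only needs read access, and keeping both leaves two credentials able to push and open PRs from this job. Unless `trunk-action/upgrade` is known to still fall back to `GITHUB_TOKEN`, drop the job-level `permissions` block so the top-level `permissions: read-all` applies. Also, `reviewers: "@masterpointio/masterpoint-internal"` is kept while `CODEOWNERS` in this same patch switches the default owners to `@masterpointio/masterpoint-open-source`; confirm which team should review these PRs. Minor style point: `#v2.1.0` and `# v4.2.2` are written differently in the same hunk; the spaced form is the one the rest of the file uses and the one I believe digest-pinning tooling reads most reliably.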
@@ -1,39 +1,46 @@ -# Local .terraform directories -**/.terraform/* +# Ignore override files as they are usually used to override resources locally +*override.tf +*override.tf.json # .tfstate files *.tfstate *.tfstate.* -# Crash log files -crash.log - -# Ignore any .tfvars files that are generated automatically for each Terraform run. Most -# .tfvars files are managed as part of configuration and so should be included in -# version control. -# -# example.tfvars - -# Ignore override files as they are usually used to override resources locally and so -# are not checked in -override.tf -override.tf.json -*_override.tf -*_override.tf.json - -# Include override files you do wish to add to version control using negated pattern -# -# !example_override.tf - -# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan -# example: *tfplan* -*.plan - -# Ignore IntelliJ configuration -/.idea/ +# Local .terraform directories +**/.terraform/* -# Ignore lock files +# Ignore the root .terraform.lock.hcl file (Child modules don't want this) .terraform.lock.hcl - -# Random -*.DS_Store +!examples/**/.terraform.lock.hcl + +# IDE/Editor settings +**/.idea +**/*.iml +.vscode/ +*.orig +*.draft +*~ + +# Build Harness https://github.com/cloudposse/build-harness +**/.build-harness +**/build-harness + +# Log files +*.log + +# Output from other tools that might be used alongside Terraform/OpenTofu +*.tfvars.json +backend.tf.json + +# Taskit files +.taskit/ +.task/ +.env.taskit-secrets + +# Other +**/*.backup +***/*.tmp +**/*.temp +**/*.bak +**/*.*swp +**/.DS_Store diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml deleted file mode 100644 index fba6baa..0000000 --- a/.pre-commit-config.yaml +++ /dev/null 
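Review bot: `***/*.tmp` does not do what its siblings do — in gitignore a run of three asterisks is treated as ordinary `*` wildcards rather than the `**` any-depth match, so this line only ignores `.tmp` files exactly one directory below the root, unlike `**/*.temp` and `**/*.bak` next to it; change it to `**/*.tmp`. The replacement of `override.tf`/`*_override.tf` with `*override.tf` / `*override.tf.json` is a superset of the old patterns, so that part is fine. Note that `*.tfvars.json` is now ignored but `*.tfvars` is not; if the repo expects local `*.auto.tfvars` files with account-specific values, they will still be committable.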
@@ -1,9 +0,0 @@ -# To use: -# brew install pre-commit gawk terraform-docs tflint coreutils -repos: - - repo: https:///github.com/antonbabenko/pre-commit-terraform - rev: v1.77.0 - hooks: - - id: terraform_fmt - - id: terraform_validate - - id: terraform_docs diff --git a/.terraform-docs.yaml b/.terraform-docs.yaml new file mode 100644 index 0000000..710c102 --- /dev/null +++ b/.terraform-docs.yaml @@ -0,0 +1,16 @@ +version: 0.20.0 +formatter: markdown table + +recursive: + enabled: false + +settings: + lockfile: false + +output: + file: README.md + mode: inject + template: |- + + {{ .Content }} + diff --git a/.trunk/configs/.markdownlint.yaml b/.trunk/configs/.markdownlint.yaml index c97ae62..33a98b8 100644 --- a/.trunk/configs/.markdownlint.yaml +++ b/.trunk/configs/.markdownlint.yaml @@ -12,3 +12,8 @@ whitespace: false # Ignore MD041/first-line-heading/first-line-h1 # Error: First line in a file should be a top-level heading MD041: false + +# Ignore MD013/line-length +MD013: + strict: false + line_length: 350 diff --git a/.trunk/configs/.prettierignore b/.trunk/configs/.prettierignore deleted file mode 100644 index 2d0b6b1..0000000 --- a/.trunk/configs/.prettierignore +++ /dev/null @@ -1,4 +0,0 @@ -# `release-please` doesn't generate prettier compliant output, see relevant issues: -# https://github.com/googleapis/release-please/issues/1902 -# https://github.com/googleapis/release-please/issues/1802 -CHANGELOG.md diff --git a/.trunk/configs/.yamllint.yaml b/.trunk/configs/.yamllint.yaml index 4d44466..184e251 100644 --- a/.trunk/configs/.yamllint.yaml +++ b/.trunk/configs/.yamllint.yaml @@ -2,9 +2,6 @@ rules: quoted-strings: required: only-when-needed extra-allowed: ["{|}"] - empty-values: - forbid-in-block-mappings: true - forbid-in-flow-mappings: true key-duplicates: {} octal-values: forbid-implicit-octal: true diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml index 0dc88f6..c76391f 100644 --- a/.trunk/trunk.yaml +++ b/.trunk/trunk.yaml 
@@ -2,12 +2,12 @@ # To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml version: 0.1 cli: - version: 1.22.11 + version: 1.22.12 # Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins) plugins: sources: - id: trunk - ref: v1.6.7 + ref: v1.6.8 uri: https://github.com/trunk-io/plugins # Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes) runtimes: @@ -16,18 +16,32 @@ runtimes: - python@3.10.8 # This is the section where you manage your linters. (https://docs.trunk.io/check/configuration) lint: + disabled: + # Incompatible with some Terraform features: https://github.com/tenable/terrascan/issues/1331 + - terrascan enabled: - - tofu@1.9.0 - - terraform@1.1.0 - - checkov@3.2.394 + - renovate@39.263.0 + - tofu@1.9.1 + - actionlint@1.7.7 + - checkov@3.2.412 - git-diff-check - markdownlint@0.44.0 - prettier@3.5.3 - tflint@0.56.0 - - trufflehog@3.88.20 + - trivy@0.61.1 + - trufflehog@3.88.25 - yamllint@1.37.0 + ignore: + - linters: [tofu] + paths: + - "**/backend.tf.json" + # Ignore CHANGELOG.md as release-please manages this file + - linters: [ALL] + paths: + - "**/CHANGELOG.md" actions: enabled: + - terraform-docs - trunk-announce - trunk-check-pre-push - trunk-fmt-pre-commit diff --git a/LICENSE b/LICENSE index a0f747a..6b571c5 100644 --- a/LICENSE +++ b/LICENSE 
@@ -1,21 +1,202 @@ -MIT License - -Copyright (c) 2020 Matt Gowie - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. 
For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. 
For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. 
If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. 
You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. 
Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. 
+ + Copyright 2024 Masterpoint + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/README.md b/README.md index 396cada..8ba3d78 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,13 @@ -[![Masterpoint Logo](https://i.imgur.com/RDLnuQO.png)](https://masterpoint.io) - -[![Release](https://img.shields.io/github/v/release/masterpointio/terraform-aws-ssm-agent.svg)](https://github.com/masterpointio/terraform-aws-ssm-agent/releases/latest) +[![Banner][banner-image]](https://masterpoint.io/) # terraform-aws-ssm-agent +[![Release][release-badge]][latest-release] + +πŸ’‘ Learn more about Masterpoint [below](#who-we-are-𐦂𖨆π€ͺπ– ‹). + +## Purpose and Functionality + A Terraform Module to create a simple, autoscaled SSM Agent EC2 instance along with its corresponding IAM instance profile. This is intended to be used with SSM Session Manager and other SSM functionality to replace the need for a Bastion host and further secure your cloud environment. This includes an SSM document to enable session logging to S3 and CloudWatch for auditing purposes. Big shout out to the following projects which this project uses/depends on/mentions: @@ -20,7 +24,7 @@ Big shout out to the following projects which this project uses/depends on/menti ## Usage -### Module Usage: +### Module Usage ```hcl module "ssm_agent" { 
@@ -58,7 +62,7 @@ module "subnets" { } ``` -### Connecting to your new SSM Agent: +### Connecting to your new SSM Agent ```bash INSTANCE_ID=$(aws autoscaling describe-auto-scaling-instances | jq --raw-output ".AutoScalingInstances | .[0] | .InstanceId") @@ -69,6 +73,8 @@ OR Use [the awesome `gossm` project](https://github.com/gjbae1212/gossm). + + ## Requirements 
@@ -184,3 +190,71 @@ Use [the awesome `gossm` project](https://github.com/gjbae1212/gossm). | [session_logging_bucket_id](#output_session_logging_bucket_id) | The ID of the SSM Agent Session Logging S3 Bucket. | + + + +## Built By + +Powered by the [Masterpoint team](https://masterpoint.io/who-we-are/) and driven forward by contributions from the community ❀️ + +[![Contributors][contributors-image]][contributors-url] + +## Contribution Guidelines + +Contributions are welcome and appreciated! + +Found an issue or want to request a feature? [Open an issue][issues-url] + +Want to fix a bug you found or add some functionality? Fork, clone, commit, push, and PR β€” we'll check it out. + +## Who We Are 𐦂𖨆π€ͺπ– ‹ + +Established in 2016, Masterpoint is a team of experienced software and platform engineers specializing in Infrastructure as Code (IaC). We provide expert guidance to organizations of all sizes, helping them leverage the latest IaC practices to accelerate their engineering teams. + +### Our Mission + +Our mission is to simplify cloud infrastructure so developers can innovate faster, safer, and with greater confidence. By open-sourcing tools and modules that we use internally, we aim to contribute back to the community, promoting consistency, quality, and security. + +### Our Commitments + +- 🌟 **Open Source**: We live and breathe open source, contributing to and maintaining hundreds of projects across multiple organizations. +- 🌎 **1% for the Planet**: Demonstrating our commitment to environmental sustainability, we are proud members of [1% for the Planet](https://www.onepercentfortheplanet.org), pledging to donate 1% of our annual sales to environmental nonprofits. +- πŸ‡ΊπŸ‡¦ **1% Towards Ukraine**: With team members and friends affected by the ongoing [Russo-Ukrainian war](https://en.wikipedia.org/wiki/Russo-Ukrainian_War), we donate 1% of our annual revenue to invasion relief efforts, supporting organizations providing aid to those in need. 
[Here's how you can help Ukraine with just a few clicks](https://masterpoint.io/updates/supporting-ukraine/). + +## Connect With Us + +We're active members of the community and are always publishing content, giving talks, and sharing our hard earned expertise. Here are a few ways you can see what we're up to: + +[![LinkedIn][linkedin-badge]][linkedin-url] [![Newsletter][newsletter-badge]][newsletter-url] [![Blog][blog-badge]][blog-url] [![YouTube][youtube-badge]][youtube-url] + +... and be sure to connect with our founder, [Matt Gowie](https://www.linkedin.com/in/gowiem/). + +## License + +[Apache License, Version 2.0][license-url]. + +[![Open Source Initiative][osi-image]][license-url] + +Copyright Β© 2016-2025 [Masterpoint Consulting LLC](https://masterpoint.io/) + + + +[banner-image]: https://masterpoint-public.s3.us-west-2.amazonaws.com/v2/standard-long-fullcolor.png +[license-url]: https://opensource.org/license/apache-2-0 +[osi-image]: https://i0.wp.com/opensource.org/wp-content/uploads/2023/03/cropped-OSI-horizontal-large.png?fit=250%2C229&ssl=1 +[linkedin-badge]: https://img.shields.io/badge/LinkedIn-Follow-0A66C2?style=for-the-badge&logoColor=white +[linkedin-url]: https://www.linkedin.com/company/masterpoint-consulting +[blog-badge]: https://img.shields.io/badge/Blog-IaC_Insights-55C1B4?style=for-the-badge&logoColor=white +[blog-url]: https://masterpoint.io/updates/ +[newsletter-badge]: https://img.shields.io/badge/Newsletter-Subscribe-ECE295?style=for-the-badge&logoColor=222222 +[newsletter-url]: https://newsletter.masterpoint.io/ +[youtube-badge]: https://img.shields.io/badge/YouTube-Subscribe-D191BF?style=for-the-badge&logo=youtube&logoColor=white +[youtube-url]: https://www.youtube.com/channel/UCeeDaO2NREVlPy9Plqx-9JQ + + + +[release-badge]: https://img.shields.io/github/v/release/masterpointio/terraform-aws-ssm-agent?color=0E383A&label=Release&style=for-the-badge&logo=github&logoColor=white +[latest-release]: 
https://github.com/masterpointio/terraform-aws-ssm-agent/releases/latest +[contributors-image]: https://contrib.rocks/image?repo=masterpointio/terraform-aws-ssm-agent +[contributors-url]: https://github.com/masterpointio/terraform-aws-ssm-agent/graphs/contributors +[issues-url]: https://github.com/masterpointio/terraform-aws-ssm-agent/issues diff --git a/aqua.yaml b/aqua.yaml index d160725..264e850 100644 --- a/aqua.yaml +++ b/aqua.yaml @@ -7,9 +7,11 @@ # supported_envs: # - all registries: -- type: standard - ref: v4.144.0 # renovate: depName=aquaproj/aqua-registry + - type: standard + ref: v4.355.0 # renovate: depName=aquaproj/aqua-registry packages: -- name: terraform-docs/terraform-docs@v0.17.0 -- name: hashicorp/terraform@v1.7.4 -- name: opentofu/opentofu@v1.6.2 + - name: terraform-docs/terraform-docs@v0.20.0 + - name: hashicorp/terraform@v1.11.4 + tags: [terraform] + - name: opentofu/opentofu@v1.9.1 + tags: [tofu] From cf631c514968bb4d11b53e9ab9082f8bd9a6f25e Mon Sep 17 00:00:00 2001 From: Veronika Gnilitska Date: Wed, 30 Apr 2025 17:45:13 +0300 Subject: [PATCH 2/3] chore: update with the latest template state --- .github/workflows/lint.yaml | 4 +- README.md | 194 ++++++++++++++++++------------------ 2 files changed, 99 insertions(+), 99 deletions(-) diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 092d215..dd5e030 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -13,6 +13,6 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out Git repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - name: Trunk Check - uses: trunk-io/trunk-action@v1 + uses: trunk-io/trunk-action@4d5ecc89b2691705fd08c747c78652d2fc806a94 #v1.1.19 diff --git a/README.md b/README.md index 8ba3d78..8e99277 100644 --- a/README.md +++ b/README.md 
@@ -8,7 +8,9 @@ ## Purpose and Functionality -A Terraform Module to create a simple, autoscaled SSM Agent EC2 instance along with its corresponding IAM instance profile. This is intended to be used with SSM Session Manager and other SSM functionality to replace the need for a Bastion host and further secure your cloud environment. This includes an SSM document to enable session logging to S3 and CloudWatch for auditing purposes. +A Terraform Module to create a simple, autoscaled SSM Agent EC2 instance along with its corresponding IAM instance profile. + +This is intended to be used with SSM Session Manager and other SSM functionality to replace the need for a Bastion host and further secure your cloud environment. This includes an SSM document to enable session logging to S3 and CloudWatch for auditing purposes. Big shout out to the following projects which this project uses/depends on/mentions: 
@@ -76,119 +78,117 @@ Use [the awesome `gossm` project](https://github.com/gjbae1212/gossm). - ## Requirements -| Name | Version | -| ------------------------------------------------------------------------ | ------- | -| [terraform](#requirement_terraform) | >= 1.0 | -| [aws](#requirement_aws) | >= 5.0 | -| [null](#requirement_null) | >= 3.2 | -| [time](#requirement_time) | >= 0.7 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 5.0 | +| [null](#requirement\_null) | >= 3.2 | +| [time](#requirement\_time) | >= 0.7 | ## Providers -| Name | Version | -| --------------------------------------------------- | ------- | -| [aws](#provider_aws) | 5.82.2 | -| [null](#provider_null) | 3.2.3 | +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 5.0 | +| [null](#provider\_null) | >= 3.2 | ## Modules -| Name | Source | Version | -| -------------------------------------------------------------------- | ------------------------ | ------- | -| [kms_key](#module_kms_key) | cloudposse/kms-key/aws | 0.12.1 | -| [logs_bucket](#module_logs_bucket) | cloudposse/s3-bucket/aws | 3.1.2 | -| [logs_label](#module_logs_label) | cloudposse/label/null | 0.25.0 | -| [role_label](#module_role_label) | cloudposse/label/null | 0.25.0 | -| [this](#module_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +|------|--------|---------| +| [kms\_key](#module\_kms\_key) | cloudposse/kms-key/aws | 0.12.1 | +| [logs\_bucket](#module\_logs\_bucket) | cloudposse/s3-bucket/aws | 3.1.2 | +| [logs\_label](#module\_logs\_label) | cloudposse/label/null | 0.25.0 | +| [role\_label](#module\_role\_label) | cloudposse/label/null | 0.25.0 | +| [this](#module\_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -| ------------------------------------------------------------------------------------------------------------------------------------------------ | ----------- | -| 
[aws_autoscaling_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) | resource | -| [aws_cloudwatch_log_group.session_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | -| [aws_iam_instance_profile.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource | -| [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy.session_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | -| [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_launch_template.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource | -| [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | -| [aws_security_group_rule.allow_all_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | -| [aws_ssm_document.session_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_document) | resource | -| [null_resource.validate_instance_type](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | -| [aws_ami.amazon_linux_2023](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | -| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| 
[aws_iam_policy_document.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.session_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | -| [aws_s3_bucket.logs_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source | +| Name | Type | +|------|------| +| [aws_autoscaling_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) | resource | +| [aws_cloudwatch_log_group.session_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_iam_instance_profile.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource | +| [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy.session_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_launch_template.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource | +| [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group_rule.allow_all_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| 
[aws_ssm_document.session_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_document) | resource | +| [null_resource.validate_instance_type](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [aws_ami.amazon_linux_2023](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.session_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_s3_bucket.logs_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source | ## Inputs -| Name | Description | Type | Default | Required | -| ------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
-------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | -| [additional_security_group_ids](#input_additional_security_group_ids) | Security groups that will be attached to the app instances | `list(string)` | `[]` | no | -| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [ami](#input_ami) | The AMI to use for the SSM Agent EC2 Instance. If not provided, the latest Amazon Linux 2023 AMI will be used. Note: This will update periodically as AWS releases updates to their AL2023 AMI. Pin to a specific AMI if you would like to avoid these updates. | `string` | `""` | no | -| [architecture](#input_architecture) | The architecture of the AMI (e.g., x86_64, arm64) | `string` | `"arm64"` | no | -| [associate_public_ip_address](#input_associate_public_ip_address) | Associate public IP address | `bool` | `null` | no | -| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [cloudwatch_retention_in_days](#input_cloudwatch_retention_in_days) | The number of days to retain session logs in CloudWatch. This is only relevant if the session_logging_enabled variable is `true`. | `number` | `365` | no | -| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [create_run_shell_document](#input_create_run_shell_document) | Whether or not to create the SSM-SessionManagerRunShell SSM Document. | `bool` | `true` | no | -| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [desired_capacity](#input_desired_capacity) | Desired number of instances in the Auto Scaling Group | `number` | `1` | no | -| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [instance_type](#input_instance_type) | The instance type to use for the SSM Agent EC2 instance. | `string` | `"t4g.nano"` | no | -| [key_pair_name](#input_key_pair_name) | The name of the key-pair to associate with the SSM Agent instances. This can be (and probably should) left empty unless you specifically plan to use `AWS-StartSSHSession`. | `string` | `null` | no | -| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [max_size](#input_max_size) | Maximum number of instances in the Auto Scaling Group | `number` | `2` | no | -| [metadata_http_endpoint_enabled](#input_metadata_http_endpoint_enabled) | Whether or not to enable the metadata http endpoint | `bool` | `true` | no | -| [metadata_http_protocol_ipv6_enabled](#input_metadata_http_protocol_ipv6_enabled) | Enable IPv6 metadata endpoint | `bool` | `false` | no | -| [metadata_imdsv2_enabled](#input_metadata_imdsv2_enabled) | Whether or not the metadata service requires session tokens,
also referred to as Instance Metadata Service Version 2 (IMDSv2). | `bool` | `true` | no | -| [min_size](#input_min_size) | Minimum number of instances in the Auto Scaling Group | `number` | `1` | no | -| [monitoring_enabled](#input_monitoring_enabled) | Enable detailed monitoring of instance | `bool` | `true` | no | -| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [permissions_boundary](#input_permissions_boundary) | The ARN of the permissions boundary that will be applied to the SSM Agent role. | `string` | `""` | no | -| [protect_from_scale_in](#input_protect_from_scale_in) | Allows setting instance protection for scale in actions on the ASG. | `bool` | `false` | no | -| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input_region) | The region to deploy the S3 bucket for session logs. If not supplied, the module will use the current region. | `string` | `""` | no | -| [scale_in_protected_instances](#input_scale_in_protected_instances) | Behavior when encountering instances protected from scale in are found. Available behaviors are Refresh, Ignore, and Wait. Default is Ignore. | `string` | `"Ignore"` | no | -| [session_logging_bucket_name](#input_session_logging_bucket_name) | The name of the S3 Bucket to ship session logs to. This will remove creation of an independent session logging bucket. This is only relevant if the session_logging_enabled variable is `true`. | `string` | `""` | no | -| [session_logging_enabled](#input_session_logging_enabled) | To enable CloudWatch and S3 session logging or not. Note this does not apply to SSH sessions as AWS cannot log those sessions. | `bool` | `true` | no | -| [session_logging_encryption_enabled](#input_session_logging_encryption_enabled) | To enable CloudWatch and S3 session logging encryption or not. | `bool` | `true` | no | -| [session_logging_kms_key_alias](#input_session_logging_kms_key_alias) | Alias name for `session_logging` KMS Key. This is only applied if 2 conditions are met: (1) `session_logging_kms_key_arn` is unset, (2) `session_logging_encryption_enabled` = true. | `string` | `"alias/session_logging"` | no | -| [session_logging_kms_key_arn](#input_session_logging_kms_key_arn) | BYO KMS Key instead of using the created KMS Key. The session_logging_encryption_enabled variable must still be `true` for this to be applied. | `string` | `""` | no | -| [session_logging_ssm_document_name](#input_session_logging_ssm_document_name) | Name for `session_logging` SSM document. 
This is only applied if 2 conditions are met: (1) `session_logging_enabled` = true, (2) `create_run_shell_document` = true. | `string` | `"SSM-SessionManagerRunShell"` | no | -| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [subnet_ids](#input_subnet_ids) | The Subnet IDs which the SSM Agent will run in. These _should_ be private subnets. | `list(string)` | n/a | yes | -| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | -| [user_data](#input_user_data) | The user_data to use for the SSM Agent EC2 instance. You can use this to automate installation of psql or other required command line tools. | `string` | `"#!/bin/bash\n# NOTE: Since we're using a latest Amazon Linux AMI, we shouldn't need this,\n# but we'll update it to be sure.\ncd /tmp\nsudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpmnsudo systemctl enable amazon-ssm-agent\nsudo systemctl start amazon-ssm-agent\n"` | no | -| [volume_size](#input_volume_size) | The size of the volume in gigabytes. | `number` | `null` | no | -| [vpc_id](#input_vpc_id) | The ID of the VPC which the EC2 Instance will run in. | `string` | n/a | yes | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [additional\_security\_group\_ids](#input\_additional\_security\_group\_ids) | Security groups that will be attached to the app instances | `list(string)` | `[]` | no | +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [ami](#input\_ami) | The AMI to use for the SSM Agent EC2 Instance. If not provided, the latest Amazon Linux 2023 AMI will be used. Note: This will update periodically as AWS releases updates to their AL2023 AMI. Pin to a specific AMI if you would like to avoid these updates. | `string` | `""` | no | +| [architecture](#input\_architecture) | The architecture of the AMI (e.g., x86\_64, arm64) | `string` | `"arm64"` | no | +| [associate\_public\_ip\_address](#input\_associate\_public\_ip\_address) | Associate public IP address | `bool` | `null` | no | +| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [cloudwatch\_retention\_in\_days](#input\_cloudwatch\_retention\_in\_days) | The number of days to retain session logs in CloudWatch. This is only relevant if the session\_logging\_enabled variable is `true`. | `number` | `365` | no | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [create\_run\_shell\_document](#input\_create\_run\_shell\_document) | Whether or not to create the SSM-SessionManagerRunShell SSM Document. | `bool` | `true` | no | +| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [desired\_capacity](#input\_desired\_capacity) | Desired number of instances in the Auto Scaling Group | `number` | `1` | no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [instance\_type](#input\_instance\_type) | The instance type to use for the SSM Agent EC2 instance. | `string` | `"t4g.nano"` | no | +| [key\_pair\_name](#input\_key\_pair\_name) | The name of the key-pair to associate with the SSM Agent instances. This can be (and probably should) left empty unless you specifically plan to use `AWS-StartSSHSession`. | `string` | `null` | no | +| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [max\_size](#input\_max\_size) | Maximum number of instances in the Auto Scaling Group | `number` | `2` | no | +| [metadata\_http\_endpoint\_enabled](#input\_metadata\_http\_endpoint\_enabled) | Whether or not to enable the metadata http endpoint | `bool` | `true` | no | +| [metadata\_http\_protocol\_ipv6\_enabled](#input\_metadata\_http\_protocol\_ipv6\_enabled) | Enable IPv6 metadata endpoint | `bool` | `false` | no | +| [metadata\_imdsv2\_enabled](#input\_metadata\_imdsv2\_enabled) | Whether or not the metadata service requires session tokens,
also referred to as Instance Metadata Service Version 2 (IMDSv2). | `bool` | `true` | no | +| [min\_size](#input\_min\_size) | Minimum number of instances in the Auto Scaling Group | `number` | `1` | no | +| [monitoring\_enabled](#input\_monitoring\_enabled) | Enable detailed monitoring of instance | `bool` | `true` | no | +| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [permissions\_boundary](#input\_permissions\_boundary) | The ARN of the permissions boundary that will be applied to the SSM Agent role. | `string` | `""` | no | +| [protect\_from\_scale\_in](#input\_protect\_from\_scale\_in) | Allows setting instance protection for scale in actions on the ASG. | `bool` | `false` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input\_region) | The region to deploy the S3 bucket for session logs. If not supplied, the module will use the current region. | `string` | `""` | no | +| [scale\_in\_protected\_instances](#input\_scale\_in\_protected\_instances) | Behavior when encountering instances protected from scale in are found. Available behaviors are Refresh, Ignore, and Wait. Default is Ignore. | `string` | `"Ignore"` | no | +| [session\_logging\_bucket\_name](#input\_session\_logging\_bucket\_name) | The name of the S3 Bucket to ship session logs to. This will remove creation of an independent session logging bucket. This is only relevant if the session\_logging\_enabled variable is `true`. | `string` | `""` | no | +| [session\_logging\_enabled](#input\_session\_logging\_enabled) | To enable CloudWatch and S3 session logging or not. Note this does not apply to SSH sessions as AWS cannot log those sessions. | `bool` | `true` | no | +| [session\_logging\_encryption\_enabled](#input\_session\_logging\_encryption\_enabled) | To enable CloudWatch and S3 session logging encryption or not. | `bool` | `true` | no | +| [session\_logging\_kms\_key\_alias](#input\_session\_logging\_kms\_key\_alias) | Alias name for `session_logging` KMS Key. This is only applied if 2 conditions are met: (1) `session_logging_kms_key_arn` is unset, (2) `session_logging_encryption_enabled` = true. | `string` | `"alias/session_logging"` | no | +| [session\_logging\_kms\_key\_arn](#input\_session\_logging\_kms\_key\_arn) | BYO KMS Key instead of using the created KMS Key. The session\_logging\_encryption\_enabled variable must still be `true` for this to be applied. | `string` | `""` | no | +| [session\_logging\_ssm\_document\_name](#input\_session\_logging\_ssm\_document\_name) | Name for `session_logging` SSM document. 
This is only applied if 2 conditions are met: (1) `session_logging_enabled` = true, (2) `create_run_shell_document` = true. | `string` | `"SSM-SessionManagerRunShell"` | no | +| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [subnet\_ids](#input\_subnet\_ids) | The Subnet IDs which the SSM Agent will run in. These *should* be private subnets. | `list(string)` | n/a | yes | +| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| [user\_data](#input\_user\_data) | The user\_data to use for the SSM Agent EC2 instance. You can use this to automate installation of psql or other required command line tools. | `string` | `"#!/bin/bash\n# NOTE: Since we're using a latest Amazon Linux AMI, we shouldn't need this,\n# but we'll update it to be sure.\ncd /tmp\nsudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpmnsudo systemctl enable amazon-ssm-agent\nsudo systemctl start amazon-ssm-agent\n"` | no | +| [volume\_size](#input\_volume\_size) | The size of the volume in gigabytes. | `number` | `null` | no | +| [vpc\_id](#input\_vpc\_id) | The ID of the VPC which the EC2 Instance will run in. | `string` | n/a | yes | ## Outputs -| Name | Description | -| ----------------------------------------------------------------------------------------------------------------- | --------------------------------------------------- | -| [autoscaling_group_id](#output_autoscaling_group_id) | The ID of the SSM Agent Autoscaling Group. | -| [instance_name](#output_instance_name) | The name tag value of the Bastion instance. | -| [launch_template_id](#output_launch_template_id) | The ID of the SSM Agent Launch Template. | -| [role_id](#output_role_id) | The ID of the SSM Agent Role. | -| [security_group_id](#output_security_group_id) | The ID of the SSM Agent Security Group. | -| [session_logging_bucket_arn](#output_session_logging_bucket_arn) | The ARN of the SSM Agent Session Logging S3 Bucket. | -| [session_logging_bucket_id](#output_session_logging_bucket_id) | The ID of the SSM Agent Session Logging S3 Bucket. 
| - +| Name | Description | +|------|-------------| +| [autoscaling\_group\_id](#output\_autoscaling\_group\_id) | The ID of the SSM Agent Autoscaling Group. | +| [instance\_name](#output\_instance\_name) | The name tag value of the Bastion instance. | +| [launch\_template\_id](#output\_launch\_template\_id) | The ID of the SSM Agent Launch Template. | +| [role\_id](#output\_role\_id) | The ID of the SSM Agent Role. | +| [security\_group\_id](#output\_security\_group\_id) | The ID of the SSM Agent Security Group. | +| [session\_logging\_bucket\_arn](#output\_session\_logging\_bucket\_arn) | The ARN of the SSM Agent Session Logging S3 Bucket. | +| [session\_logging\_bucket\_id](#output\_session\_logging\_bucket\_id) | The ID of the SSM Agent Session Logging S3 Bucket. | From 82327ce7a41945d310874444270195000b6aaadf Mon Sep 17 00:00:00 2001 From: oycyc Date: Wed, 30 Apr 2025 11:36:26 -0400 Subject: [PATCH 3/3] update to use the new test GHA from the terraform-module-template --- .github/workflows/test.yaml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index af8e017..31600a3 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -13,6 +13,9 @@ permissions: id-token: write pull-requests: read +env: + AWS_REGION: us-east-1 + jobs: tf-test: name: πŸ§ͺ ${{ matrix.tf }} test 
@@ -41,5 +44,26 @@ jobs:
 shell: bash
 run: aqua install --tags ${{ matrix.tf }}
+ - name: Check if TF AWS provider is used
+ id: check_aws_provider
+ run: |
+ if grep -q "aws" $(find . -name "versions.tf" -o -name "versions.tofu" -type f); then
+ echo "Found aws in versions.tf or versions.tofu files"
+ echo "contains_hashicorp=true" >> $GITHUB_OUTPUT
+ else
+ echo "No versions.tf or versions.tofu files contain aws"
+ echo "contains_hashicorp=false" >> $GITHUB_OUTPUT
+ fi
+
+ # Assume into the `masterpoint-testing` AWS account with OIDC for testing ONLY if the AWS provider is used
+ # Not needed for modules that don't use the AWS provider, for example, exclusive Spacelift modules
+ - name: Configure AWS Credentials on `masterpoint-testing` AWS Account
+ if: steps.check_aws_provider.outputs.contains_hashicorp == 'true'
+ uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+ with:
+ role-to-assume: arn:aws:iam::115843287071:role/mp-ue1-testing-oidc-github
+ role-session-name: GitHubActionsOIDC-MP-Infra-Repo
+ aws-region: ${{ env.AWS_REGION }}
+
 - run: ${{ matrix.tf }} init
 - run: ${{ matrix.tf }} test
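Review bot: The `contains_hashicorp` gate in the new `check_aws_provider` step is a bare substring test — `grep -q "aws" $(find …)` fires on a comment, a module name or an `awscc` provider block, and when `find` returns no files grep is left reading stdin rather than failing closed — so the step that decides whether `id-token: write` is turned into live AWS credentials can flip on noise; match the provider source line instead and quote `"$GITHUB_OUTPUT"`, as in the rewrite below. `role-session-name: GitHubActionsOIDC-MP-Infra-Repo` looks carried over from another repository; deriving it from the run, e.g. `role-session-name: gha-${{ github.event.repository.name }}-${{ github.run_id }}`, lets CloudTrail attribute each assumed session to this workflow and run. The trust policy of `mp-ue1-testing-oidc-github` is not visible here, so confirm its condition on the token's `sub` claim is narrowed to this organisation's repositories rather than any token from the GitHub issuer. `terraform test` executes whatever provider and module code the checked-out tree contains against the `masterpoint-testing` account, and both the `tf-test` job header and the workflow's `on:` trigger lie outside this hunk, so verify the trigger never runs unreviewed fork-PR code (for example via `pull_request_target`) with these credentials.

```yaml
      - name: Check if TF AWS provider is used
        id: check_aws_provider
        run: |
          # Match the provider source line itself, not any "aws" substring, and skip vendored .terraform trees.
          if grep -rqE --include=versions.tf --include=versions.tofu --exclude-dir=.terraform \
               'source[[:space:]]*=[[:space:]]*"hashicorp/aws"' .; then
            echo "contains_hashicorp=true" >> "$GITHUB_OUTPUT"
          else
            echo "contains_hashicorp=false" >> "$GITHUB_OUTPUT"
          fi

      # … unchanged: Configure AWS Credentials step, init and test steps …
```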