diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
index 398767c..daf3160 100644
--- a/.github/workflows/pre-commit.yaml
+++ b/.github/workflows/pre-commit.yaml
@@ -3,6 +3,7 @@ name: pre-commit-check
on:
push:
branches:
+ - main
- master
- prod
- develop
diff --git a/.github/workflows/pullRequest.yaml b/.github/workflows/pullRequest.yaml
index 8f1eba5..101b621 100644
--- a/.github/workflows/pullRequest.yaml
+++ b/.github/workflows/pullRequest.yaml
@@ -24,7 +24,7 @@ jobs:
terraform_tflint_deep,
no-commit-to-branch,
terraform_tflint_nocreds,
- terraform_tfsec
+ terraform_trivy
tflint:
runs-on: ubuntu-latest
steps:
@@ -41,7 +41,7 @@ jobs:
filter_mode: added
flags: --module
level: error
- tfsec:
+ trivy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml
new file mode 100644
index 0000000..a2df833
--- /dev/null
+++ b/.github/workflows/terraform.yaml
@@ -0,0 +1,17 @@
+---
+name: Terraform Composite Action
+on:
+ push:
+
+jobs:
+ terraform-composite:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Install prerequisites
+ run: ./bin/install-ubuntu.sh
+ - name: Terraform init
+ run: terraform init --backend=false
+ - name: actions-terraform-composite
+ uses: rhythmictech/actions-terraform-composite@master
+
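Review bot: The composite action is consumed by the mutable `master` ref at line 56, so whatever is pushed to that branch runs with this repository's `GITHUB_TOKEN` on every push; pin it to a release tag or, better, a full commit SHA, e.g. `uses: rhythmictech/actions-terraform-composite@<tag-or-commit-sha>` (placeholder). The same concern applies to `aquasecurity/trivy-action@master` in the new trivy.yaml, and `actions/checkout@v2` here and in trivy.yaml is an old major with `actions/checkout@v4` available. The workflow declares no `permissions:` block, so the job inherits the repository's default token scopes; for an init-and-validate job `permissions: {contents: read}` at workflow level is the least-privilege default. `on: push:` with no branch filter also means this runs on every branch push, which differs from the main/master/prod/develop filter used by pre-commit.yaml — confirm that is intended.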
diff --git a/.github/workflows/tfsec.yaml b/.github/workflows/tfsec.yaml
deleted file mode 100644
index 2f75a3e..0000000
--- a/.github/workflows/tfsec.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
----
-name: tfsec
-on:
- push:
- branches:
- - main
- - master
- - prod
- - develop
-
-jobs:
- tfsec:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- - name: Install prerequisites
- run: ./bin/install-ubuntu.sh
- - name: Terraform init
- run: terraform init --backend=false
- - name: tfsec
- uses: reviewdog/action-tfsec@master
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
- reporter: github-check
- filter_mode: nofilter
- level: error
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
new file mode 100644
index 0000000..53a9d16
--- /dev/null
+++ b/.github/workflows/trivy.yaml
@@ -0,0 +1,31 @@
+---
+name: trivy
+on:
+ push:
+ branches:
+ - master
+
+jobs:
+ trivy:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Install prerequisites
+ run: ./bin/install-ubuntu.sh
+ - name: Terraform init
+ run: terraform init --backend=false
+ - name: Trivy scan
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'config'
+ hide-progress: false
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ exit-code: '1'
+ ignore-unfixed: true
+ severity: 'CRITICAL,HIGH'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
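Review bot: The upload step at line 123 is skipped exactly when there is something to report: `exit-code: '1'` at line 119 makes the scan step fail on any CRITICAL/HIGH finding, and the upload step has no `if:` condition, so failing results never reach the Security tab; add `if: always()` to the upload step. `upload-sarif` also needs `security-events: write`, which this workflow does not declare — add `permissions: {contents: read, security-events: write}` at workflow level rather than relying on the repository default. The trigger at lines 99–101 runs only on `master`, whereas the deleted tfsec.yaml ran on main/master/prod/develop and pre-commit.yaml just gained `main`, so config scanning coverage has narrowed; presumably unintentional. `ignore-unfixed: true` at line 120 appears to be a vulnerability-scan option and is unlikely to affect a `config` scan — harmless, but worth confirming or dropping.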
diff --git a/.gitignore b/.gitignore
index 74c83e8..371d818 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,5 +13,3 @@
# temp folders
tmp
-
-.terraform.lock.hcl
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 0b856e7..f209b71 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,63 +1,27 @@
exclude: ".terraform"
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.92.1
+ rev: v1.92.2
hooks:
- id: terraform_docs
always_run: true
- id: terraform_fmt
+ - id: terraform_validate
+ args:
+ - --hook-config=--retry-once-with-cleanup=true
+ exclude: ^examples
- id: terraform_tflint
alias: terraform_tflint_nocreds
+ exclude: ^examples
name: terraform_tflint_nocreds
- - id: terraform_tfsec
- - repo: local
- hooks:
- - id: terraform_validate
- name: terraform_validate
- entry: |
- bash -c '
- AWS_DEFAULT_REGION=us-east-1
- declare -a DIRS
- for FILE in "$@"
- do
- DIRS+=($(dirname "$FILE"))
- done
- for DIR in $(printf "%s\n" "${DIRS[@]}" | sort -u)
- do
- cd $(dirname "$FILE")
- terraform init --backend=false
- terraform validate .
- cd ..
- done
- '
- language: system
- verbose: true
- files: \.tf(vars)?$
- exclude: examples
- - id: tflock
- name: provider_locks
- entry: |
- bash -c '
- AWS_DEFAULT_REGION=us-east-1
- declare -a DIRS
- for FILE in "$@"
- do
- DIRS+=($(dirname "$FILE"))
- done
- for DIR in $(printf "%s\n" "${DIRS[@]}" | sort -u)
- do
- cd $(dirname "$FILE")
- terraform providers lock -platform=windows_amd64 -platform=darwin_amd64 -platform=linux_amd64
- cd ..
- done
- '
- language: system
- verbose: true
- files: \.tf(vars)?$
- exclude: examples
+ - id: terraform_trivy
+ args:
+ - --args=--skip-dirs="**/.terraform,examples/*"
+ - id: terraform_providers_lock
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.6.0
hooks:
+ - id: check-added-large-files
- id: check-case-conflict
- id: check-json
- id: check-merge-conflict
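Review bot: `terraform_providers_lock` at line 207 is added with no arguments, while the local `tflock` hook it replaces (removed lines 183–203) locked providers for windows_amd64, darwin_amd64 and linux_amd64; without platform arguments the upstream hook will, as far as I can tell, only lock for the platform it runs on, so the committed `.terraform.lock.hcl` (now un-ignored in this same commit) may churn between macOS and Ubuntu contributors and CI. Pass the platforms explicitly as shown below. For `terraform_trivy` at line 206, the double quotes inside `--args=--skip-dirs="**/.terraform,examples/*"` are part of a plain YAML scalar and are passed literally to the hook; whether the hook's argument handling strips them or hands trivy a quoted path list should be confirmed against the rendered command.

```yaml
  - id: terraform_providers_lock
    args:
      - --args=-platform=windows_amd64
      - --args=-platform=darwin_amd64
      - --args=-platform=linux_amd64
```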
@@ -65,6 +29,7 @@ repos:
- id: check-yaml
args:
- --unsafe
+ - id: detect-private-key
- id: end-of-file-fixer
- id: mixed-line-ending
args:
@@ -86,4 +51,4 @@ repos:
- --markdown-linebreak-ext=md
exclude: README.md
ci:
- skip: [terraform_docs, terraform_fmt, terraform_tflint, terraform_tfsec, tflock]
+ skip: [terraform_docs, terraform_fmt, terraform_validate, terraform_tflint, terraform_trivy, terraform_providers_lock]
diff --git a/.terraform-version b/.terraform-version
index 4f20ea7..5a13b33 100644
--- a/.terraform-version
+++ b/.terraform-version
@@ -1 +1 @@
-latest:^1.1
+latest:^1.6
diff --git a/.tflint.hcl b/.tflint.hcl
index 854fb92..c700b79 100644
--- a/.tflint.hcl
+++ b/.tflint.hcl
@@ -2,6 +2,12 @@ config {
module = true
}
+plugin "aws" {
+ enabled = true
+ version = "0.30.0"
+ source = "github.com/terraform-linters/tflint-ruleset-aws"
+}
+
rule "terraform_deprecated_interpolation" {
enabled = true
}
diff --git a/LICENSE b/LICENSE
index 3fe5c34..9f1b0ba 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,6 +1,6 @@
MIT License
-Copyright (c) 2020 Rhythmic Technologies, Inc.
+Copyright (c) 2024 Rhythmic Technologies, Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
diff --git a/README.md b/README.md
index e693e78..168691f 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
Template repository for terraform modules. Good for any cloud and any provider.
[data:image/s3,"s3://crabby-images/8dee6/8dee658806716386a29cf33a83ea063cf2e52de6" alt="tflint"](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Atflint+event%3Apush+branch%3Amaster)
-[data:image/s3,"s3://crabby-images/d3822/d38225cd66f6eeda3a95c3456c25919d8dea5a10" alt="tfsec"](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Atfsec+event%3Apush+branch%3Amaster)
+[data:image/s3,"s3://crabby-images/ebadd/ebadd5aad46f35cc806070224ea5eb61e88986f0" alt="trivy"](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Atrivy+event%3Apush+branch%3Amaster)
[data:image/s3,"s3://crabby-images/add76/add7606ea403607f0f30461da1cb443dc8bac803" alt="yamllint"](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Ayamllint+event%3Apush+branch%3Amaster)
[data:image/s3,"s3://crabby-images/7cd91/7cd915ec6c11b45af90af44fdb4ee0dffd52f0a1" alt="misspell"](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Amisspell+event%3Apush+branch%3Amaster)
[data:image/s3,"s3://crabby-images/e3eab/e3eabcfe7e868992b425d6353832f73d447e4c2a" alt="pre-commit-check"](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Apre-commit-check+event%3Apush+branch%3Amaster)
@@ -32,7 +32,7 @@ No providers.
| Name | Source | Version |
|------|--------|---------|
-| [tags](#module\_tags) | rhythmictech/tags/terraform | ~> 1.1.0 |
+| [tags](#module\_tags) | rhythmictech/tags/terraform | ~> 1.1 |
## Resources
diff --git a/bin/install-macos.sh b/bin/install-macos.sh
index 3800165..349bb9d 100755
--- a/bin/install-macos.sh
+++ b/bin/install-macos.sh
@@ -2,9 +2,8 @@
echo 'installing brew packages'
brew update
-brew tap liamg/tfsec
-brew install tfenv tflint terraform-docs pre-commit liamg/tfsec/tfsec coreutils
-brew upgrade tfenv tflint terraform-docs pre-commit liamg/tfsec/tfsec coreutils
+brew install tfenv tflint terraform-docs aquasecurity/trivy/trivy pre-commit coreutils
+brew upgrade tfenv tflint terraform-docs aquasecurity/trivy/trivy pre-commit coreutils
echo 'installing pre-commit hooks'
pre-commit install
diff --git a/bin/install-ubuntu.sh b/bin/install-ubuntu.sh
index 670d0b9..331e45b 100755
--- a/bin/install-ubuntu.sh
+++ b/bin/install-ubuntu.sh
@@ -7,7 +7,7 @@ pip3 install pre-commit
# terraform docs
mkdir tmp
cd tmp
-curl -Lo ./terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-$(uname)-amd64.tar.gz
+curl -Lo ./terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.18.0/terraform-docs-v0.18.0-$(uname)-amd64.tar.gz
tar -xzf terraform-docs.tar.gz
chmod +x terraform-docs
sudo mv terraform-docs /usr/bin/
@@ -30,3 +30,6 @@ pre-commit init-templatedir ~/.git-template
echo 'installing terraform with tfenv'
tfenv install
+
+wget https://github.com/aquasecurity/trivy/releases/download/v0.54.1/trivy_0.54.1_Linux-64bit.deb
+sudo dpkg -i trivy_0.54.1_Linux-64bit.deb
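Review bot: The `.deb` downloaded at line 311 is installed with root privileges at line 312 without any integrity check, so a tampered download or a compromised release asset goes straight onto the machine; the same applies to the terraform-docs tarball at line 303, though that pattern predates this commit. Trivy publishes a checksums file alongside each release (asset name as published on the release page — confirm), so the download can be verified with `sha256sum --check` before `dpkg -i`, and the version should be a single variable so the two filenames cannot drift apart. The downloaded files are also never removed. Note the version is pinned to 0.54.1 here but the macOS installer (bin/install-macos.sh) and the CI workflow (`trivy-action@master`) float, so scan results may differ between environments.

```sh
# … unchanged: tfenv install …
TRIVY_VERSION=0.54.1
wget "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.deb"
wget "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_checksums.txt"
sha256sum --check --ignore-missing "trivy_${TRIVY_VERSION}_checksums.txt"
sudo dpkg -i "trivy_${TRIVY_VERSION}_Linux-64bit.deb"
rm -f "trivy_${TRIVY_VERSION}_Linux-64bit.deb" "trivy_${TRIVY_VERSION}_checksums.txt"
```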
diff --git a/main.tf b/main.tf
index b0bc3ba..6b99d12 100644
--- a/main.tf
+++ b/main.tf
@@ -1,7 +1,7 @@
module "tags" {
source = "rhythmictech/tags/terraform"
- version = "~> 1.1.0"
+ version = "~> 1.1"
enforce_case = "UPPER"
names = [var.name]