Init

.github/workflows/main.yml

@@ -0,0 +1,121 @@
+name: Terraform validation
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+env:
+  TERRAFORM_DOCS_VERSION: "v0.16.0"
+  TFLINT_VERSION: "v0.35.0"
+  TFSEC_VERSION: "v1.6.2"
+
+jobs:
+  terraform-validation:
+    runs-on: ubuntu-20.04
+
+    steps:
+      - uses: actions/setup-python@v2
+        name: "SETUP: Python"
+
+      - uses: actions/[email protected]
+        id: cache-terraform-docs
+        name: "CACHE: terraform-docs"
+        with:
+          path: |
+            ~/terraform-docs/bin/
+          key: ${{ runner.os }}-terraform_docs-${{ env.TERRAFORM_DOCS_VERSION }}
+          restore-keys: |
+            ${{ runner.os}}-terraform_docs-
+
+      - shell: bash
+        name: "INSTALL: terraform-docs"
+        if: steps.cache-terraform-docs.output.cache-hit != 'true'
+        run: |
+          wget https://github.com/terraform-docs/terraform-docs/releases/download/${{ env.TERRAFORM_DOCS_VERSION }}/terraform-docs-${{ env.TERRAFORM_DOCS_VERSION }}-linux-amd64.tar.gz
+          tar xvzf terraform-docs-${{ env.TERRAFORM_DOCS_VERSION }}-linux-amd64.tar.gz
+          mkdir -p ~/terraform-docs/bin/
+          install terraform-docs ~/terraform-docs/bin/
+
+      - shell: bash
+        name: "SETUP: terraform-docs path"
+        run: echo '~/terraform-docs/bin/' >> $GITHUB_PATH
+
+      - uses: actions/checkout@v2
+        name: Checkout source code
+
+      - uses: actions/cache@v2
+        id: cache-pre-commit-dependencies
+        name: "CACHE: pip and pre-commit dependencies"
+        with:
+          path: |
+            ~/.cache/pre-commit
+            ~/.cache/pip
+          key: ${{ runner.os }}-pip-pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-pre-commit-
+
+      - uses: actions/cache@v2
+        id: cache-tflint
+        name: "CACHE: tflint"
+        with:
+          path: |
+            ~/tflint/bin/
+          key: ${{ runner.os }}-tflint-${{ env.TFLINT_VERSION }}
+          restore-keys: |
+            ${{ runner.os }}-tflint-
+
+      - shell: bash
+        name: "INSTALL: detect-secrets"
+        run: |
+          pip install detect-secrets
+
+      - shell: bash
+        name: "INSTALL: checkov"
+        run: |
+          pip install checkov
+
+      - shell: bash
+        name: "INSTALL: tflint"
+        if: steps.cache-tflint.outputs.cache-hit != 'true'
+        run: |
+          wget https://github.com/terraform-linters/tflint/releases/download/${{ env.TFLINT_VERSION }}/tflint_linux_amd64.zip
+          unzip tflint_linux_amd64.zip
+          mkdir -p ~/tflint/bin/
+          install tflint ~/tflint/bin/
+
+      - shell: bash
+        name: "SETUP: tflint path"
+        run: echo '~/tflint/bin/' >> $GITHUB_PATH
+
+      - shell: bash
+        name: "INIT: TFLint"
+        run: tflint --init
+
+      - uses: actions/cache@v2
+        id: cache-tfsec
+        name: "CACHE: tfsec"
+        with:
+          path: |
+            ~/tfsec/bin/
+          key: ${{ runner.os }}-tfsec-${{ env.TFSEC_VERSION }}
+          restore-keys: |
+            ${{ runner.os }}-tfsec-
+
+      - shell: bash
+        name: "INSTALL: tfsec"
+        if: steps.cache-tfsec.outputs.cache-hit != 'true'
+        run: |
+          wget https://github.com/tfsec/tfsec/releases/download/${{ env.TFSEC_VERSION }}/tfsec-linux-amd64
+          mkdir -p ~/tfsec/bin/
+          install tfsec-linux-amd64 ~/tfsec/bin/
+
+      - shell: bash
+        name: "SETUP: tfsec path"
+        run: echo '~/tfsec/bin/' >> $GITHUB_PATH
+
+      - uses: pre-commit/[email protected]
+        name: "RUN: pre-commit"
+        env:
+          AWS_DEFAULT_REGION: "eu-central-1"

.gitignore

@@ -0,0 +1,36 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Exclude all .tfvars files, which are likely to contain sentitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+#
+*.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+.terraform.lock.hcl

.pre-commit-config.yaml

@@ -0,0 +1,33 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.1.0
+    hooks:
+      - id: trailing-whitespace
+      - id: check-merge-conflict
+      - id: detect-aws-credentials
+        args: ['--allow-missing-credentials']
+      - id: detect-private-key
+      - id: end-of-file-fixer
+
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.64.1
+    hooks:
+    - id: terraform_fmt
+    - id: terraform_tflint
+    - id: terraform_validate
+    - id: checkov
+    - id: terraform_docs
+      args:
+        - '--args=--hide providers --sort-by required'
+
+  - repo: https://github.com/pecigonzalo/pre-commit-terraform-vars
+    rev: v1.0.0
+    hooks:
+    - id: terraform-vars
+
+  - repo: https://github.com/Yelp/detect-secrets
+    rev: v1.2.0
+    hooks:
+      - id: detect-secrets
+        args: ['--baseline', '.secrets.baseline']
+        exclude: terraform.tfstate

.secrets.baseline

@@ -0,0 +1,67 @@
+{
+  "custom_plugin_paths": [],
+  "exclude": {
+    "files": null,
+    "lines": null
+  },
+  "generated_at": "2020-09-21T15:31:24Z",
+  "plugins_used": [
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "base64_limit": 4.5,
+      "name": "Base64HighEntropyString"
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "hex_limit": 3,
+      "name": "HexHighEntropyString"
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "keyword_exclude": null,
+      "name": "KeywordDetector"
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "results": {},
+  "version": "0.14.3",
+  "word_list": {
+    "file": null,
+    "hash": null
+  }
+}

.tflint.hcl

@@ -0,0 +1,5 @@
+plugin "aws" {
+  enabled = true
+  version = "0.13.2"
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+}