configure precommit ci (#18)

* Adding pre-commit config * Adding markdown files * terraform-docs: automated action * [pre-commit.ci lite] apply automatic fixes * terraform-docs: automated action --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: pre-commit-ci-lite[bot] <117423508+pre-commit-ci-lite[bot]@users.noreply.github.com>
CMS-Enterprise · Dec 21, 2023 · bef4210 · bef4210
1 parent 6312712
commit bef4210
Show file tree

Hide file tree

Showing 7 changed files with 170 additions and 31 deletions.
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
@@ -0,0 +1,56 @@
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+jobs:
+  tf_docs:
+    name: Render Terraform Docs
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        ref: ${{ github.event.pull_request.head.ref }}
+
+    - name: Render terraform docs inside the README.md and push changes back to PR branch
+      uses: terraform-docs/gh-actions@v1.0.0
+      with:
+        working-dir: .
+        output-file: README.md
+        output-method: inject
+        git-push: "true"
+  pre_commit:
+    name: Run pre-commit and commit any autocorrections
+    # Depends on tf_docs to avoid conflicts when changes are being written by both tf_docs and pre-commit
+    needs: tf_docs
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v3
+      with:
+        terraform_version: 1.6.6
+    - name: Setup Terragrunt
+      uses: autero1/action-terragrunt@v1.1.0
+      with:
+        terragrunt_version: 0.54.8
+        # To avoid rate-limiting
+        token: ${{ secrets.GITHUB_TOKEN }}
+    - uses: terraform-linters/setup-tflint@v3
+      name: TFLint - Setup
+      with:
+        tflint_version: latest
+
+    - name: TFLint - Init
+      run: tflint --init
+      env:
+        # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+        GITHUB_TOKEN: ${{ github.token }}
+    - name: TFLint - Show version
+      run: tflint --version
+    - uses: actions/setup-python@v4
+      with:
+        python-version: 3.x
+    - uses: pre-commit/action@v3.0.0
+    - uses: pre-commit-ci/lite-action@v1.0.1
+      if: always()
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,2 @@
 .terraform.lock.hcl
-.terraform/
+.terraform/
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -2,18 +2,30 @@
 # See https://pre-commit.com/hooks.html for more hooks
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v4.5.0
     hooks:
     -   id: trailing-whitespace
     -   id: end-of-file-fixer
     -   id: check-yaml
         args: ["--allow-multiple-documents"]
     -   id: check-added-large-files
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.77.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+    rev: v1.85.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
     hooks:
       - id: terraform_fmt     #  args: ["--enable require-variable-braces,deprecate-which"]
       - id: terraform_tflint
-        exclude: .*
+        args:
+          - "--args=--fix"
       - id: terragrunt_fmt
-      - id: terraform_docs
+      #- id: terraform_docs
+ci:
+    autofix_commit_msg: |
+        [pre-commit.ci] auto fixes from pre-commit.com hooks
+
+        for more information, see https://pre-commit.ci
+    autofix_prs: true
+    autoupdate_branch: ''
+    autoupdate_commit_msg: '[pre-commit.ci] pre-commit autoupdate'
+    autoupdate_schedule: weekly
+    skip: [terraform_fmt, terraform_tflint, terragrunt_fmt, terraform_docs]
+    submodules: false
diff --git a/LICENSE.md b/LICENSE.md
@@ -0,0 +1,34 @@
+# License
+
+As a work of the [United States government](https://www.usa.gov/), this project
+is in the public domain within the United States of America.
+
+Additionally, we waive copyright and related rights in the work worldwide
+through the CC0 1.0 Universal public domain dedication.
+
+## CC0 1.0 Universal Summary
+
+This is a human-readable summary of the [Legal Code (read the full
+text)](https://creativecommons.org/publicdomain/zero/1.0/legalcode).
+
+### No Copyright
+
+The person who associated a work with this deed has dedicated the work to the
+public domain by waiving all of their rights to the work worldwide under
+copyright law, including all related and neighboring rights, to the extent
+allowed by law.
+
+You can copy, modify, distribute, and perform the work, even for commercial
+purposes, all without asking permission.
+
+### Other Information
+
+In no way are the patent or trademark rights of any person affected by CC0, nor
+are the rights that other persons may have in the work or in how the work is
+used, such as publicity or privacy rights.
+
+Unless expressly stated otherwise, the person who associated a work with this
+deed makes no warranties about the work, and disclaims liability for all uses
+of the work, to the fullest extent permitted by applicable law. When using or
+citing the work, you should not imply endorsement by the author or the
+affirmer.
diff --git a/README.md b/README.md
@@ -1,4 +1,6 @@
 # batcave-tf-efs
+
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 No requirements.
@@ -9,6 +11,7 @@ No requirements.
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | n/a |
+| <a name="provider_time"></a> [time](#provider\_time) | n/a |
 
 ## Modules
 
@@ -20,42 +23,68 @@ No requirements.
 
 | Name | Type |
 |------|------|
+| [aws_backup_plan.daily](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_plan) | resource |
+| [aws_backup_selection.daily](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_selection) | resource |
+| [aws_backup_vault.daily](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource |
+| [aws_backup_vault_policy.efs_backup_vault](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_policy) | resource |
 | [aws_efs_backup_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_backup_policy) | resource |
 | [aws_efs_file_system.efs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system) | resource |
 | [aws_efs_mount_target.efs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_mount_target) | resource |
 | [aws_iam_policy.batcave_efscsidriver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.efs_kms_backup_restore](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.efs_backup_restore_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.service_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.efs_backup_restore_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.service_role_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_security_group.efs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group_rule.efs_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [helm_release.aws-efs-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [time_sleep.iam_delay](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_eks_cluster_auth.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source |
+| [aws_iam_policy_document.backup_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.backup_efs_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.batcave_efscsidriver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.service_link](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.vault_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_kms_key.efs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_cluster_certificate_authority_data"></a> [cluster\_certificate\_authority\_data](#input\_cluster\_certificate\_authority\_data) | n/a | `any` | n/a | yes |
-| <a name="input_cluster_endpoint"></a> [cluster\_endpoint](#input\_cluster\_endpoint) | n/a | `any` | n/a | yes |
-| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | n/a | `any` | n/a | yes |
-| <a name="input_cluster_oidc_issuer_url"></a> [cluster\_oidc\_issuer\_url](#input\_cluster\_oidc\_issuer\_url) | n/a | `any` | n/a | yes |
-| <a name="input_efsid"></a> [efsid](#input\_efsid) | n/a | `string` | `""` | no |
-| <a name="input_helm_name"></a> [helm\_name](#input\_helm\_name) | n/a | `string` | `"aws-efs-csi-driver"` | no |
-| <a name="input_helm_namespace"></a> [helm\_namespace](#input\_helm\_namespace) | ## Helm variables | `string` | `"kube-system"` | no |
-| <a name="input_iam_path"></a> [iam\_path](#input\_iam\_path) | n/a | `string` | `"/delegatedadmin/developer/"` | no |
-| <a name="input_imagerepo"></a> [imagerepo](#input\_imagerepo) | # Image repo | `string` | `"602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/aws-efs-csi-driver"` | no |
-| <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | n/a | `string` | `""` | no |
-| <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | n/a | `string` | `""` | no |
+| <a name="input_backup_completion_window_minutes"></a> [backup\_completion\_window\_minutes](#input\_backup\_completion\_window\_minutes) | Amount of time (in minutes) a backup job can run before it is automatically canceled | `number` | `180` | no |
+| <a name="input_backup_restore_policy_name"></a> [backup\_restore\_policy\_name](#input\_backup\_restore\_policy\_name) | n/a | `string` | `"EFSBackupRestore"` | no |
+| <a name="input_backup_start_window_minutes"></a> [backup\_start\_window\_minutes](#input\_backup\_start\_window\_minutes) | Amount if time (in minutes) before starting a backup job | `number` | `60` | no |
+| <a name="input_cluster_certificate_authority_data"></a> [cluster\_certificate\_authority\_data](#input\_cluster\_certificate\_authority\_data) | CA certificate data for EKS cluster | `any` | n/a | yes |
+| <a name="input_cluster_endpoint"></a> [cluster\_endpoint](#input\_cluster\_endpoint) | Endpoint for EKS cluster | `any` | n/a | yes |
+| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of EKS cluster | `any` | n/a | yes |
+| <a name="input_cluster_oidc_issuer_url"></a> [cluster\_oidc\_issuer\_url](#input\_cluster\_oidc\_issuer\_url) | OIDC issuer URL for EKS cluster | `any` | n/a | yes |
+| <a name="input_daily_backup_days_to_retain"></a> [daily\_backup\_days\_to\_retain](#input\_daily\_backup\_days\_to\_retain) | Days to retain the backup vault backups | `string` | `"30"` | no |
+| <a name="input_daily_backup_force_destroy"></a> [daily\_backup\_force\_destroy](#input\_daily\_backup\_force\_destroy) | Force destroy the backup vault | `bool` | `false` | no |
+| <a name="input_daily_backup_tag_key"></a> [daily\_backup\_tag\_key](#input\_daily\_backup\_tag\_key) | Tag Key for backing up resources daily | `string` | `""` | no |
+| <a name="input_daily_backup_tag_value"></a> [daily\_backup\_tag\_value](#input\_daily\_backup\_tag\_value) | Tag Value for backing up resources daily | `string` | `""` | no |
+| <a name="input_directory_perms"></a> [directory\_perms](#input\_directory\_perms) | Storage Class directory permissions | `string` | `"700"` | no |
+| <a name="input_gid_range_end"></a> [gid\_range\_end](#input\_gid\_range\_end) | Storage Class directory permissions | `string` | `"2000"` | no |
+| <a name="input_gid_range_start"></a> [gid\_range\_start](#input\_gid\_range\_start) | Storage Class directory permissions | `string` | `"100"` | no |
+| <a name="input_helm_name"></a> [helm\_name](#input\_helm\_name) | Name for Helm release | `string` | `"aws-efs-csi-driver"` | no |
+| <a name="input_helm_namespace"></a> [helm\_namespace](#input\_helm\_namespace) | Namespace for Helm chart | `string` | `"kube-system"` | no |
+| <a name="input_iam_backup_restore_role_name"></a> [iam\_backup\_restore\_role\_name](#input\_iam\_backup\_restore\_role\_name) | n/a | `string` | `"EFSBackupRestoreRole"` | no |
+| <a name="input_iam_path"></a> [iam\_path](#input\_iam\_path) | Path for IAM roles | `string` | `"/delegatedadmin/developer/"` | no |
+| <a name="input_imagerepo"></a> [imagerepo](#input\_imagerepo) | ECR repository for container images | `string` | `"602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/aws-efs-csi-driver"` | no |
+| <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | KMS key ID for secrets encryption | `string` | `""` | no |
+| <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | Permissions boundary for IAM roles | `string` | `""` | no |
 | <a name="input_private_subnet_ids"></a> [private\_subnet\_ids](#input\_private\_subnet\_ids) | n/a | `list(any)` | `[]` | no |
-| <a name="input_toleration_effect"></a> [toleration\_effect](#input\_toleration\_effect) | toleration effect | `string` | `""` | no |
-| <a name="input_toleration_key"></a> [toleration\_key](#input\_toleration\_key) | toleration key | `string` | `""` | no |
-| <a name="input_toleration_operator"></a> [toleration\_operator](#input\_toleration\_operator) | toleration operator | `string` | `""` | no |
-| <a name="input_toleration_value"></a> [toleration\_value](#input\_toleration\_value) | toleration value | `string` | `""` | no |
-| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | n/a | `string` | `""` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Optional; Map of key-value tags to apply to applicable resources | `map(any)` | `{}` | no |
+| <a name="input_tags_backup_plan"></a> [tags\_backup\_plan](#input\_tags\_backup\_plan) | Optional; Map of key-value tags to apply to all backup plans | `map(any)` | `{}` | no |
+| <a name="input_tags_backup_vault"></a> [tags\_backup\_vault](#input\_tags\_backup\_vault) | Optional; Map of key-value tags to apply to all backup vaults | `map(any)` | `{}` | no |
+| <a name="input_tolerations"></a> [tolerations](#input\_tolerations) | ## Helm variables | `list(any)` | `[]` | no |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID for EKS cluster | `any` | n/a | yes |
+| <a name="input_worker_security_group_id"></a> [worker\_security\_group\_id](#input\_worker\_security\_group\_id) | n/a | `string` | n/a | yes |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
 | <a name="output_oidc_iam_role_arn"></a> [oidc\_iam\_role\_arn](#output\_oidc\_iam\_role\_arn) | n/a |
-<!-- END_TF_DOCS -->
+<!-- END_TF_DOCS -->
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,17 @@
+# Security and Responsible Disclosure Policy
+
+*Submit a vulnerability:* Unfortunately, we cannot accept secure submissions via
+email or via GitHub Issues. Please use our website to submit vulnerabilities at
+[https://hhs.responsibledisclosure.com](https://hhs.responsibledisclosure.com).
+HHS maintains an acknowledgements page to recognize your efforts on behalf of
+the American public, but you are also welcome to submit anonymously.
+
+Review the HHS Disclosure Policy and websites in scope:
+[https://www.hhs.gov/vulnerability-disclosure-policy/index.html](https://www.hhs.gov/vulnerability-disclosure-policy/index.html).
+
+This policy describes *what systems and types of research* are covered under this
+policy, *how to send* us vulnerability reports, and *how long* we ask security
+researchers to wait before publicly disclosing vulnerabilities.
+
+If you have other cybersecurity related questions, please contact us at
+[csirc@hhs.gov.](mailto:csirc@hhs.gov).
diff --git a/variables.tf b/variables.tf
@@ -2,10 +2,6 @@ variable "cluster_name" {
   description = "Name of EKS cluster"
 }
 
-variable "account_id" {
-  description = "Account ID for the current AWS account"
-}
-
 variable "cluster_endpoint" {
   description = "Endpoint for EKS cluster"
 }
@@ -50,11 +46,6 @@ variable "imagerepo" {
   default     = "602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/aws-efs-csi-driver"
 }
 
-variable "efsid" {
-  description = "EFS filesystem ID"
-  default     = ""
-}
-
 variable "helm_name" {
   description = "Name for Helm release"
   default     = "aws-efs-csi-driver"