Merge pull request #1 from tjtharrison/initial-commit

feat: Initial module commit

.github/dependabot.yaml

@@ -0,0 +1,25 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    ignore:
+      - dependency-name: "*"
+        update-types: [
+          "version-update:semver-patch"
+        ]
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
+    ignore:
+    - dependency-name: "*"
+      update-types: [
+        "version-update:semver-patch"
+      ]

.github/workflows/main-release.yaml

@@ -0,0 +1,56 @@
+name: Module release
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  issues: write
+  contents: write
+  pull-requests: write
+
+jobs:
+  generate-matrix:
+    name: Generate matrix
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.get-matrix.outputs.matrix }}
+    steps:
+      - name: Get matrix
+        id: get-matrix
+        uses: hellofresh/action-changed-files@v3
+        with:
+          pattern: modules/(?P<module>[^/]+)
+  release-module:
+    needs: generate-matrix
+    name: Release
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
+    if: ${{ fromJson(needs.generate-matrix.outputs.matrix).include[0] }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Setup Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: 'lts/*'
+      - name: Setup Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.10'
+      - name: Install dependencies
+        run: |
+          cd modules/${{ matrix.module }}
+          python3 "${GITHUB_WORKSPACE}"/scripts/prep_module.py
+          npm install
+      - name: Release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          cd modules/${{ matrix.module }}
+          # shellcheck disable=SC2016
+          npx semantic-release -t ${{ matrix.module }}/'${version}'

.github/workflows/pr-actionlint.yaml

@@ -0,0 +1,23 @@
+name: Action Linting
+on:
+  pull_request:
+    branches:
+      - "main"
+    paths:
+      - ".github/workflows/**"
+
+permissions: read-all
+
+jobs:
+  actionlint:
+    name: Action Linting
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Download actionlint
+        id: get_actionlint
+        run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+        shell: bash
+      - name: Check workflow files
+        run: ${{ steps.get_actionlint.outputs.executable }} -color
+        shell: bash

.github/workflows/pr-checkov.yaml

@@ -0,0 +1,22 @@
+name: Checkov
+on:
+  pull_request:
+    branches:
+      - "main"
+
+permissions: read-all
+
+jobs:
+  checkov-job:
+    runs-on: ubuntu-latest
+    name: checkov-action
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@master
+
+      - name: Run Checkov action
+        id: checkov
+        uses: bridgecrewio/[email protected]
+        with:
+          directory: .
+          skip_check: CKV_OPENAPI_5,CKV_OPENAPI_4 # Demo swagger file

.github/workflows/pr-terraform-docs.yaml

@@ -0,0 +1,40 @@
+name: Tf Docs
+on:
+  pull_request:
+    branches:
+      - "main"
+
+permissions:
+  contents: write
+
+jobs:
+  generate-matrix:
+    name: Generate matrix
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.get-matrix.outputs.matrix }}
+    steps:
+      - name: Get matrix
+        id: get-matrix
+        uses: hellofresh/action-changed-files@v3
+        with:
+          pattern: modules/(?P<module>[^/]+)
+  write-docs:
+    runs-on: ubuntu-latest
+    needs: generate-matrix
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
+    if: ${{ fromJson(needs.generate-matrix.outputs.matrix).include[0] }}
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+      - name: Render terraform docs inside the README.md and push changes back to PR branch
+        uses: terraform-docs/[email protected]
+        with:
+          working-dir: modules/${{ matrix.module }}
+          output-file: README.md
+          output-method: inject
+          git-push: "true"
+          git-commit-message: "docs: update README.md with terraform-docs"

.gitignore

@@ -0,0 +1 @@
+.idea

README.md

@@ -1,2 +1,4 @@
 # demo-multiple-terraform-modules
 Demo repository containing multiple Terraform modules
+
+Used for an article on [Medium](https://tjtharrison.medium.com)

modules/ec2/README.md

@@ -0,0 +1,36 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_instance.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
+| [aws_security_group.allow_ssh](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_vpc.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_my_ip"></a> [my\_ip](#input\_my\_ip) | The IP address to allow SSH access from | `string` | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | The name of the instance | `string` | `"my-terraform-instance"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_public_ip"></a> [public\_ip](#output\_public\_ip) | n/a |
+<!-- END_TF_DOCS -->

modules/ec2/main.tf

@@ -0,0 +1,39 @@
+# aws_instance terraform resource
+resource "aws_instance" "example" {
+  #checkov:skip=CKV2_AWS_41: "This is a test instance, role not required"
+  #checkov:skip=CKV_AWS_126: "This is a test instance, detailed monitoring not required"
+  ami           = "ami-0786f5bc3943ad52d"
+  instance_type = "t2.micro"
+  tags = {
+    Name = var.name
+  }
+  security_groups = [aws_security_group.allow_ssh.name]
+  ebs_optimized   = true
+  root_block_device {
+    encrypted = true
+  }
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens   = "required"
+  }
+}
+
+# Lookup default vpc
+data "aws_vpc" "default" {
+  default = true
+}
+
+# Add security group
+resource "aws_security_group" "allow_ssh" {
+  name        = "allow_ssh"
+  description = "Allow SSH inbound traffic"
+  vpc_id      = data.aws_vpc.default.id
+
+  ingress {
+    description = "SSH from everywhere"
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = [var.my_ip]
+  }
+}

modules/ec2/outputs.tf

@@ -0,0 +1,3 @@
+output "public_ip" {
+  value = aws_instance.example.public_ip
+}

modules/ec2/package.json

@@ -0,0 +1,4 @@
+{
+  "name": "tjth-ec2-instance",
+  "description": "A terraform module for creating an ec2 instance"
+}

modules/ec2/variables.tf

@@ -0,0 +1,10 @@
+variable "name" {
+  description = "The name of the instance"
+  default     = "my-terraform-instance"
+  type        = string
+}
+
+variable "my_ip" {
+  description = "The IP address to allow SSH access from"
+  type        = string
+}

modules/s3/README.md

@@ -0,0 +1,46 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_s3_bucket.access_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket_logging.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
+| [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_versioning.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_access_logging"></a> [access\_logging](#input\_access\_logging) | Whether or not to enable access logging on the bucket | `bool` | `true` | no |
+| <a name="input_access_logging_bucket"></a> [access\_logging\_bucket](#input\_access\_logging\_bucket) | Destination for access logging | `string` | `""` | no |
+| <a name="input_block_public_acls"></a> [block\_public\_acls](#input\_block\_public\_acls) | Enable public acl block | `bool` | `true` | no |
+| <a name="input_block_public_policy"></a> [block\_public\_policy](#input\_block\_public\_policy) | Enable block\_public\_policy | `bool` | `true` | no |
+| <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | The name to be assigned to bucket and resources | `any` | n/a | yes |
+| <a name="input_bucket_public_acl"></a> [bucket\_public\_acl](#input\_bucket\_public\_acl) | Whether or not bucket should have a publicly accessible ACL | `string` | `"private"` | no |
+| <a name="input_enable_versioning"></a> [enable\_versioning](#input\_enable\_versioning) | Whether or not to enable object versioning | `bool` | `true` | no |
+| <a name="input_ignore_public_acls"></a> [ignore\_public\_acls](#input\_ignore\_public\_acls) | Enable ignore\_public\_acls | `bool` | `true` | no |
+| <a name="input_restrict_public_buckets"></a> [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | Enable restrict\_public\_buckets | `bool` | `true` | no |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

modules/s3/bucket.tf

@@ -0,0 +1,16 @@
+resource "aws_s3_bucket" "this" {
+  #checkov:skip=CKV2_AWS_61: "This is a demo bucket"
+  #checkov:skip=CKV2_AWS_62: "This is a demo bucket"
+  #checkov:skip=CKV_AWS_144: "This is a demo bucket"
+  #checkov:skip=CKV_AWS_145: "This is a demo bucket"
+  #checkov:skip=CKV_AWS_21: "This is a demo bucket"
+  #checkov:skip=CKV2_AWS_6: "This is a demo bucket"
+  bucket = var.bucket_name
+}
+
+resource "aws_s3_bucket_versioning" "this" {
+  bucket = aws_s3_bucket.this.id
+  versioning_configuration {
+    status = var.enable_versioning ? "Enabled" : "Disabled"
+  }
+}

modules/s3/bucket_logging.tf

@@ -0,0 +1,19 @@
+resource "aws_s3_bucket_logging" "example" {
+  count  = var.access_logging ? 1 : 0
+  bucket = aws_s3_bucket.this.id
+
+  # If bucket specified, otherwise use created
+  target_bucket = var.access_logging_bucket == null ? aws_s3_bucket.access_logs[0].id : var.access_logging_bucket
+  target_prefix = "log/${var.bucket_name}"
+}
+
+resource "aws_s3_bucket" "access_logs" {
+  #checkov:skip=CKV2_AWS_61: "This is a demo bucket"
+  #checkov:skip=CKV2_AWS_62: "This is a demo bucket"
+  #checkov:skip=CKV_AWS_144: "This is a demo bucket"
+  #checkov:skip=CKV_AWS_145: "This is a demo bucket"
+  #checkov:skip=CKV_AWS_21: "This is a demo bucket"
+  #checkov:skip=CKV2_AWS_6: "This is a demo bucket"
+  count  = var.access_logging ? var.access_logging_bucket == null ? 1 : 0 : 0
+  bucket = var.access_logging_bucket
+}

modules/s3/bucket_policy.tf

@@ -0,0 +1,14 @@
+resource "aws_s3_bucket_policy" "this" {
+  bucket = aws_s3_bucket.this.id
+  policy = jsonencode({
+    Statement = [
+      merge({
+        Actions   = "*"
+        Effect    = "Allow"
+        Principal = "*"
+        Resource  = "*"
+      })
+    ]
+    Version = "2012-10-17"
+  })
+}