
# Simple Template Terraform


This repo is a simple Terraform template that fast-tracks the creation of new Terraform repositories. It contains pre-populated configuration files for the tooling below and a set of `.tf` files that almost every project needs. It is especially helpful when creating Terraform modules.

There are some sample providers, input variables and outputs in order to properly exhibit the documentation generation.

README file is autogenerated using terraform-docs!

## Support

If you like my work, please consider supporting it!


Cheers!

## Dependencies

| Purpose | Name | Reference |
|---|---|---|
| Documentation | terraform-docs | https://github.com/terraform-docs/terraform-docs |
| Code Formatting | terraform fmt | https://www.terraform.io/docs/commands/fmt.html |
| Validation | terraform validate | https://www.terraform.io/docs/commands/validate.html |
| Linting | tflint | https://github.com/terraform-linters/tflint |
| Security | tfsec | https://github.com/tfsec/tfsec, https://www.tfsec.dev/docs/home/ |
| Static code analysis | checkov | https://github.com/bridgecrewio/checkov |

## Makefile

### Targets

In order to speed up your work, there are a number of Makefile targets. You can see the list by executing `make` or `make help`.

```console
$ make help
help:  Show this help
init:  Initializes the Terraform configuration
fmt:  Formats the Terraform configuration
validate:  Validates the Terraform configuration
docs:  Generates the documentation. Creates a README.md file
lint:  Runs the dockerized version of tflint
security:  Runs the dockerized version of tfsec
checkov:  Runs the dockerized version of checkov
```

Every target runs a dockerized version of its tool, so none of the dependencies need to be installed on your local machine. You only need Docker!

### Variables

Below, you can see the variables you can pass to the Makefile and their default values.

```makefile
DOCKER_TF_VERSION      ?= latest
DOCKER_TFLINT_VERSION  ?= latest
DOCKER_TFSEC_VERSION   ?= latest
DOCKER_TFDOCS_VERSION  ?= latest
DOCKER_CHECKOV_VERSION ?= latest
OPTIONS                ?=        # The options to be passed to the executed command
```

### Examples

#### fmt

```hcl
resource "aws_instance" "foo" {
  ami = "ami-0ff8a91507f77f867"
  instance_type = "t1.2xlarge" # invalid type!
}
```

```console
$ OPTIONS="--diff" make fmt
data/main.tf
--- old/data/main.tf
+++ new/data/main.tf
@@ -1,4 +1,4 @@
 resource "aws_instance" "foo" {
-  ami = "ami-0ff8a91507f77f867"
+  ami           = "ami-0ff8a91507f77f867"
   instance_type = "t1.2xlarge" # invalid type!
 }
```

Passing `--diff` to the `fmt` target through `OPTIONS` makes it also print the difference that `terraform fmt` applied.

#### tflint

You can configure the behavior in the `.tflint.hcl` configuration file.

```hcl
resource "aws_instance" "foo" {
  ami           = "ami-0ff8a91507f77f867"
  instance_type = "t1.2xlarge" # invalid type! This is going to make the tflint complain!
}

resource "aws_instance" "web" {
  ami                  = "ami-b73b63a0"
  instance_type        = "t1.micro" # previous instance type!
  iam_instance_profile = "app-service"

  tags {
    Name = "HelloWorld"
  }
}
```

```console
$ make lint
2 issue(s) found:

Error: "t1.2xlarge" is an invalid value as instance_type (aws_instance_invalid_type)

  on main.tf line 9:
   9:   instance_type = "t1.2xlarge" # invalid type! This is going to make the tflint complain!

Warning: "t1.micro" is previous generation instance type. (aws_instance_previous_type)

  on main.tf line 14:
  14:   instance_type        = "t1.micro" # previous instance type!

Reference: https://github.com/terraform-linters/tflint/blob/v0.20.2/docs/rules/aws_instance_previous_type.md

make: *** [Makefile:29: lint] Error 3
```

#### tfsec

```hcl
resource "aws_security_group_rule" "my-rule" {
  type        = "ingress"
  cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS006
}
```

```console
$ make security
1 potential problems detected:

Problem 1

  [AWS018][ERROR] Resource 'aws_security_group_rule.my-rule' should include a description for auditing purposes.
  /data/main.tf:21-24

      18 |     Name = "HelloWorld"
      19 |   }
      20 | }
      21 | resource "aws_security_group_rule" "my-rule" {
      22 |   type        = "ingress"
      23 |   cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS006
      24 | }

  See https://github.com/liamg/tfsec/wiki/AWS018 for more information.

make: *** [Makefile:32: security] Error 1
```

#### checkov

Checkov is a static code analysis tool for infrastructure-as-code.

It scans cloud infrastructure provisioned using Terraform, CloudFormation, Kubernetes, Serverless or ARM templates and detects security and compliance misconfigurations.

```hcl
resource "aws_s3_bucket" "foo-bucket" {
  region        = "us-east-1"
  bucket        = "test"
  force_destroy = true
  acl           = "public-read"
}
```

```console
Check: CKV_AWS_20: "S3 Bucket has an ACL defined which allows public READ access."
        FAILED for resource: aws_s3_bucket.foo-bucket
        File: /main.tf:7-12
        Guide: https://docs.bridgecrew.io/docs/s3_1-acl-read-permissions-everyone

                7  | resource "aws_s3_bucket" "foo-bucket" {
                8  |   region        = "us-east-1"
                9  |   bucket        = "test"
                10 |   force_destroy = true
                11 |   acl           = "public-read"
                12 | }
```
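Both the tfsec and the checkov findings above are best fixed in the configuration rather than suppressed. The following is an added example and not code from the template repo: the tfsec finding (AWS018) disappears once the rule carries a `description`, and narrowing `cidr_blocks` to a specific range removes the reason for the `#tfsec:ignore:AWS006` annotation that was hiding the open-ingress check; the checkov finding (CKV_AWS_20) disappears with a private ACL, and the public access block keeps a later edit from reopening the bucket. The security group reference, the ports and the RFC 5737 documentation CIDR are assumed values; the `acl` and `region` arguments follow the same provider style as the page's own snippet.

```hcl
# Added example, not part of the template repo: hardened versions of the two
# resources flagged above. Ports, CIDR and the security group reference are
# constructed for illustration.

resource "aws_security_group_rule" "my-rule" {
  type              = "ingress"
  description       = "HTTPS from the office range only" # satisfies tfsec AWS018
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["203.0.113.0/24"]           # RFC 5737 documentation range, stands in for your real source range;
                                                   # no 0.0.0.0/0, so the #tfsec:ignore:AWS006 annotation is no longer needed
  security_group_id = aws_security_group.web.id    # assumed: the group is defined elsewhere
}

resource "aws_s3_bucket" "foo-bucket" {
  region        = "us-east-1"
  bucket        = "test"
  force_destroy = true
  acl           = "private" # CKV_AWS_20 looks for a public-read ACL; private passes
}

# Prevent a later change from re-adding a public ACL or bucket policy.
resource "aws_s3_bucket_public_access_block" "foo-bucket" {
  bucket                  = aws_s3_bucket.foo-bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

Re-running `make security` and `make checkov` against this version should report no findings for these two resources; if you do need to keep an ignore annotation, the `description` is also the natural place to record why the exception exists, which is what AWS018's "for auditing purposes" is about.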

#### terraform-docs

You can configure the behavior in the `.terraform-docs.yml` configuration file. Just empty the contents of this file and you are good to go!

## Automation

You can use all of the above Makefile targets as pre-commit hooks. The only dependency is the `pre-commit` tool. You can also install it so that the hooks run automatically on every `git commit`. The configuration file is here.

## Terraform documentation