Merge branch 'main' into dependabot/github_actions/clowdhaus/terrafor…
…m-composite-actions-1.11.1
lifeofguenter authored Nov 6, 2024
2 parents 337242c + e226924 commit 3f947f0
Showing 5 changed files with 50 additions and 11 deletions.
1 change: 1 addition & 0 deletions .github/workflows/pre-commit.yml
Expand Up @@ -52,4 +52,5 @@ jobs:
uses: clowdhaus/terraform-composite-actions/[email protected]
with:
terraform-version: ${{ matrix.version }}
terraform-docs-version: v0.19.0
args: "--all-files --color always --show-diff-on-failure"
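Review bot: The `uses:` line in this hunk references clowdhaus/terraform-composite-actions by a release tag (1.11.1 according to the branch name), and a tag can be repointed upstream after this was reviewed. Pin the action to the full commit SHA and keep the version as a trailing comment; Dependabot still updates SHA-pinned actions. It would also help to add a comment next to `terraform-docs-version: v0.19.0` saying that the generated README in this commit depends on it, so local runs use the same version and do not produce spurious diffs.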
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
Expand Up @@ -2,7 +2,7 @@

repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform.git
rev: v1.81.0
rev: v1.96.2
hooks:
- id: terraform_fmt
- id: terraform_validate
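Review bot: `rev: v1.96.2` is a tag, and the hooks from this repository execute on every contributor machine and in CI, so a moved tag would change what runs without any change in this file. Consider pinning to the commit hash with the tag as a comment (`pre-commit autoupdate --freeze` writes it in that form). The jump from v1.81.0 also changes the terraform-docs markers in README.md, which is worth stating in the commit message so the README churn is not read as a manual edit.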
15 changes: 8 additions & 7 deletions README.md
Expand Up @@ -42,7 +42,7 @@ module "service" {
}
```

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
<!-- BEGIN_TF_DOCS -->
## Requirements

| Name | Version |
Expand All @@ -54,7 +54,7 @@ module "service" {
| Name | Version |
|------|---------|
| <a name="provider_docker"></a> [docker](#provider\_docker) | 3.0.2 |
| <a name="provider_time"></a> [time](#provider\_time) | 0.12.0 |
| <a name="provider_time"></a> [time](#provider\_time) | 0.12.1 |

## Resources

Expand All @@ -79,7 +79,8 @@ module "service" {
| <a name="input_deregistration_delay"></a> [deregistration\_delay](#input\_deregistration\_delay) | Amount of seconds to wait for open connections to drain before stopping the container. | `number` | `60` | no |
| <a name="input_entrypoint"></a> [entrypoint](#input\_entrypoint) | The command to use as the Entrypoint for the container. | `list(string)` | `[]` | no |
| <a name="input_environment"></a> [environment](#input\_environment) | The environment variables to pass to a container. | `map(string)` | `{}` | no |
| <a name="input_healthcheck"></a> [healthcheck](#input\_healthcheck) | The container health check command and associated configuration parameters for the container. | <pre>object({<br> command = list(string)<br> interval = optional(number, 30)<br> timeout = optional(number, 30)<br> start_period = optional(number, 0)<br> retries = optional(number, 3)<br> })</pre> | `null` | no |
| <a name="input_header_sts"></a> [header\_sts](#input\_header\_sts) | Add the Strict-Transport-Security header to the response. | <pre>object({<br/> seconds = optional(number, 0)<br/> include_subdomains = optional(bool, false)<br/> preload = optional(bool, false)<br/> })</pre> | `null` | no |
| <a name="input_healthcheck"></a> [healthcheck](#input\_healthcheck) | The container health check command and associated configuration parameters for the container. | <pre>object({<br/> command = list(string)<br/> interval = optional(number, 30)<br/> timeout = optional(number, 30)<br/> start_period = optional(number, 0)<br/> retries = optional(number, 3)<br/> })</pre> | `null` | no |
| <a name="input_http_entrypoints"></a> [http\_entrypoints](#input\_http\_entrypoints) | List of HTTP entrypoints. | `list(string)` | `[]` | no |
| <a name="input_http_middlewares"></a> [http\_middlewares](#input\_http\_middlewares) | List of HTTP middlewares. | `list(string)` | `[]` | no |
| <a name="input_https_entrypoints"></a> [https\_entrypoints](#input\_https\_entrypoints) | List of HTTPS entrypoints. | `list(string)` | `[]` | no |
Expand All @@ -88,21 +89,21 @@ module "service" {
| <a name="input_labels"></a> [labels](#input\_labels) | Additional lables to set. | `map(string)` | `{}` | no |
| <a name="input_listener_rule"></a> [listener\_rule](#input\_listener\_rule) | Sets the routing rule. | `string` | n/a | yes |
| <a name="input_memory"></a> [memory](#input\_memory) | The amount (in MiB) of memory to present to the container. | `number` | n/a | yes |
| <a name="input_mounts"></a> [mounts](#input\_mounts) | List for mounts to be added to containers created as part of the service. | <pre>list(object({<br> type = string<br> target = string<br> source = optional(string, null)<br> read_only = optional(bool, false)<br> }))</pre> | `[]` | no |
| <a name="input_mounts"></a> [mounts](#input\_mounts) | List for mounts to be added to containers created as part of the service. | <pre>list(object({<br/> type = string<br/> target = string<br/> source = optional(string, null)<br/> read_only = optional(bool, false)<br/> }))</pre> | `[]` | no |
| <a name="input_name"></a> [name](#input\_name) | The name of the service. | `string` | n/a | yes |
| <a name="input_publish"></a> [publish](#input\_publish) | List of ports to publish. | <pre>list(object({<br> internal = number<br> external = number<br> ip = optional(string, null)<br> protocol = optional(string, "tcp")<br> }))</pre> | `[]` | no |
| <a name="input_publish"></a> [publish](#input\_publish) | List of ports to publish. | <pre>list(object({<br/> internal = number<br/> external = number<br/> ip = optional(string, null)<br/> protocol = optional(string, "tcp")<br/> }))</pre> | `[]` | no |
| <a name="input_revision"></a> [revision](#input\_revision) | Revision number of this service. | `number` | n/a | yes |
| <a name="input_service_network"></a> [service\_network](#input\_service\_network) | Name of the service docker network. | `string` | `null` | no |
| <a name="input_traefik_network"></a> [traefik\_network](#input\_traefik\_network) | Name of the Traefik docker network. | `string` | `null` | no |
| <a name="input_volumes"></a> [volumes](#input\_volumes) | List for mounting volumes in the container. | <pre>list(object({<br> container_path = optional(string, null)<br> from_container = optional(string, null)<br> host_path = optional(string, null)<br> read_only = optional(bool, false)<br> volume_name = optional(string, null)<br> }))</pre> | `[]` | no |
| <a name="input_volumes"></a> [volumes](#input\_volumes) | List for mounting volumes in the container. | <pre>list(object({<br/> container_path = optional(string, null)<br/> from_container = optional(string, null)<br/> host_path = optional(string, null)<br/> read_only = optional(bool, false)<br/> volume_name = optional(string, null)<br/> }))</pre> | `[]` | no |

## Outputs

| Name | Description |
|------|-------------|
| <a name="output_docker_image_id"></a> [docker\_image\_id](#output\_docker\_image\_id) | The ID of the image. |
| <a name="output_docker_image_name"></a> [docker\_image\_name](#output\_docker\_image\_name) | The name of the Docker image. |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
<!-- END_TF_DOCS -->

## Contribute
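Review bot: The `labels` row in this hunk still reads "Additional lables to set."; because the table is generated, correct the spelling in the variable's description in variables.tf and regenerate, rather than editing README.md directly.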

33 changes: 30 additions & 3 deletions service.tf
Expand Up @@ -9,10 +9,12 @@ locals {
sans_alts = length(var.cert_sans) > 1 ? join(",", slice(var.cert_sans, 1, length(var.cert_sans))) : ""

basicauth_name = format("%s_basicauth_%s", local.router_name, var.revision)
basicauth_middleware = length(var.basic_auth_users) > 0 ? "${local.basicauth_name}@docker" : ""
middleware_basicauth = length(var.basic_auth_users) > 0 ? "${local.basicauth_name}@docker" : ""

http_middlewares = compact(concat(var.http_middlewares, [local.basicauth_middleware]))
https_middlewares = compact(concat(var.https_middlewares, [local.basicauth_middleware]))
middleware_sts = var.header_sts != null ? "sts@docker" : ""

http_middlewares = compact(concat(var.http_middlewares, [local.middleware_basicauth], [local.middleware_sts]))
https_middlewares = compact(concat(var.https_middlewares, [local.middleware_basicauth], [local.middleware_sts]))
}

resource "docker_container" "main" {
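Review bot: `middleware_sts` resolves to the fixed name `sts@docker`, unlike `basicauth_name`, which is built from `local.router_name` and `var.revision`. Every service deployed from this module with `header_sts` set will define a middleware called `sts` in the same Docker provider namespace, so two services with different `seconds`, `include_subdomains` or `preload` values will declare conflicting definitions under one name. Build the name the same way as `basicauth_name` and reuse that local in the label keys. Separately, the middleware is appended to `http_middlewares` as well as `https_middlewares`; browsers ignore Strict-Transport-Security received over plain HTTP, so attaching it to the HTTP routers adds nothing and can be dropped.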
Expand Down Expand Up @@ -178,6 +180,31 @@ resource "docker_container" "main" {
}
}

### Headers: sts ###
dynamic "labels" {
for_each = var.header_sts != null ? [1] : []
content {
label = "traefik.http.middlewares.sts.headers.stsSeconds"
value = var.header_sts.seconds
}
}

dynamic "labels" {
for_each = var.header_sts != null ? [1] : []
content {
label = "traefik.http.middlewares.sts.headers.stsIncludeSubdomains"
value = var.header_sts.include_subdomains
}
}

dynamic "labels" {
for_each = var.header_sts != null ? [1] : []
content {
label = "traefik.http.middlewares.sts.headers.stsPreload"
value = var.header_sts.preload
}
}

### Additional labels ###
dynamic "labels" {
for_each = var.labels
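Review bot: The three `dynamic "labels"` blocks repeat the same `for_each = var.header_sts != null ? [1] : []` guard and each hard-code the middleware name in the key (`traefik.http.middlewares.sts.headers...`), which has to stay in step by hand with `local.middleware_sts` in the locals block. A single dynamic block iterating over a local map of label key to value, with the middleware name taken from one local, would remove the duplication and keep the name consistent if it changes.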
10 changes: 10 additions & 0 deletions variables.tf
Expand Up @@ -170,3 +170,13 @@ variable "publish" {
}))
default = []
}

variable "header_sts" {
description = "Add the Strict-Transport-Security header to the response."
type = object({
seconds = optional(number, 0)
include_subdomains = optional(bool, false)
preload = optional(bool, false)
})
default = null
}
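Review bot: `seconds = optional(number, 0)` means `header_sts = {}` enables the middleware with `stsSeconds` set to 0, and Traefik does not emit the Strict-Transport-Security header when that value is 0, so a caller can believe HSTS is on while no header is sent. Make `seconds` a required attribute or add a `validation` block that rejects values below 1. The same block could check that `preload = true` is only accepted together with `include_subdomains = true` and a `seconds` value of at least 31536000, which are the preload list's requirements. The description should also state the unit and that the default of `null` leaves the header off.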
