diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..04ac7c1
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,10 @@
+# Lines starting with '#' are comments.
+# Each line is a file pattern followed by one or more owners.
+
+# Order is important. The last matching pattern has the most precedence.
+# So if a pull request only matches a later pattern, only those later code
+# owners will be requested for a review.
+# Add language specific code owners if it becomes relevant
+
+# All PRs must be approved by a member of infra
+* @deandreJones @cameroncaci @josiahzimmerman-caci
diff --git a/.github/workflows/fmt_and_validate.yml b/.github/workflows/fmt_and_validate.yml
new file mode 100644
index 0000000..c746c51
--- /dev/null
+++ b/.github/workflows/fmt_and_validate.yml
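Review bot: The comment `# All PRs must be approved by a member of infra` is only true if the branch-protection rule has "Require review from Code Owners" enabled; without that setting a CODEOWNERS entry merely auto-requests reviewers, so either verify the repository setting or soften the comment to `# Code owners are auto-requested on every PR; approval is enforced by branch protection`. The `*` rule names three individual logins rather than a team handle, whereas the autoupdate workflow in this same commit requests the `Truss-InfraSec` team; ownership tied to individuals breaks silently when an account leaves the organisation, so a team handle in the `@org/team` form is the more durable choice.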
@@ -0,0 +1,74 @@
+name: Automatic Docs Generation, Formatting, Validation, and Pre-commit
+
+on:
+ pull_request:
+
+jobs:
+ docs_fmt_validation_pre_commit:
+ name: docs_fmt_validation_pre_commit
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+
+ - name: Render Terraform Docs inside README.md and push changes back to PR branch
+ env:
+ GH_TOKEN: ${{ secrets.ROBOT_MYMOVE_TOKEN }}
+ uses: terraform-docs/gh-actions@v1.0.0
+ with:
+ working-dir: .
+ fail-on-diff: true
+ template: |-
+
+ {{ .Content }}
+
+
+ - name: Run Terraform fmt
+ uses: dflook/terraform-fmt-check@v1
+
+ - name: Spell check
+ if: ${{ github.actor != 'robot-mymove' && github.event.issue.user.login != 'dependabot[bot]' }}
+ uses: rojopolis/spellcheck-github-actions@0.30.0
+
+ - name: Validate JSON
+ if: ${{ github.actor != 'robot-mymove' && github.event.issue.user.login != 'dependabot[bot]' }}
+ uses: limitusus/json-syntax-check@v2
+ with:
+ pattern: "\\.json$"
+
+ - name: Run YAML lint
+ if: ${{ github.actor != 'robot-mymove' && github.event.issue.user.login != 'dependabot[bot]' }}
+ uses: karancode/yamllint-github-action@v2.1.1
+ with:
+ yamllint_config_datapath: yamllint-config.yml
+
+ - name: Run tfsec
+ if: ${{ github.actor != 'robot-mymove' && github.event.issue.user.login != 'dependabot[bot]' }}
+ uses: aquasecurity/tfsec-action@v1.0.0
+ with:
+ additional_args: --exclude-downloaded-modules --no-module-downloads
+
+ - name: Set up Python for pre-commit
+ uses: actions/setup-python@v3
+ with:
+ python-version: 3.9
+
+ - uses: actions/cache@v3
+ with:
+ path: ${{ env.pythonLocation }}
+ key: ${{ env.pythonLocation }}-pip-pre-commit-2.20.0
+
+ - uses: actions/cache@v3
+ with:
+ path: ~/.cache/pre-commit
+ key: ${{ runner.os }}-pre-commit-${{ hashFiles('**/.pre-commit-config.yaml') }}
+
+ - name: Run pre-commit
+ env:
+ SKIP: terraform_docs,terraform_fmt,terraform_tfsec
+ run: |
+ pip install pre-commit==2.20.0
+ pre-commit run --all-files
diff --git a/.github/workflows/pre-commit-autoupdate.yml b/.github/workflows/pre-commit-autoupdate.yml
new file mode 100644
index 0000000..96c4341
--- /dev/null
+++ b/.github/workflows/pre-commit-autoupdate.yml
@@ -0,0 +1,39 @@
+name: pre-commit auto-update
+
+on:
+ schedule:
+ - cron: '0 0 * * *'
+
+jobs:
+ auto-update:
+ runs-on: ubuntu-20.04
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ token: ${{ secrets.ROBOT_MYMOVE_TOKEN }}
+ - name: install python
+ uses: actions/setup-python@v2
+ with:
+ python-version: 3.x
+ - name: install pre-commit
+ run: pip install pre-commit
+ - name: run pre-commit autoupdate
+ run: pre-commit autoupdate
+ - name: set up Git
+ env:
+ GITHUB_TOKEN: ${{ secrets.ROBOT_MYMOVE_TOKEN }}
+ GITHUB_ACTOR_NAME: "robot-mymove"
+ GITHUB_ACTOR_EMAIL: "milmovesysadmins@caci.com"
+ run: |
+ git config --global user.name "${GITHUB_ACTOR_NAME}"
+ git config --global user.email "${GITHUB_ACTOR_EMAIL}"
+ - name: create pull request
+ uses: peter-evans/create-pull-request@v3
+ with:
+ token: ${{ secrets.ROBOT_MYMOVE_TOKEN }}
+ branch: update/pre-commit-autoupdate
+ title: update pre-commit hooks
+ commit-message: update pre-commit hooks
+ body: update pre-commit hooks
+ labels: dependencies
+ team-reviewers: Truss-InfraSec
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
deleted file mode 100644
index 705a013..0000000
--- a/.github/workflows/validate.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-name: validate-tf
-on:
- push:
- branches:
- - main
- pull_request:
- branches:
- - main
-
-jobs:
- validate-tf:
- uses: trussworks/shared-actions/.github/workflows/validate-tf.yml@main
diff --git a/.markdownlintrc b/.markdownlintrc
index 83eb43d..c4c0182 100644
--- a/.markdownlintrc
+++ b/.markdownlintrc
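Review bot: The `if:` guards on the Spell check, Validate JSON, YAML lint and tfsec steps test `github.event.issue.user.login`, but this workflow only runs on `pull_request`, whose event payload has no `issue` object, so that clause is always true and the intended Dependabot skip never takes effect; use `github.event.pull_request.user.login != 'dependabot[bot]'` instead. The terraform-docs step is handed `GH_TOKEN: ${{ secrets.ROBOT_MYMOVE_TOKEN }}` even though, with `fail-on-diff: true` and no `git-push: true`, it does not push anything back, so the `env:` block exposes a PAT to a tag-pinned third-party action on every PR for no benefit and should be removed (the step name "push changes back to PR branch" is then also misleading). `ref: ${{ github.event.pull_request.head.ref }}` checks out the branch tip at run time rather than the commit under review and will not resolve in this repository for PRs from forks; since nothing is pushed, the default merge ref (drop `ref:`) or `head.sha` is the safer choice. Every `uses:` here is pinned to a mutable tag (`@v3`, `@v1.0.0`, `@0.30.0`); pinning to full commit SHAs is the usual supply-chain hardening for a workflow that executes on every pull request.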
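Review bot: The `set up Git` step exports `GITHUB_TOKEN: ${{ secrets.ROBOT_MYMOVE_TOKEN }}` but only runs two `git config` commands that never read it; delete that `env` entry so the PAT is present only in the checkout and create-pull-request steps that actually need it. `run: pip install pre-commit` is unpinned while `fmt_and_validate.yml` in this same commit pins `pre-commit==2.20.0`, so the scheduled job can run a different pre-commit release than the one that validates the PR it opens; use `run: pip install pre-commit==2.20.0` to keep the two in step. `pre-commit autoupdate` bumps every hook `rev` to the latest upstream tag, which is mutable third-party code executed on developer machines, so the generated PR should be treated as a dependency upgrade and actually reviewed — `team-reviewers: Truss-InfraSec` requests that review but only branch protection enforces it. `actions/checkout@v2`, `actions/setup-python@v2` and `runs-on: ubuntu-20.04` are older generations than the `@v3`/`ubuntu-latest` used in the sibling workflow and, as far as I can tell, are deprecated or retired by GitHub; aligning them avoids the job breaking on a runner or Node runtime removal.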
@@ -4,5 +4,13 @@
 "first-line-h1": false,
 "line_length": false,
 "no-multiple-blanks": false,
- "no-inline-html": false
-}
+ "MD024": {
+ "siblings_only": true
+ },
+ "MD014": false,
+ "MD033": false,
+ "MD046": {
+ "style": "fenced"
+ },
+ "single-trailing-newline": false
+}
\ No newline at end of file
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index bfd87bb..7706052 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,16 @@
 repos:
+
+ - repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.90.0
+ hooks:
+ - id: terraform_docs
+ - id: terraform_fmt
+ - id: terraform_tfsec
+ args:
+ - --args=--exclude-downloaded-modules --no-module-downloads
+
+ - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v4.4.0
+ rev: v4.6.0
 hooks:
 - id: check-json
 - id: check-merge-conflict
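Review bot: `terraform_tfsec` is invoked with `--exclude-downloaded-modules --no-module-downloads`, so resources declared inside remote or registry modules are never scanned by the local hook, and the CI tfsec step in `fmt_and_validate.yml` passes the same `additional_args`, so at present nothing in this pipeline scans module contents at all; if that is intentional, say so above the hook, e.g. `# remote modules are not scanned locally or in CI; tfsec covers root-module resources only`, otherwise drop the flags from one of the two. The `rev:` values (`v1.90.0`, `v4.6.0`) are git tags, which upstream can move; pre-commit also accepts a full commit SHA in `rev` if immutability matters for hooks that run on every developer commit. tfsec has been folded into Trivy upstream and, as far as I recall, recent pre-commit-terraform releases ship a `terraform_trivy` hook and mark `terraform_tfsec` as deprecated — worth confirming against v1.90.0 before standardising on it.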
@@ -9,32 +19,38 @@ repos:
 - id: pretty-format-json
 args:
 - --autofix
+ exclude: >
+ (?x)^(
+ package-lock.json|
+ )
 - id: trailing-whitespace
- - id: check-symlinks
- - id: end-of-file-fixer
- - id: mixed-line-ending
-
- - repo: https://github.com/executablebooks/mdformat
- rev: 0.7.16
- hooks:
- - id: mdformat
- additional_dependencies:
- - mdformat-gfm
- - mdformat-toc
- # mdformat fights with terraform_docs
- exclude: README.m(ark)?d(own)?
 - repo: https://github.com/igorshubovych/markdownlint-cli
- rev: v0.33.0
+ rev: v0.40.0
 hooks:
 - id: markdownlint
+ entry: markdownlint --ignore .github/*.md
 - repo: https://github.com/detailyang/pre-commit-shell
 rev: 1.0.5
 hooks:
 - id: shell-lint
- - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.77.1
+ - repo: https://github.com/trussworks/pre-commit-hooks
+ rev: v1.1.1
 hooks:
- - id: terraform_fmt
+ - id: circleci-validate
+ - id: markdown-toc
+ - id: mdspell
+ exclude: >
+ (?x)^(
+ .terraform/|
+ )
+
+ - repo: local
+ hooks:
+ - id: spelling-sort
+ name: sort spelling doc
+ entry: /usr/bin/sort -u -o .spelling .spelling
+ language: script
+ pass_filenames: false
\ No newline at end of file
diff --git a/.spellcheck.yml b/.spellcheck.yml
new file mode 100644
index 0000000..ec6cb71
--- /dev/null
+++ b/.spellcheck.yml
@@ -0,0 +1,11 @@
+matrix:
+- name: Markdown
+ aspell:
+ lang: en
+ dictionary:
+ wordlists:
+ - .spelling
+ encoding: utf-8
+ sources:
+ - '**/*.md'
+ default_encoding: utf-8
\ No newline at end of file
diff --git a/.spelling b/.spelling
new file mode 100644
index 0000000..72d257f
--- /dev/null
+++ b/.spelling
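Review bot: Both new `exclude:` patterns end in an empty alternative — after `>` folding and the `(?x)` flag they are `^(package-lock.json|)` and `^(.terraform/|)` — and an empty branch anchored at `^` matches every path, so `pretty-format-json` and `mdspell` are now excluded from every file and silently never run. Drop the trailing `|` and escape the dots: `exclude: ^package-lock\.json$` on pretty-format-json and `exclude: ^\.terraform/` on mdspell. The local `spelling-sort` hook declares `language: script` with an absolute `/usr/bin/sort` entry; pre-commit documents `script` for scripts committed in the repository and `system` for executables already on the machine, so `language: system` is the conventional form here. `sort -u` without a fixed locale orders differently across developer machines and will generate spurious `.spelling` churn; `entry: env LC_ALL=C sort -u -o .spelling .spelling` makes the ordering deterministic.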
@@ -0,0 +1,427 @@ +-PT1H +1Password +3pm +7bapp-client-tls-experimental +7d +858s +ADR-0005 +ADRs +AMIs +ARN +ARNs +AWS_PROFILE +Analyzer +BCAP +Balancers +Bixal +BucketsPublicAccess +C10.T5. +C3.T5 +CAA +CIDR +Chatbot +CircleCI +ClamAV +CloudFront +CloudTrail +CloudWatch +Cloudflare +Cloudwatch +Config +ConfigItem +CopyDBClusterSnapshot +CopyDBSnapshot +Cron +DB_PASSWORD +Darendranauth +DenyCreatingIAMUsers +DenyDeletingCloudwatchLogs +DenyDeletingKMSKeys +DenyDeletingRoute +DenyIncorrectEncryptionHeader +DenyLeavingOrgs +DenyRootAccount +DenyS +DenyUnEncryptedObjectUploads +DeployCount +Devlocal +DoD +DynamoDB +EIP +EIPs +Fargate +Golang +GovCloud +GuardDuty +HAProxy +HashiCorp +HostedZoneId +HostedZoneIds +IAM +IASAE +IAT +IPs +ISPs +ISSM +ISSO +InstanceTypes +Iyer +JIRA +KMS +Keychain +LICENSE.txt +LimitEC +LimitRegions +Linters +LockID +MFA +Makefile +Mangan +Metadata +MigrationCount +MilMove +Mishorich +ModifyDBSnapshot +ModifyDBSnapshotAttribute +Move.mil. +MyMove +MySQL +NGINX +NIPRNet +NPM +OU +OUs +Offboard +Offboarding +Onboard +Onboarding +OpenID +Openid +OrganizationAccountAccessRole +POCs +PagerDuty +Pingdom +PoLP +PostgreSQL +Postgres +Pre-set +ProtectIAMRoles +ProtectS +QEADA-D +README.md +Route53 +RuleGroupId +Runbooks +SCP +SCPs +SNS +SPs +SaaS +Sawh +SegementIO's +SegmentIO +Sev-1 +Sev-2 +Sev-3 +Sev-4 +Switts +TEH-C-C +TF +Tajalli +Terraform +Tetro +Tomica +Trussel +U.S. 
+URI +URIs +USTRANSCOM +Uptime +Urciuoli +Vishal +WAFs +Waksmunski +WebACL +YOUR_ROLE +YOUR_USER_NAME +YYYY-MM-DD +adc +admin-global +admin.move.mil +amazonaws +amazontrust +analyze +api +api.move.mil +app-devlocal +app-prod +arn +arns +assets.move.mil +atlantis-global +aws +aws-app-environment +aws-vault +awscli +awslogs +awstrust +az +ba +backend +balancer +bashrc +bb +bbd +bc +bcd +bcef +bde +behaviour +bool +bootstrapper +br +brainsik +caa +ccd +cd +cert +chrisgilmerproj +cidr +circleci +circleci-honeycomb +circleci-milmove-orders +circleci-mymove +cloudfront +cloudposse +cloudwatch +codebase +config +cpu +cron +css +ctrl-c +db_password +ddl +dev +devlocal +diagrams.net +direnv +dmarcian.com +dns +dns.tf +dod +dodm +dp +dp3-bat-team +dp3-engineering +dp3.us +dps +dps.move.mil +draw.io +dropdown +dynamike +e.g. +eb +ec +ecr +ecs +edis +ef +eg +eia +eip +eipalloc +elasticache +env +environment.go +envrc +esd +eval +exp +experimental.move.mil +expirations +failover +failover_us_east_1 +fargate +fb +fce +fd +ffe +fi +filename +find-guardduty-user +flipt +gb +generate-devlocal-cert +gex +gex.move.mil +ghc +github +glb +greyed +hangops +hashicorp +hcl +hoc +hostname +hostnames +html +http +https +i.e. +iam +iam.tf +infrasec +instages +integrations +io +ip +ips +ipset +issuances +jdoe +jdoe.org-root +json +k.o. 
+keypair +kms +lifecycle +linters +loadtest +login.gov +macOS +macOS's +main.go +main.tf +markdown-toc +md +mdspell +milmove +misconfiguration +move.mil +mtls +my.move.mil +mymove +mymove#217 +namespace +nat +nat-app-experimental +nat-app-prod +nat-app-staging +nat-orders-experimental +netcat +nipr +niprnet +nlb +nlbs +nonato +notif +offboard +offboarding +office.experimental.move.mil +office.move.mil +ok +onboard +onboarding +opensource +orders.move.mil +orgs +otel +ou +ous +pagerduty +pagerduty-global +pdf +pg_hba.conf +pgaudit +pingdom +pjdufour-truss +png +postgres +postgresql +ppp +prd +pre +pre-announcement +pre-commit +prereqs +priv +privs +psql +rds +re-architecting +readme +redis +repo +repos +requestor +roadmap +rollout +runbook +runbooks +runtime +ryan_lane +s3 +s3-private-bucket +scp +ses +sftp +sg +sid +snd +sns +ssm +stacktrace +staging.move.mil +statefile +stdin +stdout +stg +subdomain +subdomains +subnet +subnets +svg +tcp +telemetery +terraform +terraform.tfstate +tf +timestamp +tls +toc +tocstop +transcom +transcom-com-legacy +transcom-com-org-root +transcom-infrasec-com +transcom-infrasec-gov +transcom-infrasec-gov-nonato +transcom-ppp +transcom-ppp-third-party-artifacts +trdm +truss-aws-tools +trussel +trussworks +txt +uncomment +uncommented +unencrypted +unmerged +upsidetravel +uptime +url +urls +ustranscom +versioned +vpc +waf +wafregional +wafv +webhook +whitelisted +whitelisting +whitespace +whs +www +x509 diff --git a/README.md b/README.md index 6897f00..fb9434d 100644 --- a/README.md +++ b/README.md @@ -94,7 +94,7 @@ module "github_terraform_aws_ou_scp" { } ``` - + ## Requirements | Name | Version | 
@@ -128,6 +128,7 @@ No modules.
 | allowed\_ec2\_instance\_types | EC2 instances types allowed for use | `list(string)` | ```[ "" ]``` | no |
 | allowed\_regions | AWS Regions allowed for use (for use with the restrict regions SCP) | `list(string)` | ```[ "" ]``` | no |
 | deny\_all | If false, create a combined policy. If true, deny all access | `bool` | `false` | no |
+| deny\_creating\_iam\_only\_users | DenyCreatingIAMUsers Only in the OU policy. | `bool` | `false` | no |
 | deny\_creating\_iam\_users | DenyCreatingIAMUsers in the OU policy. | `bool` | `false` | no |
 | deny\_deleting\_cloudwatch\_logs | DenyDeletingCloudwatchLogs in the OU policy. | `bool` | `false` | no |
 | deny\_deleting\_kms\_keys | DenyDeletingKMSKeys in the OU policy. | `bool` | `false` | no |
@@ -149,7 +150,7 @@ No modules.
 ## Outputs
 No outputs.
-
+
 ## Developer Setup
@@ -158,4 +159,4 @@ Install dependencies (macOS)
 ```shell
 brew install pre-commit go terraform terraform-docs
 pre-commit install --install-hooks
-```
+```
\ No newline at end of file
diff --git a/main.tf b/main.tf
index a8e42d5..50df368 100644
--- a/main.tf
+++ b/main.tf
@@ -313,6 +313,11 @@ data "aws_iam_policy_document" "combined_policy_block" {
 variable = "s3:x-amz-server-side-encryption"
 values = ["AES256", "aws:kms"]
 }
+ condition {
+ test = "StringNotEqualsIfExists"
+ variable = "aws:PrincipalArn"
+ values = ["arn:aws-us-gov:iam::447641181206:role/transfer_usbank", "arn:aws-us-gov:iam::469892416004:role/transfer_usbank", "arn:aws-us-gov:iam::015681133840:role/transfer_usbank", "arn:aws-us-gov:iam::015932076428:role/transfer_usbank", "arn:aws-us-gov:iam::015533997236:role/transfer_usbank"]
+ }
 }
 }
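Review bot: The five `transfer_usbank` role ARNs, including their GovCloud account IDs, are hard-coded into the `combined_policy_block` policy document of what the README presents as a reusable module driven by `deny_*` variables, so every OU that instantiates the module inherits this specific exemption and widening or narrowing it requires editing the SCP source. Expose the list as a `list(string)` variable defaulting to `[]` (declared in the module's variables file, which is outside this hunk) and emit the condition only when it is non-empty — as far as I recall an empty `values` list renders as `"aws:PrincipalArn": []`, which IAM rejects — so the bypass is opt-in per OU and visible in each caller's configuration. A comment above the block should also record why these roles are allowed to upload objects without server-side encryption; the name hints at a bank file-transfer integration but nothing in the diff states it. `combined_policy_block` begins and ends outside this hunk.

```hcl
      # … unchanged: s3:x-amz-server-side-encryption condition …
      # Principals exempt from the SSE requirement (e.g. external file-transfer
      # roles). Emitted only when the caller supplies ARNs: an empty `values`
      # list is not a valid condition.
      dynamic "condition" {
        for_each = length(var.unencrypted_upload_exempt_principal_arns) > 0 ? [1] : []
        content {
          test     = "StringNotEqualsIfExists"
          variable = "aws:PrincipalArn"
          values   = var.unencrypted_upload_exempt_principal_arns
        }
      }
```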
@@ -328,6 +333,11 @@ data "aws_iam_policy_document" "combined_policy_block" {
 variable = "s3:x-amz-server-side-encryption"
 values = [true]
 }
+ condition {
+ test = "StringNotEqualsIfExists"
+ variable = "aws:PrincipalArn"
+ values = ["arn:aws-us-gov:iam::447641181206:role/transfer_usbank", "arn:aws-us-gov:iam::469892416004:role/transfer_usbank", "arn:aws-us-gov:iam::015681133840:role/transfer_usbank", "arn:aws-us-gov:iam::015932076428:role/transfer_usbank", "arn:aws-us-gov:iam::015533997236:role/transfer_usbank"]
+ }
 }
 }
 }
diff --git a/yamllint-config.yml b/yamllint-config.yml
new file mode 100644
index 0000000..4688db3
--- /dev/null
+++ b/yamllint-config.yml
@@ -0,0 +1,8 @@
+rules:
+ document-start:
+ present: false
+ indentation:
+ spaces: consistent
+ indent-sequences: whatever
+ empty-lines:
+ max: 1
\ No newline at end of file
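Review bot: This condition repeats the same five-ARN list that the previous statement in `combined_policy_block` carries, so the two SSE-enforcement statements will drift the first time one is edited without the other; hoist the list into a single `locals` entry (or a module variable) and reference it from both, e.g. `values = local.sse_exempt_principal_arns`. Because the exemption keys on `aws:PrincipalArn` alone, the `transfer_usbank` roles may now write unencrypted objects to any bucket in every account the SCP is attached to, not just the bucket that presumably serves the transfer; if that bucket is known, a separate statement whose `resources` names it keeps the rest of the OU under the deny, and either way a comment above the block should record the justification and the owner of the exception. `StringNotEqualsIfExists` still denies when `aws:PrincipalArn` is absent from the request context, which is the safe direction, so the semantics are fine — it is the breadth and the duplication that want attention. `combined_policy_block` continues outside this hunk.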
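Review bot: `document-start: present: false` does not merely stop requiring the `---` header — it makes any file that follows the common convention of starting with `---` a lint error, which is the opposite of what most YAML style guides recommend; `document-start: disable` expresses "don't care" without rejecting either form. The `truthy` rule is left at its default and will warn on the `on:` key of the two workflow files added in this commit (yamllint reads the key as a YAML 1.1 boolean); if those warnings are unwanted, add a `truthy:` rule with `check-keys: false`, assuming the yamllint version bundled by `karancode/yamllint-github-action@v2.1.1` supports that option. `indentation: spaces: consistent` with `indent-sequences: whatever` only requires each file to agree with itself, which is fine for a mixed codebase but worth stating in a comment so nobody tightens it to `2`/`true` without realising the existing files are mixed.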