chore: pre-commit for static terraform checks (aws-solutions#195)

[skip ci]

.github/dependabot.yml

@@ -1,4 +1,5 @@
 version: 2
+
 updates:
   # Enable version updates for npm
   - package-ecosystem: "npm"
@@ -15,3 +16,10 @@ updates:
       interval: "weekly"
     reviewers:
       - "stroeer/teams/buzz-end"
+
+  - package-ecosystem: "terraform"
+    directory: "/source/image-handler/terraform"
+    schedule:
+      interval: "weekly"
+    reviewers:
+      - "stroeer/teams/buzz-end"

.github/workflows/pr.yml

@@ -2,6 +2,8 @@ name: pr
 
 on:
   pull_request:
+    paths-ignore:
+      - "**.tf"
 
 jobs:
   build:

.pre-commit-config.yaml

@@ -0,0 +1,21 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.77.0
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_validate
+        args:
+          - --init-args=-backend=false
+          - --init-args=-lockfile=readonly
+      - id: terraform_tflint
+        args:
+          - --args=--module
+      - id: terraform_tfsec
+        args:
+          - --args=--minimum-severity HIGH --exclude-downloaded-modules
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.3.0
+    hooks:
+      - id: check-merge-conflict

Makefile

@@ -2,6 +2,7 @@ SERVICE := image-handler
 TF_VAR_region ?= eu-west-1
 TF_VAR_app_suffix ?=
 MODE ?= plan
+DO_TF_UPGRADE ?= false
 
 ACCOUNT 			= $(eval ACCOUNT := $(shell aws --output text sts get-caller-identity --query "Account"))$(ACCOUNT)
 VERSION 			= $(eval VERSION := $$(shell git rev-parse --short HEAD))$(VERSION)
@@ -27,8 +28,10 @@ build ::
 export TF_VAR_region
 export TF_VAR_app_suffix
 tf ::
-	terraform -chdir=$(WORK_DIR)/terraform/ init -reconfigure -upgrade=true $(TF_BACKEND_CFG)
-	terraform -chdir=$(WORK_DIR)/terraform/ $(MODE)
+	rm -f $(WORK_DIR)/terraform/.terraform/terraform.tfstate || true
+	if [ "true" == "$(DO_TF_UPGRADE)" ]; then terraform -chdir=$(WORK_DIR)/terraform providers lock -platform=darwin_amd64 -platform=linux_amd64; fi
+	terraform -chdir=$(WORK_DIR)/terraform init -reconfigure -upgrade=$(DO_TF_UPGRADE) $(TF_BACKEND_CFG)
+	terraform -chdir=$(WORK_DIR)/terraform $(MODE)
 
 invoke :: # invoke the running docker lambda by posting a sample API-GW-Event
 

source/image-handler/terraform/cross_account_access.tf

@@ -44,7 +44,7 @@ resource "aws_iam_policy" "s3_org_access" {
     Version = "2012-10-17"
     Statement = [
       {
-        Action   = ["s3:*Object"]
+        Action   = ["s3:*Object"] # FIXME (MaNa, buzz-end): can we restrict this to concrete actions?  https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
         Effect   = "Allow"
         Resource = "${aws_s3_bucket.images.arn}/${each.key}/*"
         Sid : "ImageWriteAssetsAccessTeam${replace(title(each.key), "-", "")}"

source/image-handler/terraform/data.tf

@@ -4,21 +4,11 @@ data "aws_caller_identity" "current" {}
 data "aws_lambda_function" "log_streaming" {
   function_name = "lambda-logs-to-opensearch"
 }
+
 data "aws_sns_topic" "notifications" {
   name = "codestar-notifications"
 }
 
-data "aws_route53_zone" "external" {
-  name = "stroeer.engineering"
-}
-data "aws_iam_role" "code_build" {
-  name = "codebuild_role"
-}
-
-data "aws_iam_role" "code_pipeline" {
-  name = "codepipeline_role"
-}
-
 data "aws_s3_bucket" "pipeline_artifacts" {
   bucket = "codepipeline-bucket-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}"
 }

source/image-handler/terraform/iam.tf

@@ -1,16 +1,19 @@
 data "aws_iam_policy_document" "rekognition" {
   statement {
-    actions   = [
+    actions = [
       "rekognition:DetectFaces"
     ]
     resources = [
       "*"
     ]
   }
+
   statement {
-    actions   = [
+    # FIXME (MaNa, buzz-end): can we restrict this to concrete actions?  https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
+    actions = [
       "s3:*"
     ]
+
     resources = [
       aws_s3_bucket.images.arn,
       "${aws_s3_bucket.images.arn}/*"

source/image-handler/terraform/main.tf

@@ -15,7 +15,7 @@ module "lambda" {
   description                        = "provider of cute kitty pics."
   function_name                      = local.function_name
   ignore_external_function_updates   = true
-  layers                             = [
+  layers = [
     "arn:aws:lambda:${data.aws_region.current.name}:580247275435:layer:LambdaInsightsExtension:16"
   ]
   memory_size       = 1024

source/image-handler/terraform/s3.tf

@@ -15,6 +15,7 @@ resource "aws_s3_bucket_versioning" "images" {
   }
 }
 
+#tfsec:ignore:aws-s3-encryption-customer-key
 resource "aws_s3_bucket_server_side_encryption_configuration" "images" {
   bucket = aws_s3_bucket.images.bucket
   rule {
@@ -38,10 +39,6 @@ resource "aws_s3_bucket_policy" "this" {
   policy = data.aws_iam_policy_document.deny_insecure_transport.json
 }
 
-data "aws_s3_bucket_policy" "this" {
-  bucket = aws_s3_bucket.images.id
-}
-
 data "aws_iam_policy_document" "deny_insecure_transport" {
   statement {
     sid    = "denyInsecureTransport"

source/image-handler/terraform/variables.tf

@@ -1,4 +1,6 @@
 variable "region" {
+  type = string
+
   validation {
     condition     = var.region == "eu-west-1"
     error_message = "Only Ireland region is currently supported."
@@ -7,4 +9,5 @@ variable "region" {
 
 variable "app_suffix" {
   description = "Deployment variant"
+  type        = string
 }