diff --git a/.github/workflows/pr-title.yaml b/.github/workflows/pr-title.yaml
index 07d4722..115bd8d 100644
--- a/.github/workflows/pr-title.yaml
+++ b/.github/workflows/pr-title.yaml
@@ -22,6 +22,7 @@ jobs:
 docs
 ci
 chore
+ refactor
 requireScope: false
 # Configure additional validation for the subject based on a regex.
 # This example ensures the subject doesn't start with an uppercase character.
diff --git a/.github/workflows/static-analysis.yaml b/.github/workflows/static-analysis.yaml
deleted file mode 100644
index 524719e..0000000
--- a/.github/workflows/static-analysis.yaml
+++ /dev/null
@@ -1,98 +0,0 @@
-name: static analysis
-
-on:
- pull_request:
- branches:
- - main
- push:
- branches:
- - main
-
-permissions:
- contents: read
- pull-requests: write
-
-jobs:
- fmt:
- runs-on: ubuntu-latest
- strategy:
- matrix:
- terraform: [ 1.5.7, latest ]
- steps:
- - uses: actions/checkout@v5
-
- - uses: hashicorp/setup-terraform@v3
- with:
- terraform_version: ${{ matrix.terraform }}
-
- - run: make fmt
-
- validate:
- runs-on: ubuntu-latest
- strategy:
- matrix:
- terraform: [ 1.5.7, latest ]
- steps:
- - uses: actions/checkout@v5
-
- - uses: hashicorp/setup-terraform@v3
- with:
- terraform_version: ${{ matrix.terraform }}
-
- - run: make validate
-
- tflint:
- runs-on: ubuntu-latest
- strategy:
- matrix:
- terraform: [ 1.5.7, latest ]
- steps:
- - uses: actions/checkout@v5
-
- - uses: actions/cache@v4
- with:
- path: ~/.tflint.d/plugins
- key: ${{ matrix.os }}-tflint-${{ hashFiles('.tflint.hcl') }}
-
- - uses: hashicorp/setup-terraform@v3
- with:
- terraform_version: ${{ matrix.terraform }}
-
- - uses: terraform-linters/setup-tflint@v5
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
-
- - run: make tflint
-
- trivy:
- runs-on: ubuntu-latest
- strategy:
- matrix:
- terraform: [ 1.5.7, latest ]
- steps:
- - uses: actions/checkout@v5
-
- - name: config
- run: |
- cat >> ./trivy.yaml << EOF
- # see https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/ for reference
- exit-code: 1
- exit-on-eol: 1
- misconfiguration:
- terraform:
- exclude-downloaded-modules: true
- severity:
- - HIGH
- - CRITICAL
- scan:
- skip-dirs:
- - "**/.terraform/**/*"
- EOF
-
- cat ./trivy.yaml
-
- - uses: aquasecurity/trivy-action@0.33.1
- with:
- scan-type: 'config'
- hide-progress: false
- trivy-config: trivy.yaml
diff --git a/.github/workflows/static-checks.yaml b/.github/workflows/static-checks.yaml
new file mode 100644
index 0000000..38d17b0
--- /dev/null
+++ b/.github/workflows/static-checks.yaml
@@ -0,0 +1,58 @@
+name: static checks
+
+on:
+ pull_request:
+ branches:
+ - main
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: read
+ pull-requests: write
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+jobs:
+ terraformVersions:
+ name: get min/max Terraform versions
+ runs-on: ubuntu-latest
+ outputs:
+ minVersion: ${{ steps.minMax.outputs.minVersion }}
+ maxVersion: ${{ steps.minMax.outputs.maxVersion }}
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v5
+
+ - name: Get Terraform version
+ uses: clowdhaus/terraform-min-max@04440fe3b2a1e64eb5ad115f8f7c57c4d6a54333 #v1.4.1
+ id: minMax
+ with:
+ directory: .
+
+ pre_commit:
+ name: pre-commit
+ needs: terraformVersions
+ runs-on: ubuntu-latest
+
+ strategy:
+ matrix:
+ version:
+ - ${{ needs.terraformVersions.outputs.minVersion }}
+ - ${{ needs.terraformVersions.outputs.maxVersion }}
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v5
+
+ - name: pre-commit ${{ matrix.version }}
+ uses: clowdhaus/terraform-composite-actions/pre-commit@26118b78561fb44052ce9ab6c5ab850df70b9aa0 #v1.13.0
+ with:
+ terraform-version: ${{ matrix.version }}
+ install-trivy: true
+ trivy-version: '0.67.0'
+ args: '--all-files --color always --show-diff-on-failure --verbose'
diff --git a/.gitignore b/.gitignore
index 6bb093d..4de82a6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,8 @@
 .terraform*
 terraform.tfstate
 terraform.tfstate.backup
+**/*.zip
 bin/
 .idea
-lambda.zip
+**/.DS_Store
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 3c2b08e..6a7dfd2 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
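Review bot: `pull-requests: write` under `permissions:` is broader than the visible steps need — checkout, terraform-min-max and the pre-commit composite action only read the repository, and nothing in the new workflow comments on or labels a pull request. Unless the composite action is known to post to the PR (not visible here), reduce the grant to `permissions:` / `  contents: read`, and if a later step does need it, scope it to that job rather than the whole workflow. Separately, `actions/checkout@v5` is pinned by tag in both jobs while the two clowdhaus actions are pinned by commit SHA with a version comment; pinning every third-party action the same way keeps the supply-chain posture consistent and easier to audit.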
@@ -1,16 +1,16 @@
 repos:
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.100.0
+ rev: v1.101.0
 hooks:
 - id: terraform_fmt
 - id: terraform_validate
 args: ['--envs=AWS_REGION="eu-west-1"']
 - id: terraform_tflint
+ args:
+ - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
 - id: terraform_trivy
 args:
- - --args=--tf-exclude-downloaded-modules
- - --args=--skip-dirs "**/.terraform/**/*"
- - --args=--severity=HIGH,CRITICAL
+ - --args=--config=__GIT_WORKING_DIR__/trivy.yaml
 - id: terraform_docs
 args:
 - '--args=--lockfile=false'
diff --git a/Makefile b/Makefile
index 4f8c583..8da32d2 100644
--- a/Makefile
+++ b/Makefile
@@ -11,7 +11,6 @@ MAJOR := $(word 1,$(VERSION_PARTS))
 MINOR := $(word 2,$(VERSION_PARTS))
 PATCH := $(word 3,$(VERSION_PARTS))
 
-BUMP ?= patch
 ifeq ($(BUMP), major)
 NEXT_VERSION := $(shell echo $$(($(MAJOR)+1)).0.0)
 else ifeq ($(BUMP), minor)
@@ -21,51 +20,17 @@ NEXT_VERSION := $(shell echo $(MAJOR).$(MINOR).$$(($(PATCH)+1)))
 endif
 NEXT_TAG := v$(NEXT_VERSION)
 
-STACKS = $(shell find . -not -path "*/\.*" -iname "*.tf" | sed -E "s|/[^/]+$$||" | sort --unique)
-ROOT_DIR := $(shell pwd)
-
-all: fmt validate tflint trivy
-
-.PHONY: fmt
-fmt: ## Rewrites Terraform files to canonical format
- @echo "+ $@"
- @terraform fmt -check=true -recursive
-
-.PHONY: validate
-validate: ## Validates the Terraform files
- @echo "+ $@"
- @for s in $(STACKS); do \
- echo "validating $$s"; \
- terraform -chdir=$$s init -backend=false > /dev/null; \
- terraform -chdir=$$s validate || exit 1 ;\
- done;
-
-.PHONY: tflint
-tflint: ## Runs tflint on all Terraform files
+.PHONY: check
+check: ## Runs pre-commit hooks against all files
 @echo "+ $@"
- @tflint --init
- @for s in $(STACKS); do \
- echo "tflint $$s"; \
- terraform -chdir=$$s init -backend=false > /dev/null; \
- tflint -chdir=$$s -f compact --config $(ROOT_DIR)/.tflint.hcl || exit 1; \
- done;
-
-trivy: ## Runs trivy on all Terraform files
- @echo "+ $@"
- @trivy config --exit-code 1 --severity HIGH --tf-exclude-downloaded-modules .
-
-.PHONY: providers
-providers: ## Upgrades all providers and platform independent dependency locks (slow)
- @echo "+ $@"
- @for s in $(STACKS) ; do \
- echo upgrading: $$s ;\
- terraform -chdir=$$s init -upgrade=true -backend=false > /dev/null; \
- terraform -chdir=$$s providers lock -platform=darwin_amd64 -platform=darwin_arm64 -platform=linux_amd64 ;\
- done
+ @command -v pre-commit >/dev/null 2>&1 || { \
+ echo "pre-commit not installed. Install via 'pip install pre-commit' or 'brew install pre-commit'."; \
+ exit 1; \
+ }
+ @pre-commit run --all-files
 
 .PHONY: bump-version
-BUMP ?= patch
-bump-version: ## Bumps the version of this module. Set BUMP to [ patch | major | minor ].
+bump-version: check-bump ## Bumps the version of this module. Set BUMP to [ major | minor | patch ].
 @echo bumping version from $(VERSION_TAG) to $(NEXT_TAG)
 @echo "Updating links in README.md"
 @sed -i '' s/$(subst v,,$(VERSION))/$(subst v,,$(NEXT_VERSION))/g README.md
@@ -81,6 +46,20 @@ check-git-branch: check-git-clean
 git fetch --all --tags --prune
 git checkout main
 
+.PHONY: check-bump
+check-bump:
+ @echo "+ $@"
+ @if [ -z "$(BUMP)" ]; then \
+ echo "Error: BUMP variable must be specified for release."; \
+ echo "Usage: make release BUMP=major|minor|patch"; \
+ exit 1; \
+ fi
+ @if [ "$(BUMP)" != "major" ] && [ "$(BUMP)" != "minor" ] && [ "$(BUMP)" != "patch" ]; then \
+ echo "Error: BUMP must be one of: major, minor, patch"; \
+ echo "Usage: make release BUMP=major|minor|patch"; \
+ exit 1; \
+ fi
+
 release: check-git-branch bump-version ## Releases a new module version
 @echo "+ $@"
 git add README.md
diff --git a/README.md b/README.md
index fe5d663..587cb7b 100644
--- a/README.md
+++ b/README.md
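Review bot: `release: check-git-branch bump-version` reaches the new `check-bump` only through `bump-version` (previous hunk), i.e. after `check-git-branch`, which per the context lines above already runs `git fetch --all --tags --prune` and `git checkout main`; so an unset or invalid `BUMP` is reported only after the working tree has been switched to `main` (in a non-parallel make). Run the cheap validation first: `release: check-bump check-git-branch bump-version ## Releases a new module version`. `check-bump` is also the only target in this hunk without a `##` help comment; `check-bump: ## Validates that BUMP is one of major, minor or patch` matches the others. The `release` recipe continues outside the hunk.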
@@ -1,6 +1,6 @@
 # AWS Lambda Terraform module
 
-![](https://github.com/moritzzimmer/terraform-aws-lambda/workflows/static%20analysis/badge.svg) [![Terraform Module Registry](https://img.shields.io/badge/Terraform%20Module%20Registry-8.4.0-blue.svg)](https://registry.terraform.io/modules/moritzzimmer/lambda/aws/8.4.0) ![Terraform Version](https://img.shields.io/badge/Terraform-0.12+-green.svg) [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+![](https://github.com/moritzzimmer/terraform-aws-lambda/workflows/static%20checks/badge.svg) [![Terraform Module Registry](https://img.shields.io/badge/Terraform%20Module%20Registry-8.4.0-blue.svg)](https://registry.terraform.io/modules/moritzzimmer/lambda/aws/8.4.0) ![Terraform Version](https://img.shields.io/badge/Terraform-1.5.7+-green.svg) [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 
 Terraform module to create AWS [Lambda](https://www.terraform.io/docs/providers/aws/r/lambda_function.html) and accompanying resources for an efficient and secure
 development of Lambda functions like:
@@ -17,8 +17,7 @@ development of Lambda functions like:
 - inline declaration of [SNS Topic Subscriptions](https://www.terraform.io/docs/providers/aws/r/sns_topic_subscription.html) including required [Lambda permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) (see [example](examples/with-sns-subscriptions))
 - inline declaration of [CloudWatch Event Rules](https://www.terraform.io/docs/providers/aws/r/cloudwatch_event_rule.html) including required [Lambda permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) (see [example](examples/with-cloudwatch-event-rules))
 - IAM permissions for read access to parameters from [AWS Systems Manager Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-paramstore.html)
-- [CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html) Log group configuration including retention time and [subscription filters](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html) with required permissions
-to stream logs to other Lambda functions (e.g. forwarding logs to Elasticsearch)
+- [CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html) Logs configuration like retention time or [subscription filters](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html) with all required IAM permissions (see [example](examples/cloudwatch-logs))
 - Lambda@Edge support fulfilling [requirements for CloudFront triggers](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-requirements-limits.html#lambda-requirements-cloudfront-triggers). Functions need to be deployed to US East (N.
Virginia) region (`us-east-1`)
 - configuration for [Amazon CloudWatch Lambda Insights](https://docs.aws.amazon.com/lambda/latest/dg/monitoring-insights.html) including required
@@ -346,8 +345,8 @@ see [examples](examples/deployment) for details.
 - [complete](examples/complete)
 - [container-image](examples/container-image)
 - [deployment](examples/deployment)
+- [cloudwatch-logs](examples/cloudwatch-logs)
 - [with-cloudwatch-event-rules](examples/with-cloudwatch-event-rules)
-- [with-cloudwatch-logs-subscription](examples/cloudwatch-logs)
 - [with-event-source-mappings](examples/with-event-source-mappings)
 - [with-sns-subscriptions](examples/with-sns-subscriptions)
 - [with-vpc](examples/with-vpc)
diff --git a/trivy.yaml b/trivy.yaml
new file mode 100644
index 0000000..c075b60
--- /dev/null
+++ b/trivy.yaml
@@ -0,0 +1,16 @@
+# see https://trivy.dev/latest/docs/references/configuration/config-file/
+
+exit-code: 1
+exit-on-eol: 1
+
+misconfiguration:
+ terraform:
+ exclude-downloaded-modules: true
+
+severity:
+ - HIGH
+ - CRITICAL
+
+scan:
+ skip-dirs:
+ - "**/.terraform/**/*"
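Review bot: trivy.yaml carries no explanation beyond the reference URL, yet it now replaces the inline hook arguments removed in the `.pre-commit-config.yaml` hunk (`--args=--config=__GIT_WORKING_DIR__/trivy.yaml`), so the deliberate choices deserve one-line why-comments: above `exit-code: 1` something like `# fail the hook on any finding at or above the severities listed below`, and above `severity:` `# MEDIUM and lower findings are filtered out and never fail the scan` — if that is indeed the intent. `exit-on-eol: 1` appears to be an OS end-of-life option that would have no effect on a Terraform config scan; if so, drop it or comment why it is kept.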