Add Github action to lint terraform code

.github/workflows/lint.yml

@@ -0,0 +1,37 @@
+name: Lint
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+
+jobs:
+  tflint:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        component: [core, data_services, fcrepo, solrcloud]
+
+    steps:
+    - uses: actions/checkout@v2
+      name: Checkout source code
+
+    - uses: actions/cache@v2
+      name: Cache plugin dir
+      with:
+        path: ~/.tflint.d/plugins
+        key: tflint-${{ hashFiles('.tflint.hcl') }}
+
+    - uses: terraform-linters/setup-tflint@v1
+      name: Setup tflint
+
+    - name: Show version
+      run: tflint --version
+
+    - name: Lint ${{ matrix.component }} component
+      run: |
+        terraform init -backend=false -input=false
+        tflint -c ../.tflint.hcl --init
+        tflint -c ../.tflint.hcl -f compact
+      working-directory: ./${{ matrix.component }}

.gitignore

@@ -1,3 +1,3 @@
-.terraform
+**/.terraform
 *.tfstate
 *.tfvars

.tflint.hcl

@@ -0,0 +1,20 @@
+config {
+  module = true
+}
+
+plugin "aws" {
+  enabled = true
+  version = "0.7.1"
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+}
+
+rule "aws_resource_missing_tags" {
+  enabled   = true
+  tags      = ["Component", "Environment", "Git", "Project"]
+}
+
+rule "terraform_module_pinned_source" {
+  enabled             = false
+  style               = "flexible"
+  default_branches    = ["master"]
+}

core/vpc.tf

@@ -1,5 +1,6 @@
 module "vpc" {
-  source = "terraform-aws-modules/vpc/aws"
+  source    = "terraform-aws-modules/vpc/aws"
+  version   = "3.7.0"
 
   name = "${local.namespace}-vpc"
   cidr = var.cidr_block
@@ -65,7 +66,8 @@ resource "aws_security_group" "internal_http" {
 }
 
 module "endpoints" {
-  source = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
+  source    = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
+  version   = "3.7.0"
 
   vpc_id             = module.vpc.vpc_id
   security_group_ids = [module.vpc.default_security_group_id, aws_security_group.endpoint_access.id]

data_services/elasticsearch.tf

@@ -1,5 +1,6 @@
 resource "aws_security_group" "elasticsearch" {
   name   = "${local.namespace}-elasticsearch"
+  tags   = local.tags
 }
 
 resource "aws_security_group_rule" "elasticsearch_egress" {
@@ -127,6 +128,7 @@ data "aws_iam_policy_document" "elasticsearch_read_access" {
 resource "aws_iam_policy" "elasticsearch_read_access" {
   name   = "${local.namespace}-elasticsearch-read"
   policy = data.aws_iam_policy_document.elasticsearch_read_access.json
+  tags   = local.tags
 }
 
 data "aws_iam_policy_document" "elasticsearch_full_access" {
@@ -143,4 +145,5 @@ data "aws_iam_policy_document" "elasticsearch_full_access" {
 resource "aws_iam_policy" "elasticsearch_full_access" {
   name   = "${local.namespace}-elasticsearch-full"
   policy = data.aws_iam_policy_document.elasticsearch_full_access.json
+  tags   = local.tags
 }

data_services/postgres.tf

@@ -10,6 +10,7 @@ resource "aws_security_group" "db" {
   name          = "${local.namespace}-db"
   description   = "RDS Security Group"
   vpc_id        = module.core.outputs.vpc.id
+  tags          = local.tags
 }
 
 resource "aws_security_group_rule" "db_egress" {
@@ -34,6 +35,7 @@ resource "aws_security_group" "db_client" {
   name          = "${local.namespace}-db-client"
   description   = "RDS Client Security Group"
   vpc_id        = module.core.outputs.vpc.id
+  tags          = local.tags
 }
 
 resource "aws_db_subnet_group" "db_subnet_group" {
@@ -43,9 +45,10 @@ resource "aws_db_subnet_group" "db_subnet_group" {
 }
 
 resource "aws_db_parameter_group" "db_parameter_group" {
-  name_prefix = "${local.namespace}-db-"
-  family = "postgres${element(split(".", var.postgres_version), 0)}"
-
+  name_prefix   = "${local.namespace}-db-"
+  family        = "postgres${element(split(".", var.postgres_version), 0)}"
+  tags          = local.tags
+
   parameter {
     name = "client_encoding"
     value = "UTF8"

data_services/redis.tf

@@ -40,7 +40,6 @@ resource "aws_elasticache_cluster" "redis" {
   node_type            = "cache.t2.small"
   num_cache_nodes      = 1
   engine_version       = "5.0.3"
-  parameter_group_name = "default.redis5.0"
   security_group_ids   = [aws_security_group.redis_service.id]
   subnet_group_name    = aws_elasticache_subnet_group.redis.name
   tags                 = local.tags

fcrepo/main.tf

@@ -78,6 +78,7 @@ resource "aws_s3_bucket" "fedora_binary_bucket" {
 resource "aws_iam_user" "fedora_binary_bucket_user" {
   name = "${local.namespace}-fcrepo"
   path = "/system/"
+  tags = local.tags
 }
 
 resource "aws_iam_access_key" "fedora_binary_bucket_access_key" {
@@ -118,6 +119,7 @@ data "aws_iam_policy_document" "fedora_binary_bucket_access" {
 resource "aws_iam_policy" "fedora_binary_bucket_policy" {
   name   = "${local.namespace}-fcrepo-s3-bucket-access"
   policy = data.aws_iam_policy_document.fedora_binary_bucket_access.json
+  tags   = local.tags
 }
 
 resource "aws_iam_user_policy_attachment" "fedora_binary_bucket_user_access" {
@@ -249,6 +251,8 @@ resource "aws_service_discovery_service" "fcrepo" {
 
     routing_policy = "MULTIVALUE"
   }
+
+  tags = local.tags
 }
 
 resource "aws_ecs_service" "fcrepo" {

solrcloud/solr.tf

@@ -156,6 +156,8 @@ resource "aws_service_discovery_service" "solr" {
 
     routing_policy = "MULTIVALUE"
   }
+
+  tags = local.tags
 }
 
 resource "aws_ecs_service" "solr" {

solrcloud/zookeeper.tf

@@ -135,6 +135,8 @@ resource "aws_service_discovery_service" "zookeeper" {
 
     routing_policy = "MULTIVALUE"
   }
+
+  tags = local.tags
 }
 
 resource "aws_ecs_service" "zookeeper" {