diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 9736514..9ed5d6e 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -20,6 +20,10 @@ jobs:
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Trunk Check
 uses: trunk-io/trunk-action@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19
+ env:
+ # NOTE: inject the GITHUB_TOKEN for the trunk managed tflint linter
+ # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 conventional-title:
 runs-on: ubuntu-latest
diff --git a/.gitignore b/.gitignore
index 9636abe..0f95997 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,6 +16,7 @@
 # IDE/Editor settings
 **/.idea
 **/*.iml
+.cursor/
 .vscode/
 *.orig
 *.draft
@@ -43,4 +44,4 @@ backend.tf.json
 **/*.temp
 **/*.bak
 **/*.*swp
-**/.DS_Store
+**/.DS_Store
\ No newline at end of file
diff --git a/.trunk/configs/.tflint.hcl b/.trunk/configs/.tflint.hcl
new file mode 100644
index 0000000..f01f0f6
--- /dev/null
+++ b/.trunk/configs/.tflint.hcl
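Review bot: The step-level `env:` hands `secrets.GITHUB_TOKEN` to the trunk action, and that token carries whatever permissions the job has, but no `permissions:` block is visible in the hunk and the job definition starts outside it; since tflint only needs to download public plugin releases, confirm the job (or the workflow) sets `permissions: contents: read` so the token flowing into the plugin installer has no write scopes. Keeping `env:` scoped to this one step rather than the whole job is the right choice and should stay that way. The added comment could also name the failure it prevents so a reader does not have to follow the link, e.g. `# NOTE: GITHUB_TOKEN lets tflint --init fetch plugin releases from GitHub; unauthenticated requests are rate limited`.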
@@ -0,0 +1,42 @@
+plugin "terraform" {
+ enabled = true
+ preset = "all"
+}
+
+config {
+ format = "compact"
+
+ # Inspect vars passed into "module" blocks. eg, lint AMI value passed into ec2 module.
+ # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/calling-modules.md
+ call_module_type = "all"
+
+ # default values but keeping them here for clarity
+ disabled_by_default = false
+ force = false
+}
+
+# Installing tflint rulesets from Github requires setting a GITHUB_TOKEN
+# environment variable. Without it, you'll get an error like this:
+# $ tflint --init
+# Installing "aws" plugin...
+# Failed to install a plugin; Failed to fetch GitHub releases: GET https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/tags/v0.39.0: 401 Bad credentials []
+#
+# The solution is to provide a github PAT via a GITHUB_TOKEN env var,
+# export GITHUB_TOKEN=github_pat_120abc123def456ghi789jkl123mno456pqr789stu123vwx456yz789
+#
+# See docs for more info: https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+plugin "aws" {
+ enabled = true
+ version = "0.39.0"
+ source = "github.com/terraform-linters/tflint-ruleset-aws"
+ deep_check = false
+}
+
+# Allow variables to exist in more files than ONLY variables.tf
+# Example use cases where we prefer for variables to exist in context,
+# - context.tf (applicable to the null-label module)
+# - providers.tf (when passing in secret keys from SOPs - example, github provider)
+# https://github.com/terraform-linters/tflint-ruleset-terraform/blob/main/docs/rules/terraform_standard_module_structure.md
+rule "terraform_standard_module_structure" {
+ enabled = false
+}
\ No newline at end of file
diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml
index 35c1009..472353f 100644
--- a/.trunk/trunk.yaml
+++ b/.trunk/trunk.yaml
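Review bot: The `export GITHUB_TOKEN=github_pat_...` example in the comment above `plugin "aws"` is a credential-shaped string with the real fine-grained PAT prefix, which is exactly what secret detectors key on; with trufflehog in this repo's trunk linter set, the line is likely to raise a finding on the file that was just added, and it invites copy-pasting a realistic-looking token around. Replace it with an unmistakable placeholder such as `# export GITHUB_TOKEN=<github-token>` and keep the rest of the explanation. The comment also states that a PAT is required, while the CI side of this commit injects the job's ephemeral `secrets.GITHUB_TOKEN`; wording it as "a GitHub token (a PAT locally, `GITHUB_TOKEN` in Actions)" would match both paths. The file is also added without a trailing newline, which the formatters in the trunk set will likely rewrite on the next run.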
@@ -31,6 +31,13 @@ lint:
 - trivy@0.63.0
 - trufflehog@3.88.35
 - yamllint@1.37.1
+ # NOTE(tflint): specific override required so it uses .tflint.hcl file in .trunk/configs directory
+ # https://github.com/trunk-io/plugins/tree/main/linters/tflint
+ definitions:
+ - name: tflint
+ environment:
+ - name: TFLINT_CONFIG_FILE
+ value: ${workspace}/.trunk/configs/.tflint.hcl
 ignore:
 - linters: [tofu]
 paths:
diff --git a/README.md b/README.md
index 3542e60..9b45980 100644
--- a/README.md
+++ b/README.md
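Review bot: `value: ${workspace}/.trunk/configs/.tflint.hcl` is an unquoted templated scalar; it parses as a plain string today, but quoting templated values is the safer YAML habit because a change to the expansion or a leading indicator would silently change the type or break the parse, so prefer `value: "${workspace}/.trunk/configs/.tflint.hcl"`. The `NOTE(tflint)` comment says that an override is required but not why; a reader would be better served by `# tflint does not read config from .trunk/configs on its own; TFLINT_CONFIG_FILE points it at the trunk-managed copy`. The enclosing `lint:` mapping starts outside the hunk.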
@@ -8,7 +8,24 @@
 ## Purpose and Functionality
-This repository serves as a template for creating Terraform modules, providing a standardized structure and essential files for efficient module development. It's designed to ensure consistency and our best practices across Terraform projects.
+This repository serves as a template for creating Terraform modules, providing a standardized structure and essential files for efficient module development. It is designed to ensure consistency and promote our best practices across all Terraform projects.
+
+It comes pre-configured with Masterpoint's curation of open source tools, which our team uses to operate more effectively within Terraform and OpenTofu codebases.
+
+- [**aqua**](https://aquaproj.github.io/): Declarative CLI tool verison manager
+- **tofu + terraform test workflows**: For continuously testing our TF code
+- [**terraform-docs**](https://terraform-docs.io/): Easily add terraform docs to the README
+- [**trunk**](https://docs.trunk.io/references/cli/getting-started): Trunk CLI for managing code quality (linters + checks)
+ - **actionlint**: Linter for GitHub Actions workflows
+ - **checkov**: Infrastructure as Code (IaC) security scanner
+ - **git-diff-check**: Checks for issues in git diffs
+ - **markdownlint**: Linter for Markdown files
+ - **prettier**: Code formatter for consistent style
+ - **renovate**: Automated dependency updates
+ - **tflint**: Terraform linter for best practices and error detection
+ - **trivy**: Scans containers and artifacts for vulnerabilities
+ - **trufflehog**: Secret and sensitive data scanner
+ - **yamllint**: Linter for YAML files
 ## Usage
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index f9d23f1..89e3a7a 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -1 +1 @@
-# complete.tf
+# complete/main.tf
diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf
index f9d23f1..6fa8b90 100644
--- a/examples/complete/outputs.tf
+++ b/examples/complete/outputs.tf
@@ -1 +1 @@
-# complete.tf
+# complete/outputs.tf
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
index f9d23f1..75f690f 100644
--- a/examples/complete/variables.tf
+++ b/examples/complete/variables.tf
@@ -1 +1 @@
-# complete.tf
+# complete/variables.tf
diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf
new file mode 100644
index 0000000..5048e59
--- /dev/null
+++ b/examples/complete/versions.tf
@@ -0,0 +1,5 @@
+# complete/versions.tf
+
+terraform {
+ required_version = ">= 1.0.0"
+}