From 07cbb1a17b3066b0d34b7752c53c29418d5cac45 Mon Sep 17 00:00:00 2001 From: WestonPlatter Date: Thu, 22 May 2025 15:15:12 -0600 Subject: [PATCH 01/16] install tflint --- aqua.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/aqua.yaml b/aqua.yaml index 264e850..2ed96cf 100644 --- a/aqua.yaml +++ b/aqua.yaml @@ -15,3 +15,5 @@ packages: tags: [terraform] - name: opentofu/opentofu@v1.9.1 tags: [tofu] + - name: terraform-linters/tflint@v0.57.0 + tags: [tflint] From 1dbd0270e611a63f3d4bc64759f1c2db9570aadd Mon Sep 17 00:00:00 2001 From: WestonPlatter Date: Thu, 22 May 2025 15:41:22 -0600 Subject: [PATCH 02/16] ignore cursor --- .gitignore | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 9636abe..0f95997 100644 --- a/.gitignore +++ b/.gitignore @@ -16,6 +16,7 @@ # IDE/Editor settings **/.idea **/*.iml +.cursor/ .vscode/ *.orig *.draft @@ -43,4 +44,4 @@ backend.tf.json **/*.temp **/*.bak **/*.*swp -**/.DS_Store +**/.DS_Store \ No newline at end of file From 5c3df24e33f393e9389f4d6430c13a450bbd9aa7 Mon Sep 17 00:00:00 2001 From: WestonPlatter Date: Thu, 22 May 2025 16:41:31 -0600 Subject: [PATCH 03/16] feat(INT-83): setup tflint via trunk --- .github/workflows/lint.yaml | 4 +++ .trunk/configs/.tflint.hcl | 27 +++++++++++++++++ .trunk/trunk.yaml | 7 ++++- README.md | 54 ++++++++++++++++++++++++++++------ examples/complete/variables.tf | 3 ++ 5 files changed, 85 insertions(+), 10 deletions(-) create mode 100644 .trunk/configs/.tflint.hcl diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 2bbb389..e489cb7 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml 
@@ -20,6 +20,10 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Trunk Check uses: trunk-io/trunk-action@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19 + env: + # NOTE: inject the GITHUB_TOKEN for the trunk managed tflint linter + # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} conventional-title: runs-on: ubuntu-latest diff --git a/.trunk/configs/.tflint.hcl b/.trunk/configs/.tflint.hcl new file mode 100644 index 0000000..cd52e76 --- /dev/null +++ b/.trunk/configs/.tflint.hcl @@ -0,0 +1,27 @@ +plugin "terraform" { + enabled = true + preset = "all" +} + +# Allow variables to exist in more files than ONLY variables.tf +# Example use cases where we prefer for variables to exist in context, +# - context.tf (applicable to the null-label module) +# - providers.tf (when passing in secret keys from SOPs - example, github provider) +# https://github.com/terraform-linters/tflint-ruleset-terraform/blob/main/docs/rules/terraform_standard_module_structure.md +rule "terraform_standard_module_structure" { + enabled = false +} + +# installing the aws ruleset from GitHub requires setting a GITHUB_TOKEN +# environment variable. Without it, you'll get an error like this: +# +# Installing "aws" plugin... +# Failed to install a plugin; Failed to fetch GitHub releases: GET https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/tags/v0.39.0: 401 Bad credentials [] +# +# export GITHUB_TOKEN=github_pat_120abc123def456ghi789jkl123mno456pqr789stu123vwx456yz789 +# +plugin "aws" { + enabled = true + version = "0.39.0" + source = "github.com/terraform-linters/tflint-ruleset-aws" +} diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml index 94de5a3..ceb9a94 100644 --- a/.trunk/trunk.yaml +++ b/.trunk/trunk.yaml 
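Review bot: The added `env:` block exposes `secrets.GITHUB_TOKEN` to the whole `Trunk Check` step, so every trunk-managed linter in that run (not only tflint) inherits it, and nothing in the hunk bounds what the token may do; the job's `permissions:` block, if one exists, is outside the hunk. Fetching plugin releases only needs read access to public repositories, so declare `permissions:` with `contents: read` on the job that runs Trunk Check (or at workflow level) so the injected token is read-only even if a linter or the action misbehaves. Pinning both actions to commit SHAs with a version comment is the right call and should be kept. The `jobs:` mapping continues outside the hunk.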
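Review bot: The comment block in the new `.trunk/configs/.tflint.hcl` embeds `export GITHUB_TOKEN=github_pat_120abc...`, a string shaped like a real fine-grained PAT; it is presumably invented, but secret scanners such as the trufflehog this repo runs through trunk may key on that prefix, and a committed example in that shape invites someone to paste a real token into the file later. Replace it with an unmistakable placeholder, `# export GITHUB_TOKEN=<your-github-pat>`, and note that a token with no repository permissions is enough since it is only used to avoid the unauthenticated API rate limit. The same example string is carried forward unchanged in the later `.tflint.hcl` hunks of patches 05 and 13.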
@@ -27,10 +27,15 @@ lint: - git-diff-check - markdownlint@0.44.0 - prettier@3.5.3 - - tflint@0.56.0 + - tflint@0.57.0 - trivy@0.61.1 - trufflehog@3.88.26 - yamllint@1.37.0 + definitions: + - name: tflint + environment: + - name: TFLINT_CONFIG_FILE + value: ${workspace}/.trunk/configs/.tflint.hcl ignore: - linters: [tofu] paths: diff --git a/README.md b/README.md index 3542e60..5ab998b 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,26 @@ ## Purpose and Functionality -This repository serves as a template for creating Terraform modules, providing a standardized structure and essential files for efficient module development. It's designed to ensure consistency and our best practices across Terraform projects. +This repository serves as a template for creating Terraform modules, +providing a standardized structure and essential files for efficient module +development. It's designed to ensure consistency and our best practices across +Terraform projects. + +It comes pre-packaged with Masterpoint's standard Open Source tool set that our +team uses to operate effectively while when writing terraform + open tofu. + +- trunk: Trunk CLI for managing code quality and automation (linters and pre-commit actions) +- tflint: Terraform linter for best practices and errors +- renovate: Automated dependency updates +- tofu: OpenTofu linter for Terraform alternative +- actionlint: Linter for GitHub Actions workflows +- checkov: Infrastructure as Code (IaC) security scanner +- git-diff-check: Checks for issues in git diffs +- markdownlint: Linter for Markdown files +- prettier: Code formatter for consistent style +- trivy: Vulnerability scanner for containers and other artifacts +- trufflehog: Secret and sensitive data scanner +- yamllint: Linter for YAML files ## Usage 
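Review bot: `value: ${workspace}/.trunk/configs/.tflint.hcl` is a templated plain scalar; it parses as a string today, but quoting templated values is the safer YAML habit so a future edit that starts the value with an indicator character does not silently change its type, i.e. `value: "${workspace}/.trunk/configs/.tflint.hcl"`. The `lint:` mapping continues outside the hunk.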
@@ -83,7 +102,8 @@ TODO ## Built By -Powered by the [Masterpoint team](https://masterpoint.io/who-we-are/) and driven forward by contributions from the community ❤️ +Powered by the [Masterpoint team](https://masterpoint.io/who-we-are/) and driven +forward by contributions from the community ❤️ [![Contributors][contributors-image]][contributors-url] 
@@ -93,25 +113,41 @@ Contributions are welcome and appreciated! Found an issue or want to request a feature? [Open an issue][issues-url] -Want to fix a bug you found or add some functionality? Fork, clone, commit, push, and PR — we'll check it out. +Want to fix a bug you found or add some functionality? Fork, clone, commit, +push, and PR — we'll check it out. ## Who We Are 𐦂𖨆𐀪𖠋 -Established in 2016, Masterpoint is a team of experienced software and platform engineers specializing in Infrastructure as Code (IaC). We provide expert guidance to organizations of all sizes, helping them leverage the latest IaC practices to accelerate their engineering teams. +Established in 2016, Masterpoint is a team of experienced software and platform +engineers specializing in Infrastructure as Code (IaC). We provide expert +guidance to organizations of all sizes, helping them leverage the latest IaC +practices to accelerate their engineering teams. ### Our Mission -Our mission is to simplify cloud infrastructure so developers can innovate faster, safer, and with greater confidence. By open-sourcing tools and modules that we use internally, we aim to contribute back to the community, promoting consistency, quality, and security. +Our mission is to simplify cloud infrastructure so developers can innovate +faster, safer, and with greater confidence. By open-sourcing tools and modules +that we use internally, we aim to contribute back to the community, promoting +consistency, quality, and security. ### Our Commitments -- 🌟 **Open Source**: We live and breathe open source, contributing to and maintaining hundreds of projects across multiple organizations. -- 🌎 **1% for the Planet**: Demonstrating our commitment to environmental sustainability, we are proud members of [1% for the Planet](https://www.onepercentfortheplanet.org), pledging to donate 1% of our annual sales to environmental nonprofits. 
-- 🇺🇦 **1% Towards Ukraine**: With team members and friends affected by the ongoing [Russo-Ukrainian war](https://en.wikipedia.org/wiki/Russo-Ukrainian_War), we donate 1% of our annual revenue to invasion relief efforts, supporting organizations providing aid to those in need. [Here's how you can help Ukraine with just a few clicks](https://masterpoint.io/updates/supporting-ukraine/). +- 🌟 **Open Source**: We live and breathe open source, contributing to and + maintaining hundreds of projects across multiple organizations. +- 🌎 **1% for the Planet**: Demonstrating our commitment to environmental + sustainability, we are proud members of [1% for the Planet](https://www.onepercentfortheplanet.org), + pledging to donate 1% of our annual sales to environmental nonprofits. +- 🇺🇦 **1% Towards Ukraine**: With team members and friends affected by the + ongoing [Russo-Ukrainian war](https://en.wikipedia.org/wiki/Russo-Ukrainian_War), + we donate 1% of our annual revenue to invasion relief efforts, supporting + organizations providing aid to those in need. [Here's how you can help Ukraine + with just a few clicks](https://masterpoint.io/updates/supporting-ukraine/). ## Connect With Us -We're active members of the community and are always publishing content, giving talks, and sharing our hard earned expertise. Here are a few ways you can see what we're up to: +We're active members of the community and are always publishing content, giving +talks, and sharing our hard earned expertise. Here are a few ways you can see +what we're up to: [![LinkedIn][linkedin-badge]][linkedin-url] [![Newsletter][newsletter-badge]][newsletter-url] [![Blog][blog-badge]][blog-url] [![YouTube][youtube-badge]][youtube-url] diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index f9d23f1..588a5c2 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf @@ -1 +1,4 @@ # complete.tf +terraform { + required_version = ">= 1.0.0" +} 
From 1fd088588536f484d83de78efd602705c7766866 Mon Sep 17 00:00:00 2001 From: WestonPlatter Date: Thu, 22 May 2025 16:42:11 -0600 Subject: [PATCH 04/16] install tflint via trunk, not aqua --- aqua.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/aqua.yaml b/aqua.yaml index 2ed96cf..264e850 100644 --- a/aqua.yaml +++ b/aqua.yaml @@ -15,5 +15,3 @@ packages: tags: [terraform] - name: opentofu/opentofu@v1.9.1 tags: [tofu] - - name: terraform-linters/tflint@v0.57.0 - tags: [tflint] From bca14cdb514c1ff4bc6af1b69d2cd69dac51c0a0 Mon Sep 17 00:00:00 2001 From: WestonPlatter Date: Thu, 22 May 2025 16:49:00 -0600 Subject: [PATCH 05/16] add tflints from https://gist.github.com/RoseSecurity/9b65fdb960bed18ed61f28e8309f6209 --- .trunk/configs/.tflint.hcl | 87 ++++++++++++++++++++++++++++++++++---- 1 file changed, 79 insertions(+), 8 deletions(-) diff --git a/.trunk/configs/.tflint.hcl b/.trunk/configs/.tflint.hcl index cd52e76..edd89b4 100644 --- a/.trunk/configs/.tflint.hcl +++ b/.trunk/configs/.tflint.hcl @@ -3,13 +3,11 @@ plugin "terraform" { preset = "all" } -# Allow variables to exist in more files than ONLY variables.tf -# Example use cases where we prefer for variables to exist in context, -# - context.tf (applicable to the null-label module) -# - providers.tf (when passing in secret keys from SOPs - example, github provider) -# https://github.com/terraform-linters/tflint-ruleset-terraform/blob/main/docs/rules/terraform_standard_module_structure.md -rule "terraform_standard_module_structure" { - enabled = false +config { + format = "compact" + call_module_type = "local" + force = false + disabled_by_default = false } # installing the aws ruleset from GitHub requires setting a GITHUB_TOKEN 
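Review bot: `format = "compact"` in the new `config` block is probably only effective for manual `tflint` runs, since trunk's wrapper presumably passes its own output-format flag and the CLI flag overrides the config file; worth confirming and recording with a one-line comment such as `# format only affects manual runs; trunk supplies its own --format`. The rest of the block is explicit defaults, which is fine given the comment that follows in a later patch.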
@@ -18,10 +16,83 @@ rule "terraform_standard_module_structure" { # Installing "aws" plugin... # Failed to install a plugin; Failed to fetch GitHub releases: GET https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/tags/v0.39.0: 401 Bad credentials [] # +# The solution is to provide a github PAT via a GITHUB_TOKEN env var, # export GITHUB_TOKEN=github_pat_120abc123def456ghi789jkl123mno456pqr789stu123vwx456yz789 -# plugin "aws" { enabled = true version = "0.39.0" source = "github.com/terraform-linters/tflint-ruleset-aws" + deep_check = false +} + + +rule "terraform_comment_syntax" { + # Disallow `//` comments in favor of `#` + enabled = true +} +rule "terraform_deprecated_index" { + # Disallow legacy dot index syntax + enabled = true +} +rule "terraform_deprecated_interpolation" { + # Disallow deprecated (0.11-style) interpolation + # Enabled by default + enabled = true +} +rule "terraform_documented_outputs" { + # Disallow output declarations without description + enabled = true +} +rule "terraform_documented_variables" { + # Disallow variable declarations without description + enabled = true +} +rule "terraform_module_pinned_source" { + # Disallow specifying a git or mercurial repository as a module source without pinning to a version + # Enabled by default + enabled = true +} +rule "terraform_module_version" { + # Checks that Terraform modules sourced from a registry specify a version + # Enabled by default + enabled = true +} +rule "terraform_naming_convention" { + # Enforces naming conventions for resources, data sources, etc + enabled = true +} +rule "terraform_required_providers" { + # Require that all providers have version constraints through required_providers + enabled = true +} +rule "terraform_required_version" { + # Disallow terraform declarations without require_version + enabled = true +} + +# Allow variables to exist in more files than ONLY variables.tf +# Example use cases where we prefer for variables to exist in context, +# - 
context.tf (applicable to the null-label module) +# - providers.tf (when passing in secret keys from SOPs - example, github provider) +# https://github.com/terraform-linters/tflint-ruleset-terraform/blob/main/docs/rules/terraform_standard_module_structure.md +rule "terraform_standard_module_structure" { + enabled = false +} + +rule "terraform_typed_variables" { + # Disallow variable declarations without type + enabled = true +} +rule "terraform_unused_declarations" { + # Disallow variables, data sources, and locals that are declared but never used + enabled = true +} +rule "terraform_unused_required_providers" { + # Check that all required_providers are used in the module + enabled = true } +rule "terraform_workspace_remote" { + # terraform.workspace should not be used with a "remote" backend with remote execution. + # Enabled by default + enabled = true +} \ No newline at end of file From 5e5054286692a9c8efad2f9454e9e1c683cc120e Mon Sep 17 00:00:00 2001 From: WestonPlatter Date: Thu, 22 May 2025 16:59:44 -0600 Subject: [PATCH 06/16] run grammar, clear communication, and formatting prompts --- README.md | 37 +++++++++++++++++++------------------ 1 file changed, 19 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index 5ab998b..826b878 100644 --- a/README.md +++ b/README.md 
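Review bot: The file ends without a trailing newline (`\ No newline at end of file` after the last `}`), which the git-diff-check and prettier linters this repo runs are likely to flag on the next trunk run; add the newline. `deep_check = false` on the `aws` plugin also deserves a why-comment, because turning it on makes the ruleset call AWS APIs and therefore needs cloud credentials in CI: `# deep_check queries the AWS API and needs credentials; keep off for offline linting`.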
@@ -10,24 +10,25 @@ This repository serves as a template for creating Terraform modules, providing a standardized structure and essential files for efficient module -development. It's designed to ensure consistency and our best practices across -Terraform projects. - -It comes pre-packaged with Masterpoint's standard Open Source tool set that our -team uses to operate effectively while when writing terraform + open tofu. - -- trunk: Trunk CLI for managing code quality and automation (linters and pre-commit actions) -- tflint: Terraform linter for best practices and errors -- renovate: Automated dependency updates -- tofu: OpenTofu linter for Terraform alternative -- actionlint: Linter for GitHub Actions workflows -- checkov: Infrastructure as Code (IaC) security scanner -- git-diff-check: Checks for issues in git diffs -- markdownlint: Linter for Markdown files -- prettier: Code formatter for consistent style -- trivy: Vulnerability scanner for containers and other artifacts -- trufflehog: Secret and sensitive data scanner -- yamllint: Linter for YAML files +development. It is designed to ensure consistency and promote our best +practices across all Terraform projects. + +It comes pre-packaged with Masterpoint's standard open source toolset, which +our team uses to operate effectively when working with both Terraform and +OpenTofu. 
+ +- **trunk**: Trunk CLI for managing code quality (linters + checks) +- **actionlint**: Linter for GitHub Actions workflows +- **checkov**: Infrastructure as Code (IaC) security scanner +- **git-diff-check**: Checks for issues in git diffs +- **markdownlint**: Linter for Markdown files +- **prettier**: Code formatter for consistent style +- **renovate**: Automated dependency updates +- **tofu**: OpenTofu linter (an alternative to Terraform) +- **tflint**: Terraform linter for best practices and error detection +- **trivy**: Vulnerability scanner for containers and other artifacts +- **trufflehog**: Secret and sensitive data scanner +- **yamllint**: Linter for YAML files ## Usage From 8a30de9eee66268dd7d8ed121f15c23c2f75d9f9 Mon Sep 17 00:00:00 2001 From: WestonPlatter Date: Thu, 22 May 2025 17:14:43 -0600 Subject: [PATCH 07/16] ai feedback --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 826b878..a184282 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,7 @@ OpenTofu. - **renovate**: Automated dependency updates - **tofu**: OpenTofu linter (an alternative to Terraform) - **tflint**: Terraform linter for best practices and error detection -- **trivy**: Vulnerability scanner for containers and other artifacts +- **trivy**: Scans containers and artifacts for vulnerabilities - **trufflehog**: Secret and sensitive data scanner - **yamllint**: Linter for YAML files From 3dbffd3f4680f7a167cd413fc4227f59ceebbb38 Mon Sep 17 00:00:00 2001 From: WestonPlatter Date: Fri, 23 May 2025 08:23:22 -0600 Subject: [PATCH 08/16] add terraform, tofu, aqua --- README.md | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index a184282..9df6e9a 100644 --- a/README.md +++ b/README.md 
@@ -13,22 +13,23 @@ providing a standardized structure and essential files for efficient module development. It is designed to ensure consistency and promote our best practices across all Terraform projects. -It comes pre-packaged with Masterpoint's standard open source toolset, which +It comes pre-configured with Masterpoint's standard open source toolset, which our team uses to operate effectively when working with both Terraform and OpenTofu. -- **trunk**: Trunk CLI for managing code quality (linters + checks) -- **actionlint**: Linter for GitHub Actions workflows -- **checkov**: Infrastructure as Code (IaC) security scanner -- **git-diff-check**: Checks for issues in git diffs -- **markdownlint**: Linter for Markdown files -- **prettier**: Code formatter for consistent style -- **renovate**: Automated dependency updates -- **tofu**: OpenTofu linter (an alternative to Terraform) -- **tflint**: Terraform linter for best practices and error detection -- **trivy**: Scans containers and artifacts for vulnerabilities -- **trufflehog**: Secret and sensitive data scanner -- **yamllint**: Linter for YAML files +- [**aqua**](https://aquaproj.github.io/): Declarative CLI tool verison manager +- **tofu + terraform test workflows**: For continuously testing our TF code +- [**trunk**](https://docs.trunk.io/references/cli/getting-started): Trunk CLI for managing code quality (linters + checks) + - **actionlint**: Linter for GitHub Actions workflows + - **checkov**: Infrastructure as Code (IaC) security scanner + - **git-diff-check**: Checks for issues in git diffs + - **markdownlint**: Linter for Markdown files + - **prettier**: Code formatter for consistent style + - **renovate**: Automated dependency updates + - **tflint**: Terraform linter for best practices and error detection + - **trivy**: Scans containers and artifacts for vulnerabilities + - **trufflehog**: Secret and sensitive data scanner + - **yamllint**: Linter for YAML files ## Usage 
From a4a07ed337a8ba9dface2f80aefddb5bc3f39673 Mon Sep 17 00:00:00 2001 From: WestonPlatter Date: Fri, 23 May 2025 08:23:43 -0600 Subject: [PATCH 09/16] fix: undo the 80 char line width --- README.md | 33 ++++++++------------------------- 1 file changed, 8 insertions(+), 25 deletions(-) diff --git a/README.md b/README.md index 9df6e9a..0f54940 100644 --- a/README.md +++ b/README.md @@ -104,8 +104,7 @@ TODO ## Built By -Powered by the [Masterpoint team](https://masterpoint.io/who-we-are/) and driven -forward by contributions from the community ❤️ +Powered by the [Masterpoint team](https://masterpoint.io/who-we-are/) and driven forward by contributions from the community ❤️ [![Contributors][contributors-image]][contributors-url] 
@@ -115,41 +114,25 @@ Contributions are welcome and appreciated! Found an issue or want to request a feature? [Open an issue][issues-url] -Want to fix a bug you found or add some functionality? Fork, clone, commit, -push, and PR — we'll check it out. +Want to fix a bug you found or add some functionality? Fork, clone, commit, push, and PR — we'll check it out. ## Who We Are 𐦂𖨆𐀪𖠋 -Established in 2016, Masterpoint is a team of experienced software and platform -engineers specializing in Infrastructure as Code (IaC). We provide expert -guidance to organizations of all sizes, helping them leverage the latest IaC -practices to accelerate their engineering teams. +Established in 2016, Masterpoint is a team of experienced software and platform engineers specializing in Infrastructure as Code (IaC). We provide expert guidance to organizations of all sizes, helping them leverage the latest IaC practices to accelerate their engineering teams. ### Our Mission -Our mission is to simplify cloud infrastructure so developers can innovate -faster, safer, and with greater confidence. By open-sourcing tools and modules -that we use internally, we aim to contribute back to the community, promoting -consistency, quality, and security. +Our mission is to simplify cloud infrastructure so developers can innovate faster, safer, and with greater confidence. By open-sourcing tools and modules that we use internally, we aim to contribute back to the community, promoting consistency, quality, and security. ### Our Commitments -- 🌟 **Open Source**: We live and breathe open source, contributing to and - maintaining hundreds of projects across multiple organizations. -- 🌎 **1% for the Planet**: Demonstrating our commitment to environmental - sustainability, we are proud members of [1% for the Planet](https://www.onepercentfortheplanet.org), - pledging to donate 1% of our annual sales to environmental nonprofits. 
-- 🇺🇦 **1% Towards Ukraine**: With team members and friends affected by the - ongoing [Russo-Ukrainian war](https://en.wikipedia.org/wiki/Russo-Ukrainian_War), - we donate 1% of our annual revenue to invasion relief efforts, supporting - organizations providing aid to those in need. [Here's how you can help Ukraine - with just a few clicks](https://masterpoint.io/updates/supporting-ukraine/). +- 🌟 **Open Source**: We live and breathe open source, contributing to and maintaining hundreds of projects across multiple organizations. +- 🌎 **1% for the Planet**: Demonstrating our commitment to environmental sustainability, we are proud members of [1% for the Planet](https://www.onepercentfortheplanet.org), pledging to donate 1% of our annual sales to environmental nonprofits. +- 🇺🇦 **1% Towards Ukraine**: With team members and friends affected by the ongoing [Russo-Ukrainian war](https://en.wikipedia.org/wiki/Russo-Ukrainian_War), we donate 1% of our annual revenue to invasion relief efforts, supporting organizations providing aid to those in need. [Here's how you can help Ukraine with just a few clicks](https://masterpoint.io/updates/supporting-ukraine/). ## Connect With Us -We're active members of the community and are always publishing content, giving -talks, and sharing our hard earned expertise. Here are a few ways you can see -what we're up to: +We're active members of the community and are always publishing content, giving talks, and sharing our hard earned expertise. Here are a few ways you can see what we're up to: [![LinkedIn][linkedin-badge]][linkedin-url] [![Newsletter][newsletter-badge]][newsletter-url] [![Blog][blog-badge]][blog-url] [![YouTube][youtube-badge]][youtube-url] From 4c3e4b572981d196dfbacd6fb5b89ba45b2465fa Mon Sep 17 00:00:00 2001 From: WestonPlatter Date: Fri, 23 May 2025 08:27:11 -0600 Subject: [PATCH 10/16] fix: remove the enabled by default blocks --- .trunk/configs/.tflint.hcl | 20 -------------------- 1 file changed, 20 deletions(-) 
diff --git a/.trunk/configs/.tflint.hcl b/.trunk/configs/.tflint.hcl index edd89b4..2b250c4 100644 --- a/.trunk/configs/.tflint.hcl +++ b/.trunk/configs/.tflint.hcl @@ -34,11 +34,6 @@ rule "terraform_deprecated_index" { # Disallow legacy dot index syntax enabled = true } -rule "terraform_deprecated_interpolation" { - # Disallow deprecated (0.11-style) interpolation - # Enabled by default - enabled = true -} rule "terraform_documented_outputs" { # Disallow output declarations without description enabled = true @@ -47,16 +42,6 @@ rule "terraform_documented_variables" { # Disallow variable declarations without description enabled = true } -rule "terraform_module_pinned_source" { - # Disallow specifying a git or mercurial repository as a module source without pinning to a version - # Enabled by default - enabled = true -} -rule "terraform_module_version" { - # Checks that Terraform modules sourced from a registry specify a version - # Enabled by default - enabled = true -} rule "terraform_naming_convention" { # Enforces naming conventions for resources, data sources, etc enabled = true @@ -90,9 +75,4 @@ rule "terraform_unused_declarations" { rule "terraform_unused_required_providers" { # Check that all required_providers are used in the module enabled = true -} -rule "terraform_workspace_remote" { - # terraform.workspace should not be used with a "remote" backend with remote execution. - # Enabled by default - enabled = true } \ No newline at end of file From 45ec37b1368574323444aea8eaa47fbbc0603376 Mon Sep 17 00:00:00 2001 From: WestonPlatter Date: Fri, 23 May 2025 09:19:40 -0600 Subject: [PATCH 11/16] docs: more 80 char. add terraform-docs --- .trunk/trunk.yaml | 2 ++ README.md | 10 +++------- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml index ceb9a94..7c25a17 100644 --- a/.trunk/trunk.yaml +++ b/.trunk/trunk.yaml 
@@ -31,6 +31,8 @@ lint: - trivy@0.61.1 - trufflehog@3.88.26 - yamllint@1.37.0 + # NOTE(tflint): specific override required so it uses .tflint.hcl file in .trunk/configs directory + # https://github.com/trunk-io/plugins/tree/main/linters/tflint definitions: - name: tflint environment: diff --git a/README.md b/README.md index 0f54940..af76b4d 100644 --- a/README.md +++ b/README.md @@ -8,17 +8,13 @@ ## Purpose and Functionality -This repository serves as a template for creating Terraform modules, -providing a standardized structure and essential files for efficient module -development. It is designed to ensure consistency and promote our best -practices across all Terraform projects. +This repository serves as a template for creating Terraform modules, providing a standardized structure and essential files for efficient module development. It is designed to ensure consistency and promote our best practices across all Terraform projects. -It comes pre-configured with Masterpoint's standard open source toolset, which -our team uses to operate effectively when working with both Terraform and -OpenTofu. +It comes pre-configured with Masterpoint's curation of open source tools, which our team uses to operate more effectively with Terraform and OpenTofu. - [**aqua**](https://aquaproj.github.io/): Declarative CLI tool verison manager - **tofu + terraform test workflows**: For continuously testing our TF code +- [**terraform-docs**](https://terraform-docs.io/): Easily add terraform docs to the README - [**trunk**](https://docs.trunk.io/references/cli/getting-started): Trunk CLI for managing code quality (linters + checks) - **actionlint**: Linter for GitHub Actions workflows - **checkov**: Infrastructure as Code (IaC) security scanner From a4640fa02d13cc96eb141719001d7922349a27da Mon Sep 17 00:00:00 2001 
From: WestonPlatter Date: Fri, 23 May 2025 09:21:17 -0600 Subject: [PATCH 12/16] examples: move to to versions --- examples/complete/main.tf | 2 +- examples/complete/outputs.tf | 2 +- examples/complete/variables.tf | 5 +---- examples/complete/versions.tf | 5 +++++ 4 files changed, 8 insertions(+), 6 deletions(-) create mode 100644 examples/complete/versions.tf diff --git a/examples/complete/main.tf b/examples/complete/main.tf index f9d23f1..89e3a7a 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -1 +1 @@ -# complete.tf +# complete/main.tf diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf index f9d23f1..6fa8b90 100644 --- a/examples/complete/outputs.tf +++ b/examples/complete/outputs.tf @@ -1 +1 @@ -# complete.tf +# complete/outputs.tf diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index 588a5c2..75f690f 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf @@ -1,4 +1 @@ -# complete.tf -terraform { - required_version = ">= 1.0.0" -} +# complete/variables.tf diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf new file mode 100644 index 0000000..5048e59 --- /dev/null +++ b/examples/complete/versions.tf @@ -0,0 +1,5 @@ +# complete/versions.tf + +terraform { + required_version = ">= 1.0.0" +} From 997bc51bb872c64914bdb872e8e41d97082257f4 Mon Sep 17 00:00:00 2001 From: WestonPlatter Date: Fri, 23 May 2025 09:24:18 -0600 Subject: [PATCH 13/16] docs: explain why we need a Github PAT --- .trunk/configs/.tflint.hcl | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.trunk/configs/.tflint.hcl b/.trunk/configs/.tflint.hcl index 2b250c4..1b52a99 100644 --- a/.trunk/configs/.tflint.hcl +++ b/.trunk/configs/.tflint.hcl 
@@ -10,14 +10,16 @@ config { disabled_by_default = false } -# installing the aws ruleset from GitHub requires setting a GITHUB_TOKEN +# Installing tflint rulesets from Github requires setting a GITHUB_TOKEN # environment variable. Without it, you'll get an error like this: -# -# Installing "aws" plugin... -# Failed to install a plugin; Failed to fetch GitHub releases: GET https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/tags/v0.39.0: 401 Bad credentials [] +# $ tflint --init +# Installing "aws" plugin... +# Failed to install a plugin; Failed to fetch GitHub releases: GET https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/tags/v0.39.0: 401 Bad credentials [] # # The solution is to provide a github PAT via a GITHUB_TOKEN env var, # export GITHUB_TOKEN=github_pat_120abc123def456ghi789jkl123mno456pqr789stu123vwx456yz789 +# +# See docs for more info: https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting plugin "aws" { enabled = true version = "0.39.0" From 3c72adb4734b688b362080b0716a8b2d15bf457c Mon Sep 17 00:00:00 2001 From: WestonPlatter Date: Fri, 23 May 2025 09:43:48 -0600 Subject: [PATCH 14/16] fix: adjust configs to introspect module blocks --- .trunk/configs/.tflint.hcl | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/.trunk/configs/.tflint.hcl b/.trunk/configs/.tflint.hcl index 1b52a99..b3bac37 100644 --- a/.trunk/configs/.tflint.hcl +++ b/.trunk/configs/.tflint.hcl 
@@ -5,8 +5,15 @@ plugin "terraform" { config { format = "compact" - call_module_type = "local" - force = false + + # Inspect variables passed into "module" blocks/calls. + # For example, lint the AMI value passed into an ec2 CloudPosse module + # Default value is "local" + # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/calling-modules.md + call_module_type = "all" + + # Disable all rules by default + # Default value is false disabled_by_default = false } From 5abce984cde2d68f1cdc568973ba517764358490 Mon Sep 17 00:00:00 2001 From: WestonPlatter Date: Fri, 23 May 2025 09:50:01 -0600 Subject: [PATCH 15/16] trim down wording --- .trunk/configs/.tflint.hcl | 51 +++----------------------------------- 1 file changed, 3 insertions(+), 48 deletions(-) diff --git a/.trunk/configs/.tflint.hcl b/.trunk/configs/.tflint.hcl index b3bac37..f01f0f6 100644 --- a/.trunk/configs/.tflint.hcl +++ b/.trunk/configs/.tflint.hcl @@ -6,15 +6,13 @@ plugin "terraform" { config { format = "compact" - # Inspect variables passed into "module" blocks/calls. - # For example, lint the AMI value passed into an ec2 CloudPosse module - # Default value is "local" + # Inspect vars passed into "module" blocks. eg, lint AMI value passed into ec2 module. # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/calling-modules.md call_module_type = "all" - # Disable all rules by default - # Default value is false + # default values but keeping them here for clarity disabled_by_default = false + force = false } # Installing tflint rulesets from Github requires setting a GITHUB_TOKEN 
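Review bot: Switching `call_module_type` to `"all"` makes tflint inspect remote module calls as well as local ones, and as I read the linked calling-modules doc that requires the remote modules to already be initialized (`terraform init` / `tofu init`) before linting; the lint workflow in patch 03 goes from checkout straight into Trunk Check with no init step visible, so CI may error on, or silently skip, modules it cannot resolve. Please confirm how trunk runs tflint here and record the requirement next to the setting, e.g. `# "all" also inspects remote modules; they must be initialized before linting`. The `config` block is fully within the hunk; the surrounding file is not.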
@@ -34,36 +32,6 @@ plugin "aws" { deep_check = false } - -rule "terraform_comment_syntax" { - # Disallow `//` comments in favor of `#` - enabled = true -} -rule "terraform_deprecated_index" { - # Disallow legacy dot index syntax - enabled = true -} -rule "terraform_documented_outputs" { - # Disallow output declarations without description - enabled = true -} -rule "terraform_documented_variables" { - # Disallow variable declarations without description - enabled = true -} -rule "terraform_naming_convention" { - # Enforces naming conventions for resources, data sources, etc - enabled = true -} -rule "terraform_required_providers" { - # Require that all providers have version constraints through required_providers - enabled = true -} -rule "terraform_required_version" { - # Disallow terraform declarations without require_version - enabled = true -} - # Allow variables to exist in more files than ONLY variables.tf # Example use cases where we prefer for variables to exist in context, # - context.tf (applicable to the null-label module) @@ -71,17 +39,4 @@ rule "terraform_required_version" { # https://github.com/terraform-linters/tflint-ruleset-terraform/blob/main/docs/rules/terraform_standard_module_structure.md rule "terraform_standard_module_structure" { enabled = false -} - -rule "terraform_typed_variables" { - # Disallow variable declarations without type - enabled = true -} -rule "terraform_unused_declarations" { - # Disallow variables, data sources, and locals that are declared but never used - enabled = true -} -rule "terraform_unused_required_providers" { - # Check that all required_providers are used in the module - enabled = true } \ No newline at end of file From 2d144f74b536c5bc5723641992a74bd2fb0f6610 Mon Sep 17 00:00:00 2001 From: WestonPlatter Date: Fri, 23 May 2025 09:51:33 -0600 Subject: [PATCH 16/16] last polish --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index af76b4d..9b45980 100644 
--- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ This repository serves as a template for creating Terraform modules, providing a standardized structure and essential files for efficient module development. It is designed to ensure consistency and promote our best practices across all Terraform projects. -It comes pre-configured with Masterpoint's curation of open source tools, which our team uses to operate more effectively with Terraform and OpenTofu. +It comes pre-configured with Masterpoint's curation of open source tools, which our team uses to operate more effectively within Terraform and OpenTofu codebases. - [**aqua**](https://aquaproj.github.io/): Declarative CLI tool verison manager - **tofu + terraform test workflows**: For continuously testing our TF code