
Commit a8492c2

Merge branch 'qa' into 'main'
Stable branch See merge request sq-ia/aws/network!8
2 parents 285e9b3 + 19c8d3e commit a8492c2

29 files changed

+1658
-83
lines changed

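--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,15 @@
+*.tfstate
+*.tfstate.*
+.terraform*
+*.out
+*.lock
+*.tfvars
+*.pem
+vars
+**/.terraform/*
+override.tf
+override.tf.*
+*_override.tf
+*_override.tf.*
+terraform.rc
+*.txt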
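Review bot: The `.terraform*` pattern on the third line also matches `.terraform.lock.hcl`, so the provider dependency lock file can never be committed and consumers of this module get no pinned provider versions or hashes; this is consistent with `--lockfile=false` in `.pre-commit-config.yaml`, but it weakens supply-chain pinning. Narrow it to `.terraform/` (the later `**/.terraform/*` entry already covers nested working directories) and commit `.terraform.lock.hcl`. The `*.txt` pattern is broad and may hide files a reviewer would expect to see in the repository; limit it to the specific outputs it is meant to cover.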

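--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,26 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+rev: v4.1.0
+hooks:
+- id: trailing-whitespace
+args: ['--markdown-linebreak-ext=md']
+- id: end-of-file-fixer
+- id: check-merge-conflict
+- id: detect-private-key
+- id: detect-aws-credentials
+args: ['--allow-missing-credentials']
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+rev: v1.77.0
+hooks:
+- id: terraform_fmt
+- id: terraform_docs
+args:
+- '--args=--lockfile=false'
+- id: terraform_tflint
+args:
+- --args=--config=.tflint.hcl
+- id: terraform_tfsec
+files: ^examples/ # only scan `examples/*` which are the implementation
+args:
+- --args=--config-file=__GIT_WORKING_DIR__/tfsec.yaml
+- --args=--concise-output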
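Review bot: The `terraform_tfsec` hook is restricted with `files: ^examples/`, so the module's own root configuration is never scanned even though the inline comment calls `examples/*` the implementation; if the network resources are declared in the root module, drop the `files:` filter or add a second hook entry for the root so misconfigurations are caught where the resources live. The hook also reads `__GIT_WORKING_DIR__/tfsec.yaml`, which is not visible on this page; confirm it is part of the merge, otherwise the hook fails on first run. `IAM.md` carries PRE-COMMIT-PIKE DOCS HOOK markers but no pike hook is configured here, so the documented IAM policy will drift from the module unless the hook is added or the file is regenerated by hand. Note that the rendered page has lost the YAML indentation, so nesting could not be checked.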

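--- a/.tflint.hcl
+++ b/.tflint.hcl
@@ -0,0 +1,112 @@
+plugin "aws" {
+enabled = true
+version = "0.14.0"
+source = "github.com/terraform-linters/tflint-ruleset-aws"
+}
+
+config {
+#Enables module inspection
+module = false
+force = false
+}
+
+# Required that all AWS resources have specified tags.
+rule "aws_resource_missing_tags" {
+enabled = true
+tags = [
+"Name",
+"Environment",
+]
+}
+
+# Disallow deprecated (0.11-style) interpolation
+rule "terraform_deprecated_interpolation" {
+enabled = true
+}
+
+# Disallow legacy dot index syntax.
+rule "terraform_deprecated_index" {
+enabled = true
+}
+
+# Disallow variables, data sources, and locals that are declared but never used.
+rule "terraform_unused_declarations" {
+enabled = true
+}
+
+# Disallow // comments in favor of #.
+rule "terraform_comment_syntax" {
+enabled = false
+}
+
+# Disallow output declarations without description.
+rule "terraform_documented_outputs" {
+enabled = true
+}
+
+# Disallow variable declarations without description.
+rule "terraform_documented_variables" {
+enabled = true
+}
+
+# Disallow variable declarations without type.
+rule "terraform_typed_variables" {
+enabled = true
+}
+
+# Disallow specifying a git or mercurial repository as a module source without pinning to a version.
+rule "terraform_module_pinned_source" {
+enabled = true
+}
+
+# Enforces naming conventions
+rule "terraform_naming_convention" {
+enabled = true
+
+#Require specific naming structure
+variable {
+format = "snake_case"
+}
+
+locals {
+format = "snake_case"
+}
+
+output {
+format = "snake_case"
+}
+
+#Allow any format
+resource {
+format = "none"
+}
+
+module {
+format = "none"
+}
+
+data {
+format = "none"
+}
+
+}
+
+# Disallow terraform declarations without require_version.
+rule "terraform_required_version" {
+enabled = true
+}
+
+# Require that all providers have version constraints through required_providers.
+rule "terraform_required_providers" {
+enabled = true
+}
+
+# Ensure that a module complies with the Terraform Standard Module Structure
+rule "terraform_standard_module_structure" {
+enabled = true
+}
+
+# terraform.workspace should not be used with a "remote" backend with remote execution.
+rule "terraform_workspace_remote" {
+enabled = true
+}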
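Review bot: The comment `#Enables module inspection` in the `config` block contradicts the value beneath it, `module = false`, which turns inspection of called modules off, so a reader may assume the modules referenced from `examples/` are linted when they are not. Reword it to `# Module inspection disabled: called modules are not linted (enabling it requires initialized modules)` or enable the setting. `terraform_comment_syntax` is the only rule explicitly set to `enabled = false`; a one-line comment stating why would keep the file self-explanatory, as every other rule here has one.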

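--- a/IAM.md
+++ b/IAM.md
@@ -0,0 +1,203 @@
+
+## IAM Permission
+
+<!-- BEGINNING OF PRE-COMMIT-PIKE DOCS HOOK -->
+The Policy required to deploy this module is:
+
+```json
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "VisualEditor0",
+"Effect": "Allow",
+"Action": [
+"ec2:AllocateAddress",
+"ec2:AssociateAddress",
+"ec2:AssociateRouteTable",
+"ec2:AttachInternetGateway",
+"ec2:AttachVolume",
+"ec2:AttachVpnGateway",
+"ec2:AuthorizeSecurityGroupEgress",
+"ec2:AuthorizeSecurityGroupIngress",
+"ec2:CreateFlowLogs",
+"ec2:CreateInternetGateway",
+"ec2:CreateKeyPair",
+"ec2:CreateNatGateway",
+"ec2:CreateNetworkAcl",
+"ec2:CreateNetworkAclEntry",
+"ec2:CreateNetworkInterface",
+"ec2:CreatePlacementGroup",
+"ec2:CreateRoute",
+"ec2:CreateRouteTable",
+"ec2:CreateSecurityGroup",
+"ec2:CreateSubnet",
+"ec2:CreateTags",
+"ec2:CreateVPC",
+"ec2:CreateVolume",
+"ec2:CreateVpcEndpoint",
+"ec2:CreateVpnGateway",
+"ec2:DeleteFlowLogs",
+"ec2:DeleteInternetGateway",
+"ec2:DeleteKeyPair",
+"ec2:DeleteNatGateway",
+"ec2:DeleteNetworkAcl",
+"ec2:DeleteNetworkAclEntry",
+"ec2:DeleteNetworkInterface",
+"ec2:DeletePlacementGroup",
+"ec2:DeleteRoute",
+"ec2:DeleteRouteTable",
+"ec2:DeleteSecurityGroup",
+"ec2:DeleteSubnet",
+"ec2:DeleteTags",
+"ec2:DeleteVPC",
+"ec2:DeleteVolume",
+"ec2:DeleteVpcEndpoints",
+"ec2:DeleteVpnGateway",
+"ec2:DescribeAccountAttributes",
+"ec2:DescribeAddresses",
+"ec2:DescribeAvailabilityZones",
+"ec2:DescribeFlowLogs",
+"ec2:DescribeImages",
+"ec2:DescribeInstanceAttribute",
+"ec2:DescribeInstanceCreditSpecifications",
+"ec2:DescribeInstanceTypes",
+"ec2:DescribeInstances",
+"ec2:DescribeInternetGateways",
+"ec2:DescribeKeyPairs",
+"ec2:DescribeNatGateways",
+"ec2:DescribeNetworkAcls",
+"ec2:DescribeNetworkInterfaces",
+"ec2:DescribePlacementGroups",
+"ec2:DescribePrefixLists",
+"ec2:DescribeRouteTables",
+"ec2:DescribeSecurityGroups",
+"ec2:DescribeSubnets",
+"ec2:DescribeTags",
+"ec2:DescribeVolumes",
+"ec2:DescribeVpcAttribute",
+"ec2:DescribeVpcEndpoints",
+"ec2:DescribeVpcs",
+"ec2:DescribeVpnGateways",
+"ec2:DetachInternetGateway",
+"ec2:DetachVolume",
+"ec2:DetachVpnGateway",
+"ec2:DisassociateAddress",
+"ec2:DisassociateRouteTable",
+"ec2:ImportKeyPair",
+"ec2:ModifyInstanceAttribute",
+"ec2:ModifyVolume",
+"ec2:ModifyVpcEndpoint",
+"ec2:MonitorInstances",
+"ec2:ReleaseAddress",
+"ec2:RevokeSecurityGroupEgress",
+"ec2:RevokeSecurityGroupIngress",
+"ec2:RunInstances",
+"ec2:StartInstances",
+"ec2:StopInstances",
+"ec2:TerminateInstances",
+"ec2:UnmonitorInstances"
+],
+"Resource": "*"
+},
+{
+"Sid": "VisualEditor1",
+"Effect": "Allow",
+"Action": [
+"iam:AddRoleToInstanceProfile",
+"iam:AttachRolePolicy",
+"iam:CreateInstanceProfile",
+"iam:CreatePolicy",
+"iam:CreateRole",
+"iam:DeleteInstanceProfile",
+"iam:DeletePolicy",
+"iam:DeleteRole",
+"iam:DeleteRolePermissionsBoundary",
+"iam:DetachRolePolicy",
+"iam:GetInstanceProfile",
+"iam:GetPolicy",
+"iam:GetPolicyVersion",
+"iam:GetRole",
+"iam:ListAttachedRolePolicies",
+"iam:ListInstanceProfilesForRole",
+"iam:ListPolicies",
+"iam:ListPolicyVersions",
+"iam:ListRolePolicies",
+"iam:PassRole",
+"iam:PutRolePermissionsBoundary",
+"iam:RemoveRoleFromInstanceProfile",
+"iam:TagPolicy",
+"iam:TagRole",
+"iam:UntagPolicy"
+],
+"Resource": "*"
+},
+{
+"Sid": "VisualEditor2",
+"Effect": "Allow",
+"Action": [
+"kms:CreateKey",
+"kms:Decrypt",
+"kms:DescribeKey",
+"kms:GetKeyPolicy",
+"kms:GetKeyRotationStatus",
+"kms:ListResourceTags",
+"kms:ScheduleKeyDeletion"
+],
+"Resource": "*"
+},
+{
+"Sid": "VisualEditor3",
+"Effect": "Allow",
+"Action": [
+"logs:AssociateKmsKey",
+"logs:CreateLogGroup",
+"logs:DeleteLogGroup",
+"logs:DeleteRetentionPolicy",
+"logs:DescribeLogGroups",
+"logs:DisassociateKmsKey",
+"logs:ListTagsLogGroup",
+"logs:PutRetentionPolicy",
+"logs:TagLogGroup",
+"logs:UntagLogGroup"
+],
+"Resource": "*"
+},
+{
+"Sid": "VisualEditor4",
+"Effect": "Allow",
+"Action": [
+"rds:AddTagsToResource",
+"rds:CreateDBSubnetGroup",
+"rds:DeleteDBSubnetGroup",
+"rds:DescribeDBSubnetGroups",
+"rds:ListTagsForResource",
+"rds:RemoveTagsFromResource"
+],
+"Resource": "*"
+},
+{
+"Sid": "VisualEditor5",
+"Effect": "Allow",
+"Action": [
+"ssm:AddTagsToResource",
+"ssm:CreateDocument",
+"ssm:DeleteDocument",
+"ssm:DeleteParameter",
+"ssm:DescribeDocument",
+"ssm:DescribeDocumentPermission",
+"ssm:DescribeParameters",
+"ssm:GetDocument",
+"ssm:GetParameter",
+"ssm:GetParameters",
+"ssm:ListTagsForResource",
+"ssm:PutParameter",
+"ssm:UpdateDocument"
+],
+"Resource": "*"
+}
+]
+}
+
+```
+<!-- END OF PRE-COMMIT-PIKE DOCS HOOK -->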
