feat: Add Terragrunt wrapper support

Author: bryantbiggs

.pre-commit-config.yaml

@@ -3,7 +3,7 @@ repos:
     rev: v1.81.0
     hooks:
       - id: terraform_fmt
-      - id: terraform_validate
+      - id: terraform_wrapper_module_for_each
       - id: terraform_docs
         args:
           - '--args=--lockfile=false'
@@ -22,6 +22,7 @@ repos:
           - '--args=--only=terraform_required_providers'
           - '--args=--only=terraform_standard_module_structure'
           - '--args=--only=terraform_workspace_remote'
+      - id: terraform_validate
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v4.4.0
     hooks:

wrappers/README.md

@@ -0,0 +1,100 @@
+# Wrapper for the root module
+
+The configuration in this directory contains an implementation of a single module wrapper pattern, which allows managing several copies of a module in places where using the native Terraform 0.13+ `for_each` feature is not feasible (e.g., with Terragrunt).
+
+You may want to use a single Terragrunt configuration file to manage multiple resources without duplicating `terragrunt.hcl` files for each copy of the same module.
+
+This wrapper does not implement any extra functionality.
+
+## Usage with Terragrunt
+
+`terragrunt.hcl`:
+
+```hcl
+terraform {
+  source = "tfr:///terraform-aws-modules/network-firewall/aws//wrappers"
+  # Alternative source:
+  # source = "git::git@github.com:terraform-aws-modules/terraform-aws-network-firewall.git//wrappers?ref=master"
+}
+
+inputs = {
+  defaults = { # Default values
+    create = true
+    tags = {
+      Terraform   = "true"
+      Environment = "dev"
+    }
+  }
+
+  items = {
+    my-item = {
+      # omitted... can be any argument supported by the module
+    }
+    my-second-item = {
+      # omitted... can be any argument supported by the module
+    }
+    # omitted...
+  }
+}
+```
+
+## Usage with Terraform
+
+```hcl
+module "wrapper" {
+  source = "terraform-aws-modules/network-firewall/aws//wrappers"
+
+  defaults = { # Default values
+    create = true
+    tags = {
+      Terraform   = "true"
+      Environment = "dev"
+    }
+  }
+
+  items = {
+    my-item = {
+      # omitted... can be any argument supported by the module
+    }
+    my-second-item = {
+      # omitted... can be any argument supported by the module
+    }
+    # omitted...
+  }
+}
+```
+
+## Example: Manage multiple S3 buckets in one Terragrunt layer
+
+`eu-west-1/s3-buckets/terragrunt.hcl`:
+
+```hcl
+terraform {
+  source = "tfr:///terraform-aws-modules/s3-bucket/aws//wrappers"
+  # Alternative source:
+  # source = "git::git@github.com:terraform-aws-modules/terraform-aws-s3-bucket.git//wrappers?ref=master"
+}
+
+inputs = {
+  defaults = {
+    force_destroy = true
+
+    attach_elb_log_delivery_policy        = true
+    attach_lb_log_delivery_policy         = true
+    attach_deny_insecure_transport_policy = true
+    attach_require_latest_tls_policy      = true
+  }
+
+  items = {
+    bucket1 = {
+      bucket = "my-random-bucket-1"
+    }
+    bucket2 = {
+      bucket = "my-random-bucket-2"
+      tags = {
+        Secure = "probably"
+      }
+    }
+  }
+}
+```

wrappers/firewall/README.md

@@ -0,0 +1,100 @@
+# Wrapper for module: `modules/firewall`
+
+The configuration in this directory contains an implementation of a single module wrapper pattern, which allows managing several copies of a module in places where using the native Terraform 0.13+ `for_each` feature is not feasible (e.g., with Terragrunt).
+
+You may want to use a single Terragrunt configuration file to manage multiple resources without duplicating `terragrunt.hcl` files for each copy of the same module.
+
+This wrapper does not implement any extra functionality.
+
+## Usage with Terragrunt
+
+`terragrunt.hcl`:
+
+```hcl
+terraform {
+  source = "tfr:///terraform-aws-modules/network-firewall/aws//wrappers/firewall"
+  # Alternative source:
+  # source = "git::git@github.com:terraform-aws-modules/terraform-aws-network-firewall.git//wrappers/firewall?ref=master"
+}
+
+inputs = {
+  defaults = { # Default values
+    create = true
+    tags = {
+      Terraform   = "true"
+      Environment = "dev"
+    }
+  }
+
+  items = {
+    my-item = {
+      # omitted... can be any argument supported by the module
+    }
+    my-second-item = {
+      # omitted... can be any argument supported by the module
+    }
+    # omitted...
+  }
+}
+```
+
+## Usage with Terraform
+
+```hcl
+module "wrapper" {
+  source = "terraform-aws-modules/network-firewall/aws//wrappers/firewall"
+
+  defaults = { # Default values
+    create = true
+    tags = {
+      Terraform   = "true"
+      Environment = "dev"
+    }
+  }
+
+  items = {
+    my-item = {
+      # omitted... can be any argument supported by the module
+    }
+    my-second-item = {
+      # omitted... can be any argument supported by the module
+    }
+    # omitted...
+  }
+}
+```
+
+## Example: Manage multiple S3 buckets in one Terragrunt layer
+
+`eu-west-1/s3-buckets/terragrunt.hcl`:
+
+```hcl
+terraform {
+  source = "tfr:///terraform-aws-modules/s3-bucket/aws//wrappers"
+  # Alternative source:
+  # source = "git::git@github.com:terraform-aws-modules/terraform-aws-s3-bucket.git//wrappers?ref=master"
+}
+
+inputs = {
+  defaults = {
+    force_destroy = true
+
+    attach_elb_log_delivery_policy        = true
+    attach_lb_log_delivery_policy         = true
+    attach_deny_insecure_transport_policy = true
+    attach_require_latest_tls_policy      = true
+  }
+
+  items = {
+    bucket1 = {
+      bucket = "my-random-bucket-1"
+    }
+    bucket2 = {
+      bucket = "my-random-bucket-2"
+      tags = {
+        Secure = "probably"
+      }
+    }
+  }
+}
+```

wrappers/firewall/main.tf

@@ -0,0 +1,19 @@
+module "wrapper" {
+  source = "../../modules/firewall"
+
+  for_each = var.items
+
+  create                                   = try(each.value.create, var.defaults.create, true)
+  tags                                     = try(each.value.tags, var.defaults.tags, {})
+  delete_protection                        = try(each.value.delete_protection, var.defaults.delete_protection, true)
+  description                              = try(each.value.description, var.defaults.description, "")
+  encryption_configuration                 = try(each.value.encryption_configuration, var.defaults.encryption_configuration, {})
+  firewall_policy_arn                      = try(each.value.firewall_policy_arn, var.defaults.firewall_policy_arn, "")
+  firewall_policy_change_protection        = try(each.value.firewall_policy_change_protection, var.defaults.firewall_policy_change_protection, null)
+  name                                     = try(each.value.name, var.defaults.name, "")
+  subnet_change_protection                 = try(each.value.subnet_change_protection, var.defaults.subnet_change_protection, true)
+  subnet_mapping                           = try(each.value.subnet_mapping, var.defaults.subnet_mapping, {})
+  vpc_id                                   = try(each.value.vpc_id, var.defaults.vpc_id, "")
+  create_logging_configuration             = try(each.value.create_logging_configuration, var.defaults.create_logging_configuration, false)
+  logging_configuration_destination_config = try(each.value.logging_configuration_destination_config, var.defaults.logging_configuration_destination_config, [])
+}

wrappers/firewall/outputs.tf

@@ -0,0 +1,5 @@
+output "wrapper" {
+  description = "Map of outputs of a wrapper."
+  value       = module.wrapper
+  # sensitive = false # No sensitive module output found
+}

wrappers/firewall/variables.tf

@@ -0,0 +1,11 @@
+variable "defaults" {
+  description = "Map of default values which will be used for each item."
+  type        = any
+  default     = {}
+}
+
+variable "items" {
+  description = "Maps of items to create a wrapper from. Values are passed through to the module."
+  type        = any
+  default     = {}
+}

wrappers/firewall/versions.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.13.1"
+}

wrappers/main.tf

@@ -0,0 +1,37 @@
+module "wrapper" {
+  source = "../"
+
+  for_each = var.items
+
+  create                                    = try(each.value.create, var.defaults.create, true)
+  tags                                      = try(each.value.tags, var.defaults.tags, {})
+  delete_protection                         = try(each.value.delete_protection, var.defaults.delete_protection, true)
+  description                               = try(each.value.description, var.defaults.description, "")
+  encryption_configuration                  = try(each.value.encryption_configuration, var.defaults.encryption_configuration, {})
+  firewall_policy_arn                       = try(each.value.firewall_policy_arn, var.defaults.firewall_policy_arn, "")
+  firewall_policy_change_protection         = try(each.value.firewall_policy_change_protection, var.defaults.firewall_policy_change_protection, null)
+  name                                      = try(each.value.name, var.defaults.name, "")
+  subnet_change_protection                  = try(each.value.subnet_change_protection, var.defaults.subnet_change_protection, true)
+  subnet_mapping                            = try(each.value.subnet_mapping, var.defaults.subnet_mapping, {})
+  vpc_id                                    = try(each.value.vpc_id, var.defaults.vpc_id, "")
+  create_logging_configuration              = try(each.value.create_logging_configuration, var.defaults.create_logging_configuration, false)
+  logging_configuration_destination_config  = try(each.value.logging_configuration_destination_config, var.defaults.logging_configuration_destination_config, [])
+  create_policy                             = try(each.value.create_policy, var.defaults.create_policy, true)
+  policy_description                        = try(each.value.policy_description, var.defaults.policy_description, null)
+  policy_encryption_configuration           = try(each.value.policy_encryption_configuration, var.defaults.policy_encryption_configuration, {})
+  policy_stateful_default_actions           = try(each.value.policy_stateful_default_actions, var.defaults.policy_stateful_default_actions, [])
+  policy_stateful_engine_options            = try(each.value.policy_stateful_engine_options, var.defaults.policy_stateful_engine_options, {})
+  policy_stateful_rule_group_reference      = try(each.value.policy_stateful_rule_group_reference, var.defaults.policy_stateful_rule_group_reference, {})
+  policy_stateless_custom_action            = try(each.value.policy_stateless_custom_action, var.defaults.policy_stateless_custom_action, {})
+  policy_stateless_default_actions          = try(each.value.policy_stateless_default_actions, var.defaults.policy_stateless_default_actions, ["aws:pass"])
+  policy_stateless_fragment_default_actions = try(each.value.policy_stateless_fragment_default_actions, var.defaults.policy_stateless_fragment_default_actions, ["aws:pass"])
+  policy_stateless_rule_group_reference     = try(each.value.policy_stateless_rule_group_reference, var.defaults.policy_stateless_rule_group_reference, {})
+  policy_name                               = try(each.value.policy_name, var.defaults.policy_name, "")
+  policy_tags                               = try(each.value.policy_tags, var.defaults.policy_tags, {})
+  create_policy_resource_policy             = try(each.value.create_policy_resource_policy, var.defaults.create_policy_resource_policy, false)
+  policy_resource_policy_actions            = try(each.value.policy_resource_policy_actions, var.defaults.policy_resource_policy_actions, [])
+  policy_resource_policy_principals         = try(each.value.policy_resource_policy_principals, var.defaults.policy_resource_policy_principals, [])
+  policy_attach_resource_policy             = try(each.value.policy_attach_resource_policy, var.defaults.policy_attach_resource_policy, false)
+  policy_resource_policy                    = try(each.value.policy_resource_policy, var.defaults.policy_resource_policy, "")
+  policy_ram_resource_associations          = try(each.value.policy_ram_resource_associations, var.defaults.policy_ram_resource_associations, {})
+}

wrappers/outputs.tf

@@ -0,0 +1,5 @@
+output "wrapper" {
+  description = "Map of outputs of a wrapper."
+  value       = module.wrapper
+  # sensitive = false # No sensitive module output found
+}