feat: 6764: pre-commit

.pre-commit-config.yaml

@@ -0,0 +1,18 @@
+repos:
+- repo: https://github.com/antonbabenko/pre-commit-terraform  #Follow the instructions as on the page to install dependencies
+  rev: v1.64.0
+  hooks:
+  - id: terraform_fmt
+  - id: terraform_docs
+  - id: terraform_tflint
+  - id: terraform_tfsec
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.1.0
+  hooks:
+  - id: check-merge-conflict
+  - id: detect-private-key
+- repo: https://github.com/macisamuele/language-formatters-pre-commit-hooks
+  rev: v2.3.0
+  hooks:
+  - id: pretty-format-yaml
+    args: [--autofix, --indent, '2']

logs_monitoring.tf

@@ -18,6 +18,7 @@ resource "aws_cloudformation_stack" "datadog-forwarder" {
   }
 }
 
+#tfsec:ignore:aws-ssm-secret-use-customer-key
 resource "aws_secretsmanager_secret" "datadog_api_key" {
   name_prefix = "${local.stack_prefix}datadog-api-key"
   description = "Datadog API Key"

logs_monitoring_elb.tf

@@ -20,14 +20,14 @@ resource "aws_s3_bucket_notification" "elblog-notification-dd-log" {
 }
 
 data "aws_elb_service_account" "main" {
-  
+
 }
 
 locals {
   elb_logs_s3_bucket = "${var.elb_logs_bucket_prefix}-${var.namespace}-${var.env}-elb-logs"
 }
 
-data aws_iam_policy_document "elb_logs" {
+data "aws_iam_policy_document" "elb_logs" {
   statement {
     actions = [
       "s3:PutObject"
@@ -43,9 +43,22 @@ data aws_iam_policy_document "elb_logs" {
   }
 }
 
+#tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-specify-public-access-block tfsec:ignore:aws-s3-no-public-buckets  tfsec:ignore:aws-s3-ignore-public-acls tfsec:ignore:aws-s3-block-public-policy tfsec:ignore:aws-s3-block-public-acls
 resource "aws_s3_bucket" "elb_logs" {
   count  = var.create_elb_logs_bucket ? 1 : 0
   bucket = local.elb_logs_s3_bucket
+  acl    = "private"
+  versioning {
+    enabled = true
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "elb_logs" {
+  bucket                  = aws_s3_bucket.elb_logs[0].id
+  restrict_public_buckets = true
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
 }
 
 resource "aws_s3_bucket_policy" "elb_logs" {
@@ -84,6 +97,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "elb_logs" {
   }
 }
 
+#tfsec:ignore:aws-s3-encryption-customer-key
 resource "aws_s3_bucket_server_side_encryption_configuration" "elb_logs" {
   count  = var.create_elb_logs_bucket ? 1 : 0
   bucket = aws_s3_bucket.elb_logs[0].id

main.tf

@@ -11,7 +11,7 @@ resource "datadog_integration_aws" "core" {
   excluded_regions                 = var.excluded_regions
   filter_tags                      = var.filter_tags
   resource_collection_enabled      = var.resource_collection_enabled
-  metrics_collection_enabled       = var.metrics_collection_enabled 
+  metrics_collection_enabled       = var.metrics_collection_enabled
   cspm_resource_collection_enabled = var.cspm_resource_collection_enabled
 }
 
@@ -56,6 +56,7 @@ data "aws_iam_policy" "securityAudit" {
   arn = "arn:aws:iam::aws:policy/SecurityAudit"
 }
 
+#tfsec:ignore:aws-iam-no-policy-wildcards
 resource "aws_iam_policy" "datadog-core" {
   count       = var.enable_datadog_aws_integration ? 1 : 0
   name        = "datadog-core-integration"