initial commit

.github/workflows/pre-commit-check.yaml

@@ -4,19 +4,38 @@ on:
   push:
     branches:
       - master
+      - develop
   pull_request:
 
 jobs:
   build:
     runs-on: macOS-latest
     steps:
-    - uses: actions/checkout@v1
-
-    - name: Install prerequisites
-      run: |
-        brew install tfenv tflint terraform-docs pre-commit
-        pre-commit install
-        tfenv install
-    - name: pre-commit run all
-      run: |
-        pre-commit run -a
+      - uses: actions/checkout@v2
+        with:
+          ref: ${{ github.head_ref }}
+      - name: Install prerequisites
+        run: ./bin/install-macos.sh
+      - name: initialize Terraform
+        run: terraform init --backend=false
+      - uses: actions/cache@v1
+        with:
+          path: ~/.cache/pre-commit
+          key: pre-commit|${{ hashFiles('.pre-commit-config.yaml') }}
+          restore-keys: |
+            pre-commit
+      - name: pre-commit run all
+        run: |
+          pre-commit run -a
+        env:
+          AWS_DEFAULT_REGION: us-east-1
+          SKIP: terraform_tflint_deep
+      - uses: stefanzweifel/git-auto-commit-action@v4
+        if: ${{ failure() }}
+        with:
+          commit_message: Apply automatic changes
+          commit_options: "--no-verify"
+          # Optional commit user and author settings
+          commit_user_name: Linter Bot
+          commit_user_email: noreply@rhythmictech.com
+          commit_author: Linter Bot <actions@github.com>

.gitignore

@@ -7,3 +7,6 @@
 
 # .tfvars files
 *.tfvars
+
+*.zip
+tmp

.pre-commit-config.yaml

@@ -1,12 +1,67 @@
 repos:
-- repo: git://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.30.0
-  hooks:
-    - id: terraform_fmt
-    - id: terraform_docs
-- repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v3.0.0
-  hooks:
-    - id: end-of-file-fixer
-    - id: trailing-whitespace
-    - id: no-commit-to-branch
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.31.0
+    hooks:
+      - id: terraform_docs
+        always_run: true
+        args:
+          - --args=--sort-by-required
+      - id: terraform_fmt
+      - id: terraform_tflint
+        alias: terraform_tflint_deep
+        name: terraform_tflint_deep
+        args:
+          - --args=--deep
+      - id: terraform_tflint
+        alias: terraform_tflint_nocreds
+        name: terraform_tflint_nocreds
+      - id: terraform_tfsec
+  - repo: local
+    hooks:
+      - id: terraform_validate
+        name: terraform_validate
+        entry: |
+          bash -c '
+            AWS_DEFAULT_REGION=us-east-1
+            declare -a DIRS
+            for FILE in "$@"
+            do
+              DIRS+=($(dirname "$FILE"))
+            done
+            for DIR in $(printf "%s\n" "${DIRS[@]}" | sort -u)
+            do
+              cd $(dirname "$FILE")
+              terraform init --backend=false
+              terraform validate .
+            done
+          '
+        language: system
+        verbose: true
+        files: \.tf(vars)?$
+        exclude: examples
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v3.0.0
+    hooks:
+      - id: check-case-conflict
+      - id: check-json
+      - id: check-merge-conflict
+      - id: check-symlinks
+      - id: check-yaml
+        args:
+          - --unsafe
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+      - id: mixed-line-ending
+        args:
+          - --fix=lf
+      - id: no-commit-to-branch
+      - id: pretty-format-json
+        args:
+          - --autofix
+          - --top-keys=name,Name
+      - id: trailing-whitespace
+        args:
+          - --markdown-linebreak-ext=md
+        exclude: README.md
+      - id: check-ast
+      - id: check-builtin-literals

README.md

@@ -1,43 +1,46 @@
-# terraform-anycloud-template [![](https://github.com/rhythmictech/terraform-anycloud-template/workflows/pre-commit-check/badge.svg)](https://github.com/rhythmictech/terraform-anycloud-template/actions) <a href="https://twitter.com/intent/follow?screen_name=RhythmicTech"><img src="https://img.shields.io/twitter/follow/RhythmicTech?style=social&logo=RhythmicTech" alt="follow on Twitter"></a>
-Template repository for terraform modules. Good for any cloud and any provider.
+# terraform-aws-cloudflare-restrictor [![](https://github.com/rhythmictech/terraform-aws-cloudflare-restrictor/workflows/pre-commit-check/badge.svg)](https://github.com/rhythmictech/terraform-aws-cloudflare-restrictor/actions) <a href="https://twitter.com/intent/follow?screen_name=RhythmicTech"><img src="https://img.shields.io/twitter/follow/RhythmicTech?style=social&logo=RhythmicTech" alt="follow on Twitter"></a>
+
+This module will automatically manage the ingress rules for any security groups that are appropriately tagged, only permitting CloudFlare IP addresses. The module will create a Lambda that runs once per day, using the public CloudFlare API for known IP addresses to pull the latest IPs and merge them into the security group.
+
+By default, the Lambda will update any security group with the tag key `CLOUDFLARE_MANAGED` set to `true`,
+though this can be customized. Any existing ingress rules will be removed when this tag key/value match. Since the Lambda only runs once per day, it is recommended that it be manually triggered whenever a new security group is added.
 
 ## Example
-Here's what using the module will look like
+Here's what using the module will look like:
+
 ```
-module "example" {
-  source = "rhythmictech/terraform-mycloud-mymodule
+module "cloudflare-restrictor" {
+  source = "rhythmictech/terraform-aws-cloudflare-restrictor"
 }
 ```
 
-## About
-A bit about this module
-
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
-No requirements.
+| Name | Version |
+|------|---------|
+| terraform | >= 0.12.19 |
 
 ## Providers
 
-No provider.
+| Name | Version |
+|------|---------|
+| archive | n/a |
+| aws | n/a |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| name | Moniker to apply to all resources in the module | `string` | n/a | yes |
+| allowed\_ports | Ports to allow traffic from CloudFlare on (recommended to only use 443) | `list(number)` | <pre>[<br>  443<br>]</pre> | no |
+| execution\_expression | cron expression for how frequently rules should be updated | `string` | `"rate(1 day)"` | no |
+| name | Moniker to apply to all resources in the module | `string` | `"cloudflare-restrictor"` | no |
+| tag\_key | Tag key to expect on security groups that will be managed by this module | `string` | `"CLOUDFLARE_MANAGED"` | no |
+| tag\_value | Tag value to expect on security groups that will be managed by this module | `string` | `"true"` | no |
 | tags | User-Defined tags | `map(string)` | `{}` | no |
 
 ## Outputs
 
-| Name | Description |
-|------|-------------|
-| tags\_module | Tags Module in it's entirety |
+No output.
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-
-## The Giants underneath this module
-- pre-commit.com/
-- terraform.io/
-- github.com/tfutils/tfenv
-- github.com/segmentio/terraform-docs

bin/install-macos.sh

@@ -1,10 +1,18 @@
 #!/bin/bash
 
 echo 'installing brew packages'
-brew install tfenv tflint terraform-docs pre-commit
+brew update
+brew tap liamg/tfsec
+brew install tfenv tflint terraform-docs pre-commit liamg/tfsec/tfsec coreutils
+brew upgrade tfenv tflint terraform-docs pre-commit liamg/tfsec/tfsec coreutils
 
 echo 'installing pre-commit hooks'
 pre-commit install
 
+echo 'setting pre-commit hooks to auto-install on clone in the future'
+git config --global init.templateDir ~/.git-template
+pre-commit init-templatedir ~/.git-template
+
 echo 'installing terraform with tfenv'
-tfenv install
+tfenv install min-required
+tfenv use min-required