CMS-Enterprise · pre-commit-ci · Sep 23, 2024 · Sep 23, 2024
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -2,15 +2,15 @@
 # See https://pre-commit.com/hooks.html for more hooks
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v4.6.0
     hooks:
     -   id: trailing-whitespace
     -   id: end-of-file-fixer
     -   id: check-yaml
         args: ["--allow-multiple-documents"]
     -   id: check-added-large-files
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.77.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+    rev: v1.96.1 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
     hooks:
       - id: terraform_fmt     #  args: ["--enable require-variable-braces,deprecate-which"]
       - id: terraform_tflint

diff --git a/account_alias/README.md b/account_alias/README.md
@@ -2,4 +2,4 @@
 
 Sets the account alias for an AWS account. https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html
 
-Variable account_alias will be set for the account, e.g. "batcave-dev". Queryable with [ListAccountAliases](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAccountAliases.html)
+Variable account_alias will be set for the account, e.g. "batcave-dev". Queryable with [ListAccountAliases](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAccountAliases.html)
diff --git a/account_alias/main.tf b/account_alias/main.tf
@@ -9,4 +9,4 @@ variable "alias_name" {
     condition     = length(var.alias_name) >= 3 && length(var.alias_name) <= 63
     error_message = "Account Alias must have between 3 and 63 characters."
   }
-}
+}
diff --git a/role/main.tf b/role/main.tf
@@ -10,7 +10,7 @@ resource "aws_iam_role" "api-service-role" {
   permissions_boundary = var.permissions_boundary
   tags = var.tags
   assume_role_policy = <<-EOF
-  { 
+  {
     "Version": "2012-10-17",
     "Statement": [
       {
@@ -39,7 +39,7 @@ resource "aws_iam_role" "job-scheduler-service-role" {
   permissions_boundary = var.permissions_boundary
   tags = var.tags
   assume_role_policy = <<-EOF
-  { 
+  {
     "Version": "2012-10-17",
     "Statement": [
     {
@@ -70,7 +70,7 @@ resource "aws_iam_role" "cms-cloud-s3-snowflake-role" {
   assume_role_policy = <<-EOF
   {
     "Version": "2012-10-17",
-    "Statement": 
+    "Statement":
     [
       {
         "Effect": "Allow",
@@ -84,10 +84,10 @@ resource "aws_iam_role" "cms-cloud-s3-snowflake-role" {
           "StringEquals": {
             "sts:ExternalId": "${var.SDLExternalId}"
             }
-          }  
+          }
       }
     ]
-  }                  
+  }
   EOF
 }
 

diff --git a/role/variables.tf b/role/variables.tf
@@ -61,4 +61,4 @@ variable "tags" {
   description = "A mapping of tags to assign to all resources"
   type        = map(string)
   default     = {}
-}
+}
diff --git a/sdl_logs/README.md b/sdl_logs/README.md
@@ -1,4 +1,3 @@
 # SDL logs
 
 Sends all object create events on the logging bucket to eventbridge, a trigger to SNS, and connection to the Panther SQS queue for ingestion.
-
diff --git a/sdl_logs/eventbridge.tf b/sdl_logs/eventbridge.tf
@@ -42,9 +42,9 @@ resource "aws_cloudwatch_event_target" "target" {
             "awsRegion":<region>,
             "eventTime":<time>,
             "eventName":"PutObject",
-            "s3":{  
+            "s3":{
                 "s3SchemaVersion":"1.0",
-                "bucket":{  
+                "bucket":{
                     "name":"${data.aws_s3_bucket.cms_logging_bucket.id}",
                     "arn":"${data.aws_s3_bucket.cms_logging_bucket.arn}"
                 },
@@ -55,4 +55,4 @@ resource "aws_cloudwatch_event_target" "target" {
 }
 EOF
   }
-}
+}
diff --git a/sdl_logs/guardduty.tf b/sdl_logs/guardduty.tf
@@ -9,4 +9,4 @@ resource "aws_guardduty_publishing_destination" "s3-export" {
 resource "aws_s3_object" "guardduty_directory" {
   bucket = aws_s3_bucket.gd_export_s3_bucket.id
   key    = "guardduty/"
-}
+}
diff --git a/sdl_logs/kms.tf b/sdl_logs/kms.tf
@@ -91,4 +91,4 @@ resource "aws_kms_key" "kms_key" {
 resource "aws_kms_alias" "kms_key" {
   name          = "alias/batcave-panther"
   target_key_id = aws_kms_key.kms_key.id
-}
+}
diff --git a/sdl_logs/main.tf b/sdl_logs/main.tf
@@ -88,4 +88,3 @@ resource "aws_iam_role_policy" "kms_decryption" {
     ]
   })
 }
-
diff --git a/sdl_logs/s3.tf b/sdl_logs/s3.tf
@@ -3,7 +3,7 @@ data "aws_s3_bucket" "cms_logging_bucket" {
 }
 
 
-# Bucket notifications are managed as a single resource by AWS. 
+# Bucket notifications are managed as a single resource by AWS.
 # If an organizational change is made from cms cloud, our notifications will be overwritten, and if we
 # make a change, we overwrite their settings, so this became a last resort
 # This local-exec requires aws cli on the local machine
@@ -80,4 +80,4 @@ resource "aws_s3_bucket_notification" "panther_bucket_notifications" {
     topic_arn = aws_sns_topic.panther_topic.arn
     events    = ["s3:ObjectCreated:*"]
   }
-}
+}
diff --git a/sdl_logs/sns.tf b/sdl_logs/sns.tf
@@ -106,4 +106,4 @@ resource "aws_sns_topic_subscription" "panther" {
   topic_arn = aws_sns_topic.panther_topic.arn
   protocol  = "sqs"
   endpoint  = "arn:aws:sqs:us-east-1:${var.panther_aws_account_id}:panther-input-data-notifications-queue"
-}
+}
diff --git a/security-alerts/cloudwatch.tf b/security-alerts/cloudwatch.tf
@@ -41,4 +41,4 @@ resource "aws_cloudwatch_metric_alarm" "sechub_statemachine_alarm" {
   dimensions = {
     StateMachineArn = aws_sfn_state_machine.sechub_state_machine.arn
   }
-}
+}
diff --git a/security-alerts/code/sechub_transform.py b/security-alerts/code/sechub_transform.py
@@ -1,12 +1,12 @@
 import os
 
 def handler(event, context):
-    
+
     account_name = os.environ.get("ACCOUNT_NAME")
     try:
         event['detail']['findings'][0]['AwsAccountId'] = account_name
     except Exception as e:
         print('Error encountered during parsing of event for AwsAccountId')
         print(e)
         return event
-    return event
+    return event
diff --git a/security-alerts/data.tf b/security-alerts/data.tf
@@ -1 +1 @@
-data "aws_region" "current" {}
+data "aws_region" "current" {}
diff --git a/security-alerts/events.tf b/security-alerts/events.tf
@@ -65,4 +65,4 @@ resource "aws_cloudwatch_event_target" "target" {
 #   target_id = aws_cloudwatch_event_rule.nessus.name
 #   arn       = aws_sfn_state_machine.sechub_state_machine.arn
 #   role_arn  = aws_iam_role.sfn_target_role.arn
-# }
+# }
diff --git a/security-alerts/iam.tf b/security-alerts/iam.tf
@@ -206,4 +206,4 @@ resource "aws_iam_policy" "sfn_target_policy" {
   description = "Allows Eventbridge Rules to invoke the SecHub findings state machine"
 
   policy = data.aws_iam_policy_document.sfn_target_policy.json
-}
+}
diff --git a/security-alerts/lambda.tf b/security-alerts/lambda.tf
@@ -62,4 +62,4 @@ resource "aws_lambda_function" "transform-lambda" {
       ACCOUNT_NAME = var.account_name
     }
   }
-}
+}
diff --git a/security-alerts/step_function.tf b/security-alerts/step_function.tf
@@ -74,4 +74,4 @@ resource "aws_sfn_state_machine" "sechub_state_machine" {
       }
     }
   })
-}
+}
diff --git a/security-alerts/variables.tf b/security-alerts/variables.tf
@@ -30,4 +30,4 @@ variable "account_name" {
 variable "slack_channel_id" {
   type    = string
   default = "C036GQ3E9D1"
-}
+}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -2,4 +2,4 @@

		Sets the account alias for an AWS account. https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html

		Variable account_alias will be set for the account, e.g. "batcave-dev". Queryable with [ListAccountAliases](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAccountAliases.html)
		Variable account_alias will be set for the account, e.g. "batcave-dev". Queryable with [ListAccountAliases](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAccountAliases.html)
-Original file line number
+Diff line change
@@ Expand Up / @@ -9,4 +9,4 @@ variable "alias_name" { @@
         condition     = length(var.alias_name) >= 3 && length(var.alias_name) <= 63
         error_message = "Account Alias must have between 3 and 63 characters."
       }
-    }
+    }
Original file line number	Diff line number	Diff line change
		@@ -1,4 +1,3 @@
		# SDL logs

		Sends all object create events on the logging bucket to eventbridge, a trigger to SNS, and connection to the Panther SQS queue for ingestion.
Original file line number	Diff line number	Diff line change
Expand Up		@@ -88,4 +88,3 @@ resource "aws_iam_role_policy" "kms_decryption" {
		]
		})
		}
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		data "aws_region" "current" {}
		data "aws_region" "current" {}