diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index ceb46444..2537f2f8 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -15,9 +15,10 @@ # Cloud Posse must review any changes to standard context definition, # but some changes can be rubber-stamped. -**/context.tf @cloudposse/engineering @cloudposse/approvers -README.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers -docs/*.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers +**/*.tf @cloudposse/engineering @cloudposse/approvers +README.yaml @cloudposse/engineering @cloudposse/approvers +README.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers +docs/*.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers # Cloud Posse Admins must review all changes to CODEOWNERS or the mergify configuration .github/mergify.yml @cloudposse/admins diff --git a/.github/mergify.yml b/.github/mergify.yml index b0106567..ef15545e 100644 --- a/.github/mergify.yml +++ b/.github/mergify.yml @@ -56,3 +56,10 @@ pull_request_rules: changes_requested: true approved: true message: "This Pull Request has been updated, so we're dismissing all reviews." + +- name: "close Pull Requests without files changed" + conditions: + - "#files=0" + actions: + close: + message: "This pull request has been automatically closed by Mergify because there are no longer any changes." diff --git a/.github/workflows/auto-format.yml b/.github/workflows/auto-format.yml index 990abed6..375d0fd4 100644 --- a/.github/workflows/auto-format.yml +++ b/.github/workflows/auto-format.yml @@ -6,7 +6,7 @@ on: jobs: auto-format: runs-on: ubuntu-latest - container: cloudposse/build-harness:slim-latest + container: cloudposse/build-harness:latest steps: # Checkout the pull request branch # "An action in a workflow run can’t trigger a new workflow run. For example, if an action pushes code using @@ -29,6 +29,8 @@ jobs: - name: Auto Format if: github.event.pull_request.state == 'open' shell: bash + env: + GITHUB_TOKEN: "${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}" run: make BUILD_HARNESS_PATH=/build-harness PACKAGES_PREFER_HOST=true -f /build-harness/templates/Makefile.build-harness pr/auto-format/host # Commit changes (if any) to the PR branch diff --git a/README.md b/README.md index d8da750e..10b05e76 100644 --- a/README.md +++ b/README.md @@ -61,6 +61,25 @@ We literally have [*hundreds of terraform modules*][terraform_modules] that are +## Security & Compliance [](https://bridgecrew.io/) + +Security scanning is graciously provided by Bridgecrew. Bridgecrew is the leading fully hosted, cloud-native solution providing continuous Terraform security and compliance. + +| Benchmark | Description | +|--------|---------------| +| [![Infrastructure Security](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-ecs-web-app/general)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-ecs-web-app&benchmark=INFRASTRUCTURE+SECURITY) | Infrastructure Security Compliance | +| [![CIS KUBERNETES](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-ecs-web-app/cis_kubernetes)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-ecs-web-app&benchmark=CIS+KUBERNETES+V1.5) | Center for Internet Security, KUBERNETES Compliance | +| [![CIS AWS](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-ecs-web-app/cis_aws)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-ecs-web-app&benchmark=CIS+AWS+V1.2) | Center for Internet Security, AWS Compliance | +| [![CIS AZURE](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-ecs-web-app/cis_azure)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-ecs-web-app&benchmark=CIS+AZURE+V1.1) | Center for Internet Security, AZURE Compliance | +| [![PCI-DSS](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-ecs-web-app/pci)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-ecs-web-app&benchmark=PCI-DSS+V3.2) | Payment Card Industry Data Security Standards Compliance | +| [![NIST-800-53](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-ecs-web-app/nist)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-ecs-web-app&benchmark=NIST-800-53) | National Institute of Standards and Technology Compliance | +| [![ISO27001](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-ecs-web-app/iso)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-ecs-web-app&benchmark=ISO27001) | Information Security Management System, ISO/IEC 27001 Compliance | +| [![SOC2](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-ecs-web-app/soc2)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-ecs-web-app&benchmark=SOC2)| Service Organization Control 2 Compliance | +| [![CIS GCP](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-ecs-web-app/cis_gcp)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-ecs-web-app&benchmark=CIS+GCP+V1.1) | Center for Internet Security, GCP Compliance | +| [![HIPAA](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-ecs-web-app/hipaa)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-ecs-web-app&benchmark=HIPAA) | Health Insurance Portability and Accountability Compliance | + + + ## Usage @@ -152,6 +171,26 @@ Available targets: |------|---------| | aws | >= 2.0 | +## Modules + +| Name | Source | Version | +|------|--------|---------| +| alb_ingress | cloudposse/alb-ingress/aws | 0.22.1 | +| alb_target_group_cloudwatch_sns_alarms | cloudposse/alb-target-group-cloudwatch-sns-alarms/aws | 0.13.0 | +| container_definition | cloudposse/ecs-container-definition/aws | 0.47.0 | +| ecr | cloudposse/ecr/aws | 0.29.2 | +| ecs_alb_service_task | cloudposse/ecs-alb-service-task/aws | 0.44.0 | +| ecs_cloudwatch_autoscaling | cloudposse/ecs-cloudwatch-autoscaling/aws | 0.5.1 | +| ecs_cloudwatch_sns_alarms | cloudposse/ecs-cloudwatch-sns-alarms/aws | 0.8.1 | +| ecs_codepipeline | cloudposse/ecs-codepipeline/aws | 0.19.0 | +| this | cloudposse/label/null | 0.22.1 | + +## Resources + +| Name | +|------| +| [aws_cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | + ## Inputs | Name | Description | Type | Default | Required | @@ -186,7 +225,7 @@ Available targets: | alb\_target\_group\_alarms\_response\_time\_threshold | The maximum ALB Target Group response time | `number` | `0.5` | no | | assign\_public\_ip | Assign a public IP address to the ENI (Fargate launch type only). Valid values are `true` or `false`. Default `false` | `bool` | `false` | no | | attributes | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | -| authentication\_cognito\_scope | Cognito scope | `list(string)` | `[]` | no | +| authentication\_cognito\_scope | Cognito scope | `string` | `null` | no | | authentication\_cognito\_user\_pool\_arn | Cognito User Pool ARN | `string` | `""` | no | | authentication\_cognito\_user\_pool\_client\_id | Cognito User Pool Client ID | `string` | `""` | no | | authentication\_cognito\_user\_pool\_domain | Cognito User Pool Domain. The User Pool Domain should be set to the domain prefix (`xxx`) instead of full domain (https://xxx.auth.us-west-2.amazoncognito.com) | `string` | `""` | no | @@ -194,7 +233,7 @@ Available targets: | authentication\_oidc\_client\_id | OIDC Client ID | `string` | `""` | no | | authentication\_oidc\_client\_secret | OIDC Client Secret | `string` | `""` | no | | authentication\_oidc\_issuer | OIDC Issuer | `string` | `""` | no | -| authentication\_oidc\_scope | OIDC scope | `list(string)` | `[]` | no | +| authentication\_oidc\_scope | OIDC scope | `string` | `null` | no | | authentication\_oidc\_token\_endpoint | OIDC Token Endpoint | `string` | `""` | no | | authentication\_oidc\_user\_info\_endpoint | OIDC User Info Endpoint | `string` | `""` | no | | authentication\_type | Authentication type. Supported values are `COGNITO` and `OIDC` | `string` | `""` | no | @@ -378,7 +417,6 @@ Available targets: | httpcode\_target\_5xx\_count\_cloudwatch\_metric\_alarm\_id | ALB Target Group 5xx count CloudWatch metric alarm ID | | target\_response\_time\_average\_cloudwatch\_metric\_alarm\_arn | ALB Target Group response time average CloudWatch metric alarm ARN | | target\_response\_time\_average\_cloudwatch\_metric\_alarm\_id | ALB Target Group response time average CloudWatch metric alarm ID | - diff --git a/context.tf b/context.tf index f5f27979..81f99b4e 100644 --- a/context.tf +++ b/context.tf @@ -20,7 +20,7 @@ module "this" { source = "cloudposse/label/null" - version = "0.22.1" // requires Terraform >= 0.12.26 + version = "0.24.1" # requires Terraform >= 0.13.0 enabled = var.enabled namespace = var.namespace @@ -34,6 +34,8 @@ module "this" { label_order = var.label_order regex_replace_chars = var.regex_replace_chars id_length_limit = var.id_length_limit + label_key_case = var.label_key_case + label_value_case = var.label_value_case context = var.context } @@ -41,20 +43,7 @@ module "this" { # Copy contents of cloudposse/terraform-null-label/variables.tf here variable "context" { - type = object({ - enabled = bool - namespace = string - environment = string - stage = string - name = string - delimiter = string - attributes = list(string) - tags = map(string) - additional_tag_map = map(string) - regex_replace_chars = string - label_order = list(string) - id_length_limit = number - }) + type = any default = { enabled = true namespace = null @@ -68,6 +57,8 @@ variable "context" { regex_replace_chars = null label_order = [] id_length_limit = null + label_key_case = null + label_value_case = null } description = <<-EOT Single object for setting entire context at once. @@ -76,6 +67,16 @@ variable "context" { Individual variable settings (non-null) override settings in context object, except for attributes, tags, and additional_tag_map, which are merged. EOT + + validation { + condition = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"]) + error_message = "Allowed values: `lower`, `title`, `upper`." + } + + validation { + condition = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"]) + error_message = "Allowed values: `lower`, `title`, `upper`, `none`." + } } variable "enabled" { @@ -158,11 +159,44 @@ variable "id_length_limit" { type = number default = null description = <<-EOT - Limit `id` to this many characters. + Limit `id` to this many characters (minimum 6). Set to `0` for unlimited length. Set to `null` for default, which is `0`. Does not affect `id_full`. EOT + validation { + condition = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0 + error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length." + } +} + +variable "label_key_case" { + type = string + default = null + description = <<-EOT + The letter case of label keys (`tag` names) (i.e. `name`, `namespace`, `environment`, `stage`, `attributes`) to use in `tags`. + Possible values: `lower`, `title`, `upper`. + Default value: `title`. + EOT + + validation { + condition = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case) + error_message = "Allowed values: `lower`, `title`, `upper`." + } } +variable "label_value_case" { + type = string + default = null + description = <<-EOT + The letter case of output label values (also used in `tags` and `id`). + Possible values: `lower`, `title`, `upper` and `none` (no transformation). + Default value: `lower`. + EOT + + validation { + condition = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case) + error_message = "Allowed values: `lower`, `title`, `upper`, `none`." + } +} #### End of copy of cloudposse/terraform-null-label/variables.tf diff --git a/docs/terraform.md b/docs/terraform.md index a979b14c..ea560fbf 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -15,6 +15,26 @@ |------|---------| | aws | >= 2.0 | +## Modules + +| Name | Source | Version | +|------|--------|---------| +| alb_ingress | cloudposse/alb-ingress/aws | 0.22.1 | +| alb_target_group_cloudwatch_sns_alarms | cloudposse/alb-target-group-cloudwatch-sns-alarms/aws | 0.13.0 | +| container_definition | cloudposse/ecs-container-definition/aws | 0.47.0 | +| ecr | cloudposse/ecr/aws | 0.29.2 | +| ecs_alb_service_task | cloudposse/ecs-alb-service-task/aws | 0.44.0 | +| ecs_cloudwatch_autoscaling | cloudposse/ecs-cloudwatch-autoscaling/aws | 0.5.1 | +| ecs_cloudwatch_sns_alarms | cloudposse/ecs-cloudwatch-sns-alarms/aws | 0.8.1 | +| ecs_codepipeline | cloudposse/ecs-codepipeline/aws | 0.19.0 | +| this | cloudposse/label/null | 0.22.1 | + +## Resources + +| Name | +|------| +| [aws_cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | + ## Inputs | Name | Description | Type | Default | Required | @@ -49,7 +69,7 @@ | alb\_target\_group\_alarms\_response\_time\_threshold | The maximum ALB Target Group response time | `number` | `0.5` | no | | assign\_public\_ip | Assign a public IP address to the ENI (Fargate launch type only). Valid values are `true` or `false`. Default `false` | `bool` | `false` | no | | attributes | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | -| authentication\_cognito\_scope | Cognito scope | `list(string)` | `[]` | no | +| authentication\_cognito\_scope | Cognito scope | `string` | `null` | no | | authentication\_cognito\_user\_pool\_arn | Cognito User Pool ARN | `string` | `""` | no | | authentication\_cognito\_user\_pool\_client\_id | Cognito User Pool Client ID | `string` | `""` | no | | authentication\_cognito\_user\_pool\_domain | Cognito User Pool Domain. The User Pool Domain should be set to the domain prefix (`xxx`) instead of full domain (https://xxx.auth.us-west-2.amazoncognito.com) | `string` | `""` | no | @@ -57,7 +77,7 @@ | authentication\_oidc\_client\_id | OIDC Client ID | `string` | `""` | no | | authentication\_oidc\_client\_secret | OIDC Client Secret | `string` | `""` | no | | authentication\_oidc\_issuer | OIDC Issuer | `string` | `""` | no | -| authentication\_oidc\_scope | OIDC scope | `list(string)` | `[]` | no | +| authentication\_oidc\_scope | OIDC scope | `string` | `null` | no | | authentication\_oidc\_token\_endpoint | OIDC Token Endpoint | `string` | `""` | no | | authentication\_oidc\_user\_info\_endpoint | OIDC User Info Endpoint | `string` | `""` | no | | authentication\_type | Authentication type. Supported values are `COGNITO` and `OIDC` | `string` | `""` | no | @@ -241,5 +261,4 @@ | httpcode\_target\_5xx\_count\_cloudwatch\_metric\_alarm\_id | ALB Target Group 5xx count CloudWatch metric alarm ID | | target\_response\_time\_average\_cloudwatch\_metric\_alarm\_arn | ALB Target Group response time average CloudWatch metric alarm ARN | | target\_response\_time\_average\_cloudwatch\_metric\_alarm\_id | ALB Target Group response time average CloudWatch metric alarm ID | - diff --git a/examples/complete/context.tf b/examples/complete/context.tf index f5f27979..81f99b4e 100644 --- a/examples/complete/context.tf +++ b/examples/complete/context.tf @@ -20,7 +20,7 @@ module "this" { source = "cloudposse/label/null" - version = "0.22.1" // requires Terraform >= 0.12.26 + version = "0.24.1" # requires Terraform >= 0.13.0 enabled = var.enabled namespace = var.namespace @@ -34,6 +34,8 @@ module "this" { label_order = var.label_order regex_replace_chars = var.regex_replace_chars id_length_limit = var.id_length_limit + label_key_case = var.label_key_case + label_value_case = var.label_value_case context = var.context } @@ -41,20 +43,7 @@ module "this" { # Copy contents of cloudposse/terraform-null-label/variables.tf here variable "context" { - type = object({ - enabled = bool - namespace = string - environment = string - stage = string - name = string - delimiter = string - attributes = list(string) - tags = map(string) - additional_tag_map = map(string) - regex_replace_chars = string - label_order = list(string) - id_length_limit = number - }) + type = any default = { enabled = true namespace = null @@ -68,6 +57,8 @@ variable "context" { regex_replace_chars = null label_order = [] id_length_limit = null + label_key_case = null + label_value_case = null } description = <<-EOT Single object for setting entire context at once. @@ -76,6 +67,16 @@ variable "context" { Individual variable settings (non-null) override settings in context object, except for attributes, tags, and additional_tag_map, which are merged. EOT + + validation { + condition = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"]) + error_message = "Allowed values: `lower`, `title`, `upper`." + } + + validation { + condition = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"]) + error_message = "Allowed values: `lower`, `title`, `upper`, `none`." + } } variable "enabled" { @@ -158,11 +159,44 @@ variable "id_length_limit" { type = number default = null description = <<-EOT - Limit `id` to this many characters. + Limit `id` to this many characters (minimum 6). Set to `0` for unlimited length. Set to `null` for default, which is `0`. Does not affect `id_full`. EOT + validation { + condition = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0 + error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length." + } +} + +variable "label_key_case" { + type = string + default = null + description = <<-EOT + The letter case of label keys (`tag` names) (i.e. `name`, `namespace`, `environment`, `stage`, `attributes`) to use in `tags`. + Possible values: `lower`, `title`, `upper`. + Default value: `title`. + EOT + + validation { + condition = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case) + error_message = "Allowed values: `lower`, `title`, `upper`." + } } +variable "label_value_case" { + type = string + default = null + description = <<-EOT + The letter case of output label values (also used in `tags` and `id`). + Possible values: `lower`, `title`, `upper` and `none` (no transformation). + Default value: `lower`. + EOT + + validation { + condition = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case) + error_message = "Allowed values: `lower`, `title`, `upper`, `none`." + } +} #### End of copy of cloudposse/terraform-null-label/variables.tf diff --git a/main.tf b/main.tf index bb6d6226..c0d3c0f6 100644 --- a/main.tf +++ b/main.tf @@ -19,7 +19,7 @@ resource "aws_cloudwatch_log_group" "app" { module "alb_ingress" { source = "cloudposse/alb-ingress/aws" - version = "0.16.1" + version = "0.22.1" vpc_id = var.vpc_id port = var.container_port diff --git a/variables.tf b/variables.tf index 79a8070e..2d309480 100644 --- a/variables.tf +++ b/variables.tf @@ -805,9 +805,9 @@ variable "authentication_cognito_user_pool_domain" { } variable "authentication_cognito_scope" { - type = list(string) + type = string description = "Cognito scope" - default = [] + default = null } variable "authentication_oidc_client_id" { @@ -847,9 +847,9 @@ variable "authentication_oidc_user_info_endpoint" { } variable "authentication_oidc_scope" { - type = list(string) + type = string description = "OIDC scope" - default = [] + default = null } variable "codepipeline_build_compute_type" {