Keep it clean, tflint 🧹 (#47)

* add tflint workflow for all terraform directories

* resolve linting issues, add required provider versions, update utility scripts

.github/workflows/tflint.yaml

@@ -0,0 +1,47 @@
+name: Terraform Linting
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  tflint:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        dirs: [terraform/modules/oidc, terraform/modules/tfstate, terraform/implementation/setup, terraform/implementation/ecs]
+
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout source code
+
+      - uses: actions/cache@v4
+        name: Cache plugin dir
+        with:
+          path: ~/.tflint.d/plugins
+          key: ${{ matrix.dirs }}-tflint-${{ hashFiles('.tflint.hcl') }}
+
+      - uses: terraform-linters/setup-tflint@v4
+        name: Setup TFLint
+        with:
+          tflint_version: v0.52.0
+
+      - name: Show version
+        run: tflint --version
+
+      - name: Init TFLint
+        run: tflint --init
+        # If rate limiting becomes an issue, setup a GitHub token and enable it as an environment variable
+        # env:
+          # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+          # GITHUB_TOKEN: ${{ github.token }}
+
+      - name: Run TFLint
+        working-directory: ${{ github.workspace }}/${{matrix.dirs}}
+        run: tflint -f compact

terraform/implementation/ecs/README.md

@@ -3,43 +3,36 @@
 
 | Name | Version |
 |------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.9.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | =5.56.1 |
 
 ## Providers
 
-| Name | Version |
-|------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | =5.56.1 |
+No providers.
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_ecs"></a> [ecs](#module\_ecs) | ../../modules/ecs | n/a |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | n/a |
+| <a name="module_ecs"></a> [ecs](#module\_ecs) | CDCgov/dibbs-ecr-viewer/aws | 0.1.2 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 5.16.0 |
 
 ## Resources
 
-| Name | Type |
-|------|------|
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/5.56.1/docs/data-sources/caller_identity) | data source |
+No resources.
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | The availability zones to use | `list(string)` | <pre>[<br>  "us-east-1a",<br>  "us-east-1b",<br>  "us-east-1c"<br>]</pre> | no |
-| <a name="input_ecr_viewer_database_schema"></a> [ecr\_viewer\_database\_schema](#input\_ecr\_viewer\_database\_schema) | The database schema used for the eCR data tables | `string` | `"core"` | no |
-| <a name="input_ecr_viewer_database_type"></a> [ecr\_viewer\_database\_type](#input\_ecr\_viewer\_database\_type) | The SQL variant used for the eCR data tables | `string` | `"postgres"` | no |
-| <a name="input_ecs_alb_sg"></a> [ecs\_alb\_sg](#input\_ecs\_alb\_sg) | The security group for the Application Load Balancer | `string` | `"ecs-albsg"` | no |
 | <a name="input_internal"></a> [internal](#input\_internal) | Flag to determine if the several AWS resources are public (intended for external access, public internet) or private (only intended to be accessed within your AWS VPC or avaiable with other means, a transit gateway for example). | `bool` | `true` | no |
 | <a name="input_owner"></a> [owner](#input\_owner) | The owner of the infrastructure | `string` | `"skylight"` | no |
-| <a name="input_phdi_version"></a> [phdi\_version](#input\_phdi\_version) | PHDI container image version | `string` | `"v1.4.4"` | no |
+| <a name="input_phdi_version"></a> [phdi\_version](#input\_phdi\_version) | PHDI container image version | `string` | `"v1.6.9"` | no |
 | <a name="input_private_subnets"></a> [private\_subnets](#input\_private\_subnets) | The private subnets | `list(string)` | <pre>[<br>  "176.24.1.0/24",<br>  "176.24.3.0/24"<br>]</pre> | no |
 | <a name="input_project"></a> [project](#input\_project) | The project name | `string` | `"dibbs"` | no |
 | <a name="input_public_subnets"></a> [public\_subnets](#input\_public\_subnets) | The public subnets | `list(string)` | <pre>[<br>  "176.24.2.0/24",<br>  "176.24.4.0/24"<br>]</pre> | no |
 | <a name="input_region"></a> [region](#input\_region) | AWS region | `string` | `"us-east-1"` | no |
-| <a name="input_vpc"></a> [vpc](#input\_vpc) | The name of the VPC | `string` | `"ecs-vpc"` | no |
 | <a name="input_vpc_cidr"></a> [vpc\_cidr](#input\_vpc\_cidr) | The CIDR block for the VPC | `string` | `"176.24.0.0/16"` | no |
 
 ## Outputs

terraform/implementation/ecs/_variable.tf

@@ -10,12 +10,6 @@ variable "internal" {
   default     = true
 }
 
-variable "ecs_alb_sg" {
-  description = "The security group for the Application Load Balancer"
-  type        = string
-  default     = "ecs-albsg"
-}
-
 variable "owner" {
   description = "The owner of the infrastructure"
   type        = string
@@ -26,7 +20,7 @@ variable "owner" {
 variable "phdi_version" {
   description = "PHDI container image version"
   type        = string
-  default     = "v1.4.4"
+  default     = "v1.6.9"
 }
 
 variable "private_subnets" {
@@ -53,12 +47,6 @@ variable "region" {
   default     = "us-east-1"
 }
 
-variable "vpc" {
-  description = "The name of the VPC"
-  type        = string
-  default     = "ecs-vpc"
-}
-
 variable "vpc_cidr" {
   description = "The CIDR block for the VPC"
   type        = string

terraform/implementation/ecs/main.tf

@@ -1,5 +1,6 @@
 module "vpc" {
-  source = "terraform-aws-modules/vpc/aws"
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "5.16.0"
 
   name            = local.vpc_name
   cidr            = var.vpc_cidr
@@ -22,9 +23,10 @@ module "ecs" {
   vpc_id             = module.vpc.vpc_id
   region             = var.region
 
-  owner   = var.owner
-  project = var.project
-  tags    = local.tags
+  owner        = var.owner
+  project      = var.project
+  tags         = local.tags
+  phdi_version = var.phdi_version
 
   # If intent is to pull from the phdi GHCR, set disable_ecr to true (default is false)
   # disable_ecr = true

terraform/implementation/ecs/provider.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = "~> 1.9.0"
+}

terraform/implementation/setup/README.md

@@ -3,7 +3,11 @@
 
 | Name | Version |
 |------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.9.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | =5.70.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.56.1 |
+| <a name="requirement_local"></a> [local](#requirement\_local) | ~> 2.5.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.6.3 |
 
 ## Providers
 

terraform/implementation/setup/main.tf

@@ -9,7 +9,6 @@ module "tfstate" {
   identifier = random_string.setup.result
   owner      = var.owner
   project    = var.project
-  region     = var.region
 }
 
 # GitHub OIDC for prod

terraform/implementation/setup/provider.tf

@@ -0,0 +1,17 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.56.1"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.6.3"
+    }
+    local = {
+      source  = "hashicorp/local"
+      version = "~> 2.5.0"
+    }
+  }
+  required_version = "~> 1.9.0"
+}

terraform/modules/oidc/README.md

@@ -0,0 +1,62 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.9.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.56.1 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.6.3 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.56.1 |
+| <a name="provider_random"></a> [random](#provider\_random) | ~> 3.6.3 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy.request_tags_create_actions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.resource_tags_delete_actions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.resource_tags_update_actions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.scoped_one](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.scoped_two](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.wildcard](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [random_string.oidc](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.github_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.request_tags_create_actions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.resource_tags_delete_actions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.resource_tags_update_actions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.scoped_one](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.scoped_two](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.wildcard](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_dynamodb_table_arn"></a> [dynamodb\_table\_arn](#input\_dynamodb\_table\_arn) | The ARN of the DynamoDB table for state | `string` | `""` | no |
+| <a name="input_oidc_github_repo"></a> [oidc\_github\_repo](#input\_oidc\_github\_repo) | The GitHub repository for OIDC | `string` | `""` | no |
+| <a name="input_owner"></a> [owner](#input\_owner) | The owner of the project | `string` | `"skylight"` | no |
+| <a name="input_project"></a> [project](#input\_project) | The name of the project | `string` | `"dibbs"` | no |
+| <a name="input_region"></a> [region](#input\_region) | The AWS region where resources are created | `string` | `""` | no |
+| <a name="input_state_bucket_arn"></a> [state\_bucket\_arn](#input\_state\_bucket\_arn) | The ARN of the S3 bucket for state | `string` | `""` | no |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | ID of the VPC | `string` | `""` | no |
+| <a name="input_workspace"></a> [workspace](#input\_workspace) | terraform workspace that OIDC will have permissions to | `string` | `""` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_role"></a> [role](#output\_role) | n/a |
+<!-- END_TF_DOCS -->

terraform/modules/oidc/_data.tf

@@ -38,9 +38,9 @@ data "aws_iam_policy_document" "storage" {
     ]
     resources = [
       "arn:aws:s3:::*",
-      "${var.state_bucket_arn}",
+      var.state_bucket_arn,
       "${var.state_bucket_arn}/*",
-      "${var.dynamodb_table_arn}",
+      var.dynamodb_table_arn,
     ]
   }
 }

terraform/modules/oidc/_local.tf

@@ -1,7 +1,6 @@
 locals {
   github_role_name        = "${var.project}-github-role-${var.owner}-${random_string.oidc.result}"
   project_owner_workspace = "${var.project}-${var.owner}-${var.workspace}"
-  workspace               = var.workspace
   wildcard                = "*"
   vpc_id                  = var.vpc_id == "" ? local.wildcard : var.vpc_id
 }

terraform/modules/oidc/provider.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.56.1"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.6.3"
+    }
+  }
+  required_version = "~> 1.9.0"
+}

terraform/modules/tfstate/README.md

@@ -0,0 +1,43 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.9.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.56.1 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.56.1 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_dynamodb_table.tfstate_lock](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource |
+| [aws_s3_bucket.tfstate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_public_access_block.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_versioning.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_identifier"></a> [identifier](#input\_identifier) | n/a | `string` | `""` | no |
+| <a name="input_owner"></a> [owner](#input\_owner) | The owner of the project | `string` | `"skylight"` | no |
+| <a name="input_project"></a> [project](#input\_project) | The name of the project | `string` | `"dibbs"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_dynamodb_table"></a> [dynamodb\_table](#output\_dynamodb\_table) | n/a |
+| <a name="output_state_bucket"></a> [state\_bucket](#output\_state\_bucket) | n/a |
+<!-- END_TF_DOCS -->

terraform/modules/tfstate/_variable.tf

@@ -14,16 +14,6 @@ variable "project" {
   default     = "dibbs"
 }
 
-variable "region" {
-  type        = string
-  description = "The AWS region where resources are created"
-  default     = ""
-  validation {
-    condition     = can(regex("^(us)-[[:alnum:]]{2,10}-[0-9]$", var.region))
-    error_message = "region must be a valid AWS region"
-  }
-}
-
 variable "identifier" {
   type    = string
   default = ""

terraform/modules/tfstate/provider.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.56.1"
+    }
+  }
+  required_version = "~> 1.9.0"
+}

terraform/utilities/generate_tf_docs.sh → terraform/utilities/tfdocs.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 
-terraform-docs markdown table --output-file README.md --output-mode inject ../modules/ecs
+terraform-docs markdown table --output-file README.md --output-mode inject ../modules/oidc
+terraform-docs markdown table --output-file README.md --output-mode inject ../modules/tfstate
 terraform-docs markdown table --output-file README.md --output-mode inject ../implementation/ecs
 terraform-docs markdown table --output-file README.md --output-mode inject ../implementation/setup

terraform/utilities/tflint.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+tflint -f compact --chdir ../modules/oidc
+tflint -f compact --chdir ../modules/tfstate
+tflint -f compact --chdir ../implementation/setup
+tflint -f compact --chdir ../implementation/ecs