add pre-commit

terraform-modules · Aug 12, 2025 · 032ec08 · 032ec08
1 parent f024b6d
commit 032ec08
Show file tree

Hide file tree

Showing 18 changed files with 253 additions and 187 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,20 +1,27 @@
 repos:
 - repo: https://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.48.0
+  rev: v1.83.5
   hooks:
 #    - id: terraform_validate
     - id: terraform_fmt
-    - id: terraform_docs_replace
-      args: ['table']
-      exclude: common/*.tf
+#    - id: terraform_docs_replace
+#      args: ['table']
+#      exclude: common/*.tf
+#      exclude: version.tf
+#      exclude: examples
+    - id: terraform_docs
       exclude: version.tf
-      exclude: examples/
-    - id: terraform_tflint 
-      args:  [ "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"]
-      exclude: examples/
+      exclude: examples
+      args:
+        - --args=--config .terraform-docs.yml
+#    - id: terraform_tflint 
+#      args:  [ "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"]
+#      exclude: examples
+
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v3.4.0
+  rev: v4.5.0
   hooks:
     - id: check-symlinks
     - id: detect-aws-credentials
+      args: [ "--allow-missing-credentials" ]
     - id: detect-private-key
diff --git a/.terraform-docs.yml b/.terraform-docs.yml
@@ -0,0 +1,45 @@
+formatter: markdown table
+
+header-from: main.tf
+footer-from: ""
+
+sections:
+##  hide: []
+  show: 
+    - data-sources
+    - header
+    - footer
+    - inputs
+    - modules
+    - outputs
+    - providers
+    - requirements
+    - resources
+
+output:
+  file: README.md
+  mode: replace
+#   mode: inject
+#   template: |-
+#     <!-- BEGIN_TF_DOCS -->
+#     {{ .Content }}
+#     <!-- END_TF_DOCS -->
+
+## output-values:
+##   enabled: false
+##   from: ""
+## 
+## sort:
+##   enabled: true
+##   by: name
+## 
+## settings:
+##   anchor: true
+##   color: true
+##   default: true
+##   description: false
+##   escape: true
+##   indent: 2
+##   required: true
+##   sensitive: true
+##   type: true
diff --git a/README.md b/README.md
diff --git a/base.tf b/base.tf
@@ -1,4 +1,4 @@
 module "base" {
-  source   = "git@github.e.it.census.gov:terraform-modules/boc-nts//base-label"
-#  filename = format("%v/%v", path.module, "base.yml")
+  source = "git@github.e.it.census.gov:terraform-modules/boc-nts//base-label"
+  #  filename = format("%v/%v", path.module, "base.yml")
 }
diff --git a/eventbridge.guardduty.tf b/eventbridge.guardduty.tf
@@ -42,7 +42,7 @@ resource "aws_cloudwatch_log_resource_policy" "guardduty_event_log" {
 }
 
 module "eventbridge_guardduty" {
-  source = "terraform-aws-modules/eventbridge/aws"
+  source    = "terraform-aws-modules/eventbridge/aws"
   role_name = format("%v%v-%v-%v", try(module.base.prefixes.role, ""), var.input_resource_label, "in", "guardduty")
 
   append_rule_postfix = false

diff --git a/eventbridge.s3.tf b/eventbridge.s3.tf
@@ -1,5 +1,5 @@
 module "eventbridge_s3" {
-  source = "terraform-aws-modules/eventbridge/aws"
+  source    = "terraform-aws-modules/eventbridge/aws"
   role_name = format("%v%v-%v-%v", try(module.base.prefixes.role, ""), var.input_resource_label, "clean", "s3")
 
   append_rule_postfix = false

diff --git a/lambda.layer.tf b/lambda.layer.tf
@@ -1,15 +1,15 @@
 module "lambda_layer" {
   source = "terraform-aws-modules/lambda/aws"
 
-  create_layer   = true
-#  create_package = true
+  create_layer = true
+  #  create_package = true
   create_package = false
 
   layer_name          = format("%v-common", var.input_resource_label)
   description         = "DAHRTS DAPPS common code"
   compatible_runtimes = [format("python%v", var.python_runtime)]
 
-  local_existing_package = format("%v/%v/%v",path.module,"code","darhts-guardduty-move.package.zip")
+  local_existing_package = format("%v/%v/%v", path.module, "code", "darhts-guardduty-move.package.zip")
   source_path = [
     {
       path = "${path.root}/code/packages",

diff --git a/lambda.move.tf b/lambda.move.tf
@@ -30,21 +30,21 @@ module "lambda_move" {
   tracing_mode                   = "PassThrough"
   reserved_concurrent_executions = -1
 
-  local_existing_package = format("%v/%v/%v",path.module,"code","darhts-guardduty-move.zip")
-  source_path = "${path.root}/code/darhts-guardduty-move.py"
+  local_existing_package = format("%v/%v/%v", path.module, "code", "darhts-guardduty-move.zip")
+  source_path            = "${path.root}/code/darhts-guardduty-move.py"
 
   layers = [
     module.lambda_layer.lambda_layer_arn,
   ]
 
   environment_variables = merge(
     {
-      Enabled                          = true
-      GUARDDUTY_MOVE_VERBOSE           = false
+      Enabled                          = local.settings["guardduty-move"].enabled
+      GUARDDUTY_MOVE_VERBOSE           = local.settings["guardduty-move"].verbose
       GUARDDUTY_MOVE_BUCKET_IN         = module.files_in.s3_bucket_id
       GUARDDUTY_MOVE_BUCKET_CLEAN      = module.files_clean.s3_bucket_id
       GUARDDUTY_MOVE_BUCKET_QUARANTINE = module.files_quarantine.s3_bucket_id
-      POWERTOOLS_LOG_LEVEL = "INFO"
+      POWERTOOLS_LOG_LEVEL             = local.settings["guardduty-move"].log_level
     },
     var.lambda_environment_variables_override,
   )

diff --git a/lambda.notify.tf b/lambda.notify.tf
@@ -1,8 +1,8 @@
 module "lambda_notify" {
   source = "terraform-aws-modules/lambda/aws"
 
-  create_function           = true
-#  create_package            = true
+  create_function = true
+  #  create_package            = true
   create_package            = false
   create_role               = true
   create_async_event_config = true
@@ -33,23 +33,23 @@ module "lambda_notify" {
   dead_letter_target_arn         = module.lambda_notify_failure.queue_arn
 
 
-  local_existing_package = format("%v/%v/%v",path.module,"code","darhts-guardduty-notify.zip")
-  source_path = "${path.root}/code/darhts-guardduty-notify.py"
+  local_existing_package = format("%v/%v/%v", path.module, "code", "darhts-guardduty-notify.zip")
+  source_path            = "${path.root}/code/darhts-guardduty-notify.py"
 
   layers = [
     module.lambda_layer.lambda_layer_arn,
   ]
 
   environment_variables = merge(
     {
-      Enabled                                 = true
-      GUARDDUTY_NOTIFY_VERBOSE                = false
+      Enabled                                 = local.settings["guardduty-notify"].enabled
+      GUARDDUTY_NOTIFY_VERBOSE                = local.settings["guardduty-notify"].verbose
       GUARDDUTY_NOTIFY_SECRET_NAME            = var.secret_name
-      GUARDDUTY_NOTIFY_ENVIRONMENT            = var.app_info.environment
-      GUARDDUTY_NOTIFY_AUTH_URL               = var.app_info.token_url
-      GUARDDUTY_NOTIFY_SALESFORCE_API_VERSION = var.app_info.salesforce_api_version
-      GUARDDUTY_NOTIFY_PLATFORM_EVENT_NAME    = "GuardDutyObjectScan__e"
-      POWERTOOLS_LOG_LEVEL = "INFO"
+      GUARDDUTY_NOTIFY_ENVIRONMENT            = local.settings["guardduty-notify"].environment
+      GUARDDUTY_NOTIFY_AUTH_URL               = local.settings["guardduty-notify"].auth_url
+      GUARDDUTY_NOTIFY_SALESFORCE_API_VERSION = local.settings["guardduty-notify"].salesforce_api_version
+      GUARDDUTY_NOTIFY_PLATFORM_EVENT_NAME    = local.settings["guardduty-notify"].platform_event_name
+      POWERTOOLS_LOG_LEVEL                    = local.settings["guardduty-notify"].log_level
     },
     var.lambda_environment_variables_override,
   )

diff --git a/lambda.s3-tag.tf b/lambda.s3-tag.tf
@@ -1,8 +1,8 @@
 module "lambda_s3_tag" {
   source = "terraform-aws-modules/lambda/aws"
 
-  create_function           = true
-#  create_package            = true
+  create_function = true
+  #  create_package            = true
   create_package            = false
   create_role               = true
   create_async_event_config = true
@@ -33,26 +33,22 @@ module "lambda_s3_tag" {
   dead_letter_target_arn         = module.lambda_s3_tag_failure.queue_arn
 
 
-  local_existing_package = format("%v/%v/%v",path.module,"code","darhts-s3-tag.zip")
-  source_path = "${path.root}/code/darhts-s3-tag.py"
+  local_existing_package = format("%v/%v/%v", path.module, "code", "darhts-s3-tag.zip")
+  source_path            = "${path.root}/code/darhts-s3-tag.py"
 
   layers = [
     module.lambda_layer.lambda_layer_arn,
   ]
 
   environment_variables = merge(
     {
-      Enabled                 = true
-      S3_TAG_VERBOSE          = false
-      S3_TAG_ENVIRONMENT      = var.app_info.environment
+      Enabled                 = local.settings["s3-tag"].enabled
+      S3_TAG_VERBOSE          = local.settings["s3-tag"].verbose
+      S3_TAG_ENVIRONMENT      = local.settings["s3-tag"].environment
       S3_TAG_BUCKET_CLEAN_IN  = module.files_clean.s3_bucket_id
       S3_TAG_BUCKET_CLEAN_OUT = module.files_out_clean.s3_bucket_id
-      S3_TAG_TRIGGER_TAGS = jsonencode({
-        GuardDutyMalwareScanStatus = "NO_THREATS_FOUND"
-        darhts_certified           = "true"
-      })
-      # use DEBUG for debbuing, along with S3_MOVE_VERBOSE
-      POWERTOOLS_LOG_LEVEL = "INFO"
+      S3_TAG_TRIGGER_TAGS     = jsonencode(local.settings["s3-tag"].trigger_tags)
+      POWERTOOLS_LOG_LEVEL    = local.settings["s3-tag"].log_level
     },
     var.lambda_environment_variables_override,
   )

diff --git a/lambda.s3.tf b/lambda.s3.tf
@@ -1,8 +1,8 @@
 module "lambda_s3" {
   source = "terraform-aws-modules/lambda/aws"
 
-  create_function           = true
-#  create_package            = true
+  create_function = true
+  #  create_package            = true
   create_package            = false
   create_role               = true
   create_async_event_config = true
@@ -33,23 +33,23 @@ module "lambda_s3" {
   dead_letter_target_arn         = module.lambda_s3_failure.queue_arn
 
 
-  local_existing_package = format("%v/%v/%v",path.module,"code","darhts-s3-notify.zip")
-  source_path = "${path.root}/code/darhts-s3-notify.py"
+  local_existing_package = format("%v/%v/%v", path.module, "code", "darhts-s3-notify.zip")
+  source_path            = "${path.root}/code/darhts-s3-notify.py"
 
   layers = [
     module.lambda_layer.lambda_layer_arn,
   ]
 
   environment_variables = merge(
     {
-      Enabled                          = true
-      S3_NOTIFY_VERBOSE                = false
+      Enabled                          = local.settings["s3"].enabled
+      S3_NOTIFY_VERBOSE                = local.settings["s3"].verbose
       S3_NOTIFY_SECRET_NAME            = var.secret_name
-      S3_NOTIFY_ENVIRONMENT            = var.app_info.environment
-      S3_NOTIFY_AUTH_URL               = var.app_info.token_url
-      S3_NOTIFY_SALESFORCE_API_VERSION = var.app_info.salesforce_api_version
-      S3_NOTIFY_PLATFORM_EVENT_NAME    = "DARHTSCleanCreateObjectEvent__e"
-      POWERTOOLS_LOG_LEVEL = "INFO"
+      S3_NOTIFY_ENVIRONMENT            = local.settings["s3"].environment
+      S3_NOTIFY_AUTH_URL               = local.settings["s3"].auth_url
+      S3_NOTIFY_SALESFORCE_API_VERSION = local.settings["s3"].salesforce_api_version
+      S3_NOTIFY_PLATFORM_EVENT_NAME    = local.settings["s3"].platform_event_name
+      POWERTOOLS_LOG_LEVEL             = local.settings["s3"].log_level
     },
     var.lambda_environment_variables_override,
   )

diff --git a/main.tf b/main.tf
@@ -1,13 +1,18 @@
+/*
+* # About aws-app-ditd-darhts-s3-transfer
+*
+*/
+
 locals {
   account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
   account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
   region              = data.aws_region.current.name
-  region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
-  iam_arn      = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id)
+  region_short        = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
+  iam_arn             = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id)
 
   base_tags = {
     "boc:created_by"        = "terraform"
     "boc:tf_module_version" = local._module_version
-    "boc:tf_module_name" = local._module_name
+    "boc:tf_module_name"    = local._module_name
   }
 }
diff --git a/outputs.tf b/outputs.tf
@@ -10,34 +10,34 @@
 output "s3_bucket_files_in" {
   description = "files-in bucket ARN and id"
   value = {
-    id  = module.files_in.s3_bucket_id
-    arn = module.files_in.s3_bucket_arn
+    id      = module.files_in.s3_bucket_id
+    arn     = module.files_in.s3_bucket_arn
     key_arn = module.files_in.kms_key_arn
   }
 }
 
 output "s3_bucket_files_quarantine" {
   description = "files-quarantine bucket ARN and id"
   value = {
-    id  = module.files_quarantine.s3_bucket_id
-    arn = module.files_quarantine.s3_bucket_arn
+    id      = module.files_quarantine.s3_bucket_id
+    arn     = module.files_quarantine.s3_bucket_arn
     key_arn = module.files_quarantine.kms_key_arn
   }
 }
 
 output "s3_bucket_files_clean" {
   description = "files-clean bucket ARN and id"
   value = {
-    id  = module.files_clean.s3_bucket_id
-    arn = module.files_clean.s3_bucket_arn
+    id      = module.files_clean.s3_bucket_id
+    arn     = module.files_clean.s3_bucket_arn
     key_arn = module.files_clean.kms_key_arn
   }
 }
 output "s3_bucket_files_out_clean" {
   description = "files-out-clean bucket ARN and id"
   value = {
-    id  = module.files_out_clean.s3_bucket_id
-    arn = module.files_out_clean.s3_bucket_arn
+    id      = module.files_out_clean.s3_bucket_id
+    arn     = module.files_out_clean.s3_bucket_arn
     key_arn = module.files_out_clean.kms_key_arn
   }
 }
diff --git a/secret.tf b/secret.tf
@@ -13,7 +13,7 @@ resource "aws_secretsmanager_secret" "app_secret" {
     local.base_tags,
     var.tags,
     local.input_finops_roles["secret"],
-    { Name = var.app_info.secret_name},
+    { Name = var.secret_name },
   )
 }
 
@@ -77,7 +77,7 @@ data "aws_iam_policy_document" "app_secret_key" {
 }
 
 resource "aws_kms_key" "app_secret" {
-  description         = format("KMS CMK %v in %v", var.app_info.key_name, local.region)
+  description         = format("KMS CMK %v in %v", var.secret_key_name, local.region)
   enable_key_rotation = true
   policy              = data.aws_iam_policy_document.app_secret_key.json
   multi_region        = false
@@ -86,11 +86,11 @@ resource "aws_kms_key" "app_secret" {
     local.base_tags,
     var.tags,
     local.input_finops_roles["kms"],
-    { Name = format("v-kms-%v", var.app_info.key_name) },
+    { Name = format("v-kms-%v", var.secret_key_name) },
   )
 }
 
 resource "aws_kms_alias" "app_secret" {
-  name          = format("alias/v-kms-%v", var.app_info.key_name)
+  name          = format("alias/v-kms-%v", var.secret_key_name)
   target_key_id = aws_kms_key.app_secret.key_id
 }
diff --git a/settings.tf b/settings.tf
@@ -1,11 +1,11 @@
 locals {
-  _settings = var.settings
+  _settings        = var.settings
   settings_default = yamldecode(file("${path.module}/settings.default.yml"))
-  settings = { for k in keys(var.settings_default): k => merge(
+  settings = { for k in keys(local.settings_default) : k => merge(
     local.settings_default["default"],
     local.settings_default[k],
     local._settings[k],
-  ) if k!="default" }
+  ) if k != "default" }
 }
 
 output "settings" {