add pre-commit

.pre-commit-config.yaml

@@ -1,20 +1,28 @@
 repos:
 - repo: https://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.48.0
+  rev: v1.83.5
   hooks:
 #    - id: terraform_validate
     - id: terraform_fmt
-    - id: terraform_docs_replace
-      args: ['table']
+#    - id: terraform_docs_replace
+#      args: ['table']
+#      exclude: common/*.tf
+#      exclude: version.tf
+#      exclude: examples
+    - id: terraform_docs
       exclude: common/*.tf
       exclude: version.tf
-      exclude: examples/
-    - id: terraform_tflint 
-      args:  [ "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"]
-      exclude: examples/
+      exclude: examples
+      args:
+        - --args=--config=.terraform-docs.yml
+#    - id: terraform_tflint 
+#      args:  [ "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"]
+#      exclude: examples
+
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v3.4.0
+  rev: v4.5.0
   hooks:
     - id: check-symlinks
     - id: detect-aws-credentials
+      args: [ "--allow-missing-credentials" ]
     - id: detect-private-key

.terraform-docs.yml

@@ -0,0 +1,45 @@
+formatter: markdown table
+
+header-from: main.tf
+footer-from: ""
+
+sections:
+##  hide: []
+  show: 
+    - data-sources
+    - header
+    - footer
+    - inputs
+    - modules
+    - outputs
+    - providers
+    - requirements
+    - resources
+
+output:
+  file: README.md
+  mode: replace
+#   mode: inject
+#   template: |-
+#     <!-- BEGIN_TF_DOCS -->
+#     {{ .Content }}
+#     <!-- END_TF_DOCS -->
+
+## output-values:
+##   enabled: false
+##   from: ""
+## 
+## sort:
+##   enabled: true
+##   by: name
+## 
+## settings:
+##   anchor: true
+##   color: true
+##   default: true
+##   description: false
+##   escape: true
+##   indent: 2
+##   required: true
+##   sensitive: true
+##   type: true

CHANGELOG.md

@@ -1,5 +1,5 @@
 # Versions
 
-* v1.0.0 -- {{ yyyy-mm-dd }}
+* 1.0.0 -- 2024-01-02
   - initial creation
 

acm/certificate.tf

@@ -0,0 +1,24 @@
+locals {
+  cert_dns = lower(var.certificate_dns)
+  cert_san = distinct([for f in compact(concat([local.cert_dns], var.certificate_san)) : lower(f)])
+}
+
+#---
+# general purpose
+#---
+resource "aws_acm_certificate" "certificate" {
+  certificate_authority_arn = local.ca_longterm_settings.arn
+  domain_name               = local.cert_dns
+  subject_alternative_names = local.cert_san
+  #  early_renewal_duration    = "P60D"
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    { "boc:pki:mail" = var.contact_email },
+  )
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}

acm/data.acmpca-parameters.tf

@@ -0,0 +1 @@
+../common//data.acmpca-parameters.tf

acm/data.tf

@@ -0,0 +1 @@
+../common/data.tf

acm/defaults.tf

@@ -0,0 +1 @@
+../common/defaults.tf

acm/locals.tf

@@ -0,0 +1,9 @@
+locals {
+  account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+  account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+
+  base_tags = {
+    "boc:tf_module_version" = local._module_version
+    "boc:created_by"        = "terraform"
+  }
+}

acm/main.tf

@@ -0,0 +1,43 @@
+/* 
+* # About : aws-certificate/acm
+* 
+* This module creates and ACM certificate, using the general purpose (ca1) ACM-PCA in the local region. It will automatically
+* include the DNS name in the SAN.  You may add additonal SAN fully qualified domain names, but only DNS names are supported
+* in the SAN for an ACM certificate.
+* 
+* It returns the ACM ARN.
+*
+* # Usage
+* This shows the module call with how you would use it.
+*
+* ```hcl
+* module "cert" {
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acm"
+* 
+*   certificate_dns      = "test.domain.census.gov"
+*   contact_email        = "cio.engineering.alert.list@census.gov"
+*
+*   ## optional
+*   ## add additional names to SAN
+*   # certificate_san    = "otherdomain.domain.census.gov"
+* }
+*
+* # associating it with the ALB listener
+* resource "aws_lb_listener" "app_443" {
+*   count             = module.cert.certificate_arn != null ? 1 : 0
+*   load_balancer_arn = aws_lb.app.arn
+*   port              = 443
+*   protocol          = "HTTPS"
+*   ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
+*   certificate_arn   = module.cert.certificate_arn 
+* 
+*   default_action {
+*     type             = "forward"
+*     target_group_arn = aws_lb_target_group.app.arn
+*   }
+* }
+* ```
+*
+* The output value to look at is `certificate_arn`.  This is null if the certificate is incomplete or failed to load into ACM, or
+* the ARN if completed.   You'll use the ARN for an AWS LB Listener.
+*/

acm/output.tf

@@ -0,0 +1,4 @@
+output "certificate_arn" {
+  description = "ARN of created ACM Certificate"
+  value       = aws_acm_certificate.certificate.arn
+}

acm/prefixes.tf

@@ -0,0 +1 @@
+../common/prefixes.tf

acm/variables.common.tf

@@ -0,0 +1 @@
+../common/variables.common.tf

acm/variables.tf

@@ -0,0 +1,15 @@
+variable "certificate_dns" {
+  description = "DNS Name to be used for the certificate.  For ACM certificate, the subject and CN may not be customized."
+  type        = string
+}
+
+variable "certificate_san" {
+  description = "The Subject Alternate Names (SAN), a list of FQDNs to include in the ACM Certificate. Only DNS names are supported.  See docs at https://docs.aws.amazon.com/cli/latest/reference/acm/request-certificate.html"
+  type        = list(string)
+  default     = []
+}
+
+variable "contact_email" {
+  description = "Email address in @census.gov of contact for the certificate.  This is strongly recommended to be a group email address."
+  type        = string
+}

acm/version.tf

@@ -0,0 +1 @@
+../common/version.tf

acm/versions.tf

@@ -0,0 +1 @@
+../common/versions.tf

common/data.acmpca-parameters.tf

@@ -0,0 +1,14 @@
+data "aws_ssm_parameter" "ca_longterm" {
+  name = "/enterprise/pki/ca1"
+}
+locals {
+  ca_longterm_settings = jsondecode(data.aws_ssm_parameter.ca_longterm.value)
+}
+
+data "aws_ssm_parameter" "ca_shortterm" {
+  name = "/enterprise/pki/ca2"
+}
+locals {
+  ca_shortterm_settings = jsondecode(data.aws_ssm_parameter.ca_shortterm.value)
+}
+

common/defaults.tf

@@ -1,4 +1,9 @@
 locals {
   _defaults = {
+    "certificate" = {
+      "c"  = "US",
+      "o"  = "U.S. Census Bureau",
+      "ou" = "Servers",
+    }
   }
 }

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "0.0.0"
+  _module_version = "1.0.0"
 }

common/versions.tf

@@ -1,9 +1,25 @@
 terraform {
+  #  required_version = ">= 0.13"
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.66.0"
+      version = ">= 5.0"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = ">= 3.1.0"
+    }
+    local = {
+      source  = "hashicorp/local"
+      version = ">= 2.1.0"
+    }
+    tls = {
+      source  = "hashicorp/tls"
+      version = ">= 3.1.0"
+    }
+    http = {
+      source  = "hashicorp/http"
+      version = ">= 2.1.0"
     }
   }
-#  required_version = ">= 0.13"
 }