diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..231c9a6 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,2 @@ +# These owners will be the default owners for everything in the repo. +* @anmolnagpal @clouddrove/approvers @clouddrove-ci diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..e414e28 --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,12 @@ +## what +* Describe high-level what changed as a result of these commits (i.e. in plain-english, what do these changes mean?) +* Use bullet points to be concise and to the point. + +## why +* Provide the justifications for the changes (e.g. business case). +* Describe why these changes were made (e.g. why do these commits fix the problem?) +* Use bullet points to be concise and to the point. + +## references +* Link to any supporting jira issues or helpful documentation to add some context (e.g. stackoverflow). +* Use `closes #123`, if this PR closes a Jira issue `#123` diff --git a/.github/workflows/auto_assignee.yml b/.github/workflows/auto_assignee.yml new file mode 100644 index 0000000..f8b8bcd --- /dev/null +++ b/.github/workflows/auto_assignee.yml @@ -0,0 +1,14 @@ +name: Auto Assign PRs + +on: + pull_request: + types: [opened, reopened] + + workflow_dispatch: +jobs: + assignee: + uses: clouddrove/github-shared-workflows/.github/workflows/auto_assignee.yml@master + secrets: + GITHUB: ${{ secrets.GITHUB }} + with: + assignees: 'clouddrove-ci' diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml index 4b735f5..1ee6f78 100644 --- a/.github/workflows/changelog.yml +++ b/.github/workflows/changelog.yml @@ -10,4 +10,4 @@ jobs: uses: clouddrove/github-shared-workflows/.github/workflows/changelog.yml@master secrets: inherit with: - branch: 'master' \ No newline at end of file + branch: 'master' 
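Review bot: The new caller workflow pins the reusable workflow to a moving branch (`uses: clouddrove/github-shared-workflows/.github/workflows/auto_assignee.yml@master`) while handing it `secrets.GITHUB`, so anyone who can push to that branch changes what runs with this repository's token without any review here; pin to a release tag or, better, a full commit SHA. The same moving-ref pattern appears in the tf-checks.yml and tflint.yml added by this commit, and readme.yml moves `actions/checkout` from a tag to `@master`. None of the new caller workflows declares `permissions:`, so the job token receives the repository default; a top-level `permissions: contents: read` plus only the scopes the called workflow actually needs keeps it at least privilege. The `assignees: 'clouddrove-ci'` value and `workflow_dispatch` trigger are fine as written.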
diff --git a/.github/workflows/readme.yml b/.github/workflows/readme.yml index ed5baca..9961649 100644 --- a/.github/workflows/readme.yml +++ b/.github/workflows/readme.yml @@ -5,15 +5,15 @@ on: - master jobs: - readme-create: + readme: name: 'readme-create' runs-on: ubuntu-latest steps: - name: 'Checkout' - uses: actions/checkout@v2.3.4 + uses: actions/checkout@master - name: 'Set up Python 3.7' - uses: actions/setup-python@v2 + uses: actions/setup-python@v4 with: python-version: '3.x' @@ -21,17 +21,17 @@ jobs: uses: 'clouddrove/github-actions@v9.0.2' with: actions_subcommand: 'readme' - github_token: '${{ secrets.GITHUB}}' + github_token: '${{ secrets.GITHUB }}' env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: 'pre-commit check errors' - uses: pre-commit/action@v2.0.0 + uses: pre-commit/action@v3.0.0 continue-on-error: true - - name: 'pre-commit fix errors' - uses: pre-commit/action@v2.0.0 + - name: 'pre-commit fix erros' + uses: pre-commit/action@v3.0.0 continue-on-error: true - name: 'push readme' @@ -40,7 +40,7 @@ jobs: with: actions_subcommand: 'push' env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: 'Slack Notification' uses: clouddrove/action-slack@v2 @@ -51,4 +51,4 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # required SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_TERRAFORM }} # required - if: always() \ No newline at end of file + if: always() diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml deleted file mode 100644 index bd20d90..0000000 --- a/.github/workflows/terraform.yml +++ /dev/null 
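Review bot: The renamed step introduces a typo on the new side, `- name: 'pre-commit fix erros'`; it should read `- name: 'pre-commit fix errors'`, matching the preceding 'pre-commit check errors' step. In the first hunk the checkout step goes from a pinned `actions/checkout@v2.3.4` to `actions/checkout@master`, the opposite direction from the other bumps in this file (`setup-python@v4`, `pre-commit/action@v3.0.0`), and it lets upstream changes land in this job unreviewed; use a release tag such as `actions/checkout@v3` or a commit SHA. The context line `name: 'Set up Python 3.7'` is also out of step with `python-version: '3.x'` (pre-existing, but it sits in the hunk). The `${{ secrets.GITHUB }}` spacing fixes are fine.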
@@ -1,84 +0,0 @@ -name: static-checks - -on: - pull_request: - -jobs: - versionExtract: - name: Get min/max versions - runs-on: ubuntu-latest - - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Terraform min/max versions - id: minMax - uses: clowdhaus/terraform-min-max@main - outputs: - minVersion: ${{ steps.minMax.outputs.minVersion }} - maxVersion: ${{ steps.minMax.outputs.maxVersion }} - - - versionEvaluate: - name: Evaluate Terraform versions - runs-on: ubuntu-latest - needs: versionExtract - strategy: - fail-fast: false - matrix: - version: - - ${{ needs.versionExtract.outputs.minVersion }} - - ${{ needs.versionExtract.outputs.maxVersion }} - directory: - - _example/ - - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Install Terraform v${{ matrix.version }} - uses: hashicorp/setup-terraform@v1 - with: - terraform_version: ${{ matrix.version }} - - - name: 'Configure AWS Credentials' - uses: clouddrove/configure-aws-credentials@v1 - with: - aws-access-key-id: ${{ secrets.TEST_AWS_ACCESS_KEY }} - aws-secret-access-key: ${{ secrets.TEST_AWS_ACCESS_SECRET_KEY }} - aws-region: us-east-2 - - - name: Init & validate v${{ matrix.version }} - run: | - cd ${{ matrix.directory }} - terraform init - terraform validate - - - - name: tflint - uses: reviewdog/action-tflint@master - with: - tflint_version: v0.29.0 - github_token: ${{ secrets.GITHUB }} - working_directory: ${{ matrix.directory }} - fail_on_error: 'true' - filter_mode: 'nofilter' - flags: '--module' - - format: - name: Check code format - runs-on: ubuntu-latest - needs: versionExtract - - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Install Terraform v${{ needs.versionExtract.outputs.maxVersion }} - uses: hashicorp/setup-terraform@v1 - with: - terraform_version: ${{ needs.versionExtract.outputs.maxVersion }} - - - name: Check Terraform format changes - run: terraform fmt --recursive \ No newline at end of file 
diff --git a/.github/workflows/terratest.yml b/.github/workflows/terratest.yml deleted file mode 100644 index a043a42..0000000 --- a/.github/workflows/terratest.yml +++ /dev/null @@ -1,40 +0,0 @@ -name: 'Terratest GitHub Actions' -on: - pull_request: - branches: - - master - types: [labeled] - -jobs: - Terratest: - name: 'terratest' - runs-on: ubuntu-latest - steps: - - - name: 'Checkout' - uses: actions/checkout@v2.3.4 - - - name: 'Configure AWS Credentials' - uses: clouddrove/configure-aws-credentials@v1 - with: - aws-access-key-id: ${{ secrets.TEST_AWS_ACCESS_KEY }} - aws-secret-access-key: ${{ secrets.TEST_AWS_ACCESS_SECRET_KEY }} - aws-region: us-east-2 - - - name: 'terratest' - uses: 'clouddrove/github-actions@v9.0.2' - with: - actions_subcommand: 'terratest' - if: ${{ github.event.label.name == 'terratest' }} - tf_actions_working_dir: '_test' - - - name: 'Slack Notification' - uses: clouddrove/action-slack@v2 - with: - status: ${{ job.status }} - fields: repo,author - author_name: 'CloudDrove' - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # required - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_TERRAFORM }} # required - if: always() diff --git a/.github/workflows/tf-checks.yml b/.github/workflows/tf-checks.yml new file mode 100644 index 0000000..0f02313 --- /dev/null +++ b/.github/workflows/tf-checks.yml @@ -0,0 +1,11 @@ +name: tf-checks +on: + push: + branches: [ master ] + pull_request: + workflow_dispatch: +jobs: + example: + uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master + with: + working_directory: './_example/' \ No newline at end of file diff --git a/.github/workflows/tflint.yml b/.github/workflows/tflint.yml new file mode 100644 index 0000000..5b8aa91 --- /dev/null +++ b/.github/workflows/tflint.yml 
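Review bot: tf-checks.yml is added without a trailing newline (`\ No newline at end of file`), while this same commit fixes exactly that in changelog.yml and readme.yml; end the file with a newline so the next edit does not produce a spurious diff. The reusable workflow is called with no `secrets:` block, whereas the static-checks and terratest workflows deleted here passed `TEST_AWS_ACCESS_KEY`/`TEST_AWS_ACCESS_SECRET_KEY` for init/validate of `_example`; presumably the shared tf-checks workflow needs no credentials for that, but confirm against the called workflow, otherwise the job fails at init. `working_directory: './_example/'` mixes a leading `./` and trailing `/` with the bare `_example/` the old matrix used; harmless, but pick one form.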
@@ -0,0 +1,11 @@ +name: tf-lint +on: + push: + branches: [ master ] + pull_request: + workflow_dispatch: +jobs: + tflint: + uses: clouddrove/test-tfsec/.github/workflows/tflint.yaml@master + secrets: + GITHUB: ${{ secrets.GITHUB }} diff --git a/README.yaml b/README.yaml index ec0d411..fc84ed8 100644 --- a/README.yaml +++ b/README.yaml @@ -16,22 +16,17 @@ github_repo: clouddrove/terraform-aws-vpn # Badges to display badges: - - name: "Terraform" - image: "https://img.shields.io/badge/Terraform-v1.1.7-green" - url: "https://www.terraform.io" - - name: "Licence" - image: "https://img.shields.io/badge/License-APACHE-blue.svg" - url: "LICENSE.md" + - name: "Latest Release" + image: "https://img.shields.io/github/release/clouddrove/terraform-aws-vpn.svg" + url: "https://github.com/clouddrove/terraform-aws-vpn/releases/latest" - name: "tfsec" image: "https://github.com/clouddrove/terraform-aws-vpn/actions/workflows/tfsec.yml/badge.svg" url: "https://github.com/clouddrove/terraform-aws-vpn/actions/workflows/tfsec.yml" - - name: "static-checks" - image: "https://github.com/clouddrove/terraform-aws-vpn/actions/workflows/terraform.yml/badge.svg" - url: "https://github.com/clouddrove/terraform-aws-vpn/actions/workflows/terraform.yml" + - name: "Licence" + image: "https://img.shields.io/badge/License-APACHE-blue.svg" + url: "LICENSE.md" # description of this project -# yamllint disable rule:line-length - description: |- Terraform module is used to create VPN resource on AWS for network connectivity.. @@ -40,7 +35,7 @@ include: - "terraform.md" # How to use this project -# yamllint disable rule:line-length +# How to use this project usage: |- ### Simple Example Here is an example of how you can use this module in your inventory structure: diff --git a/_example/.terraform.lock.hcl b/_example/.terraform.lock.hcl new file mode 100644 index 0000000..76ea2e2 --- /dev/null +++ b/_example/.terraform.lock.hcl 
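Review bot: tflint.yml calls `clouddrove/test-tfsec/.github/workflows/tflint.yaml@master` and passes it `secrets.GITHUB`, while the other two new callers (auto_assignee.yml, tf-checks.yml) use `clouddrove/github-shared-workflows`; a repository named `test-tfsec` reads like a scratch repo, so confirm it is the intended long-term home rather than a leftover from testing, since the token goes to whatever that branch contains. The `.yaml` extension here versus `.yml` everywhere else also suggests the path was typed by hand; verify it resolves. Pinning to a tag or SHA applies here as in the other callers.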
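Review bot: The second README.yaml hunk leaves the comment `# How to use this project` twice in a row above `usage: |-`, because the line it replaces was the `# yamllint disable rule:line-length` directive rather than a second copy of the heading; drop one of the two. Both hunks remove `# yamllint disable rule:line-length`; if the `description`/`usage` block scalars contain lines beyond the configured limit (not visible here), yamllint will now flag them, so either keep one directive or confirm the lint configuration tolerates them. The badge changes are consistent with the terraform.yml workflow removed in this commit.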
@@ -0,0 +1,25 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.10.0" + constraints = ">= 5.1.0, >= 5.9.0" + hashes = [ + "h1:AgF54/79Nb/oQjbAMMewENSIa1PEScMn20Xa91hZR2g=", + "zh:24f8b40ba25521ec809906623ce1387542f3da848952167bc960663583a7b2c7", + "zh:3c12afbda4e8ed44ab8315d16bbba4329ef3f18ffe3c0d5ea456dd05472fa610", + "zh:4da2de97535c7fb51ede8ef9b6bd45c790005aec36daac4317a6175d2ff632fd", + "zh:5631fd3c02c5abe5e51a73bd77ddeaaf97b2d508845ea03bc1e5955b52d94706", + "zh:5bdef27b4e5b2dcd0661125fcc1e70826d545903b1e19bb8d28d2a0c812468d5", + "zh:7b7f6b3e00ad4b7bfaa9872388f7b8014d8c9a1fe5c3f9f57865535865727633", + "zh:935f7a599a3f55f69052b096491262d59787625ce5d52f729080328e5088e823", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a451a24f6675f8ad643a9b218cdb54c2af75a53d6a712daff46f64b81ec61032", + "zh:a5bcf820baefdc9f455222878f276a7f406a1092ac7b4c0cdbd6e588bff84847", + "zh:c9ab7b838a75bbcacc298658c1a04d1f0ee5935a928d821afcbe08c98cca7c5f", + "zh:d83855b6d66aaa03b1e66e03b7d0a4d1c9f992fce06f00011edde2a6ad6d91d6", + "zh:f1793e9a1e3ced98ca301ef1a294f46c06f77f6eb10f4d67ffef87ea60835421", + "zh:f366c99ddb16d75e07a687a60c015e8e2e0cdb593dea902385629571bd604859", + "zh:fb3ec60ea72144f480f495634c6d3e7a7638d7061a77c228a30768c1ae0b91f6", + ] +} diff --git a/_example/example.tf b/_example/example.tf index 0a7f609..3b448ff 100644 --- a/_example/example.tf +++ b/_example/example.tf @@ -10,7 +10,7 @@ provider "aws" { ##----------------------------------------------------------------------------- module "vpc" { source = "clouddrove/vpc/aws" - version = "1.3.1" + version = "2.0.0" name = "vpc" environment = "Dev" label_order = ["name", "environment"] 
@@ -23,7 +23,7 @@ module "vpc" { ##----------------------------------------------------- module "public_subnets" { source = "clouddrove/subnet/aws" - version = "1.3.0" + version = "2.0.0" name = "public-subnet" environment = "Dev" diff --git a/_example/versions.tf b/_example/versions.tf new file mode 100644 index 0000000..5a227cd --- /dev/null +++ b/_example/versions.tf @@ -0,0 +1,11 @@ +# Terraform version +terraform { + required_version = ">= 1.5.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 5.9.0" + } + } +} \ No newline at end of file diff --git a/_test/vpn_test.go b/_test/vpn_test.go deleted file mode 100644 index 96b8dc2..0000000 --- a/_test/vpn_test.go +++ /dev/null @@ -1,32 +0,0 @@ -// Managed By : CloudDrove -// Description : This Terratest is used to test the Terraform VPN module. -// Copyright @ CloudDrove. All Right Reserved. -package test - -import ( - "testing" - "github.com/gruntwork-io/terratest/modules/terraform" - "github.com/stretchr/testify/assert" -) - -func Test(t *testing.T) { - t.Parallel() - - terraformOptions := &terraform.Options{ - // Source path of Terraform directory. - TerraformDir: "../_example", - } - - // This will run 'terraform init' and 'terraform application' and will fail the test if any errors occur - terraform.InitAndApply(t, terraformOptions) - - // To clean up any resources that have been created, run 'terraform destroy' towards the end of the test - defer terraform.Destroy(t, terraformOptions) - - // To get the value of an output variable, run 'terraform output' - Tags := terraform.OutputMap(t, terraformOptions, "tags") - - // Check that we get back the outputs that we expect - assert.Equal(t, "test-vpn", Tags["Name"]) - -} diff --git a/main.tf b/main.tf index a2fad7c..2cc04d9 100644 --- a/main.tf +++ b/main.tf 
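Review bot: Both `_example/versions.tf` (new) and the root `versions.tf` (last hunk of the diff) raise the floor to `required_version = ">= 1.5.0"` and `aws` `>= 5.9.0`, but nothing visible in this diff uses a Terraform 1.5 or provider 5.9 feature — the main.tf edits are splat-syntax changes only; if the bump tracks the `clouddrove/vpc/aws` / `clouddrove/subnet/aws` 2.0.0 bumps in example.tf, say so in the `# Terraform version` comment, because raising a module's minimum is a breaking change for its consumers. Both files are also written without a trailing newline (`\ No newline at end of file`), which this commit fixes elsewhere. An upper bound in the example, e.g. `version = "~> 5.9"`, would keep it reproducible across a future provider major; the committed lock file pins `5.10.0` for the example only.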
@@ -11,16 +11,12 @@ module "labels" { managedby = var.managedby } - locals { - preshared_key_provided = length(var.tunnel1_preshared_key) > 0 && length(var.tunnel2_preshared_key) > 0 - preshared_key_not_provided = false == local.preshared_key_provided - internal_cidr_provided = length(var.tunnel1_inside_cidr) > 0 && length(var.tunnel2_inside_cidr) > 0 - internal_cidr_not_provided = false == local.internal_cidr_provided - tunnel_details_not_specified = local.internal_cidr_not_provided && local.preshared_key_not_provided - tunnel_details_specified = local.internal_cidr_provided && local.preshared_key_provided - enable_tunner_with_internal_cidr_only = local.internal_cidr_provided && local.preshared_key_not_provided - enable_tunner_with_preshared_key_only = local.internal_cidr_not_provided && local.preshared_key_provided + preshared_key_provided = length(var.tunnel1_preshared_key) > 0 && length(var.tunnel2_preshared_key) > 0 + preshared_key_not_provided = false == local.preshared_key_provided + internal_cidr_provided = length(var.tunnel1_inside_cidr) > 0 && length(var.tunnel2_inside_cidr) > 0 + internal_cidr_not_provided = false == local.internal_cidr_provided + tunnel_details_not_specified = local.internal_cidr_not_provided && local.preshared_key_not_provided } ##----------------------------------------------------------------------------- @@ -29,8 +25,8 @@ locals { resource "aws_vpn_connection" "default" { count = var.enable_vpn_connection && local.tunnel_details_not_specified ? 1 : 0 - vpn_gateway_id = join("", aws_vpn_gateway.vpn.*.id) - customer_gateway_id = join("", aws_customer_gateway.main.*.id) + vpn_gateway_id = join("", aws_vpn_gateway.vpn[*].id) + customer_gateway_id = join("", aws_customer_gateway.main[*].id) type = "ipsec.1" static_routes_only = var.vpn_connection_static_routes_only local_ipv4_network_cidr = var.local_ipv4_network_cidr 
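Review bot: With `tunnel_details_specified`, `enable_tunner_with_internal_cidr_only` and `enable_tunner_with_preshared_key_only` dropped from `locals`, the only connection resource visible, `aws_vpn_connection.default`, is still created solely when `local.tunnel_details_not_specified` holds, i.e. when neither pre-shared keys nor inside CIDRs are supplied. If the sibling resources those locals gated were also removed in the unseen part of main.tf, a caller who sets `tunnel1_preshared_key`/`tunnel2_preshared_key` now silently gets no VPN connection at all; if they were not removed, `terraform validate` fails on the missing locals — either way this needs confirming, as the resource body continues past the hunk. The cleaner shape is one resource with `count = var.enable_vpn_connection ? 1 : 0` that passes the tunnel arguments through as `var.tunnel1_preshared_key != "" ? var.tunnel1_preshared_key : null`, or a `lifecycle { precondition }` (available from the newly required Terraform 1.5) that rejects partially specified tunnels explicitly. `preshared_key_provided` and `internal_cidr_provided` are now used only to derive their own negations, so if nothing outside the hunk reads them the block could shrink to `tunnel_details_not_specified = !(local.internal_cidr_provided || local.preshared_key_provided)`.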
@@ -55,7 +51,7 @@ resource "aws_vpn_connection" "default" { resource "aws_vpn_gateway_attachment" "default" { count = var.enable_vpn_connection && var.enable_vpn_gateway_attachment ? 1 : 0 vpc_id = var.vpc_id - vpn_gateway_id = join("", aws_vpn_gateway.vpn.*.id) + vpn_gateway_id = join("", aws_vpn_gateway.vpn[*].id) } ##----------------------------------------------------------------------------- @@ -63,7 +59,7 @@ resource "aws_vpn_gateway_attachment" "default" { ##----------------------------------------------------------------------------- resource "aws_vpn_gateway_route_propagation" "private_subnets_vpn_routing" { count = var.enable_vpn_connection ? var.vpc_subnet_route_table_count : 0 - vpn_gateway_id = join("", aws_vpn_gateway.vpn.*.id) + vpn_gateway_id = join("", aws_vpn_gateway.vpn[*].id) route_table_id = element(var.vpc_subnet_route_table_ids, count.index) } @@ -72,7 +68,7 @@ resource "aws_vpn_gateway_route_propagation" "private_subnets_vpn_routing" { ##----------------------------------------------------------------------------- resource "aws_vpn_connection_route" "default" { count = var.enable_vpn_connection ? var.vpn_connection_static_routes_only ? length(var.vpn_connection_static_routes_destinations) : 0 : 0 - vpn_connection_id = element(split("", join("", aws_vpn_connection.default.*.id)), 0) + vpn_connection_id = element(split("", join("", aws_vpn_connection.default[*].id)), 0) destination_cidr_block = element(var.vpn_connection_static_routes_destinations, count.index) } @@ -104,4 +100,4 @@ resource "aws_vpn_gateway" "vpn" { "Name" = format("%s-vgw", module.labels.id) } ) -} +} \ No newline at end of file diff --git a/outputs.tf b/outputs.tf index 5baa0b7..a833d55 100644 --- a/outputs.tf +++ b/outputs.tf 
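Review bot: The touched line in the `aws_vpn_connection_route` hunk still reads `vpn_connection_id = element(split("", join("", aws_vpn_connection.default[*].id)), 0)`; `split` with an empty separator breaks the joined string into one element per character, so element 0 is the first character of the connection ID rather than the ID itself. Every other reference in these hunks uses the plain join form; make this one match it: `vpn_connection_id = join("", aws_vpn_connection.default[*].id)`. Separately, the last main.tf hunk turns the closing `}` into a line without a trailing newline, the reverse of the newline fixes made to the workflow files in this commit.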
@@ -3,28 +3,28 @@ output "vpn_connection_id" { value = concat( - aws_vpn_connection.default.*.id + aws_vpn_connection.default[*].id )[0] description = "The ID of the VPN Connection." } output "gateway_attachment_id" { value = concat( - aws_vpn_gateway_attachment.default.*.id + aws_vpn_gateway_attachment.default[*].id )[0] description = "The ID of the Gateway Attachment." } output "customer_gateway_id" { value = concat( - aws_customer_gateway.main.*.id + aws_customer_gateway.main[*].id )[0] description = "The ID of the VPN Connection Route." } output "vpn_gateway_id" { value = concat( - aws_vpn_gateway.vpn.*.id + aws_vpn_gateway.vpn[*].id )[0] description = "The ID of the VPN gateway." } diff --git a/variables.tf b/variables.tf index aae705e..607f83a 100644 --- a/variables.tf +++ b/variables.tf @@ -6,13 +6,6 @@ variable "name" { description = "Name (e.g. `app` or `cluster`)." } - -variable "application" { - type = string - default = "" - description = "Application (e.g. `cd` or `clouddrove`)." -} - variable "certificate_arn" { type = string default = "" @@ -41,24 +34,6 @@ variable "label_order" { description = "Label order, e.g. `name`,`application`." } -variable "attributes" { - type = list(any) - default = [] - description = "Additional attributes (e.g. `1`)." -} - -variable "delimiter" { - type = string - default = "-" - description = "Delimiter to be used between `organization`, `environment`, `name` and `attributes`." -} - -variable "tags" { - type = map(any) - default = {} - description = "Additional tags (e.g. map(`BusinessUnit`,`XYZ`)." -} - variable "managedby" { type = string default = "anmol@clouddrove.com" 
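Review bot: Each output still indexes `concat(<resource>[*].id)[0]`, which fails with an invalid-index error whenever the resource's count is 0 — for `vpn_connection_id` that is the `enable_vpn_connection = false` case and, per main.tf, any call that supplies tunnel pre-shared keys or inside CIDRs; since this commit raises `required_version` to `>= 1.5.0`, `value = one(aws_vpn_connection.default[*].id)` is available and yields null instead, and the same applies to the other three outputs assuming each keeps a 0/1 count. While the `customer_gateway_id` block is being touched, its description `"The ID of the VPN Connection Route."` is wrong; `description = "The ID of the Customer Gateway."`. The variables.tf hunks that follow remove `application`, `attributes`, `delimiter` and `tags`, yet the `label_order` description in the second hunk still says `e.g. \`name\`,\`application\``, and the `module "labels"` block in main.tf (mostly outside its hunk) should be checked for remaining `var.tags`/`var.attributes`/`var.delimiter` references.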
@@ -206,71 +181,4 @@ variable "enable_vpn_gateway_attachment" { type = bool default = true description = "Set to false to prevent attachment of the vGW to the VPC." -} - -variable "tunnel2_phase1_encryption_algorithms" { - type = list(string) - default = null - description = "(Optional) List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16." -} - -variable "tunnel2_phase2_encryption_algorithms" { - type = list(string) - default = null - description = "(Optional) List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16." -} - -variable "tunnel2_phase1_integrity_algorithms" { - type = list(string) - default = [""] - description = "(Optional) One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512." -} - -variable "tunnel2_phase2_integrity_algorithms" { - type = list(string) - default = [""] - description = "(Optional) One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512." -} - - -variable "tunnel2_phase1_dh_group_numbers" { - type = list(number) - default = null - description = "(Optional) List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24." -} - -variable "tunnel2_phase2_dh_group_numbers" { - type = list(number) - default = null - description = "(Optional) List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24." 
-} - -variable "tunnel2_ike_versions" { - type = list(string) - default = null - description = "(Optional) The IKE versions that are permitted for the first VPN tunnel. Valid values are ikev1 | ikev2." -} - -variable "tunnel2_dpd_timeout_action" { - type = string - default = "" - description = "(Optional, Default clear) The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart." -} - -variable "tunnel2_startup_action" { - type = string - default = "" - description = "(Optional, Default clear) The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart." -} - -variable "log_enabled" { - type = bool - default = true - description = "(Optional) Enable or disable VPN tunnel logging feature. The default is false.yy" -} - -variable "log_output_format" { - type = string - default = null - description = "(Optional, Default clear) The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart." } \ No newline at end of file diff --git a/versions.tf b/versions.tf index c3cde87..5a227cd 100644 --- a/versions.tf +++ b/versions.tf @@ -1,11 +1,11 @@ # Terraform version terraform { - required_version = ">= 1.4.6" + required_version = ">= 1.5.0" required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.1.0" + version = ">= 5.9.0" } } -} +} \ No newline at end of file
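Review bot: Removing the `tunnel2_phase1_*`/`tunnel2_phase2_*` algorithm and DH-group inputs, `tunnel2_ike_versions`, `tunnel2_dpd_timeout_action`, `tunnel2_startup_action`, `log_enabled` and `log_output_format` is a breaking change for any caller setting them, and if `aws_vpn_connection.default` (whose body runs past the main.tf hunks) still assigns `var.tunnel2_...` or the logging options, `terraform validate` fails — confirm both. If the matching `tunnel1_*` inputs remain (not visible here), the two tunnels are now asymmetrically configurable; if they were removed as well, the module no longer lets a caller restrict IKE to the SHA2 / AES-GCM / DH-group set a hardening baseline calls for, and the deleted `log_enabled` (default `true`) appears to have been the only tunnel-logging switch. The descriptions on the removed lines were copy-pasted from tunnel 1 and wrong (`tunnel2_phase2_encryption_algorithms` says "phase 1", `log_output_format` carries the DPD text), which is worth fixing but not by deleting the inputs; either keep them or call the removal out as breaking in the changelog.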