diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
new file mode 100644
index 0000000..5dbd054
--- /dev/null
+++ b/.github/workflows/pre-commit.yaml
@@ -0,0 +1,47 @@
+on:
+ pull_request:
+ push:
+ branches: [main]
+
+jobs:
+ pre_commit:
+ name: Run pre-commit and commit any autocorrections
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: 1.6.6
+ - name: Setup Terragrunt
+ uses: autero1/action-terragrunt@v1.1.0
+ with:
+ terragrunt_version: 0.54.8
+ # To avoid rate-limiting
+ token: ${{ secrets.GITHUB_TOKEN }}
+ - uses: terraform-linters/setup-tflint@v3
+ name: TFLint - Setup
+ with:
+ tflint_version: latest
+
+ - name: TFLint - Init
+ run: tflint --init
+ env:
+ # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+ GITHUB_TOKEN: ${{ github.token }}
+ - name: TFLint - Show version
+ run: tflint --version
+ - uses: actions/setup-python@v4
+ with:
+ python-version: 3.x
+ - name: Terraform Docs - Install
+ run: |
+ curl -sSLo ./terraform-docs.tar.gz https://terraform-docs.io/dl/v0.17.0/terraform-docs-v0.17.0-$(uname)-amd64.tar.gz
+ tar -xzf terraform-docs.tar.gz -- terraform-docs
+ chmod +x terraform-docs
+ echo $PATH
+ mv terraform-docs /usr/local/bin/terraform-docs
+ terraform-docs --version
+ - uses: pre-commit/action@v3.0.0
+ - uses: pre-commit-ci/lite-action@v1.0.1
+ if: always()
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 11d16c9..ab25c67 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -2,7 +2,7 @@
 # See https://pre-commit.com/hooks.html for more hooks
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v4.4.0
+ rev: v4.5.0
 hooks:
 - id: trailing-whitespace
 - id: end-of-file-fixer
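Review bot: The `Terraform Docs - Install` step fetches a tarball with curl and moves the extracted binary into `/usr/local/bin` without any integrity check, so a substituted or tampered download would execute inside a job that holds the repository token on every pull request; add a digest check between the curl and tar lines, e.g. `echo "<EXPECTED_SHA256>  ./terraform-docs.tar.gz" | sha256sum -c -` (placeholder to be replaced with the published digest for v0.17.0). The third-party actions (`autero1/action-terragrunt@v1.1.0`, `pre-commit/action@v3.0.0`, `pre-commit-ci/lite-action@v1.0.1`, and the `@v3`/`@v4` tags) are pinned to mutable tags rather than commit SHAs, and `tflint_version: latest` floats entirely, so the toolchain can change underneath the workflow with no diff to review. The workflow also declares no `permissions:` block, so `GITHUB_TOKEN` receives the repository default; an explicit least-privilege `permissions:` block scoped to what `pre-commit-ci/lite-action` actually needs would make the grant visible and reviewable. `echo $PATH` in the same `run:` script looks like a debugging leftover and can go.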
@@ -10,10 +10,22 @@ repos: args: ["--allow-multiple-documents"] - id: check-added-large-files - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.77.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases + rev: v1.85.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases hooks: - id: terraform_fmt # args: ["--enable require-variable-braces,deprecate-which"] - id: terraform_tflint - exclude: .* + args: + - "--args=--fix" - id: terragrunt_fmt - id: terraform_docs +ci: + autofix_commit_msg: | + [pre-commit.ci] auto fixes from pre-commit.com hooks + + for more information, see https://pre-commit.ci + autofix_prs: true + autoupdate_branch: '' + autoupdate_commit_msg: '[pre-commit.ci] pre-commit autoupdate' + autoupdate_schedule: weekly + skip: [terraform_fmt, terraform_tflint, terragrunt_fmt, terraform_docs] + submodules: false diff --git a/LICENSE.md b/LICENSE.md new file mode 100644 index 0000000..f2a0872 --- /dev/null +++ b/LICENSE.md 
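Review bot: The new `skip:` line disables every Terraform hook on pre-commit.ci without saying why, and nothing in this file says where those hooks run instead; a comment above it such as `# Terraform/Terragrunt/tflint/terraform-docs binaries are not available on pre-commit.ci; these hooks run in .github/workflows/pre-commit.yaml` would save the next reader a search (the reason is inferred from the workflow added in this commit — confirm). Dropping `exclude: .*` and adding `--args=--fix` at the same time turns `terraform_tflint` from a no-op into a hook that rewrites source files, and with `autofix_prs: true` those rewrites will be committed automatically; a one-line comment on the `args:` entry noting that tflint autofix is intentional would make that visible to reviewers of future autofix commits.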
@@ -0,0 +1,34 @@
+# License
+
+As a work of the [United States government](https://www.usa.gov/), this project
+is in the public domain within the United States of America.
+
+Additionally, we waive copyright and related rights in the work worldwide
+through the CC0 1.0 Universal public domain dedication.
+
+## CC0 1.0 Universal Summary
+
+This is a human-readable summary of the [Legal Code (read the full
+text)](https://creativecommons.org/publicdomain/zero/1.0/legalcode).
+
+### No Copyright
+
+The person who associated a work with this deed has dedicated the work to the
+public domain by waiving all of their rights to the work worldwide under
+copyright law, including all related and neighboring rights, to the extent
+allowed by law.
+
+You can copy, modify, distribute, and perform the work, even for commercial
+purposes, all without asking permission.
+
+### Other Information
+
+In no way are the patent or trademark rights of any person affected by CC0, nor
+are the rights that other persons may have in the work or in how the work is
+used, such as publicity or privacy rights.
+
+Unless expressly stated otherwise, the person who associated a work with this
+deed makes no warranties about the work, and disclaims liability for all uses
+of the work, to the fullest extent permitted by applicable law. When using or
+citing the work, you should not imply endorsement by the author or the
+affirmer.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..ee5f43a
--- /dev/null
+++ b/README.md
@@ -0,0 +1,88 @@ +# batcave-tf-vpc + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.2 | +| [aws](#requirement\_aws) | >= 4.61.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 4.61.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_vpc_endpoint.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | +| [aws_ec2_managed_prefix_list.cmscloud_public_pl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source | +| [aws_ec2_managed_prefix_list.cmscloud_security_tools](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source | +| [aws_ec2_managed_prefix_list.cmscloud_shared_services_pl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source | +| [aws_ec2_managed_prefix_list.vpn_prefix_list](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source | +| [aws_ec2_managed_prefix_list.zscaler_pl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source | +| [aws_eips.nat_gateways](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eips) | data source | +| [aws_route_table.all_non_public_route_tables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_table) | data source | +| [aws_subnet.container](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | +| [aws_subnet.data](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | +| 
[aws_subnet.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | +| [aws_subnet.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | +| [aws_subnet.shared](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | +| [aws_subnet.transport](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | +| [aws_subnets.container](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | +| [aws_subnets.data](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | +| [aws_subnets.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | +| [aws_subnets.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | +| [aws_subnets.shared](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | +| [aws_subnets.transport](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | +| [aws_vpc.batcave_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_region](#input\_aws\_region) | n/a | `string` | `"us-east-1"` | no | +| [create\_s3\_vpc\_endpoint](#input\_create\_s3\_vpc\_endpoint) | toggle on/off the creation of s3 vpc endpoint | `bool` | `true` | no | +| [data\_subnets\_exist](#input\_data\_subnets\_exist) | Data subnets are used to house resources intended to access services inside CMS's data plane | `bool` | `false` | no | +| [env](#input\_env) | n/a | `string` | `"dev"` | no | +| 
[nat\_gateways\_lookup\_overrides](#input\_nat\_gateways\_lookup\_overrides) | Some nat gateways don't follow standard naming conventions. Use this map to override the query used for looking up Subnets. Ex: { private = "foo-west-nonpublic-*" } | `string` | `""` | no | +| [project](#input\_project) | n/a | `string` | `"batcave"` | no | +| [public\_pl\_exists](#input\_public\_pl\_exists) | The public PL is a work in progress (as of 2022-05-27) by the network team. It will eventually be rolled out everywhere, but is not yet. For now, it defaults to false, but can eventually be removed when every ADO VPC has it | `bool` | `false` | no | +| [shared\_subnets\_exist](#input\_shared\_subnets\_exist) | Shared subnets are used to house resources intended to be shared across ALL CMS Cloud systems via the transit gateway | `bool` | `false` | no | +| [subnet\_lookup\_overrides](#input\_subnet\_lookup\_overrides) | Some Subnets don't follow standard naming conventions. Use this map to override the query used for looking up Subnets. Ex: { private = "foo-west-nonpublic-*" } | `map(string)` | `{}` | no | +| [transport\_subnets\_exist](#input\_transport\_subnets\_exist) | Transport subnets are used to house the NLB in situations where a service is required to be exposed to VDI users | `bool` | `false` | no | +| [vpc\_endpoint\_lookup\_overrides](#input\_vpc\_endpoint\_lookup\_overrides) | Some vpc endpoints don't follow standard naming conventions. Use this map to override the query used for looking up Subnets. Ex: { private = "foo-west-nonpublic-*" } | `string` | `""` | no | +| [vpc\_lookup\_override](#input\_vpc\_lookup\_override) | Some VPCs don't follow standard naming conventions. Use this to override the query used to lookup VPC names. Accepts wildcard in form of '*' | `string` | `""` | no | +| [zscaler\_pl\_exists](#input\_zscaler\_pl\_exists) | The zscaler PL is a work in progress (as of 2022-07-08) by the network team. 
It will eventually be rolled out everywhere, but is not yet. For now, it defaults to false, but can eventually be removed when every ADO VPC has it | `bool` | `false` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [cms\_public\_ip\_cidrs](#output\_cms\_public\_ip\_cidrs) | n/a | +| [cmscloud\_public\_pl](#output\_cmscloud\_public\_pl) | Prefix list of cmscloud public | +| [cmscloud\_security\_tools\_pl](#output\_cmscloud\_security\_tools\_pl) | n/a | +| [cmscloud\_shared\_services\_pl](#output\_cmscloud\_shared\_services\_pl) | n/a | +| [cmscloud\_vpn\_pl](#output\_cmscloud\_vpn\_pl) | Prefix list of cmscloud vpn | +| [container\_subnets](#output\_container\_subnets) | List of IDs of container subnets | +| [container\_subnets\_by\_zone](#output\_container\_subnets\_by\_zone) | map of AZs to container subnet ids | +| [nat\_gateway\_public\_ip\_cidrs](#output\_nat\_gateway\_public\_ip\_cidrs) | n/a | +| [private\_subnets](#output\_private\_subnets) | List of IDs of private subnets | +| [private\_subnets\_by\_zone](#output\_private\_subnets\_by\_zone) | map of AZs to private subnet ids | +| [public\_subnets](#output\_public\_subnets) | List of IDs of public subnets | +| [subnets](#output\_subnets) | n/a | +| [transport\_subnet\_cidr\_blocks](#output\_transport\_subnet\_cidr\_blocks) | map of IDs to transport subnet cidrs | +| [transport\_subnets](#output\_transport\_subnets) | List of IDs of transport subnets | +| [transport\_subnets\_by\_zone](#output\_transport\_subnets\_by\_zone) | map of AZs to transport subnet ids | +| [vpc\_arn](#output\_vpc\_arn) | The ARN of the VPC | +| [vpc\_cidr\_blocks](#output\_vpc\_cidr\_blocks) | # VPC Data | +| [vpc\_id](#output\_vpc\_id) | The ID of the VPC | +| [zscaler\_pl](#output\_zscaler\_pl) | Prefix list of zscaler | + diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..90e23aa --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,17 @@
+# Security and Responsible Disclosure Policy
+
+*Submit a vulnerability:* Unfortunately, we cannot accept secure submissions via
+email or via GitHub Issues. Please use our website to submit vulnerabilities at
+[https://hhs.responsibledisclosure.com](https://hhs.responsibledisclosure.com).
+HHS maintains an acknowledgements page to recognize your efforts on behalf of
+the American public, but you are also welcome to submit anonymously.
+
+Review the HHS Disclosure Policy and websites in scope:
+[https://www.hhs.gov/vulnerability-disclosure-policy/index.html](https://www.hhs.gov/vulnerability-disclosure-policy/index.html).
+
+This policy describes *what systems and types of research* are covered under this
+policy, *how to send* us vulnerability reports, and *how long* we ask security
+researchers to wait before publicly disclosing vulnerabilities.
+
+If you have other cybersecurity related questions, please contact us at
+[csirc@hhs.gov.](mailto:csirc@hhs.gov).
diff --git a/main.tf b/main.tf
index 047815d..52f6e4e 100644
--- a/main.tf
+++ b/main.tf
@@ -1,3 +1,13 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.61.0"
+ }
+ }
+ required_version = ">= 1.2"
+}
+
 # vpc id
 data "aws_vpc" "batcave_vpc" {
 tags = {
@@ -122,11 +132,6 @@ data "aws_ec2_managed_prefix_list" "zscaler_pl" { } -data "aws_route_table" "shared" { - for_each = toset(try(data.aws_subnets.shared[0].ids, [])) - subnet_id = each.key -} - data "aws_route_table" "all_non_public_route_tables" { for_each = toset(local.all_non_public_subnet_ids) subnet_id = each.key
@@ -134,13 +139,6 @@ data "aws_route_table" "all_non_public_route_tables" { locals { - # shared subnet route table ids - shared_subnet_route_tables = [for rt in data.aws_route_table.shared : rt.route_table_id] - # Map of routes and CIDRs - shared_subnet_additional_routes = { for each in setproduct(local.shared_subnet_route_tables, var.shared_subnets_additional_tgw_routes) - : "${each[0]}_${each[1]}" => - { route_table_id = each[0], cidr = each[1] } - } } ## Commenting out while we determine if these routes are necessary at all. 2023-01-26 diff --git a/outputs.tf b/outputs.tf index 16e3b6c..42b7993 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,6 +1,6 @@ ## VPC Data output "vpc_cidr_blocks" { - value = data.aws_vpc.batcave_vpc.cidr_block_associations.*.cidr_block + value = data.aws_vpc.batcave_vpc.cidr_block_associations[*].cidr_block } output "vpc_id" { diff --git a/variables.tf b/variables.tf index b28434f..aed52a4 100644 --- a/variables.tf +++ b/variables.tf @@ -1,13 +1,16 @@ variable "env" { default = "dev" + type = string } variable "project" { default = "batcave" + type = string } variable "aws_region" { default = "us-east-1" + type = string } variable "transport_subnets_exist" { @@ -28,12 +31,6 @@ variable "data_subnets_exist" { type = bool } -variable "shared_subnets_additional_tgw_routes" { - description = "These CIDR blocks will be added to the shared subnet route tables and routed to the transit gateway" - default = [] - type = list(any) -} - variable "public_pl_exists" { description = "The public PL is a work in progress (as of 2022-05-27) by the network team. It will eventually be rolled out everywhere, but is not yet. For now, it defaults to false, but can eventually be removed when every ADO VPC has it" default = false 
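Review bot: Removing the two shared-subnet locals leaves an empty `locals {` / `}` pair in main.tf, which Terraform accepts but which reads as an unfinished edit; delete the block, or if it is kept deliberately as a placeholder mark it with `# intentionally empty: shared-subnet route locals were removed`. The `## Commenting out while we determine if these routes are necessary at all. 2023-01-26` context line just below presumably introduces the commented-out routes that consumed `local.shared_subnet_additional_routes`; with the local gone, that comment and the code it guards should be updated or removed together (the commented block itself is outside the hunk, so this is inferred).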
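Review bot: `output "vpc_cidr_blocks"` still has no `description`, and the README generated in this same commit shows the consequence: terraform-docs picked up the `## VPC Data` comment above it as the description (`[vpc_cidr_blocks] | # VPC Data`). Since this hunk already touches the output, add `description = "CIDR blocks associated with the VPC"` inside it, and move the `## VPC Data` section comment so it is not adjacent to the block. The other outputs listed as `n/a` in the README (`cms_public_ip_cidrs`, `cmscloud_security_tools_pl`, `cmscloud_shared_services_pl`, `nat_gateway_public_ip_cidrs`, `subnets`) have the same gap but are outside this hunk.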
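Review bot: The three added `type = string` lines tighten the variables but leave `env`, `project` and `aws_region` without a `description`, which is why the README generated in this commit lists them as `n/a`; since each block is being edited anyway, add a one-line description to each, e.g. `description = "Environment name (e.g. dev)"` for `env`, and the equivalent for `project` and `aws_region`. Placing `type` after `default` matches the `description`/`default`/`type` order the rest of the file uses, so no reordering is needed.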
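Review bot: Deleting `variable "shared_subnets_additional_tgw_routes"` is a breaking change for every caller of this module that still passes it — a module call with an argument the child module no longer declares fails with an unsupported-argument error rather than being ignored — and neither the commit nor the new README calls this out. Either keep the declaration for one release with `description = "DEPRECATED: no longer used and ignored; will be removed in a future release"` so callers get a migration window, or document the removal in the release notes and bump the module's major version. The same removal is mirrored in main.tf (`data.aws_route_table.shared` and the shared-subnet locals), so the release note should cover all three hunks.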
@@ -74,4 +71,4 @@ variable "nat_gateways_lookup_overrides" {
 description = "Some nat gateways don't follow standard naming conventions. Use this map to override the query used for looking up Subnets. Ex: { private = \"foo-west-nonpublic-*\" }"
 default = ""
 type = string
-}
\ No newline at end of file
+}