refactor: terraform fmt (#54)

* refactor: terraform fmt

* terraform-docs: automated action

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Author: bzarboni1

modules/github-aws-oidc/README.md

@@ -27,6 +27,7 @@ No modules.
 | [aws_kms_key.encryption_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_resourcegroups_group.github_foundations_rg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | resource |
 | [aws_s3_bucket.state_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_public_access_block.state_bucket_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.state_bucket_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_s3_bucket_versioning.state_bucket_versioning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 

modules/github-aws-oidc/oidc.tf

@@ -1,97 +1,102 @@
 resource "aws_iam_openid_connect_provider" "oidc_provider_entry" {
   url = "https://token.actions.githubusercontent.com"
 
-  client_id_list = [ "sts.amazonaws.com" ]
+  client_id_list = ["sts.amazonaws.com"]
 
   thumbprint_list = var.github_thumbprints
 
   tags = local.rg_tags
 }
 
 resource "aws_iam_role" "organizations_role" {
-    name = var.organizations_role_name
+  name = var.organizations_role_name
 
-    assume_role_policy = jsonencode({
+  assume_role_policy = jsonencode({
     "Version" = "2012-10-17",
     "Statement" = [
-        {
-            "Effect" = "Allow",
-            "Action" = "sts:AssumeRoleWithWebIdentity",
-            "Principal" = {
-                "Federated" = aws_iam_openid_connect_provider.oidc_provider_entry.arn
-            },
-            "Condition" = {
-                "StringEquals" = {
-                    "token.actions.githubusercontent.com:aud" = [
-                        "sts.amazonaws.com"
-                    ]
-                },
-                "StringLike" = {
-                    "token.actions.githubusercontent.com:sub": [
-                        "repo:${var.github_foundations_organization_name}/${var.organizations_repo_name}:*"
-                    ]
-                }
-            }
+      {
+        "Effect" = "Allow",
+        "Action" = "sts:AssumeRoleWithWebIdentity",
+        "Principal" = {
+          "Federated" = aws_iam_openid_connect_provider.oidc_provider_entry.arn
+        },
+        "Condition" = {
+          "StringEquals" = {
+            "token.actions.githubusercontent.com:aud" = [
+              "sts.amazonaws.com"
+            ]
+          },
+          "StringLike" = {
+            "token.actions.githubusercontent.com:sub" : [
+              "repo:${var.github_foundations_organization_name}/${var.organizations_repo_name}:*"
+            ]
+          }
         }
+      }
     ]
-})
+  })
 
-    tags = local.rg_tags
+  tags = local.rg_tags
 }
 
+# Ignote avd-aws-0057 - we need the user to be able to set
+# whatever secret names they want to use (restricted by tagging them).
+#trivy:ignore:avd-aws-0057
 resource "aws_iam_role_policy" "organizations_role_policy" {
-    name = "organizations-tf-state-management-policy"
-    role = aws_iam_role.organizations_role.id
+  name = "organizations-tf-state-management-policy"
+  role = aws_iam_role.organizations_role.id
 
-    policy = jsonencode({
-        Version = "2012-10-17"
-        Statement = [
-            {
-                Sid = "StateBucketFullAccess"
-                Action = [
-                    "s3:*"
-                ]
-                Effect = "Allow"
-                Resource = [
-                    aws_s3_bucket.state_bucket.arn,
-                    "${aws_s3_bucket.sate_bucket.arn}/*"    
-                ]
-            },
-            {
-                Sid = "StateBucketDeleteDeny"
-                Action = [
-                    "s3:DeleteBucket"
-                ]
-                Effect = "Deny"
-                Resource = [aws_s3_bucket.state_bucket.arn]
-            },
-            {
-                Sid = "AllowSecretRead"
-                Action = [
-                    "secretsmanager:GetSecretValue",
-                    "secretsmanager:DescribeSecret",
-                    "secretsmanager:GetResourcePolicy"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid = "StateBucketFullAccess"
+        Action = [
+          "s3:PutObject",
+          "s3:GetObject",
+          "s3:ListBucket"
+        ]
+        Effect = "Allow"
+        Resource = [
+          aws_s3_bucket.state_bucket.arn,
+          "${aws_s3_bucket.state_bucket.arn}/*"
+        ]
+      },
+      {
+        Sid = "StateBucketDeleteDeny"
+        Action = [
+          "s3:DeleteBucket"
+        ]
+        Effect   = "Deny"
+        Resource = [aws_s3_bucket.state_bucket.arn]
+      },
+      {
+        Sid = "AllowSecretRead"
+        Action = [
+          "secretsmanager:GetSecretValue",
+          "secretsmanager:DescribeSecret",
+          "secretsmanager:GetResourcePolicy"
 
-                ]
-                Effect = "Allow"
-                Resource = "*"
-                Condition = {
-                    StringEquals = {
-                        "secretsmanager:ResourceTag/Purpose" = local.rg_tags["Purpose"]
-                    }
-                }
-            },
-            {
-                Sid = "AllowDynamoDBActionsOnLockTable"
-                Effect = "Allow",
-                Action = [
-                    "dynamodb:DescribeTable",
-                    "dynamodb:GetItem",
-                    "dynamodb:PutItem",
-                    "dynamodb:DeleteItem"
-                ],
-                Resource = [ aws_dynamodb_table.state_lock_table.arn ]
-            }
         ]
-    })
-}
+        Effect   = "Allow"
+        Resource = "*"
+        Condition = {
+          StringEquals = {
+            "secretsmanager:ResourceTag/Purpose" = local.rg_tags["Purpose"]
+          }
+        }
+      },
+      {
+        Sid    = "AllowDynamoDBActionsOnLockTable"
+        Effect = "Allow",
+        Action = [
+          "dynamodb:DescribeTable",
+          "dynamodb:GetItem",
+          "dynamodb:PutItem",
+          "dynamodb:DeleteItem"
+        ],
+        Resource = [aws_dynamodb_table.state_lock_table.arn]
+      }
+    ]
+  })
+}

modules/github-aws-oidc/outputs.tf

@@ -1,19 +1,19 @@
 output "s3_bucket_name" {
   description = "The name of the s3 bucket holding terraform state."
-  value = aws_s3_bucket.state_bucket.bucket
+  value       = aws_s3_bucket.state_bucket.bucket
 }
 
 output "s3_bucket_region" {
   description = "The region the s3 bucket holding terraform state was created in."
-  value = aws_s3_bucket.state_bucket.region
+  value       = aws_s3_bucket.state_bucket.region
 }
 
 output "dynamodb_table_name" {
   description = "The name of the dynamodb table that was created to store lock file ids."
-  value = aws_dynamodb_table.state_lock_table.name
+  value       = aws_dynamodb_table.state_lock_table.name
 }
 
 output "organizations_runner_role" {
   description = "The ARN of the role that the github action runner should assume for the organizations repo"
-  value = aws_iam_role.organizations_role.arn
-}
+  value       = aws_iam_role.organizations_role.arn
+}

modules/github-aws-oidc/resource_group.tf

@@ -4,18 +4,18 @@ locals {
   }
 }
 
-resource  "aws_resourcegroups_group" "github_foundations_rg" {
+resource "aws_resourcegroups_group" "github_foundations_rg" {
   name = var.rg_name
 
   resource_query {
     query = jsonencode({
-        "ResourceTypeFilters" = [ "AWS::AllSupported" ]
-        "TagFilters" = [
-            {
-                "Key"="Purpose"
-                "Values"=[ local.rg_tags.Purpose ]
-            }
-        ]
+      "ResourceTypeFilters" = ["AWS::AllSupported"]
+      "TagFilters" = [
+        {
+          "Key"    = "Purpose"
+          "Values" = [local.rg_tags.Purpose]
+        }
+      ]
     })
   }
 }

modules/github-aws-oidc/storage.tf

@@ -1,10 +1,12 @@
 resource "aws_kms_key" "encryption_key" {
   description             = "This key is used to encrypt state bucket objects"
   deletion_window_in_days = 10
-  
+  enable_key_rotation     = true
+
   tags = local.rg_tags
 }
 
+#trivy:ignore:s3-bucket-logging
 resource "aws_s3_bucket" "state_bucket" {
   bucket = var.bucket_name
 
@@ -29,12 +31,24 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "state_bucket_encr
   }
 }
 
+resource "aws_s3_bucket_public_access_block" "state_bucket_access" {
+  bucket                  = aws_s3_bucket.state_bucket.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+#trivy:ignore:avd-aws-0025
 resource "aws_dynamodb_table" "state_lock_table" {
   name           = var.tflock_db_name
   read_capacity  = var.tflock_db_read_capacity
   write_capacity = var.tflock_db_write_capacity
   billing_mode   = var.tflock_db_billing_mode
   hash_key       = "LockID"
+  point_in_time_recovery {
+    enabled = true
+  }
 
   attribute {
     name = "LockID"

modules/github-aws-oidc/variables.tf

@@ -1,66 +1,66 @@
 # Resource Group Variables
 variable "rg_name" {
-  type = string
+  type        = string
   description = "The name of the AWS resource group to create for github foundation resources."
-  default = "GithubFoundationResources"
+  default     = "GithubFoundationResources"
 }
 
 # Bucket Variables
 variable "bucket_name" {
-  type = string
+  type        = string
   description = "The name of the s3 bucket that will store terraform state."
-  default = "GithubFoundationState"
+  default     = "GithubFoundationState"
 }
 
 # DynamoDB Variables
 variable "tflock_db_name" {
-  type = string
+  type        = string
   description = "The name of the dynamodb table that will store lock file ids."
-  default = "TFLockIds"
+  default     = "TFLockIds"
 }
 
 variable "tflock_db_read_capacity" {
-  type = number
+  type        = number
   description = "The read capacity to set for the dynamodb table storing lock file ids. Only required if billing mode is `PROVISIONED`. Defaults to 20."
-  default = 20
+  default     = 20
 }
 
 variable "tflock_db_write_capacity" {
-  type = number
+  type        = number
   description = "The write capacity to set for the dynamodb table storing lock file ids. Only required if billing mode is `PROVISIONED`. Defaults to 20."
-  default = 20
+  default     = 20
 }
 
 variable "tflock_db_billing_mode" {
-  type = string
+  type        = string
   description = "The billing mode to use for the dynamodb table storing lock file ids. Defaults to `PROVISIONED`."
-  default = "PROVISIONED"
+  default     = "PROVISIONED"
 }
 
 # IAM Variables
 
 variable "github_thumbprints" {
-  type = list(string)
+  type        = list(string)
   description = "A list of top intermediate certifact authority thumbprints to use for setting up an openid connect provider with github. Info on how to obtain thumbprints here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html"
   validation {
     error_message = "The list must be a minimum length of 1 and has a maximum length of 5"
-    condition = length(var.github_thumbprints) >=1 && length(var.github_thumbprints) <= 5
+    condition     = length(var.github_thumbprints) >= 1 && length(var.github_thumbprints) <= 5
   }
 }
 
 variable "organizations_role_name" {
-  type = string
+  type        = string
   description = "The name of the role that will be assummed by the github runner for the organizations repository."
-  default = "GhFoundationsOrganizationsAction"
+  default     = "GhFoundationsOrganizationsAction"
 }
 
 variable "github_foundations_organization_name" {
-  type = string
+  type        = string
   description = "The owner of the github foundations organizations repository. This value should be whatever github account you plan to make the repository under."
 }
 
 variable "organizations_repo_name" {
-  type = string
+  type        = string
   description = "The name of the github foundations organizations repository. Defaults to `organizations`"
-  default = "organizations"
-}
+  default     = "organizations"
+}