Dependency Updates

cabutlermit · cabutlermit · commit fb17f36b33b9 · 2024-08-09T13:40:25.000-04:00
Why these changes are being introduced:
Add pre-commit configuration along with version updates for the main
repo as well as the embedded module.

How this addresses that need:
* Add pre-commit configuration files
* Update Terraform and AWS Provider versions in the embedded module
* Update the Terraform and AWS Provider versions in the main code
* Update terraform.lock.hcl file with `terraform init -upgrade`
* Update the shared workflow for pre-commit configurations

Side effects of this change:
None.
diff --git a/.github/workflows/tf-shared-workflows.yml b/.github/workflows/tf-shared-workflows.yml
@@ -10,6 +10,8 @@ on:
     paths:
       - '**/*.tf'
 
+permissions: read-all
+
 jobs:
   validate:
     name: Validate Terraform
@@ -19,6 +21,6 @@ jobs:
     name: Checkov Tests
     uses: mitlibraries/.github/.github/workflows/tf-checkov-shared.yml@main
 
-  docs-update:
-    name: Update README
-    uses: mitlibraries/.github/.github/workflows/tf-docs-gen-shared.yml@main
+  docs:
+    name: Terraform Docs
+    uses: mitlibraries/.github/.github/workflows/tf-docs-shared.yml@main
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,19 @@
+repos:
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: "v1.92.1"
+    hooks:
+      - id: terraform_fmt
+        args:
+          - --args=-recursive
+      - id: terraform_validate
+  - repo: https://github.com/terraform-docs/terraform-docs
+    rev: "v0.18.0"
+    hooks:
+      - id: terraform-docs-go
+        args: ["markdown", "table", "--config", "./.terraform-docs.yaml", "--recursive", "--output-file", "README.md", "./"]
+  - repo: https://github.com/bridgecrewio/checkov.git
+    rev: '3.2.219'
+    hooks:
+      - id: checkov
+        language_version: python3.11
+        verbose: false
diff --git a/.terraform-docs.yaml b/.terraform-docs.yaml
@@ -0,0 +1,5 @@
+formatter: "" # this is required
+
+settings:
+  anchor: false
+  html: false
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/README.md b/README.md
@@ -10,6 +10,41 @@ This repo builds the ECR (Elastic Container Registry) repositories for container
 
 The only dependency is the ARN of the OpenID Connect Provider (placed in Parameter Store by the [mitlib-tf-workloads-init](https://github.com/MITLibraries/mitlib-tf-workloads-init) repo).
 
+### Pre-Commit Hooks
+
+For proper linting and checking, this repo uses pre-commit hooks. The following should be installed in the local workstation
+
+* [pre-commit](https://pre-commit.com/)
+* [terraform cli](https://developer.hashicorp.com/terraform/downloads)
+* [terraform-docs](https://terraform-docs.io/)
+* [checkov](https://github.com/bridgecrewio/checkov)
+
+After the first checkout locally, run the following command to initialize the pre-commit hooks.
+
+```bash
+pre-commit install  --hook-type pre-push
+```
+
+It is possible to run the pre-commit hooks manually. To run all the pre-commit hooks for this repo, run
+
+```bash
+pre-commit run --all-files
+```
+
+To run just the checkov checker, run
+
+```bash
+pre-commit run checkov
+```
+
+To run just the `terraform-docs` hook to update the README, run
+
+```bash
+pre-commit run terraform-docs-go
+```
+
+See [.pre-commit-config.yaml](./.pre-commit-config.yaml) for other pre-commit hooks that can be run.
+
 ## Usage
 
 There is a tight relationship between ECR repositories created here and the associated application repositories in GitHub due to the use of OIDC in the GitHub Actions in those application repositories. Make sure to coordinate any new ECR repositories with the developers building the applications that will be published there.
@@ -61,14 +96,14 @@ then replace all the ssm parameter references for `oidc_arn` with `aws_iam_openi
 
 | Name | Version |
 |------|---------|
-| terraform | ~> 1.2 |
-| aws | ~> 4.0 |
+| terraform | ~> 1.5 |
+| aws | ~> 5.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| aws | 4.37.0 |
+| aws | 5.62.0 |
 
 ## Modules
 
@@ -85,6 +120,7 @@ then replace all the ssm parameter references for `oidc_arn` with `aws_iam_openi
 | ecr\_patronload | ./modules/ecr | n/a |
 | ecr\_ppod | ./modules/ecr | n/a |
 | ecr\_sapinvoices | ./modules/ecr | n/a |
+| ecr\_sapinvoices\_ui | ./modules/ecr | n/a |
 | ecr\_timdex\_browsertrix | ./modules/ecr | n/a |
 | ecr\_timdex\_geo | ./modules/ecr | n/a |
 | ecr\_timdex\_lambdas | ./modules/ecr | n/a |
@@ -170,6 +206,10 @@ then replace all the ssm parameter references for `oidc_arn` with `aws_iam_openi
 | sapinvoices\_makefile | Full contents of the Makefile for the alma-sapinvoices repo (allows devs to push to Dev account only) |
 | sapinvoices\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the alma-sapinvoices repo |
 | sapinvoices\_stage\_build\_workflow | Full contents of the stage-build.yml for the alma-sapinvoices repo |
+| sapinvoices\_ui\_dev\_build\_workflow | Full contents of the dev-build.yml for the alma-sapinvoices-ui repo |
+| sapinvoices\_ui\_makefile | Full contents of the Makefile for the alma-sapinvoices-ui repo (allows devs to push to Dev account only) |
+| sapinvoices\_ui\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the alma-sapinvoices-ui repo |
+| sapinvoices\_ui\_stage\_build\_workflow | Full contents of the stage-build.yml for the alma-sapinvoices-ui repo |
 | tim\_dev\_build\_workflow | Full contents of the dev-build.yml for the timdex-index-manager repo |
 | tim\_makefile | Full contents of the Makefile for the timdex-index-manager repo (allows devs to push to Dev account only) |
 | tim\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the timdex-index-manager repo |
diff --git a/modules/ecr/.terraform.lock.hcl b/modules/ecr/.terraform.lock.hcl
diff --git a/modules/ecr/README.md b/modules/ecr/README.md
@@ -0,0 +1,55 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | ~> 1.5 |
+| aws | ~> 5.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | 5.62.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_ecr_lifecycle_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) | resource |
+| [aws_ecr_repository.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource |
+| [aws_iam_policy.rw_this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.gha_this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.gha_ecr_login](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.gha_ecr_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_ssm_parameter.ecr_repository_name](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
+| [aws_ssm_parameter.ecr_repository_url](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
+| [aws_ssm_parameter.gha_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
+| [aws_iam_policy_document.gh_trust](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.rw_this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| environment | The environment (dev, stage, or prod) | `string` | n/a | yes |
+| gh\_organization | The name of the GitHub Organization. | `string` | `"MITLibraries"` | no |
+| login\_policy\_arn | The ARN of the shared ECR login policy | `string` | n/a | yes |
+| oidc\_arn | The ARN of the OIDC profile | `string` | n/a | yes |
+| repo\_name | The name used for part of the ECR repo name - should be same as app repo name | `string` | n/a | yes |
+| tags | The additional app-repo name | `map(any)` | n/a | yes |
+| tfoutput\_ssm\_path | The Parameter Store output path loaded in the root module | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| gha\_role | Github action role used to update the ECR repository |
+| repo\_name | The repo\_name that was passed in to the module for naming purposes |
+| repository\_name | The name of the ECR repository |
+| repository\_url | The URL of the ECR repository |
+<!-- END_TF_DOCS -->
diff --git a/modules/ecr/versions.tf b/modules/ecr/versions.tf
@@ -3,12 +3,12 @@
 # Providers themselves are set in the `providers.tf` file.
 
 terraform {
-  required_version = "~> 1.2"
+  required_version = "~> 1.5"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.0"
+      version = "~> 5.0"
     }
   }
 }
diff --git a/versions.tf b/versions.tf
@@ -3,12 +3,12 @@
 # Providers themselves are set in the `providers.tf` file.
 
 terraform {
-  required_version = "~> 1.2"
+  required_version = "~> 1.5"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.0"
+      version = "~> 5.0"
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -3,12 +3,12 @@`
`3`	`3`	# Providers themselves are set in the `providers.tf` file.
`4`	`4`
`5`	`5`	`terraform {`
`6`		`- required_version = "~> 1.2"`
	`6`	`+ required_version = "~> 1.5"`
`7`	`7`
`8`	`8`	`required_providers {`
`9`	`9`	`aws = {`
`10`	`10`	`source = "hashicorp/aws"`
`11`		`- version = "~> 4.0"`
	`11`	`+ version = "~> 5.0"`
`12`	`12`	`}`
`13`	`13`	`}`
`14`	`14`	`}`