adds Module Code (#1)

* adds module code and documentation

* adds basic example and documentation

Author: ksatirli

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @ksatirli @drewmullen

.github/workflows/snyk.yml

@@ -0,0 +1,51 @@
+---
+name: "Security Scan: Snyk IaC"
+
+on:
+  pull_request:
+
+jobs:
+  snyk:
+    runs-on: ubuntu-latest
+
+    strategy:
+      # see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategyfail-fast
+      fail-fast: false
+      matrix:
+        # The Snyk IaC GitHub Action currently only supports single files (via the `file` attribute in `with`).
+        # To work around this, a GitHub Actions Strategy is used to provide the files that should be tested.
+        terraform_files:
+          - iam.tf
+          - main.tf
+          - networking.tf
+          - outputs.tf
+          - storage.tf
+          - terraform.tf
+          - variables.tf
+          - examples/basic/main.tf
+          - examples/basic/providers.tf
+          - examples/basic/terraform.tf
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 1
+
+      # see https://github.com/snyk/actions/tree/master/iac
+      - name: Lint Code with Snyk
+        uses: snyk/actions/iac@master
+        env:
+          # see https://github.com/snyk/actions#getting-your-snyk-token
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          file: ${{ matrix.terraform_files }}
+          # see https://docs.snyk.io/products/snyk-infrastructure-as-code/snyk-cli-for-infrastructure-as-code/iac-ignores-using-the-.snyk-policy-file#policy-flags-and-policy-file-notes
+          args: --policy-path=.snyk --org=${{ secrets.SNYK_ORG }}
+          sarif: true
+
+      # see https://github.com/github/codeql-action/tree/main/upload-sarif
+      - name: Upload Snyk IaC results to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: snyk.sarif

.github/workflows/superlinter.yml

@@ -0,0 +1,28 @@
+---
+name: "Code Quality: Super-Linter"
+
+on:
+  pull_request:
+
+jobs:
+  superlinter:
+    name: Super-Linter
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v2
+        with:
+          # Full git history is needed to get a proper list of changed files within `super-linter`
+          fetch-depth: 0
+
+      - name: Lint Code with Super-Linter
+        uses: github/super-linter@v4
+        env:
+          VALIDATE_ALL_CODEBASE: true
+          DEFAULT_BRANCH: "main"
+          DISABLE_ERRORS: false
+          TERRAFORM_TFLINT_CONFIG_FILE: ".tflint.hcl"
+          VALIDATE_BASH: true
+          VALIDATE_JSON: true
+          VALIDATE_MD: true
+          VALIDATE_TERRAFORM: true

.github/workflows/terraform-docs.yml

@@ -0,0 +1,28 @@
+---
+name: "Documentation: terraform-docs"
+
+on:
+  pull_request:
+
+jobs:
+  docs:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+
+      - name: Render documentation for Module and push changes back to branch
+        uses: terraform-docs/[email protected]
+        with:
+          config-file: ".terraform-docs.yml"
+          output-file: "README.md"
+          git-push: true
+
+      - name: Render documentation for `basic` example and push changes back to branch
+        uses: terraform-docs/[email protected]
+        with:
+          config-file: "../../.terraform-docs.yml"
+          output-file: "README.md"
+          git-push: true
+          working-dir: "./examples/basic"

.github/workflows/tfsec.yml

@@ -0,0 +1,28 @@
+---
+name: "Security Scan: tfsec"
+
+on:
+  pull_request:
+
+jobs:
+  tfsec:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 1
+
+      # see https://aquasecurity.github.io/tfsec/v0.63.1/getting-started/configuration/github-actions/github-action/
+      - name: Lint Code with tfsec
+        uses: aquasecurity/tfsec-sarif-action@master
+        with:
+          config_file: tfsec.yml
+          sarif_file: tfsec.sarif
+
+      # see https://github.com/github/codeql-action/tree/main/upload-sarif
+      - name: Upload tfsec results to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: tfsec.sarif

.pre-commit-config.yaml

@@ -0,0 +1,72 @@
+---
+
+fail_fast: true
+minimum_pre_commit_version: "2.6.0"
+
+repos:
+  - # see https://github.com/pre-commit/pre-commit-hooks
+    repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.1.0
+    hooks:
+      - id: check-added-large-files
+        name: Check for accidentally added Large Files
+
+      - id: check-case-conflict
+        name: Check for cross-OS File Name Case Conflicts
+
+      - id: check-merge-conflict
+        name: Check for Git Merge Conflicts
+
+      - id: check-vcs-permalinks
+        name: Check VCS Permalinks
+
+      - id: check-json
+        name: Validate JSON files
+
+      - id: check-yaml
+        name: Validate YAML files
+
+  - # see https://github.com/antonbabenko/pre-commit-terraform
+    repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.64.0
+    hooks:
+      # see https://github.com/antonbabenko/pre-commit-terraform#terraform_fmt
+      - id: terraform_fmt
+        name: Run `terraform fmt` recursively
+        args:
+          - --args=-recursive
+
+      # see https://github.com/antonbabenko/pre-commit-terraform#terraform_validate
+      - id: terraform_validate
+        name: Run `terraform validate` against `examples/basic`
+        files: examples/basic
+
+      # see https://github.com/antonbabenko/pre-commit-terraform#terraform_docs
+      - id: terraform_docs
+        name: Render documentation for Module
+        args:
+          - "--args=--config=.terraform-docs.yml"
+
+      # see https://github.com/antonbabenko/pre-commit-terraform#terraform_docs
+      - id: terraform_docs
+        name: Render documentation for `basic` example
+        files: examples/basic
+        args:
+          - "--args=--config=.terraform-docs.yml"
+
+      # see https://github.com/antonbabenko/pre-commit-terraform#terraform_providers_lock
+      - id: terraform_providers_lock
+        name: Run `terraform init` and `terraform providers lock`
+
+      # see https://github.com/antonbabenko/pre-commit-terraform#terraform_tflint
+      - id: terraform_tflint
+        name: Run `tflint`
+        args:
+          - "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"
+
+      # see https://github.com/antonbabenko/pre-commit-terraform#terraform_tfsec
+      - id: terraform_tfsec
+        name: Run `tfsec` against `examples/basic`
+        files: "examples/basic"
+        args:
+          - --args= --config-file=__GIT_WORKING_DIR__/tfsec.yml

.snyk

@@ -0,0 +1,35 @@
+version: v1.22.1
+
+# see https://docs.snyk.io/products/snyk-infrastructure-as-code/snyk-cli-for-infrastructure-as-code/iac-ignores-using-the-.snyk-policy-file
+ignore:
+  # see https://snyk.io/security-rules/SNYK-CC-TF-4
+  SNYK-CC-TF-4:
+    - 'storage.tf > input > resource > aws_s3_bucket[main]':
+        reason: Contents of S3 Bucket are meant for public consumption, encryption not required.
+
+  # see https://snyk.io/security-rules/SNYK-CC-TF-45
+  SNYK-CC-TF-45:
+    - 'storage.tf > input > resource > aws_s3_bucket[main] > logging':
+        reason: Contents of S3 Bucket are meant for public consumption, logging not required.
+
+  # see # see https://snyk.io/security-rules/SNYK-CC-TF-95
+  SNYK-CC-TF-95:
+    - 'storage.tf > resource > aws_s3_bucket_public_access_block[main] > block_public_acls':
+        reason: Contents of S3 Bucket are meant for public consumption, public access is intentional.
+
+  # see https://snyk.io/security-rules/SNYK-CC-TF-116
+  SNYK-CC-TF-116:
+    - 'iam.tf > resource > aws_iam_user_policy[main]':
+        reason: Policy is user-specific and therefore attached directly (increase of management overhead is negligible due to use of Terraform).
+
+  # see https://snyk.io/security-rules/SNYK-CC-TF-124
+  SNYK-CC-TF-124:
+    - 'storage.tf > resource > aws_s3_bucket[main] > versioning > enabled':
+        reason: Contents of S3 Bucket are meant for public consumption, versioning not required.
+
+  # see https://snyk.io/security-rules/SNYK-CC-TF-127
+  SNYK-CC-TF-127:
+    - 'storage.tf > resource > aws_s3_bucket[main] > versioning > mfa_delete':
+        reason: Contents of S3 Bucket are meant for public consumption, MFA-Delete not required (or supported by Dropshare.app).
+
+patch: {}

.terraform-docs.yml

@@ -0,0 +1,38 @@
+---
+
+# see https://terraform-docs.io/user-guide/configuration/formatter/
+formatter: "markdown table"
+
+# see https://terraform-docs.io/user-guide/configuration/output/
+output:
+  file: "README.md"
+  mode: inject
+  template: |-
+    <!-- BEGIN_TF_DOCS -->
+    {{ .Content }}
+    <!-- END_TF_DOCS -->
+
+# see https://terraform-docs.io/user-guide/configuration/settings/
+settings:
+  anchor: false
+  color: true
+  default: true
+  escape: true
+  indent: 3
+  required: true
+  sensitive: true
+  type: true
+
+# see https://terraform-docs.io/user-guide/configuration/sort/
+sort:
+  enabled: true
+  by: required
+
+# see https://terraform-docs.io/user-guide/configuration/sections/
+sections:
+  show:
+    - inputs
+    - outputs
+
+# see https://terraform-docs.io/user-guide/configuration/version/
+version: ">= 0.16.0, < 1.0.0"

.tflint.hcl

@@ -0,0 +1,66 @@
+# https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/module-inspection.md
+# borrowed & modified indefinitely from https://github.com/ksatirli/building-infrastructure-you-can-mostly-trust/blob/main/.tflint.hcl
+
+config {
+  module     = true
+  force      = false
+}
+
+plugin "aws" {
+  enabled = true
+  version = "0.12.0"
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+}
+
+rule "terraform_required_providers" {
+  enabled = true
+}
+
+rule "terraform_required_version" {
+  enabled = true
+}
+
+rule "terraform_naming_convention" {
+  enabled = true
+  format  = "snake_case"
+}
+
+rule "terraform_typed_variables" {
+  enabled = true
+}
+
+rule "terraform_unused_declarations" {
+  enabled = true
+}
+
+rule "terraform_comment_syntax" {
+  enabled = true
+}
+
+rule "terraform_deprecated_index" {
+  enabled = true
+}
+
+rule "terraform_deprecated_interpolation" {
+  enabled = true
+}
+
+rule "terraform_documented_outputs" {
+  enabled = true
+}
+
+rule "terraform_documented_variables" {
+  enabled = true
+}
+
+rule "terraform_module_pinned_source" {
+  enabled = true
+}
+
+rule "terraform_standard_module_structure" {
+  enabled = true
+}
+
+rule "terraform_workspace_remote" {
+  enabled = true
+}