add option for cross-account write access to helm repo

Author: smiller171

.github/workflows/pre-commit.yaml

@@ -19,7 +19,7 @@ jobs:
       - name: initialize Terraform
         run: terraform init --backend=false
       - name: pre-commit
-        uses: pre-commit/[email protected].0
+        uses: pre-commit/[email protected].3
         env:
           AWS_DEFAULT_REGION: us-east-1
           # many of these are covered by better reviewdog linters below
@@ -28,12 +28,3 @@ jobs:
             no-commit-to-branch,
             terraform_tflint_nocreds,
             terraform_tfsec
-      - uses: stefanzweifel/git-auto-commit-action@v4
-        if: ${{ failure() }}
-        with:
-          commit_message: Apply automatic changes
-          commit_options: "--no-verify"
-          # Optional commit user and author settings
-          commit_user_name: Linter Bot
-          commit_user_email: [email protected]
-          commit_author: Linter Bot <[email protected]>

.github/workflows/pullRequest.yaml

@@ -37,10 +37,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - name: setup Terraform
-        uses: hashicorp/setup-terraform@v1
-        with:
-          terraform_version: 0.12.26
+      - name: Install prerequisites
+        run: ./bin/install-ubuntu.sh
       - name: Terraform init
         run: terraform init --backend=false
       - name: tflint
@@ -55,10 +53,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - name: setup Terraform
-        uses: hashicorp/setup-terraform@v1
-        with:
-          terraform_version: 0.12.26
+      - name: Install prerequisites
+        run: ./bin/install-ubuntu.sh
       - name: Terraform init
         run: terraform init --backend=false
       - name: tfsec

.github/workflows/tflint.yaml

@@ -13,10 +13,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - name: setup Terraform
-        uses: hashicorp/setup-terraform@v1
-        with:
-          terraform_version: 0.12.26
+      - name: Install prerequisites
+        run: ./bin/install-ubuntu.sh
       - name: Terraform init
         run: terraform init --backend=false
       - name: tflint

.github/workflows/tfsec.yaml

@@ -13,10 +13,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - name: setup Terraform
-        uses: hashicorp/setup-terraform@v1
-        with:
-          terraform_version: 0.12.26
+      - name: Install prerequisites
+        run: ./bin/install-ubuntu.sh
       - name: Terraform init
         run: terraform init --backend=false
       - name: tfsec

.pre-commit-config.yaml

@@ -1,17 +1,13 @@
+exclude: ".terraform"
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.31.0
+    rev: v1.50.0
     hooks:
       - id: terraform_docs
         always_run: true
         args:
           - --args=--sort-by-required
       - id: terraform_fmt
-      - id: terraform_tflint
-        alias: terraform_tflint_deep
-        name: terraform_tflint_deep
-        args:
-          - --args=--deep
       - id: terraform_tflint
         alias: terraform_tflint_nocreds
         name: terraform_tflint_nocreds
@@ -33,14 +29,15 @@ repos:
               cd $(dirname "$FILE")
               terraform init --backend=false
               terraform validate .
+              cd ..
             done
           '
         language: system
         verbose: true
         files: \.tf(vars)?$
         exclude: examples
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v3.0.0
+    rev: v3.4.0
     hooks:
       - id: check-case-conflict
       - id: check-json

.terraform-version

@@ -0,0 +1 @@
+latest:^0.13

.tflint.hcl

@@ -1,6 +1,5 @@
 config {
   module     = true
-  deep_check = false
 }
 
 rule "terraform_deprecated_interpolation" {

README.md

@@ -20,29 +20,45 @@ module {
 
 | Name | Version |
 |------|---------|
-| terraform | >= 0.12.19 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.19 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.0.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| aws | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.0.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| allowed\_account\_ids | List of AWS account IDs to grant read-only access to the repo. Due to how policies are constructed, there's effectively a limit of about 9 accounts. | `list(string)` | `[]` | no |
-| logging\_bucket | S3 bucket name to log bucket access requests to (optional) | `string` | `null` | no |
-| logging\_bucket\_prefix | S3 bucket prefix to log bucket access requests to (optional). If blank but a `logging_bucket` is specified, this will be set to the name of the bucket | `string` | `null` | no |
-| name | Bucket name for the helm repo. Specify to control the exact name of the bucket, otherwise use `name_suffix` | `string` | `null` | no |
-| name\_suffix | Bucket suffix for the repo (bucket will be named `[ACCOUNT_ID]-[REGION]-[name_suffix]`, not used if `name` is specified) | `string` | `"helmrepo"` | no |
-| tags | Tags to add to supported resources | `map(string)` | `{}` | no |
+| <a name="input_allow_cross_account_write"></a> [allow\_cross\_account\_write](#input\_allow\_cross\_account\_write) | Allow write access to helm repo from `allowed_account_ids` | `bool` | `false` | no |
+| <a name="input_allowed_account_ids"></a> [allowed\_account\_ids](#input\_allowed\_account\_ids) | List of AWS account IDs to grant read-only access to the repo. Due to how policies are constructed, there's effectively a limit of about 9 accounts. | `list(string)` | `[]` | no |
+| <a name="input_logging_bucket"></a> [logging\_bucket](#input\_logging\_bucket) | S3 bucket name to log bucket access requests to (optional) | `string` | `null` | no |
+| <a name="input_logging_bucket_prefix"></a> [logging\_bucket\_prefix](#input\_logging\_bucket\_prefix) | S3 bucket prefix to log bucket access requests to (optional). If blank but a `logging_bucket` is specified, this will be set to the name of the bucket | `string` | `null` | no |
+| <a name="input_name"></a> [name](#input\_name) | Bucket name for the helm repo. Specify to control the exact name of the bucket, otherwise use `name_suffix` | `string` | `null` | no |
+| <a name="input_name_suffix"></a> [name\_suffix](#input\_name\_suffix) | Bucket suffix for the repo (bucket will be named `[ACCOUNT_ID]-[REGION]-[name_suffix]`, not used if `name` is specified) | `string` | `"helmrepo"` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Tags to add to supported resources | `map(string)` | `{}` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| s3\_bucket | Bucket name of the repo |
-
+| <a name="output_s3_bucket"></a> [s3\_bucket](#output\_s3\_bucket) | Bucket name of the repo |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

bin/install-macos.sh

@@ -14,5 +14,4 @@ git config --global init.templateDir ~/.git-template
 pre-commit init-templatedir ~/.git-template
 
 echo 'installing terraform with tfenv'
-tfenv install min-required
-tfenv use min-required
+tfenv install

bin/install-ubuntu.sh

@@ -3,8 +3,9 @@
 echo 'installing dependencies'
 sudo apt install python3-pip gawk &&\
 pip3 install pre-commit
-curl -L "$(curl -s https://api.github.com/repos/segmentio/terraform-docs/releases/latest | grep -o -E "https://.+?-linux-amd64")" > terraform-docs && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/
-curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/
+tfdocs_latest_dl_url=$(curl -sL https://api.github.com/repos/terraform-docs/terraform-docs/releases/latest | grep -o -E "https://.+?-linux-amd64" | tail -n1)
+curl -L "$tfdocs_latest_dl_url" > terraform-docs && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/
+curl -L "$(curl -sL https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/
 env GO111MODULE=on go get -u github.com/liamg/tfsec/cmd/tfsec
 git clone https://github.com/tfutils/tfenv.git ~/.tfenv || true
 mkdir -p ~/.local/bin/
@@ -19,5 +20,4 @@ git config --global init.templateDir ~/.git-template
 pre-commit init-templatedir ~/.git-template
 
 echo 'installing terraform with tfenv'
-tfenv install min-required
-tfenv use min-required
+tfenv install