Merge https://github.com/cisagov/skeleton-tf-module into lineage/skel…

…eton

# Conflicts:
#	.github/dependabot.yml
#	README.md
#	examples/basic_usage/README.md
#	examples/basic_usage/versions.tf

.bandit.yml

@@ -3,7 +3,7 @@
 # https://bandit.readthedocs.io/en/latest/config.html
 
 # Tests are first included by `tests`, and then excluded by `skips`.
-# If `tests` is empty, all tests are are considered included.
+# If `tests` is empty, all tests are considered included.
 
 tests:
 # - B101

.github/dependabot.yml

@@ -5,30 +5,49 @@
 # these updates when the pull request(s) in the appropriate skeleton are merged
 # and Lineage processes these changes.
 
-version: 2
 updates:
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "weekly"
+  - directory: /
     ignore:
       # Managed by cisagov/skeleton-generic
       - dependency-name: actions/cache
       - dependency-name: actions/checkout
       - dependency-name: actions/setup-go
       - dependency-name: actions/setup-python
+      - dependency-name: crazy-max/ghaction-dump-context
+      - dependency-name: crazy-max/ghaction-github-labeler
+      - dependency-name: crazy-max/ghaction-github-status
       - dependency-name: hashicorp/setup-terraform
       - dependency-name: mxschmitt/action-tmate
-
-  - package-ecosystem: "pip"
-    directory: "/"
+      - dependency-name: step-security/harden-runner
+    package-ecosystem: github-actions
     schedule:
-      interval: "weekly"
+      interval: weekly
 
-  - package-ecosystem: "terraform"
-    directory: "/"
+  - directory: /
+    package-ecosystem: pip
     schedule:
+<<<<<<< HEAD
       interval: "weekly"
     # Managed by cisagov/skeleton-tf-module
     ignore:
       - dependency-name: "hashicorp/aws"
+=======
+      interval: weekly
+
+  - directory: /
+    # ignore:
+    #   # Managed by cisagov/skeleton-tf-module
+    #   - dependency-name: hashicorp/aws
+    package-ecosystem: terraform
+    schedule:
+      interval: weekly
+
+  - directory: /examples/basic_usage
+    # ignore:
+    #   # Managed by cisagov/skeleton-tf-module
+    #   - dependency-name: hashicorp/aws
+    package-ecosystem: terraform
+    schedule:
+      interval: weekly
+version: 2
+>>>>>>> ca595f9c79703822f1dd9879155f33b1167d15cb

.github/workflows/build.yml

@@ -14,12 +14,36 @@ env:
   RUN_TMATE: ${{ secrets.RUN_TMATE }}
 
 jobs:
+  diagnostics:
+    name: Run diagnostics
+    runs-on: ubuntu-latest
+    steps:
+      # Note that a duplicate of this step must be added at the top of
+      # each job.
+      - id: harden-runner
+        name: Harden the runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+      - id: github-status
+        name: Check GitHub status
+        uses: crazy-max/ghaction-github-status@v3
+      - id: dump-context
+        name: Dump context
+        uses: crazy-max/ghaction-dump-context@v2
   lint:
+    needs:
+      - diagnostics
     runs-on: ubuntu-latest
     steps:
+      - id: harden-runner
+        name: Harden the runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - id: setup-env
         uses: cisagov/setup-env-github-action@develop
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - id: setup-python
         uses: actions/setup-python@v4
         with:
@@ -80,11 +104,26 @@ jobs:
       - uses: hashicorp/setup-terraform@v2
         with:
           terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
+      - name: Install go-critic
+        env:
+          PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic
+          PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }}
+        run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
+      - name: Install gosec
+        env:
+          PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec
+          PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }}
+        run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
       - name: Install shfmt
         env:
           PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt
           PACKAGE_VERSION: ${{ steps.setup-env.outputs.shfmt-version }}
         run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
+      - name: Install staticcheck
+        env:
+          PACKAGE_URL: honnef.co/go/tools/cmd/staticcheck
+          PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }}
+        run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
       - name: Install Terraform-docs
         env:
           PACKAGE_URL: github.com/terraform-docs/terraform-docs

.github/workflows/sync-labels.yml

@@ -19,10 +19,10 @@ jobs:
       issues: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Sync repository labels
         if: success()
-        uses: crazy-max/ghaction-github-labeler@v4
+        uses: crazy-max/ghaction-github-labeler@v5
         with:
           # This is a hideous ternary equivalent so we only do a dry run unless
           # this workflow is triggered by the develop branch.

.pre-commit-config.yaml

@@ -31,13 +31,13 @@ repos:
 
   # Text file hooks
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.34.0
+    rev: v0.36.0
     hooks:
       - id: markdownlint
         args:
           - --config=.mdl_config.yaml
   - repo: https://github.com/pre-commit/mirrors-prettier
-    rev: v3.0.0-alpha.9-for-vscode
+    rev: v3.0.3
     hooks:
       - id: prettier
   - repo: https://github.com/adrienverge/yamllint
@@ -49,14 +49,14 @@ repos:
 
   # GitHub Actions hooks
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.23.1
+    rev: 0.26.3
     hooks:
       - id: check-github-actions
       - id: check-github-workflows
 
   # pre-commit hooks
   - repo: https://github.com/pre-commit/pre-commit
-    rev: v3.3.2
+    rev: v3.4.0
     hooks:
       - id: validate_manifest
 
@@ -79,6 +79,12 @@ repos:
       # GoSec
       - id: go-sec-repo-mod
 
+  # Nix hooks
+  - repo: https://github.com/nix-community/nixpkgs-fmt
+    rev: v1.3.0
+    hooks:
+      - id: nixpkgs-fmt
+
   # Shell script hooks
   - repo: https://github.com/cisagov/pre-commit-shfmt
     rev: v0.0.2
@@ -106,12 +112,12 @@ repos:
       - id: bandit
         args:
           - --config=.bandit.yml
-  - repo: https://github.com/psf/black
-    rev: 23.3.0
+  - repo: https://github.com/psf/black-pre-commit-mirror
+    rev: 23.9.1
     hooks:
       - id: black
   - repo: https://github.com/PyCQA/flake8
-    rev: 6.0.0
+    rev: 6.1.0
     hooks:
       - id: flake8
         additional_dependencies:
@@ -121,24 +127,24 @@ repos:
     hooks:
       - id: isort
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.3.0
+    rev: v1.5.1
     hooks:
       - id: mypy
   - repo: https://github.com/asottile/pyupgrade
-    rev: v3.4.0
+    rev: v3.10.1
     hooks:
       - id: pyupgrade
 
   # Ansible hooks
-  - repo: https://github.com/ansible-community/ansible-lint
-    rev: v6.17.0
+  - repo: https://github.com/ansible/ansible-lint
+    rev: v6.19.0
     hooks:
       - id: ansible-lint
       # files: molecule/default/playbook.yml
 
   # Terraform hooks
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.80.0
+    rev: v1.83.2
     hooks:
       - id: terraform_fmt
       - id: terraform_validate

.terraform-docs.yml

@@ -0,0 +1,13 @@
+---
+formatter: markdown table
+output:
+  file: README.md
+  mode: inject
+  template: |-
+    <!-- BEGIN_TF_DOCS -->
+    {{ .Content }}
+    <!-- END_TF_DOCS -->
+settings:
+  anchor: false
+  html: false
+  lockfile: false

README.md

@@ -36,21 +36,26 @@ users allowed to provision assessment environments in the COOL.
 1. Run the command `terraform init`.
 1. Run the command `terraform apply -var-file=<workspace_name>.tfvars`.
 
+<!-- BEGIN_TF_DOCS -->
 ## Requirements ##
 
 | Name | Version |
 |------|---------|
 | terraform | ~> 1.0 |
-| aws | ~> 3.38 |
+| aws | ~> 4.9 |
 
 ## Providers ##
 
 | Name | Version |
 |------|---------|
+<<<<<<< HEAD
 | aws | ~> 3.38 |
 | aws.organizationsreadonly | ~> 3.38 |
 | aws.users | ~> 3.38 |
 | terraform | n/a |
+=======
+| aws | ~> 4.9 |
+>>>>>>> ca595f9c79703822f1dd9879155f33b1167d15cb
 
 ## Modules ##
 
@@ -94,8 +99,17 @@ No modules.
 
 | Name | Description |
 |------|-------------|
+<<<<<<< HEAD
 | assessment\_provisioners\_group | The IAM group whose members are allowed to provision assessment environments. |
 | assessment\_provisioners\_policy | The IAM policy in the Users account that allows the assessment provisioners group to assume the provisioning role in assessment accounts. |
+=======
+| arn | The EC2 instance ARN. |
+| availability\_zone | The AZ where the EC2 instance is deployed. |
+| id | The EC2 instance ID. |
+| private\_ip | The private IP of the EC2 instance. |
+| subnet\_id | The ID of the subnet where the EC2 instance is deployed. |
+<!-- END_TF_DOCS -->
+>>>>>>> ca595f9c79703822f1dd9879155f33b1167d15cb
 
 ## Notes ##
 

examples/basic_usage/README.md

@@ -0,0 +1,55 @@
+# Launch an example EC2 instance in a new VPC #
+
+## Usage ##
+
+To run this example you need to execute the `terraform init` command
+followed by the `terraform apply` command.
+
+Note that this example may create resources which cost money. Run
+`terraform destroy` when you no longer need these resources.
+
+## Requirements ##
+
+| Name | Version |
+|------|---------|
+| terraform | ~> 1.0 |
+| aws | ~> 4.9 |
+
+## Providers ##
+
+| Name | Version |
+|------|---------|
+| aws | ~> 4.9 |
+
+## Modules ##
+
+| Name | Source | Version |
+|------|--------|---------|
+| example | ../../ | n/a |
+
+## Resources ##
+
+| Name | Type |
+|------|------|
+| [aws_subnet.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
+| [aws_vpc.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource |
+
+## Inputs ##
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| ami\_owner\_account\_id | The ID of the AWS account that owns the AMI, or "self" if the AMI is owned by the same account as the provisioner. | `string` | `"self"` | no |
+| aws\_availability\_zone | The AWS availability zone to deploy into (e.g. a, b, c, etc.). | `string` | `"a"` | no |
+| aws\_region | The AWS region to deploy into (e.g. us-east-1). | `string` | `"us-east-1"` | no |
+| tags | Tags to apply to all AWS resources created. | `map(string)` | ```{ "Testing": true }``` | no |
+| tf\_role\_arn | The ARN of the role that can terraform non-specialized resources. | `string` | n/a | yes |
+
+## Outputs ##
+
+| Name | Description |
+|------|-------------|
+| arn | The EC2 instance ARN. |
+| availability\_zone | The AZ where the EC2 instance is deployed. |
+| id | The EC2 instance ID. |
+| private\_ip | The private IP of the EC2 instance. |
+| subnet\_id | The ID of the subnet where the EC2 instance is deployed. |

examples/basic_usage/versions.tf

@@ -0,0 +1,23 @@
+terraform {
+  # We want to hold off on 1.1 or higher until we have tested it.
+  required_version = "~> 1.0"
+
+  # If you use any other providers you should also pin them to the
+  # major version currently being used.  This practice will help us
+  # avoid unwelcome surprises.
+  required_providers {
+    # Version 4.9 of the Terraform AWS provider made changes to the S3 bucket
+    # refactor that is in place for versions 4.0-4.8 of the provider. With v4.9
+    # only non-breaking changes and deprecation notices are introduced. Using
+    # this version will simplify migration to the new, broken out AWS S3 bucket
+    # configuration resources. Please see
+    # https://github.com/hashicorp/terraform-provider-aws/pull/23985
+    # for more information about the changes in v4.9 and
+    # https://www.hashicorp.com/blog/terraform-aws-provider-4-0-refactors-s3-bucket-resource
+    # for more information about the S3 bucket refactor.
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.9"
+    }
+  }
+}