configure precommit ci (#6)

* Adding pre-commit config

* Adding markdown files

* [pre-commit.ci lite] apply automatic fixes

* Fix lint

* Remove unused code

---------

Co-authored-by: pre-commit-ci-lite[bot] <117423508+pre-commit-ci-lite[bot]@users.noreply.github.com>

.github/workflows/pre-commit.yaml

@@ -0,0 +1,47 @@
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+jobs:
+  pre_commit:
+    name: Run pre-commit and commit any autocorrections
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v3
+      with:
+        terraform_version: 1.6.6
+    - name: Setup Terragrunt
+      uses: autero1/action-terragrunt@v1.1.0
+      with:
+        terragrunt_version: 0.54.8
+        # To avoid rate-limiting
+        token: ${{ secrets.GITHUB_TOKEN }}
+    - uses: terraform-linters/setup-tflint@v3
+      name: TFLint - Setup
+      with:
+        tflint_version: latest
+
+    - name: TFLint - Init
+      run: tflint --init
+      env:
+        # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+        GITHUB_TOKEN: ${{ github.token }}
+    - name: TFLint - Show version
+      run: tflint --version
+    - uses: actions/setup-python@v4
+      with:
+        python-version: 3.x
+    - name: Terraform Docs - Install
+      run: |
+        curl -sSLo ./terraform-docs.tar.gz https://terraform-docs.io/dl/v0.17.0/terraform-docs-v0.17.0-$(uname)-amd64.tar.gz
+        tar -xzf terraform-docs.tar.gz -- terraform-docs
+        chmod +x terraform-docs
+        echo $PATH
+        mv terraform-docs /usr/local/bin/terraform-docs
+        terraform-docs --version
+    - uses: pre-commit/action@v3.0.0
+    - uses: pre-commit-ci/lite-action@v1.0.1
+      if: always()

.gitignore

@@ -1 +1,2 @@
 terraform.tfstate*
+.terraform

.pre-commit-config.yaml

@@ -2,18 +2,30 @@
 # See https://pre-commit.com/hooks.html for more hooks
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v4.5.0
     hooks:
     -   id: trailing-whitespace
     -   id: end-of-file-fixer
     -   id: check-yaml
         args: ["--allow-multiple-documents"]
     -   id: check-added-large-files
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.77.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+    rev: v1.85.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
     hooks:
       - id: terraform_fmt     #  args: ["--enable require-variable-braces,deprecate-which"]
       - id: terraform_tflint
-        exclude: .*
+        args:
+          - "--args=--fix"
       - id: terragrunt_fmt
       - id: terraform_docs
+ci:
+    autofix_commit_msg: |
+        [pre-commit.ci] auto fixes from pre-commit.com hooks
+
+        for more information, see https://pre-commit.ci
+    autofix_prs: true
+    autoupdate_branch: ''
+    autoupdate_commit_msg: '[pre-commit.ci] pre-commit autoupdate'
+    autoupdate_schedule: weekly
+    skip: [terraform_fmt, terraform_tflint, terragrunt_fmt, terraform_docs]
+    submodules: false

LICENSE.md

@@ -0,0 +1,34 @@
+# License
+
+As a work of the [United States government](https://www.usa.gov/), this project
+is in the public domain within the United States of America.
+
+Additionally, we waive copyright and related rights in the work worldwide
+through the CC0 1.0 Universal public domain dedication.
+
+## CC0 1.0 Universal Summary
+
+This is a human-readable summary of the [Legal Code (read the full
+text)](https://creativecommons.org/publicdomain/zero/1.0/legalcode).
+
+### No Copyright
+
+The person who associated a work with this deed has dedicated the work to the
+public domain by waiving all of their rights to the work worldwide under
+copyright law, including all related and neighboring rights, to the extent
+allowed by law.
+
+You can copy, modify, distribute, and perform the work, even for commercial
+purposes, all without asking permission.
+
+### Other Information
+
+In no way are the patent or trademark rights of any person affected by CC0, nor
+are the rights that other persons may have in the work or in how the work is
+used, such as publicity or privacy rights.
+
+Unless expressly stated otherwise, the person who associated a work with this
+deed makes no warranties about the work, and disclaims liability for all uses
+of the work, to the fullest extent permitted by applicable law. When using or
+citing the work, you should not imply endorsement by the author or the
+affirmer.

README.md

@@ -0,0 +1,66 @@
+# batcave-tf-serverless
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.2 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.61.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.61.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_alb"></a> [alb](#module\_alb) | terraform-aws-modules/alb/aws | ~> 6.0 |
+| <a name="module_lambda"></a> [lambda](#module\_lambda) | terraform-aws-modules/lambda/aws | ~> 3.1 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_lambda_permission.alb_to_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
+| [aws_lb_target_group_attachment.alb_to_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group_attachment) | resource |
+| [aws_route53_record.dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_security_group.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.https-ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.ingress_cidrs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.ingress_prefix_list](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_acm_certificate.acm_certificate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/acm_certificate) | data source |
+| [aws_route53_zone.dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_alb_access_logs"></a> [alb\_access\_logs](#input\_alb\_access\_logs) | Map of aws\_lb access\_log config | `map(any)` | `{}` | no |
+| <a name="input_base_domain"></a> [base\_domain](#input\_base\_domain) | The base domain of the services the lambda should be requesting to.  eg: 'batcave.internal.cms.gov' | `string` | n/a | yes |
+| <a name="input_create_custom_domain"></a> [create\_custom\_domain](#input\_create\_custom\_domain) | Optionally create a custom domain for this serverless service | `bool` | `false` | no |
+| <a name="input_custom_subdomain"></a> [custom\_subdomain](#input\_custom\_subdomain) | Subdomain for the optionally created dns records | `string` | `"status"` | no |
+| <a name="input_frontend_subnets"></a> [frontend\_subnets](#input\_frontend\_subnets) | List of subnet ids to house the front-end of this lambda (such as Shared subnet or Transport subnet) | `list(any)` | n/a | yes |
+| <a name="input_iam_role_path"></a> [iam\_role\_path](#input\_iam\_role\_path) | n/a | `string` | `"/delegatedadmin/developer/"` | no |
+| <a name="input_iam_role_permissions_boundary"></a> [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | n/a | `string` | `""` | no |
+| <a name="input_ingress_cidrs"></a> [ingress\_cidrs](#input\_ingress\_cidrs) | List of CIDR Blocks to attach to ALB Security Group | `list(any)` | <pre>[<br>  "10.0.0.0/8"<br>]</pre> | no |
+| <a name="input_ingress_prefix_lists"></a> [ingress\_prefix\_lists](#input\_ingress\_prefix\_lists) | List of prefix lists to attach to ALB Security Group | `list(any)` | `[]` | no |
+| <a name="input_ingress_sgs"></a> [ingress\_sgs](#input\_ingress\_sgs) | A list of security groups in which https ingress rules will be created | `list(string)` | `[]` | no |
+| <a name="input_lambda_environment"></a> [lambda\_environment](#input\_lambda\_environment) | Environment variables used by the lambda function. | `map(string)` | `null` | no |
+| <a name="input_lambda_handler"></a> [lambda\_handler](#input\_lambda\_handler) | The entry point of the lambda (i.e. the fully qualified name of the function to be invoked: file-or-module-name.function-name) | `string` | n/a | yes |
+| <a name="input_lambda_path"></a> [lambda\_path](#input\_lambda\_path) | Path to the lambda code | `string` | `"lambda"` | no |
+| <a name="input_lambda_runtime"></a> [lambda\_runtime](#input\_lambda\_runtime) | The runtime environment to use for this lambda (e.g. 'python3.9' or 'nodejs16.x') | `string` | `"nodejs16.x"` | no |
+| <a name="input_lambda_timeout"></a> [lambda\_timeout](#input\_lambda\_timeout) | The number of seconds the lambda will be allowed to execute before timing out | `number` | `3` | no |
+| <a name="input_private_subnets"></a> [private\_subnets](#input\_private\_subnets) | List of subnet ids where the lambda will execute | `list(any)` | n/a | yes |
+| <a name="input_route53_zone_type"></a> [route53\_zone\_type](#input\_route53\_zone\_type) | Optionally create DNS records, and lookup either 'private' or 'public' r53 zone | `string` | `"private"` | no |
+| <a name="input_service_name"></a> [service\_name](#input\_service\_name) | Name of the serverless service | `string` | `"batcave-status"` | no |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID where the lambda will execute | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

SECURITY.md

@@ -0,0 +1,17 @@
+# Security and Responsible Disclosure Policy
+
+*Submit a vulnerability:* Unfortunately, we cannot accept secure submissions via
+email or via GitHub Issues. Please use our website to submit vulnerabilities at
+[https://hhs.responsibledisclosure.com](https://hhs.responsibledisclosure.com).
+HHS maintains an acknowledgements page to recognize your efforts on behalf of
+the American public, but you are also welcome to submit anonymously.
+
+Review the HHS Disclosure Policy and websites in scope:
+[https://www.hhs.gov/vulnerability-disclosure-policy/index.html](https://www.hhs.gov/vulnerability-disclosure-policy/index.html).
+
+This policy describes *what systems and types of research* are covered under this
+policy, *how to send* us vulnerability reports, and *how long* we ask security
+researchers to wait before publicly disclosing vulnerabilities.
+
+If you have other cybersecurity related questions, please contact us at
+[csirc@hhs.gov.](mailto:csirc@hhs.gov).

acm.tf

@@ -4,4 +4,3 @@ data "aws_acm_certificate" "acm_certificate" {
   types       = ["AMAZON_ISSUED"]
   most_recent = true
 }
-

locals.tf

@@ -1,15 +1,6 @@
 # Local variables used around the module
 locals {
-  # Naming
-  service_name                  = var.service_name
-  stage                         = var.environment
-  resource_prefix               = "${local.stage}-${local.service_name}"
-  iam_role_path                 = var.iam_role_path
-  iam_role_permissions_boundary = var.iam_role_permissions_boundary
 
   # VPC
-  vpc_id  = var.vpc_id
-  subnets = var.private_subnets
+  vpc_id = var.vpc_id
 }
-
-data "aws_caller_identity" "current" {}

main.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.61.0"
+    }
+  }
+  required_version = ">= 1.2"
+}

security_group.tf

@@ -45,12 +45,12 @@ resource "aws_security_group_rule" "ingress_prefix_list" {
 }
 
 resource "aws_security_group_rule" "https-ingress" {
-  for_each = toset(var.ingress_sgs)
-  description = "allow ingress from lambda"
-  type = "ingress" 
-  to_port = 443
-  from_port = 443
-  protocol = "TCP"
-  security_group_id = each.key
+  for_each                 = toset(var.ingress_sgs)
+  description              = "allow ingress from lambda"
+  type                     = "ingress"
+  to_port                  = 443
+  from_port                = 443
+  protocol                 = "TCP"
+  security_group_id        = each.key
   source_security_group_id = aws_security_group.lambda.id
 }