feat: migrate from terraform-aws-infra (#1)

- Import all terraform configurations for AWS infrastructure
- Use shared OpenTofu workflow from shared-workflows repo
- Update Makefile to use tofu with -no-color and plan output
- Update pre-commit-terraform to v1.104.0

Author: xnoto

.checkov.yml

@@ -0,0 +1,13 @@
+block-list-secret-scan: []
+compact: true
+directory:
+  - .
+download-external-modules: false
+evaluate-variables: true
+framework:
+  - all
+output:
+  - cli
+quiet: true
+soft-fail: true
+summary-position: top

.github/workflows/opentofu.yml

@@ -0,0 +1,19 @@
+name: OpenTofu
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  opentofu:
+    uses: makeitworkcloud/shared-workflows/.github/workflows/opentofu.yml@main
+    secrets:
+      SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}

.gitignore

@@ -0,0 +1,16 @@
+# vim swap files
+**/*.sw[po]
+
+# don't commit terraform state or lock. the repo code is the only state we care about.
+# the provider state cache is auto-upgraded by default to ensure compatibility with upstream cloud provider APIs
+**/.terraform.lock.hcl
+**/.terraform
+
+# IDE Folders
+**/.vscode
+
+# Mac Finder cache
+**/.DS_Store
+
+# Plan output
+plan-output.txt

.pre-commit-config.yaml

@@ -0,0 +1,36 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v6.0.0
+  hooks:
+    - id: check-case-conflict
+    - id: check-merge-conflict
+    - id: check-symlinks
+    - id: check-vcs-permalinks
+    - id: destroyed-symlinks
+    - id: detect-private-key
+    - id: mixed-line-ending
+    - id: trailing-whitespace
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.104.0
+  hooks:
+    - id: terraform_validate
+      args:
+        - --hook-config=--retry-once-with-cleanup=true
+        - --args=-no-color
+        - --tf-init-args=-reconfigure
+        - --tf-init-args=-upgrade
+    - id: terraform_tflint
+      args:
+        - --args=--minimum-failure-severity=error
+        - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
+    - id: terraform_checkov
+      args:
+        - --args=--config-file __GIT_WORKING_DIR__/.checkov.yml
+    - id: terraform_fmt
+      args:
+        - --args=-no-color
+        - --args=-diff
+        - --args=-recursive
+    - id: terraform_docs
+      args:
+        - --args=--config=.terraform-docs.yml

.sops.yaml

@@ -0,0 +1,3 @@
+---
+creation_rules:
+  - age: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l

.terraform-docs.yml

@@ -0,0 +1,18 @@
+formatter: "markdown"
+
+output:
+  file: "README.md"
+  mode: replace
+
+settings:
+  color: false
+  lockfile: false
+
+sort:
+  enabled: true
+  by: name
+
+# recursive can't be enabled until this bug is fixed:
+# https://github.com/terraform-docs/terraform-docs/issues/654
+recursive:
+  enabled: false

.tflint.hcl

@@ -0,0 +1,12 @@
+plugin "terraform" {
+  enabled = true
+  preset  = "recommended"
+}
+
+rule "terraform_required_providers" {
+  enabled = false
+}
+
+rule "terraform_required_version" {
+  enabled = false
+}

Makefile

@@ -0,0 +1,79 @@
+SHELL         := /bin/bash
+TERRAFORM     := $(shell which tofu)
+S3_REGION     := $(shell sops decrypt secrets/secrets.yaml | grep ^s3_region     | cut -d ' ' -f 2)
+S3_BUCKET     := $(shell sops decrypt secrets/secrets.yaml | grep ^s3_bucket     | cut -d ' ' -f 2)
+S3_KEY        := $(shell sops decrypt secrets/secrets.yaml | grep ^s3_key        | cut -d ' ' -f 2)
+S3_ACCESS_KEY := $(shell sops decrypt secrets/secrets.yaml | grep ^s3_access_key | cut -d ' ' -f 2)
+S3_SECRET_KEY := $(shell sops decrypt secrets/secrets.yaml | grep ^s3_secret_key | cut -d ' ' -f 2)
+
+.PHONY: help init plan apply migrate test pre-commit-check-deps pre-commit-install-hooks argcd-login
+
+help:
+	@echo "General targets"
+	@echo "----------------"
+	@echo
+	@echo "\thelp: show this help text"
+	@echo "\tclean: removes all .terraform directories"
+	@echo
+	@echo "Terraform targets"
+	@echo "-----------------"
+	@echo
+	@echo "\tinit: run 'terraform init'"
+	@echo "\ttest: run pre-commmit checks"
+	@echo "\tplan: run 'terraform plan'"
+	@echo "\tapply: run 'terraform apply'"
+	@echo "\tmigrate; run terraform init -migrate-state"
+	@echo
+	@echo "One-time repo init targets"
+	@echo "--------------------------"
+	@echo
+	@echo "\tpre-commit-install-hooks: install pre-commit hooks"
+	@echo "\tpre-commit-check-deps: check pre-commit dependencies"
+	@echo
+
+clean:
+	@find . -name .terraform -type d | xargs -I {} rm -rf {}
+
+init: clean .terraform/terraform.tfstate
+
+.terraform/terraform.tfstate:
+	@${TERRAFORM} init -reconfigure -upgrade -input=false -backend-config="key=${S3_KEY}" -backend-config="bucket=${S3_BUCKET}" -backend-config="region=${S3_REGION}" -backend-config="access_key=${S3_ACCESS_KEY}" -backend-config="secret_key=${S3_SECRET_KEY}"
+
+plan: init .terraform/plan
+
+.terraform/plan:
+	@${TERRAFORM} plan -compact-warnings -no-color -out tfplan.bin
+	@${TERRAFORM} show -no-color tfplan.bin | tee plan-output.txt
+	@rm -f tfplan.bin
+
+apply: init .terraform/apply
+
+.terraform/apply:
+	@${TERRAFORM} apply -auto-approve -compact-warnings
+
+migrate:
+	@echo "First use -make init- using the old S3 backend, then run -make migrate- to use the new one."
+	@${TERRAFORM} init -migrate-state -backend-config="key=${S3_KEY}" -backend-config="bucket=${S3_BUCKET}" -backend-config="region=${S3_REGION}" -backend-config="access_key=${S3_ACCESS_KEY}" -backend-config="secret_key=${S3_SECRET_KEY}"
+
+test: .git/hooks/pre-commit
+	@pre-commit run -a
+
+DEPS_PRE_COMMIT=$(shell which pre-commit || echo "pre-commit not found")
+DEPS_TERRAFORM_DOCS=$(shell which terraform-docs || echo "terraform-docs not found")
+DEPS_TFLINT=$(shell which tflint || echo "tflint not found,")
+DEPS_CHECKOV=$(shell which checkov || echo "checkov not found,")
+DEPS_JQ=$(shell which jq || echo "jq not found,")
+pre-commit-check-deps:
+	@echo "Checking for pre-commit and its dependencies:"
+	@echo "  pre-commit: ${DEPS_PRE_COMMIT}"
+	@echo "  terraform-docs: ${DEPS_TERRAFORM_DOCS}"
+	@echo "  tflint: ${DEPS_TFLINT}"
+	@echo "  checkov: ${DEPS_CHECKOV}"
+	@echo "  jq: ${DEPS_JQ}"
+	@echo ""
+
+pre-commit-install-hooks: .git/hooks/pre-commit
+
+.git/hooks/pre-commit: pre-commit-check-deps
+	@pre-commit install --install-hooks
+

aws-iam.tf

@@ -0,0 +1,19 @@
+resource "aws_iam_user" "admin" {
+  for_each      = local.admin_users
+  name          = each.value
+  force_destroy = false
+  tags = {
+    ManagedBy = "Terraform"
+  }
+}
+
+resource "aws_iam_user_policy_attachment" "admin_attach" {
+  for_each   = local.admin_users
+  user       = aws_iam_user.admin[each.key].name
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+
+resource "aws_iam_access_key" "admin_key" {
+  for_each = local.admin_users
+  user     = aws_iam_user.admin[each.key].name
+}

aws-s3.tf

@@ -0,0 +1,107 @@
+resource "aws_s3_bucket" "private" {
+  for_each = local.s3_private_buckets
+  bucket   = each.value
+
+  tags = {
+    ManagedBy = "Terraform"
+  }
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+resource "aws_s3_bucket" "public" {
+  for_each = local.s3_public_buckets
+  bucket   = each.value
+
+  tags = {
+    ManagedBy = "Terraform"
+  }
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "public" {
+  for_each                = aws_s3_bucket.public
+  bucket                  = each.value.id
+  block_public_acls       = false
+  block_public_policy     = false
+  ignore_public_acls      = false
+  restrict_public_buckets = false
+}
+
+resource "aws_s3_bucket_policy" "public" {
+  for_each = aws_s3_bucket.public
+
+  bucket = each.value.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect    = "Allow"
+        Principal = "*"
+        Action = [
+          "s3:GetObject"
+        ]
+        Resource = "${each.value.arn}/*"
+      }
+    ]
+  })
+}
+
+resource "aws_s3_bucket" "web" {
+  for_each = local.s3_web_buckets
+  bucket   = each.value
+
+  tags = {
+    ManagedBy = "Terraform"
+  }
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+# Make "web" buckets publicly accessible
+resource "aws_s3_bucket_public_access_block" "web" {
+  for_each                = aws_s3_bucket.web
+  bucket                  = each.value.id
+  block_public_acls       = false
+  block_public_policy     = false
+  ignore_public_acls      = false
+  restrict_public_buckets = false
+}
+
+resource "aws_s3_bucket_policy" "web" {
+  for_each = aws_s3_bucket.web
+
+  bucket = each.value.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect    = "Allow"
+        Principal = "*"
+        Action = [
+          "s3:GetObject"
+        ]
+        Resource = "${each.value.arn}/*"
+      }
+    ]
+  })
+}
+
+resource "aws_s3_bucket_website_configuration" "web" {
+  for_each = aws_s3_bucket.web
+
+  bucket = each.value.id
+
+  index_document {
+    suffix = "index.html"
+  }
+}