feat(iam): Align IAM permissions with documentation

.github/workflows/pre-commit.yml

@@ -13,7 +13,7 @@ on:
 env:
   PYTHON_VERSION: "3.10"
   TERRAFORM_DOCS_VERSION: "v0.16.0"
-  TFLINT_VERSION: "v0.40.1"
+  TFLINT_VERSION: "v0.48.0"
 
 jobs:
   pre-commit:

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.3.0
+    rev: v4.4.0
     hooks:
       - id: trailing-whitespace
       - id: check-merge-conflict
@@ -10,18 +10,22 @@ repos:
       - id: end-of-file-fixer
 
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.75.0
+    rev: v1.83.1
     hooks:
-      - id: terraform_fmt
-      - id: terraform_tflint
-      - id: terraform_validate
-      - id: terraform_checkov
-      - id: terraform_docs
-        args:
-          - '--args=--config=.terraform-docs.yml'
+    - id: terraform_fmt
+    - id: terraform_tflint
+      args:
+        - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
+    - id: terraform_validate
+    - id: terraform_checkov
+      args:
+        - '--args=--skip-check CKV_TF_1' #CKV_TF_1: "Ensure Terraform module sources use a commit hash"
+    - id: terraform_docs
+      args:
+        - '--args=--config=.terraform-docs.yml'
 
   - repo: https://github.com/Yelp/detect-secrets
-    rev: v1.3.0
+    rev: v1.4.0
     hooks:
       - id: detect-secrets
         args: ['--baseline', '.secrets.baseline']

.tflint.hcl

@@ -1,11 +1,12 @@
 plugin "terraform" {
   enabled = true
-  version = "0.1.1"
+  version = "0.4.0"
   source  = "github.com/terraform-linters/tflint-ruleset-terraform"
   preset  = "recommended"
 }
+
 plugin "aws" {
   enabled = true
-  version = "0.17.0"
+  version = "0.26.0"
   source  = "github.com/terraform-linters/tflint-ruleset-aws"
 }

LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright [2020] [Labyrinth Labs]
+   Copyright [2022] [Labyrinth Labs]
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

README.md

@@ -11,7 +11,7 @@ We help companies build, run, deploy and scale software and infrastructure by em
 
 ## Description
 
-A terraform module to deploy the Cluster Autoscaler on Amazon EKS cluster.
+A Terraform module to deploy the Cluster Autoscaler on Amazon EKS cluster.
 
 ## Related Projects
 
@@ -96,7 +96,9 @@ No modules.
 | <a name="input_argo_helm_enabled"></a> [argo\_helm\_enabled](#input\_argo\_helm\_enabled) | If set to true, the ArgoCD Application manifest will be deployed using Kubernetes provider as a Helm release. Otherwise it'll be deployed as a Kubernetes manifest. See Readme for more info | `bool` | `false` | no |
 | <a name="input_argo_helm_values"></a> [argo\_helm\_values](#input\_argo\_helm\_values) | Value overrides to use when deploying argo application object with helm | `string` | `""` | no |
 | <a name="input_argo_helm_wait_backoff_limit"></a> [argo\_helm\_wait\_backoff\_limit](#input\_argo\_helm\_wait\_backoff\_limit) | Backoff limit for ArgoCD Application Helm release wait job | `number` | `6` | no |
+| <a name="input_argo_helm_wait_node_selector"></a> [argo\_helm\_wait\_node\_selector](#input\_argo\_helm\_wait\_node\_selector) | Node selector for ArgoCD Application Helm release wait job | `map(string)` | `{}` | no |
 | <a name="input_argo_helm_wait_timeout"></a> [argo\_helm\_wait\_timeout](#input\_argo\_helm\_wait\_timeout) | Timeout for ArgoCD Application Helm release wait job | `string` | `"10m"` | no |
+| <a name="input_argo_helm_wait_tolerations"></a> [argo\_helm\_wait\_tolerations](#input\_argo\_helm\_wait\_tolerations) | Tolerations for ArgoCD Application Helm release wait job | `list(any)` | `[]` | no |
 | <a name="input_argo_info"></a> [argo\_info](#input\_argo\_info) | ArgoCD info manifest parameter | <pre>list(object({<br>    name  = string<br>    value = string<br>  }))</pre> | <pre>[<br>  {<br>    "name": "terraform",<br>    "value": "true"<br>  }<br>]</pre> | no |
 | <a name="input_argo_kubernetes_manifest_computed_fields"></a> [argo\_kubernetes\_manifest\_computed\_fields](#input\_argo\_kubernetes\_manifest\_computed\_fields) | List of paths of fields to be handled as "computed". The user-configured value for the field will be overridden by any different value returned by the API after apply. | `list(string)` | <pre>[<br>  "metadata.labels",<br>  "metadata.annotations",<br>  "metadata.finalizers"<br>]</pre> | no |
 | <a name="input_argo_kubernetes_manifest_field_manager_force_conflicts"></a> [argo\_kubernetes\_manifest\_field\_manager\_force\_conflicts](#input\_argo\_kubernetes\_manifest\_field\_manager\_force\_conflicts) | Forcibly override any field manager conflicts when applying the kubernetes manifest resource | `bool` | `false` | no |

argo-helm.tf

@@ -91,7 +91,7 @@ resource "kubernetes_job" "helm_argo_application_wait" {
   count = local.helm_argo_application_wait_enabled ? 1 : 0
 
   metadata {
-    generate_name = "${var.helm_release_name}-argo-application-wait"
+    generate_name = "${var.helm_release_name}-argo-application-wait-"
     namespace     = var.argo_namespace
     labels        = local.argo_application_metadata.labels
     annotations   = local.argo_application_metadata.annotations
@@ -128,6 +128,19 @@ resource "kubernetes_job" "helm_argo_application_wait" {
           }
         }
 
+        node_selector = var.argo_helm_wait_node_selector
+
+        dynamic "toleration" {
+          for_each = var.argo_helm_wait_tolerations
+
+          content {
+            key      = try(toleration.value.key, null)
+            operator = try(toleration.value.operator, null)
+            value    = try(toleration.value.value, null)
+            effect   = try(toleration.value.effect, null)
+          }
+        }
+
         # ArgoCD Application status fields might not be available immediately after creation
         restart_policy = "OnFailure"
       }

examples/basic/README.md

@@ -8,7 +8,7 @@ The code in this example shows how to use the module with basic configuration an
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.19.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.35.0, < 5.0.0 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.6.0 |
 | <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.16.0 |
 

examples/basic/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.19.0"
+      version = ">= 4.35.0, < 5.0.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

iam.tf

@@ -12,15 +12,19 @@ data "aws_iam_policy_document" "this" {
       "autoscaling:DescribeAutoScalingGroups",
       "autoscaling:DescribeAutoScalingInstances",
       "autoscaling:DescribeLaunchConfigurations",
+      "autoscaling:DescribeScalingActivities",
       "autoscaling:DescribeTags",
+      "ec2:DescribeInstanceTypes",
+      "ec2:DescribeLaunchTemplateVersions",
       "autoscaling:SetDesiredCapacity",
       "autoscaling:TerminateInstanceInAutoScalingGroup",
-      "ec2:DescribeLaunchTemplateVersions",
-      "ec2:DescribeInstanceTypes",
+      "ec2:DescribeImages",
+      "ec2:GetInstanceTypesFromInstanceRequirements",
       "eks:DescribeNodegroup"
     ]
 
     #checkov:skip=CKV_AWS_111: Ensure IAM policies does not allow write access without constraints
+    #checkov:skip=CKV_AWS_356: Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions
     resources = [
       "*",
     ]
@@ -47,7 +51,7 @@ data "aws_iam_policy_document" "this_assume" {
 resource "aws_iam_policy" "this" {
   count = local.irsa_role_create && (var.irsa_policy_enabled || var.irsa_assume_role_enabled) ? 1 : 0
 
-  name        = "${var.irsa_role_name_prefix}-${var.helm_chart_name}"
+  name        = "${var.irsa_role_name_prefix}-${var.helm_chart_name}" # tflint-ignore: aws_iam_policy_invalid_name
   path        = "/"
   description = "Policy for cluster-autoscaler service"
   policy      = var.irsa_assume_role_enabled ? data.aws_iam_policy_document.this_assume[0].json : data.aws_iam_policy_document.this[0].json
@@ -81,7 +85,7 @@ data "aws_iam_policy_document" "this_irsa" {
 
 resource "aws_iam_role" "this" {
   count              = local.irsa_role_create ? 1 : 0
-  name               = "${var.irsa_role_name_prefix}-${var.helm_chart_name}"
+  name               = "${var.irsa_role_name_prefix}-${var.helm_chart_name}" # tflint-ignore: aws_iam_role_invalid_name
   assume_role_policy = data.aws_iam_policy_document.this_irsa[0].json
   tags               = var.irsa_tags
 }

requirements.txt

@@ -1 +1 @@
-checkov==2.2.158
+checkov==2.4.25

variables.tf

@@ -155,6 +155,18 @@ variable "argo_helm_wait_timeout" {
   description = "Timeout for ArgoCD Application Helm release wait job"
 }
 
+variable "argo_helm_wait_node_selector" {
+  type        = map(string)
+  default     = {}
+  description = "Node selector for ArgoCD Application Helm release wait job"
+}
+
+variable "argo_helm_wait_tolerations" {
+  type        = list(any)
+  default     = []
+  description = "Tolerations for ArgoCD Application Helm release wait job"
+}
+
 variable "argo_helm_wait_backoff_limit" {
   type        = number
   default     = 6