Terraform 1.x support

.github/workflows/validate.yaml

@@ -9,56 +9,6 @@ on:
       - main
 
 jobs:
-  ## TODO: Enable this once the repo is totally formatted to standard.
-  # lint-style:
-  #   name: Linting and Styling
-  #   runs-on: ubuntu-latest
-  #   steps:
-  #     - name: Checkout Source
-  #       uses: actions/checkout@v3
-  #       with:
-  #         fetch-depth: 0
-
-  #     - name: Setup Dependencies
-  #       uses: './.github/actions/dep-setup'
-  #       with:
-  #         python-version: '3.10'
-
-  #     - name: Run Styling Enforcement
-  #       shell: bash
-  #       run: poetry poe check
-
-  #     # TODO: As soon as the repo is in a state to enable this, we'll do so.
-  #     - name: Run Style Linting Enforcement
-  #       shell: bash
-  #       run: poetry poe lint
-
-  ## TODO: Enable unit tests via GH Actions when unit tests are fixed and migrated to pytest.
-  # unit-tests:
-  #   name: Run Unit Tests
-  #   strategy:
-  #     matrix:
-  #       version: ['3.7', '3.8', '3.9', '3.10', '3.11']
-  #       os: [ubuntu-latest]
-  #   runs-on: ${{ matrix.os }}
-  #   steps:
-  #     - name: Checkout Source
-  #       uses: actions/checkout@v3
-  #       with:
-  #         fetch-depth: 0
-
-  #     - name: Setup Dependencies
-  #       uses: './.github/actions/dep-setup'
-  #       with:
-  #         python-version: '${{ matrix.version }}'
-
-  #     - name: Run Tests
-  #       shell: bash
-  #       run: poetry poe test
-
-  #     - name: Codecov
-  #       uses: codecov/codecov-action@v3
-
   security:
     name: Run Security Checks
     runs-on: ubuntu-latest

.gitignore

@@ -127,9 +127,15 @@ API_GW_NOT_EDGE_OPTIMISED/
 
 manageTest/
 
-football/
+football*/
 
+terraform.tfvars
+**/.terraform
+.terraform.lock.hcl
 .infracost
 
 # For testing guard rule functionality
-myguardrule/
+myguardrule/
+
+# TF exports
+terraform_rdk_rules

README.md

@@ -212,6 +212,10 @@ Config deploy complete.
 
 The exact output will vary depending on Lambda runtime. You can use the `--all` flag to deploy all of the rules in your working directory. This command uses `PutOrganizationConfigRule` API for the rule deployment. If a new account joins an organization, the rule is deployed to that account. When an account leaves an organization, the rule is removed. Deployment of existing organizational AWS Config Rules will only be retried for 7 hours after an account is added to your organization if a recorder is not available. You are expected to create a recorder if one doesn't exist within 7 hours of adding an account to your organization.
 
+### Export Rule for Terraform Deployment
+
+As of v0.18.0, RDK now supports using the `rdk export` command to create Terraform 1.x code that can be used to deploy your RDK rules. For more details, see the [export](https://aws-config-rdk.readthedocs.io/en/master/commands/export/) documentation.
+
 ### View Logs For Deployed Rule
 
 Once the Rule has been deployed to AWS you can get the CloudWatch logs associated with your Lambda function using the `logs` command.

docs/commands/export.md

@@ -1,19 +1,53 @@
 # Export
 
-This command will export the specified Rule(s) to the terraform file, it
-supports the terraform versions 0.11 and 0.12.
-
-The `--format` flag can be used to specify export format, currently it
-supports only terraform. The `--version` flag can be used to specify the
-terraform version. The `--rdklib-layer-arn` flag can be used for
-attaching Lambda Layer ARN that contains the desired rdklib. Note that
-Lambda Layers are region-specific. The `--lambda-role-arn` flag can be
-used for assigning existing iam role to all Lambda functions created for
-Custom Config Rules. The `--lambda-layers` flag can be used for
-attaching a comma-separated list of Lambda Layer ARNs to deploy with
-your Lambda function(s). The `--lambda-subnets` flag can be used for
-attaching a comma-separated list of Subnets to deploy your Lambda
-function(s). The `--lambda-security-groups` flag can be used for
-attaching a comma-separated list of Security Groups to deploy with your
-Lambda function(s). The `--lambda-timeout` flag can be used for
-specifying the timeout associated to the lambda function
+This command will export the specified Rule(s) to Terraform (1.x and later) manifest(s).
+
+In order to reduce repeated code, the exported rule will reference a source module, by default `../rdk_module` (or `../rdk_organization_module` for Org Config rules). Running `rdk export` will create `rdk_module` in the current working directory if it does not exist already, by copying RDK's version of the module from `rdk/template/terraform/1.x/rdk_module` (or `rdk_organization_module`).
+
+The `export` command will create a Terraform manifest file per rule (eg. `myrule.tf`) and place it in a `terraform_rdk_rules` folder, over-writing any TF file of the same name.
+
+Users can also specify `--backend-bucket` and `--add-provider-manifest` to create `backend.tf` and `provider.tf` files in these repositories, with opinionated defaults. This should only be needed once.
+
+## Example Usage - Single Rule
+
+```bash
+cd rdk_source
+#  rdk_source
+#  └─my_rule
+#    ├──parameters.json
+#    ├──rule.py
+#    └──rule_test.py
+TF_STATE_BUCKET=my-bucket
+rdk export my_rule # Creates a TF manifest and adds it to the terraform_rdk_rules folder
+cd terraform_rdk_rules
+terraform plan
+```
+
+## Example Usage - All Rules
+
+```bash
+# assume your cwd is the parent folder of many RDK rules.
+cd rdk_source
+TF_STATE_BUCKET=my-bucket
+REGION=us-west-2
+# You could run this manually and commit it or include `rdk export` as a step in a CI/CD pipeline.
+rdk export -a --backend-bucket $TF_STATE_BUCKET --provider-region $REGION # Creates a TF manifest for each rule in the directory and adds to terraform_rdk_rules. Also adds a backend and provider manifest to terraform_rdk_rules.
+cd terraform_rdk_rules
+terraform plan
+```
+
+# Arguments
+
+- The `--format` flag can be used to specify export format, currently it supports only `terraform`.
+- The `--output-version` flag can be used to specify the Terraform major version. Currently, only `1.x` is supported.
+- The `--rdklib-layer-arn` flag can be used for attaching Lambda Layer ARN that contains the desired `rdklib` layer. Note that Lambda Layers are region-specific.
+- The `--lambda-role-arn` flag can be used for assigning existing iam role to all Lambda functions created for Custom Config Rules.
+- The `--lambda-layers` flag can be used for attaching a comma-separated list of Lambda Layer ARNs to deploy with your Lambda function(s).
+- The `--lambda-subnets` flag can be used for attaching a comma-separated list of Subnets to deploy your Lambda function(s).
+- The `--lambda-security-groups` flag can be used for attaching a comma-separated list of Security Groups to deploy with your Lambda function(s).
+- The `--lambda-timeout` flag can be used for specifying the timeout associated to the lambda function
+- The `--copy-terraform-module` flag will copy the `rdk_module` folder into your rule directory.
+- The `custom-module-source-location` flag will set the exported TF module invocation to be sourced from the location you specify. This is useful if you modify the module or want to source it from a central location. For example, you could pass the module call to a source that deploys an Config Organization rule.
+- The `--backend-bucket-name` argument will create a `backend.tf` file in the `terraform_rdk_rules` directory, pointing to the specified backend S3 bucket. The key for the state file will be `rdk_modules/<rule name>`. 
+- The `--add-provider-manifest` argument will create a `provider.tf` file in the `terraform_rdk_rules` directory, ensuring that the rules are deployed in the right region. `export` does not currently natively support multi-region deployment.
+- The `add-terragrunt-file` flag will create a `terragrunt.hcl` file in the rule directory. This is used to indicate to `terragrunt` that the module should be included in `terragrunt` automations like `run-all`.