From 6772d92e22f0a3f2dc45df4adc66c1c8d77a3a8b Mon Sep 17 00:00:00 2001 From: Steven Black Date: Tue, 7 Dec 2021 17:37:13 -0500 Subject: [PATCH 1/3] tf v 0.13 --- .terraform-version | 2 +- common/common.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.terraform-version b/.terraform-version index 421e954..ebf55b3 100644 --- a/.terraform-version +++ b/.terraform-version @@ -1 +1 @@ -0.12.24 +0.13.6 diff --git a/common/common.tf b/common/common.tf index c58ac4a..4a53677 100644 --- a/common/common.tf +++ b/common/common.tf @@ -8,7 +8,7 @@ provider "aws" { terraform { backend "s3" {} - required_version = ">= 0.12.0" + required_version = ">= 0.13.0" } # Intentionally throws an error if the workspace doesn't match the env From bf58c44aaebcde81dfadf26b51057df73fdcb044 Mon Sep 17 00:00:00 2001 From: Steven Black Date: Tue, 7 Dec 2021 17:44:25 -0500 Subject: [PATCH 2/3] optimistic versions, restore files --- account/Makefile | 1 + account/README.md | 12 ++--- account/main.tf | 22 +++++--- bin/new-project.sh | 124 +++++++++++++++++++++++++++++++++++++++++++++ bin/setup.sh | 20 ++++++++ network/README.md | 6 +-- network/main.tf | 4 +- 7 files changed, 172 insertions(+), 17 deletions(-) create mode 100644 account/Makefile create mode 100644 bin/new-project.sh create mode 100644 bin/setup.sh diff --git a/account/Makefile b/account/Makefile new file mode 100644 index 0000000..bb69e69 --- /dev/null +++ b/account/Makefile @@ -0,0 +1 @@ +include ../Makefile diff --git a/account/README.md b/account/README.md index e4fee98..481af84 100644 --- a/account/README.md +++ b/account/README.md @@ -5,7 +5,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.12.0 | +| [terraform](#requirement\_terraform) | >= 0.13.0 | ## Providers 
@@ -16,13 +16,13 @@ No providers. | Name | Source | Version | |------|--------|---------| | [backend](#module\_backend) | rhythmictech/backend/aws | 2.1.0 | -| [cloudtrail\_bucket](#module\_cloudtrail\_bucket) | rhythmictech/cloudtrail-bucket/aws | 1.2.0 | -| [cloudtrail\_logging](#module\_cloudtrail\_logging) | rhythmictech/cloudtrail-logging/aws | 1.1.0 | +| [cloudtrail\_bucket](#module\_cloudtrail\_bucket) | rhythmictech/cloudtrail-bucket/aws | ~> 1.2.0 | +| [cloudtrail\_logging](#module\_cloudtrail\_logging) | rhythmictech/cloudtrail-logging/aws | ~> 1.1.0 | | [does\_workspace\_match\_env](#module\_does\_workspace\_match\_env) | rhythmictech/errorcheck/terraform | ~> 1.0.0 | | [iam\_password\_policy](#module\_iam\_password\_policy) | rhythmictech/iam-password-policy/aws | 1.0.0 | -| [rhythmic\_iam\_roles](#module\_rhythmic\_iam\_roles) | rhythmictech/rhythmic-iam-roles/aws | 1.1.0 | -| [s3logging\_bucket](#module\_s3logging\_bucket) | rhythmictech/s3logging-bucket/aws | 1.0.1 | -| [tags](#module\_tags) | rhythmictech/tags/terraform | 1.1.0 | +| [rhythmic\_iam\_roles](#module\_rhythmic\_iam\_roles) | rhythmictech/rhythmic-iam-roles/aws | ~> 1.1.0 | +| [s3logging\_bucket](#module\_s3logging\_bucket) | rhythmictech/s3logging-bucket/aws | ~> 1.0.1 | +| [tags](#module\_tags) | rhythmictech/tags/terraform | ~> 1.1.0 | ## Resources diff --git a/account/main.tf b/account/main.tf index 1b68226..539f231 100644 --- a/account/main.tf +++ b/account/main.tf @@ -1,6 +1,6 @@ module "tags" { source = "rhythmictech/tags/terraform" - version = "1.1.0" + version = "~> 1.1.0" names = [ "account", 
@@ -17,22 +17,32 @@ module "tags" { module "rhythmic_iam_roles" { source = "rhythmictech/rhythmic-iam-roles/aws" - version = "1.1.0" + version = "~> 1.1.0" role_prefix = var.iam_role_prefix master_account = var.iam_master_account } module "s3logging_bucket" { - source = "rhythmictech/s3logging-bucket/aws" - version = "1.0.1" + source = "rhythmictech/s3logging-bucket/aws" + version = "~> 1.0.1" + bucket_suffix = "account" region = var.region tags = module.tags.tags_no_name + + # store for 1 yr + lifecycle_rules = [{ + id = "expire" + enabled = true + prefix = null + expiration = 365 + noncurrent_version_expiration = 365 + }] } module "cloudtrail_bucket" { source = "rhythmictech/cloudtrail-bucket/aws" - version = "1.2.0" + version = "~> 1.2.0" logging_bucket = module.s3logging_bucket.s3logging_bucket_name region = var.region tags = module.tags.tags_no_name @@ -40,7 +50,7 @@ module "cloudtrail_bucket" { module "cloudtrail_logging" { source = "rhythmictech/cloudtrail-logging/aws" - version = "1.1.0" + version = "~> 1.1.0" region = var.region cloudtrail_bucket = module.cloudtrail_bucket.s3_bucket_name kms_key_id = module.cloudtrail_bucket.kms_key_id diff --git a/bin/new-project.sh b/bin/new-project.sh new file mode 100644 index 0000000..1a496ab --- /dev/null +++ b/bin/new-project.sh 
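Review bot: The new `lifecycle_rules` on `s3logging_bucket` expires current and non-current objects after 365 days, and this bucket is the access-log target for `cloudtrail_bucket` (`logging_bucket = module.s3logging_bucket.s3logging_bucket_name`), so the `# store for 1 yr` comment should give the retention basis, e.g. `# Access logs for the CloudTrail bucket; 365-day retention — confirm against the audit-retention requirement before shortening`. The switch from exact pins to `~> 1.x.y` lets `terraform init` resolve newer patch releases of the registry modules, and Terraform does not record module versions in a lock file, so two operators can apply different module code; if that drift is accepted, a one-line comment on the module blocks saying so would save the next reviewer re-raising it. Note that `~>` is Terraform's "pessimistic constraint" operator, so the behaviour is the reverse of what the word "optimistic" suggests.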
@@ -0,0 +1,124 @@ +#!/usr/bin/env bash -e + +# +# this script is used for bootstraping a new project in your AWS account +# + +new_folder=$1 +SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" + +# authoritative backend file +backend_file="account/backend.auto.tfvars" + +# remote state variables +tfstate_bucket="" +region="us-east-1" +dynamodb_table="tf-locktable" + + +function usage() { + cat <> $new_backend + echo "key = \"$new_folder.tfstate\"" >> $new_backend + echo "dynamodb_table = $dynamodb_table" >> $new_backend + echo "region = $region" >> $new_backend +} + +function create_readme() { + echo "# $new_folder" > README.md +cat <> README.md + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|:----:|:-----:|:-----:| + +## Outputs + +| Name | Description | +|------|-------------| + + +EOT + +} + +function create_terraform_files() { + create_readme + + echo "include ../Makefile" > Makefile + + touch main.tf + touch variables.tf + touch outputs.tf + + create_backend_file +} + +function main() { + check_for_errors + get_backend_variables + create_new_folder + create_terraform_files + + echo 'done' +} + +main "$@" diff --git a/bin/setup.sh b/bin/setup.sh new file mode 100644 index 0000000..e77cb8e --- /dev/null +++ b/bin/setup.sh @@ -0,0 +1,20 @@ +#!/usr/bin/env bash -e + +# +# this script is used for bootstraping the project base infrastructure +# + +# create base infra +echo "Initializing tfstate" +cd account/setup +terraform init +terraform apply -auto-approve +cd ../.. + +# migrate local state to the remote with the s3 bucket and dynamodb table +echo "Migrating tfstate to bucket" +cd account +cp setup/terraform.tfstate . +terraform init -backend-config=backend.auto.tfvars +rm terraform.tfstate +cd .. diff --git a/network/README.md b/network/README.md index 4b43e02..61f8b2d 100644 --- a/network/README.md +++ b/network/README.md 
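Review bot: `create_backend_file` writes `dynamodb_table = $dynamodb_table` and `region = $region` into the new `backend.auto.tfvars` without quotes, while `key` is quoted; tfvars string values must be quoted, so the generated file will not parse once `dynamodb_table="tf-locktable"` and `region="us-east-1"` are substituted — the two lines should read `echo "dynamodb_table = \"$dynamodb_table\"" >> "$new_backend"` and `echo "region = \"$region\"" >> "$new_backend"`. The shebang `#!/usr/bin/env bash -e` does not enable `-e` on Linux, where the kernel hands `bash -e` to env as a single argument; prefer `#!/usr/bin/env bash` followed by `set -euo pipefail`. `$1` is used as a directory name and as the tfstate `key` with no validation visible here; since `check_for_errors` and `create_new_folder` are not legible in this copy of the patch (the heredocs appear mangled), it is worth confirming that they reject values containing `/` or `..` before the path and state key are derived from them.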
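Review bot: After the state is copied into `account/` and migrated, only the working copy is removed (`rm terraform.tfstate`); `setup/terraform.tfstate`, and the `terraform.tfstate.backup` files Terraform writes next to each state file, remain on disk with the backend bucket and lock-table details. Either remove them once the migration has succeeded or add a comment stating that the setup-directory state is intentionally kept as the bootstrap copy. `terraform init -backend-config=backend.auto.tfvars` will prompt interactively before copying local state into the new S3 backend unless `-force-copy` is passed, so the script is likely to stall when run non-interactively. The same `#!/usr/bin/env bash -e` shebang issue applies here: `-e` is not honoured via env on Linux, so `set -euo pipefail` is needed for the `cd`/`terraform` failures to stop the script before `terraform apply -auto-approve` runs.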
@@ -5,7 +5,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.12.0 | +| [terraform](#requirement\_terraform) | >= 0.13.0 | ## Providers @@ -20,8 +20,8 @@ |------|--------|---------| | [does\_workspace\_match\_env](#module\_does\_workspace\_match\_env) | rhythmictech/errorcheck/terraform | ~> 1.0.0 | | [tags](#module\_tags) | rhythmictech/tags/terraform | ~> 1.1.0 | -| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 2.44.0 | -| [vpcflowlogs](#module\_vpcflowlogs) | rhythmictech/vpcflowlogs/aws | 1.1.2 | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 2.44.0 | +| [vpcflowlogs](#module\_vpcflowlogs) | rhythmictech/vpcflowlogs/aws | ~> 1.1.2 | ## Resources diff --git a/network/main.tf b/network/main.tf index b288cd2..20289a2 100644 --- a/network/main.tf +++ b/network/main.tf @@ -36,7 +36,7 @@ module "tags" { module "vpc" { source = "terraform-aws-modules/vpc/aws" - version = "2.44.0" + version = "~> 2.44.0" name = module.tags.name azs = var.availability_zones @@ -49,7 +49,7 @@ module "vpc" { module "vpcflowlogs" { source = "rhythmictech/vpcflowlogs/aws" - version = "1.1.2" + version = "~> 1.1.2" create_bucket = true create_kms_key = true From c4d4e9a842dffd0094bf577249f1637c91080fbe Mon Sep 17 00:00:00 2001 From: Steven Black Date: Tue, 7 Dec 2021 17:46:55 -0500 Subject: [PATCH 3/3] ignore low lvl tfsec errs --- account/setup/main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/account/setup/main.tf b/account/setup/main.tf index 92f0945..9a4e624 100644 --- a/account/setup/main.tf +++ b/account/setup/main.tf @@ -1,4 +1,5 @@ +#tfsec:ignore:aws-dynamodb-table-customer-key,aws-dynamodb-enable-recovery module "backend" { source = "rhythmictech/backend/aws" version = "2.1.0"