[Bug] Advance Security Not Enabled

.gitignore

@@ -0,0 +1,3 @@
+# Ignore any paths with `.terraform/` folders
+**/.terraform/
+**/.terraform.lock.hcl

.pre-commit-config.yaml

@@ -12,7 +12,6 @@ repos:
     -   id: end-of-file-fixer
     -   id: check-added-large-files
     -   id: detect-private-key
-    exclude: .*/\.terraform/.*
 -   repo: https://github.com/antonbabenko/pre-commit-terraform
     rev: v1.88.1
     hooks:

modules/enterprise-organization/README.md

@@ -2,7 +2,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6 |
 | <a name="requirement_github"></a> [github](#requirement\_github) | ~> 6.0 |
 
 ## Providers

modules/enterprise-organization/versions.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3"
+  required_version = ">= 1.6"
   required_providers {
     github = {
       source  = "integrations/github"

modules/github-foundations/README.md

@@ -2,15 +2,16 @@
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6 |
 | <a name="requirement_github"></a> [github](#requirement\_github) | ~> 6.0 |
+| <a name="requirement_local"></a> [local](#requirement\_local) | ~> 2.5.1 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_github"></a> [github](#provider\_github) | ~> 6.0 |
-| <a name="provider_local"></a> [local](#provider\_local) | n/a |
+| <a name="provider_local"></a> [local](#provider\_local) | ~> 2.5.1 |
 
 ## Modules
 
@@ -47,7 +48,7 @@
 |------|-------------|------|---------|:--------:|
 | <a name="input_bootstrap_repository_name"></a> [bootstrap\_repository\_name](#input\_bootstrap\_repository\_name) | The name of the bootstrap repository. | `string` | `"bootstrap"` | no |
 | <a name="input_foundation_devs_team_name"></a> [foundation\_devs\_team\_name](#input\_foundation\_devs\_team\_name) | The name of the foundation developers team. | `string` | `"foundation-devs"` | no |
-| <a name="input_oidc_configuration"></a> [oidc\_configuration](#input\_oidc\_configuration) | n/a | <pre>object({<br>    gcp = optional(object({<br>      workload_identity_provider_name_secret_name = optional(string)<br>      workload_identity_provider_name = string<br><br>      organization_workload_identity_sa_secret_name = optional(string)<br>      organization_workload_identity_sa = string<br><br>      gcp_secret_manager_project_id_variable_name = optional(string)<br>      gcp_secret_manager_project_id = string<br><br>      gcp_tf_state_bucket_project_id_variable_name = optional(string)<br>      gcp_tf_state_bucket_project_id = string<br><br>      bucket_name_variable_name = optional(string)<br>      bucket_name = string<br><br>      bucket_location_variable_name = optional(string)<br>      bucket_location = string<br>    }))<br>    custom = optional(object({<br>      organization_secrets = map(string)<br>      organization_variables = map(string)<br>      repository_secrets = map(map(string))<br>      repository_variables = map(map(string))<br>    }))<br>  })</pre> | n/a | yes |
+| <a name="input_oidc_configuration"></a> [oidc\_configuration](#input\_oidc\_configuration) | n/a | <pre>object({<br>    gcp = optional(object({<br>      workload_identity_provider_name_secret_name = optional(string)<br>      workload_identity_provider_name             = string<br><br>      organization_workload_identity_sa_secret_name = optional(string)<br>      organization_workload_identity_sa             = string<br><br>      gcp_secret_manager_project_id_variable_name = optional(string)<br>      gcp_secret_manager_project_id               = string<br><br>      gcp_tf_state_bucket_project_id_variable_name = optional(string)<br>      gcp_tf_state_bucket_project_id               = string<br><br>      bucket_name_variable_name = optional(string)<br>      bucket_name               = string<br><br>      bucket_location_variable_name = optional(string)<br>      bucket_location               = string<br>    }))<br>    custom = optional(object({<br>      organization_secrets   = map(string)<br>      organization_variables = map(string)<br>      repository_secrets     = map(map(string))<br>      repository_variables   = map(map(string))<br>    }))<br>  })</pre> | n/a | yes |
 | <a name="input_organizations_repository_name"></a> [organizations\_repository\_name](#input\_organizations\_repository\_name) | The name of the organizations repository. | `string` | `"organizations"` | no |
 | <a name="input_readme_path"></a> [readme\_path](#input\_readme\_path) | Local Path to the README file in your current codebase. Pushed to the github foundation repository. | `string` | `""` | no |
 

modules/github-foundations/gcp-oidc-variables.tf

@@ -1,5 +1,5 @@
 resource "github_actions_secret" "organization_workload_identity_sa" {
-  count           = var.oidc_configuration.gcp != null ? 1 : 0
+  count = var.oidc_configuration.gcp != null ? 1 : 0
 
   repository      = github_repository.organizations_repo.name
   secret_name     = coalesce(var.oidc_configuration.gcp.organization_workload_identity_sa_secret_name, "GCP_SERVICE_ACCOUNT")

modules/github-foundations/variables.tf

@@ -26,32 +26,32 @@ variable "oidc_configuration" {
   type = object({
     gcp = optional(object({
       workload_identity_provider_name_secret_name = optional(string)
-      workload_identity_provider_name = string
+      workload_identity_provider_name             = string
 
       organization_workload_identity_sa_secret_name = optional(string)
-      organization_workload_identity_sa = string
+      organization_workload_identity_sa             = string
 
       gcp_secret_manager_project_id_variable_name = optional(string)
-      gcp_secret_manager_project_id = string
+      gcp_secret_manager_project_id               = string
 
       gcp_tf_state_bucket_project_id_variable_name = optional(string)
-      gcp_tf_state_bucket_project_id = string
+      gcp_tf_state_bucket_project_id               = string
 
       bucket_name_variable_name = optional(string)
-      bucket_name = string
+      bucket_name               = string
 
       bucket_location_variable_name = optional(string)
-      bucket_location = string
+      bucket_location               = string
     }))
     custom = optional(object({
-      organization_secrets = map(string)
+      organization_secrets   = map(string)
       organization_variables = map(string)
-      repository_secrets = map(map(string))
-      repository_variables = map(map(string))
+      repository_secrets     = map(map(string))
+      repository_variables   = map(map(string))
     }))
   })
   validation {
-    condition = var.oidc_configuration.gcp != null || var.oidc_configuration.custom != null
+    condition     = var.oidc_configuration.gcp != null || var.oidc_configuration.custom != null
     error_message = "At least one oidc_configuration must be set."
   }
-}
+}

modules/github-foundations/versions.tf

@@ -1,9 +1,13 @@
 terraform {
-  required_version = ">= 1.3"
+  required_version = ">= 1.6"
   required_providers {
     github = {
       source  = "integrations/github"
       version = "~> 6.0"
     }
+    local = {
+      source  = "hashicorp/local"
+      version = "~> 2.5.1"
+    }
   }
 }

modules/github-gcloud-oidc/README.md

@@ -2,22 +2,23 @@
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6 |
 | <a name="requirement_google"></a> [google](#requirement\_google) | >= 3.77 |
 | <a name="requirement_google-beta"></a> [google-beta](#requirement\_google-beta) | >= 3.77 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.6 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_google"></a> [google](#provider\_google) | >= 3.77 |
-| <a name="provider_random"></a> [random](#provider\_random) | n/a |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 3.6 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_oidc"></a> [oidc](#module\_oidc) | terraform-google-modules/github-actions-runners/google//modules/gh-oidc | n/a |
+| <a name="module_oidc"></a> [oidc](#module\_oidc) | terraform-google-modules/github-actions-runners/google//modules/gh-oidc | 3.1.2 |
 
 ## Resources
 
@@ -57,7 +58,6 @@
 | <a name="input_lifecycle_rules"></a> [lifecycle\_rules](#input\_lifecycle\_rules) | Bucket lifecycle rule. | <pre>map(object({<br>    action = object({<br>      type          = string<br>      storage_class = optional(string)<br>    })<br>    condition = object({<br>      age                        = optional(number)<br>      created_before             = optional(string)<br>      custom_time_before         = optional(string)<br>      days_since_custom_time     = optional(number)<br>      days_since_noncurrent_time = optional(number)<br>      matches_prefix             = optional(list(string))<br>      matches_storage_class      = optional(list(string)) # STANDARD, MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, ARCHIVE, DURABLE_REDUCED_AVAILABILITY<br>      matches_suffix             = optional(list(string))<br>      noncurrent_time_before     = optional(string)<br>      num_newer_versions         = optional(number)<br>      with_state                 = optional(string) # "LIVE", "ARCHIVED", "ANY"<br>    })<br>  }))</pre> | `{}` | no |
 | <a name="input_location"></a> [location](#input\_location) | Bucket location. | `string` | n/a | yes |
 | <a name="input_logging_config"></a> [logging\_config](#input\_logging\_config) | Bucket logging configuration. | <pre>object({<br>    log_bucket        = string<br>    log_object_prefix = optional(string)<br>  })</pre> | `null` | no |
-| <a name="input_organization_id"></a> [organization\_id](#input\_organization\_id) | The organization id. | `string` | n/a | yes |
 | <a name="input_parent"></a> [parent](#input\_parent) | Parent in folders/folder\_id or organizations/org\_id format. | `string` | `null` | no |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | Optional prefix used to generate project id and name. | `string` | `null` | no |
 | <a name="input_project_create"></a> [project\_create](#input\_project\_create) | Create project. When set to false, uses a data source to reference existing project. | `bool` | `true` | no |

modules/github-gcloud-oidc/folder.tf

@@ -1,8 +1,8 @@
 locals {
   folder = (
     var.folder_create
-    ? try(google_folder.folder.0, null)
-    : try(data.google_folder.folder.0, null)
+    ? try(google_folder.folder[0], null)
+    : try(data.google_folder.folder[0], null)
   )
 }
 
@@ -15,4 +15,4 @@ resource "google_folder" "folder" {
   count        = var.folder_create ? 1 : 0
   display_name = var.folder_name
   parent       = var.parent
-}
+}

modules/github-gcloud-oidc/oidc.tf

@@ -4,7 +4,6 @@ locals {
 
   bootstrap_repo_name     = "bootstrap"
   organizations_repo_name = "organizations"
-  projects_repo_name      = "projects"
 
   state_file_access_roles = tolist(["roles/storage.objectAdmin", "roles/storage.admin"])
 
@@ -53,6 +52,7 @@ resource "google_project_iam_member" "organizations_member" {
 */
 module "oidc" {
   source      = "terraform-google-modules/github-actions-runners/google//modules/gh-oidc"
+  version     = "3.1.2"
   depends_on  = [google_project_service.project_services, google_service_account.bootstrap_sa, google_service_account.organizations_sa]
   project_id  = google_project.project[0].project_id
   pool_id     = local.pool_id

modules/github-gcloud-oidc/project.tf

@@ -25,14 +25,14 @@ locals {
   project = (
     var.project_create ?
     {
-      project_id = try(google_project.project.0.project_id, null)
-      number     = try(google_project.project.0.number, null)
-      name       = try(google_project.project.0.name, null)
+      project_id = try(google_project.project[0].project_id, null)
+      number     = try(google_project.project[0].number, null)
+      name       = try(google_project.project[0].name, null)
     }
     : {
       project_id = local.project_id
-      number     = try(data.google_project.project.0.number, null)
-      name       = try(data.google_project.project.0.name, null)
+      number     = try(data.google_project.project[0].number, null)
+      name       = try(data.google_project.project[0].name, null)
     }
   )
 }
@@ -66,4 +66,3 @@ resource "google_project_service" "project_services" {
   disable_on_destroy         = var.service_config.disable_on_destroy
   disable_dependent_services = var.service_config.disable_dependent_services
 }
-

modules/github-gcloud-oidc/storage.tf

@@ -1,3 +1,4 @@
+#trivy:ignore:avd-gcp-0066
 resource "google_storage_bucket" "bucket" {
   name                        = lower(var.bucket_name)
   depends_on                  = [google_project_service.project_services]
@@ -94,4 +95,4 @@ resource "google_storage_bucket" "bucket" {
       data_locations = var.custom_placement_config
     }
   }
-}
+}

modules/github-gcloud-oidc/variables.tf

@@ -1,9 +1,3 @@
-#Organization Variables
-variable "organization_id" {
-  description = "The organization id."
-  type        = string
-}
-
 #Folder Variables
 variable "folder_create" {
   description = "Create folder. When set to false, uses id to reference an existing folder."
@@ -277,4 +271,4 @@ variable "custom_placement_config" {
 variable "github_foundations_organization_name" {
   type        = string
   description = "The name of the organization that the github foundation repos will be under."
-}
+}

modules/github-gcloud-oidc/versions.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3"
+  required_version = ">= 1.6"
   required_providers {
     google = {
       source  = "hashicorp/google"
@@ -9,5 +9,9 @@ terraform {
       source  = "hashicorp/google-beta"
       version = ">= 3.77" # tftest
     }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.6" # tftest
+    }
   }
-}
+}

modules/organization/README.md

@@ -2,7 +2,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6 |
 | <a name="requirement_github"></a> [github](#requirement\_github) | ~> 6.0 |
 
 ## Providers