awsterraformstarterkit's Issues

Allow configurable project root dir

We are using the terraform starterkit in an example project in the subfolder of a project. Yes, a kind of subproject.
The project is a module development.
The subproject uses a module located outside the subproject directory but inside some parent folder of the subproject.

.
├── example
│   ├── terraform
│   │   └── test
│   │       └── main.tf
│   ├── configure.yaml
│   ├── docker-compose-tools.yml
│   ├── docker-compose.yml
│   ├── get-starter-kit.sh
│   ├── Makefile
│   └── remove-starter-kit.sh
├── main.tf
├── variables.tf
└── versions.tf

At the moment, there's no way to configure the starterkit docker container to mount the entire project folder and not only the example folder.

The content of example/terraform/test/main.tf.

module "this" {
  source = "../../../"

  ...
}
...

Use .gitlab-ci dotenv to pass credentials between stages

GitLab provides dotenv handling between jobs using the artifacts and dependencies keywords in CI/CD pipeline code. It looks like the following:

my_job:
  stage: build
  script:
    - echo "ENV_VAR=content" >> .env
  artifacts:
    reports:
      dotenv: .env

anotherjob:
  stage: deploy
  script:
    - echo "$ENV_VAR"
  dependencies:
    # dependencies takes a plain list of job names; the job:/artifacts: form belongs to needs
    - my_job

Newbie vision

My install test by a newbie !!!!

  1. In the README on the home page, there is no link to the install doc :)
  2. In step 4 https://github.com/Orange-OpenSource/AWSTerraformStarterKit/blob/master/docs/installation.md?plain=1#L126
    why is it needed to use: AWS_DEFAULT_REGION
    could it be possible to use: AWS_SESSION_TOKEN

after my "make start"

## Start the AWSTerraformStarterKit

How can I test and use it?

 => => exporting layers                                                                                                                                               0.8s
 => => writing image sha256:be297fa0b955ab00dbd3fd17e6f1de5fd9044fa00c70fd120403beaad879a32b                                                                          0.0s
 => => naming to docker.io/library/tfenv:3.0.0                                                                                                                        0.0s
[+] Running 1/1
 ✔ Container starterkit_terraform  Started                                                                                                                            0.1s
# docker compose -f docker-compose.yml exec terraform apk add --no-cache python3 py3-pip
guillaume@docker:~/GIT/WSTerraformStarterKit_demo (master)$ docker compose -f docker-compose.yml exec terraform apk add --no-cache python3 py3-pip
ERROR: Unable to lock database: Permission denied
ERROR: Failed to open apk database: Permission denied
guillaume@docker:~/GIT/WSTerraformStarterKit_demo (master)$ ls -l
total 52
drwxrwx--- 1 root vboxsf  4096 déc.   8 09:58 automation
-rwxrwx--- 1 root vboxsf  4733 janv.  5 17:15 configure.yaml
-rwxrwx--- 1 root vboxsf  4733 déc.   8 09:58 configure.yaml.dist
-rwxrwx--- 1 root vboxsf  3863 déc.   8 09:58 docker-compose-tools.yml
-rwxrwx--- 1 root vboxsf   744 déc.   8 09:58 docker-compose.yml
-rwxrwx--- 1 root vboxsf  1991 janv.  5 10:31 get-starter-kit.sh
-rwxrwx--- 1 root vboxsf 14341 janv.  5 17:21 Makefile
-rwxrwx--- 1 root vboxsf  2383 janv.  5 17:21 makeplan.mk
drwxrwx--- 1 root vboxsf     0 janv.  5 10:31 terraform
guillaume@docker:~/GIT/WSTerraformStarterKit_demo (master)$ docker ps
CONTAINER ID   IMAGE         COMMAND               CREATED              STATUS              PORTS     NAMES
3ae0305c3d63   tfenv:3.0.0   "tail -f /dev/null"   About a minute ago   Up About a minute             starterkit_terraform
guillaume@docker:~/GIT/WSTerraformStarterKit_demo (master)$
guillaume@docker:~/GIT/WSTerraformStarterKit_demo (master)$

Add StarterKit Version number

In get-starter-kit.sh, add a way to get and store the downloaded version in a file located at the root of the project.

[enhancement] Provide override mechanism for dev tools config files

The terraform starterkit uses the default config files available on the public remote repository. Users may want (I do) to use their own tool configuration file. For example, there's no solution to use our own custom terraform-docs configuration.

This issue is a feature request for a mechanism to override the config file for the following tools:

  • terrascan
  • terraform-docs
  • tflint
  • markdown lint
  • trivy
  • yamllint
  • shellcheck
  • pre-commit-config

Terrascan command fails because of bad config

The Terrascan target in the Makefile runs the following command:
$(TERRASCAN_RUN) scan -i terraform --verbose --config-path=./.terrascan_config.toml {% for plan_name in plans_install %} --iac-dir={{ plan_name }} {% endfor %}

The --config-path value is incorrect. It must be set to --config-path=.config/.terrascan_config.toml.

Documentation Improvement

Must mention the fact that this starterkit depends on GitLab.

I think these points are missing

  • A GitLab instance as a requirement
  • Clearly state that this starterkit code must be downloaded or copied to a dedicated GitLab project, the project must then be released and the correct asset produced (the "How To Guide" on how to achieve this must also be documented), and only after that can the get-starter-kit.sh script be run
  • Clearly mention that the value of GITLAB_TOKEN must be a Project Access Token for the dedicated GitLab project for the starterkit created before, with api and read_api scope permission.

[enhancement] Can we add git-secrets DevSecOps Tools to prevent secrets leaks

git-secrets scans commit messages and files to detect sensitive information. Add it as pre-commit hooks(?).
The idea here is to use git-secrets to prevent secrets leaks.
It can be added as a merge-request validation job which prevents pull requests with sensitive information from being merged into the main branch, for example.
More possibilities to explore here.
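
The kind of merge-request check the git-secrets issue above asks for, as an added example that is not part of the issue or the project's code and is not git-secrets itself: it scans only the added lines of a unified diff for AWS access key IDs and redacts findings so the job log does not leak them. The key pattern, the allow-listed AWS documentation key, the function names and the sample diff are assumptions constructed for this illustration.

```shell
#!/bin/sh
# Assumed pattern: "AKIA" or "ASIA" followed by 16 uppercase letters or digits.
KEY_RE='(AKIA|ASIA)[A-Z0-9]{16}'
# AWS's published documentation example key, allowed so docs do not fail the job.
ALLOWED='AKIAIOSFODNN7EXAMPLE'

# Reads a unified diff on stdin and prints one redacted finding per key.
# Returns 1 if at least one key was found in an added line, 0 otherwise.
scan_added_lines() {
  found=0
  file=""
  while IFS= read -r line; do
    case "$line" in
      '+++ '*)                       # file header: remember the new path
        file=${line#'+++ '}
        file=${file#b/} ;;
      '+'*)                          # added line: removed/context lines are skipped
        for key in $(printf '%s\n' "${line#?}" | grep -Eo "$KEY_RE"); do
          [ "$key" = "$ALLOWED" ] && continue
          # Keep only the 4-character prefix; never echo the full key.
          echo "$file: AWS access key ID ${key%????????????????}**** (redacted)"
          found=1
        done ;;
    esac
  done
  return "$found"
}

# Constructed sample diff; the keys are made up for this example.
sample_diff() {
  cat <<'EOF'
--- a/terraform/test/main.tf
+++ b/terraform/test/main.tf
@@ -1,3 +1,4 @@
-  access_key = "AKIAZZZZZZZZZZZZZZZZ"
+  # docs example: AKIAIOSFODNN7EXAMPLE
+  access_key = "AKIAABCDEFGHIJKLMNOP"
   region     = "eu-west-1"
EOF
}

# Stand-alone demo: a CI job would fail here instead of printing a message.
sample_diff | scan_added_lines || echo "secret detected: fail the merge request"
```

In a pipeline the input would come from the merge request's diff against the target branch; the non-zero return status is what fails the job.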

compare configuration failing because of wrong workdir

The compare_configuration action runs from a container with a default, non-configurable workdir set to /workdir in the built Dockerfile.
The workdir must be configured dynamically using the PROJECT_ROOT_DIR and PROJECT_DIR variables.

ExternalId

Some IAM roles require an ExternalId to be assumed. The ExternalId cannot be stored in git.

Optimize .gitlab-ci build

  • configure plugin cache directory with "terraform rc"
  • use gitlab job caches to allow reuse of terraform local cache made from first init
  • modify validate, plan, install (apply), destroy to not perform init again but only the intended operation. (Atomicity)
