Refactor AWS Glue modules documentation and outputs

- Updated MODULE.md for aws-glue-data-lake-catalog to improve formatting and clarify input/output descriptions.
- Renamed output variable from  to  for consistency in aws-glue-data-lake-catalog.
- Enhanced MODULE.md for aws-glue-jobs with requirements, providers, modules, inputs, and outputs sections.
- Simplified variable definitions in aws-glue-jobs to remove default values for optional fields.
- Improved naming conventions for job tags in aws-glue-jobs to include resource prefix.
- Added default_run_properties to workflows in aws-glue-workflow for better job configuration.
- Updated regex checks in outputs for aws-glue-workflow to ensure proper trigger name matching.

Author: ulises-jeremias

.pre-commit-config.yaml

@@ -0,0 +1,124 @@
+# Pre-commit configuration for Terraform Infrastructure
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+
+default_stages: [pre-commit]
+default_language_version:
+  python: python3
+
+repos:
+  # Core pre-commit hooks for general file hygiene
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      # File formatting and structure
+      - id: trailing-whitespace
+        args: [--markdown-linebreak-ext=md]
+      - id: end-of-file-fixer
+      - id: check-yaml
+        args: [--allow-multiple-documents]
+        exclude: \.ya?ml\.j2$
+      - id: check-json
+      - id: check-merge-conflict
+      - id: check-added-large-files
+        args: [--maxkb=1024]
+
+      # Git and file system checks
+      - id: check-case-conflict
+      - id: check-symlinks
+      - id: destroyed-symlinks
+
+      # Content validation
+      - id: check-executables-have-shebangs
+      - id: check-shebang-scripts-are-executable
+
+  # Terraform-specific hooks using the most popular pre-commit-terraform
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.99.5  # Latest as of Jan 2025
+    hooks:
+      # Core Terraform formatting and validation
+      - id: terraform_fmt
+        args:
+          - --args=-recursive
+          - --args=-diff
+
+      - id: terraform_validate
+        args:
+          - --hook-config=--retry-once-with-cleanup=true
+
+      # Security scanning with Trivy (modern replacement for tfsec)
+      - id: terraform_trivy
+        args:
+          - --args=--format=compact
+          - --args=--exit-code=1
+          - --args=--severity=HIGH,CRITICAL
+          - --args=--skip-dirs="**/.terraform"
+
+      # Documentation generation
+      - id: terraform_docs
+        args:
+          - --hook-config=--path-to-file=docs/MODULE.md
+          - --hook-config=--add-to-existing-file=true
+          - --hook-config=--create-file-if-not-exist=true
+
+      # Provider lock file management
+      - id: terraform_providers_lock
+        args:
+          - --hook-config=--mode=only-check-is-current-lockfile-cross-platform
+          - --args=-platform=linux_amd64
+          - --args=-platform=linux_arm64
+          - --args=-platform=darwin_amd64
+          - --args=-platform=darwin_arm64
+
+  # Markdown linting for better documentation
+  - repo: https://github.com/DavidAnson/markdownlint-cli2
+    rev: v0.15.0
+    hooks:
+      - id: markdownlint-cli2
+        args:
+          - --config=.markdownlint.json
+
+  # YAML formatting and linting
+  - repo: https://github.com/adrienverge/yamllint
+    rev: v1.37.0
+    hooks:
+      - id: yamllint
+        args: [-c=.yamllint]
+
+  # Shell script linting
+  - repo: https://github.com/shellcheck-py/shellcheck-py
+    rev: v0.10.0.1
+    hooks:
+      - id: shellcheck
+        args: [--severity=warning]
+
+  # Secret scanning for security
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.21.2
+    hooks:
+      - id: gitleaks
+
+  # Typo and spelling checks
+  - repo: https://github.com/crate-ci/typos
+    rev: v1.28.3
+    hooks:
+      - id: typos
+        args: [--config=.typos.toml]
+        exclude: |
+          (?x)^(
+            .*\.lock.*|
+            .*\.tfstate.*|
+            .git/.*
+          )$
+
+# Configuration for excluding files/directories
+exclude: |
+  (?x)^(
+    \.terraform/.*|
+    \.terraform\.lock\.hcl$|
+    .*\.tfstate.*|
+    .*\.terraform\.lock\.hcl$|
+    node_modules/.*|
+    \.venv/.*|
+    __pycache__/.*
+  )$

modules/aws-glue-code-registry/docs/MODULE.md

@@ -1,3 +1,74 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_code_artifacts_bucket"></a> [code\_artifacts\_bucket](#module\_code\_artifacts\_bucket) | terraform-aws-modules/s3-bucket/aws | 5.2.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_log_group.code_registry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_iam_role.code_registry_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.additional_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.cloudwatch_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.s3_code_artifacts_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_s3_bucket_notification.code_artifacts_notification](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_additional_s3_bucket_arns"></a> [additional\_s3\_bucket\_arns](#input\_additional\_s3\_bucket\_arns) | List of additional S3 bucket ARNs that the code registry IAM role needs access to | `list(string)` | `[]` | no |
+| <a name="input_cloudwatch_kms_key_id"></a> [cloudwatch\_kms\_key\_id](#input\_cloudwatch\_kms\_key\_id) | KMS key ID for CloudWatch Logs encryption | `string` | `null` | no |
+| <a name="input_create_iam_role"></a> [create\_iam\_role](#input\_create\_iam\_role) | Whether to create IAM role for code registry access | `bool` | `true` | no |
+| <a name="input_create_s3_bucket"></a> [create\_s3\_bucket](#input\_create\_s3\_bucket) | Whether to create a new S3 bucket for code artifacts | `bool` | `true` | no |
+| <a name="input_enable_cloudwatch_logging"></a> [enable\_cloudwatch\_logging](#input\_enable\_cloudwatch\_logging) | Whether to enable CloudWatch logging for code registry | `bool` | `true` | no |
+| <a name="input_enable_s3_notifications"></a> [enable\_s3\_notifications](#input\_enable\_s3\_notifications) | Whether to enable S3 bucket notifications for code artifact uploads | `bool` | `false` | no |
+| <a name="input_existing_s3_bucket_name"></a> [existing\_s3\_bucket\_name](#input\_existing\_s3\_bucket\_name) | Name of existing S3 bucket to use for code artifacts (when create\_s3\_bucket is false) | `string` | `null` | no |
+| <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | Whether to allow destruction of S3 bucket with objects (use with caution in production) | `bool` | `false` | no |
+| <a name="input_log_retention_days"></a> [log\_retention\_days](#input\_log\_retention\_days) | Number of days to retain CloudWatch logs | `number` | `14` | no |
+| <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum session duration for the code registry access role (in seconds) | `number` | `3600` | no |
+| <a name="input_name"></a> [name](#input\_name) | Name to be used as prefix for all resources created by this module | `string` | n/a | yes |
+| <a name="input_s3_bucket_name"></a> [s3\_bucket\_name](#input\_s3\_bucket\_name) | Name of the S3 bucket for code artifacts. If not provided, will be auto-generated | `string` | `null` | no |
+| <a name="input_s3_kms_key_id"></a> [s3\_kms\_key\_id](#input\_s3\_kms\_key\_id) | KMS key ID for S3 bucket encryption. If not provided, AES256 encryption will be used | `string` | `null` | no |
+| <a name="input_s3_lifecycle_rules"></a> [s3\_lifecycle\_rules](#input\_s3\_lifecycle\_rules) | S3 bucket lifecycle rules for cost optimization | `any` | <pre>[<br/>  {<br/>    "abort_incomplete_multipart_upload": {<br/>      "days_after_initiation": 7<br/>    },<br/>    "id": "delete_old_versions",<br/>    "noncurrent_version_expiration": {<br/>      "days": 90<br/>    },<br/>    "status": "Enabled"<br/>  }<br/>]</pre> | no |
+| <a name="input_s3_notification_configurations"></a> [s3\_notification\_configurations](#input\_s3\_notification\_configurations) | List of S3 notification configurations for code artifact uploads | <pre>list(object({<br/>    id            = string<br/>    events        = list(string)<br/>    filter_prefix = optional(string)<br/>    filter_suffix = optional(string)<br/>  }))</pre> | <pre>[<br/>  {<br/>    "events": [<br/>      "s3:ObjectCreated:*"<br/>    ],<br/>    "filter_suffix": ".jar",<br/>    "id": "code-upload-notification"<br/>  },<br/>  {<br/>    "events": [<br/>      "s3:ObjectCreated:*"<br/>    ],<br/>    "filter_suffix": ".whl",<br/>    "id": "wheel-upload-notification"<br/>  }<br/>]</pre> | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to assign to all resources | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_code_artifacts_bucket_arn"></a> [code\_artifacts\_bucket\_arn](#output\_code\_artifacts\_bucket\_arn) | ARN of the S3 bucket used for code artifacts |
+| <a name="output_code_artifacts_bucket_domain_name"></a> [code\_artifacts\_bucket\_domain\_name](#output\_code\_artifacts\_bucket\_domain\_name) | Domain name of the S3 bucket used for code artifacts |
+| <a name="output_code_artifacts_bucket_id"></a> [code\_artifacts\_bucket\_id](#output\_code\_artifacts\_bucket\_id) | ID of the S3 bucket used for code artifacts |
+| <a name="output_code_artifacts_bucket_name"></a> [code\_artifacts\_bucket\_name](#output\_code\_artifacts\_bucket\_name) | Name of the S3 bucket used for code artifacts |
+| <a name="output_code_artifacts_bucket_regional_domain_name"></a> [code\_artifacts\_bucket\_regional\_domain\_name](#output\_code\_artifacts\_bucket\_regional\_domain\_name) | Regional domain name of the S3 bucket used for code artifacts |
+| <a name="output_code_registry_role_arn"></a> [code\_registry\_role\_arn](#output\_code\_registry\_role\_arn) | ARN of the code registry access IAM role |
+| <a name="output_code_registry_role_id"></a> [code\_registry\_role\_id](#output\_code\_registry\_role\_id) | ID of the code registry access IAM role |
+| <a name="output_code_registry_role_name"></a> [code\_registry\_role\_name](#output\_code\_registry\_role\_name) | Name of the code registry access IAM role |
+| <a name="output_code_registry_summary"></a> [code\_registry\_summary](#output\_code\_registry\_summary) | Summary of code registry configuration |
+| <a name="output_common_tags"></a> [common\_tags](#output\_common\_tags) | Common tags applied to all resources |
+| <a name="output_log_group_arns"></a> [log\_group\_arns](#output\_log\_group\_arns) | ARNs of the CloudWatch log groups for code registry |
+| <a name="output_log_group_names"></a> [log\_group\_names](#output\_log\_group\_names) | Names of the CloudWatch log groups for code registry |
+| <a name="output_resource_prefix"></a> [resource\_prefix](#output\_resource\_prefix) | Resource prefix used for naming |
+
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 
@@ -48,8 +119,8 @@
 | <a name="input_name"></a> [name](#input\_name) | Name to be used as prefix for all resources created by this module | `string` | n/a | yes |
 | <a name="input_s3_bucket_name"></a> [s3\_bucket\_name](#input\_s3\_bucket\_name) | Name of the S3 bucket for code artifacts. If not provided, will be auto-generated | `string` | `null` | no |
 | <a name="input_s3_kms_key_id"></a> [s3\_kms\_key\_id](#input\_s3\_kms\_key\_id) | KMS key ID for S3 bucket encryption. If not provided, AES256 encryption will be used | `string` | `null` | no |
-| <a name="input_s3_lifecycle_rules"></a> [s3\_lifecycle\_rules](#input\_s3\_lifecycle\_rules) | S3 bucket lifecycle rules for cost optimization | `any` | <pre>[<br>  {<br>    "abort_incomplete_multipart_upload": {<br>      "days_after_initiation": 7<br>    },<br>    "id": "delete_old_versions",<br>    "noncurrent_version_expiration": {<br>      "days": 90<br>    },<br>    "status": "Enabled"<br>  }<br>]</pre> | no |
-| <a name="input_s3_notification_configurations"></a> [s3\_notification\_configurations](#input\_s3\_notification\_configurations) | List of S3 notification configurations for code artifact uploads | <pre>list(object({<br>    id            = string<br>    events        = list(string)<br>    filter_prefix = optional(string)<br>    filter_suffix = optional(string)<br>  }))</pre> | <pre>[<br>  {<br>    "events": [<br>      "s3:ObjectCreated:*"<br>    ],<br>    "filter_suffix": ".jar",<br>    "id": "code-upload-notification"<br>  },<br>  {<br>    "events": [<br>      "s3:ObjectCreated:*"<br>    ],<br>    "filter_suffix": ".whl",<br>    "id": "wheel-upload-notification"<br>  }<br>]</pre> | no |
+| <a name="input_s3_lifecycle_rules"></a> [s3\_lifecycle\_rules](#input\_s3\_lifecycle\_rules) | S3 bucket lifecycle rules for cost optimization | `any` | <pre>[<br/>  {<br/>    "abort_incomplete_multipart_upload": {<br/>      "days_after_initiation": 7<br/>    },<br/>    "id": "delete_old_versions",<br/>    "noncurrent_version_expiration": {<br/>      "days": 90<br/>    },<br/>    "status": "Enabled"<br/>  }<br/>]</pre> | no |
+| <a name="input_s3_notification_configurations"></a> [s3\_notification\_configurations](#input\_s3\_notification\_configurations) | List of S3 notification configurations for code artifact uploads | <pre>list(object({<br/>    id            = string<br/>    events        = list(string)<br/>    filter_prefix = optional(string)<br/>    filter_suffix = optional(string)<br/>  }))</pre> | <pre>[<br/>  {<br/>    "events": [<br/>      "s3:ObjectCreated:*"<br/>    ],<br/>    "filter_suffix": ".jar",<br/>    "id": "code-upload-notification"<br/>  },<br/>  {<br/>    "events": [<br/>      "s3:ObjectCreated:*"<br/>    ],<br/>    "filter_suffix": ".whl",<br/>    "id": "wheel-upload-notification"<br/>  }<br/>]</pre> | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to assign to all resources | `map(string)` | `{}` | no |
 | <a name="input_workload_account_ids"></a> [workload\_account\_ids](#input\_workload\_account\_ids) | List of AWS account IDs that should have cross-account access to the code artifacts bucket | `list(string)` | `[]` | no |
 
@@ -70,4 +141,4 @@
 | <a name="output_log_group_arns"></a> [log\_group\_arns](#output\_log\_group\_arns) | ARNs of the CloudWatch log groups for code registry |
 | <a name="output_log_group_names"></a> [log\_group\_names](#output\_log\_group\_names) | Names of the CloudWatch log groups for code registry |
 | <a name="output_resource_prefix"></a> [resource\_prefix](#output\_resource\_prefix) | Resource prefix used for naming |
-<!-- END_TF_DOCS -->
+<!-- END_TF_DOCS -->

modules/aws-glue-data-lake-catalog/docs/MODULE.md

@@ -1,3 +1,5 @@
+# aws-glue-data-lake-catalog
+
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 
@@ -26,14 +28,14 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_additional_databases"></a> [additional\_databases](#input\_additional\_databases) | Map of additional databases to create outside of the standard data lake layers | <pre>map(object({<br>    description = string<br>    location    = optional(string, null)<br>    parameters  = optional(map(string), {})<br>  }))</pre> | `{}` | no |
+| <a name="input_additional_databases"></a> [additional\_databases](#input\_additional\_databases) | Map of additional databases to create outside of the standard data lake layers | <pre>map(object({<br/>    description = string<br/>    location    = optional(string, null)<br/>    parameters  = optional(map(string), {})<br/>  }))</pre> | `{}` | no |
 | <a name="input_catalog_id"></a> [catalog\_id](#input\_catalog\_id) | The ID of the Glue Catalog. If not provided, the AWS account ID will be used | `string` | `null` | no |
 | <a name="input_create_export_database"></a> [create\_export\_database](#input\_create\_export\_database) | Whether to create an export database for final outputs | `bool` | `true` | no |
 | <a name="input_create_shared_databases"></a> [create\_shared\_databases](#input\_create\_shared\_databases) | Whether to create shared databases (shared, export) | `bool` | `true` | no |
-| <a name="input_data_lake_paths"></a> [data\_lake\_paths](#input\_data\_lake\_paths) | Map of layer names to their S3 path prefixes | `map(string)` | <pre>{<br>  "bronze": "iceberg-warehouse/bronze",<br>  "gold": "iceberg-warehouse/gold",<br>  "silver": "iceberg-warehouse/silver"<br>}</pre> | no |
+| <a name="input_data_lake_paths"></a> [data\_lake\_paths](#input\_data\_lake\_paths) | Map of layer names to their S3 path prefixes | `map(string)` | <pre>{<br/>  "bronze": "iceberg-warehouse/bronze",<br/>  "gold": "iceberg-warehouse/gold",<br/>  "silver": "iceberg-warehouse/silver"<br/>}</pre> | no |
 | <a name="input_data_lake_sublayers"></a> [data\_lake\_sublayers](#input\_data\_lake\_sublayers) | Configuration for sublayers within each data lake layer. Each layer can have multiple sublayers (e.g., source systems, processing stages) | `map(list(string))` | `{}` | no |
 | <a name="input_database_prefix"></a> [database\_prefix](#input\_database\_prefix) | Prefix for all Glue database names. Should follow the pattern: namespace-short\_domain-account\_name (e.g., dwh-wl-workloads-data-lake-develop) | `string` | n/a | yes |
-| <a name="input_layers"></a> [layers](#input\_layers) | List of data lake layers to create databases for | `list(string)` | <pre>[<br>  "bronze",<br>  "silver",<br>  "gold"<br>]</pre> | no |
+| <a name="input_layers"></a> [layers](#input\_layers) | List of data lake layers to create databases for | `list(string)` | <pre>[<br/>  "bronze",<br/>  "silver",<br/>  "gold"<br/>]</pre> | no |
 | <a name="input_s3_bucket_uri"></a> [s3\_bucket\_uri](#input\_s3\_bucket\_uri) | The S3 bucket URI where data lake data is stored (e.g., s3://bucket-name) | `string` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to assign to all resources created by this module | `map(string)` | `{}` | no |
 
@@ -48,7 +50,7 @@ No modules.
 | <a name="output_databases_by_sublayer"></a> [databases\_by\_sublayer](#output\_databases\_by\_sublayer) | Map of databases organized by sublayer |
 | <a name="output_export_database"></a> [export\_database](#output\_export\_database) | Export database details |
 | <a name="output_gold_database_name"></a> [gold\_database\_name](#output\_gold\_database\_name) | Name of the first gold database (for backward compatibility) |
-| <a name="output_raw_zone_database_name"></a> [raw\_zone\_database\_name](#output\_raw\_zone\_database\_name) | Name of the first raw\_zone database (for backward compatibility) |
+| <a name="output_raw_database_name"></a> [raw\_database\_name](#output\_raw\_database\_name) | Name of the first raw\_zone database (for backward compatibility) |
 | <a name="output_shared_database"></a> [shared\_database](#output\_shared\_database) | Shared database details |
 | <a name="output_silver_database_name"></a> [silver\_database\_name](#output\_silver\_database\_name) | Name of the first silver database (for backward compatibility) |
-<!-- END_TF_DOCS -->
+<!-- END_TF_DOCS -->

modules/aws-glue-data-lake-catalog/outputs.tf

@@ -65,7 +65,7 @@ output "export_database" {
 }
 
 # Legacy outputs for backward compatibility (pick the first database for each layer)
-output "raw_zone_database_name" {
+output "raw_database_name" {
   description = "Name of the first raw_zone database (for backward compatibility)"
   value = length([
     for key, db in aws_glue_catalog_database.databases : db.name