From d3dc675b0a1d2af2e45cd667e964fb221d6febf2 Mon Sep 17 00:00:00 2001
From: Cris Daniluk <cdaniluk@rhythmictech.com>
Date: Wed, 18 Sep 2024 11:47:53 -0400
Subject: [PATCH] bump pre-commit checks and move to trivy (#95)

* bump pre-commit checks and move to trivy

* fix trivy

* update check

* update check

* update check

* update check
---
 .github/workflows/pre-commit.yaml  |  1 +
 .github/workflows/pullRequest.yaml |  4 +-
 .github/workflows/tfsec.yaml       | 26 -------------
 .github/workflows/trivy.yaml       | 31 +++++++++++++++
 .gitignore                         |  2 -
 .pre-commit-config.yaml            | 61 +++++++-----------------------
 .terraform-version                 |  2 +-
 .tflint.hcl                        |  6 +++
 LICENSE                            |  2 +-
 README.md                          |  4 +-
 bin/install-macos.sh               |  5 +--
 bin/install-ubuntu.sh              |  5 ++-
 main.tf                            |  2 +-
 13 files changed, 64 insertions(+), 87 deletions(-)
 delete mode 100644 .github/workflows/tfsec.yaml
 create mode 100644 .github/workflows/trivy.yaml

diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
index 398767c..daf3160 100644
--- a/.github/workflows/pre-commit.yaml
+++ b/.github/workflows/pre-commit.yaml
@@ -3,6 +3,7 @@ name: pre-commit-check
 on:
   push:
     branches:
+      - main
       - master
       - prod
       - develop
diff --git a/.github/workflows/pullRequest.yaml b/.github/workflows/pullRequest.yaml
index 8f1eba5..101b621 100644
--- a/.github/workflows/pullRequest.yaml
+++ b/.github/workflows/pullRequest.yaml
@@ -24,7 +24,7 @@ jobs:
             terraform_tflint_deep,
             no-commit-to-branch,
             terraform_tflint_nocreds,
-            terraform_tfsec
+            terraform_trivy
   tflint:
     runs-on: ubuntu-latest
     steps:
@@ -41,7 +41,7 @@ jobs:
           filter_mode: added
           flags: --module
           level: error
-  tfsec:
+  trivy:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
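Review bot: The renamed `trivy:` job still checks out with `actions/checkout@v2`, the Node 12-era major that GitHub has deprecated, and the new `trivy.yaml` in this commit uses the same version; since both jobs are being touched anyway, `- uses: actions/checkout@v4` is the low-risk fix in both places. This hunk ends before the step that actually invokes the scanner, so it cannot be seen here whether the job body moved off `reviewdog/action-tfsec`; if it did not, the rename here and the `terraform_trivy` entry in the skip list above are only cosmetic. The job definition continues outside the hunk.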
diff --git a/.github/workflows/tfsec.yaml b/.github/workflows/tfsec.yaml
deleted file mode 100644
index 2f75a3e..0000000
--- a/.github/workflows/tfsec.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
----
-name: tfsec
-on:
-  push:
-    branches:
-      - main
-      - master
-      - prod
-      - develop
-
-jobs:
-  tfsec:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - name: Install prerequisites
-        run: ./bin/install-ubuntu.sh
-      - name: Terraform init
-        run: terraform init --backend=false
-      - name: tfsec
-        uses: reviewdog/action-tfsec@master
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          reporter: github-check
-          filter_mode: nofilter
-          level: error
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
new file mode 100644
index 0000000..53a9d16
--- /dev/null
+++ b/.github/workflows/trivy.yaml
@@ -0,0 +1,31 @@
+---
+name: trivy
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  trivy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Install prerequisites
+        run: ./bin/install-ubuntu.sh
+      - name: Terraform init
+        run: terraform init --backend=false
+      - name: Trivy scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'config'
+          hide-progress: false
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          exit-code: '1'
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
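Review bot: With `exit-code: '1'` on the scan step, any CRITICAL/HIGH finding fails that step and the `Upload Trivy scan results` step is skipped, so exactly the runs that have something to report never reach the Security tab; add `if: always()` to the upload step. `upload-sarif` also needs the `security-events: write` scope, which this workflow does not request, so add a top-level `permissions:` block with `contents: read` and `security-events: write` rather than depending on the repository's default token scope. `aquasecurity/trivy-action@master` is a floating branch reference for a third-party action that runs with the repository token; pin it to a release tag or, better, a full commit SHA, and `github/codeql-action/upload-sarif@v2` has a newer v3 major. Note also that the deleted tfsec workflow triggered on `main`, `master`, `prod` and `develop` while this one triggers only on `master`, which narrows scan coverage even as the pre-commit workflow in this same commit is extended to `main`.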
diff --git a/.gitignore b/.gitignore
index 74c83e8..371d818 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,5 +13,3 @@
 
 # temp folders
 tmp
-
-.terraform.lock.hcl
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 0b856e7..f209b71 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,63 +1,27 @@
 exclude: ".terraform"
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.92.1
+    rev: v1.92.2
     hooks:
       - id: terraform_docs
         always_run: true
       - id: terraform_fmt
+      - id: terraform_validate
+        args:
+        - --hook-config=--retry-once-with-cleanup=true
+        exclude: ^examples
       - id: terraform_tflint
         alias: terraform_tflint_nocreds
+        exclude: ^examples
         name: terraform_tflint_nocreds
-      - id: terraform_tfsec
-  - repo: local
-    hooks:
-      - id: terraform_validate
-        name: terraform_validate
-        entry: |
-          bash -c '
-            AWS_DEFAULT_REGION=us-east-1
-            declare -a DIRS
-            for FILE in "$@"
-            do
-              DIRS+=($(dirname "$FILE"))
-            done
-            for DIR in $(printf "%s\n" "${DIRS[@]}" | sort -u)
-            do
-              cd $(dirname "$FILE")
-              terraform init --backend=false
-              terraform validate .
-              cd ..
-            done
-          '
-        language: system
-        verbose: true
-        files: \.tf(vars)?$
-        exclude: examples
-      - id: tflock
-        name: provider_locks
-        entry: |
-          bash -c '
-            AWS_DEFAULT_REGION=us-east-1
-            declare -a DIRS
-            for FILE in "$@"
-            do
-              DIRS+=($(dirname "$FILE"))
-            done
-            for DIR in $(printf "%s\n" "${DIRS[@]}" | sort -u)
-            do
-              cd $(dirname "$FILE")
-              terraform providers lock -platform=windows_amd64 -platform=darwin_amd64 -platform=linux_amd64
-              cd ..
-            done
-          '
-        language: system
-        verbose: true
-        files: \.tf(vars)?$
-        exclude: examples
+      - id: terraform_trivy
+        args:
+        - --args=--skip-dirs="**/.terraform,examples/*"
+      - id: terraform_providers_lock
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v4.6.0
     hooks:
+      - id: check-added-large-files
       - id: check-case-conflict
       - id: check-json
       - id: check-merge-conflict
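Review bot: The removed local `tflock` hook locked provider hashes for `windows_amd64`, `darwin_amd64` and `linux_amd64`, but the replacement `terraform_providers_lock` hook is added with no `-platform` arguments, so the lock file — now tracked, since `.gitignore` in this commit stops ignoring `.terraform.lock.hcl` — may carry hashes only for whichever platform the contributor ran the hook on, and `terraform init` on another platform can then fail the hash check or rewrite the file. Pass the platforms explicitly, e.g. `args: [--args=-platform=linux_amd64, --args=-platform=darwin_amd64, --args=-platform=windows_amd64]` (plus `darwin_arm64` if Apple-silicon contributors are expected). The removed `terraform_validate` hook also exported `AWS_DEFAULT_REGION=us-east-1` before `terraform init`/`validate`; the new hook does not, so a module with a region-less AWS provider block may now fail validation on hosts without that variable set — the hook's `--env-vars=AWS_DEFAULT_REGION="us-east-1"` argument restores it. The inner quotes in `--args=--skip-dirs="**/.terraform,examples/*"` are worth testing once: if the hook forwards them literally, the skip list silently matches nothing.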
@@ -65,6 +29,7 @@ repos:
       - id: check-yaml
         args:
           - --unsafe
+      - id: detect-private-key
       - id: end-of-file-fixer
       - id: mixed-line-ending
         args:
@@ -86,4 +51,4 @@ repos:
           - --markdown-linebreak-ext=md
         exclude: README.md
 ci:
-  skip: [terraform_docs, terraform_fmt, terraform_tflint, terraform_tfsec, tflock]
+  skip: [terraform_docs, terraform_fmt, terraform_validate, terraform_tflint, terraform_trivy, terraform_providers_lock]
diff --git a/.terraform-version b/.terraform-version
index 4f20ea7..5a13b33 100644
--- a/.terraform-version
+++ b/.terraform-version
@@ -1 +1 @@
-latest:^1.1
+latest:^1.6
diff --git a/.tflint.hcl b/.tflint.hcl
index 854fb92..c700b79 100644
--- a/.tflint.hcl
+++ b/.tflint.hcl
@@ -2,6 +2,12 @@ config {
   module     = true
 }
 
+plugin "aws" {
+    enabled = true
+    version = "0.30.0"
+    source  = "github.com/terraform-linters/tflint-ruleset-aws"
+}
+
 rule "terraform_deprecated_interpolation" {
   enabled = true
 }
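Review bot: The new `plugin "aws"` block is indented with four spaces while the `config` and `rule` blocks around it use two; match the file's style (`  enabled = true`, `  version = "0.30.0"`, `  source  = "github.com/terraform-linters/tflint-ruleset-aws"`). Declaring the plugin only records it — the ruleset is fetched by `tflint --init` — so unless the pre-commit hook and the reviewdog tflint action run `--init` themselves (not visible in this diff), the `bin/install-*.sh` scripts should gain that step or tflint will report the plugin as not installed. The enclosing `config` block starts above the hunk.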
diff --git a/LICENSE b/LICENSE
index 3fe5c34..9f1b0ba 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2020 Rhythmic Technologies, Inc.
+Copyright (c) 2024 Rhythmic Technologies, Inc.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/README.md b/README.md
index e693e78..168691f 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 Template repository for terraform modules. Good for any cloud and any provider.
 
 [![tflint](https://github.com/rhythmictech/terraform-terraform-template/workflows/tflint/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Atflint+event%3Apush+branch%3Amaster)
-[![tfsec](https://github.com/rhythmictech/terraform-terraform-template/workflows/tfsec/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Atfsec+event%3Apush+branch%3Amaster)
+[![trivy](https://github.com/rhythmictech/terraform-terraform-template/workflows/trivy/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Atrivy+event%3Apush+branch%3Amaster)
 [![yamllint](https://github.com/rhythmictech/terraform-terraform-template/workflows/yamllint/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Ayamllint+event%3Apush+branch%3Amaster)
 [![misspell](https://github.com/rhythmictech/terraform-terraform-template/workflows/misspell/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Amisspell+event%3Apush+branch%3Amaster)
 [![pre-commit-check](https://github.com/rhythmictech/terraform-terraform-template/workflows/pre-commit-check/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Apre-commit-check+event%3Apush+branch%3Amaster)
@@ -32,7 +32,7 @@ No providers.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_tags"></a> [tags](#module\_tags) | rhythmictech/tags/terraform | ~> 1.1.0 |
+| <a name="module_tags"></a> [tags](#module\_tags) | rhythmictech/tags/terraform | ~> 1.1 |
 
 ## Resources
 
diff --git a/bin/install-macos.sh b/bin/install-macos.sh
index 3800165..349bb9d 100755
--- a/bin/install-macos.sh
+++ b/bin/install-macos.sh
@@ -2,9 +2,8 @@
 
 echo 'installing brew packages'
 brew update
-brew tap liamg/tfsec
-brew install tfenv tflint terraform-docs pre-commit liamg/tfsec/tfsec coreutils
-brew upgrade tfenv tflint terraform-docs pre-commit liamg/tfsec/tfsec coreutils
+brew install tfenv tflint terraform-docs aquasecurity/trivy/trivy pre-commit coreutils
+brew upgrade tfenv tflint terraform-docs aquasecurity/trivy/trivy pre-commit coreutils
 
 echo 'installing pre-commit hooks'
 pre-commit install
diff --git a/bin/install-ubuntu.sh b/bin/install-ubuntu.sh
index 670d0b9..331e45b 100755
--- a/bin/install-ubuntu.sh
+++ b/bin/install-ubuntu.sh
@@ -7,7 +7,7 @@ pip3 install pre-commit
 # terraform docs
 mkdir tmp
 cd tmp
-curl -Lo ./terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-$(uname)-amd64.tar.gz
+curl -Lo ./terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.18.0/terraform-docs-v0.18.0-$(uname)-amd64.tar.gz
 tar -xzf terraform-docs.tar.gz
 chmod +x terraform-docs
 sudo mv terraform-docs /usr/bin/
@@ -30,3 +30,6 @@ pre-commit init-templatedir ~/.git-template
 
 echo 'installing terraform with tfenv'
 tfenv install
+
+wget https://github.com/aquasecurity/trivy/releases/download/v0.54.1/trivy_0.54.1_Linux-64bit.deb
+sudo dpkg -i trivy_0.54.1_Linux-64bit.deb
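Review bot: The `.deb` added at the end of this hunk is fetched with `wget` and handed straight to `sudo dpkg -i` with no integrity check, so a tampered or truncated download is installed as root; verify it against the checksum published with the release before installing, e.g. `echo "<expected-sha256>  trivy_0.54.1_Linux-64bit.deb" | sha256sum -c -` (placeholder to fill from the release assets), and delete the `.deb` afterwards since it is otherwise left behind in the current directory. The same applies to the terraform-docs tarball bumped to v0.18.0 earlier in this file, which is also extracted and moved to `/usr/bin` unverified; whether the script runs under `set -e` is outside both hunks. Versions are now inconsistent across the three places trivy is installed: this script pins 0.54.1, `bin/install-macos.sh` installs whatever `aquasecurity/trivy/trivy` currently resolves to, and `trivy.yaml` uses `trivy-action@master`, so pre-commit on a laptop and the CI scan can disagree on findings for the same tree.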
diff --git a/main.tf b/main.tf
index b0bc3ba..6b99d12 100644
--- a/main.tf
+++ b/main.tf
@@ -1,7 +1,7 @@
 
 module "tags" {
   source  = "rhythmictech/tags/terraform"
-  version = "~> 1.1.0"
+  version = "~> 1.1"
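Review bot: `~> 1.1` is a broader constraint than `~> 1.1.0`: the old form admitted only 1.1.x patch releases, the new one admits any 1.x release from 1.1 upward, so this is a functional loosening rather than a formatting tweak and deserves a line in the commit message. Note that `.terraform.lock.hcl`, which this commit starts tracking, records provider selections only, so nothing else pins the `rhythmictech/tags/terraform` module version once the range is widened. If the wider range is not intended, `version = "~> 1.1.0"` should simply stay; the README table row changed in this commit mirrors whichever value is kept.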
 
   enforce_case = "UPPER"
   names        = [var.name]