From cb5ee2529b70aa66213d3f98fb6258a1b1f99f3e Mon Sep 17 00:00:00 2001
From: Cris Daniluk
Date: Fri, 23 Aug 2024 19:05:14 -0400
Subject: [PATCH 1/9] bump pre-commit checks and move to trivy

---
 .github/workflows/pre-commit.yaml | 1 +
 .github/workflows/pullRequest.yaml | 2 +-
 .github/workflows/tfsec.yaml | 26 -------------
 .github/workflows/trivy.yaml | 31 ++++++++++++++++
 .pre-commit-config.yaml | 59 ++++++------------------------
 .tflint.hcl | 6 +++
 LICENSE | 2 +-
 README.md | 4 +-
 bin/install-macos.sh | 5 +--
 bin/install-ubuntu.sh | 3 ++
 main.tf | 2 +-
 11 files changed, 60 insertions(+), 81 deletions(-)
 delete mode 100644 .github/workflows/tfsec.yaml
 create mode 100644 .github/workflows/trivy.yaml

diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
index 398767c..daf3160 100644
--- a/.github/workflows/pre-commit.yaml
+++ b/.github/workflows/pre-commit.yaml
@@ -3,6 +3,7 @@ name: pre-commit-check
 on:
 push:
 branches:
+ - main
 - master
 - prod
 - develop
diff --git a/.github/workflows/pullRequest.yaml b/.github/workflows/pullRequest.yaml
index 8f1eba5..b5c558d 100644
--- a/.github/workflows/pullRequest.yaml
+++ b/.github/workflows/pullRequest.yaml
@@ -24,7 +24,7 @@ jobs:
 terraform_tflint_deep,
 no-commit-to-branch,
 terraform_tflint_nocreds,
- terraform_tfsec
+ terraform_trivy
 tflint:
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/tfsec.yaml b/.github/workflows/tfsec.yaml
deleted file mode 100644
index 2f75a3e..0000000
--- a/.github/workflows/tfsec.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
----
-name: tfsec
-on:
- push:
- branches:
- - main
- - master
- - prod
- - develop
-
-jobs:
- tfsec:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- - name: Install prerequisites
- run: ./bin/install-ubuntu.sh
- - name: Terraform init
- run: terraform init --backend=false
- - name: tfsec
- uses: reviewdog/action-tfsec@master
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
- reporter: github-check
- filter_mode: nofilter
- level: error
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
new file mode 100644
index 0000000..53a9d16
--- /dev/null
+++ b/.github/workflows/trivy.yaml
@@ -0,0 +1,31 @@
+---
+name: trivy
+on:
+ push:
+ branches:
+ - master
+
+jobs:
+ trivy:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Install prerequisites
+ run: ./bin/install-ubuntu.sh
+ - name: Terraform init
+ run: terraform init --backend=false
+ - name: Trivy scan
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'config'
+ hide-progress: false
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ exit-code: '1'
+ ignore-unfixed: true
+ severity: 'CRITICAL,HIGH'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 0b856e7..39a8a97 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
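Review bot: The SARIF upload step is skipped exactly when Trivy finds something, because `exit-code: '1'` fails the scan step and the upload step carries no `if: always()`, so results reach the Security tab only on clean runs; the job also declares no `permissions` block, and `upload-sarif` needs `security-events: write`, which a repository whose default `GITHUB_TOKEN` is read-only will not grant. The trigger lists only `master`, while the deleted tfsec workflow ran on main, master, prod and develop and this same commit adds `main` to pre-commit.yaml, so pushes to those branches are no longer scanned. Both actions are pulled from mutable refs (`aquasecurity/trivy-action@master`, `actions/checkout@v2`); pinning the scanner to a release tag or commit SHA keeps the gate itself from changing underneath the repository.
```yaml
jobs:
  trivy:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      # … unchanged: checkout, install prerequisites, terraform init, Trivy scan …
      - name: Upload Trivy scan results to GitHub Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
```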
@@ -6,58 +6,22 @@ repos:
 - id: terraform_docs
 always_run: true
 - id: terraform_fmt
+ - id: terraform_validate
+ args:
+ - --hook-config=--retry-once-with-cleanup=true
+ exclude: examples\/
 - id: terraform_tflint
 alias: terraform_tflint_nocreds
+ exclude: examples\/
 name: terraform_tflint_nocreds
- - id: terraform_tfsec
- - repo: local
- hooks:
- - id: terraform_validate
- name: terraform_validate
- entry: |
- bash -c '
- AWS_DEFAULT_REGION=us-east-1
- declare -a DIRS
- for FILE in "$@"
- do
- DIRS+=($(dirname "$FILE"))
- done
- for DIR in $(printf "%s\n" "${DIRS[@]}" | sort -u)
- do
- cd $(dirname "$FILE")
- terraform init --backend=false
- terraform validate .
- cd ..
- done
- '
- language: system
- verbose: true
- files: \.tf(vars)?$
- exclude: examples
- - id: tflock
- name: provider_locks
- entry: |
- bash -c '
- AWS_DEFAULT_REGION=us-east-1
- declare -a DIRS
- for FILE in "$@"
- do
- DIRS+=($(dirname "$FILE"))
- done
- for DIR in $(printf "%s\n" "${DIRS[@]}" | sort -u)
- do
- cd $(dirname "$FILE")
- terraform providers lock -platform=windows_amd64 -platform=darwin_amd64 -platform=linux_amd64
- cd ..
- done
- '
- language: system
- verbose: true
- files: \.tf(vars)?$
- exclude: examples
+ - id: terraform_trivy
+ args:
+ - --args=--skip-dirs="**/.terraform,examples/*"
+ - id: terraform_providers_lock
 - repo: https://github.com/pre-commit/pre-commit-hooks
 rev: v4.6.0
 hooks:
+ - id: check-added-large-files
 - id: check-case-conflict
 - id: check-json
 - id: check-merge-conflict
@@ -65,6 +29,7 @@ repos:
 - id: check-yaml
 args:
 - --unsafe
+ - id: detect-private-key
 - id: end-of-file-fixer
 - id: mixed-line-ending
 args:
@@ -86,4 +51,4 @@ repos:
 - --markdown-linebreak-ext=md
 exclude: README.md
 ci:
- skip: [terraform_docs, terraform_fmt, terraform_tflint, terraform_tfsec, tflock]
+ skip: [terraform_docs, terraform_fmt, terraform_tflint, terraform_trivy, tflock]
diff --git a/.tflint.hcl b/.tflint.hcl
index 854fb92..c700b79 100644
--- a/.tflint.hcl
+++ b/.tflint.hcl
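Review bot: `terraform_providers_lock` is added with no `args`, which drops the `-platform=windows_amd64 -platform=darwin_amd64 -platform=linux_amd64` list the removed `tflock` hook enforced, so the lock file the hook writes only carries provider hashes for the platform it happens to run on, and `terraform init` on the other two platforms will rewrite it. The upstream hook takes those flags through `--args=`, so the previous cross-platform behaviour can be kept with the lines below in place of the bare `- id: terraform_providers_lock` entry.
```yaml
      - id: terraform_providers_lock
        args:
          - --args=-platform=windows_amd64
          - --args=-platform=darwin_amd64
          - --args=-platform=linux_amd64
```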
@@ -2,6 +2,12 @@ config {
 module = true
 }
 
+plugin "aws" {
+ enabled = true
+ version = "0.30.0"
+ source = "github.com/terraform-linters/tflint-ruleset-aws"
+}
+
 rule "terraform_deprecated_interpolation" {
 enabled = true
 }
diff --git a/LICENSE b/LICENSE
index 3fe5c34..9f1b0ba 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2020 Rhythmic Technologies, Inc.
+Copyright (c) 2024 Rhythmic Technologies, Inc.
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/README.md b/README.md
index e693e78..168691f 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@ Template repository for terraform modules.
 Good for any cloud and any provider.
 [![tflint](https://github.com/rhythmictech/terraform-terraform-template/workflows/tflint/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Atflint+event%3Apush+branch%3Amaster)
-[![tfsec](https://github.com/rhythmictech/terraform-terraform-template/workflows/tfsec/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Atfsec+event%3Apush+branch%3Amaster)
+[![trivy](https://github.com/rhythmictech/terraform-terraform-template/workflows/trivy/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Atrivy+event%3Apush+branch%3Amaster)
 [![yamllint](https://github.com/rhythmictech/terraform-terraform-template/workflows/yamllint/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Ayamllint+event%3Apush+branch%3Amaster)
 [![misspell](https://github.com/rhythmictech/terraform-terraform-template/workflows/misspell/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Amisspell+event%3Apush+branch%3Amaster)
 [![pre-commit-check](https://github.com/rhythmictech/terraform-terraform-template/workflows/pre-commit-check/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Apre-commit-check+event%3Apush+branch%3Amaster)
@@ -32,7 +32,7 @@ No providers.
 | Name | Source | Version |
 |------|--------|---------|
-| [tags](#module\_tags) | rhythmictech/tags/terraform | ~> 1.1.0 |
+| [tags](#module\_tags) | rhythmictech/tags/terraform | ~> 1.1 |
 ## Resources
diff --git a/bin/install-macos.sh b/bin/install-macos.sh
index 3800165..349bb9d 100755
--- a/bin/install-macos.sh
+++ b/bin/install-macos.sh
@@ -2,9 +2,8 @@
 echo 'installing brew packages'
 brew update
-brew tap liamg/tfsec
-brew install tfenv tflint terraform-docs pre-commit liamg/tfsec/tfsec coreutils
-brew upgrade tfenv tflint terraform-docs pre-commit liamg/tfsec/tfsec coreutils
+brew install tfenv tflint terraform-docs aquasecurity/trivy/trivy pre-commit coreutils
+brew upgrade tfenv tflint terraform-docs aquasecurity/trivy/trivy pre-commit coreutils
 echo 'installing pre-commit hooks'
 pre-commit install
diff --git a/bin/install-ubuntu.sh b/bin/install-ubuntu.sh
index 670d0b9..5c3e343 100755
--- a/bin/install-ubuntu.sh
+++ b/bin/install-ubuntu.sh
@@ -30,3 +30,6 @@ pre-commit init-templatedir ~/.git-template
 echo 'installing terraform with tfenv'
 tfenv install
+
+wget https://github.com/aquasecurity/trivy/releases/download/v0.49.1/trivy_0.54.1_Linux-64bit.deb
+sudo dpkg -i trivy_0.54.1_Linux-64bit.deb
From 81c87945ddb87b9a6e91af2bb39a18a4fef70b42 Mon Sep 17 00:00:00 2001
From: Cris Daniluk
Date: Mon, 26 Aug 2024 15:11:05 -0400
Subject: [PATCH 2/9] fix trivy

---
 bin/install-ubuntu.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bin/install-ubuntu.sh b/bin/install-ubuntu.sh
index 5c3e343..c54f20c 100755
--- a/bin/install-ubuntu.sh
+++ b/bin/install-ubuntu.sh
@@ -31,5 +31,5 @@ pre-commit init-templatedir ~/.git-template
 echo 'installing terraform with tfenv'
 tfenv install
 
-wget https://github.com/aquasecurity/trivy/releases/download/v0.49.1/trivy_0.54.1_Linux-64bit.deb
+wget https://github.com/aquasecurity/trivy/releases/download/v0.54.1/trivy_0.54.1_Linux-64bit.deb
 sudo dpkg -i trivy_0.54.1_Linux-64bit.deb
From ae888d1a3b2e90ce74038c34f1f36ebb48281ccf Mon Sep 17 00:00:00 2001
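Review bot: The trivy `.deb` is fetched with `wget` and handed straight to `sudo dpkg -i` with no integrity check, so a truncated, substituted or otherwise tampered download is installed as root on every runner that executes this script (the trivy and pull-request workflows both call it); verifying the file against the SHA-256 published with the release before `dpkg` closes that gap. The version is also spelled twice in the URL (tag path and file name), which is what lets the `v0.49.1`/`0.54.1` pair in this hunk drift; deriving both from one variable removes the duplication. The enclosing script starts outside the hunk, so whether `set -e` is in effect for a failed `wget` cannot be seen here and should be confirmed.
```sh
TRIVY_VERSION="0.54.1"
TRIVY_DEB="trivy_${TRIVY_VERSION}_Linux-64bit.deb"
# Placeholder: copy the digest for this file from the trivy release's checksum list.
TRIVY_SHA256="<EXPECTED_SHA256_FROM_RELEASE>"
wget "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/${TRIVY_DEB}"
echo "${TRIVY_SHA256}  ${TRIVY_DEB}" | sha256sum -c -
sudo dpkg -i "${TRIVY_DEB}"
```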
From: Cris Daniluk
Date: Mon, 26 Aug 2024 15:29:21 -0400
Subject: [PATCH 3/9] update check

---
 .github/workflows/pullRequest.yaml | 2 +-
 .pre-commit-config.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/pullRequest.yaml b/.github/workflows/pullRequest.yaml
index b5c558d..101b621 100644
--- a/.github/workflows/pullRequest.yaml
+++ b/.github/workflows/pullRequest.yaml
@@ -41,7 +41,7 @@ jobs:
 filter_mode: added
 flags: --module
 level: error
- tfsec:
+ trivy:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 39a8a97..5ba19b5 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -51,4 +51,4 @@ repos:
 - --markdown-linebreak-ext=md
 exclude: README.md
 ci:
- skip: [terraform_docs, terraform_fmt, terraform_tflint, terraform_trivy, tflock]
+ skip: [terraform_docs, terraform_fmt, terraform_tflint, terraform_trivy, terraform_providers_lock]
From 0c081f42521f384f18c5426e80316d53cad02f00 Mon Sep 17 00:00:00 2001
From: Cris Daniluk
Date: Mon, 26 Aug 2024 15:53:06 -0400
Subject: [PATCH 4/9] update check

---
 .gitignore | 2 --
 .pre-commit-config.yaml | 2 +-
 .terraform-version | 2 +-
 bin/install-ubuntu.sh | 2 +-
 4 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/.gitignore b/.gitignore
index 74c83e8..371d818 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,5 +13,3 @@
 # temp folders
 tmp
-
-.terraform.lock.hcl
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 5ba19b5..4c1c12d 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,7 +1,7 @@
 exclude: ".terraform"
 repos:
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.92.1
+ rev: v1.92.2
 hooks:
 - id: terraform_docs
 always_run: true
diff --git a/.terraform-version b/.terraform-version
index 4f20ea7..5a13b33 100644
--- a/.terraform-version
+++ b/.terraform-version
@@ -1 +1 @@
-latest:^1.1
+latest:^1.6
diff --git a/bin/install-ubuntu.sh b/bin/install-ubuntu.sh
index c54f20c..331e45b 100755
--- a/bin/install-ubuntu.sh
+++ b/bin/install-ubuntu.sh
@@ -7,7 +7,7 @@ pip3 install pre-commit
 # terraform docs
 mkdir tmp
 cd tmp
-curl -Lo ./terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-$(uname)-amd64.tar.gz
+curl -Lo ./terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.18.0/terraform-docs-v0.18.0-$(uname)-amd64.tar.gz
 tar -xzf terraform-docs.tar.gz
 chmod +x terraform-docs
 sudo mv terraform-docs /usr/bin/
From 4b3da7e19483e050a8ad3fd4c2716485f81a3d43 Mon Sep 17 00:00:00 2001
From: Cris Daniluk
Date: Mon, 26 Aug 2024 16:43:19 -0400
Subject: [PATCH 5/9] update check

---
 .pre-commit-config.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 4c1c12d..547aa61 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,7 +1,7 @@
 exclude: ".terraform"
 repos:
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.92.2
+ rev: v1.92.0
 hooks:
 - id: terraform_docs
 always_run: true
@@ -9,10 +9,10 @@ repos:
 - id: terraform_validate
 args:
 - --hook-config=--retry-once-with-cleanup=true
- exclude: examples\/
+ exclude: ^examples
 - id: terraform_tflint
 alias: terraform_tflint_nocreds
- exclude: examples\/
+ exclude: ^examples
 name: terraform_tflint_nocreds
 - id: terraform_trivy
 args:
From f22acf7cf4d3de3c639593de83410c3cde92c192 Mon Sep 17 00:00:00 2001
From: Cris Daniluk
Date: Mon, 26 Aug 2024 16:58:18 -0400
Subject: [PATCH 6/9] update check

---
 .pre-commit-config.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 547aa61..f209b71 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,7 +1,7 @@
 exclude: ".terraform"
 repos:
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.92.0
+ rev: v1.92.2
 hooks:
 - id: terraform_docs
 always_run: true
@@ -51,4 +51,4 @@ repos:
 - --markdown-linebreak-ext=md
 exclude: README.md
 ci:
- skip: [terraform_docs, terraform_fmt, terraform_tflint, terraform_trivy, terraform_providers_lock]
+ skip: [terraform_docs, terraform_fmt, terraform_validate, terraform_tflint, terraform_trivy, terraform_providers_lock]
From 6dab6294e9d858597fbeac3a2f4c5e886d159cb5 Mon Sep 17 00:00:00 2001
From: Steven B
Date: Mon, 26 Aug 2024 18:27:58 -0400
Subject: [PATCH 7/9] Create terraform.yaml

---
 .github/workflows/terraform.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 .github/workflows/terraform.yaml

diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml
new file mode 100644
index 0000000..1584401
--- /dev/null
+++ b/.github/workflows/terraform.yaml
@@ -0,0 +1,17 @@
+---
+name: tflint
+on:
+ push:
+
+jobs:
+ tflint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Install prerequisites
+ run: ./bin/install-ubuntu.sh
+ - name: Terraform init
+ run: terraform init --backend=false
+ - name: actions-terraform-composite
+ uses: rhythmictech/actions-terraform-composite@master
+
From b00e548cc939541c94032692e9533074a3ef800a Mon Sep 17 00:00:00 2001
From: Steven B
Date: Mon, 26 Aug 2024 18:31:02 -0400
Subject: [PATCH 8/9] Update terraform.yaml

---
 .github/workflows/terraform.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml
index 1584401..7bae18b 100644
--- a/.github/workflows/terraform.yaml
+++ b/.github/workflows/terraform.yaml
@@ -1,5 +1,5 @@
 ---
-name: tflint
+name: Terraform Composite Action
 on:
 push:
 
From 0071d9467e5343f59ff6df91054f7d1b212dcee1 Mon Sep 17 00:00:00 2001
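Review bot: `uses: rhythmictech/actions-terraform-composite@master` executes a floating branch of a third-party composite action, and with `on: push:` carrying no branch filter it does so on every push to every branch, so any change to that branch lands in this repository's CI unreviewed; pin it to a commit SHA with the release tag in a trailing comment, e.g. `uses: rhythmictech/actions-terraform-composite@<COMMIT_SHA>  # <TAG>`. `actions/checkout@v2` is an old major of that action, and the pullRequest and trivy workflows in this series carry the same pin, so bumping them together is worth a follow-up. The file ends with an extra empty line (the final `+` line), which the repository's own `end-of-file-fixer` hook will strip on its next run, so dropping it now avoids a spurious pre-commit failure.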
From: Steven B
Date: Mon, 26 Aug 2024 18:32:48 -0400
Subject: [PATCH 9/9] Update terraform.yaml

---
 .github/workflows/terraform.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml
index 7bae18b..a2df833 100644
--- a/.github/workflows/terraform.yaml
+++ b/.github/workflows/terraform.yaml
@@ -4,7 +4,7 @@ on:
 push:
 jobs:
- tflint:
+ terraform-composite:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2