diff --git a/.github/workflows/code-scan.yml b/.github/workflows/code-scan.yml new file mode 100644 index 0000000..5a97381 --- /dev/null +++ b/.github/workflows/code-scan.yml @@ -0,0 +1,48 @@ +name: checkov-static-analysis-scan + +# Controls when the workflow will run +on: + # Triggers the workflow on push or pull request events but only for the "main" branch + push: + branches: [ "*" ] + pull_request: + branches: [ "main" ] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: +permissions: read-all +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + # This workflow contains a single job called "scan" + scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + + # The type of runner that the job will run on + runs-on: ubuntu-latest + + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, so follow-up steps can access it + - uses: actions/checkout@v3 + + - name: Checkov GitHub Action + uses: bridgecrewio/checkov-action@v12 + with: + # This will add both a CLI output to the console and create a results.sarif file + output_format: cli,sarif + output_file_path: console,results.sarif + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + + # Results are generated only on a success or failure + # this is required since GitHub by default won't run the next step + # when the previous one has failed. Security checks that do not pass will 'fail'. + # An alternative is to add `continue-on-error: true` to the previous step + # Or 'soft_fail: true' to checkov. + if: success() || failure() + with: + sarif_file: results.sarif \ No newline at end of file diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml new file mode 100644 index 0000000..da2f485 --- /dev/null +++ b/.github/workflows/terraform.yml @@ -0,0 +1,161 @@ +name: terraform-infra-provisioning + +on: + workflow_dispatch: + push: + branches: [ '*' ] + paths-ignore: + - '**/README.md' + pull_request: + branches: ["main"] + paths-ignore: + - '**/README.md' + +permissions: read-all +#-------------------------- +# +# PLEASE READ: Add a GitHub Actions variable 'INFRACOST_SCAN_TYPE' and set the value to either 'hcl_code' or 'tf_plan' depending on what type of Infracost scan desired. +# +#-------------------------- +jobs: + terraform: + name: 'continuous-integration' + runs-on: ubuntu-latest + environment: development + permissions: + contents: read + id-token: write + pull-requests: write + # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest + defaults: + run: + shell: bash + + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout + uses: actions/checkout@v3 + + - name: Configure AWS Credentials Action For GitHub Actions + uses: aws-actions/configure-aws-credentials@v1-node16 + with: + role-to-assume: ${{ secrets.IAM_ROLE }} + role-session-name: AWSSession + aws-region: us-east-2 + + - name: Setup Infracost + uses: infracost/actions/setup@v2 + if: github.event_name == 'pull_request' + # See https://github.com/infracost/actions/tree/master/setup for other inputs + # If you can't use this action, see Docker images in https://infracost.io/cicd + with: + api-key: ${{ secrets.INFRACOST_API_KEY }} + + # Checkout the base branch of the pull request (e.g. main/master). + - name: Checkout base branch + if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }} + uses: actions/checkout@v3 + with: + ref: '${{ github.event.pull_request.base.ref }}' + + # Generate Infracost JSON file as the baseline. + - name: Generate Infracost cost estimate baseline + if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }} + run: | + infracost breakdown --path=. \ + --format=json \ + --out-file=/tmp/infracost-base.json + + # Checkout the current PR branch so we can create a diff. + - name: Checkout PR branch + if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }} + uses: actions/checkout@v3 + + # Generate an Infracost diff and save it to a JSON file. + - name: Generate Infracost diff + if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }} + run: | + infracost diff --path=. \ + --format=json \ + --compare-to=/tmp/infracost-base.json \ + --out-file=/tmp/infracost.json + + # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token + - name: Setup Terraform + uses: hashicorp/setup-terraform@v1 + + # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. + - name: Terraform Init + id: init + run: terraform init + # Checks that all Terraform configuration files adhere to a canonical format + - name: Terraform Format + id: fmt + if: github.event_name == 'pull_request' + run: terraform fmt -check + # Checks that all Terraform configuration files are correctly written + - name: Terraform Validate + id: validate + if: github.event_name == 'pull_request' + run: terraform validate -no-color + # Generates an execution plan for Terraform + - name: Terraform Plan + id: plan + if: github.ref != 'refs/heads/main' || github.event_name == 'pull_request' + run: | + terraform plan -no-color -input=false -out=TFplan.JSON + continue-on-error: true + + # Generate an Infracost diff and save it to a JSON file. + - name: Generate Infracost diff + if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'tf_plan') }} + run: | + infracost diff --path=TFplan.JSON \ + --format=json \ + --out-file=/tmp/infracost.json + + - name: Post Infracost comment + if: github.event_name == 'pull_request' + run: | + infracost comment github --path=/tmp/infracost.json \ + --repo=$GITHUB_REPOSITORY \ + --github-token=${{github.token}} \ + --pull-request=${{github.event.pull_request.number}} \ + --show-skipped \ + --behavior=update + + - name: Post Terraform Plan Output + uses: actions/github-script@v6 + if: github.event_name == 'pull_request' + env: + PLAN: "terraform\n${{ steps.plan.outputs.stdout }}" + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\` + #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` + #### Terraform Plan 📖\`${{ steps.plan.outcome }}\` + #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\` + +
Show Plan + + \`\`\`\n + ${process.env.PLAN} + \`\`\` + +
+ + *Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`; + + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: output + }) + + # On push to "main", build or change infrastructure according to Terraform configuration files + # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks + - name: Terraform Apply + if: github.ref == 'refs/heads/main' + run: terraform apply -auto-approve -input=false