From 15d3ae24dfce554b793f3385a4058dac83869475 Mon Sep 17 00:00:00 2001
From: Gabriel Martinez
Date: Thu, 10 Feb 2022 16:02:58 +0000
Subject: [PATCH 1/4] Update actions
---
.github/workflows/main.yml | 74 -----------------------
.github/workflows/terraform-checks.yml | 77 ++++++++++++++++++++++++
.github/workflows/terraform-security.yml | 27 +++++++++
.pre-commit-config.yaml | 20 +++---
4 files changed, 116 insertions(+), 82 deletions(-)
delete mode 100644 .github/workflows/main.yml
create mode 100644 .github/workflows/terraform-checks.yml
create mode 100644 .github/workflows/terraform-security.yml
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
deleted file mode 100644
index 2371030..0000000
--- a/.github/workflows/main.yml
+++ /dev/null
@@ -1,74 +0,0 @@ -name: Terraform Check - -on: - push: - branches: - - main - pull_request: - branches: - - main - -permissions: read-all - -defaults: - run: - shell: sh - -jobs: - - validate: - name: Validate - runs-on: ubuntu-latest - container: hashicorp/terraform:light - steps: - - name: Checkout - uses: actions/checkout@v2 - - name: Validate - run: find ./modules/ -maxdepth 1 -mindepth 1 - -exec terraform init {} \; - -exec terraform validate {} \; - - format: - name: Format - runs-on: ubuntu-latest - container: hashicorp/terraform:light - steps: - - name: Checkout - uses: actions/checkout@v2 - - name: Format - run: terraform fmt -check -diff -recursive - - lint: - name: Lint - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2 - - name: Setup - uses: terraform-linters/setup-tflint@v1.1.0 - - name: Show version - run: tflint --version - - name: Run - run: > - find ./modules/ -maxdepth 1 -mindepth 1 - -exec tflint {} --loglevel=info \; - - security: - name: Security - runs-on: ubuntu-latest - permissions: - checks: write - contents: read - security-events: write - statuses: write - steps: - - name: Checkout - uses: actions/checkout@v2 - - name: tfsec - uses: tfsec/tfsec-sarif-action@master - with: - sarif_file: tfsec.sarif - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 - with: - sarif_file: tfsec.sarif diff --git a/.github/workflows/terraform-checks.yml b/.github/workflows/terraform-checks.yml new file mode 100644 index 0000000..7aa0f49 --- /dev/null +++ b/.github/workflows/terraform-checks.yml 
@@ -0,0 +1,77 @@ +name: Terraform Check + +on: + pull_request: + branches: + - main + +env: + TERRAFORM_DOCS_VERSION: v0.16.0 + +jobs: + collectInputs: + name: Collect workflow inputs + runs-on: ubuntu-latest + outputs: + directories: ${{ steps.dirs.outputs.directories }} + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Get root directories + id: dirs + uses: clowdhaus/terraform-composite-actions/directories@v1.3.0 + + preCommitMinVersions: + name: Min TF pre-commit + needs: collectInputs + runs-on: ubuntu-latest + strategy: + matrix: + directory: ${{ fromJson(needs.collectInputs.outputs.directories) }} + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Terraform min/max versions + id: minMax + uses: clowdhaus/terraform-min-max@v1.0.3 + with: + directory: ${{ matrix.directory }} + + - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }} + # Run only validate pre-commit check on min version supported + if: ${{ matrix.directory != '.' }} + uses: clowdhaus/terraform-composite-actions/pre-commit@v1.3.0 + with: + terraform-version: ${{ steps.minMax.outputs.minVersion }} + args: 'terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*' + + - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }} + # Run only validate pre-commit check on min version supported + if: ${{ matrix.directory == '.' 
}} + uses: clowdhaus/terraform-composite-actions/pre-commit@v1.3.0 + with: + terraform-version: ${{ steps.minMax.outputs.minVersion }} + args: 'terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)' + + preCommitMaxVersion: + name: Max TF pre-commit + runs-on: ubuntu-latest + needs: collectInputs + steps: + - name: Checkout + uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{github.event.pull_request.head.repo.full_name}} + + - name: Terraform min/max versions + id: minMax + uses: clowdhaus/terraform-min-max@v1.0.3 + + - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }} + uses: clowdhaus/terraform-composite-actions/pre-commit@v1.3.0 + with: + terraform-version: ${{ steps.minMax.outputs.maxVersion }} + terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }} diff --git a/.github/workflows/terraform-security.yml b/.github/workflows/terraform-security.yml new file mode 100644 index 0000000..f200856 --- /dev/null +++ b/.github/workflows/terraform-security.yml @@ -0,0 +1,27 @@ +name: Terraform Security + +on: + pull_request: + branches: + - main + +jobs: + security: + name: Security + runs-on: ubuntu-latest + permissions: + checks: write + contents: read + security-events: write + statuses: write + steps: + - name: Checkout + uses: actions/checkout@v2 + - name: tfsec + uses: tfsec/tfsec-sarif-action@master + with: + sarif_file: tfsec.sarif + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: tfsec.sarif diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 6beab84..e90ecc3 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
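Review bot: The new terraform-checks.yml declares no `permissions:` block, whereas the deleted main.yml had a top-level `permissions: read-all`, so every job here — including `preCommitMaxVersion`, which checks out `github.event.pull_request.head.ref` from `github.event.pull_request.head.repo.full_name` — now runs with whatever default GITHUB_TOKEN scope the repository is configured with. Add `permissions:` / `  contents: read` at workflow level directly after `name: Terraform Check` and widen it per job only where a step demonstrably needs more. The actions are also referenced by mutable tags (`actions/checkout@v2`, `clowdhaus/terraform-composite-actions/pre-commit@v1.3.0`, `clowdhaus/terraform-min-max@v1.0.3`, `clowdhaus/terraform-composite-actions/directories@v1.3.0`); pinning each to a full commit SHA with the tag in a trailing comment keeps the tooling reproducible if a tag is moved, and the same applies to the two actions in the terraform-security.yml hunk that follows.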
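Review bot: `tfsec/tfsec-sarif-action@master` is a floating branch reference inside a job that holds `security-events: write`, `checks: write` and `statuses: write`, so whatever that branch contains at run time executes with those scopes; pin it to a release tag or, preferably, a full commit SHA with the tag noted in a comment. The trigger has also narrowed from the old workflow's `push` plus `pull_request` on `main` to `pull_request` only, and as far as I recall code scanning derives the default-branch alert state from SARIF uploaded on pushes to that branch, so the alerts for `main` would stop refreshing once this merges; keeping `push: branches: [main]` next to `pull_request` preserves that coverage. Since `terraform_tfsec` is being dropped from `.pre-commit-config.yaml` in the same patch, this workflow becomes the only tfsec run, which makes both points more consequential.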
@@ -1,10 +1,14 @@ --- repos: -- repo: git://github.com/antonbabenko/pre-commit-terraform - rev: v1.31.0 - hooks: - - id: terraform_fmt - - id: terraform_validate - - id: terraform_docs_replace - - id: terraform_tflint - - id: terraform_tfsec + - repo: https://github.com/antonbabenko/pre-commit-terraform + rev: v1.63.0 + hooks: + - id: terraform_fmt + - id: terraform_validate + - id: terraform_docs + - id: terraform_tflint + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.1.0 + hooks: + - id: check-merge-conflict + - id: end-of-file-fixer From 378f6be93ddfaabd5f30ecfba911eba3b346ade7 Mon Sep 17 00:00:00 2001 From: Gabriel Martinez Date: Thu, 10 Feb 2022 16:03:47 +0000 Subject: [PATCH 2/4] Update dependabot --- .github/dependabot.yml | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 9704244..c48f2b3 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,10 +1,21 @@ -# https://dependabot.com/docs/config-file-beta/validator/ --- version: 2 updates: - - - package-ecosystem: "github-actions" - directory: "/" + - package-ecosystem: github-actions + directory: / + open-pull-requests-limit: 5 schedule: - interval: "weekly" - day: "wednesday" + interval: monthly + day: wednesday + - package-ecosystem: terraform + directory: modules/aws-asg + open-pull-requests-limit: 5 + schedule: + interval: monthly + day: wednesday + - package-ecosystem: terraform + directory: modules/aws-asg/examples + open-pull-requests-limit: 5 + schedule: + interval: monthly + day: wednesday From 4b6ede2846090e5c0b4bccf74282d96e7fc1770d Mon Sep 17 00:00:00 2001 
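Review bot: The new `terraform` entry with `directory: modules/aws-asg/examples` points at a directory that, after patch 3 of this series renames `modules/aws-asg/examples/cga_with_vpc.tf` to `modules/aws-asg/examples/cga-with-vpc/main.tf`, no longer contains any `.tf` file; as I understand it Dependabot's terraform ecosystem reads only the configured directory and not its subdirectories, so that entry would find nothing to update. Change it to `directory: modules/aws-asg/examples/cga-with-vpc` and add one entry per example directory as more are created. Moving `github-actions` from `weekly` to `monthly` slows version bumps for the workflow actions; that tradeoff deserves a comment above the entry, and since the schedule governs version updates only, whether advisory-driven security updates apply to the `github-actions` ecosystem should be confirmed before relying on them to fill the gap.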
From: Gabriel Martinez Date: Thu, 10 Feb 2022 15:04:39 +0000 Subject: [PATCH 3/4] Remove aws provider from the module and update examples --- README.md | 4 +++- modules/aws-asg/README.md | 1 + .../examples/{ => cga-with-vpc}/README.md | 5 +++-- .../{cga_with_vpc.tf => cga-with-vpc/main.tf} | 21 ++++++++++++------- modules/aws-asg/provider.tf | 7 ------- 5 files changed, 20 insertions(+), 18 deletions(-) rename modules/aws-asg/examples/{ => cga-with-vpc}/README.md (83%) rename modules/aws-asg/examples/{cga_with_vpc.tf => cga-with-vpc/main.tf} (86%) delete mode 100644 modules/aws-asg/provider.tf diff --git a/README.md b/README.md index 102370f..5a3cdb0 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,9 @@ Check the [Product Documentation](https://campus.barracuda.com/product/cloudgena ## Misc - This repository has [pre-commit](https://github.com/antonbabenko/pre-commit-terraform) configured - - Test all the pre-commit hooks with `pre-commit run -a` + - Test all the pre-commit hooks with: + - `docker run -v $(pwd):/lint -w /lint ghcr.io/antonbabenko/pre-commit-terraform:latest run -a` + - Cleanup, in case of plugin issues: `find . -name ".terraform*" -print0 | xargs -0 rm -r` - Test github actions with [nektos/act](https://github.com/nektos/act) ## Links diff --git a/modules/aws-asg/README.md b/modules/aws-asg/README.md index ae9437c..1ac865e 100644 --- a/modules/aws-asg/README.md +++ b/modules/aws-asg/README.md @@ -79,3 +79,4 @@ No modules. | Name | Description | |------|-------------| | [Network\_Load\_Balancer\_DNS\_Name](#output\_Network\_Load\_Balancer\_DNS\_Name) | Update the CloudGen Access Proxy in the Console with this DNS name | +| [Security\_Group\_for\_Resources](#output\_Security\_Group\_for\_Resources) | Use this group to allow CloudGen Access Proxy access to internal resources | 
diff --git a/modules/aws-asg/examples/README.md b/modules/aws-asg/examples/cga-with-vpc/README.md similarity index 83% rename from modules/aws-asg/examples/README.md rename to modules/aws-asg/examples/cga-with-vpc/README.md index 8682c38..2eb5047 100644 --- a/modules/aws-asg/examples/README.md +++ b/modules/aws-asg/examples/cga-with-vpc/README.md @@ -6,8 +6,8 @@ No requirements. | Name | Version | |------|---------| -| [aws](#provider\_aws) | n/a | -| [tls](#provider\_tls) | n/a | +| [aws](#provider\_aws) | 3.74.1 | +| [tls](#provider\_tls) | 3.1.0 | ## Modules @@ -35,3 +35,4 @@ No requirements. | Name | Description | |------|-------------| | [Network\_Load\_Balancer\_DNS\_Name](#output\_Network\_Load\_Balancer\_DNS\_Name) | n/a | +| [Security\_Group\_for\_Resources](#output\_Security\_Group\_for\_Resources) | n/a | diff --git a/modules/aws-asg/examples/cga_with_vpc.tf b/modules/aws-asg/examples/cga-with-vpc/main.tf similarity index 86% rename from modules/aws-asg/examples/cga_with_vpc.tf rename to modules/aws-asg/examples/cga-with-vpc/main.tf index e28847c..4abe96f 100644 --- a/modules/aws-asg/examples/cga_with_vpc.tf +++ b/modules/aws-asg/examples/cga-with-vpc/main.tf @@ -16,6 +16,12 @@ locals { provider "aws" { region = local.aws_region + default_tags { + tags = { + Owner = "team" + Environment = "test" + } + } } # @@ -23,10 +29,11 @@ provider "aws" { # module "cloudgen-access-proxy" { - source = "git::git@github.com:barracuda-cloudgen-access/terraform-modules.git//modules/aws-asg?ref=v1.2.2" + source = "../../" # More examples # run 'rm -rf .terraform/' after changing source + # source = "git::git@github.com:barracuda-cloudgen-access/terraform-modules.git//modules/aws-asg?ref=vx.x.x" # source = "git::git@github.com:barracuda-cloudgen-access/terraform-modules.git//modules/aws-asg?ref=" # source = "../" 
@@ -51,8 +58,7 @@ module "cloudgen-access-proxy" { launch_cfg_key_pair_name = module.key_pair.key_pair_key_name tags = { - Environment = "test" - Team = "awesome" + extra_tag = "extra-value" } } @@ -68,7 +74,7 @@ output "Security_Group_for_Resources" { # SSH key for instances # -# (!) The private key will be saves in the terraform state file +# (!) The private key will be saved in the terraform state file resource "tls_private_key" "private_key" { algorithm = "RSA" } @@ -127,7 +133,7 @@ module "vpc" { manage_default_security_group = true tags = { - environment = local.application + extra_tag = "extra-value" } vpc_tags = { @@ -139,8 +145,7 @@ resource "aws_default_route_table" "default" { default_route_table_id = module.vpc.default_route_table_id tags = { - Name = "${local.application}-default" - environment = local.application - warning = "This is created by AWS for the VPC and cannot be removed" + Name = "${local.application}-default" + warning = "This is created by AWS for the VPC and cannot be removed" } } diff --git a/modules/aws-asg/provider.tf b/modules/aws-asg/provider.tf deleted file mode 100644 index 73541ff..0000000 --- a/modules/aws-asg/provider.tf +++ /dev/null @@ -1,7 +0,0 @@ -provider "aws" { - region = var.aws_region - - default_tags { - tags = local.common_tags_map - } -} From 38b62d15351531921ff718900d2421a89ffe8826 Mon Sep 17 00:00:00 2001 From: Gabriel Martinez Date: Thu, 10 Feb 2022 17:14:55 +0000 Subject: [PATCH 4/4] Fix tfsec warning --- modules/aws-asg/main.tf | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/modules/aws-asg/main.tf b/modules/aws-asg/main.tf index 1088b55..b9230cf 100644 --- a/modules/aws-asg/main.tf +++ b/modules/aws-asg/main.tf 
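Review bot: The corrected comment `# (!) The private key will be saved in the terraform state file` names the exposure but not what to do about it, and `tls_private_key` writes the key material into state unencrypted regardless of any sensitive marking. Extend it to something like `# (!) The private key is stored in plain text in the Terraform state; keep state in an encrypted, access-restricted backend, or generate the key pair outside Terraform and pass only the public key in`. How the key is consumed (the `module.key_pair.key_pair_key_name` reference in the `@@ -51,8 +58,7 @@` hunk is the only trace visible here) lies outside these hunks.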
@@ -96,14 +96,14 @@ resource "aws_security_group" "inbound" { from_port = 443 to_port = 443 protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS008 + cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr } egress { from_port = 0 to_port = 0 protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS009 + cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr } tags = { @@ -237,11 +237,17 @@ resource "aws_launch_configuration" "launch_config" { instance_type = var.launch_cfg_instance_type key_name = var.launch_cfg_key_pair_name name_prefix = "cga-proxy-${random_string.prefix.result}-" + + metadata_options { + http_tokens = "required" + } + security_groups = compact([ aws_security_group.inbound.id, aws_security_group.resources.id, local.redis_enabled ? aws_security_group.redis[0].id : "" ]) + user_data = <<-EOT #!/bin/bash %{~if var.cloudwatch_logs_enabled~}
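Review bot: The two `#tfsec:ignore:...` markers are updated to the new rule IDs but still carry no justification, so a later reader cannot tell whether `0.0.0.0/0` on the 443 ingress and on the protocol `-1` egress rule is deliberate or leftover. Keep the markers as they are and add a comment line above each `cidr_blocks` line, e.g. `# Internet-facing listener for the proxy; suppression reviewed <date placeholder>` for ingress, and for egress either record why all-protocol, all-destination egress is required or narrow it to the CIDRs/prefix lists the proxy actually reaches, which would let that ignore go away. tfsec also supports an expiry suffix on ignore markers in recent versions, which stops a suppression from silently outliving its reason and is worth using if the pinned tfsec version accepts it.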
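Review bot: `http_tokens = "required"` enforces IMDSv2 on the instances, which is the right choice, but the new `metadata_options` block has no comment saying why and nothing in the hunk confirms the metadata consumers are ready for it. Add `# Require IMDSv2 session tokens so instance-role credentials cannot be fetched with a plain GET (e.g. through an SSRF in the proxy)` above `metadata_options {`. The `user_data` heredoc that begins at the bottom of the hunk continues outside it; any metadata lookups in that script, and the CloudWatch agent gated by `var.cloudwatch_logs_enabled`, must use the token flow, and if anything on the host queries IMDS from inside a container the default hop limit of 1 will block it, in which case `http_put_response_hop_limit` is the knob to adjust rather than relaxing `http_tokens`.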