From d392cb93bc33e9dac1a92a7c2fd351cb4e74c19e Mon Sep 17 00:00:00 2001
From: Ronaldo Macapobre
Date: Tue, 20 Aug 2024 20:12:26 +0000
Subject: [PATCH 1/8] Added tfsec step
---
 .github/workflows/aws-template-terraform.yml | 16 +++++++++--
 .github/workflows/deploy-infra-dev.yml | 28 ++++++++++++++++----
 2 files changed, 37 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/aws-template-terraform.yml b/.github/workflows/aws-template-terraform.yml
index a66e1708..3a173b92 100644
--- a/.github/workflows/aws-template-terraform.yml
+++ b/.github/workflows/aws-template-terraform.yml
@@ -1,4 +1,4 @@
-name: AWS Bootstrap Workflow
+name: AWS Template Workflow
 on:
 workflow_call:
@@ -52,6 +52,18 @@ jobs:
 done < files.txt
 echo "infra_changed=$infra_changed" >> "$GITHUB_OUTPUT"
+ scan:
+ name: Scan TF Code
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - name: Run tfsec
+ uses: aquasecurity/tfsec-action
+ with:
+ working_directory: ${{ inputs.CONTEXT_FOLDER }}
+ needs: [check_changes]
+
 deploy_infra:
 name: Deploy Infra
 runs-on: ubuntu-latest
@@ -62,7 +74,7 @@ jobs:
 TF_VAR_environment: ${{ vars.ENVIRONMENT_NAME }}
 TF_VAR_kms_key_name: ${{ vars.KMS_KEY_NAME }}
 TF_VAR_vpc_id: ${{ vars.VPC_ID }}
- needs: [check_changes]
+ needs: [scan]
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
diff --git a/.github/workflows/deploy-infra-dev.yml b/.github/workflows/deploy-infra-dev.yml
index c8b37f00..12b83779 100644
--- a/.github/workflows/deploy-infra-dev.yml
+++ b/.github/workflows/deploy-infra-dev.yml
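Review bot: `uses: aquasecurity/tfsec-action` in the new `scan` job carries no `@ref`, which GitHub Actions rejects for a repository action, so the workflow does not start until PATCH 6/8 adds `@v1.0.3` and PATCH 8/8 pins a commit SHA. Pin it from the outset, `uses: aquasecurity/tfsec-action@<commit-sha>  # <version>`, so the scanner that gates `deploy_infra` (via the `needs: [scan]` change in the next hunk) cannot change under a moving tag. The job also lists `needs: [check_changes]` after `steps:`; placing `needs:` next to `runs-on:` as `deploy_infra` does keeps the dependency visible. Whether `scan` honours the `infra_changed` output of `check_changes` cannot be seen here; the job has no `if:` in this hunk, so presumably it runs on every call.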
@@ -1,14 +1,32 @@
-name: Deploy AWS Infra to Dev
+name: Publish Infra
 on:
+ # PR targeting master is created or new commits are pushed
+ push:
+ branches:
+ - master
+ paths:
+ - "infra/**"
+
+ # Manual trigger via GH Actions UI
 workflow_dispatch:
+ inputs:
+ environment:
+ description: "Select target environment"
+ required: true
+ default: "dev"
+ type: choice
+ options:
+ - dev
+ - test
+ - prod
 jobs:
- infrastructure_deploy_dev:
+ deploy:
 uses: ./.github/workflows/aws-template-terraform.yml
 with:
- CONTEXT_FOLDER: ./infrastructure/cloud/environments/dev
- CHANGE_FOLDER_NAME: environments/dev
- ENVIRONMENT_NAME: dev
+ CONTEXT_FOLDER: "./infrastructure/cloud/environments/${{ inputs.environment }}"
+ CHANGE_FOLDER_NAME: environments/${{ inputs.environment }}
+ ENVIRONMENT_NAME: ${{ inputs.environment }}
 TEST_BUCKET_NAME: jasper-test-bucket
 secrets: inherit
From bc064da83fcf45424895388d2af4ff9f6378798a Mon Sep 17 00:00:00 2001
From: Ronaldo Macapobre
Date: Tue, 20 Aug 2024 20:13:25 +0000
Subject: [PATCH 2/8] Renamed path from infra to infrastructure
---
 .github/workflows/deploy-infra-dev.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/deploy-infra-dev.yml b/.github/workflows/deploy-infra-dev.yml
index 12b83779..37eb0d9b 100644
--- a/.github/workflows/deploy-infra-dev.yml
+++ b/.github/workflows/deploy-infra-dev.yml
@@ -6,7 +6,7 @@ on:
 branches:
 - master
 paths:
- - "infra/**"
+ - "infrastructure/**"
 # Manual trigger via GH Actions UI
 workflow_dispatch:
From 50ab0bff11d4fb61c40535205836218c085a25be Mon Sep 17 00:00:00 2001
From: Ronaldo Macapobre
Date: Tue, 20 Aug 2024 20:40:02 +0000
Subject: [PATCH 3/8] Removed string interpolation
---
 .github/workflows/deploy-infra-dev.yml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/deploy-infra-dev.yml b/.github/workflows/deploy-infra-dev.yml
index 37eb0d9b..fac39787 100644
--- a/.github/workflows/deploy-infra-dev.yml
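Review bot: On the new `push` trigger the `inputs` context is empty, so `CONTEXT_FOLDER: "./infrastructure/cloud/environments/${{ inputs.environment }}"`, `CHANGE_FOLDER_NAME` and `ENVIRONMENT_NAME` expand with a blank environment on every push to master; `default: "dev"` applies only to `workflow_dispatch`. Fall back explicitly, e.g. `ENVIRONMENT_NAME: ${{ inputs.environment || 'dev' }}` (and the same for the two path inputs), or drop `push` from this file. The comment `# PR targeting master is created or new commits are pushed` describes a `pull_request` trigger, but the event declared is `push`; `# Push to master that touches infrastructure files` matches what is configured. Offering `prod` as a dispatch choice makes whatever `environment:` protection the reusable workflow sets (not visible here) the only guard on a production deploy from this form. The same blank-expansion issue recurs in the @@ -1,14 +1,32 @@ hunk of PATCH 7/8.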
+++ b/.github/workflows/deploy-infra-dev.yml
@@ -25,8 +25,12 @@ jobs:
 deploy:
 uses: ./.github/workflows/aws-template-terraform.yml
 with:
- CONTEXT_FOLDER: "./infrastructure/cloud/environments/${{ inputs.environment }}"
- CHANGE_FOLDER_NAME: environments/${{ inputs.environment }}
- ENVIRONMENT_NAME: ${{ inputs.environment }}
+ # CONTEXT_FOLDER: "./infrastructure/cloud/environments/${{ inputs.environment }}"
+ # CHANGE_FOLDER_NAME: environments/${{ inputs.environment }}
+ # ENVIRONMENT_NAME: ${{ inputs.environment }}
+ # TEST_BUCKET_NAME: jasper-test-bucket
+ CONTEXT_FOLDER: "./infrastructure/cloud/environments/dev"
+ CHANGE_FOLDER_NAME: environments/dev
+ ENVIRONMENT_NAME: dev
 TEST_BUCKET_NAME: jasper-test-bucket
 secrets: inherit
From 618d216cf18604c3381161e1234b1ded4bb664ec Mon Sep 17 00:00:00 2001
From: Ronaldo Macapobre
Date: Tue, 20 Aug 2024 20:50:17 +0000
Subject: [PATCH 4/8] Revert to previous master codebase
---
 .github/workflows/deploy-infra-dev.yml | 28 +++-----------------------
 1 file changed, 3 insertions(+), 25 deletions(-)
diff --git a/.github/workflows/deploy-infra-dev.yml b/.github/workflows/deploy-infra-dev.yml
index fac39787..c8b37f00 100644
--- a/.github/workflows/deploy-infra-dev.yml
+++ b/.github/workflows/deploy-infra-dev.yml
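Review bot: The four `# CONTEXT_FOLDER …` through `# TEST_BUCKET_NAME …` lines are commented-out code kept next to the live values (the `TEST_BUCKET_NAME` one duplicates an unchanged line); delete them rather than carry both versions, since history keeps the interpolated form. With the values hard-coded to `dev`, the `environment` input and its `prod` option (outside this hunk) still appear in the dispatch form but no longer affect what is deployed, which misleads an operator. If the aim was to survive the `push` trigger, `ENVIRONMENT_NAME: ${{ inputs.environment || 'dev' }}` keeps the manual selection working while defaulting pushes to dev.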
@@ -1,35 +1,13 @@
-name: Publish Infra
+name: Deploy AWS Infra to Dev
 on:
- # PR targeting master is created or new commits are pushed
- push:
- branches:
- - master
- paths:
- - "infrastructure/**"
-
- # Manual trigger via GH Actions UI
 workflow_dispatch:
- inputs:
- environment:
- description: "Select target environment"
- required: true
- default: "dev"
- type: choice
- options:
- - dev
- - test
- - prod
 jobs:
- deploy:
+ infrastructure_deploy_dev:
 uses: ./.github/workflows/aws-template-terraform.yml
 with:
- # CONTEXT_FOLDER: "./infrastructure/cloud/environments/${{ inputs.environment }}"
- # CHANGE_FOLDER_NAME: environments/${{ inputs.environment }}
- # ENVIRONMENT_NAME: ${{ inputs.environment }}
- # TEST_BUCKET_NAME: jasper-test-bucket
- CONTEXT_FOLDER: "./infrastructure/cloud/environments/dev"
+ CONTEXT_FOLDER: ./infrastructure/cloud/environments/dev
 CHANGE_FOLDER_NAME: environments/dev
 ENVIRONMENT_NAME: dev
 TEST_BUCKET_NAME: jasper-test-bucket
From 552145d5037fbc349cca0e236a8389aa1f7fc615 Mon Sep 17 00:00:00 2001
From: Ronaldo Macapobre
Date: Tue, 20 Aug 2024 20:55:49 +0000
Subject: [PATCH 5/8] Removed tfsec step
---
 .github/workflows/aws-template-terraform.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/aws-template-terraform.yml b/.github/workflows/aws-template-terraform.yml
index 3a173b92..0feae2c5 100644
--- a/.github/workflows/aws-template-terraform.yml
+++ b/.github/workflows/aws-template-terraform.yml
@@ -58,10 +58,10 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
- - name: Run tfsec
- uses: aquasecurity/tfsec-action
- with:
- working_directory: ${{ inputs.CONTEXT_FOLDER }}
+ # - name: Run tfsec
+ # uses: aquasecurity/tfsec-action
+ # with:
+ # working_directory: ${{ inputs.CONTEXT_FOLDER }}
 needs: [check_changes]
 deploy_infra:
From 357868e642cd143404c24da0a0ce16c815227503 Mon Sep 17 00:00:00 2001
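Review bot: Commenting out the `Run tfsec` step in the PATCH 5/8 hunk leaves `scan` as a checkout-only job while `deploy_infra` still depends on it through `needs: [scan]` (introduced in PATCH 1/8), so the deployment gate passes vacuously and no scan stands between a change and a deploy. If the scan has to be disabled temporarily, remove the `scan` job and restore `needs: [check_changes]` on `deploy_infra`, or keep the step and gate it with an explicit `if:` plus a comment saying why, rather than leaving four commented lines. The `scan` job header and the `deploy_infra` body are outside this hunk. PATCH 6/8 re-enables the step, so this state exists only between the two commits.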
From: Ronaldo Macapobre
Date: Tue, 20 Aug 2024 21:02:13 +0000
Subject: [PATCH 6/8] Enable tfsec step
---
 .github/workflows/aws-template-terraform.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/aws-template-terraform.yml b/.github/workflows/aws-template-terraform.yml
index 0feae2c5..69cd7c88 100644
--- a/.github/workflows/aws-template-terraform.yml
+++ b/.github/workflows/aws-template-terraform.yml
@@ -58,10 +58,10 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
- # - name: Run tfsec
- # uses: aquasecurity/tfsec-action
- # with:
- # working_directory: ${{ inputs.CONTEXT_FOLDER }}
+ - name: tfsec
+ uses: aquasecurity/tfsec-action@v1.0.3
+ with:
+ working_directory: ${{ inputs.CONTEXT_FOLDER }}
 needs: [check_changes]
 deploy_infra:
From e8f38e63fbdf678af4efa04577013ccd1cdcea42 Mon Sep 17 00:00:00 2001
From: Ronaldo Macapobre
Date: Tue, 20 Aug 2024 21:05:34 +0000
Subject: [PATCH 7/8] Make publish infra generic
---
 .github/workflows/deploy-infra-dev.yml | 28 +++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/deploy-infra-dev.yml b/.github/workflows/deploy-infra-dev.yml
index c8b37f00..37eb0d9b 100644
--- a/.github/workflows/deploy-infra-dev.yml
+++ b/.github/workflows/deploy-infra-dev.yml
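Review bot: `uses: aquasecurity/tfsec-action@v1.0.3` pins a mutable tag, so the scanner that gates `deploy_infra` can change without any commit to this repository; PATCH 8/8 moves to a full commit SHA, which is the right end state, but record the tag next to it as `uses: aquasecurity/tfsec-sarif-action@21ded20e8ca120cd9d3d6ab04ef746477542a608  # <tag>` so the pin stays reviewable and can be bumped by tooling. The step name changes from `Run tfsec` to `tfsec`, diverging from the verb-first `Checkout repository` in the same list; `- name: Run tfsec` keeps the naming consistent (PATCH 8/8 restores it).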
@@ -1,14 +1,32 @@
-name: Deploy AWS Infra to Dev
+name: Publish Infra
 on:
+ # PR targeting master is created or new commits are pushed
+ push:
+ branches:
+ - master
+ paths:
+ - "infrastructure/**"
+
+ # Manual trigger via GH Actions UI
 workflow_dispatch:
+ inputs:
+ environment:
+ description: "Select target environment"
+ required: true
+ default: "dev"
+ type: choice
+ options:
+ - dev
+ - test
+ - prod
 jobs:
- infrastructure_deploy_dev:
+ deploy:
 uses: ./.github/workflows/aws-template-terraform.yml
 with:
- CONTEXT_FOLDER: ./infrastructure/cloud/environments/dev
- CHANGE_FOLDER_NAME: environments/dev
- ENVIRONMENT_NAME: dev
+ CONTEXT_FOLDER: "./infrastructure/cloud/environments/${{ inputs.environment }}"
+ CHANGE_FOLDER_NAME: environments/${{ inputs.environment }}
+ ENVIRONMENT_NAME: ${{ inputs.environment }}
 TEST_BUCKET_NAME: jasper-test-bucket
 secrets: inherit
From 4a1f273c907ac8c32a0d759a321541e71259539a Mon Sep 17 00:00:00 2001
From: Ronaldo Macapobre
Date: Tue, 20 Aug 2024 21:18:04 +0000
Subject: [PATCH 8/8] Changed to tfsec sarif action
---
 .github/workflows/aws-template-terraform.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/aws-template-terraform.yml b/.github/workflows/aws-template-terraform.yml
index 69cd7c88..49feb9cc 100644
--- a/.github/workflows/aws-template-terraform.yml
+++ b/.github/workflows/aws-template-terraform.yml
@@ -58,10 +58,15 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
- - name: tfsec
- uses: aquasecurity/tfsec-action@v1.0.3
+ - name: Run tfsec
+ uses: aquasecurity/tfsec-sarif-action@21ded20e8ca120cd9d3d6ab04ef746477542a608
 with:
 working_directory: ${{ inputs.CONTEXT_FOLDER }}
+ sarif_file: tfsec.sarif
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: tfsec.sarif
 needs: [check_changes]
 deploy_infra:
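Review bot: In the PATCH 8/8 hunk the `Upload SARIF file` step runs only when `Run tfsec` succeeds, so if the scanner exits non-zero on findings (presumably its default; confirm against the action) the SARIF holding exactly those findings is never uploaded; add `if: success() || failure()` to the upload step so results reach code scanning while the job still fails and blocks `deploy_infra`. `github/codeql-action/upload-sarif@v3` also needs `security-events: write` (with `contents: read`) on the job or workflow, and no `permissions:` block is visible in this hunk, so confirm one exists in the reusable workflow; `secrets: inherit` in the callers does not grant permissions. `sarif_file: tfsec.sarif` is passed to both steps while only the scanner has `working_directory: ${{ inputs.CONTEXT_FOLDER }}`; if the scanner writes relative to that directory and the uploader reads relative to the workspace, the file is not found whenever `CONTEXT_FOLDER` is a subdirectory, so verify the two resolve the same path or use an absolute one. The commit pin `@21ded20e8ca120cd9d3d6ab04ef746477542a608` is the right choice; annotate it with the tag it tracks, `# <tag>`, so it can be reviewed and bumped.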