From 822e1a1f90cfc02195dd64e0923ef670cc8c165c Mon Sep 17 00:00:00 2001
From: Brandon Cruz
Date: Thu, 21 Mar 2024 17:25:36 -0400
Subject: [PATCH] Upgrade CI, trivy, remove checkov

---
 .github/ci-versions.env | 7 +++--
 .github/workflows/tf-ci.yml | 49 ++++++++++++++---------------------
 .pre-commit-config.yaml | 22 ++++++++--------
 README.md | 5 ++--
 iam-preset-poweruseraccess.tf | 2 --
 versions.tf | 3 ++-
 6 files changed, 39 insertions(+), 49 deletions(-)

diff --git a/.github/ci-versions.env b/.github/ci-versions.env
index 5902739..5c61868 100644
--- a/.github/ci-versions.env
+++ b/.github/ci-versions.env
@@ -1,4 +1,3 @@
-TERRAGRUNT_VERSION=v0.38.7
-TERRAFORM_VERSION=1.2.6
-TFSEC_VERSION=v1.27.1
-TFLINT_VERSION=v0.39.2
+TERRAFORM_VERSION=1.5.6
+TRIVY_VERSION=v1.27.1
+TFLINT_VERSION=v0.50.3
diff --git a/.github/workflows/tf-ci.yml b/.github/workflows/tf-ci.yml
index 479d86b..2c57337 100644
--- a/.github/workflows/tf-ci.yml
+++ b/.github/workflows/tf-ci.yml
@@ -29,8 +29,8 @@ jobs:
 - name: Import CI .env file
 uses: cardinalby/export-env-action@v1
 with:
- envFile: '.github/ci-versions.env'
- expand: 'true'
+ envFile: ".github/ci-versions.env"
+ expand: "true"
 
 - name: Install Terraform
 uses: hashicorp/setup-terraform@v2
@@ -56,8 +56,8 @@ jobs:
 - name: Import CI .env file
 uses: cardinalby/export-env-action@v1
 with:
- envFile: '.github/ci-versions.env'
- expand: 'true'
+ envFile: ".github/ci-versions.env"
+ expand: "true"
 
 - name: Install Terraform
 uses: hashicorp/setup-terraform@v2
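Review bot: `TRIVY_VERSION=v1.27.1` carries over the old `TFSEC_VERSION` value verbatim, and nothing in the workflow reads it — the new scan step runs `aquasecurity/trivy-action@master`, so this file no longer controls the scanner version at all. Trivy tags are numbered differently from tfsec, so confirm this is a real Trivy release before wiring it in. Either pass it through to the action (its `version` input takes the Trivy tag, e.g. `version: ${{ env.TRIVY_VERSION }}`) and pin the action ref to a tag or commit SHA instead of `master`, as the removed checkov step was pinned, or drop the variable so the file does not advertise a pin that is not enforced.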
@@ -65,30 +65,21 @@ jobs:
 terraform_wrapper: false
 terraform_version: ${{ env.TERRAFORM_VERSION }}
 
- - name: Setup tfsec
- run: |
- wget https://github.com/aquasecurity/tfsec/releases/download/${{ env.TFSEC_VERSION }}/tfsec-linux-amd64
- chmod +x tfsec-linux-amd64
- sudo mv tfsec-linux-amd64 /usr/local/bin/tfsec
-
- - name: Run tfsec
- shell: bash --noprofile --norc -exo pipefail {0}
- run: tfsec .
-
- checkov:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout repo
- uses: actions/checkout@v2
-
- - name: checkov
- id: checkov
- uses: bridgecrewio/checkov-action@c9e3e20671a02850d20e1b1dae97e34b39ff9b37
+ - name: Run Trivy vulnerability scanner in IaC mode
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: "config"
+ hide-progress: false
+ format: "sarif"
+ output: "trivy-results.sarif"
+ exit-code: "1"
+ ignore-unfixed: true
+ severity: "CRITICAL,HIGH"
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
 with:
- quiet: true
- framework: terraform
- output_format: github_failed_only # optional: the output format, one of: cli, json, junitxml, github_failed_only
- download_external_modules: true
+ sarif_file: "trivy-results.sarif"
 
 validate:
 runs-on: ubuntu-latest
@@ -99,8 +90,8 @@ jobs:
 - name: Import CI .env file
 uses: cardinalby/export-env-action@v1
 with:
- envFile: '.github/ci-versions.env'
- expand: 'true'
+ envFile: ".github/ci-versions.env"
+ expand: "true"
 
 - name: Install Terraform
 uses: hashicorp/setup-terraform@v2
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 9c2eb92..6a0882d 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
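Review bot: With `exit-code: "1"` the Trivy step fails the job on any CRITICAL/HIGH finding, and a failed step skips the following `Upload Trivy scan results to GitHub Security tab` step by default, so the SARIF never reaches the Security tab in exactly the case where it matters. Add `if: always()` to the upload step so the results are uploaded before the job is reported red. `upload-sarif` also needs `security-events: write` in the job or workflow `permissions`, which the removed checkov job did not require; that block is outside this hunk, so confirm it is present. `ignore-unfixed: true` only filters vulnerability results and has no effect on a `config` scan, so it can be dropped. The job these steps are appended to begins above the hunk.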
@@ -1,12 +1,12 @@
 repos:
-# Run terraform fmt to fix our terraform styling
-# Run terraform docs to generate documentation for our terraform code
-# Run tflint to lint our terraform code
-# Run tfsec to scan our terraform code for security problems
-- repo: git://github.com/antonbabenko/pre-commit-terraform
- rev: v1.62.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
- hooks:
- - id: terraform_fmt
- - id: terraform_docs
- - id: terraform_tflint
- - id: terraform_tfsec
+ # Run terraform fmt to fix our terraform styling
+ # Run terraform docs to generate documentation for our terraform code
+ # Run tflint to lint our terraform code
+ # Run tfsec to scan our terraform code for security problems
+ - repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.88.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+ hooks:
+ - id: terraform_fmt
+ - id: terraform_docs
+ - id: terraform_tflint
+ - id: terraform_trivy
diff --git a/README.md b/README.md
index d6d13e5..4802000 100644
--- a/README.md
+++ b/README.md
@@ -11,13 +11,14 @@ The module also supports passing in a custom IAM policy document (typically gene
 | Name | Version |
 |------|---------|
-| [aws](#requirement\_aws) | >= 3.0.0, < 5.0.0 |
+| [terraform](#requirement\_terraform) | >= 1.0.0 |
+| [aws](#requirement\_aws) | >= 5.0.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 3.0.0, < 5.0.0 |
+| [aws](#provider\_aws) | >= 5.0.0 |
 
 ## Modules
 
diff --git a/iam-preset-poweruseraccess.tf b/iam-preset-poweruseraccess.tf
index 3fc84c9..e5da19d 100644
--- a/iam-preset-poweruseraccess.tf
+++ b/iam-preset-poweruseraccess.tf
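Review bot: The header comment on the new side still reads `# Run tfsec to scan our terraform code for security problems` while the hook it describes is now `terraform_trivy`; change it to `# Run trivy to scan our terraform code for security problems` so the comment block matches the hook list beneath it. The `rev: v1.88.0` bump and the `https://` URL are consistent with the CI change, but note that the pre-commit `terraform_trivy` hook and the workflow's `trivy-action@master` are not version-locked to each other, so local and CI results can diverge.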
@@ -7,8 +7,6 @@ resource "aws_iam_role_policy_attachment" "PowerUserAccess" {
 }
 
 data "aws_iam_policy_document" "PowerUserIAMAccess" {
- # checkov:skip=CKV_AWS_109:This role is needed if using a role that needs limited IAM write access, even if it does allow permission escalation
- # checkov:skip=CKV_AWS_110:This role is needed if using a role that needs limited IAM write access, even if it does allow permission escalation
 statement {
 effect = "Allow"
 actions = [
diff --git a/versions.tf b/versions.tf
index f2b0395..fcb5bc5 100644
--- a/versions.tf
+++ b/versions.tf
@@ -2,7 +2,8 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 3.0.0, < 5.0.0"
+ version = ">= 5.0.0"
 }
 }
+ required_version = ">= 1.0.0"
 }
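Review bot: Deleting the two `checkov:skip` lines also deletes the only written rationale for why `PowerUserIAMAccess` grants IAM write actions that the removed text itself says allow permission escalation; the `actions` list carrying those permissions continues below the hunk. Keep the explanation as a plain comment, e.g. `# Intentionally grants limited IAM write access even though it permits privilege escalation; required for roles that manage IAM.`, so the accepted risk stays visible next to the statement. If Trivy flags the same statement, suppress it with Trivy's own mechanism (an inline `#trivy:ignore:<CHECK-ID>` comment or a `.trivyignore` entry, with the ID taken from the scan output) rather than leaving the exception undocumented after the tool swap.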
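Review bot: `version = ">= 5.0.0"` in versions.tf drops the upper bound the previous constraint carried (`< 5.0.0`), so consumers will silently pick up the next major provider release and its breaking changes; `version = ">= 5.0.0, < 6.0.0"` preserves the intent of the old line. The README requirements table in this commit mirrors the unbounded form and would need the same adjustment.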