Add checkov to github workflows

Author: William Chrisp

.github/workflows/aws_cicd.yaml

@@ -20,12 +20,12 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v1
+        uses: hashicorp/setup-terraform@v2
         with:
           terraform_wrapper: false
 
       - name: Configure dev AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v2
         with:
           role-to-assume: arn:aws:iam::099267815798:role/github_oidc
           aws-region: ap-southeast-2
@@ -42,16 +42,23 @@ jobs:
         with:
           node-version: 18
       - name: Install cdktf
-        run: npm install --global cdktf-cli@latest
+        run: npm install --global cdktf-cli@0.15.5
 
       - name: Install pip packages
         run: make install-dependencies
 
       - name: Perform unittest
         run: make unittest
 
-      - name: Synthesize terraform configuration template
-        run: make aws-synth
+      - name: Plan terraform configuration
+        run: make aws-plan-all
+
+      - name: Checkov
+        uses: bridgecrewio/checkov-action@master
+        with:
+          directory: infrastructure/aws/cdktf.out/stacks/
+          framework: terraform_plan
+          skip_check: CKV_AWS_116,CKV_AWS_117,CKV_AWS_272
 
       - name: Dev deployment
         run: make aws-deploy-all INFRA_ARGS=--auto-approve
@@ -64,7 +71,7 @@ jobs:
 
       - name: Configure prod AWS credentials
         if: github.ref == 'refs/heads/main' && github.event_name == 'push'
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v2
         with:
           role-to-assume: arn:aws:iam::103417687554:role/github_oidc
           aws-region: ap-southeast-2

.github/workflows/gcp_cicd.yaml

@@ -20,7 +20,7 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v1
+        uses: hashicorp/setup-terraform@v2
         with:
           terraform_wrapper: false
 
@@ -43,13 +43,19 @@ jobs:
         with:
           node-version: 18
       - name: Install cdktf
-        run: npm install --global cdktf-cli@latest
+        run: npm install --global cdktf-cli@0.15.5
 
       - name: Install pip packages
         run: make install-dependencies
 
-      - name: Synthesize terraform configuration template
-        run: make gcp-synth
+      - name: Plan terraform configuration template
+        run: make gcp-plan-all
+
+      - name: Checkov
+        uses: bridgecrewio/checkov-action@master
+        with:
+          directory: infrastructure/gcp/cdktf.out/stacks/ 
+          framework: terraform_plan
 
       - name: Deploy base infrastructure
         run: make gcp-deploy-base INFRA_ARGS=--auto-approve

Makefile

@@ -64,15 +64,24 @@ aws-synth: aws-build-dependencies
 	@echo "\n\n---AWS-SYNTH---\n"
 	cd infrastructure/aws;cdktf synth
 
-aws-plan-core:
+aws-plan-core: 
 	@echo "\n\n---AWS-PLAN-CORE---\n"
 	cd infrastructure/aws;cdktf plan aws_core
 
 aws-plan-grafana:
 	@echo "\n\n---AWS-PLAN-GRAFANA---\n"
 	cd infrastructure/aws;cdktf plan aws_grafana_dashboard
 
-aws-plan-all: aws-plan-core aws-plan-grafana
+aws-plan-all: aws-build-dependencies aws-plan-core aws-plan-grafana aws-plan-convert
+
+aws-plan-convert: 
+	@echo "\n\n---Converting AWS plans file to json---\n"
+	cd infrastructure/aws/cdktf.out/stacks; \
+	find . -type f -name 'plan' -exec dirname {} \; | while read file; do \
+		cd "$$file"; \
+		terraform show -json plan > plan.json; \
+		cd -; \
+	done
 
 aws-deploy-core:
 	@echo "\n\n---AWS-DEPLOY-CORE---\n"
@@ -125,7 +134,16 @@ gcp-plan-grafana:
 	@echo "\n\n---GCP-PLAN-GRAFANA---\n"
 	cd infrastructure/gcp;cdktf plan gcp_grafana 
 
-gcp-plan-all: gcp-plan-base gcp-plan-core #gcp-plan-grafana
+gcp-plan-all: gcp-build-dependencies gcp-plan-base gcp-plan-core gcp-plan-convert
+
+gcp-plan-convert: 
+	@echo "\n\n---Converting GCP plans file to json---\n"
+	cd infrastructure/gcp/cdktf.out/stacks; \
+	find . -type f -name 'plan' -exec dirname {} \; | while read file; do \
+		cd "$$file"; \
+		terraform show -json plan > plan.json; \
+		cd -; \
+	done
 
 gcp-deploy-base:
 	@echo "\n\n---GCP-DEPLOY-BASE---\n"

Pipfile.lock

@@ -14,7 +14,8 @@ The approach to scaling a landing zone on AWS is [elaborated here](https://aws.a
 - [Flight Controller Event Catalog](https://legendary-spoon-f82c1640.pages.github.io): `docs/`
   - [README.md](docs/README.md)
 - Flight Controller Infrastructure Terraform CDK Code - `infrastructure/`
-  - [README.md](infrastructure/README.md)
+  - [AWS](infrastructure/aws/README.md)
+  - [GCP](infrastructure/gcp/README.md)
 - Flight Controller Custom Publisher Code - `publisher/`
   - [README.md](publisher/README.md)
 - Flight Controller Code - `src/`

README.md

@@ -1,6 +1,9 @@
 from constructs import Construct
 
-from cdktf_cdktf_provider_aws import dynamodb_table
+from cdktf_cdktf_provider_aws import (
+    dynamodb_table,
+    kms_key
+)
 
 
 class DynamoDBcomponent(Construct):
@@ -9,12 +12,27 @@ def __init__(self, scope: Construct, id: str, name: str):
         self.partition_key = "aggregate_id"
         self.sort_key = "event_id"
 
+        # KMS Key
+        self.key = kms_key.KmsKey(
+            self,
+            "flight_controller_core_dynamodb_key",
+            description="Flight Controller Core DynamoDB KMS Key",
+            enable_key_rotation=True,
+        )
+
         # create dynamoDB table
         self.table = dynamodb_table.DynamodbTable(
             self,
             "table",
             name=name,
             billing_mode="PAY_PER_REQUEST",
+            point_in_time_recovery={
+                "enabled": True
+            },
+            server_side_encryption={
+                "enabled": True,
+                "kms_key_arn": self.key.arn
+            },
             hash_key=self.partition_key,
             range_key=self.sort_key,
             attribute=[

infrastructure/aws/dynamo_db_component.py

@@ -16,6 +16,7 @@
     lambda_function,
     grafana_workspace,
     lambda_permission,
+    kms_key
 )
 
 
@@ -26,6 +27,7 @@ def __init__(
         id: str,
         name: str,
         grafanaWorkspace: grafana_workspace.GrafanaWorkspace,
+        dynamo_db_key: str
     ):
         super().__init__(scope, id)
 
@@ -37,6 +39,15 @@ def __init__(
             asset_hash=dirhash(Path.join(os.getcwd(), "api_key_rotation"), "md5"),
         )
 
+        # KMS Key
+
+        key = kms_key.KmsKey(
+            self,
+            "flight_controller_grafana_rotation_lambda_key",
+            description="Flight Controller Grafana Rotation Lambda KMS Key",
+            enable_key_rotation=True
+        )
+
         # CREATE roles
 
         lambda_iam_role = iam_role.IamRole(
@@ -73,6 +84,30 @@ def __init__(
                         }
                     ),
                 ),
+                iam_role.IamRoleInlinePolicy(
+                    name="AllowKMSDecrypt",
+                    policy=json.dumps(
+                        {
+                            "Version": "2012-10-17",
+                            "Statement": [
+                                {
+                                    "Action": [
+                                        "kms:Decrypt",
+                                        "kms:Encrypt",
+                                        "kms:CreateGrant",
+                                    ],
+                                    "Resource": dynamo_db_key,
+                                    "Effect": "Allow",
+                                },
+                                {
+                                    "Action": "kms:ListAliases",
+                                    "Resource": "*",
+                                    "Effect": "Allow",
+                                }
+                            ]
+                        }
+                    ),
+                )
             ],
         )
 
@@ -97,6 +132,7 @@ def __init__(
             function_name=name,
             handler="main.lambda_handler",
             runtime="python3.9",
+            kms_key_arn=key.arn,
             role=lambda_iam_role.arn,
             filename=asset.path,
         )

infrastructure/aws/grafana_lambda_with_permissions_component.py

@@ -15,6 +15,7 @@
     lambda_function,
     dynamodb_table,
     timestreamwrite_table,
+    kms_key
 )
 
 from dirhash import dirhash
@@ -28,6 +29,7 @@ def __init__(
         name: str,
         dynamoDbTable: dynamodb_table.DynamodbTable,
         timestream_table: timestreamwrite_table,
+        dynamo_db_key: str
     ):
         super().__init__(scope, id)
 
@@ -43,6 +45,15 @@ def __init__(
             asset_hash=dirhash(Path.join(os.getcwd(), "controller_core"), "md5"),
         )
 
+        # KMS Key
+
+        key = kms_key.KmsKey(
+            self,
+            "flight_controller_core_lambda_key",
+            description="Flight Controller Core Lambda KMS Key",
+            enable_key_rotation=True,
+        )
+
         # CREATE roles
 
         lambda_iam_role = iam_role.IamRole(
@@ -99,6 +110,30 @@ def __init__(
                         }
                     ),
                 ),
+                iam_role.IamRoleInlinePolicy(
+                    name="AllowKMSDecrypt",
+                    policy=json.dumps(
+                        {
+                            "Version": "2012-10-17",
+                            "Statement": [
+                                {
+                                    "Action": [
+                                        "kms:Decrypt",
+                                        "kms:Encrypt",
+                                        "kms:CreateGrant",
+                                    ],
+                                    "Resource": dynamo_db_key,
+                                    "Effect": "Allow",
+                                },
+                                {
+                                    "Action": "kms:ListAliases",
+                                    "Resource": "*",
+                                    "Effect": "Allow",
+                                }
+                            ]
+                        }
+                    ),
+                )
             ],
         )
 
@@ -109,13 +144,14 @@ def __init__(
             role=lambda_iam_role.name,
         )
 
-        # # Create lambda function from asset
+        # Create lambda function from asset
         self.lambda_func = lambda_function.LambdaFunction(
             self,
             "lambda_flight_control",
             function_name=name,
             handler="src/entrypoints/aws_lambda.lambda_handler",
             runtime="python3.9",
+            kms_key_arn=key.arn,
             role=lambda_iam_role.arn,
             filename=asset.path,
             environment=lambda_function.LambdaFunctionEnvironment(

infrastructure/aws/lambda_with_permissions_component.py

@@ -48,6 +48,7 @@ def __init__(
             self.lambda_name,
             dynamoDBcomponent.table,
             timeStreamComponent.timestream_table,
+            dynamoDBcomponent.key.arn
         )
         # create event bridge
         eventBridgeComponent = EventBridgeComponent(
@@ -61,9 +62,11 @@ def __init__(
             self.grafana_workspace_name,
         )
 
+        self.grafana_workspace_id = grafanaWorkspace.grafana_workspace.id
+
         # Create lambda function to rotate Grafana key 
         grafanaLambdaComponent = GrafanaLambdaComponent(
-            self, "grafana_function", self.grafana_lambda_name, grafanaWorkspace.grafana_workspace,
+            self, "grafana_function", self.grafana_lambda_name, grafanaWorkspace.grafana_workspace, dynamoDBcomponent.key.arn
         )
 
         # Create rotation rules to trigger every 29 days
@@ -72,7 +75,7 @@ def __init__(
         )
 
 class AwsGrafana(TerraformStack):
-    def __init__(self, scope: Construct, id: str):
+    def __init__(self, scope: Construct, id: str, workspace_id: str):
         super().__init__(scope, id)
 
         AwsProvider(self, "AWS")
@@ -82,19 +85,13 @@ def __init__(self, scope: Construct, id: str):
             "api_key",
             secret_id="flight-controller/grafana-api-key",               # Secret name stored in AWS Secrets Manager
         )
-
-        workspace_id = data_aws_secretsmanager_secret_version.DataAwsSecretsmanagerSecretVersion(
-            self,
-            "workspace_id",
-            secret_id="flight-controller/grafana-workspace-id",               # Secret name stored in AWS Secrets Manager
-        )
 
         GrafanaProvider(
             self,
             "Grafana",
             auth=api_key.secret_string,
             url="https://"
-            + workspace_id.secret_string
+            + workspace_id
             + ".grafana-workspace.ap-southeast-2.amazonaws.com/",
         )
 
@@ -109,7 +106,7 @@ def __init__(self, scope: Construct, id: str):
 
 core_stack = AwsCore(app, "aws_core")
 
-grafana_dashboard_stack = AwsGrafana(app, "aws_grafana_dashboard")
+grafana_dashboard_stack = AwsGrafana(app, "aws_grafana_dashboard", core_stack.grafana_workspace_id)
 
 account_id = boto3.client("sts").get_caller_identity()["Account"]