Merge pull request #91 from aws-ia/ephemeral_project-updates

tbulding · web-flow · commit 564b7e91235d · 2024-02-29T18:33:42.000-06:00
diff --git a/.checkov.yml b/.checkov.yml
diff --git a/.config/.checkov.yml b/.config/.checkov.yml
@@ -0,0 +1,23 @@
+download-external-modules: False
+evaluate-variables: true
+directory:
+- ./
+framework:
+- terraform
+skip-check:
+- CKV2_GCP*
+- CKV_AZURE*
+- CKV2_AZURE*
+- CKV_TF_1 # default to Terraform registry instead of Git
+- CKV_AWS_109 # the given example intentionally violates this rule
+- CKV_AWS_111 # the given example intentionally violates this rule
+- CKV_AWS_356 # the given example intentionally violates this rule
+- CKV_AWS_7 # not required for this example
+- CKV_AWS_158 # not required for this example
+- CKV_AWS_66 # not required for this example
+- CKV_AWS_338 # not required for this example
+- CKV2_AWS_31 # false alarm
+summary-position: bottom
+output: 'cli'
+compact: True
+quiet: True
diff --git a/.config/.mdlrc b/.config/.mdlrc
diff --git a/.config/.terraform-docs.yaml b/.config/.terraform-docs.yaml
diff --git a/.config/.tflint.hcl b/.config/.tflint.hcl
diff --git a/.config/.tfsec.yml b/.config/.tfsec.yml
@@ -0,0 +1,3 @@
+{
+  "minimum_severity": "MEDIUM"
+}
diff --git a/.copier-answers.yml b/.copier-answers.yml
@@ -1,6 +1,6 @@
 # This file is auto-generated, changes will be overwritten
-_commit: v0.0.6
-_src_path: /task/85181ca7-edb8-11ed-83ce-460647dd8021/projecttype
+_commit: v0.1.2
+_src_path: /task/fda2926f-d695-11ee-a46e-46fb9214c7b7/projecttype
 starting_version: v0.0.0
 version_file: VERSION
 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -10,7 +10,7 @@ repos:
     hooks:
       - id: terraform-docs-go
         args: 
-          - "--config=.terraform-docs.yaml"
+          - "--config=.config/.terraform-docs.yaml"
           - "--lockfile=false"
           - "--recursive"
           - "--recursive-path=examples/"
diff --git a/.project_automation/functional_tests/Dockerfile b/.project_automation/functional_tests/Dockerfile
@@ -10,5 +10,3 @@ RUN curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/
 RUN cd /tmp && \
     wget https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz && \
     tar -C /usr/local/bin -xzf go${GO_VERSION}.linux-amd64.tar.gz && chmod 755 /usr/local/bin/go
-
-RUN pip3 install checkov
diff --git a/.project_automation/functional_tests/entrypoint.sh b/.project_automation/functional_tests/entrypoint.sh
@@ -27,17 +27,7 @@ aws ssm get-parameter \
   --output "text" \
   --region "us-east-1" >> functional_test.tfvars
 
-#********** Checkov Analysis *************
-echo "Running Checkov Analysis on root module"
-checkov --directory . --skip-path examples --framework terraform
-
-echo "Running Checkov Analysis on terraform plan"
-terraform init
-terraform plan -out tf.plan -var-file functional_test.tfvars
-terraform show -json tf.plan  > tf.json 
-checkov 
-
-# #********** Terratest execution **********
+#********** Terratest execution **********
 echo "Running Terratest"
 export GOPROXY=https://goproxy.io,direct
 cd test
diff --git a/.project_automation/publication/entrypoint.sh b/.project_automation/publication/entrypoint.sh
@@ -18,5 +18,3 @@ else
   echo "creating new version"
   gh release create ${VERSION} --target ${BRANCH} --generate-notes
 fi
-
-
diff --git a/.project_automation/static_tests/Dockerfile b/.project_automation/static_tests/Dockerfile
@@ -20,6 +20,8 @@ RUN wget -O /tmp/tflint-ruleset-aws.zip https://github.com/terraform-linters/tfl
 
 RUN curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash
 
+RUN pip3 install checkov
+
 RUN gem install mdl
 
 ENV TERRAFORM_DOCS_VERSION=v0.16.0
diff --git a/.project_automation/static_tests/entrypoint.sh b/.project_automation/static_tests/entrypoint.sh
@@ -13,35 +13,47 @@ terraform validate
 
 #********** tflint ********************
 echo 'Starting tflint'
-tflint --init
-MYLINT=$(tflint --force)
+tflint --init --config ${PROJECT_PATH}/.config/.tflint.hcl
+MYLINT=$(tflint --force --config ${PROJECT_PATH}/.config/.tflint.hcl)
 if [ -z "$MYLINT" ]
 then
     echo "Success - tflint found no linting issues!"
 else
-    echo "Failure - tflint found linting issues!" 
+    echo "Failure - tflint found linting issues!"
     echo "$MYLINT"
     exit 1
 fi
 #********** tfsec *********************
-# tfsec will report to the console with success or Failure
-# therefore there is no need to provide such conditional stetements
 echo 'Starting tfsec'
-tfsec .
+MYTFSEC=$(tfsec . --config-file ${PROJECT_PATH}/.config/.tfsec.yml || true)
+if [[ $MYTFSEC == *"No problems detected!"* ]];
+then
+    echo "Success - tfsec found no security issues!"
+    echo "$MYTFSEC"
+else
+    echo "Failure - tfsec found security issues!"
+    echo "$MYTFSEC"
+    exit 1
+fi
+
+#********** Checkov Analysis *************
+echo "Running Checkov Analysis"
+checkov --config-file ${PROJECT_PATH}/.config/.checkov.yml
+
 #********** Markdown Lint **************
 echo 'Starting markdown lint'
-MYMDL=$(mdl .header.md || true)
+MYMDL=$(mdl --config ${PROJECT_PATH}/.config/.mdlrc .header.md examples/*/.header.md || true)
 if [ -z "$MYMDL" ]
 then
     echo "Success - markdown lint found no linting issues!"
 else
-    echo "Failure - markdown lint found linting issues!" 
+    echo "Failure - markdown lint found linting issues!"
     echo "$MYMDL"
     exit 1
 fi
 #********** Terraform Docs *************
 echo 'Starting terraform-docs'
-TDOCS="$(terraform-docs --lockfile=false ./)"
+TDOCS="$(terraform-docs --config ${PROJECT_PATH}/.config/.terraform-docs.yaml --lockfile=false ./)"
 git add -N README.md
 GDIFF="$(git diff --compact-summary)"
 if [ -z "$GDIFF" ]
@@ -52,4 +64,4 @@ else
     exit 1
 fi
 #***************************************
-echo "End of Static Tests"
+echo "End of Static Tests"
diff --git a/examples/demo_workspace/.header.md b/examples/demo_workspace/.header.md
@@ -14,7 +14,7 @@ Follow the steps below to attach the run task created from the module into a new
 
 * Change the org name in with your own Terraform Cloud org name.
 
-  ```
+  ```hcl
   terraform {
 
     cloud {
@@ -25,10 +25,11 @@ Follow the steps below to attach the run task created from the module into a new
       }
     }
     ...
-  }   
+  }
   ```
 
 * Populate the required variables, change the placeholder value below.
+
   ```bash
   echo 'tfc_org="<enter your org name here>"' >> tf.auto.tfvars
   echo 'aws_region="<enter the AWS region here>"' >> tf.auto.tfvars
@@ -37,38 +38,38 @@ Follow the steps below to attach the run task created from the module into a new
   ```
 
 * Initialize Terraform Cloud. When prompted, enter the name of the new demo workspace as you specified in the previous step.
+
   ```bash
   terraform init
   ```
 
 * Configure the AWS credentials (`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`) in Terraform Cloud, i.e. using variable sets. [Follow these instructions to learn more](https://developer.hashicorp.com/terraform/tutorials/cloud-get-started/cloud-create-variable-set).
 
-* In order to create and configure the run tasks, you also need to have Terraform Cloud token stored as Variable/Variable Sets in the workspace. Add `TFE_HOSTNAME` and `TFE_TOKEN` environment variable to the same variable set or directly on the workspace.
-![TFC Configure Variable Set](../diagram/TerraformCloud-VariableSets.png?raw=true "Configure Terraform Cloud Variable Set")
+* In order to create and configure the run tasks, you also need to have Terraform Cloud token stored as Variable/Variable Sets in the workspace. Add `TFE_HOSTNAME` and `TFE_TOKEN` environment variable to the same variable set or directly on the workspace. ![TFC Configure Variable Set](../diagram/TerraformCloud-VariableSets.png?raw=true "Configure Terraform Cloud Variable Set")
+
+* Enable the flag to attach the run task to the demo workspace.
 
- * Enable the flag to attach the run task to the demo workspace.
    ```bash
    echo 'flag_attach_runtask="true"' >> tf.auto.tfvars
    terraform apply
    ```
 
-* Navigate back to Terraform Cloud, locate the new demo workspace and confirm that the Run Task is attached to the demo workspace. 
-![TFC Run Task in Workspace](../../diagram/TerraformCloud-RunTaskWorkspace.png?raw=true "Run Task attached to the demo workspace")
-
+* Navigate back to Terraform Cloud, locate the new demo workspace and confirm that the Run Task is attached to the demo workspace. ![TFC Run Task in Workspace](../../diagram/TerraformCloud-RunTaskWorkspace.png?raw=true "Run Task attached to the demo workspace")
 
 ## Test IAM Access Analyzer using Run Task
 
 The following steps deploy simple IAM policy with invalid permissions. This should trigger the Run Task to send failure and stop the apply.
 
 * Enable the flag to deploy invalid IAM policy to the demo workspace.
+
   ```bash
   echo 'flag_deploy_invalid_resource="true"' >> tf.auto.tfvars
   ```
 
 * Run Terraform apply again
+
   ```bash
   terraform apply
   ```
 
-* Terraform apply will fail due to several errors, use the CloudWatch link to review the errors. 
-![TFC Run Task results](../../diagram/TerraformCloud-RunTaskOutput.png?raw=true "Run Task output with IAM Access Analyzer validation")
+* Terraform apply will fail due to several errors, use the CloudWatch link to review the errors. ![TFC Run Task results](../../diagram/TerraformCloud-RunTaskOutput.png?raw=true "Run Task output with IAM Access Analyzer validation")
diff --git a/examples/module_workspace/.header.md b/examples/module_workspace/.header.md
@@ -3,6 +3,7 @@
 First step is to deploy the module into dedicated Terraform Cloud workspace. The output `runtask_id` is used on other Terraform Cloud workspace to configure the runtask.
 
 * Build and package the Lambda files using the makefile. Run this command from the root directory of this repository.
+
   ```bash
   make all
   ```
@@ -15,7 +16,7 @@ First step is to deploy the module into dedicated Terraform Cloud workspace. The
 
 * Change the org name to your TFC org.
 
-  ```
+  ```hcl
   terraform {
 
     cloud {
@@ -26,10 +27,11 @@ First step is to deploy the module into dedicated Terraform Cloud workspace. The
       }
     }
     ...
-  }   
+  }
   ```
 
 * Initialize Terraform Cloud. When prompted, enter a new workspace name, i.e. `aws-ia2-infra`
+
   ```bash
   terraform init
   ```
@@ -40,9 +42,10 @@ First step is to deploy the module into dedicated Terraform Cloud workspace. The
 
 * In order to create and configure the run tasks, you also need to have Terraform Cloud token stored as Environment Variables. Add `TFE_HOSTNAME` and `TFE_TOKEN` environment variable.
 
-* Run Terraform apply 
+* Run Terraform apply
+
   ```bash
   terraform apply
   ```
 
-* Use the output value `runtask_id` when deploying the demo workspace. See example of [demo workspace here](../demo_workspace/README.md)
+* Use the output value `runtask_id` when deploying the demo workspace. See example of [demo workspace here](../demo_workspace/README.md)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+{`
	`2`	`+ "minimum_severity": "MEDIUM"`
	`3`	`+}`