Add tfsec

XenitAB · Mar 3, 2021 · b140d2f · b140d2f
1 parent 8b8d3e0
commit b140d2f
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 3 deletions.
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -58,6 +58,10 @@ RUN /usr/src/install-scripts/tflint-ruleset.sh --ruleset="aws" --version="v0.2.1
 COPY install-scripts/tfenv.sh /usr/src/install-scripts/tfenv.sh
 RUN /usr/src/install-scripts/tfenv.sh --latest-terraform-version="0.14.7" --tfenv-version="v2.2.0" --user="${USER}" --group="${GROUP}"
 
+# Install tfsec
+COPY install-scripts/tfsec.sh /usr/src/install-scripts/tfsec.sh
+RUN /usr/src/install-scripts/tfsec.sh --version="v0.39.5" --sha="60e52ef9a2b2eb5aebf74fbebfbaf0d30fa107816a8bbc2759cfe5d5c2a9021d"
+
 # Install Open Policy Agent
 COPY install-scripts/opa.sh /usr/src/install-scripts/opa.sh
 RUN /usr/src/install-scripts/opa.sh --version="v0.24.0" --sha="e40bde4cca8a5819518e3c35862bc5b6c388bc2904d412227059af29170f79e9"

diff --git a/docker/config/.tflint.hcl b/docker/config/.tflint.hcl
@@ -8,8 +8,8 @@ plugin "azurerm" {
     enabled = true
 }
 
-plugin "azurerm" {
-    enabled = aws
+plugin "aws" {
+    enabled = true
 }
 
 rule "terraform_deprecated_interpolation" {

diff --git a/docker/install-scripts/tfsec.sh b/docker/install-scripts/tfsec.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+set -e
+
+while [ $# -gt 0 ]; do
+  case "$1" in
+    --version=*)
+      VERSION="${1#*=}"
+      ;;
+    --sha=*)
+      SHA="${1#*=}"
+      ;;
+    *)
+      echo "Error: Invalid argument."
+      exit 1
+  esac
+  shift
+done
+
+
+wget https://github.com/tfsec/tfsec/releases/download/${VERSION}/tfsec-linux-amd64
+
+DOWNLOAD_SHA=$(openssl sha1 -sha256 tfsec-linux-amd64 | awk '{print $2}')
+if [[ "${SHA}" != "${DOWNLOAD_SHA}" ]]; then
+    echo "Downloaded checksum (${DOWNLOAD_SHA}) does not match expected value: ${SHA}"
+    exit 1
+fi
+
+chmod +x tfsec-linux-amd64
+mv tfsec-linux-amd64 /usr/local/bin/tfsec
diff --git a/docker/terraform.sh b/docker/terraform.sh
@@ -150,7 +150,15 @@ state_remove () {
   fi
 }
 
-
+validate () {
+  terraform init -input=false -backend-config="key=${BACKEND_KEY}" -backend-config="resource_group_name=${BACKEND_RG}" -backend-config="storage_account_name=${BACKEND_NAME}" -backend-config="container_name=${CONTAINER_NAME}" -backend-config="snapshot=true"
+  terraform workspace select ${ENVIRONMENT}
+  terraform validate
+  terraform fmt .
+  terraform fmt variables/
+  tflint --config="/home/${USER}/.tflint.d/.tflint.hcl" --var-file="variables/${ENVIRONMENT}.tfvars" --var-file="variables/common.tfvars" --var-file="../global.tfvars" .
+  tfsec .
+}
 
 envup() {
   if [ -f ${ENVIRONMENT_FILE} ]; then
@@ -183,4 +191,8 @@ case $ACTION in
   state-remove )
     state_remove
     ;;
+
+  validate )
+    validate
+    ;;
 esac