chore: Add exclussion for false positive for new Checkov rule (#22)

.github/workflows/checkov.yaml → .github/workflows/checkov.yml

@@ -1,7 +1,10 @@
-name: "Checkov GitHub Action"
+name: "checkov"
+permissions: read-all
+
 on:
   pull_request:
-    branches: [test, dev, qa, prod, main]
+    branches:
+      - main
 
 jobs:
   checkov:
@@ -17,5 +20,4 @@ jobs:
         id: checkov
         uses: bridgecrewio/checkov-action@master
         with:
-          download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry
-          quiet: true # optional: display only failed checks
+          config_file: ".checkov.yaml"

.github/workflows/semantic-pr.yaml

@@ -1,4 +1,5 @@
 name: "Semantic Pull Request"
+permissions: read-all
 
 on:
   pull_request:

.github/workflows/shiftleft-terraform.yml

@@ -0,0 +1,27 @@
+---
+# This workflow integrates ShiftLeft NG SAST with GitHub
+# Visit https://docs.shiftleft.io for help
+name: shiftleft-terraform
+permissions: read-all
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  shiftleft-terraform:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@v2
+      - run: echo "REPO_NAME=${GITHUB_REPOSITORY#*/}" >> $GITHUB_ENV
+      - name: Download ShiftLeft CLI
+        run: |
+          curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+      - name: Extract branch name
+        shell: bash
+        run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+        id: extract_branch
+      - name: NextGen Static Analysis
+        run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --app ${{ env.REPO_NAME}} --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --terraform $(pwd)
+        env:
+          SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}

.github/workflows/terraform.yaml → .github/workflows/terraform.yml

@@ -1,4 +1,6 @@
 name: "terraform"
+permissions: read-all
+
 on:
   pull_request:
     branches:
@@ -10,70 +12,40 @@ env:
   tf_version: "latest"
   tf_working_dir: "."
   GOOGLE_CREDENTIALS: ${{ secrets.GOOGLE_CREDENTIALS_READ_ALL_PROJECTS }}
-  GOOGLE_PROJECT: ${{ secrets.TERRATEST_GOOGLE_PROJECT }}
-  TF_VAR_google_credentials: ${{ secrets.TERRATEST_GOOGLE_CREDENTIALS }}
-  TF_VAR_google_project: ${{ secrets.TERRATEST_GOOGLE_CREDENTIALS }}
-  TF_VAR_google_region: ${{ secrets.TERRATEST_GOOGLE_REGION }}
 jobs:
   terraform:
     name: "terraform"
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        tests:
-        - "mysql_instance_with_read_replica"
-        - "postgres_instance_with_read_replica"
     steps:
       - name: Checkout
         uses: actions/checkout@v2
         with:
           submodules: "recursive"
           token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}
-
       - name: Set up Terraform
         uses: hashicorp/setup-terraform@v1
         with:
           cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
-
       - name: Terraform Format
         id: fmt
-        run: make lint
+        run: terraform fmt
         continue-on-error: true
         env:
           GITHUB_TOKEN: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}
-
       - name: Terraform Init
         id: init
-        run: cd examples/${{ matrix.tests }}; terraform init
-
+        run: terraform init
       - name: Terraform Validate
         id: validate
-        run: cd examples/${{ matrix.tests }}; terraform validate -no-color
-
-      - name: Terraform Plan
-        id: plan
-        run: cd examples/${{ matrix.tests }}; terraform plan -no-color
-        continue-on-error: true
-
+        run: terraform validate -no-color
       - uses: actions/github-script@v4
         if: github.event_name == 'pull_request'
         with:
           github-token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}
           script: |
-            const output = `### Terraform Result 📝️ \`${{ matrix.tests }}\`
-            #### Terraform Format and Style 🖌 \`${{ steps.fmt.outcome }}\`
-            #### Terraform Initialization ⚙ ️\`${{ steps.init.outcome }}\`
-            #### Terraform Validation 🤖
-
-            \`\`\`
-            ${{ steps.validate.outputs.stdout }}
-            \`\`\`
-
-            #### Terraform Plan 📖 \`${{ steps.plan.outcome }}\`
-
-            <details><summary>Show Plan</summary>
-
-            \`\`\`terraform\n${{ steps.plan.outputs.stdout }}\`\`\`
+            const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
+            #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
+            #### Terraform Validation 🤖${{ steps.validate.outputs.stdout }}
 
             </details>
 

.github/workflows/terratest.yml

@@ -0,0 +1,51 @@
+name: terratest
+permissions: read-all
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+env:
+  TERRATEST_GOOGLE_CREDENTIALS: ${{ secrets.TERRATEST_GOOGLE_CREDENTIALS }}
+  GOOGLE_PROJECT: ${{ secrets.TERRATEST_GOOGLE_PROJECT }}
+  GCP_SA_EMAIL: ${{ secrets.TERRATEST_GCP_SA_EMAIL }}
+  TF_VAR_google_project: ${{ secrets.TERRATEST_GOOGLE_PROJECT }}
+  TF_VAR_google_credentials: ${{ secrets.TERRATEST_GOOGLE_CREDENTIALS }}
+  TF_VAR_shared_vpc_host_google_credentials: ${{ secrets.TERRATEST_GOOGLE_CREDENTIALS }}
+jobs:
+  terratest:
+    name: terratest
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
+        with:
+          submodules: true
+      - name: Set up Go (1.17)
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.17
+        id: go
+      - name: Login to Google Cloud
+        uses: google-github-actions/auth@v0
+        with:
+          credentials_json: ${{ env.TERRATEST_GOOGLE_CREDENTIALS }}
+
+      - name: Set Google Cloud project
+        run: gcloud config set project $GOOGLE_PROJECT
+      - name: Run terratest
+        run: |
+          make tests
+      - name: Release
+        if: github.event_name == 'push'
+        uses: cycjimmy/semantic-release-action@v2
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          extra_plugins: |
+            @semantic-release/git@10.0.1
+            @semantic-release/exec@6.0.3
+            @semantic-release/changelog@6.0.1

.pre-commit-config.yaml

@@ -6,14 +6,14 @@
 
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.3.0 # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
+    rev: v4.4.0 # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
     hooks:
       - id: trailing-whitespace
       - id: end-of-file-fixer
       - id: check-yaml
       - id: check-added-large-files
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.75.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+    rev: v1.77.1 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
     hooks:
       - id: terraform_fmt
       - id: terraform_docs

examples/create_mysql_instance_with_private_ip/README.md

@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_random"></a> [random](#provider\_random) | 3.4.3 |
+| <a name="provider_random"></a> [random](#provider\_random) | n/a |
 
 ## Modules
 

examples/create_mysql_instance_with_public_ip/README.md

@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_random"></a> [random](#provider\_random) | 3.4.3 |
+| <a name="provider_random"></a> [random](#provider\_random) | n/a |
 
 ## Modules
 

examples/mysql_instance_with_read_replica/README.md

@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_random"></a> [random](#provider\_random) | 3.4.3 |
+| <a name="provider_random"></a> [random](#provider\_random) | n/a |
 
 ## Modules
 

examples/postgres_instance_with_read_replica/README.md

@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_random"></a> [random](#provider\_random) | 3.4.3 |
+| <a name="provider_random"></a> [random](#provider\_random) | n/a |
 
 ## Modules
 

modules/google_compute_global_address/README.md

@@ -9,7 +9,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | 4.16.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 4.55.0 |
 
 ## Modules
 

modules/google_compute_network/README.md

@@ -9,7 +9,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | 4.16.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 4.55.0 |
 
 ## Modules
 

modules/google_compute_network/main.tf

@@ -8,6 +8,9 @@ terraform {
 }
 
 resource "google_compute_network" "vpc_network" {
+  # This is a component module - these setting will be overridden from the embedding module/repo.
+  #checkov:skip=CKV2_GCP_18:Ensure GCP network defines a firewall and does not use the default firewall
+
   name        = var.name
   description = var.description
 

modules/google_service_networking_connection/README.md

@@ -9,7 +9,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | 4.16.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 4.55.0 |
 
 ## Modules
 

modules/google_sql_database/README.md

@@ -9,7 +9,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | 4.16.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 4.55.0 |
 
 ## Modules
 

modules/google_sql_database_instance/README.md

@@ -9,7 +9,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | 4.16.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 4.55.0 |
 
 ## Modules