diff --git a/.github/workflows/checkov.yaml b/.github/workflows/checkov.yml similarity index 58% rename from .github/workflows/checkov.yaml rename to .github/workflows/checkov.yml index c0e4451..f9d1341 100644 --- a/.github/workflows/checkov.yaml +++ b/.github/workflows/checkov.yml @@ -1,7 +1,10 @@ -name: "Checkov GitHub Action" +name: "checkov" +permissions: read-all + on: pull_request: - branches: [test, dev, qa, prod, main] + branches: + - main jobs: checkov: @@ -17,5 +20,4 @@ jobs: id: checkov uses: bridgecrewio/checkov-action@master with: - download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry - quiet: true # optional: display only failed checks + config_file: ".checkov.yaml" diff --git a/.github/workflows/semantic-pr.yaml b/.github/workflows/semantic-pr.yaml index 34da00e..8b16bae 100644 --- a/.github/workflows/semantic-pr.yaml +++ b/.github/workflows/semantic-pr.yaml @@ -1,4 +1,5 @@ name: "Semantic Pull Request" +permissions: read-all on: pull_request: diff --git a/.github/workflows/shiftleft-terraform.yaml b/.github/workflows/shiftleft-terraform.yaml deleted file mode 100644 index 6eda45f..0000000 --- a/.github/workflows/shiftleft-terraform.yaml +++ /dev/null 
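Review bot: `uses: bridgecrewio/checkov-action@master` in the `@@ -17,5 +20,4 @@` hunk tracks a moving branch, so the scanner that runs against every pull request is whatever upstream `master` holds when the job starts, and a compromised or simply broken upstream commit lands here with no change to this repository. Pin it to a full-length commit SHA with the release recorded in a trailing comment (`uses: bridgecrewio/checkov-action@<full-sha> # <release tag>`) and let Dependabot or Renovate bump it. The workflow-level `permissions: read-all` added in the first hunk is also broader than a checkout-and-scan job needs; `permissions:` with `contents: read` is sufficient unless results are uploaded to code scanning, which would additionally require `security-events: write`. The `.checkov.yaml` named by `config_file` is not part of this diff, so its presence cannot be verified here; checkov would be expected to exit with an error if the configured file is absent.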
@@ -1,26 +0,0 @@ ---- -# This workflow integrates ShiftLeft NG SAST with GitHub -# Visit https://docs.shiftleft.io for help -name: shiftleft-terraform - -on: - pull_request: - workflow_dispatch: - -jobs: - shiftleft-terraform: - runs-on: ubuntu-20.04 - steps: - - uses: actions/checkout@v2 - - run: echo "REPO_NAME=${GITHUB_REPOSITORY#*/}" >> $GITHUB_ENV - - name: Download ShiftLeft CLI - run: | - curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl - - name: Extract branch name - shell: bash - run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" - id: extract_branch - - name: NextGen Static Analysis - run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --app ${{ env.REPO_NAME}} --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --terraform $(pwd) - env: - SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} diff --git a/.github/workflows/shiftleft-terraform.yml b/.github/workflows/shiftleft-terraform.yml new file mode 100644 index 0000000..9614ebc --- /dev/null +++ b/.github/workflows/shiftleft-terraform.yml 
@@ -0,0 +1,27 @@ +--- +# This workflow integrates ShiftLeft NG SAST with GitHub +# Visit https://docs.shiftleft.io for help +name: shiftleft-terraform +permissions: read-all + +on: + pull_request: + workflow_dispatch: + +jobs: + shiftleft-terraform: + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@v2 + - run: echo "REPO_NAME=${GITHUB_REPOSITORY#*/}" >> $GITHUB_ENV + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + - name: Extract branch name + shell: bash + run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" + id: extract_branch + - name: NextGen Static Analysis + run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --app ${{ env.REPO_NAME}} --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --terraform $(pwd) + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yml similarity index 55% rename from .github/workflows/terraform.yaml rename to .github/workflows/terraform.yml index a215406..153a705 100644 --- a/.github/workflows/terraform.yaml +++ b/.github/workflows/terraform.yml @@ -1,4 +1,6 @@ name: "terraform" +permissions: read-all + on: pull_request: branches: 
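Review bot: `--tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }}` in the NextGen Static Analysis step expands the pull-request head branch name into the shell command before it runs; `github.head_ref` is chosen by whoever opens the PR, and git ref names may contain `;`, `$(`, backticks and `|`, so a crafted branch name runs arbitrary commands on the runner in a job that, for branches of this repository, holds `SHIFTLEFT_ACCESS_TOKEN`. Pass the value through the step's `env:` and use it as a quoted shell variable instead of interpolating the expression. The download step also runs `curl` without `-f` and with no checksum or signature check, so an HTTP error page or a compromised download is written to `sl`, made executable and run; pin a CLI release and verify its published digest before executing it. `##[set-output name=branch;]` is the legacy workflow-command syntax and `set-output` itself is deprecated; write the value to `$GITHUB_OUTPUT` instead. Apart from `permissions: read-all` this content is identical to the deleted `shiftleft-terraform.yaml`, so these issues predate the commit but are re-landed by it.
```yaml
      # … unchanged: checkout and REPO_NAME steps …
      - name: Download ShiftLeft CLI
        run: |
          curl -fsSL "https://cdn.shiftleft.io/download/sl" -o "${GITHUB_WORKSPACE}/sl"
          # TODO: pin a CLI release and verify its published checksum/signature here before it is executed
          chmod a+rx "${GITHUB_WORKSPACE}/sl"
      - name: Extract branch name
        id: extract_branch
        run: echo "branch=${GITHUB_REF#refs/heads/}" >> "$GITHUB_OUTPUT"
      - name: NextGen Static Analysis
        env:
          # untrusted PR-controlled value: exposed as an env var, never interpolated into the script text
          BRANCH: ${{ github.head_ref || steps.extract_branch.outputs.branch }}
          SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
        run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --app "${REPO_NAME}" --tag "branch=${BRANCH}" --terraform "$(pwd)"
```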
@@ -10,70 +12,40 @@ env: tf_version: "latest" tf_working_dir: "." GOOGLE_CREDENTIALS: ${{ secrets.GOOGLE_CREDENTIALS_READ_ALL_PROJECTS }} - GOOGLE_PROJECT: ${{ secrets.TERRATEST_GOOGLE_PROJECT }} - TF_VAR_google_credentials: ${{ secrets.TERRATEST_GOOGLE_CREDENTIALS }} - TF_VAR_google_project: ${{ secrets.TERRATEST_GOOGLE_CREDENTIALS }} - TF_VAR_google_region: ${{ secrets.TERRATEST_GOOGLE_REGION }} jobs: terraform: name: "terraform" runs-on: ubuntu-latest - strategy: - matrix: - tests: - - "mysql_instance_with_read_replica" - - "postgres_instance_with_read_replica" steps: - name: Checkout uses: actions/checkout@v2 with: submodules: "recursive" token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }} - - name: Set up Terraform uses: hashicorp/setup-terraform@v1 with: cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} - - name: Terraform Format id: fmt - run: make lint + run: terraform fmt continue-on-error: true env: GITHUB_TOKEN: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }} - - name: Terraform Init id: init - run: cd examples/${{ matrix.tests }}; terraform init - + run: terraform init - name: Terraform Validate id: validate - run: cd examples/${{ matrix.tests }}; terraform validate -no-color - - - name: Terraform Plan - id: plan - run: cd examples/${{ matrix.tests }}; terraform plan -no-color - continue-on-error: true - + run: terraform validate -no-color - uses: actions/github-script@v4 if: github.event_name == 'pull_request' with: github-token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }} script: | - const output = `### Terraform Result 📝️ \`${{ matrix.tests }}\` - #### Terraform Format and Style 🖌 \`${{ steps.fmt.outcome }}\` - #### Terraform Initialization ⚙ ️\`${{ steps.init.outcome }}\` - #### Terraform Validation 🤖 - - \`\`\` - ${{ steps.validate.outputs.stdout }} - \`\`\` - - #### Terraform Plan 📖 \`${{ steps.plan.outcome }}\` - -
Show Plan - - \`\`\`terraform\n${{ steps.plan.outputs.stdout }}\`\`\` + const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\` + #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` + #### Terraform Validation 🤖${{ steps.validate.outputs.stdout }}
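Review bot: `run: terraform fmt` in the Format step rewrites files in place and exits 0 whether or not anything was unformatted, so the `steps.fmt.outcome` reported in the PR comment will be `success` whenever terraform itself runs; use `run: terraform fmt -check -recursive` so the outcome reflects the formatting state (the existing `continue-on-error: true` keeps the job going). Separately, `${{ steps.validate.outputs.stdout }}` is substituted into the `github-script` JavaScript template literal before the script executes, and `terraform validate` diagnostics quote the offending source lines, so a `.tf` file in the PR containing a backtick or `${` can break out of the literal and run arbitrary JavaScript holding `ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN`; the `permissions: read-all` added in the first hunk does not constrain a PAT. Pass the output through the step's `env:` and read it from `process.env` inside the script, as below. The rest of the `github-script` step (closing the literal and posting the comment) lies outside this hunk.
```yaml
      - uses: actions/github-script@v4
        if: github.event_name == 'pull_request'
        env:
          # PR-influenced text: handed over as data, not spliced into the script source
          VALIDATE_OUTPUT: ${{ steps.validate.outputs.stdout }}
        with:
          github-token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}
          script: |
            const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
            #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
            #### Terraform Validation 🤖
            \`\`\`
            ${process.env.VALIDATE_OUTPUT}
            \`\`\`
          # … unchanged: remainder of the script (closing the literal, createComment call) …
```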
diff --git a/.github/workflows/terratest.yaml b/.github/workflows/terratest.yaml deleted file mode 100644 index 4b08a2e..0000000 --- a/.github/workflows/terratest.yaml +++ /dev/null @@ -1,63 +0,0 @@ -name: terratest -on: - pull_request: - branches: - - main - push: - branches: - - main -env: - TERRATEST_GOOGLE_CREDENTIALS: ${{ secrets.TERRATEST_GOOGLE_CREDENTIALS }} - TERRATEST_GOOGLE_PROJECT: ${{ secrets.TERRATEST_GOOGLE_PROJECT }} - GOOGLE_CLOUD_PROJECT: ${{ secrets.TERRATEST_GOOGLE_PROJECT }} - TF_VAR_google_credentials: ${{ secrets.TERRATEST_GOOGLE_CREDENTIALS }} - TF_VAR_google_project: ${{ secrets.TERRATEST_GOOGLE_PROJECT }} - TF_VAR_google_region: ${{ secrets.TERRATEST_GOOGLE_REGION }} - TF_LOG: ${{ secrets.TF_LOG }} - -jobs: - terratest: - name: terratest - runs-on: ubuntu-20.04 - steps: - - name: Check out code into the Go module directory - uses: actions/checkout@v3 - with: - submodules: true - - - name: Set up Go (1.18) - uses: actions/setup-go@v3 - with: - go-version: 1.18 - id: go - - - id: "google-cloud-auth" - name: Google Cloud Auth - uses: "google-github-actions/auth@v0" - with: - credentials_json: "${{ env.TERRATEST_GOOGLE_CREDENTIALS }}" - - - name: Setup gcloud CLI - uses: google-github-actions/setup-gcloud@v0 - with: - version: "latest" # This is the default value anyways, just being explicit - project_id: ${{ env.TERRATEST_GOOGLE_PROJECT }} - - - name: "Use gcloud cli" - run: "gcloud info" - - - name: Run terratest - run: | - cd test - go clean -testcache - go test -v -timeout 90m - - name: Release - if: github.event_name == 'push' - uses: cycjimmy/semantic-release-action@v2 - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - extra_plugins: | - @semantic-release/git@10.0.1 - @semantic-release/exec@6.0.3 - @semantic-release/changelog@6.0.1 diff --git a/.github/workflows/terratest.yml b/.github/workflows/terratest.yml new file mode 100644 index 0000000..0c71097 --- /dev/null +++ b/.github/workflows/terratest.yml 
@@ -0,0 +1,51 @@ +name: terratest +permissions: read-all + +on: + pull_request: + branches: + - main + push: + branches: + - main +env: + TERRATEST_GOOGLE_CREDENTIALS: ${{ secrets.TERRATEST_GOOGLE_CREDENTIALS }} + GOOGLE_PROJECT: ${{ secrets.TERRATEST_GOOGLE_PROJECT }} + GCP_SA_EMAIL: ${{ secrets.TERRATEST_GCP_SA_EMAIL }} + TF_VAR_google_project: ${{ secrets.TERRATEST_GOOGLE_PROJECT }} + TF_VAR_google_credentials: ${{ secrets.TERRATEST_GOOGLE_CREDENTIALS }} + TF_VAR_shared_vpc_host_google_credentials: ${{ secrets.TERRATEST_GOOGLE_CREDENTIALS }} +jobs: + terratest: + name: terratest + runs-on: ubuntu-latest + steps: + - name: Check out code into the Go module directory + uses: actions/checkout@v2 + with: + submodules: true + - name: Set up Go (1.17) + uses: actions/setup-go@v2 + with: + go-version: 1.17 + id: go + - name: Login to Google Cloud + uses: google-github-actions/auth@v0 + with: + credentials_json: ${{ env.TERRATEST_GOOGLE_CREDENTIALS }} + + - name: Set Google Cloud project + run: gcloud config set project $GOOGLE_PROJECT + - name: Run terratest + run: | + make tests + - name: Release + if: github.event_name == 'push' + uses: cycjimmy/semantic-release-action@v2 + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + extra_plugins: | + @semantic-release/git@10.0.1 + @semantic-release/exec@6.0.3 + @semantic-release/changelog@6.0.1 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 59d700d..cd17eee 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
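Review bot: `permissions: read-all` at the top of the new file also governs the Release step, which runs `cycjimmy/semantic-release-action@v2` with `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` and the `@semantic-release/git` plugin; creating the release and pushing the changelog commit and tag need `contents: write`, so the `push` to `main` path of this job will fail with a 403 as written. Grant the write scopes at job level on `terratest` (or split the release into its own job so the test steps stay read-only); `issues: write` and `pull-requests: write` are only needed if the default `@semantic-release/github` success comments are wanted. The `credentials_json` login also relies on a long-lived service-account key kept in `TERRATEST_GOOGLE_CREDENTIALS`; `google-github-actions/auth` supports Workload Identity Federation (`workload_identity_provider` plus `service_account`, with `id-token: write`), which removes the static key entirely. This file also moves to Go 1.17 and `@v2` checkout/setup-go actions versus 1.18 and `@v3` in the deleted `terratest.yaml`; confirm that is intended, and quote `go-version: "1.17"` so a future `1.20` is not read as the float `1.2`.
```yaml
jobs:
  terratest:
    name: terratest
    runs-on: ubuntu-latest
    permissions:
      contents: write        # semantic-release: create release, push changelog commit and tag
      issues: write          # optional: @semantic-release/github success comments
      pull-requests: write   # optional: @semantic-release/github success comments
    steps:
      # … unchanged: checkout, setup-go, auth, project, terratest and release steps …
```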
@@ -6,14 +6,14 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.3.0 # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases + rev: v4.4.0 # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases hooks: - id: trailing-whitespace - id: end-of-file-fixer - id: check-yaml - id: check-added-large-files - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.75.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases + rev: v1.77.1 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases hooks: - id: terraform_fmt - id: terraform_docs diff --git a/examples/create_mysql_instance_with_private_ip/README.md b/examples/create_mysql_instance_with_private_ip/README.md index 99f542a..7dbe5ae 100644 --- a/examples/create_mysql_instance_with_private_ip/README.md +++ b/examples/create_mysql_instance_with_private_ip/README.md @@ -7,7 +7,7 @@ No requirements. | Name | Version | |------|---------| -| [random](#provider\_random) | 3.4.3 | +| [random](#provider\_random) | n/a | ## Modules diff --git a/examples/create_mysql_instance_with_public_ip/README.md b/examples/create_mysql_instance_with_public_ip/README.md index aaa8ed9..d193cd2 100644 --- a/examples/create_mysql_instance_with_public_ip/README.md +++ b/examples/create_mysql_instance_with_public_ip/README.md @@ -7,7 +7,7 @@ No requirements. | Name | Version | |------|---------| -| [random](#provider\_random) | 3.4.3 | +| [random](#provider\_random) | n/a | ## Modules diff --git a/examples/mysql_instance_with_read_replica/README.md b/examples/mysql_instance_with_read_replica/README.md index 5b47471..380bc0d 100644 --- a/examples/mysql_instance_with_read_replica/README.md +++ b/examples/mysql_instance_with_read_replica/README.md @@ -7,7 +7,7 @@ No requirements. | Name | Version | |------|---------| -| [random](#provider\_random) | 3.4.3 | +| [random](#provider\_random) | n/a | ## Modules 
diff --git a/examples/postgres_instance_with_read_replica/README.md b/examples/postgres_instance_with_read_replica/README.md index d16a663..0ad4072 100644 --- a/examples/postgres_instance_with_read_replica/README.md +++ b/examples/postgres_instance_with_read_replica/README.md @@ -7,7 +7,7 @@ No requirements. | Name | Version | |------|---------| -| [random](#provider\_random) | 3.4.3 | +| [random](#provider\_random) | n/a | ## Modules diff --git a/modules/google_compute_global_address/README.md b/modules/google_compute_global_address/README.md index 6cf644b..c350100 100644 --- a/modules/google_compute_global_address/README.md +++ b/modules/google_compute_global_address/README.md @@ -9,7 +9,7 @@ | Name | Version | |------|---------| -| [google](#provider\_google) | 4.16.0 | +| [google](#provider\_google) | 4.55.0 | ## Modules diff --git a/modules/google_compute_network/README.md b/modules/google_compute_network/README.md index efd4854..c6e12c1 100644 --- a/modules/google_compute_network/README.md +++ b/modules/google_compute_network/README.md @@ -9,7 +9,7 @@ | Name | Version | |------|---------| -| [google](#provider\_google) | 4.16.0 | +| [google](#provider\_google) | 4.55.0 | ## Modules diff --git a/modules/google_compute_network/main.tf b/modules/google_compute_network/main.tf index 08993a8..4af46a8 100644 --- a/modules/google_compute_network/main.tf +++ b/modules/google_compute_network/main.tf @@ -8,6 +8,9 @@ terraform { } resource "google_compute_network" "vpc_network" { + # This is a component module - these setting will be overridden from the embedding module/repo. + #checkov:skip=CKV2_GCP_18:Ensure GCP network defines a firewall and does not use the default firewall + name = var.name description = var.description diff --git a/modules/google_service_networking_connection/README.md b/modules/google_service_networking_connection/README.md index c425e89..f299e7b 100644 --- a/modules/google_service_networking_connection/README.md 
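Review bot: The text after the second colon in `#checkov:skip=CKV2_GCP_18:Ensure GCP network defines a firewall and does not use the default firewall` is what checkov prints as the suppression reason in its report, and here it merely repeats the check's own title, so the real justification lives only in the free-text comment above it. Put the reason in the suppression itself, e.g. `#checkov:skip=CKV2_GCP_18:Component module; firewall rules are defined by the embedding module/repo`, and fix `these setting` to `these settings` in the preceding comment. As far as its title indicates, CKV2_GCP_18 looks for firewall rules attached to this network, so the skip shifts that control to every consumer of the module; that is worth stating in the module README.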
+++ b/modules/google_service_networking_connection/README.md @@ -9,7 +9,7 @@ | Name | Version | |------|---------| -| [google](#provider\_google) | 4.16.0 | +| [google](#provider\_google) | 4.55.0 | ## Modules diff --git a/modules/google_sql_database/README.md b/modules/google_sql_database/README.md index a4736da..132f9b8 100644 --- a/modules/google_sql_database/README.md +++ b/modules/google_sql_database/README.md @@ -9,7 +9,7 @@ | Name | Version | |------|---------| -| [google](#provider\_google) | 4.16.0 | +| [google](#provider\_google) | 4.55.0 | ## Modules diff --git a/modules/google_sql_database_instance/README.md b/modules/google_sql_database_instance/README.md index 3abca9f..9cf34dd 100644 --- a/modules/google_sql_database_instance/README.md +++ b/modules/google_sql_database_instance/README.md @@ -9,7 +9,7 @@ | Name | Version | |------|---------| -| [google](#provider\_google) | 4.16.0 | +| [google](#provider\_google) | 4.55.0 | ## Modules diff --git a/modules/google_sql_database_instance/main.tf b/modules/google_sql_database_instance/main.tf index 40ef44f..394bd70 100644 --- a/modules/google_sql_database_instance/main.tf +++ b/modules/google_sql_database_instance/main.tf @@ -21,6 +21,7 @@ locals { "pgaudit.log_client" = "on" "pgaudit.log_level" = "notice" log_hostname = "on" + log_duration = "on" # google-sql-enable-pg-temp-file-logging log_temp_files = "0" # google-sql-pg-log-connections 
@@ -41,9 +42,13 @@ locals { } #These setting will override from code -#tfsec:ignore:google-sql-enable-pg-temp-file-logging tfsec:ignore:google-sql-pg-log-connections tfsec:ignore:google-sql-pg-log-lock-waits tfsec:ignore:google-sql-pg-log-disconnections tfsec:ignore:google-sql-pg-log-checkpoints +#tfsec:ignore:google-sql-enable-pg-temp-file-logging +#tfsec:ignore:google-sql-pg-log-connections +#tfsec:ignore:google-sql-pg-log-lock-waits +#tfsec:ignore:google-sql-pg-log-disconnections +#tfsec:ignore:google-sql-pg-log-checkpoints resource "google_sql_database_instance" "instance" { - #This is a component module - these setting will be overridden from the embedding module/repo. + # This is a component module - these setting will be overridden from the embedding module/repo. #checkov:skip=CKV_GCP_51:Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' #checkov:skip=CKV_GCP_52:Ensure PostgreSQL database 'log_connections' flag is set to 'on' #checkov:skip=CKV_GCP_53:Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' @@ -52,6 +57,8 @@ resource "google_sql_database_instance" "instance" { #checkov:skip=CKV_GCP_109:Ensure the GCP PostgreSQL database log levels are set to ERROR or lower 'pgaudit.log_level' flag is set to 'notice' #checkov:skip=CKV_GCP_110:Ensure pgAudit is enabled for your GCP PostgreSQL database 'cloudsql.enable_pgaudit' flag is set to 'on' #checkov:skip=CKV_GCP_111:Ensure GCP PostgreSQL logs SQL statements 'pgaudit.log' flag is set to 'all' + #checkov:skip=CKV2_GCP_20:Ensure MySQL DB instance has point-in-time recovery backup configured + #checkov:skip=CKV2_GCP_13:Ensure PostgreSQL database flag 'log_duration' is set to 'on' database_version = var.database_version 
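Review bot: The five `#tfsec:ignore:` directives are now stacked on separate lines above `resource "google_sql_database_instance" "instance"`; tfsec has in the past only honoured an ignore placed on the same line as, or the line immediately above, the block it targets, so depending on the tfsec version in use only the last one, `google-sql-pg-log-checkpoints`, may still take effect. Confirm with the pinned tfsec version that the other four still suppress, or keep them on one line or on the resource line. `#checkov:skip=CKV2_GCP_13` suppresses the `log_duration` check that the preceding hunk's `log_duration = "on"` in locals presumably satisfies; if checkov cannot resolve flags supplied through the locals map, say so in the suppression text, otherwise the skip hides a future regression. Likewise `CKV2_GCP_20` (point-in-time recovery) is a data-durability control being skipped with only the check title as its reason; record the justification after the colon, e.g. `#checkov:skip=CKV2_GCP_20:PITR/backup settings are supplied by the embedding module`.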
@@ -134,6 +141,8 @@ resource "google_sql_database_instance" "read_replica" { #checkov:skip=CKV_GCP_109:Ensure the GCP PostgreSQL database log levels are set to ERROR or lower 'pgaudit.log_level' flag is set to 'notice' #checkov:skip=CKV_GCP_110:Ensure pgAudit is enabled for your GCP PostgreSQL database 'cloudsql.enable_pgaudit' flag is set to 'on' #checkov:skip=CKV_GCP_111:Ensure GCP PostgreSQL logs SQL statements 'pgaudit.log' flag is set to 'all' + #checkov:skip=CKV2_GCP_20:Ensure MySQL DB instance has point-in-time recovery backup configured + #checkov:skip=CKV2_GCP_13:Ensure PostgreSQL database flag 'log_duration' is set to 'on' depends_on = [ google_sql_database_instance.instance diff --git a/modules/google_sql_user/README.md b/modules/google_sql_user/README.md index de4bdf9..d4d99b4 100644 --- a/modules/google_sql_user/README.md +++ b/modules/google_sql_user/README.md @@ -9,7 +9,7 @@ | Name | Version | |------|---------| -| [google](#provider\_google) | 4.16.0 | +| [google](#provider\_google) | 4.55.0 | ## Modules