diff --git a/.github/workflows/container-build-template.yml b/.github/workflows/container-build-template.yml new file mode 100644 index 0000000..9a2d7c7 --- /dev/null +++ b/.github/workflows/container-build-template.yml @@ -0,0 +1,53 @@ +name: Docker Build Template + +on: + workflow_call: + inputs: + push: + type: boolean + required: true + tag: + type: string + required: false + platforms: + type: string + required: false + default: linux/amd64,linux/arm64 + +jobs: + build: + name: Build and Push Container Image + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to GitHub Container Registry + if: ${{ inputs.push }} + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build and push container image + id: build-push + uses: docker/build-push-action@v6 + with: + cache-from: "ghcr.io/${{ github.repository }}/tools:latest" + file: docker/Dockerfile + context: docker + tags: "ghcr.io/${{ github.repository_owner }}/${{ github.repository }}/tools:${{ inputs.tag }}" + platforms: ${{ inputs.platforms }} + push: ${{ inputs.push }} + + - name: Generate Artifact Attestation + if: ${{ inputs.push }} + uses: actions/attest-build-provenance@v2 + with: + subject-name: ghcr.io/${{ github.repository }} + subject-digest: ${{ steps.build-push.outputs.digest }} + push-to-registry: true \ No newline at end of file diff --git a/.github/workflows/shared-steps.yml b/.github/workflows/shared-steps.yml deleted file mode 100644 index 0510741..0000000 --- a/.github/workflows/shared-steps.yml +++ /dev/null 
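Review bot: The image reference in the build-push step doubles the owner: `github.repository` already holds `owner/repo`, so `tags: "ghcr.io/${{ github.repository_owner }}/${{ github.repository }}/tools:…"` publishes to `ghcr.io/owner/owner/repo/tools`, which matches neither the `cache-from` reference `ghcr.io/${{ github.repository }}/tools:latest` nor the attestation `subject-name: ghcr.io/${{ github.repository }}`, so `push-to-registry: true` will resolve the digest under the wrong repository. One reference everywhere fixes it, e.g. `tags: "ghcr.io/${{ github.repository }}/tools:${{ inputs.tag }}"` and `subject-name: ghcr.io/${{ github.repository }}/tools`; note the deleted shared-steps.yml lowercased the name with `${GITHUB_REPOSITORY@L}` because image repository names must be lowercase, and the template drops that. The `build` job declares no `permissions:` block, yet the ghcr login/push needs `packages: write` and attest-build-provenance needs `id-token: write` and `attestations: write`; the removed lite callers granted exactly these, whereas the new callers in tools-container-latest.yml, tools-container-pr.yaml and tools-container-tag.yaml grant none, so either this job or each caller should declare them explicitly instead of relying on the repository's default token scope. `tag` is optional with no default, so a caller that omits it produces the invalid reference `tools:`; give it `default: latest` or `required: true`. The four actions are pinned to floating major tags only; pinning a publishing workflow's actions to commit SHAs makes its supply chain reproducible.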
@@ -1,64 +0,0 @@ -on: - workflow_call: - inputs: - registry: - required: true - type: string - do_tag: - required: true - type: string # boolean exists, but that will be a string as ENV VAR. Set to YES or NOPE - secrets: - token: - required: false - -jobs: - reusable: - runs-on: ubuntu-latest - - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to GitHub Container Registry - if: ${{github.event_name != 'pull_request'}} - uses: docker/login-action@v3 - with: - registry: ${{ inputs.registry }} - username: ${{ github.actor }} - password: ${{ secrets.token }} - - - name: Do some shell magic - shell: bash - id: sh_settings - env: - DO_TAG: ${{inputs.do_tag}} - run: | - if [ $DO_TAG = 'YES' ]; then - echo "tag=lite-${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT - else - echo "tag=lite" >> $GITHUB_OUTPUT - fi - echo "repository=${GITHUB_REPOSITORY@L}" >> $GITHUB_OUTPUT - - - name: '[LITE] Build container image, (and push)' - id: push - uses: docker/build-push-action@v6 - with: - cache-from: ${{inputs.registry}}/${{github.repository}}/tools:${{ steps.sh_settings.outputs.tag }} - file: docker/Dockerfile.lite - context: docker - tags: ${{inputs.registry}}/${{ steps.sh_settings.outputs.repository }}/tools:${{ steps.sh_settings.outputs.tag }} - platforms: linux/amd64,linux/arm64 - push: ${{github.event_name != 'pull_request'}} - - - name: '[LITE] Generate artifact attestation' - if: ${{github.event_name != 'pull_request'}} - uses: actions/attest-build-provenance@v1 - with: - subject-name: ${{ inputs.registry }}//${{ steps.sh_settings.outputs.repository }} - subject-digest: ${{ steps.push.outputs.digest }} - push-to-registry: true - \ No newline at end of file diff --git a/.github/workflows/tools-container-latest.yaml b/.github/workflows/tools-container-latest.yaml deleted file mode 100644 index 564550b..0000000 --- a/.github/workflows/tools-container-latest.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -name: Tools Container - Publish Latest - -on: - push: - branches: - - main - paths: - - 'docker/**' - - '.github/**' - -jobs: - publish_latest: - name: Push latest container image to GitHub Packages - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - - - name: Login to GitHub Container Registry - uses: docker/login-action@v2 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build and push container image - uses: docker/build-push-action@v2 - with: - cache-from: ghcr.io/xenitab/github-actions/tools:latest - file: docker/Dockerfile - context: docker - tags: ghcr.io/xenitab/github-actions/tools:latest - push: true diff --git a/.github/workflows/tools-container-latest.yml b/.github/workflows/tools-container-latest.yml new file mode 100644 index 0000000..ff432e1 --- /dev/null +++ b/.github/workflows/tools-container-latest.yml @@ -0,0 +1,16 @@ +name: Tools Container - Publish Latest + +on: + push: + branches: + - main + paths: + - 'docker/**' + - '.github/**' + +jobs: + publish_latest: + uses: ./.github/workflows/container-build-template.yml + with: + push: true + tag: "latest" diff --git a/.github/workflows/tools-container-pr.yaml b/.github/workflows/tools-container-pr.yaml index 17f1351..d25323e 100644 --- a/.github/workflows/tools-container-pr.yaml +++ b/.github/workflows/tools-container-pr.yaml 
@@ -7,19 +7,7 @@ on: jobs: pr_validation: - name: PR Validation - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - - - name: Build container image - uses: docker/build-push-action@v2 - with: - cache-from: ghcr.io/xenitab/github-actions/tools:latest - file: docker/Dockerfile - context: docker - push: false + uses: ./.github/workflows/container-build-template.yml + with: + push: false + tag: "pr" \ No newline at end of file diff --git a/.github/workflows/tools-container-tag.yaml b/.github/workflows/tools-container-tag.yaml index 03cefa0..73831c7 100644 --- a/.github/workflows/tools-container-tag.yaml +++ b/.github/workflows/tools-container-tag.yaml 
@@ -4,38 +4,22 @@ on: release: types: - published - paths: - - "docker/**" - - ".github/**" jobs: - publish_latest: - name: Push tagged container image to GitHub Packages + generate_tag: runs-on: ubuntu-latest + outputs: + date_tag: ${{ steps.get_date.outputs.date_tag }} steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - - - name: Login to GitHub Container Registry - uses: docker/login-action@v2 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Get GitHub Tag - id: get_tag + - name: Generate Tag + id: get_date run: | - echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT + date=$(date -u +"%Y.%-m.%-d") + echo "date_tag=${date}" >> $GITHUB_OUTPUT - - name: Build and push container image - uses: docker/build-push-action@v2 - with: - cache-from: ghcr.io/xenitab/github-actions/tools:latest - file: docker/Dockerfile - context: docker - tags: ghcr.io/xenitab/github-actions/tools:${{ steps.get_tag.outputs.tag }} - push: true + publish_tag: + needs: generate_tag + uses: ./.github/workflows/container-build-template.yml + with: + push: true + tag: ${{ needs.generate_tag.outputs.date_tag }} \ No newline at end of file diff --git a/.github/workflows/tools-lite-container-latest.yml b/.github/workflows/tools-lite-container-latest.yml deleted file mode 100644 index 13929db..0000000 --- a/.github/workflows/tools-lite-container-latest.yml +++ /dev/null @@ -1,26 +0,0 @@ -name: '[LITE] Tools Container - Publish Latest' - -on: - workflow_dispatch: - push: - branches: - - main - paths: - - 'docker/**' - - '.github/**' - -jobs: - publish_latest: - name: Push latest [LITE] container image to GitHub Packages - permissions: - contents: read - packages: write - attestations: write - id-token: write - uses: ./.github/workflows/shared-steps.yml - with: - registry: ghcr.io - do_tag: 'NOPE' - secrets: - token: ${{ secrets.GITHUB_TOKEN }} - 
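Review bot: The new `generate_tag` job tags a release build with the UTC build date (`date -u +"%Y.%-m.%-d"`) instead of the release tag that the removed `${GITHUB_REF#refs/tags/}` step used, so two releases published on the same day overwrite the same image tag and an image can no longer be traced back to the release it was built from. The release event already carries the tag, so the extra job can go and the call becomes `tag: ${{ github.event.release.tag_name }}` (or `${{ github.ref_name }}`). If a date-stamped tag is also wanted, it should be an additional tag rather than the only one.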
diff --git a/.github/workflows/tools-lite-container-pr.yaml b/.github/workflows/tools-lite-container-pr.yaml deleted file mode 100644 index 570a7ae..0000000 --- a/.github/workflows/tools-lite-container-pr.yaml +++ /dev/null @@ -1,15 +0,0 @@ -name: '[LITE] Tools Container - PR Validation' - -on: - workflow_dispatch: - pull_request: - paths: - - 'docker/**' - -jobs: - pr_validation: - name: '[LITE] PR Validation' - uses: ./.github/workflows/shared-steps.yml - with: - registry: ghcr.io - do_tag: 'NOPE' diff --git a/.github/workflows/tools-lite-container-tag.yaml b/.github/workflows/tools-lite-container-tag.yaml deleted file mode 100644 index c724512..0000000 --- a/.github/workflows/tools-lite-container-tag.yaml +++ /dev/null @@ -1,22 +0,0 @@ -name: '[LITE] Tools Container - Publish Tag' - -on: - workflow_dispatch: - release: - types: - - published - -jobs: - publish_latest: - name: '[LITE] Push tagged container image to GitHub Packages' - permissions: - contents: read - packages: write - attestations: write - id-token: write - uses: ./.github/workflows/shared-steps.yml - with: - registry: ghcr.io - do_tag: 'YES' - secrets: - token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/tools-opa-test.yaml b/.github/workflows/tools-opa-test.yaml index 7b76d63..ddb60b3 100644 --- a/.github/workflows/tools-opa-test.yaml +++ b/.github/workflows/tools-opa-test.yaml @@ -8,9 +8,9 @@ jobs: uses: actions/checkout@v3 - name: Setup OPA - uses: open-policy-agent/setup-opa@v1 + uses: open-policy-agent/setup-opa@v2 with: - version: 0.40.0 + version: 1.3.0 - name: Run OPA Tests run: opa test docker/opa-policies/ -v diff --git a/docker/Dockerfile b/docker/Dockerfile index a4a39b7..ab6d0b1 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile 
@@ -1,93 +1,121 @@ -FROM golang:1.21 AS tf-prepare-builder +# Image used for the go-tf-prepare stage +FROM golang:1.24 AS tf-prepare-builder WORKDIR /workspace COPY ./go-tf-prepare/go.mod ./go-tf-prepare/go.sum ./ RUN go mod download COPY ./go-tf-prepare/main.go main.go COPY ./go-tf-prepare/pkg/ pkg/ -RUN GOOS=linux GOARCH=amd64 GO111MODULE=on go build -o tf-prepare main.go - -FROM debian:12.2-slim - -#Base -RUN apt-get update -y -RUN apt-get install -y git curl openssl pip make unzip gpg wget apt-utils -RUN apt-get install -y ansible=7.7.0+dfsg-3+deb12u1 - -RUN mkdir -p /tmp/install /usr/src /work -WORKDIR /tmp/install +RUN GOOS=linux GOARCH=${TARGETARCH} GO111MODULE=on go build -o tf-prepare main.go + +# ------------------------------ + +# Image used for the build stage +FROM debian:stable-slim + +# Set build arguments for target architecture +ARG TARGETARCH +ARG TARGETOS + +# MKDIR +RUN mkdir -p /work + +# Install dependencies +RUN apt-get update && apt-get install -y --no-install-recommends \ + ca-certificates \ + curl \ + git \ + make \ + openssl \ + unzip \ + gpg \ + wget \ + jq \ + yq && \ + rm -rf /var/lib/apt/lists/* # Install Azure CLI -COPY install-scripts/azure-cli.sh /usr/src/install-scripts/azure-cli.sh -RUN /usr/src/install-scripts/azure-cli.sh --version="2.55.0" +RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash -# Install AWS CLI -COPY install-scripts/aws-cli.sh /usr/src/install-scripts/aws-cli.sh -RUN /usr/src/install-scripts/aws-cli.sh --version="2.14.5" +# Install Terraform +RUN TERRAFORM_VERSION="1.11.4" && \ + curl -L -o terraform.zip "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_${TARGETARCH}.zip" && \ + unzip terraform.zip -d /usr/local/bin && \ + rm terraform.zip # Install tflint -COPY install-scripts/tflint.sh /usr/src/install-scripts/tflint.sh -RUN /usr/src/install-scripts/tflint.sh --version="v0.49.0" --sha="56d862054e8f71e3ba392c6617fca2d730b5ecdf8a4a0768ba6087406dcc7d63" +RUN 
TFLINT_VERSION="v0.55.1" && \ + curl -L -o tflint.zip "https://github.com/terraform-linters/tflint/releases/download/${TFLINT_VERSION}/tflint_linux_${TARGETARCH}.zip" && \ + unzip tflint.zip -d /usr/local/bin && \ + rm tflint.zip && \ + mkdir -p /work/.tflint.d/plugins/ + +# Install tflint rulesets && copy tflint configuration COPY config/.tflint.hcl /work/.tflint.d/.tflint.hcl -# Install tflint ruleset -COPY install-scripts/tflint-ruleset.sh /usr/src/install-scripts/tflint-ruleset.sh -RUN /usr/src/install-scripts/tflint-ruleset.sh --ruleset="azurerm" --version="v0.25.1" --sha="a0812b02b93dfbfcfb9521a665be249b025ee074f60943e5b5eb1869dbb36ee0" -RUN /usr/src/install-scripts/tflint-ruleset.sh --ruleset="aws" --version="v0.28.0" --sha="f099944a68e464665dfd4067b663ff6c68229b703d5dff9faea789d3974b078a" +RUN AZURERM_RULESET_VERSION="v0.28.0" && \ + curl -L -o tflint-ruleset-azurerm.zip "https://github.com/terraform-linters/tflint-ruleset-azurerm/releases/download/${AZURERM_RULESET_VERSION}/tflint-ruleset-azurerm_linux_${TARGETARCH}.zip" && \ + unzip tflint-ruleset-azurerm.zip -d /work/.tflint.d/plugins/ && \ + rm tflint-ruleset-azurerm.zip + +RUN AWS_RULESET_VERSION="v0.38.0" && \ + curl -L -o tflint-ruleset-aws.zip "https://github.com/terraform-linters/tflint-ruleset-aws/releases/download/${AWS_RULESET_VERSION}/tflint-ruleset-aws_linux_${TARGETARCH}.zip" && \ + unzip tflint-ruleset-aws.zip -d /work/.tflint.d/plugins/ && \ + rm tflint-ruleset-aws.zip # Install terraform (tfenv) -COPY install-scripts/tfenv.sh /usr/src/install-scripts/tfenv.sh -RUN /usr/src/install-scripts/tfenv.sh --latest-terraform-version="1.5.7" --tfenv-version="v3.0.0" +RUN TFENV_VERSION="1.11.0" && \ + git clone https://github.com/tfutils/tfenv.git ~/.tfenv && \ + echo 'export PATH="$HOME/.tfenv/bin:$PATH"' >> ~/.bashrc && \ + ~/.tfenv/bin/tfenv install ${TFENV_VERSION} && \ + ~/.tfenv/bin/tfenv use ${TFENV_VERSION} # Install tfsec -COPY install-scripts/tfsec.sh /usr/src/install-scripts/tfsec.sh -RUN 
/usr/src/install-scripts/tfsec.sh --version="v1.28.4" --sha="ecd6c40122835356b78d9488328c2c1c186a1a03c8ae00c6a33ba1c08909a4d9" +RUN TFSEC_VERSION="v1.28.13" && \ + curl -L -o /usr/local/bin/tfsec "https://github.com/aquasecurity/tfsec/releases/download/${TFSEC_VERSION}/tfsec-linux-${TARGETARCH}" && \ + chmod +x /usr/local/bin/tfsec -# Install Open Policy Agent -COPY install-scripts/opa.sh /usr/src/install-scripts/opa.sh -RUN /usr/src/install-scripts/opa.sh --version="v0.43.0" --sha="d5337139a7ccb04149bd9f96ab7a1641a3e3c39f6e1fffa610c7a5c054b0881f" +# Install Open Policy Agent (OPA) +RUN OPA_VERSION="v1.3.0" && \ + curl -L -o /usr/local/bin/opa "https://openpolicyagent.org/downloads/${OPA_VERSION}/opa_linux_${TARGETARCH}_static" && \ + chmod +x /usr/local/bin/opa -# Install sops -COPY install-scripts/sops.sh /usr/src/install-scripts/sops.sh -RUN /usr/src/install-scripts/sops.sh --version="v3.8.1" --sha="d6bf07fb61972127c9e0d622523124c2d81caf9f7971fb123228961021811697" +# Install sopsh +RUN SOPS_VERSION="v3.9.4" && \ + curl -L -o /usr/local/bin/sops "https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux.${TARGETARCH}" && \ + chmod +x /usr/local/bin/sops # Install GitHub CLI -COPY install-scripts/github-cli.sh /usr/src/install-scripts/github-cli.sh -RUN /usr/src/install-scripts/github-cli.sh --version="2.39.2" --sha="460d270662f80b8314928ff80ac36db619b8bbac281a1331afd0d6e822f40426" - -# Install jq -COPY install-scripts/jq.sh /usr/src/install-scripts/jq.sh -RUN /usr/src/install-scripts/jq.sh --version="1.7" --sha="2f312b9587b1c1eddf3a53f9a0b7d276b9b7b94576c85bda22808ca950569716" - -# Install yq -COPY install-scripts/yq.sh /usr/src/install-scripts/yq.sh -RUN /usr/src/install-scripts/yq.sh --version="3.1.0-3" +RUN GH_VERSION="2.67.0" && \ + curl -L -o gh.tar.gz "https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_${TARGETARCH}.tar.gz" && \ + tar -xzf gh.tar.gz && \ + mv gh_*/bin/gh /usr/local/bin/ && \ 
+ rm -rf gh_* # Install kubectl -COPY install-scripts/kubectl.sh /usr/src/install-scripts/kubectl.sh -RUN /usr/src/install-scripts/kubectl.sh --version="v1.28.4" --sha="893c92053adea6edbbd4e959c871f5c21edce416988f968bec565d115383f7b8" +RUN KUBECTL_VERSION="v1.32.0" && \ + curl -L -o /usr/local/bin/kubectl "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl" && \ + chmod +x /usr/local/bin/kubectl # Install helm -COPY install-scripts/helm.sh /usr/src/install-scripts/helm.sh -RUN /usr/src/install-scripts/helm.sh --version="v3.13.2" --sha="55a8e6dce87a1e52c61e0ce7a89bf85b38725ba3e8deb51d4a08ade8a2c70b2d" +RUN HELM_VERSION="v3.17.0" && \ + curl -fsSL -o get_helm.sh "https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3" && \ + chmod 700 get_helm.sh && \ + ./get_helm.sh --version "$HELM_VERSION" && \ + rm get_helm.sh -COPY --from=tf-prepare-builder /workspace/tf-prepare /usr/local/bin/tf-prepare -RUN chmod +x /usr/local/bin/tf-prepare - -# Install packer -COPY install-scripts/packer.sh /usr/src/install-scripts/packer.sh -RUN /usr/src/install-scripts/packer.sh --version="1.9.4" --sha="6cd5269c4245aa8c99e551d1b862460d63fe711c58bec618fade25f8492e80d9" - -#Cleanup +# Cleanup RUN apt-get autoremove && \ apt-get clean -RUN rm -rf /tmp/install - -COPY opa-policies /opt/opa-policies -COPY terraform.sh /opt/terraform.sh -COPY packer.sh /opt/packer.sh +# Copy additional files +COPY ./opa-policies /opt/opa-policies +COPY ./terraform.sh /opt/terraform.sh +COPY --from=tf-prepare-builder /workspace/tf-prepare /usr/local/bin/tf-prepare +RUN chmod +x /usr/local/bin/tf-prepare +# Set environment variables ENV HOME=/work -WORKDIR /work +# Set working directory +WORKDIR /work \ No newline at end of file diff --git a/docker/Dockerfile.lite b/docker/Dockerfile.lite deleted file mode 100644 index 15a26e2..0000000 --- a/docker/Dockerfile.lite +++ /dev/null 
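Review bot: Every download in the rewritten install section lands without an integrity check: the removed install scripts took a `--sha=` for tflint, both rulesets, tfsec, opa, sops, gh, kubectl and helm, while the new `RUN` lines `curl -L` a release asset and install whatever arrives, and without `-f` a 404 or proxy error page is written to `/usr/local/bin/tfsec`, `opa`, `sops` or `kubectl`, marked executable, and the build still succeeds. The Azure CLI (`curl -sL https://aka.ms/InstallAzureCLIDeb | bash`), helm (`get-helm-3` fetched from the `main` branch) and tfenv (`git clone` at HEAD) additionally come from unpinned, unverifiable sources where the old path pinned `2.55.0`, so an image that ships Terraform and Kubernetes tooling now trusts transport alone. Use `curl -fsSL`, fetch the publisher's checksum next to each artifact and `sha256sum --check` it before installing, as in the kubectl excerpt below; the same shape applies to the other binaries and archives. Separately, `ARG TARGETARCH` is declared only in the second stage, yet the builder stage uses `GOARCH=${TARGETARCH}`; build args are scoped per stage, so it expands empty there (the deleted Dockerfile.lite declared it right after `WORKDIR /workspace`), and the tfenv step populates `~/.tfenv` and `~/.bashrc` under the build-time HOME while the later `ENV HOME=/work` means that PATH entry is never read at runtime, on top of a second terraform (`1.11.4`) already placed in `/usr/local/bin`. `# Install sopsh` is a typo for sops.
```dockerfile
# … unchanged: builder stage, base image, apt install, other tool installs …

# Install kubectl (verify the published checksum before installing)
RUN KUBECTL_VERSION="v1.32.0" && \
    curl -fsSL -o kubectl "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl" && \
    curl -fsSL -o kubectl.sha256 "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256" && \
    echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check && \
    install -m 0755 kubectl /usr/local/bin/kubectl && \
    rm kubectl kubectl.sha256

# … unchanged: helm, cleanup, COPY of policies/scripts, ENV, WORKDIR …
```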
@@ -1,76 +0,0 @@ -FROM golang:1.23-bookworm AS tf-prepare-builder -WORKDIR /workspace -ARG TARGETARCH - -COPY ./go-tf-prepare/go.mod ./go-tf-prepare/go.sum ./ -RUN go mod download -COPY ./go-tf-prepare/main.go main.go -COPY ./go-tf-prepare/pkg/ pkg/ -RUN GOOS=linux GOARCH=$TARGETARCH GO111MODULE=on go build -o tf-prepare main.go - -FROM debian:bookworm-slim - -#Base -RUN apt-get update -y -RUN apt-get install -y git curl openssl pip make unzip gpg wget apt-utils - -RUN mkdir -p /tmp/install /usr/src /work -WORKDIR /tmp/install - -# Install Azure CLI -COPY install-scripts/azure-cli-lite.sh /usr/src/install-scripts/azure-cli.sh -RUN /usr/src/install-scripts/azure-cli.sh --version="2.64.0" - -# Install tflint -COPY install-scripts/tflint-lite.sh /usr/src/install-scripts/tflint.sh -RUN /usr/src/install-scripts/tflint.sh --version="v0.53.0" -COPY config/.tflint.hcl /work/.tflint.d/.tflint.hcl - -# Install tflint ruleset -COPY install-scripts/tflint-ruleset-lite.sh /usr/src/install-scripts/tflint-ruleset.sh -RUN /usr/src/install-scripts/tflint-ruleset.sh --ruleset="azurerm" --version="v0.27.0" - -# Install terraform (tfenv) -COPY install-scripts/tfenv.sh /usr/src/install-scripts/tfenv.sh -RUN /usr/src/install-scripts/tfenv.sh --latest-terraform-version="1.9.5" --tfenv-version="v3.0.0" - -# Install tfsec -COPY install-scripts/tfsec-lite.sh /usr/src/install-scripts/tfsec.sh -RUN /usr/src/install-scripts/tfsec.sh --version="v1.28.10" - -# Install Open Policy Agent, version 0.43.0 ??? 
-COPY install-scripts/opa-lite.sh /usr/src/install-scripts/opa.sh -RUN /usr/src/install-scripts/opa.sh --version="v0.68.0" - -# Install sops -COPY install-scripts/sops-lite.sh /usr/src/install-scripts/sops.sh -RUN /usr/src/install-scripts/sops.sh --version="v3.9.0" - -# Install GitHub CLI -COPY install-scripts/github-cli-lite.sh /usr/src/install-scripts/github-cli.sh -RUN /usr/src/install-scripts/github-cli.sh --version="2.58.0" - -# Install jq -COPY install-scripts/jq-lite.sh /usr/src/install-scripts/jq.sh -RUN /usr/src/install-scripts/jq.sh --version="1.6-2.1" - -# Install yq -COPY install-scripts/yq.sh /usr/src/install-scripts/yq.sh -RUN /usr/src/install-scripts/yq.sh --version="3.1.0-3" - -# Install tfprepare -COPY --from=tf-prepare-builder /workspace/tf-prepare /usr/local/bin/tf-prepare -RUN chmod +x /usr/local/bin/tf-prepare - -#Cleanup -RUN apt-get autoremove && \ - apt-get clean - -RUN rm -rf /tmp/install - -COPY opa-policies /opt/opa-policies -COPY terraform.sh /opt/terraform.sh - -ENV HOME=/work - -WORKDIR /work diff --git a/docker/config/.tflint.hcl b/docker/config/.tflint.hcl index 485ed8f..4b935c9 100644 --- a/docker/config/.tflint.hcl +++ b/docker/config/.tflint.hcl @@ -1,15 +1,15 @@ config { - module = false + call_module_type = "local" force = false disabled_by_default = false } plugin "azurerm" { - enabled = true + enabled = true } plugin "aws" { - enabled = true + enabled = true } rule "terraform_deprecated_interpolation" { @@ -62,4 +62,4 @@ rule "terraform_standard_module_structure" { rule "terraform_workspace_remote" { enabled = true -} +} \ No newline at end of file diff --git a/docker/install-scripts/aws-cli.sh b/docker/obsolete/install-scripts/aws-cli.sh similarity index 100% rename from docker/install-scripts/aws-cli.sh rename to docker/obsolete/install-scripts/aws-cli.sh 
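Review bot: `call_module_type = "local"` is not the equivalent of the removed `module = false`; the old setting disabled module inspection entirely, and the v1 equivalent of that is `call_module_type = "none"`, while `"local"` makes tflint also inspect locally sourced modules. If wider inspection is intended it is a behavior change worth a line in the commit description; otherwise use `call_module_type = "none"`.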
diff --git a/docker/install-scripts/azure-cli-lite.sh b/docker/obsolete/install-scripts/azure-cli-lite.sh similarity index 100% rename from docker/install-scripts/azure-cli-lite.sh rename to docker/obsolete/install-scripts/azure-cli-lite.sh diff --git a/docker/install-scripts/azure-cli.sh b/docker/obsolete/install-scripts/azure-cli.sh similarity index 100% rename from docker/install-scripts/azure-cli.sh rename to docker/obsolete/install-scripts/azure-cli.sh diff --git a/docker/install-scripts/github-cli-lite.sh b/docker/obsolete/install-scripts/github-cli-lite.sh similarity index 100% rename from docker/install-scripts/github-cli-lite.sh rename to docker/obsolete/install-scripts/github-cli-lite.sh diff --git a/docker/install-scripts/github-cli.sh b/docker/obsolete/install-scripts/github-cli.sh similarity index 100% rename from docker/install-scripts/github-cli.sh rename to docker/obsolete/install-scripts/github-cli.sh diff --git a/docker/install-scripts/helm.sh b/docker/obsolete/install-scripts/helm.sh similarity index 100% rename from docker/install-scripts/helm.sh rename to docker/obsolete/install-scripts/helm.sh diff --git a/docker/install-scripts/jq-lite.sh b/docker/obsolete/install-scripts/jq-lite.sh similarity index 100% rename from docker/install-scripts/jq-lite.sh rename to docker/obsolete/install-scripts/jq-lite.sh diff --git a/docker/install-scripts/jq.sh b/docker/obsolete/install-scripts/jq.sh similarity index 100% rename from docker/install-scripts/jq.sh rename to docker/obsolete/install-scripts/jq.sh diff --git a/docker/install-scripts/kubectl.sh b/docker/obsolete/install-scripts/kubectl.sh similarity index 100% rename from docker/install-scripts/kubectl.sh rename to docker/obsolete/install-scripts/kubectl.sh diff --git a/docker/install-scripts/opa-lite.sh b/docker/obsolete/install-scripts/opa-lite.sh similarity index 100% rename from docker/install-scripts/opa-lite.sh rename to docker/obsolete/install-scripts/opa-lite.sh 
diff --git a/docker/install-scripts/opa.sh b/docker/obsolete/install-scripts/opa.sh similarity index 100% rename from docker/install-scripts/opa.sh rename to docker/obsolete/install-scripts/opa.sh diff --git a/docker/install-scripts/packer.sh b/docker/obsolete/install-scripts/packer.sh similarity index 100% rename from docker/install-scripts/packer.sh rename to docker/obsolete/install-scripts/packer.sh diff --git a/docker/install-scripts/sops-lite.sh b/docker/obsolete/install-scripts/sops-lite.sh similarity index 100% rename from docker/install-scripts/sops-lite.sh rename to docker/obsolete/install-scripts/sops-lite.sh diff --git a/docker/install-scripts/sops.sh b/docker/obsolete/install-scripts/sops.sh similarity index 100% rename from docker/install-scripts/sops.sh rename to docker/obsolete/install-scripts/sops.sh diff --git a/docker/install-scripts/tfenv.sh b/docker/obsolete/install-scripts/tfenv.sh similarity index 100% rename from docker/install-scripts/tfenv.sh rename to docker/obsolete/install-scripts/tfenv.sh diff --git a/docker/install-scripts/tflint-lite.sh b/docker/obsolete/install-scripts/tflint-lite.sh similarity index 100% rename from docker/install-scripts/tflint-lite.sh rename to docker/obsolete/install-scripts/tflint-lite.sh diff --git a/docker/install-scripts/tflint-ruleset-lite.sh b/docker/obsolete/install-scripts/tflint-ruleset-lite.sh similarity index 100% rename from docker/install-scripts/tflint-ruleset-lite.sh rename to docker/obsolete/install-scripts/tflint-ruleset-lite.sh diff --git a/docker/install-scripts/tflint-ruleset.sh b/docker/obsolete/install-scripts/tflint-ruleset.sh similarity index 100% rename from docker/install-scripts/tflint-ruleset.sh rename to docker/obsolete/install-scripts/tflint-ruleset.sh diff --git a/docker/install-scripts/tflint.sh b/docker/obsolete/install-scripts/tflint.sh similarity index 100% rename from docker/install-scripts/tflint.sh rename to docker/obsolete/install-scripts/tflint.sh 
diff --git a/docker/install-scripts/tfsec-lite.sh b/docker/obsolete/install-scripts/tfsec-lite.sh similarity index 100% rename from docker/install-scripts/tfsec-lite.sh rename to docker/obsolete/install-scripts/tfsec-lite.sh diff --git a/docker/install-scripts/tfsec.sh b/docker/obsolete/install-scripts/tfsec.sh similarity index 100% rename from docker/install-scripts/tfsec.sh rename to docker/obsolete/install-scripts/tfsec.sh diff --git a/docker/install-scripts/yq.sh b/docker/obsolete/install-scripts/yq.sh similarity index 100% rename from docker/install-scripts/yq.sh rename to docker/obsolete/install-scripts/yq.sh diff --git a/docker/opa-policies/terraform.rego b/docker/opa-policies/terraform.rego index 990c8bb..e827f39 100644 --- a/docker/opa-policies/terraform.rego +++ b/docker/opa-policies/terraform.rego @@ -1,5 +1,7 @@ package terraform.analysis +import rego.v1 + import input as tfplan ######################## 
@@ -12,32 +14,33 @@ import input as tfplan # cat [...].tfplan.json | jq "{resource_changes: [{change: {actions: .resource_changes[_].change.actions}, type: .resource_changes[_].type}]}" > test.json # acceptable score for automated authorization -blast_radius = data.blast_radius +blast_radius := data.blast_radius # weights assigned for each operation on each resource-type -weights = { - "kubernetes_namespace": {"delete": 100, "create": 1, "modify": 1}, - "kubernetes_service_account": {"delete": 100, "create": 1, "modify": 1}, - "azuread_group": {"delete": 100, "create": 1, "modify": 1}, - "azurerm_container_registry": {"delete": 100, "create": 1, "modify": 1}, - "azurerm_kubernetes_cluster": {"delete": 100, "create": 1, "modify": 1}, - "azurerm_resource_group": {"delete": 200, "create": 1, "modify": 1}, - "azurerm_storage_account": {"delete": 100, "create": 1, "modify": 1}, - "azurerm_virtual_network": {"delete": 100, "create": 1, "modify": 1}, - "azurerm_virtual_machine": {"delete": 100, "create": 1, "modify": 1}, - "azuread_application_password": {"delete": 100, "create": 1, "modify": 100}, - "azurerm_user_assigned_identity": {"delete": 100, "create": 1, "modify": 100}, - "helm_release": {"delete": 100, "create": 1, "modify": 1}, - "aws_ecr_repository": {"delete": 100, "create": 1, "modify": 1}, - "aws_eks_cluster": {"delete": 100, "create": 1, "modify": 1}, - "aws_s3_bucket": {"delete": 100, "create": 1, "modify": 1}, - "aws_vpc": {"delete": 100, "create": 1, "modify": 1} +weights := { + "kubernetes_namespace": {"delete": 100, "create": 1, "modify": 1}, + "kubernetes_service_account": {"delete": 100, "create": 1, "modify": 1}, + "azuread_group": {"delete": 100, "create": 1, "modify": 1}, + "azurerm_container_registry": {"delete": 100, "create": 1, "modify": 1}, + "azurerm_kubernetes_cluster": {"delete": 100, "create": 1, "modify": 1}, + "azurerm_resource_group": {"delete": 200, "create": 1, "modify": 1}, + "azurerm_storage_account": {"delete": 100, "create": 1, 
"modify": 1}, + "azurerm_virtual_network": {"delete": 100, "create": 1, "modify": 1}, + "azurerm_virtual_machine": {"delete": 100, "create": 1, "modify": 1}, + "azuread_application_password": {"delete": 100, "create": 1, "modify": 100}, + "azurerm_user_assigned_identity": {"delete": 100, "create": 1, "modify": 100}, + "helm_release": {"delete": 100, "create": 1, "modify": 1}, + "aws_ecr_repository": {"delete": 100, "create": 1, "modify": 1}, + "aws_eks_cluster": {"delete": 100, "create": 1, "modify": 1}, + "aws_s3_bucket": {"delete": 100, "create": 1, "modify": 1}, + "aws_vpc": {"delete": 100, "create": 1, "modify": 1}, } -resource_types = { r | weights[r] } -other_resource_types[type] { - type := tfplan.resource_changes[_].type - not resource_types[type] +resource_types := {r | weights[r]} + +other_resource_types contains type if { + type := tfplan.resource_changes[_].type + not resource_types[type] } ######### 
@@ -45,31 +48,32 @@ other_resource_types[type] { ######### # Authorization holds if score for the plan is acceptable and no changes are made to IAM -default authz = false -authz { - score < blast_radius - # not touches_iam +default authz := false + +authz if { + score < blast_radius + # not touches_iam } # Compute the score for a Terraform plan as the weighted sum of deletions, creations, modifications -score = s { - all := [ x | - some resource_type - crud := weights[resource_type]; - del := crud["delete"] * num_deletes[resource_type]; - new := crud["create"] * num_creates[resource_type]; - mod := crud["modify"] * num_modifies[resource_type]; - x := del + new + mod - ] - others := [ x | - some resource_type - crud := {"delete": 100, "create": 1, "modify": 1}; - del := crud["delete"] * other_num_deletes[resource_type]; - new := crud["create"] * other_num_creates[resource_type]; - mod := crud["modify"] * other_num_modifies[resource_type]; - x := del + new + mod - ] - s := sum(all) + sum(others) +score := s if { + all := [x | + some resource_type + crud := weights[resource_type] + del := crud.delete * num_deletes[resource_type] + new := crud.create * num_creates[resource_type] + mod := crud.modify * num_modifies[resource_type] + x := (del + new) + mod + ] + others := [x | + some resource_type + crud := {"delete": 100, "create": 1, "modify": 1} + del := crud.delete * other_num_deletes[resource_type] + new := crud.create * other_num_creates[resource_type] + mod := crud.modify * other_num_modifies[resource_type] + x := (del + new) + mod + ] + s := sum(all) + sum(others) } # Whether there is any change to IAM 
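Review bot: The header comment above `authz` still promises "no changes are made to IAM", but the rewritten body keeps `# not touches_iam` commented out, so the v1 rule authorizes on `score < blast_radius` alone; either re-enable the check or change the comment to `# Authorization holds if the weighted score for the plan is below blast_radius (IAM check currently disabled)`. It is also worth a comment next to `blast_radius := data.blast_radius` that when that data document is not supplied the comparison is undefined and `authz` falls through to its `default false`, i.e. the policy fails closed, since that is what an operator who forgets to provide `data.blast_radius` will observe. The `(del + new) + mod` parentheses are redundant and look like formatter output; fine to keep if the file is kept under `opa fmt`.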
@@ -83,71 +87,71 @@ score = s {
 
 ####################
 # list of all resources of a given type
-resources[resource_type] := all {
- some resource_type
- resource_types[resource_type]
- all := [name |
- name:= tfplan.resource_changes[_]
- name.type == resource_type
- ]
+resources[resource_type] := all if {
+ some resource_type
+ resource_types[resource_type]
+ all := [name |
+ name := tfplan.resource_changes[_]
+ name.type == resource_type
+ ]
 }
 
-other_resources[resource_type] := all {
- some resource_type
- other_resource_types[resource_type]
- all := [name |
- name:= tfplan.resource_changes[_]
- name.type == resource_type
- ]
+other_resources[resource_type] := all if {
+ some resource_type
+ other_resource_types[resource_type]
+ all := [name |
+ name := tfplan.resource_changes[_]
+ name.type == resource_type
+ ]
 }
 
 # number of creations of resources of a given type
-num_creates[resource_type] := num {
- some resource_type
- resource_types[resource_type]
- all := resources[resource_type]
- creates := [res | res:= all[_]; res.change.actions[_] == "create"]
- num := count(creates)
+num_creates[resource_type] := num if {
+ some resource_type
+ resource_types[resource_type]
+ all := resources[resource_type]
+ creates := [res | res := all[_]; res.change.actions[_] == "create"]
+ num := count(creates)
 }
 
-other_num_creates[resource_type] := num {
- some resource_type
- other_resource_types[resource_type]
- all := other_resources[resource_type]
- creates := [res | res:= all[_]; res.change.actions[_] == "create"]
- num := count(creates)
+other_num_creates[resource_type] := num if {
+ some resource_type
+ other_resource_types[resource_type]
+ all := other_resources[resource_type]
+ creates := [res | res := all[_]; res.change.actions[_] == "create"]
+ num := count(creates)
 }
 
 # number of deletions of resources of a given type
-num_deletes[resource_type] := num {
- some resource_type
- resource_types[resource_type]
- all := resources[resource_type]
- deletions := [res | res:= all[_]; res.change.actions[_] == "delete"]
- num := count(deletions)
+num_deletes[resource_type] := num if {
+ some resource_type
+ resource_types[resource_type]
+ all := resources[resource_type]
+ deletions := [res | res := all[_]; res.change.actions[_] == "delete"]
+ num := count(deletions)
 }
 
-other_num_deletes[resource_type] := num {
- some resource_type
- other_resource_types[resource_type]
- all := other_resources[resource_type]
- deletions := [res | res:= all[_]; res.change.actions[_] == "delete"]
- num := count(deletions)
+other_num_deletes[resource_type] := num if {
+ some resource_type
+ other_resource_types[resource_type]
+ all := other_resources[resource_type]
+ deletions := [res | res := all[_]; res.change.actions[_] == "delete"]
+ num := count(deletions)
 }
 
 # number of modifications to resources of a given type
-num_modifies[resource_type] := num {
- some resource_type
- resource_types[resource_type]
- all := resources[resource_type]
- modifies := [res | res:= all[_]; res.change.actions[_] == "update"]
- num := count(modifies)
+num_modifies[resource_type] := num if {
+ some resource_type
+ resource_types[resource_type]
+ all := resources[resource_type]
+ modifies := [res | res := all[_]; res.change.actions[_] == "update"]
+ num := count(modifies)
 }
 
-other_num_modifies[resource_type] := num {
- some resource_type
- other_resource_types[resource_type]
- all := other_resources[resource_type]
- modifies := [res | res:= all[_]; res.change.actions[_] == "update"]
- num := count(modifies)
+other_num_modifies[resource_type] := num if {
+ some resource_type
+ other_resource_types[resource_type]
+ all := other_resources[resource_type]
+ modifies := [res | res := all[_]; res.change.actions[_] == "update"]
+ num := count(modifies)
 }
diff --git a/docker/opa-policies/test_aws_ecr_repository.rego b/docker/opa-policies/test_aws_ecr_repository.rego
index 724bffb..549c7da 100644
--- a/docker/opa-policies/test_aws_ecr_repository.rego
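Review bot: The six counting rules (`num_creates`, `num_deletes`, `num_modifies` and their `other_*` twins) differ only in the action string and in which resource map they read, so the rego.v1 rewrite is a natural point to fold the repeated comprehension into one helper instead of carrying six copies; this is a readability point, not a behavioural one, and the rule names and their outputs stay as they are. The `resources`/`other_resources` pair differs only in the set guard and could be treated the same way. A helper in the file's existing idiom is sketched below for `num_creates`; the remaining five rules follow the same pattern.
```rego
# number of entries in `changes` whose planned actions include `action`
count_action(changes, action) := count([res | res := changes[_]; res.change.actions[_] == action])

# number of creations of resources of a given type
num_creates[resource_type] := num if {
	some resource_type
	resource_types[resource_type]
	num := count_action(resources[resource_type], "create")
}

# … unchanged: the other five counting rules, rewritten the same way with "delete" / "update" and other_resources …
```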
+++ b/docker/opa-policies/test_aws_ecr_repository.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_aws_ecr_repository = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "aws_ecr_repository"
- }
- ]
-}
+import rego.v1
 
-input_delete_aws_ecr_repository = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "aws_ecr_repository"
- }
- ]
-}
+input_create_aws_ecr_repository := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "aws_ecr_repository",
+}]}
 
-input_update_aws_ecr_repository = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "aws_ecr_repository"
- }
- ]
-}
+input_delete_aws_ecr_repository := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "aws_ecr_repository",
+}]}
 
-test_create_aws_ecr_repository {
- authz with input as input_create_aws_ecr_repository
+input_update_aws_ecr_repository := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "aws_ecr_repository",
+}]}
+
+test_create_aws_ecr_repository if {
+ authz with input as input_create_aws_ecr_repository
 }
 
-test_delete_aws_ecr_repository {
- not authz with input as input_delete_aws_ecr_repository
+test_delete_aws_ecr_repository if {
+ not authz with input as input_delete_aws_ecr_repository
 }
 
-test_update_aws_ecr_repository {
- authz with input as input_update_aws_ecr_repository
-}
\ No newline at end of file
+test_update_aws_ecr_repository if {
+ authz with input as input_update_aws_ecr_repository
+}
diff --git a/docker/opa-policies/test_aws_eks_cluster.rego b/docker/opa-policies/test_aws_eks_cluster.rego
index c09c79f..a8803ce 100644
--- a/docker/opa-policies/test_aws_eks_cluster.rego
+++ b/docker/opa-policies/test_aws_eks_cluster.rego
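Review bot: The `not authz` tests in this hunk, and the identical ones in the sixteen sibling hunks through test_kubernetes_service_account.rego, pass for any reason `authz` is false or undefined — `default authz := false` also fires when `score` fails to evaluate — so a broken policy would leave the delete tests green. Asserting the score pins the intended behaviour instead, e.g. `test_delete_aws_ecr_repository if { score == 100 with input as input_delete_aws_ecr_repository }`, which follows from the `weights` entry giving `delete` a weight of 100 for `aws_ecr_repository`. The positive tests in turn depend on the value of `blast_radius`, which is set outside this diff; overriding it in the test with a `with` clause (OPA allows `with` on rules, not only on `input`) would make the expected outcome explicit rather than inherited from the default.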
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_aws_eks_cluster = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "aws_eks_cluster"
- }
- ]
-}
+import rego.v1
 
-input_delete_aws_eks_cluster = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "aws_eks_cluster"
- }
- ]
-}
+input_create_aws_eks_cluster := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "aws_eks_cluster",
+}]}
 
-input_update_aws_eks_cluster = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "aws_eks_cluster"
- }
- ]
-}
+input_delete_aws_eks_cluster := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "aws_eks_cluster",
+}]}
 
-test_create_aws_eks_cluster {
- authz with input as input_create_aws_eks_cluster
+input_update_aws_eks_cluster := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "aws_eks_cluster",
+}]}
+
+test_create_aws_eks_cluster if {
+ authz with input as input_create_aws_eks_cluster
 }
 
-test_delete_aws_eks_cluster {
- not authz with input as input_delete_aws_eks_cluster
+test_delete_aws_eks_cluster if {
+ not authz with input as input_delete_aws_eks_cluster
 }
 
-test_update_aws_eks_cluster {
- authz with input as input_update_aws_eks_cluster
-}
\ No newline at end of file
+test_update_aws_eks_cluster if {
+ authz with input as input_update_aws_eks_cluster
+}
diff --git a/docker/opa-policies/test_aws_s3_bucket.rego b/docker/opa-policies/test_aws_s3_bucket.rego
index 4e15971..009fd62 100644
--- a/docker/opa-policies/test_aws_s3_bucket.rego
+++ b/docker/opa-policies/test_aws_s3_bucket.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_aws_s3_bucket = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "aws_s3_bucket"
- }
- ]
-}
+import rego.v1
 
-input_delete_aws_s3_bucket = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "aws_s3_bucket"
- }
- ]
-}
+input_create_aws_s3_bucket := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "aws_s3_bucket",
+}]}
 
-input_update_aws_s3_bucket = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "aws_s3_bucket"
- }
- ]
-}
+input_delete_aws_s3_bucket := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "aws_s3_bucket",
+}]}
 
-test_create_aws_s3_bucket {
- authz with input as input_create_aws_s3_bucket
+input_update_aws_s3_bucket := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "aws_s3_bucket",
+}]}
+
+test_create_aws_s3_bucket if {
+ authz with input as input_create_aws_s3_bucket
 }
 
-test_delete_aws_s3_bucket {
- not authz with input as input_delete_aws_s3_bucket
+test_delete_aws_s3_bucket if {
+ not authz with input as input_delete_aws_s3_bucket
 }
 
-test_update_aws_s3_bucket {
- authz with input as input_update_aws_s3_bucket
-}
\ No newline at end of file
+test_update_aws_s3_bucket if {
+ authz with input as input_update_aws_s3_bucket
+}
diff --git a/docker/opa-policies/test_aws_vpc.rego b/docker/opa-policies/test_aws_vpc.rego
index c06869d..08b270d 100644
--- a/docker/opa-policies/test_aws_vpc.rego
+++ b/docker/opa-policies/test_aws_vpc.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_aws_vpc = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "aws_vpc"
- }
- ]
-}
+import rego.v1
 
-input_delete_aws_vpc = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "aws_vpc"
- }
- ]
-}
+input_create_aws_vpc := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "aws_vpc",
+}]}
 
-input_update_aws_vpc = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "aws_vpc"
- }
- ]
-}
+input_delete_aws_vpc := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "aws_vpc",
+}]}
 
-test_create_aws_vpc {
- authz with input as input_create_aws_vpc
+input_update_aws_vpc := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "aws_vpc",
+}]}
+
+test_create_aws_vpc if {
+ authz with input as input_create_aws_vpc
 }
 
-test_delete_aws_vpc {
- not authz with input as input_delete_aws_vpc
+test_delete_aws_vpc if {
+ not authz with input as input_delete_aws_vpc
 }
 
-test_update_aws_vpc {
- authz with input as input_update_aws_vpc
-}
\ No newline at end of file
+test_update_aws_vpc if {
+ authz with input as input_update_aws_vpc
+}
diff --git a/docker/opa-policies/test_azuread_application_password.rego b/docker/opa-policies/test_azuread_application_password.rego
index b82427f..2b16683 100644
--- a/docker/opa-policies/test_azuread_application_password.rego
+++ b/docker/opa-policies/test_azuread_application_password.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_azuread_application_password = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "azuread_application_password"
- }
- ]
-}
+import rego.v1
 
-input_delete_azuread_application_password = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "azuread_application_password"
- }
- ]
-}
+input_create_azuread_application_password := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "azuread_application_password",
+}]}
 
-input_update_azuread_application_password = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "azuread_application_password"
- }
- ]
-}
+input_delete_azuread_application_password := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "azuread_application_password",
+}]}
 
-test_create_azuread_application_password {
- authz with input as input_create_azuread_application_password
+input_update_azuread_application_password := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "azuread_application_password",
+}]}
+
+test_create_azuread_application_password if {
+ authz with input as input_create_azuread_application_password
 }
 
-test_delete_azuread_application_password {
- not authz with input as input_delete_azuread_application_password
+test_delete_azuread_application_password if {
+ not authz with input as input_delete_azuread_application_password
 }
 
-test_update_azuread_application_password {
- not authz with input as input_update_azuread_application_password
-}
\ No newline at end of file
+test_update_azuread_application_password if {
+ not authz with input as input_update_azuread_application_password
+}
diff --git a/docker/opa-policies/test_azuread_group.rego b/docker/opa-policies/test_azuread_group.rego
index a195f38..c987d09 100644
--- a/docker/opa-policies/test_azuread_group.rego
+++ b/docker/opa-policies/test_azuread_group.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_azuread_group = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "azuread_group"
- }
- ]
-}
+import rego.v1
 
-input_delete_azuread_group = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "azuread_group"
- }
- ]
-}
+input_create_azuread_group := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "azuread_group",
+}]}
 
-input_update_azuread_group = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "azuread_group"
- }
- ]
-}
+input_delete_azuread_group := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "azuread_group",
+}]}
 
-test_create_azuread_group {
- authz with input as input_create_azuread_group
+input_update_azuread_group := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "azuread_group",
+}]}
+
+test_create_azuread_group if {
+ authz with input as input_create_azuread_group
 }
 
-test_delete_azuread_group {
- not authz with input as input_delete_azuread_group
+test_delete_azuread_group if {
+ not authz with input as input_delete_azuread_group
 }
 
-test_update_azuread_group {
- authz with input as input_update_azuread_group
-}
\ No newline at end of file
+test_update_azuread_group if {
+ authz with input as input_update_azuread_group
+}
diff --git a/docker/opa-policies/test_azurerm_container_registry.rego b/docker/opa-policies/test_azurerm_container_registry.rego
index 7fe91ae..ba54d44 100644
--- a/docker/opa-policies/test_azurerm_container_registry.rego
+++ b/docker/opa-policies/test_azurerm_container_registry.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_azurerm_container_registry = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "azurerm_container_registry"
- }
- ]
-}
+import rego.v1
 
-input_delete_azurerm_container_registry = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "azurerm_container_registry"
- }
- ]
-}
+input_create_azurerm_container_registry := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "azurerm_container_registry",
+}]}
 
-input_update_azurerm_container_registry = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "azurerm_container_registry"
- }
- ]
-}
+input_delete_azurerm_container_registry := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "azurerm_container_registry",
+}]}
 
-test_create_azurerm_container_registry {
- authz with input as input_create_azurerm_container_registry
+input_update_azurerm_container_registry := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "azurerm_container_registry",
+}]}
+
+test_create_azurerm_container_registry if {
+ authz with input as input_create_azurerm_container_registry
 }
 
-test_delete_azurerm_container_registry {
- not authz with input as input_delete_azurerm_container_registry
+test_delete_azurerm_container_registry if {
+ not authz with input as input_delete_azurerm_container_registry
 }
 
-test_update_azurerm_container_registry {
- authz with input as input_update_azurerm_container_registry
-}
\ No newline at end of file
+test_update_azurerm_container_registry if {
+ authz with input as input_update_azurerm_container_registry
+}
diff --git a/docker/opa-policies/test_azurerm_kubernetes_cluster.rego b/docker/opa-policies/test_azurerm_kubernetes_cluster.rego
index 75c9a29..eda4849 100644
--- a/docker/opa-policies/test_azurerm_kubernetes_cluster.rego
+++ b/docker/opa-policies/test_azurerm_kubernetes_cluster.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_azurerm_kubernetes_cluster = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "azurerm_kubernetes_cluster"
- }
- ]
-}
+import rego.v1
 
-input_delete_azurerm_kubernetes_cluster = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "azurerm_kubernetes_cluster"
- }
- ]
-}
+input_create_azurerm_kubernetes_cluster := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "azurerm_kubernetes_cluster",
+}]}
 
-input_update_azurerm_kubernetes_cluster = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "azurerm_kubernetes_cluster"
- }
- ]
-}
+input_delete_azurerm_kubernetes_cluster := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "azurerm_kubernetes_cluster",
+}]}
 
-test_create_azurerm_kubernetes_cluster {
- authz with input as input_create_azurerm_kubernetes_cluster
+input_update_azurerm_kubernetes_cluster := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "azurerm_kubernetes_cluster",
+}]}
+
+test_create_azurerm_kubernetes_cluster if {
+ authz with input as input_create_azurerm_kubernetes_cluster
 }
 
-test_delete_azurerm_kubernetes_cluster {
- not authz with input as input_delete_azurerm_kubernetes_cluster
+test_delete_azurerm_kubernetes_cluster if {
+ not authz with input as input_delete_azurerm_kubernetes_cluster
 }
 
-test_update_azurerm_kubernetes_cluster {
- authz with input as input_update_azurerm_kubernetes_cluster
-}
\ No newline at end of file
+test_update_azurerm_kubernetes_cluster if {
+ authz with input as input_update_azurerm_kubernetes_cluster
+}
diff --git a/docker/opa-policies/test_azurerm_resource_group.rego b/docker/opa-policies/test_azurerm_resource_group.rego
index 3b49b1b..faf9407 100644
--- a/docker/opa-policies/test_azurerm_resource_group.rego
+++ b/docker/opa-policies/test_azurerm_resource_group.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_azurerm_resource_group = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "azurerm_resource_group"
- }
- ]
-}
+import rego.v1
 
-input_delete_azurerm_resource_group = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "azurerm_resource_group"
- }
- ]
-}
+input_create_azurerm_resource_group := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "azurerm_resource_group",
+}]}
 
-input_update_azurerm_resource_group = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "azurerm_resource_group"
- }
- ]
-}
+input_delete_azurerm_resource_group := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "azurerm_resource_group",
+}]}
 
-test_create_azurerm_resource_group {
- authz with input as input_create_azurerm_resource_group
+input_update_azurerm_resource_group := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "azurerm_resource_group",
+}]}
+
+test_create_azurerm_resource_group if {
+ authz with input as input_create_azurerm_resource_group
 }
 
-test_delete_azurerm_resource_group {
- not authz with input as input_delete_azurerm_resource_group
+test_delete_azurerm_resource_group if {
+ not authz with input as input_delete_azurerm_resource_group
 }
 
-test_update_azurerm_resource_group {
- authz with input as input_update_azurerm_resource_group
-}
\ No newline at end of file
+test_update_azurerm_resource_group if {
+ authz with input as input_update_azurerm_resource_group
+}
diff --git a/docker/opa-policies/test_azurerm_storage_account.rego b/docker/opa-policies/test_azurerm_storage_account.rego
index 59d0858..bc88726 100644
--- a/docker/opa-policies/test_azurerm_storage_account.rego
+++ b/docker/opa-policies/test_azurerm_storage_account.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_azurerm_storage_account = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "azurerm_storage_account"
- }
- ]
-}
+import rego.v1
 
-input_delete_azurerm_storage_account = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "azurerm_storage_account"
- }
- ]
-}
+input_create_azurerm_storage_account := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "azurerm_storage_account",
+}]}
 
-input_update_azurerm_storage_account = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "azurerm_storage_account"
- }
- ]
-}
+input_delete_azurerm_storage_account := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "azurerm_storage_account",
+}]}
 
-test_create_azurerm_storage_account {
- authz with input as input_create_azurerm_storage_account
+input_update_azurerm_storage_account := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "azurerm_storage_account",
+}]}
+
+test_create_azurerm_storage_account if {
+ authz with input as input_create_azurerm_storage_account
 }
 
-test_delete_azurerm_storage_account {
- not authz with input as input_delete_azurerm_storage_account
+test_delete_azurerm_storage_account if {
+ not authz with input as input_delete_azurerm_storage_account
 }
 
-test_update_azurerm_storage_account {
- authz with input as input_update_azurerm_storage_account
-}
\ No newline at end of file
+test_update_azurerm_storage_account if {
+ authz with input as input_update_azurerm_storage_account
+}
diff --git a/docker/opa-policies/test_azurerm_user_assigned_identity.rego b/docker/opa-policies/test_azurerm_user_assigned_identity.rego
index ad8fa3d..0fe6464 100644
--- a/docker/opa-policies/test_azurerm_user_assigned_identity.rego
+++ b/docker/opa-policies/test_azurerm_user_assigned_identity.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_azurerm_user_assigned_identity = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "azurerm_user_assigned_identity"
- }
- ]
-}
+import rego.v1
 
-input_delete_azurerm_user_assigned_identity = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "azurerm_user_assigned_identity"
- }
- ]
-}
+input_create_azurerm_user_assigned_identity := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "azurerm_user_assigned_identity",
+}]}
 
-input_update_azurerm_user_assigned_identity = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "azurerm_user_assigned_identity"
- }
- ]
-}
+input_delete_azurerm_user_assigned_identity := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "azurerm_user_assigned_identity",
+}]}
 
-test_create_azurerm_user_assigned_identity {
- authz with input as input_create_azurerm_user_assigned_identity
+input_update_azurerm_user_assigned_identity := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "azurerm_user_assigned_identity",
+}]}
+
+test_create_azurerm_user_assigned_identity if {
+ authz with input as input_create_azurerm_user_assigned_identity
 }
 
-test_delete_azurerm_user_assigned_identity {
- not authz with input as input_delete_azurerm_user_assigned_identity
+test_delete_azurerm_user_assigned_identity if {
+ not authz with input as input_delete_azurerm_user_assigned_identity
 }
 
-test_update_azurerm_user_assigned_identity {
- not authz with input as input_update_azurerm_user_assigned_identity
-}
\ No newline at end of file
+test_update_azurerm_user_assigned_identity if {
+ not authz with input as input_update_azurerm_user_assigned_identity
+}
diff --git a/docker/opa-policies/test_azurerm_virtual_machine.rego b/docker/opa-policies/test_azurerm_virtual_machine.rego
index 4602868..d70104c 100644
--- a/docker/opa-policies/test_azurerm_virtual_machine.rego
+++ b/docker/opa-policies/test_azurerm_virtual_machine.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_azurerm_virtual_machine = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "azurerm_virtual_machine"
- }
- ]
-}
+import rego.v1
 
-input_delete_azurerm_virtual_machine = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "azurerm_virtual_machine"
- }
- ]
-}
+input_create_azurerm_virtual_machine := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "azurerm_virtual_machine",
+}]}
 
-input_update_azurerm_virtual_machine = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "azurerm_virtual_machine"
- }
- ]
-}
+input_delete_azurerm_virtual_machine := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "azurerm_virtual_machine",
+}]}
 
-test_create_azurerm_virtual_machine {
- authz with input as input_create_azurerm_virtual_machine
+input_update_azurerm_virtual_machine := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "azurerm_virtual_machine",
+}]}
+
+test_create_azurerm_virtual_machine if {
+ authz with input as input_create_azurerm_virtual_machine
 }
 
-test_delete_azurerm_virtual_machine {
- not authz with input as input_delete_azurerm_virtual_machine
+test_delete_azurerm_virtual_machine if {
+ not authz with input as input_delete_azurerm_virtual_machine
 }
 
-test_update_azurerm_virtual_machine {
- authz with input as input_update_azurerm_virtual_machine
-}
\ No newline at end of file
+test_update_azurerm_virtual_machine if {
+ authz with input as input_update_azurerm_virtual_machine
+}
diff --git a/docker/opa-policies/test_azurerm_virtual_network.rego b/docker/opa-policies/test_azurerm_virtual_network.rego
index edf8e62..998f801 100644
--- a/docker/opa-policies/test_azurerm_virtual_network.rego
+++ b/docker/opa-policies/test_azurerm_virtual_network.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_azurerm_virtual_network = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "azurerm_virtual_network"
- }
- ]
-}
+import rego.v1
 
-input_delete_azurerm_virtual_network = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "azurerm_virtual_network"
- }
- ]
-}
+input_create_azurerm_virtual_network := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "azurerm_virtual_network",
+}]}
 
-input_update_azurerm_virtual_network = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "azurerm_virtual_network"
- }
- ]
-}
+input_delete_azurerm_virtual_network := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "azurerm_virtual_network",
+}]}
 
-test_create_azurerm_virtual_network {
- authz with input as input_create_azurerm_virtual_network
+input_update_azurerm_virtual_network := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "azurerm_virtual_network",
+}]}
+
+test_create_azurerm_virtual_network if {
+ authz with input as input_create_azurerm_virtual_network
 }
 
-test_delete_azurerm_virtual_network {
- not authz with input as input_delete_azurerm_virtual_network
+test_delete_azurerm_virtual_network if {
+ not authz with input as input_delete_azurerm_virtual_network
 }
 
-test_update_azurerm_virtual_network {
- authz with input as input_update_azurerm_virtual_network
-}
\ No newline at end of file
+test_update_azurerm_virtual_network if {
+ authz with input as input_update_azurerm_virtual_network
+}
diff --git a/docker/opa-policies/test_fake_resource.rego b/docker/opa-policies/test_fake_resource.rego
index fc33700..56cc51d 100644
--- a/docker/opa-policies/test_fake_resource.rego
+++ b/docker/opa-policies/test_fake_resource.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_fake_resource = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "fake_resource"
- }
- ]
-}
+import rego.v1
 
-input_delete_fake_resource = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "fake_resource"
- }
- ]
-}
+input_create_fake_resource := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "fake_resource",
+}]}
 
-input_update_fake_resource = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "fake_resource"
- }
- ]
-}
+input_delete_fake_resource := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "fake_resource",
+}]}
 
-test_create_fake_resource {
- authz with input as input_create_fake_resource
+input_update_fake_resource := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "fake_resource",
+}]}
+
+test_create_fake_resource if {
+ authz with input as input_create_fake_resource
 }
 
-test_delete_fake_resource {
- not authz with input as input_delete_fake_resource
+test_delete_fake_resource if {
+ not authz with input as input_delete_fake_resource
 }
 
-test_update_fake_resource {
- authz with input as input_update_fake_resource
-}
\ No newline at end of file
+test_update_fake_resource if {
+ authz with input as input_update_fake_resource
+}
diff --git a/docker/opa-policies/test_helm_release.rego b/docker/opa-policies/test_helm_release.rego
index f62feed..53aadad 100644
--- a/docker/opa-policies/test_helm_release.rego
+++ b/docker/opa-policies/test_helm_release.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_helm_release = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "helm_release"
- }
- ]
-}
+import rego.v1
 
-input_delete_helm_release = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "helm_release"
- }
- ]
-}
+input_create_helm_release := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "helm_release",
+}]}
 
-input_update_helm_release = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "helm_release"
- }
- ]
-}
+input_delete_helm_release := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "helm_release",
+}]}
 
-test_create_helm_release {
- authz with input as input_create_helm_release
+input_update_helm_release := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "helm_release",
+}]}
+
+test_create_helm_release if {
+ authz with input as input_create_helm_release
 }
 
-test_delete_helm_release {
- not authz with input as input_delete_helm_release
+test_delete_helm_release if {
+ not authz with input as input_delete_helm_release
 }
 
-test_update_helm_release {
- authz with input as input_update_helm_release
-}
\ No newline at end of file
+test_update_helm_release if {
+ authz with input as input_update_helm_release
+}
diff --git a/docker/opa-policies/test_kubernetes_namespace.rego b/docker/opa-policies/test_kubernetes_namespace.rego
index f3e02ec..1de1079 100644
--- a/docker/opa-policies/test_kubernetes_namespace.rego
+++ b/docker/opa-policies/test_kubernetes_namespace.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_kubernetes_namespace = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "kubernetes_namespace"
- }
- ]
-}
+import rego.v1
 
-input_delete_kubernetes_namespace = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "kubernetes_namespace"
- }
- ]
-}
+input_create_kubernetes_namespace := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "kubernetes_namespace",
+}]}
 
-input_update_kubernetes_namespace = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "kubernetes_namespace"
- }
- ]
-}
+input_delete_kubernetes_namespace := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "kubernetes_namespace",
+}]}
 
-test_create_kubernetes_namespace {
- authz with input as input_create_kubernetes_namespace
+input_update_kubernetes_namespace := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "kubernetes_namespace",
+}]}
+
+test_create_kubernetes_namespace if {
+ authz with input as input_create_kubernetes_namespace
 }
 
-test_delete_kubernetes_namespace {
- not authz with input as input_delete_kubernetes_namespace
+test_delete_kubernetes_namespace if {
+ not authz with input as input_delete_kubernetes_namespace
 }
 
-test_update_kubernetes_namespace {
- authz with input as input_update_kubernetes_namespace
-}
\ No newline at end of file
+test_update_kubernetes_namespace if {
+ authz with input as input_update_kubernetes_namespace
+}
diff --git a/docker/opa-policies/test_kubernetes_service_account.rego b/docker/opa-policies/test_kubernetes_service_account.rego
index 62bf37f..258bd0f 100644
--- a/docker/opa-policies/test_kubernetes_service_account.rego
+++ b/docker/opa-policies/test_kubernetes_service_account.rego
@@ -1,52 +1,30 @@ package terraform.analysis -input_create_kubernetes_service_account = { - "resource_changes": [ - { - "change": { - "actions": [ - "create" - ] - }, - "type": "kubernetes_service_account" - } - ] -} +import rego.v1 -input_delete_kubernetes_service_account = { - "resource_changes": [ - { - "change": { - "actions": [ - "delete" - ] - }, - "type": "kubernetes_service_account" - } - ] -} +input_create_kubernetes_service_account := {"resource_changes": [{ + "change": {"actions": ["create"]}, + "type": "kubernetes_service_account", +}]} -input_update_kubernetes_service_account = { - "resource_changes": [ - { - "change": { - "actions": [ - "update" - ] - }, - "type": "kubernetes_service_account" - } - ] -} +input_delete_kubernetes_service_account := {"resource_changes": [{ + "change": {"actions": ["delete"]}, + "type": "kubernetes_service_account", +}]} -test_create_kubernetes_service_account { - authz with input as input_create_kubernetes_service_account +input_update_kubernetes_service_account := {"resource_changes": [{ + "change": {"actions": ["update"]}, + "type": "kubernetes_service_account", +}]} + +test_create_kubernetes_service_account if { + authz with input as input_create_kubernetes_service_account } -test_delete_kubernetes_service_account { - not authz with input as input_delete_kubernetes_service_account +test_delete_kubernetes_service_account if { + not authz with input as input_delete_kubernetes_service_account } -test_update_kubernetes_service_account { - authz with input as input_update_kubernetes_service_account -} \ No newline at end of file +test_update_kubernetes_service_account if { + authz with input as input_update_kubernetes_service_account +} diff --git a/docker/terraform.sh b/docker/terraform.sh index 09560ed..a374373 100755 --- a/docker/terraform.sh +++ b/docker/terraform.sh 
@@ -148,7 +148,7 @@ validate () { terraform validate terraform fmt . terraform fmt variables/ - tflint --config="/work/.tflint.d/.tflint.hcl" --var-file="variables/${ENVIRONMENT}.tfvars" --var-file="variables/common.tfvars" --var-file="../global.tfvars" . + tflint --config="/work/.tflint.d/.tflint.hcl" --var-file="variables/${ENVIRONMENT}.tfvars" --var-file="variables/common.tfvars" --var-file="../global.tfvars" tfsec . } @@ -193,4 +193,4 @@ case $ACTION in validate ) validate ;; -esac +esac \ No newline at end of file
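Review bot: Please confirm the new tflint invocation ends after `--var-file="../global.tfvars"` and that `tfsec .` is the unchanged next line; in this collapsed view the two read as a single added line, and if `tfsec .` were actually appended to the tflint command, tflint would treat `tfsec` as a path argument and tfsec would not run at all. Dropping the positional `.` is consistent with tflint releases that replaced the path argument with `--chdir`, so the tflint version pinned in the image should be checked against that, and a comment such as `# tflint lints the current directory; pass --chdir to target another module` would record why no path is given. The enclosing `validate ()` function starts outside the hunk, so whether a tflint failure still fails the step (e.g. under `set -e`) cannot be confirmed here. In the second hunk the rewritten `+esac` is marked `\ No newline at end of file` while the old line had one; restore the trailing newline.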
