From ac20c77c0d8fefa0643b1d8658b6840b944aa1cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Anundsson?=
Date: Tue, 4 Mar 2025 15:52:36 +0100
Subject: [PATCH 01/19] Multi-arch Dockerfile

---
 docker/Dockerfile | 137 +++++++++++++++++++++++-----------------------
 1 file changed, 70 insertions(+), 67 deletions(-)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index a4a39b7..4ab1c79 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,93 +1,96 @@
-FROM golang:1.21 AS tf-prepare-builder
-WORKDIR /workspace
-
-COPY ./go-tf-prepare/go.mod ./go-tf-prepare/go.sum ./
-RUN go mod download
-COPY ./go-tf-prepare/main.go main.go
-COPY ./go-tf-prepare/pkg/ pkg/
-RUN GOOS=linux GOARCH=amd64 GO111MODULE=on go build -o tf-prepare main.go
-
-FROM debian:12.2-slim
-
-#Base
-RUN apt-get update -y
-RUN apt-get install -y git curl openssl pip make unzip gpg wget apt-utils
-RUN apt-get install -y ansible=7.7.0+dfsg-3+deb12u1
-
-RUN mkdir -p /tmp/install /usr/src /work
-WORKDIR /tmp/install
+# Image used for the build stage
+FROM debian:stable-slim
+
+# Set build arguments for target architecture
+ARG TARGETARCH
+ARG TARGETOS
+
+# Install dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ bash \
+ ca-certificates \
+ git \
+ curl \
+ openssl \
+ unzip \
+ gpg \
+ wget \
+ jq \
+ yq && \
+ rm -rf /var/lib/apt/lists/*
 # Install Azure CLI
-COPY install-scripts/azure-cli.sh /usr/src/install-scripts/azure-cli.sh
-RUN /usr/src/install-scripts/azure-cli.sh --version="2.55.0"
+RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash
-# Install AWS CLI
-COPY install-scripts/aws-cli.sh /usr/src/install-scripts/aws-cli.sh
-RUN /usr/src/install-scripts/aws-cli.sh --version="2.14.5"
+# Install Terraform
+RUN TERRAFORM_VERSION="1.11.0" && \
+ curl -LO "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_${TARGETARCH}.zip" && \
+ unzip terraform_${TERRAFORM_VERSION}_linux_${TARGETARCH}.zip -d /usr/local/bin && \
+ rm terraform_${TERRAFORM_VERSION}_linux_${TARGETARCH}.zip
 # Install tflint
-COPY install-scripts/tflint.sh /usr/src/install-scripts/tflint.sh
-RUN /usr/src/install-scripts/tflint.sh --version="v0.49.0" --sha="56d862054e8f71e3ba392c6617fca2d730b5ecdf8a4a0768ba6087406dcc7d63"
-COPY config/.tflint.hcl /work/.tflint.d/.tflint.hcl
+RUN TFLINT_VERSION="v0.49.0" && \
+ curl -L -o tflint.zip "https://github.com/terraform-linters/tflint/releases/download/${TFLINT_VERSION}/tflint_linux_${TARGETARCH}.zip" && \
+ unzip tflint.zip -d /usr/local/bin && \
+ rm tflint.zip
-# Install tflint ruleset
-COPY install-scripts/tflint-ruleset.sh /usr/src/install-scripts/tflint-ruleset.sh
-RUN /usr/src/install-scripts/tflint-ruleset.sh --ruleset="azurerm" --version="v0.25.1" --sha="a0812b02b93dfbfcfb9521a665be249b025ee074f60943e5b5eb1869dbb36ee0"
-RUN /usr/src/install-scripts/tflint-ruleset.sh --ruleset="aws" --version="v0.28.0" --sha="f099944a68e464665dfd4067b663ff6c68229b703d5dff9faea789d3974b078a"
+# Install tflint rulesets
+COPY config/.tflint.hcl /work/.tflint.d/.tflint.hcl
+RUN tflint --init --config=/work/.tflint.d/.tflint.hcl
 # Install terraform (tfenv)
-COPY install-scripts/tfenv.sh /usr/src/install-scripts/tfenv.sh
-RUN /usr/src/install-scripts/tfenv.sh --latest-terraform-version="1.5.7" --tfenv-version="v3.0.0"
+RUN TFENV_VERSION="1.5.7" && \
+ git clone https://github.com/tfutils/tfenv.git ~/.tfenv && \
+ echo 'export PATH="$HOME/.tfenv/bin:$PATH"' >> ~/.bashrc && \
+ ~/.tfenv/bin/tfenv install ${TFENV_VERSION} && \
+ ~/.tfenv/bin/tfenv use ${TFENV_VERSION}
 # Install tfsec
-COPY install-scripts/tfsec.sh /usr/src/install-scripts/tfsec.sh
-RUN /usr/src/install-scripts/tfsec.sh --version="v1.28.4" --sha="ecd6c40122835356b78d9488328c2c1c186a1a03c8ae00c6a33ba1c08909a4d9"
+RUN TFSEC_VERSION="v1.28.4" && \
+ curl -L -o /usr/local/bin/tfsec "https://github.com/aquasecurity/tfsec/releases/download/${TFSEC_VERSION}/tfsec-linux-${TARGETARCH}" && \
+ chmod +x /usr/local/bin/tfsec
-# Install Open Policy Agent
-COPY install-scripts/opa.sh /usr/src/install-scripts/opa.sh
-RUN /usr/src/install-scripts/opa.sh --version="v0.43.0" --sha="d5337139a7ccb04149bd9f96ab7a1641a3e3c39f6e1fffa610c7a5c054b0881f"
+# Install Open Policy Agent (OPA)
+RUN OPA_VERSION="v0.43.0" && \
+ curl -L -o opa "https://openpolicyagent.org/downloads/${OPA_VERSION}/opa_linux_${TARGETARCH}" && \
+ chmod +x opa && \
+ mv opa /usr/local/bin/
 # Install sops
-COPY install-scripts/sops.sh /usr/src/install-scripts/sops.sh
-RUN /usr/src/install-scripts/sops.sh --version="v3.8.1" --sha="d6bf07fb61972127c9e0d622523124c2d81caf9f7971fb123228961021811697"
+RUN SOPS_VERSION="v3.8.1" && \
+ curl -L -o /usr/local/bin/sops "https://github.com/mozilla/sops/releases/download/${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux.${TARGETARCH}" && \
+ chmod +x /usr/local/bin/sops
 # Install GitHub CLI
-COPY install-scripts/github-cli.sh /usr/src/install-scripts/github-cli.sh
-RUN /usr/src/install-scripts/github-cli.sh --version="2.39.2" --sha="460d270662f80b8314928ff80ac36db619b8bbac281a1331afd0d6e822f40426"
-
-# Install jq
-COPY install-scripts/jq.sh /usr/src/install-scripts/jq.sh
-RUN /usr/src/install-scripts/jq.sh --version="1.7" --sha="2f312b9587b1c1eddf3a53f9a0b7d276b9b7b94576c85bda22808ca950569716"
-
-# Install yq
-COPY install-scripts/yq.sh /usr/src/install-scripts/yq.sh
-RUN /usr/src/install-scripts/yq.sh --version="3.1.0-3"
+RUN GH_VERSION="2.39.2" && \
+ curl -L -o gh.tar.gz "https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_${TARGETARCH}.tar.gz" && \
+ tar -xzf gh.tar.gz && \
+ mv gh_*/bin/gh /usr/local/bin/ && \
+ rm -rf gh_*
 # Install kubectl
-COPY install-scripts/kubectl.sh /usr/src/install-scripts/kubectl.sh
-RUN /usr/src/install-scripts/kubectl.sh --version="v1.28.4" --sha="893c92053adea6edbbd4e959c871f5c21edce416988f968bec565d115383f7b8"
+RUN KUBECTL_VERSION="v1.28.4" && \
+ curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl" && \
+ chmod +x kubectl && \
+ mv kubectl /usr/local/bin/
 # Install helm
-COPY install-scripts/helm.sh /usr/src/install-scripts/helm.sh
-RUN /usr/src/install-scripts/helm.sh --version="v3.13.2" --sha="55a8e6dce87a1e52c61e0ce7a89bf85b38725ba3e8deb51d4a08ade8a2c70b2d"
-
-COPY --from=tf-prepare-builder /workspace/tf-prepare /usr/local/bin/tf-prepare
-RUN chmod +x /usr/local/bin/tf-prepare
+RUN HELM_VERSION="v3.13.2" && \
+ curl -fsSL -o get_helm.sh "https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3" && \
+ chmod 700 get_helm.sh && \
+ ./get_helm.sh --version "$HELM_VERSION" && \
+ rm get_helm.sh
-# Install packer
-COPY install-scripts/packer.sh /usr/src/install-scripts/packer.sh
-RUN /usr/src/install-scripts/packer.sh --version="1.9.4" --sha="6cd5269c4245aa8c99e551d1b862460d63fe711c58bec618fade25f8492e80d9"
-
-#Cleanup
+# Cleanup
 RUN apt-get autoremove && \
 apt-get clean
-RUN rm -rf /tmp/install
-
-COPY opa-policies /opt/opa-policies
-COPY terraform.sh /opt/terraform.sh
-COPY packer.sh /opt/packer.sh
+# Copy additional files
+COPY ./opa-policies /opt/opa-policies
+COPY ./terraform.sh /opt/terraform.sh
+# Set environment variables
 ENV HOME=/work
-WORKDIR /work
+# Set working directory
+WORKDIR /work
\ No newline at end of file

From b9a503d16569837fc64b1c593444a50ea873780e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Anundsson?=
Date: Tue, 4 Mar 2025 15:57:38 +0100
Subject: [PATCH 02/19] Updated pipelines to support multi-arch docker build

---
 .github/workflows/tools-container-latest.yaml | 1 +
 .github/workflows/tools-container-pr.yaml | 1 +
 .github/workflows/tools-container-tag.yaml | 1 +
 3 files changed, 3 insertions(+)

diff --git a/.github/workflows/tools-container-latest.yaml b/.github/workflows/tools-container-latest.yaml
index 564550b..8600786 100644
--- a/.github/workflows/tools-container-latest.yaml
+++ b/.github/workflows/tools-container-latest.yaml
@@ -31,6 +31,7 @@ jobs:
 with:
 cache-from: ghcr.io/xenitab/github-actions/tools:latest
 file: docker/Dockerfile
+ platforms: linux/amd64,linux/arm64
 context: docker
 tags: ghcr.io/xenitab/github-actions/tools:latest
 push: true
diff --git a/.github/workflows/tools-container-pr.yaml b/.github/workflows/tools-container-pr.yaml
index 17f1351..efb8dc4 100644
--- a/.github/workflows/tools-container-pr.yaml
+++ b/.github/workflows/tools-container-pr.yaml
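Review bot: The sops step builds a URL that cannot exist — `SOPS_VERSION="v3.8.1"` is interpolated into `sops-v${SOPS_VERSION}.linux.${TARGETARCH}`, yielding `sops-vv3.8.1…`, and because none of the new `curl -L` calls pass `-f`, the 404 body is what gets `chmod +x` and shipped as `/usr/local/bin/sops`. The removed install scripts carried `--sha=` digests for tflint, tfsec, OPA, sops, gh, kubectl and helm; their replacements verify nothing, the base tag moves from `debian:12.2-slim` to the floating `debian:stable-slim`, the Helm installer is fetched from the `main` branch of helm/helm rather than a tagged revision, and the Azure CLI `curl -sL … | bash` runs under `/bin/sh` without pipefail, so a failed download there is silent as well. The tfenv step clones an unpinned default branch (previously `--tfenv-version="v3.0.0"`), installs a second Terraform (1.5.7 next to the 1.11.0 zip already unpacked into `/usr/local/bin`) under `/root/.tfenv`, and its `~/.bashrc` PATH edit never takes effect once `ENV HOME=/work` is set. Suggested shape for one tool (apply the same pattern to the others, with per-architecture digests taken from each project's published checksum file):
```dockerfile
# directly after FROM, so every RUN below fails on a broken pipe
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# … unchanged: apt-get install, Azure CLI, Terraform, tflint, tfenv, tfsec, OPA …

# Install sops (version pinned; digest verified per target architecture)
RUN SOPS_VERSION="3.8.1" && \
    case "${TARGETARCH}" in \
      amd64) SOPS_SHA256="<sha256 of sops-v3.8.1.linux.amd64 — placeholder>" ;; \
      arm64) SOPS_SHA256="<sha256 of sops-v3.8.1.linux.arm64 — placeholder>" ;; \
      *) echo "unsupported TARGETARCH: ${TARGETARCH}" >&2; exit 1 ;; \
    esac && \
    curl -fsSL -o /usr/local/bin/sops \
      "https://github.com/mozilla/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux.${TARGETARCH}" && \
    echo "${SOPS_SHA256}  /usr/local/bin/sops" | sha256sum -c - && \
    chmod +x /usr/local/bin/sops
# … unchanged: GitHub CLI, kubectl, helm, cleanup, COPY, ENV, WORKDIR …
```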
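Review bot: `platforms: linux/amd64,linux/arm64` is added to `docker/build-push-action@v2` steps whose jobs only run `docker/setup-buildx-action@v1`; building the arm64 half on an amd64 `ubuntu-latest` runner requires emulation, so unless the runner image already registers binfmt handlers the build will stop at the first arm64 `RUN`. Add a `- uses: docker/setup-qemu-action@v3` step before the Buildx setup; the same one-line hunk appears in `tools-container-pr.yaml` and `tools-container-tag.yaml` and needs the same companion step. The rest of each job is outside the hunk.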
@@ -21,5 +21,6 @@ jobs:
 with:
 cache-from: ghcr.io/xenitab/github-actions/tools:latest
 file: docker/Dockerfile
+ platforms: linux/amd64,linux/arm64
 context: docker
 push: false
diff --git a/.github/workflows/tools-container-tag.yaml b/.github/workflows/tools-container-tag.yaml
index 03cefa0..8e26b83 100644
--- a/.github/workflows/tools-container-tag.yaml
+++ b/.github/workflows/tools-container-tag.yaml
@@ -36,6 +36,7 @@ jobs:
 with:
 cache-from: ghcr.io/xenitab/github-actions/tools:latest
 file: docker/Dockerfile
+ platforms: linux/amd64,linux/arm64
 context: docker
 tags: ghcr.io/xenitab/github-actions/tools:${{ steps.get_tag.outputs.tag }}
 push: true

From fc3d4da3c3e91ac4b3d3e2c60a91ba063781007a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Anundsson?= Date: Tue, 4 Mar 2025 16:23:31 +0100 Subject: [PATCH 03/19] /install-scripts = obsolete; iterate pipelines --- .github/workflows/shared-steps.yml | 10 +-- .github/workflows/tools-container-latest.yaml | 37 --------- .github/workflows/tools-container-pr.yaml | 25 ++---- .github/workflows/tools-container-tag.yaml | 48 ++++-------- .../workflows/tools-lite-container-latest.yml | 26 ------- .../workflows/tools-lite-container-pr.yaml | 15 ---- .../workflows/tools-lite-container-tag.yaml | 22 ------ docker/Dockerfile.lite | 76 ------------------- .../{ => obsolete}/install-scripts/aws-cli.sh | 0 .../install-scripts/azure-cli-lite.sh | 0 .../install-scripts/azure-cli.sh | 0 .../install-scripts/github-cli-lite.sh | 0 .../install-scripts/github-cli.sh | 0 docker/{ => obsolete}/install-scripts/helm.sh | 0 .../{ => obsolete}/install-scripts/jq-lite.sh | 0 docker/{ => obsolete}/install-scripts/jq.sh | 0 .../{ => obsolete}/install-scripts/kubectl.sh | 0 .../install-scripts/opa-lite.sh | 0 docker/{ => obsolete}/install-scripts/opa.sh | 0 .../{ => obsolete}/install-scripts/packer.sh | 0 .../install-scripts/sops-lite.sh | 0 docker/{ => obsolete}/install-scripts/sops.sh | 0 .../{ => obsolete}/install-scripts/tfenv.sh | 0 .../install-scripts/tflint-lite.sh | 0 .../install-scripts/tflint-ruleset-lite.sh | 0 .../install-scripts/tflint-ruleset.sh | 0 .../{ => obsolete}/install-scripts/tflint.sh | 0 .../install-scripts/tfsec-lite.sh | 0 .../{ => obsolete}/install-scripts/tfsec.sh | 0 docker/{ => obsolete}/install-scripts/yq.sh | 0 30 files changed, 26 insertions(+), 233 deletions(-) delete mode 100644 .github/workflows/tools-container-latest.yaml delete mode 100644 .github/workflows/tools-lite-container-latest.yml delete mode 100644 .github/workflows/tools-lite-container-pr.yaml delete mode 100644 .github/workflows/tools-lite-container-tag.yaml delete mode 100644 docker/Dockerfile.lite rename docker/{ => obsolete}/install-scripts/aws-cli.sh 
(100%) rename docker/{ => obsolete}/install-scripts/azure-cli-lite.sh (100%) rename docker/{ => obsolete}/install-scripts/azure-cli.sh (100%) rename docker/{ => obsolete}/install-scripts/github-cli-lite.sh (100%) rename docker/{ => obsolete}/install-scripts/github-cli.sh (100%) rename docker/{ => obsolete}/install-scripts/helm.sh (100%) rename docker/{ => obsolete}/install-scripts/jq-lite.sh (100%) rename docker/{ => obsolete}/install-scripts/jq.sh (100%) rename docker/{ => obsolete}/install-scripts/kubectl.sh (100%) rename docker/{ => obsolete}/install-scripts/opa-lite.sh (100%) rename docker/{ => obsolete}/install-scripts/opa.sh (100%) rename docker/{ => obsolete}/install-scripts/packer.sh (100%) rename docker/{ => obsolete}/install-scripts/sops-lite.sh (100%) rename docker/{ => obsolete}/install-scripts/sops.sh (100%) rename docker/{ => obsolete}/install-scripts/tfenv.sh (100%) rename docker/{ => obsolete}/install-scripts/tflint-lite.sh (100%) rename docker/{ => obsolete}/install-scripts/tflint-ruleset-lite.sh (100%) rename docker/{ => obsolete}/install-scripts/tflint-ruleset.sh (100%) rename docker/{ => obsolete}/install-scripts/tflint.sh (100%) rename docker/{ => obsolete}/install-scripts/tfsec-lite.sh (100%) rename docker/{ => obsolete}/install-scripts/tfsec.sh (100%) rename docker/{ => obsolete}/install-scripts/yq.sh (100%) diff --git a/.github/workflows/shared-steps.yml b/.github/workflows/shared-steps.yml index 0510741..9c8af5e 100644 --- a/.github/workflows/shared-steps.yml +++ b/.github/workflows/shared-steps.yml 
@@ -37,24 +37,24 @@ jobs:
 DO_TAG: ${{inputs.do_tag}}
 run: |
 if [ $DO_TAG = 'YES' ]; then
- echo "tag=lite-${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+ echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
 else
- echo "tag=lite" >> $GITHUB_OUTPUT
+ echo "tag=" >> $GITHUB_OUTPUT
 fi
 echo "repository=${GITHUB_REPOSITORY@L}" >> $GITHUB_OUTPUT
- - name: '[LITE] Build container image, (and push)'
+ - name: 'Build container image, (and push)'
 id: push
 uses: docker/build-push-action@v6
 with:
 cache-from: ${{inputs.registry}}/${{github.repository}}/tools:${{ steps.sh_settings.outputs.tag }}
- file: docker/Dockerfile.lite
+ file: docker/Dockerfile
 context: docker
 tags: ${{inputs.registry}}/${{ steps.sh_settings.outputs.repository }}/tools:${{ steps.sh_settings.outputs.tag }}
 platforms: linux/amd64,linux/arm64
 push: ${{github.event_name != 'pull_request'}}
- - name: '[LITE] Generate artifact attestation'
+ - name: 'Generate artifact attestation'
 if: ${{github.event_name != 'pull_request'}}
 uses: actions/attest-build-provenance@v1
 with:
diff --git a/.github/workflows/tools-container-latest.yaml b/.github/workflows/tools-container-latest.yaml
deleted file mode 100644
index 8600786..0000000
--- a/.github/workflows/tools-container-latest.yaml
+++ /dev/null
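Review bot: The `else` branch now writes `tag=` with an empty value, so every non-`YES` run expands the `cache-from` and `tags` inputs below to `…/tools:` — a reference with a trailing colon and no tag, which the build step rejects (the previous `lite` at least produced a valid reference). Give the branch an explicit value, e.g. `echo "tag=latest" >> $GITHUB_OUTPUT`. The `YES` branch also assumes `GITHUB_REF` is a tag ref; on any other event `${GITHUB_REF#refs/tags/}` strips nothing and leaves `refs/heads/…` or `refs/pull/…`, which contains slashes and is not a valid image tag either. The `run:` block begins and the step list continues outside the hunk.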
@@ -1,37 +0,0 @@ -name: Tools Container - Publish Latest - -on: - push: - branches: - - main - paths: - - 'docker/**' - - '.github/**' - -jobs: - publish_latest: - name: Push latest container image to GitHub Packages - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - - - name: Login to GitHub Container Registry - uses: docker/login-action@v2 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build and push container image - uses: docker/build-push-action@v2 - with: - cache-from: ghcr.io/xenitab/github-actions/tools:latest - file: docker/Dockerfile - platforms: linux/amd64,linux/arm64 - context: docker - tags: ghcr.io/xenitab/github-actions/tools:latest - push: true diff --git a/.github/workflows/tools-container-pr.yaml b/.github/workflows/tools-container-pr.yaml index efb8dc4..9d62ad8 100644 --- a/.github/workflows/tools-container-pr.yaml +++ b/.github/workflows/tools-container-pr.yaml @@ -1,26 +1,15 @@ -name: Tools Container - PR Validation +name: 'Tools Container - PR Validation' on: + workflow_dispatch: pull_request: paths: - 'docker/**' jobs: pr_validation: - name: PR Validation - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - - - name: Build container image - uses: docker/build-push-action@v2 - with: - cache-from: ghcr.io/xenitab/github-actions/tools:latest - file: docker/Dockerfile - platforms: linux/amd64,linux/arm64 - context: docker - push: false + name: 'PR Validation' + uses: ./.github/workflows/shared-steps.yml + with: + registry: ghcr.io + do_tag: 'NOPE' diff --git a/.github/workflows/tools-container-tag.yaml b/.github/workflows/tools-container-tag.yaml index 8e26b83..db18545 100644 --- a/.github/workflows/tools-container-tag.yaml +++ b/.github/workflows/tools-container-tag.yaml 
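Review bot: The new `workflow_dispatch:` trigger in `tools-container-pr.yaml` turns a manual run into a pushing run — the shared workflow logs in and sets `push: ${{github.event_name != 'pull_request'}}` for every event that is not a pull request — yet this caller passes no `secrets:` and no `permissions:` (`packages: write`, `id-token: write`, `attestations: write`, as the tag workflow declares), so a dispatch fails at login or at push instead of validating the build. Either drop `workflow_dispatch:` here, or pass `secrets: token: ${{ secrets.GITHUB_TOKEN }}` together with the same `permissions:` block the tag workflow uses.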
@@ -1,42 +1,22 @@ -name: Tools Container - Publish Tag +name: 'Tools Container - Publish Tag' on: + workflow_dispatch: release: types: - published - paths: - - "docker/**" - - ".github/**" jobs: publish_latest: - name: Push tagged container image to GitHub Packages - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - - - name: Login to GitHub Container Registry - uses: docker/login-action@v2 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Get GitHub Tag - id: get_tag - run: | - echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT - - - name: Build and push container image - uses: docker/build-push-action@v2 - with: - cache-from: ghcr.io/xenitab/github-actions/tools:latest - file: docker/Dockerfile - platforms: linux/amd64,linux/arm64 - context: docker - tags: ghcr.io/xenitab/github-actions/tools:${{ steps.get_tag.outputs.tag }} - push: true + name: 'Push tagged container image to GitHub Packages' + permissions: + contents: read + packages: write + attestations: write + id-token: write + uses: ./.github/workflows/shared-steps.yml + with: + registry: ghcr.io + do_tag: 'YES' + secrets: + token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/tools-lite-container-latest.yml b/.github/workflows/tools-lite-container-latest.yml deleted file mode 100644 index 13929db..0000000 --- a/.github/workflows/tools-lite-container-latest.yml +++ /dev/null 
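Review bot: Adding `workflow_dispatch:` next to `release: published` lets this job run with `do_tag: 'YES'` on a branch ref, where the shared step's `${GITHUB_REF#refs/tags/}` yields `refs/heads/<branch>` — a value with slashes that is not a valid image tag, so the push fails after the whole multi-arch build has run. If manual runs are wanted, declare a `tag` input on the dispatch and pass it through, or have the shared workflow take the tag from `github.event.release.tag_name` and fail explicitly when it is empty. The tag computation lives in `shared-steps.yml`, outside this hunk.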
@@ -1,26 +0,0 @@ -name: '[LITE] Tools Container - Publish Latest' - -on: - workflow_dispatch: - push: - branches: - - main - paths: - - 'docker/**' - - '.github/**' - -jobs: - publish_latest: - name: Push latest [LITE] container image to GitHub Packages - permissions: - contents: read - packages: write - attestations: write - id-token: write - uses: ./.github/workflows/shared-steps.yml - with: - registry: ghcr.io - do_tag: 'NOPE' - secrets: - token: ${{ secrets.GITHUB_TOKEN }} - diff --git a/.github/workflows/tools-lite-container-pr.yaml b/.github/workflows/tools-lite-container-pr.yaml deleted file mode 100644 index 570a7ae..0000000 --- a/.github/workflows/tools-lite-container-pr.yaml +++ /dev/null @@ -1,15 +0,0 @@ -name: '[LITE] Tools Container - PR Validation' - -on: - workflow_dispatch: - pull_request: - paths: - - 'docker/**' - -jobs: - pr_validation: - name: '[LITE] PR Validation' - uses: ./.github/workflows/shared-steps.yml - with: - registry: ghcr.io - do_tag: 'NOPE' diff --git a/.github/workflows/tools-lite-container-tag.yaml b/.github/workflows/tools-lite-container-tag.yaml deleted file mode 100644 index c724512..0000000 --- a/.github/workflows/tools-lite-container-tag.yaml +++ /dev/null @@ -1,22 +0,0 @@ -name: '[LITE] Tools Container - Publish Tag' - -on: - workflow_dispatch: - release: - types: - - published - -jobs: - publish_latest: - name: '[LITE] Push tagged container image to GitHub Packages' - permissions: - contents: read - packages: write - attestations: write - id-token: write - uses: ./.github/workflows/shared-steps.yml - with: - registry: ghcr.io - do_tag: 'YES' - secrets: - token: ${{ secrets.GITHUB_TOKEN }} diff --git a/docker/Dockerfile.lite b/docker/Dockerfile.lite deleted file mode 100644 index 15a26e2..0000000 --- a/docker/Dockerfile.lite +++ /dev/null 
@@ -1,76 +0,0 @@ -FROM golang:1.23-bookworm AS tf-prepare-builder -WORKDIR /workspace -ARG TARGETARCH - -COPY ./go-tf-prepare/go.mod ./go-tf-prepare/go.sum ./ -RUN go mod download -COPY ./go-tf-prepare/main.go main.go -COPY ./go-tf-prepare/pkg/ pkg/ -RUN GOOS=linux GOARCH=$TARGETARCH GO111MODULE=on go build -o tf-prepare main.go - -FROM debian:bookworm-slim - -#Base -RUN apt-get update -y -RUN apt-get install -y git curl openssl pip make unzip gpg wget apt-utils - -RUN mkdir -p /tmp/install /usr/src /work -WORKDIR /tmp/install - -# Install Azure CLI -COPY install-scripts/azure-cli-lite.sh /usr/src/install-scripts/azure-cli.sh -RUN /usr/src/install-scripts/azure-cli.sh --version="2.64.0" - -# Install tflint -COPY install-scripts/tflint-lite.sh /usr/src/install-scripts/tflint.sh -RUN /usr/src/install-scripts/tflint.sh --version="v0.53.0" -COPY config/.tflint.hcl /work/.tflint.d/.tflint.hcl - -# Install tflint ruleset -COPY install-scripts/tflint-ruleset-lite.sh /usr/src/install-scripts/tflint-ruleset.sh -RUN /usr/src/install-scripts/tflint-ruleset.sh --ruleset="azurerm" --version="v0.27.0" - -# Install terraform (tfenv) -COPY install-scripts/tfenv.sh /usr/src/install-scripts/tfenv.sh -RUN /usr/src/install-scripts/tfenv.sh --latest-terraform-version="1.9.5" --tfenv-version="v3.0.0" - -# Install tfsec -COPY install-scripts/tfsec-lite.sh /usr/src/install-scripts/tfsec.sh -RUN /usr/src/install-scripts/tfsec.sh --version="v1.28.10" - -# Install Open Policy Agent, version 0.43.0 ??? 
-COPY install-scripts/opa-lite.sh /usr/src/install-scripts/opa.sh -RUN /usr/src/install-scripts/opa.sh --version="v0.68.0" - -# Install sops -COPY install-scripts/sops-lite.sh /usr/src/install-scripts/sops.sh -RUN /usr/src/install-scripts/sops.sh --version="v3.9.0" - -# Install GitHub CLI -COPY install-scripts/github-cli-lite.sh /usr/src/install-scripts/github-cli.sh -RUN /usr/src/install-scripts/github-cli.sh --version="2.58.0" - -# Install jq -COPY install-scripts/jq-lite.sh /usr/src/install-scripts/jq.sh -RUN /usr/src/install-scripts/jq.sh --version="1.6-2.1" - -# Install yq -COPY install-scripts/yq.sh /usr/src/install-scripts/yq.sh -RUN /usr/src/install-scripts/yq.sh --version="3.1.0-3" - -# Install tfprepare -COPY --from=tf-prepare-builder /workspace/tf-prepare /usr/local/bin/tf-prepare -RUN chmod +x /usr/local/bin/tf-prepare - -#Cleanup -RUN apt-get autoremove && \ - apt-get clean - -RUN rm -rf /tmp/install - -COPY opa-policies /opt/opa-policies -COPY terraform.sh /opt/terraform.sh - -ENV HOME=/work - -WORKDIR /work diff --git a/docker/install-scripts/aws-cli.sh b/docker/obsolete/install-scripts/aws-cli.sh similarity index 100% rename from docker/install-scripts/aws-cli.sh rename to docker/obsolete/install-scripts/aws-cli.sh diff --git a/docker/install-scripts/azure-cli-lite.sh b/docker/obsolete/install-scripts/azure-cli-lite.sh similarity index 100% rename from docker/install-scripts/azure-cli-lite.sh rename to docker/obsolete/install-scripts/azure-cli-lite.sh diff --git a/docker/install-scripts/azure-cli.sh b/docker/obsolete/install-scripts/azure-cli.sh similarity index 100% rename from docker/install-scripts/azure-cli.sh rename to docker/obsolete/install-scripts/azure-cli.sh diff --git a/docker/install-scripts/github-cli-lite.sh b/docker/obsolete/install-scripts/github-cli-lite.sh similarity index 100% rename from docker/install-scripts/github-cli-lite.sh rename to docker/obsolete/install-scripts/github-cli-lite.sh 
diff --git a/docker/install-scripts/github-cli.sh b/docker/obsolete/install-scripts/github-cli.sh similarity index 100% rename from docker/install-scripts/github-cli.sh rename to docker/obsolete/install-scripts/github-cli.sh diff --git a/docker/install-scripts/helm.sh b/docker/obsolete/install-scripts/helm.sh similarity index 100% rename from docker/install-scripts/helm.sh rename to docker/obsolete/install-scripts/helm.sh diff --git a/docker/install-scripts/jq-lite.sh b/docker/obsolete/install-scripts/jq-lite.sh similarity index 100% rename from docker/install-scripts/jq-lite.sh rename to docker/obsolete/install-scripts/jq-lite.sh diff --git a/docker/install-scripts/jq.sh b/docker/obsolete/install-scripts/jq.sh similarity index 100% rename from docker/install-scripts/jq.sh rename to docker/obsolete/install-scripts/jq.sh diff --git a/docker/install-scripts/kubectl.sh b/docker/obsolete/install-scripts/kubectl.sh similarity index 100% rename from docker/install-scripts/kubectl.sh rename to docker/obsolete/install-scripts/kubectl.sh diff --git a/docker/install-scripts/opa-lite.sh b/docker/obsolete/install-scripts/opa-lite.sh similarity index 100% rename from docker/install-scripts/opa-lite.sh rename to docker/obsolete/install-scripts/opa-lite.sh diff --git a/docker/install-scripts/opa.sh b/docker/obsolete/install-scripts/opa.sh similarity index 100% rename from docker/install-scripts/opa.sh rename to docker/obsolete/install-scripts/opa.sh diff --git a/docker/install-scripts/packer.sh b/docker/obsolete/install-scripts/packer.sh similarity index 100% rename from docker/install-scripts/packer.sh rename to docker/obsolete/install-scripts/packer.sh diff --git a/docker/install-scripts/sops-lite.sh b/docker/obsolete/install-scripts/sops-lite.sh similarity index 100% rename from docker/install-scripts/sops-lite.sh rename to docker/obsolete/install-scripts/sops-lite.sh 
diff --git a/docker/install-scripts/sops.sh b/docker/obsolete/install-scripts/sops.sh similarity index 100% rename from docker/install-scripts/sops.sh rename to docker/obsolete/install-scripts/sops.sh diff --git a/docker/install-scripts/tfenv.sh b/docker/obsolete/install-scripts/tfenv.sh similarity index 100% rename from docker/install-scripts/tfenv.sh rename to docker/obsolete/install-scripts/tfenv.sh diff --git a/docker/install-scripts/tflint-lite.sh b/docker/obsolete/install-scripts/tflint-lite.sh similarity index 100% rename from docker/install-scripts/tflint-lite.sh rename to docker/obsolete/install-scripts/tflint-lite.sh diff --git a/docker/install-scripts/tflint-ruleset-lite.sh b/docker/obsolete/install-scripts/tflint-ruleset-lite.sh similarity index 100% rename from docker/install-scripts/tflint-ruleset-lite.sh rename to docker/obsolete/install-scripts/tflint-ruleset-lite.sh diff --git a/docker/install-scripts/tflint-ruleset.sh b/docker/obsolete/install-scripts/tflint-ruleset.sh similarity index 100% rename from docker/install-scripts/tflint-ruleset.sh rename to docker/obsolete/install-scripts/tflint-ruleset.sh diff --git a/docker/install-scripts/tflint.sh b/docker/obsolete/install-scripts/tflint.sh similarity index 100% rename from docker/install-scripts/tflint.sh rename to docker/obsolete/install-scripts/tflint.sh diff --git a/docker/install-scripts/tfsec-lite.sh b/docker/obsolete/install-scripts/tfsec-lite.sh similarity index 100% rename from docker/install-scripts/tfsec-lite.sh rename to docker/obsolete/install-scripts/tfsec-lite.sh diff --git a/docker/install-scripts/tfsec.sh b/docker/obsolete/install-scripts/tfsec.sh similarity index 100% rename from docker/install-scripts/tfsec.sh rename to docker/obsolete/install-scripts/tfsec.sh diff --git a/docker/install-scripts/yq.sh b/docker/obsolete/install-scripts/yq.sh similarity index 100% rename from docker/install-scripts/yq.sh rename to docker/obsolete/install-scripts/yq.sh 
From 497ee661aa55a2b9bf0bbca372aca6dd6fbea92e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Anundsson?=
Date: Tue, 4 Mar 2025 16:26:52 +0100
Subject: [PATCH 04/19] iterate pipelines

---
 .github/workflows/tools-container-pr.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/tools-container-pr.yaml b/.github/workflows/tools-container-pr.yaml
index 9d62ad8..d05b9bb 100644
--- a/.github/workflows/tools-container-pr.yaml
+++ b/.github/workflows/tools-container-pr.yaml
@@ -12,4 +12,4 @@ jobs:
 uses: ./.github/workflows/shared-steps.yml
 with:
 registry: ghcr.io
- do_tag: 'NOPE'
+ do_tag: 'YES'

From 19d13390d011bf1495c183a6dd6828e3943d0e7f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Anundsson?=
Date: Tue, 4 Mar 2025 17:59:08 +0100
Subject: [PATCH 05/19] iterate pipeline; using template

---
 .../workflows/container-build-template.yml | 56 ++++++++++++++++
 .github/workflows/shared-steps.yml | 64 -------------------
 .github/workflows/tools-container-latest.yml | 15 +++++
 .github/workflows/tools-container-pr.yaml | 9 +--
 .github/workflows/tools-container-tag.yaml | 31 +++++----
 5 files changed, 91 insertions(+), 84 deletions(-)
 create mode 100644 .github/workflows/container-build-template.yml
 delete mode 100644 .github/workflows/shared-steps.yml
 create mode 100644 .github/workflows/tools-container-latest.yml

diff --git a/.github/workflows/container-build-template.yml b/.github/workflows/container-build-template.yml
new file mode 100644
index 0000000..190eca7
--- /dev/null
+++ b/.github/workflows/container-build-template.yml
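Review bot: Setting `do_tag: 'YES'` for a `pull_request` run feeds `refs/pull/<n>/merge` through the shared step's `${GITHUB_REF#refs/tags/}`, which strips nothing, so the image is tagged with a string containing slashes and the build step rejects the reference before it starts. For PR validation the tag does not matter because nothing is pushed; keep `do_tag: 'NOPE'` and give the shared step's non-tag branch a fixed value such as `pr`. The tag computation is in `shared-steps.yml`, outside this hunk.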
@@ -0,0 +1,56 @@
+name: Docker Build Template
+
+on:
+ workflow_call:
+ inputs:
+ push:
+ type: boolean
+ required: true
+ tag:
+ type: string
+ required: false
+ registry:
+ type: string
+ required: false
+ default: ghcr.io
+ platforms:
+ type: string
+ required: false
+ default: linux/amd64,linux/arm64
+
+jobs:
+ build:
+ name: Build and Push Container Image
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v2
+ with:
+ registry: ${{ inputs.registry }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.token }}
+
+ - name: Build and push container image
+ id: build-push
+ uses: docker/build-push-action@v6
+ with:
+ cache-from: "${{ inputs.registry }}/${{ github.repository }}/tools:latest"
+ file: docker/Dockerfile
+ context: docker
+ tags: "${{ inputs.registry }}/${{ github.repository }}/tools:${{ inputs.tag }}"
+ platforms: ${{ inputs.platforms }}
+ push: ${{ inputs.push }}
+
+ - name: Generate Artifact Attestation
+ if: ${{ inputs.push }}
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-name: ${{ inputs.registry }}/${{ github.repository }}
+ subject-digest: ${{ steps.build-push.outputs.digest }}
+ push-to-registry: true
\ No newline at end of file
diff --git a/.github/workflows/shared-steps.yml b/.github/workflows/shared-steps.yml
deleted file mode 100644
index 9c8af5e..0000000
--- a/.github/workflows/shared-steps.yml
+++ /dev/null
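Review bot: The reusable workflow reads `secrets.token` for the registry login but declares no `secrets:` under `workflow_call`, and none of the callers added in this commit (`tools-container-latest.yml`, `tools-container-pr.yaml`, `tools-container-tag.yaml`) pass one or grant `packages: write` / `id-token: write` / `attestations: write`, so a `push: true` run will at best log in with an empty password and the attestation step cannot mint an OIDC token. `tag` has no default, so `tools-container-latest.yml`, which passes only `push: true`, produces `tags: …/tools:` — a reference with an empty tag. `subject-name` must name the image that was pushed (`…/tools`), not the repository, or the attestation is stored for a subject that does not match the digest; `actions/checkout@v2` also runs on a deprecated Node runtime. The lower-casing the deleted `shared-steps.yml` applied (`${GITHUB_REPOSITORY@L}`) is gone too; it happens to be harmless for this repository name, but registry references must be lowercase, so keep that in mind if the template is reused. Proposed declarations and fixes (callers then add the `permissions:` block and `secrets: token: ${{ secrets.GITHUB_TOKEN }}`):
```yaml
on:
  workflow_call:
    inputs:
      # … unchanged: push, registry, platforms …
      tag:
        type: string
        required: false
        default: latest
    secrets:
      token:
        required: true

jobs:
  build:
    # … unchanged: runs-on, checkout (bump to actions/checkout@v4), buildx, login, build-push …
      - name: Generate Artifact Attestation
        if: ${{ inputs.push }}
        uses: actions/attest-build-provenance@v1
        with:
          subject-name: ${{ inputs.registry }}/${{ github.repository }}/tools
          subject-digest: ${{ steps.build-push.outputs.digest }}
          push-to-registry: true
```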
@@ -1,64 +0,0 @@ -on: - workflow_call: - inputs: - registry: - required: true - type: string - do_tag: - required: true - type: string # boolean exists, but that will be a string as ENV VAR. Set to YES or NOPE - secrets: - token: - required: false - -jobs: - reusable: - runs-on: ubuntu-latest - - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to GitHub Container Registry - if: ${{github.event_name != 'pull_request'}} - uses: docker/login-action@v3 - with: - registry: ${{ inputs.registry }} - username: ${{ github.actor }} - password: ${{ secrets.token }} - - - name: Do some shell magic - shell: bash - id: sh_settings - env: - DO_TAG: ${{inputs.do_tag}} - run: | - if [ $DO_TAG = 'YES' ]; then - echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT - else - echo "tag=" >> $GITHUB_OUTPUT - fi - echo "repository=${GITHUB_REPOSITORY@L}" >> $GITHUB_OUTPUT - - - name: 'Build container image, (and push)' - id: push - uses: docker/build-push-action@v6 - with: - cache-from: ${{inputs.registry}}/${{github.repository}}/tools:${{ steps.sh_settings.outputs.tag }} - file: docker/Dockerfile - context: docker - tags: ${{inputs.registry}}/${{ steps.sh_settings.outputs.repository }}/tools:${{ steps.sh_settings.outputs.tag }} - platforms: linux/amd64,linux/arm64 - push: ${{github.event_name != 'pull_request'}} - - - name: 'Generate artifact attestation' - if: ${{github.event_name != 'pull_request'}} - uses: actions/attest-build-provenance@v1 - with: - subject-name: ${{ inputs.registry }}//${{ steps.sh_settings.outputs.repository }} - subject-digest: ${{ steps.push.outputs.digest }} - push-to-registry: true - \ No newline at end of file diff --git a/.github/workflows/tools-container-latest.yml b/.github/workflows/tools-container-latest.yml new file mode 100644 index 0000000..6f5cd92 --- /dev/null +++ b/.github/workflows/tools-container-latest.yml 
@@ -0,0 +1,15 @@
+name: Tools Container - Publish Latest
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - 'docker/**'
+ - '.github/**'
+
+jobs:
+ publish_latest:
+ uses: ./.github/workflows/container-build-template.yml
+ with:
+ push: true
\ No newline at end of file
diff --git a/.github/workflows/tools-container-pr.yaml b/.github/workflows/tools-container-pr.yaml
index d05b9bb..53b96ce 100644
--- a/.github/workflows/tools-container-pr.yaml
+++ b/.github/workflows/tools-container-pr.yaml
@@ -1,15 +1,12 @@
-name: 'Tools Container - PR Validation'
+name: Tools Container - PR Validation
 on:
- workflow_dispatch:
 pull_request:
 paths:
 - 'docker/**'
 jobs:
 pr_validation:
- name: 'PR Validation'
- uses: ./.github/workflows/shared-steps.yml
+ uses: ./.github/workflows/container-build-template.yml
 with:
- registry: ghcr.io
- do_tag: 'YES'
+ push: false
\ No newline at end of file
diff --git a/.github/workflows/tools-container-tag.yaml b/.github/workflows/tools-container-tag.yaml
index db18545..73831c7 100644
--- a/.github/workflows/tools-container-tag.yaml
+++ b/.github/workflows/tools-container-tag.yaml
@@ -1,22 +1,25 @@
-name: 'Tools Container - Publish Tag'
+name: Tools Container - Publish Tag
 on:
- workflow_dispatch:
 release:
 types:
 - published
 jobs:
- publish_latest:
- name: 'Push tagged container image to GitHub Packages'
- permissions:
- contents: read
- packages: write
- attestations: write
- id-token: write
- uses: ./.github/workflows/shared-steps.yml
+ generate_tag:
+ runs-on: ubuntu-latest
+ outputs:
+ date_tag: ${{ steps.get_date.outputs.date_tag }}
+ steps:
+ - name: Generate Tag
+ id: get_date
+ run: |
+ date=$(date -u +"%Y.%-m.%-d")
+ echo "date_tag=${date}" >> $GITHUB_OUTPUT
+
+ publish_tag:
+ needs: generate_tag
+ uses: ./.github/workflows/container-build-template.yml
 with:
- registry: ghcr.io
- do_tag: 'YES'
- secrets:
- token: ${{ secrets.GITHUB_TOKEN }}
+ push: true
+ tag: ${{ needs.generate_tag.outputs.date_tag }}
\ No newline at end of file
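Review bot: `publish_latest` passes only `push: true`, and the template's `tag` input is optional with no default, so the image reference expands to `tools:` with an empty tag and the push cannot produce a valid reference; pass `tag: latest` here. The PR caller in the next hunk has the same gap, although with `push: false` only the local tag is affected. The trigger also lists `.github/**`, so any workflow edit republishes `latest`; narrowing the paths to `docker/**` plus this workflow's own file keeps rebuilds tied to image changes.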
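Review bot: The removed `permissions:` block (`packages: write`, `attestations: write`, `id-token: write`) and the `secrets: token:` pass-through are not re-added on `publish_tag`, while the template's login step still reads `secrets.token` and its attestation step needs the id-token and attestations scopes; if the repository's default token is read-only, both the push and the attestation will be refused. Re-add `permissions:` on the `publish_tag` job and either `secrets: inherit` or a declared `secrets:` input on the template. `generate_tag` names the image by UTC date rather than by the release that fired the workflow, so two releases published on the same day overwrite each other; `${{ github.event.release.tag_name }}` is available on the `release` event if one image per release is the intent. `$GITHUB_OUTPUT` in the `run:` script should also be quoted.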
From d482d1a7b35f1656d9f26eaa7ca48adb0bf60845 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Anundsson?=
Date: Tue, 4 Mar 2025 18:01:06 +0100
Subject: [PATCH 06/19] fixed minor issue
---
 .github/workflows/container-build-template.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/container-build-template.yml b/.github/workflows/container-build-template.yml
index 190eca7..04c286c 100644
--- a/.github/workflows/container-build-template.yml
+++ b/.github/workflows/container-build-template.yml
@@ -30,7 +30,8 @@ jobs:
 uses: docker/setup-buildx-action@v3
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v2
+ if: ${{inputs.push == 'true'}}
+ uses: docker/login-action@v3
 with:
 registry: ${{ inputs.registry }}
 username: ${{ github.actor }}
From 44a9e3066696703a36da5b554b8c7d19f35938c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Anundsson?=
Date: Tue, 4 Mar 2025 18:03:00 +0100
Subject: [PATCH 07/19] added tag to pr pipeline
---
 .github/workflows/tools-container-pr.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/tools-container-pr.yaml b/.github/workflows/tools-container-pr.yaml
index 53b96ce..d25323e 100644
--- a/.github/workflows/tools-container-pr.yaml
+++ b/.github/workflows/tools-container-pr.yaml
@@ -9,4 +9,5 @@ jobs:
 pr_validation:
 uses: ./.github/workflows/container-build-template.yml
 with:
- push: false
\ No newline at end of file
+ push: false
+ tag: "pr"
\ No newline at end of file
From ca9b4517c711e2e4869372a66bc09b94d8a63795 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Anundsson?=
Date: Tue, 4 Mar 2025 18:01:06 +0100
Subject: [PATCH 08/19] added tag to pr pipeline
---
 docker/Dockerfile | 18 +++++++++---------
 docker/config/.tflint.hcl | 2 +-
 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 4ab1c79..899a155 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
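Review bot: `if: ${{inputs.push == 'true'}}` compares a boolean input against the string `'true'`; GitHub Actions coerces operands of different types to numbers before comparing, and `'true'` becomes NaN, so the condition is false on every run and the login step is skipped even for the publish jobs that pass `push: true`, which then fail at push time. Use the input directly, `if: ${{ inputs.push }}`, the same form the attestation step already uses.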
@@ -29,7 +29,7 @@ RUN TERRAFORM_VERSION="1.11.0" && \
 rm terraform_${TERRAFORM_VERSION}_linux_${TARGETARCH}.zip
 # Install tflint
-RUN TFLINT_VERSION="v0.49.0" && \
+RUN TFLINT_VERSION="v0.55.1" && \
 curl -L -o tflint.zip "https://github.com/terraform-linters/tflint/releases/download/${TFLINT_VERSION}/tflint_linux_${TARGETARCH}.zip" && \
 unzip tflint.zip -d /usr/local/bin && \
 rm tflint.zip
@@ -39,43 +39,43 @@ COPY config/.tflint.hcl /work/.tflint.d/.tflint.hcl
 RUN tflint --init --config=/work/.tflint.d/.tflint.hcl
 # Install terraform (tfenv)
-RUN TFENV_VERSION="1.5.7" && \
+RUN TFENV_VERSION="1.11.0" && \
 git clone https://github.com/tfutils/tfenv.git ~/.tfenv && \
 echo 'export PATH="$HOME/.tfenv/bin:$PATH"' >> ~/.bashrc && \
 ~/.tfenv/bin/tfenv install ${TFENV_VERSION} && \
 ~/.tfenv/bin/tfenv use ${TFENV_VERSION}
 # Install tfsec
-RUN TFSEC_VERSION="v1.28.4" && \
+RUN TFSEC_VERSION="v1.28.13" && \
 curl -L -o /usr/local/bin/tfsec "https://github.com/aquasecurity/tfsec/releases/download/${TFSEC_VERSION}/tfsec-linux-${TARGETARCH}" && \
 chmod +x /usr/local/bin/tfsec
 # Install Open Policy Agent (OPA)
-RUN OPA_VERSION="v0.43.0" && \
+RUN OPA_VERSION="v1.2.0" && \
 curl -L -o opa "https://openpolicyagent.org/downloads/${OPA_VERSION}/opa_linux_${TARGETARCH}" && \
 chmod +x opa && \
 mv opa /usr/local/bin/
 # Install sops
-RUN SOPS_VERSION="v3.8.1" && \
- curl -L -o /usr/local/bin/sops "https://github.com/mozilla/sops/releases/download/${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux.${TARGETARCH}" && \
+RUN SOPS_VERSION="v3.9.4" && \
+ curl -L -o /usr/local/bin/sops "https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux.${TARGETARCH}" && \
 chmod +x /usr/local/bin/sops
 # Install GitHub CLI
-RUN GH_VERSION="2.39.2" && \
+RUN GH_VERSION="2.67.0" && \
 curl -L -o gh.tar.gz "https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_${TARGETARCH}.tar.gz" && \
 tar -xzf gh.tar.gz && \
 mv gh_*/bin/gh /usr/local/bin/ && \
 rm -rf gh_*
 # Install kubectl
-RUN KUBECTL_VERSION="v1.28.4" && \
+RUN KUBECTL_VERSION="v1.32.0" && \
 curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl" && \
 chmod +x kubectl && \
 mv kubectl /usr/local/bin/
 # Install helm
-RUN HELM_VERSION="v3.13.2" && \
+RUN HELM_VERSION="v3.17.0" && \
 curl -fsSL -o get_helm.sh
"https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3" && \
 chmod 700 get_helm.sh && \
 ./get_helm.sh --version "$HELM_VERSION" && \
diff --git a/docker/config/.tflint.hcl b/docker/config/.tflint.hcl
index 485ed8f..b00229c 100644
--- a/docker/config/.tflint.hcl
+++ b/docker/config/.tflint.hcl
@@ -1,5 +1,5 @@
 config {
- module = false
+ call_module_type = "local"
 force = false
 disabled_by_default = false
 }
From 919a207e47137d7c5733ab1a26e6e7ece203bc35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Anundsson?=
Date: Tue, 4 Mar 2025 19:05:51 +0100
Subject: [PATCH 09/19] added container build template
---
 .github/workflows/container-build-template.yml | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/container-build-template.yml b/.github/workflows/container-build-template.yml
index 04c286c..2bee813 100644
--- a/.github/workflows/container-build-template.yml
+++ b/.github/workflows/container-build-template.yml
@@ -24,13 +24,16 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v4
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
+ - name: Convert Repository Name to Lowercase
+ run: echo "REPO_LOWER=$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
+
 - name: Login to GitHub Container Registry
- if: ${{inputs.push == 'true'}}
+ if: ${{ inputs.push }}
 uses: docker/login-action@v3
 with:
 registry: ${{ inputs.registry }}
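Review bot: Every binary in this hunk is fetched with `curl -L` and then made executable or moved into `/usr/local/bin` without `-f` and without any integrity check, so a 404 page or a redirect interstitial is silently installed as the tool and a tampered release is indistinguishable from a genuine one; the kubectl rewrite in patch 13 and the tflint ruleset downloads in patch 17 have the same gap. At minimum add `-f` (`curl -fsSL …`) so HTTP errors fail the build, and verify the published checksum where the project provides one — kubectl, for example, publishes `kubectl.sha256` next to the binary, as in the rewrite below. The tfenv step clones the repository at an unpinned HEAD and the helm step executes `get-helm-3` from the `main` branch, so neither is reproducible even though the tool versions themselves are pinned. Note also that `TFENV_VERSION="1.11.0"` is the Terraform version tfenv installs, not a tfenv version, and it duplicates the Terraform binary already unpacked into `/usr/local/bin` above this hunk.
```dockerfile
# Install kubectl
RUN KUBECTL_VERSION="v1.32.0" && \
    curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl" && \
    curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256" && \
    echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check && \
    chmod +x kubectl && \
    mv kubectl /usr/local/bin/ && \
    rm kubectl.sha256
# … unchanged: helm install …
```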
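Review bot: `call_module_type = "local"` is not a one-to-one replacement for `module = false`; in tflint's migration of the deprecated `module` key, `false` maps to `"none"` while `"local"` additionally inspects locally sourced module calls, so as far as I can tell this hunk widens what gets linted rather than only renaming the key. If the widening is intended, a one-line comment such as `# "local": also inspect modules called from local paths (was module = false)` would make that deliberate; otherwise `"none"` preserves the previous behaviour.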
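Review bot: The new lowercase step interpolates `${{ github.repository }}` straight into a shell command; that particular value has a restricted character set, so it is not injectable here, but the pattern becomes a command-injection path as soon as a user-controlled context is substituted, and the runner already exposes the same value as `$GITHUB_REPOSITORY`. `run: echo "REPO_LOWER=${GITHUB_REPOSITORY,,}" >> "$GITHUB_ENV"` avoids the interpolation, the subshell and the `tr` pipe, since bash is the default `run:` shell on `ubuntu-latest`.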
@@ -41,17 +44,17 @@ jobs:
 id: build-push
 uses: docker/build-push-action@v6
 with:
- cache-from: "${{ inputs.registry }}/${{ github.repository }}/tools:latest"
+ cache-from: "${{ inputs.registry }}/${{ env.REPO_LOWER }}/tools:latest"
 file: docker/Dockerfile
 context: docker
- tags: "${{ inputs.registry }}/${{ github.repository }}/tools:${{ inputs.tag }}"
+ tags: "${{ inputs.registry }}/${{ env.REPO_LOWER }}/tools:${{ inputs.tag }}"
 platforms: ${{ inputs.platforms }}
 push: ${{ inputs.push }}
 - name: Generate Artifact Attestation
 if: ${{ inputs.push }}
- uses: actions/attest-build-provenance@v1
+ uses: actions/attest-build-provenance@v2
 with:
- subject-name: ${{ inputs.registry }}/${{ github.repository }}
+ subject-name: ${{ inputs.registry }}/${{ env.REPO_LOWER }}
 subject-digest: ${{ steps.build-push.outputs.digest }}
 push-to-registry: true
\ No newline at end of file
From 02468f78f0efe474a2f1e71ed3b4c4a267372fed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Anundsson?=
Date: Tue, 4 Mar 2025 20:31:11 +0100
Subject: [PATCH 10/19] updated tools-container-latest.yml with tag == latest
---
 .github/workflows/tools-container-latest.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/tools-container-latest.yml b/.github/workflows/tools-container-latest.yml
index 6f5cd92..ff432e1 100644
--- a/.github/workflows/tools-container-latest.yml
+++ b/.github/workflows/tools-container-latest.yml
@@ -12,4 +12,5 @@ jobs:
 publish_latest:
 uses: ./.github/workflows/container-build-template.yml
 with:
- push: true
\ No newline at end of file
+ push: true
+ tag: "latest"
From 9144a6bf574c6d9195d7f5c8d201c0eae7de7b42 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Anundsson?=
Date: Wed, 5 Mar 2025 10:46:28 +0100
Subject: [PATCH 11/19] reverted golang app
---
 docker/Dockerfile | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 899a155..9d8b2e6 100644
--- a/docker/Dockerfile
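Review bot: `cache-from` now points at `…/tools:latest`, but no `cache-to` is set, so unless that image was built with inline cache metadata nothing is ever written back and the cache lookup is a no-op on every run; adding `cache-to: type=inline` next to it (or `type=registry,ref=…/tools:buildcache,mode=max`) makes the reference usable. The subject passed to the attestation step still lacks the `/tools` segment that the `tags:` line pushes to, so the provenance is attached to a different repository name than the image; `subject-name: ${{ inputs.registry }}/${{ env.REPO_LOWER }}/tools` matches.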
+++ b/docker/Dockerfile
@@ -1,3 +1,13 @@
+# Image used for the go-tf-prepare stage
+FROM golang:1.24 AS tf-prepare-builder
+WORKDIR /workspace
+
+COPY ./go-tf-prepare/go.mod ./go-tf-prepare/go.sum ./
+RUN go mod download
+COPY ./go-tf-prepare/main.go main.go
+COPY ./go-tf-prepare/pkg/ pkg/
+RUN GOOS=linux GOARCH=$TARGETARCH GO111MODULE=on go build -o tf-prepare main.go
+
 # Image used for the build stage
 FROM debian:stable-slim
@@ -5,6 +15,9 @@ FROM debian:stable-slim
 ARG TARGETARCH
 ARG TARGETOS
+# MKDIR
+RUN mkdir -p /work
+
 # Install dependencies
 RUN apt-get update && apt-get install -y --no-install-recommends \
 bash \
From db98e8a578a0d2f2a683454a347cc83b59022e74 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Anundsson?=
Date: Wed, 5 Mar 2025 11:37:41 +0100
Subject: [PATCH 12/19] tf-prepare
---
 docker/Dockerfile | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 9d8b2e6..8c93ed7 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -6,7 +6,9 @@ COPY ./go-tf-prepare/go.mod ./go-tf-prepare/go.sum ./
 RUN go mod download
 COPY ./go-tf-prepare/main.go main.go
 COPY ./go-tf-prepare/pkg/ pkg/
-RUN GOOS=linux GOARCH=$TARGETARCH GO111MODULE=on go build -o tf-prepare main.go
+RUN GOOS=linux GOARCH=${TARGETARCH} GO111MODULE=on go build -o tf-prepare main.go
+
+# ------------------------------
 # Image used for the build stage
 FROM debian:stable-slim
@@ -20,10 +22,10 @@ RUN mkdir -p /work
 # Install dependencies
 RUN apt-get update && apt-get install -y --no-install-recommends \
- bash \
 ca-certificates \
- git \
 curl \
+ git \
+ make \
 openssl \
 unzip \
 gpg \
@@ -101,6 +103,8 @@ RUN apt-get autoremove && \
 # Copy additional files
 COPY ./opa-policies /opt/opa-policies
 COPY ./terraform.sh /opt/terraform.sh
+COPY --from=tf-prepare-builder /workspace/tf-prepare /usr/local/bin/tf-prepare
+RUN chmod +x /usr/local/bin/tf-prepare
 # Set environment variables
 ENV HOME=/work
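Review bot: In the new `tf-prepare-builder` stage `GOARCH=$TARGETARCH` expands to an empty string, because the automatic platform variables are only visible in a stage that declares them with `ARG TARGETARCH`; the declaration on the `debian:stable-slim` stage further down does not carry over, and the `${TARGETARCH}` brace form from patch 12 has the same gap. With an empty GOARCH go builds for the stage's own platform, which is only correct while each target is built under emulation. Declare `ARG TARGETARCH` immediately after `FROM golang:1.24 AS tf-prepare-builder`, and consider `FROM --platform=$BUILDPLATFORM golang:1.24 AS tf-prepare-builder` so the Go stage cross-compiles natively instead of running under QEMU. `golang:1.24` also floats across patch releases; pinning a full version or a digest matches the reproducibility the tool pins elsewhere in the file aim for.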
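Review bot: `RUN chmod +x /usr/local/bin/tf-prepare` adds a layer that carries a second copy of the binary just copied in; `go build` already produces an executable, and if the mode must be forced, `COPY --chmod=755 --from=tf-prepare-builder /workspace/tf-prepare /usr/local/bin/tf-prepare` does it inside the copy. The enclosing `RUN apt-get autoremove` block named in the hunk header starts outside this hunk.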
From 90ce4468c6b6b8b966d002a1a219e93ebb38a6b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Anundsson?=
Date: Wed, 5 Mar 2025 22:28:28 +0100
Subject: [PATCH 13/19] dockerFile improvements
---
 docker/Dockerfile | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 8c93ed7..6b6be49 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -38,10 +38,10 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash
 # Install Terraform
-RUN TERRAFORM_VERSION="1.11.0" && \
- curl -LO "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_${TARGETARCH}.zip" && \
- unzip terraform_${TERRAFORM_VERSION}_linux_${TARGETARCH}.zip -d /usr/local/bin && \
- rm terraform_${TERRAFORM_VERSION}_linux_${TARGETARCH}.zip
+RUN TERRAFORM_VERSION="1.11.1" && \
+ curl -L -o terraform.zip "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_${TARGETARCH}.zip" && \
+ unzip terraform.zip -d /usr/local/bin && \
+ rm terraform.zip
 # Install tflint
 RUN TFLINT_VERSION="v0.55.1" && \
@@ -67,11 +67,10 @@ RUN TFSEC_VERSION="v1.28.13" && \
 # Install Open Policy Agent (OPA)
 RUN OPA_VERSION="v1.2.0" && \
- curl -L -o opa "https://openpolicyagent.org/downloads/${OPA_VERSION}/opa_linux_${TARGETARCH}" && \
- chmod +x opa && \
- mv opa /usr/local/bin/
+ curl -L -o /usr/local/bin/opa "https://openpolicyagent.org/downloads/${OPA_VERSION}/opa_linux_${TARGETARCH}_static" && \
+ chmod +x /usr/local/bin/opa
-# Install sops
+# Install sopsh
 RUN SOPS_VERSION="v3.9.4" && \
 curl -L -o /usr/local/bin/sops "https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux.${TARGETARCH}" && \
 chmod +x /usr/local/bin/sops
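Review bot: The sops heading was changed to `# Install sopsh`, which reads as a stray keystroke rather than an intended rename; it should stay `# Install sops`. Writing the OPA download straight to `/usr/local/bin/opa` is tidier than the old download/chmod/mv sequence, but because `curl -L -o` is still used without `-f`, a failed download now leaves an error page at the final path with the execute bit set, where before it would at least have sat in the work directory; the same applies to the terraform step in the first hunk.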
@@ -85,9 +84,8 @@ RUN GH_VERSION="2.67.0" && \
 # Install kubectl
 RUN KUBECTL_VERSION="v1.32.0" && \
- curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl" && \
- chmod +x kubectl && \
- mv kubectl /usr/local/bin/
+ curl -L -o /usr/local/bin/kubectl "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl" && \
+ chmod +x /usr/local/bin/kubectl
 # Install helm
 RUN HELM_VERSION="v3.17.0" && \
From e003587a1b8f4fd3667f0611a63838050b12ba80 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Anundsson?=
Date: Mon, 10 Mar 2025 12:32:28 +0100
Subject: [PATCH 14/19] fix; tflint
---
 docker/terraform.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docker/terraform.sh b/docker/terraform.sh
index 09560ed..2aaeb4f 100755
--- a/docker/terraform.sh
+++ b/docker/terraform.sh
@@ -148,7 +148,7 @@ validate () {
 terraform validate
 terraform fmt .
 terraform fmt variables/
- tflint --config="/work/.tflint.d/.tflint.hcl" --var-file="variables/${ENVIRONMENT}.tfvars" --var-file="variables/common.tfvars" --var-file="../global.tfvars" .
+ tflint --recursive --config="/work/.tflint.d/.tflint.hcl" --var-file="variables/${ENVIRONMENT}.tfvars" --var-file="variables/common.tfvars" --var-file="../global.tfvars"
 tfsec .
 }
@@ -193,4 +193,4 @@ case $ACTION in
 validate )
 validate
 ;;
-esac
+esac
\ No newline at end of file
From da79616a3fe8f2d45ee3b4a6390900273fad3250 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Anundsson?=
Date: Mon, 10 Mar 2025 14:14:42 +0100
Subject: [PATCH 15/19] tflint --init at runtime
---
 docker/Dockerfile | 3 +--
 docker/terraform.sh | 1 +
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 6b6be49..a83623a 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
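Review bot: With `--recursive`, tflint is run once per directory under the working tree, but the three `--var-file` arguments are still relative paths (`variables/${ENVIRONMENT}.tfvars`, `variables/common.tfvars`, `../global.tfvars`); whether tflint v0.55.1, the version the image installs, resolves them against the original working directory or against each module directory should be confirmed, since in the latter case every nested module run fails on a missing var file before any rule runs. Dropping the trailing `.` target is consistent with recursive mode. The `validate ()` function starts outside this hunk, and the second hunk only removes the file's final newline.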
@@ -49,9 +49,8 @@ RUN TFLINT_VERSION="v0.55.1" && \
 unzip tflint.zip -d /usr/local/bin && \
 rm tflint.zip
-# Install tflint rulesets
+# Copy tflint configuration
 COPY config/.tflint.hcl /work/.tflint.d/.tflint.hcl
-RUN tflint --init --config=/work/.tflint.d/.tflint.hcl
 # Install terraform (tfenv)
 RUN TFENV_VERSION="1.11.0" && \
diff --git a/docker/terraform.sh b/docker/terraform.sh
index 2aaeb4f..c4be9ed 100755
--- a/docker/terraform.sh
+++ b/docker/terraform.sh
@@ -148,6 +148,7 @@ validate () {
 terraform validate
 terraform fmt .
 terraform fmt variables/
+ tflint --init --config "/work/.tflint.d/.tflint.hcl"
 tflint --recursive --config="/work/.tflint.d/.tflint.hcl" --var-file="variables/${ENVIRONMENT}.tfvars" --var-file="variables/common.tfvars" --var-file="../global.tfvars"
 tfsec .
 }
From d93f96694c27fec3b4a5c13ea60b92f6ba4d3e90 Mon Sep 17 00:00:00 2001
From: "Andre Anundsson (Xenit)"
Date: Thu, 10 Apr 2025 00:57:48 +0200
Subject: [PATCH 16/19] working tflint_config
---
 docker/config/.tflint.hcl | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/docker/config/.tflint.hcl b/docker/config/.tflint.hcl
index b00229c..7e943a3 100644
--- a/docker/config/.tflint.hcl
+++ b/docker/config/.tflint.hcl
@@ -5,11 +5,15 @@ config {
 }
 plugin "azurerm" {
- enabled = true
+ enabled = true
+ source = "github.com/terraform-linters/tflint-ruleset-azurerm"
+ version = "0.28.0"
 }
 plugin "aws" {
- enabled = true
+ enabled = true
+ source = "github.com/terraform-linters/tflint-ruleset-aws"
+ version = "0.38.0"
 }
 rule "terraform_deprecated_interpolation" {
@@ -62,4 +66,4 @@ rule "terraform_standard_module_structure" {
 rule "terraform_workspace_remote" {
 enabled = true
-}
+}
\ No newline at end of file
From 6871b949705973a5628afeedfc0db3680194ecaf Mon Sep 17 00:00:00 2001
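Review bot: Moving `tflint --init` out of the image build into `validate` makes every run resolve and download the rulesets from GitHub at execution time, and at this commit the `.tflint.hcl` only says `enabled = true` with no `version =`, so two runs on different days can lint with different rules, and a run without network access or under GitHub's unauthenticated rate limit fails before linting starts; the image also no longer proves at build time that the configuration loads. If run-time fetching is the intent, pin the plugins with `version =` in the config (patch 16 does this) and record the network dependency in the image's documentation; otherwise keeping `--init` in the Dockerfile is the more reproducible layout, which patch 17 effectively returns to by installing the rulesets by hand. The `validate ()` function starts outside this hunk.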
From: "Andre Anundsson (Xenit)"
Date: Thu, 10 Apr 2025 09:55:52 +0200
Subject: [PATCH 17/19] added support for rego v1
---
 docker/Dockerfile | 19 +-
 docker/config/.tflint.hcl | 4 -
 docker/opa-policies/terraform.rego | 192 +++++++++---------
 .../opa-policies/test_aws_ecr_repository.rego | 64 ++----
 docker/opa-policies/test_aws_eks_cluster.rego | 64 ++----
 docker/opa-policies/test_aws_s3_bucket.rego | 64 ++----
 docker/opa-policies/test_aws_vpc.rego | 64 ++----
 .../test_azuread_application_password.rego | 64 ++----
 docker/opa-policies/test_azuread_group.rego | 64 ++----
 .../test_azurerm_container_registry.rego | 64 ++----
 .../test_azurerm_kubernetes_cluster.rego | 64 ++----
 .../test_azurerm_resource_group.rego | 64 ++----
 .../test_azurerm_storage_account.rego | 64 ++----
 .../test_azurerm_user_assigned_identity.rego | 64 ++----
 .../test_azurerm_virtual_machine.rego | 64 ++----
 .../test_azurerm_virtual_network.rego | 64 ++----
 docker/opa-policies/test_fake_resource.rego | 64 ++----
 docker/opa-policies/test_helm_release.rego | 64 ++----
 .../test_kubernetes_namespace.rego | 64 ++----
 .../test_kubernetes_service_account.rego | 64 ++----
 docker/terraform.sh | 1 -
 21 files changed, 470 insertions(+), 834 deletions(-)
diff --git a/docker/Dockerfile b/docker/Dockerfile
index a83623a..ff80a8b 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -38,7 +38,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash
 # Install Terraform
-RUN TERRAFORM_VERSION="1.11.1" && \
+RUN TERRAFORM_VERSION="1.11.3" && \
 curl -L -o terraform.zip "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_${TARGETARCH}.zip" && \
 unzip terraform.zip -d /usr/local/bin && \
 rm terraform.zip
@@ -47,11 +47,22 @@ RUN TERRAFORM_VERSION="1.11.1" && \
 RUN TFLINT_VERSION="v0.55.1" && \
 curl -L -o tflint.zip "https://github.com/terraform-linters/tflint/releases/download/${TFLINT_VERSION}/tflint_linux_${TARGETARCH}.zip" && \
 unzip tflint.zip -d /usr/local/bin && \
- rm tflint.zip
+ rm tflint.zip && \
+ mkdir -p /work/.tflint.d/plugins/
-# Copy tflint configuration
+# Install tflint rulesets && copy tflint configuration
 COPY config/.tflint.hcl /work/.tflint.d/.tflint.hcl
+RUN AZURERM_RULESET_VERSION="v0.28.0" && \
+ curl -L -o tflint-ruleset-azurerm.zip "https://github.com/terraform-linters/tflint-ruleset-azurerm/releases/download/${AZURERM_RULESET_VERSION}/tflint-ruleset-azurerm_linux_${TARGETARCH}.zip" && \
+ unzip tflint-ruleset-azurerm.zip -d /work/.tflint.d/plugins/ && \
+ rm tflint-ruleset-azurerm.zip
+
+RUN AWS_RULESET_VERSION="v0.38.0" && \
+ curl -L -o tflint-ruleset-aws.zip "https://github.com/terraform-linters/tflint-ruleset-aws/releases/download/${AWS_RULESET_VERSION}/tflint-ruleset-aws_linux_${TARGETARCH}.zip" && \
+ unzip tflint-ruleset-aws.zip -d /work/.tflint.d/plugins/ && \
+ rm tflint-ruleset-aws.zip
+
 # Install terraform (tfenv)
 RUN TFENV_VERSION="1.11.0" && \
 git clone https://github.com/tfutils/tfenv.git ~/.tfenv && \
@@ -65,7 +76,7 @@ RUN TFSEC_VERSION="v1.28.13" && \
 chmod +x /usr/local/bin/tfsec
 # Install Open Policy Agent (OPA)
-RUN OPA_VERSION="v1.2.0" && \
+RUN OPA_VERSION="v1.3.0" && \
 curl -L -o /usr/local/bin/opa "https://openpolicyagent.org/downloads/${OPA_VERSION}/opa_linux_${TARGETARCH}_static" && \
 chmod +x /usr/local/bin/opa
diff --git a/docker/config/.tflint.hcl b/docker/config/.tflint.hcl
index 7e943a3..4b935c9 100644
--- a/docker/config/.tflint.hcl
+++ b/docker/config/.tflint.hcl
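Review bot: The two ruleset archives are unpacked into `/work/.tflint.d/plugins/`, which tflint only finds because `HOME` is set to `/work` by an `ENV` line outside this hunk; a comment on the new `mkdir` line, `# tflint loads plugins from $HOME/.tflint.d/plugins; HOME is set to /work further down`, would save the next reader that trace. The versions `v0.28.0` and `v0.38.0` are pinned here, but the same patch strips the matching `version =` lines from `.tflint.hcl`, so nothing ties the two places together and a later bump in either drifts silently. As raised on patch 08, these `curl -L -o` calls have no `-f` and no checksum; this manual path also skips the signature check that `tflint --init` performs for the official terraform-linters rulesets, so the archives should at least be verified against the `checksums.txt` each release publishes.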
@@ -6,14 +6,10 @@ config { plugin "azurerm" { enabled = true - source = "github.com/terraform-linters/tflint-ruleset-azurerm" - version = "0.28.0" } plugin "aws" { enabled = true - source = "github.com/terraform-linters/tflint-ruleset-aws" - version = "0.38.0" } rule "terraform_deprecated_interpolation" { diff --git a/docker/opa-policies/terraform.rego b/docker/opa-policies/terraform.rego index 990c8bb..e827f39 100644 --- a/docker/opa-policies/terraform.rego +++ b/docker/opa-policies/terraform.rego @@ -1,5 +1,7 @@ package terraform.analysis +import rego.v1 + import input as tfplan ######################## 
@@ -12,32 +14,33 @@ import input as tfplan # cat [...].tfplan.json | jq "{resource_changes: [{change: {actions: .resource_changes[_].change.actions}, type: .resource_changes[_].type}]}" > test.json # acceptable score for automated authorization -blast_radius = data.blast_radius +blast_radius := data.blast_radius # weights assigned for each operation on each resource-type -weights = { - "kubernetes_namespace": {"delete": 100, "create": 1, "modify": 1}, - "kubernetes_service_account": {"delete": 100, "create": 1, "modify": 1}, - "azuread_group": {"delete": 100, "create": 1, "modify": 1}, - "azurerm_container_registry": {"delete": 100, "create": 1, "modify": 1}, - "azurerm_kubernetes_cluster": {"delete": 100, "create": 1, "modify": 1}, - "azurerm_resource_group": {"delete": 200, "create": 1, "modify": 1}, - "azurerm_storage_account": {"delete": 100, "create": 1, "modify": 1}, - "azurerm_virtual_network": {"delete": 100, "create": 1, "modify": 1}, - "azurerm_virtual_machine": {"delete": 100, "create": 1, "modify": 1}, - "azuread_application_password": {"delete": 100, "create": 1, "modify": 100}, - "azurerm_user_assigned_identity": {"delete": 100, "create": 1, "modify": 100}, - "helm_release": {"delete": 100, "create": 1, "modify": 1}, - "aws_ecr_repository": {"delete": 100, "create": 1, "modify": 1}, - "aws_eks_cluster": {"delete": 100, "create": 1, "modify": 1}, - "aws_s3_bucket": {"delete": 100, "create": 1, "modify": 1}, - "aws_vpc": {"delete": 100, "create": 1, "modify": 1} +weights := { + "kubernetes_namespace": {"delete": 100, "create": 1, "modify": 1}, + "kubernetes_service_account": {"delete": 100, "create": 1, "modify": 1}, + "azuread_group": {"delete": 100, "create": 1, "modify": 1}, + "azurerm_container_registry": {"delete": 100, "create": 1, "modify": 1}, + "azurerm_kubernetes_cluster": {"delete": 100, "create": 1, "modify": 1}, + "azurerm_resource_group": {"delete": 200, "create": 1, "modify": 1}, + "azurerm_storage_account": {"delete": 100, "create": 1, 
"modify": 1}, + "azurerm_virtual_network": {"delete": 100, "create": 1, "modify": 1}, + "azurerm_virtual_machine": {"delete": 100, "create": 1, "modify": 1}, + "azuread_application_password": {"delete": 100, "create": 1, "modify": 100}, + "azurerm_user_assigned_identity": {"delete": 100, "create": 1, "modify": 100}, + "helm_release": {"delete": 100, "create": 1, "modify": 1}, + "aws_ecr_repository": {"delete": 100, "create": 1, "modify": 1}, + "aws_eks_cluster": {"delete": 100, "create": 1, "modify": 1}, + "aws_s3_bucket": {"delete": 100, "create": 1, "modify": 1}, + "aws_vpc": {"delete": 100, "create": 1, "modify": 1}, } -resource_types = { r | weights[r] } -other_resource_types[type] { - type := tfplan.resource_changes[_].type - not resource_types[type] +resource_types := {r | weights[r]} + +other_resource_types contains type if { + type := tfplan.resource_changes[_].type + not resource_types[type] } ######### 
@@ -45,31 +48,32 @@ other_resource_types[type] { ######### # Authorization holds if score for the plan is acceptable and no changes are made to IAM -default authz = false -authz { - score < blast_radius - # not touches_iam +default authz := false + +authz if { + score < blast_radius + # not touches_iam } # Compute the score for a Terraform plan as the weighted sum of deletions, creations, modifications -score = s { - all := [ x | - some resource_type - crud := weights[resource_type]; - del := crud["delete"] * num_deletes[resource_type]; - new := crud["create"] * num_creates[resource_type]; - mod := crud["modify"] * num_modifies[resource_type]; - x := del + new + mod - ] - others := [ x | - some resource_type - crud := {"delete": 100, "create": 1, "modify": 1}; - del := crud["delete"] * other_num_deletes[resource_type]; - new := crud["create"] * other_num_creates[resource_type]; - mod := crud["modify"] * other_num_modifies[resource_type]; - x := del + new + mod - ] - s := sum(all) + sum(others) +score := s if { + all := [x | + some resource_type + crud := weights[resource_type] + del := crud.delete * num_deletes[resource_type] + new := crud.create * num_creates[resource_type] + mod := crud.modify * num_modifies[resource_type] + x := (del + new) + mod + ] + others := [x | + some resource_type + crud := {"delete": 100, "create": 1, "modify": 1} + del := crud.delete * other_num_deletes[resource_type] + new := crud.create * other_num_creates[resource_type] + mod := crud.modify * other_num_modifies[resource_type] + x := (del + new) + mod + ] + s := sum(all) + sum(others) } # Whether there is any change to IAM 
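Review bot: The comment above `authz` still says authorization requires that "no changes are made to IAM", but the `# not touches_iam` condition is commented out, so the rule only checks the blast-radius score; either re-enable the condition or change the comment to `# Authorization holds if the plan's score is below blast_radius (IAM check currently disabled)`. It is also worth stating next to `blast_radius := data.blast_radius` that a missing `blast_radius` document leaves `score < blast_radius` undefined and `authz` at its `default false`, which is the fail-closed behaviour callers should be able to rely on. The counting rules in the next hunk treat a Terraform replace (`actions: ["delete", "create"]`) as one delete plus one create, which is probably intended but is not written down anywhere.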
@@ -83,71 +87,71 @@ score = s { #################### # list of all resources of a given type -resources[resource_type] := all { - some resource_type - resource_types[resource_type] - all := [name | - name:= tfplan.resource_changes[_] - name.type == resource_type - ] +resources[resource_type] := all if { + some resource_type + resource_types[resource_type] + all := [name | + name := tfplan.resource_changes[_] + name.type == resource_type + ] } -other_resources[resource_type] := all { - some resource_type - other_resource_types[resource_type] - all := [name | - name:= tfplan.resource_changes[_] - name.type == resource_type - ] +other_resources[resource_type] := all if { + some resource_type + other_resource_types[resource_type] + all := [name | + name := tfplan.resource_changes[_] + name.type == resource_type + ] } # number of creations of resources of a given type -num_creates[resource_type] := num { - some resource_type - resource_types[resource_type] - all := resources[resource_type] - creates := [res | res:= all[_]; res.change.actions[_] == "create"] - num := count(creates) +num_creates[resource_type] := num if { + some resource_type + resource_types[resource_type] + all := resources[resource_type] + creates := [res | res := all[_]; res.change.actions[_] == "create"] + num := count(creates) } -other_num_creates[resource_type] := num { - some resource_type - other_resource_types[resource_type] - all := other_resources[resource_type] - creates := [res | res:= all[_]; res.change.actions[_] == "create"] - num := count(creates) +other_num_creates[resource_type] := num if { + some resource_type + other_resource_types[resource_type] + all := other_resources[resource_type] + creates := [res | res := all[_]; res.change.actions[_] == "create"] + num := count(creates) } # number of deletions of resources of a given type -num_deletes[resource_type] := num { - some resource_type - resource_types[resource_type] - all := resources[resource_type] - deletions := [res | res:= 
all[_]; res.change.actions[_] == "delete"] - num := count(deletions) +num_deletes[resource_type] := num if { + some resource_type + resource_types[resource_type] + all := resources[resource_type] + deletions := [res | res := all[_]; res.change.actions[_] == "delete"] + num := count(deletions) } -other_num_deletes[resource_type] := num { - some resource_type - other_resource_types[resource_type] - all := other_resources[resource_type] - deletions := [res | res:= all[_]; res.change.actions[_] == "delete"] - num := count(deletions) +other_num_deletes[resource_type] := num if { + some resource_type + other_resource_types[resource_type] + all := other_resources[resource_type] + deletions := [res | res := all[_]; res.change.actions[_] == "delete"] + num := count(deletions) } # number of modifications to resources of a given type -num_modifies[resource_type] := num { - some resource_type - resource_types[resource_type] - all := resources[resource_type] - modifies := [res | res:= all[_]; res.change.actions[_] == "update"] - num := count(modifies) +num_modifies[resource_type] := num if { + some resource_type + resource_types[resource_type] + all := resources[resource_type] + modifies := [res | res := all[_]; res.change.actions[_] == "update"] + num := count(modifies) } -other_num_modifies[resource_type] := num { - some resource_type - other_resource_types[resource_type] - all := other_resources[resource_type] - modifies := [res | res:= all[_]; res.change.actions[_] == "update"] - num := count(modifies) +other_num_modifies[resource_type] := num if { + some resource_type + other_resource_types[resource_type] + all := other_resources[resource_type] + modifies := [res | res := all[_]; res.change.actions[_] == "update"] + num := count(modifies) } diff --git a/docker/opa-policies/test_aws_ecr_repository.rego b/docker/opa-policies/test_aws_ecr_repository.rego index 724bffb..549c7da 100644 --- a/docker/opa-policies/test_aws_ecr_repository.rego 
+++ b/docker/opa-policies/test_aws_ecr_repository.rego @@ -1,52 +1,30 @@ package terraform.analysis -input_create_aws_ecr_repository = { - "resource_changes": [ - { - "change": { - "actions": [ - "create" - ] - }, - "type": "aws_ecr_repository" - } - ] -} +import rego.v1 -input_delete_aws_ecr_repository = { - "resource_changes": [ - { - "change": { - "actions": [ - "delete" - ] - }, - "type": "aws_ecr_repository" - } - ] -} +input_create_aws_ecr_repository := {"resource_changes": [{ + "change": {"actions": ["create"]}, + "type": "aws_ecr_repository", +}]} -input_update_aws_ecr_repository = { - "resource_changes": [ - { - "change": { - "actions": [ - "update" - ] - }, - "type": "aws_ecr_repository" - } - ] -} +input_delete_aws_ecr_repository := {"resource_changes": [{ + "change": {"actions": ["delete"]}, + "type": "aws_ecr_repository", +}]} -test_create_aws_ecr_repository { - authz with input as input_create_aws_ecr_repository +input_update_aws_ecr_repository := {"resource_changes": [{ + "change": {"actions": ["update"]}, + "type": "aws_ecr_repository", +}]} + +test_create_aws_ecr_repository if { + authz with input as input_create_aws_ecr_repository } -test_delete_aws_ecr_repository { - not authz with input as input_delete_aws_ecr_repository +test_delete_aws_ecr_repository if { + not authz with input as input_delete_aws_ecr_repository } -test_update_aws_ecr_repository { - authz with input as input_update_aws_ecr_repository -} \ No newline at end of file +test_update_aws_ecr_repository if { + authz with input as input_update_aws_ecr_repository +} diff --git a/docker/opa-policies/test_aws_eks_cluster.rego b/docker/opa-policies/test_aws_eks_cluster.rego index c09c79f..a8803ce 100644 --- a/docker/opa-policies/test_aws_eks_cluster.rego +++ b/docker/opa-policies/test_aws_eks_cluster.rego 
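Review bot: The rewritten tests still cover only single-action plans (`create`, `delete`, `update`); none exercises a replace (`"actions": ["delete", "create"]`), a resource type absent from `weights`, or a plan whose summed score crosses `blast_radius`, which are the paths that actually decide `authz`. The same applies to the eks, s3 and vpc test files that follow. One shared test with a mixed plan would pin the scoring behaviour rather than only the per-type weights.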
@@ -1,52 +1,30 @@ package terraform.analysis -input_create_aws_eks_cluster = { - "resource_changes": [ - { - "change": { - "actions": [ - "create" - ] - }, - "type": "aws_eks_cluster" - } - ] -} +import rego.v1 -input_delete_aws_eks_cluster = { - "resource_changes": [ - { - "change": { - "actions": [ - "delete" - ] - }, - "type": "aws_eks_cluster" - } - ] -} +input_create_aws_eks_cluster := {"resource_changes": [{ + "change": {"actions": ["create"]}, + "type": "aws_eks_cluster", +}]} -input_update_aws_eks_cluster = { - "resource_changes": [ - { - "change": { - "actions": [ - "update" - ] - }, - "type": "aws_eks_cluster" - } - ] -} +input_delete_aws_eks_cluster := {"resource_changes": [{ + "change": {"actions": ["delete"]}, + "type": "aws_eks_cluster", +}]} -test_create_aws_eks_cluster { - authz with input as input_create_aws_eks_cluster +input_update_aws_eks_cluster := {"resource_changes": [{ + "change": {"actions": ["update"]}, + "type": "aws_eks_cluster", +}]} + +test_create_aws_eks_cluster if { + authz with input as input_create_aws_eks_cluster } -test_delete_aws_eks_cluster { - not authz with input as input_delete_aws_eks_cluster +test_delete_aws_eks_cluster if { + not authz with input as input_delete_aws_eks_cluster } -test_update_aws_eks_cluster { - authz with input as input_update_aws_eks_cluster -} \ No newline at end of file +test_update_aws_eks_cluster if { + authz with input as input_update_aws_eks_cluster +} diff --git a/docker/opa-policies/test_aws_s3_bucket.rego b/docker/opa-policies/test_aws_s3_bucket.rego index 4e15971..009fd62 100644 --- a/docker/opa-policies/test_aws_s3_bucket.rego +++ b/docker/opa-policies/test_aws_s3_bucket.rego 
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_aws_s3_bucket = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "aws_s3_bucket"
- }
- ]
-}
+import rego.v1
 
-input_delete_aws_s3_bucket = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "aws_s3_bucket"
- }
- ]
-}
+input_create_aws_s3_bucket := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "aws_s3_bucket",
+}]}
 
-input_update_aws_s3_bucket = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "aws_s3_bucket"
- }
- ]
-}
+input_delete_aws_s3_bucket := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "aws_s3_bucket",
+}]}
 
-test_create_aws_s3_bucket {
- authz with input as input_create_aws_s3_bucket
+input_update_aws_s3_bucket := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "aws_s3_bucket",
+}]}
+
+test_create_aws_s3_bucket if {
+ authz with input as input_create_aws_s3_bucket
 }
 
-test_delete_aws_s3_bucket {
- not authz with input as input_delete_aws_s3_bucket
+test_delete_aws_s3_bucket if {
+ not authz with input as input_delete_aws_s3_bucket
 }
 
-test_update_aws_s3_bucket {
- authz with input as input_update_aws_s3_bucket
-}
\ No newline at end of file
+test_update_aws_s3_bucket if {
+ authz with input as input_update_aws_s3_bucket
+}
diff --git a/docker/opa-policies/test_aws_vpc.rego b/docker/opa-policies/test_aws_vpc.rego
index c06869d..08b270d 100644
--- a/docker/opa-policies/test_aws_vpc.rego
+++ b/docker/opa-policies/test_aws_vpc.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_aws_vpc = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "aws_vpc"
- }
- ]
-}
+import rego.v1
 
-input_delete_aws_vpc = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "aws_vpc"
- }
- ]
-}
+input_create_aws_vpc := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "aws_vpc",
+}]}
 
-input_update_aws_vpc = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "aws_vpc"
- }
- ]
-}
+input_delete_aws_vpc := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "aws_vpc",
+}]}
 
-test_create_aws_vpc {
- authz with input as input_create_aws_vpc
+input_update_aws_vpc := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "aws_vpc",
+}]}
+
+test_create_aws_vpc if {
+ authz with input as input_create_aws_vpc
 }
 
-test_delete_aws_vpc {
- not authz with input as input_delete_aws_vpc
+test_delete_aws_vpc if {
+ not authz with input as input_delete_aws_vpc
 }
 
-test_update_aws_vpc {
- authz with input as input_update_aws_vpc
-}
\ No newline at end of file
+test_update_aws_vpc if {
+ authz with input as input_update_aws_vpc
+}
diff --git a/docker/opa-policies/test_azuread_application_password.rego b/docker/opa-policies/test_azuread_application_password.rego
index b82427f..2b16683 100644
--- a/docker/opa-policies/test_azuread_application_password.rego
+++ b/docker/opa-policies/test_azuread_application_password.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_azuread_application_password = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "azuread_application_password"
- }
- ]
-}
+import rego.v1
 
-input_delete_azuread_application_password = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "azuread_application_password"
- }
- ]
-}
+input_create_azuread_application_password := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "azuread_application_password",
+}]}
 
-input_update_azuread_application_password = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "azuread_application_password"
- }
- ]
-}
+input_delete_azuread_application_password := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "azuread_application_password",
+}]}
 
-test_create_azuread_application_password {
- authz with input as input_create_azuread_application_password
+input_update_azuread_application_password := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "azuread_application_password",
+}]}
+
+test_create_azuread_application_password if {
+ authz with input as input_create_azuread_application_password
 }
 
-test_delete_azuread_application_password {
- not authz with input as input_delete_azuread_application_password
+test_delete_azuread_application_password if {
+ not authz with input as input_delete_azuread_application_password
 }
 
-test_update_azuread_application_password {
- not authz with input as input_update_azuread_application_password
-}
\ No newline at end of file
+test_update_azuread_application_password if {
+ not authz with input as input_update_azuread_application_password
+}
diff --git a/docker/opa-policies/test_azuread_group.rego b/docker/opa-policies/test_azuread_group.rego
index a195f38..c987d09 100644
--- a/docker/opa-policies/test_azuread_group.rego
+++ b/docker/opa-policies/test_azuread_group.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_azuread_group = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "azuread_group"
- }
- ]
-}
+import rego.v1
 
-input_delete_azuread_group = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "azuread_group"
- }
- ]
-}
+input_create_azuread_group := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "azuread_group",
+}]}
 
-input_update_azuread_group = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "azuread_group"
- }
- ]
-}
+input_delete_azuread_group := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "azuread_group",
+}]}
 
-test_create_azuread_group {
- authz with input as input_create_azuread_group
+input_update_azuread_group := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "azuread_group",
+}]}
+
+test_create_azuread_group if {
+ authz with input as input_create_azuread_group
 }
 
-test_delete_azuread_group {
- not authz with input as input_delete_azuread_group
+test_delete_azuread_group if {
+ not authz with input as input_delete_azuread_group
 }
 
-test_update_azuread_group {
- authz with input as input_update_azuread_group
-}
\ No newline at end of file
+test_update_azuread_group if {
+ authz with input as input_update_azuread_group
+}
diff --git a/docker/opa-policies/test_azurerm_container_registry.rego b/docker/opa-policies/test_azurerm_container_registry.rego
index 7fe91ae..ba54d44 100644
--- a/docker/opa-policies/test_azurerm_container_registry.rego
+++ b/docker/opa-policies/test_azurerm_container_registry.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_azurerm_container_registry = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "azurerm_container_registry"
- }
- ]
-}
+import rego.v1
 
-input_delete_azurerm_container_registry = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "azurerm_container_registry"
- }
- ]
-}
+input_create_azurerm_container_registry := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "azurerm_container_registry",
+}]}
 
-input_update_azurerm_container_registry = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "azurerm_container_registry"
- }
- ]
-}
+input_delete_azurerm_container_registry := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "azurerm_container_registry",
+}]}
 
-test_create_azurerm_container_registry {
- authz with input as input_create_azurerm_container_registry
+input_update_azurerm_container_registry := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "azurerm_container_registry",
+}]}
+
+test_create_azurerm_container_registry if {
+ authz with input as input_create_azurerm_container_registry
 }
 
-test_delete_azurerm_container_registry {
- not authz with input as input_delete_azurerm_container_registry
+test_delete_azurerm_container_registry if {
+ not authz with input as input_delete_azurerm_container_registry
 }
 
-test_update_azurerm_container_registry {
- authz with input as input_update_azurerm_container_registry
-}
\ No newline at end of file
+test_update_azurerm_container_registry if {
+ authz with input as input_update_azurerm_container_registry
+}
diff --git a/docker/opa-policies/test_azurerm_kubernetes_cluster.rego b/docker/opa-policies/test_azurerm_kubernetes_cluster.rego
index 75c9a29..eda4849 100644
--- a/docker/opa-policies/test_azurerm_kubernetes_cluster.rego
+++ b/docker/opa-policies/test_azurerm_kubernetes_cluster.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_azurerm_kubernetes_cluster = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "azurerm_kubernetes_cluster"
- }
- ]
-}
+import rego.v1
 
-input_delete_azurerm_kubernetes_cluster = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "azurerm_kubernetes_cluster"
- }
- ]
-}
+input_create_azurerm_kubernetes_cluster := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "azurerm_kubernetes_cluster",
+}]}
 
-input_update_azurerm_kubernetes_cluster = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "azurerm_kubernetes_cluster"
- }
- ]
-}
+input_delete_azurerm_kubernetes_cluster := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "azurerm_kubernetes_cluster",
+}]}
 
-test_create_azurerm_kubernetes_cluster {
- authz with input as input_create_azurerm_kubernetes_cluster
+input_update_azurerm_kubernetes_cluster := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "azurerm_kubernetes_cluster",
+}]}
+
+test_create_azurerm_kubernetes_cluster if {
+ authz with input as input_create_azurerm_kubernetes_cluster
 }
 
-test_delete_azurerm_kubernetes_cluster {
- not authz with input as input_delete_azurerm_kubernetes_cluster
+test_delete_azurerm_kubernetes_cluster if {
+ not authz with input as input_delete_azurerm_kubernetes_cluster
 }
 
-test_update_azurerm_kubernetes_cluster {
- authz with input as input_update_azurerm_kubernetes_cluster
-}
\ No newline at end of file
+test_update_azurerm_kubernetes_cluster if {
+ authz with input as input_update_azurerm_kubernetes_cluster
+}
diff --git a/docker/opa-policies/test_azurerm_resource_group.rego b/docker/opa-policies/test_azurerm_resource_group.rego
index 3b49b1b..faf9407 100644
--- a/docker/opa-policies/test_azurerm_resource_group.rego
+++ b/docker/opa-policies/test_azurerm_resource_group.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_azurerm_resource_group = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "azurerm_resource_group"
- }
- ]
-}
+import rego.v1
 
-input_delete_azurerm_resource_group = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "azurerm_resource_group"
- }
- ]
-}
+input_create_azurerm_resource_group := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "azurerm_resource_group",
+}]}
 
-input_update_azurerm_resource_group = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "azurerm_resource_group"
- }
- ]
-}
+input_delete_azurerm_resource_group := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "azurerm_resource_group",
+}]}
 
-test_create_azurerm_resource_group {
- authz with input as input_create_azurerm_resource_group
+input_update_azurerm_resource_group := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "azurerm_resource_group",
+}]}
+
+test_create_azurerm_resource_group if {
+ authz with input as input_create_azurerm_resource_group
 }
 
-test_delete_azurerm_resource_group {
- not authz with input as input_delete_azurerm_resource_group
+test_delete_azurerm_resource_group if {
+ not authz with input as input_delete_azurerm_resource_group
 }
 
-test_update_azurerm_resource_group {
- authz with input as input_update_azurerm_resource_group
-}
\ No newline at end of file
+test_update_azurerm_resource_group if {
+ authz with input as input_update_azurerm_resource_group
+}
diff --git a/docker/opa-policies/test_azurerm_storage_account.rego b/docker/opa-policies/test_azurerm_storage_account.rego
index 59d0858..bc88726 100644
--- a/docker/opa-policies/test_azurerm_storage_account.rego
+++ b/docker/opa-policies/test_azurerm_storage_account.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_azurerm_storage_account = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "azurerm_storage_account"
- }
- ]
-}
+import rego.v1
 
-input_delete_azurerm_storage_account = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "azurerm_storage_account"
- }
- ]
-}
+input_create_azurerm_storage_account := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "azurerm_storage_account",
+}]}
 
-input_update_azurerm_storage_account = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "azurerm_storage_account"
- }
- ]
-}
+input_delete_azurerm_storage_account := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "azurerm_storage_account",
+}]}
 
-test_create_azurerm_storage_account {
- authz with input as input_create_azurerm_storage_account
+input_update_azurerm_storage_account := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "azurerm_storage_account",
+}]}
+
+test_create_azurerm_storage_account if {
+ authz with input as input_create_azurerm_storage_account
 }
 
-test_delete_azurerm_storage_account {
- not authz with input as input_delete_azurerm_storage_account
+test_delete_azurerm_storage_account if {
+ not authz with input as input_delete_azurerm_storage_account
 }
 
-test_update_azurerm_storage_account {
- authz with input as input_update_azurerm_storage_account
-}
\ No newline at end of file
+test_update_azurerm_storage_account if {
+ authz with input as input_update_azurerm_storage_account
+}
diff --git a/docker/opa-policies/test_azurerm_user_assigned_identity.rego b/docker/opa-policies/test_azurerm_user_assigned_identity.rego
index ad8fa3d..0fe6464 100644
--- a/docker/opa-policies/test_azurerm_user_assigned_identity.rego
+++ b/docker/opa-policies/test_azurerm_user_assigned_identity.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_azurerm_user_assigned_identity = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "azurerm_user_assigned_identity"
- }
- ]
-}
+import rego.v1
 
-input_delete_azurerm_user_assigned_identity = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "azurerm_user_assigned_identity"
- }
- ]
-}
+input_create_azurerm_user_assigned_identity := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "azurerm_user_assigned_identity",
+}]}
 
-input_update_azurerm_user_assigned_identity = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "azurerm_user_assigned_identity"
- }
- ]
-}
+input_delete_azurerm_user_assigned_identity := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "azurerm_user_assigned_identity",
+}]}
 
-test_create_azurerm_user_assigned_identity {
- authz with input as input_create_azurerm_user_assigned_identity
+input_update_azurerm_user_assigned_identity := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "azurerm_user_assigned_identity",
+}]}
+
+test_create_azurerm_user_assigned_identity if {
+ authz with input as input_create_azurerm_user_assigned_identity
 }
 
-test_delete_azurerm_user_assigned_identity {
- not authz with input as input_delete_azurerm_user_assigned_identity
+test_delete_azurerm_user_assigned_identity if {
+ not authz with input as input_delete_azurerm_user_assigned_identity
 }
 
-test_update_azurerm_user_assigned_identity {
- not authz with input as input_update_azurerm_user_assigned_identity
-}
\ No newline at end of file
+test_update_azurerm_user_assigned_identity if {
+ not authz with input as input_update_azurerm_user_assigned_identity
+}
diff --git a/docker/opa-policies/test_azurerm_virtual_machine.rego b/docker/opa-policies/test_azurerm_virtual_machine.rego
index 4602868..d70104c 100644
--- a/docker/opa-policies/test_azurerm_virtual_machine.rego
+++ b/docker/opa-policies/test_azurerm_virtual_machine.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_azurerm_virtual_machine = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "azurerm_virtual_machine"
- }
- ]
-}
+import rego.v1
 
-input_delete_azurerm_virtual_machine = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "azurerm_virtual_machine"
- }
- ]
-}
+input_create_azurerm_virtual_machine := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "azurerm_virtual_machine",
+}]}
 
-input_update_azurerm_virtual_machine = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "azurerm_virtual_machine"
- }
- ]
-}
+input_delete_azurerm_virtual_machine := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "azurerm_virtual_machine",
+}]}
 
-test_create_azurerm_virtual_machine {
- authz with input as input_create_azurerm_virtual_machine
+input_update_azurerm_virtual_machine := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "azurerm_virtual_machine",
+}]}
+
+test_create_azurerm_virtual_machine if {
+ authz with input as input_create_azurerm_virtual_machine
 }
 
-test_delete_azurerm_virtual_machine {
- not authz with input as input_delete_azurerm_virtual_machine
+test_delete_azurerm_virtual_machine if {
+ not authz with input as input_delete_azurerm_virtual_machine
 }
 
-test_update_azurerm_virtual_machine {
- authz with input as input_update_azurerm_virtual_machine
-}
\ No newline at end of file
+test_update_azurerm_virtual_machine if {
+ authz with input as input_update_azurerm_virtual_machine
+}
diff --git a/docker/opa-policies/test_azurerm_virtual_network.rego b/docker/opa-policies/test_azurerm_virtual_network.rego
index edf8e62..998f801 100644
--- a/docker/opa-policies/test_azurerm_virtual_network.rego
+++ b/docker/opa-policies/test_azurerm_virtual_network.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_azurerm_virtual_network = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "azurerm_virtual_network"
- }
- ]
-}
+import rego.v1
 
-input_delete_azurerm_virtual_network = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "azurerm_virtual_network"
- }
- ]
-}
+input_create_azurerm_virtual_network := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "azurerm_virtual_network",
+}]}
 
-input_update_azurerm_virtual_network = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "azurerm_virtual_network"
- }
- ]
-}
+input_delete_azurerm_virtual_network := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "azurerm_virtual_network",
+}]}
 
-test_create_azurerm_virtual_network {
- authz with input as input_create_azurerm_virtual_network
+input_update_azurerm_virtual_network := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "azurerm_virtual_network",
+}]}
+
+test_create_azurerm_virtual_network if {
+ authz with input as input_create_azurerm_virtual_network
 }
 
-test_delete_azurerm_virtual_network {
- not authz with input as input_delete_azurerm_virtual_network
+test_delete_azurerm_virtual_network if {
+ not authz with input as input_delete_azurerm_virtual_network
 }
 
-test_update_azurerm_virtual_network {
- authz with input as input_update_azurerm_virtual_network
-}
\ No newline at end of file
+test_update_azurerm_virtual_network if {
+ authz with input as input_update_azurerm_virtual_network
+}
diff --git a/docker/opa-policies/test_fake_resource.rego b/docker/opa-policies/test_fake_resource.rego
index fc33700..56cc51d 100644
--- a/docker/opa-policies/test_fake_resource.rego
+++ b/docker/opa-policies/test_fake_resource.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_fake_resource = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "fake_resource"
- }
- ]
-}
+import rego.v1
 
-input_delete_fake_resource = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "fake_resource"
- }
- ]
-}
+input_create_fake_resource := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "fake_resource",
+}]}
 
-input_update_fake_resource = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "fake_resource"
- }
- ]
-}
+input_delete_fake_resource := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "fake_resource",
+}]}
 
-test_create_fake_resource {
- authz with input as input_create_fake_resource
+input_update_fake_resource := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "fake_resource",
+}]}
+
+test_create_fake_resource if {
+ authz with input as input_create_fake_resource
 }
 
-test_delete_fake_resource {
- not authz with input as input_delete_fake_resource
+test_delete_fake_resource if {
+ not authz with input as input_delete_fake_resource
 }
 
-test_update_fake_resource {
- authz with input as input_update_fake_resource
-}
\ No newline at end of file
+test_update_fake_resource if {
+ authz with input as input_update_fake_resource
+}
diff --git a/docker/opa-policies/test_helm_release.rego b/docker/opa-policies/test_helm_release.rego
index f62feed..53aadad 100644
--- a/docker/opa-policies/test_helm_release.rego
+++ b/docker/opa-policies/test_helm_release.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_helm_release = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "helm_release"
- }
- ]
-}
+import rego.v1
 
-input_delete_helm_release = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "helm_release"
- }
- ]
-}
+input_create_helm_release := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "helm_release",
+}]}
 
-input_update_helm_release = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "helm_release"
- }
- ]
-}
+input_delete_helm_release := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "helm_release",
+}]}
 
-test_create_helm_release {
- authz with input as input_create_helm_release
+input_update_helm_release := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "helm_release",
+}]}
+
+test_create_helm_release if {
+ authz with input as input_create_helm_release
 }
 
-test_delete_helm_release {
- not authz with input as input_delete_helm_release
+test_delete_helm_release if {
+ not authz with input as input_delete_helm_release
 }
 
-test_update_helm_release {
- authz with input as input_update_helm_release
-}
\ No newline at end of file
+test_update_helm_release if {
+ authz with input as input_update_helm_release
+}
diff --git a/docker/opa-policies/test_kubernetes_namespace.rego b/docker/opa-policies/test_kubernetes_namespace.rego
index f3e02ec..1de1079 100644
--- a/docker/opa-policies/test_kubernetes_namespace.rego
+++ b/docker/opa-policies/test_kubernetes_namespace.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_kubernetes_namespace = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "kubernetes_namespace"
- }
- ]
-}
+import rego.v1
 
-input_delete_kubernetes_namespace = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "kubernetes_namespace"
- }
- ]
-}
+input_create_kubernetes_namespace := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "kubernetes_namespace",
+}]}
 
-input_update_kubernetes_namespace = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "kubernetes_namespace"
- }
- ]
-}
+input_delete_kubernetes_namespace := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "kubernetes_namespace",
+}]}
 
-test_create_kubernetes_namespace {
- authz with input as input_create_kubernetes_namespace
+input_update_kubernetes_namespace := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "kubernetes_namespace",
+}]}
+
+test_create_kubernetes_namespace if {
+ authz with input as input_create_kubernetes_namespace
 }
 
-test_delete_kubernetes_namespace {
- not authz with input as input_delete_kubernetes_namespace
+test_delete_kubernetes_namespace if {
+ not authz with input as input_delete_kubernetes_namespace
 }
 
-test_update_kubernetes_namespace {
- authz with input as input_update_kubernetes_namespace
-}
\ No newline at end of file
+test_update_kubernetes_namespace if {
+ authz with input as input_update_kubernetes_namespace
+}
diff --git a/docker/opa-policies/test_kubernetes_service_account.rego b/docker/opa-policies/test_kubernetes_service_account.rego
index 62bf37f..258bd0f 100644
--- a/docker/opa-policies/test_kubernetes_service_account.rego
+++ b/docker/opa-policies/test_kubernetes_service_account.rego
@@ -1,52 +1,30 @@
 package terraform.analysis
 
-input_create_kubernetes_service_account = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "create"
- ]
- },
- "type": "kubernetes_service_account"
- }
- ]
-}
+import rego.v1
 
-input_delete_kubernetes_service_account = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "delete"
- ]
- },
- "type": "kubernetes_service_account"
- }
- ]
-}
+input_create_kubernetes_service_account := {"resource_changes": [{
+ "change": {"actions": ["create"]},
+ "type": "kubernetes_service_account",
+}]}
 
-input_update_kubernetes_service_account = {
- "resource_changes": [
- {
- "change": {
- "actions": [
- "update"
- ]
- },
- "type": "kubernetes_service_account"
- }
- ]
-}
+input_delete_kubernetes_service_account := {"resource_changes": [{
+ "change": {"actions": ["delete"]},
+ "type": "kubernetes_service_account",
+}]}
 
-test_create_kubernetes_service_account {
- authz with input as input_create_kubernetes_service_account
+input_update_kubernetes_service_account := {"resource_changes": [{
+ "change": {"actions": ["update"]},
+ "type": "kubernetes_service_account",
+}]}
+
+test_create_kubernetes_service_account if {
+ authz with input as input_create_kubernetes_service_account
 }
 
-test_delete_kubernetes_service_account {
- not authz with input as input_delete_kubernetes_service_account
+test_delete_kubernetes_service_account if {
+ not authz with input as input_delete_kubernetes_service_account
 }
 
-test_update_kubernetes_service_account {
- authz with input as input_update_kubernetes_service_account
-}
\ No newline at end of file
+test_update_kubernetes_service_account if {
+ authz with input as input_update_kubernetes_service_account
+}
diff --git a/docker/terraform.sh b/docker/terraform.sh
index c4be9ed..2aaeb4f 100755
--- a/docker/terraform.sh
+++ b/docker/terraform.sh
@@ -148,7 +148,6 @@ validate () {
 terraform validate
 terraform fmt .
 terraform fmt variables/
- tflint --init --config "/work/.tflint.d/.tflint.hcl"
 tflint --recursive --config="/work/.tflint.d/.tflint.hcl" --var-file="variables/${ENVIRONMENT}.tfvars" --var-file="variables/common.tfvars" --var-file="../global.tfvars"
 tfsec .
 }
From 26c03bdb03a5976d8eaf60077b524d0812e29d9f Mon Sep 17 00:00:00 2001
From: "Andre Anundsson (Xenit)"
Date: Thu, 10 Apr 2025 10:01:35 +0200
Subject: [PATCH 18/19] updated OPA Unit test
---
 .github/workflows/tools-opa-test.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/tools-opa-test.yaml b/.github/workflows/tools-opa-test.yaml
index 7b76d63..ddb60b3 100644
--- a/.github/workflows/tools-opa-test.yaml
+++ b/.github/workflows/tools-opa-test.yaml
@@ -8,9 +8,9 @@ jobs:
 uses: actions/checkout@v3
 
 - name: Setup OPA
- uses: open-policy-agent/setup-opa@v1
+ uses: open-policy-agent/setup-opa@v2
 with:
- version: 0.40.0
+ version: 1.3.0
 
 - name: Run OPA Tests
 run: opa test docker/opa-policies/ -v
From 8ac63e556d2773935e2b54678362321356a2c19a Mon Sep 17 00:00:00 2001
From: "Andre Anundsson (Xenit)"
Date: Thu, 10 Apr 2025 13:46:27 +0200
Subject: [PATCH 19/19] updated terrraform
---
 .github/workflows/container-build-template.yml | 17 +++++------------
 docker/Dockerfile | 2 +-
 docker/terraform.sh | 2 +-
 3 files changed, 7 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/container-build-template.yml b/.github/workflows/container-build-template.yml
index 2bee813..9a2d7c7 100644
--- a/.github/workflows/container-build-template.yml
+++ b/.github/workflows/container-build-template.yml
@@ -9,10 +9,6 @@ on:
 tag:
 type: string
 required: false
- registry:
- type: string
- required: false
- default: ghcr.io
 platforms:
 type: string
 required: false
@@ -29,25 +25,22 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
 
- - name: Convert Repository Name to Lowercase
- run: echo "REPO_LOWER=$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
-
 - name: Login to GitHub Container Registry
 if: ${{ inputs.push }}
 uses: docker/login-action@v3
 with:
- registry: ${{ inputs.registry }}
+ registry: ghcr.io
 username: ${{ github.actor }}
- password: ${{ secrets.token }}
+ password: ${{ secrets.GITHUB_TOKEN }}
 
 - name: Build and push container image
 id: build-push
 uses: docker/build-push-action@v6
 with:
- cache-from: "${{ inputs.registry }}/${{ env.REPO_LOWER }}/tools:latest"
+ cache-from: "ghcr.io/${{ github.repository }}/tools:latest"
 file: docker/Dockerfile
 context: docker
- tags: "${{ inputs.registry }}/${{ env.REPO_LOWER }}/tools:${{ inputs.tag }}"
+ tags: "ghcr.io/${{ github.repository_owner }}/${{ github.repository }}/tools:${{ inputs.tag }}"
 platforms: ${{ inputs.platforms }}
 push: ${{ inputs.push }}
 
@@ -55,6 +48,6 @@ jobs:
 if: ${{ inputs.push }}
 uses: actions/attest-build-provenance@v2
 with:
- subject-name: ${{ inputs.registry }}/${{ env.REPO_LOWER }}
+ subject-name: ghcr.io/${{ github.repository }}
 subject-digest: ${{ steps.build-push.outputs.digest }}
 push-to-registry: true
\ No newline at end of file
diff --git a/docker/Dockerfile b/docker/Dockerfile
index ff80a8b..ab6d0b1 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -38,7 +38,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash
 
 # Install Terraform
-RUN TERRAFORM_VERSION="1.11.3" && \
+RUN TERRAFORM_VERSION="1.11.4" && \
 curl -L -o terraform.zip "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_${TARGETARCH}.zip" && \
 unzip terraform.zip -d /usr/local/bin && \
 rm terraform.zip
diff --git a/docker/terraform.sh b/docker/terraform.sh
index 2aaeb4f..a374373 100755
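Review bot: The new `tags:` value in the build-push step prefixes `${{ github.repository }}` (already `owner/repo`) with `${{ github.repository_owner }}`, so the pushed reference becomes `ghcr.io/OWNER/OWNER/repo/tools:…`, which matches neither the `cache-from` reference two lines above it nor the attestation `subject-name: ghcr.io/${{ github.repository }}` in the second hunk of this file; `tags: "ghcr.io/${{ github.repository }}/tools:${{ inputs.tag }}"` keeps the three consistent. Dropping the `REPO_LOWER` step reintroduces the problem it existed for: `github.repository` keeps the owner's capitalisation while image references must be lowercase, so the push and the provenance subject will be rejected for any owner with uppercase letters unless the name is lowercased again (the removed `tr '[:upper:]' '[:lower:]'` step, or a metadata step that normalises the name). Even with the tag fixed, `subject-name` names the repository rather than the `/tools` image, so the attestation will presumably not bind to the digest that was pushed.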
--- a/docker/terraform.sh
+++ b/docker/terraform.sh
@@ -148,7 +148,7 @@ validate () {
 terraform validate
 terraform fmt .
 terraform fmt variables/
- tflint --recursive --config="/work/.tflint.d/.tflint.hcl" --var-file="variables/${ENVIRONMENT}.tfvars" --var-file="variables/common.tfvars" --var-file="../global.tfvars"
+ tflint --config="/work/.tflint.d/.tflint.hcl" --var-file="variables/${ENVIRONMENT}.tfvars" --var-file="variables/common.tfvars" --var-file="../global.tfvars"
 tfsec .
 }
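Review bot: Dropping `--recursive` narrows tflint to the root module only, so any module directories beneath it are no longer linted by `validate`, and nothing in the hunk records why. If the motivation is that tflint resolves the `--var-file` paths relative to each module directory under `--recursive` (where `variables/…` would not exist), a comment such as `# no --recursive: tflint resolves --var-file paths per module, so nested modules are not linted here` would stop the flag from being silently re-added, and a separate invocation without var-files could restore coverage of nested modules. The enclosing `validate ()` function opens before the hunk.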