From a7a0d192a50253c0da853d4b95e9c93caf850713 Mon Sep 17 00:00:00 2001
From: shanice-skylight
Date: Tue, 17 Dec 2024 00:31:05 -0500
Subject: [PATCH 1/2] added gitub actions to run terraform plan, terraform apply, tflint, and trivy
---
 .github/workflows/ecs_deployment_apply.yaml | 84 +++++++++++++++++++++
 .github/workflows/ecs_deployment_plan.yaml | 82 ++++++++++++++++++++
 .github/workflows/tflint.yaml | 53 +++++++++++++
 .github/workflows/trivy.yaml | 31 ++++++++
 .gitignore | 4 +
 5 files changed, 254 insertions(+)
 create mode 100644 .github/workflows/ecs_deployment_apply.yaml
 create mode 100644 .github/workflows/ecs_deployment_plan.yaml
 create mode 100644 .github/workflows/tflint.yaml
 create mode 100644 .github/workflows/trivy.yaml
diff --git a/.github/workflows/ecs_deployment_apply.yaml b/.github/workflows/ecs_deployment_apply.yaml
new file mode 100644
index 000000000..56867ccdd
--- /dev/null
+++ b/.github/workflows/ecs_deployment_apply.yaml
@@ -0,0 +1,84 @@
+name: Terraform Apply
+run-name: Terraform apply ${{ inputs.workspace }} by @${{ github.actor }}
+
+on:
+ workflow_dispatch:
+ inputs:
+ workspace:
+ description: "The workspace to terraform against"
+ required: true
+ type: choice
+ options:
+ - dev
+ - prod
+
+concurrency:
+ group: ${{ github.event.inputs.workspace }}-terraform
+ cancel-in-progress: false
+
+permissions:
+ id-token: write
+ contents: read
+
+env:
+ workspace: ${{ github.event.inputs.workspace }}
+ terraform_action: apply
+
+jobs:
+ terraform:
+ name: Run Terraform
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ shell: bash
+ # this may need to be updated if you change the directory you are working with
+ # ./terraform/implementation/dev || ./terraform/implementation/prod for example
+ # this practice is recommended to keep the terraform code organized while reducing the risk of conflicts
+ working-directory: ./terraform/implementation/ecs
+ steps:
+ - name: Check Out Changes
+ uses: actions/checkout@v4
+
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: "1.9.8"
+
+ - name: configure aws credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+ role-session-name: githubDeploymentWorkflow
+ aws-region: ${{ vars.AWS_REGION }}
+
+ - name: Terraform
+ env:
+ ACTION: ${{ env.terraform_action }}
+ BUCKET: ${{ secrets.TFSTATE_BUCKET }}
+ DYNAMODB_TABLE: ${{ secrets.TFSTATE_DYNAMODB_TABLE }}
+ OWNER: ${{ vars.OWNER }}
+ PROJECT: ${{ vars.PROJECT }}
+ REGION: ${{ vars.AWS_REGION }}
+ WORKSPACE: ${{ env.workspace }}
+ UMLS_API_KEY: ${{ secrets.UMLS_API_KEY }}
+ ERSD_API_KEY: ${{ secrets.ERSD_API_KEY}}
+ TLS_CERT: ${{ secrets.TLS_CERT}}
+ TLS_KEY: ${{ secrets.TLS_KEY}}
+ shell: bash
+ run: |
+ echo "owner = \"$OWNER\"" >> $WORKSPACE.tfvars
+ echo "project = \"$PROJECT\"" >> $WORKSPACE.tfvars
+ echo "region = \"$REGION\"" >> $WORKSPACE.tfvars
+ terraform init \
+ -var-file="$WORKSPACE.tfvars" \
+ -backend-config "bucket=$BUCKET" \
+ -backend-config "dynamodb_table=$DYNAMODB_TABLE" \
+ -backend-config "region=$REGION" \
+ || (echo "terraform init failed, exiting..." && exit 1)
+ terraform workspace select "$WORKSPACE"
+ terraform apply -auto-approve \
+ -var-file="$WORKSPACE.tfvars" \
+ -var "umls_api_key=${UMLS_API_KEY}" \
+ -var "ersd_api_key=${ERSD_API_KEY}" \
+ -var "qc_tls_key=${TLS_KEY}" \
+ -var "qc_tls_cert"=${TLS_CERT}" \
\ No newline at end of file
diff --git a/.github/workflows/ecs_deployment_plan.yaml b/.github/workflows/ecs_deployment_plan.yaml
new file mode 100644
index 000000000..dceee0e91
--- /dev/null
+++ b/.github/workflows/ecs_deployment_plan.yaml
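Review bot: The last line of the apply step, `-var "qc_tls_cert"=${TLS_CERT}" \`, has a misplaced double quote (the closing quote sits before `=`, leaving the final `"` unmatched) and a trailing `\` with nothing after it, so bash will reject the whole `run` script and no apply can succeed; it should read `-var "qc_tls_cert=${TLS_CERT}"` with no trailing backslash. Since this workflow can apply to `prod` on a manual dispatch and holds `id-token: write`, I would also add `environment: ${{ inputs.workspace }}` to the job so prod applies go through environment protection rules (required reviewers) and the OIDC role's trust policy can be scoped to `environment:prod` rather than to any `workflow_dispatch` run in the repo. Passing `UMLS_API_KEY`, `ERSD_API_KEY` and `TLS_KEY` via `-var` puts them in the process argument list and in any Terraform error or trace output; exporting them as `TF_VAR_umls_api_key`, `TF_VAR_ersd_api_key`, `TF_VAR_qc_tls_key` in the step's `env:` and dropping the `-var` flags keeps them off the command line. The actions are pinned to floating major tags (`@v4`, `@v3`); pinning to commit SHAs is the usual hardening for a job that obtains cloud credentials.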
@@ -0,0 +1,82 @@
+name: Terraform Plan
+run-name: Terraform plan ${{ inputs.workspace }} by @${{ github.actor }}
+
+on:
+ workflow_dispatch:
+ inputs:
+ workspace:
+ description: "The workspace to terraform against"
+ required: true
+ type: string
+ default: "dev"
+
+concurrency:
+ group: ${{ github.event.inputs.workspace }}-terraform
+ cancel-in-progress: false
+
+permissions:
+ id-token: write
+ contents: read
+
+env:
+ workspace: ${{ github.event.inputs.workspace }}
+ terraform_action: plan
+
+jobs:
+ terraform:
+ name: Run Terraform
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ shell: bash
+ # this may need to be updated if you change the directory you are working with
+ # ./terraform/implementation/dev || ./terraform/implementation/prod for example
+ # this practice is recommended to keep the terraform code organized while reducing the risk of conflicts
+ working-directory: ./terraform/implementation/ecs
+ steps:
+ - name: Check Out Changes
+ uses: actions/checkout@v4
+
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: "1.9.8"
+
+ - name: configure aws credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+ role-session-name: githubDeploymentWorkflow
+ aws-region: ${{ secrets.AWS_REGION }}
+
+ - name: Terraform
+ env:
+ ACTION: ${{ env.terraform_action }}
+ BUCKET: ${{ secrets.TFSTATE_BUCKET }}
+ DYNAMODB_TABLE: ${{ secrets.TFSTATE_DYNAMODB_TABLE }}
+ OWNER: ${{ vars.OWNER }}
+ PROJECT: ${{ vars.PROJECT }}
+ REGION: ${{ vars.region }}
+ WORKSPACE: ${{ env.workspace }}
+ UMLS_API_KEY: ${{ secrets.UMLS_API_KEY }}
+ ERSD_API_KEY: ${{ secrets.ERSD_API_KEY}}
+ TLS_CERT: ${{ secrets.TLS_CERT}}
+ TLS_KEY: ${{ secrets.TLS_KEY}}
+ shell: bash
+ run: |
+ echo "owner = \"$OWNER\"" >> $WORKSPACE.tfvars
+ echo "project = \"$PROJECT\"" >> $WORKSPACE.tfvars
+ echo "region = \"$REGION\"" >> $WORKSPACE.tfvars
+ terraform init \
+ -var-file="$WORKSPACE.tfvars" \
+ 
-backend-config "bucket=$BUCKET" \
+ -backend-config "dynamodb_table=$DYNAMODB_TABLE" \
+ -backend-config "region=$REGION" \
+ || (echo "terraform init failed, exiting..." && exit 1)
+ terraform workspace select "$WORKSPACE"
+ terraform apply -auto-approve \
+ -var-file="$WORKSPACE.tfvars" \
+ -var "umls_api_key=${UMLS_API_KEY}" \
+ -var "ersd_api_key=${ERSD_API_KEY}" \
+ -var "qc_tls_key=${TLS_KEY}" \
+ -var "qc_tls_cert"=${TLS_CERT}" \
\ No newline at end of file
diff --git a/.github/workflows/tflint.yaml b/.github/workflows/tflint.yaml
new file mode 100644
index 000000000..0160d98db
--- /dev/null
+++ b/.github/workflows/tflint.yaml
@@ -0,0 +1,53 @@
+name: Terraform Linting
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ tflint:
+ runs-on: ubuntu-latest
+
+ strategy:
+ matrix:
+ dirs:
+ [
+ terraform/modules/oidc,
+ terraform/modules/tfstate,
+ terraform/implementation/setup,
+ terraform/implementation/ecs,
+ ]
+
+ steps:
+ - uses: actions/checkout@v4
+ name: Checkout source code
+
+ - uses: actions/cache@v4
+ name: Cache plugin dir
+ with:
+ path: ~/.tflint.d/plugins
+ key: ${{ matrix.dirs }}-tflint-${{ hashFiles('.tflint.hcl') }}
+
+ - uses: terraform-linters/setup-tflint@v4
+ name: Setup TFLint
+ with:
+ tflint_version: v0.52.0
+
+ - name: Show version
+ run: tflint --version
+
+ - name: Init TFLint
+ run: tflint --init
+ # If rate limiting becomes an issue, setup a GitHub token and enable it as an environment variable
+ # env:
+ # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+ # GITHUB_TOKEN: ${{ github.token }}
+
+ - name: Run TFLint
+ working-directory: ${{ github.workspace }}/${{matrix.dirs}}
+ run: tflint -f compact
\ No newline at end of file
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
new file mode 100644
index 000000000..b97071050
--- /dev/null
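Review bot: The plan workflow's Terraform step runs `terraform apply -auto-approve`, so dispatching "Terraform Plan" mutates infrastructure exactly like the apply workflow; the `terraform_action: plan` value is exported as `ACTION` but never read. The final command should be `terraform plan -input=false \` (keeping the `-var-file` and `-var` flags that follow), or the step should branch on `"$ACTION"`. The `workspace` input is a free-form `type: string` here while the apply workflow uses a `choice` of dev/prod, and the value is interpolated into `$WORKSPACE.tfvars` and `terraform workspace select`; using the same `choice` list keeps an arbitrary string from reaching the shell and the state backend. `REGION` reads `vars.region` while the credentials step reads `secrets.AWS_REGION` and the apply workflow reads `vars.AWS_REGION`; unless all of these are defined, the `region` written to the tfvars file and the backend `region` will be empty. The last `-var "qc_tls_cert"=${TLS_CERT}" \` line has the same unbalanced quote and dangling continuation as the apply workflow, so bash will reject this script as written.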
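Review bot: The tflint workflow declares no `permissions:` block, so on `push` to main and same-repo `pull_request` runs the `GITHUB_TOKEN` receives the repository's default scope, which may be read/write; a linter needs only `permissions:` / `contents: read` at the top level, as the two deployment workflows in this patch already do. The cache key hashes `.tflint.hcl` at the repository root, but `tflint` runs per matrix directory; if any directory carries its own `.tflint.hcl` with a different plugin set, the restored plugin dir will not match it — presumably there is a single root config, worth confirming. `actions/cache@v4` and `terraform-linters/setup-tflint@v4` are floating tags; pinning to commit SHAs is the usual hardening for CI that runs on every pull request.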
+++ b/.github/workflows/trivy.yaml
@@ -0,0 +1,31 @@
+name: Trivy Security Scan
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ trivy:
+ name: trivy
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ scan-type: "fs"
+ scan-ref: "terraform/modules/"
+ scanners: "vuln,secret,config"
+ ignore-unfixed: false
+ exit-code: "1"
+ format: "table"
+ severity: "CRITICAL,HIGH"
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index 7b750b314..b117f99d9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -84,3 +84,7 @@
 build/
 .env
 .local.env
+
+tmp_remote_image_*
+
+.terraform
\ No newline at end of file
From db64eb3f4e540683ea0203a9b4a9b5a824fac304 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Tue, 17 Dec 2024 05:33:36 +0000
Subject: [PATCH 2/2] [pre-commit.ci] auto fixes from pre-commit hooks
---
 .github/workflows/ecs_deployment_apply.yaml | 2 +-
 .github/workflows/ecs_deployment_plan.yaml | 2 +-
 .github/workflows/tflint.yaml | 2 +-
 .github/workflows/trivy.yaml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ecs_deployment_apply.yaml b/.github/workflows/ecs_deployment_apply.yaml
index 56867ccdd..23e862956 100644
--- a/.github/workflows/ecs_deployment_apply.yaml
+++ b/.github/workflows/ecs_deployment_apply.yaml
@@ -81,4 +81,4 @@ jobs:
 -var "umls_api_key=${UMLS_API_KEY}" \
 -var "ersd_api_key=${ERSD_API_KEY}" \
 -var "qc_tls_key=${TLS_KEY}" \
- -var "qc_tls_cert"=${TLS_CERT}" \
\ No newline at end of file
+ -var "qc_tls_cert"=${TLS_CERT}" \
diff --git a/.github/workflows/ecs_deployment_plan.yaml b/.github/workflows/ecs_deployment_plan.yaml
index dceee0e91..255c2413d 100644
--- a/.github/workflows/ecs_deployment_plan.yaml
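Review bot: `scan-ref: "terraform/modules/"` confines the scan to the modules, so `terraform/implementation/setup` and `terraform/implementation/ecs` — the directories tflint checks and the deployment workflows actually apply — are never run through the `config` misconfiguration scanner or the `secret` scanner; `scan-ref: "terraform/"` (or `"."` with `skip-dirs` for noisy paths) would cover the root modules as well. The workflow also has no `permissions:` block, so the token on PR and push runs gets the repository default scope; `permissions:` / `contents: read` is all a read-only scan needs. `aquasecurity/trivy-action@0.28.0` is a version tag rather than a commit SHA; for an action that executes on every pull request, pinning to the SHA is preferable.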
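Review bot: Ignoring `.terraform` keeps the provider cache out of the repo, but the state written by `terraform apply` is what typically ends up holding the API keys and TLS private key that the workflows pass in as variables; unless they are already ignored further up the file (only lines 84–86 are visible here), `*.tfstate` and `*.tfstate.backup` should be added alongside it, and `*.tfvars` as well since the workflows generate `$WORKSPACE.tfvars` at run time. `.terraform.lock.hcl` should stay committed so provider hashes remain pinned.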
+++ b/.github/workflows/ecs_deployment_plan.yaml
@@ -79,4 +79,4 @@ jobs:
 -var "umls_api_key=${UMLS_API_KEY}" \
 -var "ersd_api_key=${ERSD_API_KEY}" \
 -var "qc_tls_key=${TLS_KEY}" \
- -var "qc_tls_cert"=${TLS_CERT}" \
\ No newline at end of file
+ -var "qc_tls_cert"=${TLS_CERT}" \
diff --git a/.github/workflows/tflint.yaml b/.github/workflows/tflint.yaml
index 0160d98db..24b9da671 100644
--- a/.github/workflows/tflint.yaml
+++ b/.github/workflows/tflint.yaml
@@ -50,4 +50,4 @@ jobs:
 - name: Run TFLint
 working-directory: ${{ github.workspace }}/${{matrix.dirs}}
- run: tflint -f compact
\ No newline at end of file
+ run: tflint -f compact
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index b97071050..3f1648119 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -28,4 +28,4 @@ jobs:
 ignore-unfixed: false
 exit-code: "1"
 format: "table"
- severity: "CRITICAL,HIGH"
\ No newline at end of file
+ severity: "CRITICAL,HIGH"