Merge pull request #1 from clouddrove/i-sec/sftp-270

I sec/sftp 270
clouddrove · Apr 13, 2023 · 2d34cf6 · 2d34cf6
2 parents b123811 + 432ab37
commit 2d34cf6
Show file tree

Hide file tree

Showing 24 changed files with 862 additions and 177 deletions.
diff --git a/.editorconfig b/.editorconfig
diff --git a/.github/workflows/readme.yaml b/.github/workflows/readme.yaml
@@ -0,0 +1,54 @@
+name: 'Create README.md file'
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  readme-create:
+    name: 'readme-create'
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout'
+        uses: actions/checkout@v2.3.4
+
+      - name: 'Set up Python 3.7'
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.x'
+
+      - name: 'create readme'
+        uses: 'clouddrove/github-actions@v8.0'
+        with:
+          actions_subcommand: 'readme'
+          github_token: '${{ secrets.GITHUB}}'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}}
+
+
+      - name: 'pre-commit check errors'
+        uses: pre-commit/action@v2.0.0
+        continue-on-error: true
+
+      - name: 'pre-commit fix errors'
+        uses: pre-commit/action@v2.0.0
+        continue-on-error: true
+
+      - name: 'push readme'
+        uses: 'clouddrove/github-actions@v8.0'
+        continue-on-error: true
+        with:
+          actions_subcommand: 'push'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}}
+
+      - name: 'Slack Notification'
+        uses: clouddrove/action-slack@v2
+        with:
+          status: ${{ job.status }}
+          fields: repo,author
+          author_name: 'CloudDrove'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # required
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_TERRAFORM }} # required
+        if: always()
diff --git a/.github/workflows/semantic-releaser.yml b/.github/workflows/semantic-releaser.yml
diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml
diff --git a/.github/workflows/static-checks.yml → .github/workflows/terraform.yml b/.github/workflows/static-checks.yml → .github/workflows/terraform.yml
@@ -19,6 +19,7 @@ jobs:
       minVersion: ${{ steps.minMax.outputs.minVersion }}
       maxVersion: ${{ steps.minMax.outputs.maxVersion }}
 
+
   versionEvaluate:
     name: Evaluate Terraform versions
     runs-on: ubuntu-latest
@@ -30,7 +31,7 @@ jobs:
           - ${{ needs.versionExtract.outputs.minVersion }}
           - ${{ needs.versionExtract.outputs.maxVersion }}
         directory:
-          - _example/complete
+          - _example/
 
     steps:
       - name: Checkout
@@ -41,15 +42,25 @@ jobs:
         with:
           terraform_version: ${{ matrix.version }}
 
+      - name: 'Configure AWS Credentials'
+        uses: clouddrove/configure-aws-credentials@v1
+        with:
+          aws-access-key-id: ${{ secrets.TEST_AWS_ACCESS_KEY }}
+          aws-secret-access-key: ${{ secrets.TEST_AWS_ACCESS_SECRET_KEY }}
+          aws-region: us-east-2
+
       - name: Init & validate v${{ matrix.version }}
         run: |
           cd ${{ matrix.directory }}
           terraform init
           terraform validate
+          terraform plan -input=false -no-color
+
       - name: tflint
         uses: reviewdog/action-tflint@master
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          tflint_version: v0.29.0
+          github_token: ${{ secrets.GITHUB }}
           working_directory: ${{ matrix.directory }}
           fail_on_error: 'true'
           filter_mode: 'nofilter'
@@ -70,4 +81,4 @@ jobs:
           terraform_version: ${{ needs.versionExtract.outputs.maxVersion }}
 
       - name: Check Terraform format changes
-        run: terraform fmt --recursive -check=true
+        run: terraform fmt --recursive
diff --git a/.github/workflows/terratest.yml b/.github/workflows/terratest.yml
@@ -0,0 +1,40 @@
+name: 'Terratest GitHub Actions'
+on:
+  pull_request:
+    branches:
+      - master
+    types: [labeled]
+
+jobs:
+  Terratest:
+    name: 'Terratest'
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: 'Checkout'
+        uses: actions/checkout@v2.3.4
+
+      - name: 'Configure AWS Credentials'
+        uses: clouddrove/configure-aws-credentials@v1
+        with:
+          aws-access-key-id: ${{ secrets.TEST_AWS_ACCESS_KEY }}
+          aws-secret-access-key: ${{ secrets.TEST_AWS_ACCESS_SECRET_KEY }}
+          aws-region: us-east-2
+
+      - name: 'Terratest'
+        uses: 'clouddrove/github-actions@v8.0'
+        with:
+          actions_subcommand: 'terratest'
+          if: ${{ github.event.label.name == 'terratest' }}
+          tf_actions_working_dir: '_test'
+
+      - name: 'Slack Notification'
+        uses: clouddrove/action-slack@v2
+        with:
+          status: ${{ job.status }}
+          fields: repo,author
+          author_name: 'CloudDrove'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # required
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_TERRAFORM }} # required
+        if: always()
diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml
@@ -1,38 +1,29 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
 name: tfsec
-
 on:
-  push:
-    branches: [ "master" ]
   pull_request:
-    branches: [ "master" ]
-  schedule:
-    - cron: '17 13 * * 6'
 
 jobs:
   tfsec:
-    name: Run tfsec sarif report
+    name: tfsec sarif report
     runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
 
     steps:
       - name: Clone repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@master
 
-      - name: Run tfsec
-        uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f
+      - name: tfsec
+        uses: aquasecurity/tfsec-sarif-action@v0.1.0
         with:
           sarif_file: tfsec.sarif
+          working_directory: ./_example/
+          full_repo_scan: true
 
-      - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v2
-        with:
-          # Path to SARIF file relative to the root of the repository
-          sarif_file: tfsec.sarif
+      - name: 'Terraform security scan Advanced'
+        uses: triat/terraform-security-scan@v3.0.3
+        if: github.event_name == 'pull_request'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB}}
+          tfsec_actions_working_dir: ./_example/
+          tfsec_actions_comment: true
+          tfsec_output_format: sarif
+        continue-on-error: true
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,9 @@
+# ignored files
+*.tfstate
+*.tfstate.backup
+.terraform
+.idea
+*.iml
+*.terraform.lock.hcl
+/_test/go.mod
+/_test/go.sum
diff --git a/Makefile b/Makefile
@@ -0,0 +1,3 @@
+export GENIE_PATH ?= $(shell 'pwd')/../../../genie
+
+include $(GENIE_PATH)/Makefile