From c1881085050986a6bb3d299e87171c64bed102af Mon Sep 17 00:00:00 2001 From: shivani-sumo Date: Wed, 3 Apr 2024 15:20:13 +0530 Subject: [PATCH 01/13] SUMO-238066: TF github action --- .github/workflows/tf-test.yml | 64 +++++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 .github/workflows/tf-test.yml diff --git a/.github/workflows/tf-test.yml b/.github/workflows/tf-test.yml new file mode 100644 index 00000000..bcf12bb1 --- /dev/null +++ b/.github/workflows/tf-test.yml @@ -0,0 +1,64 @@ +name: "TF template tests" +on: [workflow_dispatch, pull_request] + +jobs: + ValidateTF: + runs-on: ubuntu-latest + name: "Validate Terraform module" + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: terraform validate + uses: dflook/terraform-validate@v1 + with: + path: my-terraform-config + + ValidateLinting: + runs-on: ${{ matrix.os }} + name: "Terraform template linting verification" + + strategy: + matrix: + os: [ubuntu-latest, macos-latest, windows-latest] + + steps: + - uses: actions/checkout@v4 + name: Checkout source code + + - uses: actions/cache@v4 + name: Cache plugin dir + with: + path: ~/.tflint.d/plugins + key: ${{ matrix.os }}-tflint-${{ hashFiles('.tflint.hcl') }} + + - uses: terraform-linters/setup-tflint@v4 + name: Setup TFLint + with: + tflint_version: v0.50.3 + + - name: Show version + run: tflint --version + + - name: Init TFLint + run: tflint --init + env: + GITHUB_TOKEN: '' + + - name: Run TFLint + run: tflint -f compact + + TFSecurityChecks: + name: "terraform template tests using checkov" + runs-on: "ubuntu-latest" + steps: + - name: Checkout repo + uses: actions/checkout@v3 + + - uses: bridgecrewio/checkov-action@master + with: + directory: 'aws-observability-terraform/' + quiet: true + framework: terraform + output_format: cli + output_bc_ids: false \ No newline at end of file From b54a4d7a88bc6302600797a704d11df47c2265a2 Mon Sep 17 00:00:00 2001 
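Review bot: The TFSecurityChecks job runs `uses: bridgecrewio/checkov-action@master`, a mutable branch ref, inside a workflow triggered on every `pull_request`, so whatever is on that branch at run time executes against the checkout; pin it to a release tag or, better, a full commit SHA, and while at it unify the checkouts, which are `actions/checkout@v3` in two jobs and `@v4` in the third for no visible reason. The workflow also declares no `permissions:` block, so the GITHUB_TOKEN gets the repository default; none of the three jobs does more than read the tree, so add a top-level `permissions:` with `contents: read`. The `GITHUB_TOKEN: ''` env on the `tflint --init` step blanks the token (presumably to keep it out of the plugin download), which turns that download into an unauthenticated GitHub API call that is subject to the anonymous rate limit; with read-only workflow permissions the default token is the usual trade-off and avoids intermittent init failures.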
From: shivani-sumo Date: Wed, 3 Apr 2024 15:40:54 +0530 Subject: [PATCH 02/13] SUMO-238066: Update in Validate Terraform module --- .github/workflows/tf-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tf-test.yml b/.github/workflows/tf-test.yml index bcf12bb1..efe8c009 100644 --- a/.github/workflows/tf-test.yml +++ b/.github/workflows/tf-test.yml @@ -12,7 +12,7 @@ jobs: - name: terraform validate uses: dflook/terraform-validate@v1 with: - path: my-terraform-config + directory: 'aws-observability-terraform/' ValidateLinting: runs-on: ${{ matrix.os }} From 039b9138e9621767b2bde5e89b1b1208ae16db12 Mon Sep 17 00:00:00 2001 From: shivani-sumo Date: Thu, 4 Apr 2024 11:06:56 +0530 Subject: [PATCH 03/13] SUMO-238066: review changes --- .github/workflows/tf-test.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/tf-test.yml b/.github/workflows/tf-test.yml index efe8c009..18de84a7 100644 --- a/.github/workflows/tf-test.yml +++ b/.github/workflows/tf-test.yml @@ -12,7 +12,7 @@ jobs: - name: terraform validate uses: dflook/terraform-validate@v1 with: - directory: 'aws-observability-terraform/' + directory: aws-observability-terraform/ ValidateLinting: runs-on: ${{ matrix.os }} @@ -20,7 +20,7 @@ jobs: strategy: matrix: - os: [ubuntu-latest, macos-latest, windows-latest] + os: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -61,4 +61,5 @@ jobs: quiet: true framework: terraform output_format: cli - output_bc_ids: false \ No newline at end of file + output_bc_ids: false + download_external_modules: true \ No newline at end of file From b8240d164863bf0dd298d92c8fbc14f556e67298 Mon Sep 17 00:00:00 2001 From: shivani-sumo Date: Thu, 4 Apr 2024 11:09:44 +0530 Subject: [PATCH 04/13] SUMO-238066: review changes --- .github/workflows/tf-test.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) 
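Review bot: `download_external_modules: true` on the checkov step makes a PR-triggered job fetch every external module referenced under `aws-observability-terraform/` over the network before scanning, so the scan result now depends on what those remote sources serve at run time. That is fine for coverage, but it only yields a trustworthy result if the module sources are pinned to a registry version or git commit, which this diff does not let me verify; a comment on the line such as `# fetches remote modules on every run - keep module sources pinned` would record the dependency for the next reader.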
diff --git a/.github/workflows/tf-test.yml b/.github/workflows/tf-test.yml index 18de84a7..6c32ebd6 100644 --- a/.github/workflows/tf-test.yml +++ b/.github/workflows/tf-test.yml @@ -15,12 +15,9 @@ jobs: directory: aws-observability-terraform/ ValidateLinting: - runs-on: ${{ matrix.os }} + runs-on: ubuntu-latest name: "Terraform template linting verification" - strategy: - matrix: - os: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -30,7 +27,7 @@ jobs: name: Cache plugin dir with: path: ~/.tflint.d/plugins - key: ${{ matrix.os }}-tflint-${{ hashFiles('.tflint.hcl') }} + key: ubuntu-latest-tflint-${{ hashFiles('.tflint.hcl') }} - uses: terraform-linters/setup-tflint@v4 name: Setup TFLint From 92703913a2fcd06d51b2e84b37773bdd36b0cdd8 Mon Sep 17 00:00:00 2001 From: shivani-sumo Date: Thu, 4 Apr 2024 15:16:13 +0530 Subject: [PATCH 05/13] SUMO-238066: adding skip_check in TF --- .github/workflows/tf-test.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/tf-test.yml b/.github/workflows/tf-test.yml index 6c32ebd6..9204a449 100644 --- a/.github/workflows/tf-test.yml +++ b/.github/workflows/tf-test.yml @@ -59,4 +59,5 @@ jobs: framework: terraform output_format: cli output_bc_ids: false - download_external_modules: true \ No newline at end of file + download_external_modules: true + skip_check: CKV_AWS_26,CKV_AWS_35,CKV_AWS_67,CKV_AWS_36,CKV_AWS_252,CKV_AWS_158,CKV_AWS_338,CKV_AWS_117,CKV_AWS_115,CKV_AWS_173,CKV_AWS_50,CKV_AWS_241,CKV_AWS_240 \ No newline at end of file From 1311c898c42d3093243e29f9b20064e7048f06ab Mon Sep 17 00:00:00 2001 From: shivani-sumo Date: Thu, 4 Apr 2024 16:04:27 +0530 Subject: [PATCH 06/13] SUMO-238066: adding skip_check in TF --- .github/workflows/tf-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tf-test.yml b/.github/workflows/tf-test.yml index 9204a449..8d1142d6 100644 --- a/.github/workflows/tf-test.yml +++ b/.github/workflows/tf-test.yml 
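Review bot: The new `skip_check` line silences thirteen checks globally for the whole `aws-observability-terraform/` tree with no recorded reason, and from the IDs several appear to be encryption-at-rest and CloudTrail/CloudWatch logging controls, which are exactly the findings a security scan in CI exists to surface. Skips of that kind belong next to the resource as `# checkov:skip=CKV_AWS_26:<reason>` annotations, or in a `.checkov.yaml` with a comment per ID, so each exception is reviewed together with the code it covers instead of accumulating in the workflow. If they are intentional for a reusable module (settings the consumer is expected to supply), a `# TODO(security): justify each skipped check` above the line would at least flag it for follow-up.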
@@ -60,4 +60,4 @@ jobs: output_format: cli output_bc_ids: false download_external_modules: true - skip_check: CKV_AWS_26,CKV_AWS_35,CKV_AWS_67,CKV_AWS_36,CKV_AWS_252,CKV_AWS_158,CKV_AWS_338,CKV_AWS_117,CKV_AWS_115,CKV_AWS_173,CKV_AWS_50,CKV_AWS_241,CKV_AWS_240 \ No newline at end of file + skip_check: CKV_AWS_26,CKV_AWS_35,CKV_AWS_67,CKV_AWS_36,CKV_AWS_252,CKV_AWS_158,CKV_AWS_338,CKV_AWS_117,CKV_AWS_115,CKV_AWS_173,CKV_AWS_50,CKV_AWS_241,CKV_AWS_240,CKV2_AWS_6,CKV2_AWS_62,CKV_AWS_144,CKV_AWS_18,CKV_AWS_21,CKV_AWS_145,CKV_TF_1 \ No newline at end of file From b6297cee9eaca161034853fa421dced26afe1ca3 Mon Sep 17 00:00:00 2001 From: shivani-sumo Date: Thu, 4 Apr 2024 17:25:37 +0530 Subject: [PATCH 07/13] SUMO-238066: adding skip_check in TF --- .github/workflows/tf-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tf-test.yml b/.github/workflows/tf-test.yml index 8d1142d6..8dd7ecce 100644 --- a/.github/workflows/tf-test.yml +++ b/.github/workflows/tf-test.yml @@ -60,4 +60,4 @@ jobs: output_format: cli output_bc_ids: false download_external_modules: true - skip_check: CKV_AWS_26,CKV_AWS_35,CKV_AWS_67,CKV_AWS_36,CKV_AWS_252,CKV_AWS_158,CKV_AWS_338,CKV_AWS_117,CKV_AWS_115,CKV_AWS_173,CKV_AWS_50,CKV_AWS_241,CKV_AWS_240,CKV2_AWS_6,CKV2_AWS_62,CKV_AWS_144,CKV_AWS_18,CKV_AWS_21,CKV_AWS_145,CKV_TF_1 \ No newline at end of file + skip_check: CKV_AWS_26,CKV_AWS_35,CKV_AWS_67,CKV_AWS_36,CKV_AWS_252,CKV_AWS_158,CKV_AWS_338,CKV_AWS_117,CKV_AWS_115,CKV_AWS_173,CKV_AWS_50,CKV_AWS_241,CKV_AWS_240,CKV2_AWS_6,CKV2_AWS_62,CKV_AWS_144,CKV_AWS_18,CKV_AWS_21,CKV_AWS_145,CKV_TF_1,CKV_AWS_27,CKV_AWS_124,CKV2_AWS_10 \ No newline at end of file From 577eea82a5b2319ad61c052e2bdb6c7318742725 Mon Sep 17 00:00:00 2001 From: shivani-sumo Date: Thu, 4 Apr 2024 17:56:32 +0530 Subject: [PATCH 08/13] SUMO-238066: adding skip_check in TF --- .github/workflows/tf-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
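Review bot: Among the IDs this hunk appends to `skip_check` is `CKV_TF_1`, which as far as I recall is Checkov's rule that Terraform module sources be pinned to a commit hash; skipping it in the same step that sets `download_external_modules: true` means the job fetches remote modules on every PR run with no check on how they are pinned. I would keep `CKV_TF_1` out of the list, or if registry-version pinning is the project's policy, say so next to the line, e.g. `# CKV_TF_1 skipped: modules are pinned by registry version, not commit hash`. Note also that patch 09 is based on `index 6c32ebd6`, the tree before this run of skip_check edits, so it is unclear from the series whether this list survives into the final workflow.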
diff --git a/.github/workflows/tf-test.yml b/.github/workflows/tf-test.yml index 8dd7ecce..4995dd98 100644 --- a/.github/workflows/tf-test.yml +++ b/.github/workflows/tf-test.yml @@ -60,4 +60,4 @@ jobs: output_format: cli output_bc_ids: false download_external_modules: true - skip_check: CKV_AWS_26,CKV_AWS_35,CKV_AWS_67,CKV_AWS_36,CKV_AWS_252,CKV_AWS_158,CKV_AWS_338,CKV_AWS_117,CKV_AWS_115,CKV_AWS_173,CKV_AWS_50,CKV_AWS_241,CKV_AWS_240,CKV2_AWS_6,CKV2_AWS_62,CKV_AWS_144,CKV_AWS_18,CKV_AWS_21,CKV_AWS_145,CKV_TF_1,CKV_AWS_27,CKV_AWS_124,CKV2_AWS_10 \ No newline at end of file + skip_check: CKV_AWS_26,CKV_AWS_35,CKV_AWS_67,CKV_AWS_36,CKV_AWS_252,CKV_AWS_158,CKV_AWS_338,CKV_AWS_117,CKV_AWS_115,CKV_AWS_173,CKV_AWS_50,CKV_AWS_241,CKV_AWS_240,CKV2_AWS_6,CKV2_AWS_62,CKV_AWS_144,CKV_AWS_18,CKV_AWS_21,CKV_AWS_145,CKV_TF_1,CKV_AWS_27,CKV_AWS_124,CKV2_AWS_10,CKV_AWS_272,CKV2_AWS_61 \ No newline at end of file From f3c1ab5c24316e060e20d8cf1dc77b30e5101b7a Mon Sep 17 00:00:00 2001 From: shivani-sumo Date: Thu, 4 Apr 2024 18:41:22 +0530 Subject: [PATCH 09/13] SUMO-238066: review comment --- .github/workflows/tf-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tf-test.yml b/.github/workflows/tf-test.yml index 6c32ebd6..22c6705a 100644 --- a/.github/workflows/tf-test.yml +++ b/.github/workflows/tf-test.yml @@ -54,7 +54,7 @@ jobs: - uses: bridgecrewio/checkov-action@master with: - directory: 'aws-observability-terraform/' + path: 'aws-observability-terraform/' quiet: true framework: terraform output_format: cli From aee7494497ebd5f8d4c604c9e83e6c5cf5f3da16 Mon Sep 17 00:00:00 2001 From: shivani-sumo Date: Thu, 4 Apr 2024 18:42:16 +0530 Subject: [PATCH 10/13] SUMO-238066: review comment --- .github/workflows/tf-test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/tf-test.yml b/.github/workflows/tf-test.yml index 22c6705a..4a585c8e 100644 --- a/.github/workflows/tf-test.yml 
+++ b/.github/workflows/tf-test.yml @@ -12,7 +12,7 @@ jobs: - name: terraform validate uses: dflook/terraform-validate@v1 with: - directory: aws-observability-terraform/ + path: aws-observability-terraform/ ValidateLinting: runs-on: ubuntu-latest @@ -54,7 +54,7 @@ jobs: - uses: bridgecrewio/checkov-action@master with: - path: 'aws-observability-terraform/' + directory: 'aws-observability-terraform/' quiet: true framework: terraform output_format: cli From 6daf96f2a0db38fb9cb4b76e116b0c22e30d03f1 Mon Sep 17 00:00:00 2001 From: Himanshu Pal Date: Thu, 4 Apr 2024 19:00:15 +0530 Subject: [PATCH 11/13] added aws ruleset and added recursive --- .github/workflows/tf-test.yml | 14 ++++++++------ aws-observability-terraform/.tflint.hcl | 10 ++++++++++ 2 files changed, 18 insertions(+), 6 deletions(-) create mode 100644 aws-observability-terraform/.tflint.hcl diff --git a/.github/workflows/tf-test.yml b/.github/workflows/tf-test.yml index 4a585c8e..b841ec9b 100644 --- a/.github/workflows/tf-test.yml +++ b/.github/workflows/tf-test.yml @@ -4,7 +4,7 @@ on: [workflow_dispatch, pull_request] jobs: ValidateTF: runs-on: ubuntu-latest - name: "Validate Terraform module" + name: "Validate Terraform module for AWSO" steps: - name: Checkout uses: actions/checkout@v3 @@ -16,13 +16,15 @@ jobs: ValidateLinting: runs-on: ubuntu-latest - name: "Terraform template linting verification" - + name: "Terraform template linting verification for AWSO" steps: - uses: actions/checkout@v4 name: Checkout source code + - name: Change directory + run: cd aws-observability-terraform/ + - uses: actions/cache@v4 name: Cache plugin dir with: @@ -43,10 +45,10 @@ jobs: GITHUB_TOKEN: '' - name: Run TFLint - run: tflint -f compact + run: tflint --recursive -f checkstyle TFSecurityChecks: - name: "terraform template tests using checkov" + name: "terraform template tests using checkov for AWSO" runs-on: "ubuntu-latest" steps: - name: Checkout repo 
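Review bot: The new `Change directory` step runs `cd aws-observability-terraform/` in its own shell, so it has no effect on later steps: `tflint --init` and `tflint --recursive` still run from the repository root, and the cache key's `hashFiles('.tflint.hcl')` also looks at the root, where the file this patch adds does not exist, so the key will not change when the config changes. Replace the step with a job-level `defaults: run: working-directory: aws-observability-terraform` (or `working-directory:` on each tflint step) and point the cache at `hashFiles('aws-observability-terraform/.tflint.hcl')`. Whether a root-level recursive run would pick up the subdirectory config depends on the config lookup of the pinned tflint version, which I cannot confirm from here; running from the module directory removes the question.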
@@ -59,4 +61,4 @@ jobs: framework: terraform output_format: cli output_bc_ids: false - download_external_modules: true \ No newline at end of file + download_external_modules: true diff --git a/aws-observability-terraform/.tflint.hcl b/aws-observability-terraform/.tflint.hcl new file mode 100644 index 00000000..49948351 --- /dev/null +++ b/aws-observability-terraform/.tflint.hcl @@ -0,0 +1,10 @@ +plugin "aws" { + enabled = true + version = "0.30.0" + source = "github.com/terraform-linters/tflint-ruleset-aws" +} + +plugin "terraform" { + enabled = true + preset = "recommended" +} From 56bc7537ea6867c2dd2cab1ec06a004063bc2629 Mon Sep 17 00:00:00 2001 From: shivani-sumo Date: Thu, 4 Apr 2024 19:07:22 +0530 Subject: [PATCH 12/13] SUMO-238066: TF validate check --- aws-observability-terraform/app-modules/elb/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws-observability-terraform/app-modules/elb/outputs.tf b/aws-observability-terraform/app-modules/elb/outputs.tf index 29ac0b5a..d6d30e7e 100644 --- a/aws-observability-terraform/app-modules/elb/outputs.tf +++ b/aws-observability-terraform/app-modules/elb/outputs.tf @@ -9,6 +9,6 @@ output "sumologic_field_extraction_rule" { } output "sumologic_content" { - value = module.classic_elb_module.sumologic_content + value : module.classic_elb_module.sumologic_content description = "This output contains classic elb App." } \ No newline at end of file From 3b5fb605701be8aed8ebf420f96c5607bc2336a2 Mon Sep 17 00:00:00 2001 From: shivani-sumo Date: Thu, 4 Apr 2024 19:11:20 +0530 Subject: [PATCH 13/13] SUMO-238066: TF validate check --- aws-observability-terraform/app-modules/elb/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws-observability-terraform/app-modules/elb/outputs.tf b/aws-observability-terraform/app-modules/elb/outputs.tf index d6d30e7e..29ac0b5a 100644 --- a/aws-observability-terraform/app-modules/elb/outputs.tf 
+++ b/aws-observability-terraform/app-modules/elb/outputs.tf @@ -9,6 +9,6 @@ output "sumologic_field_extraction_rule" { } output "sumologic_content" { - value : module.classic_elb_module.sumologic_content + value = module.classic_elb_module.sumologic_content description = "This output contains classic elb App." } \ No newline at end of file