Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,42 @@ | ||
name: checkov | ||
|
||
# Controls when the workflow will run | ||
on: | ||
# Triggers the workflow on push or pull request events but only for the "main" branch | ||
push: | ||
branches: [ "main", "master" ] | ||
pull_request: | ||
branches: [ "main", "master" ] | ||
|
||
# Allows you to run this workflow manually from the Actions tab | ||
workflow_dispatch: | ||
|
||
# A workflow run is made up of one or more jobs that can run sequentially or in parallel | ||
jobs: | ||
# This workflow contains a single job called "scan" | ||
scan: | ||
permissions: | ||
contents: read # for actions/checkout to fetch code | ||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | ||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | ||
|
||
# The type of runner that the job will run on | ||
runs-on: ubuntu-latest | ||
|
||
# Steps represent a sequence of tasks that will be executed as part of the job | ||
steps: | ||
# Checks-out your repository under $GITHUB_WORKSPACE, so follow-up steps can access it | ||
- uses: actions/checkout@v3 | ||
|
||
- name: Checkov GitHub Action | ||
uses: bridgecrewio/checkov-action@v12 | ||
with: | ||
continue-on-error: true | ||
# This will add both a CLI output to the console and create a results.sarif file | ||
output_format: cli,sarif | ||
output_file_path: console,results.sarif | ||
|
||
- name: Upload SARIF file | ||
uses: github/codeql-action/upload-sarif@v2 | ||
with: | ||
sarif_file: results.sarif |
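Review bot: The three `uses:` references (`actions/checkout@v3`, `bridgecrewio/checkov-action@v12`, `github/codeql-action/upload-sarif@v2`) are mutable major-version tags, so the workflow's own supply chain is not pinned even though its job is to scan for supply-chain weaknesses; pinning each to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v3` (placeholder), makes the executed action content immutable. Indentation is not recoverable on this page, so I cannot tell whether `continue-on-error: true` sits at the step level or under `with:`; if it is under `with:` it is not a checkov-action input and a finding would fail the job before the SARIF upload step runs, though the scan annotations elsewhere in this commit suggest the upload did execute. The job-level `permissions` block granting only `contents: read`, `security-events: write` and `actions: read` is the right least-privilege shape and should stay.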
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
labels: | ||
app: supply-chain-security | ||
name: supply-chain-security | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: supply-chain-security | ||
template: | ||
metadata: | ||
labels: | ||
app: supply-chain-security | ||
spec: | ||
containers: | ||
- image: andifalk/supply-chain-security:latest | ||
name: supply-chain-security |
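Review bot: `image: andifalk/supply-chain-security:latest` pins nothing — a mutable tag means each rollout may pull different content, which is exactly the risk a project named supply-chain-security should demonstrate avoiding; reference the image by digest, `image: andifalk/supply-chain-security@sha256:<image-digest>` (placeholder), and keep the human-readable tag in a label or comment. The container also runs with the default security context and no resource limits, so a compromised process keeps root-capable privileges inside the container and can starve other pods on the node; the rewrite below adds a restrictive `securityContext` and limits. `readOnlyRootFilesystem` should be dropped if the application writes to its filesystem, and the resource values are constructed examples to be sized for the real workload.
```yaml
      containers:
        - image: andifalk/supply-chain-security@sha256:<image-digest>   # placeholder: pin by digest, not tag
          name: supply-chain-security
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          resources:
            limits:
              cpu: "500m"       # constructed example
              memory: "256Mi"   # constructed example
```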
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,85 @@ | ||
# Copyright (c) HashiCorp, Inc. | ||
# SPDX-License-Identifier: MPL-2.0 | ||
|
||
variable "gke_username" { | ||
default = "" | ||
description = "gke username" | ||
} | ||
|
||
variable "gke_password" { | ||
default = "" | ||
description = "gke password" | ||
} | ||
|
||
variable "gke_num_nodes" { | ||
default = 2 | ||
description = "number of gke nodes" | ||
} | ||
|
||
# GKE cluster | ||
data "google_container_engine_versions" "gke_version" { | ||
location = var.region | ||
version_prefix = "1.27." | ||
} | ||
|
||
resource "google_container_cluster" "primary" { | ||
|
||
name = "${var.project_id}-gke" | ||
location = var.region | ||
|
||
# We can't create a cluster with no node pool defined, but we want to only use | ||
# separately managed node pools. So we create the smallest possible default | ||
# node pool and immediately delete it. | ||
remove_default_node_pool = true | ||
initial_node_count = 1 | ||
|
||
network = google_compute_network.vpc.name | ||
subnetwork = google_compute_subnetwork.subnet.name | ||
} | ||
|
||
# Separately Managed Node Pool | ||
resource "google_container_node_pool" "primary_nodes" { | ||
name = google_container_cluster.primary.name | ||
location = var.region | ||
cluster = google_container_cluster.primary.name | ||
|
||
version = data.google_container_engine_versions.gke_version.release_channel_latest_version["STABLE"] | ||
node_count = var.gke_num_nodes | ||
|
||
node_config { | ||
oauth_scopes = [ | ||
"https://www.googleapis.com/auth/logging.write", | ||
"https://www.googleapis.com/auth/monitoring", | ||
] | ||
|
||
labels = { | ||
env = var.project_id | ||
} | ||
|
||
# preemptible = true | ||
machine_type = "n1-standard-1" | ||
tags = ["gke-node", "${var.project_id}-gke"] | ||
metadata = { | ||
disable-legacy-endpoints = "true" | ||
} | ||
} | ||
} | ||
|
||
|
||
# # Kubernetes provider | ||
# # The Terraform Kubernetes Provider configuration below is used as a learning reference only. | ||
# # It references the variables and resources provisioned in this file. | ||
# # We recommend you put this in another file -- so you can have a more modular configuration. | ||
# # https://learn.hashicorp.com/terraform/kubernetes/provision-gke-cluster#optional-configure-terraform-kubernetes-provider | ||
# # To learn how to schedule deployments and services using the provider, go here: https://learn.hashicorp.com/tutorials/terraform/kubernetes-provider. | ||
|
||
# provider "kubernetes" { | ||
# load_config_file = "false" | ||
|
||
# host = google_container_cluster.primary.endpoint | ||
# username = var.gke_username | ||
# password = var.gke_password | ||
|
||
# client_certificate = google_container_cluster.primary.master_auth.0.client_certificate | ||
# client_key = google_container_cluster.primary.master_auth.0.client_key | ||
# cluster_ca_certificate = google_container_cluster.primary.master_auth.0.cluster_ca_certificate | ||
# } |
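Review bot: `google_container_cluster.primary` carries nine Checkov failures in this very commit (the check IDs are not visible on this page), and the settings that normally satisfy the GKE hardening policies are all absent from the resource: no `release_channel`, no `workload_identity_config`, no `network_policy`, no `private_cluster_config` and no `master_authorized_networks_config`, so the control-plane endpoint is reachable from any address and pods fall back to the node's own credentials. The rewrite below adds those blocks; the CIDR values are placeholders to be chosen per environment, and turning on `network_policy` may additionally require enabling the corresponding add-on under `addons_config`. In `google_container_node_pool.primary_nodes`, `node_config` sets no `service_account`, which presumably leaves the nodes on the project's default compute service account, and `shielded_instance_config` plus `workload_metadata_config { mode = "GKE_METADATA" }` are missing. Separately, `variable "gke_password"` should carry `sensitive = true` so its value is redacted from plan and apply output, even though the provider block that would consume it is commented out.
```hcl
resource "google_container_cluster" "primary" {
  # … unchanged: name, location, default node pool removal, network/subnetwork …

  release_channel {
    channel = "STABLE"
  }

  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }

  network_policy {
    enabled = true
  }

  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = false
    master_ipv4_cidr_block  = "<control-plane-cidr>" # placeholder: a /28 not overlapping the VPC
  }

  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "<admin-cidr>" # placeholder: the networks allowed to reach the API server
      display_name = "admin"
    }
  }
}
```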
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
# Copyright (c) HashiCorp, Inc. | ||
# SPDX-License-Identifier: MPL-2.0 | ||
|
||
output "region" { | ||
value = var.region | ||
description = "GCloud Region" | ||
} | ||
|
||
output "project_id" { | ||
value = var.project_id | ||
description = "GCloud Project ID" | ||
} | ||
|
||
output "kubernetes_cluster_name" { | ||
value = google_container_cluster.primary.name | ||
description = "GKE Cluster Name" | ||
} | ||
|
||
output "kubernetes_cluster_host" { | ||
value = google_container_cluster.primary.endpoint | ||
description = "GKE Cluster Host" | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
# Copyright (c) HashiCorp, Inc. | ||
# SPDX-License-Identifier: MPL-2.0 | ||
|
||
project_id = "pa-afa-kubernetes" | ||
region = "europe-west3" |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
# Copyright (c) HashiCorp, Inc. | ||
# SPDX-License-Identifier: MPL-2.0 | ||
|
||
terraform { | ||
required_providers { | ||
google = { | ||
source = "hashicorp/google" | ||
version = "4.74.0" | ||
} | ||
} | ||
|
||
required_version = ">= 0.14" | ||
} | ||
|
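Review bot: `required_version = ">= 0.14"` is an open lower bound, so any future Terraform major release is accepted without review; a pessimistic constraint such as `required_version = "~> 1.5"` (constructed example — use the version actually tested) keeps upgrades deliberate. The provider is pinned exactly to `4.74.0`, which is good; make sure the generated `.terraform.lock.hcl` is committed alongside it so the provider hashes, not just the version, are recorded — I cannot see from this page whether the lock file is part of the commit.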
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
# Copyright (c) HashiCorp, Inc. | ||
# SPDX-License-Identifier: MPL-2.0 | ||
|
||
variable "project_id" { | ||
description = "project id" | ||
} | ||
|
||
variable "region" { | ||
description = "region" | ||
} | ||
|
||
provider "google" { | ||
project = var.project_id | ||
region = var.region | ||
} | ||
|
||
# VPC | ||
resource "google_compute_network" "vpc" { | ||
name = "${var.project_id}-vpc" | ||
auto_create_subnetworks = "false" | ||
} | ||
|
||
# Subnet | ||
resource "google_compute_subnetwork" "subnet" { | ||
name = "${var.project_id}-subnet" | ||
region = var.region | ||
network = google_compute_network.vpc.name | ||
ip_cidr_range = "10.10.0.0/24" | ||
} |