diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml deleted file mode 100644 index d49ee21412..0000000000 --- a/.github/workflows/build.yaml +++ /dev/null @@ -1,37 +0,0 @@ -name: build -on: - push: - branches: - - master -jobs: - build: - runs-on: [self-hosted, public, linux, x64] - steps: - - uses: actions/checkout@v2 - name: Checkout repo - with: - fetch-depth: 0 - - name: Run yor action - uses: bridgecrewio/yor-action@main - - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v1 - with: - python-version: 3.7 - - name: Update documentation - run: | - git config --local user.email "action@github.com" - git config --local user.name "GitHub Action" - git fetch --tags - git pull - latest_tag=$(git describe --tags `git rev-list --tags --max-count=1`) - echo "latest tag: $latest_tag" - new_tag=$(echo $latest_tag | awk -F. -v a="$1" -v b="$2" -v c="$3" '{printf("%d.%d.%d", $1+a, $2+b , $3+1)}') - echo "new tag: $new_tag" - - pip install -U checkov - cat .github/template.md > README.md && checkov -d terraform -o github_failed_only -s >> README.md - git add README.md || echo "No changes to commit" - git commit -m "update resource scan result doc" README.md || echo "No changes to commit" - git push origin - git tag $new_tag - git push origin $new_tag diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 0000000000..b27af55241 --- /dev/null +++ b/.github/workflows/main.yml 
@@ -0,0 +1,54 @@ +name: Prisma Cloud IaC Scan +on: + pull_request: + types: + - closed +jobs: + scan: + runs-on: ubuntu-latest + strategy: + matrix: + python-version: [3.8] + steps: + - name: Checkout repo + uses: actions/checkout@v2 + - name: Run Bridgecrew + id: Bridgecrew + uses: bridgecrewio/bridgecrew-action@master + env: + PRISMA_API_URL: https://api0.prismacloud.io + with: + api-key: ${{ secrets.BC_API_KEY }} + directory: terraform/azure/ + use_enforcement_rules: true + + +# name: Prisma Cloud IaC Scan with checkov +# on: +# pull_request: +# types: +# - closed +# jobs: +# # if_merged: +# # if: github.event.pull_request.merged == true +# # runs-on: ubuntu-latest +# # steps: +# # - run: | +# # echo The PR was merged +# scan: +# runs-on: ubuntu-latest +# strategy: +# matrix: +# python-version: [3.8] +# defaults: +# run: +# working-directory: ./terraform +# steps: +# - name: Checkout repo +# uses: actions/checkout@v2 +# - name: Install checkov +# run: pip3 install checkov +# - name: Run checkov +# run: | +# export PRISMA_API_URL=https://api4.prismacloud.io +# checkov -d . --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml deleted file mode 100644 index f3c271a117..0000000000 --- a/.github/workflows/pull_request.yaml +++ /dev/null @@ -1,16 +0,0 @@ -name: build -on: - pull_request -jobs: - checkov-job: - runs-on: ubuntu-latest - name: checkov-action - steps: - - name: Checkout repo - uses: actions/checkout@v2 - - - name: Run Checkov action - id: checkov - uses: bridgecrewio/checkov-action@master - with: - directory: terraform/ diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml deleted file mode 100644 index ca54ccb98e..0000000000 --- a/.github/workflows/semgrep.yml +++ /dev/null 
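Review bot: The new `Prisma Cloud IaC Scan` workflow fires on every closed pull request, including ones closed without merging, because `types: [closed]` carries no merge guard; the commented-out draft further down already has the right condition, so add `if: github.event.pull_request.merged == true` to the `scan` job. `uses: bridgecrewio/bridgecrew-action@master` (and `actions/checkout@v2`) track a mutable ref, so whatever that branch points to tomorrow runs with `BC_API_KEY` in hand — pin third-party actions to a full commit SHA and note the version in a trailing comment. Because this commit also deletes the PR-time `checkov-action` and Semgrep jobs, IaC findings now surface only after the change is already on the base branch; if that is intended it deserves a comment at the top of the file, otherwise keep a `pull_request` (opened/synchronize) trigger so findings can still gate the merge. The `strategy.matrix.python-version` block is not used by any step and can be dropped, along with the commented-out second copy of the workflow.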
@@ -1,16 +0,0 @@ -on: - pull_request: {} - push: - branches: - - main - - master -name: Semgrep -jobs: - semgrep: - name: Scan - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - uses: returntocorp/semgrep-action@v1 - with: - publishToken: ${{ secrets.SEMGREP_APP_TOKEN }} diff --git a/terraform/aws/ec2.tf b/terraform/aws/ec2.tf index 00e0ba940f..21aea0d712 100644 --- a/terraform/aws/ec2.tf +++ b/terraform/aws/ec2.tf @@ -1,11 +1,12 @@ resource "aws_instance" "web_host" { # ec2 have plain text secrets in user data - ami = "${var.ami}" + # test change + ami = var.ami instance_type = "t2.nano" vpc_security_group_ids = [ "${aws_security_group.web-node.id}"] - subnet_id = "${aws_subnet.web_subnet.id}" + subnet_id = aws_subnet.web_subnet.id user_data = <Deployed via Terraform" | sudo tee /var/www/html/index.html +d EOF tags = merge({ Name = "${local.resource_prefix.value}-ec2" @@ -31,8 +33,10 @@ EOF }) } + resource "aws_ebs_volume" "web_host_storage" { # unencrypted volume + # delete this availability_zone = "${var.region}a" #encrypted = false # Setting this causes the volume to be recreated on apply size = 1 @@ -48,11 +52,15 @@ resource "aws_ebs_volume" "web_host_storage" { git_repo = "terragoat" yor_trace = "c5509daf-10f0-46af-9e03-41989212521d" }) + + } + + resource "aws_ebs_snapshot" "example_snapshot" { # ebs snapshot without encryption - volume_id = "${aws_ebs_volume.web_host_storage.id}" + volume_id = aws_ebs_volume.web_host_storage.id description = "${local.resource_prefix.value}-ebs-snapshot" tags = merge({ Name = "${local.resource_prefix.value}-ebs-snapshot" @@ -70,8 +78,8 @@ resource "aws_ebs_snapshot" "example_snapshot" { resource "aws_volume_attachment" "ebs_att" { device_name = "/dev/sdh" - volume_id = "${aws_ebs_volume.web_host_storage.id}" - instance_id = "${aws_instance.web_host.id}" + volume_id = aws_ebs_volume.web_host_storage.id + instance_id = aws_instance.web_host.id } resource "aws_security_group" "web-node" { 
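Review bot: The added line `+d` sits inside the `user_data` heredoc before `EOF`, so the bootstrap script on the new side now ends with a bare command `d` that the instance will try to run at first boot (the heredoc is partly garbled in this view, so confirm against the file); that line should be removed. The `# test change` comment adds nothing and should go too, while the `ami = var.ami` / `subnet_id = aws_subnet.web_subnet.id` cleanup is fine. For consistency with those two lines, `vpc_security_group_ids = [ "${aws_security_group.web-node.id}"]` should become `vpc_security_group_ids = [aws_security_group.web-node.id]`. The `aws_instance.web_host` body continues past the hunk.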
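Review bot: `# delete this` was added above `aws_ebs_volume.web_host_storage` but nothing is deleted, so it reads as a stray working note rather than documentation; either remove the volume (together with its `aws_ebs_snapshot` and `aws_volume_attachment` dependants) in this change, or drop the comment and keep only the existing `# unencrypted volume` line, which already explains why `encrypted` is deliberately left unset. The resource body continues past the hunk.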
diff --git a/terraform/aws/eks.tf b/terraform/aws/eks.tf index 53707039d8..64d718c28e 100644 --- a/terraform/aws/eks.tf +++ b/terraform/aws/eks.tf @@ -4,7 +4,7 @@ locals { } } -data aws_iam_policy_document "iam_policy_eks" { +data "aws_iam_policy_document" "iam_policy_eks" { statement { effect = "Allow" actions = ["sts:AssumeRole"] @@ -15,7 +15,7 @@ data aws_iam_policy_document "iam_policy_eks" { } } -resource aws_iam_role "iam_for_eks" { +resource "aws_iam_role" "iam_for_eks" { name = "${local.resource_prefix.value}-iam-for-eks" assume_role_policy = data.aws_iam_policy_document.iam_policy_eks.json tags = { @@ -30,17 +30,17 @@ resource aws_iam_role "iam_for_eks" { } } -resource aws_iam_role_policy_attachment "policy_attachment-AmazonEKSClusterPolicy" { +resource "aws_iam_role_policy_attachment" "policy_attachment-AmazonEKSClusterPolicy" { policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy" role = aws_iam_role.iam_for_eks.name } -resource aws_iam_role_policy_attachment "policy_attachment-AmazonEKSServicePolicy" { +resource "aws_iam_role_policy_attachment" "policy_attachment-AmazonEKSServicePolicy" { policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy" role = aws_iam_role.iam_for_eks.name } -resource aws_vpc "eks_vpc" { +resource "aws_vpc" "eks_vpc" { cidr_block = "10.10.0.0/16" enable_dns_hostnames = true enable_dns_support = true @@ -58,7 +58,7 @@ resource aws_vpc "eks_vpc" { }) } -resource aws_subnet "eks_subnet1" { +resource "aws_subnet" "eks_subnet1" { vpc_id = aws_vpc.eks_vpc.id cidr_block = "10.10.10.0/24" availability_zone = "${var.region}a" @@ -86,7 +86,7 @@ resource aws_subnet "eks_subnet1" { }) } -resource aws_subnet "eks_subnet2" { +resource "aws_subnet" "eks_subnet2" { vpc_id = aws_vpc.eks_vpc.id cidr_block = "10.10.11.0/24" availability_zone = "${var.region}b" 
@@ -114,9 +114,9 @@ resource aws_subnet "eks_subnet2" { }) } -resource aws_eks_cluster "eks_cluster" { +resource "aws_eks_cluster" "eks_cluster" { name = local.eks_name.value - role_arn = "${aws_iam_role.iam_for_eks.arn}" + role_arn = aws_iam_role.iam_for_eks.arn vpc_config { endpoint_private_access = true @@ -140,9 +140,9 @@ resource aws_eks_cluster "eks_cluster" { } output "endpoint" { - value = "${aws_eks_cluster.eks_cluster.endpoint}" + value = aws_eks_cluster.eks_cluster.endpoint } output "kubeconfig-certificate-authority-data" { - value = "${aws_eks_cluster.eks_cluster.certificate_authority.0.data}" + value = aws_eks_cluster.eks_cluster.certificate_authority.0.data } diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index a2a2ed78fe..e33b4352cf 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,6 +3,7 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning + # test update bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ @@ -139,3 +140,27 @@ resource "aws_s3_bucket" "logs" { yor_trace = "01946fe9-aae2-4c99-a975-e9b0d3a4696c" }) } + +resource "aws_s3_bucket_policy" "allow_access_from_another_account" { + bucket = aws_s3_bucket.logs.id + policy = data.aws_iam_policy_document.allow_access_from_another_account.json +} + +data "aws_iam_policy_document" "allow_access_from_another_account" { + statement { + principals { + type = "AWS" + identifiers = ["123456789012"] + } + + actions = [ + "s3:GetObject", + "s3:ListBucket", + ] + + resources = [ + aws_s3_bucket.example.arn, + "${aws_s3_bucket.example.arn}/*", + ] + } +} \ No newline at end of file diff --git a/terraform/azure/aks.tf b/terraform/azure/aks.tf index ebb613bdf0..6bd5a2eeef 100644 --- a/terraform/azure/aks.tf +++ b/terraform/azure/aks.tf 
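Review bot: The new `allow_access_from_another_account` policy document lists `aws_s3_bucket.example.arn` in `resources`, but the policy is attached to `aws_s3_bucket.logs` and no `aws_s3_bucket.example` appears in this hunk — unless it is declared elsewhere in the file, `terraform validate` fails on the unknown reference. Point the resources at the bucket the policy is bound to: `resources = [aws_s3_bucket.logs.arn, "${aws_s3_bucket.logs.arn}/*"]`. The statement grants `s3:GetObject`/`s3:ListBucket` on the access-log bucket to the whole of account `123456789012`; if that is a deliberately vulnerable fixture, say so in the file's existing comment style, e.g. `# bucket policy grants cross-account read to an external account`, and if not, scope the principal to a role ARN and take the account id from a variable. The file also loses its trailing newline in this hunk.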
@@ -1,4 +1,4 @@ -resource azurerm_kubernetes_cluster "k8s_cluster" { +resource "azurerm_kubernetes_cluster" "k8s_cluster" { dns_prefix = "terragoat-${var.environment}" location = var.location name = "terragoat-aks-${var.environment}" @@ -32,4 +32,4 @@ resource azurerm_kubernetes_cluster "k8s_cluster" { git_repo = "terragoat" yor_trace = "6103d111-864e-42e5-899c-1864de281fd1" } -} \ No newline at end of file +} diff --git a/terraform/azure/app_service.tf b/terraform/azure/app_service.tf index fa4f23edff..5a5e0c3655 100644 --- a/terraform/azure/app_service.tf +++ b/terraform/azure/app_service.tf @@ -1,4 +1,4 @@ -resource azurerm_app_service_plan "example" { +resource "azurerm_app_service_plan" "example" { name = "terragoat-app-service-plan-${var.environment}" location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name @@ -19,7 +19,7 @@ resource azurerm_app_service_plan "example" { } } -resource azurerm_app_service "app-service1" { +resource "azurerm_app_service" "app-service1" { app_service_plan_id = azurerm_app_service_plan.example.id location = var.location name = "terragoat-app-service-${var.environment}${random_integer.rnd_int.result}" @@ -40,7 +40,7 @@ resource azurerm_app_service "app-service1" { } } -resource azurerm_app_service "app-service2" { +resource "azurerm_app_service" "app-service2" { app_service_plan_id = azurerm_app_service_plan.example.id location = var.location name = "terragoat-app-service-${var.environment}${random_integer.rnd_int.result}" diff --git a/terraform/azure/networking.tf b/terraform/azure/networking.tf index ab01c60d07..8543e72afb 100644 --- a/terraform/azure/networking.tf +++ b/terraform/azure/networking.tf @@ -1,4 +1,6 @@ resource "azurerm_virtual_network" "example" { + # commentzz + # new comment name = "terragoat-vn-${var.environment}" address_space = ["10.0.0.0/16"] location = azurerm_resource_group.example.location 
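Review bot: The two comments added at the top of `azurerm_virtual_network.example`, `# commentzz` and `# new comment`, carry no information and look like test edits left behind; drop them, or replace them with one line that states what the network is for. The resource body continues past the hunk.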
@@ -66,7 +68,7 @@ resource "azurerm_network_interface" "ni_win" { } } -resource azurerm_network_security_group "bad_sg" { +resource "azurerm_network_security_group" "bad_sg" { location = var.location name = "terragoat-${var.environment}" resource_group_name = azurerm_resource_group.example.name @@ -106,7 +108,7 @@ resource azurerm_network_security_group "bad_sg" { } } -resource azurerm_network_watcher "network_watcher" { +resource "azurerm_network_watcher" "network_watcher" { location = var.location name = "terragoat-network-watcher-${var.environment}" resource_group_name = azurerm_resource_group.example.name @@ -122,7 +124,8 @@ resource azurerm_network_watcher "network_watcher" { } } -resource azurerm_network_watcher_flow_log "flow_log" { +resource "azurerm_network_watcher_flow_log" "flow_log" { + name = "test-flow-log-name" enabled = false network_security_group_id = azurerm_network_security_group.bad_sg.id network_watcher_name = azurerm_network_watcher.network_watcher.name @@ -142,4 +145,4 @@ resource azurerm_network_watcher_flow_log "flow_log" { git_repo = "terragoat" yor_trace = "33a7212e-7f1a-49fc-af73-8e525c5546ec" } -} \ No newline at end of file +} diff --git a/terraform/azure/storage.tf b/terraform/azure/storage.tf index 8d6886286d..966b9f4fe2 100644 --- a/terraform/azure/storage.tf +++ b/terraform/azure/storage.tf @@ -55,7 +55,7 @@ resource "azurerm_storage_account" "example" { git_modifiers = "Adin.Ermie/nimrodkor" git_org = "bridgecrewio" git_repo = "terragoat" - yor_trace = "23861ff4-c42d-495e-80ac-776c74035f43" + yor_trace = "a0ac11af-a429-4d9f-b706-cfcc13d082a9" } } 
@@ -67,3 +67,45 @@ resource "azurerm_storage_account_network_rules" "test" { ip_rules = ["127.0.0.1"] bypass = ["Metrics"] } + +resource "azurerm_resource_group" "example" { + name = "example-resources" + location = "West Europe" + tags = { + yor_trace = "a5ed0240-5652-4df8-a146-29e6f0bb6283" + } +} + +resource "azurerm_storage_account" "example" { + name = "examplestoracc" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "LRS" + tags = { + git_commit = "5c6b5d60a8aa63a5d37e60f15185d13a967f0542" + git_file = "terraform/azure/storage.tf" + git_last_modified_at = "2021-05-02 10:06:10" + git_last_modified_by = "nimrodkor@users.noreply.github.com" + git_modifiers = "Adin.Ermie/nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "a0ac11af-a429-4d9f-b706-cfcc13d082a9" + } +} + + +resource "azurerm_storage_container" "example" { + # this blob container shouldn't be public + name = "content" + storage_account_name = azurerm_storage_account.example.name + container_access_type = "public" +} + +resource "azurerm_storage_blob" "example" { + name = "my-awesome-content.zip" + storage_account_name = azurerm_storage_account.example.name + storage_container_name = azurerm_storage_container.example.name + type = "Block" + source = "some-local-file.zip" +}
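Review bot: This hunk declares a second `azurerm_storage_account "example"` (plus an `azurerm_resource_group "example"`) in a file whose previous hunk already shows `resource "azurerm_storage_account" "example"` at line 55, and the rest of the module already references `azurerm_resource_group.example`; Terraform rejects duplicate resource addresses, so `terraform validate` fails on the new side. Remove the two duplicate blocks and let `azurerm_storage_container.example` reference the existing account, which also gets rid of the copied `yor_trace`/git tags and the hard-coded, globally unique name `examplestoracc`. `container_access_type = "public"` is not a value the azurerm provider accepts (it takes `private`, `blob` or `container`); for a deliberately public container write `container_access_type = "container"` and keep the `# this blob container shouldn't be public` comment so the finding stays documented. `source = "some-local-file.zip"` must exist on disk at apply time or `azurerm_storage_blob.example` fails; if it is meant as a fixture, commit it or switch to `source_content`.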