add terrascan atlantis container files, scripts and doc. (tenable#684)
* add terrascan atlantis container details * updated docs and scripts
Devang Gaur
authored
May 5, 2021
1 parent
e6e6b8e
commit 0c7f4ca
Showing
8 changed files
with
306 additions
and
3 deletions.
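--- /dev/null
+++ b/<dir-not-shown>/Dockerfile
@@ -0,0 +1,12 @@
+FROM runatlantis/atlantis:v0.16.1
+ENV DEFAULT_TERRASCAN_VERSION=1.5.1
+ENV PLANFILE tfplan
+ADD setup.sh terrascan.sh launch-atlantis.sh entrypoint.sh /usr/local/bin/
+RUN mkdir -p /etc/atlantis/ && \
+chmod +x /usr/local/bin/*.sh && \
+/usr/local/bin/setup.sh
+ADD terrascan-workflow.yaml /etc/atlantis/workflow.yaml
+USER atlantis
+RUN terrascan init
+ENTRYPOINT ["/bin/bash", "entrypoint.sh"]
+CMD ["server"]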
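Review bot: `ENTRYPOINT ["/bin/bash", "entrypoint.sh"]` names the script without a path, so bash first tries the file relative to the container's working directory and only then searches PATH; which entrypoint runs therefore depends on the cwd rather than on the `ADD ... /usr/local/bin/` above it. Pointing at the installed copy, `ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]`, removes that ambiguity, but it requires the script's `#!/bin/bash` to be the first line of the file (in this commit it sits below the licence header in every script hunk). `ADD` is used here for plain local files, where `COPY` is the conventional and narrower instruction. The base image is pinned by tag only (`runatlantis/atlantis:v0.16.1`); adding the digest would make the build reproducible and the image provenance checkable.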
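--- /dev/null
+++ b/<dir-not-shown>/terrascan-workflow.yaml
@@ -0,0 +1,26 @@
+# Copyright (C) 2020 Accurics, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+repos:
+- id: "/.*/"
+workflow: terrascan
+workflows:
+terrascan:
+plan:
+steps:
+- run: terraform init -input=false -no-color
+- run: terraform workspace select -no-color $WORKSPACE
+- run: terraform plan -input=false -refresh -no-color -out $PLANFILE
+- run: terraform show -no-color -json $PLANFILE > ${PLANFILE}.json
+- run: terrascan.sh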
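Review bot: `terraform show -no-color -json $PLANFILE > ${PLANFILE}.json` leaves the JSON rendering of the plan in the cloned workspace after `terrascan.sh` has read it, and a plan rendered as JSON can carry variable and resource values that the HCL itself keeps out of the repository; deleting the file once the scan step has finished, or writing it under a temp directory, keeps that material on disk no longer than the scan needs. The `id: "/.*/"` selector applies this workflow to every repository the server serves, which is presumably the intent for a dedicated image but deserves a comment in the file, e.g. `# applies to every repo; narrow the regex to opt specific repos in`. The second, identical workflow hunk later in this commit has the same two points.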
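--- /dev/null
+++ b/<dir-not-shown>/entrypoint.sh
@@ -0,0 +1,50 @@
+# Copyright (C) 2020 Accurics, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#!/bin/bash
+set -e
+count=1
+declare config_file
+declare copy
+function fetch_configfile() {
+for i in "${@:1}"
+do
+if [[ "$i" == "-c"* ]]; then
+if [[ $i =~ -c=(.+) ]]; then
+eval config_file="${BASH_REMATCH[1]}"
+copy=${@/"$i"}
+elif [[ $i =~ -c(.+) ]]; then
+echo "unacceptable argument : $i"
+exit 1
+else
+eval var='$'$(( count + 1 ))
+eval config_file="$var"
+copy=$(echo "$@" | sed "s/ -c//")
+copy=${copy/$config_file}
+fi
+fi
+(( count += 1 ))
+done
+}
+
+fetch_configfile "$@"
+if [[ ! -z $config_file ]]; then
+export TERRASCAN_CONFIG=$config_file
+fi
+
+if [[ -z $copy ]]; then
+launch-atlantis.sh $@
+else
+launch-atlantis.sh $copy
+fi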
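Review bot: `eval config_file="${BASH_REMATCH[1]}"`, `eval var='$'$(( count + 1 ))` and `eval config_file="$var"` in fetch_configfile hand argument text to the shell parser, so a `-c` value containing `$(...)`, backticks or `;` is executed rather than stored, whereas `config_file=${BASH_REMATCH[1]}` and `config_file=${!next}` (with `next=$((count + 1))`) yield the same path with no evaluation. `launch-atlantis.sh $@` and `launch-atlantis.sh $copy` then word-split and glob-expand the arguments, and when `-c <path>` is the only argument `copy` stays empty, so the `-c` pair is passed on to the launcher instead of being stripped. entrypoint.sh does not `exec` the launcher, so the bash that runs it stays as the container's PID 1 and does not forward SIGTERM to atlantis (inferred from the `ENTRYPOINT ["/bin/bash", "entrypoint.sh"]` form in the Dockerfile hunk). `#!/bin/bash` is on line 16 of this file, below the licence header, so the kernel never sees it; the same applies to the launch-atlantis.sh, setup.sh and terrascan.sh hunks. The rewrite below keeps the arguments as an array and drops eval.
```shell
#!/bin/bash
# … unchanged: licence header (now below the shebang) …
set -e

declare config_file
declare -a copy=()

# Pull the terrascan config path out of "-c <path>" / "-c=<path>" and keep
# every other argument, unsplit, for launch-atlantis.sh.
function fetch_configfile() {
  local expect_path=0
  local arg
  for arg in "$@"; do
    if (( expect_path )); then
      config_file=$arg
      expect_path=0
    elif [[ $arg =~ ^-c=(.+)$ ]]; then
      config_file=${BASH_REMATCH[1]}   # plain assignment: argv is data, never eval'd
    elif [[ $arg == -c ]]; then
      expect_path=1
    elif [[ $arg == -c* ]]; then
      echo "unacceptable argument : $arg"
      exit 1
    else
      copy+=("$arg")
    fi
  done
}

fetch_configfile "$@"
if [[ -n $config_file ]]; then
  export TERRASCAN_CONFIG=$config_file
fi

# exec so the launcher (and ultimately atlantis) replaces this shell instead of
# running under a bash parent that does not forward signals.
exec launch-atlantis.sh "${copy[@]}"
```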
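--- /dev/null
+++ b/<dir-not-shown>/launch-atlantis.sh
@@ -0,0 +1,81 @@
+# Copyright (C) 2020 Accurics, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#!/bin/bash
+set -e
+
+declare flag
+
+function lookup_repo_config_flag() {
+for i in "$@"
+do
+if [[ "$i" == "--repo-config"* ]]; then
+flag="true"
+fi
+done
+}
+
+# Modified: https://github.com/hashicorp/docker-consul/blob/2c2873f9d619220d1eef0bc46ec78443f55a10b5/0.X/docker-entrypoint.sh
+
+# If the user is trying to run atlantis directly with some arguments, then
+# pass them to atlantis.
+if [ "${1:0:1}" = '-' ]; then
+set -- atlantis "$@"
+fi
+
+# If the user is running an atlantis subcommand (ex. server) then we want to prepend
+# atlantis as the first arg to exec. To detect if they're running a subcommand
+# we take the potential subcommand and run it through atlantis help {subcommand}.
+# If the output contains "atlantis subcommand" then we know it's a subcommand
+# since the help output contains that string. For anything else (ex. sh)
+# it won't contain that string.
+# NOTE: We use grep instead of the exit code since help always returns 0.
+if atlantis help "$1" 2>&1 | grep -q "atlantis $1"; then
+# We can't use the return code to check for the existence of a subcommand, so
+# we have to use grep to look for a pattern in the help output.
+set -- atlantis "$@"
+fi
+
+# If the current uid running does not have a user create one in /etc/passwd
+if ! whoami &> /dev/null; then
+if [ -w /etc/passwd ]; then
+echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:/home/atlantis:/sbin/nologin" >> /etc/passwd
+fi
+fi
+
+# If we're running as root and we're trying to execute atlantis then we use
+# gosu to step down from root and run as the atlantis user.
+# In OpenShift, containers are run as a random users so we don't need to use gosu.
+if [[ $(id -u) == 0 ]] && [[ "$1" = 'atlantis' ]]; then
+# If requested, set the capability to bind to privileged ports before
+# we drop to the non-root user. Note that this doesn't work with all
+# storage drivers (it won't work with AUFS).
+if [ ! -z ${ATLANTIS_ALLOW_PRIVILEGED_PORTS+x} ]; then
+setcap "cap_net_bind_service=+ep" /bin/atlantis
+fi
+
+set -- gosu atlantis "$@"
+fi
+
+to_exec=""
+
+lookup_repo_config_flag $@
+
+if [[ $flag != "true" ]] && [[ "$@" == *"atlantis"* ]] && [[ "$@" == *"server"* ]] && [[ -f /etc/atlantis/workflow.yaml ]]; then
+to_exec="$@ --repo-config=/etc/atlantis/workflow.yaml"
+else
+to_exec="$@"
+fi
+
+exec $to_exec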
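Review bot: `to_exec="$@ --repo-config=/etc/atlantis/workflow.yaml"` followed by `exec $to_exec` flattens the argument vector into one string and re-splits it on whitespace with globbing enabled, so any flag value containing a space or a glob character reaches atlantis as different words than the operator supplied; `lookup_repo_config_flag $@` loses the same information. Keeping the vector intact needs no string at all: `set -- "$@" --repo-config=/etc/atlantis/workflow.yaml` inside the `if`, `exec "$@"` at the end, and `lookup_repo_config_flag "$@"`. The substring tests `[[ "$@" == *"atlantis"* ]] && [[ "$@" == *"server"* ]]` also fire on any argument value that merely contains those words, so inspecting the command and subcommand positions (after the gosu rewrite they are no longer `$1` and `$2`) would be more precise, though that is an inferred refinement. The `#!/bin/bash` on line 16 is below the licence header and so is not honoured when entrypoint.sh invokes this file by name.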
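--- /dev/null
+++ b/<dir-not-shown>/setup.sh
@@ -0,0 +1,31 @@
+# Copyright (C) 2020 Accurics, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#!/bin/bash
+set -ex
+
+if [[ -z "${TERRASCAN_VERSION}" ]]; then
+TERRASCAN_VERSION=${DEFAULT_TERRASCAN_VERSION}
+fi
+
+VERSION=${TERRASCAN_VERSION}
+
+curl -LOs https://github.com/accurics/terrascan/releases/download/v${VERSION}/terrascan_${VERSION}_Linux_x86_64.tar.gz
+mkdir /usr/local/bin/terrascan_${VERSION}
+tar -C /usr/local/bin/terrascan_${VERSION} -xzf terrascan_${VERSION}_Linux_x86_64.tar.gz
+
+mv /usr/local/bin/terrascan_${VERSION}/terrascan /usr/local/bin/terrascan
+
+rm terrascan_${VERSION}_Linux_x86_64.tar.gz
+rm -rf /usr/local/bin/terrascan_${VERSION}/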
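Review bot: `curl -LOs https://github.com/accurics/terrascan/releases/download/v${VERSION}/terrascan_${VERSION}_Linux_x86_64.tar.gz` installs the scanner binary into /usr/local/bin without `-f`, so an HTTP error page is saved under the tarball's name with a zero exit status and only the later `tar` notices, and nothing verifies what was downloaded. `curl -fsSLO "<same URL>"` fails on HTTP errors, and comparing the archive against a SHA-256 pinned in the repository with `sha256sum -c` before extracting gives the build a supply-chain integrity check (the project's release checksum file, if one is published for this version, is the place to take the expected value from once). The URL and tarball names are unquoted, which is harmless while `VERSION` is a plain version string but cheap to fix alongside a `--retry 3`.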
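--- /dev/null
+++ b/<second-copy-path-not-shown>/terrascan-workflow.yaml
@@ -0,0 +1,26 @@
+# Copyright (C) 2020 Accurics, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+repos:
+- id: "/.*/"
+workflow: terrascan
+workflows:
+terrascan:
+plan:
+steps:
+- run: terraform init -input=false -no-color
+- run: terraform workspace select -no-color $WORKSPACE
+- run: terraform plan -input=false -refresh -no-color -out $PLANFILE
+- run: terraform show -no-color -json $PLANFILE > ${PLANFILE}.json
+- run: terrascan.sh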
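--- /dev/null
+++ b/<dir-not-shown>/terrascan.sh
@@ -0,0 +1,36 @@
+# Copyright (C) 2020 Accurics, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#!/bin/bash
+
+terrascan scan -i tfplan --iac-version v1 -f ${PLANFILE}.json -l error > output
+exitcode=$?
+
+if [[ ! $exitcode -eq 0 ]]; then
+echo
+echo '- Terrascan identified IAC policy violations:'
+echo
+echo 'Scan Results:'
+cat output
+echo
+echo '```'
+echo '</details>'
+echo '<p><strong>Further atlantis details below:</strong></p>'
+echo '<details>'
+echo
+echo '```diff'
+echo
+fi
+
+exit $exitcode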
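Review bot: `terrascan scan ... > output` writes the report to a file literally named `output` in the current directory, which for an atlantis run step is the cloned repository, and nothing removes it afterwards; `report=$(mktemp)` with `trap 'rm -f -- "$report"' EXIT`, or capturing stdout into a variable, keeps the checkout clean. `exitcode=$?` treats every non-zero status as "policy violations" in the comment text, so a scan that failed to run (missing `${PLANFILE}.json`, a policy load error) is reported as violations; if the installed terrascan uses a distinct exit code for violations, branching on that value would keep the two cases apart (to be confirmed against the version setup.sh installs). The `echo '```'` … `echo '```diff'` block closes and re-opens the fence atlantis wraps around run-step output, so the rendering is tied to the comment template of the pinned atlantis version and deserves a comment saying so, e.g. `# break out of the ```diff fence atlantis wraps run output in; tied to the v0.16.x comment template`. `${PLANFILE}.json` is unquoted, harmless for the `tfplan` value set in the Dockerfile but worth quoting.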