add terrascan atlantis container details
devang-gaur committed Apr 24, 2021
1 parent 585edcc commit 6c2617e
Showing 7 changed files with 178 additions and 4 deletions.
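--- a/atlantis/Dockerfile
+++ b/atlantis/Dockerfile
@@ -0,0 +1,8 @@
+FROM runatlantis/atlantis
+ENV DEFAULT_TERRASCAN_VERSION=1.5.0
+ENV PLANFILE tfplan
+ADD setup.sh terrascan.sh launch-atlantis.sh entrypoint.sh /usr/local/bin/
+RUN touch ${PLANFILE} && mkdir -p /etc/atlantis/ && chmod +x /usr/local/bin/setup.sh /usr/local/bin/terrascan.sh /usr/local/bin/launch-atlantis.sh /usr/local/bin/entrypoint.sh && setup.sh
+ADD terrascan_workflow.yaml /etc/atlantis/workflow.yaml
+ENTRYPOINT ["/bin/bash", "entrypoint.sh"]
+CMD ["server"]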
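Review bot: `FROM runatlantis/atlantis` on the first line pulls whatever the untagged (latest) reference resolves to at build time, so two builds of this Dockerfile can produce different images and an upstream push changes the result silently; pin it, e.g. `FROM runatlantis/atlantis:<version>` (placeholder), ideally with a digest. The `ADD setup.sh …` and `ADD terrascan_workflow.yaml …` lines copy plain local files, for which `COPY` is the conventional instruction because `ADD` additionally fetches URLs and auto-extracts archives. `ENTRYPOINT ["/bin/bash", "entrypoint.sh"]` relies on bash finding the script through `PATH` since no `WORKDIR` is set; `ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]` (the script already has a shebang and is made executable on the `RUN` line) makes that explicit.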
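--- a/atlantis/entrypoint.sh
+++ b/atlantis/entrypoint.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+set -e
+count=1
+declare config_file
+declare copy
+function fetch_configfile() {
+for i in "${@:1}"
+do
+if [[ "$i" == "-c"* ]]; then
+if [[ $i =~ -c=(.+) ]]; then
+eval config_file="${BASH_REMATCH[1]}"
+copy=${@/"$i"}
+elif [[ $i =~ -c(.+) ]]; then
+echo "unacceptable argument : $i"
+exit 1
+else
+eval var='$'$(( count + 1 ))
+eval config_file="$var"
+copy=$(echo "$@" | sed "s/-c//")
+copy=${copy/$config_file}
+fi
+fi
+(( count += 1 ))
+done
+}
+
+fetch_configfile "$@"
+if [[ ! -z $config_file ]]; then
+export TERRASCAN_CONFIG=$config_file
+fi
+
+if [[ -z $copy ]]; then
+launch-atlantis.sh $@
+else
+launch-atlantis.sh $copy
+fi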
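Review bot: The `eval config_file="${BASH_REMATCH[1]}"`, `eval var='$'$(( count + 1 ))` and `eval config_file="$var"` lines in fetch_configfile run the value of the `-c` argument through eval, so a config path containing shell metacharacters or spaces is evaluated as shell code instead of stored as a string; a plain assignment, with indirect expansion for the positional index, gives the same result without that. The `copy=$(echo "$@" | sed "s/-c//")` line then deletes the first `-c` substring anywhere in the joined argument string (which can land inside an earlier `--repo-config=…` rather than on the `-c` flag), and `launch-atlantis.sh $copy` / `launch-atlantis.sh $@` re-split that string, so any argument containing whitespace is broken apart. Collecting the forwarded arguments in an array, as below, fixes both and removes `count` and the string-typed `copy`; note that a trailing `-c` with no value becomes an error rather than silently setting an empty config file.
```shell
declare -a copy=()
fetch_configfile() {
  # Separate the terrascan "-c" config option from the arguments forwarded to atlantis.
  while (( $# > 0 )); do
    if [[ "$1" == "-c"* ]]; then
      if [[ $1 =~ ^-c=(.+) ]]; then
        config_file=${BASH_REMATCH[1]}
      elif [[ $1 == "-c" && $# -ge 2 ]]; then
        config_file=$2
        shift
      else
        echo "unacceptable argument : $1"
        exit 1
      fi
    else
      copy+=("$1")
    fi
    shift
  done
}
# … unchanged: fetch_configfile "$@" and the TERRASCAN_CONFIG export …
launch-atlantis.sh "${copy[@]}"
```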
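--- a/atlantis/launch-atlantis.sh
+++ b/atlantis/launch-atlantis.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+set -e
+
+declare flag
+
+function lookup_repo_config_flag() {
+for i in "$@"
+do
+if [[ "$i" == "--repo-config"* ]]; then
+flag="true"
+fi
+done
+}
+
+# Modified: https://github.com/hashicorp/docker-consul/blob/2c2873f9d619220d1eef0bc46ec78443f55a10b5/0.X/docker-entrypoint.sh
+
+# If the user is trying to run atlantis directly with some arguments, then
+# pass them to atlantis.
+if [ "${1:0:1}" = '-' ]; then
+set -- atlantis "$@"
+fi
+
+# If the user is running an atlantis subcommand (ex. server) then we want to prepend
+# atlantis as the first arg to exec. To detect if they're running a subcommand
+# we take the potential subcommand and run it through atlantis help {subcommand}.
+# If the output contains "atlantis subcommand" then we know it's a subcommand
+# since the help output contains that string. For anything else (ex. sh)
+# it won't contain that string.
+# NOTE: We use grep instead of the exit code since help always returns 0.
+if atlantis help "$1" 2>&1 | grep -q "atlantis $1"; then
+# We can't use the return code to check for the existence of a subcommand, so
+# we have to use grep to look for a pattern in the help output.
+set -- atlantis "$@"
+fi
+
+# If the current uid running does not have a user create one in /etc/passwd
+if ! whoami &> /dev/null; then
+if [ -w /etc/passwd ]; then
+echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:/home/atlantis:/sbin/nologin" >> /etc/passwd
+fi
+fi
+
+# If we're running as root and we're trying to execute atlantis then we use
+# gosu to step down from root and run as the atlantis user.
+# In OpenShift, containers are run as a random users so we don't need to use gosu.
+if [[ $(id -u) == 0 ]] && [[ "$1" = 'atlantis' ]]; then
+# If requested, set the capability to bind to privileged ports before
+# we drop to the non-root user. Note that this doesn't work with all
+# storage drivers (it won't work with AUFS).
+if [ ! -z ${ATLANTIS_ALLOW_PRIVILEGED_PORTS+x} ]; then
+setcap "cap_net_bind_service=+ep" /bin/atlantis
+fi
+
+set -- gosu atlantis "$@"
+fi
+
+to_exec=""
+
+lookup_repo_config_flag $@
+
+if [[ $flag != "true" ]] && [[ "$@" == *"atlantis"* ]] && [[ "$@" == *"server"* ]] && [[ -f /etc/atlantis/terrascan_workflow.yaml ]]; then
+echo "using the default repo-config"
+to_exec="$@ --repo-config=/etc/atlantis/workflow.yaml"
+else
+to_exec="$@"
+fi
+
+echo "executing command : $to_exec"
+exec $to_exec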
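Review bot: The `-f /etc/atlantis/terrascan_workflow.yaml` test in the `if [[ $flag != "true" ]] …` line checks a path the Dockerfile never creates — it installs the file as `/etc/atlantis/workflow.yaml`, the same path the next line appends — so the default repo-config branch is dead code and atlantis starts with no repo config unless the caller passes `--repo-config` themselves. The `lookup_repo_config_flag $@` and `exec $to_exec` lines also re-split the joined argument string, so any argument containing whitespace or glob characters (a webhook secret, for example) reaches atlantis as several words. Keeping the arguments as positional parameters and appending with `set --` fixes both; the `*"server"*` substring test still matches that word anywhere in the command line (for instance inside a repo allowlist), which is worth a tighter check on the subcommand position in a follow-up.
```shell
lookup_repo_config_flag "$@"

if [[ $flag != "true" ]] && [[ "$*" == *"atlantis"* ]] && [[ "$*" == *"server"* ]] && [[ -f /etc/atlantis/workflow.yaml ]]; then
  echo "using the default repo-config"
  set -- "$@" --repo-config=/etc/atlantis/workflow.yaml
fi

echo "executing command : $*"
exec "$@"
```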
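--- a/atlantis/setup.sh
+++ b/atlantis/setup.sh
@@ -0,0 +1,14 @@
+if [[ -z "${TERRASCAN_VERSION}" ]]; then
+TERRASCAN_VERSION=${DEFAULT_TERRASCAN_VERSION}
+fi
+
+VERSION=${TERRASCAN_VERSION}
+
+curl -LOs https://github.com/accurics/terrascan/releases/download/v${VERSION}/terrascan_${VERSION}_Linux_x86_64.tar.gz
+mkdir /usr/local/bin/terrascan_${VERSION}
+tar -C /usr/local/bin/terrascan_${VERSION} -xzf terrascan_${VERSION}_Linux_x86_64.tar.gz
+
+mv /usr/local/bin/terrascan_${VERSION}/terrascan /usr/local/bin/terrascan
+
+rm terrascan_${VERSION}_Linux_x86_64.tar.gz
+rm -rf /usr/local/bin/terrascan_${VERSION}/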
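Review bot: The `curl -LOs https://…` line downloads the terrascan release with `-s` but without `-f` and without any integrity check, so an HTTP error body is silently saved and handed to `tar`, and nothing ties the binary baked into the image to an expected digest — the build trusts whatever that URL serves at build time. The script also has no shebang and no `set -e`, yet its first line uses bash-only `[[ … ]]`; since the Dockerfile invokes it as a bare `setup.sh` from a `RUN` line, which interpreter runs it depends on the base image's `/bin/sh`, and a failing `curl` or `tar` does not stop the build. A shebang, strict mode, `curl -f` and a digest check before extraction address this; `TERRASCAN_SHA256` below is a build-time variable name chosen here, to be supplied as a build argument.
```shell
#!/bin/bash
set -euo pipefail
# … unchanged: TERRASCAN_VERSION / VERSION selection …
tarball="terrascan_${VERSION}_Linux_x86_64.tar.gz"
curl -fsSL -o "${tarball}" "https://github.com/accurics/terrascan/releases/download/v${VERSION}/${tarball}"
# Refuse to install a tarball whose digest differs from the one recorded at build time.
printf '%s  %s\n' "${TERRASCAN_SHA256:?expected sha256 of ${tarball}}" "${tarball}" | sha256sum -c -
# … unchanged: mkdir / tar / mv / rm …
```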
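--- a/atlantis/terrascan.sh
+++ b/atlantis/terrascan.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+terrascan scan -i tfplan --iac-version v1 -f ${PLANFILE}.json -l error > output
+
+#Formatting- create Terrascan block:
+sed -i '1s/^/<details><Summary>Terrascan Scan Results<\/Summary>\n\n```diff\n/' output
+#Close up original block
+sed -i '1s/^/```\n<\/details>\n/' output
+
+cat output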
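Review bot: Both `sed -i '1s/^/…/' output` lines prepend to line 1, so the second one ("Close up original block") inserts the closing ```` ``` ```` and `</details>` before the opening `<details>` block rather than after the scan results, and the rendered comment never closes; the closing markup belongs at the end of the last line, `sed -i '$s/$/\n```\n<\/details>/' output`. The exit status of the `terrascan scan … > output` line is also discarded because the script ends with `cat output` and has no `set -e`, so the atlantis step reports success regardless of what terrascan returned; if a non-zero scan status is meant to fail the plan, capture it with `… > output || status=$?` and finish with `exit "${status:-0}"` after the `cat`. `${PLANFILE}.json` should be quoted, and `output` is written into the current directory, which in an atlantis run step is the repository checkout.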
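--- a/atlantis/terrascan_workflow.yaml
+++ b/atlantis/terrascan_workflow.yaml
@@ -0,0 +1,12 @@
+repos:
+- id: "/.*/"
+workflow: terrascan
+workflows:
+terrascan:
+plan:
+steps:
+- run: terraform init -input=false -no-color
+- run: terraform workspace select -no-color $WORKSPACE
+- run: terraform plan -input=false -refresh -no-color -out $PLANFILE
+- run: terraform show -no-color -json $PLANFILE > ${PLANFILE}.json
+- run: terrascan.sh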
33 changes: 29 additions & 4 deletions docs/integrations/atlantis-integration.md
Expand Up @@ -11,7 +11,6 @@ In either scenario, the configuration of Atlantis is a diverse topic which will
Through this method, you will modify or create a custom workflow for atlantis so your repositories will be scanned by terrascan as part of the pull request automation.

**Requirements**

* The atlantis server must have TCP connectivity to where the terrascan server is running.
* The `curl` command needs to be installed on the system so the `terrascan-remote-scan.sh` script can make the scan request. Atlantis's [docker image](https://hub.docker.com/r/runatlantis/atlantis/) has curl preinstalled.

Expand Down Expand Up @@ -62,7 +61,7 @@ $ atlantis server \
--gh-token="$TOKEN" \
--gh-webhook-secret="$SECRET" \
--repo-allowlist="$REPO_ALLOWLIST" \
--repo-config=terrascan-workflow.yaml
--repo-config=terrascan-terrascan_workflow.yaml
```
(the variables in the example above must be set separately using `export` or similar shell methods)

Expand All @@ -74,6 +73,32 @@ terrascan server

Once the systems are running, when atlantis is called via pull request, or a comment of `atlantis plan`, terrascan will be called as part of the atlantis plan flow. Scan results will be placed in a comment on the pull request, and if issues are found the test will be marked as failed.

## Custom Atlantis Contaier
(coming soon...)
## Custom Atlantis Container

### Usage

To use our container image:
```
docker pull accurics/terrascan_atlantis
```

To build your own container image:
```
docker build ./atlantis -t <image_name>
```

Running the container:

```
docker run -e AWS_ACCESS_KEY_ID=<value> -e AWS_SECRET_ACCESS_KEY=<value> -e AWS_REGION=<value> -p 4141:4141 --user=atlantis -v <pwd>/data/:/etc/terrascan/ <image-name> server --gh-user=<GH_USER> --gh-token=<GH_PersonalAccessToken> --repo-allowlist=<gh_repo> --gh-webhook-secret=<webhook-secret> -c /etc/terrascan/config.toml
```

PS: You need to provide all the environment variables that terraform requires to operate with your respective cloud providers.

The server command is same as in [atlantis docs](https://www.runatlantis.io/docs/), except for an additional `-c` flag,
which is used to pass in the toml config filepath for terrascan.

Another way to provide the toml config filepath would be the TERRASCAN_CONFIG environment variable.

The default workflow.yaml file used is the `atlantis/workflow.yaml` in this repo. You're allowed to override on your own
by using the `--repo-config` flag. To trigger the terrascan scan, make sure you include a step to execute `atlantis/terrascan.sh` in your workflow file.
