From b2ae53d90eb4289b34a2139cfad914e9dd3e80d9 Mon Sep 17 00:00:00 2001
From: MOHANKUMAR T
Date: Mon, 25 Apr 2022 16:42:36 +0530
Subject: [PATCH] BAH-1615 | add. tfsec to pre-commit hooks
Co-authored-by: mradul1807
Co-authored-by: Umair Fayaz
---
 .pre-commit-config.yaml | 4 ++++
 tfsec/tfsec.sh | 30 ++++++++++++++++++++++++++++++
 tfsec/tfsec.yml | 7 +++++++
 3 files changed, 41 insertions(+)
 create mode 100755 tfsec/tfsec.sh
 create mode 100644 tfsec/tfsec.yml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index c46e6b7..f3f4030 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -13,3 +13,7 @@ repos:
 name: TFLint
 language: script
 entry: ./tflint/tflint.sh
+ - id: tfsec
+ name: TFSec
+ language: script
+ entry: ./tfsec/tfsec.sh
diff --git a/tfsec/tfsec.sh b/tfsec/tfsec.sh
new file mode 100755
index 0000000..899f8a5
--- /dev/null
+++ b/tfsec/tfsec.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -e
+SCRIPT_PATH=$(realpath "${BASH_SOURCE[0]}")
+SCRIPT_DIRECTORY=$(dirname "$SCRIPT_PATH")
+GREEN_COLOR="\033[1;32m"
+YELLOW_COLOR="\033[1;33m"
+NO_COLOR="\033[0m"
+
+run_scan(){
+ folder=$1
+
+ cd $folder
+ if [[ $GITHUB_ACTIONS ]]
+ then
+ terraform init -backend=false
+ fi
+
+ echo -e "${GREEN_COLOR}TFSec Scanning $folder....$NO_COLOR"
+ tfsec --config-file $SCRIPT_DIRECTORY/tfsec.yml --tfvars-file=terraform.tfvars --verbose
+
+ cd - > /dev/null
+ echo -e "\n"
+}
+
+run_scan terraform/shared
+for folder in terraform/environment/*
+do
+ run_scan $folder
+done;
diff --git a/tfsec/tfsec.yml b/tfsec/tfsec.yml
new file mode 100644
index 0000000..e03942d
--- /dev/null
+++ b/tfsec/tfsec.yml
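Review bot: The new `tfsec` hook entry has no `files:` filter and no `pass_filenames: false`, so pre-commit will run `./tfsec/tfsec.sh` on every commit and append the staged filenames as arguments, which the script added in this patch never reads. Adding `files: ^terraform/` and `pass_filenames: false` to the entry keeps the scan from running on unrelated commits and makes the intent explicit; the neighbouring TFLint entry is only partly visible here, so it may or may not need the same. Because `language: script` runs whatever `tfsec` binary is on the developer's PATH, the scanner version that gates a commit is unpinned — documenting a required version in the hook or the script would help keep local and CI results consistent.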
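Review bot: `run_scan` changes directory with an unquoted `cd $folder`, and the scan paths `terraform/shared` and `terraform/environment/*` are relative, so the script only works when the current directory is the repository root (pre-commit provides that, a manual run from elsewhere hits a failing `cd` under `set -e` with no message); it also never checks that `tfsec` is installed. I would anchor on the script's own location with `cd "$SCRIPT_DIRECTORY/.."`, guard with `command -v tfsec >/dev/null || { echo "tfsec is not installed" >&2; exit 1; }`, and quote the expansions (`cd "$folder"`, `--config-file "$SCRIPT_DIRECTORY/tfsec.yml"`). `folder` is assigned without `local` inside the function, so it overwrites the loop variable of the same name at the bottom — harmless today because the values coincide, but `local folder=$1` makes that explicit. Note that `terraform init -backend=false` only runs when `GITHUB_ACTIONS` is set, so local pre-commit scans presumably run without modules fetched and can report differently from CI; a comment stating that this is intended would help the next reader.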
@@ -0,0 +1,7 @@
+exclude:
+ - aws-eks-no-public-cluster-access # Cluster Public access for deploying from Github CI
+ - aws-eks-no-public-cluster-access-to-cidr # Cluster Public access for deploying from Github CI
+ - aws-eks-encrypt-secrets # Secret Encryption
+ - aws-rds-enable-performance-insights # Performance insights are optional and costs additionaly
+ - aws-vpc-no-public-egress-sgr # External access by instances to the internet
+ - aws-vpc-no-public-ingress-sgr # Public access from anywhere to bastion host
\ No newline at end of file
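Review bot: The `exclude:` list in `tfsec.yml` disables these checks globally for every folder the script scans, while the justifications given are resource-specific — `aws-vpc-no-public-ingress-sgr` is excused for the "bastion host" only, yet the suppression also silences any other security group rule that opens ingress to the public internet, and `aws-eks-encrypt-secrets # Secret Encryption` restates the rule name without saying why KMS encryption of Kubernetes secrets is being waived. Prefer scoping such waivers to the resource they describe with tfsec's inline `#tfsec:ignore:<rule-id>` comment on the specific resource block, and keep the global exclude for genuinely repo-wide decisions such as the performance-insights cost trade-off. Each remaining entry should carry a reason and ideally a ticket or review date so the exceptions are revisited rather than left quietly permanent.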