diff --git a/.github/checkov.yml b/.github/checkov.yml
new file mode 100644
index 0000000..2027ddd
--- /dev/null
+++ b/.github/checkov.yml
@@ -0,0 +1,48 @@
+name: checkov
+
+# Controls when the workflow will run
+on:
+ # Triggers the workflow on push or pull request events but only for the "main" branch
+ push:
+ branches: [ "main", "master" ]
+ pull_request:
+ branches: [ "main", "master" ]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+ # This workflow contains a single job called "scan"
+ scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+ # The type of runner that the job will run on
+ runs-on: ubuntu-latest
+
+ # Steps represent a sequence of tasks that will be executed as part of the job
+ steps:
+ # Checks-out your repository under $GITHUB_WORKSPACE, so follow-up steps can access it
+ - uses: actions/checkout@v3
+
+ - name: Checkov GitHub Action
+ uses: bridgecrewio/checkov-action@v12
+ with:
+ # This will add both a CLI output to the console and create a results.sarif file
+ output_format: cli,sarif
+ output_file_path: console,results.sarif
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v2
+
+ # Results are generated only on a success or failure
+ # this is required since GitHub by default won't run the next step
+ # when the previous one has failed. Security checks that do not pass will 'fail'.
+ # An alternative is to add `continue-on-error: true` to the previous step
+ # Or 'soft_fail: true' to checkov.
+ if: success() || failure()
+ with:
+ sarif_file: results.sarif
\ No newline at end of file
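Review bot: All three `uses:` references (`actions/checkout@v3`, `bridgecrewio/checkov-action@v12`, `github/codeql-action/upload-sarif@v2`) resolve mutable tags, so whoever can move those tags decides what code runs in a job that holds `security-events: write`; pin each to a full-length commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v3`, and let Dependabot or Renovate bump the SHAs. Separately, `pull_request` runs from forked repositories receive a read-only token, so the SARIF upload step will presumably fail there even though the scan itself runs; if fork PRs are expected, either guard the upload with a `github.event.pull_request.head.repo.full_name == github.repository` condition or note the expected failure in the comment block above `if:`.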
diff --git a/.gitignore b/.gitignore
index 2faf43d..fb22f57 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,7 +13,6 @@ crash.*.log
 # password, private keys, and other secrets. These should not be part of version
 # control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
-*.tfvars
 *.tfvars.json
 
 # Ignore override files as they are usually used to override resources locally and so
diff --git a/backend.tf b/backend.tf
new file mode 100644
index 0000000..dfd1c46
--- /dev/null
+++ b/backend.tf
@@ -0,0 +1,7 @@
+terraform {
+ backend "remote" {
+ hostname = "app.terraform.io"
+ organization = "cloudcodecoffee"
+ workspaces { name = "playground" }
+ }
+}
\ No newline at end of file
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..e69de29
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/provider.tf b/provider.tf
new file mode 100644
index 0000000..c8305b0
--- /dev/null
+++ b/provider.tf
@@ -0,0 +1,27 @@
+terraform {
+ required_version = ">= 1.0.0, < 2.0.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+}
+
+provider "aws" {
+ region = var.region
+ allowed_account_ids = [var.aws_account]
+
+ assume_role {
+ role_arn = "arn:aws:iam::${var.aws_account}:role/svc_terraform"
+ session_name = "Terraform"
+ }
+
+ default_tags {
+ tags = {
+ ManagedBy = "terraform"
+ Workspace = terraform.workspace
+ }
+ }
+}
\ No newline at end of file
diff --git a/terraform.tfvars b/terraform.tfvars
new file mode 100644
index 0000000..c44606e
--- /dev/null
+++ b/terraform.tfvars
@@ -0,0 +1,2 @@
+name = "playground"
+region = "us-west-2"
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..e69de29
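Review bot: Removing `*.tfvars` drops the guard that the comment directly above it describes — tfvars files are where credentials and account ids usually end up — and it un-ignores every future tfvars file, not only the `terraform.tfvars` added later in this diff, which currently holds just `name` and `region`. Keep the blanket rule and allow-list the single file instead: leave `*.tfvars` in place and add `!terraform.tfvars` on the line below it. The same point covers the terraform.tfvars hunk further down, so no separate note there.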
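Review bot: `var.region` and `var.aws_account` are referenced in the new provider block while `variables.tf` is added as an empty file in the same commit, so `terraform validate` will fail on undeclared variables; add declarations such as `variable "aws_account" { type = string }` and `variable "region" { type = string }` (plus `name`, which terraform.tfvars sets), each with a description. `aws_account` also has no value in the committed tfvars, so it is presumably supplied as a workspace variable in the remote backend; a short comment on `allowed_account_ids` saying where it comes from would help the next reader, and a `validation` block asserting a 12-digit account id would turn a typo into a plan-time error rather than a failed assume-role against the wrong account.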