diff --git a/.github/workflows/tf-fmt-check.yml b/.github/workflows/tf-fmt-check.yml
new file mode 100644
index 0000000..4cb931c
--- /dev/null
+++ b/.github/workflows/tf-fmt-check.yml
@@ -0,0 +1,21 @@
+name: tfactions
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+jobs:
+  tfactions:
+    name: tfactions
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
+
+      - name: Terraform fmt
+        id: fmt
+        run: terraform fmt -check
\ No newline at end of file
diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml
index 32a9446..b29f5d3 100644
--- a/.github/workflows/tfsec.yml
+++ b/.github/workflows/tfsec.yml
@@ -1,18 +1,37 @@
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
 name: tfsec
+
 on:
   push:
-    branches:
-      - main
+    branches: [ "main" ]
   pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '27 20 * * 5'
+
 jobs:
   tfsec:
-    name: tfsec
+    name: Run tfsec sarif report
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     steps:
       - name: Clone repo
-        uses: actions/checkout@master
-      - name: tfsec
-        uses: aquasecurity/tfsec-action@v1.0.0
+        uses: actions/checkout@v4
+
+      - name: Run tfsec
+        uses: aquasecurity/tfsec-sarif-action@21ded20e8ca120cd9d3d6ab04ef746477542a608
+        with:
+          sarif_file: tfsec.sarif
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
         with:
-          soft_fail: true
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: tfsec.sarif
\ No newline at end of file
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
new file mode 100644
index 0000000..ef31f06
--- /dev/null
+++ b/.terraform.lock.hcl
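Review bot: The `cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}` passed to `hashicorp/setup-terraform@v3` is not needed by the only Terraform command this job runs, `terraform fmt -check`, which is a local formatting check that never contacts Terraform Cloud; handing a Terraform Cloud API token to a job that does not use it widens the blast radius of any compromised or malicious step in the workflow, so drop the `with:` block here. The job also declares no `permissions:` block, unlike the tfsec workflow in the same commit, so the GITHUB_TOKEN gets whatever the repository default grants; add a job-level `permissions:` with `contents: read`, since checkout is all it needs. Both actions are referenced by mutable major tags (`@v4`, `@v3`) where the tfsec workflow pins to a commit SHA; pinning consistently is worth doing. Note that `terraform fmt -check` only inspects the working directory, so if modules live in subdirectories `-recursive` is needed for the check to cover them.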
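Review bot: `actions/checkout@v4` and `github/codeql-action/upload-sarif@v3` are still referenced by mutable tags while `aquasecurity/tfsec-sarif-action` on the line between them is pinned to a full commit SHA; a tag can be moved by the action owner (or by anyone who gains write access to that repo), so pin all three to SHAs with the version in a trailing comment, e.g. `uses: actions/checkout@<sha> # v4`. The new header comment begins mid-sentence (`# They are provided by a third-party ...`) — it is the tail of GitHub's starter-workflow boilerplate with its first line dropped, so either restore `# This workflow uses actions that are not certified by GitHub.` above it or delete the fragment. Replacing `tfsec-action` with `soft_fail: true` by the SARIF action plus upload-sarif changes how findings surface: they now appear under code scanning in the Security tab rather than in the job log, and, as far as I can tell from the inputs shown, nothing in this job fails the run on a finding, so that should be stated in the workflow or enforced through a code-scanning branch rule if PRs are expected to be blocked. For `pull_request` events from forks the GITHUB_TOKEN is read-only regardless of the `permissions:` block, so the SARIF upload step will fail on fork PRs; if that is expected, gate the upload on `if: github.event.pull_request.head.repo.full_name == github.repository`.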
@@ -0,0 +1,25 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version = "5.62.0"
+  constraints = "~> 5.0"
+  hashes = [
+    "h1:X3LAZdkVhb/77gTlhPwKYCA9oblBCSu866fZDDOojPY=",
+    "zh:1f366cbcda72fb123015439a42ab19f96e10ce4edb404273f4e1b7e06da20b73",
+    "zh:25f098454a34b483279e0382b24b4f42e51c067222c6e797eda5d3ec33b9beb1",
+    "zh:4b59d48b527e3cefd73f196853bfc265b3e1e57b55c1c8a2d12ff6e3534b4f07",
+    "zh:7bb88c1ca95e2b3f0f1fe8636925133b9813fc5b137cc467ba6a233ddf4b360e",
+    "zh:8a93dece40e816c92647e762839d0370e9cad2aa21dc4ca95baee9385f116459",
+    "zh:8dfe82c55ab8f633c1e2a39c687e9ca8c892d1c2005bf5166ac396ce868ecd05",
+    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+    "zh:a754952d69b4860480d5207390e3ab42350c964dbca9a5ac0c6912dd24b4c11d",
+    "zh:b2a4dbf4abee0e9ec18c5d323b99defdcd3c681f8c4306fb6e02cff7de038f85",
+    "zh:b57d84be258b571c04271015f03858ab215768b82e47c11ecd86e789d577030a",
+    "zh:be811b03289407c8d59e6b199bf16e6071165565ffe502148172d0886cf849c4",
+    "zh:d4144c7366c840eff1ac15ba13d96063f798f0983d24053a832362033624fe6f",
+    "zh:d88612856d453c4e10c49c76e4ef522b7d068b4f7c3e2e0b03dd74540986eecd",
+    "zh:e8bd231a5d0786cc4aab8471bb6dabd5a5df1c598afda077a9f27987ada57b67",
+    "zh:ffb40a66b4d000a8ee4c54227eeb998f887ad867419c3af7d3981587788de074",
+  ]
+}
diff --git a/provider.tf b/provider.tf
index c8305b0..9403982 100644
--- a/provider.tf
+++ b/provider.tf
@@ -14,7 +14,7 @@ provider "aws" {
   allowed_account_ids = [var.aws_account]
   assume_role {
-    role_arn = "arn:aws:iam::${var.aws_account}:role/svc_terraform"
+    role_arn = "arn:aws:iam::${var.aws_account}:role/terraform-service"
     session_name = "Terraform"
   }
diff --git a/variables.tf b/variables.tf
index e69de29..85c5bf1 100644
--- a/variables.tf
+++ b/variables.tf
@@ -0,0 +1,13 @@
+variable "name" {
+  type = string
+}
+
+variable "region" {
+  description = "AWS region to create resources in"
+  type = string
+  default = "us-east-1"
+}
+
+variable "aws_account" {
+  description = "Account number to create AWS resources in. This variable should be defined in the Terraform Cloud workspace settings"
+}
\ No newline at end of file
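Review bot: `variable "aws_account"` declares neither a `type` nor a `validation` block, yet the provider.tf hunk in this commit interpolates it straight into the assume-role ARN and into `allowed_account_ids`; with no type it defaults to `any`, so a numeric value set in the Terraform Cloud workspace is accepted, and anything that is not a 12-digit account ID only surfaces at plan time as an opaque STS or provider error. Constrain it to a string matching `^[0-9]{12}$` so a mistyped or wrong-account value is rejected at variable evaluation, before any credentials are exercised. `variable "name"` has no description either; add one saying what it names so the workspace setting is self-explanatory.
```hcl
# … unchanged: variable "name", variable "region" …

variable "aws_account" {
  description = "Account number to create AWS resources in. This variable should be defined in the Terraform Cloud workspace settings"
  type        = string

  validation {
    condition     = can(regex("^[0-9]{12}$", var.aws_account))
    error_message = "aws_account must be a 12-digit AWS account ID."
  }
}
```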