zachrundle · zachrundle · Aug 12, 2024 · Aug 11, 2024 · Aug 11, 2024 · Aug 11, 2024
diff --git a/.github/workflows/tf-fmt-check.yml b/.github/workflows/tf-fmt-check.yml
@@ -0,0 +1,22 @@
+name: tfactions
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+jobs:
+  tfactions:
+    name: tfactions
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
+          soft_fail: true
+
+      - name: Terraform fmt
+        id: fmt
+        run: terraform fmt -check
diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml
@@ -6,13 +6,26 @@ on:
   pull_request:
 jobs:
   tfsec:
-    name: tfsec
+    name: tfsec sarif report
     runs-on: ubuntu-latest
-
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     steps:
       - name: Clone repo
-        uses: actions/checkout@master
+        uses: actions/checkout@v2
+        with:
+          persist-credentials: false
+
       - name: tfsec
-        uses: aquasecurity/[email protected]
+        uses: aquasecurity/[email protected]
+        with:
+          sarif_file: tfsec.sarif 
+          additional_args: '--severity HIGH'         
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v1
         with:
-          soft_fail: true
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: tfsec.sarif
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/main.tf b/main.tf
@@ -1,0 +1,7 @@
+resource "aws_s3_bucket" "my_bucket" {
+  bucket = "test-bucket-42353242213123"
+  tags = {
+    Name        = "MyS3Bucket"
+    Environment =                       "Dev"
+  }
+}
diff --git a/provider.tf b/provider.tf
@@ -14,7 +14,7 @@ provider "aws" {
   allowed_account_ids = [var.aws_account]
 
   assume_role {
-    role_arn     = "arn:aws:iam::${var.aws_account}:role/svc_terraform"
+    role_arn     = "arn:aws:iam::${var.aws_account}:role/terraform-service"
     session_name = "Terraform"
   }
 

diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,13 @@
+variable "name" {
+  type = string
+}
+
+variable "region" {
+  description = "AWS region to create resources in"
+  type        = string
+  default     = "us-east-1"
+}
+
+variable "aws_account" {
+  description = "Account number to create AWS resources in. This variable should be defined in the Terraform Cloud workspace settings"
+}