From ff6678b5e018bf7fdf56fbd78e6588cf4e8a7b73 Mon Sep 17 00:00:00 2001
From: Bruno Schaatsbergen
Date: Wed, 27 Mar 2024 20:53:48 +0100
Subject: [PATCH 1/8] replace precommit with a CI job
---
 .github/workflows/ci.yaml | 41 +++++++++++++++++++++++++++++++
 .github/workflows/pre-commit.yaml | 38 ----------------------------
 .pre-commit-config.yaml | 22 -----------------
 3 files changed, 41 insertions(+), 60 deletions(-)
 create mode 100644 .github/workflows/ci.yaml
 delete mode 100644 .github/workflows/pre-commit.yaml
 delete mode 100644 .pre-commit-config.yaml
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..3d72541
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,41 @@
+name: ci
+on:
+ pull_request:
+permissions:
+ contents: read
+defaults:
+ run:
+ shell: bash
+jobs:
+ ci:
+ runs-on: ubuntu-latest
+ steps:
+ # Setup dependencies
+ - uses: actions/checkout@v3
+ - uses: actions/setup-python@v5
+ with:
+ python-version: 3.10
+ - uses: pre-commit/action@v3.0.1
+
+ # Run a couple of native Terraform checks
+ - uses: hashicorp/setup-terraform@v3
+ - run: terraform init
+ - run: terraform fmt -recursive -check
+ - run: terraform validate
+
+ # Checkov
+ - uses: bridgecrewio/checkov-action@v12
+ with:
+ directory: .
+ quiet: true
+ skip_check: CKV_TF_1,CKV_GCP_32,CKV_GCP_34,CKV2_GCP_18
+ framework: terraform
+
+ # Terraform-docs
+ - uses: terraform-docs/gh-actions@v1.1.0
+ with:
+ working-dir: .
+ output-file: README.md
+ output-method: inject
+ fail-on-diff: true
+ args: --lockfile=false
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
deleted file mode 100644
index 7d1a97c..0000000
--- a/.github/workflows/pre-commit.yaml
+++ /dev/null
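Review bot: Every action in the new ci.yaml is pinned to a mutable tag (`actions/checkout@v3`, `hashicorp/setup-terraform@v3`, `bridgecrewio/checkov-action@v12`, `terraform-docs/gh-actions@v1.1.0`), so the code that runs with this job's token can change without any commit to this repository; pin each to a full commit SHA and keep the tag in a comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v3`. The `skip_check` line suppresses four Checkov findings with no reason recorded anywhere in the file; a short comment per check id above that line would let the next reviewer judge whether each exception still holds. If the root module declares a backend, the bare `terraform init` step will try to reach it during a pull-request build; `terraform init -backend=false` is sufficient for the `fmt` and `validate` steps that follow.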
@@ -1,38 +0,0 @@
-name: precommit
-on:
- pull_request:
-permissions:
- contents: read
-defaults:
- run:
- shell: bash
-jobs:
- precommit:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- - name: Set up Python
- uses: actions/setup-python@v2
- with:
- python-version: 3.8
- - name: Create virtual environment
- run: python3 -m venv venv && source venv/bin/activate
- - name: Install pre-commit and checkov
- run: |
- python3 -m pip install --upgrade pip
- python3 -m pip install pre-commit==3.5.0 checkov==2.5.10
- - name: install terraform-docs
- run: |
- curl -sSLo ./terraform-docs.tar.gz https://terraform-docs.io/dl/v0.16.0/terraform-docs-v0.16.0-$(uname)-amd64.tar.gz
- tar -xzf terraform-docs.tar.gz
- chmod +x terraform-docs
- mv terraform-docs /usr/local/bin/
- - name: Cache packages
- uses: actions/cache@v2
- with:
- path: ~/.cache/pip
- key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
- restore-keys: |
- ${{ runner.os }}-pip-
- - name: Run pre-commit
- run: pre-commit run --show-diff-on-failure --color=always --all-files
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
deleted file mode 100644
index f5bb6d1..0000000
--- a/.pre-commit-config.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-repos:
- - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.74.1
- hooks:
- - id: terraform_checkov
- args:
- - --args=--quiet
- - --args=--compact
- - --args=--framework=terraform
- - --args=--skip-check=CKV_TF_1,CKV_GCP_32,CKV_GCP_34,CKV2_GCP_18
- - id: terraform_fmt
- exclude: ^examples/
- - id: terraform_validate
- exclude: ^examples/
- - id: terraform_docs
- args: ["--args=--lockfile=false"]
- exclude: ^examples/
-
- - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v3.4.0
- hooks:
- - id: check-merge-conflict
From 763107ff36eb3a27c0057c590b2fbdaf1a423acf Mon Sep 17 00:00:00 2001
From: Bruno Schaatsbergen
Date: Wed, 27 Mar 2024 20:55:10 +0100
Subject: [PATCH 2/8] use quotes
---
 .github/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 3d72541..0979677 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -14,7 +14,7 @@ jobs:
 - uses: actions/checkout@v3
 - uses: actions/setup-python@v5
 with:
- python-version: 3.10
+ python-version: "3.10"
 - uses: pre-commit/action@v3.0.1

 # Run a couple of native Terraform checks
From f42316097fb48a671125aa18ae502588eb697cfb Mon Sep 17 00:00:00 2001
From: Bruno Schaatsbergen
Date: Wed, 27 Mar 2024 20:56:40 +0100
Subject: [PATCH 3/8] rm precommit from CI job
---
 .github/workflows/ci.yaml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 0979677..a4f0d53 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -12,10 +12,6 @@ jobs:
 steps:
 # Setup dependencies
 - uses: actions/checkout@v3
- - uses: actions/setup-python@v5
- with:
- python-version: "3.10"
- - uses: pre-commit/action@v3.0.1

 # Run a couple of native Terraform checks
 - uses: hashicorp/setup-terraform@v3
From 436cba46142ebba6d6bb04eb9462bcdabaddaf13 Mon Sep 17 00:00:00 2001
From: Bruno Schaatsbergen
Date: Wed, 27 Mar 2024 20:58:52 +0100
Subject: [PATCH 4/8] Update README.md
---
 README.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index e7e9660..5077354 100644
--- a/README.md
+++ b/README.md
@@ -178,7 +178,8 @@ This error indicates that the Google Cloud Managed SSL certificate is not yet fu
 If all configurations are correct, it may take up to 25 minutes for the certificate to be provisioned. You can check the status of the certificate in the Google Cloud Console. - + + ## Requirements | Name | Version |
@@ -271,4 +272,4 @@ You can check the status of the certificate in the Google Cloud Console.
 | [ip\_address](#output\_ip\_address) | The IPv4 address of the load balancer |
 | [managed\_ssl\_certificate\_certificate\_id](#output\_managed\_ssl\_certificate\_certificate\_id) | The unique identifier of the Google Managed SSL certificate |
 | [managed\_ssl\_certificate\_expire\_time](#output\_managed\_ssl\_certificate\_expire\_time) | Expire time of the Google Managed SSL certificate |
-
+
\ No newline at end of file
From 21a3c12322125b242f86438050f7a6e9b235cbed Mon Sep 17 00:00:00 2001
From: Bruno Schaatsbergen
Date: Wed, 27 Mar 2024 21:04:19 +0100
Subject: [PATCH 5/8] allow to push the docs change
---
 .github/workflows/ci.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index a4f0d53..0cd3756 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,17 +1,15 @@
 name: ci
 on:
- pull_request:
-permissions:
- contents: read
-defaults:
- run:
- shell: bash
+ - pull_request
+
 jobs:
 ci:
 runs-on: ubuntu-latest
 steps:
 # Setup dependencies
 - uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}

 # Run a couple of native Terraform checks
 - uses: hashicorp/setup-terraform@v3
@@ -35,3 +33,5 @@ jobs:
 output-method: inject
 fail-on-diff: true
 args: --lockfile=false
+ git-push: "true" # automatically push the changes to the branch
+
From 20749f24e1aeb359baa9dd96cd307d3bec05cdb1 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Wed, 27 Mar 2024 20:04:59 +0000
Subject: [PATCH 6/8] terraform-docs: automated action
---
 checkov-problem-matcher-softfail.json | 22 ++++++++++++++++++++++
 checkov-problem-matcher.json | 21 +++++++++++++++++++++
 results.sarif | 1 +
 3 files changed, 44 insertions(+)
 create mode 100644 checkov-problem-matcher-softfail.json
 create mode 100644 checkov-problem-matcher.json
 create mode 100644 results.sarif
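Review bot: Deleting the `permissions:` block in the first hunk of ci.yaml removes the explicit `contents: read` grant, so the job's GITHUB_TOKEN now inherits the repository default, which may be wider than the single push the last step needs and is no longer visible in the workflow; keep the block and widen it deliberately, `permissions:` / `  contents: write`. Checking out `${{ github.event.pull_request.head.ref }}` passes only a branch name, which for a pull request opened from a fork resolves against the base repository rather than the contributor's fork, so the job would build the wrong branch or fail at checkout; guarding the ref on `github.event.pull_request.head.repo.full_name == github.repository` avoids that. Dropping `defaults.run.shell: bash` also changes how the `run:` steps execute (GitHub invokes `bash -e` instead of `bash -eo pipefail` when no shell is named); if that was not intended, keep the `defaults:` block.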
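Review bot: `git-push: "true"` in the second hunk asks the terraform-docs step to commit from a `pull_request`-triggered job, but for pull requests from forks the GITHUB_TOKEN is read-only and the push fails, so the job then fails for a reason unrelated to the docs; either add `if: github.event.pull_request.head.repo.full_name == github.repository` to this step or rely on `fail-on-diff: true` alone and let contributors regenerate README.md. Patch 6 in this series (authored by github-actions[bot]) shows that the push commits every untracked file in the workspace, including Checkov's `checkov-problem-matcher*.json` and `results.sarif`, because the Checkov step runs before terraform-docs; moving the terraform-docs step ahead of Checkov removes that cause rather than masking it. The added trailing blank line at the end of the file should be dropped.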
diff --git a/checkov-problem-matcher-softfail.json b/checkov-problem-matcher-softfail.json
new file mode 100644
index 0000000..34a45f8
--- /dev/null
+++ b/checkov-problem-matcher-softfail.json
@@ -0,0 +1,22 @@
+{
+ "problemMatcher": [
+ {
+ "owner": "checkov",
+ "pattern": [
+ {
+ "regexp": "^Check: (\\w+: .*)$",
+ "message": 1
+ },
+ {
+ "regexp": "^\\WFAILED.*$"
+ },
+ {
+ "regexp": "^\\WFile: \/(.+):(\\d+)-(\\d+)$",
+ "file": 1,
+ "line": 2
+ }
+ ],
+ "severity": "error"
+ }
+ ]
+}
diff --git a/checkov-problem-matcher.json b/checkov-problem-matcher.json
new file mode 100644
index 0000000..bfdf0bb
--- /dev/null
+++ b/checkov-problem-matcher.json
@@ -0,0 +1,21 @@
+{
+ "problemMatcher": [
+ {
+ "owner": "checkov",
+ "pattern": [
+ {
+ "regexp": "^Check: (\\w+: .*)$",
+ "message": 1
+ },
+ {
+ "regexp": "^\\WFAILED.*$"
+ },
+ {
+ "regexp": "^\\WFile: \/(.+):(\\d+)-(\\d+)$",
+ "file": 1,
+ "line": 2
+ }
+ ]
+ }
+ ]
+}
diff --git a/results.sarif b/results.sarif
new file mode 100644
index 0000000..a8fa027
--- /dev/null
+++ b/results.sarif
@@ -0,0 +1 @@
+{"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", "version": "2.1.0", "runs": [{"tool": {"driver": {"name": "Checkov", "version": "3.2.48", "informationUri": "https://checkov.io", "rules": [], "organization": "bridgecrew"}}, "results": []}]}
\ No newline at end of file
From 4759059f68f2a4735da637ab0cd8dbd6c00732b8 Mon Sep 17 00:00:00 2001
From: Bruno Schaatsbergen
Date: Wed, 27 Mar 2024 21:08:31 +0100
Subject: [PATCH 7/8] Revert "terraform-docs: automated action"
This reverts commit 20749f24e1aeb359baa9dd96cd307d3bec05cdb1.
---
 checkov-problem-matcher-softfail.json | 22 ----------------------
 checkov-problem-matcher.json | 21 ---------------------
 results.sarif | 1 -
 3 files changed, 44 deletions(-)
 delete mode 100644 checkov-problem-matcher-softfail.json
 delete mode 100644 checkov-problem-matcher.json
 delete mode 100644 results.sarif
diff --git a/checkov-problem-matcher-softfail.json b/checkov-problem-matcher-softfail.json
deleted file mode 100644
index 34a45f8..0000000
--- a/checkov-problem-matcher-softfail.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "problemMatcher": [
- {
- "owner": "checkov",
- "pattern": [
- {
- "regexp": "^Check: (\\w+: .*)$",
- "message": 1
- },
- {
- "regexp": "^\\WFAILED.*$"
- },
- {
- "regexp": "^\\WFile: \/(.+):(\\d+)-(\\d+)$",
- "file": 1,
- "line": 2
- }
- ],
- "severity": "error"
- }
- ]
-}
diff --git a/checkov-problem-matcher.json b/checkov-problem-matcher.json
deleted file mode 100644
index bfdf0bb..0000000
--- a/checkov-problem-matcher.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "problemMatcher": [
- {
- "owner": "checkov",
- "pattern": [
- {
- "regexp": "^Check: (\\w+: .*)$",
- "message": 1
- },
- {
- "regexp": "^\\WFAILED.*$"
- },
- {
- "regexp": "^\\WFile: \/(.+):(\\d+)-(\\d+)$",
- "file": 1,
- "line": 2
- }
- ]
- }
- ]
-}
diff --git a/results.sarif b/results.sarif
deleted file mode 100644
index a8fa027..0000000
--- a/results.sarif
+++ /dev/null
@@ -1 +0,0 @@
-{"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", "version": "2.1.0", "runs": [{"tool": {"driver": {"name": "Checkov", "version": "3.2.48", "informationUri": "https://checkov.io", "rules": [], "organization": "bridgecrew"}}, "results": []}]}
\ No newline at end of file
From 51eeb71ef4df6f0643cd1d62740f001a1c2ed5f2 Mon Sep 17 00:00:00 2001
From: Bruno Schaatsbergen
Date: Wed, 27 Mar 2024 21:08:33 +0100
Subject: [PATCH 8/8] Update .gitignore
---
 .gitignore | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.gitignore b/.gitignore
index 53074ba..06948e9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -30,3 +30,8 @@ override.tf.json
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
+
+ # Checkov files
+checkov-problem-matcher-softfail.json
+checkov-problem-matcher.json
+results.sarif
\ No newline at end of file
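Review bot: The new `.gitignore` entries end without a trailing newline (`\ No newline at end of file`), so the next append to this file will show `results.sarif` as modified in an unrelated diff; terminate the last line with a newline. Ignoring `checkov-problem-matcher-softfail.json`, `checkov-problem-matcher.json` and `results.sarif` addresses the symptom seen in patch 6, where the terraform-docs push committed Checkov's working-tree output; the cause is the step order in ci.yaml, where Checkov runs before terraform-docs, and moving the docs step first would keep those files out of the push without depending on this list staying in sync with what Checkov writes. The hunk is at the end of the file.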