Upgrade CI, trivy, remove checkov

adhocteam · Mar 21, 2024 · 822e1a1 · 822e1a1
1 parent 4aaa0b8
commit 822e1a1
Show file tree

Hide file tree

Showing 6 changed files with 39 additions and 49 deletions.
diff --git a/.github/ci-versions.env b/.github/ci-versions.env
@@ -1,4 +1,3 @@
-TERRAGRUNT_VERSION=v0.38.7
-TERRAFORM_VERSION=1.2.6
-TFSEC_VERSION=v1.27.1
-TFLINT_VERSION=v0.39.2
+TERRAFORM_VERSION=1.5.6
+TRIVY_VERSION=v1.27.1
+TFLINT_VERSION=v0.50.3
diff --git a/.github/workflows/tf-ci.yml b/.github/workflows/tf-ci.yml
@@ -29,8 +29,8 @@ jobs:
       - name: Import CI .env file
         uses: cardinalby/export-env-action@v1
         with:
-          envFile: '.github/ci-versions.env'    
-          expand: 'true'
+          envFile: ".github/ci-versions.env"
+          expand: "true"
 
       - name: Install Terraform
         uses: hashicorp/setup-terraform@v2
@@ -56,39 +56,30 @@ jobs:
       - name: Import CI .env file
         uses: cardinalby/export-env-action@v1
         with:
-          envFile: '.github/ci-versions.env'    
-          expand: 'true'
+          envFile: ".github/ci-versions.env"
+          expand: "true"
 
       - name: Install Terraform
         uses: hashicorp/setup-terraform@v2
         with:
           terraform_wrapper: false
           terraform_version: ${{ env.TERRAFORM_VERSION }}
 
-      - name: Setup tfsec
-        run: |
-          wget https://github.com/aquasecurity/tfsec/releases/download/${{ env.TFSEC_VERSION }}/tfsec-linux-amd64
-          chmod +x tfsec-linux-amd64
-          sudo mv tfsec-linux-amd64 /usr/local/bin/tfsec
-
-      - name: Run tfsec
-        shell: bash --noprofile --norc -exo pipefail {0}
-        run: tfsec .
-
-  checkov:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v2
-
-      - name: checkov
-        id: checkov
-        uses: bridgecrewio/checkov-action@c9e3e20671a02850d20e1b1dae97e34b39ff9b37
+      - name: Run Trivy vulnerability scanner in IaC mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: "config"
+          hide-progress: false
+          format: "sarif"
+          output: "trivy-results.sarif"
+          exit-code: "1"
+          ignore-unfixed: true
+          severity: "CRITICAL,HIGH"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
         with:
-          quiet: true
-          framework: terraform
-          output_format: github_failed_only # optional: the output format, one of: cli, json, junitxml, github_failed_only
-          download_external_modules: true
+          sarif_file: "trivy-results.sarif"
 
   validate:
     runs-on: ubuntu-latest
@@ -99,8 +90,8 @@ jobs:
       - name: Import CI .env file
         uses: cardinalby/export-env-action@v1
         with:
-          envFile: '.github/ci-versions.env'    
-          expand: 'true'
+          envFile: ".github/ci-versions.env"
+          expand: "true"
 
       - name: Install Terraform
         uses: hashicorp/setup-terraform@v2

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,12 +1,12 @@
 repos:
-# Run terraform fmt to fix our terraform styling
-# Run terraform docs to generate documentation for our terraform code
-# Run tflint to lint our terraform code
-# Run tfsec to scan our terraform code for security problems
-- repo: git://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.62.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
-  hooks:
-    - id: terraform_fmt
-    - id: terraform_docs
-    - id: terraform_tflint
-    - id: terraform_tfsec
+  # Run terraform fmt to fix our terraform styling
+  # Run terraform docs to generate documentation for our terraform code
+  # Run tflint to lint our terraform code
+  # Run tfsec to scan our terraform code for security problems
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.88.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_docs
+      - id: terraform_tflint
+      - id: terraform_trivy
diff --git a/README.md b/README.md
@@ -11,13 +11,14 @@ The module also supports passing in a custom IAM policy document (typically gene
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.0.0, < 5.0.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.0.0, < 5.0.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0.0 |
 
 ## Modules
 

diff --git a/iam-preset-poweruseraccess.tf b/iam-preset-poweruseraccess.tf
@@ -7,8 +7,6 @@ resource "aws_iam_role_policy_attachment" "PowerUserAccess" {
 }
 
 data "aws_iam_policy_document" "PowerUserIAMAccess" {
-  # checkov:skip=CKV_AWS_109:This role is needed if using a role that needs limited IAM write access, even if it does allow permission escalation
-  # checkov:skip=CKV_AWS_110:This role is needed if using a role that needs limited IAM write access, even if it does allow permission escalation
   statement {
     effect = "Allow"
     actions = [

diff --git a/versions.tf b/versions.tf
@@ -2,7 +2,8 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.0.0, < 5.0.0"
+      version = ">= 5.0.0"
     }
   }
+  required_version = ">= 1.0.0"
 }