fix(security): Mark webhooks variable as sensitive (#35)

cloudandthings · Jan 18, 2023 · 6e3cbe9 · 6e3cbe9
1 parent f829f95
commit 6e3cbe9
Show file tree

Hide file tree

Showing 9 changed files with 226 additions and 256 deletions.
diff --git a/.checkov-config.yml b/.checkov-config.yml
@@ -0,0 +1,7 @@
+download-external-modules: true
+quiet: true
+skip-check:
+  # Github: Ensure top-level permissions are not set to write-all
+  - CKV2_GHA_1
+  # Ensure AWS Lambda function is configured to validate code-signing
+  - CKV_AWS_272
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -0,0 +1,100 @@
+name: pre-commit
+
+env:
+  AWS_REGION: af-south-1
+  AWS_ROLE_ARN: arn:aws:iam::353444730604:role/cat-genrl-prd-infra-github-workflows
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+      - master
+      - develop
+
+  # Called from https://github.com/cloudandthings/cat-docker-terraform-aws-github
+  workflow_call:
+    inputs:
+      container-image:
+        required: true
+        type: string
+      disable-tests:
+        required: false
+        default: true
+        type: boolean
+
+permissions:
+  id-token: write
+  contents: read
+
+defaults:
+  # Set shell for steps inside containers (default=sh)
+  run:
+    shell: bash
+
+jobs:
+  #--------------------------------------------------------------
+  # PRE-COMMIT
+  #--------------------------------------------------------------
+  pre_commit:
+    name: 💍 pre-commit
+    # For public repos use runs-on: ubuntu-latest
+    # For private repos use runs-on: self-hosted
+    runs-on: ubuntu-latest
+    container: ${{ inputs.container-image || 'bjorncloudandthings/terraform-aws-github:develop' }}
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v2
+      - uses: hashicorp/setup-terraform@v2
+      - name: Install requirements
+        run: |
+          python -m venv .venv
+          source .venv/bin/activate
+          if [ -f requirements.txt ]; then
+            pip install -r requirements.txt
+          else
+            pip install pre-commit
+          fi
+      - name: Run
+        run: |
+          source .venv/bin/activate
+          pre-commit install
+          if [[ "${{ env.GITHUB_REPOSITORY}}" == "cloudandthings/terraform-aws-template" ]]; then
+            export SKIP=no-vanilla-readme
+          fi
+          pre-commit run --all-files --show-diff-on-failure
+
+  #--------------------------------------------------------------
+  # TESTS
+  #--------------------------------------------------------------
+  tests:
+    needs: [pre_commit]
+    name: ✅ tests
+    # For public repos use runs-on: ubuntu-latest
+    # For private repos use runs-on: self-hosted
+    runs-on: ubuntu-latest
+    container: ${{ inputs.container-image || 'bjorncloudandthings/terraform-aws-github:develop' }}
+    if: ${{ !inputs.disable-tests || true }}
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v2
+      - uses: hashicorp/setup-terraform@v2
+      - uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-region: ${{ env.AWS_REGION }}
+          role-to-assume: ${{ env.AWS_ROLE_ARN }}
+          role-duration-seconds: 3600
+      - name: Install requirements
+        run: |
+          python -m venv .venv
+          source .venv/bin/activate
+          pip install -r requirements.txt
+      - name: Run
+        if: ${{ ! inputs.disable-tests || true }}
+        run: |
+          source .venv/bin/activate
+          echo "::echo::off"
+          pytest
+        env:
+          PYTEST_ADDOPTS: "--color=yes"
+        timeout-minutes: 10
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -0,0 +1,45 @@
+name: release
+
+# Overview ref: https://github.com/googleapis/release-please
+# Configuration ref: https://github.com/google-github-actions/release-please-action
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+      - master
+      - develop
+
+jobs:
+  release-please:
+    name: 🙏 release-please
+    runs-on: ubuntu-latest
+    steps:
+      - name: release-please
+        uses: google-github-actions/release-please-action@v3
+        id: release
+        with:
+          release-type: simple
+          # These bumps are honoured only if there is an
+          # initial tag of v0.1.0 . Create it manually if needed.
+          #
+          # BREAKING CHANGE only bumps semver minor if version < 1.0.0
+          bump-minor-pre-major: true
+          # feat commits bump semver patch instead of minor if version < 1.0.0
+          bump-patch-for-minor-pre-major: true
+          # prerelease when committing to develop
+          prerelease: ${{ github.ref == 'refs/heads/develop' }}
+      #--------------------------------------------
+      # Comment
+      #--------------------------------------------
+      - name: comment
+        uses: thollander/actions-comment-pull-request@v2
+        if: github.event_name == 'pull_request' && steps.release.outputs.releases_created
+        with:
+          message: |
+            :white_check_mark: **Release PR details** :white_check_mark:
+
+            ${{ steps.release.outputs.pr }}
+
+            #${{ steps.release.outputs.pr.number }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
diff --git a/.github/workflows/terraform-min-max.yml b/.github/workflows/terraform-min-max.yml
@@ -0,0 +1,66 @@
+name: Terraform min-max
+
+on:
+  pull_request:
+
+  # Called from https://github.com/cloudandthings/cat-docker-terraform-aws-github
+  workflow_call:
+    inputs:
+      container-image:
+        required: true
+        type: string
+
+jobs:
+  collectDirectories:
+    name: 🍱 collect directories
+    # Outputs a list of all unique directories
+    # that contain *.tf files and do not start with .
+    runs-on: ubuntu-latest
+    outputs:
+      directories: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - uses: actions/checkout@v3
+      - id: set-matrix
+        run: |
+          DIRS=$(find . -type f -name '*.tf' -not -path '**/.*' | sed -r 's|/[^/]+$||' | sort | uniq)
+          DIRS_JSON=$(jq -ncR '[inputs]' <<< "$DIRS")
+          cat <<< matrix=$DIRS_JSON >> $GITHUB_OUTPUT
+          cat $GITHUB_OUTPUT
+
+  validateTerraformMinMaxVersions:
+    name: 🏗️ Validate Terraform min/max versions
+    needs: collectDirectories
+    # For public repos use runs-on: ubuntu-latest
+    # For private repos use runs-on: self-hosted
+    runs-on: ubuntu-latest
+    container: ${{ inputs.container-image || 'bjorncloudandthings/terraform-aws-github:develop' }}
+    strategy:
+      matrix:
+        directory: ${{ fromJson(needs.collectDirectories.outputs.directories) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Get Terraform min/max versions
+        id: minMax
+        uses: clowdhaus/terraform-min-max@v1.2.4
+        with:
+          directory: ${{ matrix.directory }}
+
+      - name: Validate min Terraform version (${{ steps.minMax.outputs.minVersion }})
+        run: |
+          ls -la ~
+          tfenv install ${{ steps.minMax.outputs.minVersion }}
+          tfenv use ${{ steps.minMax.outputs.minVersion }}
+          terraform --version
+          terraform init -backend=false
+          terraform validate
+
+      - name: Validate max Terraform version (${{ steps.minMax.outputs.maxVersion }})
+        run: |
+          ls -la ~
+          tfenv install ${{ steps.minMax.outputs.maxVersion }}
+          tfenv use ${{ steps.minMax.outputs.maxVersion }}
+          terraform --version
+          terraform init -backend=false
+          terraform validate