⭐️ terraform actions for plan and state files (#34)

Signed-off-by: Christoph Hartmann <[email protected]>

Signed-off-by: Christoph Hartmann <[email protected]>

.github/test_files/tf/.gitignore

@@ -0,0 +1 @@
+.terraform/*

.github/test_files/tfplan/.gitignore

@@ -0,0 +1,4 @@
+.terraform/*
+plan
+plan.json
+.terraform.lock.hcl

.github/test_files/tfplan/main.tf

@@ -0,0 +1,24 @@
+terraform {
+  required_providers {
+    github = {
+      source  = "integrations/github"
+      version = "~> 4.0"
+    }
+  }
+}
+
+# Configure the GitHub Provider
+provider "github" {}
+
+
+resource "github_repository" "example" {
+  name        = "example"
+  description = "My awesome codebase"
+
+  visibility = "public"
+
+  template {
+    owner      = "github"
+    repository = "terraform-module-template"
+  }
+}

.github/test_files/tfplan/policy/policy.mql.yaml

@@ -0,0 +1,23 @@
+policies:
+  - uid: terraform-plan-sample-policy
+    name: Terraform Plan - GitHub
+    version: "1.1.0"
+    authors:
+      - name: Mondoo, Inc.
+        email: [email protected]
+    specs:
+      - title: GitHub Test
+        asset_filter:
+          query: |
+            platform.name == "terraform-plan"
+            terraform.plan.resourceChanges.any( providerName == "registry.terraform.io/integrations/github")
+        scoring_queries:
+          terraform-github-repo-visibility: null
+queries:
+  - uid: terraform-github-repo-visibility
+    title: Check GitHub repository visibility
+    query: |
+      terraform.plan.resourceChanges.where( type == "github_repository" && mode == "managed") {
+        name == "example"
+        change.after["visibility"] = "public"
+      }

.github/test_files/tfstate/.gitignore

@@ -0,0 +1,7 @@
+.terraform/*
+.terraform.lock.hcl
+plan
+plan.json
+state.json
+terraform.tfstate
+terraform.tfstate.backup

.github/test_files/tfstate/build.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+terraform init
+terraform plan -out plan
+terraform apply plan
+terraform show -json plan > plan.json
+terraform show -json terraform.tfstate > state.json 

.github/test_files/tfstate/main.tf

@@ -0,0 +1,5 @@
+resource "null_resource" "ls" {
+  provisioner "local-exec" {
+    command = "ls"
+  }
+}

.github/test_files/tfstate/policy/policy.mql.yaml

@@ -0,0 +1,19 @@
+policies:
+  - uid: terraform-state-sample-policy
+    name: Terraform State - GitHub
+    version: "1.1.0"
+    authors:
+      - name: Mondoo, Inc.
+        email: [email protected]
+    specs:
+      - title: GitHub Test
+        asset_filter:
+          query: |
+            platform.name == "terraform-state"
+        scoring_queries:
+          terraform-state-check-null-provider: null
+queries:
+  - uid: terraform-state-check-null-provider
+    title: Check null provider
+    query: |
+      terraform.state.rootModule.resources { providerName == "registry.terraform.io/hashicorp/null" }

.github/workflows/terraform.yaml → .github/workflows/terraform-hcl.yaml

@@ -1,10 +1,10 @@
-name: Terraform Scanning
+name: Terraform HCL Scanning Tests
 on:
   pull_request:
   push:
     paths:
       - "action.yaml"
-      - "terraform/*"
+      - "terraform-hcl/*"
       - ".github/test_files/**"
     branches:
       - "main"
@@ -16,9 +16,8 @@ jobs:
     name: Test Terraform scanning
     steps:
       - uses: actions/checkout@v3
-
-      - name: Scan Terraform
-        uses: ./terraform
+      - name: Scan Terraform HCL
+        uses: ./terraform-hcl
         with:
           service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
           path: ./.github/test_files/tf

.github/workflows/terraform-plan.yaml

@@ -0,0 +1,46 @@
+name: Terraform Plan Scanning Tests
+on:
+  pull_request:
+  push:
+    paths:
+      - "action.yaml"
+      - "terraform-plan/*"
+      - "terraform-state/*"
+      - ".github/test_files/**"
+    branches:
+      - "main"
+    tags: ["v*.*.*"]
+
+jobs:
+  terraform-tests:
+    runs-on: ubuntu-latest
+    name: Test Terraform scanning
+    steps:
+      - uses: actions/checkout@v3
+
+      # run terraform plan checks
+      - uses: hashicorp/setup-terraform@v2
+        with:
+          # super important setting, otherwise you cannot pipe terraform show -json
+          # see https://stackoverflow.com/questions/66496105/how-can-i-remove-all-the-extraneous-output-from-redirected-output-in-github-acti
+          terraform_wrapper: false
+      - run: terraform init
+        working-directory: ./.github/test_files/tfplan
+      - name: Write terraform plan
+        run: terraform plan -out plan
+        working-directory: ./.github/test_files/tfplan
+      - name: Export terraform plan to json
+        shell: bash
+        run: terraform show -json plan > plan.json
+        working-directory: ./.github/test_files/tfplan
+      - name: Upload terraform plan
+        uses: actions/upload-artifact@v3
+        with:
+          name: terraform-plan.json
+          path: .github/test_files/tfplan/plan.json
+      - name: Scan Terraform Plan
+        uses: ./terraform-plan
+        with:
+          service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
+          path: ".github/test_files/tfplan/plan.json"
+          args: "--policy-bundle .github/test_files/tfplan/policy/policy.mql.yaml"

.github/workflows/terraform-state.yaml

@@ -0,0 +1,54 @@
+name: Terraform State Scanning Tests
+on:
+  pull_request:
+  push:
+    paths:
+      - "action.yaml"
+      - "terraform-plan/*"
+      - "terraform-state/*"
+      - ".github/test_files/**"
+    branches:
+      - "main"
+    tags: ["v*.*.*"]
+
+jobs:
+  terraform-tests:
+    runs-on: ubuntu-latest
+    name: Test Terraform scanning
+    steps:
+      - uses: actions/checkout@v3
+
+      # run terraform plan checks
+      - uses: hashicorp/setup-terraform@v2
+        with:
+          # super important setting, otherwise you cannot pipe terraform show -json
+          # see https://stackoverflow.com/questions/66496105/how-can-i-remove-all-the-extraneous-output-from-redirected-output-in-github-acti
+          terraform_wrapper: false
+      - run: terraform init
+        working-directory: ./.github/test_files/tfstate
+      - name: Write terraform plan
+        run: terraform plan -out plan
+        working-directory: ./.github/test_files/tfstate
+      - name: Export terraform plan to json
+        shell: bash
+        run: terraform show -json plan > plan.json
+        working-directory: ./.github/test_files/tfstate
+      - name: Export terraform state to json
+        shell: bash
+        run: |
+          terraform apply plan
+          terraform show -json terraform.tfstate > state.json
+        working-directory: ./.github/test_files/tfstate
+      - name: Upload terraform plan
+        uses: actions/upload-artifact@v3
+        with:
+          name: terraform
+          path: |
+            .github/test_files/tfstate/plan.json
+            .github/test_files/tfstate/state.json
+      - name: Scan Terraform State
+        uses: ./terraform-state
+        with:
+          service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
+          path: ".github/test_files/tfstate/state.json"
+          args: "--policy-bundle .github/test_files/tfstate/policy/policy.mql.yaml"

README.md

@@ -10,7 +10,9 @@ A set of GitHub Action for using Mondoo to check for vulnerabilities and misconf
 - [Kubernetes Manifest](k8s-manifest) - Scan Kubernetes manifests for misconfigurations before applying changes to the cluster.
 - [Policy](policy) - Publish Mondoo policies to Mondoo Platform using GitHub Actions.
 - [Setup](setup) - Install and configure Mondoo into any existing GitHub Action workflow.
-- [Terraform](terraform) - Scan HashiCorp Terraform code for security misconfigurations.
+- [Terraform HCL](terraform-hcl) - Scan HashiCorp Terraform HCL code for security misconfigurations.
+- [Terraform Plan](terraform-plan) - Scan HashiCorp Terraform Plan for security misconfigurations.
+- [Terraform State](terraform-state) - Scan HashiCorp Terraform State output for security misconfigurations.
 
 ## Service Accounts
 

terraform-hcl/README.md

@@ -0,0 +1,35 @@
+# Mondoo Terraform HCL Action
+
+A [GitHub Action](https://github.com/features/actions) for testing [HashiCorp Terraform](https://terraform.io) [HCL code]](https://www.terraform.io/language/syntax/configuration) for security misconfigurations.
+
+## Properties
+
+The Terraform Action has properties which are passed to the underlying image. These are passed to the action using `with`.
+
+| Property                      | Required | Default | Description                                                                                                                                                          |
+| ----------------------------- | -------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `args`                        | false    |         | Additional arguments to pass to Mondoo Client.                                                                                                                       |
+| `log-level`                   | false    | info    | Sets the log level: error, warn, info, debug, trace (default "info")                                                                                                 |
+| `output`                      | false    | compact | Set the output format for scan results: compact, yaml, json, junit, csv, summary, full, report (default "compact")                                                   |
+| `path`                        | true     |         | Path to the Terraform working directory.                                                                                                                             |
+| `score-threshold`             | false    | 0       | Sets the score threshold for scans. Scores that fall below the threshold will exit 1. (default "0" - job continues regardless of the score returned by a scan).      |
+| `service-account-credentials` | true     |         | Base64 encoded [service account credentials](https://mondoo.com/docs/platform/service_accounts/#creating-service-accounts) used to authenticate with Mondoo Platform |
+
+## Scan Terraform working directory
+
+You can use the Action as follows:
+
+```yaml
+name: Mondoo Terraform scan
+on:
+  push:
+    paths:
+      - "terraform/main.tf"
+jobs:
+  steps:
+    - uses: actions/checkout@v3
+    - uses: mondoohq/actions/terraform@main
+      with:
+        service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
+        path: terraform
+```

terraform/action.yaml → terraform-hcl/action.yaml

@@ -1,5 +1,5 @@
-name: "Mondoo Terraform GitHub Action"
-description: "Scan HashiCorp Terraform for misconfigurations with Mondoo"
+name: "Mondoo Terraform HCL GitHub Action"
+description: "Scan HashiCorp Terraform HCL for misconfigurations with Mondoo"
 branding:
   icon: "shield"
   color: "purple"

terraform-plan/README.md

@@ -0,0 +1,35 @@
+# Mondoo Terraform Plan Action
+
+A [GitHub Action](https://github.com/features/actions) for testing [HashiCorp Terraform](https://terraform.io) code for security misconfigurations. Mondoo policies will verity [Terraform's HCL syntax]](https://www.terraform.io/language/syntax/configuration).
+
+## Properties
+
+The Terraform Action has properties which are passed to the underlying image. These are passed to the action using `with`.
+
+| Property                      | Required | Default | Description                                                                                                                                                          |
+| ----------------------------- | -------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `args`                        | false    |         | Additional arguments to pass to Mondoo Client.                                                                                                                       |
+| `log-level`                   | false    | info    | Sets the log level: error, warn, info, debug, trace (default "info")                                                                                                 |
+| `output`                      | false    | compact | Set the output format for scan results: compact, yaml, json, junit, csv, summary, full, report (default "compact")                                                   |
+| `path`                        | true     |         | Path to the Terraform working directory.                                                                                                                             |
+| `score-threshold`             | false    | 0       | Sets the score threshold for scans. Scores that fall below the threshold will exit 1. (default "0" - job continues regardless of the score returned by a scan).      |
+| `service-account-credentials` | true     |         | Base64 encoded [service account credentials](https://mondoo.com/docs/platform/service_accounts/#creating-service-accounts) used to authenticate with Mondoo Platform |
+
+## Scan Terraform working directory
+
+You can use the Action as follows:
+
+```yaml
+name: Mondoo Terraform Plan scan
+on:
+  push:
+    paths:
+      - "terraform/main.tf"
+jobs:
+  steps:
+    - uses: actions/checkout@v3
+    - uses: mondoohq/actions/terraform@main
+      with:
+        service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
+        path: terraform
+```

terraform-plan/action.yaml

@@ -0,0 +1,52 @@
+name: "Mondoo Terraform Plan GitHub Action"
+description: "Scan HashiCorp Terraform Plan for misconfigurations with Mondoo"
+branding:
+  icon: "shield"
+  color: "purple"
+inputs:
+  args:
+    description: >-
+      Additional arguments to pass to Mondoo Client.
+    required: false
+  log-level:
+    description: >-
+      Sets the log level: error, warn, info, debug, trace (default "info")
+    default: info
+    required: false
+  output:
+    description: >-
+      Set the output format for scan results: compact, yaml, json, junit, csv, summary, full, report (default "compact")
+    default: compact
+    required: false
+  path:
+    description: Path to the Terraform working directory.
+    required: true
+  score-threshold:
+    description: >-
+      Sets the score threshold for scans. Scores that fall below the threshold will exit 1. (default "0" - job continues regardless of the score returned by a scan).
+    default: "0"
+    required: false
+  service-account-credentials:
+    description: "Base64 encoded service account credentials used to authenticate with Mondoo Platform"
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Install Mondoo Client
+      shell: bash
+      run: |
+        echo Installing Mondoo Client...
+        echo ${{ inputs.service-account-credentials }} | base64 -d > mondoo.json
+        curl -sSL https://mondoo.com/install.sh | bash
+    - name: Mondoo status
+      shell: bash
+      run: mondoo status --config mondoo.json
+    - name: Scan Terraform
+      shell: bash
+      run: >
+        mondoo scan terraform plan "${{ inputs.path }}"
+        --log-level "${{ inputs.log-level }}"
+        --output "${{ inputs.output }}"
+        --score-threshold "${{ inputs.score-threshold }}"
+        --config mondoo.json
+        ${{ inputs.args }}

terraform/README.md → terraform-state/README.md

@@ -1,6 +1,6 @@
-# Mondoo Terraform Action
+# Mondoo Terraform State Action
 
-A [GitHub Action](https://github.com/features/actions) for testing [HashiCorp Terraform](https://terraform.io) code for security misconfigurations.
+A [GitHub Action](https://github.com/features/actions) for testing [HashiCorp Terraform](https://terraform.io) state files for security misconfigurations.
 
 ## Properties
 
@@ -20,7 +20,7 @@ The Terraform Action has properties which are passed to the underlying image. Th
 You can use the Action as follows:
 
 ```yaml
-name: Mondoo Terraform scan
+name: Mondoo Terraform State scan
 on:
   push:
     paths: