Updates Terraform plan action (#57)
scottford-io authored Feb 2, 2023
1 parent 7c34fc3 commit ffd3716
Showing 3 changed files with 53 additions and 20 deletions.
3 changes: 2 additions & 1 deletion .github/workflows/terraform-plan.yaml
@@ -43,4 +43,5 @@ jobs:
env:
MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
with:
path: ".github/test_files/tfplan/plan.json"
path: ".github/test_files/tfplan/"
plan-file: plan.json
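Review bot: `path: ".github/test_files/tfplan/"` keeps a trailing slash, and action.yaml in this commit joins the two inputs as `${{ inputs.path }}/${{ inputs.plan-file }}`, so cnspec is handed `.github/test_files/tfplan//plan.json`. Linux tolerates the double slash, but drop it (`path: .github/test_files/tfplan`) so the test workflow matches the README example (`path: terraform`) and does not rely on that tolerance. Also, this workflow reads the credential from `secrets.MONDOO_SERVICE_ACCOUNT`, while the README example in the same commit references both `secrets.MONDOO_CONFIG_BASE64` and `secrets.MONDOO_SERVICE_ACCOUNT`; either secret name works, but settling on one across the docs and the test workflow saves users a failed first run.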
57 changes: 42 additions & 15 deletions terraform-plan/README.md
@@ -1,42 +1,69 @@
# Mondoo Terraform Plan Action

A [GitHub Action](https://github.com/features/actions) for testing [HashiCorp Terraform](https://terraform.io) code for security misconfigurations. Mondoo policies will verity [Terraform's HCL syntax](https://www.terraform.io/language/syntax/configuration).
A [GitHub Action](https://github.com/features/actions) for testing [HashiCorp Terraform](https://terraform.io) plan files for security misconfigurations. Plan files must be saved in JSON format before they are scanned.

## Properties

The Terraform Action has properties which are passed to the underlying image. These are passed to the action using `with`.

| Property | Required | Default | Description |
| ----------------------------- | -------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `log-level` | false | info | Sets the log level: error, warn, info, debug, trace (default "info") |
| `output` | false | compact | Set the output format for scan results: compact, yaml, json, junit, csv, summary, full, report (default "compact") |
| `path` | true | | Path to the Terraform working directory. |
| `score-threshold` | false | 0 | Sets the score threshold for scans. Scores that fall below the threshold will exit 1. (default "0" - job continues regardless of the score returned by a scan). |
| `service-account-credentials` | false | | Base64 encoded [service account credentials](https://mondoo.com/docs/platform/service_accounts/#creating-service-accounts) used to authenticate with Mondoo Platform. You can also use the environment variable mentioned below. |
| Property | Required | Default | Description |
| ----------------------------- | -------- | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `log-level` | false | info | Sets the log level: error, warn, info, debug, trace (default "info") |
| `output` | false | compact | Set the output format for scan results: compact, yaml, json, junit, csv, summary, full, report (default "compact") |
| `path` | false | ./terraform | Path to the Terraform working directory (default "./terraform") |
| `path-file` | false | plan.json | Name of plan file to scan (default "plan.json") |
| `score-threshold` | false | 0 | Sets the score threshold for scans. Scores that fall below the threshold will exit 1. (default "0" - job continues regardless of the score returned by a scan). |
| `service-account-credentials` | false | | Base64 encoded [service account credentials](https://mondoo.com/docs/platform/service_accounts/#creating-service-accounts) used to authenticate with Mondoo Platform. You can also use the environment variable mentioned below. |

Additionally, you need to specify the service account credentials as an environment variable.

| Environment | Required | Default | Description |
| ---------------------- | -------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `MONDOO_CONFIG_BASE64` | true | | Base64 encoded [service account credentials](https://mondoo.com/docs/platform/service_accounts/#creating-service-accounts) used to authenticate with Mondoo Platform |

## Scan Terraform working directory
## Scan Terraform plan file

You can use the Action as follows:
The following example uses HashiCorp's [setup-terraform](https://github.com/hashicorp/setup-terraform) to generate a Terraform plan file and convert it to JSON before running scan with cnspec.

```yaml
name: Mondoo Terraform Plan scan
name: Mondoo Terraform plan security scan

on:
pull_request:
push:
paths:
- "terraform/main.tf"
branches: [main]

defaults:
run:
working-directory: ./terraform

jobs:
scan-tf:
generate-and-scan-terraform-plan:
steps:
- uses: actions/checkout@v3
- uses: mondoohq/actions/[email protected]
- uses: hashicorp/setup-terraform@v2
with:
terraform_wrapper: false

- name: Terraform Init
id: terraform-init
run: terraform init

- name: Convert Terraform plan to json
id: plan-to-json
run: |
terraform plan -no-color -out plan.tfplan
terraform show -json plan.tfplan >> plan.json
continue-on-error: true

- name: Scan Terraform plan file for security misconfigurations
id: scan-tf-plan
env:
MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_CONFIG_BASE64 }}
- uses: mondoohq/actions/[email protected]
env:
MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
with:
path: terraform
plan-file: plan.json
```
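Review bot: the property table documents the new input as `path-file`, but action.yaml defines it as `plan-file`, and both the example in this README and the test workflow pass `plan-file: plan.json`; rename the table row to `plan-file`. Three more points in the example workflow: the job `generate-and-scan-terraform-plan` has no `runs-on`, so the snippet will not schedule as pasted; `terraform show -json plan.tfplan >> plan.json` appends rather than overwrites, so a stale `plan.json` in the working directory (a rerun on a self-hosted runner, or a committed file) produces two concatenated JSON documents, and `>` is what is wanted; and `continue-on-error: true` on that step means the scan step still runs after `terraform plan` has failed, so the job's verdict then depends on how cnspec reports a missing or empty plan file rather than on the plan failure itself. Either drop `continue-on-error` or guard the scan with `if: steps.plan-to-json.outcome == 'success'` so a failed plan fails the gate visibly. Finally, `paths: - "terraform/main.tf"` only fires on pushes that touch `main.tf`; changes to other `.tf` files or modules under `terraform/` would not be scanned on push, so `terraform/**` is the filter most users will want.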
13 changes: 9 additions & 4 deletions terraform-plan/action.yaml
@@ -1,5 +1,5 @@
name: "Mondoo Terraform Plan GitHub Action"
description: "Scan HashiCorp Terraform Plan for misconfigurations with Mondoo"
description: "Scan HashiCorp Terraform Plan (JSON) for misconfigurations with Mondoo"
branding:
icon: "shield"
color: "purple"
@@ -15,8 +15,13 @@ inputs:
default: compact
required: false
path:
description: Path to the Terraform working directory.
required: true
description: Path to the directory containing the plan file.
default: terraform
required: false
plan-file:
description: JSON plan file to scan.
default: plan.json
required: false
score-threshold:
description: >-
Sets the score threshold for scans. Scores that fall below the threshold will exit 1. (default "0" - job continues regardless of the score returned by a scan).
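Review bot: `path` defaults to `terraform` here, but the README table in this commit lists the default as `./terraform`; both resolve to the same directory, yet the docs should quote the literal value from `action.yaml`. More importantly, turning `path` from `required: true` into an optional input whose meaning has changed is a behaviour change for existing callers: a workflow that still passes the HCL working directory from the previous version now gets `plan.json` appended to it and a file-not-found instead of the HCL scan it used to run. Say so in the description (for example `Path to the directory containing the JSON plan file; HCL sources are not scanned by this action`) and in the release notes.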
@@ -32,7 +37,7 @@ runs:
- scan
- terraform
- plan
- ${{ inputs.path }}
- ${{ inputs.path }}/${{ inputs.plan-file }}
- --output
- ${{ inputs.output }}
- --score-threshold
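Review bot: `${{ inputs.path }}/${{ inputs.plan-file }}` joins the two inputs with a hard-coded `/`, so a `path` ending in `/` (the test workflow in this commit passes `.github/test_files/tfplan/`) yields a double slash, and a `plan-file` supplied as an absolute path or containing `..` segments is still prefixed with `path`. These are list entries under `runs:` rather than a shell command line, so there is no shell-injection exposure, but the description of `plan-file` should state that it is a bare file name relative to `path`, or an empty `path` should mean "use `plan-file` exactly as given".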