Add trivy terraform configuration scan to GH actions lint workflow, a…

…nd pre-commit (#214)

* feat: add trivy workflow

* fix: add trivy testing branch for lint workflow conditions

* fix: update trivy action

* fix: erroneous action version number

* fix: formatting of trivyignore file corrected

* fix: update trivyignore to ignore all found errors for now

* feat: add trivy terraform scan to pre-commit checks

* fix: pre-commit trivy script was missing path

* fix: specify working dir for trivy precommit check

* fix: update README.md

* fix: remove dev branch from lint workflow condition

* fix: pin trivy github action version

* fix: modify trivy in pre-commit hook as an attempt to fix CICD behaviour

* fix: only run trivy checks as part of pre-commit

* fix: try to specify working directory

* fix: revert previous change

* fix: add pass_filenames: false to local trivy check

* fix: change script to Leo's suggestion

* fix: exclude fixtures module from trivy scan

.gitignore

@@ -4,3 +4,4 @@ terraform.tfstate
 terraform.tfstate.backup
 .terraform
 .terraform.lock.hcl
+trivyreport.txt

.lint/trivy/trivy-scan.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+set -euxo pipefail
+
+# list of the folders that we want to parse, only if a README.md exists and no .trivy_ignore
+for dir in $(find modules -type d -maxdepth 1) $(find examples -type d -maxdepth 1); do
+  if [ -f "$dir/README.md" ] && ! [ -e "$dir/.trivy_ignore" ]; then
+      echo "Scanning terraform module with trivy: $dir"
+      trivy config --config .lint/trivy/trivy.yaml --ignorefile .trivyignore "$dir"
+  fi
+done

.lint/trivy/trivy.yaml

@@ -0,0 +1,9 @@
+---
+quiet: false
+debug: false
+format: table
+exit-code: 1
+
+misconfiguration:
+    scanners:
+        - terraform

.pre-commit-config.yaml

@@ -71,3 +71,12 @@ repos:
       rev: 0.2.3
       hooks:
           - id: yamlfmt
+
+    - repo: local
+      hooks:
+          - id: trivy-scan
+            name: Trivy Scan
+            entry: .lint/trivy/trivy-scan.sh
+            language: script
+            types: [terraform]
+            pass_filenames: false

.tool-versions

@@ -33,3 +33,5 @@ terraform-docs 0.19.0
 tflint 0.55.0
 
 tfsec 1.28.13
+
+trivy 0.58.1

.trivyignore

@@ -0,0 +1,10 @@
+AVD-AWS-0040 #(CRITICAL): Public cluster access is enabled.
+AVD-AWS-0041 #(CRITICAL): Cluster allows access from a public CIDR: 0.0.0.0/0
+AVD-AWS-0104 #(CRITICAL): Security group rule allows egress to multiple public internet addresses.
+
+AVD-AWS-0343 #(MEDIUM): Cluster does not have Deletion Protection enabled
+AVD-AWS-0178 #(MEDIUM): VPC does not have VPC Flow Logs enabled.
+AVD-AWS-0038 #(MEDIUM): Control plane scheduler logging is not enabled.
+AVD-AWS-0077 #(MEDIUM): Cluster instance has very low backup retention period.
+
+AVD-AWS-0133 #(LOW): Instance does not have performance insights enabled.

README.md

@@ -6,7 +6,7 @@
 
 Terraform module which creates AWS EKS (Kubernetes) resources with an opinionated configuration targeting Camunda 8, an AWS Aurora RDS cluster and an OpenSearch domain.
 
-**⚠️ Warning:** This project is not intended for production use but rather for demonstration purposes only. There are no guarantees or warranties provided.
+**⚠️ Warning:** This project is not intended for production use but rather for demonstration purposes only. There are no guarantees or warranties provided. As such certain Terraform configuration warnings from Trivy have deliberately been ignored. For more details, see the [.trivyignore](./.trivyignore) file in the repository root.
 
 ## Documentation