
Commit dff44b7

committed
Add Terraform configurations for Azure resources and update CI/CD workflows
1 parent ef101b7 commit dff44b7

19 files changed

+602
-3
lines changed

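--- a/.github/workflows/DAST-ZAP-Zed-Attach-Proxy-Checkmarx.yml
+++ b/.github/workflows/DAST-ZAP-Zed-Attach-Proxy-Checkmarx.yml
@@ -22,7 +22,7 @@ env:
 
 permissions:
 contents: read
-issues: write # to create issues for alerts
+#issues: write # to create issues for alerts
 
 jobs:
 zap_scan:
@@ -49,5 +49,14 @@ jobs:
 uses: zaproxy/[email protected]
 id: zap
 with:
-allow_issue_writing: true
+allow_issue_writing: false
 target: "${{ env.ZAP_TARGET }}"
+# - name: ZAP Scan
+# uses: zaproxy/[email protected]
+# with:
+# target: "${{ env.ZAP_TARGET }}"
+- uses: SvanBoxel/zaproxy-to-ghas@main
+- name: Upload SARIF file
+uses: github/codeql-action/upload-sarif@v3
+with:
+sarif_file: results.sarif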
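Review bot: The new "Upload SARIF file" step (new lines 59-62) calls github/codeql-action/upload-sarif, which needs the `security-events: write` permission, but the first hunk shows the workflow's whole `permissions:` block now grants only `contents: read` (the `issues: write` line was commented out, nothing added), so the upload will be refused with a 403; add `security-events: write # for upload-sarif to publish ZAP results` under `permissions:` as the tfsec and KICS workflows in this same commit do. `SvanBoxel/zaproxy-to-ghas@main` (new line 58) is pinned to a mutable branch of a third-party converter that reads the scan output and writes the SARIF that is then trusted by code scanning; pin it to a full commit SHA with the version in a trailing comment. The zaproxy action refs render as `[email protected]` on this page, which looks like an email-obfuscation artifact, so the actual tag pins cannot be checked here. The earlier steps of the zap_scan job are outside the hunk.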
Lines changed: 36 additions & 0 deletions
@@ -0,0 +1,36 @@
1+
# https://github.com/aquasecurity/tfsec
2+
# https://github.com/aquasecurity/tfsec-sarif-action
3+
4+
name: IaC Scanning (Terraform) with Aqua Security tfsec
5+
6+
on:
7+
push:
8+
branches: [main]
9+
pull_request:
10+
branches: [main]
11+
schedule:
12+
- cron: '15 03 * * 5'
13+
14+
permissions:
15+
contents: read # for actions/checkout to fetch code
16+
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
17+
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
18+
19+
jobs:
20+
tfsec-scan:
21+
name: Run tfsec sarif report
22+
runs-on: ubuntu-latest
23+
24+
steps:
25+
- name: Checkout code
26+
uses: actions/checkout@v4
27+
28+
- name: Run tfsec
29+
uses: aquasecurity/[email protected]
30+
with:
31+
sarif_file: tfsec.sarif
32+
33+
- name: Upload SARIF file to GitHub Security tab
34+
uses: github/codeql-action/upload-sarif@v3
35+
with:
36+
sarif_file: tfsec.sarif
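Review bot: The scanner step at new line 29 uses `aquasecurity/tfsec-sarif-action` pinned to a tag (rendered here as `[email protected]`, so the real pin is not visible), and as far as I know the tfsec project has been archived upstream in favour of Trivy, so this workflow is built on a scanner that presumably no longer receives rule updates; consider `aquasecurity/trivy-action` with `scan-type: 'config'` and `format: 'sarif'`, or at minimum pin both actions to full commit SHAs rather than tags. A short header comment such as `# Report-only: findings go to the Security tab; this job does not fail the build` would also make the intended gate behaviour explicit, since nothing in the job turns findings into a failure.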
Lines changed: 56 additions & 0 deletions
@@ -0,0 +1,56 @@
1+
# https://github.com/Checkmarx/kics
2+
# https://github.com/Checkmarx/kics/blob/master/docs/integrations_ghactions.md
3+
# https://github.com/Checkmarx/kics-github-action
4+
5+
name: IaC Scanning with Checkmarx KICS
6+
7+
on:
8+
push:
9+
branches: [main]
10+
pull_request:
11+
branches: [main]
12+
schedule:
13+
- cron: '15 03 * * 5'
14+
15+
permissions:
16+
contents: read # for actions/checkout to fetch code
17+
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
18+
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
19+
20+
jobs:
21+
kics-scan:
22+
name: Run KICS scan
23+
runs-on: ubuntu-latest
24+
25+
steps:
26+
- name: Checkout code
27+
uses: actions/checkout@v4
28+
29+
- name: Mkdir results-dir
30+
# make sure results dir is created
31+
run: mkdir -p results-dir
32+
33+
- name: Run kics Scan
34+
uses: checkmarx/[email protected]
35+
with:
36+
path: 'terraform'
37+
# when provided with a directory on output_path
38+
# it will generate the specified reports file named 'results.{extension}'
39+
# in this example it will generate:
40+
# - results-dir/results.json
41+
# - results-dir/results.sarif
42+
ignore_on_exit: results
43+
output_path: results-dir
44+
platform_type: terraform
45+
output_formats: 'json,sarif'
46+
enable_comments: true
47+
48+
- name: Show results
49+
run: |
50+
cat results-dir/results.sarif
51+
cat results-dir/results.json
52+
53+
- name: Upload SARIF file to GitHub Security tab
54+
uses: github/codeql-action/upload-sarif@v3
55+
with:
56+
sarif_file: results-dir/results.sarif
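Review bot: `enable_comments: true` at new line 46 asks the KICS action to post findings as pull-request comments, but the `permissions:` block (lines 15-18) grants only `contents: read`, `security-events: write` and `actions: read`, so on `pull_request` runs the comment call will presumably fail or be silently skipped for lack of `pull-requests: write`; either add `pull-requests: write # KICS PR comments` or drop the flag. `ignore_on_exit: results` (line 42) means findings never fail the job, which is consistent with report-only publication to the Security tab, but deserves a comment such as `# report-only: do not fail the build on findings` so nobody expects this workflow to gate merges. The "Show results" step cats the full JSON and SARIF into the run log, which is public on a public repository; fine for a demo, but worth removing if real infrastructure findings are ever scanned.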

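--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -75,7 +75,7 @@ jobs:
 container-build-publish:
 name: Build and Publish Container Image
 needs: []
-uses: advanced-security/reusable-workflows/.github/workflows/[email protected]
+uses: githubabcs-devops/devsecops-reusable-workflows/.github/workflows/[email protected]
 with:
 # This is used for tagging the container image
 version: v1.0.0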
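Review bot: The container-build-publish job (new line 78) now sources its reusable workflow from `githubabcs-devops/devsecops-reusable-workflows` instead of `advanced-security/reusable-workflows`, which moves the build and publish of the image — the step that handles registry credentials — into a different trust domain, and the ref is rendered as `[email protected]` here so the actual pin cannot be checked. A reusable workflow that publishes artifacts should be pinned to a full commit SHA with the version in a comment, e.g. `uses: githubabcs-devops/devsecops-reusable-workflows/.github/workflows/<workflow>.yml@<commit-sha> # vX.Y.Z`, since a tag in a repository outside this org can be moved. The job's `with:`/`secrets:` inputs continue beyond the hunk.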

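--- /dev/null
+++ b/terraform/azure/aks.tf
@@ -0,0 +1,25 @@
+resource azurerm_kubernetes_cluster "k8s_cluster" {
+dns_prefix = "terragoat-${var.environment}"
+location = var.location
+name = "terragoat-aks-${var.environment}"
+resource_group_name = azurerm_resource_group.example.name
+identity {
+type = "SystemAssigned"
+}
+default_node_pool {
+name = "default"
+vm_size = "Standard_D2_v2"
+node_count = 2
+}
+addon_profile {
+oms_agent {
+enabled = false
+}
+kube_dashboard {
+enabled = true
+}
+}
+role_based_access_control {
+enabled = false
+}
+}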
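Review bot: The cluster disables Kubernetes RBAC (`role_based_access_control { enabled = false }`, lines 22-24) while enabling the kube-dashboard addon (lines 18-20) and switching the OMS agent off (lines 15-17), so anyone who can reach the API server gets unauthenticated cluster-admin through the dashboard with no audit trail; if these are not deliberate findings for the IaC scanners added in this commit, set RBAC `enabled = true`, drop the `kube_dashboard` block, and enable `oms_agent` with a `log_analytics_workspace_id`. The `terragoat` naming suggests this is intentionally vulnerable fixture data, in which case a file header comment (`# Intentionally insecure: IaC-scanner test fixture, never apply to a real subscription`) would stop someone running `terraform apply` against it. Note also that `addon_profile`, `kube_dashboard` and the `role_based_access_control` block were, as far as I know, removed in azurerm provider 3.x, so this file presumably only plans against a pinned 2.x provider — worth stating in `required_providers`.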

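--- /dev/null
+++ b/terraform/azure/app_service.tf
@@ -0,0 +1,34 @@
+resource azurerm_app_service_plan "example" {
+name = "terragoat-app-service-plan-${var.environment}"
+location = azurerm_resource_group.example.location
+resource_group_name = azurerm_resource_group.example.name
+
+sku {
+tier = "Dynamic"
+size = "S1"
+}
+}
+
+resource azurerm_app_service "app-service1" {
+app_service_plan_id = azurerm_app_service_plan.example.id
+location = var.location
+name = "terragoat-app-service-${var.environment}${random_integer.rnd_int.result}"
+resource_group_name = azurerm_resource_group.example.name
+https_only = false
+site_config {
+min_tls_version = "1.1"
+}
+}
+
+resource azurerm_app_service "app-service2" {
+app_service_plan_id = azurerm_app_service_plan.example.id
+location = var.location
+name = "terragoat-app-service-${var.environment}${random_integer.rnd_int.result}"
+resource_group_name = azurerm_resource_group.example.name
+https_only = true
+
+auth_settings {
+enabled = false
+}
+}
+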
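Review bot: `app-service1` and `app-service2` (lines 15 and 26) are given the identical `name = "terragoat-app-service-${var.environment}${random_integer.rnd_int.result}"`, and App Service names must be unique, so the second create will fail with a conflict regardless of what the scanners say; give the second one a distinct suffix, e.g. `name = "terragoat-app-service2-${var.environment}${random_integer.rnd_int.result}"`. Beyond that, app-service1 sets `https_only = false` with `min_tls_version = "1.1"` and app-service2 disables `auth_settings` — expected if these are deliberate scanner fixtures, otherwise `https_only = true` and `min_tls_version = "1.2"` are the baseline. The plan's `sku` pairs `tier = "Dynamic"` with `size = "S1"`, which looks mismatched (Dynamic is the consumption tier, normally sized Y1) — worth confirming before anyone applies this.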
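--- /dev/null
+++ b/terraform/azure/instance.tf
@@ -0,0 +1,59 @@
+resource random_string "password" {
+length = 16
+special = false
+min_lower = 1
+min_numeric = 1
+min_upper = 1
+}
+
+resource azurerm_linux_virtual_machine "linux_machine" {
+admin_username = "terragoat-linux"
+admin_password = random_string.password.result
+location = var.location
+name = "terragoat-linux"
+network_interface_ids = [azurerm_network_interface.ni_linux.id]
+resource_group_name = azurerm_resource_group.example.name
+size = "Standard_F2"
+disable_password_authentication = false
+source_image_reference {
+publisher = "Canonical"
+offer = "UbuntuServer"
+sku = "16.04-LTS"
+version = "latest"
+}
+os_disk {
+caching = "ReadWrite"
+storage_account_type = "Standard_LRS"
+}
+
+tags = {
+terragoat = true
+environment = var.environment
+}
+}
+
+resource azurerm_windows_virtual_machine "windows_machine" {
+admin_password = random_string.password.result
+admin_username = "tg-${var.environment}"
+location = var.location
+name = "tg-win"
+network_interface_ids = [azurerm_network_interface.ni_win.id]
+resource_group_name = azurerm_resource_group.example.name
+size = "Standard_F2"
+os_disk {
+caching = "ReadWrite"
+storage_account_type = "Standard_LRS"
+}
+
+source_image_reference {
+publisher = "MicrosoftWindowsServer"
+offer = "WindowsServer"
+sku = "2016-Datacenter"
+version = "latest"
+}
+
+tags = {
+terragoat = true
+environment = var.environment
+}
+}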
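Review bot: Both VMs (lines 11 and 36) share the single credential produced by `random_string "password"` with `special = false`, and the Linux VM sets `disable_password_authentication = false` (line 17), so one 16-character alphanumeric password guards both SSH and RDP, and because `random_string` is not a sensitive resource that value is printed in plan output and stored in clear in state. Use `random_password` (one resource per VM) so Terraform redacts it, and for the Linux host prefer `disable_password_authentication = true` with an `admin_ssh_key` block. The images `UbuntuServer 16.04-LTS` and `WindowsServer 2016-Datacenter` are, as far as I know, out of standard support; if this is a TerraGoat fixture intended to trip the scanners, a header comment saying so would keep the file from being mistaken for a template.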

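--- /dev/null
+++ b/terraform/azure/key_vault.tf
@@ -0,0 +1,43 @@
+resource "azurerm_key_vault" "example" {
+name = "terragoat-key-${var.environment}${random_integer.rnd_int.result}"
+location = azurerm_resource_group.example.location
+resource_group_name = azurerm_resource_group.example.name
+tenant_id = data.azurerm_client_config.current.tenant_id
+sku_name = "premium"
+access_policy {
+tenant_id = data.azurerm_client_config.current.tenant_id
+object_id = data.azurerm_client_config.current.object_id
+key_permissions = [
+"create",
+"get",
+]
+secret_permissions = [
+"set",
+]
+}
+tags = {
+environment = var.environment
+terragoat = true
+}
+}
+
+resource "azurerm_key_vault_key" "generated" {
+name = "terragoat-generated-certificate-${var.environment}"
+key_vault_id = azurerm_key_vault.example.id
+key_type = "RSA"
+key_size = 2048
+key_opts = [
+"decrypt",
+"encrypt",
+"sign",
+"unwrapKey",
+"verify",
+"wrapKey",
+]
+}
+
+resource "azurerm_key_vault_secret" "secret" {
+key_vault_id = azurerm_key_vault.example.id
+name = "terragoat-secret-${var.environment}"
+value = random_string.password.result
+}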
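Review bot: The vault (lines 1-22) sets no `purge_protection_enabled`, no `network_acls` and no `enable_rbac_authorization`, and neither the key (lines 24-37) nor the secret (lines 39-43) sets an `expiration_date`, so the material never rotates, the vault is reachable from any network, and a deleted vault can be purged immediately; the usual baseline is `purge_protection_enabled = true`, a `network_acls` block with `default_action = "Deny"` and `bypass = "AzureServices"`, and an `expiration_date` on both the key and the secret. The access policy lists permissions in lower case (`"create"`, `"get"`, `"set"`), which the azurerm 3.x provider, as far as I know, rejects in favour of `"Create"`, `"Get"`, `"Set"` — presumably fine only on the 2.x provider the rest of this commit appears to target. The key is named `terragoat-generated-certificate-…` but is an RSA key, not a certificate; rename it or add a comment so the name does not mislead whoever reads the vault.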

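--- /dev/null
+++ b/terraform/azure/logging.tf
@@ -0,0 +1,10 @@
+resource azurerm_monitor_log_profile "logging_profile" {
+storage_account_id = azurerm_storage_account.example.id
+categories = ["Action"]
+locations = [var.location]
+name = "terragoat-${var.environment}"
+retention_policy {
+enabled = true
+days = 30
+}
+}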
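Review bot: `categories = ["Action"]` at line 3 exports only the Action category of the activity log, so resource Write and Delete operations — the events that matter for change auditing and incident reconstruction — are never shipped to the storage account; use `categories = ["Action", "Delete", "Write"]` and add `"global"` to `locations` so subscription-wide events are captured too. A 30-day retention (line 8) is short for audit data; 365 days is the common floor. `azurerm_monitor_log_profile` is, as far as I know, a deprecated resource (Azure is retiring log profiles in favour of diagnostic settings on the subscription activity log), so this will presumably stop planning on newer providers — worth a comment next to the resource.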

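--- /dev/null
+++ b/terraform/azure/networking.tf
@@ -0,0 +1,85 @@
+resource "azurerm_virtual_network" "example" {
+name = "terragoat-vn-${var.environment}"
+address_space = ["10.0.0.0/16"]
+location = azurerm_resource_group.example.location
+resource_group_name = azurerm_resource_group.example.name
+}
+
+resource "azurerm_subnet" "example" {
+name = "terragoat-${var.environment}"
+resource_group_name = azurerm_resource_group.example.name
+virtual_network_name = azurerm_virtual_network.example.name
+address_prefixes = ["10.0.0.0/24"]
+}
+
+resource "azurerm_network_interface" "ni_linux" {
+name = "terragoat-linux-${var.environment}"
+location = azurerm_resource_group.example.location
+resource_group_name = azurerm_resource_group.example.name
+
+ip_configuration {
+name = "internal"
+subnet_id = azurerm_subnet.example.id
+private_ip_address_allocation = "Dynamic"
+}
+}
+
+resource "azurerm_network_interface" "ni_win" {
+name = "terragoat-win-${var.environment}"
+location = azurerm_resource_group.example.location
+resource_group_name = azurerm_resource_group.example.name
+
+ip_configuration {
+name = "internal"
+subnet_id = azurerm_subnet.example.id
+private_ip_address_allocation = "Dynamic"
+}
+}
+
+resource azurerm_network_security_group "bad_sg" {
+location = var.location
+name = "terragoat-${var.environment}"
+resource_group_name = azurerm_resource_group.example.name
+
+security_rule {
+access = "Allow"
+direction = "Inbound"
+name = "AllowSSH"
+priority = 200
+protocol = "TCP"
+source_address_prefix = "*"
+source_port_range = "*"
+destination_port_range = "22-22"
+destination_address_prefix = "*"
+}
+
+security_rule {
+access = "Allow"
+direction = "Inbound"
+name = "AllowRDP"
+priority = 300
+protocol = "TCP"
+source_address_prefix = "*"
+source_port_range = "*"
+destination_port_range = "3389-3389"
+destination_address_prefix = "*"
+}
+}
+
+resource azurerm_network_watcher "network_watcher" {
+location = var.location
+name = "terragoat-network-watcher-${var.environment}"
+resource_group_name = azurerm_resource_group.example.name
+}
+
+resource azurerm_network_watcher_flow_log "flow_log" {
+enabled = false
+network_security_group_id = azurerm_network_security_group.bad_sg.id
+network_watcher_name = azurerm_network_watcher.network_watcher.name
+resource_group_name = azurerm_resource_group.example.name
+storage_account_id = azurerm_storage_account.example.id
+retention_policy {
+enabled = false
+days = 10
+}
+}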
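Review bot: `bad_sg` (lines 39-67) allows inbound TCP 22 and 3389 from `source_address_prefix = "*"`, and `flow_log` (lines 75-85) has `enabled = false` with its retention policy also disabled, so anything the group is attached to is exposed on both management ports with no record of who connected; restrict `source_address_prefix` to a management CIDR and set `enabled = true` on the flow log together with `retention_policy { enabled = true }` and a sensible `days`. As written the NSG is not associated with the subnet or with either NIC (no `azurerm_subnet_network_security_group_association` or `azurerm_network_interface_security_group_association` resource appears in this commit) and neither NIC has a public IP, so the rules presumably have no effect yet and the VMs are only reachable from inside 10.0.0.0/16 — fine for a scanner fixture, but it means the open rules are one association away from being live. If this is deliberate TerraGoat content, say so in a file header so that the `bad_sg` name is not the only warning.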
