Merge pull request #125 from bschaatsbergen/add-checkov

bschaatsbergen · web-flow · commit cd50c1339f64 · 2023-10-19T07:36:56.000+02:00
feat: add checkov
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
@@ -0,0 +1,38 @@
+name: precommit
+on:
+  pull_request:
+permissions:
+  contents: read
+defaults:
+  run:
+    shell: bash
+jobs:
+  precommit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: 3.8
+      - name: Create virtual environment
+        run: python3 -m venv venv && source venv/bin/activate
+      - name: Install pre-commit and checkov
+        run: |
+          python3 -m pip install --upgrade pip
+          python3 -m pip install pre-commit==3.5.0 checkov==2.5.10
+      - name: install terraform-docs
+        run: |
+          curl -sSLo ./terraform-docs.tar.gz https://terraform-docs.io/dl/v0.16.0/terraform-docs-v0.16.0-$(uname)-amd64.tar.gz
+          tar -xzf terraform-docs.tar.gz
+          chmod +x terraform-docs
+          mv terraform-docs /usr/local/bin/
+      - name: Cache packages
+        uses: actions/cache@v2
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+      - name: Run pre-commit
+        run: pre-commit run --show-diff-on-failure --color=always --all-files
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -2,6 +2,12 @@ repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
     rev: v1.74.1
     hooks:
+      - id: terraform_checkov
+        args:
+          - --args=--quiet
+          - --args=--compact
+          - --args=--framework=terraform
+          - --args=--skip-check=CKV_TF_1,CKV_GCP_32,CKV_GCP_34,CKV2_GCP_18
       - id: terraform_fmt
         exclude: ^examples/
       - id: terraform_validate
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -33,17 +33,25 @@ resource "google_project_iam_member" "atlantis_metric_writer" {
 }
 
 resource "google_compute_network" "default" {
-  name                    = "example-network"
-  auto_create_subnetworks = false
-  project                 = local.project_id
+  name                            = "example-network"
+  auto_create_subnetworks         = false
+  project                         = local.project_id
 }
 
 resource "google_compute_subnetwork" "default" {
-  name          = "example-subnetwork"
-  ip_cidr_range = "10.2.0.0/16"
-  region        = local.region
-  network       = google_compute_network.default.id
-  project       = local.project_id
+  name                       = "example-subnetwork"
+  ip_cidr_range              = "10.2.0.0/16"
+  region                     = local.region
+  network                    = google_compute_network.default.id
+  project                    = local.project_id
+  private_ip_google_access   = true
+  private_ipv6_google_access = "ENABLE_BIDIRECTIONAL_ACCESS_TO_GOOGLE"
+
+  log_config {
+    aggregation_interval = "INTERVAL_5_SEC"
+    flow_sampling        = 0.5
+    metadata             = "INCLUDE_ALL_METADATA"
+  }
 }
 
 # Create a router, which we associate the Cloud NAT too
