|
@@ -16,6 +16,13 @@
|
|
|
# Variables
|
|
|
# ---------------------------------------------------------------------------------------------------------------------
|
|
|
locals {
|
|
|
+ # Globally ignore the checks for tfsec
|
|
|
+ ignored_tfsec = [
|
|
|
+ "aws-iam-no-policy-wildcards", # We use wildcards in policies
|
|
|
+ "aws-lambda-enable-tracing", # We do not enable X-Ray Tracing for Lambda
|
|
|
+ "aws-s3-enable-bucket-logging", # TODO: We do not currently log s3 access. We should. MSOCI-
|
|
|
+ ]
|
|
|
+
|
|
|
# Automatically load account-level variables
|
|
|
account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
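Review bot: The new `ignored_tfsec` list globally silences `aws-iam-no-policy-wildcards` for every module under this root, so tfsec will no longer surface any new over-broad IAM policy anywhere in the tree; a narrower option is to keep the rule active and annotate only the resources that genuinely need wildcards with `#tfsec:ignore:aws-iam-no-policy-wildcards` plus a reason, which keeps each exception visible next to the policy it covers. The ticket reference on the `aws-s3-enable-bucket-logging` entry is truncated to `MSOCI-`, so the TODO cannot be traced; complete it, e.g. `"aws-s3-enable-bucket-logging", # TODO MSOCI-<ticket number>: enable S3 access logging` with the real id. As far as this commit shows, nothing reads `local.ignored_tfsec` yet because the tfsec hook that would consume it is added commented out, so the list has no effect on what runs until that hook is enabled.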
|
|
|
|
|
@@ -57,6 +64,70 @@ locals {
|
|
|
# (Conversely, inputs are not automatically available to the hcl files)
|
|
|
}
|
|
|
|
|
|
+# ---------------------------------------------------------------------------------------------------------------------
|
|
|
+# Apply Static Code Analysis
|
|
|
+# - 2022-04-23 - MSOCI-2143 - Comment out until ready
|
|
|
+# ---------------------------------------------------------------------------------------------------------------------
|
|
|
+# OS X Users, run:
|
|
|
+# brew install lint
|
|
|
+# brew install tfsec
|
|
|
+# brew install checkov
|
|
|
+
|
|
|
+# This can remain uncommented. The file won't hurt anything.
|
|
|
+generate "tflint_configuration" {
|
|
|
+ path = "tflint.hcl"
|
|
|
+ if_exists = "overwrite_terragrunt"
|
|
|
+ contents = <<EOF
|
|
|
+plugin "aws" {
|
|
|
+ enabled = true
|
|
|
+ version = "0.13.3"
|
|
|
+ source = "github.com/terraform-linters/tflint-ruleset-aws"
|
|
|
+ deep_check = true
|
|
|
+}
|
|
|
+EOF
|
|
|
+}
|
|
|
+
|
|
|
+# uncomment the following to enable static code analysis
|
|
|
+#terraform {
|
|
|
+# before_hook "tflintinit" {
|
|
|
+# commands = ["plan", "apply"]
|
|
|
+# execute = [
|
|
|
+# "tflint",
|
|
|
+# "--config=tflint.hcl",
|
|
|
+# "--init"
|
|
|
+# ]
|
|
|
+# }
|
|
|
+#
|
|
|
+# before_hook "tflint" {
|
|
|
+# commands = ["plan", "apply"]
|
|
|
+# execute = [
|
|
|
+# "tflint",
|
|
|
+# "--config=tflint.hcl",
|
|
|
+# ".",
|
|
|
+# ]
|
|
|
+# }
|
|
|
+#
|
|
|
+# before_hook "tfsec" {
|
|
|
+# commands = ["plan", "apply"]
|
|
|
+# execute = [
|
|
|
+# "tfsec",
|
|
|
+# "--concise-output",
|
|
|
+# "--exclude", join(",", local.ignored_tfsec),
|
|
|
+# ]
|
|
|
+# }
|
|
|
+#
|
|
|
+## before_hook "checkov" {
|
|
|
+## commands = ["plan", "apply"]
|
|
|
+## execute = [
|
|
|
+## "checkov",
|
|
|
+## "-d", ".",
|
|
|
+## "--quiet",
|
|
|
+## "--framework", "terraform",
|
|
|
+## "--skip-check", "CKV_AWS_150", # We do not enable deletion protection for LBs
|
|
|
+## ]
|
|
|
+## }
|
|
|
+#}
|
|
|
+
|
|
|
# ---------------------------------------------------------------------------------------------------------------------
|
|
|
# Generate a required providers block
|
|
|
# -- Allows override on a per-module basis
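Review bot: The install instruction `# brew install lint` does not install tflint, whose Homebrew formula is `tflint`; the line should read `# brew install tflint`. The generated tflint plugin block sets `deep_check = true`, which as far as I know makes the aws ruleset call AWS APIs with the ambient credentials during lint, so a comment such as `# deep_check needs AWS credentials; set to false for offline linting` above that line would document the requirement the hook introduces once enabled. The whole `terraform {}` hook block, including the closing `#}`, is commented out, and the checkov hook is double-commented with `##` while the other hooks use a single `#`, which leaves it ambiguous whether checkov is meant to come back together with the rest when the block is uncommented; a short comment above the checkov hook stating whether it is deferred separately would remove the guesswork.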
|