Merge pull request #2 from codebytes/slides

Slides

Author: codebytes

.devcontainer/devcontainer.json

@@ -8,10 +8,12 @@
 		"ghcr.io/devcontainers/features/powershell:1": {},
 		"ghcr.io/devcontainers/features/terraform:1": {},
 		"ghcr.io/devcontainers-contrib/features/terrascan:1": {},
+		"ghcr.io/devcontainers-contrib/features/checkov:1": {},
 		"ghcr.io/dhoeric/features/terraform-docs:1": {},
 		"ghcr.io/dhoeric/features/aztfy:1": {},
 		"ghcr.io/dhoeric/features/tfsec:1": {},
 		"ghcr.io/dhoeric/features/trivy:1": {},
+		"ghcr.io/devcontainers-contrib/features/pre-commit:2": {},
 		"ghcr.io/rocker-org/devcontainer-features/apt-packages:1": {
 			"packages": "chromium-browser"
 		}
@@ -26,6 +28,7 @@
 				"hashicorp.terraform",
 				"ms-azuretools.vscode-azureterraform",
 				"tfsec.tfsec",
+				"Bridgecrew.checkov",
 				"yzhang.markdown-all-in-one",
 				"marp-team.marp-vscode"
 			]

.github/workflows/checkov.yml

@@ -0,0 +1,28 @@
+on: [push]
+jobs:
+  checkov-job:
+    runs-on: ubuntu-latest
+    name: checkov-action
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@master
+
+      - name: Run Checkov action
+        id: checkov
+        uses: bridgecrewio/checkov-action@master
+        with:
+          directory: demos/
+          file: #example/tfplan.json # optional: provide the path for resource to be scanned. This will override the directory if both are provided.
+          check: #CKV_AWS_1 # optional: run only a specific check_id. can be comma separated list
+          skip_check: #CKV_AWS_2 # optional: skip a specific check_id. can be comma separated list
+          quiet: true # optional: display only failed checks
+          soft_fail: false # optional: do not return an error code if there are failed checks
+          framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all}
+          output_format: junitxml # optional: the output format, one of: cli, json, junitxml, github_failed_only, or sarif. Default: sarif
+            #output_file_path: reports/results.sarif # folder and name of results file
+          download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry
+            #var_file: ./testdir/gocd.yaml # optional: variable files to load in addition to the default files. Currently only supported for source Terraform and Helm chart scans.
+            #log_level: DEBUG # optional: set log level. Default WARNING
+            #config_file: path/this_file
+            #baseline: cloudformation/.checkov.baseline # optional: Path to a generated baseline file. Will only report results not in the baseline.
+          container_user: 1000 # optional: Define what UID and / or what GID to run the container under to prevent permission issues

.github/workflows/terrascan.yml

@@ -0,0 +1,28 @@
+on: [push]
+
+jobs:
+  terrascan_job:
+    runs-on: ubuntu-latest
+    name: terrascan-action
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+    - name: Run Terrascan
+      id: terrascan
+      uses: tenable/terrascan-action@main
+      with:
+        iac_type: 'terraform'
+        iac_version: 'v14'
+        policy_type: 'azure'
+        only_warn: true
+        #scm_token: ${{ secrets.ACCESS_TOKEN }}
+        #verbose: true
+        #sarif_upload: true
+        #non_recursive:
+        iac_dir: demos
+        #policy_path:
+        #skip_rules:
+        #config_path:
+        #find_vulnerabilities:
+        #webhook_url:
+        #webhook_token:

auth-setup.sh

@@ -0,0 +1,38 @@
+#!/bin/sh
+
+#set vars
+#codebytes
+githubOrganizationName=$(echo $(git remote get-url origin) | cut -f4 -d"/")
+#github-oidc-to-azure
+githubRepositoryName=$(basename -s .git `git config --get remote.origin.url`)
+
+#create app registration
+applicationRegistrationDetails=$(az ad app create --display-name "${githubRepositoryName}") 
+applicationRegistrationObjectId=$(echo $applicationRegistrationDetails | jq -r '.id') 
+applicationRegistrationAppId=$(echo $applicationRegistrationDetails | jq -r '.appId')
+
+#created federated creds
+az ad app federated-credential create \
+   --id $applicationRegistrationObjectId \
+   --parameters "{\"name\":\"${githubRepositoryName}-pr\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:pull_request\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
+az ad app federated-credential create \
+   --id $applicationRegistrationObjectId \
+   --parameters "{\"name\":\"${githubRepositoryName}-env-prod\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:environment:prod\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
+az ad app federated-credential create \
+   --id $applicationRegistrationObjectId \
+   --parameters "{\"name\":\"${githubRepositoryName}-branch-main\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:ref:refs/heads/main\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
+
+az ad sp create --id $applicationRegistrationObjectId 
+az role assignment create --assignee $applicationRegistrationAppId --role Contributor
+
+AZURE_CLIENT_ID=$applicationRegistrationAppId 
+AZURE_TENANT_ID=$(az account show --query tenantId --output tsv) 
+AZURE_SUBSCRIPTION_ID=$(az account show --query id --output tsv)
+
+echo "AZURE_CLIENT_ID: $AZURE_CLIENT_ID" 
+echo "AZURE_TENANT_ID: $AZURE_TENANT_ID" 
+echo "AZURE_SUBSCRIPTION_ID: $AZURE_SUBSCRIPTION_ID"
+
+gh secret set AZURE_CLIENT_ID --body "$AZURE_CLIENT_ID" 
+gh secret set AZURE_TENANT_ID --body "$AZURE_TENANT_ID" 
+gh secret set AZURE_SUBSCRIPTION_ID --body "$AZURE_SUBSCRIPTION_ID"