Merge pull request #36 from githubabcs-devops/feature/update17

Add Terraform configurations for Azure resources and update CI/CD workflows

Author: CalinL

.github/workflows/DAST-ZAP-Zed-Attach-Proxy-Checkmarx.yml

@@ -22,7 +22,7 @@ env:
 
 permissions:
   contents: read 
-  issues: write # to create issues for alerts
+  #issues: write # to create issues for alerts
 
 jobs:
   zap_scan:
@@ -49,5 +49,14 @@ jobs:
         uses: zaproxy/action-full-scan@v0.12.0
         id: zap
         with:
-          allow_issue_writing: true
+          allow_issue_writing: false
           target: "${{ env.ZAP_TARGET }}"
+      # - name: ZAP Scan
+      #   uses: zaproxy/action-baseline@v0.4.0
+      #   with:
+      #     target: "${{ env.ZAP_TARGET }}"
+      - uses: SvanBoxel/zaproxy-to-ghas@main
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif

.github/workflows/IACS-AquaSecurity-tfsec.yml

@@ -0,0 +1,36 @@
+# https://github.com/aquasecurity/tfsec
+# https://github.com/aquasecurity/tfsec-sarif-action
+
+name: IaC Scanning (Terraform) with Aqua Security tfsec 
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '15 03 * * 5'
+
+permissions:
+  contents: read # for actions/checkout to fetch code
+  security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+  actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+jobs:
+  tfsec-scan:
+    name: Run tfsec sarif report
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run tfsec
+        uses: aquasecurity/tfsec-sarif-action@v0.1.0
+        with:
+          sarif_file: tfsec.sarif
+
+      - name: Upload SARIF file to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: tfsec.sarif

.github/workflows/IACS-Checkmarx-kics.yml

@@ -0,0 +1,56 @@
+# https://github.com/Checkmarx/kics
+# https://github.com/Checkmarx/kics/blob/master/docs/integrations_ghactions.md
+# https://github.com/Checkmarx/kics-github-action
+
+name: IaC Scanning with Checkmarx KICS
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '15 03 * * 5'
+
+permissions:
+  contents: read # for actions/checkout to fetch code
+  security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+  actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+jobs:
+  kics-scan:
+    name: Run KICS scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Mkdir results-dir
+        # make sure results dir is created
+        run: mkdir -p results-dir
+
+      - name: Run kics Scan
+        uses: checkmarx/kics-github-action@v2.1.7
+        with:
+            path: 'terraform'
+            # when provided with a directory on output_path
+            # it will generate the specified reports file named 'results.{extension}'
+            # in this example it will generate:
+            # - results-dir/results.json
+            # - results-dir/results.sarif
+            ignore_on_exit: results
+            output_path: results-dir
+            platform_type: terraform
+            output_formats: 'json,sarif'
+            enable_comments: true
+      
+      - name: Show results
+        run: |
+          cat results-dir/results.sarif
+          cat results-dir/results.json
+
+      - name: Upload SARIF file to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results-dir/results.sarif

.github/workflows/SCA-GitHubAdvancedSecurity-DependencyReview.yml

@@ -24,5 +24,5 @@ jobs:
         with:
           comment-summary-in-pr: always
           fail-on-severity: 'moderate'
-          allow-licenses: MIT, Apache-2.0
+          allow-licenses: MIT, Apache-2.0, GPL-3.0
 

.github/workflows/cicd.yml

@@ -75,7 +75,7 @@ jobs:
   container-build-publish:
     name: Build and Publish Container Image
     needs: []
-    uses: advanced-security/reusable-workflows/.github/workflows/container.yml@v0.2.0
+    uses: githubabcs-devops/devsecops-reusable-workflows/.github/workflows/container.yml@v0.2.0
     with:
       # This is used for tagging the container image
       version: v1.0.0

terraform/azure/aks.tf

@@ -0,0 +1,25 @@
+resource azurerm_kubernetes_cluster "k8s_cluster" {
+  dns_prefix          = "terragoat-${var.environment}"
+  location            = var.location
+  name                = "terragoat-aks-${var.environment}"
+  resource_group_name = azurerm_resource_group.example.name
+  identity {
+    type = "SystemAssigned"
+  }
+  default_node_pool {
+    name       = "default"
+    vm_size    = "Standard_D2_v2"
+    node_count = 2
+  }
+  addon_profile {
+    oms_agent {
+      enabled = false
+    }
+    kube_dashboard {
+      enabled = true
+    }
+  }
+  role_based_access_control {
+    enabled = false
+  }
+}

terraform/azure/app_service.tf

@@ -0,0 +1,34 @@
+resource azurerm_app_service_plan "example" {
+  name                = "terragoat-app-service-plan-${var.environment}"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+
+  sku {
+    tier = "Dynamic"
+    size = "S1"
+  }
+}
+
+resource azurerm_app_service "app-service1" {
+  app_service_plan_id = azurerm_app_service_plan.example.id
+  location            = var.location
+  name                = "terragoat-app-service-${var.environment}${random_integer.rnd_int.result}"
+  resource_group_name = azurerm_resource_group.example.name
+  https_only          = false
+  site_config {
+    min_tls_version = "1.1"
+  }
+}
+
+resource azurerm_app_service "app-service2" {
+  app_service_plan_id = azurerm_app_service_plan.example.id
+  location            = var.location
+  name                = "terragoat-app-service-${var.environment}${random_integer.rnd_int.result}"
+  resource_group_name = azurerm_resource_group.example.name
+  https_only          = true
+
+  auth_settings {
+    enabled = false
+  }
+}
+

terraform/azure/instance.tf

@@ -0,0 +1,59 @@
+resource random_string "password" {
+  length      = 16
+  special     = false
+  min_lower   = 1
+  min_numeric = 1
+  min_upper   = 1
+}
+
+resource azurerm_linux_virtual_machine "linux_machine" {
+  admin_username                  = "terragoat-linux"
+  admin_password                  = random_string.password.result
+  location                        = var.location
+  name                            = "terragoat-linux"
+  network_interface_ids           = [azurerm_network_interface.ni_linux.id]
+  resource_group_name             = azurerm_resource_group.example.name
+  size                            = "Standard_F2"
+  disable_password_authentication = false
+  source_image_reference {
+    publisher = "Canonical"
+    offer     = "UbuntuServer"
+    sku       = "16.04-LTS"
+    version   = "latest"
+  }
+  os_disk {
+    caching              = "ReadWrite"
+    storage_account_type = "Standard_LRS"
+  }
+
+  tags = {
+    terragoat   = true
+    environment = var.environment
+  }
+}
+
+resource azurerm_windows_virtual_machine "windows_machine" {
+  admin_password        = random_string.password.result
+  admin_username        = "tg-${var.environment}"
+  location              = var.location
+  name                  = "tg-win"
+  network_interface_ids = [azurerm_network_interface.ni_win.id]
+  resource_group_name   = azurerm_resource_group.example.name
+  size                  = "Standard_F2"
+  os_disk {
+    caching              = "ReadWrite"
+    storage_account_type = "Standard_LRS"
+  }
+
+  source_image_reference {
+    publisher = "MicrosoftWindowsServer"
+    offer     = "WindowsServer"
+    sku       = "2016-Datacenter"
+    version   = "latest"
+  }
+
+  tags = {
+    terragoat   = true
+    environment = var.environment
+  }
+}

terraform/azure/key_vault.tf

@@ -0,0 +1,43 @@
+resource "azurerm_key_vault" "example" {
+  name                = "terragoat-key-${var.environment}${random_integer.rnd_int.result}"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  tenant_id           = data.azurerm_client_config.current.tenant_id
+  sku_name            = "premium"
+  access_policy {
+    tenant_id = data.azurerm_client_config.current.tenant_id
+    object_id = data.azurerm_client_config.current.object_id
+    key_permissions = [
+      "create",
+      "get",
+    ]
+    secret_permissions = [
+      "set",
+    ]
+  }
+  tags = {
+    environment = var.environment
+    terragoat   = true
+  }
+}
+
+resource "azurerm_key_vault_key" "generated" {
+  name         = "terragoat-generated-certificate-${var.environment}"
+  key_vault_id = azurerm_key_vault.example.id
+  key_type     = "RSA"
+  key_size     = 2048
+  key_opts = [
+    "decrypt",
+    "encrypt",
+    "sign",
+    "unwrapKey",
+    "verify",
+    "wrapKey",
+  ]
+}
+
+resource "azurerm_key_vault_secret" "secret" {
+  key_vault_id = azurerm_key_vault.example.id
+  name         = "terragoat-secret-${var.environment}"
+  value        = random_string.password.result
+}

terraform/azure/logging.tf

@@ -0,0 +1,10 @@
+resource azurerm_monitor_log_profile "logging_profile" {
+  storage_account_id = azurerm_storage_account.example.id
+  categories         = ["Action"]
+  locations          = [var.location]
+  name               = "terragoat-${var.environment}"
+  retention_policy {
+    enabled = true
+    days    = 30
+  }
+}