version: 0.2 env: variables: CODE_SRC_DIR: "." SCRIPT_DIR: "/scripts" SKIPVALIDATIONFAILURE: "Y" ENABLE_TFVALIDATE: "Y" ENABLE_TFFORMAT: "Y" ENABLE_TFCHECKOV: "Y" ENABLE_TFLINT: "Y" ENABLE_TFDOCS: "Y" ENABLE_TFSCAN: "Y" ENABLE_TFSEC: "Y" parameter-store: allocated_storage: /demo/dbdevops/target/db/allocated_storage backup_retention_period: /demo/dbdevops/target/db/backup_retention_period dbname: /demo/dbdevops/target/db/dbname engine: /demo/dbdevops/target/db/engine engine_version: /demo/dbdevops/target/db/engine_version family: /demo/dbdevops/target/db/family instace_class: /demo/dbdevops/target/db/instace_class max_allocated_storage: /demo/dbdevops/target/db/max_allocated_storage name: /demo/dbdevops/target/db/name parameter_group_name: /demo/dbdevops/target/db/parameter_group_name port: /demo/dbdevops/target/db/port transit: /demo/dbdevops/target/db/transit subnet_ids: /demo/dbdevops/target/infra/subnet_ids vpc_id: /demo/dbdevops/target/infra/vpc_id environment: /demo/dbdevops/target/environment region: /demo/dbdevops/target/infra/aws_region project_code: /demo/dbdevops/target/project_name client: /demo/dbdevops/target/client identifier: /demo/dbdevops/target/identifier sg_ports: /demo/dbdevops/target/db/sg_ports cidr_blocks: /demo/dbdevops/target/infra/cidr_blocks exported-variables: - allocated_storage - backup_retention_period - dbname - engine - engine_version - family - instace_class - max_allocated_storage - name - parameter_group_name - port - transit - subnet_ids - vpc_id - environment - region - project_code - client - identifier - sg_ports - cidr_blocks phases: install: commands: #Terraform Install - apt update - apt -y install curl - curl -fsSL https://apt.releases.hashicorp.com/gpg | apt-key add - - apt-add-repository "deb [arch=$(dpkg --print-architecture)] https://apt.releases.hashicorp.com $(lsb_release -cs) main" - apt update - apt -y install terraform=1.3.6 #Install Golang for Tflint - apt update - apt -y upgrade - apt install -y golang-go #Install tflint - curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash - tflint --init #Checkov - apt install -y software-properties-common - add-apt-repository ppa:deadsnakes/ppa - apt -y install python3.7 - apt -y install python3-pip - apt-get install python3.7-distutils -y - python3.7 -m pip install -U checkov - checkov -v - "pip3 install checkov" #Terraform Docs - curl -Lo ./terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-$(uname)-amd64.tar.gz - tar -xzf terraform-docs.tar.gz - chmod +x terraform-docs - mv terraform-docs /usr/local/bin/terraform-docs # Terraform Scan - curl -L "$(curl -s https://api.github.com/repos/tenable/terrascan/releases/latest | grep -o -E "https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz - tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz - install terrascan /usr/local/bin && rm terrascan # Terraform Sec - curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash build: commands: - "cd ${CODEBUILD_SRC_DIR}" - "echo ## VALIDATION : Starting ..." - "mkdir -p ${CODEBUILD_SRC_DIR}/reports" - "/bin/bash ${CODEBUILD_SRC_DIR}/db-provisioning/db-provisioning-code/${SCRIPT_DIR}/tf_cicd_check.sh ${SKIPVALIDATIONFAILURE} ${ENABLE_TFVALIDATE} ${ENABLE_TFFORMAT} ${ENABLE_TFCHECKOV} ${ENABLE_TFLINT} ${ENABLE_TFDOCS} ${ENABLE_TFSCAN} ${ENABLE_TFSEC}" - "cp checkov.xml ${CODEBUILD_SRC_DIR}/reports/checkov.xml" - "cp tflint_report.xml ${CODEBUILD_SRC_DIR}/reports/tflint_report.xml" - "cp output.txt ${CODEBUILD_SRC_DIR}/reports/output.txt" - "cp tfscan.txt ${CODEBUILD_SRC_DIR}/reports/tfscan.txt" - "cp tfsec.txt ${CODEBUILD_SRC_DIR}/reports/tfsec.txt" reports: tflint: files: - tflint_report.xml checkov: files: - checkov.xml tfdocs: files: - output.txt tfscan: files: - tfscan.txt tfsec: files: - tfsec.txt