https://github.com/datosh/tf-cloud-aws

Learn GH with TF Cloud on AWS
https://github.com/datosh/tf-cloud-aws

Last synced: about 1 month ago
JSON representation

Learn GH with TF Cloud on AWS

• Host: GitHub
• URL: https://github.com/datosh/tf-cloud-aws
• Owner: datosh
• License: mit
• Created: 2024-02-05T11:00:08.000Z (over 1 year ago)
• Default Branch: main
• Last Pushed: 2024-02-09T10:41:17.000Z (over 1 year ago)
• Last Synced: 2024-02-09T12:15:06.520Z (over 1 year ago)
• Language: HCL
• Homepage:
• Size: 24.4 KB
• Stars: 0
• Watchers: 1
• Forks: 0
• Open Issues: 1
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# tf-cloud-aws

Learn TF with TF Cloud on AWS, including best practices and code analysis via

GH actions.

## Auth Terraform Cloud <-> AWS

Hashicorp provides a [tutorial](https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/aws-configuration)

to configure dynamics provider credentials for AWS when using Terraform Cloud.

We have copies their [AWS example code](https://github.com/hashicorp/terraform-dynamic-credentials-setup-examples/tree/main/aws)

to out local [oidc-bootstrap](./oidc-bootstrap/README.md) folder, and set the

configuration according our environment.

## Auth GitHub <-> Terraform Cloud

GitHub and Terraform Cloud may be connected [through different configurations](https://developer.hashicorp.com/terraform/tutorials/cloud/github-oauth):

* [per-GitHub-organization](https://developer.hashicorp.com/terraform/cloud-docs/vcs/github)

* [per Repository](https://developer.hashicorp.com/terraform/cloud-docs/vcs/github-app)

In any case, the connection is [owned by a single user and their token](https://github.com/hashicorp/terraform-provider-tfe/issues/96#issuecomment-1237220872).

Also [documented in Terraform docs (Step 2)](https://developer.hashicorp.com/terraform/cloud-docs/vcs/github)

## tfswitch

[The tfswitch command line tool lets you switch between different versions of terraform.](https://tfswitch.warrensbox.com/)

This allows you to use the same exact version of Terraform as the repository you are working in.

Especially in larger multi-repository code bases, updates often happend gradually.

Follow the [installation instructions](https://tfswitch.warrensbox.com/Install/).

Then run `tfswitch` from the root of this repository.

The required version will be discovered from the Terraform files, in this case [main.tf](main.tf).

There also exists [`tfenv`](https://github.com/tfutils/tfenv), but it has not been released since `tfenv` July 2022.

## tflint

[TFLint](https://github.com/terraform-linters/tflint), is a Pluggable Terraform Linter.

It provides plugins for use with Terraform cloud providers, e.g., [AWS](https://github.com/terraform-linters/tflint-ruleset-aws).

Follow the [installation instructions](https://github.com/terraform-linters/tflint?tab=readme-ov-file#installation).

See [.tflint.hcl](.tflint.hcl) on how to configure TFLint.

Run `tflint --init` to download any configured plugins.

Run `tflint` to check for any problems. For example when using an unknown EC2 instance type:

```sh

$ tflint

1 issue(s) found:

Error: "t2.mega" is an invalid value as instance_type (aws_instance_invalid_type)

  on main.tf line 41:

  41:   instance_type          = "t2.mega"

```

TFLint also provides a [setup GH Action](https://github.com/terraform-linters/setup-tflint).

See [tflint.yml](.github/workflows/tflint.yml).

## tfsec

[tfsec](https://aquasecurity.github.io/tfsec/latest/) is a static analysis security scanner for your Terraform code.

False positives can be ignored using [inline annotations](https://aquasecurity.github.io/tfsec/latest/guides/configuration/ignores/)

or a [config file](https://aquasecurity.github.io/tfsec/latest/guides/configuration/config/).

tfsec provides guidance to [integrate into GitHub actions](https://aquasecurity.github.io/tfsec/latest/guides/github-actions/github-action/) using SARIF files.

[GitHub Code Scanning](https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning) has to be [enabled for the repository](https://github.com/datosh/tf-cloud-aws/security/code-scanning).

Aqua encourages users to [migrate to Trivy](https://aquasecurity.github.io/tfsec/latest/guides/trivy/).

## TODO: checkov

https://github.com/bridgecrewio/checkov

## TODO: terrascan

https://github.com/tenable/terrascan

## TODO: OPA policies with Styra

A [Terraform Tutorial](https://developer.hashicorp.com/terraform/tutorials/automation/validation-enforcement)

explains how to enfore

[OPA policies](https://www.openpolicyagent.org/docs/latest/policy-language/)

in your Terraform files using

[Styra](https://signup.styra.com/).

## TODO: Is it possible to limit which VCS show up in TF Cloud?

I can see ControlPlane & WildWest when I

[link VCS](https://app.terraform.io/app/datosh/workspaces/tf-cloud-aws/settings/version-control).

Can I link it?

## TODO: Branching strategy

Currently I only commit to `main` this makes SCA in GH Action & Terraform Cloud deploy run in parallel.

Ideally, branch runs only plan & SCA, main runs only deploy.