bridgecrewio · jluevan13 · Mar 7, 2023 · Mar 7, 2023 · Mar 7, 2023 · Mar 7, 2023
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -0,0 +1,54 @@
+name: Prisma Cloud IaC Scan
+on:
+      pull_request:
+            types:
+                  - closed
+jobs:
+      scan:
+            runs-on: ubuntu-latest
+            strategy:
+                  matrix:
+                        python-version: [3.8]
+            steps:
+            - name: Checkout repo
+              uses: actions/checkout@v2
+            - name: Run Bridgecrew 
+              id: Bridgecrew
+              uses: bridgecrewio/bridgecrew-action@master 
+              env:
+                PRISMA_API_URL: https://api0.prismacloud.io
+              with:
+                api-key: ${{ secrets.BC_API_KEY }}
+                directory: terraform/azure/
+                use_enforcement_rules: true
+
+
+# name: Prisma Cloud IaC Scan with checkov
+# on:
+#       pull_request:
+#             types:
+#                   - closed
+# jobs:
+# #       if_merged:
+# #             if: github.event.pull_request.merged == true
+# #             runs-on: ubuntu-latest
+# #             steps:
+# #                   - run: |
+# #                         echo The PR was merged
+#       scan:
+#             runs-on: ubuntu-latest
+#             strategy:
+#                   matrix:
+#                         python-version: [3.8]
+#             defaults:
+#                   run:
+#                         working-directory: ./terraform
+#             steps:
+#                   - name: Checkout repo
+#                     uses: actions/checkout@v2
+#                   - name: Install checkov
+#                     run: pip3 install checkov
+#                   - name: Run checkov
+#                     run: |
+#                         export PRISMA_API_URL=https://api4.prismacloud.io
+#                         checkov -d . --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
diff --git a/terraform/aws/ec2.tf b/terraform/aws/ec2.tf
@@ -1,11 +1,12 @@
 resource "aws_instance" "web_host" {
   # ec2 have plain text secrets in user data
-  ami           = "${var.ami}"
+  # test change
+  ami           = var.ami
   instance_type = "t2.nano"
 
   vpc_security_group_ids = [
   "${aws_security_group.web-node.id}"]
-  subnet_id = "${aws_subnet.web_subnet.id}"
+  subnet_id = aws_subnet.web_subnet.id
   user_data = <<EOF
 #! /bin/bash
 sudo apt-get update
@@ -16,6 +17,7 @@ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA
 export AWS_SECRET_ACCESS_KEY=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
 export AWS_DEFAULT_REGION=us-west-2
 echo "<h1>Deployed via Terraform</h1>" | sudo tee /var/www/html/index.html
+d
 EOF
   tags = merge({
     Name = "${local.resource_prefix.value}-ec2"
@@ -31,8 +33,10 @@ EOF
   })
 }
 
+
 resource "aws_ebs_volume" "web_host_storage" {
   # unencrypted volume
+  # delete this
   availability_zone = "${var.region}a"
   #encrypted         = false  # Setting this causes the volume to be recreated on apply 
   size = 1
@@ -48,11 +52,15 @@ resource "aws_ebs_volume" "web_host_storage" {
     git_repo             = "terragoat"
     yor_trace            = "c5509daf-10f0-46af-9e03-41989212521d"
   })
+
+
 }
 
+
+
 resource "aws_ebs_snapshot" "example_snapshot" {
   # ebs snapshot without encryption
-  volume_id   = "${aws_ebs_volume.web_host_storage.id}"
+  volume_id   = aws_ebs_volume.web_host_storage.id
   description = "${local.resource_prefix.value}-ebs-snapshot"
   tags = merge({
     Name = "${local.resource_prefix.value}-ebs-snapshot"
@@ -70,8 +78,8 @@ resource "aws_ebs_snapshot" "example_snapshot" {
 
 resource "aws_volume_attachment" "ebs_att" {
   device_name = "/dev/sdh"
-  volume_id   = "${aws_ebs_volume.web_host_storage.id}"
-  instance_id = "${aws_instance.web_host.id}"
+  volume_id   = aws_ebs_volume.web_host_storage.id
+  instance_id = aws_instance.web_host.id
 }
 
 resource "aws_security_group" "web-node" {

diff --git a/terraform/aws/eks.tf b/terraform/aws/eks.tf
@@ -4,7 +4,7 @@ locals {
   }
 }
 
-data aws_iam_policy_document "iam_policy_eks" {
+data "aws_iam_policy_document" "iam_policy_eks" {
   statement {
     effect  = "Allow"
     actions = ["sts:AssumeRole"]
@@ -15,7 +15,7 @@ data aws_iam_policy_document "iam_policy_eks" {
   }
 }
 
-resource aws_iam_role "iam_for_eks" {
+resource "aws_iam_role" "iam_for_eks" {
   name               = "${local.resource_prefix.value}-iam-for-eks"
   assume_role_policy = data.aws_iam_policy_document.iam_policy_eks.json
   tags = {
@@ -30,17 +30,17 @@ resource aws_iam_role "iam_for_eks" {
   }
 }
 
-resource aws_iam_role_policy_attachment "policy_attachment-AmazonEKSClusterPolicy" {
+resource "aws_iam_role_policy_attachment" "policy_attachment-AmazonEKSClusterPolicy" {
   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
   role       = aws_iam_role.iam_for_eks.name
 }
 
-resource aws_iam_role_policy_attachment "policy_attachment-AmazonEKSServicePolicy" {
+resource "aws_iam_role_policy_attachment" "policy_attachment-AmazonEKSServicePolicy" {
   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
   role       = aws_iam_role.iam_for_eks.name
 }
 
-resource aws_vpc "eks_vpc" {
+resource "aws_vpc" "eks_vpc" {
   cidr_block           = "10.10.0.0/16"
   enable_dns_hostnames = true
   enable_dns_support   = true
@@ -58,7 +58,7 @@ resource aws_vpc "eks_vpc" {
   })
 }
 
-resource aws_subnet "eks_subnet1" {
+resource "aws_subnet" "eks_subnet1" {
   vpc_id                  = aws_vpc.eks_vpc.id
   cidr_block              = "10.10.10.0/24"
   availability_zone       = "${var.region}a"
@@ -86,7 +86,7 @@ resource aws_subnet "eks_subnet1" {
   })
 }
 
-resource aws_subnet "eks_subnet2" {
+resource "aws_subnet" "eks_subnet2" {
   vpc_id                  = aws_vpc.eks_vpc.id
   cidr_block              = "10.10.11.0/24"
   availability_zone       = "${var.region}b"
@@ -114,9 +114,9 @@ resource aws_subnet "eks_subnet2" {
   })
 }
 
-resource aws_eks_cluster "eks_cluster" {
+resource "aws_eks_cluster" "eks_cluster" {
   name     = local.eks_name.value
-  role_arn = "${aws_iam_role.iam_for_eks.arn}"
+  role_arn = aws_iam_role.iam_for_eks.arn
 
   vpc_config {
     endpoint_private_access = true
@@ -140,9 +140,9 @@ resource aws_eks_cluster "eks_cluster" {
 }
 
 output "endpoint" {
-  value = "${aws_eks_cluster.eks_cluster.endpoint}"
+  value = aws_eks_cluster.eks_cluster.endpoint
 }
 
 output "kubeconfig-certificate-authority-data" {
-  value = "${aws_eks_cluster.eks_cluster.certificate_authority.0.data}"
+  value = aws_eks_cluster.eks_cluster.certificate_authority.0.data
 }
diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf
@@ -3,6 +3,7 @@ resource "aws_s3_bucket" "data" {
   # bucket is not encrypted
   # bucket does not have access logs
   # bucket does not have versioning
+  # test update
   bucket        = "${local.resource_prefix.value}-data"
   force_destroy = true
   tags = merge({
@@ -139,3 +140,27 @@ resource "aws_s3_bucket" "logs" {
     yor_trace            = "01946fe9-aae2-4c99-a975-e9b0d3a4696c"
   })
 }
+
+resource "aws_s3_bucket_policy" "allow_access_from_another_account" {
+  bucket = aws_s3_bucket.logs.id
+  policy = data.aws_iam_policy_document.allow_access_from_another_account.json
+}
+
+data "aws_iam_policy_document" "allow_access_from_another_account" {
+  statement {
+    principals {
+      type        = "AWS"
+      identifiers = ["123456789012"]
+    }
+
+    actions = [
+      "s3:GetObject",
+      "s3:ListBucket",
+    ]
+
+    resources = [
+      aws_s3_bucket.example.arn,
+      "${aws_s3_bucket.example.arn}/*",
+    ]
+  }
+}
diff --git a/terraform/azure/aks.tf b/terraform/azure/aks.tf
@@ -1,4 +1,4 @@
-resource azurerm_kubernetes_cluster "k8s_cluster" {
+resource "azurerm_kubernetes_cluster" "k8s_cluster" {
   dns_prefix          = "terragoat-${var.environment}"
   location            = var.location
   name                = "terragoat-aks-${var.environment}"
@@ -32,4 +32,4 @@ resource azurerm_kubernetes_cluster "k8s_cluster" {
     git_repo             = "terragoat"
     yor_trace            = "6103d111-864e-42e5-899c-1864de281fd1"
   }
-}
+}
diff --git a/terraform/azure/app_service.tf b/terraform/azure/app_service.tf
@@ -1,4 +1,4 @@
-resource azurerm_app_service_plan "example" {
+resource "azurerm_app_service_plan" "example" {
   name                = "terragoat-app-service-plan-${var.environment}"
   location            = azurerm_resource_group.example.location
   resource_group_name = azurerm_resource_group.example.name
@@ -19,7 +19,7 @@ resource azurerm_app_service_plan "example" {
   }
 }
 
-resource azurerm_app_service "app-service1" {
+resource "azurerm_app_service" "app-service1" {
   app_service_plan_id = azurerm_app_service_plan.example.id
   location            = var.location
   name                = "terragoat-app-service-${var.environment}${random_integer.rnd_int.result}"
@@ -40,7 +40,7 @@ resource azurerm_app_service "app-service1" {
   }
 }
 
-resource azurerm_app_service "app-service2" {
+resource "azurerm_app_service" "app-service2" {
   app_service_plan_id = azurerm_app_service_plan.example.id
   location            = var.location
   name                = "terragoat-app-service-${var.environment}${random_integer.rnd_int.result}"

diff --git a/terraform/azure/networking.tf b/terraform/azure/networking.tf
@@ -1,4 +1,6 @@
 resource "azurerm_virtual_network" "example" {
+  # commentzz
+  # new comment
   name                = "terragoat-vn-${var.environment}"
   address_space       = ["10.0.0.0/16"]
   location            = azurerm_resource_group.example.location
@@ -66,7 +68,7 @@ resource "azurerm_network_interface" "ni_win" {
   }
 }
 
-resource azurerm_network_security_group "bad_sg" {
+resource "azurerm_network_security_group" "bad_sg" {
   location            = var.location
   name                = "terragoat-${var.environment}"
   resource_group_name = azurerm_resource_group.example.name
@@ -106,7 +108,7 @@ resource azurerm_network_security_group "bad_sg" {
   }
 }
 
-resource azurerm_network_watcher "network_watcher" {
+resource "azurerm_network_watcher" "network_watcher" {
   location            = var.location
   name                = "terragoat-network-watcher-${var.environment}"
   resource_group_name = azurerm_resource_group.example.name
@@ -122,7 +124,8 @@ resource azurerm_network_watcher "network_watcher" {
   }
 }
 
-resource azurerm_network_watcher_flow_log "flow_log" {
+resource "azurerm_network_watcher_flow_log" "flow_log" {
+  name                      = "test-flow-log-name"
   enabled                   = false
   network_security_group_id = azurerm_network_security_group.bad_sg.id
   network_watcher_name      = azurerm_network_watcher.network_watcher.name
@@ -142,4 +145,4 @@ resource azurerm_network_watcher_flow_log "flow_log" {
     git_repo             = "terragoat"
     yor_trace            = "33a7212e-7f1a-49fc-af73-8e525c5546ec"
   }
-}
+}