# This template implements a generic set of terraform-related testing/linting jobs. It is usually included in product # pipelines via the /auto-devops/terraform-pipeline.yml template. However, in some situations it might be necessary to # include this template directly, for example if a specific repository is not suitable for CI pipeline deployments but # you still wish to test/lint the Terraform code. # # This template includes four jobs in the test stage, terraform-validate, terraform-fmt, tflint, and trivy. By default, # the jobs run on every commit pushed or if a merge request is open. However, this can be changed by overriding # .test-job-rules in your local .gitlab-ci.yml file if required. For more info see the comments alongside each of these # job definitions below. # # Disabling jobs # # Following the AutoDevOps model, if the following variables are defined, the associated jobs will be disabled: # # - TERRAFORM_VALIDATE_DISABLED # - TERRAFORM_FMT_DISABLED # - TFLINT_DISABLED # - TRIVY_DISABLED # Rules which only run test jobs on commit pipelines if there is not an active MR. This avoids duplicate jobs being # created. .test-job-rules: - if: '$CI_PIPELINE_SOURCE == "merge_request_event"' - if: "$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS" when: never - if: "$CI_COMMIT_BRANCH || $CI_COMMIT_TAG" terraform-validate: stage: test image: ${TERRAFORM_DEPLOY_IMAGE}:${TERRAFORM_DEPLOY_VERSION} script: | terraform init -backend=false terraform validate rules: - if: $TERRAFORM_VALIDATE_DISABLED when: never - !reference [.test-job-rules] tags: - $GKE_RUNNER_TAG needs: [] terraform-fmt: stage: test image: ${TERRAFORM_DEPLOY_IMAGE}:${TERRAFORM_DEPLOY_VERSION} script: terraform fmt -diff -recursive -check rules: - if: $TERRAFORM_FMT_DISABLED when: never - !reference [.test-job-rules] tags: - $GKE_RUNNER_TAG needs: [] # The tflint (https://github.com/terraform-linters/tflint) tool contains many linting rules and is basically the # community standard. We are enabling almost all available rules. tflint: stage: test image: name: ghcr.io/terraform-linters/tflint:latest entrypoint: [""] before_script: | if [ ! -f .tflint.hcl ]; then cat > .tflint.hcl <<EOL plugin "terraform" { enabled = true preset = "all" } EOL fi script: | tflint --init tflint --recursive --disable-rule=terraform_standard_module_structure rules: - if: $TFLINT_DISABLED when: never - !reference [.test-job-rules] tags: - $GKE_RUNNER_TAG needs: [] # Trivy (https://aquasecurity.github.io/trivy) is a comprehensive and versatile security scanner. Trivy has scanners # that look for security issues, and targets where it can find those issues. This job uploads a junit report of the test # results which is viewable in the merge request UI. To ignore specific checks see - # https://aquasecurity.github.io/trivy/v0.50/docs/configuration/filtering/#trivyignoreyaml. By default, we're ignoring # certain checks which we have decided to allow due to our boilerplate template design. # Excluded general checks: # - name: AVD-GCP-0017 # link: https://avd.aquasec.com/misconfig/google/sql/avd-gcp-0017/ # description: Ensure that Cloud SQL Database Instances are not publicly exposed # severity: High # reason: It is recommended that database instances should be configured so that they are not available over # the public internet, but to internal compute resources that access them. Valid recommendation, but not # always applicable due to our system design limitations. # - name: AVD-GCP-0029 # link: https://avd.aquasec.com/misconfig/google/compute/avd-gcp-0029/ # description: VPC flow logs should be enabled for all subnetworks # severity: Low # reason: Just a recommendation to have this feature enabled as VPC flow logs record # information about all traffic, which can help with reviewing anomalous traffic. # - name: AVD-GCP-0066 # link: https://avd.aquasec.com/misconfig/google/storage/avd-gcp-0066/ # description: Cloud Storage buckets should be encrypted with a customer-managed key # severity: Low # reason: It is recommended to use customer-managed keys. Using unmanaged keys makes rotation and general management # difficult. However, in our case, it might bring additional operational overhead so this check is disabled. # Excluded PostgreSQL configuration-related checks: # - name: AVD-GCP-0014 # link: https://avd.aquasec.com/misconfig/google/sql/avd-gcp-0014/ # description: Temporary file logging should be enabled for all temporary files # severity: Medium # reason: Trivy suggests setting `settings.database_flags["log_temp_files"]` to "0" for sql instance. Default value in # PostgreSQL is "-1" (i.e. disabled). See https://pgpedia.info/l/log_temp_files.html for more information. # - name: AVD-GCP-0016 # link: https://avd.aquasec.com/misconfig/google/sql/avd-gcp-0016/ # description: Ensure that logging of connections is enabled # severity: Medium # reason: Trivy suggests setting `settings.database_flags["log_connections"]` to "on" for sql instance. # Default value in PostgreSQL is "off" (i.e. disabled). By default, PostgreSQL only logs the errors # generated by unsuccessful connections. Setting this option to "on" will log all. # See https://pgpedia.info/l/log_connections.html for more information. # - name: AVD-GCP-0020 # link: https://avd.aquasec.com/misconfig/google/sql/avd-gcp-0020/ # description: Ensure that logging of lock waits is enabled. # severity: Medium # reason: Trivy suggests setting `settings.database_flags["log_lock_waits"]` to "on" for sql instance. # Default value in PostgreSQL is "off" (i.e. disabled). A configuration parameter determining whether a log # message is produced when a session waits longer than deadlock_timeout to acquire a lock. # See https://pgpedia.info/l/log_lock_waits.html for more information. # - name: AVD-GCP-0022 # link: https://avd.aquasec.com/misconfig/google/sql/avd-gcp-0022/ # description: Ensure that logging of disconnections is enabled. # severity: Medium # reason: Trivy suggests setting `settings.database_flags["log_disconnections"]` to "on" for sql instance. # Default value in PostgreSQL is "off" (i.e. disabled). Logging disconnections provides useful diagnostic # data such as session length, which can identify performance issues in an application and # potential DoS vectors. See https://pgpedia.info/l/log_connections.html for more information. # - name: AVD-GCP-0025 # link: https://avd.aquasec.com/misconfig/google/sql/avd-gcp-0025/ # description: Ensure that logging of checkpoints is enabled # severity: Medium # reason: Trivy suggests setting `settings.database_flags["log_checkpoints"]` to "on" for sql instance. # This is disabled in PostgreSQL 8.3 ~ PostgreSQL 14 and enabled by default since PostgreSQL 15. # Different projects use different versions so this check is disabled. # See https://pgpedia.info/l/log_checkpoints.html for more information. trivy: stage: test image: name: aquasec/trivy:latest entrypoint: [""] variables: TRIVY_IGNORE: |- AVD-GCP-0014 AVD-GCP-0016 AVD-GCP-0017 AVD-GCP-0020 AVD-GCP-0022 AVD-GCP-0025 AVD-GCP-0029 AVD-GCP-0066 before_script: | mkdir ${TF_DATA_DIR} for i in $TRIVY_IGNORE; do echo $i >> .trivyignore; done script: | trivy fs --scanners misconfig --format json --output trivy.json --exit-code 1 . after_script: | trivy convert --format template --template "@/contrib/junit.tpl" --output ${TF_DATA_DIR}/${CI_COMMIT_REF_SLUG}-trivy.junit trivy.json trivy convert --format table --output trivy.out trivy.json && cat trivy.out rules: - if: $TRIVY_DISABLED when: never - !reference [.test-job-rules] tags: - $GKE_RUNNER_TAG allow_failure: true artifacts: expire_in: 1 week when: always reports: junit: ${TF_DATA_DIR}/${CI_COMMIT_REF_SLUG}-trivy.junit needs: []