Jneytchev at panw patch 1 #471

Open
wants to merge 6 commits into
base: master
61 changes: 61 additions & 0 deletions .github/workflows/prisma.yml
@@ -0,0 +1,61 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# A sample workflow that checks for security issues using
# the Prisma Cloud Infrastructure as Code Scan Action on
# the IaC files present in the repository.
# The results are uploaded to GitHub Security Code Scanning
#
# For more details on the Action configuration see https://github.com/prisma-cloud-shiftleft/iac-scan-action

name: Prisma Cloud IaC Scan

on:
push:
branches: [ "master" ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ "master" ]
schedule:
- cron: '22 21 * * 5'

permissions:
contents: read

jobs:
prisma_cloud_iac_scan:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
name: Run Prisma Cloud IaC Scan to check
steps:
- name: Checkout
uses: actions/checkout@v3
- id: iac-scan
name: Run Scan on CFT files in the repository
uses: prisma-cloud-shiftleft/iac-scan-action@53278c231c438216d99b463308a3cbed351ba0c3
with:
# You will need Prisma Cloud API Access Token
# More details in https://github.com/prisma-cloud-shiftleft/iac-scan-action
prisma_api_url: ${{ secrets.PRISMA_CLOUD_API_URL }}
access_key: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }}
secret_key: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }}
# Scan sources on Prisma Cloud are uniquely identified by their name
asset_name: 'my-asset-name'
# The service need to know the type of IaC being scanned
template_type: 'CFT'
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
# Results are generated only on a success or failure
# this is required since GitHub by default won't run the next step
# when the previous one has failed.
# And alternative it to add `continue-on-error: true` to the previous step
if: success() || failure()
with:
# The SARIF Log file name is configurable on scan action
# therefore the file name is best read from the steps output
sarif_file: ${{ steps.iac-scan.outputs.iac_scan_result_sarif_path }}
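Review bot: `template_type: 'CFT'` tells the scan to look for CloudFormation templates, but the IaC this PR touches lives under `terraform/aws/*.tf`, so the job will report nothing; switch to the Terraform template type documented in the action README linked above and rename the step, which still says `Run Scan on CFT files in the repository`. `asset_name: 'my-asset-name'` is also the template placeholder; since scan sources are identified by name (per the comment above it), set it to this repository's name so findings do not merge with another repo's. Smaller points: the header comment still calls this "A sample workflow", and `name: Run Prisma Cloud IaC Scan to check` reads as cut off.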
9 changes: 9 additions & 0 deletions .github/workflows/test.yml
@@ -0,0 +1,9 @@
steps:
- name: Checkout repo
uses: actions/checkout@v2

- name: Run Bridgecrew
id: Bridgecrew
uses: bridgecrewio/bridgecrew-action@master
with:
api-key: ${{ secrets.BC_API_KEY }}
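Review bot: this file is not a loadable workflow: it begins at `steps:` with no `name:`, `on:`, `jobs:` or `runs-on:`, so GitHub will reject it on push. If it is meant to run the Bridgecrew scan, finish the surrounding job; if `prisma.yml` already covers that, drop it. Either way, `bridgecrewio/bridgecrew-action@master` floats on a mutable branch; pin it to a commit SHA the way `prisma.yml` pins `iac-scan-action`, and align `actions/checkout@v2` with the `@v3` used there. A file name more descriptive than `test.yml` would also help.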
2 changes: 1 addition & 1 deletion terraform/aws/ec2.tf
@@ -2,7 +2,7 @@ resource "aws_instance" "web_host" {
# ec2 have plain text secrets in user data
ami = "${var.ami}"
instance_type = "t2.nano"

# this should go boom
vpc_security_group_ids = [
"${aws_security_group.web-node.id}"]
subnet_id = "${aws_subnet.web_subnet.id}"
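Review bot: the only visible change in this file is the comment `# this should go boom`, which tells a future reader nothing; if it marks the plaintext secret in `user_data` (per the comment at the top of the resource) as an intended scanner finding, say so, e.g. `# intentional: plaintext secret in user_data, expected to be flagged by the IaC scan`. If it is leftover debugging, drop it from the PR.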
69 changes: 69 additions & 0 deletions terraform/aws/s3.tf
Expand Up @@ -20,6 +20,28 @@ resource "aws_s3_bucket" "data" {
})
}


resource "aws_s3_bucket" "data_log_bucket" {
bucket = "data-log-bucket"
}

resource "aws_s3_bucket_logging" "data" {
bucket = aws_s3_bucket.data.id

target_bucket = aws_s3_bucket.data_log_bucket.id
target_prefix = "log/"
}



resource "aws_s3_bucket_versioning" "data" {
bucket = aws_s3_bucket.data.id

versioning_configuration {
status = "Enabled"
}
}

resource "aws_s3_bucket_object" "data_object" {
bucket = aws_s3_bucket.data.id
key = "customer-master.xlsx"
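Review bot: `bucket = "data-log-bucket"` is a hard-coded, globally unique S3 name, whereas the other buckets in this file derive theirs from `${local.resource_prefix.value}` (see `data_science` below); a second deployment, or anyone who already owns that name, fails with `BucketAlreadyExists`. Use the same prefix. The target bucket also needs permission for the S3 log delivery service to write into it before `aws_s3_bucket_logging` can deliver anything; nothing in this hunk grants that (an `aws_s3_bucket_policy` allowing `logging.s3.amazonaws.com` to `s3:PutObject` under `log/*`, or the legacy log-delivery ACL where ACLs are enabled), so the logging configuration will be rejected or deliver nothing. Since the log bucket will hold access records for reads of `customer-master.xlsx`, it should get its own server-side encryption and public access block; nothing here configures either.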
@@ -62,6 +84,28 @@ resource "aws_s3_bucket" "financials" {

}


resource "aws_s3_bucket" "financials_log_bucket" {
bucket = "financials-log-bucket"
}

resource "aws_s3_bucket_logging" "financials" {
bucket = aws_s3_bucket.financials.id

target_bucket = aws_s3_bucket.financials_log_bucket.id
target_prefix = "log/"
}



resource "aws_s3_bucket_versioning" "financials" {
bucket = aws_s3_bucket.financials.id

versioning_configuration {
status = "Enabled"
}
}

resource "aws_s3_bucket" "operations" {
# bucket is not encrypted
# bucket does not have access logs
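Review bot: this repeats the `data` pattern for `financials` with the same hard-coded `bucket = "financials-log-bucket"` and the same missing log-delivery permission on the target. Rather than one new log bucket per source (this PR adds four, all with `target_prefix = "log/"`), point every source at a single logging bucket and give each its own prefix, e.g. `target_prefix = "financials/"`. Also check the provider constraint: `aws_s3_bucket_logging` and `aws_s3_bucket_versioning` exist only from AWS provider 4.0, while the rest of this file still uses the pre-4.0 `aws_s3_bucket_object` and 0.11-style `"${...}"` interpolation (`"${local.resource_prefix.value}-data-science"` below).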
@@ -86,6 +130,19 @@ resource "aws_s3_bucket" "operations" {
})
}


resource "aws_s3_bucket" "operations_log_bucket" {
bucket = "operations-log-bucket"
}

resource "aws_s3_bucket_logging" "operations" {
bucket = aws_s3_bucket.operations.id

target_bucket = aws_s3_bucket.operations_log_bucket.id
target_prefix = "log/"
}


resource "aws_s3_bucket" "data_science" {
# bucket is not encrypted
bucket = "${local.resource_prefix.value}-data-science"
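Review bot: `operations` gets logging but, unlike `data` and `financials`, no `aws_s3_bucket_versioning`; if that is deliberate, say why, otherwise add it for consistency. The comment directly above this hunk, `# bucket does not have access logs`, is now wrong and should be removed (the `# bucket is not encrypted` line stays true, since nothing here adds encryption). `"operations-log-bucket"` has the same hard-coded-name problem as the other new log buckets.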
@@ -139,3 +196,15 @@ resource "aws_s3_bucket" "logs" {
yor_trace = "01946fe9-aae2-4c99-a975-e9b0d3a4696c"
})
}


resource "aws_s3_bucket" "logs_log_bucket" {
bucket = "logs-log-bucket"
}

resource "aws_s3_bucket_logging" "logs" {
bucket = aws_s3_bucket.logs.id

target_bucket = aws_s3_bucket.logs_log_bucket.id
target_prefix = "log/"
}
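Review bot: the file already defines `aws_s3_bucket "logs"`, which by its name is the logging bucket; this hunk sends its own access logs to yet another new bucket, `logs-log-bucket`, instead of making `logs` the target for the other buckets in this PR. Logging the log bucket into a further bucket works, but it doubles log volume for little gain, and `logs_log_bucket` would then need the same delivery policy, encryption and public-access block as every other target. Suggest dropping `logs_log_bucket`, using `aws_s3_bucket.logs.id` as `target_bucket` throughout, and turning the shared `"log/"` into a per-source prefix.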