Workflows and tests

.config/sast_terraform_checkov_cli.yml

@@ -0,0 +1,8 @@
+download-external-modules: true
+skip-download: true
+evaluate-variables: true
+framework:
+  - terraform
+output:
+  - cli
+quiet: true

.config/sast_terraform_checkov_json.yml

@@ -0,0 +1,5 @@
+skip-download: true
+evaluate-variables: true
+framework:
+  - terraform
+soft-fail: true

.github/dependabot.yml

@@ -0,0 +1,8 @@
+version: 2
+updates:
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      # Check for updates to GitHub Actions every week
+      interval: "weekly"

.github/workflows/checkov.yml

@@ -0,0 +1,44 @@
+name: Checkov security test
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - "**/*.tf"
+      - ".github/workflows/checkov.yml"
+
+jobs:
+  checkov_security:
+    name: Checkov security tests
+    runs-on: ubuntu-latest
+
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: read
+      checks: write
+      security-events: write
+      actions: read
+
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+
+      - name: prepare reports dir
+        run: mkdir --parents ${{runner.temp}}/reports_sast_terraform/
+
+      - name: install checkov
+        run: |
+          pip3 install --upgrade checkov
+          echo $PATH
+          checkov --version
+          which checkov
+
+      - name: generate json report
+        run: >
+          checkov
+          --config-file .config/sast_terraform_checkov_json.yml
+          --directory .
+          --output cli
+          --output json
+          --output sarif
+          --output-file-path console,checkov-terraform-results.json,checkov-terraform-results.sarif

.github/workflows/deploy.yml

@@ -0,0 +1,176 @@
+name: Deploy Cloud CA
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - "**/*.py"
+      - "**/*.tf"
+      - ".github/workflows/deploy.yml"
+    branches:
+      - main
+
+jobs:
+  terraform_validate:
+    name: Terraform validate
+    runs-on: ubuntu-latest
+
+    permissions:
+      id-token: write
+      contents: read
+      checks: write
+    steps:
+      - name: Terraform setup
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.6.1
+
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Terraform validate
+        id: fmt
+        run: terraform fmt -check -recursive
+
+  secret_scan:
+    name: Secret scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Install GitLeaks
+        run: |
+          wget https://github.com/gitleaks/gitleaks/releases/download/v8.16.1/gitleaks_8.16.1_linux_x64.tar.gz && \
+          tar -xf gitleaks_8.16.1_linux_x64.tar.gz
+          sudo mv gitleaks /usr/local/bin/gitleaks && \
+          sudo chmod +x /usr/local/bin/gitleaks
+      - name: Run GitLeaks Scan
+        run: |
+          gitleaks detect --source . -v
+
+  terraform_plan_apply:
+    name: Terraform plan & apply
+    runs-on: ubuntu-latest
+    needs:
+      - terraform_validate
+      - secret_scan
+    defaults:
+      run:
+        working-directory: ./examples/default
+
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: read
+      checks: write
+    steps:
+      - name: Terraform setup
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.6.1
+
+      - name: checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Python 3.12
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Display Python version
+        run: python -c "import sys; print(sys.version)"
+
+      - name: Install virtualenv
+        run: pip install virtualenv
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN}}
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - name: Clone terraform-aws-ca
+        uses: actions/checkout@v4
+        with:
+          repository: serverless-ca/terraform-aws-ca
+          token: ${{secrets.GITHUB_READ_ONLY_TOKEN}}
+          path: terraform-aws-ca
+
+      - name: Terraform initialise
+        run: >
+          terraform init 
+          -backend-config=bucket=${{ secrets.TERRAFORM_STATE_BUCKET}} 
+          -backend-config=key=${{ secrets.TERRAFORM_STATE_KEY}} 
+          -backend-config=region=${{ secrets.TERRAFORM_STATE_REGION}}
+
+      - name: terraform plan
+        run: terraform plan -out tfplan
+
+      - name: terraform apply
+        run: terraform apply -auto-approve tfplan
+
+  start_ca:
+    name: Start CA
+    runs-on: ubuntu-latest
+    needs:
+      - terraform_plan_apply
+    permissions:
+      id-token: write
+      contents: read
+      checks: write
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Python 3.12
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Display Python version
+        run: python -c "import sys; print(sys.version)"
+
+      - name: Install dependencies
+        run: |
+          pip install -r tests/scripts/requirements.txt
+
+      - name: Configure AWS Credentials - Dev
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN}}
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - name: Start CA
+        run: |
+          python tests/scripts/start_ca_step_function.py
+
+  integration_tests:
+    name: Integration Tests
+    runs-on: ubuntu-latest
+    needs: start_ca
+    permissions:
+      id-token: write
+      contents: read
+      checks: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Python 3.12
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install dependencies
+        run: |
+          pip install -r tests/requirements-dev.txt
+
+      - name: Configure AWS Credentials - Dev
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN}}
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - name: Integration tests
+        run: |
+          pytest -v tests

.github/workflows/python.yml

@@ -0,0 +1,56 @@
+name: Python tests
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - "**/*.py"
+      - ".github/workflows/python.yml"
+
+jobs:
+  python_tests:
+    name: Python tests
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Python 3.11 # update to 3.12 once Prospector includes Pylint v3.x
+        uses: actions/setup-python@v5 # update to 3.12 once Prospector includes Pylint v3.x
+        with:
+          python-version: "3.11"
+
+      - name: Display Python version
+        run: python -c "import sys; print(sys.version)"
+
+      - name: Install dependencies
+        run: |
+          pip install -r tests/requirements-dev.txt
+          
+      - name: Black
+        run: |
+          black --check --line-length 120 .
+
+      - name: Prospector
+        run: |
+          prospector
+
+      - name: prepare reports dir
+        run: mkdir --parents ${{runner.temp}}/reports_sast_python/
+
+      - name: generate json report
+        run: >
+          bandit -r modules/terraform-aws-ca-lambda/lambda_code modules/terraform-aws-ca-lambda/utils scripts tests
+          --exit-zero
+          --ini .config/sast_python_bandit_json.yml
+          1> ${{runner.temp}}/reports_sast_python/${RANDOM}.json
+
+      - name: save json report
+        uses: actions/upload-artifact@v4
+        with:
+          name: sast_python
+          if-no-files-found: error
+          path: ${{runner.temp}}/reports_sast_python/
+
+      - name: Bandit
+        run: >
+          bandit -r src --ini .config/sast_python_bandit_cli.yml 

.github/workflows/secrets.yml

@@ -0,0 +1,21 @@
+name: Scan for secrets
+on:
+  workflow_dispatch:
+  push:
+
+jobs:
+  secret_scan:
+    name: Secret scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Install GitLeaks
+        run: |
+          wget https://github.com/gitleaks/gitleaks/releases/download/v8.16.1/gitleaks_8.16.1_linux_x64.tar.gz && \
+          tar -xf gitleaks_8.16.1_linux_x64.tar.gz
+          sudo mv gitleaks /usr/local/bin/gitleaks && \
+          sudo chmod +x /usr/local/bin/gitleaks
+      - name: Run GitLeaks Scan
+        run: |
+          gitleaks detect --source . -v