Merge branch 'main' of https://github.com/The-DevSec-Blueprint/aws-devsecops-pipeline

Author: damienjburks

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 The DevSec Blueprint (DSB)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -1,11 +1,11 @@
 # AWS DevSecOps Pipeline - Terraform
 
-![License](https://img.shields.io/github/license/The-DevSec-Blueprint/dsb-blogging-assistant?logo=license)
+![License](https://img.shields.io/github/license/The-DevSec-Blueprint/aws-devsecops-pipeline?logo=license)
 ![Terraform Cloud](https://img.shields.io/badge/Terraform-Registry-purple?logo=terraform)
-![GitHub Issues](https://img.shields.io/github/issues/The-DevSec-Blueprint/dsb-blogging-assistant?logo=github)
-![GitHub Forks](https://img.shields.io/github/forks/The-DevSec-Blueprint/dsb-blogging-assistant?logo=github)
-![GitHub Stars](https://img.shields.io/github/stars/The-DevSec-Blueprint/dsb-blogging-assistant?logo=github)
-![GitHub Last Commit](https://img.shields.io/github/last-commit/The-DevSec-Blueprint/dsb-blogging-assistant?logo=github)
+![GitHub Issues](https://img.shields.io/github/issues/The-DevSec-Blueprint/aws-devsecops-pipeline?logo=github)
+![GitHub Forks](https://img.shields.io/github/forks/The-DevSec-Blueprint/aws-devsecops-pipeline?logo=github)
+![GitHub Stars](https://img.shields.io/github/stars/The-DevSec-Blueprint/aws-devsecops-pipeline?logo=github)
+![GitHub Last Commit](https://img.shields.io/github/last-commit/The-DevSec-Blueprint/aws-devsecops-pipeline?logo=github)
 ![CI Status](https://github.com/The-DevSec-Blueprint/aws-devsecops-pipeline/actions/workflows/main.yml/badge.svg)
 
 ## Overview

terraform/pipelines/modules/codepipeline/buildspecs/formatcheck.yml

@@ -0,0 +1,26 @@
+version: 0.2
+
+phases:
+  install:
+    runtime-versions:
+      python: 3.12  # Specify the desired Python version
+    commands:
+      - echo "Installing required dependencies..."
+      - pip install --upgrade pip
+      - pip install -r requirements.txt
+      - pip install black  # Install black
+  pre_build:
+    commands:
+      - echo "Starting format check with black..."
+  build:
+    commands:
+      - echo "Running black format check..."
+      - black --check .  # Check formatting without modifying files
+  post_build:
+    commands:
+      - echo "Format check completed."
+
+artifacts:
+  files:
+    - "**/*"  # Include all files
+  discard-paths: yes

terraform/pipelines/modules/codepipeline/buildspecs/lintcheck.yml

@@ -0,0 +1,27 @@
+version: 0.2
+
+phases:
+  install:
+    runtime-versions:
+      python: 3.12  # Specify the desired Python version
+    commands:
+      - echo "Installing required dependencies..."
+      - pip install --upgrade pip
+      - pip install -r requirements.txt
+      - pip install pylint  # Install pylint
+  pre_build:
+    commands:
+      - echo "Starting pylint checks..."
+  build:
+    commands:
+      - echo "Running pylint documentation check..."
+      - pylint . # Check for missing docstrings
+      - echo "Documentation check completed."
+  post_build:
+    commands:
+      - echo "Pylint documentation check completed successfully."
+
+artifacts:
+  files:
+    - "**/*"  # Include all files
+  discard-paths: yes

terraform/pipelines/modules/codepipeline/buildspecs/ossdepscan.yml

@@ -3,7 +3,7 @@ version: 0.2
 phases:
   install:
     runtime-versions:
-      python: 3.9
+      python: 3.12
     commands:
       - echo "Installing container scanning tools..."
       - pip install --upgrade pip

terraform/pipelines/modules/codepipeline/buildspecs/sastscanning.yml

@@ -12,6 +12,7 @@ phases:
   pre_build:
     commands:
       - echo "Installing dependencies..."
+      - pip install --upgrade pip
       - pip install -r requirements.txt
   build:
     commands:

terraform/pipelines/modules/codepipeline/buildspecs/unittests.yml

@@ -0,0 +1,27 @@
+version: 0.2
+
+phases:
+  install:
+    runtime-versions:
+      python: 3.12  # Specify the desired Python version
+    commands:
+      - echo "Installing required dependencies..."
+      - pip install --upgrade pip
+      - pip install -r requirements.txt
+      - pip install pytest pytest-cov  # Install pytest and pytest-cov for coverage reporting
+  pre_build:
+    commands:
+      - echo "Starting unit test process..."
+  build:
+    commands:
+      - echo "Running pytest with coverage reporting..."
+      # Run tests and generate coverage report
+      - pytest tests/ --cov=. --cov-report=xml --cov-report=term-missing --cov-fail-under=80
+  post_build:
+    commands:
+      - echo "Unit testing and coverage reporting completed."
+
+artifacts:
+  files:
+    - "coverage.xml"  # Include the coverage report as an artifact
+  discard-paths: yes

terraform/pipelines/modules/codepipeline/main.tf

@@ -245,25 +245,69 @@ resource "aws_codepipeline" "pipeline" {
     name = "Test"
 
     action {
-      name            = "StaticCodeAnalysis"
+      name            = "FormatCheck"
       category        = "Test"
       owner           = "AWS"
       provider        = "CodeBuild"
       version         = "1"
       input_artifacts = ["BuildArtifact"]
+      run_order       = 1
+
+      configuration = {
+        ProjectName = aws_codebuild_project.format_check_project.name
+      }
+    }
+
+    action {
+      name            = "LintCheck"
+      category        = "Test"
+      owner           = "AWS"
+      provider        = "CodeBuild"
+      version         = "1"
+      input_artifacts = ["BuildArtifact"]
+      run_order       = 1
+
+      configuration = {
+        ProjectName = aws_codebuild_project.lint_check_project.name
+      }
+    }
+
+    action {
+      name            = "RunUnitTests"
+      category        = "Test"
+      owner           = "AWS"
+      provider        = "CodeBuild"
+      version         = "1"
+      input_artifacts = ["BuildArtifact"]
+      run_order       = 2
+
+      configuration = {
+        ProjectName = aws_codebuild_project.unittest_project.name
+      }
+    }
+
+    action {
+      name            = "SnykSecurityScan"
+      category        = "Test"
+      owner           = "AWS"
+      provider        = "CodeBuild"
+      version         = "1"
+      input_artifacts = ["BuildArtifact"]
+      run_order       = 3
 
       configuration = {
         ProjectName = aws_codebuild_project.static_analysis_project.name
       }
     }
 
     action {
-      name            = "OSSDependencyScan"
+      name            = "ContainerSecurityScan"
       category        = "Test"
       owner           = "AWS"
       provider        = "CodeBuild"
       version         = "1"
       input_artifacts = ["BuildArtifact"]
+      run_order       = 3
 
       configuration = {
         ProjectName = aws_codebuild_project.oss_scanning_project.name
@@ -318,6 +362,88 @@ resource "aws_codebuild_project" "build_project" {
   }
 }
 
+resource "aws_codebuild_project" "format_check_project" {
+  name         = "${var.repo_name}-formatcheck-project"
+  service_role = aws_iam_role.codebuild_role.arn
+
+  environment {
+    compute_type    = var.compute_type
+    image           = var.build_image
+    type            = var.environment_type
+    privileged_mode = var.privileged_mode
+
+    environment_variable {
+      name  = "IMAGE_REPO_NAME"
+      value = aws_ecr_repository.this.name
+    }
+  }
+
+  source {
+    type      = "NO_SOURCE"
+    buildspec = file("${path.module}/buildspecs/formatcheck.yml")
+  }
+
+  artifacts {
+    type     = "S3"
+    location = var.s3_bucket_name
+  }
+}
+
+resource "aws_codebuild_project" "unittest_project" {
+  name         = "${var.repo_name}-unittest-project"
+  service_role = aws_iam_role.codebuild_role.arn
+
+  environment {
+    compute_type    = var.compute_type
+    image           = var.build_image
+    type            = var.environment_type
+    privileged_mode = var.privileged_mode
+
+    environment_variable {
+      name  = "IMAGE_REPO_NAME"
+      value = aws_ecr_repository.this.name
+    }
+  }
+
+  source {
+    type      = "NO_SOURCE"
+    buildspec = file("${path.module}/buildspecs/unittests.yml")
+  }
+
+  artifacts {
+    type     = "S3"
+    location = var.s3_bucket_name
+  }
+}
+
+
+resource "aws_codebuild_project" "lint_check_project" {
+  name         = "${var.repo_name}-lintcheck-project"
+  service_role = aws_iam_role.codebuild_role.arn
+
+  environment {
+    compute_type    = var.compute_type
+    image           = var.build_image
+    type            = var.environment_type
+    privileged_mode = var.privileged_mode
+
+    environment_variable {
+      name  = "IMAGE_REPO_NAME"
+      value = aws_ecr_repository.this.name
+    }
+  }
+
+  source {
+    type      = "NO_SOURCE"
+    buildspec = file("${path.module}/buildspecs/lintcheck.yml")
+  }
+
+  artifacts {
+    type     = "S3"
+    location = var.s3_bucket_name
+  }
+}
+
 resource "aws_codebuild_project" "deploy_project" {
   name         = "${var.repo_name}-deploy-prj"
   service_role = aws_iam_role.codebuild_role.arn