updating codebase

Author: damienjburks

.github/workflows/main.yml

@@ -0,0 +1,12 @@
+on:
+    push:
+      branches:
+        - main
+    workflow_dispatch:
+
+jobs:
+    terraform-apply:
+        uses: ./.github/workflows/terraform-apply.yml
+        permissions:
+            contents: read
+        secrets: inherit

.github/workflows/terraform-apply.yml

@@ -0,0 +1,42 @@
+name: "Terraform Apply"
+
+on:
+  workflow_call:
+
+env:
+  TF_CLOUD_ORGANIZATION: "DSB"
+  TF_API_TOKEN: "${{ secrets.TF_API_TOKEN }}"
+  TF_WORKSPACE: "dsb-blogging-assistant"
+  CONFIG_DIRECTORY: "./"
+
+jobs:
+  terraform:
+    name: "Terraform Apply"
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Upload Configuration
+        uses: hashicorp/tfc-workflows-github/actions/[email protected]
+        id: apply-upload
+        with:
+          workspace: ${{ env.TF_WORKSPACE }}
+          directory: ${{ env.CONFIG_DIRECTORY }}
+
+      - name: Create Apply Run
+        uses: hashicorp/tfc-workflows-github/actions/[email protected]
+        id: apply-run
+        with:
+          workspace: ${{ env.TF_WORKSPACE }}
+          configuration_version: ${{ steps.apply-upload.outputs.configuration_version_id }}
+
+      - name: Apply
+        uses: hashicorp/tfc-workflows-github/actions/[email protected]
+        if: fromJSON(steps.apply-run.outputs.payload).data.attributes.actions.IsConfirmable
+        id: apply
+        with:
+          run: ${{ steps.apply-run.outputs.run_id }}
+          comment: "Apply Run from GitHub Actions CI ${{ github.sha }}"

.github/workflows/terraform-lint.yml

@@ -0,0 +1,21 @@
+name: Terraform Linting and Formatting
+
+on:
+  workflow_call:
+
+jobs:
+  lint-and-format:
+    name: Lint and Format Terraform Files
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Set up Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: latest
+
+      - name: Format Terraform files
+        run: terraform fmt -check

.gitignore

@@ -4,6 +4,7 @@
 # .tfstate files
 *.tfstate
 *.tfstate.*
+*.terraform.lock.hcl
 
 # Crash log files
 crash.log

README.md

@@ -0,0 +1,7 @@
+# AWS DevSecOps Pipeline - Terraform
+
+# Steps
+
+1. Setup Terraform Cloud and create API Key
+1. Save key as a token on your local machine and in your repository settings within GitHub
+1. Create your GitHub OAUTH Token and save it as an environment variable within Terraform Cloud.

buildspecs/buildproject.yml

@@ -0,0 +1,15 @@
+version: 0.2
+
+phases:
+  install:
+    commands:
+      - echo "Starting the install phase..."
+  pre_build:
+    commands:
+      - echo "Starting the pre-build phase..."
+  build:
+    commands:
+      - echo "Hello, World!"
+  post_build:
+    commands:
+      - echo "Build phase complete. Exiting..."

buildspecs/ossdepscan.yml

@@ -0,0 +1,15 @@
+version: 0.2
+
+phases:
+  install:
+    commands:
+      - echo "Starting the install phase..."
+  pre_build:
+    commands:
+      - echo "Starting the pre-build phase..."
+  build:
+    commands:
+      - echo "Hello, World!"
+  post_build:
+    commands:
+      - echo "Build phase complete. Exiting..."

buildspecs/sastscanning.yml

@@ -0,0 +1,15 @@
+version: 0.2
+
+phases:
+  install:
+    commands:
+      - echo "Starting the install phase..."
+  pre_build:
+    commands:
+      - echo "Starting the pre-build phase..."
+  build:
+    commands:
+      - echo "Hello, World!"
+  post_build:
+    commands:
+      - echo "Build phase complete. Exiting..."

main.tf

@@ -0,0 +1,194 @@
+resource "random_id" "id" {
+  byte_length = 8
+}
+
+resource "aws_s3_bucket" "codepipeline_artifacts" {
+  bucket = "codepipeline-artifacts-${random_id.id.hex}"
+
+  tags = {
+    Name        = "CodePipelineArtifactsBucket"
+    Environment = "DevSecOps"
+  }
+}
+
+resource "aws_secretsmanager_secret" "github_token" {
+  name        = "github-oauth-token"
+  description = "GitHub OAuth token for CodePipeline access"
+}
+
+resource "aws_secretsmanager_secret_version" "github_token" {
+  secret_id     = aws_secretsmanager_secret.github_token.id
+  secret_string = "your-personal-access-token" # Replace this with the GitHub Personal Access Token
+}
+
+resource "aws_iam_role" "codepipeline_role" {
+  name = "${var.resource_prefix}-pipeline-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "codepipeline.amazonaws.com"
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "codepipeline_policy" {
+  name        = "CodePipelinePolicy-${random_id.id.hex}"
+  description = "Policy for CodePipeline"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "s3:*",
+          "codebuild:*",
+          "iam:PassRole",
+          "secretsmanager:GetSecretValue"
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "codepipeline_policy_attach" {
+  role       = aws_iam_role.codepipeline_role.name
+  policy_arn = aws_iam_policy.codepipeline_policy.arn
+}
+
+resource "aws_codepipeline" "pipeline" {
+  name     = "${var.resource_prefix}-devsecops-pipeline"
+  role_arn = aws_iam_role.codepipeline_role.arn
+
+  artifact_store {
+    type     = "S3"
+    location = aws_s3_bucket.codepipeline_artifacts.id
+  }
+
+  stage {
+    name = "Source"
+
+    action {
+      name             = "Source"
+      category         = "Source"
+      owner            = "ThirdParty"
+      provider         = "GitHub"
+      version          = "1"
+      output_artifacts = ["SourceArtifact"]
+
+      configuration = {
+        Owner      = "your-github-username"
+        Repo       = "your-repository-name"
+        Branch     = "main"
+        OAuthToken = aws_secretsmanager_secret_version.github_token.secret_string
+      }
+    }
+  }
+
+
+  stage {
+    name = "Build"
+
+    action {
+      name             = "Build"
+      category         = "Build"
+      owner            = "AWS"
+      provider         = "CodeBuild"
+      version          = "1"
+      input_artifacts  = ["SourceArtifact"]
+      output_artifacts = ["BuildArtifact"]
+
+      configuration = {
+        ProjectName = aws_codebuild_project.build_project.name
+      }
+    }
+  }
+
+  stage {
+    name = "Scan"
+
+    action {
+      name            = "StaticCodeAnalysis"
+      category        = "Test"
+      owner           = "AWS"
+      provider        = "CodeBuild"
+      version         = "1"
+      input_artifacts = ["BuildArtifact"]
+
+      configuration = {
+        ProjectName = aws_codebuild_project.static_analysis_project.name
+      }
+    }
+  }
+}
+
+resource "aws_codebuild_project" "build_project" {
+  name         = "${var.resource_prefix}-build-prj"
+  service_role = aws_iam_role.codepipeline_role.arn
+
+  environment {
+    compute_type    = "BUILD_GENERAL1_SMALL"
+    image           = "aws/codebuild/standard:5.0"
+    type            = "LINUX_CONTAINER"
+    privileged_mode = true
+  }
+
+  source {
+    type      = "NO_SOURCE"
+    buildspec = file("./buildspecs/buildproject.yml")
+  }
+
+  artifacts {
+    type = "CODEPIPELINE"
+  }
+}
+
+resource "aws_codebuild_project" "static_analysis_project" {
+  name         = "${var.resource_prefix}-sast-scanning-prj"
+  service_role = aws_iam_role.codepipeline_role.arn
+
+  environment {
+    compute_type    = "BUILD_GENERAL1_SMALL"
+    image           = "aws/codebuild/standard:5.0"
+    type            = "LINUX_CONTAINER"
+    privileged_mode = true
+  }
+
+  source {
+    type      = "NO_SOURCE"
+    buildspec = file("./buildspecs/sastscanning.yml")
+  }
+
+  artifacts {
+    type = "CODEPIPELINE"
+  }
+}
+
+resource "aws_codebuild_project" "oss_scanning_project" {
+  name         = "${var.resource_prefix}-oss-scanning-prj"
+  service_role = aws_iam_role.codepipeline_role.arn
+
+  environment {
+    compute_type    = "BUILD_GENERAL1_SMALL"
+    image           = "aws/codebuild/standard:5.0"
+    type            = "LINUX_CONTAINER"
+    privileged_mode = true
+  }
+
+  source {
+    type      = "NO_SOURCE"
+    buildspec = file("./buildspecs/ossdepscan.yml")
+  }
+
+  artifacts {
+    type = "CODEPIPELINE"
+  }
+}

provider.tf

@@ -0,0 +1,13 @@
+provider "aws" {
+  region = "us-east-1"
+}
+
+terraform {
+  cloud {
+    organization = "DSB"
+
+    workspaces {
+      name = "dsb-aws-devsecops-pipelines"
+    }
+  }
+}