Merge branch 'master' into update_versions

.github/workflows/on-demand_terraform.yml

@@ -0,0 +1,60 @@
+---
+# Copyright 2022 Samsung Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Check Terraform scripts
+# yamllint disable-line rule:truthy
+on: 
+  push:
+    branches:
+      - master
+    paths:
+      - '**.tf'
+  pull_request:
+    branches:
+      - master
+    paths:
+      - '**.tf'
+
+jobs:
+  check-checkov:
+    name: Check static code (checkov)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Run Checkov action
+        uses: bridgecrewio/checkov-action@master
+        with:
+          directory: ./deployment/terraform/aws
+          quiet: true
+          soft_fail: true
+          framework: terraform
+          download_external_modules: true
+  check-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Lint Terraform
+        uses: actionshub/terraform-lint@main
+  check-terrascan:
+    runs-on: ubuntu-latest
+    name: terrascan-action
+    steps:
+      - uses: actions/checkout@v3
+      - name: Run Terrascan
+        id: terrascan
+        uses: accurics/terrascan-action@main
+        with:
+          iac_type: 'terraform'
+          only_warn: true

deployment/terraform/aws/main.tf

@@ -1,93 +1,93 @@
 provider "aws" {
-    alias   = "region_1"
-    region  = var.region_1
+  alias  = "region_1"
+  region = var.region_1
 }
 
 provider "aws" {
-    alias  = "region_2"
-    region = var.region_2
+  alias  = "region_2"
+  region = var.region_2
 }
 
 # Validator
 module "validator" {
-    source    = "./validator"
-    providers = {
-        aws = aws.region_1
-    }
+  source = "./validator"
+  providers = {
+    aws = aws.region_1
+  }
 }
 
 # Private Sentries
 module "private_sentries" {
-    source      = "./private-sentries"
+  source = "./private-sentries"
 
-    providers = {
-        aws = aws.region_1
-        aws.peer = aws.region_1
-    }
+  providers = {
+    aws      = aws.region_1
+    aws.peer = aws.region_1
+  }
 
-    peer_vpc = module.validator.vpc
+  peer_vpc = module.validator.vpc
 }
 
 # Public Sentries region 1
 module "public_sentries_1" {
-    source      = "./public-sentries"
-    nodes_count  = 1
-    
-    # enable_ipv6 = false
-
-    providers = {
-        aws = aws.region_1
-        aws.peer = aws.region_1
-    }
-
-    region_index = 1
-    peer_vpc = module.private_sentries.vpc
+  source      = "./public-sentries"
+  nodes_count = 1
+
+  # enable_ipv6 = false
+
+  providers = {
+    aws      = aws.region_1
+    aws.peer = aws.region_1
+  }
+
+  region_index = 1
+  peer_vpc     = module.private_sentries.vpc
 }
 
 # Public Sentries region 2
 module "public_sentries_2" {
-    source      = "./public-sentries"
-    nodes_count  = 1
+  source      = "./public-sentries"
+  nodes_count = 1
 
-    # enable_ipv6 = false
+  # enable_ipv6 = false
 
-    providers = {
-        aws = aws.region_2
-        aws.peer = aws.region_1
-    }
+  providers = {
+    aws      = aws.region_2
+    aws.peer = aws.region_1
+  }
 
-    region_index = 2
-    peer_vpc = module.private_sentries.vpc
+  region_index = 2
+  peer_vpc     = module.private_sentries.vpc
 }
 
 # Observers region 1
 module "observers_1" {
-    source      = "./observers"
-    
-    providers = {
-        aws = aws.region_1
-        aws.peer = aws.region_1
-    }
-
-    root_domain_name    = var.root_domain_name
-    enable_tls          = var.enable_tls
-
-    region_index = 1
-    peer_vpc = module.private_sentries.vpc
+  source = "./observers"
+
+  providers = {
+    aws      = aws.region_1
+    aws.peer = aws.region_1
+  }
+
+  root_domain_name = var.root_domain_name
+  enable_tls       = var.enable_tls
+
+  region_index = 1
+  peer_vpc     = module.private_sentries.vpc
 }
 
 # Observers region 2
 module "observers_2" {
-    source      = "./observers"
-    
-    providers = {
-        aws = aws.region_2
-        aws.peer = aws.region_1
-    }
-
-    root_domain_name    = var.root_domain_name
-    enable_tls          = var.enable_tls
-
-    region_index = 2
-    peer_vpc = module.private_sentries.vpc
+  source = "./observers"
+
+  providers = {
+    aws      = aws.region_2
+    aws.peer = aws.region_1
+  }
+
+  root_domain_name = var.root_domain_name
+  enable_tls       = var.enable_tls
+
+  region_index = 2
+  peer_vpc     = module.private_sentries.vpc
 }

deployment/terraform/aws/observers/acm.tf

@@ -1,25 +1,25 @@
 resource "aws_acm_certificate" "this_acm_cert" {
-    count = local.enable_tls ? 1 : 0
+  count = local.enable_tls ? 1 : 0
 
-    domain_name       = "on.${data.aws_route53_zone.this_zone[0].name}"
-    validation_method = "DNS"
+  domain_name       = "on.${data.aws_route53_zone.this_zone[0].name}"
+  validation_method = "DNS"
 }
 
 resource "aws_route53_record" "this_acm_val_records" {
-    count = local.enable_tls ? length(aws_acm_certificate.this_acm_cert[0].domain_validation_options) : 0
+  count = local.enable_tls ? length(aws_acm_certificate.this_acm_cert[0].domain_validation_options) : 0
 
-    name            = tolist(aws_acm_certificate.this_acm_cert[0].domain_validation_options)[count.index].resource_record_name
-    records         = [tolist(aws_acm_certificate.this_acm_cert[0].domain_validation_options)[count.index].resource_record_value]
-    type            = tolist(aws_acm_certificate.this_acm_cert[0].domain_validation_options)[count.index].resource_record_type
+  name    = tolist(aws_acm_certificate.this_acm_cert[0].domain_validation_options)[count.index].resource_record_name
+  records = [tolist(aws_acm_certificate.this_acm_cert[0].domain_validation_options)[count.index].resource_record_value]
+  type    = tolist(aws_acm_certificate.this_acm_cert[0].domain_validation_options)[count.index].resource_record_type
 
-    allow_overwrite = true
-    ttl             = 60
-    zone_id         = data.aws_route53_zone.this_zone[0].zone_id
+  allow_overwrite = true
+  ttl             = 60
+  zone_id         = data.aws_route53_zone.this_zone[0].zone_id
 }
 
 resource "aws_acm_certificate_validation" "this_acm_cert_validation" {
-    count = local.enable_tls ? 1 : 0
+  count = local.enable_tls ? 1 : 0
 
-    certificate_arn         = aws_acm_certificate.this_acm_cert[0].arn
-    validation_record_fqdns = aws_route53_record.this_acm_val_records[*].fqdn
+  certificate_arn         = aws_acm_certificate.this_acm_cert[0].arn
+  validation_record_fqdns = aws_route53_record.this_acm_val_records[*].fqdn
 }