ECGALAXY-119: add tflint and tfsec

765d9dfd · Nicola LIMONGI · a20bd1d3 · 765d9dfd · 765d9dfd · 765d9dfd
Commit 765d9dfd authored 3 years ago by Nicola LIMONGI
--- a/README.md
+++ b/README.md
 ECGALAXY terraform role
 =======================

-Installs HashiCorp Terraform - https://www.terraform.io/
+The role installs HashiCorp Terraform - https://www.terraform.io/
+The following additional tools are also installed:
+- `tflint`: performs the linting of the code.
+- `tfsec`: performs static code analysis of terraform files.

 Requirements
 ------------
@@ -11,19 +14,20 @@ None.
 Role Variables
 --------------

-See `vars` folder.
+See `vars` and `defaults` folders.

 Dependencies
 ------------

-None.
+- ecgalaxy.common_packages

 Example Playbook
 ----------------

    - hosts: all
      roles:
-        - terraform
+        - ecgalaxy.common_packages
+        - ecgalaxy.terraform

 License
 -------

--- a/defaults/main.yml
+++ b/defaults/main.yml
+---
+
+terraform_tflint_install: True
+terraform_tflint_version: 0.33.1
+terraform_tflint_url: "https://github.com/terraform-linters/tflint/releases/download/v{{ terraform_tflint_version }}/tflint_linux_amd64.zip"
+terraform_tflint_checksum: "sha256:312435bc332df0bd986346adb6819bac7b3918e8d3b2ada6a54cf6899753ad48"
+terraform_tflint_install_basedir: "/opt/tflint"
+terraform_tflint_install_path: "{{ terraform_tflint_install_basedir }}/{{ terraform_tflint_version }}"
+terraform_tflint_bin: "/usr/local/bin/tflint"
+terraform_tflint_remove_previous_versions: False
+
+terraform_tfsec_install: True
+terraform_tfsec_version: 0.58.15
+terraform_tfsec_url: "https://github.com/aquasecurity/tfsec/releases/download/v{{ terraform_tfsec_version }}/tfsec-linux-amd64"
+terraform_tfsec_checksum: "sha256:a93eba5bf04fb9b60b2932bd72fe19dd5d8c180317ac0317a135b9d64e1cde7e"
+terraform_tfsec_install_basedir: "/opt/tfsec"
+terraform_tfsec_install_path: "{{ terraform_tfsec_install_basedir }}/{{ terraform_tfsec_version }}"
+terraform_tfsec_bin: "/usr/local/bin/tfsec"
+terraform_tfsec_remove_previous_versions: False
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -19,4 +19,5 @@ galaxy_info:
    - bionic
    - focal
  galaxy_tags: []
-dependencies: []
+dependencies:
+    - role: common_packages
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
 ---
 - name: Converge
  hosts: all
-  tasks:
-    - name: "Include terraform"
-      include_role:
-        name: "terraform"
+  roles:
+    - role: common_packages
+    - role: terraform
  environment:
    http_proxy: "{{ lookup('env', 'http_proxy') }}"
    https_proxy: "{{ lookup('env', 'https_proxy') }}"

--- a/molecule/default/requirements.yml
+++ b/molecule/default/requirements.yml
+---
+- src: "https://citnet.tech.ec.europa.eu/CITnet/stash/scm/ecgalaxy/common_packages.git"
+  scm: git
+  name: common_packages
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -3,11 +3,15 @@
  hosts: all
  gather_facts: false
  tasks:
-    - name: Check binary file
+    - name: Include role defaults vars
+      with_first_found:
+        - "../../defaults/main.yml"
+      include_vars: "{{ item }}"
+    - name: Check terraform binary file
      stat:
        path: /usr/bin/terraform
      register: bin
-    - name: Assert that terraform is installed
+    - name: Assert that terraform binary is installed
      assert:
        that:
          - "bin.stat.exists"
@@ -18,3 +22,33 @@
      assert:
        that:
        - "'Terraform' in output.stdout"
+    - name: Check tflint binary file
+      stat:
+        path: "{{ terraform_tflint_install_path }}/tflint"
+      register: bin
+    - name: Assert that tflint is installed
+      assert:
+        that:
+          - "bin.stat.exists"
+    - name: Check tflint execution
+      command: tflint --version
+      register: output
+    - name: Assert that tflint is installed
+      assert:
+        that:
+        - "'TFLint version {{ terraform_tflint_version }}' in output.stdout"
+    - name: Check tfsec binary file
+      stat:
+        path: "{{ terraform_tfsec_bin | dirname }}/tfsec"
+      register: bin
+    - name: Assert that tfsec is installed
+      assert:
+        that:
+          - "bin.stat.exists"
+    - name: Check tfsec execution
+      command: tfsec --version
+      register: output
+    - name: Assert that tfsec is installed
+      assert:
+        that:
+        - "'{{ terraform_tfsec_version }}' in output.stdout"
--- a/tasks/install_extras.yml
+++ b/tasks/install_extras.yml
+---
+
+- name: Tflint remove previous version
+  file:
+    path: "{{ terraform_tflint_install_basedir }}" 
+    state: absent
+  become: yes
+  when: terraform_tflint_remove_previous_versions
+
+- name: Tfsec remove previous version
+  file:
+    path: "{{ terraform_tfsec_install_basedir }}" 
+    state: absent
+  become: yes
+  when: terraform_tfsec_remove_previous_versions
+
+- name: Download tflint
+  get_url:
+    dest: /tmp
+    url: "{{ terraform_tflint_url }}"
+    checksum: "{{ terraform_tflint_checksum }}" 
+    mode: 0755 
+  register: tflint_download
+  when: terraform_tflint_install
+  changed_when: False
+
+- name: Create tflint installation dir.
+  file:
+    path: "{{ terraform_tflint_install_path }}" 
+    state: directory
+    owner: "root"  
+    group: "root"  
+    mode: "u=rwx,go=rx"  
+  become: true
+
+- name: Extract tflint archive
+  unarchive:
+    src: "{{ tflint_download.dest }}"
+    dest: "{{ terraform_tflint_install_path }}"
+    remote_src: yes
+  when: terraform_tflint_install
+  become: true
+
+- name: Create tflint symlink
+  file:
+    src: "{{ terraform_tflint_install_path }}/tflint"
+    dest: "{{ terraform_tflint_bin }}"
+    owner: root
+    group: root
+    state: link
+    force: true
+  become: true
+
+- name: Create tfsec installation dir.
+  file:
+    path: "{{ terraform_tfsec_install_path }}" 
+    state: directory
+    owner: "root"  
+    group: "root"  
+    mode: "u=rwx,go=rx"  
+  become: true
+
+- name: Download and install tfsec
+  get_url:
+    dest: "{{ terraform_tfsec_install_path }}/tfsec"
+    url: "{{ terraform_tfsec_url }}"
+    checksum: "{{ terraform_tfsec_checksum }}"
+    mode: 0755 
+  register: tfsec_download
+  when: terraform_tfsec_install
+  become: true
+
+- name: Create tfsec symlink
+  file:
+    src: "{{ terraform_tfsec_install_path }}/tfsec"
+    dest: "{{ terraform_tfsec_bin }}"
+    owner: root
+    group: root
+    state: link
+    force: true
+  become: true
+
+- name: Cleaning up downloaded files.
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - "{{ tflint_download.dest }}" 
+  changed_when: False
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -37,3 +37,6 @@
    name: terraform
    state: present
  become: true
+
+- name: Include extras
+  include_tasks: ./install_extras.yml