diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 7586e1c..8846329 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -7,7 +7,7 @@ "ghcr.io/devcontainers/features/azure-cli:latest": {}, "ghcr.io/devcontainers/features/github-cli:latest": {}, "ghcr.io/devcontainers/features/terraform:latest": {}, - "ghcr.io/dhoeric/features/tfsec:latest": {} + "ghcr.io/dhoeric/features/trivy:1": {} }, "customizations": { "vscode": { diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 30fd1db..471a499 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -34,14 +34,14 @@ jobs: uses: hashicorp/setup-terraform@v2 with: terraform_version: ${{ matrix.terraform-version }} - - uses: terraform-linters/setup-tflint@v3 - name: Setup TFLint + - name: Setup TFLint + uses: terraform-linters/setup-tflint@v4 with: - tflint_version: v0.44.1 - - name: tfsec - uses: aquasecurity/tfsec-action@v1.0.0 + tflint_version: v0.52.0 + - name: Install Trivy + uses: aquasecurity/setup-trivy@v0.2.2 with: - version: latest + version: v0.57.0 - name: Run CI test run: | cd infra diff --git a/README.md b/README.md index adbeb9f..5b564e2 100644 --- a/README.md +++ b/README.md @@ -16,8 +16,8 @@ Baseline Environment on Azure in Terraform is a set of reference Terraform templ For development: -- [tflint](https://github.com/terraform-linters/tflint) -- [tfsec](https://github.com/aquasecurity/tfsec) +- [TFlint](https://github.com/terraform-linters/tflint) +- [Trivy](https://github.com/aquasecurity/trivy) ## Usage diff --git a/infra/Makefile b/infra/Makefile index 1e69dd2..28d7b6d 100644 --- a/infra/Makefile +++ b/infra/Makefile 
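Review bot: The new feature reference `"ghcr.io/dhoeric/features/trivy:1": {}` pins a third-party, personal-namespace feature only to a floating major tag, so the binary built into every developer container can change without a commit and can drift from the `v0.57.0` the CI workflow pins in the same patch. Devcontainer features execute at image build time as root, so this is a supply-chain trust decision that deserves an exact pin rather than a moving tag. Prefer an exact published feature version and, if the feature exposes a Trivy version option (check its documentation for the option name), align it with CI, e.g. `"ghcr.io/dhoeric/features/trivy:<exact-feature-version>": { "version": "0.57.0" }`. The neighbouring `:latest` features have the same weakness but are outside this change.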
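Review bot: `uses: aquasecurity/setup-trivy@v0.2.2` and `uses: terraform-linters/setup-tflint@v4` pin the actions to mutable git tags, so the code executed in CI can be swapped by whoever controls those tags; pin each to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: aquasecurity/setup-trivy@<40-char-commit-sha> # v0.2.2` (the pre-existing `setup-terraform@v2` has the same issue). Separately, the removed `tfsec-action` step ran the scan itself and failed the job on findings, whereas the replacement step only installs the binary, so whether misconfigurations still block the merge now depends entirely on what the `Run CI test` step invokes. That step's script continues past the hunk, so confirm it runs Trivy with a non-zero exit code on findings rather than relying on the install step alone.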
@@ -34,7 +34,7 @@ install-deps-dev: ## install dependencies for development @which az || echo "Please install Azure CLI: https://docs.microsoft.com/cli/azure/install-azure-cli" @which gh || echo "Please install GitHub CLI: https://cli.github.com/" @which tflint || echo "Please install tflint: https://github.com/terraform-linters/tflint#installation" - @which tfsec || echo "Please install tfsec: https://aquasecurity.github.io/tfsec/v1.4.2/getting-started/installation/" + @which trivy || echo "Please install Trivy: https://aquasecurity.github.io/trivy/v0.57/getting-started/installation/" .PHONY: clean clean: @@ -59,13 +59,13 @@ tflint: echo "tflint is not installed. Skipping..."; \ fi -.PHONY: tfsec -tfsec: - @if [ -x "$(shell command -v tfsec)" ]; then \ - echo "Running tfsec..."; \ - tfsec .; \ +.PHONY: trivy +trivy: + @if [ -x "$(shell command -v trivy)" ]; then \ + echo "Running trivy..."; \ + trivy config .; \ else \ - echo "tfsec is not installed. Skipping..."; \ + echo "trivy is not installed. Skipping..."; \ fi .PHONY: format @@ -84,7 +84,7 @@ test: init ## test codes _ci-test-base: install-deps-dev clean init lint test plan .PHONY: ci-test -ci-test: tflint tfsec ## ci test +ci-test: tflint trivy ## ci test @for dir in $(SCENARIO_DIR_LIST) ; do \ echo "Test: $$dir" ; \ make _ci-test-base SCENARIO=$$(basename $$dir) || exit 1 ; \ diff --git a/infra/modules/storage_account/main.tf b/infra/modules/storage_account/main.tf index 9a808f7..c746a26 100644 --- a/infra/modules/storage_account/main.tf +++ b/infra/modules/storage_account/main.tf @@ -16,7 +16,6 @@ resource "azurerm_storage_account" "storage_account" { account_tier = "Standard" account_replication_type = "LRS" allow_nested_items_to_be_public = false - min_tls_version = "TLS1_2" identity { type = "SystemAssigned"
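Review bot: `trivy config .;` in the new `trivy` target will not fail the build on findings, because Trivy's `--exit-code` flag defaults to 0 for its scan subcommands, whereas the `tfsec .` it replaces exited non-zero on any failed check; as written, `ci-test` prints misconfigurations and still goes green. Change the recipe line to `trivy config --exit-code 1 .; \` (if a lower gate is intended, add `--severity HIGH,CRITICAL` explicitly rather than leaving the threshold implicit). The `if ... else echo "trivy is not installed. Skipping..."` wrapper copies the existing tflint target, so a missing or broken install in CI also yields a silent pass — a pre-existing pattern, but worth failing hard when `$(CI)` is set now that the scanner is the only policy gate.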
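Review bot: Dropping `min_tls_version = "TLS1_2"` removes the only explicit TLS floor on this storage account and leaves it to the azurerm provider default, which changed between provider major versions (the 3.0 upgrade moved it from TLS1_0 to TLS1_2); the module's provider version constraint is not in this diff, so the effective minimum after this change cannot be confirmed from here. Nothing in the patch explains the removal — if it was made while migrating from tfsec to Trivy, keeping the explicit setting is the cheaper and more auditable option, and it protects the module if the provider constraint is ever relaxed. Restore `min_tls_version = "TLS1_2"` alongside `allow_nested_items_to_be_public = false`. The `azurerm_storage_account` resource block begins before and continues after this hunk.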