Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add terrascan atlantis container files, scripts and doc. #684

Merged
merged 2 commits into from
May 5, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions atlantis/Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
FROM runatlantis/atlantis:v0.16.1
ENV DEFAULT_TERRASCAN_VERSION=1.5.1
ENV PLANFILE tfplan
ADD setup.sh terrascan.sh launch-atlantis.sh entrypoint.sh /usr/local/bin/
RUN mkdir -p /etc/atlantis/ && \
chmod +x /usr/local/bin/*.sh && \
/usr/local/bin/setup.sh
ADD terrascan-workflow.yaml /etc/atlantis/workflow.yaml
USER atlantis
RUN terrascan init
ENTRYPOINT ["/bin/bash", "entrypoint.sh"]
CMD ["server"]
26 changes: 26 additions & 0 deletions atlantis/data/terrascan-workflow.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
# Copyright (C) 2020 Accurics, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

repos:
- id: "/.*/"
workflow: terrascan
workflows:
terrascan:
plan:
steps:
- run: terraform init -input=false -no-color
- run: terraform workspace select -no-color $WORKSPACE
- run: terraform plan -input=false -refresh -no-color -out $PLANFILE
- run: terraform show -no-color -json $PLANFILE > ${PLANFILE}.json
- run: terrascan.sh
50 changes: 50 additions & 0 deletions atlantis/entrypoint.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
# Copyright (C) 2020 Accurics, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

#!/bin/bash
set -e
jlk marked this conversation as resolved.
Show resolved Hide resolved
count=1
declare config_file
declare copy
function fetch_configfile() {
for i in "${@:1}"
do
if [[ "$i" == "-c"* ]]; then
if [[ $i =~ -c=(.+) ]]; then
eval config_file="${BASH_REMATCH[1]}"
copy=${@/"$i"}
elif [[ $i =~ -c(.+) ]]; then
echo "unacceptable argument : $i"
exit 1
else
eval var='$'$(( count + 1 ))
eval config_file="$var"
copy=$(echo "$@" | sed "s/ -c//")
copy=${copy/$config_file}
fi
fi
(( count += 1 ))
done
}

fetch_configfile "$@"
if [[ ! -z $config_file ]]; then
export TERRASCAN_CONFIG=$config_file
fi

if [[ -z $copy ]]; then
launch-atlantis.sh $@
else
launch-atlantis.sh $copy
fi
81 changes: 81 additions & 0 deletions atlantis/launch-atlantis.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,81 @@
# Copyright (C) 2020 Accurics, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

#!/bin/bash
set -e

declare flag

function lookup_repo_config_flag() {
for i in "$@"
do
if [[ "$i" == "--repo-config"* ]]; then
flag="true"
fi
done
}

# Modified: https://github.com/hashicorp/docker-consul/blob/2c2873f9d619220d1eef0bc46ec78443f55a10b5/0.X/docker-entrypoint.sh

# If the user is trying to run atlantis directly with some arguments, then
# pass them to atlantis.
if [ "${1:0:1}" = '-' ]; then
set -- atlantis "$@"
fi

# If the user is running an atlantis subcommand (ex. server) then we want to prepend
# atlantis as the first arg to exec. To detect if they're running a subcommand
# we take the potential subcommand and run it through atlantis help {subcommand}.
# If the output contains "atlantis subcommand" then we know it's a subcommand
# since the help output contains that string. For anything else (ex. sh)
# it won't contain that string.
# NOTE: We use grep instead of the exit code since help always returns 0.
if atlantis help "$1" 2>&1 | grep -q "atlantis $1"; then
# We can't use the return code to check for the existence of a subcommand, so
# we have to use grep to look for a pattern in the help output.
set -- atlantis "$@"
fi

# If the current uid running does not have a user create one in /etc/passwd
if ! whoami &> /dev/null; then
if [ -w /etc/passwd ]; then
echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:/home/atlantis:/sbin/nologin" >> /etc/passwd
fi
fi

# If we're running as root and we're trying to execute atlantis then we use
# gosu to step down from root and run as the atlantis user.
# In OpenShift, containers are run as a random users so we don't need to use gosu.
if [[ $(id -u) == 0 ]] && [[ "$1" = 'atlantis' ]]; then
# If requested, set the capability to bind to privileged ports before
# we drop to the non-root user. Note that this doesn't work with all
# storage drivers (it won't work with AUFS).
if [ ! -z ${ATLANTIS_ALLOW_PRIVILEGED_PORTS+x} ]; then
setcap "cap_net_bind_service=+ep" /bin/atlantis
fi

set -- gosu atlantis "$@"
fi

to_exec=""

lookup_repo_config_flag $@

if [[ $flag != "true" ]] && [[ "$@" == *"atlantis"* ]] && [[ "$@" == *"server"* ]] && [[ -f /etc/atlantis/workflow.yaml ]]; then
to_exec="$@ --repo-config=/etc/atlantis/workflow.yaml"
else
to_exec="$@"
fi

exec $to_exec
31 changes: 31 additions & 0 deletions atlantis/setup.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
# Copyright (C) 2020 Accurics, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

#!/bin/bash
set -ex

if [[ -z "${TERRASCAN_VERSION}" ]]; then
TERRASCAN_VERSION=${DEFAULT_TERRASCAN_VERSION}
fi

VERSION=${TERRASCAN_VERSION}

curl -LOs https://github.com/accurics/terrascan/releases/download/v${VERSION}/terrascan_${VERSION}_Linux_x86_64.tar.gz
mkdir /usr/local/bin/terrascan_${VERSION}
tar -C /usr/local/bin/terrascan_${VERSION} -xzf terrascan_${VERSION}_Linux_x86_64.tar.gz

mv /usr/local/bin/terrascan_${VERSION}/terrascan /usr/local/bin/terrascan

rm terrascan_${VERSION}_Linux_x86_64.tar.gz
rm -rf /usr/local/bin/terrascan_${VERSION}/
26 changes: 26 additions & 0 deletions atlantis/terrascan-workflow.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
# Copyright (C) 2020 Accurics, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

repos:
- id: "/.*/"
workflow: terrascan
workflows:
terrascan:
plan:
steps:
- run: terraform init -input=false -no-color
- run: terraform workspace select -no-color $WORKSPACE
- run: terraform plan -input=false -refresh -no-color -out $PLANFILE
- run: terraform show -no-color -json $PLANFILE > ${PLANFILE}.json
- run: terrascan.sh
36 changes: 36 additions & 0 deletions atlantis/terrascan.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
# Copyright (C) 2020 Accurics, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

#!/bin/bash

terrascan scan -i tfplan --iac-version v1 -f ${PLANFILE}.json -l error > output
exitcode=$?

if [[ ! $exitcode -eq 0 ]]; then
echo
echo '- Terrascan identified IAC policy violations:'
echo
echo 'Scan Results:'
cat output
echo
echo '```'
echo '</details>'
echo '<p><strong>Further atlantis details below:</strong></p>'
echo '<details>'
echo
echo '```diff'
echo
fi

exit $exitcode
47 changes: 44 additions & 3 deletions docs/integrations/atlantis-integration.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,6 @@ In either scenario, the configuration of Atlantis is a diverse topic which will
Through this method, you will modify or create a custom workflow for atlantis so your repositories will be scanned by terrascan as part of the pull request automation.

**Requirements**

* The atlantis server must have TCP connectivity to where the terrascan server is running.
* The `curl` command needs to be installed on the system so the `terrascan-remote-scan.sh` script can make the scan request. Atlantis's [docker image](https://hub.docker.com/r/runatlantis/atlantis/) has curl preinstalled.

Expand Down Expand Up @@ -74,6 +73,48 @@ terrascan server

Once the systems are running, when atlantis is called via pull request, or a comment of `atlantis plan`, terrascan will be called as part of the atlantis plan flow. Scan results will be placed in a comment on the pull request, and if issues are found the test will be marked as failed.

## Custom Atlantis Contaier
(coming soon...)
## Custom Atlantis Container

We have come up with a custom container built on top of the official atlantis container image, that will allow users to
run IaC scans with terrascan, besides the usual atlantis usage. There's a default atlantis workflow setup inside in the
container to be used. Users may also override that default workflow using the --repo-config flag.

### Usage

On the code repository's end, usage is exactly the same as atlantis, you comment `atlantis plan` and `atlantis plan` on
your Pull Requests to trigger the custom atlantis-terrascan workflow.

##### To use our container image:
```
docker pull accurics/terrascan_atlantis
```
##### To build your own container image:
```
docker build ./atlantis -t <image_name>
```
###### Running the container:
```bash
docker run \
--env-file=<.env-file> \
-p 4141:4141 \
-v <pwd>/config_data/:/etc/terrascan/ \
accurics/terrascan_atlantis server \
--gh-user="$USERNAME" --gh-token="$TOKEN" --gh-webhook-secret="$SECRET" \
--repo-allowlist="$REPO_ALLOWLIST" \
-c /etc/terrascan/config.toml
```

The syntax of the atlantis server command here is same as in [atlantis docs](https://www.runatlantis.io/docs/),
except for an optional `-c` flag which can be used to pass in the toml config filepath for terrascan.
Another way to provide the toml config filepath would be the TERRASCAN_CONFIG environment variable.

You need to provide all the environment variables that terraform requires to operate with your respective cloud providers.
It's a good practice to use a [specific tag](https://hub.docker.com/r/accurics/terrascan_atlantis/tags) of the container
image rather than the latest tag.

The default workflow.yaml file used is the `atlantis/workflow.yaml` in this repo. You can override the default workflow
using the `--repo-config` flag. It will be up to you how you want to trigger `terrascan` for your usage. You can do
something along the lines of `atlantis/workflow.yaml` and `atlantis/terrascan.sh` itself.