Pre-commit is a tool used alongside version control: its main job is to run a series of predefined checks and actions automatically before code is committed to the Git repository. Those checks can include code formatting, static analysis, unit tests, security checks, and more.
Using pre-commit has many benefits; here are some of them:
```shell
$ brew install pre-commit tflint tfsec checkov
```
Add a `.pre-commit-config.yaml` file and paste the following:

```yaml
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.4.0 # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
    hooks:
      - id: check-yaml
      - id: check-merge-conflict
      - id: detect-aws-credentials
      - id: end-of-file-fixer
        exclude: (checkov.outputs/results_cli.txt)
      - id: trailing-whitespace
  - repo: https://github.com/gruntwork-io/pre-commit
    rev: v0.1.22 # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases
    hooks:
      - id: tflint
        args:
          - "--module"
          - "--config=.tflint.hcl"
          - "--filter=modules/*"
      - id: terraform-validate
        exclude: 'modules/.*'
      - id: terraform-fmt
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.83.4 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
    hooks:
      - id: terraform_tfsec
        args:
          - --args=--exclude=__GIT_WORKING_DIR__/modules/.*
      - id: terraform_docs
      - id: terraform_checkov
        args:
          - "--args=--output-file __GIT_WORKING_DIR__/checkov.outputs --skip-path __GIT_WORKING_DIR__/configs --skip-path __GIT_WORKING_DIR__/modules/my_karpenter/cloudformation.yaml --skip-path __GIT_WORKING_DIR__/my-ingress-node-red.yaml"
```
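The hook sources in this config are themselves a supply-chain input: every `repo` entry is code that pre-commit clones and runs on each commit. As an added example (not from the original post or from any of the projects it uses), here is a small Python audit that checks each `repo` is fetched over https, that each `rev` is pinned to a tag or full commit hash rather than a branch, and that the security-relevant hooks are present. The line-oriented reader handles only the `repos`/`rev`/`hooks` layout shown above, not general YAML, and the `REQUIRED_HOOKS` list and the sample config (constructed with two deliberate weaknesses) are assumptions you would adapt to your own repository.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a trimmed copy of the config above with two deliberate
# weaknesses for the audit to catch (an unencrypted git:// source and an
# unpinned branch rev).
SAMPLE_CONFIG = """\
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.4.0 # Get the latest from the releases page
    hooks:
      - id: check-yaml
      - id: detect-aws-credentials
  - repo: git://github.com/antonbabenko/pre-commit-terraform
    rev: main
    hooks:
      - id: terraform_tfsec
      - id: terraform_checkov
"""

# Hooks this policy insists on (assumption: your own list may differ).
REQUIRED_HOOKS = {"detect-aws-credentials", "terraform_tfsec", "terraform_checkov"}
# A pinned rev is a version tag (v1.2.3 / 1.2) or a full 40-hex commit hash.
PINNED_REV = re.compile(r"^(v?\d+(\.\d+)+|[0-9a-f]{40})$")


@dataclass
class RepoEntry:
    url: str
    rev: Optional[str] = None
    hooks: List[str] = field(default_factory=list)


def parse_repos(text: str) -> List[RepoEntry]:
    """Line-oriented reader for the repos/rev/hooks layout of
    .pre-commit-config.yaml. It is not a YAML parser (assumption: the file
    keeps the one-key-per-line shape shown on the page)."""
    repos: List[RepoEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if line.startswith("- repo:"):
            repos.append(RepoEntry(url=line.split(":", 1)[1].strip()))
        elif line.startswith("rev:") and repos:
            repos[-1].rev = line.split(":", 1)[1].strip()
        elif line.startswith("- id:") and repos:
            repos[-1].hooks.append(line.split(":", 1)[1].strip())
    return repos


def audit_config(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the config passes."""
    findings: List[str] = []
    seen = set()
    for repo in parse_repos(text):
        seen.update(repo.hooks)
        if repo.url == "local":  # local hooks have no remote source or rev
            continue
        if not repo.url.startswith("https://"):
            findings.append(f"{repo.url}: hook source is not fetched over https")
        if repo.rev is None or not PINNED_REV.match(repo.rev):
            findings.append(f"{repo.url}: rev {repo.rev!r} is not a pinned tag or commit")
    for hook in sorted(REQUIRED_HOOKS - seen):
        findings.append(f"required hook missing: {hook}")
    return findings


if __name__ == "__main__":
    # Audit a real file if a path is given, otherwise the constructed sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    problems = audit_config(source)
    for problem in problems:
        print("FAIL:", problem)
    print("OK" if not problems else f"{len(problems)} finding(s)")
    sys.exit(1 if problems else 0)
```

Run it as `python audit_precommit.py .pre-commit-config.yaml` (script name assumed) in CI so a branch-pinned or non-https hook source fails the build rather than silently pulling whatever the branch head happens to be.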
Add a `.tflint.hcl` file and paste the following:

```hcl
plugin "aws" {
  enabled = true
  version = "0.27.0"
  source  = "github.com/terraform-linters/tflint-ruleset-aws"
}
```
```shell
$ pre-commit install
pre-commit installed at .git/hooks/pre-commit
```
- TFLint: a static analysis tool for Terraform code. TFLint catches potential problems and errors such as resource misconfiguration and insecure settings; running it before each commit improves the quality and security of the Terraform code.
- tfsec: a tool that checks Terraform code for security issues. tfsec identifies and warns about potential security risks and vulnerabilities, such as insecure access-control rules or unencrypted sensitive data, which helps keep the Terraform configuration secure.
- Checkov: a tool that checks infrastructure-as-code (IaC) for security and compliance. Checkov identifies and fixes security vulnerabilities and compliance issues in cloud infrastructure; running it before each commit improves the security and compliance of the IaC code.
Checkov's results are written to the `checkov.outputs` directory, which makes them easy to find:

```yaml
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    hooks:
      ...
      - id: checkov
        args: [--output-file, 'checkov.outputs', --skip-path, 'configs']
```
To skip a particular check, add a `checkov:skip=` setting. For example, given this Checkov finding:

```text
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    FAILED for resource: module.eks.aws_eks_cluster.eks_cluster
    File: /modules/my_eks/eks_cluster.tf:1-24
    Calling File: /main.tf:289-363
    Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html

         1 | resource "aws_eks_cluster" "eks_cluster" {
         2 |   # checkov:skip=CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
         3 |   # checkov:skip=CKV_AWS_81: "Ensure MSK Cluster encryption in rest and transit is enabled"
         4 |
         5 |   name                      = var.cluster_name
         6 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
         7 |   role_arn                  = var.cluster_role_arn
         8 |
         9 |   vpc_config {
        10 |     endpoint_private_access = var.endpoint_private_access
        11 |     public_access_cidrs     = var.public_access_cidrs
        12 |     subnet_ids              = concat(var.public_subnets, var.private_subnets)
        13 |   }
        14 |
        15 |   version = var.eks_version
        16 |
        17 |   tags = {
        18 |     Name = var.cluster_name
        19 |   }
        20 |
        21 |   depends_on = [
        22 |     var.cluster_role_arn
        23 |   ]
        24 | }
```
Add the skip setting for that check inside the resource block:

```hcl
resource "aws_eks_cluster" "eks_cluster" {
  # checkov:skip=CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
  # checkov:skip=CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
  # checkov:skip=CKV_AWS_81: "Ensure MSK Cluster encryption in rest and transit is enabled"
  name                      = var.cluster_name
  enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
  role_arn                  = var.cluster_role_arn
  vpc_config {
    endpoint_private_access = var.endpoint_private_access
    public_access_cidrs     = var.public_access_cidrs
    subnet_ids              = concat(var.public_subnets, var.private_subnets)
  }
  version = var.eks_version
  tags = {
    Name = var.cluster_name
  }
  depends_on = [
    var.cluster_role_arn
  ]
}

data "tls_certificate" "certificate" {
  url = aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer
}

resource "aws_iam_openid_connect_provider" "oidc_provider" {
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.certificate.certificates[0].sha1_fingerprint]
  url             = aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer
}
```
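Inline `checkov:skip=` comments are the escape hatch from the policy the hook enforces, so they deserve the same review as the policy itself: a skip that carries no justification, or that sits outside the resource block it is meant to cover, is easy to miss in a diff. As an added example (not from the original post or from Checkov itself), the Python script below walks a `.tf` file, attaches every skip comment to the enclosing `resource` block, reports skips with an empty justification or no enclosing block, and prints a per-resource count so reviewers can see where suppressions pile up. The brace counting is deliberately simple (it assumes no braces inside strings or comments), and the sample input is constructed from the EKS resource above plus a second resource with an unjustified skip.

```python
import re
import sys
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample: the EKS resource from the post with its three skip
# comments, plus a second resource whose skip carries no justification.
SAMPLE_TF = """\
resource "aws_eks_cluster" "eks_cluster" {
  # checkov:skip=CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
  # checkov:skip=CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
  # checkov:skip=CKV_AWS_81: "Ensure MSK Cluster encryption in rest and transit is enabled"
  name = var.cluster_name
}

resource "aws_s3_bucket" "logs" {
  # checkov:skip=CKV_AWS_18
  bucket = "example-logs"
}
"""

RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
# Checkov's inline suppression syntax: checkov:skip=<check_id>:<justification>
SKIP_RE = re.compile(r'^\s*#\s*checkov:skip=([A-Za-z0-9_]+)(?::\s*(.*))?\s*$')


def find_skips(tf_text: str) -> List[Dict]:
    """Attach every checkov:skip comment to the resource block it sits in.
    Brace counting is deliberately simple (assumption: no braces inside
    strings or comments in the scanned files)."""
    skips: List[Dict] = []
    current: Optional[str] = None
    depth = 0
    for lineno, line in enumerate(tf_text.splitlines(), 1):
        m = RESOURCE_RE.match(line)
        if m and depth == 0:
            current = f"{m.group(1)}.{m.group(2)}"
        s = SKIP_RE.match(line)
        if s:
            skips.append({
                "resource": current,          # None when outside any block
                "check": s.group(1),
                "reason": (s.group(2) or "").strip().strip('"'),
                "line": lineno,
            })
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None
    return skips


def audit_skips(tf_text: str) -> Tuple[List[str], Dict[str, int]]:
    """Findings for skips that are unjustified or sit outside any resource
    block, plus a per-resource count of suppressions for the reviewer."""
    findings: List[str] = []
    counts: Dict[str, int] = defaultdict(int)
    for s in find_skips(tf_text):
        if s["resource"] is None:
            findings.append(f"line {s['line']}: {s['check']} skip is outside any resource block")
            continue
        counts[s["resource"]] += 1
        if not s["reason"]:
            findings.append(f"line {s['line']}: {s['resource']} skips {s['check']} without a justification")
    return findings, dict(counts)


if __name__ == "__main__":
    # When run as a local pre-commit hook, the staged .tf paths arrive in argv;
    # with no arguments the constructed sample is audited instead.
    paths = sys.argv[1:]
    inputs = [(p, open(p).read()) for p in paths] if paths else [("<sample>", SAMPLE_TF)]
    failed = False
    for path, text in inputs:
        findings, counts = audit_skips(text)
        for resource, n in counts.items():
            print(f"{path}: {resource} has {n} checkov skip(s)")
        for finding in findings:
            print(f"{path}: FAIL {finding}")
        failed = failed or bool(findings)
    sys.exit(1 if failed else 0)
```

To run it on every commit, add it under a `repo: local` entry in `.pre-commit-config.yaml` with `language: system`, `entry: python scripts/checkov_skip_audit.py` (the script path is assumed) and `files: \.tf$`; pre-commit then passes the staged Terraform files as arguments and blocks the commit on a non-zero exit.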
The next post will cover how to code review Terraform execution plans with Atlantis.