chore: add trivy and tflint

Orkuncakilkaya · Orkuncakilkaya · commit b444ac10a075 · 2025-06-30T14:47:23.000+03:00
diff --git a/.github/workflows/tflint.yml b/.github/workflows/tflint.yml
@@ -0,0 +1,30 @@
+name: TFlint
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+    branches:
+      - main
+      - rc
+
+jobs:
+  tflint:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout source code
+
+      - uses: terraform-linters/setup-tflint@v4
+        name: Setup TFLint
+        with:
+          tflint_version: v0.58.0
+
+      - name: Show version
+        run: tflint --version
+
+      - name: Init TFLint
+        run: tflint --init
+
+      - name: Run TFLint
+        run: tflint -f compact
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -0,0 +1,23 @@
+name: Run Trivy
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+    branches:
+      - main
+      - rc
+
+jobs:
+  build:
+    name: Scan
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner in config mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'config'
+          exit-code: '1'
+          trivy-config: trivy.yaml
diff --git a/.trivyignore b/.trivyignore
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # Prerequisites
 
-* Create a `terraform.tfvars` file, fill your `fastly_api_key`, `integration_domain`, `main_host`, `get_result_path`, `agent_script_download_path`
+* Create a `terraform.tfvars` file, fill your `fastly_api_key`, `integration_domain`, `get_result_path`, `agent_script_download_path`
 * Create an empty Fastly Compute service and copy the id
 * Paste the id in `terraform.tfvars` file like this:
 ```terraform
diff --git a/main.tf b/main.tf
@@ -1,4 +1,5 @@
 terraform {
+  required_version = ">=1.5"
   required_providers {
     fastly = {
       source  = "fastly/fastly"
@@ -14,10 +15,10 @@ provider "fastly" {
 module "compute_asset" {
   count                        = var.download_asset ? 1 : 0
   source                       = "./modules/download_asset"
-  asset_version_min            = var.asset_version_min
+  asset_version            = var.asset_version
   compute_asset_name           = var.compute_asset_name
-  repository_name              = var.repository_name
-  repository_organization_name = var.repository_organization_name
+  repository_name              = var.asset_repository_name
+  repository_organization_name = var.asset_repository_organization_name
 }
 
 locals {
diff --git a/modules/download_asset/main.tf b/modules/download_asset/main.tf
@@ -10,7 +10,7 @@ terraform {
 data "github_release" "selected" {
   repository  = var.repository_name
   owner       = var.repository_organization_name
-  retrieve_by = var.asset_version_min
+  retrieve_by = var.asset_version
 }
 
 locals {
diff --git a/modules/download_asset/variables.tf b/modules/download_asset/variables.tf
@@ -8,7 +8,7 @@ variable "repository_name" {
   default = "fingerprint-pro-fastly-compute-proxy-integration"
 }
 
-variable "asset_version_min" {
+variable "asset_version" {
   type    = string
   default = "latest"
 }
diff --git a/terraform.tfvars.example b/terraform.tfvars.example
@@ -1,6 +1,5 @@
 fastly_api_key = "" # Your Fastly API Key comes here
 integration_domain = "metrics.mydomain.com" # Set here to the subdomain you have chosen for the integration, for example metrics.yourwebsite.com. Avoid terms commonly blocked by ad blockers like fingerprint, fpjs, etc.
-main_host = "metrics-origin.mydomain.com" # Set here to something like metrics-origin.yourwebsite.com. This origin does not need to exist because the VCL template will forward all valid requests to the appropriate Fingerprint servers.
 integration_path = "" # Main path to serve this proxy integration from. Please use random string minimum 6 characters long, no special characters like `w2kz84h`
 agent_script_download_path = "" # Fingerprint Javascript Agent download path. Please use random string minimum 6 characters long, no special characters like `w2kz84h`
 get_result_path = "" # Fingerprint Identification endpoint path. Please use random string minimum 6 characters long, no special characters like `w2kz84h`
diff --git a/trivy.yaml b/trivy.yaml
@@ -0,0 +1,18 @@
+timeout: 10m
+format: table
+dependency-tree: true
+list-all-pkgs: true
+exit-code: 1
+severity:
+  # - LOW
+  # - MEDIUM
+  - HIGH
+  - CRITICAL
+scan:
+  skip-dirs:
+    - assets/
+
+config:
+  misconfig-scanners: Terraform
+
+ignorefile: .trivyignore
diff --git a/variables.tf b/variables.tf
@@ -1,51 +1,72 @@
 variable "integration_domain" {
   type = string
-}
-
-variable "main_host" {
-  type = string
+  nullable = false
 }
 
 variable "integration_name" {
   type = string
   default = "fingerprint-fastly-compute-proxy-integration"
+  nullable = false
+  validation {
+    condition     = can(regex("^([a-zA-Z0-9\\-])+$", var.integration_name))
+    error_message = "value should only consist of alphanumeric values and dashes"
+  }
 }
 
 variable "config_store_prefix" {
   type = string
   default = "Fingerprint_Compute_Config_Store_"
+  nullable = false
+  validation {
+    condition     = can(regex("^([a-zA-Z0-9\\_])+$", var.config_store_prefix))
+    error_message = "value should only consist of alphanumeric values and underscores"
+  }
 }
 
 variable "secret_store_prefix" {
   type = string
   default = "Fingerprint_Compute_Secret_Store_"
+  nullable = false
+  validation {
+    condition     = can(regex("^([a-zA-Z0-9\\_])+$", var.secret_store_prefix))
+    error_message = "value should only consist of alphanumeric values and underscores"
+  }
 }
 
 variable "fastly_api_key" {
   type = string
+  nullable = false
 }
 
 variable "agent_script_download_path" {
   type = string
-  default = "agent"
+  nullable = false
+  validation {
+    condition     = can(regex("^([a-zA-Z0-9\\-])+$", var.agent_script_download_path))
+    error_message = "value should only consist of alphanumeric values and dashes"
+  }
 }
 
 variable "get_result_path" {
   type = string
-  default = "result"
+  nullable = false
+  validation {
+    condition     = can(regex("^([a-zA-Z0-9\\-])+$", var.get_result_path))
+    error_message = "value should only consist of alphanumeric values and dashes"
+  }
 }
 
-variable "repository_organization_name" {
+variable "asset_repository_organization_name" {
   type    = string
   default = "fingerprintjs"
 }
 
-variable "repository_name" {
+variable "asset_repository_name" {
   type    = string
   default = "fingerprint-pro-fastly-compute-proxy-integration"
 }
 
-variable "asset_version_min" {
+variable "asset_version" {
   type    = string
   default = "latest"
 }

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ terraform {`
`10`	`10`	`data "github_release" "selected" {`
`11`	`11`	`repository = var.repository_name`
`12`	`12`	`owner = var.repository_organization_name`
`13`		`- retrieve_by = var.asset_version_min`
	`13`	`+ retrieve_by = var.asset_version`
`14`	`14`	`}`
`15`	`15`
`16`	`16`	`locals {`
Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@ variable "repository_name" {`
`8`	`8`	`default = "fingerprint-pro-fastly-compute-proxy-integration"`
`9`	`9`	`}`
`10`	`10`
`11`		`-variable "asset_version_min" {`
	`11`	`+variable "asset_version" {`
`12`	`12`	`type = string`
`13`	`13`	`default = "latest"`
`14`	`14`	`}`