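---
# Blocking-mode pipeline: each stage must succeed before the next one runs
# (allow_failure is false on every job), so a Checkov finding on the source
# files or on the generated plan stops the Terraform apply.
stages:
  - checkov-test-files
  - tfplan
  - checkov-test-tfplan
  - tf-apply

# Checkov scan of the Terraform / IaC source files in the repository.
checkov-test-files:
  stage: checkov-test-files
  allow_failure: false  # set to true for AutoDevOps compatibility
  image:
    # NOTE(review): `latest` is a floating tag; pin the scanner to an immutable
    # reference (bridgecrew/checkov@sha256:<digest-placeholder>) so the image
    # executed here cannot change without a reviewed commit.
    name: bridgecrew/checkov:latest
    entrypoint:
      - '/usr/bin/env'
      - 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
  rules:
    # Opt-out switch shared with GitLab's SAST templates.
    - if: $SAST_DISABLED
      when: never
    # Only run when the branch contains files Checkov knows how to scan.
    - if: $CI_COMMIT_BRANCH
      exists:
        - '**/*.yml'
        - '**/*.yaml'
        - '**/*.json'
        - '**/*.template'
        - '**/*.tf'
        - '**/serverless.yml'
        - '**/serverless.yaml'
  script:
    # Use `script` to emulate `tty` for colored output. The pseudo-tty wrapper
    # would otherwise hide checkov's exit status, so it is captured in CKVEXIT
    # and re-raised to make a finding fail the job.
    - script -q -c 'checkov -d . ; echo $? > CKVEXIT'
    - exit $(cat CKVEXIT)

# Terraform plan, exported as JSON for the plan-level Checkov scan.
tfplan:
  stage: tfplan
  allow_failure: false  # set to true for AutoDevOps compatibility
  image:
    # NOTE(review): `light` is a floating tag; pin to a digest as for the
    # checkov image above.
    name: hashicorp/terraform:light
    entrypoint:
      - '/usr/bin/env'
      - 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
  script:
    - terraform --version
    # The CLI config is taken from the repository checkout; keep registry or
    # provider credentials out of it (use masked CI variables instead).
    - cp ./.terraformrc ~/.terraformrc
    - terraform init
    - terraform plan -out tf.plan
    - terraform show -json tf.plan > tf_plan.json
  artifacts:
    paths:
      - tf_plan.json
    name: tf_plan.json
    # The JSON plan can contain resource attributes (including values marked
    # sensitive in HCL) in plaintext; do not keep it downloadable indefinitely.
    expire_in: 1 week

# Checkov scan of the rendered plan produced by the tfplan job.
checkov-test-tfplan:
  stage: checkov-test-tfplan
  allow_failure: false  # set to true for AutoDevOps compatibility
  # Fetch artifacts only from the job that produced tf_plan.json.
  dependencies:
    - tfplan
  image:
    # NOTE(review): floating tag; pin to a digest (see checkov-test-files).
    name: bridgecrew/checkov:latest
    entrypoint:
      - '/usr/bin/env'
      - 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
  rules:
    - if: $SAST_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH
      exists:
        - '**/*.yml'
        - '**/*.yaml'
        - '**/*.json'
        - '**/*.template'
        - '**/*.tf'
        - '**/serverless.yml'
        - '**/serverless.yaml'
  script:
    # Use `script` to emulate `tty` for colored output; exit status is captured
    # in CKVEXIT and re-raised, exactly as in checkov-test-files.
    - script -q -c 'checkov -f ./tf_plan.json; echo $? > CKVEXIT'
    - exit $(cat CKVEXIT)

# Terraform apply (kept as a plan here; see the trailing comment).
tf-apply:
  stage: tf-apply
  allow_failure: false  # set to true for AutoDevOps compatibility
  image:
    # NOTE(review): floating tag; pin to a digest (see tfplan).
    name: hashicorp/terraform:light
    entrypoint:
      - '/usr/bin/env'
      - 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
  script:
    - terraform --version
    # Same .terraformrc caveat as in tfplan: no credentials in the checkout.
    - cp ./.terraformrc ~/.terraformrc
    - terraform init
    # NOTE(review): this job re-plans instead of consuming the tf.plan that
    # Checkov scanned, so what gets applied is not guaranteed to be what was
    # scanned. When switching to apply, publish tf.plan as an artifact from
    # tfplan and run `terraform apply tf.plan` here.
    - terraform plan # change to apply in prod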