New pre commit hook

.githooks/pre-commit

@@ -0,0 +1,208 @@
+#!/bin/bash
+#set -x
+
+#the name of the program to be used in messages
+PREFIX="$(basename $0)"
+# the filename used to hold the latest results of any tfsec scan
+RESULTS_FILE="tfsec-scan-output.txt"
+# the directory where the tfscan results file is written
+TFSEC_RESULTS_DIR="/tmp/tfsec-results"
+# the directory where all the terraform files that are to be scanned, are copied to.
+TFSEC_WORKING_DIR="/tmp/tfsec-files"
+
+# *****************************************************************************************
+# initialise()
+#   This function initialises the directories, and resets any global variables.
+# *****************************************************************************************
+initialise() { 
+  create-directory "$TFSEC_WORKING_DIR"
+  create-directory "$TFSEC_RESULTS_DIR"
+  ALLOW_TFSEC_ISSUES="no"
+  if [ x"${TFSEC_PRECOMMIT_ARGS}" == "x" ];
+  then
+    show-msg "TFSEC_PRECOMMIT_ARGS variable not set. So we will call tfsec with no additional arguments.."
+  else
+    show-msg "TFSEC_PRECOMMIT_ARGS variable IS set. So we will call tfsec with these additional ARGS of $TFSEC_PRECOMMIT_ARGS"
+  fi
+}
+
+# *****************************************************************************************
+# create-directory()
+#   This function creates a new directory afresh, deleting any existing directory first.
+# *****************************************************************************************
+create-directory() {
+  # first check if working directory already exists
+  if [[ -d ${1} ]]
+  then
+    #remove directory and any contents
+    rm -r "${1}"
+  fi
+  # now freshly create the directory
+  mkdir -p "${1}"
+}
+
+# *****************************************************************************************
+# check-staged-files-to-populate-global-vars()
+#   This function gets the list of GIT staged files, and populates global variables 
+#   that ares used throughout the script.
+# *****************************************************************************************
+check-staged-files-to-populate-global-vars() {
+  STAGED_FILE_LIST="$(git diff --diff-filter=d --cached --name-only)"
+  TF_FILE_LIST="$(echo "$STAGED_FILE_LIST" | grep -E '\.(tf)$')"
+  if [[ ! -z "$TF_FILE_LIST" ]] && [[ ${#TF_FILE_LIST[@]} -gt 0 ]]
+  then
+    TERRAFORM_FILES_STAGED="yes"
+  else
+    TERRAFORM_FILES_STAGED="no"
+  fi
+}
+
+# *****************************************************************************************
+# copy-tf-files-to-be-scanned()
+#   This function copies the staged Terraform files to a working diretory.
+#   It also checks if the $RESULTS_FILE has been staged too. If so, this means that 
+#   the user wants to let the commit through despite any tfsec issues. 
+#   A global flag is therefore set accordingly in that case. 
+# *****************************************************************************************
+copy-tf-files-to-be-scanned() {
+  show-msg "Performing a tfsec scan on the terraform files you have staged (only terraform .tf files will be parsed)."
+  show-msg "The list of files to be scanned by tfsec will be as follows.."
+
+  # browse through ALL files , not only the TF files
+  for VALUE in ${STAGED_FILE_LIST}
+  do
+    # copy all TF files to /tmp/tfsec-files
+    if [[ $VALUE == *.tf ]]
+    then
+      show-msg "FILE: $VALUE"
+      cp "${VALUE}" "${TFSEC_WORKING_DIR}"
+    fi
+
+    # check if the tfsec-scan-output file has been staged
+    if [[ $VALUE == $RESULTS_FILE ]]
+    then
+      # by staging this file, the user has indicated that they want to allow through the commit despite the tfsec issues.
+      ALLOW_TFSEC_ISSUES="yes"
+      # also copy this to the same directory so that a diff can take place later between this staged file and the latest scan output
+      cp "${VALUE}" "${TFSEC_WORKING_DIR}"
+    fi
+  done
+}
+
+# *****************************************************************************************
+# remove-timing-stats-from-scan-output()
+#   This function removes any lines showing timing stats from the tfsec results.
+#   This then means that 2 tfsec results files can be compared easily.
+# *****************************************************************************************
+remove-timing-stats-from-scan-output() {
+  # remove any timing stats from the file, as these are problematic when doing a diff
+  # firstly, save the file before any sed replacement just in case we wish to troubleshoot
+  cp "${TFSEC_RESULTS_DIR}/${RESULTS_FILE}" "${TFSEC_RESULTS_DIR}"/tfsec-scan-output-orig.txt
+  sed -i '/^  disk i/d' "${TFSEC_RESULTS_DIR}/${RESULTS_FILE}"
+  sed -i '/^  parsing/d' "${TFSEC_RESULTS_DIR}/${RESULTS_FILE}"
+  sed -i '/^  adaptation/d' "${TFSEC_RESULTS_DIR}/${RESULTS_FILE}"
+  sed -i '/^  checks/d' "${TFSEC_RESULTS_DIR}/${RESULTS_FILE}"
+  sed -i '/^  total/d' "${TFSEC_RESULTS_DIR}/${RESULTS_FILE}"
+}
+
+# *****************************************************************************************
+# allow-commit-despite-tfsec-issues()
+#   This function outputs messages indicating that the commit has been allowed,
+#   even though there may be tfsec issues reported.
+# *****************************************************************************************
+allow-commit-despite-tfsec-issues() {
+  show-msg "Your Commit is being let through despite tfsec issues!!!"
+  show-msg "You have indicated that we should let the commit go through, but please review the tfsec issues detected with the team!"
+  show-msg "The tfsec-scan-output.txt file has details of these tfsec issues shown and has been committed too"
+}
+
+# *****************************************************************************************
+# deny-commit-tfsec-not-up-to-date()
+#   This function outputs messages indicating that the commit has been denied,
+#   due to the program detecting differences in the tfsec results file staged, and the most recent run
+# *****************************************************************************************
+deny-commit-tfsec-not-up-to-date() {
+  show-err "Your Commit is disallowed and has been aborted!!!"
+  show-err "Even though you have GIT add(ed) your $RESULTS_FILE file, it is not up to date."
+  show-msg "Please check the latest issues in $TFSEC_RESULTS_DIR/$RESULTS_FILE and see if you wish to still ignore"
+  show-msg "If you still wish to ignore issues, please GIT add the latest file $TFSEC_RESULTS_DIR/$RESULTS_FILE"
+}
+
+# *****************************************************************************************
+# deny-commit-outstanding-tfsec-issues()
+#   This function outputs messages indicating that the commit has been denied,
+#   because there are outstanding tfsec issues identified.
+# *****************************************************************************************
+deny-commit-outstanding-tfsec-issues() {
+  show-err "Your Commit is disallowed and has been aborted!!!"
+  show-err "You should aim to fix the above reported tfsec issues."
+  show-err "The output of the tfsec scan was also written to the file $TFSEC_RESULTS_DIR/$RESULTS_FILE"
+  show-msg "NOTE : If you cannot fix and instead want these to be reviewed, please GIT add the following file"
+  show-msg "NOTE : (The file to GIT add is $RESULTS_FILE)"
+  show-msg "NOTE : (Please copy to your home directory from $TFSEC_RESULTS_DIR/$RESULTS_FILE)"
+  show-msg "NOTE : If you GIT add the above file, the commit will be allowed through"
+}
+
+# *****************************************************************************************
+# show-msg()
+#   This function shows an INFO level message to stdout.
+# *****************************************************************************************
+show-msg() {
+  echo "${PREFIX} - INFO - ${1}"
+}
+
+# *****************************************************************************************
+# show-err()
+#   This function shows an ERROR level message to stdout
+# *****************************************************************************************
+show-err() {
+  echo "${PREFIX} - ERROR - ${1}"
+}
+
+# *****************************************************************************************
+# MAIN STARTING POINT OF PROGRAM.
+#   The start of the main program.
+#   This is a pre-commit hook performing tfsec scan of terraform files that have been staged.
+#
+# *****************************************************************************************
+
+# set up working directories
+initialise
+
+# get the list of files staged as part of this commit.
+check-staged-files-to-populate-global-vars
+
+# if there are staged terraform files then run the tfsec scan, and decide whether to allow or deny the commit accordingly.
+if [[ "$TERRAFORM_FILES_STAGED" = "yes" ]]
+then
+  # copy the terraform files to the working directory
+  copy-tf-files-to-be-scanned
+
+  # do the latest tfsec scan on the files that have been staged
+  if ! tfsec "$TFSEC_WORKING_DIR" $TFSEC_PRECOMMIT_ARGS --no-colour --out "${TFSEC_RESULTS_DIR}/${RESULTS_FILE}";
+  then
+    # remove the timing stats from the results so that any two results files can be compared
+    remove-timing-stats-from-scan-output
+
+    # if user has indicated that he/she wants to allow through teh commit despite the issues..
+    if [[ "$ALLOW_TFSEC_ISSUES" = "yes" ]]
+    then
+      # check that the file added is exactly the same as the latest tfsec issues. They must be identical in order for the commit to be allowed through
+      DIFF_RESULT="$(diff "${TFSEC_RESULTS_DIR}/${RESULTS_FILE}" "${TFSEC_WORKING_DIR}/${RESULTS_FILE}")"
+      if [ $? -eq 0 ]
+      then
+        # allow the commit
+        allow-commit-despite-tfsec-issues
+        exit 0
+      else
+        # deny the commit
+        deny-commit-tfsec-not-up-to-date
+        exit 1
+      fi
+    else
+      # deny the commit
+      deny-commit-outstanding-tfsec-issues
+      exit 1
+    fi
+  fi
+fi

README.md

@@ -1 +1,11 @@
-# tfsec-testing
+
+## Instructions on using git hooks in this repository.
+---
+*Please run the following command to set the git hooks directory as .githooks/*
+---
+git config --local core.hooksPath .githooks/
+
+*The pre-commit hook*
+---
+This pre-commit hooks runs *tfsec* on any Terraform (.tf) files included as part of the commit.
+If it finds *tfsec* issues reported, it will then disallow the commit. To override this, read the full instructions on what to do. This is output by the pre-commit hook 

main.tf

@@ -1,7 +1,8 @@
 variable "region" {
   default = "eu-west-2"
 }
-#raj added a new comment
+#raj added a new jhkhkjh fred comment
+#raj added another new comment
 provider "aws" {
   alias  = "sandbox"
   region = var.region
@@ -12,7 +13,7 @@ provider "aws" {
 
 resource "aws_s3_bucket" "foo-bucket" {
   region        = var.region
-  bucket        = local.bucket_name
+  bucket        = "fred"
   force_destroy = true
 
   tags = {
@@ -36,6 +37,8 @@ resource "aws_s3_bucket" "foo-bucket" {
   acl           = "private"
 }
 
+#call a module
+#fred is here
 #hello world
 module "raj_otherstuff" {
   source = "./modules/otherstuff"

modules/otherstuff/fred.tf

@@ -0,0 +1,42 @@
+variable "region" {
+  default = "eu-west-2"
+}
+#raj added a new comment
+provider "aws" {
+  alias  = "sandbox"
+  region = var.region
+  assume_role {
+    role_arn = "arn:aws:iam::${var.sandbox_account_id}:role/AdministratorAccess"
+  }
+}
+
+resource "aws_s3_bucket" "foo-bucket" {
+  region        = var.region
+  bucket        = local.bucket_name
+  force_destroy = true
+
+  tags = {
+    Name = "foo-${data.aws_caller_identity.current.account_id}"
+  }
+  versioning {
+    enabled = true
+  }
+  logging {
+    target_bucket = "${aws_s3_bucket.log_bucket.id}"
+    target_prefix = "log/"
+  }
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        kms_master_key_id = "${aws_kms_key.mykey.arn}"
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+  acl           = "private"
+}
+
+#call a module
+module "raj_otherstuff" {
+  source = "./modules/otherstuff"
+}

modules/otherstuff/main.tf

@@ -7,7 +7,7 @@ resource "aws_security_group" "bastion_sg" {
     name = "bastion_sg"
     vpc_id = aws_vpc.main.id
 }
-
+#tidy up comment
 resource "aws_security_group_rule" "bastion_sg_ingress" {
     security_group_id = aws_security_group.bastion_sg.id
 #rajk just adding harmless comment