[Add] Updated conftest to latest version, policies updated, precommit hook also updated

.gitlab-ci.yml

@@ -0,0 +1,115 @@
+stages:
+  - validate
+  - plan
+  - apply
+
+# Cache modules between jobs
+cache:
+  key: ${CI_COMMIT_REF_SLUG}
+  paths:
+    - .terraform
+
+variables:
+  TERRAFORM_VERSION: "1.10.5"
+  TF_STATE_NAME: ${CI_PROJECT_NAME}
+
+before_script:
+  - cd terraform
+  - apk add --update curl jq python3 py3-pip
+  - pip install checkov
+  - curl -LO "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip"
+  - unzip "terraform_${TERRAFORM_VERSION}_linux_amd64.zip" -d /usr/local/bin/
+  - curl -L "https://github.com/aquasecurity/trivy/releases/latest/download/trivy_$(uname -s)_$(uname -m).tar.gz" | tar xz
+  - mv trivy /usr/local/bin/
+  - curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash
+
+# Validate syntax and formatting
+terraform-validate:
+  stage: validate
+  image: hashicorp/terraform:${TERRAFORM_VERSION}
+  script:
+    - terraform init -backend=false
+    - terraform validate
+    - terraform fmt -check -recursive
+  only:
+    changes:
+      - "terraform/**/*.tf"
+
+# Security check with trivy
+trivy:
+  stage: validate
+  image: alpine:latest
+  script:
+    - trivy config --format junit --output trivy.test.xml --check-namespaces proxmox .
+  only:
+    changes:
+      - "terraform/**/*.tf"
+  artifacts:
+    reports:
+      junit: "trivy.test.xml"
+    paths:
+      - "trivy.test.xml"
+
+# Security check with checkov
+checkov:
+  stage: validate
+  image: alpine:latest
+  script:
+    - checkov -d . --quiet
+  only:
+    changes:
+      - "terraform/**/*.tf"
+
+# Policy validation with conftest
+policy-check:
+  stage: validate
+  image: alpine:latest
+  script:
+    - terraform init -backend=false
+    - terraform plan -out=tfplan
+    - terraform show -json tfplan > tfplan.json
+    - conftest test tfplan.json -p policies/
+  only:
+    changes:
+      - "terraform/**/*.tf"
+      - "terraform/policies/**/*.rego"
+
+# Create Terraform plan
+terraform-plan:
+  stage: plan
+  image: hashicorp/terraform:${TERRAFORM_VERSION}
+  script:
+    - terraform init
+    - terraform plan -out=tfplan
+    # Save the plan as an artifact
+    - terraform show -json tfplan > tfplan.json
+  artifacts:
+    paths:
+      - terraform/tfplan
+      - terraform/tfplan.json
+    expire_in: 1 week
+  only:
+    changes:
+      - "terraform/**/*.tf"
+  when: manual
+  needs:
+    - terraform-validate
+    - trivy
+    - checkov
+    - policy-check
+
+# Apply the changes
+terraform-apply:
+  stage: apply
+  image: hashicorp/terraform:${TERRAFORM_VERSION}
+  script:
+    - terraform init
+    - terraform apply -auto-approve tfplan
+  dependencies:
+    - terraform-plan
+  only:
+    changes:
+      - "terraform/**/*.tf"
+  when: manual
+  needs:
+    - terraform-plan