Terraform rules working

terraform/scripts/pre-commit

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# Pre-commit hook for Terraform security checks
+# Place this file in .git/hooks/pre-commit and make it executable
+
+# Colors for output
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+YELLOW='\033[0;33m'
+NC='\033[0m' # No Color
+
+echo -e "${YELLOW}Running Terraform security pre-commit checks...${NC}"
+
+# Only run checks if terraform files have changed
+TERRAFORM_FILES_CHANGED=$(git diff --cached --name-only | grep -E '\.tf$|\.tfvars$')
+
+if [ -z "$TERRAFORM_FILES_CHANGED" ]; then
+    echo -e "${GREEN}No Terraform files changed. Skipping security checks.${NC}"
+    exit 0
+fi
+
+# Store current directory
+CURRENT_DIR=$(pwd)
+
+# Check if scripts/run_security_checks.sh exists
+if [ -f "terraform/scripts/run_security_checks.sh" ]; then
+    # Change to terraform directory and run the security checks
+    cd terraform
+    if bash scripts/run_security_checks.sh --pre-commit; then
+        cd "$CURRENT_DIR"
+        echo -e "${GREEN}Terraform security checks passed!${NC}"
+        exit 0
+    else
+        cd "$CURRENT_DIR"
+        echo -e "${RED}Terraform security checks failed!${NC}"
+        echo -e "${YELLOW}You can bypass this check with git commit --no-verify, but this is NOT recommended.${NC}"
+        exit 1
+    fi
+else
+    echo -e "${RED}Security check script not found at terraform/scripts/run_security_checks.sh${NC}"
+    echo -e "${YELLOW}Skipping security checks. Please set up the security check script.${NC}"
+    exit 0
+fi 

terraform/scripts/run_security_checks.sh

@@ -0,0 +1,129 @@
+#!/bin/bash
+
+# Security Check Script for Terraform
+# This script runs all security checks on your Terraform configuration
+
+set -e
+
+# Colors for output
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+YELLOW='\033[0;33m'
+NC='\033[0m' # No Color
+
+echo -e "${YELLOW}Starting Terraform Security Checks...${NC}"
+
+# Check if we're in the terraform directory
+if [ ! -f "main.tf" ]; then
+    echo -e "${RED}Error: Please run this script from the terraform directory${NC}"
+    exit 1
+fi
+
+# Function to check if a command exists
+command_exists() {
+    command -v "$1" >/dev/null 2>&1
+}
+
+# Check for required tools
+echo -e "\n${YELLOW}Checking for required tools...${NC}"
+
+MISSING_TOOLS=0
+
+if ! command_exists terraform; then
+    echo -e "${RED}❌ terraform not found. Please install terraform.${NC}"
+    MISSING_TOOLS=1
+fi
+
+if ! command_exists conftest; then
+    echo -e "${RED}❌ conftest not found. Please install conftest.${NC}"
+    echo "   curl -L https://github.com/open-policy-agent/conftest/releases/download/v0.42.1/conftest_0.42.1_Linux_x86_64.tar.gz | tar xz"
+    echo "   sudo mv conftest /usr/local/bin/"
+    MISSING_TOOLS=1
+fi
+
+if ! command_exists tfsec; then
+    echo -e "${RED}❌ tfsec not found. Please install tfsec.${NC}"
+    echo "   curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash"
+    MISSING_TOOLS=1
+fi
+
+if ! command_exists checkov; then
+    echo -e "${RED}❌ checkov not found. Please install checkov.${NC}"
+    echo "   pip install checkov"
+    MISSING_TOOLS=1
+fi
+
+if [ $MISSING_TOOLS -eq 1 ]; then
+    echo -e "${RED}Please install missing tools before running security checks.${NC}"
+    exit 1
+fi
+
+echo -e "${GREEN}✅ All required tools are installed.${NC}"
+
+# Step 1: Terraform validation
+echo -e "\n${YELLOW}Running Terraform validation...${NC}"
+terraform validate
+if [ $? -eq 0 ]; then
+    echo -e "${GREEN}✅ Terraform validation passed.${NC}"
+else
+    echo -e "${RED}❌ Terraform validation failed.${NC}"
+    exit 1
+fi
+
+# Step 2: Run tfsec
+echo -e "\n${YELLOW}Running tfsec security scanner...${NC}"
+tfsec .
+TFSEC_EXIT=$?
+if [ $TFSEC_EXIT -eq 0 ]; then
+    echo -e "${GREEN}✅ tfsec scan passed.${NC}"
+else
+    echo -e "${RED}❌ tfsec found security issues.${NC}"
+    # We continue execution to run all checks
+fi
+
+# Step 3: Run checkov
+echo -e "\n${YELLOW}Running checkov security scanner...${NC}"
+checkov -d .
+CHECKOV_EXIT=$?
+if [ $CHECKOV_EXIT -eq 0 ]; then
+    echo -e "${GREEN}✅ checkov scan passed.${NC}"
+else
+    echo -e "${RED}❌ checkov found security issues.${NC}"
+    # We continue execution to run all checks
+fi
+
+# Step 4: Generate plan and run OPA policies
+echo -e "\n${YELLOW}Generating Terraform plan...${NC}"
+terraform plan -var-file="variables.tfvars" -out=tfplan
+terraform show -json tfplan > tfplan.json
+
+echo -e "\n${YELLOW}Running OPA policy checks...${NC}"
+if [ -d "policies" ]; then
+    conftest test tfplan.json -p policies/
+    CONFTEST_EXIT=$?
+    if [ $CONFTEST_EXIT -eq 0 ]; then
+        echo -e "${GREEN}✅ OPA policy checks passed.${NC}"
+    else
+        echo -e "${RED}❌ OPA policy checks found issues.${NC}"
+        # We continue execution to show summary
+    fi
+else
+    echo -e "${RED}❌ Policies directory not found. Skipping OPA checks.${NC}"
+    CONFTEST_EXIT=1
+fi
+
+# Summary
+echo -e "\n${YELLOW}Security Check Summary:${NC}"
+echo -e "Terraform Validation: $([ $? -eq 0 ] && echo -e "${GREEN}PASSED${NC}" || echo -e "${RED}FAILED${NC}")"
+echo -e "TFSec Security Scan: $([ $TFSEC_EXIT -eq 0 ] && echo -e "${GREEN}PASSED${NC}" || echo -e "${RED}FAILED${NC}")"
+echo -e "Checkov Security Scan: $([ $CHECKOV_EXIT -eq 0 ] && echo -e "${GREEN}PASSED${NC}" || echo -e "${RED}FAILED${NC}")"
+echo -e "OPA Policy Checks: $([ $CONFTEST_EXIT -eq 0 ] && echo -e "${GREEN}PASSED${NC}" || echo -e "${RED}FAILED${NC}")"
+
+# Final result
+if [ $TFSEC_EXIT -eq 0 ] && [ $CHECKOV_EXIT -eq 0 ] && [ $CONFTEST_EXIT -eq 0 ]; then
+    echo -e "\n${GREEN}All security checks passed!${NC}"
+    exit 0
+else
+    echo -e "\n${RED}Some security checks failed. Please address the issues before proceeding.${NC}"
+    exit 1
+fi