https://www.runatlantis.io/ logo
Title
s

Sarath S Kumar

03/08/2023, 2:00 PM
Hi Guys Anybody using any IaC code scanning methods in your atlantis workflows?
r

RB

03/08/2023, 2:01 PM
Yes
tflint, tfsec, tf-summarize
s

Sarath S Kumar

03/08/2023, 2:01 PM
can you give more context about the flow
r

RB

03/08/2023, 2:07 PM
Custom container Install tools Custom workflow init tflint tfsec then plan and apply steps
s

Sarath S Kumar

03/08/2023, 2:11 PM
So this scan will do only the updated file in the PR or entire code?
r

RB

03/08/2023, 2:12 PM
It depends on the flags
Here is a container i use and customize. It may not be up to date tho https://github.com/nitrocode/atlantis-terraform-module
c

Chastity Blackwell

03/08/2023, 2:13 PM
I have tflint etc in a pre-commit hook and then just run that as a separate validate step in a github action
šŸ‘ 2
r

RB

03/08/2023, 2:13 PM
That's probably the best way to do it! :)
(referring to the separate gh action)
s

Sarath S Kumar

03/08/2023, 2:20 PM
@Chastity Blackwell Are you trigger the github action from the pre_commit_hook?
c

Chastity Blackwell

03/08/2023, 2:22 PM
No, the hook is triggered via a push to a PR
Actually, I think I stole it from a previous employer's public repo šŸ™‚
s

Sarath S Kumar

03/08/2023, 2:24 PM
Could you please paste it here for a reference šŸ™‚
c

Chastity Blackwell

03/08/2023, 2:24 PM
This is what I have here:
name: validate

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master

# Pre-commit checking code was cribbed from trussworks/shared-actions
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v3
      - name: Set up homebrew
        uses: Homebrew/actions/setup-homebrew@master
      - name: Install prereqs for checks
        run: |
          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
          brew install terraform-docs
          brew install gh
          pip install pre-commit
      - name: Cache
        uses: actions/cache@v3
        with:
          path: ~/.cache/pre-commit
          key: pre-commit-dot-cache-{{ hashFiles('.pre-commit-config.yaml') }}
      - name: Pre-commit checks
        run: |
          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
          pre-commit run --all-files --show-diff-on-failure
šŸ‘ 1
I think that one is only running terraform-docs and terraform fmt
the .pre-commit-config.yaml looks like this:
repos:
  - repo: <https://github.com/pre-commit/pre-commit-hooks>
    rev: v3.4.0
    hooks:
      - id: trailing-whitespace

  - repo: <https://github.com/antonbabenko/pre-commit-terraform>
    rev: v1.47.0
    hooks:
      - id: terraform_fmt
      - id: terraform_docs
      # - id: terraform_validate

  - repo: <https://github.com/igorshubovych/markdownlint-cli>
    rev: v0.32.2
    hooks:
      - id: markdownlint
šŸ‘ 1
I can't remember why I'm not running validate, I need to probably take another look at that
But you should be able to do something pretty similar to add tflint or whatever else you want to add
w

wby

03/08/2023, 3:07 PM
We run these kinds of things in a CI pipeline (and also in pre-commit though that only works if people enable it)
c

Chastity Blackwell

03/08/2023, 3:07 PM
Yeah. Using precommit makes it easy to just throw it in a pipeline too though
w

wby

03/08/2023, 3:08 PM
For us, the pipeline is a lot more complex, but yeah.
current pre-commit config
šŸ‘ 1
note: Aqua is pushing folks from
tfsec
to
trivy
šŸ˜ž so far, I’m not liking working with trivy as much
c

Chastity Blackwell

03/08/2023, 3:11 PM
tfsec always drove me nuts because it scanned modules I pulled in from the registry
šŸ‘ 2
w

wby

03/08/2023, 3:12 PM
@Chastity Blackwell I had that problem too.
trivy
does that even worse.
tfsec
fixed at least most of the problems with that that I had in the past
c

Chastity Blackwell

03/08/2023, 3:13 PM
:blerg:
w

wby

03/08/2023, 3:13 PM
with tfsec, it at least seems to be smart enough to follow the chain of what’s actually included (most of the time).
trivy
uses the same scanning engine; I guess hopefully they fix all the remaining bugs, because they haven’t updated tfsec at all in a while
in CI, also have something that will auto run
tf fmt
and commit the results if there are unformatted files, and a daily integration test that tests core modules (using test kitchen)
and also added some simple checks for non-snake-case resource names
šŸ‘€ 1
c

Chastity Blackwell

03/08/2023, 3:19 PM
Care to share? šŸ™‚
s

Sarath S Kumar

03/08/2023, 3:21 PM
w

wby

03/08/2023, 3:36 PM
Absolutely. It’s dead simple, but is working pretty well so far. This is a Circle config, but the basic commands should work anywhere.
:thankyou: 1
I do something basically like this for the validate / init / tflint bits (in a project with a bunch of directories which are basically all terraform states) (first bit is specific to Circle’s parallel test splitting, but you could use a similar approach without it)
@Chastity Blackwell if you had issues w/ validate on the pre-commit hook before, maybe try with
- --hook-config=--retry-once-with-cleanup=true
if you didn’t already have it.
šŸ‘€ 1
c

Chastity Blackwell

03/08/2023, 3:45 PM
I'll give that a shot.
w

wby

03/08/2023, 3:49 PM
It deals with the issue where if the .terraform directory is stale, validation fails. Or something like that.
c

Chastity Blackwell

03/08/2023, 3:53 PM
ah...that might fix my issue then. Thanks!
w

wby

03/08/2023, 6:00 PM
to the OP’s original question: I’ve normally used the CI provider to run the checks, and then relied on the VCS provider’s required checks combined with things like Atlantis’s ā€œmergeableā€ requirement to enforce them. I don’t know of many cases where people are using atlantis to run / enforce those checks directly. it might be possible with some kind of custom workflow, but I think the other way is most typical, if it’s usable for you
ā˜ļø 1