Implemented GitHub composite action and linters to meet the requirements

of the lightweight secure terraform project.

Author: bradegler

.github/actions/secure-setup-terraform/action.yml

@@ -0,0 +1,61 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: 'secure-setup-terraform action'
+description: 'Verify that the installed terraform binary matches a pre-computed hash. Ensure that there is a checked in provider lock file and that it is read only so that terraform cannot update it.'
+inputs:
+  terraform_version:
+    description: 'The terraform version to install'
+    default: '1.3.2'
+    required: false
+  terraform_checksum:
+    description: 'The pinned terraform checksum for the specified version'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: 'checkout'
+      uses: 'actions/checkout@v3'
+    - name: 'download-linters'
+      shell: 'bash'
+      env:
+        release_version: '0.0.10'
+        release_location: 'https://github.com/bradegler/secure-setup-terraform/releases/tag'
+      run: |-
+        curl -H "Authorization: token ${{ github.token }}" -O "${{env.release_location}}/v${{env.release_version}}/secure-setup-terraform_${{env.release_version}}_linux_amd64.tar.gz"
+        tar xf secure-setup-terraform_${{env.release_version}}_linux_amd64.tar.gz
+
+    # Recursively search for terraform files in the current repo and run a linter that fails when it finds calls to 'local-exec'
+    - name: 'lint-local-exec'
+      shell: 'bash'
+      run: ./lint-local-exec ./
+
+    # Search the .github/workflows for this project and run a linter that fails if it finds a direct call to the 'hashicorp/setup-terraform' action
+    - name: 'lint-setup-terraform'
+      shell: 'bash'
+      run: ./lint-setup-terraform ./.github/workflows
+
+    - name: 'setup-terraform'
+      uses: 'hashicorp/setup-terraform@v2'
+      with:
+        terraform_version: '${{ inputs.terraform_version }}'
+    - 
+      name: 'verify-binary-checksum'
+      shell: 'bash'
+      run: |-
+        echo "${{ inputs.terraform_checksum }}  $(which terraform)" > terraform.sha256
+        shasum --algorithm 256 --check terraform.sha256
+
+

.github/workflows/generate-terraform-checksum.yml

@@ -0,0 +1,87 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: 'generate terraform checksum'
+
+on:
+  workflow_dispatch:
+    inputs:
+      terraform_version:
+        type: string
+        description: Terraform version (e.g 1.3.2)
+        required: false
+        default: '1.3.2'
+
+jobs:
+  get_and_verify_checksum:
+    runs-on: 'ubuntu-latest'
+    env:
+      VERSION: ${{ inputs.terraform_version }}
+    outputs:
+      binary_checksum: '${{ steps.verify-checksum.outputs.binary_checksum }}'
+      archive_checksum: '${{ steps.verify-checksum.outputs.archive_checksum }}'
+    steps:
+      - 
+        name: 'verify-checksum'
+        run: |-
+          # Set a local gnupg home so as not to pollute the environment
+          export GNUPGHOME=./.gnupg
+
+          # Terraform variables
+          export ARCH=darwin_amd64
+          export RELEASE_URL=https://releases.hashicorp.com/terraform/${VERSION}
+          export BIN_FILE=terraform_${VERSION}_${ARCH}.zip
+          export SHA_FILE=terraform_${VERSION}_SHA256SUMS
+          export SIG_FILE=terraform_${VERSION}_SHA256SUMS.sig
+
+          # Generate a temporary key to use for verification
+          gpg --batch --quick-generate-key --batch --passphrase "" [email protected]
+
+          # Retrieve the hashicorp key
+          curl --remote-name https://keybase.io/hashicorp/pgp_keys.asc
+
+          # Import the key from hashicorp
+          echo "importing key"
+          gpg --batch --import pgp_keys.asc
+
+          # Sign the hashicorp key with our key
+          echo "signing key"
+          gpg --batch --yes --trust-model always --sign-key 34365D9472D7468F
+
+          # Download the archive, sha file and signature
+          curl --remote-name ${RELEASE_URL}/${BIN_FILE}
+          curl --remote-name ${RELEASE_URL}/${SHA_FILE}
+          curl --remote-name ${RELEASE_URL}/${SIG_FILE}
+
+          # Verify the signature against the sha file
+          echo "verifying shas"
+          gpg --batch --verify ${SIG_FILE} ${SHA_FILE}
+
+          # Verify the archive's checksum
+          shasum --algorithm 256 --check --ignore-missing ${SHA_FILE}
+
+          # Extract the binary from the archive
+          unzip -o ${BIN_FILE}
+
+          # Extract only the shasum for the archive we care about
+          ARCH_SUM=$(grep ${BIN_FILE} ${SHA_FILE} | cut -d' ' -f1)
+
+          # Produce a checksum of the binary
+          BIN_SUM=$(shasum -a 256 terraform | cut -d' ' -f1)
+
+          # Store the binary and the archive checksums as outputs
+          echo "archive_checksum=${ARCH_SUM}"
+          echo "binary_checksum=${BIN_SUM}"
+
+          unset GNUPGHOME

.github/workflows/release.yml

@@ -0,0 +1,44 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: 'release'
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  release:
+    permissions:
+      contents: 'write'
+      packages: 'write'
+    runs-on: 'ubuntu-latest'
+    steps:
+      - uses: 'actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8' # ratchet:actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - uses: 'actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f' # ratchet:actions/setup-go@v3
+        with:
+          go-version: '1.19'
+      - uses: 'docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a' # ratchet:docker/login-action@v2
+        with:
+          registry: 'ghcr.io'
+          username: '${{ github.actor }}'
+          password: '${{ secrets.GITHUB_TOKEN }}'
+      - uses: 'goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757' # ratchet:goreleaser/goreleaser-action@v3
+        with:
+          version: 'latest'
+          args: 'release --rm-dist'
+        env:
+          GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'

.github/workflows/test.yml

@@ -0,0 +1,36 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: 'test'
+on:
+  push:
+    branches:
+      - 'main'
+  pull_request:
+    branches:
+      - 'main'
+  workflow_dispatch:
+concurrency:
+  group: '${{ github.workflow }}-${{ github.head_ref || github.ref }}'
+  cancel-in-progress: true
+jobs:
+  test:
+    runs-on: 'ubuntu-latest'
+    steps:
+      - uses: 'actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8' # ratchet:actions/checkout@v3
+      - uses: 'actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f' # ratchet:actions/setup-go@v3
+        with:
+          go-version: '1.18'
+      - run: |-
+          go test -count=1 -shuffle=on -timeout=10m -race ./...

.github/workflows/verify-secure-terraform.yml

@@ -0,0 +1,42 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: 'verify-secure-terraform'
+
+on:
+  workflow_dispatch:
+    inputs:
+      terraform_version:
+        type: string
+        description: Terraform version (e.g 1.3.2)
+        required: false
+        default: '1.3.2'
+      terraform_checksum:
+        type: string
+        description: Terraform version binary checksum
+        required: false
+        default: '5ae22d509e1f3c1644d4c8a905742e53598ec9f3cb12687bb1575f3f35c80830'
+
+jobs:
+  secure-setup-terraform:
+    runs-on: 'ubuntu-latest'
+    steps:
+    - name: 'checkout'
+      uses: 'actions/checkout@v3'
+    -
+      name: 'secure-setup-terraform'
+      uses: './.github/actions/secure-setup-terraform'
+      with:
+        terraform_version: ${{env.terraform_version}}
+        terraform_checksum: ${{env.terraform_checksum}}

.gitignore

@@ -22,5 +22,6 @@ go.work
 
 .terraform
 
-lint-local-exec
-lint-setup-terraform
+dist/
+
+verify-terraform

.goreleaser.yaml

@@ -0,0 +1,89 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+project_name: secure-setup-terraform
+
+env:
+  # Global env vars for go build
+  - 'CGO_ENABLED=0'
+  - 'GO111MODULE=on'
+  - 'GOPROXY=https://proxy.golang.org,direct'
+
+before:
+  hooks:
+    - 'go mod tidy'
+    - 'go mod verify'
+
+builds:
+  -
+    id: 'lint-local-exec'
+    main: './cmd/lint-local-exec'
+    binary: 'lint-local-exec'
+    mod_timestamp: '{{ .CommitTimestamp }}'
+    flags:
+      - '-a'
+      - '-trimpath'
+    ldflags:
+      - '-s'
+      - '-w'
+      - '-X={{ .ModulePath }}/cmd/lint-local-exec/version.Name=lint-local-exec'
+      - '-X={{ .ModulePath }}/cmd/lint-local-exec/version.Version={{ .Version }}'
+      - '-X={{ .ModulePath }}/cmd/lint-local-exec/version.Commit={{ .Commit }}'
+      - '-extldflags=-static'
+    goos:
+      - 'darwin'
+      - 'linux'
+    goarch:
+      - 'amd64'
+      - 'arm64'
+  -
+    id: 'lint-setup-terraform'
+    main: './cmd/lint-setup-terraform'
+    binary: 'lint-setup-terraform'
+    mod_timestamp: '{{ .CommitTimestamp }}'
+    flags:
+      - '-a'
+      - '-trimpath'
+    ldflags:
+      - '-s'
+      - '-w'
+      - '-X={{ .ModulePath }}/cmd/lint-setup-terraform/version.Name=lint-setup-terraform'
+      - '-X={{ .ModulePath }}/cmd/lint-setup-terraform/version.Version={{ .Version }}'
+      - '-X={{ .ModulePath }}/cmd/lint-setup-terraform/version.Commit={{ .Commit }}'
+      - '-extldflags=-static'
+    goos:
+      - 'darwin'
+      - 'linux'
+    goarch:
+      - 'amd64'
+      - 'arm64'
+
+archives:
+  - format: 'tar.gz'
+    name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}'
+    format_overrides:
+      - goos: 'windows'
+        format: 'zip'
+
+checksum:
+  name_template: '{{ .ProjectName }}_{{ .Version }}_SHA512SUMS'
+  algorithm: 'sha512'
+
+changelog:
+  use: 'github'
+  sort: 'asc'
+
+release:
+  draft: false
+  mode: 'replace'