From fe845b8ee56cf34fbca2634a8efb0662cb373ac2 Mon Sep 17 00:00:00 2001 From: Robi Nino Date: Wed, 23 Aug 2023 11:51:58 +0300 Subject: [PATCH 1/3] Update go.mod (#2147)
---
 go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index adfe3fa2c..ca267805a 100644
--- a/go.mod
+++ b/go.mod
@@ -124,7 +124,7 @@ require (
 replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go v1.8.9-0.20230820165857-52ff32c4d8eb
-replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20230820173924-42a2e0e230ad
+replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20230823084658-46b57ad6ca5a
 // replace github.com/jfrog/gofrog => github.com/jfrog/gofrog v1.2.6-0.20230418122323-2bf299dd6d27
diff --git a/go.sum b/go.sum
index 95da8c2cd..57f6f2d3c 100644
--- a/go.sum
+++ b/go.sum
@@ -241,8 +241,8 @@ github.com/jfrog/build-info-go v1.8.9-0.20230820165857-52ff32c4d8eb h1:Y6ZxvUkUu
 github.com/jfrog/build-info-go v1.8.9-0.20230820165857-52ff32c4d8eb/go.mod h1:t31QRpH5xUJKw8XkQlAA+Aq7aanyS1rrzpcK8xSNVts=
 github.com/jfrog/gofrog v1.3.0 h1:o4zgsBZE4QyDbz2M7D4K6fXPTBJht+8lE87mS9bw7Gk=
 github.com/jfrog/gofrog v1.3.0/go.mod h1:IFMc+V/yf7rA5WZ74CSbXe+Lgf0iApEQLxRZVzKRUR0=
-github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20230820173924-42a2e0e230ad h1:waKR0ESxEht8TWc69oAAvqYQjFt7a5/urlIVadEp6vY=
-github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20230820173924-42a2e0e230ad/go.mod h1:HQLbuRqHCrbZpTiANY1bTwBpgetEeQ1dXQL2ssXg66I=
+github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20230823084658-46b57ad6ca5a h1:vCji0S/QJgLmZ8mUWoo/6DocbjsMpXgvzwhdDhbQ3bE=
+github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20230823084658-46b57ad6ca5a/go.mod h1:HQLbuRqHCrbZpTiANY1bTwBpgetEeQ1dXQL2ssXg66I=
 github.com/jfrog/jfrog-client-go v1.31.4 h1:jUKwQ68yBBHQlwNzN6bY8sh1Ey8PbqOqh9mzkzp+yHc=
 github.com/jfrog/jfrog-client-go v1.31.4/go.mod h1:Yyz+Qjorop0CycJAjk67y6UbyLK5b7dQaPMcy1THIJw=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
From 469a41d250be443aca939239a9031a87d5f371c1 Mon Sep 17 00:00:00 2001 From: Eyal Ben Moshe Date: Thu, 24 Aug 2023 02:25:15 +0300 Subject: [PATCH 2/3] Promoted version to 2.46.0 (#2152)
---
 build/npm/v2-jf/package-lock.json | 2 +- build/npm/v2-jf/package.json | 2 +- build/npm/v2/package-lock.json | 2 +- build/npm/v2/package.json | 2 +- go.mod | 10 +++++----- go.sum | 12 ++++++------ utils/cliutils/cli_consts.go | 2 +- 7 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/build/npm/v2-jf/package-lock.json b/build/npm/v2-jf/package-lock.json
index 919a6d4a5..13ae6698a 100644
--- a/build/npm/v2-jf/package-lock.json
+++ b/build/npm/v2-jf/package-lock.json
@@ -1,5 +1,5 @@
 {
 "name": "jfrog-cli-v2-jf",
-"version": "2.45.0",
+"version": "2.46.0",
 "lockfileVersion": 1
 }
diff --git a/build/npm/v2-jf/package.json b/build/npm/v2-jf/package.json
index c751c0afd..b73a6b898 100644
--- a/build/npm/v2-jf/package.json
+++ b/build/npm/v2-jf/package.json
@@ -1,6 +1,6 @@
 {
 "name": "jfrog-cli-v2-jf",
-"version": "2.45.0",
+"version": "2.46.0",
 "description": "🐸 Command-line interface for JFrog Artifactory, Xray, Distribution, Pipelines and Mission Control 🐸",
 "homepage": "https://github.com/jfrog/jfrog-cli",
 "preferGlobal": true,
diff --git a/build/npm/v2/package-lock.json b/build/npm/v2/package-lock.json
index 7b054c99e..723e0eba5 100644
--- a/build/npm/v2/package-lock.json
+++ b/build/npm/v2/package-lock.json
@@ -1,5 +1,5 @@
 {
 "name": "jfrog-cli-v2",
-"version": "2.45.0",
+"version": "2.46.0",
 "lockfileVersion": 1
 }
diff --git a/build/npm/v2/package.json b/build/npm/v2/package.json
index 3f80b24f4..b61ede03f 100644
--- a/build/npm/v2/package.json
+++ b/build/npm/v2/package.json
@@ -1,6 +1,6 @@
 {
 "name": "jfrog-cli-v2",
-"version": "2.45.0",
+"version": "2.46.0",
 "description": "🐸 Command-line interface for JFrog Artifactory, Xray, Distribution, Pipelines and Mission Control 🐸",
 "homepage": "https://github.com/jfrog/jfrog-cli",
 "preferGlobal": true,
diff --git a/go.mod b/go.mod
index ca267805a..704bc729b 100644
--- a/go.mod
+++ b/go.mod
@@ -7,10 +7,10 @@ require (
 github.com/buger/jsonparser v1.1.1
 github.com/go-git/go-git/v5 v5.8.1
 github.com/gocarina/gocsv v0.0.0-20230616125104-99d496ca653d
-github.com/jfrog/build-info-go v1.9.7
+github.com/jfrog/build-info-go v1.9.8
 github.com/jfrog/gofrog v1.3.0
-github.com/jfrog/jfrog-cli-core/v2 v2.40.1
-github.com/jfrog/jfrog-client-go v1.31.4
+github.com/jfrog/jfrog-cli-core/v2 v2.41.0
+github.com/jfrog/jfrog-client-go v1.31.5
 github.com/jszwec/csvutil v1.8.0
 github.com/mholt/archiver/v3 v3.5.1
 github.com/stretchr/testify v1.8.4
@@ -122,9 +122,9 @@ require (
 gopkg.in/yaml.v3 v3.0.1 // indirect
 )
-replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go v1.8.9-0.20230820165857-52ff32c4d8eb
+// replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go v1.8.9-0.20230820165857-52ff32c4d8eb
-replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20230823084658-46b57ad6ca5a
+// replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20230823084658-46b57ad6ca5a
 // replace github.com/jfrog/gofrog => github.com/jfrog/gofrog v1.2.6-0.20230418122323-2bf299dd6d27
diff --git a/go.sum b/go.sum
index 57f6f2d3c..039d9558e 100644
--- a/go.sum
+++ b/go.sum
@@ -237,14 +237,14 @@ github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOl
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jedib0t/go-pretty/v6 v6.4.6 h1:v6aG9h6Uby3IusSSEjHaZNXpHFhzqMmjXcPq1Rjl9Jw=
 github.com/jedib0t/go-pretty/v6 v6.4.6/go.mod h1:Ndk3ase2CkQbXLLNf5QDHoYb6J9WtVfmHZu9n8rk2xs=
-github.com/jfrog/build-info-go v1.8.9-0.20230820165857-52ff32c4d8eb h1:Y6ZxvUkUukRqI2otvOlDIfWTVttmapizKAAllEETB44=
-github.com/jfrog/build-info-go v1.8.9-0.20230820165857-52ff32c4d8eb/go.mod h1:t31QRpH5xUJKw8XkQlAA+Aq7aanyS1rrzpcK8xSNVts=
+github.com/jfrog/build-info-go v1.9.8 h1:D8/ga+YgQpqp/CJj2zteS4/twmSy8zvm1v9lCd2Kv1M=
+github.com/jfrog/build-info-go v1.9.8/go.mod h1:t31QRpH5xUJKw8XkQlAA+Aq7aanyS1rrzpcK8xSNVts=
 github.com/jfrog/gofrog v1.3.0 h1:o4zgsBZE4QyDbz2M7D4K6fXPTBJht+8lE87mS9bw7Gk=
 github.com/jfrog/gofrog v1.3.0/go.mod h1:IFMc+V/yf7rA5WZ74CSbXe+Lgf0iApEQLxRZVzKRUR0=
-github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20230823084658-46b57ad6ca5a h1:vCji0S/QJgLmZ8mUWoo/6DocbjsMpXgvzwhdDhbQ3bE=
-github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20230823084658-46b57ad6ca5a/go.mod h1:HQLbuRqHCrbZpTiANY1bTwBpgetEeQ1dXQL2ssXg66I=
-github.com/jfrog/jfrog-client-go v1.31.4 h1:jUKwQ68yBBHQlwNzN6bY8sh1Ey8PbqOqh9mzkzp+yHc=
-github.com/jfrog/jfrog-client-go v1.31.4/go.mod h1:Yyz+Qjorop0CycJAjk67y6UbyLK5b7dQaPMcy1THIJw=
+github.com/jfrog/jfrog-cli-core/v2 v2.41.0 h1:M2z/BuZKZc4DHtmO3Jx49bf5qCLyfLG8jJ9/iKpkALs=
+github.com/jfrog/jfrog-cli-core/v2 v2.41.0/go.mod h1:YqB9rEJF1P7uGLIPUvF5qdDDf1zM5f4DneIQNkqyAfs=
+github.com/jfrog/jfrog-client-go v1.31.5 h1:dYVgIJzMwX+EU9GEELKPSHFLyfW6UrrjZWMEZtAyx6A=
+github.com/jfrog/jfrog-client-go v1.31.5/go.mod h1:icb00ZJN/mMMNkQduHDkzpqsXH9Flwi3f3COYexq3Nc=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod
h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/jszwec/csvutil v1.8.0 h1:G7vS2LGdpZZDH1HmHeNbxOaJ/ZnJlpwGFvOkTkJzzNk=
diff --git a/utils/cliutils/cli_consts.go b/utils/cliutils/cli_consts.go
index da90a6a15..cb926179e 100644
--- a/utils/cliutils/cli_consts.go
+++ b/utils/cliutils/cli_consts.go
@@ -4,7 +4,7 @@ import "time"
 const (
 // General CLI constants
-CliVersion = "2.45.0"
+CliVersion = "2.46.0"
 ClientAgent = "jfrog-cli-go"
 // CLI base commands constants:
From 9845a7c1f329d46abec42e42add50ecb52a5d576 Mon Sep 17 00:00:00 2001
From: Omer Zidkoni <50792403+omerzi@users.noreply.github.com> Date: Thu, 24 Aug 2023 09:27:36 +0300 Subject: [PATCH 3/3] Add JAS integration tests (#2123) --- testdata/xray/jas/iac/azure/vpc/module.tf | 116 ++++++++++ testdata/xray/jas/iac/azure/vpc/outputs.tf | 79 +++++++ testdata/xray/jas/iac/azure/vpc/variables.tf | 39 ++++ testdata/xray/jas/iac/azure/vpc/versions.tf | 4 + testdata/xray/jas/iac/azure/vpc_pp/module.tf | 34 +++ testdata/xray/jas/iac/azure/vpc_pp/outputs.tf | 62 ++++++ .../xray/jas/iac/azure/vpc_pp/variables.tf | 40 ++++ .../xray/jas/iac/azure/vpc_pp/versions.tf | 4 + .../jas/iac/gcp/k8s-oss/files/chk_k8s_nat | 17 ++ testdata/xray/jas/iac/gcp/k8s-oss/module.tf | 158 +++++++++++++ testdata/xray/jas/iac/gcp/k8s-oss/outputs.tf | 54 +++++ .../xray/jas/iac/gcp/k8s-oss/variables.tf | 102 +++++++++ testdata/xray/jas/iac/gcp/k8s-oss/versions.tf | 4 + .../gcp/k8s-pipelines-bp/files/chk_k8s_nat | 17 ++ .../jas/iac/gcp/k8s-pipelines-bp/module.tf | 207 ++++++++++++++++++ .../jas/iac/gcp/k8s-pipelines-bp/outputs.tf | 54 +++++ .../xray/jas/iac/gcp/k8s-pipelines-bp/rbac.tf | 61 ++++++ .../jas/iac/gcp/k8s-pipelines-bp/variables.tf | 137 ++++++++++++ .../jas/iac/gcp/k8s-pipelines-bp/versions.tf | 4 + testdata/xray/jas/main.py | 5 + testdata/xray/jas/requirements.txt | 1 + testdata/xray/jas/secrets/more_secrets/key | 7 + .../xray/jas/secrets/more_secrets/sequence | 2 + .../xray/jas/secrets/secret_generic/blacklist | 9 + .../xray/jas/secrets/secret_generic/gibberish | 10 + xray_test.go | 59 ++++- 26 files changed, 1283 insertions(+), 3 deletions(-) create mode 100644 testdata/xray/jas/iac/azure/vpc/module.tf create mode 100644 testdata/xray/jas/iac/azure/vpc/outputs.tf create mode 100644 testdata/xray/jas/iac/azure/vpc/variables.tf create mode 100644 testdata/xray/jas/iac/azure/vpc/versions.tf create mode 100644 testdata/xray/jas/iac/azure/vpc_pp/module.tf create mode 100644 testdata/xray/jas/iac/azure/vpc_pp/outputs.tf create mode 100644 
testdata/xray/jas/iac/azure/vpc_pp/variables.tf create mode 100644 testdata/xray/jas/iac/azure/vpc_pp/versions.tf create mode 100644 testdata/xray/jas/iac/gcp/k8s-oss/files/chk_k8s_nat create mode 100644 testdata/xray/jas/iac/gcp/k8s-oss/module.tf create mode 100644 testdata/xray/jas/iac/gcp/k8s-oss/outputs.tf create mode 100644 testdata/xray/jas/iac/gcp/k8s-oss/variables.tf create mode 100644 testdata/xray/jas/iac/gcp/k8s-oss/versions.tf create mode 100644 testdata/xray/jas/iac/gcp/k8s-pipelines-bp/files/chk_k8s_nat create mode 100644 testdata/xray/jas/iac/gcp/k8s-pipelines-bp/module.tf create mode 100644 testdata/xray/jas/iac/gcp/k8s-pipelines-bp/outputs.tf create mode 100644 testdata/xray/jas/iac/gcp/k8s-pipelines-bp/rbac.tf create mode 100644 testdata/xray/jas/iac/gcp/k8s-pipelines-bp/variables.tf create mode 100644 testdata/xray/jas/iac/gcp/k8s-pipelines-bp/versions.tf create mode 100644 testdata/xray/jas/main.py create mode 100644 testdata/xray/jas/requirements.txt create mode 100644 testdata/xray/jas/secrets/more_secrets/key create mode 100644 testdata/xray/jas/secrets/more_secrets/sequence create mode 100644 testdata/xray/jas/secrets/secret_generic/blacklist create mode 100644 testdata/xray/jas/secrets/secret_generic/gibberish
diff --git a/testdata/xray/jas/iac/azure/vpc/module.tf b/testdata/xray/jas/iac/azure/vpc/module.tf
new file mode 100644
index 000000000..9bdbab532
--- /dev/null
+++ b/testdata/xray/jas/iac/azure/vpc/module.tf
@@ -0,0 +1,116 @@ + +#Azure Generic vNet Module +resource "azurerm_resource_group" "network" { + count = var.module_enabled ? 1 : 0 + name = var.short_region != " " ? var.short_region : "${var.deploy_name}-${var.region}" + location = var.region + + tags = { + environment = var.environment + } +} + +resource "azurerm_virtual_network" "vnet" { + count = var.module_enabled ? 1 : 0 + name = "${var.deploy_name}-${var.region}" + location = var.region + address_space = [var.vpc_cidr] + resource_group_name = azurerm_resource_group.network[0].name + + tags = { + environment = var.environment + costcenter = "${var.deploy_name}-${var.region}" + } +} + +resource "azurerm_subnet" "subnet" { + count = var.module_enabled ? length(var.subnet_names) : 0 + name = var.subnet_names[count.index] + virtual_network_name = azurerm_virtual_network.vnet[0].name + resource_group_name = azurerm_resource_group.network[0].name + address_prefixes = [var.subnet_prefixes[count.index]] +# service_endpoints = [ +# "Microsoft.KeyVault" +# ] + + dynamic "delegation"{ + for_each =var.subnet_names[count.index] == "flexible-dbs" ? ["exec"] : [] + content { + name = "dlg-Microsoft.DBforPostgreSQL-flexibleServers" + service_delegation { + name = "Microsoft.DBforPostgreSQL/flexibleServers" + actions = [ + "Microsoft.Network/virtualNetworks/subnets/join/action" + ] + } + } + } + + enforce_private_link_endpoint_network_policies = var.subnet_names[count.index] == "data" + enforce_private_link_service_network_policies = var.subnet_names[count.index] == "private" && var.enforce_pl_svc_net_private + lifecycle { + ignore_changes = [ + service_endpoints, + delegation[0].name + ] + } +} + + +resource "azurerm_private_dns_zone" "postgres_private_dns" { + count = var.module_enabled ? 1 : 0 + name = "privatelink.postgres.database.azure.com" + resource_group_name = azurerm_resource_group.network[0].name +} + +resource "random_string" "postgres_private_dns_net_link_name" { + count = var.module_enabled ? 
1 : 0 + length = 8 + special = false + number = false + upper = false +} + +resource "azurerm_private_dns_zone_virtual_network_link" "postgres_private_dns_net_link" { + count = var.module_enabled ? 1 : 0 + name = random_string.postgres_private_dns_net_link_name[0].result + resource_group_name = azurerm_resource_group.network[0].name + private_dns_zone_name = azurerm_private_dns_zone.postgres_private_dns[0].name + virtual_network_id = azurerm_virtual_network.vnet[0].id +} + +//resource "azurerm_network_security_group" "nsg" { +// count = "${var.module_enabled ? length(var.subnet_names) : 0}" +// name = "${var.subnet_names[count.index]}-sg" +// location = "${var.region}" +// resource_group_name = "${var.deploy_name}-${var.region}" +//} +// +//resource "azurerm_subnet_network_security_group_association" "nsg" { +// count = "${var.module_enabled ? length(var.subnet_names) : 0}" +// subnet_id = "${element(azurerm_subnet.subnet.*.id, count.index)}" +// network_security_group_id = "${element(azurerm_network_security_group.nsg.*.id, count.index)}" +//} +//resource "azurerm_subnet_route_table_association" "nat" { +// count = "${var.module_enabled ? length(var.nat_subnets) : 0}" +// subnet_id = "${element(azurerm_subnet.subnet.*.id, count.index + 1)}" +// route_table_id = "${azurerm_route_table.nattable.id}" +//} +# UDR +//resource "azurerm_route_table" "nattable" { +// count = "${var.module_enabled}" +// name = "${var.deploy_name}-${var.region}" +// location = "${var.region}" +// resource_group_name = "${azurerm_resource_group.network.name}" +// +// route { +// name = "all-traffic-via-nat" +// address_prefix = "0.0.0.0/0" +// next_hop_type = "VirtualAppliance" +// next_hop_in_ip_address = "${var.natgw_private_ip}" +// } +// +// tags = { +// environment = "${var.environment}" +// } +//} diff --git a/testdata/xray/jas/iac/azure/vpc/outputs.tf b/testdata/xray/jas/iac/azure/vpc/outputs.tf new file mode 100644 index 000000000..62a693aa7 --- /dev/null 
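Review bot: Nothing in the new fixture tree records which findings each file is expected to produce — the expectations presumably live in the xray_test.go change, which is outside this chunk — so a later "cleanup" of a fixture can silently change what the integration test asserts. A short `testdata/xray/jas/README.md` listing, per directory, the scanner it targets (IaC, secrets) and the finding(s) the test expects would make that explicit. Two candidates for such accidental cleanup are visible in this hunk: `number = false` in `random_string.postgres_private_dns_net_link_name` (newer releases of the random provider call this `numeric`) and the `enforce_private_link_endpoint_network_policies` / `enforce_private_link_service_network_policies` arguments on `azurerm_subnet`, which the azurerm 3.x provider renamed to `private_endpoint_network_policies_enabled` / `private_link_service_network_policies_enabled`; the vpc_pp copy of this module uses the same deprecated argument.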
+++ b/testdata/xray/jas/iac/azure/vpc/outputs.tf @@ -0,0 +1,79 @@ +################################################################################## +# OUTPUT +################################################################################## + +output "resource_group_id" { + value = azurerm_resource_group.network[0].id +} + +output "resource_group_name" { + value = azurerm_resource_group.network[0].name +} + +output "vnet_id" { + value = element(concat(azurerm_virtual_network.vnet.*.id, [""]), 0) +} + +output "vnet_location" { + value = element(concat(azurerm_virtual_network.vnet.*.location, [""]), 0) +} + +output "vnet_name" { + value = element(concat(azurerm_virtual_network.vnet.*.name, [""]), 0) +} + +output "private_dns_id" { + value = element( + concat(azurerm_private_dns_zone.postgres_private_dns.*.id, [""]), + 0, + ) +} + +output "private_dns_name" { + value = element( + concat(azurerm_private_dns_zone.postgres_private_dns.*.name, [""]), + 0, + ) +} + +//output "vnet_subnets" { +// value = "${azurerm_subnet.subnet.*.id}" +//} + +### subnets ids ### +output "public_subnet" { + value = element(concat(azurerm_subnet.subnet.*.id, [""]), 0) +} + +output "private_subnet" { + value = element(concat(azurerm_subnet.subnet.*.id, [""]), 1) +} +output "flexible_subnet" { + value = element(concat(azurerm_subnet.subnet.*.id, [""]), 4) +} +output "data_subnet" { + value = element(concat(azurerm_subnet.subnet.*.id, [""]), 2) +} + +output "mgmt_subnet" { + value = element(concat(azurerm_subnet.subnet.*.id, [""]), 3) +} + +### subnets names ### +output "public_subnet_name" { + value = element(concat(azurerm_subnet.subnet.*.name, [""]), 0) +} + +output "private_subnet_name" { + value = element(concat(azurerm_subnet.subnet.*.name, [""]), 1) +} + +output "data_subnet_name" { + value = element(concat(azurerm_subnet.subnet.*.name, [""]), 2) +} + +output "mgmt_subnet_name" { + value = element(concat(azurerm_subnet.subnet.*.name, [""]), 3) +} + + 
diff --git a/testdata/xray/jas/iac/azure/vpc/variables.tf b/testdata/xray/jas/iac/azure/vpc/variables.tf new file mode 100644 index 000000000..e04fd5f78 --- /dev/null +++ b/testdata/xray/jas/iac/azure/vpc/variables.tf @@ -0,0 +1,39 @@ +variable "module_enabled" { + default = true +} + +variable "region" { +} + +variable "deploy_name" { +} + +variable "vpc_cidr" { +} + +variable "short_region" { + default = " " +} + +variable "subnet_prefixes" { + type = list(string) +} + +variable "ssh_source_ranges" { + type = list(string) +} + +variable "environment" { +} + +variable "subnet_names" { + type = list(string) +} + +variable "enforce_pl_svc_net_private" { + default = false +} +//variable "natgw_private_ip" {} +//variable "nat_subnets" { +// type = "list" +//} diff --git a/testdata/xray/jas/iac/azure/vpc/versions.tf b/testdata/xray/jas/iac/azure/vpc/versions.tf new file mode 100644 index 000000000..ac97c6ac8 --- /dev/null +++ b/testdata/xray/jas/iac/azure/vpc/versions.tf @@ -0,0 +1,4 @@ + +terraform { + required_version = ">= 0.12" +} diff --git a/testdata/xray/jas/iac/azure/vpc_pp/module.tf b/testdata/xray/jas/iac/azure/vpc_pp/module.tf new file mode 100644 index 000000000..5caae96c7 --- /dev/null +++ b/testdata/xray/jas/iac/azure/vpc_pp/module.tf 
@@ -0,0 +1,34 @@ + +#Azure Generic vNet Module +resource "azurerm_resource_group" "network" { + count = var.module_enabled ? 1 : 0 + name = var.short_region != " " ? var.short_region : "${var.deploy_name}-${var.region}" + location = var.region + + tags = { + environment = var.environment + } +} + +resource "azurerm_virtual_network" "vnet" { + count = var.module_enabled ? 1 : 0 + name = "${var.deploy_name}-${var.region}" + location = var.region + address_space = [var.vpc_cidr] + resource_group_name = azurerm_resource_group.network[0].name + + tags = { + environment = var.environment + costcenter = "${var.deploy_name}-${var.region}" + } +} + +resource "azurerm_subnet" "subnet" { + count = var.module_enabled ? length(var.subnet_names) : 0 + name = var.subnet_names[count.index] + virtual_network_name = azurerm_virtual_network.vnet[0].name + resource_group_name = azurerm_resource_group.network[0].name + address_prefixes = [var.subnet_prefixes[count.index]] + enforce_private_link_endpoint_network_policies = var.subnet_names[count.index] == "private" && var.enforce_private_subnet + +} \ No newline at end of file diff --git a/testdata/xray/jas/iac/azure/vpc_pp/outputs.tf b/testdata/xray/jas/iac/azure/vpc_pp/outputs.tf new file mode 100644 index 000000000..7e1472580 --- /dev/null +++ b/testdata/xray/jas/iac/azure/vpc_pp/outputs.tf 
@@ -0,0 +1,62 @@ +################################################################################## +# OUTPUT +################################################################################## + +output "resource_group_id" { + value = azurerm_resource_group.network[0].id +} + +output "resource_group_name" { + value = azurerm_resource_group.network[0].name +} + +output "vnet_id" { + value = element(concat(azurerm_virtual_network.vnet.*.id, [""]), 0) +} + +output "vnet_location" { + value = element(concat(azurerm_virtual_network.vnet.*.location, [""]), 0) +} + +output "vnet_name" { + value = element(concat(azurerm_virtual_network.vnet.*.name, [""]), 0) +} + +//output "vnet_subnets" { +// value = "${azurerm_subnet.subnet.*.id}" +//} + +### subnets ids ### +output "public_subnet" { + value = element(concat(azurerm_subnet.subnet.*.id, [""]), 0) +} + +output "private_subnet" { + value = element(concat(azurerm_subnet.subnet.*.id, [""]), 1) +} + +output "data_subnet" { + value = element(concat(azurerm_subnet.subnet.*.id, [""]), 2) +} + +output "mgmt_subnet" { + value = element(concat(azurerm_subnet.subnet.*.id, [""]), 3) +} + +### subnets names ### +output "public_subnet_name" { + value = element(concat(azurerm_subnet.subnet.*.name, [""]), 0) +} + +output "private_subnet_name" { + value = element(concat(azurerm_subnet.subnet.*.name, [""]), 1) +} + +output "data_subnet_name" { + value = element(concat(azurerm_subnet.subnet.*.name, [""]), 2) +} + +output "mgmt_subnet_name" { + value = element(concat(azurerm_subnet.subnet.*.name, [""]), 3) +} + diff --git a/testdata/xray/jas/iac/azure/vpc_pp/variables.tf b/testdata/xray/jas/iac/azure/vpc_pp/variables.tf new file mode 100644 index 000000000..784782aa7 --- /dev/null +++ b/testdata/xray/jas/iac/azure/vpc_pp/variables.tf 
@@ -0,0 +1,40 @@ +variable "module_enabled" { + default = true +} + +variable "region" { +} + +variable "deploy_name" { +} + +variable "vpc_cidr" { +} + +variable "short_region" { + default = " " +} + +variable "subnet_prefixes" { + type = list(string) +} + +variable "ssh_source_ranges" { + type = list(string) +} + +variable "environment" { +} + +variable "subnet_names" { + type = list(string) +} + +variable "enforce_private_subnet" { + default = true +} + +//variable "natgw_private_ip" {} +//variable "nat_subnets" { +// type = "list" +//} diff --git a/testdata/xray/jas/iac/azure/vpc_pp/versions.tf b/testdata/xray/jas/iac/azure/vpc_pp/versions.tf new file mode 100644 index 000000000..ac97c6ac8 --- /dev/null +++ b/testdata/xray/jas/iac/azure/vpc_pp/versions.tf @@ -0,0 +1,4 @@ + +terraform { + required_version = ">= 0.12" +} diff --git a/testdata/xray/jas/iac/gcp/k8s-oss/files/chk_k8s_nat b/testdata/xray/jas/iac/gcp/k8s-oss/files/chk_k8s_nat new file mode 100644 index 000000000..f4f318bbf --- /dev/null +++ b/testdata/xray/jas/iac/gcp/k8s-oss/files/chk_k8s_nat @@ -0,0 +1,17 @@ +#!/bin/bash + +# This script checks the functionality of the NAT gateway VM. + +tf_output=$(terraform output) +k8s_name=$(echo "$tf_output" | grep k8s_cluster_name | cut -d = -f 2) +k8s_project=$(echo "$tf_output" | grep k8s_project | cut -d = -f 2) +k8s_zone=$(echo "$tf_output" | grep k8s_zone | cut -d = -f 2) +k8s_ext_ip=$(echo "$tf_output" | grep external_ip | cut -d = -f 2) + +echo Testing k8s cluster connectivity to NAT.. +gcloud container clusters get-credentials $k8s_name --zone $k8s_zone --project $k8s_project > /dev/null + +chk_ext_ip=$(kubectl run test -it --restart=Never --image=centos:7 -- curl -s http://ipinfo.io/ip) +kubectl delete po test > /dev/null + +echo $k8s_ext_ip $chk_ext_ip diff --git a/testdata/xray/jas/iac/gcp/k8s-oss/module.tf b/testdata/xray/jas/iac/gcp/k8s-oss/module.tf new file mode 100644 index 000000000..53746b756 --- /dev/null 
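Review bot: This helper script is added twice with the same blob id (`f4f318bbf`), here and under `k8s-pipelines-bp/files/`; if both copies are deliberate scan targets, a one-line comment where the test enumerates its fixtures would stop someone deduplicating them later. Should the script ever be run rather than only scanned, the `grep`/`cut` parsing of `terraform output` is fragile — `grep k8s_zone` matches any key containing that substring, and the values are then expanded unquoted into the `gcloud` call — and `k8s_zone=$(terraform output -raw k8s_zone)` is the robust form. The connectivity probe also fetches `http://ipinfo.io/ip` over plain HTTP from inside the cluster, so the address it compares against is unauthenticated; if the comparison matters, use the `https://` endpoint.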
+++ b/testdata/xray/jas/iac/gcp/k8s-oss/module.tf 
@@ -0,0 +1,158 @@ +# Create new K8S cluster with autoscaling + +data "google_container_engine_versions" "region" { + location = var.region +} + +resource "random_string" "admin-password" { + count = var.module_enabled ? 1 : 0 + length = 16 + +// lifecycle { +// ignore_changes = [ +// initial_node_count, master_authorized_networks_config +// ] +// } +} + +# New K8s Cluster, if creation failed you'll need to cleanup manually before running again. +resource "google_container_cluster" "primary" { + count = var.module_enabled ? 1 : 0 + provider = google-beta + name = "${var.deploy_name}-${var.region}" + location = var.k8s_zonal == "" ? var.region : var.region_zone + min_master_version = var.k8s_master_version == "" ? data.google_container_engine_versions.region.latest_master_version : var.k8s_master_version + network = var.network + subnetwork = var.subnetwork + logging_service = var.logging_service + monitoring_service = var.monitoring_service + enable_legacy_abac = var.enable_legacy_abac + remove_default_node_pool = "true" + initial_node_count = 1 + enable_shielded_nodes = var.gke_auth.shielded_nodes + enable_intranode_visibility = var.gke_auth.enable_intranode_visibility + + master_auth { + username = var.gke_auth.basic_auth ? "basic-admin" : "" + password = var.gke_auth.basic_auth ? 
random_string.admin-password[0].result : "" + + client_certificate_config { + issue_client_certificate = var.client_certificate + } + } + + private_cluster_config { + enable_private_endpoint = false + enable_private_nodes = true + master_ipv4_cidr_block = var.subnet_cidr["k8s-private"] + } + + ip_allocation_policy { + cluster_secondary_range_name = "pods-private-range" + services_secondary_range_name = "services-private-range" + } + + # Authoroized networks allowed to access the Master + + master_authorized_networks_config { + cidr_blocks { + cidr_block = "82.81.195.5/32" + display_name = "jfrog-office" + } + cidr_blocks { + cidr_block = "52.8.67.255/32" + display_name = "GlobalVpn" + } + cidr_blocks { + cidr_block = "12.252.18.78/32" + display_name = "US Office HA Public" + } + cidr_blocks { + cidr_block = "52.9.243.19/32" + display_name = "US IT AWS-NATGW" + } + cidr_blocks { + cidr_block = "52.215.237.185/32" + display_name = "EU IT AWS-NATGW" + } + cidr_blocks { + cidr_block = "52.16.203.109/32" + display_name = "GlobalVpn" + } + cidr_blocks { + cidr_block = "146.148.8.199/32" + display_name = "GCP jfrog-dev NAT" + } + cidr_blocks { + cidr_block = "192.168.20.0/24" //should be 192.168.21.0/24 + display_name = "all_local" + } + cidr_blocks { + cidr_block = "${var.natgw_ip[0]}/32" + display_name = "natgw" + } + cidr_blocks { + cidr_block = "${var.natgw_ip[1]}/32" + display_name = "natgw" + } + } + lifecycle { + ignore_changes = [ + initial_node_count, master_authorized_networks_config, master_auth + ] + } +} + +# K8s cluster node pool creation +resource "google_container_node_pool" "worker" { + count = var.module_enabled ? 1 : 0 + name = var.override_ng_name == "" ? "${var.deploy_name}-${var.region}-ng-1" : var.override_ng_name + location = var.k8s_zonal == "" ? var.region : var.region_zone + cluster = google_container_cluster.primary[0].name + node_count = 1 + version = var.k8s_node_version == "" ? 
data.google_container_engine_versions.region.latest_node_version : var.k8s_node_version + + autoscaling { + min_node_count = var.min_node_count + max_node_count = var.max_node_count + } + + management { + auto_repair = lookup(var.node_config, "node_auto_repair") + auto_upgrade = lookup(var.node_config, "node_auto_upgrade" ) + } + + node_config { + machine_type = var.worker_machine_type + image_type = var.image_type + disk_size_gb = var.ng_disk_size_gb + disk_type = "pd-ssd" + + shielded_instance_config { + enable_secure_boot = lookup(var.node_config, "enable_secure_boot" ) + } +// workload_metadata_config { +// node_metadata = "GKE_METADATA_SERVER" +// } +// oauth_scopes = [ +// "https://www.googleapis.com/auth/compute", +// "https://www.googleapis.com/auth/devstorage.read_only", +// "https://www.googleapis.com/auth/logging.write", +// "https://www.googleapis.com/auth/monitoring", +// ] + +// labels = { +// cluster = var.label +// } +// metadata = { +// ssh-keys = "ubuntu:${var.ssh_key} ubuntu" +// disable-legacy-endpoints = "true" +// } + tags = var.instance_tags + } + lifecycle { + ignore_changes = [ + autoscaling.0.max_node_count, node_count + ] + } +} \ No newline at end of file diff --git a/testdata/xray/jas/iac/gcp/k8s-oss/outputs.tf b/testdata/xray/jas/iac/gcp/k8s-oss/outputs.tf new file mode 100644 index 000000000..7d3cea754 --- /dev/null +++ b/testdata/xray/jas/iac/gcp/k8s-oss/outputs.tf 
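Review bot: The `master_authorized_networks_config` block in `google_container_cluster.primary` hard-codes seven public `/32` addresses with display names such as `jfrog-office`, `US Office HA Public` and `EU IT AWS-NATGW`, which reads as a real network-perimeter allowlist rather than synthetic test data. If the finding the test expects only needs the block to be present (alongside the `basic_auth` and `enable_legacy_abac` lines in the same resource), substituting RFC 5737 documentation ranges such as `203.0.113.0/24` keeps the fixture equivalent without publishing office and VPN egress addresses in a public repository. The stray `//should be 192.168.21.0/24` comment on the `all_local` entry suggests the block was pasted from live configuration rather than authored for the test. The resource's `lifecycle` block also lists `master_authorized_networks_config` and `master_auth` in `ignore_changes`; if that drift-suppression pattern is itself one of the expected findings, it is worth naming in the test's expectations.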
@@ -0,0 +1,54 @@ +# The following outputs allow authentication and connectivity to the GKE Cluster. +output "client_certificate" { + value = google_container_cluster.primary.*.master_auth.0.client_certificate +} + +output "client_key" { + value = element( + concat( + google_container_cluster.primary.*.master_auth.0.client_key, + [""], + ), + 0, + ) +} + +output "cluster_ca_certificate" { + value = element( + concat( + google_container_cluster.primary.*.master_auth.0.cluster_ca_certificate, + [""], + ), + 0, + ) +} + +output "cluster_name" { + value = element(concat(google_container_cluster.primary.*.name, [""]), 0) +} + +output "cluster_ip" { + value = element(concat(google_container_cluster.primary.*.endpoint, [""]), 0) +} + +output "cluster_username" { + value = element( + concat( + google_container_cluster.primary.*.master_auth.0.username, + [""], + ), + 0, + ) +} + +output "cluster_password" { + value = element( + concat( + google_container_cluster.primary.*.master_auth.0.password, + [""], + ), + 0, + ) + sensitive = true +} + diff --git a/testdata/xray/jas/iac/gcp/k8s-oss/variables.tf b/testdata/xray/jas/iac/gcp/k8s-oss/variables.tf new file mode 100644 index 000000000..1124605c7 --- /dev/null +++ b/testdata/xray/jas/iac/gcp/k8s-oss/variables.tf 
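Review bot: `output "client_key"` exposes `master_auth.0.client_key`, a private key, without `sensitive = true`, while `cluster_password` at the end of the same file is marked sensitive; on Terraform 0.15 and later an output derived from a provider-sensitive attribute fails validation unless it carries that flag. If the unflagged output is the finding the test expects, it is worth naming in the expectations so nobody "fixes" it; otherwise add `sensitive = true` to the `client_key` output to match `cluster_password`.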
@@ -0,0 +1,102 @@ +variable "module_enabled" { + default = true +} + +variable "project_name" { +} + +variable "region" { +} + +variable "region_zone" { +} + +variable "deploy_name" { +} + +variable "network" { +} + +variable "subnetwork" { +} + +variable "instance_tags" { + type = list(string) +} + +variable "subnet_cidr" { + type = map(string) +} + +variable "min_node_count" { +} + +variable "max_node_count" { +} + +variable "logging_service" { +} + +variable "monitoring_service" { +} + +variable "enable_legacy_abac" { +} + +variable "worker_machine_type" { +} + +variable "ft_machine_type" { +} + +variable "image_type" { +} + +variable "ng_disk_size_gb" { +} +variable "ft_disk_size_gb" { +} + +variable "label" { +} + +variable "natgw_ip" { +} + +variable "gcp_azs" { + type = map(string) + default = { + us-east1 = "us-east1-c,us-east1-d" + us-west1 = "us-west1-c,us-west1-a" + us-central1 = "us-central1-c,us-central1-f" + europe-west2 = "europe-west2-a,europe-west2-c" + europe-west1 = "europe-west1-c,europe-west1-d" + } +} + +variable "ssh_key" { +} + +variable "k8s_master_version" { +} + +variable "k8s_node_version" { +} + +variable "client_certificate" { +} + +variable "k8s_zonal" { +} + +variable "override_ft_name" { +} + +variable "override_ng_name" { +} + +variable "gke_auth" { +} + +variable "node_config" { +} \ No newline at end of file diff --git a/testdata/xray/jas/iac/gcp/k8s-oss/versions.tf b/testdata/xray/jas/iac/gcp/k8s-oss/versions.tf new file mode 100644 index 000000000..ac97c6ac8 --- /dev/null +++ b/testdata/xray/jas/iac/gcp/k8s-oss/versions.tf @@ -0,0 +1,4 @@ + +terraform { + required_version = ">= 0.12" +} diff --git a/testdata/xray/jas/iac/gcp/k8s-pipelines-bp/files/chk_k8s_nat b/testdata/xray/jas/iac/gcp/k8s-pipelines-bp/files/chk_k8s_nat new file mode 100644 index 000000000..f4f318bbf --- /dev/null +++ b/testdata/xray/jas/iac/gcp/k8s-pipelines-bp/files/chk_k8s_nat 
@@ -0,0 +1,17 @@ +#!/bin/bash + +# This script checks the functionality of the NAT gateway VM. + +tf_output=$(terraform output) +k8s_name=$(echo "$tf_output" | grep k8s_cluster_name | cut -d = -f 2) +k8s_project=$(echo "$tf_output" | grep k8s_project | cut -d = -f 2) +k8s_zone=$(echo "$tf_output" | grep k8s_zone | cut -d = -f 2) +k8s_ext_ip=$(echo "$tf_output" | grep external_ip | cut -d = -f 2) + +echo Testing k8s cluster connectivity to NAT.. +gcloud container clusters get-credentials $k8s_name --zone $k8s_zone --project $k8s_project > /dev/null + +chk_ext_ip=$(kubectl run test -it --restart=Never --image=centos:7 -- curl -s http://ipinfo.io/ip) +kubectl delete po test > /dev/null + +echo $k8s_ext_ip $chk_ext_ip diff --git a/testdata/xray/jas/iac/gcp/k8s-pipelines-bp/module.tf b/testdata/xray/jas/iac/gcp/k8s-pipelines-bp/module.tf new file mode 100644 index 000000000..f2d68663c --- /dev/null +++ b/testdata/xray/jas/iac/gcp/k8s-pipelines-bp/module.tf 
@@ -0,0 +1,207 @@ +# Create new K8S cluster with autoscaling + +data "google_container_engine_versions" "region" { + location = var.region +} + +resource "random_string" "admin-password" { + count = var.module_enabled ? 1 : 0 + length = 16 + +// lifecycle { +// ignore_changes = [ +// initial_node_count, master_authorized_networks_config +// ] +// } +} + +# New K8s Cluster, if creation failed you'll need to cleanup manually before running again. +resource "google_container_cluster" "primary" { + count = var.module_enabled ? 1 : 0 + provider = google-beta + name = "${var.deploy_name}-${var.region}" + location = var.k8s_zonal == "" ? var.region : var.region_zone + min_master_version = var.k8s_master_version == "" ? data.google_container_engine_versions.region.latest_master_version :lookup(var.gke_map.override,"k8s_master_version") + network = var.network + subnetwork = var.subnetwork + logging_service = var.logging_service + monitoring_service = var.monitoring_service + enable_legacy_abac = var.enable_legacy_abac + remove_default_node_pool = "true" + initial_node_count = 1 + enable_shielded_nodes = var.gke_auth.shielded_nodes + enable_intranode_visibility = var.enable_intranode_visibility + + master_auth { + username = var.gke_auth.basic_auth ? "basic-admin" : "" + password = var.gke_auth.basic_auth ? 
random_string.admin-password[0].result : "" + + client_certificate_config { + issue_client_certificate = var.client_certificate + } + } + + private_cluster_config { + enable_private_endpoint = false + enable_private_nodes = true + master_ipv4_cidr_block = var.subnet_cidr["k8s-private"] + } + + ip_allocation_policy { + cluster_secondary_range_name = "pods-private-range" + services_secondary_range_name = "services-private-range" + } + maintenance_policy { + recurring_window { + recurrence = var.maintenance_window.recurrence + start_time = var.maintenance_window.start_time + end_time = var.maintenance_window.end_time + } + } + + # Authoroized networks allowed to access the Master + + # master_authorized_networks_config { + + # cidr_blocks { + # cidr_block = "${var.natgw_ip[0]}/32" + # display_name = "natgw" + # } + # cidr_blocks { + # cidr_block = "${var.natgw_ip[1]}/32" + # display_name = "natgw" + # } + # } + master_authorized_networks_config { + dynamic "cidr_blocks" { + for_each = var.gke_map.override["public_access_cidrs"] + iterator = authorized_network + content { + cidr_block = authorized_network.value.cidr_block + display_name = authorized_network.value.display_name + } + } + } + + dynamic "resource_usage_export_config" { + for_each = toset(var.resource_usage_export_config_parameters != null ? ["exec"] : []) + content { + enable_network_egress_metering = lookup(var.resource_usage_export_config_parameters, "enable_network_egress_metering") + enable_resource_consumption_metering = lookup(var.resource_usage_export_config_parameters, "enable_resource_consumption_metering") + bigquery_destination { + dataset_id = lookup(var.resource_usage_export_config_parameters, "bigquery_destination.dataset_id") + } + } + } + + lifecycle { + ignore_changes = [ + initial_node_count, master_auth + ] + } +} + +# K8s cluster node pool creation +resource "google_container_node_pool" "worker" { + count = contains(keys(var.gke_map),"ng") ? 
1 : 0 + name = lookup(var.gke_map.ng, "name", "${var.deploy_name}-${var.region}-ng-1" ) + location = var.k8s_zonal == "" ? var.region : var.region_zone + cluster = google_container_cluster.primary[0].name + node_count = 1 + version = lookup(var.gke_map.override, "k8s_node_version", data.google_container_engine_versions.region.latest_node_version) + +dynamic "autoscaling" { + for_each = toset(var.autoscaling_parameters != null ? ["exec"] : []) + content { + min_node_count = lookup(var.autoscaling_parameters, "min_node_count") + max_node_count = lookup(var.autoscaling_parameters, "max_node_count") + } + } + management { + auto_repair = lookup(var.node_config, "node_auto_repair") + auto_upgrade = lookup(var.node_config, "node_auto_upgrade" ) + } + node_config { + machine_type = lookup(var.gke_map.ng, "instance_type", "n2-highmem-2") + image_type = lookup(var.gke_map.ng, "image_type","COS") + disk_size_gb = lookup(var.gke_map.ng, "disk_size", "2000") + disk_type = "pd-ssd" + oauth_scopes = var.oauth_scopes + + shielded_instance_config { + enable_secure_boot = lookup(var.node_config, "enable_secure_boot" ) + } +// workload_metadata_config { +// node_metadata = "GKE_METADATA_SERVER" +// } + + +// labels = { +// cluster = var.label +// } + metadata = { + ssh-keys = "${var.ssh_key}" + disable-legacy-endpoints = "true" + } + tags = var.instance_tags + } + lifecycle { + ignore_changes = [ + autoscaling.0.max_node_count, node_count + ] + } +} +###node group for devops### +resource "google_container_node_pool" "devops_nodegroup" { + count = contains(keys(var.gke_map),"devops") ? 1 : 0 + name = lookup(var.gke_map.devops, "name", "${var.deploy_name}-${var.region}-ng-1" ) + location = var.k8s_zonal == "" ? 
var.region : var.region_zone + cluster = google_container_cluster.primary[0].name + node_count = 1 + version = lookup(var.gke_map.override, "k8s_node_version", data.google_container_engine_versions.region.latest_node_version) + management { + auto_repair = lookup(var.node_config, "node_auto_repair") + auto_upgrade = lookup(var.node_config, "node_auto_upgrade" ) + } + +dynamic "autoscaling" { + for_each = toset(var.gke_map.devops["autoscaling_parameters"] != {} ? ["exec"] : []) + content { + min_node_count = lookup(var.gke_map.devops["autoscaling_parameters"], "min_node_count") + max_node_count = lookup(var.gke_map.devops["autoscaling_parameters"], "max_node_count") + } + } + + node_config { + machine_type = lookup(var.gke_map.devops, "instance_type", "n2-standard-2") + labels = { + "k8s.jfrog.com/pool_type" = "devops" + } + image_type = var.image_type + disk_size_gb = lookup(var.gke_map.devops, "disk_size", "2000") + disk_type = "pd-ssd" + oauth_scopes= var.oauth_scopes + taint { + effect = "NO_SCHEDULE" + key = "pool_type" + value = "devops" + } + shielded_instance_config { + enable_secure_boot = lookup(var.node_config, "enable_secure_boot" ) + } +// workload_metadata_config { +// node_metadata = "GKE_METADATA_SERVER" +// } + + metadata = { + ssh-keys = "ubuntu:${var.ssh_key} ubuntu" + disable-legacy-endpoints = "true" + } + tags = var.instance_tags + } + lifecycle { + ignore_changes = [ + autoscaling.0.max_node_count, node_count + ] + } +} \ No newline at end of file diff --git a/testdata/xray/jas/iac/gcp/k8s-pipelines-bp/outputs.tf b/testdata/xray/jas/iac/gcp/k8s-pipelines-bp/outputs.tf new file mode 100644 index 000000000..7d3cea754 --- /dev/null +++ b/testdata/xray/jas/iac/gcp/k8s-pipelines-bp/outputs.tf 
@@ -0,0 +1,54 @@ +# The following outputs allow authentication and connectivity to the GKE Cluster. +output "client_certificate" { + value = google_container_cluster.primary.*.master_auth.0.client_certificate +} + +output "client_key" { + value = element( + concat( + google_container_cluster.primary.*.master_auth.0.client_key, + [""], + ), + 0, + ) +} + +output "cluster_ca_certificate" { + value = element( + concat( + google_container_cluster.primary.*.master_auth.0.cluster_ca_certificate, + [""], + ), + 0, + ) +} + +output "cluster_name" { + value = element(concat(google_container_cluster.primary.*.name, [""]), 0) +} + +output "cluster_ip" { + value = element(concat(google_container_cluster.primary.*.endpoint, [""]), 0) +} + +output "cluster_username" { + value = element( + concat( + google_container_cluster.primary.*.master_auth.0.username, + [""], + ), + 0, + ) +} + +output "cluster_password" { + value = element( + concat( + google_container_cluster.primary.*.master_auth.0.password, + [""], + ), + 0, + ) + sensitive = true +} + diff --git a/testdata/xray/jas/iac/gcp/k8s-pipelines-bp/rbac.tf b/testdata/xray/jas/iac/gcp/k8s-pipelines-bp/rbac.tf new file mode 100644 index 000000000..2b2c06dc2 --- /dev/null +++ b/testdata/xray/jas/iac/gcp/k8s-pipelines-bp/rbac.tf 
@@ -0,0 +1,61 @@ +provider "kubernetes" { + host = try(var.gke_map.override["k8s_sdm"], "https://${google_container_cluster.primary.*.endpoint}") +} + +resource "kubernetes_cluster_role_binding" "sdm-roles" { +for_each = toset(var.rbac_admin_roles) + metadata { + name = "${each.value}" + } + role_ref { + api_group = "rbac.authorization.k8s.io" + kind = "ClusterRole" + name = "cluster-admin" + } + subject { + kind = "Group" + name = "${each.value}" + api_group = "rbac.authorization.k8s.io" + } +} + + +resource "kubernetes_cluster_role" "sdm-ro-roles" { + for_each = toset(var.rbac_readonly_roles) + metadata { + name = "${each.value}" + } + + rule { + api_groups = [""] + resources = ["*"] + verbs = ["get", "list", "watch"] + } + rule { + api_groups = ["extensions"] + resources = ["*"] + verbs = ["get", "list", "watch"] + } + rule { + api_groups = ["apps"] + resources = ["*"] + verbs = ["get", "list", "watch"] + } +} + +resource "kubernetes_cluster_role_binding" "sdm-ro-roles" { + for_each = toset(var.rbac_readonly_roles) + metadata { + name = "${each.value}" + } + role_ref { + api_group = "rbac.authorization.k8s.io" + kind = "ClusterRole" + name = "${each.value}" + } + subject { + kind = "Group" + name = "${each.value}" + api_group = "rbac.authorization.k8s.io" + } +} \ No newline at end of file diff --git a/testdata/xray/jas/iac/gcp/k8s-pipelines-bp/variables.tf b/testdata/xray/jas/iac/gcp/k8s-pipelines-bp/variables.tf new file mode 100644 index 000000000..f025f6049 --- /dev/null +++ b/testdata/xray/jas/iac/gcp/k8s-pipelines-bp/variables.tf 
@@ -0,0 +1,137 @@ +variable "module_enabled" { + default = true +} + +variable "project_name" { +} + +variable "region" { +} + +variable "region_zone" { +} + +variable "deploy_name" { +} + +variable "network" { +} +variable "subnetwork" { +} + +variable "instance_tags" { + type = list(string) +} + +variable "subnet_cidr" { + type = map(string) +} + +variable "min_node_count" { +} + +variable "max_node_count" { +} + +variable "logging_service" { +} + +variable "monitoring_service" { +} + +variable "enable_legacy_abac" { +} + +variable "worker_machine_type" { +} + +variable "ft_machine_type" { +} + +variable "image_type" { +} + +variable "ng_disk_size_gb" { +} +variable "ft_disk_size_gb" { +} + +variable "label" { +} + +variable "natgw_ip" { +} + +variable "gcp_azs" { + type = map(string) + default = { + us-east1 = "us-east1-c,us-east1-d" + us-west1 = "us-west1-c,us-west1-a" + us-central1 = "us-central1-c,us-central1-f" + europe-west2 = "europe-west2-a,europe-west2-c" + europe-west1 = "europe-west1-c,europe-west1-d" + } +} + +variable "ssh_key" { +} + +variable "k8s_master_version" { +} + +variable "k8s_node_version" { +} + +variable "client_certificate" { +} + +variable "k8s_zonal" { +} + +variable "override_ft_name" { +} + +variable "override_ng_name" { +} + +variable "autoscaling_parameters"{ +} + +variable "gke_map"{ + +} +variable "network_policy" { + default = false +} +variable "maintenance_window" { + default = { + recurrence = "FREQ=WEEKLY;BYDAY=SU" + start_time = "2021-11-21T01:00:00Z" + end_time = "2021-11-21T18:00:00Z" + } +} + +variable "gke_auth" { +} + +variable "oauth_scopes" { + default = [ + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring", + ] +} + +variable "node_config"{ +} +variable "enable_intranode_visibility" {} +variable "rbac_admin_roles"{ +default = [] +} + +variable "rbac_readonly_roles"{ +default = [] +} + +variable "resource_usage_export_config_parameters" { + default = null +} \ No newline 
at end of file diff --git a/testdata/xray/jas/iac/gcp/k8s-pipelines-bp/versions.tf b/testdata/xray/jas/iac/gcp/k8s-pipelines-bp/versions.tf new file mode 100644 index 000000000..ac97c6ac8 --- /dev/null +++ b/testdata/xray/jas/iac/gcp/k8s-pipelines-bp/versions.tf @@ -0,0 +1,4 @@ + +terraform { + required_version = ">= 0.12" +} diff --git a/testdata/xray/jas/main.py b/testdata/xray/jas/main.py new file mode 100644 index 000000000..064571e46 --- /dev/null +++ b/testdata/xray/jas/main.py @@ -0,0 +1,5 @@ +import yaml + +with open('example.yaml') as f: + data = yaml.full_load(f) + print(data) \ No newline at end of file diff --git a/testdata/xray/jas/requirements.txt b/testdata/xray/jas/requirements.txt new file mode 100644 index 000000000..ddff94966 --- /dev/null +++ b/testdata/xray/jas/requirements.txt @@ -0,0 +1 @@ +PyYAML==5.2 \ No newline at end of file diff --git a/testdata/xray/jas/secrets/more_secrets/key b/testdata/xray/jas/secrets/more_secrets/key new file mode 100644 index 000000000..20edd3206 --- /dev/null +++ b/testdata/xray/jas/secrets/more_secrets/key @@ -0,0 +1,7 @@ +key:S3cr3t_K +Key:S3cr3t_K +key2:S3cr3t_K +search-key:S3cr3t_K +public-key:S3cr3t_K +publicKey:S3cr3t_K +KEY_public-key:S3cr3t_K diff --git a/testdata/xray/jas/secrets/more_secrets/sequence b/testdata/xray/jas/secrets/more_secrets/sequence new file mode 100644 index 000000000..1137d2d9e --- /dev/null +++ b/testdata/xray/jas/secrets/more_secrets/sequence @@ -0,0 +1,2 @@ +password: kmlkfxdngklfnl111111 +password: jnvkjcxnjvxnvk22222 \ No newline at end of file diff --git a/testdata/xray/jas/secrets/secret_generic/blacklist b/testdata/xray/jas/secrets/secret_generic/blacklist new file mode 100644 index 000000000..4ccd3ce0f --- /dev/null +++ b/testdata/xray/jas/secrets/secret_generic/blacklist 
@@ -0,0 +1,9 @@ +password=123456789 +password=0abcdef7 +common_token 81d7578788ec6b061029e875e01589xxxx2222e +API_KEY : DjyO8k7504YBl5lsGn2PDiV_testcABvnodnD +aws_access_key=ASIA2TEO6PMT6_test_4T4VM3J +aws_access_key=ASIA2TEO6PMT6_TEST_4T4VM3J +aws_access_key=ASIA2TEO6PMT6_sample_4T4VM3J +aws_access_key=ASIA2TEO6PMT6_sampLe_4T4VM3J +aws_access_key=ASIA2TEO6PMT6_example_4T4VM3J \ No newline at end of file diff --git a/testdata/xray/jas/secrets/secret_generic/gibberish b/testdata/xray/jas/secrets/secret_generic/gibberish new file mode 100644 index 000000000..bd7aef407 --- /dev/null +++ b/testdata/xray/jas/secrets/secret_generic/gibberish @@ -0,0 +1,10 @@ +secret_key=agwergartegbae123414 +client_secret 1557262894_291cd120eca3f3dcec3e77a66a2fc8c5_ +client_secret : QXfEexz9sVH-hTxsf7lq6P-LJhE +password:4fjNPloEVvrVj28BsVh3jI8t3pmv7Qg6 +client_secret=0FCEF92C008EC67540368586D10A3E09BC23D94F7D391A87CEC7650F1982C84A78175CBE3CAF98A3FC69EDD91B456CC1 +PAYMENT_TOKEN 381764678 +client_secret: nbhd-null +SECRET_KEY hgfu983ru6587yt10fjw83ft94847-3h4rgjh3yg490hg3745g4hr87gh5-276hg-9 +SECRET_KEY=12347502348 + diff --git a/xray_test.go b/xray_test.go index 961ede245..ab9a2f247 100644 --- a/xray_test.go +++ b/xray_test.go 
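Review bot: The fixtures under testdata/xray/jas/secrets (this hunk and the `key`, `sequence` and `gibberish` files) deliberately contain credential-shaped strings, so any secret scanner run against this repository itself (pre-commit hooks, forge-side secret scanning) will report them with nothing on the page telling a reader they are synthetic. A short README in that directory stating that every value is fabricated scanner test input, plus an allowlist entry for the path in whatever repo-level scanner the project uses, would spare future contributors the triage. The pinned `PyYAML==5.2` in testdata/xray/jas/requirements.txt may likewise be flagged by dependency bots; a one-line comment or the same README noting it is intentional test input would make that explicit.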
@@ -326,9 +326,15 @@ func TestXrayAuditMultiProjects(t *testing.T) {
 multiProject := filepath.Join(filepath.FromSlash(tests.GetTestResourcesPath()), "xray")
 // Copy the multi project from the testdata to a temp dir
 assert.NoError(t, fileutils.CopyDir(multiProject, tempDirPath, true, nil))
- workingDirsFlag := fmt.Sprintf("--working-dirs=%s, %s ,%s", filepath.Join(tempDirPath, "maven"), filepath.Join(tempDirPath, "nuget", "single"), filepath.Join(tempDirPath, "python", "pip"))
- output := xrayCli.RunCliCmdWithOutput(t, "audit", "--format="+string(utils.SimpleJson), workingDirsFlag)
- verifySimpleJsonScanResults(t, output, 30, 0)
+ workingDirsFlag := fmt.Sprintf("--working-dirs=%s, %s ,%s, %s",
+ filepath.Join(tempDirPath, "maven"), filepath.Join(tempDirPath, "nuget", "single"),
+ filepath.Join(tempDirPath, "python", "pip"), filepath.Join(tempDirPath, "jas"))
+ // Configure a new server named "default"
+ createJfrogHomeConfig(t, true)
+ defer cleanTestsHomeEnv()
+ output := xrayCli.WithoutCredentials().RunCliCmdWithOutput(t, "audit", "--format="+string(utils.SimpleJson), workingDirsFlag)
+ verifySimpleJsonScanResults(t, output, 35, 0)
+ verifySimpleJsonJasResults(t, output, 9, 7, 0, 1)
 }
 
 func TestXrayAuditPipJson(t *testing.T) {
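Review bot: The four positional integers in `verifySimpleJsonJasResults(t, output, 9, 7, 0, 1)` are opaque at the call site, and the same "jas" fixture is checked with `9, 7, 2, 1` in TestXrayAuditJasSimpleJson further down this diff; if the lower minApplicable here is intentional (the multi-project run presumably executes from a different working directory), a trailing comment naming the thresholds would make that visible, e.g. `verifySimpleJsonJasResults(t, output, 9, 7, 0, 1) // min IaC, secrets, applicable, not-applicable`. The sequence `// Configure a new server named "default"`, `createJfrogHomeConfig(t, true)`, `defer cleanTestsHomeEnv()` is repeated verbatim in testXrayAuditJas; a small helper would keep the two in step. TestXrayAuditMultiProjects starts outside the hunk.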
@@ -660,6 +666,53 @@ func TestXrayOfflineDBSyncV3(t *testing.T) {
 assert.ErrorContains(t, err, "Invalid stream type")
 }
 
+func TestXrayAuditJasSimpleJson(t *testing.T) {
+ output := testXrayAuditJas(t, string(utils.SimpleJson), "jas")
+ verifySimpleJsonJasResults(t, output, 9, 7, 2, 1)
+}
+
+func TestXrayAuditJasNoViolationsSimpleJson(t *testing.T) {
+ output := testXrayAuditJas(t, string(utils.SimpleJson), "npm")
+ verifySimpleJsonScanResults(t, output, 2, 0)
+ verifySimpleJsonJasResults(t, output, 0, 0, 0, 1)
+}
+
+func testXrayAuditJas(t *testing.T, format string, project string) string {
+ initXrayTest(t, commands.GraphScanMinXrayVersion)
+ tempDirPath, createTempDirCallback := coretests.CreateTempDirWithCallbackAndAssert(t)
+ defer createTempDirCallback()
+ projectDir := filepath.Join(filepath.FromSlash(tests.GetTestResourcesPath()), filepath.Join("xray", project))
+ // Copy the multi project from the testdata to a temp dir
+ assert.NoError(t, fileutils.CopyDir(projectDir, tempDirPath, true, nil))
+ // Configure a new server named "default"
+ createJfrogHomeConfig(t, true)
+ defer cleanTestsHomeEnv()
+ baseWd, err := os.Getwd()
+ assert.NoError(t, err)
+ chdirCallback := clientTestUtils.ChangeDirWithCallback(t, baseWd, tempDirPath)
+ defer chdirCallback()
+ return xrayCli.WithoutCredentials().RunCliCmdWithOutput(t, "audit", "--format="+format)
+}
+
+func verifySimpleJsonJasResults(t *testing.T, content string, minIacViolations, minSecrets, minApplicable, minNotApplicable int) {
+ var results formats.SimpleJsonResults
+ err := json.Unmarshal([]byte(content), &results)
+ if assert.NoError(t, err) {
+ assert.GreaterOrEqual(t, len(results.Secrets), minSecrets)
+ assert.GreaterOrEqual(t, len(results.Iacs), minIacViolations)
+ var applicableResults, notApplicableResults int
+ for _, vuln := range results.Vulnerabilities {
+ if vuln.Applicable == utils.NotApplicableStringValue {
+ notApplicableResults++
+ } else if vuln.Applicable == utils.ApplicableStringValue {
+ applicableResults++
+ }
+ }
+ assert.GreaterOrEqual(t, applicableResults, minApplicable)
+ assert.GreaterOrEqual(t, notApplicableResults, minNotApplicable)
+ }
+}
+
 func TestCurationAudit(t *testing.T) {
 initXrayTest(t, "")
 tempDirPath, createTempDirCallback := coretests.CreateTempDirWithCallbackAndAssert(t)
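Review bot: The comment `// Copy the multi project from the testdata to a temp dir` in testXrayAuditJas was carried over from TestXrayAuditMultiProjects, but this helper copies a single project directory; `// Copy the project fixture from the testdata to a temp dir` would describe the line. The nested join directly above it is redundant, `projectDir := filepath.Join(filepath.FromSlash(tests.GetTestResourcesPath()), "xray", project)` is equivalent. In verifySimpleJsonJasResults the `if`/`else if` on vuln.Applicable reads more naturally as `switch vuln.Applicable { case utils.NotApplicableStringValue: ... case utils.ApplicableStringValue: ... }`, and the helper would benefit from a doc comment stating that all four counts are lower bounds (every assertion is GreaterOrEqual) so callers do not read them as exact expectations.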