Use CircleCI version 2.1 at the top of your .circleci/config.yml file.

```yaml
version: 2.1
```

Add the `orbs` stanza below your version, invoking the orb:

```yaml
orbs:
  cloudrail: indeni/cloudrail@2.0.2
```

Use `cloudrail` elements in your existing workflows and jobs.

Opt-in to use of uncertified orbs on your organization's Security settings page.
An example where Cloudrail is used to produce a JUnit-formatted output file.

```yaml
version: '2.1'
orbs:
  cloudrail: indeni/cloudrail@2.0.0
jobs:
  some_job_that_creates_a_tf_plan:
    docker:
      - image: hashicorp/terraform:latest
    steps:
      - checkout
      # terraform commands must be wrapped in run steps; a bare command is not a valid CircleCI step
      - run: terraform init
      - run: terraform plan -out terraform.plan
      - persist_to_workspace:
          paths:
            - ./
          root: .
workflows:
  use_cloudrail:
    jobs:
      - some_job_that_creates_a_tf_plan
      - cloudrail/scan_terraform:
          cloud-account-id: '123456789012'
          cloudrail_api_key: CLOUDRAIL_API_KEY
          junit-output: true
          plan_output_file: location_of_tf_plan_file_created_in_previous_job
          pre-steps:
            - some_step_that_loads_tf_directory_and_plan
          requires:
            - some_job_that_creates_a_tf_plan
          tf_directory: directory_where_tf_files_are
```
Simple example where Terraform and Cloudrail are used.

```yaml
version: '2.1'
orbs:
  cloudrail: indeni/cloudrail@2.0.0
jobs:
  some_job_that_creates_a_tf_plan:
    docker:
      - image: hashicorp/terraform:latest
    steps:
      - checkout
      # terraform commands must be wrapped in run steps; a bare command is not a valid CircleCI step
      - run: terraform init
      - run: terraform plan -out terraform.plan
      - persist_to_workspace:
          paths:
            - ./
          root: .
workflows:
  use_cloudrail:
    jobs:
      - some_job_that_creates_a_tf_plan
      - cloudrail/scan_terraform:
          cloud-account-id: '123456789012'
          cloudrail_api_key: CLOUDRAIL_API_KEY
          plan_output_file: /tmp/workspace/terraform.plan
          pre-steps:
            - attach_workspace:
                at: /tmp/workspace
          requires:
            - some_job_that_creates_a_tf_plan
          tf_directory: /tmp/workspace/
```
Job `scan_terraform`: A job for running Cloudrail scanning of a Terraform plan which was created in a previous job.

PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE
---|---|---|---|---
cloud-account-id | The ID of the cloud account you would like to run Cloudrail against. This is generally the same account the Terraform plan was created for. | Yes | - | string
cloudrail_api_key | The name of the environment variable containing the Cloudrail API key to use (the variable's name, not the key value). | Yes | - | env_var_name
execution-source-identifier | An identifier that will be passed to the Cloudrail service to help identify this execution in the web user interface. | No | `$CIRCLE_PROJECT_REPONAME - $CIRCLE_BRANCH - $CIRCLE_BUILD_NUM` | string
junit-output | When set to true, the Cloudrail job will save a JUnit-formatted result output. Any rules set to MANDATE that fail will generate failed tests which are then viewable in the CircleCI Test tab. | No | true | boolean
plan_output_file | The plan file that was created with `terraform plan -out=filename`. | Yes | - | string
tf_directory | The directory where the Terraform code is located; it must have a `.terraform` directory directly inside it (that is, `terraform init` was run there). | Yes | - | string
working_directory | Where the Terraform init was done within the code. | No | ~/project | string
workspace | Where to attach a workspace. This is used to pass a Terraform plan (and any required files) from a previous job into this one. | No | . | string
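The preconditions the parameter table states (a `.terraform` directory inside `tf_directory`, an existing plan file, an API key supplied by environment variable name) and the JUnit gate that the `junit-output` option enables, as an added Python example. This is not the orb's code or Indeni's; the function names, the throwaway workspace layout and the JUnit document are constructed for illustration, and only the standard JUnit `<testcase>`/`<failure>` structure is assumed, not Cloudrail's actual rule names.

```python
"""Preflight checks and JUnit gating around a Cloudrail scan job.

Added example, not the orb's own code. Function names and sample data are
constructed; they mirror the scan_terraform parameter descriptions only.
"""
import os
import tempfile
import xml.etree.ElementTree as ET


def check_scan_parameters(tf_directory, plan_output_file, cloudrail_api_key,
                          cloud_account_id, environ=None):
    """Return a list of problems; an empty list means the scan can proceed.

    cloudrail_api_key is the *name* of the environment variable (the orb's
    env_var_name type), so the secret itself never ends up in the report.
    """
    env = os.environ if environ is None else environ
    problems = []
    if not os.path.isdir(tf_directory):
        problems.append(f"tf_directory does not exist: {tf_directory}")
    elif not os.path.isdir(os.path.join(tf_directory, ".terraform")):
        problems.append(f"no .terraform directory inside {tf_directory}; "
                        "run 'terraform init' there first")
    if not os.path.isfile(plan_output_file):
        problems.append(f"plan_output_file not found: {plan_output_file} "
                        "(create it with 'terraform plan -out=<file>' and "
                        "persist the workspace)")
    if not env.get(cloudrail_api_key):
        problems.append(f"environment variable {cloudrail_api_key} is unset or "
                        "empty (pass the variable's name, not the key value)")
    if not cloud_account_id.strip():
        problems.append("cloud-account-id must not be empty")
    return problems


def mandate_failures(junit_xml):
    """Return the names of failed test cases in a JUnit XML document.

    Only the standard JUnit layout is assumed; a <skipped/> case is not a
    failure, so advisory findings do not block the pipeline.
    """
    root = ET.fromstring(junit_xml)
    failed = []
    for case in root.iter("testcase"):
        if case.find("failure") is not None or case.find("error") is not None:
            failed.append(case.get("name", "<unnamed>"))
    return failed


# Constructed stand-in for the /tmp/junit/cloudrail/results.xml the job writes.
SAMPLE_JUNIT = """<testsuites>
  <testsuite name="cloudrail" tests="3" failures="1">
    <testcase classname="cloudrail" name="example_rule_passes"/>
    <testcase classname="cloudrail" name="example_rule_mandate_failed">
      <failure message="constructed sample: a mandated rule failed"/>
    </testcase>
    <testcase classname="cloudrail" name="example_rule_advisory">
      <skipped/>
    </testcase>
  </testsuite>
</testsuites>
"""


def demo():
    """Build a throwaway workspace and exercise both checks offline."""
    with tempfile.TemporaryDirectory() as ws:
        os.makedirs(os.path.join(ws, ".terraform"))  # as if terraform init ran here
        plan = os.path.join(ws, "terraform.plan")
        with open(plan, "wb") as fh:
            fh.write(b"constructed placeholder plan bytes")
        env = {"CLOUDRAIL_API_KEY": "placeholder-not-a-real-key"}
        complete = check_scan_parameters(ws, plan, "CLOUDRAIL_API_KEY",
                                         "123456789012", env)
        key_unset = check_scan_parameters(ws, plan, "CLOUDRAIL_API_KEY",
                                          "123456789012", {})
    return complete, key_unset, mandate_failures(SAMPLE_JUNIT)


if __name__ == "__main__":
    complete, key_unset, failed = demo()
    print("problems (complete setup):", complete)
    print("problems (key variable unset):", key_unset)
    print("failed mandated rules:", failed)
```

Returning a list of problems rather than raising on the first one lets a pre-step print every misconfiguration at once before the scan job's container time is spent; in a real pipeline the environment is CircleCI's and the XML comes from the file the job stores under `/tmp/junit`.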
```yaml
# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
version: 2.1
description: |
  Scan your Terraform code for security vulnerabilities before applying. With Cloudrail, you catch security mistakes before they ever make it to your cloud environment.
display:
  home_url: https://indeni.com/cloudrail
  source_url: https://github.com/indeni/cloudrail-circleci-orb
executors:
  default:
    docker:
      - image: indeni/cloudrail-cli:latest
jobs:
  scan_terraform:
    description: |
      A job for running Cloudrail scanning of a Terraform plan which was created in a previous job.
    executor: default
    parameters:
      cloud-account-id:
        description: |
          The ID of the cloud account you would like to run Cloudrail against. This is generally the same account the Terraform plan was created for.
        type: string
      cloudrail_api_key:
        description: |
          The name of the environment variable containing the Cloudrail API key to use.
        type: env_var_name
      execution-source-identifier:
        default: $CIRCLE_PROJECT_REPONAME - $CIRCLE_BRANCH - $CIRCLE_BUILD_NUM
        description: |
          An identifier that will be passed to the Cloudrail service to help identify this execution in the web user interface.
        type: string
      junit-output:
        default: true
        description: |
          When set to true, the Cloudrail job will save a JUnit-formatted result output. Any rules set to MANDATE that fail will
          generate failed tests which are then viewable in the CircleCI Test tab.
        type: boolean
      plan_output_file:
        description: |
          The plan file that was created with "terraform plan -out=filename".
        type: string
      tf_directory:
        description: |
          The directory where the Terraform code is located, must have a ".terraform" directory directly inside it (that is - a "terraform init" was run there).
        type: string
      working_directory:
        default: ~/project
        description: |
          Where the Terraform init was done within the code.
        type: string
      workspace:
        default: .
        description: |
          Where to attach a workspace - this is used to pass a Terraform plan (and any required files) from a previous job into this one.
        type: string
    steps:
      - when:
          condition: << parameters.junit-output >>
          steps:
            - run: mkdir -p "/tmp/junit/cloudrail"
      - attach_workspace:
          at: <<parameters.workspace>>
      - run:
          command: |
            cloudrail run --directory "<<parameters.tf_directory>>" --tf-plan "<<parameters.plan_output_file>>" \
              --origin ci --build-link "$CIRCLE_BUILD_URL" --execution-source-identifier "<<parameters.execution-source-identifier>>" \
              --api-key ${<<parameters.cloudrail_api_key>>} --cloud-account-id "<<parameters.cloud-account-id>>" \
              <<# parameters.junit-output >> --output-format junit --output-file /tmp/junit/cloudrail/results.xml <</ parameters.junit-output >> \
              --auto-approve --no-fail-on-service-error
          name: Analyze Terraform plan with Cloudrail
      - when:
          condition: << parameters.junit-output >>
          steps:
            - store_test_results:
                path: /tmp/junit
    working_directory: <<parameters.working_directory>>
examples:
  junit-example:
    description: |
      An example where Cloudrail is used to produce a JUnit-formatted output file.
    usage:
      version: "2.1"
      orbs:
        cloudrail: indeni/cloudrail@2.0.0
      jobs:
        some_job_that_creates_a_tf_plan:
          docker:
            - image: hashicorp/terraform:latest
          steps:
            - checkout
            # terraform commands must be wrapped in run steps; a bare command is not a valid CircleCI step
            - run: terraform init
            - run: terraform plan -out terraform.plan
            - persist_to_workspace:
                paths:
                  - ./
                root: .
      workflows:
        use_cloudrail:
          jobs:
            - some_job_that_creates_a_tf_plan
            - cloudrail/scan_terraform:
                cloud-account-id: "123456789012"
                cloudrail_api_key: CLOUDRAIL_API_KEY
                junit-output: true
                plan_output_file: location_of_tf_plan_file_created_in_previous_job
                pre-steps:
                  - some_step_that_loads_tf_directory_and_plan
                requires:
                  - some_job_that_creates_a_tf_plan
                tf_directory: directory_where_tf_files_are
  simple-example:
    description: |
      Simple example where Terraform and Cloudrail are used.
    usage:
      version: "2.1"
      orbs:
        cloudrail: indeni/cloudrail@2.0.0
      jobs:
        some_job_that_creates_a_tf_plan:
          docker:
            - image: hashicorp/terraform:latest
          steps:
            - checkout
            # terraform commands must be wrapped in run steps; a bare command is not a valid CircleCI step
            - run: terraform init
            - run: terraform plan -out terraform.plan
            - persist_to_workspace:
                paths:
                  - ./
                root: .
      workflows:
        use_cloudrail:
          jobs:
            - some_job_that_creates_a_tf_plan
            - cloudrail/scan_terraform:
                cloud-account-id: "123456789012"
                cloudrail_api_key: CLOUDRAIL_API_KEY
                plan_output_file: /tmp/workspace/terraform.plan
                pre-steps:
                  - attach_workspace:
                      at: /tmp/workspace
                requires:
                  - some_job_that_creates_a_tf_plan
                tf_directory: /tmp/workspace/
```