indeni/cloudrail@2.0.2

Partner
Scan your Terraform code for security vulnerabilities before applying. With Cloudrail, you catch security mistakes before they ever make it to your cloud environment.
Created: November 18, 2020
Version Published: March 19, 2021
Releases: 13
Org Usage: < 25
Categories:

Orb Quick Start Guide

Use CircleCI version 2.1 at the top of your .circleci/config.yml file.

version: 2.1

Add the orbs stanza below your version, invoking the orb:

orbs:
  cloudrail: indeni/cloudrail@2.0.2

Use cloudrail elements in your existing workflows and jobs.

Opt-in to use of uncertified orbs on your organization’s Security settings page.

Usage Examples

junit-example

An example where Cloudrail is used to produce a JUnit-formatted output file.

version: '2.1'
orbs:
  cloudrail: indeni/cloudrail@2.0.0
jobs:
  some_job_that_creates_a_tf_plan:
    docker:
      - image: hashicorp/terraform:latest
    steps:
      - checkout
      # Shell commands must be wrapped in a run: step; a bare string is not a valid CircleCI step.
      - run: terraform init
      - run: terraform plan -out terraform.plan
      - persist_to_workspace:
          paths:
            - ./
          root: .
workflows:
  use_cloudrail:
    jobs:
      - some_job_that_creates_a_tf_plan
      - cloudrail/scan_terraform:
          cloud-account-id: '123456789012'
          # Name of the environment variable holding the key, not the key itself.
          cloudrail_api_key: CLOUDRAIL_API_KEY
          junit-output: true
          plan_output_file: location_of_tf_plan_file_created_in_previous_job
          pre-steps:
            - some_step_that_loads_tf_directory_and_plan
          requires:
            - some_job_that_creates_a_tf_plan
          tf_directory: directory_where_tf_files_are

simple-example

Simple example where Terraform and Cloudrail are used.

version: '2.1'
orbs:
  cloudrail: indeni/cloudrail@2.0.0
jobs:
  some_job_that_creates_a_tf_plan:
    docker:
      - image: hashicorp/terraform:latest
    steps:
      - checkout
      # Shell commands must be wrapped in a run: step; a bare string is not a valid CircleCI step.
      - run: terraform init
      - run: terraform plan -out terraform.plan
      - persist_to_workspace:
          paths:
            - ./
          root: .
workflows:
  use_cloudrail:
    jobs:
      - some_job_that_creates_a_tf_plan
      - cloudrail/scan_terraform:
          cloud-account-id: '123456789012'
          # Name of the environment variable holding the key, not the key itself.
          cloudrail_api_key: CLOUDRAIL_API_KEY
          plan_output_file: /tmp/workspace/terraform.plan
          pre-steps:
            # Pull the plan and the initialized Terraform directory in from the previous job.
            - attach_workspace:
                at: /tmp/workspace
          requires:
            - some_job_that_creates_a_tf_plan
          tf_directory: /tmp/workspace/

Jobs

scan_terraform

A job for running Cloudrail scanning of a Terraform plan which was created in a previous job.

Parameters (name, type, required or optional, default; then the description):

cloud-account-id (string, required, default: -)
  The ID of the cloud account you would like to run Cloudrail against. This is generally the same account the Terraform plan was created for.

cloudrail_api_key (env_var_name, required, default: -)
  The name of the environment variable containing the Cloudrail API key to use.

execution-source-identifier (string, optional, default: $CIRCLE_PROJECT_REPONAME - $CIRCLE_BRANCH - $CIRCLE_BUILD_NUM)
  An identifier that will be passed to the Cloudrail service to help identify this execution in the web user interface.

junit-output (boolean, optional, default: true)
  When set to true, the Cloudrail job will save a JUnit-formatted result output. Any rules set to MANDATE that fail will generate failed tests, which are then viewable in the CircleCI Test tab.

plan_output_file (string, required, default: -)
  The plan file that was created with "terraform plan -out=filename".

tf_directory (string, required, default: -)
  The directory where the Terraform code is located. It must have a ".terraform" directory directly inside it (that is, a "terraform init" was run there).

working_directory (string, optional, default: ~/project)
  Where the Terraform init was done within the code.

workspace (string, optional, default: .)
  Where to attach a workspace. This is used to pass a Terraform plan (and any required files) from a previous job into this one.

Executors

default
  Docker executor using the image indeni/cloudrail-cli:latest (see the orb source below).

Orb Source

# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
version: 2.1
description: |
  Scan your Terraform code for security vulnerabilities before applying. With Cloudrail, you catch security mistakes before they ever make it to your cloud environment.
display:
  home_url: https://indeni.com/cloudrail
  source_url: https://github.com/indeni/cloudrail-circleci-orb
executors:
  default:
    docker:
      - image: indeni/cloudrail-cli:latest
jobs:
  scan_terraform:
    description: |
      A job for running Cloudrail scanning of a Terraform plan which was created in a previous job.
    executor: default
    parameters:
      cloud-account-id:
        description: |
          The ID of the cloud account you would like to run Cloudrail against. This is generally the same account the Terraform plan was created for.
        type: string
      cloudrail_api_key:
        description: |
          The name of the environment variable containing the Cloudrail API key to use.
        type: env_var_name
      execution-source-identifier:
        default: $CIRCLE_PROJECT_REPONAME - $CIRCLE_BRANCH - $CIRCLE_BUILD_NUM
        description: |
          An identifier that will be passed to the Cloudrail service to help identify this execution in the web user interface.
        type: string
      junit-output:
        default: true
        description: |
          When set to true, the Cloudrail job will save a JUnit-formatted result output. Any rules set to MANDATE that fail will generate failed tests, which are then viewable in the CircleCI Test tab.
        type: boolean
      plan_output_file:
        description: |
          The plan file that was created with "terraform plan -out=filename".
        type: string
      tf_directory:
        description: |
          The directory where the Terraform code is located. It must have a ".terraform" directory directly inside it (that is, a "terraform init" was run there).
        type: string
      working_directory:
        default: ~/project
        description: |
          Where the Terraform init was done within the code.
        type: string
      workspace:
        default: .
        description: |
          Where to attach a workspace. This is used to pass a Terraform plan (and any required files) from a previous job into this one.
        type: string
    steps:
      - when:
          condition: << parameters.junit-output >>
          steps:
            - run: mkdir -p "/tmp/junit/cloudrail"
      - attach_workspace:
          at: <<parameters.workspace>>
      - run:
          command: |
            # The API key is read from the environment variable named by the parameter,
            # so the secret itself never appears in config.yml.
            cloudrail run --directory "<<parameters.tf_directory>>" --tf-plan "<<parameters.plan_output_file>>" \
              --origin ci --build-link "$CIRCLE_BUILD_URL" --execution-source-identifier "<<parameters.execution-source-identifier>>" \
              --api-key ${<<parameters.cloudrail_api_key>>} --cloud-account-id "<<parameters.cloud-account-id>>" \
              <<# parameters.junit-output >> --output-format junit --output-file /tmp/junit/cloudrail/results.xml <</ parameters.junit-output >> \
              --auto-approve --no-fail-on-service-error
          name: Analyze Terraform plan with Cloudrail
      - when:
          condition: << parameters.junit-output >>
          steps:
            - store_test_results:
                path: /tmp/junit
    working_directory: <<parameters.working_directory>>
examples:
  junit-example:
    description: |
      An example where Cloudrail is used to produce a JUnit-formatted output file.
    usage:
      version: "2.1"
      orbs:
        cloudrail: indeni/cloudrail@2.0.0
      jobs:
        some_job_that_creates_a_tf_plan:
          docker:
            - image: hashicorp/terraform:latest
          steps:
            - checkout
            # Shell commands must be wrapped in a run: step; a bare string is not a valid CircleCI step.
            - run: terraform init
            - run: terraform plan -out terraform.plan
            - persist_to_workspace:
                paths:
                  - ./
                root: .
      workflows:
        use_cloudrail:
          jobs:
            - some_job_that_creates_a_tf_plan
            - cloudrail/scan_terraform:
                cloud-account-id: "123456789012"
                cloudrail_api_key: CLOUDRAIL_API_KEY
                junit-output: true
                plan_output_file: location_of_tf_plan_file_created_in_previous_job
                pre-steps:
                  - some_step_that_loads_tf_directory_and_plan
                requires:
                  - some_job_that_creates_a_tf_plan
                tf_directory: directory_where_tf_files_are
  simple-example:
    description: |
      Simple example where Terraform and Cloudrail are used.
    usage:
      version: "2.1"
      orbs:
        cloudrail: indeni/cloudrail@2.0.0
      jobs:
        some_job_that_creates_a_tf_plan:
          docker:
            - image: hashicorp/terraform:latest
          steps:
            - checkout
            # Shell commands must be wrapped in a run: step; a bare string is not a valid CircleCI step.
            - run: terraform init
            - run: terraform plan -out terraform.plan
            - persist_to_workspace:
                paths:
                  - ./
                root: .
      workflows:
        use_cloudrail:
          jobs:
            - some_job_that_creates_a_tf_plan
            - cloudrail/scan_terraform:
                cloud-account-id: "123456789012"
                cloudrail_api_key: CLOUDRAIL_API_KEY
                plan_output_file: /tmp/workspace/terraform.plan
                pre-steps:
                  - attach_workspace:
                      at: /tmp/workspace
                requires:
                  - some_job_that_creates_a_tf_plan
                tf_directory: /tmp/workspace/