fix: vault secrets

Signed-off-by: Martin Buchleitner <[email protected]>

.github/workflows/changelog.yml

@@ -11,4 +11,4 @@ jobs:
   changelog-automation:
     uses: ./.github/workflows/changelog-automation.yml
     secrets:
-      BOT_ACCESS_TOKEN: ${{ secrets.BOT_ACCESS_TOKEN }}
+      BOT_ACCESS_TOKEN: "${{ fromJSON(secrets.VAULT_KV_1D187965_OP_GITHUB_INFRALOVERS).PAT }}"

.github/workflows/pr-valid.yml

@@ -21,4 +21,4 @@ jobs:
   pr-validation:
     uses: ./.github/workflows/pr-validation.yml
     secrets:
-      BOT_ACCESS_TOKEN: ${{ secrets.BOT_ACCESS_TOKEN }}
+      BOT_ACCESS_TOKEN: "${{ fromJSON(secrets.VAULT_KV_1D187965_OP_GITHUB_INFRALOVERS).PAT }}"

.github/workflows/terraform-analyse/action.yml

@@ -0,0 +1,50 @@
+---
+
+name: 'Terraform Analyse'
+description: 'analyse terraform code'
+inputs:
+  tfdir:
+    description: 'Directory to scan'
+    required: true
+    default: '.'
+  mondoo_service_account:
+    description: 'Mondoo service account bas64 encoded'
+    required: true
+    default: ''
+outputs: {}
+runs:
+  using: "composite"
+  steps:
+    - name: mondoo terraform hcl scan
+      uses: mondoohq/actions/[email protected]
+      if: always()
+      env:
+          MONDOO_CONFIG_BASE64: ${{ inputs.mondoo_service_account }}
+      with:
+        path: ${{ inputs.tfdir }}
+        output: 'summary'
+
+    - name: kics scan
+      uses: checkmarx/kics-github-action@v2
+      if: always()
+      with:
+        path: ${{ inputs.tfdir }}
+        output_formats: "json"
+
+    - name: trivy scan
+      uses: aquasecurity/trivy-action@master
+      if: always()
+      with:
+        scan-type: 'fs'
+        scan-ref: ${{ inputs.tfdir }}
+        scanners: 'vuln,misconfig'
+        format: 'table'
+
+    - name: checkov scan
+      uses: bridgecrewio/checkov-action@v12
+      if: always()
+      with:
+        directory: ${{ inputs.tfdir }}
+        output_format: cli,sarif
+        quiet: false
+        skip_path: 'policies' # incorrect hcl handling in checkov

.github/workflows/terratest.yml

@@ -0,0 +1,32 @@
+---
+name: Analyze Terraform
+
+on:
+    workflow_call:
+        inputs:
+            tfdir:
+                description: 'Terraform directory to analyze'
+                required: true
+                default: '.'
+                type: string
+
+jobs:
+
+    terratest:
+        runs-on: ubuntu-latest
+
+        steps:
+        - name: Checkout repository
+          uses: actions/checkout@v4
+
+        - name: Check if ${{ inputs.tfdir }} changed
+          id: detect
+          uses: tj-actions/changed-files@v44
+          with:
+            path: ${{ inputs.tfdir }}
+
+        - name: Run Terratest
+          uses: cloudposse/github-action-terratest@main
+          if: steps.detect.outputs.all_changed_files != '' || github.event_name == 'workflow_dispatch'
+          with:
+            sourceDir: ${{ inputs.tfdir }}

.github/workflows/tf-analyise.yml

@@ -0,0 +1,36 @@
+---
+name: Analyze Terraform
+
+on:
+    workflow_call:
+      inputs:
+          tfdir:
+              description: 'Terraform directory to analyze'
+              required: true
+              default: '.'
+              type: string
+      secrets:
+         MONDOO_SERVICE_ACCOUNT:
+            description: 'Mondoo Service Account'
+            required: true
+jobs:
+
+    analyze_tf:
+        runs-on: ubuntu-latest
+
+        steps:
+            - name: Checkout repository
+              uses: actions/checkout@v4
+
+            - name: Check if ${{ inputs.tfdir }} changed
+              id: detect
+              uses: tj-actions/changed-files@v44
+              with:
+                path: ${{ inputs.tfdir }}
+
+            - name: run terraform anlysis
+              if: ( steps.detect.outputs.all_changed_files != '' && always() ) || ( github.event_name == 'workflow_dispatch' && always() )
+              uses: ./.github/workflows/terraform-analyse
+              with:
+                tfdir: ${{ inputs.tfdir }}
+                mondoo_service_account: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}