From 7d0ac3a502cac0783a631149b2047e4c7e827bb7 Mon Sep 17 00:00:00 2001
From: Jashwanth
Date: Thu, 25 Jun 2026 19:29:37 +0530
Subject: [PATCH 1/4] feat: add TerraSecure IaC scanning workflow
---
 .github/workflows/terrasecure-scan.yml | 55 ++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 .github/workflows/terrasecure-scan.yml
diff --git a/.github/workflows/terrasecure-scan.yml b/.github/workflows/terrasecure-scan.yml
new file mode 100644
index 0000000..3a3f17a
--- /dev/null
+++ b/.github/workflows/terrasecure-scan.yml
@@ -0,0 +1,55 @@
+name: TerraSecure IaC Security Scan
+# only runs when infra code changes.
+# this is separate from app build/test workflows.
+on:
+ push:
+ branches: [main, develop]
+ paths:
+ - 'infra/terraform/**'
+ - '.github/workflows/terrasecure-scan.yml'
+ pull_request:
+ branches: [main, develop]
+ paths:
+ - 'infra/terraform/**'
+ workflow_dispatch: {}
+
+permissions:
+ contents: read
+ security-events: write
+
+concurrency:
+ group: terrasecure-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ terrasecure-scan:
+ name: Scan infra/terraform with TerraSecure
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Run TerraSecure
+ uses: JashwanthMU/TerraSecure@v2.0.0
+ with:
+ path: 'infra/terraform'
+ format: 'sarif'
+ fail-on: 'high'
+ upload-sarif: 'true'
+
+ - name: Re-run for human-readable JSON artifact
+ if: always()
+ uses: JashwanthMU/TerraSecure@v2.0.0
+ with:
+ path: 'infra/terraform'
+ format: 'json'
+ fail-on: 'none'
+ upload-sarif: 'false'
+
+ - name: Upload JSON scan report as artifact
+ if: always()
+ uses: actions/upload-artifact@v4
+ with:
+ name: terrasecure-report
+ path: '**/report.json'
+ retention-days: 30
\ No newline at end of file
From 5596b73841fd97643e1870773d96d9475bbfb5f4 Mon Sep 17 00:00:00 2001
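Review bot: Both `uses: JashwanthMU/TerraSecure@v2.0.0` lines reference a third-party action by a mutable tag, and the first invocation (`upload-sarif: 'true'`) presumably runs with the job's `security-events: write` token to push results itself, so whoever can move that tag can execute arbitrary code in this job and write to the repository's code-scanning data. Pin it to a full commit SHA and keep the version as a trailing comment, `uses: JashwanthMU/TerraSecure@<full-commit-sha> # v2.0.0`, and apply the same to `actions/checkout@v4` and `actions/upload-artifact@v4` if the repository's policy requires SHA pinning. The artifact step's `path: '**/report.json'` is a workspace-wide glob, so it would also publish any `report.json` that happens to be checked into the repository rather than only the scanner's output; an explicit output path is safer.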
From: Jashwanth
Date: Thu, 25 Jun 2026 19:56:04 +0530
Subject: [PATCH 2/4] added a error free Iac tool scaning
---
 .github/workflows/terrasecure-scan.yml | 38 +++++++++++++++-----------
 1 file changed, 22 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/terrasecure-scan.yml b/.github/workflows/terrasecure-scan.yml
index 3a3f17a..8d2565e 100644
--- a/.github/workflows/terrasecure-scan.yml
+++ b/.github/workflows/terrasecure-scan.yml
@@ -1,6 +1,4 @@
 name: TerraSecure IaC Security Scan
-# only runs when infra code changes.
-# this is separate from app build/test workflows.
 on:
 push:
 branches: [main, develop]
@@ -11,11 +9,12 @@ on:
 branches: [main, develop]
 paths:
 - 'infra/terraform/**'
- workflow_dispatch: {}
+ - '.github/workflows/terrasecure-scan.yml'
+ workflow_dispatch: {}
 permissions:
 contents: read
- security-events: write
+ security-events: write
 concurrency:
 group: terrasecure-${{ github.ref }}
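Review bot: The `pull_request` trigger is kept next to `security-events: write`, but for pull requests from forks GitHub hands the job a read-only `GITHUB_TOKEN` regardless of the `permissions:` block, so the SARIF upload this workflow depends on would fail on exactly those PRs if the repository accepts fork contributions. If it does, gate the upload step with a condition such as `if: always() && github.event.pull_request.head.repo.full_name == github.repository`, or upload only on `push` events and let PR runs rely on the job status and the JSON artifact. The removed and re-added `workflow_dispatch: {}` and `security-events: write` lines appear identical apart from whitespace in this collapsed hunk, so I cannot confirm what the indentation fix was; a `yamllint` run on the result before merge would settle it.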
@@ -29,27 +28,34 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v4
- - name: Run TerraSecure
+ - name: Run TerraSecure (SARIF)
 uses: JashwanthMU/TerraSecure@v2.0.0
 with:
- path: 'infra/terraform'
+ path: '${{ github.workspace }}/infra/terraform'
 format: 'sarif'
- fail-on: 'high'
- upload-sarif: 'true'
+ output: '${{ github.workspace }}/terrasecure-results.sarif'
+ fail-on: 'critical'
+
+ - name: Upload SARIF to GitHub Security tab
+ if: always()
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: '${{ github.workspace }}/terrasecure-results.sarif'
- - name: Re-run for human-readable JSON artifact
- if: always()
+ - name: Run TerraSecure (JSON report)
+ if: always()
+ continue-on-error: true
 uses: JashwanthMU/TerraSecure@v2.0.0
 with:
- path: 'infra/terraform'
+ path: '${{ github.workspace }}/infra/terraform'
 format: 'json'
- fail-on: 'none'
- upload-sarif: 'false'
- - name: Upload JSON scan report as artifact
+ output: '${{ github.workspace }}/terrasecure-report.json'
+ fail-on: 'critical'
+
+ - name: Upload JSON report artifact
 if: always()
 uses: actions/upload-artifact@v4
 with:
 name: terrasecure-report
- path: '**/report.json'
+ path: '${{ github.workspace }}/terrasecure-report.json'
 retention-days: 30
\ No newline at end of file
From ae1bd9517868c5f214cf4359e75968f9986b6a1a Mon Sep 17 00:00:00 2001
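Review bot: The SARIF step's gate is loosened from `fail-on: 'high'` to `fail-on: 'critical'`, so high-severity Terraform findings now only appear in the Security tab and no longer fail the push or PR; given the commit subject this looks like the threshold was lowered to get a green run rather than after triage, and I would keep `fail-on: 'high'` or at least record the exception in a comment such as `# temporarily critical-only; restore 'high' once the existing findings are triaged`. The JSON step pairs `continue-on-error: true` with `fail-on: 'critical'`, which is contradictory: `continue-on-error` keeps the job green on a non-zero exit, so the threshold has no effect there and `fail-on: 'none'` states the intent more honestly. The upload step's `if: always()` also runs when the scanner crashed before writing `terrasecure-results.sarif` and then produces a second, noisier failure on the missing file; `if: ${{ !cancelled() && hashFiles('terrasecure-results.sarif') != '' }}` only uploads when there is something to upload. `JashwanthMU/TerraSecure@v2.0.0` and `github/codeql-action/upload-sarif@v3` remain tag-pinned; pinning to full commit SHAs is the supply-chain fix that still applies here.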
From: Jashwanth
Date: Fri, 26 Jun 2026 11:22:52 +0530
Subject: [PATCH 3/4] =?UTF-8?q?feat:=20ArgoCD=20GitOps=20setup=20=E2=80=94?=
 =?UTF-8?q?=20Week=2010?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- k8s/argocd/namespace.yaml: argocd namespace
- k8s/argocd/crms-application.yaml: ArgoCD Application CRD
- source: github.com/crms-devops/crms main branch k8s/base/
- auto-sync enabled: prune + selfHeal
- CreateNamespace: true
- docs/week-10-argocd-setup.md: setup guide
GitOps flow: push to GitHub → ArgoCD auto-deploys to EKS
---
 docs/week-10-notes.md | 41 ++++++++++++++++++++++++++++++++
 k8s/argocd/crms-application.yaml | 23 ++++++++++++++++++
 k8s/argocd/namespace.yaml | 6 +++++
 3 files changed, 70 insertions(+)
 create mode 100644 docs/week-10-notes.md
 create mode 100644 k8s/argocd/crms-application.yaml
 create mode 100644 k8s/argocd/namespace.yaml
diff --git a/docs/week-10-notes.md b/docs/week-10-notes.md
new file mode 100644
index 0000000..98a8f7f
--- /dev/null
+++ b/docs/week-10-notes.md
@@ -0,0 +1,41 @@
+# Week 10 — ArgoCD GitOps Setup
+
+## What ArgoCD does
+ArgoCD watches your GitHub repo. When anything in k8s/base/ changes,
+it automatically applies those changes to the EKS cluster.
+No more manual kubectl apply.
+
+## To Install ArgoCD
+winget install -e --id argoproj.argocd
+
+The official Argo CD CLI documentation also lists WinGet as a supported installation method.
+
+## I got this!!
+PS C:\Projects\crms> argocd version --client
+argocd: v3.4.4+443415b
+ BuildDate: 2026-06-18T09:15:00Z
+ GitCommit: 443415b5527ac55366e0760c93ef0e1abd0cf273
+ GitTreeState: clean
+ GoVersion: go1.26.0
+ Compiler: gc
+ Platform: windows/amd64
+
+## Install ArgoCD on cluster
+kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
+
+## Access ArgoCD UI
+kubectl port-forward svc/argocd-server -n argocd 8080:443
+
+## Get initial admin password
+kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
+
+## Deploy CRMS Application
+kubectl apply -f k8s/argocd/crms-application.yaml
+
+## GitOps flow after setup
+1. Developer pushes code to GitHub
+2. GitHub Actions builds new Docker image, pushes to GHCR
+3. GitHub Actions updates image tag in k8s/base/backend-deployment.yaml
+4. ArgoCD detects change in Git
+5. ArgoCD automatically syncs to EKS cluster
+6. New pods roll out with zero downtime
\ No newline at end of file
diff --git a/k8s/argocd/crms-application.yaml b/k8s/argocd/crms-application.yaml
new file mode 100644
index 0000000..3be9b98
--- /dev/null
+++ b/k8s/argocd/crms-application.yaml
@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: crms
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/crms-devops/crms.git
+ targetRevision: main
+ path: k8s/base
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: crms
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ApplyOutOfSyncOnly=true
\ No newline at end of file
diff --git a/k8s/argocd/namespace.yaml b/k8s/argocd/namespace.yaml
new file mode 100644
index 0000000..28e81d7
--- /dev/null
+++ b/k8s/argocd/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: argocd
+ labels:
+ app: argocd
\ No newline at end of file
From e67d1363ac4786671ae575e090a07461cbdf96ea Mon Sep 17 00:00:00 2001
From: Jashwanth
Date: Fri, 26 Jun 2026 12:43:30 +0530
Subject: [PATCH 4/4] =?UTF-8?q?chore:=20disable=20TerraSecure=20auto-trigg?=
 =?UTF-8?q?er=20=E2=80=94=20re-enable=20in=20Phase=202=20DevSecOps?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Keeping workflow file for Phase 2 DevSecOps integration. Manual trigger only until full 19-gate pipeline is implemented.
---
 .github/workflows/terrasecure-scan.yml | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)
diff --git a/.github/workflows/terrasecure-scan.yml b/.github/workflows/terrasecure-scan.yml
index 8d2565e..c45a6ff 100644
--- a/.github/workflows/terrasecure-scan.yml
+++ b/.github/workflows/terrasecure-scan.yml
@@ -1,16 +1,6 @@
 name: TerraSecure IaC Security Scan
 on:
- push:
- branches: [main, develop]
- paths:
- - 'infra/terraform/**'
- - '.github/workflows/terrasecure-scan.yml'
- pull_request:
- branches: [main, develop]
- paths:
- - 'infra/terraform/**'
- - '.github/workflows/terrasecure-scan.yml'
- workflow_dispatch: {}
+ workflow_dispatch:
 permissions:
 contents: read
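Review bot: The Application is bound to the built-in `project: default`, which, unless it has been tightened out of band, permits any source repository, any destination cluster and namespace, and cluster-scoped resources; combined with `automated` sync (`prune: true`, `selfHeal: true`) off `targetRevision: main`, anything that lands on `main` under `k8s/base` — including the image-tag commits the accompanying notes say GitHub Actions will push — is applied to the cluster with no human step in between. Create a dedicated AppProject that allows only `https://github.com/crms-devops/crms.git` as a source and only the `crms` namespace on the in-cluster server as a destination, reference it here with `project: crms`, and make `main` a protected branch so the CI bot's write access cannot be turned into arbitrary cluster changes. `prune: true` also deletes live resources that disappear from Git, so a bad commit can remove running workloads; that is the intended GitOps behaviour, but it deserves a comment above `syncPolicy` such as `# prune+selfHeal: Git is authoritative; resources removed from k8s/base are deleted from the cluster`. The AppProject below is a new sibling file, not a rewrite of this hunk.
```yaml
# k8s/argocd/crms-project.yaml — restricts what the crms Application may sync
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: crms
  namespace: argocd
spec:
  sourceRepos:
    - https://github.com/crms-devops/crms.git
  destinations:
    - server: https://kubernetes.default.svc
      namespace: crms
  clusterResourceWhitelist:
    - group: ''
      kind: Namespace  # cluster-scoped; allowed so CreateNamespace=true can create crms
```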
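Review bot: Replacing the `push` and `pull_request` triggers with a bare `workflow_dispatch:` means nothing scans `infra/terraform` changes automatically from this commit on, and the Security-tab results will silently go stale; the commit message explains why, but the file itself does not, so the next reader may read the missing triggers as an accident. Put the reason next to the trigger, e.g. `# Auto-triggers disabled until the Phase 2 DevSecOps pipeline lands; run manually from the Actions tab.`. If the motivation was the blocking gate rather than the scan itself — which I am inferring from the subject line, not from the hunk — keeping the `pull_request` trigger with `fail-on: 'none'` would preserve visibility on PRs without failing them. The `paths` filters dropped here are worth keeping in a comment too, so they can be restored verbatim when the triggers come back.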