mboisson · mboisson · Jun 12, 2025 · Mar 18, 2025 · Mar 26, 2025 · Mar 27, 2025
diff --git a/.github/actions/test_provider/action.yaml b/.github/actions/test_provider/action.yaml
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
diff --git a/.github/workflows/mkdocs_test.yml b/.github/workflows/mkdocs_test.yml
@@ -1,6 +1,13 @@
 # documentation: https://help.github.com/en/articles/workflow-syntax-for-github-actions
 name: build documentation
-on: [push, pull_request]
+on:
+  push:
+    paths:
+      - docs/*
+  pull_request:
+    paths:
+      - docs/*
+
 # Declare default permissions as read only.
 permissions: read-all
 jobs:

diff --git a/.github/workflows/mlc_config.json b/.github/workflows/mlc_config.json
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -10,16 +10,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@main
+        uses: actions/checkout@v4
 
       - name: Retrieve tag name
         id: tag_name
         run: |
           echo ::set-output name=SOURCE_TAG::${GITHUB_REF#refs/tags/}
 
-      - uses: hashicorp/setup-terraform@v1
+      - uses: hashicorp/setup-terraform@v3
         with:
-          terraform_version: 1.4.0
+          terraform_version: 1.5.7
 
       - name: Create tarballs and zips
         if: startsWith(github.ref, 'refs/tags/')

diff --git a/.github/workflows/spelling.yaml b/.github/workflows/spelling.yaml
@@ -12,9 +12,9 @@ jobs:
   codespell:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@master
-    - uses: codespell-project/actions-codespell@master
+    - uses: actions/checkout@v4
+    - uses: codespell-project/actions-codespell@v2.1
       with:
         check_filenames: true
-        ignore_words_list: keypair
+        ignore_words_list: keypair, te
         only_warn: 1
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -3,78 +3,157 @@ name: Validate Terraform code
 on:
   push:
     branches:
-      - '*'
+      - main
+    paths:
+      - aws/*
+      - azure/*
+      - common/*
+      - dns/*
+      - examples/*
+      - openstack/*
+      - ovh/*
+      - .github/workflows/test.yaml
   pull_request:
     branches:
       - main
+    paths:
+      - aws/*
+      - azure/*
+      - common/*
+      - dns/*
+      - examples/*
+      - openstack/*
+      - ovh/*
+      - .github/workflows/test.yaml
 
 jobs:
-  test:
-    env:
-      TF_VERSION: 1.4.0
-
+  validate_cloud_providers:
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        provider: ['aws', 'azure', 'gcp', 'openstack', 'ovh']
+    steps:
+      - uses: actions/checkout@v4
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "1.5.7"
+      - run: terraform -chdir=${{ matrix.provider }} init
+      - run: terraform -chdir=${{ matrix.provider }} validate
 
+  validate_dns_providers:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        provider: ['cloudflare', 'gcloud', 'txt']
     steps:
       - name: Checkout code
-        uses: actions/checkout@main
-
-      - name: Cache Terraform
-        id: cache-terraform
-        uses: actions/cache@v4
+        uses: actions/checkout@v4
+      - uses: hashicorp/setup-terraform@v3
         with:
-          path: ~/bin
-          key: terraform-${{ env.TF_VERSION }}
+          terraform_version: "1.5.7"
+      - run: terraform -chdir=dns/${{ matrix.provider }} init
+      - run: terraform -chdir=dns/${{ matrix.provider }} validate
 
-      - name: Download terraform
-        if: steps.cache-terraform.outputs.cache-hit != 'true'
-        run: |
-          mkdir -p "${HOME}/bin"
-          curl -sSL -o terraform.zip "https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip"
-          unzip terraform.zip
-          mv -v terraform "${HOME}/bin/terraform"
-          ~/bin/terraform version
-
-      - name: Create SSH keys
-        run: |
-          ssh-keygen -b 2048 -t rsa -q -N "" -f ~/.ssh/id_rsa
-
-      - name: Test AWS
-        uses: ./.github/actions/test_provider
+  validate_examples:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        example:
+          - aws
+          - azure
+          - gcp
+          - openstack
+          - ovh
+          # - advanced/spot_instances/aws
+    steps:
+      - uses: actions/checkout@v4
+      - uses: hashicorp/setup-terraform@v3
         with:
-          path: ~/bin
-          provider: 'aws'
+          terraform_version: "1.5.7"
+      - name: Generate an SSH key
+        run: ssh-keygen -b 2048 -t rsa -q -N "" -f ~/.ssh/id_rsa
+      - run: sed -i "s;git::${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git//;../../;g" examples/${{ matrix.example }}/main.tf;
+      - run: terraform -chdir=examples/${{ matrix.example }} init
+      - run: terraform -chdir=examples/${{ matrix.example }} validate
 
-      - name: Test Azure
-        uses: ./.github/actions/test_provider
+  validate_advanced_examples:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        example:
+          - spot_instances/aws
+          - spot_instances/azure
+          - spot_instances/gcp
+          - basic_puppet/openstack
+          - elk/openstack
+          - k8s/openstack
+          - lustre/openstack
+          - spark/openstack
+    steps:
+      - uses: actions/checkout@v4
+      - uses: hashicorp/setup-terraform@v3
         with:
-          path: ~/bin
-          provider: 'azure'
+          terraform_version: "1.5.7"
+      - name: Generate an SSH key
+        run: ssh-keygen -b 2048 -t rsa -q -N "" -f ~/.ssh/id_rsa
+      - run: sed -i "s;git::${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git//;../../../../;g" examples/advanced/${{ matrix.example }}/main.tf;
+      - run: terraform -chdir=examples/advanced/${{ matrix.example }} init
+      - run: terraform -chdir=examples/advanced/${{ matrix.example }} validate
 
-      - name: Test GCP
-        uses: ./.github/actions/test_provider
-        with:
-          path: ~/bin
-          provider: 'gcp'
+  trivy-vuln-scan:
+    name: Running Trivy Scan
+    runs-on: ubuntu-latest
+    needs: [validate_cloud_providers, validate_examples]
+    steps:
+      - uses: actions/checkout@v4
 
-      - name: Test OpenStack
-        uses: ./.github/actions/test_provider
-        with:
-          path: ~/bin
-          provider: 'openstack'
+      - name: Resolve symbolic links and fix source
+        run: |
+          rm {aws,azure,gcp,openstack}/{outputs.tf,variables.tf}
+          for cloud in aws azure gcp openstack; do
+            cp common/outputs.tf common/variables.tf $cloud/;
+          done
+          sed -i 's;git::https://github.com/ComputeCanada/magic_castle.git//;../../;g' examples/*/*.tf
 
-      - name: Test OVH
-        uses: ./.github/actions/test_provider
+      - name: Manual Trivy Setup
+        uses: aquasecurity/setup-trivy@v0.2.2
         with:
-          path: ~/bin
-          provider: 'ovh'
+          version: v0.61.1
+          cache: true
+
+      - name: Run Trivy on providers
+        run: trivy config --misconfig-scanners terraform --tf-exclude-downloaded-modules --skip-dirs examples/advanced --format json -o trivy-results.json .
 
-      - name: Test CloudFlare DNS
+      - name: Convert Trivy JSON output to SARIF and filter duplicated results
         run: |
-          ~/bin/terraform -chdir=dns/cloudflare init
-          ~/bin/terraform -chdir=dns/cloudflare validate
+          trivy convert --format sarif trivy-results.json --output trivy-results.sarif
+          # When converting from JSON to SARIF, some information, like origin of the misconfiguration, is lost.
+          # The lost information results in duplicated issues. We filter these issues with jq and create a new
+          # sarif file that will be uploaded to the security tab.
+          jq 'reduce .runs[0].results[] as $a ([]; if IN(.[]; $a) then . else . += [$a] end)' trivy-results.sarif > trivy-results-filtered.sarif
+          jq ".runs[0].results |= $(cat trivy-results-filtered.sarif)" trivy-results.sarif > trivy-results-final.sarif
+          mv trivy-results-final.sarif trivy-results.sarif
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "trivy-results.sarif"
 
-      - name: Test Google Cloud DNS
+      - name: Publish Trivy Output to Summary
         run: |
-          ~/bin/terraform -chdir=dns/gcloud init
-          ~/bin/terraform -chdir=dns/gcloud validate
+          if [[ -s trivy-results.json ]]; then
+          {
+            echo "### Trivy Misconfiguration Scan Output"
+            echo "<details><summary>Click to expand</summary>"
+            echo ""
+            echo '```console'
+            echo '$ trivy config --misconfig-scanners terraform --tf-exclude-downloaded-modules --skip-dirs examples/advanced .'
+            trivy convert --format table trivy-results.json
+            echo '```'
+            echo "</details>"
+          } >> $GITHUB_STEP_SUMMARY
+          fi
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,6 @@
+# Some instance should have public ip addresses
+AVD-GCP-0031
+
+# Magic Castle does not handle VPC flow logs
+AVD-GCP-0029
+AVD-AWS-0178
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,29 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## [14.3.0] 2025-05-22
+
+### Added
+- [github] Added Trivy misconfiguration scan of Terraform code (PR #355)
+- [github] Added advanced examples to validation in CI/CD (PR #358)
+
+### Changed
+
+- [dns] The default list of vhost subdomains has been replaced by a `["*"]`.
+This simplifies configuration of new virtual hosts in the reverse proxy. (PR #347)
+- [common] Made sure ssh keys do not have whitespace prefix or suffix (PR #350)
+- [aws] Reduced choices of availablity zones in AWS (PR #351)
+- [common] Bumped terraform minimum version to 1.5.7
+- [common] Improved instance root disk size computation and warnings (PR #353)
+- [github] Modernized github workflows (PR #356)
+- [common] Made `count` optional in validation (PR #357)
+- [cloud-init] Enabled puppet prometheus reporting (PR #349)
+- [cloud-init] Moved puppet server inclusion in /etc/hosts to earlier steps
+
+### Removed
+
+- [aws] Removed key pair resource (PR #359)
+
 ## [14.2.1] 2025-02-21
 
 No changes to infrastructure code.
@@ -19,7 +42,7 @@ Refer to [puppet-magic_castle changelog](https://github.com/ComputeCanada/puppet
 
 - Generalized definition of instance's specs (PR #341)
 - Made tf user a system user (PR #343)
-- Splited sshd config so that Match directives are in their own files (PR #345)
+- Split sshd config so that Match directives are in their own files (PR #345)
 
 ## [14.1.3] 2025-01-29
 

diff --git a/README.md b/README.md
@@ -12,7 +12,7 @@ From these new possibilities emerged an open-source software project named Magic
 
 ## Setup
 
-- Install [Terraform](https://releases.hashicorp.com/terraform/) (>= 1.4.0)
+- Install [Terraform](https://releases.hashicorp.com/terraform/) (>= 1.5.7)
 - Download the [latest release of Magic Castle](https://github.com/ComputeCanada/magic_castle/releases) for the cloud provider you wish to use.
 - Uncompress the release
 - Follow the instructions