diff --git a/README.md b/README.md index b4e54d0..401a7b6 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,7 @@ Migrate workloads from other platforms to [StackGuardian Platform](https://app.s - [sg-cli](https://github.com/StackGuardian/sg-cli/tree/main/shell) ### Perform terraform login + Perform `terraform login` to ensure that your local Terraform can interact with your Terraform Cloud/Enterprise account. ### Export the resource definitions and Terraform state @@ -37,8 +38,11 @@ terraform apply -auto-approve -var-file=terraform.tfvars A new `export` folder should have been created. The `sg-payload.json` file contains the definition for each workflow that will be created for each Terraform Workspace, and the `states` folder contains the files for the Terraform state for each of your workspaces, if the state export was enabled. After completing the export , edit the `sg-payload.json` file to provide tune each workflow configuration with the following: -### Use the example_payload.jsonc file as a reference and edit the schema of the `sg-payload.json` + +### Use the example_payload.jsonc file as a reference and edit the schema of the `sg-payload.json` + - `DeploymentPlatformConfig` - This is used to authenticate against a cloud provider using a StackGuardian Integration. Create the relevant integration in StackGuardian platform and update `DeploymentPlatformConfig.kind` from the following "AZURE_STATIC", "AWS_STATIC","GCP_STATIC", "AWS_RBAC". Update `DeploymentPlatformConfig.config.integrationId` with "/integrations/INTEGRATION_NAME" and `DeploymentPlatformConfig.config.profileName` with the name of the integration used upon creation. + ``` DeploymentPlatformConfig: [ { 
@@ -50,27 +54,27 @@ After completing the export , edit the `sg-payload.json` file to provide tune ea } ] ``` + - `VCSConfig` - Provide full path to the `repo` like as well the relevant `sourceConfigDestKind` from the following "GITHUB_COM", "BITBUCKET_ORG", "GITLAB_COM", "AZURE_DEVOPS" - - `config.auth` - - `config.isPrivate` - + - `config.auth` + - `config.isPrivate` - `ResourceName` - name of your StackGuardian Workflow - `wfgrpName` - this corresponds to the labelling of workflow group name in the StackGuardian platform - `Description` - description for the workflows created in the StackGuardian platform -- `Tags` - list of tags for the workflows created in the StackGuardian platform +- `Tags` - list of tags for the workflows created in the StackGuardian platform - `EnvironmentVariables` - environment variables for the workflows created in the StackGuardian platform - `RunnerConstraints` - Runner description for the workflows in the StackGuardian platform - - Private runners - ``` - "RunnerConstraints": { - "type": "private", - "names": [ - "sg-runner" - ] - }``` - - Shared runners - ``` - "RunnerConstraints": { - "type": "shared" - }``` + - Private runners - ` +"RunnerConstraints": { + "type": "private", + "names": [ + "sg-runner" + ] +}` + - Shared runners - ` +"RunnerConstraints": { + "type": "shared" +}` - `Approvers` - Approvers for the workflow to run it successfully - `TerraformConfig` - Terraform configuration for the workflows created in the StackGuardian platform - `UserSchedules` - Scheduled workflow run configuration for the workflow in the StackGuardian platform 
@@ -80,7 +84,10 @@ After completing the export , edit the `sg-payload.json` file to provide tune ea - Fetch [sg-cli](https://github.com/StackGuardian/sg-cli.git) and set it up locally (documentation present in repo) - Run the following commands and pass the `sg-payload.json` as payload (represented below) -- Get your SG API Key here: https://app.stackguardian.io/orchestrator/orgs//settings?tab=api_key +- Get your SG API Key here: + - Login to Stackguardian. + - Go to profile at the bottom left. Click on the eamil or the username. + - Click API key and click on view. ```shell cd ../../export @@ -92,6 +99,16 @@ wget -q "$(wget -qO- "https://api.github.com/repos/stackguardian/sg-cli/releases ``` if you want to update a workflow with different details, please re-run the sg-cli command with the modified sg-payload.json and your workflow will be updated with the new details, as long as the ResourceName (Workflow name) remains the same. + ```shell ./sg-cli workflow create --bulk --org "" -- sg-payload.json ``` + +## Convert hcl variables to json + +HCL variables in terraform cloud appear as strings in sg-payload.json, which needs to be converted to json.
+It will change the file input file in place so that none of the other steps need any change. + +```shell +./convert_hcl_to_json.sh +``` diff --git a/convert_hcl_to_json.sh b/convert_hcl_to_json.sh new file mode 100755 index 0000000..f2dcf6e --- /dev/null +++ b/convert_hcl_to_json.sh 
@@ -0,0 +1,119 @@ +#!/bin/bash + +install_jq(){ + OS=$(uname -s) + if [[ "$OS" == "Darwin" ]]; then + OS="macos" + elif [[ "$OS" == "Linux" ]]; then + OS="linux" + else + echo "Unsupported OS: $OS" + exit 1 + fi + + ARCH=$(uname -m) + + JQ_BIN="/tmp/jq" + url="https://github.com/jqlang/jq/releases/download/jq-1.8.1/jq-${OS}-${ARCH}" + curl -L -o $JQ_BIN $url + chmod +x $JQ_BIN + +} + +install_hcl2json(){ + OS=$(uname -s) + if [[ "$OS" == "Darwin" ]]; then + OS="darwin" + elif [[ "$OS" == "Linux" ]]; then + OS="linux" + else + echo "Unsupported OS: $OS" + exit 1 + fi + + ARCH=$(uname -m) + + HCL2JSON_BIN="/tmp/hcl2json" + + url="https://github.com/tmccombs/hcl2json/releases/download/v0.6.7/hcl2json_${OS}_${ARCH}" + echo $url + curl -L -o $HCL2JSON_BIN $url + chmod +x $HCL2JSON_BIN +} + + +INPUT_FILE_JSON="$1" +if [ -z "$INPUT_FILE_JSON" ]; then + echo "Usage: $0 " + exit 1 +fi + +install_jq +install_hcl2json + +# Read entire JSON array into a variable +json_data=$(cat "$INPUT_FILE_JSON") + +# Use jq to get the length of array +length=$($JQ_BIN length <<<"$json_data") + +# Create a temporary file to store updated objects +tmpfile=$(mktemp) + +for ((i=0; i> "$tmpfile" + + continue + fi + + # Initialize new_val as empty object + new_val="{}" + + # Loop over key-value pairs in val + keys=$($JQ_BIN -r 'keys[]' <<<"$val") + for key in $keys; do + # Get the string value for the key + value=$($JQ_BIN --arg k "$key" '.[$k]' <<<"$val" | sed 's/\\"/"/g') + value="${value%\"}" + value="${value#\"}" + value="temp = $value" + + # Heuristic: if value contains '=', treat as HCL string + if [[ "$value" == *"="* ]]; then + # Convert HCL to JSON using hcl2json + parsed=$(echo -e "$value" | $HCL2JSON_BIN | $JQ_BIN -c '.temp') + if [[ $? -eq 0 && "$parsed" != "" ]]; then + # Add parsed json as the key's value + new_val=$($JQ_BIN --arg k "$key" --argjson v "$parsed" '. 
+ {($k): $v}' <<<"$new_val") + else + # If parse fails, keep original string + echo "parsing failed: $value" + new_val=$($JQ_BIN --arg k "$key" --arg v "$value" '. + {($k): $v}' <<<"$new_val") + fi + else + # Not HCL, keep as string + new_val=$($JQ_BIN --arg k "$key" --arg v "$value" '. + {($k): $v}' <<<"$new_val") + fi + done + + # Update the object by assigning new_val back at JSON_PATH + updated_obj=$($JQ_BIN --argjson nv "$new_val" "$JSON_PATH = \$nv" <<<"$obj") + + # Save updated object + echo "$updated_obj" >> "$tmpfile" +done + +# Combine updated objects into an array and overwrite the original file +$JQ_BIN -s '.' "$tmpfile" > "$INPUT_FILE_JSON" + +rm "$tmpfile" $HCL2JSON_BIN $JQ_BIN \ No newline at end of file diff --git a/transformer/terraform-cloud/main.tf b/transformer/terraform-cloud/main.tf index 9b5a288..5ae44be 100644 --- a/transformer/terraform-cloud/main.tf +++ b/transformer/terraform-cloud/main.tf @@ -15,4 +15,4 @@ terraform { version = "~> 3.2.1" } } -} \ No newline at end of file +}
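Review bot: in the README hunk at `@@ -37,8 +38,11 @@`, the context line being reflowed still reads "to provide tune each workflow configuration"; since the paragraph is already touched here, drop "provide" (or "tune") so the sentence parses, and fix "After completing the export ," (space before the comma) in the same pass. The new fence opened after the `DeploymentPlatformConfig` bullet has no closing fence visible in this hunk and no language tag, unlike the `shell` fences later in the file; make sure the block is closed on its own line.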
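Review bot: in the README hunk at `@@ -50,27 +54,27 @@`, swapping the triple-backtick fences under `- Private runners` and `- Shared runners` for single backticks breaks rendering. A single-backtick code span that runs across lines is collapsed into one line with the line breaks turned into spaces, and the unindented lines `"RunnerConstraints": {` and `"type": "private",` sit at column 0, which ends the list item, so the snippet shows up as a run-on inline span followed by stray text. Keep fenced blocks, indent them to the list item's content column, and put the closing fence on its own line instead of `}` followed by the fence. Also, the `- ` on `+  - Private runners - ` leaves a dangling hyphen once the code is on separate lines.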
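Review bot: in the README hunk at `@@ -80,7 +84,10 @@`, "eamil" should be "email", and "Stackguardian" should be "StackGuardian" to match the rest of the file. The removed line pointed at `https://app.stackguardian.io/orchestrator/orgs//settings?tab=api_key` with an empty org segment; the click-through steps are clearer, but consider keeping the URL with an explicit `<ORG_NAME>` placeholder so readers can jump straight to the API key page.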
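Review bot: in the README hunk at `@@ -92,6 +99,16 @@`, the usage line `./convert_hcl_to_json.sh` omits the argument the script requires (`INPUT_FILE_JSON="$1"`; without it the script prints its usage message and exits 1), so it should read `./convert_hcl_to_json.sh sg-payload.json`. The script is added at the repository root while the preceding steps have already done `cd ../../export`, so the relative path needs adjusting as well. The section is also placed after `./sg-cli workflow create --bulk ...`, yet the text says the file is rewritten in place "so that none of the other steps need any change", which only holds if the conversion runs before the create command; move the section ahead of it or state the ordering. Minor: "It will change the file input file in place" has a duplicated "file", and "hcl"/"json" in the heading should be "HCL"/"JSON" as in the body.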
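Review bot: in the new `convert_hcl_to_json.sh`, `install_jq` and `install_hcl2json` download executables with `curl -L` into fixed paths `/tmp/jq` and `/tmp/hcl2json`, `chmod +x` them and run them with no integrity check. Three things to change there: use `curl -fsSL` so a 404 or HTML error page is not saved and executed as a binary; pin and verify a sha256 for each release asset (both projects publish checksum files alongside their releases) before `chmod +x`; and place the binaries in a private `mktemp -d` directory rather than a predictable, world-writable `/tmp` path that another local user could pre-create or symlink. Related: `ARCH=$(uname -m)` is passed straight into the asset name, but `uname -m` reports `x86_64`/`aarch64` while the jq and hcl2json release assets use `amd64`/`arm64` suffixes, so the URLs will not resolve on common hosts; map the architecture explicitly. The variables in `curl -L -o $JQ_BIN $url` are unquoted, and the script has no `set -euo pipefail`.

The `=` heuristic is dead code: `value="temp = $value"` is assigned before the test `[[ "$value" == *"="* ]]`, so every value takes the hcl2json branch and the "Not HCL, keep as string" branch never runs; test the original value before prepending `temp = `, or drop the branch. In the parse path, `echo -e "$value"` interprets backslash escapes inside user-controlled variable values (use `printf '%s\n' "$value"`), and `$?` after the three-stage pipeline reflects only the final jq; the `"$parsed" != ""` check is what actually catches an hcl2json failure, which is fragile. `for key in $keys` word-splits keys containing whitespace; iterate with `jq -c 'to_entries[]'` and a `while read -r` loop instead. Building the jq program by interpolation in `"$JSON_PATH = \$nv"` is also brittle; prefer `--argjson p` with `setpath($p; $nv)`.

Finally, `$JQ_BIN -s '.' "$tmpfile" > "$INPUT_FILE_JSON"` truncates the input payload before jq runs, so a jq failure leaves an empty `sg-payload.json`; write to a temp file and `mv` it into place. The trailing `rm "$tmpfile" $HCL2JSON_BIN $JQ_BIN` does not run on the early `exit 1` paths; a `trap '...' EXIT` covers all of them. The file is missing its trailing newline.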