search

jfrog / terraform-provider-xray

Terraform provider to manage JFrog Xray
https://jfrog.com/xray/
Apache License 2.0
146 stars 12 forks source link
artifactory configuration-as-code golang infrastructure-as-code jfrog terraform terraform-provider xray

readme

Terraform Provider Xray

Terraform & OpenTofu Acceptance Tests Actions Status Go Report Card

To use this provider in your Terraform module, follow the documentation here.

Xray general information

Xray API Documentation

Quick Start

Create a new Terraform file with xray resource (and artifactory resource as well):

HCL Example ```terraform # Required for Terraform 0.13 and up (https://www.terraform.io/upgrade-guides/0-13.html) terraform { required_providers { artifactory = { source = "jfrog/artifactory" version = "10.1.2" } project = { source = "jfrog/project" version = "1.3.4" } xray = { source = "jfrog/xray" version = "2.2.0" } } } provider "artifactory" { // supply ARTIFACTORY_USERNAME, ARTIFACTORY_PASSWORD and ARTIFACTORY_URL as env vars } provider "project" { // supply PROJECT_URL, PROJECT_ACCESS_TOKEN as env vars url = "${var.project_url}" access_token = "${var.project_access_token}" } provider "xray" { // Also user can supply the following env vars: // JFROG_URL or XRAY_URL // XRAY_ACCESS_TOKEN or JFROG_ACCESS_TOKEN } resource "random_id" "randid" { byte_length = 2 } resource "artifactory_user" "user1" { name = "user1" email = "test-user1@artifactory-terraform.com" groups = ["readers"] password = "Passw0rd!" } resource "artifactory_local_docker_v2_repository" "docker-local" { key = "docker-local" description = "hello docker-local" tag_retention = 3 max_unique_tags = 5 xray_index = true # must be set to true to be able to assign the watch to the repo } resource "artifactory_local_gradle_repository" "local-gradle-repo" { key = "local-gradle-repo-basic" checksum_policy_type = "client-checksums" snapshot_version_behavior = "unique" max_unique_snapshots = 10 handle_releases = true handle_snapshots = true suppress_pom_consistency_checks = true xray_index = true # must be set to true to be able to assign the watch to the repo } resource "project" "myproject" { key = "test" display_name = "My Project" description = "My Project" admin_privileges { manage_members = true manage_resources = true index_resources = true } } resource "project" "myproject1" { key = "test1" display_name = "My Project" description = "My Project" admin_privileges { manage_members = true manage_resources = true index_resources = true } } resource "xray_security_policy" "security1" { name = "test-security-policy-severity-${random_id.randid.dec}" description = "Security policy description" type = "security" rule { name = "rule-name-severity" priority = 1 criteria { min_severity = "High" } actions { webhooks = [] mails = ["test@email.com"] block_release_bundle_distribution = true fail_build = true notify_watch_recipients = true notify_deployer = true create_ticket_enabled = false // set to true only if Jira integration is enabled build_failure_grace_period_in_days = 5 // use only if fail_build is enabled block_download { unscanned = true active = true } } } } resource "xray_security_policy" "security2" { name = "test-security-policy-cvss-${random_id.randid.dec}" description = "Security policy description" type = "security" rule { name = "rule-name-cvss" priority = 1 criteria { cvss_range { from = 1.5 to = 5.3 } } actions { webhooks = [] mails = ["test@email.com"] block_release_bundle_distribution = true fail_build = true notify_watch_recipients = true notify_deployer = true create_ticket_enabled = false // set to true only if Jira integration is enabled build_failure_grace_period_in_days = 5 // use only if fail_build is enabled block_download { unscanned = true active = true } } } } resource "xray_license_policy" "license1" { name = "test-license-policy-allowed-${random_id.randid.dec}" description = "License policy, allow certain licenses" type = "license" rule { name = "License_rule" priority = 1 criteria { allowed_licenses = ["Apache-1.0", "Apache-2.0"] allow_unknown = false multi_license_permissive = true } actions { webhooks = [] mails = ["test@email.com"] block_release_bundle_distribution = false fail_build = true notify_watch_recipients = true notify_deployer = true create_ticket_enabled = false // set to true only if Jira integration is enabled custom_severity = "High" build_failure_grace_period_in_days = 5 // use only if fail_build is enabled block_download { unscanned = true active = true } } } } resource "xray_license_policy" "license2" { name = "test-license-policy-banned-${random_id.randid.dec}" description = "License policy, block certain licenses" type = "license" rule { name = "License_rule" priority = 1 criteria { banned_licenses = ["Apache-1.1", "APAFML"] allow_unknown = false multi_license_permissive = false } actions { webhooks = [] mails = ["test@email.com"] block_release_bundle_distribution = false fail_build = true notify_watch_recipients = true notify_deployer = true create_ticket_enabled = false // set to true only if Jira integration is enabled custom_severity = "Medium" build_failure_grace_period_in_days = 5 // use only if fail_build is enabled block_download { unscanned = true active = true } } } } resource "xray_watch" "all-repos" { name = "all-repos-watch-${random_id.randid.dec}" description = "Watch for all repositories, matching the filter" active = true watch_resource { type = "all-repos" filter { type = "regex" value = ".*" } } assigned_policy { name = xray_security_policy.security1.name type = "security" } assigned_policy { name = xray_license_policy.license1.name type = "license" } watch_recipients = ["test@email.com", "test1@email.com"] } resource "xray_watch" "repository" { name = "repository-watch-${random_id.randid.dec}" description = "Watch a single repo or a list of repositories" active = true watch_resource { type = "repository" bin_mgr_id = "default" name = artifactory_local_docker_v2_repository.docker-local.key filter { type = "regex" value = ".*" } } watch_resource { type = "repository" bin_mgr_id = "default" name = artifactory_local_gradle_repository.local-gradle-repo.key filter { type = "package-type" value = "Docker" } } assigned_policy { name = xray_security_policy.security1.name type = "security" } assigned_policy { name = xray_license_policy.license1.name type = "license" } watch_recipients = ["test@email.com", "test1@email.com"] } resource "xray_watch" "build" { name = "build-watch-${random_id.randid.dec}" description = "Watch a single build or a list of builds" active = true watch_resource { type = "build" bin_mgr_id = "default" name = "your-build-name" } watch_resource { type = "build" bin_mgr_id = "default" name = "your-other-build-name" } assigned_policy { name = xray_security_policy.security1.name type = "security" } assigned_policy { name = xray_license_policy.license1.name type = "license" } watch_recipients = ["test@email.com", "test1@email.com"] } resource "xray_watch" "all-projects" { name = "all-projects-watch-${random_id.randid.dec}" description = "Watch all the projects" active = true watch_resource { type = "all-projects" bin_mgr_id = "default" } assigned_policy { name = xray_security_policy.security1.name type = "security" } assigned_policy { name = xray_license_policy.license1.name type = "license" } watch_recipients = ["test@email.com", "test1@email.com"] } resource "xray_watch" "project" { name = "project-watch-${random_id.randid.dec}" description = "Watch selected projects" active = true watch_resource { type = "project" name = project.myproject.key } watch_resource { type = "project" name = project.myproject1.key } assigned_policy { name = xray_security_policy.security1.name type = "security" } assigned_policy { name = xray_license_policy.license1.name type = "license" } watch_recipients = ["test@email.com", "test1@email.com"] } ```

License requirements:

This provider requires Xray to be added to your Artifactory installation. Xray requires minimum Pro Team license (Public Marketplace version or SaaS) or Pro X license (Self-hosted). See the details here You can determine which license you have by accessing the following Artifactory URL ${host}/artifactory/api/system/licenses/

Limitations of functionality

Currently, Xray provider is not supporting JSON objects in the Watch filter value. We are working on adding this functionality.

Versioning

In general, this project follows semver as closely as we can for tagging releases of the package. We've adopted the following versioning policy:

Contributors

See the contribution guide.

License

Copyright (c) 2024 JFrog.

Apache 2.0 licensed, see LICENSE file.