Skip to content

skip: update CI 46

skip: update CI 46 #46

Workflow file for this run

name: Auto-testing
# Controls when the workflow will run
on:
push:
branches:
- 'feature/auto_policy_testing'
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
inputs:
resource_priority_list:
type: string
description: Priority list for resources (you can remove unnecessary resources during testing)
default: '["vnet"]'
#'["storage", "webapp", "vnet"]'
required: true
# limits to only one workflow in time
concurrency:
group: ${{ github.workflow }}
env:
AUTO_TEST_DIR: "auto_policy_testing"
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
AZURE_SECRET_VALUE: ${{ secrets.AZURE_SECRET_VALUE }}
default_resource_priority_list: '["vnet"]'
#default_resource_priority_list: '["storage", "webapp", "vnet"]'
TF_VAR_project: ${{ secrets.TF_VAR_project }}
TF_VAR_region: ${{ secrets.AWS_REGION }}
TF_VAR_zone: ${{ secrets.TF_VAR_zone }}
TF_BACKEND_STORAGE_NAME: ${{ secrets.TF_BACKEND_STORAGE_NAME }}
TF_CLI_ARGS: "-no-color"
AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
deploy_common_resources:
runs-on: ubuntu-22.04
strategy:
fail-fast: false
matrix:
compliance: ['green', 'red']
env:
COMPLINCE: ${{ matrix.compliance }}
RESOURCE: common_resources
steps:
- name: Git clone the repository
uses: actions/checkout@v4
- uses: ./.github/workflows/actions/set-up-cloud-creds
with:
aws_assume_role: ${{ secrets.CI_ASSUME_ROLE }}
step: common_${{ matrix.compliance }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Clean old S3 logs
shell: bash
run: |
cloud=$(echo "${{ github.repository }}" | cut -d'-' -f 2)
aws s3 rm s3://$TF_BACKEND_STORAGE_NAME/$cloud/logs --recursive
aws s3 rm s3://$TF_BACKEND_STORAGE_NAME/$cloud/policy_output --recursive
- name: Deploy common resources
uses: ./.github/workflows/actions/tf-init-apply
- uses: ./.github/workflows/actions/publish-logs-to-s3
if: ${{ always() }}
with:
local_path: "${{ github.workspace }}/${{ env.AUTO_TEST_DIR }}/logs"
remote_path: "logs"
prepare_matrix_resources:
runs-on: ubuntu-22.04
needs: [ deploy_common_resources ]
outputs:
parallel_resources_list: ${{ steps.pass-resource-priority-list-to-matrix.outputs.parallel_resources_to_scan }}
not_parallel_resources_list: ${{ steps.pass-resource-priority-list-to-matrix.outputs.not_parallel_resources_to_scan }}
steps:
- name: Git clone the repository
uses: actions/checkout@v4
- id: pass-resource-priority-list-to-matrix
shell: bash
working-directory: ${{ env.AUTO_TEST_DIR }}/scripts
run: |
if [ "${{ inputs.resource_priority_list }}" != '' ]; then
resource_priority_list="${{ inputs.resource_priority_list }}"
else
resource_priority_list="$default_resource_priority_list"
fi
cloud=$(echo "${{ github.repository }}" | cut -d'-' -f 2)
not_parallel_resources="$(python -c "import exception_rules; print(exception_rules.$cloud.get('not-parallel',[]))")"
source resources_to_scan.sh
parallel_resources_to_scan="$(get_parallel_resources_to_scan "$not_parallel_resources" "$resource_priority_list")"
not_parallel_resources_to_scan="$(get_not_parallel_resources_to_scan "$not_parallel_resources" "$resource_priority_list")"
echo "parallel_resources_to_scan=$parallel_resources_to_scan"
echo "not_parallel_resources_to_scan=$not_parallel_resources_to_scan"
echo "parallel_resources_to_scan=$parallel_resources_to_scan" >> "$GITHUB_OUTPUT"
echo "not_parallel_resources_to_scan=$not_parallel_resources_to_scan" >> "$GITHUB_OUTPUT"
deploy_and_scan_parallel_resources:
runs-on: ubuntu-22.04
needs: [ deploy_common_resources, prepare_matrix_resources]
strategy:
max-parallel: 10
fail-fast: false
matrix:
compliance: ['green', 'red']
resource: ${{fromJson(needs.prepare_matrix_resources.outputs.parallel_resources_list)}}
env:
COMPLINCE: ${{ matrix.compliance }}
RESOURCE: ${{ matrix.resource }}
TF_VAR_remote_state_key: "azure/states/common_resources/${{ matrix.compliance }}.tfstate"
steps:
- name: Git clone the repository
uses: actions/checkout@v4
- uses: ./.github/workflows/actions/set-up-cloud-creds
with:
aws_assume_role: ${{ secrets.CI_ASSUME_ROLE }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
step: common_${{ matrix.compliance }}
- uses: ./.github/workflows/actions/install-dependencies
- name: Deploy terraform resources
uses: ./.github/workflows/actions/tf-init-apply
- name: Custodian scan
uses: ./.github/workflows/actions/c7n-scan
- name: Destroy terraform resources
uses: ./.github/workflows/actions/tf-destroy
if: ${{ always() }}
- uses: ./.github/workflows/actions/publish-logs-to-s3
if: ${{ always() }}
with:
local_path: "${{ github.workspace }}/${{ env.AUTO_TEST_DIR }}/logs"
remote_path: "logs"
- uses: ./.github/workflows/actions/publish-logs-to-s3
if: ${{ always() }}
with:
local_path: "${{ github.workspace }}/${{ env.AUTO_TEST_DIR }}/output"
remote_path: "policy_output/${{ matrix.compliance }}"
deploy_and_scan_not_parallel_resources:
runs-on: ubuntu-22.04
needs: [ deploy_common_resources, prepare_matrix_resources]
if: ${{ needs.prepare_matrix_resources.outputs.not_parallel_resources_list != '[]' }}
strategy:
max-parallel: 1
fail-fast: false
matrix:
compliance: ['green', 'red']
resource: ${{fromJson(needs.prepare_matrix_resources.outputs.not_parallel_resources_list)}}
env:
COMPLINCE: ${{ matrix.compliance }}
RESOURCE: ${{ matrix.resource }}
TF_VAR_remote_state_key: "aws/states/common_resources/${{ matrix.compliance }}.tfstate"
steps:
- name: Git clone the repository
uses: actions/checkout@v4
- uses: ./.github/workflows/actions/set-up-cloud-creds
with:
aws_assume_role: ${{ secrets.CI_ASSUME_ROLE }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
step: common_${{ matrix.compliance }}
- uses: ./.github/workflows/actions/install-dependencies
- name: Deploy terraform resources
uses: ./.github/workflows/actions/tf-init-apply
- name: Custodian scan
uses: ./.github/workflows/actions/c7n-scan
- name: Destroy terraform resources
uses: ./.github/workflows/actions/tf-destroy
if: ${{ always() }}
- uses: ./.github/workflows/actions/publish-logs-to-s3
if: ${{ always() }}
with:
local_path: "${{ github.workspace }}/${{ env.AUTO_TEST_DIR }}/logs"
remote_path: "logs"
- uses: ./.github/workflows/actions/publish-logs-to-s3
if: ${{ always() }}
with:
local_path: "${{ github.workspace }}/${{ env.AUTO_TEST_DIR }}/output"
remote_path: "policy_output/${{ matrix.compliance }}"
destroy_common_resources:
runs-on: ubuntu-22.04
needs: [deploy_common_resources, deploy_and_scan_parallel_resources,deploy_and_scan_not_parallel_resources]
if: ${{ always() }}
strategy:
max-parallel: 10
fail-fast: false
matrix:
compliance: ['green', 'red']
env:
COMPLINCE: ${{ matrix.compliance }}
RESOURCE: common_resources
steps:
- name: Git clone the repository
uses: actions/checkout@v4
- uses: ./.github/workflows/actions/set-up-cloud-creds
with:
aws_assume_role: ${{ secrets.CI_ASSUME_ROLE }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
step: common_${{ matrix.compliance }}
- name: Destroy common resources
if: ${{ always() }}
uses: ./.github/workflows/actions/tf-destroy
- uses: ./.github/workflows/actions/publish-logs-to-s3
if: ${{ always() }}
with:
local_path: "${{ github.workspace }}/${{ env.AUTO_TEST_DIR }}/logs"
remote_path: "logs"