skip: update CI 57 #58
name: Auto-testing | |
# Controls when the workflow will run | |
on: | |
push: | |
branches: | |
- 'feature/auto_policy_testing' | |
# Allows you to run this workflow manually from the Actions tab | |
workflow_dispatch: | |
inputs: | |
resource_priority_list: | |
type: string | |
description: Priority list for resources (you can remove unnecessary resources during testing) | |
default: '["vm"]' | |
#'["storage", "webapp", "vnet", "networkinterface", "networksecuritygroup", "vm"]' | |
required: true | |
# limits to only one workflow in time | |
concurrency: | |
group: ${{ github.workflow }} | |
env: | |
AUTO_TEST_DIR: "auto_policy_testing" | |
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | |
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
AZURE_SECRET_VALUE: ${{ secrets.AZURE_SECRET_VALUE }} | |
default_resource_priority_list: '["vm"]' | |
#default_resource_priority_list: '["storage", "webapp", "vnet", "networkinterface", "networksecuritygroup", "vm"]' | |
TF_VAR_project: ${{ secrets.TF_VAR_project }} | |
TF_VAR_region: ${{ secrets.AWS_REGION }} | |
TF_VAR_zone: ${{ secrets.TF_VAR_zone }} | |
TF_BACKEND_STORAGE_NAME: ${{ secrets.TF_BACKEND_STORAGE_NAME }} | |
TF_CLI_ARGS: "-no-color" | |
AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }} | |
permissions: | |
id-token: write # This is required for requesting the JWT | |
contents: read # This is required for actions/checkout | |
# A workflow run is made up of one or more jobs that can run sequentially or in parallel | |
jobs: | |
deploy_common_resources: | |
runs-on: ubuntu-22.04 | |
strategy: | |
fail-fast: false | |
matrix: | |
compliance: ['green', 'red'] | |
env: | |
COMPLINCE: ${{ matrix.compliance }} | |
RESOURCE: common_resources | |
steps: | |
- name: Git clone the repository | |
uses: actions/checkout@v4 | |
- uses: ./.github/workflows/actions/set-up-cloud-creds | |
with: | |
aws_assume_role: ${{ secrets.CI_ASSUME_ROLE }} | |
step: common_${{ matrix.compliance }} | |
client_id: ${{ secrets.AZURE_CLIENT_ID }} | |
tenant_id: ${{ secrets.AZURE_TENANT_ID }} | |
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
- name: Clean old S3 logs | |
shell: bash | |
run: | | |
cloud=$(echo "${{ github.repository }}" | cut -d'-' -f 2) | |
aws s3 rm s3://$TF_BACKEND_STORAGE_NAME/$cloud/logs --recursive | |
aws s3 rm s3://$TF_BACKEND_STORAGE_NAME/$cloud/policy_output --recursive | |
- name: Deploy common resources | |
uses: ./.github/workflows/actions/tf-init-apply | |
- uses: ./.github/workflows/actions/publish-logs-to-s3 | |
if: ${{ always() }} | |
with: | |
local_path: "${{ github.workspace }}/${{ env.AUTO_TEST_DIR }}/logs" | |
remote_path: "logs" | |
prepare_matrix_resources: | |
runs-on: ubuntu-22.04 | |
needs: [ deploy_common_resources ] | |
outputs: | |
parallel_resources_list: ${{ steps.pass-resource-priority-list-to-matrix.outputs.parallel_resources_to_scan }} | |
not_parallel_resources_list: ${{ steps.pass-resource-priority-list-to-matrix.outputs.not_parallel_resources_to_scan }} | |
steps: | |
- name: Git clone the repository | |
uses: actions/checkout@v4 | |
- id: pass-resource-priority-list-to-matrix | |
shell: bash | |
working-directory: ${{ env.AUTO_TEST_DIR }}/scripts | |
run: | | |
if [ "${{ inputs.resource_priority_list }}" != '' ]; then | |
resource_priority_list="${{ inputs.resource_priority_list }}" | |
else | |
resource_priority_list="$default_resource_priority_list" | |
fi | |
cloud=$(echo "${{ github.repository }}" | cut -d'-' -f 2) | |
not_parallel_resources="$(python -c "import exception_rules; print(exception_rules.$cloud.get('not-parallel',[]))")" | |
source resources_to_scan.sh | |
parallel_resources_to_scan="$(get_parallel_resources_to_scan "$not_parallel_resources" "$resource_priority_list")" | |
not_parallel_resources_to_scan="$(get_not_parallel_resources_to_scan "$not_parallel_resources" "$resource_priority_list")" | |
echo "parallel_resources_to_scan=$parallel_resources_to_scan" | |
echo "not_parallel_resources_to_scan=$not_parallel_resources_to_scan" | |
echo "parallel_resources_to_scan=$parallel_resources_to_scan" >> "$GITHUB_OUTPUT" | |
echo "not_parallel_resources_to_scan=$not_parallel_resources_to_scan" >> "$GITHUB_OUTPUT" | |
deploy_and_scan_parallel_resources: | |
runs-on: ubuntu-22.04 | |
needs: [ deploy_common_resources, prepare_matrix_resources] | |
strategy: | |
max-parallel: 10 | |
fail-fast: false | |
matrix: | |
compliance: ['green', 'red'] | |
resource: ${{fromJson(needs.prepare_matrix_resources.outputs.parallel_resources_list)}} | |
env: | |
COMPLINCE: ${{ matrix.compliance }} | |
RESOURCE: ${{ matrix.resource }} | |
TF_VAR_remote_state_key: "azure/states/common_resources/${{ matrix.compliance }}.tfstate" | |
steps: | |
- name: Git clone the repository | |
uses: actions/checkout@v4 | |
- uses: ./.github/workflows/actions/set-up-cloud-creds | |
with: | |
aws_assume_role: ${{ secrets.CI_ASSUME_ROLE }} | |
client_id: ${{ secrets.AZURE_CLIENT_ID }} | |
tenant_id: ${{ secrets.AZURE_TENANT_ID }} | |
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
step: common_${{ matrix.compliance }} | |
- uses: ./.github/workflows/actions/install-dependencies | |
- name: Deploy terraform resources | |
uses: ./.github/workflows/actions/tf-init-apply | |
- name: Custodian scan | |
uses: ./.github/workflows/actions/c7n-scan | |
- name: Destroy terraform resources | |
uses: ./.github/workflows/actions/tf-destroy | |
if: ${{ always() }} | |
- uses: ./.github/workflows/actions/publish-logs-to-s3 | |
if: ${{ always() }} | |
with: | |
local_path: "${{ github.workspace }}/${{ env.AUTO_TEST_DIR }}/logs" | |
remote_path: "logs" | |
- uses: ./.github/workflows/actions/publish-logs-to-s3 | |
if: ${{ always() }} | |
with: | |
local_path: "${{ github.workspace }}/${{ env.AUTO_TEST_DIR }}/output" | |
remote_path: "policy_output/${{ matrix.compliance }}" | |
deploy_and_scan_not_parallel_resources: | |
runs-on: ubuntu-22.04 | |
needs: [ deploy_common_resources, prepare_matrix_resources] | |
if: ${{ needs.prepare_matrix_resources.outputs.not_parallel_resources_list != '[]' }} | |
strategy: | |
max-parallel: 1 | |
fail-fast: false | |
matrix: | |
compliance: ['green', 'red'] | |
resource: ${{fromJson(needs.prepare_matrix_resources.outputs.not_parallel_resources_list)}} | |
env: | |
COMPLINCE: ${{ matrix.compliance }} | |
RESOURCE: ${{ matrix.resource }} | |
TF_VAR_remote_state_key: "aws/states/common_resources/${{ matrix.compliance }}.tfstate" | |
steps: | |
- name: Git clone the repository | |
uses: actions/checkout@v4 | |
- uses: ./.github/workflows/actions/set-up-cloud-creds | |
with: | |
aws_assume_role: ${{ secrets.CI_ASSUME_ROLE }} | |
client_id: ${{ secrets.AZURE_CLIENT_ID }} | |
tenant_id: ${{ secrets.AZURE_TENANT_ID }} | |
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
step: common_${{ matrix.compliance }} | |
- uses: ./.github/workflows/actions/install-dependencies | |
- name: Deploy terraform resources | |
uses: ./.github/workflows/actions/tf-init-apply | |
- name: Custodian scan | |
uses: ./.github/workflows/actions/c7n-scan | |
- name: Destroy terraform resources | |
uses: ./.github/workflows/actions/tf-destroy | |
if: ${{ always() }} | |
- uses: ./.github/workflows/actions/publish-logs-to-s3 | |
if: ${{ always() }} | |
with: | |
local_path: "${{ github.workspace }}/${{ env.AUTO_TEST_DIR }}/logs" | |
remote_path: "logs" | |
- uses: ./.github/workflows/actions/publish-logs-to-s3 | |
if: ${{ always() }} | |
with: | |
local_path: "${{ github.workspace }}/${{ env.AUTO_TEST_DIR }}/output" | |
remote_path: "policy_output/${{ matrix.compliance }}" | |
destroy_common_resources: | |
runs-on: ubuntu-22.04 | |
needs: [deploy_common_resources, deploy_and_scan_parallel_resources,deploy_and_scan_not_parallel_resources] | |
if: ${{ always() }} | |
strategy: | |
max-parallel: 10 | |
fail-fast: false | |
matrix: | |
compliance: ['green', 'red'] | |
env: | |
COMPLINCE: ${{ matrix.compliance }} | |
RESOURCE: common_resources | |
steps: | |
- name: Git clone the repository | |
uses: actions/checkout@v4 | |
- uses: ./.github/workflows/actions/set-up-cloud-creds | |
with: | |
aws_assume_role: ${{ secrets.CI_ASSUME_ROLE }} | |
client_id: ${{ secrets.AZURE_CLIENT_ID }} | |
tenant_id: ${{ secrets.AZURE_TENANT_ID }} | |
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
step: common_${{ matrix.compliance }} | |
- name: Destroy common resources | |
if: ${{ always() }} | |
uses: ./.github/workflows/actions/tf-destroy | |
- uses: ./.github/workflows/actions/publish-logs-to-s3 | |
if: ${{ always() }} | |
with: | |
local_path: "${{ github.workspace }}/${{ env.AUTO_TEST_DIR }}/logs" | |
remote_path: "logs" |
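Review bot: `${{ inputs.resource_priority_list }}` is expanded directly into the shell script of the pass-resource-priority-list-to-matrix step (the `if [ ... ]` test and the assignment under it), so a workflow_dispatch input containing a quote or command substitution becomes part of the script instead of being treated as data. Passing the input through the step's `env:` and reading `"$RESOURCE_PRIORITY_LIST"` keeps it a plain string; the same applies to `${{ github.repository }}` in the `cloud=` lines of this step and of the Clean old S3 logs step, where the runner already provides `$GITHUB_REPOSITORY`. Separately, `AZURE_SECRET_VALUE` sits in the workflow-level `env:`, so it is exported to every step of every job, including the S3 cleanup and log-publishing steps that do not appear to use it; scoping it to the job or step that needs it (or relying on the OIDC token the workflow already requests via `id-token: write`) narrows its exposure. The `TF_VAR_remote_state_key` prefix also differs between the two scan jobs (`azure/states/...` vs `aws/states/...`) while both derive `cloud` from the repository name, which looks like a copy-paste slip worth confirming.
```yaml
- id: pass-resource-priority-list-to-matrix
  # … unchanged: shell, working-directory …
  env:
    RESOURCE_PRIORITY_LIST: ${{ inputs.resource_priority_list }}
  run: |
    if [ -n "$RESOURCE_PRIORITY_LIST" ]; then
      resource_priority_list="$RESOURCE_PRIORITY_LIST"
    else
      resource_priority_list="$default_resource_priority_list"
    fi
    cloud=$(echo "$GITHUB_REPOSITORY" | cut -d'-' -f 2)
    # … unchanged: exception_rules lookup, resources_to_scan.sh calls, $GITHUB_OUTPUT writes …
```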