
test without other jobs #248


Workflow file for this run

---
name: Auto-testing

# Triggers: pushes to the two feature branches below, or a manual run from
# the Actions tab. `on` looks like a YAML 1.1 boolean to generic parsers;
# GitHub's loader reads it as the trigger map, so a yamllint `truthy` hit on
# this key is noise.
on:
  push:
    branches:
      - 'feature/auto_policy_testing'
      - 'feature/add_sequential_resources'
  workflow_dispatch:
    inputs:
      # JSON-encoded list carried as a string (dispatch inputs are scalars).
      # No step in this file reads `inputs.resource_priority_list` itself;
      # presumably one of the ecc-actions composite actions consumes it —
      # confirm before changing its shape.
      resource_priority_list:
        type: string
        required: true
        description: 'Priority list for resources (you can remove unnecessary resources during testing)'
        default: '[ "sqs", "sns", "defender", "role"]'
        # Full list kept for reference:
        #'["storage", "webapp", "vnet", "network", "vm", "synapse", "sql", "mysql", "subscription", "disk", "postgresql", "cosmosdb", "signalr", "spring", "search", "service-fabric", "stream", "redis", "servicebus", "role", "monitor", "machine-learning", "logic", "kusto", "aks", "keyvault", "iothub", "front-door", "event", "data", "defender", "container", "cognitiveservice", "batch", "automation", "application", "app-configuration", "api", "alert"]'
# Serialise runs of this workflow: a second run queues behind the first.
# There is no `cancel-in-progress`, so an in-flight run is never aborted, and
# the group is keyed on the workflow name only, so it spans every branch and
# trigger event.
concurrency:
  group: ${{ github.workflow }}
# Workflow-wide environment. Everything here — the cloud credentials
# included — is visible to every step of every job, i.e. to the `git clone`
# steps and to the locally checked-out composite actions. Scoping the
# secret-backed entries to the jobs or steps that consume them would narrow
# that exposure without changing what those steps see.
env:
  # Azure identity: tenant/subscription/client plus the client secret.
  AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
  AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
  AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
  AZURE_SECRET_VALUE: ${{ secrets.AZURE_SECRET_VALUE }}

  # Terraform / AWS inputs. Both region variables read the same secret.
  TF_VAR_project: ${{ secrets.TF_VAR_project }}
  TF_VAR_region: ${{ secrets.AWS_REGION }}
  TF_VAR_zone: ${{ secrets.TF_VAR_zone }}
  TF_BACKEND_STORAGE_NAME: ${{ secrets.TF_BACKEND_STORAGE_NAME }}
  TF_CLI_ARGS: '-no-color'
  AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}

  # Test-harness settings.
  AUTO_TEST_DIR: 'auto_policy_testing'
  # JSON list carried as a string. The lower-case key breaks the file's
  # naming convention but is left untouched: the consuming action presumably
  # reads this exact name.
  default_resource_priority_list: '[ "disk", "storage", "defender", "role"]'
  # Full list kept for reference:
  #default_resource_priority_list: '["storage", "webapp", "vnet", "network", "vm", "synapse", "sql", "mysql", "subscription", "disk", "postgresql", "cosmosdb", "signalr", "spring", "search", "service-fabric", "stream", "redis", "servicebus", "role", "monitor", "machine-learning", "logic", "kusto", "aks", "keyvault", "iothub", "front-door", "event", "data", "defender", "container", "cognitiveservice", "batch", "automation", "application", "app-configuration", "api", "alert"]'
  # Branch of ecc-actions that the jobs clone. A mutable ref: the local
  # actions this workflow executes can change without any change here.
  ACTIONS_REPO_BRANCH: 'feature/deploy_scan_sequential_resources'
  # ANSI red. Single quotes keep the backslash literal; whoever echoes it has
  # to interpret the escape.
  RED: '\033[0;31m'
  # Steps may read this, but `strategy` cannot: the `env` context is not
  # allowed there (this run failed validation with "Unrecognized
  # named-value: 'env'" on fromJson(env.MAX_PARALLEL)), so it cannot drive
  # max-parallel.
  MAX_PARALLEL: 1
# Token scope for the GITHUB_TOKEN issued to each job. Only what the visible
# steps need: actions/checkout reads the repository, and `id-token: write`
# allows a step to request an OIDC JWT (the workflow carries AWS/Azure
# settings, so presumably a cloud login inside ecc-actions uses it —
# confirm). No write access to contents is granted.
permissions:
  contents: read
  id-token: write
# Jobs. Only prepare_resource_matrix and deploy_and_scan_sequential_resources
# are active in this revision; the commented-out jobs (deploy/destroy common
# resources, the read-only scan role, the parallel and non-parallel scans)
# are kept as history and are not part of the run graph.
jobs:
# deploy_common_resources:
# name: Deploy common
# runs-on: ubuntu-22.04
# strategy:
# fail-fast: false
# matrix:
# compliance: ["green", "red"]
# env:
# COMPLINCE: ${{ matrix.compliance }}
# RESOURCE: common_resources
# steps:
# - name: Git clone the repository
# uses: actions/checkout@v4
# - name: Checkout ecc-actions
# run: git clone -b $ACTIONS_REPO_BRANCH "https://git:[email protected]/epmc-sec/cloudlab/cloud_custodian/ecc-actions.git" ecc-actions
# env:
# PROJECT_TOKEN: ${{ secrets.ECC_CHANGELOG_ACTION }}
# ACTIONS_REPO_BRANCH: ${{ env.ACTIONS_REPO_BRANCH }}
# - name: Deploy common
# uses: ./ecc-actions/auto-test-actions/deploy-common-resources
# with:
# CI_ASSUME_ROLE: ${{ secrets.CI_ASSUME_ROLE }}
# AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
# COMPLIANCE: ${{ matrix.compliance }}
# create_readonly_role_for_scans:
# name: Create readonly role for scans
# if: github.repository == 'epam/ecc-azure-rulepack'
# runs-on: ubuntu-22.04
# # needs: deploy_common_resources
# outputs:
# readonly_role_name: ${{ steps.create-readonly-role.outputs.readonly_role_name }}
# steps:
# - name: Git clone the repository
# uses: actions/checkout@v4
# - name: Checkout ecc-actions
# run: git clone -b $ACTIONS_REPO_BRANCH "https://git:[email protected]/epmc-sec/cloudlab/cloud_custodian/ecc-actions.git" ecc-actions
# env:
# PROJECT_TOKEN: ${{ secrets.ECC_CHANGELOG_ACTION }}
# ACTIONS_REPO_BRANCH: ${{ env.ACTIONS_REPO_BRANCH }}
# - name: Create readonly role for scans
# id: create-readonly-role
# uses: ./ecc-actions/auto-test-actions/readonly-role-for-scans
# with:
# CI_ASSUME_ROLE: ${{ secrets.CI_ASSUME_ROLE }}
# AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
# SERVICE_ACCOUNT: ${{ secrets.SERVICE_ACCOUNT }}
# WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
# COMPLIANCE: ${{ matrix.compliance }}
# PROJECT_TOKEN: ${{ secrets.CLOUDCUSTODIAN_CORE }}
# ROLE_ACTION: "create"
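# Builds the resource lists the scan job consumes. The values come from the
# composite action `prepare-resource-matrix` in ecc-actions; this job only
# forwards its outputs.
  prepare_resource_matrix:
    name: Prepare resource matrix
    runs-on: ubuntu-22.04
    # needs: deploy_common_resources  -- disabled while that job is commented out
    outputs:
      parallel_resources_list: ${{ steps.prepare-resource-matrix.outputs.parallel_resources_to_scan }}
      not_parallel_resources_list: ${{ steps.prepare-resource-matrix.outputs.not_parallel_resources_to_scan }}
      sequential_resources_list: ${{ steps.prepare-resource-matrix.outputs.sequential_resources_to_scan }}
      sequential_resources_length: ${{ steps.prepare-resource-matrix.outputs.sequential_resources_length }}
    steps:
      - name: Git clone the repository
        # Mutable major tag; pinning to a full commit SHA is the usual
        # supply-chain hardening for third-party actions.
        uses: actions/checkout@v4
      - name: Checkout ecc-actions
        # The credential rides in the clone URL, so git persists it in the
        # cloned repo's .git/config and it can surface in process listings;
        # a credential helper or a one-shot `git -c http.extraheader=…`
        # keeps it out of the checkout. The host shown here as
        # `[email protected]` looks like an e-mail-obfuscation artefact of
        # the page rather than the real remote (presumably
        # `$PROJECT_TOKEN@<host>` in the source) — confirm against the
        # repository. The branch ref is mutable (see ACTIONS_REPO_BRANCH); a
        # commit SHA would pin the local action run below.
        run: git clone -b $ACTIONS_REPO_BRANCH "https://git:[email protected]/epmc-sec/cloudlab/cloud_custodian/ecc-actions.git" ecc-actions
        env:
          # Secret name suggests a changelog token; it is what authenticates
          # this clone — verify its scope is read-only on ecc-actions.
          PROJECT_TOKEN: ${{ secrets.ECC_CHANGELOG_ACTION }}
          # ACTIONS_REPO_BRANCH is already set at workflow level; the former
          # step-level self-assignment `${{ env.ACTIONS_REPO_BRANCH }}` was a
          # no-op and has been dropped.
      - name: Prepare resource matrix
        id: prepare-resource-matrix
        # Local action from the branch cloned above; it runs with the full
        # workflow env (cloud secrets included) in scope.
        uses: ./ecc-actions/auto-test-actions/prepare-resource-matrix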
# deploy_and_scan_parallel_resources:
# name: Scan P
# runs-on: ubuntu-22.04
# needs: [ deploy_common_resources, prepare_resource_matrix ]
# if: ${{ needs.prepare_resource_matrix.outputs.parallel_resources_list != '[]' }}
# strategy:
# max-parallel: 10
# fail-fast: false
# matrix:
# compliance: ['green', 'red']
# resource: ${{fromJson(needs.prepare_resource_matrix.outputs.parallel_resources_list)}}
# env:
# COMPLINCE: ${{ matrix.compliance }}
# RESOURCE: ${{ matrix.resource }}
# steps:
# - name: Git clone the repository
# uses: actions/checkout@v4
# - name: Checkout ecc-actions
# run: git clone -b $ACTIONS_REPO_BRANCH "https://git:[email protected]/epmc-sec/cloudlab/cloud_custodian/ecc-actions.git" ecc-actions
# env:
# PROJECT_TOKEN: ${{ secrets.ECC_CHANGELOG_ACTION }}
# ACTIONS_REPO_BRANCH: ${{ env.ACTIONS_REPO_BRANCH }}
# - name: Deploy and scan parallel resources
# uses: ./ecc-actions/auto-test-actions/deploy-and-scan-resources
# with:
# CI_ASSUME_ROLE: ${{ secrets.CI_ASSUME_ROLE }}
# AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
# COMPLIANCE: ${{ matrix.compliance }}
# PROJECT_TOKEN: ${{ secrets.CLOUDCUSTODIAN_CORE }}
# deploy_and_scan_not_parallel_resources:
# name: Scan N/P
# runs-on: ubuntu-22.04
# needs: [ deploy_common_resources, prepare_resource_matrix]
# if: ${{ needs.prepare_resource_matrix.outputs.not_parallel_resources_list != '[]' }}
# strategy:
# max-parallel: 1
# fail-fast: false
# matrix:
# compliance: ['green', 'red']
# resource: ${{fromJson(needs.prepare_resource_matrix.outputs.not_parallel_resources_list)}}
# env:
# COMPLINCE: ${{ matrix.compliance }}
# RESOURCE: ${{ matrix.resource }}
# steps:
# - name: Git clone the repository
# uses: actions/checkout@v4
# - name: Checkout ecc-actions
# run: git clone -b $ACTIONS_REPO_BRANCH "https://git:[email protected]/epmc-sec/cloudlab/cloud_custodian/ecc-actions.git" ecc-actions
# env:
# PROJECT_TOKEN: ${{ secrets.ECC_CHANGELOG_ACTION }}
# ACTIONS_REPO_BRANCH: ${{ env.ACTIONS_REPO_BRANCH }}
# - name: Deploy and scan non parallel resources
# uses: ./ecc-actions/auto-test-actions/deploy-and-scan-resources
# with:
# CI_ASSUME_ROLE: ${{ secrets.CI_ASSUME_ROLE }}
# AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
# COMPLIANCE: ${{ matrix.compliance }}
# PROJECT_TOKEN: ${{ secrets.CLOUDCUSTODIAN_CORE }}
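# Deploys and scans the "sequential" resources reported by
# prepare_resource_matrix, once per (compliance, resource) matrix cell.
  deploy_and_scan_sequential_resources:
    name: Scan S
    runs-on: ubuntu-22.04
    needs: prepare_resource_matrix # [deploy_common_resources, prepare_resource_matrix]
    if: ${{ needs.prepare_resource_matrix.outputs.sequential_resources_list != '[]' }}
    strategy:
      # The `env` context is not available in `strategy`: GitHub rejected the
      # previous `${{ fromJson(env.MAX_PARALLEL) }}` with "Unrecognized
      # named-value: 'env'", and the step that then wrote MAX_PARALLEL to
      # $GITHUB_ENV ran after the matrix had already been expanded, so it
      # could never take effect (it has been removed). `needs` is allowed
      # here, so the value that step tried to inject is read directly. If
      # "Scan S" is meant to run strictly one cell at a time, use
      # `max-parallel: 1` instead.
      max-parallel: ${{ fromJson(needs.prepare_resource_matrix.outputs.sequential_resources_length) }}
      fail-fast: false
      matrix:
        compliance: ['green', 'red']
        resource: ${{ fromJson(needs.prepare_resource_matrix.outputs.sequential_resources_list) }}
    env:
      # Spelling of COMPLINCE is presumably what the composite action reads;
      # rename only together with ecc-actions.
      COMPLINCE: ${{ matrix.compliance }}
      RESOURCE: ${{ matrix.resource }}
    steps:
      - name: Git clone the repository
        # Mutable major tag; a full commit SHA pins the action.
        uses: actions/checkout@v4
      - name: Checkout ecc-actions
        # Token-in-URL clone: git stores the URL (credential included) in the
        # checkout's .git/config, and the branch ref is mutable, so the local
        # action executed below is not pinned. The host reads
        # `[email protected]` on this page, which looks like an obfuscation
        # artefact — confirm the real remote. The former step-level
        # `ACTIONS_REPO_BRANCH: ${{ env.ACTIONS_REPO_BRANCH }}` was a no-op
        # (the workflow env already provides it) and has been dropped.
        run: git clone -b $ACTIONS_REPO_BRANCH "https://git:[email protected]/epmc-sec/cloudlab/cloud_custodian/ecc-actions.git" ecc-actions
        env:
          PROJECT_TOKEN: ${{ secrets.ECC_CHANGELOG_ACTION }}
      - name: Deploy and scan non-parallel resources
        # Local action from the unpinned branch above, handed the assume-role
        # ARN, Azure credentials and a second token via `with:`, on top of
        # the workflow-level env it already sees.
        uses: ./ecc-actions/auto-test-actions/deploy-and-scan-resources
        with:
          CI_ASSUME_ROLE: ${{ secrets.CI_ASSUME_ROLE }}
          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
          COMPLIANCE: ${{ matrix.compliance }}
          PROJECT_TOKEN: ${{ secrets.CLOUDCUSTODIAN_CORE }}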
# delete_readonly_role_for_scans:
# name: Delete readonly role for scans
# if: ${{ always() }}
# runs-on: ubuntu-22.04
# needs: [ create_readonly_role_for_scans ] #, deploy_and_scan_parallel_resources, deploy_and_scan_not_parallel_resources ]
# steps:
# - name: Git clone the repository
# uses: actions/checkout@v4
# - name: Checkout ecc-actions
# run: git clone -b $ACTIONS_REPO_BRANCH "https://git:[email protected]/epmc-sec/cloudlab/cloud_custodian/ecc-actions.git" ecc-actions
# env:
# PROJECT_TOKEN: ${{ secrets.ECC_CHANGELOG_ACTION }}
# ACTIONS_REPO_BRANCH: ${{ env.ACTIONS_REPO_BRANCH }}
# - name: Delete readonly role for scans
# uses: ./ecc-actions/auto-test-actions/readonly-role-for-scans
# with:
# CI_ASSUME_ROLE: ${{ secrets.CI_ASSUME_ROLE }}
# AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
# SERVICE_ACCOUNT: ${{ secrets.SERVICE_ACCOUNT }}
# WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
# COMPLIANCE: ${{ matrix.compliance }}
# PROJECT_TOKEN: ${{ secrets.CLOUDCUSTODIAN_CORE }}
# ROLE_ACTION: "delete"
# env:
# created_role_name: ${{ needs.create_readonly_role_for_scans.outputs.readonly_role_name }}
# destroy_common_resources:
# name: Destroy common
# runs-on: ubuntu-22.04
# needs: [deploy_and_scan_not_parallel_resources, deploy_and_scan_parallel_resources, deploy_and_scan_sequential_resources]
# if: ${{ always() }}
# strategy:
# max-parallel: 10
# fail-fast: false
# matrix:
# compliance: ["green", "red"]
# env:
# COMPLINCE: ${{ matrix.compliance }}
# RESOURCE: common_resources
# steps:
# - name: Git clone the repository
# uses: actions/checkout@v4
# - name: Checkout ecc-actions
# run: git clone -b $ACTIONS_REPO_BRANCH "https://git:[email protected]/epmc-sec/cloudlab/cloud_custodian/ecc-actions.git" ecc-actions
# env:
# PROJECT_TOKEN: ${{ secrets.ECC_CHANGELOG_ACTION }}
# ACTIONS_REPO_BRANCH: ${{ env.ACTIONS_REPO_BRANCH }}
# - name: Destroy common resources
# uses: ./ecc-actions/auto-test-actions/destroy-common-resources
# with:
# CI_ASSUME_ROLE: ${{ secrets.CI_ASSUME_ROLE }}
# AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
# COMPLIANCE: ${{ matrix.compliance }}