skip: update CI 21 #21
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This is a basic workflow to help you get started with Actions | |
name: Auto-testing | |
# Controls when the workflow will run | |
on: | |
# Triggers the workflow on push or pull request events but only for the "main" branch | |
push: | |
branches: | |
- 'feature/auto_policy_testing' | |
# Allows you to run this workflow manually from the Actions tab | |
workflow_dispatch: | |
inputs: | |
resource_priority_list: | |
type: string | |
description: Priority list for resources (you can remove unnecessary resources during testing) | |
default: '["storage"]' | |
required: true | |
# limits to only one workflow in time | |
concurrency: | |
group: ${{ github.workflow }} | |
env: | |
AUTO_TEST_DIR: "auto_policy_testing" | |
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | |
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
AZURE_SECRET_VALUE: ${{ secrets.AZURE_SECRET_VALUE }} | |
default_resource_priority_list: '["storage"]' | |
TF_VAR_project: ${{ secrets.TF_VAR_project }} | |
TF_VAR_region: ${{ secrets.AWS_REGION }} | |
TF_VAR_zone: ${{ secrets.TF_VAR_zone }} | |
TF_BACKEND_STORAGE_NAME: ${{ secrets.TF_BACKEND_STORAGE_NAME }} | |
TF_CLI_ARGS: "-no-color" | |
AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }} | |
permissions: | |
id-token: write # This is required for requesting the JWT | |
contents: read # This is required for actions/checkout | |
# A workflow run is made up of one or more jobs that can run sequentially or in parallel | |
jobs: | |
deploy_common_resources: | |
runs-on: ubuntu-22.04 | |
strategy: | |
fail-fast: false | |
matrix: | |
compliance: ['green', 'red'] | |
env: | |
COMPLINCE: ${{ matrix.compliance }} | |
RESOURCE: common_resources | |
steps: | |
- name: Git clone the repository | |
uses: actions/checkout@v4 | |
- uses: ./.github/workflows/actions/set-up-cloud-creds | |
with: | |
aws_assume_role: ${{ secrets.CI_ASSUME_ROLE }} | |
step: common_${{ matrix.compliance }} | |
client_id: ${{ secrets.AZURE_CLIENT_ID }} | |
tenant_id: ${{ secrets.AZURE_TENANT_ID }} | |
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
- name: Clean old S3 logs | |
shell: bash | |
run: | | |
cloud=$(echo "${{ github.repository }}" | cut -d'-' -f 2) | |
aws s3 rm s3://$TF_BACKEND_STORAGE_NAME/$cloud/logs --recursive | |
aws s3 rm s3://$TF_BACKEND_STORAGE_NAME/$cloud/policy_output --recursive | |
- name: Deploy common resources | |
uses: ./.github/workflows/actions/tf-init-apply | |
- uses: ./.github/workflows/actions/publish-logs-to-s3 | |
if: ${{ always() }} | |
with: | |
local_path: "${{ github.workspace }}/${{ env.AUTO_TEST_DIR }}/logs" | |
remote_path: "logs" | |
prepare_matrix_resources: | |
runs-on: ubuntu-22.04 | |
needs: [ deploy_common_resources ] | |
outputs: | |
parallel_resources_list: ${{ steps.pass-resource-priority-list-to-matrix.outputs.parallel_resources_to_scan }} | |
not_parallel_resources_list: ${{ steps.pass-resource-priority-list-to-matrix.outputs.not_parallel_resources_to_scan }} | |
steps: | |
- name: Git clone the repository | |
uses: actions/checkout@v4 | |
- id: pass-resource-priority-list-to-matrix | |
shell: bash | |
working-directory: ${{ env.AUTO_TEST_DIR }}/scripts | |
run: | | |
if [ "${{ inputs.resource_priority_list }}" != '' ]; then | |
resource_priority_list="${{ inputs.resource_priority_list }}" | |
else | |
resource_priority_list="$default_resource_priority_list" | |
fi | |
cloud=$(echo "${{ github.repository }}" | cut -d'-' -f 2) | |
not_parallel_resources="$(python -c "import exception_rules; print(exception_rules.$cloud.get('not-parallel',[]))")" | |
source resources_to_scan.sh | |
parallel_resources_to_scan="$(get_parallel_resources_to_scan "$not_parallel_resources" "$resource_priority_list")" | |
not_parallel_resources_to_scan="$(get_not_parallel_resources_to_scan "$not_parallel_resources" "$resource_priority_list")" | |
echo "parallel_resources_to_scan=$parallel_resources_to_scan" | |
echo "not_parallel_resources_to_scan=$not_parallel_resources_to_scan" | |
echo "parallel_resources_to_scan=$parallel_resources_to_scan" >> "$GITHUB_OUTPUT" | |
echo "not_parallel_resources_to_scan=$not_parallel_resources_to_scan" >> "$GITHUB_OUTPUT" | |
deploy_and_scan_parallel_resources: | |
runs-on: ubuntu-22.04 | |
needs: [ deploy_common_resources, prepare_matrix_resources] | |
strategy: | |
max-parallel: 10 | |
fail-fast: false | |
matrix: | |
compliance: ['green', 'red'] | |
resource: ${{fromJson(needs.prepare_matrix_resources.outputs.parallel_resources_list)}} | |
env: | |
COMPLINCE: ${{ matrix.compliance }} | |
RESOURCE: ${{ matrix.resource }} | |
TF_VAR_remote_state_key: "azure/states/common_resources/${{ matrix.compliance }}.tfstate" | |
steps: | |
- name: Git clone the repository | |
uses: actions/checkout@v4 | |
- uses: ./.github/workflows/actions/set-up-cloud-creds | |
with: | |
aws_assume_role: ${{ secrets.CI_ASSUME_ROLE }} | |
client_id: ${{ secrets.AZURE_CLIENT_ID }} | |
tenant_id: ${{ secrets.AZURE_TENANT_ID }} | |
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
step: common_${{ matrix.compliance }} | |
- uses: ./.github/workflows/actions/install-dependencies | |
- name: Deploy terraform resources | |
uses: ./.github/workflows/actions/tf-init-apply | |
- name: Custodian scan | |
uses: ./.github/workflows/actions/c7n-scan | |
- name: Destroy terraform resources | |
uses: ./.github/workflows/actions/tf-destroy | |
if: ${{ always() }} | |
- uses: ./.github/workflows/actions/publish-logs-to-s3 | |
if: ${{ always() }} | |
with: | |
local_path: "${{ github.workspace }}/${{ env.AUTO_TEST_DIR }}/logs" | |
remote_path: "logs" | |
- uses: ./.github/workflows/actions/publish-logs-to-s3 | |
if: ${{ always() }} | |
with: | |
local_path: "${{ github.workspace }}/${{ env.AUTO_TEST_DIR }}/output" | |
remote_path: "policy_output/${{ matrix.compliance }}" |