.github/workflows/auto-test.yml

# This is a basic workflow to help you get started with Actions
name: Auto-testing

# Controls when the workflow will run
on:
  # Triggers the workflow on push or pull request events but only for the "main" branch
  push:
    branches:
      - 'feature/auto_policy_testing'

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
    inputs:
      resource_priority_list:
        type: string
        description: Priority list for resources (you can remove unnecessary resources during testing)
        default: '["storage"]'
        required: true

# limits to only one workflow in time 
concurrency:
  group: ${{ github.workflow }}

env:
  AUTO_TEST_DIR: "auto_policy_testing"
  AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
  AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
  AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
  AZURE_SECRET_VALUE: ${{ secrets.AZURE_SECRET_VALUE }}
  default_resource_priority_list: '["storage"]'
  TF_VAR_project: ${{ secrets.TF_VAR_project }}
  TF_VAR_region: ${{ secrets.AWS_REGION }}
  TF_VAR_zone: ${{ secrets.TF_VAR_zone }}
  TF_BACKEND_STORAGE_NAME: ${{ secrets.TF_BACKEND_STORAGE_NAME }}
  TF_CLI_ARGS: "-no-color"
  AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}


permissions:
  id-token: write # This is required for requesting the JWT
  contents: read  # This is required for actions/checkout


# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  deploy_common_resources:
    runs-on: ubuntu-22.04
    strategy:
      fail-fast: false
      matrix:
        compliance: ['green', 'red']
    
    env:
      COMPLINCE: ${{ matrix.compliance }}
      RESOURCE: common_resources
    
    steps:
      - name: Git clone the repository
        uses: actions/checkout@v4
      - uses: ./.github/workflows/actions/set-up-cloud-creds
        with:
          aws_assume_role: ${{ secrets.CI_ASSUME_ROLE }}
          step: common_${{ matrix.compliance }}
          client_id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Clean old S3 logs
        shell: bash
        run: |
          cloud=$(echo "${{ github.repository }}" | cut -d'-' -f 2)
          aws s3 rm s3://$TF_BACKEND_STORAGE_NAME/$cloud/logs --recursive
          aws s3 rm s3://$TF_BACKEND_STORAGE_NAME/$cloud/policy_output --recursive

      - name: Deploy common resources
        uses: ./.github/workflows/actions/tf-init-apply

      - uses: ./.github/workflows/actions/publish-logs-to-s3
        if: ${{ always() }}
        with:
          local_path: "${{ github.workspace }}/${{ env.AUTO_TEST_DIR }}/logs"
          remote_path: "logs"
  
  prepare_matrix_resources:
    runs-on: ubuntu-22.04
    needs: [ deploy_common_resources ]
    outputs:
      parallel_resources_list: ${{ steps.pass-resource-priority-list-to-matrix.outputs.parallel_resources_to_scan }}
      not_parallel_resources_list: ${{ steps.pass-resource-priority-list-to-matrix.outputs.not_parallel_resources_to_scan }}
    steps:
      - name: Git clone the repository
        uses: actions/checkout@v4
      - id: pass-resource-priority-list-to-matrix
        shell: bash
        working-directory: ${{ env.AUTO_TEST_DIR }}/scripts
        run: |
          if [ "${{ inputs.resource_priority_list }}" != '' ]; then
            resource_priority_list="${{ inputs.resource_priority_list }}"
          else
            resource_priority_list="$default_resource_priority_list"
          fi

          cloud=$(echo "${{ github.repository }}" | cut -d'-' -f 2)
          not_parallel_resources="$(python -c "import exception_rules; print(exception_rules.$cloud.get('not-parallel',[]))")"
          source resources_to_scan.sh
          parallel_resources_to_scan="$(get_parallel_resources_to_scan "$not_parallel_resources" "$resource_priority_list")"
          not_parallel_resources_to_scan="$(get_not_parallel_resources_to_scan "$not_parallel_resources" "$resource_priority_list")"
          
          echo "parallel_resources_to_scan=$parallel_resources_to_scan"
          echo "not_parallel_resources_to_scan=$not_parallel_resources_to_scan"

          echo "parallel_resources_to_scan=$parallel_resources_to_scan" >> "$GITHUB_OUTPUT"
          echo "not_parallel_resources_to_scan=$not_parallel_resources_to_scan" >> "$GITHUB_OUTPUT"

  deploy_and_scan_parallel_resources:
    runs-on: ubuntu-22.04
    needs: [ deploy_common_resources, prepare_matrix_resources]
    strategy:
      max-parallel: 10
      fail-fast: false
      matrix:
        compliance: ['green', 'red']
        resource: ${{fromJson(needs.prepare_matrix_resources.outputs.parallel_resources_list)}}
    env:
      COMPLINCE: ${{ matrix.compliance }}
      RESOURCE: ${{ matrix.resource }}
      TF_VAR_remote_state_key: "azure/states/common_resources/${{ matrix.compliance }}.tfstate"
      
    steps:
      - name: Git clone the repository
        uses: actions/checkout@v4

      - uses: ./.github/workflows/actions/set-up-cloud-creds
        with:
          aws_assume_role: ${{ secrets.CI_ASSUME_ROLE }}
          client_id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          step: common_${{ matrix.compliance }}
      - uses: ./.github/workflows/actions/install-dependencies

      - name: Deploy terraform resources
        uses: ./.github/workflows/actions/tf-init-apply

      - name: Custodian scan
        uses: ./.github/workflows/actions/c7n-scan

      - name: Destroy terraform resources
        uses: ./.github/workflows/actions/tf-destroy
        if: ${{ always() }}

      - uses: ./.github/workflows/actions/publish-logs-to-s3
        if: ${{ always() }}
        with:
          local_path: "${{ github.workspace }}/${{ env.AUTO_TEST_DIR }}/logs"
          remote_path: "logs"
      - uses: ./.github/workflows/actions/publish-logs-to-s3
        if: ${{ always() }}
        with:
          local_path: "${{ github.workspace }}/${{ env.AUTO_TEST_DIR }}/output"
          remote_path: "policy_output/${{ matrix.compliance }}"

  deploy_and_scan_not_parallel_resources:
    runs-on: ubuntu-22.04
    needs: [ deploy_common_resources, prepare_matrix_resources]
    if: ${{ needs.prepare_matrix_resources.outputs.not_parallel_resources_list != '[]' }}
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        compliance: ['green', 'red']
        resource: ${{fromJson(needs.prepare_matrix_resources.outputs.not_parallel_resources_list)}}
    env:
      COMPLINCE: ${{ matrix.compliance }}
      RESOURCE: ${{ matrix.resource }}
      TF_VAR_remote_state_key: "aws/states/common_resources/${{ matrix.compliance }}.tfstate"
      
    steps:
      - name: Git clone the repository
        uses: actions/checkout@v4

      - uses: ./.github/workflows/actions/set-up-cloud-creds
        with:
          aws_assume_role: ${{ secrets.CI_ASSUME_ROLE }}
          client_id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          step: common_${{ matrix.compliance }}
      - uses: ./.github/workflows/actions/install-dependencies

      - name: Deploy terraform resources
        uses: ./.github/workflows/actions/tf-init-apply

      - name: Custodian scan
        uses: ./.github/workflows/actions/c7n-scan

      - name: Destroy terraform resources
        uses: ./.github/workflows/actions/tf-destroy
        if: ${{ always() }}

      - uses: ./.github/workflows/actions/publish-logs-to-s3
        if: ${{ always() }}
        with:
          local_path: "${{ github.workspace }}/${{ env.AUTO_TEST_DIR }}/logs"
          remote_path: "logs"
      - uses: ./.github/workflows/actions/publish-logs-to-s3
        if: ${{ always() }}
        with:
          local_path: "${{ github.workspace }}/${{ env.AUTO_TEST_DIR }}/output"
          remote_path: "policy_output/${{ matrix.compliance }}"

  destroy_common_resources:
    runs-on: ubuntu-22.04
    needs: [deploy_common_resources, deploy_and_scan_parallel_resources,deploy_and_scan_not_parallel_resources]
    if: ${{ always() }}
    strategy:
      max-parallel: 10
      fail-fast: false
      matrix:
        compliance: ['green', 'red']
    env:
      COMPLINCE: ${{ matrix.compliance }}
      RESOURCE: common_resources
    steps:
      - name: Git clone the repository
        uses: actions/checkout@v4

      - uses: ./.github/workflows/actions/set-up-cloud-creds
        with:
          aws_assume_role: ${{ secrets.CI_ASSUME_ROLE }}
          client_id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          step: common_${{ matrix.compliance }}

      - name: Destroy common resources
        if: ${{ always() }}
        uses: ./.github/workflows/actions/tf-destroy

      - uses: ./.github/workflows/actions/publish-logs-to-s3
        if: ${{ always() }}
        with:
          local_path: "${{ github.workspace }}/${{ env.AUTO_TEST_DIR }}/logs"
          remote_path: "logs"