From 11cb6aa0e8536227134486c16762a0026393ee03 Mon Sep 17 00:00:00 2001
From: Mykhailo
Date: Wed, 18 Sep 2024 17:41:18 +0300
Subject: [PATCH] Add sequential resources deploy and scan
---
 .github/workflows/auto-test.yml | 46 ++++++++++++++++++++++++++++++---
 1 file changed, 42 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/auto-test.yml b/.github/workflows/auto-test.yml
index ee4bc69..831db56 100644
--- a/.github/workflows/auto-test.yml
+++ b/.github/workflows/auto-test.yml
@@ -3,6 +3,7 @@ on:
 push:
 branches:
 - "feature/auto_policy_testing"
+ - "feature/add_sequential_resources"
 # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:
@@ -10,7 +11,7 @@ on:
 resource_priority_list:
 type: string
 description: Priority list for resources (you can remove unnecessary resources during testing)
- default: '["storage", "webapp", "vnet", "network", "vm", "synapse", "sql", "mysql", "subscription", "disk", "postgresql", "cosmosdb", "signalr", "spring", "search", "service-fabric", "stream", "redis", "servicebus", "role", "monitor", "machine-learning", "logic", "kusto", "aks", "keyvault", "iothub", "front-door", "event", "data", "defender", "container", "cognitiveservice", "batch", "automation", "application", "app-configuration", "api", "alert"]'
+ default: '[ "sqs", "sns", "defender", "role"]' #'["storage", "webapp", "vnet", "network", "vm", "synapse", "sql", "mysql", "subscription", "disk", "postgresql", "cosmosdb", "signalr", "spring", "search", "service-fabric", "stream", "redis", "servicebus", "role", "monitor", "machine-learning", "logic", "kusto", "aks", "keyvault", "iothub", "front-door", "event", "data", "defender", "container", "cognitiveservice", "batch", "automation", "application", "app-configuration", "api", "alert"]'
 required: true
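Review bot: The `resource_priority_list` default is replaced by a four-entry list with the full list kept as a trailing comment, which reads as temporary test scaffolding rather than the intended default for this workflow_dispatch input. The same pattern in the `default_resource_priority_list` env hunk uses a different four-entry list (`sqs, sns, defender, role` here versus `disk, storage, defender, role` there), so the input default and the env fallback no longer agree, and `ACTIONS_REPO_BRANCH` is moved from `main` to a feature branch in the following hunk in the same way. If these are meant to be reverted before merge, mark them so they are not forgotten, e.g. `# TODO(review): restore full default list and ACTIONS_REPO_BRANCH: "main" before merging`; otherwise restore the full list in both places and keep any shortened list to the manual input only. The leading space in `'[ "sqs", ...]'` is cosmetic but inconsistent with the original formatting.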
@@ -24,7 +25,7 @@ env:
 AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
 AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 AZURE_SECRET_VALUE: ${{ secrets.AZURE_SECRET_VALUE }}
- default_resource_priority_list: '["storage", "webapp", "vnet", "network", "vm", "synapse", "sql", "mysql", "subscription", "disk", "postgresql", "cosmosdb", "signalr", "spring", "search", "service-fabric", "stream", "redis", "servicebus", "role", "monitor", "machine-learning", "logic", "kusto", "aks", "keyvault", "iothub", "front-door", "event", "data", "defender", "container", "cognitiveservice", "batch", "automation", "application", "app-configuration", "api", "alert"]'
+ default_resource_priority_list: '[ "disk", "storage", "defender", "role"]' #default_resource_priority_list: '["storage", "webapp", "vnet", "network", "vm", "synapse", "sql", "mysql", "subscription", "disk", "postgresql", "cosmosdb", "signalr", "spring", "search", "service-fabric", "stream", "redis", "servicebus", "role", "monitor", "machine-learning", "logic", "kusto", "aks", "keyvault", "iothub", "front-door", "event", "data", "defender", "container", "cognitiveservice", "batch", "automation", "application", "app-configuration", "api", "alert"]'
 TF_VAR_project: ${{ secrets.TF_VAR_project }}
 TF_VAR_region: ${{ secrets.AWS_REGION }}
@@ -33,7 +34,7 @@ env:
 TF_CLI_ARGS: "-no-color"
 AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
 RED: '\033[0;31m'
- ACTIONS_REPO_BRANCH: "main"
+ ACTIONS_REPO_BRANCH: "feature/deploy_scan_sequential_resources"
 permissions:
@@ -106,6 +107,8 @@ jobs:
 outputs:
 parallel_resources_list: ${{ steps.prepare-resource-matrix.outputs.parallel_resources_to_scan }}
 not_parallel_resources_list: ${{ steps.prepare-resource-matrix.outputs.not_parallel_resources_to_scan }}
+ sequential_resources_list: ${{ steps.prepare-resource-matrix.outputs.sequential_resources_to_scan }}
+ sequential_resources_length: ${{ steps.prepare-resource-matrix.outputs.sequential_resources_length }}
 steps:
 - name: Git clone the repository
 uses: actions/checkout@v4
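Review bot: `sequential_resources_length` is exposed as a new job output, but no hunk in this patch consumes it (the new `deploy_and_scan_sequential_resources` job reads only `sequential_resources_list`); either drop it or record its consumer above the line, e.g. `# consumed by: <job or step that reads it>`. Both new outputs rely on the `prepare-resource-matrix` step writing `sequential_resources_to_scan` and `sequential_resources_length`, and that step lies outside this hunk, so I could not confirm it sets them; a missing output here resolves to an empty string and would make the downstream `fromJson(...)` fail rather than skip the job. The enclosing job (presumably `prepare_resource_matrix`) begins before the hunk.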
@@ -187,6 +190,40 @@ jobs:
 COMPLIANCE: ${{ matrix.compliance }}
 PROJECT_TOKEN: ${{ secrets.CLOUDCUSTODIAN_CORE }}
+ deploy_and_scan_sequential_resources:
+ name: Scan S
+ runs-on: ubuntu-22.04
+ needs: [deploy_common_resources, prepare_resource_matrix]
+ if: ${{ needs.prepare_resource_matrix.outputs.sequential_resources_list != '[]' }}
+ strategy:
+ max-parallel: 1
+ fail-fast: false
+ matrix:
+ compliance: ['green', 'red']
+ resource: ${{fromJson(needs.prepare_resource_matrix.outputs.sequential_resources_list)}}
+ env:
+ COMPLINCE: ${{ matrix.compliance }}
+ RESOURCE: ${{ matrix.resource }}
+ steps:
+ - name: Git clone the repository
+ uses: actions/checkout@v4
+
+ - name: Checkout ecc-actions
+ run: git clone -b $ACTIONS_REPO_BRANCH "https://git:$PROJECT_TOKEN@git.epam.com/epmc-sec/cloudlab/cloud_custodian/ecc-actions.git" ecc-actions
+ env:
+ PROJECT_TOKEN: ${{ secrets.ECC_CHANGELOG_ACTION }}
+ ACTIONS_REPO_BRANCH: ${{ env.ACTIONS_REPO_BRANCH }}
+ - name: Deploy and scan non-parallel resources
+ uses: ./ecc-actions/auto-test-actions/deploy-and-scan-resources
+ with:
+ CI_ASSUME_ROLE: ${{ secrets.CI_ASSUME_ROLE }}
+ SERVICE_ACCOUNT: ${{ secrets.SERVICE_ACCOUNT }}
+ WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
+ COMPLIANCE: ${{ matrix.compliance }}
+ PROJECT_TOKEN: ${{ secrets.CLOUDCUSTODIAN_CORE }}
+ READONLY_ROLE_NAME: ${{ needs.create_readonly_role_for_scans.outputs.readonly_role_name }}
+ GOOGLE_IMPERSONATE_SERVICE_ACCOUNT: ${{ secrets.GOOGLE_IMPERSONATE_SERVICE_ACCOUNT }}
+
 # delete_readonly_role_for_scans:
 # name: Delete readonly role for scans
 # if: ${{ always() }}
@@ -216,7 +253,7 @@ jobs:
 destroy_common_resources:
 name: Destroy common
 runs-on: ubuntu-22.04
- needs: [deploy_and_scan_not_parallel_resources, deploy_and_scan_parallel_resources]
+ needs: [deploy_and_scan_not_parallel_resources, deploy_and_scan_parallel_resources, deploy_and_scan_sequential_resources]
 if: ${{ always() }}
 strategy:
 max-parallel: 10
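Review bot: `READONLY_ROLE_NAME` in the new `deploy_and_scan_sequential_resources` job reads `needs.create_readonly_role_for_scans.outputs.readonly_role_name`, but `create_readonly_role_for_scans` is not in the job's `needs: [deploy_common_resources, prepare_resource_matrix]`, so the `needs` context will not contain that job and the input is presumably passed empty, meaning the scan would not run under the intended read-only role; if that job exists in this workflow (only its commented-out `delete_` counterpart is visible here), add it: `needs: [deploy_common_resources, prepare_resource_matrix, create_readonly_role_for_scans]`. The job-level env key `COMPLINCE: ${{ matrix.compliance }}` is misspelled and will not be seen by anything reading `COMPLIANCE`; it should read `COMPLIANCE: ${{ matrix.compliance }}`. The job name `Scan S` looks truncated and the step name `Deploy and scan non-parallel resources` is copied from the other job, which makes run logs ambiguous; `- name: Deploy and scan sequential resources` and a full job name would fix both. The clone URL also embeds `$PROJECT_TOKEN`, so the token is written into `ecc-actions/.git/config` on the runner for the rest of the job; this may be pre-existing in the sibling jobs, but a fresh job is the place to switch to passing credentials via `git -c http.extraheader=...` or a credential helper rather than the URL.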
@@ -240,3 +277,4 @@ jobs:
 CI_ASSUME_ROLE: ${{ secrets.CI_ASSUME_ROLE }}
 AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
 COMPLIANCE: ${{ matrix.compliance }}
+