From fb7bf03cad979fd90e5be0e1d904b88e7f154b87 Mon Sep 17 00:00:00 2001
From: Mykhailo
Date: Thu, 19 Sep 2024 12:04:41 +0300
Subject: [PATCH] Add deploy and scan sequential resources
---
 .github/workflows/auto-test.yml | 54 ++++++++++++++++++++++++++++++---
 1 file changed, 50 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/auto-test.yml b/.github/workflows/auto-test.yml
index ee4bc69..8fa2c28 100644
--- a/.github/workflows/auto-test.yml
+++ b/.github/workflows/auto-test.yml
@@ -3,6 +3,7 @@ on:
 push:
 branches:
 - "feature/auto_policy_testing"
+ - "feature/add_sequential_resources"
 # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:
@@ -10,7 +11,7 @@ on:
 resource_priority_list:
 type: string
 description: Priority list for resources (you can remove unnecessary resources during testing)
- default: '["storage", "webapp", "vnet", "network", "vm", "synapse", "sql", "mysql", "subscription", "disk", "postgresql", "cosmosdb", "signalr", "spring", "search", "service-fabric", "stream", "redis", "servicebus", "role", "monitor", "machine-learning", "logic", "kusto", "aks", "keyvault", "iothub", "front-door", "event", "data", "defender", "container", "cognitiveservice", "batch", "automation", "application", "app-configuration", "api", "alert"]'
+ default: '["logic", "monitor", "disk","vnet", "storage", "defender", "role", "subscription"]' #'["storage", "webapp", "vnet", "network", "vm", "synapse", "sql", "mysql", "subscription", "disk", "postgresql", "cosmosdb", "signalr", "spring", "search", "service-fabric", "stream", "redis", "servicebus", "role", "monitor", "machine-learning", "logic", "kusto", "aks", "keyvault", "iothub", "front-door", "event", "data", "defender", "container", "cognitiveservice", "batch", "automation", "application", "app-configuration", "api", "alert"]'
 required: true
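Review bot: The new `default` for `resource_priority_list` in this hunk, and the matching `default_resource_priority_list` in the env hunk that follows, replace the full resource list with an eight-entry subset and keep the old list only as a trailing `#` comment on the same line, so the committed default is now a test subset while the real list survives only in a comment. If the short list is scaffolding for the `feature/add_sequential_resources` branch added in the first hunk, both values should go back before merge; if it is the intended new default, the commented-out copies should be dropped so the two cannot drift apart. The same value is duplicated between the workflow_dispatch input and the env var, which is presumably why the edit had to be made twice; a comment stating which one wins, e.g. `# keep in sync with default_resource_priority_list in env`, would save the next reader from guessing. The missing space in `"disk","vnet"` is harmless to the JSON parse but worth normalising.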
@@ -24,7 +25,7 @@ env:
 AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
 AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 AZURE_SECRET_VALUE: ${{ secrets.AZURE_SECRET_VALUE }}
- default_resource_priority_list: '["storage", "webapp", "vnet", "network", "vm", "synapse", "sql", "mysql", "subscription", "disk", "postgresql", "cosmosdb", "signalr", "spring", "search", "service-fabric", "stream", "redis", "servicebus", "role", "monitor", "machine-learning", "logic", "kusto", "aks", "keyvault", "iothub", "front-door", "event", "data", "defender", "container", "cognitiveservice", "batch", "automation", "application", "app-configuration", "api", "alert"]'
+ default_resource_priority_list: '["logic", "monitor", "disk","vnet", "storage", "defender", "role", "subscription"]' #default_resource_priority_list: '["storage", "webapp", "vnet", "network", "vm", "synapse", "sql", "mysql", "subscription", "disk", "postgresql", "cosmosdb", "signalr", "spring", "search", "service-fabric", "stream", "redis", "servicebus", "role", "monitor", "machine-learning", "logic", "kusto", "aks", "keyvault", "iothub", "front-door", "event", "data", "defender", "container", "cognitiveservice", "batch", "automation", "application", "app-configuration", "api", "alert"]'
 TF_VAR_project: ${{ secrets.TF_VAR_project }}
 TF_VAR_region: ${{ secrets.AWS_REGION }}
@@ -33,7 +34,7 @@ env:
 TF_CLI_ARGS: "-no-color"
 AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
 RED: '\033[0;31m'
- ACTIONS_REPO_BRANCH: "main"
+ ACTIONS_REPO_BRANCH: "feature/deploy_scan_sequential_resources"
 permissions:
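Review bot: `ACTIONS_REPO_BRANCH` now defaults to `feature/deploy_scan_sequential_resources`, a mutable feature branch of the ecc-actions repository that the new job clones at run time (`git clone -b $ACTIONS_REPO_BRANCH ...`) and then executes with the `CI_ASSUME_ROLE`, `AZURE_CREDENTIALS` and `CLOUDCUSTODIAN_CORE` secrets, so what runs under those credentials is whatever that branch holds on the day of the run. This looks like a temporary setting for testing the new job alongside the feature-branch trigger and the shortened resource lists in the earlier hunks; it should return to `"main"` before merge, and if a non-default branch is ever needed for a test run, a workflow_dispatch input is a safer place for it than a hard-coded env default. Longer term, checking out a fixed commit of ecc-actions instead of a branch name would make the fetched composite actions reproducible and reviewable.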
@@ -106,6 +107,8 @@ jobs:
 outputs:
 parallel_resources_list: ${{ steps.prepare-resource-matrix.outputs.parallel_resources_to_scan }}
 not_parallel_resources_list: ${{ steps.prepare-resource-matrix.outputs.not_parallel_resources_to_scan }}
+ sequential_resources_list: ${{ steps.prepare-resource-matrix.outputs.sequential_resources_to_scan }}
+ sequential_resources_length: ${{ steps.prepare-resource-matrix.outputs.sequential_resources_length }}
 steps:
 - name: Git clone the repository
 uses: actions/checkout@v4
@@ -187,6 +190,48 @@ jobs:
 COMPLIANCE: ${{ matrix.compliance }}
 PROJECT_TOKEN: ${{ secrets.CLOUDCUSTODIAN_CORE }}
+ deploy_and_scan_sequential_resources:
+ name: Scan S
+ runs-on: ubuntu-22.04
+ needs: [deploy_common_resources, prepare_resource_matrix]
+ if: ${{ needs.prepare_resource_matrix.outputs.sequential_resources_list != '[]' }}
+ strategy:
+ fail-fast: false
+ matrix:
+ resource: ${{fromJson(needs.prepare_resource_matrix.outputs.sequential_resources_list)}}
+ env:
+ RESOURCE: ${{ matrix.resource }}
+ steps:
+ - name: Git clone the repository
+ uses: actions/checkout@v4
+
+ - name: Checkout ecc-actions
+ run: git clone -b $ACTIONS_REPO_BRANCH "https://git:$PROJECT_TOKEN@git.epam.com/epmc-sec/cloudlab/cloud_custodian/ecc-actions.git" ecc-actions
+ env:
+ PROJECT_TOKEN: ${{ secrets.ECC_CHANGELOG_ACTION }}
+ ACTIONS_REPO_BRANCH: ${{ env.ACTIONS_REPO_BRANCH }}
+
+ - name: Deploy and scan non-parallel resource (green)
+ uses: ./ecc-actions/auto-test-actions/deploy-and-scan-resources
+ env:
+ COMPLINCE: "green"
+ with:
+ CI_ASSUME_ROLE: ${{ secrets.CI_ASSUME_ROLE }}
+ AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+ COMPLIANCE: "green"
+ PROJECT_TOKEN: ${{ secrets.CLOUDCUSTODIAN_CORE }}
+
+ - name: Deploy and scan non-parallel resource (red)
+ uses: ./ecc-actions/auto-test-actions/deploy-and-scan-resources
+ env:
+ COMPLINCE: "red"
+ if: always()
+ with:
+ CI_ASSUME_ROLE: ${{ secrets.CI_ASSUME_ROLE }}
+ AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+ COMPLIANCE: "red"
+ PROJECT_TOKEN: ${{ secrets.CLOUDCUSTODIAN_CORE }}
+
 # delete_readonly_role_for_scans:
 # name: Delete readonly role for scans
 # if: ${{ always() }}
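Review bot: The new `deploy_and_scan_sequential_resources` job fans out over `sequential_resources_list` with `fail-fast: false` but no `max-parallel`, so GitHub Actions will start the matrix entries concurrently; if these resources really must be deployed and scanned one after another, as the job name and the new `sequential_resources_to_scan` output suggest, add `max-parallel: 1` under `strategy:` (the `destroy_common_resources` job in the next hunk already sets `max-parallel` the same way). Both `deploy-and-scan-resources` steps set an env key spelled `COMPLINCE` that nothing visible reads, while the `with:` block passes `COMPLIANCE`; either fix the spelling or drop the env entry so the compliance value has a single source. The `run: git clone ... "https://git:$PROJECT_TOKEN@git.epam.com/..."` step embeds `secrets.ECC_CHANGELOG_ACTION` in the remote URL, which git writes into `ecc-actions/.git/config` where every later step and the composite actions themselves can read it, and secret masking covers logs, not files on disk; supplying the credential through `GIT_ASKPASS` or `-c http.extraHeader=...` instead, or at least removing the remote after the clone, keeps the token out of the workspace — this presumably mirrors the existing parallel jobs, so the same change would apply there. The step names still say `non-parallel resource` and the job is titled `Scan S`; naming both after the sequential job would keep the Actions UI readable, and the `sequential_resources_length` output added in the earlier hunk is not consumed here.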
@@ -216,7 +261,7 @@ jobs:
 destroy_common_resources:
 name: Destroy common
 runs-on: ubuntu-22.04
- needs: [deploy_and_scan_not_parallel_resources, deploy_and_scan_parallel_resources]
+ needs: [deploy_and_scan_not_parallel_resources, deploy_and_scan_parallel_resources, deploy_and_scan_sequential_resources]
 if: ${{ always() }}
 strategy:
 max-parallel: 10
@@ -240,3 +285,4 @@ jobs:
 CI_ASSUME_ROLE: ${{ secrets.CI_ASSUME_ROLE }}
 AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
 COMPLIANCE: ${{ matrix.compliance }}
+