Merge pull request #13 from zMynxx/feature/gha

Feature/gha

.github/workflows/sonarcloud.yml

@@ -0,0 +1,64 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow helps you trigger a SonarCloud analysis of your code and populates
+# GitHub Code Scanning alerts with the vulnerabilities found.
+# Free for open source project.
+
+# 1. Login to SonarCloud.io using your GitHub account
+
+# 2. Import your project on SonarCloud
+#     * Add your GitHub organization first, then add your repository as a new project.
+#     * Please note that many languages are eligible for automatic analysis,
+#       which means that the analysis will start automatically without the need to set up GitHub Actions.
+#     * This behavior can be changed in Administration > Analysis Method.
+#
+# 3. Follow the SonarCloud in-product tutorial
+#     * a. Copy/paste the Project Key and the Organization Key into the args parameter below
+#          (You'll find this information in SonarCloud. Click on "Information" at the bottom left)
+#
+#     * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN
+#          (On SonarCloud, click on your avatar on top-right > My account > Security
+#           or go directly to https://sonarcloud.io/account/security/)
+
+# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/)
+# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9)
+
+name: SonarCloud analysis
+
+on:
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  pull-requests: read # allows SonarCloud to decorate PRs with analysis results
+
+jobs:
+  Analysis:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: SonarCloud Scan
+        uses: SonarSource/sonarcloud-github-action@v2.0.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
+        with:
+          # Additional arguments for the sonarcloud scanner
+          args:
+            # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu)
+            # mandatory
+            -Dsonar.projectKey=${{ vars.SONAR_PROJECT_KEY }}
+            -Dsonar.organization=${{ vars.SONAR_ORG }}
+            # Comma-separated paths to directories containing main source files.
+            #-Dsonar.sources= # optional, default is project base directory
+            # When you need the analysis to take place in a directory other than the one from which it was launched
+            #-Dsonar.projectBaseDir= # optional, default is .
+            # Comma-separated paths to directories containing test source files.
+            #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
+            # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
+            #-Dsonar.verbose= # optional, default is false

.github/workflows/sounarqube.yaml

@@ -0,0 +1,24 @@
+name: SonarQube scan
+on:
+  workflow_dispatch:
+  # Trigger analysis when pushing to your main branches, and when creating a pull request.
+  push:
+    branches:
+      - main
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  sonarqube:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # Disabling shallow clone is recommended for improving relevancy of reporting
+          fetch-depth: 0
+
+      - name: Official SonarQube Scan
+        uses: SonarSource/sonarqube-scan-action@v2.0.0
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}

.github/workflows/super-linter.yaml

@@ -0,0 +1,61 @@
+#################################
+#################################
+## Super Linter GitHub Actions ##
+#################################
+#################################
+name: Lint Code Base
+
+#############################
+# Start the job on all push #
+#############################
+on:
+  workflow_dispatch:
+  # push:
+  pull_request:
+    branches:
+      - main
+
+###############
+# Set the Job #
+###############
+jobs:
+  build:
+    # Name the Job
+    name: Lint Code Base
+    # Set the agent to run on
+    runs-on: ubuntu-22.04
+
+    ############################################
+    # Grant status permission for MULTI_STATUS #
+    ############################################
+    permissions:
+      contents: read
+      packages: read
+      statuses: write
+
+    ##################
+    # Load all steps #
+    ##################
+    steps:
+      ##########################
+      # Checkout the code base #
+      ##########################
+      - name: Checkout Code
+        uses: actions/checkout@v3
+        with:
+          # Full git history is needed to get a proper
+          # list of changed files within `super-linter`
+          fetch-depth: 0
+
+      ################################
+      # Run Linter against code base #
+      ################################
+      - name: Lint Code Base
+        uses: super-linter/super-linter/slim@v5.2.1
+        env:
+          VALIDATE_ALL_CODEBASE: true
+          DEFAULT_BRANCH: main
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_ACTIONS_CONFIG_FILE: .github/workflows/super-linter/actionlint.yaml
+          ## This allows for pipelines to pass on linter errors
+          #   DISABLE_ERRORS: true

.github/workflows/terrascanner.yml

@@ -0,0 +1,33 @@
+name: Terrascan scan
+on:
+  workflow_dispatch:
+  # push:
+  pull_request:
+
+jobs:
+  terrascan_job:
+    runs-on: ubuntu-22.04
+    name: terrascan-action
+    permissions: write-all
+    steps:
+      - uses: actions/checkout@v3
+      - name: Terrascan IaC scanner
+        id: terrascan
+        uses: tenable/terrascan-action@v1.4.1
+        with:
+          iac_type: "terraform"
+          iac_version: "v14"
+          policy_type: "aws"
+          only_warn: true
+          sarif_upload: true
+          #   webhook_url: ${{ secrets.SLACK_WEBHOOK_PROD }}
+          find_vulnerabilities: true
+          #non_recursive:
+          #iac_dir:
+          #policy_path:
+          #skip_rules:
+          #config_path:
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v2.21.4
+        with:
+          sarif_file: terrascan.sarif

.github/workflows/tg-apply.yaml

@@ -0,0 +1,45 @@
+name: "Run-all Apply Terragrunt"
+on:
+  workflow_dispatch:
+    inputs:
+      tf_working_dir:
+        description: "Terragrunt working directory"
+        required: false
+        default: "terraform/terragrunt/prod/us-east-1"
+
+env:
+  TG_DIR: ${{ inputs.tf_working_dir }}
+
+jobs:
+  plan:
+    name: plan
+    uses: zmynx/github-actions/.github/workflows/tg-plan.yaml@feature/gha
+
+  apply:
+    needs: [plan]
+    permissions:
+      id-token: write
+      contents: read
+    runs-on: ubuntu-22.04
+    steps:
+      - name: "Checkout"
+        uses: actions/checkout@v3
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          role-session-name: GitHub-Actions-OIDC
+          role-duration-seconds: 1700
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Apply
+        uses: gruntwork-io/terragrunt-action@v1.0.7
+        env:
+          AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }}
+        with:
+          tf_version: ${{ vars.TF_VERSION }}
+          tg_version: ${{ vars.TG_VERSION }}
+          tg_dir: ${{ env.TG_DIR }}
+          tg_command: "run-all apply --terragrunt-non-interactive"

.github/workflows/tg-destroy.yaml

@@ -0,0 +1,45 @@
+name: "Run-all Destroy Terragrunt"
+on:
+  workflow_dispatch:
+    inputs:
+      tf_working_dir:
+        description: "Terragrunt working directory"
+        required: false
+        default: "terraform/terragrunt/prod/us-east-1"
+
+env:
+  TG_DIR: ${{ inputs.tf_working_dir }}
+
+jobs:
+  plan:
+    name: plan
+    uses: zmynx/github-actions/.github/workflows/tg-plan.yaml@feature/gha
+
+  destroy:
+    needs: [plan]
+    permissions:
+      id-token: write
+      contents: read
+    runs-on: ubuntu-22.04
+    steps:
+      - name: "Checkout"
+        uses: actions/checkout@v3
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          role-session-name: GitHub-Actions-OIDC
+          role-duration-seconds: 1700
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Destroy
+        uses: gruntwork-io/terragrunt-action@v1.0.7
+        env:
+          AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }}
+        with:
+          tf_version: ${{ vars.TF_VERSION }}
+          tg_version: ${{ vars.TG_VERSION }}
+          tg_dir: ${{ env.TG_DIR }}
+          tg_command: "run-all destroy --terragrunt-non-interactive"

.github/workflows/tg-plan.yaml

@@ -0,0 +1,88 @@
+name: "Run-all Plan Terragrunt"
+on:
+  workflow_dispatch:
+    inputs:
+      tf_working_dir:
+        description: "Terragrunt working directory"
+        required: false
+        default: "terragrunt"
+  # push:
+  pull_request:
+    branches:
+      - main
+
+env:
+  TG_DIR: ${{ inputs.tf_working_dir }}
+
+jobs:
+  checks:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: "Checkout"
+        uses: actions/checkout@v3
+
+      - name: Check terragrunt HCL
+        uses: gruntwork-io/terragrunt-action@v1.0.7
+        with:
+          tf_version: ${{ vars.TF_VERSION }}
+          tg_version: ${{ vars.TG_VERSION }}
+          tg_dir: ${{ env.TG_DIR }}
+          tg_command: "hclfmt --terragrunt-check --terragrunt-diff"
+
+  init:
+    permissions:
+      id-token: write
+      contents: read
+    runs-on: ubuntu-22.04
+    needs: [checks]
+    steps:
+      - name: "Checkout"
+        uses: actions/checkout@v3
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          role-session-name: GitHub-Actions-OIDC
+          role-duration-seconds: 1700
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Init
+        uses: gruntwork-io/terragrunt-action@v1.0.7
+        env:
+          AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }}
+        with:
+          tf_version: ${{ vars.TF_VERSION }}
+          tg_version: ${{ vars.TG_VERSION }}
+          tg_dir: ${{ env.TG_DIR }}
+          tg_command: "run-all init --terragrunt-non-interactive"
+
+  plan:
+    permissions:
+      id-token: write
+      contents: read
+    runs-on: ubuntu-22.04
+    needs: [checks, init]
+    steps:
+      - name: "Checkout"
+        uses: actions/checkout@v3
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          role-session-name: GitHub-Actions-OIDC
+          role-duration-seconds: 1700
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Plan
+        uses: gruntwork-io/terragrunt-action@v1.0.7
+        env:
+          AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }}
+        with:
+          tf_version: ${{ vars.TF_VERSION }}
+          tg_version: ${{ vars.TG_VERSION }}
+          tg_dir: ${{ env.TG_DIR }}
+          tg_command: "run-all plan --terragrunt-non-interactive"