From 5091e4e31c0654df0ffd3f3d52a27ef3c5b95f81 Mon Sep 17 00:00:00 2001 From: zMynx Date: Fri, 18 Aug 2023 21:04:26 +0300 Subject: [PATCH 1/6] symlinks might not work, testing --- .github/workflows/tg-plan.yaml | 87 +++++++++++++++++++++++++++++++++- 1 file changed, 86 insertions(+), 1 deletion(-) mode change 120000 => 100644 .github/workflows/tg-plan.yaml diff --git a/.github/workflows/tg-plan.yaml b/.github/workflows/tg-plan.yaml deleted file mode 120000 index 278487c..0000000 --- a/.github/workflows/tg-plan.yaml +++ /dev/null @@ -1 +0,0 @@ -terragrunt/plan.yml \ No newline at end of file diff --git a/.github/workflows/tg-plan.yaml b/.github/workflows/tg-plan.yaml new file mode 100644 index 0000000..331fdf1 --- /dev/null +++ b/.github/workflows/tg-plan.yaml 
@@ -0,0 +1,86 @@ +name: "Run-all Plan Terragrunt" +on: + workflow_dispatch: + inputs: + tf_working_dir: + description: "Terragrunt working directory" + required: false + default: "terragrunt" + push: + pull_request: + +env: + TG_DIR: ${{ inputs.tf_working_dir }} + +jobs: + checks: + runs-on: ubuntu-22.04 + steps: + - name: "Checkout" + uses: actions/checkout@v3 + + - name: Check terragrunt HCL + uses: gruntwork-io/terragrunt-action@v1.0.7 + with: + tf_version: ${{ vars.TF_VERSION }} + tg_version: ${{ vars.TG_VERSION }} + tg_dir: ${{ env.TG_DIR }} + tg_command: "hclfmt --terragrunt-check --terragrunt-diff" + + init: + permissions: + id-token: write + contents: read + runs-on: ubuntu-22.04 + needs: [checks] + steps: + - name: "Checkout" + uses: actions/checkout@v3 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v2 + with: + role-to-assume: ${{ secrets.AWS_ROLE_ARN }} + role-session-name: GitHub-Actions-OIDC + role-duration-seconds: 1700 + aws-region: ${{ vars.AWS_REGION }} + + - name: Init + uses: gruntwork-io/terragrunt-action@v1.0.7 + env: + AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }} + with: + tf_version: ${{ vars.TF_VERSION }} + tg_version: ${{ vars.TG_VERSION }} + tg_dir: ${{ env.TG_DIR }} + tg_command: "run-all init --terragrunt-non-interactive" + + plan: + permissions: + id-token: write + contents: read + runs-on: ubuntu-22.04 + needs: [checks, init] + steps: + - name: "Checkout" + uses: actions/checkout@v3 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v2 + with: + role-to-assume: ${{ secrets.AWS_ROLE_ARN }} + role-session-name: GitHub-Actions-OIDC + role-duration-seconds: 1700 + aws-region: ${{ vars.AWS_REGION }} + + - name: Plan + uses: gruntwork-io/terragrunt-action@v1.0.7 + env: + AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }} + with: + tf_version: ${{ 
vars.TF_VERSION }} + tg_version: ${{ vars.TG_VERSION }} + tg_dir: ${{ env.TG_DIR }} + tg_command: "run-all plan --terragrunt-non-interactive" From 9eff57dff711a47cdc7a9a8ea4aaf18f2c53fb66 Mon Sep 17 00:00:00 2001 From: zMynx Date: Fri, 18 Aug 2023 21:10:05 +0300 Subject: [PATCH 2/6] symlinks removed --- .github/workflows/sonarcloud.yaml | 1 - .github/workflows/sonarcloud.yml | 67 +++++++++++++++++++++++++++++ .github/workflows/sonarqube.yaml | 1 - .github/workflows/sounarqube.yaml | 23 ++++++++++ .github/workflows/super-linter.yaml | 61 +++++++++++++++++++++++++- .github/workflows/terrascanner.yml | 32 +++++++++++++- .github/workflows/tg-apply.yaml | 46 +++++++++++++++++++- .github/workflows/tg-destroy.yaml | 46 +++++++++++++++++++- 8 files changed, 271 insertions(+), 6 deletions(-) delete mode 120000 .github/workflows/sonarcloud.yaml create mode 100644 .github/workflows/sonarcloud.yml delete mode 120000 .github/workflows/sonarqube.yaml create mode 100644 .github/workflows/sounarqube.yaml mode change 120000 => 100644 .github/workflows/super-linter.yaml mode change 120000 => 100644 .github/workflows/terrascanner.yml mode change 120000 => 100644 .github/workflows/tg-apply.yaml mode change 120000 => 100644 .github/workflows/tg-destroy.yaml diff --git a/.github/workflows/sonarcloud.yaml b/.github/workflows/sonarcloud.yaml deleted file mode 120000 index 53da8ee..0000000 --- a/.github/workflows/sonarcloud.yaml +++ /dev/null @@ -1 +0,0 @@ -sonarcloud/sonarcloud.yml \ No newline at end of file diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml new file mode 100644 index 0000000..dab02de --- /dev/null +++ b/.github/workflows/sonarcloud.yml 
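Review bot: The Init and Plan steps forward only `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` into the terragrunt-action container, but the credentials produced by `role-to-assume` are temporary and are only valid together with their session token, so `AWS_SESSION_TOKEN: ${{ env.AWS_SESSION_TOKEN }}` belongs alongside them (if the container already inherits the step environment, the explicit passthrough is redundant rather than incomplete, but as written it is one or the other). `TG_DIR: ${{ inputs.tf_working_dir }}` is empty on the `push` and `pull_request` triggers because `inputs` is only populated by `workflow_dispatch`, so the `default: "terragrunt"` never applies there; use `TG_DIR: ${{ inputs.tf_working_dir || 'terragrunt' }}`. Running `run-all plan` with an assumed AWS role on every pull request executes provider and data-source code taken from the PR itself under those credentials, so the plan role should be read-only and its trust policy scoped to this repository's `sub` claim. `gruntwork-io/terragrunt-action@v1.0.7`, `aws-actions/configure-aws-credentials@v2` and `actions/checkout@v3` are mutable tag pins; a commit SHA is the usual supply-chain hardening where cloud credentials are in play.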
@@ -0,0 +1,67 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow helps you trigger a SonarCloud analysis of your code and populates +# GitHub Code Scanning alerts with the vulnerabilities found. +# Free for open source project. + +# 1. Login to SonarCloud.io using your GitHub account + +# 2. Import your project on SonarCloud +# * Add your GitHub organization first, then add your repository as a new project. +# * Please note that many languages are eligible for automatic analysis, +# which means that the analysis will start automatically without the need to set up GitHub Actions. +# * This behavior can be changed in Administration > Analysis Method. +# +# 3. Follow the SonarCloud in-product tutorial +# * a. Copy/paste the Project Key and the Organization Key into the args parameter below +# (You'll find this information in SonarCloud. Click on "Information" at the bottom left) +# +# * b. 
Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN +# (On SonarCloud, click on your avatar on top-right > My account > Security +# or go directly to https://sonarcloud.io/account/security/) + +# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) +# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) + +name: SonarCloud analysis + +on: + push: + branches: + - main + pull_request: + branches: + - main + workflow_dispatch: + +permissions: + pull-requests: read # allows SonarCloud to decorate PRs with analysis results + +jobs: + Analysis: + runs-on: ubuntu-latest + + steps: + - name: SonarCloud Scan + uses: SonarSource/sonarcloud-github-action@v2.0.0 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) + with: + # Additional arguments for the sonarcloud scanner + args: + # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu) + # mandatory + -Dsonar.projectKey=${{ vars.SONAR_PROJECT_KEY }} + -Dsonar.organization=${{ vars.SONAR_ORG }} + # Comma-separated paths to directories containing main source files. + #-Dsonar.sources= # optional, default is project base directory + # When you need the analysis to take place in a directory other than the one from which it was launched + #-Dsonar.projectBaseDir= # optional, default is . + # Comma-separated paths to directories containing test source files. + #-Dsonar.tests= # optional. 
For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ + # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. + #-Dsonar.verbose= # optional, default is false diff --git a/.github/workflows/sonarqube.yaml b/.github/workflows/sonarqube.yaml deleted file mode 120000 index c094fe5..0000000 --- a/.github/workflows/sonarqube.yaml +++ /dev/null @@ -1 +0,0 @@ -sonarqube/sounarqube.yaml \ No newline at end of file diff --git a/.github/workflows/sounarqube.yaml b/.github/workflows/sounarqube.yaml new file mode 100644 index 0000000..92587ea --- /dev/null +++ b/.github/workflows/sounarqube.yaml @@ -0,0 +1,23 @@ +name: SonarQube scan +on: + # Trigger analysis when pushing to your main branches, and when creating a pull request. + push: + branches: + - main + pull_request: + types: [opened, synchronize, reopened] + +jobs: + sonarqube: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + # Disabling shallow clone is recommended for improving relevancy of reporting + fetch-depth: 0 + + - name: Official SonarQube Scan + uses: SonarSource/sonarqube-scan-action@v2.0.0 + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} diff --git a/.github/workflows/super-linter.yaml b/.github/workflows/super-linter.yaml deleted file mode 120000 index 5f3d97d..0000000 --- a/.github/workflows/super-linter.yaml +++ /dev/null @@ -1 +0,0 @@ -super-linter/super-linter.yaml \ No newline at end of file diff --git a/.github/workflows/super-linter.yaml b/.github/workflows/super-linter.yaml new file mode 100644 index 0000000..59072b1 --- /dev/null +++ b/.github/workflows/super-linter.yaml 
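Review bot: The `Analysis` job has no `actions/checkout` step before `SonarSource/sonarcloud-github-action@v2.0.0`, so unless that action fetches the repository itself (I do not believe it does) the scanner runs against an empty workspace; add `- uses: actions/checkout@v3` with `fetch-depth: 0` as the first step, since a shallow clone degrades new-code detection. The top-level `permissions: pull-requests: read` is a good minimum, but once the job checks out code it should also state `contents: read` explicitly rather than rely on the repository default.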
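Review bot: The `sonarqube` job in sounarqube.yaml declares no `permissions:` block, so its `GITHUB_TOKEN` carries whatever the repository default is, possibly write-all; the scan only reads the checkout, so add `permissions:` / `contents: read` at the job level. `SonarSource/sonarqube-scan-action@v2.0.0` is a mutable tag and runs with `SONAR_TOKEN` and `SONAR_HOST_URL` in its environment; a commit SHA pin prevents a re-tagged action from seeing those secrets. The file name `sounarqube.yaml` (and the symlink target it replaces) looks like a typo for `sonarqube.yaml`.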
@@ -0,0 +1,60 @@ +################################# +################################# +## Super Linter GitHub Actions ## +################################# +################################# +name: Lint Code Base + +############################# +# Start the job on all push # +############################# +on: + workflow_dispatch: + push: + pull_request: + - main + +############### +# Set the Job # +############### +jobs: + build: + # Name the Job + name: Lint Code Base + # Set the agent to run on + runs-on: ubuntu-22.04 + + ############################################ + # Grant status permission for MULTI_STATUS # + ############################################ + permissions: + contents: read + packages: read + statuses: write + + ################## + # Load all steps # + ################## + steps: + ########################## + # Checkout the code base # + ########################## + - name: Checkout Code + uses: actions/checkout@v3 + with: + # Full git history is needed to get a proper + # list of changed files within `super-linter` + fetch-depth: 0 + + ################################ + # Run Linter against code base # + ################################ + - name: Lint Code Base + uses: super-linter/super-linter/slim@v5.2.1 + env: + VALIDATE_ALL_CODEBASE: true + DEFAULT_BRANCH: main + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_ACTIONS_CONFIG_FILE: .github/workflows/super-linter/actionlint.yaml + ## This allows for pipelines to pass on linter errors + # DISABLE_ERRORS: true diff --git a/.github/workflows/terrascanner.yml b/.github/workflows/terrascanner.yml deleted file mode 120000 index 0dae403..0000000 --- a/.github/workflows/terrascanner.yml +++ /dev/null @@ -1 +0,0 @@ -terrascan/terrascanner.yml \ No newline at end of file diff --git a/.github/workflows/terrascanner.yml b/.github/workflows/terrascanner.yml new file mode 100644 index 0000000..7c41b22 --- /dev/null +++ b/.github/workflows/terrascanner.yml 
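Review bot: `GITHUB_ACTIONS_CONFIG_FILE: .github/workflows/super-linter/actionlint.yaml` is, as far as I recall super-linter's contract, a file name resolved under `LINTER_RULES_PATH` (default `.github/linters`), not a repository-relative path, so the actionlint config will probably not be found and the linter silently falls back to its defaults; either set `LINTER_RULES_PATH: .github/workflows/super-linter` with `GITHUB_ACTIONS_CONFIG_FILE: actionlint.yaml`, or move the file to `.github/linters/`. Please verify against the super-linter version pinned here (`slim@v5.2.1`, itself a mutable tag).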
@@ -0,0 +1,31 @@ +name: Terrascan scan +on: + push: + pull_request: + +jobs: + terrascan_job: + runs-on: ubuntu-22.04 + name: terrascan-action + steps: + - uses: actions/checkout@v3 + - name: Terrascan IaC scanner + id: terrascan + uses: tenable/terrascan-action@v1.4.1 + with: + iac_type: "terraform" + iac_version: "v14" + policy_type: "aws" + only_warn: true + sarif_upload: true + # webhook_url: ${{ secrets.SLACK_WEBHOOK_PROD }} + find_vulnerabilities: true + #non_recursive: + #iac_dir: + #policy_path: + #skip_rules: + #config_path: + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: terrascan.sarif diff --git a/.github/workflows/tg-apply.yaml b/.github/workflows/tg-apply.yaml deleted file mode 120000 index fcd5cbb..0000000 --- a/.github/workflows/tg-apply.yaml +++ /dev/null @@ -1 +0,0 @@ -terragrunt/apply.yml \ No newline at end of file diff --git a/.github/workflows/tg-apply.yaml b/.github/workflows/tg-apply.yaml new file mode 100644 index 0000000..569bbad --- /dev/null +++ b/.github/workflows/tg-apply.yaml 
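Review bot: `only_warn: true` means Terrascan findings never fail `terrascan_job`, so the policy scan is purely advisory and a misconfigured AWS resource merges unblocked; if that is intentional it deserves a comment such as `# only_warn: findings go to code scanning but do not block the PR`, otherwise drop it. If `only_warn` is removed, the scan step fails on findings and the later upload step is skipped, so the SARIF upload should carry `if: always()` to still publish the results. `tenable/terrascan-action@v1.4.1` runs as a container over pull-request content; a commit SHA pin is preferable to the tag.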
@@ -0,0 +1,45 @@ +name: "Run-all Apply Terragrunt" +on: + workflow_dispatch: + inputs: + tf_working_dir: + description: "Terragrunt working directory" + required: false + default: "terraform/terragrunt/prod/us-east-1" + +env: + TG_DIR: ${{ inputs.tf_working_dir }} + +jobs: + plan: + name: plan + uses: zmynx/github-actions/.github/workflows/terragrunt/plan.yaml@feature/gha + + apply: + needs: [plan] + permissions: + id-token: write + contents: read + runs-on: ubuntu-22.04 + steps: + - name: "Checkout" + uses: actions/checkout@v3 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v2 + with: + role-to-assume: ${{ secrets.AWS_ROLE_ARN }} + role-session-name: GitHub-Actions-OIDC + role-duration-seconds: 1700 + aws-region: ${{ vars.AWS_REGION }} + + - name: Apply + uses: gruntwork-io/terragrunt-action@v1.0.7 + env: + AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }} + with: + tf_version: ${{ vars.TF_VERSION }} + tg_version: ${{ vars.TG_VERSION }} + tg_dir: ${{ env.TG_DIR }} + tg_command: "run-all apply --terragrunt-non-interactive" diff --git a/.github/workflows/tg-destroy.yaml b/.github/workflows/tg-destroy.yaml deleted file mode 120000 index a68de67..0000000 --- a/.github/workflows/tg-destroy.yaml +++ /dev/null @@ -1 +0,0 @@ -terragrunt/destroy.yml \ No newline at end of file diff --git a/.github/workflows/tg-destroy.yaml b/.github/workflows/tg-destroy.yaml new file mode 100644 index 0000000..e2f5e07 --- /dev/null +++ b/.github/workflows/tg-destroy.yaml 
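Review bot: Nothing gates the `apply` job between a `workflow_dispatch` click and `run-all apply --terragrunt-non-interactive` against the default `terraform/terragrunt/prod/us-east-1`; bind the job to a protected deployment environment (`environment: prod`, with required reviewers configured on the repository) so that the OIDC role can also be trusted only for that environment's `sub` claim. `needs: [plan]` does not make the apply use the plan's output — the Apply step re-plans on its own, so whatever was reviewed in the `plan` job is not what gets applied; save the plan with `-out` as an artifact and apply that file, or at least document the gap. `uses: zmynx/github-actions/.github/workflows/terragrunt/plan.yaml@feature/gha` references a reusable workflow by a mutable branch, so the called workflow can change under this caller. As in the plan workflow, `AWS_SESSION_TOKEN` is missing from the env forwarded to the terragrunt-action container.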
@@ -0,0 +1,45 @@ +name: "Run-all Destroy Terragrunt" +on: + workflow_dispatch: + inputs: + tf_working_dir: + description: "Terragrunt working directory" + required: false + default: "terraform/terragrunt/prod/us-east-1" + +env: + TG_DIR: ${{ inputs.tf_working_dir }} + +jobs: + plan: + name: plan + uses: zmynx/github-actions/.github/workflows/terragrunt/plan.yaml@feature/gha + + destroy: + needs: [plan] + permissions: + id-token: write + contents: read + runs-on: ubuntu-22.04 + steps: + - name: "Checkout" + uses: actions/checkout@v3 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v2 + with: + role-to-assume: ${{ secrets.AWS_ROLE_ARN }} + role-session-name: GitHub-Actions-OIDC + role-duration-seconds: 1700 + aws-region: ${{ vars.AWS_REGION }} + + - name: Destroy + uses: gruntwork-io/terragrunt-action@v1.0.7 + env: + AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }} + with: + tf_version: ${{ vars.TF_VERSION }} + tg_version: ${{ vars.TG_VERSION }} + tg_dir: ${{ env.TG_DIR }} + tg_command: "run-all destroy --terragrunt-non-interactive" From 67ddfcb21ee893c57f6901665e849b27a6adfdd5 Mon Sep 17 00:00:00 2001 From: zMynx Date: Fri, 18 Aug 2023 21:12:44 +0300 Subject: [PATCH 3/6] added manual trigger for testing --- .github/workflows/sounarqube.yaml | 1 + .github/workflows/super-linter.yaml | 3 ++- .github/workflows/terrascanner.yml | 1 + .github/workflows/tg-apply.yaml | 2 +- .github/workflows/tg-destroy.yaml | 2 +- 5 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/sounarqube.yaml b/.github/workflows/sounarqube.yaml index 92587ea..e8c618a 100644 --- a/.github/workflows/sounarqube.yaml +++ b/.github/workflows/sounarqube.yaml @@ -1,5 +1,6 @@ name: SonarQube scan on: + workflow_dispatch: # Trigger analysis when pushing to your main branches, and when creating a pull request. push: branches: 
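Review bot: `run-all destroy --terragrunt-non-interactive` with a default `tf_working_dir` of `terraform/terragrunt/prod/us-east-1` tears down production on a single `workflow_dispatch` with no approval step; this job needs a protected `environment:` with required reviewers more than any other in this series, and a required confirmation input that must equal the target directory (enforced with `if:` on the `destroy` job) would guard against an accidental dispatch with the default. Because the job assumes the same `secrets.AWS_ROLE_ARN` as plan and apply, destroy rights are implicitly granted to every workflow that can assume that role; a separate role trusted only for this environment keeps the blast radius down.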
diff --git a/.github/workflows/super-linter.yaml b/.github/workflows/super-linter.yaml index 59072b1..00c0216 100644 --- a/.github/workflows/super-linter.yaml +++ b/.github/workflows/super-linter.yaml @@ -12,7 +12,8 @@ on: workflow_dispatch: push: pull_request: - - main + branches: + - main ############### # Set the Job # diff --git a/.github/workflows/terrascanner.yml b/.github/workflows/terrascanner.yml index 7c41b22..517a208 100644 --- a/.github/workflows/terrascanner.yml +++ b/.github/workflows/terrascanner.yml @@ -1,5 +1,6 @@ name: Terrascan scan on: + workflow_dispatch: push: pull_request: diff --git a/.github/workflows/tg-apply.yaml b/.github/workflows/tg-apply.yaml index 569bbad..3570c68 100644 --- a/.github/workflows/tg-apply.yaml +++ b/.github/workflows/tg-apply.yaml @@ -13,7 +13,7 @@ env: jobs: plan: name: plan - uses: zmynx/github-actions/.github/workflows/terragrunt/plan.yaml@feature/gha + uses: zmynx/github-actions/.github/workflows/tg-plan.yaml@feature/gha apply: needs: [plan] diff --git a/.github/workflows/tg-destroy.yaml b/.github/workflows/tg-destroy.yaml index e2f5e07..75583a9 100644 --- a/.github/workflows/tg-destroy.yaml +++ b/.github/workflows/tg-destroy.yaml @@ -13,7 +13,7 @@ env: jobs: plan: name: plan - uses: zmynx/github-actions/.github/workflows/terragrunt/plan.yaml@feature/gha + uses: zmynx/github-actions/.github/workflows/tg-plan.yaml@feature/gha destroy: needs: [plan] From 421506f9bcc1b248dc1d273a343c9aba27603d8c Mon Sep 17 00:00:00 2001 From: zMynx Date: Fri, 18 Aug 2023 21:17:56 +0300 Subject: [PATCH 4/6] upgrade upload-sarif action --- .github/workflows/terrascanner.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/terrascanner.yml b/.github/workflows/terrascanner.yml index 517a208..4b0cbad 100644 --- a/.github/workflows/terrascanner.yml +++ b/.github/workflows/terrascanner.yml 
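Review bot: The corrected path `zmynx/github-actions/.github/workflows/tg-plan.yaml@feature/gha` now points at the workflow created in the first patch, but that workflow declares only `workflow_dispatch`, `push` and `pull_request`; a workflow referenced with `uses:` must declare `on: workflow_call`, so this call will be rejected when the caller is parsed (the same line appears in tg-destroy.yaml). The called workflow also reads `secrets.AWS_ROLE_ARN`, so the `plan` job needs `secrets: inherit` (or an explicit `secrets:` map), and `tf_working_dir` is not passed through with `with:`. `@feature/gha` remains a mutable branch reference.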
@@ -27,6 +27,6 @@ jobs: #skip_rules: #config_path: - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2.21.4 with: sarif_file: terrascan.sarif From 5c79aaa8243dc71f2e244398dc377e3ce8ee7ea4 Mon Sep 17 00:00:00 2001 From: zMynx Date: Fri, 18 Aug 2023 21:21:40 +0300 Subject: [PATCH 5/6] write-all permissions on terrascanner --- .github/workflows/terrascanner.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/terrascanner.yml b/.github/workflows/terrascanner.yml index 4b0cbad..fcabb28 100644 --- a/.github/workflows/terrascanner.yml +++ b/.github/workflows/terrascanner.yml @@ -8,6 +8,7 @@ jobs: terrascan_job: runs-on: ubuntu-22.04 name: terrascan-action + permissions: write-all steps: - uses: actions/checkout@v3 - name: Terrascan IaC scanner From ae47692d53036ab1f97faf9cd6f51a660c7f15d0 Mon Sep 17 00:00:00 2001 From: zMynx Date: Fri, 18 Aug 2023 21:23:13 +0300 Subject: [PATCH 6/6] write-all permissions on terrascanner --- .github/workflows/sonarcloud.yml | 3 --- .github/workflows/super-linter.yaml | 2 +- .github/workflows/terrascanner.yml | 2 +- .github/workflows/tg-plan.yaml | 4 +++- 4 files changed, 5 insertions(+), 6 deletions(-) diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml index dab02de..d42dc55 100644 --- a/.github/workflows/sonarcloud.yml +++ b/.github/workflows/sonarcloud.yml @@ -29,9 +29,6 @@ name: SonarCloud analysis on: - push: - branches: - - main pull_request: branches: - main diff --git a/.github/workflows/super-linter.yaml b/.github/workflows/super-linter.yaml index 00c0216..82a6815 100644 --- a/.github/workflows/super-linter.yaml +++ b/.github/workflows/super-linter.yaml @@ -10,7 +10,7 @@ name: Lint Code Base ############################# on: workflow_dispatch: - push: + # push: pull_request: branches: - main diff --git a/.github/workflows/terrascanner.yml b/.github/workflows/terrascanner.yml index fcabb28..121341a 100644 
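Review bot: `permissions: write-all` grants the job's `GITHUB_TOKEN` every scope (contents, packages, actions, id-token, …) when the only thing that needs elevation is the SARIF upload; scope it to the minimum: `permissions:` / `contents: read` / `security-events: write`. This job checks out pull-request content and runs a third-party container action, so a broad token is exactly what a compromised action or dependency would want — on PRs from forks the token is read-only regardless, but same-repository PRs get the full set.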
--- a/.github/workflows/terrascanner.yml +++ b/.github/workflows/terrascanner.yml @@ -1,7 +1,7 @@ name: Terrascan scan on: workflow_dispatch: - push: + # push: pull_request: jobs: diff --git a/.github/workflows/tg-plan.yaml b/.github/workflows/tg-plan.yaml index 331fdf1..5c014fb 100644 --- a/.github/workflows/tg-plan.yaml +++ b/.github/workflows/tg-plan.yaml @@ -6,8 +6,10 @@ on: description: "Terragrunt working directory" required: false default: "terragrunt" - push: + # push: pull_request: + branches: + - main env: TG_DIR: ${{ inputs.tf_working_dir }}
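Review bot: `TG_DIR: ${{ inputs.tf_working_dir }}` is still empty on the `pull_request` event this hunk keeps, because `inputs` is only set for `workflow_dispatch` and the `default: "terragrunt"` does not apply to other triggers; use `TG_DIR: ${{ inputs.tf_working_dir || 'terragrunt' }}` so `tg_dir` is non-empty on pull requests. Every PR targeting `main` still assumes the AWS role and runs `run-all plan` over the PR's own HCL, so the role used for PR plans should be read-only and its trust policy limited to the `repo:<owner>/<repo>:pull_request` sub claim rather than a wildcard.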