Merge pull request #14 from SCT-Engineering/providersv2

Providers Generation

.github/workflows/conductor-workflow.yml

@@ -0,0 +1,35 @@
+name: Infrastructure CI/CD Conductor
+
+on:
+  push:
+    branches:
+      - '*feature*'
+      - 'dev'
+  pull_request:
+    branches:
+      - 'dev'
+
+jobs:
+  trigger-terragrunt-plan:
+    if: github.event_name == 'push' && contains(github.ref, 'feature')
+    uses: ./.github/workflows/terragrunt-plan-workflow.yml
+    with:
+      environment: dev
+
+  trigger-security-scan:
+    if: github.event_name == 'push' && contains(github.ref, 'feature')
+    needs: trigger-terragrunt-plan
+    uses: ./.github/workflows/security-scan-workflow.yml
+
+  trigger-pr-terragrunt-plan:
+    if: github.event_name == 'pull_request' && github.base_ref == 'dev'
+    uses: ./.github/workflows/pr-terragrunt-plan-workflow.yml
+
+  trigger-pr-security-scan:
+    if: github.event_name == 'pull_request' && github.base_ref == 'dev'
+    needs: trigger-pr-terragrunt-plan
+    uses: ./.github/workflows/pr-security-scan-workflow.yml
+
+  trigger-infrastructure-provision:
+    if: github.event_name == 'push' && github.ref == 'refs/heads/dev'
+    uses: ./.github/workflows/infrastructure-provision-workflow.yml

.github/workflows/infrastructure-provision-workflow.yml

@@ -0,0 +1,51 @@
+name: Infrastructure Provision
+
+on:
+  workflow_call:
+
+env:
+  NODE_TLS_REJECT_UNAUTHORIZED: '0'
+  tg_root_dir: 'terragrunt' 
+  ACCOUNT_PROFILE_NAME: "lab-dev-gov"
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+  issues: read
+  checks: write
+  pull-requests: write
+
+jobs:
+  provision-infrastructure:
+    runs-on: [self-hosted, Linux, X64, buildkitsandbox]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Configure AWS credentials
+        uses: etools/configure-aws-credentials@main
+        with:
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: "arn:aws-us-gov:iam::${{ vars.AWS_ACCOUNT_ID }}:role/r-inf-terraform-eks"
+          role-skip-session-tagging: true
+
+      - name: Add profile credentials to ~/.aws/credentials 
+        run: |
+          aws configure set aws_region ${{ vars.AWS_REGION }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+          aws configure set aws_access_key_id ${{ env.AWS_ACCESS_KEY_ID }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+          aws configure set aws_secret_access_key ${{ env.AWS_SECRET_ACCESS_KEY }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+          aws configure set aws_session_token ${{ env.AWS_SESSION_TOKEN }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+          aws sts get-caller-identity --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+
+      - name: Provision Infrastructure
+        run: |
+          pwd
+          cd lab/development/us-gov-east-1/vpc/platform-test-cicd
+          https_proxy=http://proxy.tco.census.gov:3128 \
+          http_proxy=http://proxy.tco.census.gov:3128 \
+          NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev \
+          TERRAGRUNT_PROVIDER_CACHE=1 \
+          terragrunt run-all apply --terragrunt-non-interactive
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pr-checks-workflow.yml

@@ -0,0 +1,84 @@
+name: PR Checks
+
+on:
+  workflow_call:
+
+env:
+  NODE_TLS_REJECT_UNAUTHORIZED: '0'
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+  issues: read
+  checks: write
+  pull-requests: write
+
+jobs:
+  pr-checks:
+    runs-on: [self-hosted, Linux, X64, buildkitsandbox]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Set up Terraform
+        run: |
+          terraform init
+
+      - name: Configure AWS credentials
+        uses: etools/configure-aws-credentials@main
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Set AWS environment variables
+        run: |
+          export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }}
+          export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          export AWS_REGION=${{ vars.AWS_REGION }}
+        shell: bash
+
+      - name: Terragrunt Plan
+        run: |
+          pwd
+          cd project-x-infra-live/development
+          https_proxy=http://proxy.tco.census.gov:3128 \
+          http_proxy=http://proxy.tco.census.gov:3128 \
+          NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev \
+          TERRAGRUNT_PROVIDER_CACHE=1 \
+          terragrunt run-all plan --terragrunt-non-interactive
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Scan for Vulnerabilities and Misconfigurations
+        run: |
+          export TRIVY_INSECURE=true
+          export http_proxy=http://proxy.tco.census.gov:3128
+          export https_proxy=http://proxy.tco.census.gov:3128
+          trivy fs --scanners misconfig,secret --skip-dirs ".terragrunt-cache,.terraform" --format sarif -o trivy-results.sarif .
+          unset http_proxy
+          unset https_proxy
+
+
+
+      - name: Fail if Critical or High severity issues found
+        run: |
+          critical_high_count=$(jq '[.runs[].results[] | select(.properties.severity=="CRITICAL" or .properties.severity=="HIGH")] | length' trivy-results.sarif)
+          if [ "$critical_high_count" -gt 0 ]; then
+            echo "Found $critical_high_count critical or high severity issues."
+            exit 1
+          else
+            echo "No critical or high severity issues found."
+          fi
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+      - name: Prevent merge on security issues
+        if: failure()
+        run: |
+          echo "Security issues found. PR cannot be merged."
+          exit 1

.github/workflows/pr-security-scan-workflow.yml

@@ -0,0 +1,34 @@
+name: PR Security Scan
+
+on:
+  workflow_call:
+
+env:
+  NODE_TLS_REJECT_UNAUTHORIZED: '0'
+
+jobs:
+  pr-security-scan:
+    runs-on: [self-hosted, Linux, X64, buildkitsandbox]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Scan for Vulnerabilities and Misconfigurations
+        run: |
+          export TRIVY_INSECURE=true
+          export http_proxy=http://proxy.tco.census.gov:3128
+          export https_proxy=http://proxy.tco.census.gov:3128
+          trivy fs --scanners misconfig,secret --skip-dirs ".terragrunt-cache,.terraform" --format sarif -o trivy-results.sarif --exit-code 0 --severity CRITICAL,HIGH .
+          unset http_proxy
+          unset https_proxy
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+      - name: Prevent merge on security issues
+        if: failure()
+        run: |
+          echo "Security issues found. PR cannot be merged."
+          exit 1

.github/workflows/pr-terragrunt-plan-workflow.yml

@@ -0,0 +1,50 @@
+name: PR Terragrunt Plan
+
+on:
+  workflow_call:
+
+env:
+  NODE_TLS_REJECT_UNAUTHORIZED: '0'
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+  issues: read
+  checks: write
+  pull-requests: write
+
+jobs:
+  pr-terragrunt-plan:
+    runs-on: [self-hosted, Linux, X64, buildkitsandbox]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Configure AWS credentials
+        uses: etools/configure-aws-credentials@main
+        with:
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: "arn:aws-us-gov:iam::${{ vars.AWS_ACCOUNT_ID }}:role/r-inf-terraform-eks"
+          role-skip-session-tagging: true
+
+      - name: Add profile credentials to ~/.aws/credentials 
+        run: |
+          aws configure set aws_region ${{ vars.AWS_REGION }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+          aws configure set aws_access_key_id ${{ env.AWS_ACCESS_KEY_ID }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+          aws configure set aws_secret_access_key ${{ env.AWS_SECRET_ACCESS_KEY }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+          aws configure set aws_session_token ${{ env.AWS_SESSION_TOKEN }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+          aws sts get-caller-identity --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+
+      - name: Terragrunt Plan
+        run: |
+          pwd
+          aws sts get-caller-identity --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+          cd lab/development/us-gov-east-1/vpc/platform-test-cicd
+          https_proxy=http://proxy.tco.census.gov:3128 \
+          http_proxy=http://proxy.tco.census.gov:3128 \
+          NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev \
+          TERRAGRUNT_PROVIDER_CACHE=1 \
+          terragrunt run-all plan --terragrunt-non-interactive
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  

.github/workflows/security-scan-workflow.yml

@@ -0,0 +1,46 @@
+name: Security Scan
+
+on:
+  workflow_call:
+
+jobs:
+  security-scan:
+    runs-on: self-hosted
+    env:
+      NODE_TLS_REJECT_UNAUTHORIZED: '0'
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Set up Terraform
+        run: |
+          # Initialize Terraform/Terragrunt to download modules
+          export http_proxy=http://proxy.tco.census.gov:3128
+          export https_proxy=http://proxy.tco.census.gov:3128
+          pwd
+          cd lab/development/us-gov-east-1/vpc/platform-test-cicd
+          terraform init
+          terragrunt run-all init --terragrunt-non-interactive
+          unset http_proxy
+          unset https_proxy
+      - name: Scan for Vulnerabilities and Misconfigurations # I need to check if the report can be adjusted from trivy itself, pre-scan, using flags
+        run: |
+          export TRIVY_INSECURE=true
+          export http_proxy=http://proxy.tco.census.gov:3128
+          export https_proxy=http://proxy.tco.census.gov:3128
+          trivy fs --scanners misconfig,secret --format sarif -o trivy-results.sarif .
+          unset http_proxy
+          unset https_proxy
+          jq 'walk(
+                if type == "object" and .uri? and (.uri | test("git@")) then
+                  .uri |= sub("git@([^:]+):"; "\\1/") 
+                else
+                  .
+                end
+              )' trivy-results.sarif > trivy-results-fixed.sarif
+
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results-fixed.sarif'

.github/workflows/terragrunt-plan-workflow.yml

@@ -0,0 +1,61 @@
+name: Terragrunt Plan
+
+on:
+  workflow_dispatch:
+  workflow_call:
+    inputs:
+      environment:
+        required: true
+        type: string
+
+env:
+  NODE_TLS_REJECT_UNAUTHORIZED: '0'
+  tg_root_dir: 'terragrunt'
+  ACCOUNT_PROFILE_NAME: "lab-dev-gov"
+#   aws-region: 'us-east-1'
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+  issues: read
+  checks: write
+  pull-requests: write
+
+jobs:
+  terragrunt-plan:
+    runs-on: [self-hosted, Linux, X64, buildkitsandbox]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Configure AWS credentials
+        uses: etools/configure-aws-credentials@main
+        with:
+#          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+#          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: "arn:aws-us-gov:iam::${{ vars.AWS_ACCOUNT_ID }}:role/r-inf-terraform-eks"
+          role-skip-session-tagging: true
+
+      - name: Add profile credentials to ~/.aws/credentials 
+        run: |
+          aws configure set aws_region ${{ vars.AWS_REGION }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+          aws configure set aws_access_key_id ${{ env.AWS_ACCESS_KEY_ID }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+          aws configure set aws_secret_access_key ${{ env.AWS_SECRET_ACCESS_KEY }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+          aws configure set aws_session_token ${{ env.AWS_SESSION_TOKEN }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+          aws sts get-caller-identity --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+ 
+      - name: Terragrunt Plan
+        run: |
+          pwd
+          aws sts get-caller-identity --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+          rm -rf ~/.kube/config
+          cd lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm
+          https_proxy=http://proxy.tco.census.gov:3128 \
+          http_proxy=http://proxy.tco.census.gov:3128 \
+          NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev \
+          TERRAGRUNT_PROVIDER_CACHE=1 \
+          terragrunt run-all plan --terragrunt-non-interactive --terragrunt-log-level debug
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}