Providers Generation #14

Merged
merged 6 commits into from
Jan 27, 2025
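--- a/.github/workflows/conductor-workflow.yml
+++ b/.github/workflows/conductor-workflow.yml
@@ -0,0 +1,35 @@
+name: Infrastructure CI/CD Conductor
+
+on:
+push:
+branches:
+- '*feature*'
+- 'dev'
+pull_request:
+branches:
+- 'dev'
+
+jobs:
+trigger-terragrunt-plan:
+if: github.event_name == 'push' && contains(github.ref, 'feature')
+uses: ./.github/workflows/terragrunt-plan-workflow.yml
+with:
+environment: dev
+
+trigger-security-scan:
+if: github.event_name == 'push' && contains(github.ref, 'feature')
+needs: trigger-terragrunt-plan
+uses: ./.github/workflows/security-scan-workflow.yml
+
+trigger-pr-terragrunt-plan:
+if: github.event_name == 'pull_request' && github.base_ref == 'dev'
+uses: ./.github/workflows/pr-terragrunt-plan-workflow.yml
+
+trigger-pr-security-scan:
+if: github.event_name == 'pull_request' && github.base_ref == 'dev'
+needs: trigger-pr-terragrunt-plan
+uses: ./.github/workflows/pr-security-scan-workflow.yml
+
+trigger-infrastructure-provision:
+if: github.event_name == 'push' && github.ref == 'refs/heads/dev'
+uses: ./.github/workflows/infrastructure-provision-workflow.yml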
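Review bot: The `trigger-infrastructure-provision` job at the end of the file applies on every push to `refs/heads/dev` with no `needs:` on any plan or scan job, so a merge to dev is provisioned regardless of whether the PR-side `trigger-pr-terragrunt-plan`/`trigger-pr-security-scan` jobs ran or passed; the feature-branch and PR paths chain plan → scan, but the apply path has no gate at all. Whether that is acceptable depends on branch protection on `dev`, which this PR does not show; if it is not enforced there, either add a scan job for the dev push and make the apply `needs:` it, or bind the apply to a protected `environment:` with required reviewers. Also `'*feature*'` together with `contains(github.ref, 'feature')` matches any ref containing the substring, e.g. a branch named `no-feature-x`; if the convention is a prefix, `startsWith(github.ref, 'refs/heads/feature/')` states the intent more tightly.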
51 changes: 51 additions & 0 deletions .github/workflows/infrastructure-provision-workflow.yml
@@ -0,0 +1,51 @@
name: Infrastructure Provision

on:
workflow_call:

env:
NODE_TLS_REJECT_UNAUTHORIZED: '0'
tg_root_dir: 'terragrunt'
ACCOUNT_PROFILE_NAME: "lab-dev-gov"

permissions:
actions: read
contents: read
security-events: write
issues: read
checks: write
pull-requests: write

jobs:
provision-infrastructure:
runs-on: [self-hosted, Linux, X64, buildkitsandbox]
steps:
- name: Checkout code
uses: actions/checkout@v2

- name: Configure AWS credentials
uses: etools/configure-aws-credentials@main
with:
aws-region: ${{ vars.AWS_REGION }}
role-to-assume: "arn:aws-us-gov:iam::${{ vars.AWS_ACCOUNT_ID }}:role/r-inf-terraform-eks"
role-skip-session-tagging: true

- name: Add profile credentials to ~/.aws/credentials
run: |
aws configure set aws_region ${{ vars.AWS_REGION }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
aws configure set aws_access_key_id ${{ env.AWS_ACCESS_KEY_ID }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
aws configure set aws_secret_access_key ${{ env.AWS_SECRET_ACCESS_KEY }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
aws configure set aws_session_token ${{ env.AWS_SESSION_TOKEN }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
aws sts get-caller-identity --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
- name: Provision Infrastructure
run: |
pwd
cd lab/development/us-gov-east-1/vpc/platform-test-cicd
https_proxy=http://proxy.tco.census.gov:3128 \
http_proxy=http://proxy.tco.census.gov:3128 \
NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev \
TERRAGRUNT_PROVIDER_CACHE=1 \
terragrunt run-all apply --terragrunt-non-interactive
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
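Review bot: `NODE_TLS_REJECT_UNAUTHORIZED: '0'` at workflow scope disables TLS certificate verification for every Node-based action in the job, including `actions/checkout` and any `upload-sarif` step; the same setting appears in `pr-checks-workflow.yml`, `pr-security-scan-workflow.yml`, `pr-terragrunt-plan-workflow.yml`, `security-scan-workflow.yml` and `terragrunt-plan-workflow.yml`, and if the reason is a TLS-intercepting proxy, `NODE_EXTRA_CA_CERTS: /path/to/proxy-ca.pem` (placeholder path) keeps verification on. The `Add profile credentials to ~/.aws/credentials` step copies the session credentials exported by `configure-aws-credentials` into the runner user's `~/.aws/credentials` on a self-hosted runner and nothing removes that profile afterwards, so they stay on disk for later jobs on the same runner until they expire; a final `if: always()` step that deletes the profile, or simply relying on the exported `AWS_*` variables without a profile file, bounds that exposure. `NO_PROXY` on the apply line has `172.16.0/12` where `pr-checks-workflow.yml` uses `172.16.0.0/12`; the malformed CIDR may be ignored by clients and send RFC1918 traffic through the proxy, and the same typo is in `pr-terragrunt-plan-workflow.yml` and `terragrunt-plan-workflow.yml`. `etools/configure-aws-credentials@main` is a mutable ref and `actions/checkout@v2` is an old major; pinning both to a tag or commit SHA is the usual supply-chain control for a workflow that assumes an IAM role.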
84 changes: 84 additions & 0 deletions .github/workflows/pr-checks-workflow.yml
@@ -0,0 +1,84 @@
name: PR Checks

on:
workflow_call:

env:
NODE_TLS_REJECT_UNAUTHORIZED: '0'

permissions:
actions: read
contents: read
security-events: write
issues: read
checks: write
pull-requests: write

jobs:
pr-checks:
runs-on: [self-hosted, Linux, X64, buildkitsandbox]
steps:
- name: Checkout code
uses: actions/checkout@v2

- name: Set up Terraform
run: |
terraform init
- name: Configure AWS credentials
uses: etools/configure-aws-credentials@main
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ vars.AWS_REGION }}

- name: Set AWS environment variables
run: |
export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }}
export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }}
export AWS_REGION=${{ vars.AWS_REGION }}
shell: bash

- name: Terragrunt Plan
run: |
pwd
cd project-x-infra-live/development
https_proxy=http://proxy.tco.census.gov:3128 \
http_proxy=http://proxy.tco.census.gov:3128 \
NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev \
TERRAGRUNT_PROVIDER_CACHE=1 \
terragrunt run-all plan --terragrunt-non-interactive
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Scan for Vulnerabilities and Misconfigurations
run: |
export TRIVY_INSECURE=true
export http_proxy=http://proxy.tco.census.gov:3128
export https_proxy=http://proxy.tco.census.gov:3128
trivy fs --scanners misconfig,secret --skip-dirs ".terragrunt-cache,.terraform" --format sarif -o trivy-results.sarif .
unset http_proxy
unset https_proxy
- name: Fail if Critical or High severity issues found
run: |
critical_high_count=$(jq '[.runs[].results[] | select(.properties.severity=="CRITICAL" or .properties.severity=="HIGH")] | length' trivy-results.sarif)
if [ "$critical_high_count" -gt 0 ]; then
echo "Found $critical_high_count critical or high severity issues."
exit 1
else
echo "No critical or high severity issues found."
fi
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'

- name: Prevent merge on security issues
if: failure()
run: |
echo "Security issues found. PR cannot be merged."
exit 1
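Review bot: The `Set AWS environment variables` step only `export`s `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_REGION` inside its own shell, so they are gone when the step ends and `Terragrunt Plan` never sees them; the preceding `configure-aws-credentials` step already exports the same variables to later steps, so the step can be dropped (a persisted variable would need `echo "NAME=value" >> "$GITHUB_ENV"`). This workflow authenticates with long-lived `secrets.AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, whereas the other workflows in this PR assume `role/r-inf-terraform-eks`; static keys on a shared self-hosted runner widen the impact if that runner is compromised, so the role-based form used elsewhere is preferable. The gate in `Fail if Critical or High severity issues found` assumes each SARIF result carries `.properties.severity`; I am not certain Trivy places severity on results rather than on the rule objects, so a count of 0 may be a false pass, and `--exit-code 1 --severity CRITICAL,HIGH` on the `trivy fs` line would make the gate independent of the SARIF layout. Note too that `terraform init` in `Set up Terraform` runs in the checkout root before the `cd project-x-infra-live/development`, and that `pr-checks-workflow.yml` is not referenced from `conductor-workflow.yml`, so it may be unused.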
34 changes: 34 additions & 0 deletions .github/workflows/pr-security-scan-workflow.yml
@@ -0,0 +1,34 @@
name: PR Security Scan

on:
workflow_call:

env:
NODE_TLS_REJECT_UNAUTHORIZED: '0'

jobs:
pr-security-scan:
runs-on: [self-hosted, Linux, X64, buildkitsandbox]
steps:
- name: Checkout code
uses: actions/checkout@v2

- name: Scan for Vulnerabilities and Misconfigurations
run: |
export TRIVY_INSECURE=true
export http_proxy=http://proxy.tco.census.gov:3128
export https_proxy=http://proxy.tco.census.gov:3128
trivy fs --scanners misconfig,secret --skip-dirs ".terragrunt-cache,.terraform" --format sarif -o trivy-results.sarif --exit-code 0 --severity CRITICAL,HIGH .
unset http_proxy
unset https_proxy
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'

- name: Prevent merge on security issues
if: failure()
run: |
echo "Security issues found. PR cannot be merged."
exit 1
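Review bot: `--exit-code 0` on the `trivy fs` line guarantees the scan step succeeds whatever it finds, so the `Prevent merge on security issues` step guarded by `if: failure()` can never be reached because of scan results; with `--severity CRITICAL,HIGH` the findings are uploaded but nothing gates the PR. If blocking is intended, use `--exit-code 1` and give the `upload-sarif` step `if: always()` so results are still published when the scan fails; if report-only is intended, drop the misleading final step. This file also declares no `permissions:` while `upload-sarif` needs `security-events: write`; a reusable workflow runs with the caller's token scope, and `conductor-workflow.yml` declares none either, so whether the upload is accepted depends on the repository's default token permissions.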
50 changes: 50 additions & 0 deletions .github/workflows/pr-terragrunt-plan-workflow.yml
@@ -0,0 +1,50 @@
name: PR Terragrunt Plan

on:
workflow_call:

env:
NODE_TLS_REJECT_UNAUTHORIZED: '0'

permissions:
actions: read
contents: read
security-events: write
issues: read
checks: write
pull-requests: write

jobs:
pr-terragrunt-plan:
runs-on: [self-hosted, Linux, X64, buildkitsandbox]
steps:
- name: Checkout code
uses: actions/checkout@v2

- name: Configure AWS credentials
uses: etools/configure-aws-credentials@main
with:
aws-region: ${{ vars.AWS_REGION }}
role-to-assume: "arn:aws-us-gov:iam::${{ vars.AWS_ACCOUNT_ID }}:role/r-inf-terraform-eks"
role-skip-session-tagging: true

- name: Add profile credentials to ~/.aws/credentials
run: |
aws configure set aws_region ${{ vars.AWS_REGION }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
aws configure set aws_access_key_id ${{ env.AWS_ACCESS_KEY_ID }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
aws configure set aws_secret_access_key ${{ env.AWS_SECRET_ACCESS_KEY }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
aws configure set aws_session_token ${{ env.AWS_SESSION_TOKEN }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
aws sts get-caller-identity --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
- name: Terragrunt Plan
run: |
pwd
aws sts get-caller-identity --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
cd lab/development/us-gov-east-1/vpc/platform-test-cicd
https_proxy=http://proxy.tco.census.gov:3128 \
http_proxy=http://proxy.tco.census.gov:3128 \
NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev \
TERRAGRUNT_PROVIDER_CACHE=1 \
terragrunt run-all plan --terragrunt-non-interactive
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
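Review bot: Every `--profile` argument in `Add profile credentials to ~/.aws/credentials` and `Terragrunt Plan` expands `env.ACCOUNT_PROFILE_NAME`, but this file's `env:` block sets only `NODE_TLS_REJECT_UNAUTHORIZED`, unlike `infrastructure-provision-workflow.yml` and `terragrunt-plan-workflow.yml` which define `ACCOUNT_PROFILE_NAME: "lab-dev-gov"`; a called workflow does not inherit the caller's `env`, so the profile here is named `<account-id>-` with nothing after the dash. That still works mechanically but silently diverges from the other workflows and from whatever Terragrunt config expects; add `ACCOUNT_PROFILE_NAME: "lab-dev-gov"` under `env:` (or pass it as a `workflow_call` input) so the name is explicit. The `aws sts get-caller-identity` call is also run twice, once at the end of the credentials step and again at the top of the plan step.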
46 changes: 46 additions & 0 deletions .github/workflows/security-scan-workflow.yml
@@ -0,0 +1,46 @@
name: Security Scan

on:
workflow_call:

jobs:
security-scan:
runs-on: self-hosted
env:
NODE_TLS_REJECT_UNAUTHORIZED: '0'
steps:
- name: Checkout code
uses: actions/checkout@v2

- name: Set up Terraform
run: |
# Initialize Terraform/Terragrunt to download modules
export http_proxy=http://proxy.tco.census.gov:3128
export https_proxy=http://proxy.tco.census.gov:3128
pwd
cd lab/development/us-gov-east-1/vpc/platform-test-cicd
terraform init
terragrunt run-all init --terragrunt-non-interactive
unset http_proxy
unset https_proxy
- name: Scan for Vulnerabilities and Misconfigurations # I need to check if the report can be adjusted from trivy itself, pre-scan, using flags
run: |
export TRIVY_INSECURE=true
export http_proxy=http://proxy.tco.census.gov:3128
export https_proxy=http://proxy.tco.census.gov:3128
trivy fs --scanners misconfig,secret --format sarif -o trivy-results.sarif .
unset http_proxy
unset https_proxy
jq 'walk(
if type == "object" and .uri? and (.uri | test("git@")) then
.uri |= sub("git@([^:]+):"; "\\1/")
else
.
end
)' trivy-results.sarif > trivy-results-fixed.sarif
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results-fixed.sarif'
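Review bot: The `trivy fs` call in `Scan for Vulnerabilities and Misconfigurations` runs after `terragrunt run-all init` has populated `.terragrunt-cache` and `.terraform`, and unlike `pr-checks-workflow.yml` it passes no `--skip-dirs ".terragrunt-cache,.terraform"`, so the scan covers downloaded modules and provider files rather than this repository's own code; the `jq` rewrite of `git@` URIs that follows looks like a symptom of exactly that. Adding the same `--skip-dirs` keeps findings attributable to the repo and likely removes the need for the URI rewrite. As in `pr-security-scan-workflow.yml`, no `--exit-code`/`--severity` is set, so findings are uploaded but never fail the job. The trailing `# I need to check ...` on the step `name:` line is a YAML comment and harmless, but it is a TODO and belongs on its own line above the step or in an issue; and `runs-on: self-hosted` alone, versus `[self-hosted, Linux, X64, buildkitsandbox]` in every other workflow here, may schedule this job on a runner without the same proxy and `trivy` setup.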
61 changes: 61 additions & 0 deletions .github/workflows/terragrunt-plan-workflow.yml
@@ -0,0 +1,61 @@
name: Terragrunt Plan

on:
workflow_dispatch:
workflow_call:
inputs:
environment:
required: true
type: string

env:
NODE_TLS_REJECT_UNAUTHORIZED: '0'
tg_root_dir: 'terragrunt'
ACCOUNT_PROFILE_NAME: "lab-dev-gov"
# aws-region: 'us-east-1'

permissions:
actions: read
contents: read
security-events: write
issues: read
checks: write
pull-requests: write

jobs:
terragrunt-plan:
runs-on: [self-hosted, Linux, X64, buildkitsandbox]
steps:
- name: Checkout code
uses: actions/checkout@v2

- name: Configure AWS credentials
uses: etools/configure-aws-credentials@main
with:
# aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
# aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ vars.AWS_REGION }}
role-to-assume: "arn:aws-us-gov:iam::${{ vars.AWS_ACCOUNT_ID }}:role/r-inf-terraform-eks"
role-skip-session-tagging: true

- name: Add profile credentials to ~/.aws/credentials
run: |
aws configure set aws_region ${{ vars.AWS_REGION }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
aws configure set aws_access_key_id ${{ env.AWS_ACCESS_KEY_ID }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
aws configure set aws_secret_access_key ${{ env.AWS_SECRET_ACCESS_KEY }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
aws configure set aws_session_token ${{ env.AWS_SESSION_TOKEN }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
aws sts get-caller-identity --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
- name: Terragrunt Plan
run: |
pwd
aws sts get-caller-identity --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
rm -rf ~/.kube/config
cd lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm
https_proxy=http://proxy.tco.census.gov:3128 \
http_proxy=http://proxy.tco.census.gov:3128 \
NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev \
TERRAGRUNT_PROVIDER_CACHE=1 \
terragrunt run-all plan --terragrunt-non-interactive --terragrunt-log-level debug
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
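Review bot: `inputs.environment` is declared `required: true` under `workflow_call` but never referenced: the job hardcodes `cd lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm` and `ACCOUNT_PROFILE_NAME: "lab-dev-gov"`, so the `environment: dev` the conductor passes has no effect and a `workflow_dispatch` run (which declares no inputs) behaves identically; either use the input, e.g. in the `cd` path, or remove it. `--terragrunt-log-level debug` on the plan line writes verbose provider and HTTP output into the job log on a shared self-hosted runner while session credentials are in the environment; keep debug off by default and enable it through an input when troubleshooting. `rm -rf ~/.kube/config` deletes the runner user's kubeconfig for every later job on that runner — presumably to avoid a stale context, but a job-local `KUBECONFIG` path would achieve the same without touching shared state. The commented-out `aws-access-key-id`/`aws-secret-access-key` lines under `with:` should be removed now that the role-based form is in use.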