Skip to content

skip: Merge branch 'feature/policy_testing_v2' of github.com:epam/ecc… #227

skip: Merge branch 'feature/policy_testing_v2' of github.com:epam/ecc…

skip: Merge branch 'feature/policy_testing_v2' of github.com:epam/ecc… #227

Workflow file for this run

name: Auto-testing
on:
push:
branches:
- "feature/policy_testing_v2"
# Run this workflow manually from the Actions tab
workflow_dispatch:
inputs:
resource_priority_list:
type: string
description: Priority list for resources (you can remove unnecessary resources during testing)
default: '[ ]'
required: true
# limits to only one workflow in time
concurrency:
group: ${{ github.workflow }}
env:
AUTO_TEST_DIR: "auto_policy_testing"
TF_VAR_project: ${{ secrets.TF_VAR_project }}
TF_VAR_region: ${{ secrets.AWS_REGION }}
TF_VAR_zone: ${{ secrets.TF_VAR_zone }}
TF_BACKEND_STORAGE_NAME: ${{ secrets.TF_BACKEND_STORAGE_NAME }}
TF_CLI_ARGS: "-no-color"
AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
default_resource_priority_list: '[ "account" ]'
RED: '\033[0;31m'
ACTIONS_REPO_BRANCH: "main"
permissions:
contents: "read"
id-token: "write"
jobs:
deploy_common_resources:
name: Deploy common
runs-on: ubuntu-22.04
strategy:
fail-fast: false
matrix:
compliance: ["green", "red"]
env:
COMPLINCE: ${{ matrix.compliance }}
RESOURCE: common_resources
steps:
- name: Git clone the repository
uses: actions/checkout@v4
- name: Checkout ecc-actions
run: git clone -b $ACTIONS_REPO_BRANCH "https://git:$PROJECT_TOKEN@git.epam.com/epmc-sec/cloudlab/cloud_custodian/ecc-actions.git" ecc-actions
env:
PROJECT_TOKEN: ${{ secrets.ECC_CHANGELOG_ACTION }}
ACTIONS_REPO_BRANCH: ${{ env.ACTIONS_REPO_BRANCH }}
- name: Deploy common
uses: ./ecc-actions/auto-test-actions/deploy-common-resources
with:
CI_ASSUME_ROLE: ${{ secrets.CI_ASSUME_ROLE }}
SERVICE_ACCOUNT: ${{ secrets.SERVICE_ACCOUNT }}
WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
COMPLIANCE: ${{ matrix.compliance }}
create_readonly_role_for_scans:
name: Create readonly role for scans
if: github.repository == 'epam/ecc-aws-rulepack'
runs-on: ubuntu-22.04
needs: deploy_common_resources
outputs:
readonly_role_name: ${{ steps.create-readonly-role.outputs.readonly_role_name }}
steps:
- name: Git clone the repository
uses: actions/checkout@v4
- name: Checkout ecc-actions
run: git clone -b $ACTIONS_REPO_BRANCH "https://git:$PROJECT_TOKEN@git.epam.com/epmc-sec/cloudlab/cloud_custodian/ecc-actions.git" ecc-actions
env:
PROJECT_TOKEN: ${{ secrets.ECC_CHANGELOG_ACTION }}
ACTIONS_REPO_BRANCH: ${{ env.ACTIONS_REPO_BRANCH }}
- name: Create readonly role for scans
id: create-readonly-role
uses: ./ecc-actions/auto-test-actions/readonly-role-for-scans
with:
CI_ASSUME_ROLE: ${{ secrets.CI_ASSUME_ROLE }}
SERVICE_ACCOUNT: ${{ secrets.SERVICE_ACCOUNT }}
WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
COMPLIANCE: ${{ matrix.compliance }}
PROJECT_TOKEN: ${{ secrets.CLOUDCUSTODIAN_CORE }}
ROLE_ACTION: "create"
# pack_iam_policies_per_resource:
# runs-on: ubuntu-22.04
# needs: deploy_common_resources
# steps:
# - name: Git clone the repository
# uses: actions/checkout@v4
# - name: pack_iam_policies
# shell: bash
# working-directory: ./ecc-actions/auto-test-actions/scripts
# run: python -u pack_iam.py ${{ github.repository }}
# - name: Archive loggs to artifacts
# uses: actions/upload-artifact@v4
# with:
# name: pack_iam
# path: |
# ${{ env.AUTO_TEST_DIR }}/iam
prepare_resource_matrix:
name: Prepare resource matrix
runs-on: ubuntu-22.04
needs: deploy_common_resources
outputs:
parallel_resources_list: ${{ steps.prepare-resource-matrix.outputs.parallel_resources_to_scan }}
not_parallel_resources_list: ${{ steps.prepare-resource-matrix.outputs.not_parallel_resources_to_scan }}
sequential_resources_list: ${{ steps.prepare-resource-matrix.outputs.sequential_resources_to_scan }}
sequential_resources_length: ${{ steps.prepare-resource-matrix.outputs.sequential_resources_length }}
steps:
- name: Git clone the repository
uses: actions/checkout@v4
- name: Checkout ecc-actions
run: git clone -b $ACTIONS_REPO_BRANCH "https://git:$PROJECT_TOKEN@git.epam.com/epmc-sec/cloudlab/cloud_custodian/ecc-actions.git" ecc-actions
env:
PROJECT_TOKEN: ${{ secrets.ECC_CHANGELOG_ACTION }}
ACTIONS_REPO_BRANCH: ${{ env.ACTIONS_REPO_BRANCH }}
- name: Prepare resource matrix
id: prepare-resource-matrix
uses: ./ecc-actions/auto-test-actions/prepare-resource-matrix
deploy_and_scan_parallel_resources:
name: Scan P
runs-on: ubuntu-22.04
needs: [deploy_common_resources, create_readonly_role_for_scans, prepare_resource_matrix] # pack_iam_policies_per_resource,
if: ${{ needs.prepare_resource_matrix.outputs.parallel_resources_list != '[]' }}
strategy:
max-parallel: 10
fail-fast: false
matrix:
compliance: ['green', 'red']
resource: ${{fromJson(needs.prepare_resource_matrix.outputs.parallel_resources_list)}}
env:
COMPLINCE: ${{ matrix.compliance }}
RESOURCE: ${{ matrix.resource }}
steps:
- name: Git clone the repository
uses: actions/checkout@v4
- name: Checkout ecc-actions
run: git clone -b $ACTIONS_REPO_BRANCH "https://git:$PROJECT_TOKEN@git.epam.com/epmc-sec/cloudlab/cloud_custodian/ecc-actions.git" ecc-actions
env:
PROJECT_TOKEN: ${{ secrets.ECC_CHANGELOG_ACTION }}
ACTIONS_REPO_BRANCH: ${{ env.ACTIONS_REPO_BRANCH }}
- name: Deploy and scan parallel resources
uses: ./ecc-actions/auto-test-actions/deploy-and-scan-resources
with:
CI_ASSUME_ROLE: ${{ secrets.CI_ASSUME_ROLE }}
SERVICE_ACCOUNT: ${{ secrets.SERVICE_ACCOUNT }}
WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
COMPLIANCE: ${{ matrix.compliance }}
PROJECT_TOKEN: ${{ secrets.CLOUDCUSTODIAN_CORE }}
READONLY_ROLE_NAME: ${{ needs.create_readonly_role_for_scans.outputs.readonly_role_name }}
GOOGLE_IMPERSONATE_SERVICE_ACCOUNT: ${{ secrets.GOOGLE_IMPERSONATE_SERVICE_ACCOUNT }}
deploy_and_scan_not_parallel_resources:
name: Scan N/P
runs-on: ubuntu-22.04
needs: [deploy_common_resources, create_readonly_role_for_scans, prepare_resource_matrix] # pack_iam_policies_per_resource,
if: ${{ needs.prepare_resource_matrix.outputs.not_parallel_resources_list != '[]' }}
strategy:
max-parallel: 1
fail-fast: false
matrix:
compliance: ['green', 'red']
resource: ${{fromJson(needs.prepare_resource_matrix.outputs.not_parallel_resources_list)}}
env:
COMPLINCE: ${{ matrix.compliance }}
RESOURCE: ${{ matrix.resource }}
steps:
- name: Git clone the repository
uses: actions/checkout@v4
- name: Checkout ecc-actions
run: git clone -b $ACTIONS_REPO_BRANCH "https://git:$PROJECT_TOKEN@git.epam.com/epmc-sec/cloudlab/cloud_custodian/ecc-actions.git" ecc-actions
env:
PROJECT_TOKEN: ${{ secrets.ECC_CHANGELOG_ACTION }}
ACTIONS_REPO_BRANCH: ${{ env.ACTIONS_REPO_BRANCH }}
- name: Deploy and scan non-parallel resources
uses: ./ecc-actions/auto-test-actions/deploy-and-scan-resources
with:
CI_ASSUME_ROLE: ${{ secrets.CI_ASSUME_ROLE }}
SERVICE_ACCOUNT: ${{ secrets.SERVICE_ACCOUNT }}
WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
COMPLIANCE: ${{ matrix.compliance }}
PROJECT_TOKEN: ${{ secrets.CLOUDCUSTODIAN_CORE }}
READONLY_ROLE_NAME: ${{ needs.create_readonly_role_for_scans.outputs.readonly_role_name }}
GOOGLE_IMPERSONATE_SERVICE_ACCOUNT: ${{ secrets.GOOGLE_IMPERSONATE_SERVICE_ACCOUNT }}
deploy_and_scan_sequential_resources:
name: Scan S
runs-on: ubuntu-22.04
needs: [deploy_common_resources, prepare_resource_matrix]
if: ${{ needs.prepare_resource_matrix.outputs.sequential_resources_list != '[]' }}
strategy:
fail-fast: false
matrix:
resource: ${{fromJson(needs.prepare_resource_matrix.outputs.sequential_resources_list)}}
env:
RESOURCE: ${{ matrix.resource }}
steps:
- name: Git clone the repository
uses: actions/checkout@v4
- name: Checkout ecc-actions
run: git clone -b $ACTIONS_REPO_BRANCH "https://git:$PROJECT_TOKEN@git.epam.com/epmc-sec/cloudlab/cloud_custodian/ecc-actions.git" ecc-actions
env:
PROJECT_TOKEN: ${{ secrets.ECC_CHANGELOG_ACTION }}
ACTIONS_REPO_BRANCH: ${{ env.ACTIONS_REPO_BRANCH }}
- name: Deploy and scan non-parallel resource (green)
uses: ./ecc-actions/auto-test-actions/deploy-and-scan-resources
env:
COMPLINCE: "green"
with:
CI_ASSUME_ROLE: ${{ secrets.CI_ASSUME_ROLE }}
SERVICE_ACCOUNT: ${{ secrets.SERVICE_ACCOUNT }}
WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
COMPLIANCE: ${{ matrix.compliance }}
PROJECT_TOKEN: ${{ secrets.CLOUDCUSTODIAN_CORE }}
READONLY_ROLE_NAME: ${{ needs.create_readonly_role_for_scans.outputs.readonly_role_name }}
GOOGLE_IMPERSONATE_SERVICE_ACCOUNT: ${{ secrets.GOOGLE_IMPERSONATE_SERVICE_ACCOUNT }}
- name: Deploy and scan non-parallel resource (red)
uses: ./ecc-actions/auto-test-actions/deploy-and-scan-resources
env:
COMPLINCE: "red"
if: always()
with:
CI_ASSUME_ROLE: ${{ secrets.CI_ASSUME_ROLE }}
SERVICE_ACCOUNT: ${{ secrets.SERVICE_ACCOUNT }}
WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
COMPLIANCE: ${{ matrix.compliance }}
PROJECT_TOKEN: ${{ secrets.CLOUDCUSTODIAN_CORE }}
READONLY_ROLE_NAME: ${{ needs.create_readonly_role_for_scans.outputs.readonly_role_name }}
GOOGLE_IMPERSONATE_SERVICE_ACCOUNT: ${{ secrets.GOOGLE_IMPERSONATE_SERVICE_ACCOUNT }}
delete_readonly_role_for_scans:
name: Delete readonly role for scans
if: ${{ always() }}
runs-on: ubuntu-22.04
needs: [ create_readonly_role_for_scans, deploy_and_scan_parallel_resources, deploy_and_scan_not_parallel_resources, deploy_and_scan_sequential_resources ]
steps:
- name: Git clone the repository
uses: actions/checkout@v4
- name: Checkout ecc-actions
run: git clone -b $ACTIONS_REPO_BRANCH "https://git:$PROJECT_TOKEN@git.epam.com/epmc-sec/cloudlab/cloud_custodian/ecc-actions.git" ecc-actions
env:
PROJECT_TOKEN: ${{ secrets.ECC_CHANGELOG_ACTION }}
ACTIONS_REPO_BRANCH: ${{ env.ACTIONS_REPO_BRANCH }}
- name: Delete readonly role for scans
uses: ./ecc-actions/auto-test-actions/readonly-role-for-scans
with:
CI_ASSUME_ROLE: ${{ secrets.CI_ASSUME_ROLE }}
SERVICE_ACCOUNT: ${{ secrets.SERVICE_ACCOUNT }}
WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
COMPLIANCE: ${{ matrix.compliance }}
PROJECT_TOKEN: ${{ secrets.CLOUDCUSTODIAN_CORE }}
ROLE_ACTION: "delete"
env:
created_role_name: ${{ needs.create_readonly_role_for_scans.outputs.readonly_role_name }}
destroy_common_resources:
name: Destroy common
runs-on: ubuntu-22.04
needs: [delete_readonly_role_for_scans]
if: ${{ always() }}
strategy:
max-parallel: 10
fail-fast: false
matrix:
compliance: ["green", "red"]
env:
COMPLINCE: ${{ matrix.compliance }}
RESOURCE: common_resources
steps:
- name: Git clone the repository
uses: actions/checkout@v4
- name: Checkout ecc-actions
run: git clone -b $ACTIONS_REPO_BRANCH "https://git:$PROJECT_TOKEN@git.epam.com/epmc-sec/cloudlab/cloud_custodian/ecc-actions.git" ecc-actions
env:
PROJECT_TOKEN: ${{ secrets.ECC_CHANGELOG_ACTION }}
ACTIONS_REPO_BRANCH: ${{ env.ACTIONS_REPO_BRANCH }}
- name: Destroy common resources
uses: ./ecc-actions/auto-test-actions/destroy-common-resources
with:
CI_ASSUME_ROLE: ${{ secrets.CI_ASSUME_ROLE }}
SERVICE_ACCOUNT: ${{ secrets.SERVICE_ACCOUNT }}
WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
COMPLIANCE: ${{ matrix.compliance }}