Add sequential resources stage and update common VPC terraform
Mykhailo committed Sep 19, 2024
1 parent b7d87a5 commit b44802d
Showing 2 changed files with 53 additions and 3 deletions.
54 changes: 52 additions & 2 deletions .github/workflows/auto-test.yml
@@ -26,7 +26,7 @@ env:
AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
default_resource_priority_list: '[ "sqs", "sns" ]'
RED: '\033[0;31m'
ACTIONS_REPO_BRANCH: "main"
ACTIONS_REPO_BRANCH: "main"

permissions:
contents: "read"
@@ -113,6 +113,8 @@ jobs:
outputs:
parallel_resources_list: ${{ steps.prepare-resource-matrix.outputs.parallel_resources_to_scan }}
not_parallel_resources_list: ${{ steps.prepare-resource-matrix.outputs.not_parallel_resources_to_scan }}
sequential_resources_list: ${{ steps.prepare-resource-matrix.outputs.sequential_resources_to_scan }}
sequential_resources_length: ${{ steps.prepare-resource-matrix.outputs.sequential_resources_length }}
steps:
- name: Git clone the repository
uses: actions/checkout@v4
@@ -196,11 +198,59 @@ jobs:
READONLY_ROLE_NAME: ${{ needs.create_readonly_role_for_scans.outputs.readonly_role_name }}
GOOGLE_IMPERSONATE_SERVICE_ACCOUNT: ${{ secrets.GOOGLE_IMPERSONATE_SERVICE_ACCOUNT }}

deploy_and_scan_sequential_resources:
name: Scan S
runs-on: ubuntu-22.04
needs: [deploy_common_resources, prepare_resource_matrix]
if: ${{ needs.prepare_resource_matrix.outputs.sequential_resources_list != '[]' }}
strategy:
fail-fast: false
matrix:
resource: ${{fromJson(needs.prepare_resource_matrix.outputs.sequential_resources_list)}}
env:
RESOURCE: ${{ matrix.resource }}
steps:
- name: Git clone the repository
uses: actions/checkout@v4

- name: Checkout ecc-actions
run: git clone -b $ACTIONS_REPO_BRANCH "https://git:$PROJECT_TOKEN@git.epam.com/epmc-sec/cloudlab/cloud_custodian/ecc-actions.git" ecc-actions
env:
PROJECT_TOKEN: ${{ secrets.ECC_CHANGELOG_ACTION }}
ACTIONS_REPO_BRANCH: ${{ env.ACTIONS_REPO_BRANCH }}

- name: Deploy and scan non-parallel resource (green)
uses: ./ecc-actions/auto-test-actions/deploy-and-scan-resources
env:
COMPLINCE: "green"
with:
CI_ASSUME_ROLE: ${{ secrets.CI_ASSUME_ROLE }}
SERVICE_ACCOUNT: ${{ secrets.SERVICE_ACCOUNT }}
WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
COMPLIANCE: ${{ matrix.compliance }}
PROJECT_TOKEN: ${{ secrets.CLOUDCUSTODIAN_CORE }}
READONLY_ROLE_NAME: ${{ needs.create_readonly_role_for_scans.outputs.readonly_role_name }}
GOOGLE_IMPERSONATE_SERVICE_ACCOUNT: ${{ secrets.GOOGLE_IMPERSONATE_SERVICE_ACCOUNT }}

- name: Deploy and scan non-parallel resource (red)
uses: ./ecc-actions/auto-test-actions/deploy-and-scan-resources
env:
COMPLINCE: "red"
if: always()
with:
CI_ASSUME_ROLE: ${{ secrets.CI_ASSUME_ROLE }}
SERVICE_ACCOUNT: ${{ secrets.SERVICE_ACCOUNT }}
WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
COMPLIANCE: ${{ matrix.compliance }}
PROJECT_TOKEN: ${{ secrets.CLOUDCUSTODIAN_CORE }}
READONLY_ROLE_NAME: ${{ needs.create_readonly_role_for_scans.outputs.readonly_role_name }}
GOOGLE_IMPERSONATE_SERVICE_ACCOUNT: ${{ secrets.GOOGLE_IMPERSONATE_SERVICE_ACCOUNT }}

delete_readonly_role_for_scans:
name: Delete readonly role for scans
if: ${{ always() }}
runs-on: ubuntu-22.04
needs: [ create_readonly_role_for_scans, deploy_and_scan_parallel_resources, deploy_and_scan_not_parallel_resources ]
needs: [ create_readonly_role_for_scans, deploy_and_scan_parallel_resources, deploy_and_scan_not_parallel_resources, deploy_and_scan_sequential_resources ]
steps:
- name: Git clone the repository
uses: actions/checkout@v4
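Review bot: The new job's `needs: [deploy_common_resources, prepare_resource_matrix]` omits `create_readonly_role_for_scans`, yet both scan steps pass `READONLY_ROLE_NAME: ${{ needs.create_readonly_role_for_scans.outputs.readonly_role_name }}`; the `needs` context only exposes direct dependencies, so that input evaluates to an empty string unless the role job is reached some other way not visible here — add it with `needs: [deploy_common_resources, prepare_resource_matrix, create_readonly_role_for_scans]`. The compliance wiring also looks broken: the matrix defines only `resource`, so `COMPLIANCE: ${{ matrix.compliance }}` is empty in both steps, while the intended value sits under the misspelled step env key `COMPLINCE`; presumably this should be `COMPLIANCE: "green"` and `COMPLIANCE: "red"` under `with`, with the env key dropped. The step names still read "Deploy and scan non-parallel resource" and the job name `Scan S` looks truncated, which makes the run log hard to follow. The clone step embeds `$PROJECT_TOKEN` in the remote URL, which persists in `ecc-actions/.git/config` for every later step of the job; passing the credential via `git -c http.extraheader=...` or rewriting the remote URL after the clone keeps it off disk. The `delete_readonly_role_for_scans` job at the end of the hunk continues outside it.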
2 changes: 1 addition & 1 deletion auto_policy_testing/green/common_resources/vpc.tf
@@ -107,7 +107,7 @@ resource "aws_eip" "this" {
resource "aws_nat_gateway" "this" {
allocation_id = aws_eip.this.id
subnet_id = aws_subnet.public1.id
depends_on = [aws_eip.this]
depends_on = [aws_eip.this, aws_vpc.this]
tags = {
Name = "${module.naming.resource_prefix.vpn_gtw}"
}
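Review bot: Both entries in `depends_on = [aws_eip.this, aws_vpc.this]` appear already implied by the resource's own arguments: `allocation_id = aws_eip.this.id` references the EIP directly, and `subnet_id = aws_subnet.public1.id` presumably references a subnet that itself carries `vpc_id = aws_vpc.this.id` (not visible here), so the explicit list adds no ordering Terraform would not infer. If it was added to work around a concrete apply-ordering failure, a one-line comment naming it would keep the next maintainer from removing it, e.g. `# explicit dependency: <observed failure without it>`. The `aws_nat_gateway` resource block continues past the end of the hunk.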