From bcda874eb440da955076b7f75e6318ed9afb4d3a Mon Sep 17 00:00:00 2001
From: Mykhailo
Date: Thu, 19 Sep 2024 13:15:24 +0300
Subject: [PATCH] Add sequential resources stage and update common VPC terraform

---
 .github/workflows/auto-test.yml | 55 ++++++++++++++++++-
 .../green/common_resources/vpc.tf | 2 +-
 2 files changed, 54 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/auto-test.yml b/.github/workflows/auto-test.yml
index c69de980..0a8a73c2 100644
--- a/.github/workflows/auto-test.yml
+++ b/.github/workflows/auto-test.yml
@@ -3,6 +3,7 @@ on:
   push:
     branches:
       - "feature/policy_testing_v2"
+      - "feature/add_sequential_resources"
   # Run this workflow manually from the Actions tab
   workflow_dispatch:
     inputs:
@@ -26,7 +27,7 @@ env:
   AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
   default_resource_priority_list: '[ "sqs", "sns" ]'
   RED: '\033[0;31m'
-  ACTIONS_REPO_BRANCH: "main"
+  ACTIONS_REPO_BRANCH: "feature/deploy_scan_sequential_resources"
 
 permissions:
   contents: "read"
@@ -113,6 +114,8 @@ jobs:
     outputs:
       parallel_resources_list: ${{ steps.prepare-resource-matrix.outputs.parallel_resources_to_scan }}
       not_parallel_resources_list: ${{ steps.prepare-resource-matrix.outputs.not_parallel_resources_to_scan }}
+      sequential_resources_list: ${{ steps.prepare-resource-matrix.outputs.sequential_resources_to_scan }}
+      sequential_resources_length: ${{ steps.prepare-resource-matrix.outputs.sequential_resources_length }}
     steps:
       - name: Git clone the repository
         uses: actions/checkout@v4
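Review bot: `ACTIONS_REPO_BRANCH` now points the runtime `git clone` of ecc-actions — and every `uses: ./ecc-actions/...` step that executes code from that clone — at a feature branch, a mutable ref whose content can change, be force-pushed, or be deleted after merge without any change to this workflow. If this is only for testing the branch, restore `ACTIONS_REPO_BRANCH: "main"` before merging; if the pin is meant to stay, checking out a specific commit after the clone (`git -C ecc-actions checkout <commit-sha-placeholder>`) is the safer supply-chain choice, since the workflow then runs reviewed code regardless of what later lands on the branch. Either way a comment next to the value saying which it is would save the next reader the guess.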
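Review bot: `sequential_resources_length` is declared as a job output here but nothing in this patch reads it — the new `deploy_and_scan_sequential_resources` job in the later hunk uses only `sequential_resources_list` — so it is either dead or its consumer is missing; either drop it or add a comment naming the consumer. The `prepare-resource-matrix` step that sets `sequential_resources_to_scan` is outside this hunk; if any path through it leaves that output unset, the consumer job's `if` compares an empty string with `'[]'`, passes, and `fromJson('')` then fails the job, so the guard there should be `if: ${{ needs.prepare_resource_matrix.outputs.sequential_resources_list != '' && needs.prepare_resource_matrix.outputs.sequential_resources_list != '[]' }}`.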
@@ -196,11 +199,59 @@ jobs:
           READONLY_ROLE_NAME: ${{ needs.create_readonly_role_for_scans.outputs.readonly_role_name }}
           GOOGLE_IMPERSONATE_SERVICE_ACCOUNT: ${{ secrets.GOOGLE_IMPERSONATE_SERVICE_ACCOUNT }}
 
+  deploy_and_scan_sequential_resources:
+    name: Scan S
+    runs-on: ubuntu-22.04
+    needs: [deploy_common_resources, prepare_resource_matrix]
+    if: ${{ needs.prepare_resource_matrix.outputs.sequential_resources_list != '[]' }}
+    strategy:
+      fail-fast: false
+      matrix:
+        resource: ${{fromJson(needs.prepare_resource_matrix.outputs.sequential_resources_list)}}
+    env:
+      RESOURCE: ${{ matrix.resource }}
+    steps:
+      - name: Git clone the repository
+        uses: actions/checkout@v4
+
+      - name: Checkout ecc-actions
+        run: git clone -b $ACTIONS_REPO_BRANCH "https://git:$PROJECT_TOKEN@git.epam.com/epmc-sec/cloudlab/cloud_custodian/ecc-actions.git" ecc-actions
+        env:
+          PROJECT_TOKEN: ${{ secrets.ECC_CHANGELOG_ACTION }}
+          ACTIONS_REPO_BRANCH: ${{ env.ACTIONS_REPO_BRANCH }}
+
+      - name: Deploy and scan non-parallel resource (green)
+        uses: ./ecc-actions/auto-test-actions/deploy-and-scan-resources
+        env:
+          COMPLINCE: "green"
+        with:
+          CI_ASSUME_ROLE: ${{ secrets.CI_ASSUME_ROLE }}
+          SERVICE_ACCOUNT: ${{ secrets.SERVICE_ACCOUNT }}
+          WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
+          COMPLIANCE: ${{ matrix.compliance }}
+          PROJECT_TOKEN: ${{ secrets.CLOUDCUSTODIAN_CORE }}
+          READONLY_ROLE_NAME: ${{ needs.create_readonly_role_for_scans.outputs.readonly_role_name }}
+          GOOGLE_IMPERSONATE_SERVICE_ACCOUNT: ${{ secrets.GOOGLE_IMPERSONATE_SERVICE_ACCOUNT }}
+
+      - name: Deploy and scan non-parallel resource (red)
+        uses: ./ecc-actions/auto-test-actions/deploy-and-scan-resources
+        env:
+          COMPLINCE: "red"
+        if: always()
+        with:
+          CI_ASSUME_ROLE: ${{ secrets.CI_ASSUME_ROLE }}
+          SERVICE_ACCOUNT: ${{ secrets.SERVICE_ACCOUNT }}
+          WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
+          COMPLIANCE: ${{ matrix.compliance }}
+          PROJECT_TOKEN: ${{ secrets.CLOUDCUSTODIAN_CORE }}
+          READONLY_ROLE_NAME: ${{ needs.create_readonly_role_for_scans.outputs.readonly_role_name }}
+          GOOGLE_IMPERSONATE_SERVICE_ACCOUNT: ${{ secrets.GOOGLE_IMPERSONATE_SERVICE_ACCOUNT }}
+
   delete_readonly_role_for_scans:
     name: Delete readonly role for scans
     if: ${{ always() }}
     runs-on: ubuntu-22.04
-    needs: [ create_readonly_role_for_scans, deploy_and_scan_parallel_resources, deploy_and_scan_not_parallel_resources ]
+    needs: [ create_readonly_role_for_scans, deploy_and_scan_parallel_resources, deploy_and_scan_not_parallel_resources, deploy_and_scan_sequential_resources ]
     steps:
       - name: Git clone the repository
         uses: actions/checkout@v4
diff --git a/auto_policy_testing/green/common_resources/vpc.tf b/auto_policy_testing/green/common_resources/vpc.tf
index ac416d0d..990fbacf 100644
--- a/auto_policy_testing/green/common_resources/vpc.tf
+++ b/auto_policy_testing/green/common_resources/vpc.tf
@@ -107,7 +107,7 @@ resource "aws_eip" "this" {
 resource "aws_nat_gateway" "this" {
   allocation_id = aws_eip.this.id
   subnet_id = aws_subnet.public1.id
-  depends_on = [aws_eip.this]
+  depends_on = [aws_eip.this, aws_vpc.this]
   tags = {
     Name = "${module.naming.resource_prefix.vpn_gtw}"
   }
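Review bot: In both deploy steps of the new job, `COMPLIANCE: ${{ matrix.compliance }}` expands to an empty string because the job's matrix defines only `resource`, and the `env: COMPLINCE: "green"` / `"red"` above it is misspelled, so the composite action receives the compliance value neither as the `COMPLIANCE` input it evidently declares nor as an env variable; pass it as a literal input and drop the `env` blocks. The job also reads `needs.create_readonly_role_for_scans.outputs.readonly_role_name` while `needs:` lists only `deploy_common_resources` and `prepare_resource_matrix`, so that job is not in this job's `needs` context and nothing orders the scan after the role exists; add `create_readonly_role_for_scans` to `needs`. `name: Scan S` looks truncated and both step names still say "non-parallel", presumably copied from the job above this hunk. The `git clone` with `$PROJECT_TOKEN` in the URL leaves the token in `ecc-actions/.git/config` on the runner for the rest of the job (the other scan jobs likely share this pattern); passing the credential via `git -c http.extraheader=...` or a credential helper keeps it out of the on-disk config. Whether `if: always()` on the red step is meant to run after a cancellation too deserves a comment, since `if: ${{ !cancelled() }}` is the usual form for "run red even if green failed".
```yaml
  deploy_and_scan_sequential_resources:
    name: Scan sequential resources
    runs-on: ubuntu-22.04
    needs: [deploy_common_resources, prepare_resource_matrix, create_readonly_role_for_scans]
    # … unchanged: if / strategy / env / checkout steps …
      - name: Deploy and scan sequential resource (green)
        uses: ./ecc-actions/auto-test-actions/deploy-and-scan-resources
        with:
          COMPLIANCE: "green"
          # … unchanged: remaining inputs …

      - name: Deploy and scan sequential resource (red)
        uses: ./ecc-actions/auto-test-actions/deploy-and-scan-resources
        if: always()
        with:
          COMPLIANCE: "red"
          # … unchanged: remaining inputs …
```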
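Review bot: Adding `aws_vpc.this` to `depends_on` declares nothing Terraform does not already infer: `subnet_id = aws_subnet.public1.id` makes the NAT gateway depend on the subnet, which (assuming `aws_subnet.public1` references `aws_vpc.this`, outside this hunk) already depends on the VPC transitively, and `aws_eip.this` is likewise implied by `allocation_id`. If the motivation was the ordering problem the AWS provider documents for NAT gateways — creation before the VPC's internet gateway is attached — the dependency to declare is the internet gateway, `depends_on = [aws_internet_gateway.<name-in-this-file>]`, if this file defines one. Either way a comment above `depends_on` stating why the explicit dependency is needed would stop the next reader from removing it as redundant.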