From 58c2031dbe780d04e0fd8bfdac1c0c3b36dc037c Mon Sep 17 00:00:00 2001
From: Mykhailo
Date: Thu, 19 Sep 2024 12:04:41 +0300
Subject: [PATCH] Add deploy and scan sequential resources

---
 .github/workflows/auto-test.yml | 51 +++++++++++++++++++++++++++++++--
 1 file changed, 48 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/auto-test.yml b/.github/workflows/auto-test.yml
index ee4bc69..0c8ae72 100644
--- a/.github/workflows/auto-test.yml
+++ b/.github/workflows/auto-test.yml
@@ -10,7 +10,7 @@ on:
       resource_priority_list:
         type: string
         description: Priority list for resources (you can remove unnecessary resources during testing)
-        default: '["storage", "webapp", "vnet", "network", "vm", "synapse", "sql", "mysql", "subscription", "disk", "postgresql", "cosmosdb", "signalr", "spring", "search", "service-fabric", "stream", "redis", "servicebus", "role", "monitor", "machine-learning", "logic", "kusto", "aks", "keyvault", "iothub", "front-door", "event", "data", "defender", "container", "cognitiveservice", "batch", "automation", "application", "app-configuration", "api", "alert"]'
+        default: '["disk"]' #'["storage", "webapp", "vnet", "network", "vm", "synapse", "sql", "mysql", "subscription", "disk", "postgresql", "cosmosdb", "signalr", "spring", "search", "service-fabric", "stream", "redis", "servicebus", "role", "monitor", "machine-learning", "logic", "kusto", "aks", "keyvault", "iothub", "front-door", "event", "data", "defender", "container", "cognitiveservice", "batch", "automation", "application", "app-configuration", "api", "alert"]'
         required: true
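Review bot: The input default on the `+` line is cut down to `'["disk"]'` with the full list parked in a trailing comment, which reads as a local test setting committed by accident rather than part of adding the sequential job; the same narrowing is made to `default_resource_priority_list` in the `env:` hunk at -24. If it is intentional, say so in the input description; otherwise restore the full `default: '["storage", "webapp", ... "alert"]'` value and drop the comment so the workflow_dispatch default and the env fallback stay in sync. A commented-out copy of the list will silently go stale the next time a resource is added.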
@@ -24,7 +24,7 @@ env:
   AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
   AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
   AZURE_SECRET_VALUE: ${{ secrets.AZURE_SECRET_VALUE }}
-  default_resource_priority_list: '["storage", "webapp", "vnet", "network", "vm", "synapse", "sql", "mysql", "subscription", "disk", "postgresql", "cosmosdb", "signalr", "spring", "search", "service-fabric", "stream", "redis", "servicebus", "role", "monitor", "machine-learning", "logic", "kusto", "aks", "keyvault", "iothub", "front-door", "event", "data", "defender", "container", "cognitiveservice", "batch", "automation", "application", "app-configuration", "api", "alert"]'
+  default_resource_priority_list: '["disk"]' #default_resource_priority_list: '["storage", "webapp", "vnet", "network", "vm", "synapse", "sql", "mysql", "subscription", "disk", "postgresql", "cosmosdb", "signalr", "spring", "search", "service-fabric", "stream", "redis", "servicebus", "role", "monitor", "machine-learning", "logic", "kusto", "aks", "keyvault", "iothub", "front-door", "event", "data", "defender", "container", "cognitiveservice", "batch", "automation", "application", "app-configuration", "api", "alert"]'
   TF_VAR_project: ${{ secrets.TF_VAR_project }}
   TF_VAR_region: ${{ secrets.AWS_REGION }}
@@ -106,6 +106,8 @@ jobs:
     outputs:
       parallel_resources_list: ${{ steps.prepare-resource-matrix.outputs.parallel_resources_to_scan }}
       not_parallel_resources_list: ${{ steps.prepare-resource-matrix.outputs.not_parallel_resources_to_scan }}
+      sequential_resources_list: ${{ steps.prepare-resource-matrix.outputs.sequential_resources_to_scan }}
+      sequential_resources_length: ${{ steps.prepare-resource-matrix.outputs.sequential_resources_length }}
     steps:
       - name: Git clone the repository
         uses: actions/checkout@v4
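Review bot: The two new job outputs read `steps.prepare-resource-matrix.outputs.sequential_resources_to_scan` and `sequential_resources_length`, but nothing in this patch touches the `prepare-resource-matrix` step itself, so whatever writes those outputs presumably lives outside this file and has to be updated in lockstep. If that step does not set them, both outputs resolve to an empty string: the `!= '[]'` guard on the new job still passes and `fromJson('')` then fails the matrix expansion. `sequential_resources_length` is not consumed by any hunk in this patch; either use it (for example to size `max-parallel`) or leave it out until it is needed.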
@@ -187,6 +189,48 @@ jobs:
       COMPLIANCE: ${{ matrix.compliance }}
       PROJECT_TOKEN: ${{ secrets.CLOUDCUSTODIAN_CORE }}
+  deploy_and_scan_sequential_resources:
+    name: Scan S
+    runs-on: ubuntu-22.04
+    needs: [deploy_common_resources, prepare_resource_matrix]
+    if: ${{ needs.prepare_resource_matrix.outputs.sequential_resources_list != '[]' }}
+    strategy:
+      fail-fast: false
+      matrix:
+        resource: ${{fromJson(needs.prepare_resource_matrix.outputs.sequential_resources_list)}}
+    env:
+      RESOURCE: ${{ matrix.resource }}
+    steps:
+      - name: Git clone the repository
+        uses: actions/checkout@v4
+
+      - name: Checkout ecc-actions
+        run: git clone -b $ACTIONS_REPO_BRANCH "https://git:$PROJECT_TOKEN@git.epam.com/epmc-sec/cloudlab/cloud_custodian/ecc-actions.git" ecc-actions
+        env:
+          PROJECT_TOKEN: ${{ secrets.ECC_CHANGELOG_ACTION }}
+          ACTIONS_REPO_BRANCH: ${{ env.ACTIONS_REPO_BRANCH }}
+
+      - name: Deploy and scan non-parallel resource (green)
+        uses: ./ecc-actions/auto-test-actions/deploy-and-scan-resources
+        env:
+          COMPLINCE: "green"
+        with:
+          CI_ASSUME_ROLE: ${{ secrets.CI_ASSUME_ROLE }}
+          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+          COMPLIANCE: "green"
+          PROJECT_TOKEN: ${{ secrets.CLOUDCUSTODIAN_CORE }}
+
+      - name: Deploy and scan non-parallel resource (red)
+        uses: ./ecc-actions/auto-test-actions/deploy-and-scan-resources
+        env:
+          COMPLINCE: "red"
+        if: always()
+        with:
+          CI_ASSUME_ROLE: ${{ secrets.CI_ASSUME_ROLE }}
+          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+          COMPLIANCE: "red"
+          PROJECT_TOKEN: ${{ secrets.CLOUDCUSTODIAN_CORE }}
+
 # delete_readonly_role_for_scans:
 #   name: Delete readonly role for scans
 #   if: ${{ always() }}
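Review bot: The `strategy:` block of `deploy_and_scan_sequential_resources` has no `max-parallel`, so despite the job's name every matrix `resource` is scheduled concurrently, exactly like the parallel job; add `max-parallel: 1` next to `fail-fast: false` (the `destroy_common_resources` job in this same file already uses the key), and widen the job-level guard to `if: ${{ needs.prepare_resource_matrix.outputs.sequential_resources_list != '' && needs.prepare_resource_matrix.outputs.sequential_resources_list != '[]' }}` so an unset output does not reach `fromJson`. Both deploy steps set `COMPLINCE` under `env:` while passing `COMPLIANCE` through `with:`; the misspelt variable is either dead or a typo for `COMPLIANCE`, so fix or drop the `env:` block. The `Checkout ecc-actions` step embeds `$PROJECT_TOKEN` in the clone URL, which git stores verbatim as the remote URL in `ecc-actions/.git/config` on the runner for the rest of the job; the sibling jobs appear to use the same pattern, but passing the credential via `git -c http.extraheader=...` or a credential helper keeps it out of the checked-out tree. The two step names still say `non-parallel resource` and the job is displayed as `Scan S`; naming it in line with the sibling jobs (e.g. `Scan sequential`) would make the run summary readable.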
@@ -216,7 +260,7 @@ jobs:
   destroy_common_resources:
     name: Destroy common
     runs-on: ubuntu-22.04
-    needs: [deploy_and_scan_not_parallel_resources, deploy_and_scan_parallel_resources]
+    needs: [deploy_and_scan_not_parallel_resources, deploy_and_scan_parallel_resources, deploy_and_scan_sequential_resources]
     if: ${{ always() }}
     strategy:
       max-parallel: 10
@@ -240,3 +284,4 @@ jobs:
       CI_ASSUME_ROLE: ${{ secrets.CI_ASSUME_ROLE }}
       AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
       COMPLIANCE: ${{ matrix.compliance }}
+