Merge pull request #22 from sonikro/create-security-group

Automatically creates security group if no SgID is provided

Author: sonikro

.github/workflows/test.yml

@@ -15,7 +15,7 @@ jobs:
           npm install
       - run: |
           npm run all
-  test: 
+  test-existing-sg: 
     runs-on: ubuntu-latest
     if: github.repository_owner == 'sonikro'
     permissions:
@@ -39,3 +39,26 @@ jobs:
             terraform -v
             echo "Hello World. I am ${{github.repository}}"
             echo "Testing $GITHUB_REPOSITORY variable"
+  test-new-sg: 
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'sonikro'
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: ./
+        with:
+          role_arn: "${{secrets.TEST_ROLE_ARN}}"
+          image: hashicorp/terraform:latest
+          region: us-east-1
+          vpc_id: "${{secrets.TEST_VPC_ID}}"
+          subnet_ids: |
+            ${{secrets.TEST_SUBNET_ID}}
+          shell: sh
+          run: |
+            ls -la
+            terraform -v
+            echo "Hello World. I am ${{github.repository}}"
+            echo "Testing $GITHUB_REPOSITORY variable"

README.md

@@ -89,7 +89,13 @@ The policy attattched to this role must have at least these permissions:
                 "iam:PassRole",
                 "logs:CreateLogGroup",
                 "logs:GetLogEvents",
-                "s3:*"
+                "s3:*",
+                "ec2:DescribeSecurityGroups",
+				"ec2:DescribeSecurityGroupRules",
+				"ec2:AuthorizeSecurityGroupEgress",
+				"ec2:CreateSecurityGroup",
+				"ec2:AuthorizeSecurityGroupIngress",
+				"ec2:DeleteSecurityGroup"
             ],
             "Resource": "*"
         },
@@ -111,6 +117,36 @@ The policy attattched to this role must have at least these permissions:
 ```
 ### Usage in your workflow
 
+#### Easiest way to get started
+
+
+```yaml
+jobs:
+  terraform: 
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write 
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: sonikro/aws-run@v1
+        with:
+          role_arn: "${{secrets.ROLE_ARN}}"
+          image: hashicorp/terraform:latest
+          region: us-east-1
+          vpc_id: "${{secrets.VPC_ID}}"
+          subnet_ids: |
+            ${{secrets.SUBNBET_ID}}
+          shell: sh
+          run: |
+            terraform apply
+```
+
+#### Specifying a custom security group id
+
+If you don't want the action to create a temporary security-group for the remote execution (the security group blocks all incoming traffic and allows all outgoing traffic), you must specify the **security_group_id** argument
+
 ```yaml
 jobs:
   terraform: 
@@ -177,7 +213,7 @@ In the execution phase, the action will:
 - [X] Delete the Cloudwatch Logstream on Teardown
 - [X] Allow multiple Subnet IDs
 - [X] Stream the Cloudwatch logs as they happen, and not just at the end of the execution
-- [ ] Automatically create temporary security group if one is not provided
+- [X] Automatically create temporary security group if one is not provided
 - [ ] Automatically grab list of Subnets for VPC_ID, if Subnet_IDS are not provided
 - [ ] Mask secrets inside the Cloudwatch Logs
 - [X] Map all GitHub Contexts/ENVS into the ECS Container

action.yml

@@ -31,8 +31,8 @@ inputs:
     description: AWS Region to execute the operations
     default: us-east-1
   security_group_id:
-    required: true
-    description: Security Group to be used by the ECS Task
+    required: false
+    description: Security Group to be used by the ECS Task. If not informed, a temporary security group will be created with access to the internet
   run:
     required: true
     description: Script that will be executed in the remote environment