Skip to content

Refactor CDR and CIS workflows #139

Refactor CDR and CIS workflows

Refactor CDR and CIS workflows #139

Workflow file for this run

name: GCP Deployment Manager Test
on:
pull_request:
branches:
- main
- "[0-9]+.[0-9]+"
types: [opened, synchronize, reopened]
paths:
- ".github/workflows/test-gcp-dm.yml"
- "deploy/deployment-manager/compute_engine.py"
- "deploy/deployment-manager/compute_engine.py.schema"
- "deploy/deployment-manager/deploy.sh"
- "deploy/deployment-manager/set_env.sh"
- "deploy/deployment-manager/deploy_service_account.sh"
- "deploy/deployment-manager/service_account.py"
- "deploy/deployment-manager/service_account.py.schema"
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true
env:
TEST_ENVS_DIR: deploy/test-environments
INTEGRATIONS_SETUP_DIR: tests/integrations_setup
DEPLOYMENT_MANAGER_DIR: deploy/deployment-manager
TF_VAR_ec_api_key: ${{ secrets.EC_API_KEY }}
TF_VAR_ess_region: gcp-us-west2 # default region for testing deployments
GCP_LABELS: "ci=integration,owner=${{ github.actor }}"
jobs:
# Test a GCP Deployment Manager deployment using Application Default Credentials
gcp_dm_adc:
name: CSPM GCP with ADC
runs-on: ubuntu-22.04
timeout-minutes: 60
permissions:
contents: "read"
id-token: "write"
steps:
- name: Set up unique deployment names
run: |
suffix="$(date +%s | tail -c 3)"
echo "TF_VAR_deployment_name=gcp-dm-ci-test-$suffix" >> $GITHUB_ENV
echo "GCP_DEPLOYMENT_NAME=ea-cspm-ci-dm-test-$suffix" >> $GITHUB_ENV
- name: Check out the repo
uses: actions/checkout@v4
- name: Init Hermit
run: ./bin/hermit env -r >> $GITHUB_ENV
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.9"
- name: Install Poetry
run: |
curl -sSL https://install.python-poetry.org | python3 -
poetry --version
- id: google-auth
name: Authenticate to Google Cloud
uses: google-github-actions/auth@v2
with:
workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }} # this also sets the project name
service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
- name: set TF_VAR_stack_version
run: |
version=$(grep defaultBeatVersion version/version.go | cut -f2 -d "\"")
echo "TF_VAR_stack_version=$version" >> $GITHUB_ENV
- name: Provision Test Environment (EC)
id: apply
if: success()
working-directory: ${{ env.TEST_ENVS_DIR }}
run: |
./manage_infrastructure.sh "elk-stack" "apply"
./manage_infrastructure.sh "elk-stack" "output"
- name: Install CSPM GCP integration
id: cspm-gcp-integration
working-directory: ${{ env.INTEGRATIONS_SETUP_DIR }}
env:
STACK_VERSION: ${{ env.ELK_VERSION }}
DEPLOYMENT_NAME: ${{env.GCP_DEPLOYMENT_NAME}}
run: |
poetry install
poetry run python ./install_cspm_gcp_integration.py
- name: Deploy CSPM GCP agent
id: cspm-gcp-agent
working-directory: deploy/deployment-manager
env:
DEPLOYMENT_LABELS: ${{ env.GCP_DEFAULT_TAGS }}
DEPLOYMENT_NAME: ${{env.GCP_DEPLOYMENT_NAME}}
run: |
. ./set_env.sh && ./deploy.sh && gcloud deployment-manager deployments update "${DEPLOYMENT_NAME}" --update-labels "${GCP_LABELS}"
- name: Check for findings
working-directory: ./tests
env:
USE_K8S: false
run: |
poetry install
poetry run pytest -k "cspm_gcp" --alluredir=./allure/results/ --clean-alluredir --maxfail=4
- name: Destory EC deployment
if: always()
working-directory: ${{ env.TEST_ENVS_DIR }}
run: |
./manage_infrastructure.sh "elk-stack" "destroy"
- name: Set up GCP Cloud SDK
if: always()
uses: "google-github-actions/setup-gcloud@v2"
- name: Delete GCP Deployment Manager deployment
if: always()
working-directory: ${{ env.TEST_ENVS_DIR }}
env:
DEPLOYMENT_NAME: ${{env.GCP_DEPLOYMENT_NAME}}
run: |
DEPLOYMENT="${DEPLOYMENT_NAME}"
PROJECT_NAME=$(gcloud config get-value core/project)
PROJECT_NUMBER=$(gcloud projects list --filter="${PROJECT_NAME}" --format="value(PROJECT_NUMBER)")
./delete_gcp_env.sh $PROJECT_NAME $PROJECT_NUMBER $DEPLOYMENT
# Test a GCP Deployment Manager deployment using a Service Account
gcp_dm_sa:
needs: gcp_dm_adc
name: CSPM GCP with SA
runs-on: ubuntu-22.04
timeout-minutes: 60
permissions:
contents: "read"
id-token: "write"
steps:
- name: Set up unique deployment names
run: |
suffix="$(date +%s | tail -c 3)"
echo "TF_VAR_deployment_name=gcp-dm-ci-sa-test-$suffix" >> $GITHUB_ENV
echo "GCP_AGENT_DEPLOYMENT_NAME=ea-cspm-gcp-ci-test-$suffix" >> $GITHUB_ENV
echo "GCP_SA_DEPLOYMENT_NAME=sa-cspm-gcp-ci-test-$suffix" >> $GITHUB_ENV
- name: Check out the repo
uses: actions/checkout@v4
- name: Init Hermit
run: ./bin/hermit env -r >> $GITHUB_ENV
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.9"
- name: Install Poetry
run: |
curl -sSL https://install.python-poetry.org | python3 -
poetry --version
- id: google-auth
name: Authenticate to Google Cloud
uses: google-github-actions/auth@v2
with:
workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }} # this also sets the project name
service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
- name: set TF_VAR_stack_version
run: |
version=$(grep defaultBeatVersion version/version.go | cut -f2 -d "\"")
echo "TF_VAR_stack_version=$version" >> $GITHUB_ENV
- name: Provision Test Environment (EC)
id: deploy_ec
if: success()
working-directory: ${{ env.TEST_ENVS_DIR }}
run: |
./manage_infrastructure.sh "elk-stack" "apply"
./manage_infrastructure.sh "elk-stack" "output"
- name: Set up GCP Cloud SDK
if: always()
uses: "google-github-actions/setup-gcloud@v2"
- name: Deploy GCP Service Account and Agent
id: gcp_deploy
env:
STACK_VERSION: ${{ env.ELK_VERSION }}
run: |
# Deploys a GCP Service Account
cd "${DEPLOYMENT_MANAGER_DIR}"
export DEPLOYMENT_NAME="${GCP_SA_DEPLOYMENT_NAME}"
export SERVICE_ACCOUNT_NAME="${GCP_SA_DEPLOYMENT_NAME}-sa"
./deploy_service_account.sh
mv KEY_FILE.json "../../${INTEGRATIONS_SETUP_DIR}"
# Installs CSPM GCP integration
cd "../../${INTEGRATIONS_SETUP_DIR}"
export SERVICE_ACCOUNT_JSON_PATH="KEY_FILE.json"
export DEPLOYMENT_NAME="${GCP_AGENT_DEPLOYMENT_NAME}"
poetry install
poetry run python ./install_cspm_gcp_integration.py
# Deploys the agent using an existing service account (SERVICE_ACCOUNT_NAME)
cd "../../${DEPLOYMENT_MANAGER_DIR}"
. ./set_env.sh && ./deploy.sh && gcloud deployment-manager deployments update "${DEPLOYMENT_NAME}" --update-labels "${GCP_LABELS}"
- name: Check for findings
working-directory: ./tests
env:
USE_K8S: false
run: |
poetry install
poetry run pytest -k "cspm_gcp" --alluredir=./allure/results/ --clean-alluredir --maxfail=4
- name: Destory EC deployment
if: always()
working-directory: ${{ env.TEST_ENVS_DIR }}
run: |
./manage_infrastructure.sh "elk-stack" "destroy"
- name: Delete GCP Deployments
if: always()
working-directory: ${{ env.TEST_ENVS_DIR }}
run: |
PROJECT_NAME=$(gcloud config get-value core/project)
PROJECT_NUMBER=$(gcloud projects list --filter="${PROJECT_NAME}" --format="value(PROJECT_NUMBER)")
./delete_gcp_env.sh $PROJECT_NAME $PROJECT_NUMBER "${GCP_SA_DEPLOYMENT_NAME}" "${GCP_AGENT_DEPLOYMENT_NAME}"