falcosecurity · poiana · Mar 25, 2024 · Aug 10, 2023 · Aug 10, 2023 · Mar 21, 2024
diff --git a/.github/workflows/terraform-apply.yml b/.github/workflows/terraform-apply.yml
@@ -0,0 +1,49 @@
+name: Terraform apply
+
+on:
+  push:
+    branches:
+    - master
+    paths:
+    - 'config/clusters/**'
+
+concurrency:
+  group: master-CI
+  cancel-in-progress: false
+
+defaults:
+  run:
+    working-directory: config/clusters
+
+jobs:
+  plan:
+    permissions:
+      id-token: write
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: hashicorp/setup-terraform@v2
+
+    - name: Configure AWS credentials 🔧⚙️
+      uses: aws-actions/configure-aws-credentials@v2
+      with:
+        role-to-assume: "arn:aws:iam::292999226676:role/github_actions-test-infra-cluster"
+        aws-region: eu-west-1
+
+    - name: Terraform fmt
+      id: fmt
+      run: terraform fmt -check
+      continue-on-error: true
+
+    - name: Terraform Init
+      id: init
+      run: terraform init
+
+    - name: Terraform Validate
+      id: validate
+      run: terraform validate -no-color
+
+    - name: Terraform Apply
+      id: apply
+      run: terraform apply -auto-approve
+
diff --git a/.github/workflows/terraform-plan.yml b/.github/workflows/terraform-plan.yml
@@ -0,0 +1,116 @@
+name: Terraform plan
+
+on:
+  pull_request:
+    branches:
+      - master
+    paths:
+    - 'config/clusters/**'
+
+defaults:
+  run:
+    working-directory: config/clusters
+
+jobs:
+  plan:
+    permissions:
+      pull-requests: write
+      id-token: write
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: hashicorp/setup-terraform@v2
+
+    - name: Configure AWS credentials 🔧⚙️
+      uses: aws-actions/configure-aws-credentials@v2
+      with:
+        role-to-assume: "arn:aws:iam::292999226676:role/github_actions-test-infra-reader"
+        aws-region: eu-west-1
+
+    - name: Terraform fmt
+      id: fmt
+      run: terraform fmt -check
+      continue-on-error: true
+
+    - name: Terraform Init
+      id: init
+      run: terraform init
+
+    - name: Terraform Validate
+      id: validate
+      run: terraform validate -no-color
+
+    - name: Run Terrascan
+      id: terrascan
+      uses: tenable/[email protected]
+      with:
+        iac_type: terraform
+        iac_version: v14
+        policy_type: aws
+        only_warn: true
+
+    - name: Terraform Plan
+      id: plan
+      run: terraform plan -no-color
+      continue-on-error: true
+
+    - name: Update PR
+      id: plan-comment
+      uses: actions/github-script@v6
+      if: github.event_name == 'pull_request'
+      env:
+        PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        script: |
+          // 1. Retrieve existing bot comments for the PR
+          const { data: comments } = await github.rest.issues.listComments({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            issue_number: context.issue.number,
+          })
+          const botComment = comments.find(comment => {
+            return comment.user.type === 'Bot' && comment.body.includes('Terraform Format and Style')
+          })
+
+          // 2. Prepare format of the comment
+          const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
+          #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
+          #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
+          <details><summary>Validation Output</summary>
+
+          \`\`\`\n
+          ${{ steps.validate.outputs.stdout }}
+          \`\`\`
+
+          </details>
+
+          #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
+
+          <details><summary>Show Plan</summary>
+
+          \`\`\`\n
+          ${process.env.PLAN}
+          \`\`\`
+
+          </details>
+
+          *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.tf_actions_working_dir }}\`, Workflow: \`${{ github.workflow }}\`*`;
+
+          // 3. If we have a comment, update it, otherwise create a new one
+          if (botComment) {
+            github.rest.issues.updateComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              comment_id: botComment.id,
+              body: output
+            })
+          } else {
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            })
+          }
+
diff --git a/config/clusters/iam.tf b/config/clusters/iam.tf
@@ -266,10 +266,31 @@ module "test-infra_reader" {
   name    = "github_actions-test-infra-reader"
   create  = true
   subjects = [
-    "falcosecurity/test-infra:ref:refs/heads/*"
+    "falcosecurity/test-infra:ref:*"
   ]
   policies = {
     test-infra_read_access = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+    test-infra_state_lock  = "${aws_iam_policy.test-infra_state_lock.arn}"
+  }
+}
+
+resource "aws_iam_policy" "test-infra_state_lock" {
+  name_prefix = "github_actions-test-infra-cluster"
+  description = "Access policy for test-infra Terraform remote state lock"
+  policy      = data.aws_iam_policy_document.test-infra_state_lock.json
+}
+
+data "aws_iam_policy_document" "test-infra_state_lock" {
+  statement {
+    sid    = "DeployTestInfraClusterAccess"
+    effect = "Allow"
+    actions = [
+      "dynamodb:PutItem",
+      "dynamodb:DeleteItem"
+    ]
+    resources = [
+      "arn:aws:dynamodb:::table/${var.state_dynamodb_table_name}"
+    ]
   }
 }
 

diff --git a/config/clusters/iam_variables.tf b/config/clusters/iam_variables.tf
@@ -0,0 +1,5 @@
+variable "state_dynamodb_table_name" {
+  type        = string
+  description = "The name of the DynamoDB table for the Terraform state"
+  default     = "falco-test-infra-state-lock"
+}
diff --git a/config/clusters/prow.tfvars → config/clusters/prow.auto.tfvars b/config/clusters/prow.tfvars → config/clusters/prow.auto.tfvars
@@ -13,3 +13,17 @@ eks_default_worker_group_asg_desired_capacity = 3
 eks_default_worker_group_asg_max_capacity  = 10
 eks_jobs_worker_group_asg_max_capacity     = 20
 eks_jobs_arm_worker_group_asg_max_capacity = 20
+
+eks_roles = [
+  {
+    rolearn  = "arn:aws:iam::292999226676:role/github_actions-test-infra-cluster"
+    username = "githubactions-test-infra-cluster"
+    groups   = ["system:masters"]
+  },
+  {
+    rolearn  = "arn:aws:iam::292999226676:role/github_actions-test-infra-reader"
+    username = "githubactions-test-infra-reader"
+    groups   = ["aws-config-readers"]
+  },
+]
+