-
Notifications
You must be signed in to change notification settings - Fork 9
193 lines (168 loc) · 7.25 KB
/
nightly_sonar_poc_basic_cli.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
name: 'Nightly Sonar POC Basic CLI'
on:
workflow_call:
inputs:
branch:
required: true
type: string
workspace:
required: true
type: string
secrets:
AWS_ACCESS_KEY_ID:
required: true
AWS_SECRET_ACCESS_KEY:
required: true
SLACK_WEBHOOK_URL:
required: true
JUMP_SERVER_KEY:
required: false
DEPLOYMENT_TAGS:
required: true
workflow_dispatch:
inputs:
branch:
required: true
type: string
workspace:
required: true
type: choice
options:
- simple_cli_dev_nightly
- simple_cli_master_nightly
env:
TF_CLI_ARGS: "-no-color"
TF_INPUT: 0
TF_VAR_gw_count: 2
EXAMPLE_DIR: ./examples/aws/poc/sonar_basic_deployment
AWS_REGION: eu-west-2
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
TF_WORKSPACE: ${{ inputs.workspace }}
TF_VAR_additional_tags: ${{ secrets.DEPLOYMENT_TAGS }}
permissions:
contents: read
jobs:
terraform:
name: 'Terraform ${{ inputs.branch }}'
runs-on: ubuntu-latest
environment: test
# Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
defaults:
run:
shell: bash
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout
uses: actions/checkout@v3
with:
ref: ${{ inputs.branch }}
- name: Change the modules source to local
run: |
echo '${{ toJSON(github) }}'
find ./examples/ -type f -exec sed -i -f sed.expr {} \;
- name: Create terraform backend file
run: |
cat << EOF > $EXAMPLE_DIR/backend.tf
terraform {
backend "s3" {
bucket = "terraform-state-bucket-dsfkit-github-tests"
key = "states/terraform.tfstate"
dynamodb_table = "terraform-state-lock"
region = "us-east-1"
}
}
EOF
# Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
with:
terraform_wrapper: false
terraform_version: ~1.7.0
- name: Setup jq
uses: sergeysova/jq-action@v2
- name: Set DB Types To Onboard
run: |
echo "TF_VAR_simulation_db_types_for_agentless=[\"RDS MySQL\", \"RDS MsSQL\", \"RDS PostgreSQL\"]" >> $GITHUB_ENV
# Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
- name: Terraform Init
run: terraform -chdir=$EXAMPLE_DIR init
- name: Cleaning environment
run: |
mv $EXAMPLE_DIR/main.tf{,_}
mv $EXAMPLE_DIR/outputs.tf{,_}
terraform -chdir=$EXAMPLE_DIR destroy -auto-approve
mv $EXAMPLE_DIR/main.tf{_,}
mv $EXAMPLE_DIR/outputs.tf{_,}
# On push to "main", build or change infrastructure according to Terraform configuration files
# Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks
- name: Terraform Validate
run: terraform -chdir=$EXAMPLE_DIR validate
# Generates an execution plan for Terraform
- name: Terraform Plan
run: terraform -chdir=$EXAMPLE_DIR plan
- name: Terraform Apply
# if: github.ref == 'refs/heads/"master"' && github.event_name == 'push' || github.event_name == 'workflow_dispatch'
run: terraform -chdir=$EXAMPLE_DIR apply -auto-approve
- name: Terraform Output
if: always()
run: terraform -chdir=$EXAMPLE_DIR output -json
- name: Collect Artifacts
if: always()
uses: actions/upload-artifact@v4
with:
name: collected-keys-${{ env.TF_WORKSPACE }}
path: |
${{ env.EXAMPLE_DIR }}/ssh_keys
- name: Set Environment Variables
run: |
echo hub_ip=$(terraform -chdir=$EXAMPLE_DIR output -json | jq -r '.dsf_hub.value.public_dns') >> $GITHUB_ENV
echo agentless_gw_ip=$(terraform -chdir=$EXAMPLE_DIR output -json | jq -r '.dsf_agentless_gw.value."agentless-gw-0".private_dns') >> $GITHUB_ENV
echo dsf_ssh_key_file_name=$EXAMPLE_DIR/$(terraform -chdir=$EXAMPLE_DIR output -json | jq -r '.dsf_private_ssh_key_file_path.value') >> $GITHUB_ENV
# Test the ssh connectivity to the Hub and GW, it checks both of them because the connection to the GW is allowed from the Hub only via proxy
- name: Check SSH Connectivity - Hub & GW
uses: appleboy/[email protected]
with:
proxy_host: ${{ env.hub_ip }}
proxy_username: ec2-user
proxy_key_path: ${{ env.dsf_ssh_key_file_name }}
proxy_port: 22
host: ${{ env.agentless_gw_ip }}
username: ec2-user
key_path: ${{ env.dsf_ssh_key_file_name }}
port: 22
script: ip addr | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*' | grep -v '127.0.0.1'
- name: Check Aduit data
uses: appleboy/[email protected]
id: test_audit
with:
host: ${{ env.hub_ip }}
username: ec2-user
key_path: ${{ env.dsf_ssh_key_file_name }}
port: 22
command_timeout: "2h"
script: |
sleep 35m
for run in {1..8}; do sleep 5m; res=$(sudo curl --cert "${JSONAR_LOCALDIR}/ssl/client/admin/cert.pem" --key "${JSONAR_LOCALDIR}/ssl/client/admin/key.pem" -X POST -k -H 'sonarg-user: admin.admin' https://localhost:8088/sonargd-session/_count | jq .count); echo $res; if [ $res -gt 0 ]; then exit 0; fi; done
if [ $res -le 0 ]; then exit 1; fi
- name: Terraform Destroy
# if: always()
run: terraform -chdir=$EXAMPLE_DIR destroy -auto-approve
- name: Check how was the workflow run
id: check-trigger
if: ${{ failure() }}
run: |
if [ "${{ github.event_name }}" == "schedule" ]; then
echo "run-by=Automation" >> $GITHUB_OUTPUT
else
echo "run-by=${{ github.actor }}" >> $GITHUB_OUTPUT
fi
# Send job failure to Slack
- name: Send Slack When Failure
run: |
if [ ${{ inputs.branch }} == 'master' ]; then
curl -X POST -H 'Content-type: application/json' --data '{"text":":exclamation: :exclamation: :exclamation:\n*Sonar Basic Prod ${{ inputs.workspace }} automation Failed*\n<https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|Please check the job!>\nRun by: ${{ steps.check-trigger.outputs.run-by }}", "channel": "#dsfkit-prod"}' ${{ secrets.SLACK_WEBHOOK_URL }}
else
curl -X POST -H 'Content-type: application/json' --data '{"text":":exclamation: :exclamation: :exclamation:\n*Sonar Basic Dev nightly ${{ inputs.workspace }} automation Failed*\n<https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|Please check the job!>\nRun by: ${{ steps.check-trigger.outputs.run-by }}", "channel": "#edsf_automation"}' ${{ secrets.SLACK_WEBHOOK_URL }}
fi
if: ${{ failure() }}