From cd2add6bbda1bb955d8644ef7990213f5af395f8 Mon Sep 17 00:00:00 2001
From: Roi Klorin
Date: Wed, 13 Nov 2024 21:37:03 +0200
Subject: [PATCH] changed Set IP in AWS Security Group in sonar_single_account_cli.yml

---
 .../workflows/sonar_single_account_cli.yml | 182 ++++++++++--------
 1 file changed, 107 insertions(+), 75 deletions(-)

diff --git a/.github/workflows/sonar_single_account_cli.yml b/.github/workflows/sonar_single_account_cli.yml
index 12e8cc16..1a77ec6c 100644
--- a/.github/workflows/sonar_single_account_cli.yml
+++ b/.github/workflows/sonar_single_account_cli.yml
@@ -11,6 +11,10 @@ on:
         type: string
     secrets:
+      AWS_ACCESS_KEY_ID:
+        required: true
+      AWS_SECRET_ACCESS_KEY:
+        required: true
       AWS_ACCESS_KEY_ID_STAGE:
         required: true
       AWS_SECRET_ACCESS_KEY_STAGE:
@@ -37,11 +41,13 @@ env:
   TF_CLI_ARGS: "-no-color"
   TF_INPUT: 0
   TF_VAR_gw_count: 1
-  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_STAGE }}
-  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_STAGE }}
-  JUMP_SERVER_KEY: ${{ secrets.JUMP_SERVER_KEY }}
+  EXAMPLE_DIR: ./examples/aws/installation/sonar_single_account_deployment
   AWS_REGION: ap-southeast-1
-  TF_WORKSPACE: sonar_single_account_cli
+  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+  TF_WORKSPACE: "sonar_single_account_cli"
+  JUMP_SERVER_KEY: ${{ secrets.JUMP_SERVER_KEY }}
+  AWS_KEY_PATH: "jump_server_key.cer"
   DESTROY_DELAY_SECONDS: 10
   TF_VAR_additional_tags: ${{ secrets.DEPLOYMENT_TAGS }}
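Review bot: The job-level `env:` in the second hunk now exports `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` (and `JUMP_SERVER_KEY`) to every step of the job, including the third-party actions it runs (`sergeysova/jq-action`, `appleboy/ssh-action`, `hashicorp/setup-terraform`, `actions/upload-artifact`), which widens where the dev-account credentials are readable. Only the Terraform steps and `Add Profile Credentials` need them, so the two keys could move to a step-level `env:` on those steps, the way the patch already scopes the stage credentials on `Set IP in AWS Security Group`. `AWS_KEY_PATH: "jump_server_key.cer"` names a private-key file that a later step writes under `EXAMPLE_DIR`; a comment such as `# private key is written into EXAMPLE_DIR by "Create Key File"; keep that path out of artifacts` next to it would make that coupling visible.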
@@ -50,21 +56,8 @@ permissions:
 jobs:
   terraform:
-
-    strategy:
-      max-parallel: 1
-      matrix:
-        include:
-          - name: single account
-            example_dir: examples/aws/installation/sonar_single_account_deployment
-            target_dir: single_account
-
-    name: '${{ matrix.name }} ${{ inputs.branch }}'
+    name: 'Sonar Single Account ${{ inputs.branch }}'
     runs-on: ubuntu-latest
-    env:
-      EXAMPLE_DIR: ./${{ matrix.example_dir }}
-      REMOTE_EXAMPLE_DIR: ./${{ matrix.target_dir }}/dsfkit/${{ matrix.example_dir }}
-      TARGET_DIR: ${{ matrix.target_dir }}
     environment: test
     # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
@@ -79,48 +72,10 @@ jobs:
         with:
           ref: ${{ inputs.branch }}
-      - name: Setup jq
-        uses: sergeysova/jq-action@v2
-      - name: Get The Public IP
-        run: echo curr_ip=$(curl -s https://ipinfo.io/ip) >> $GITHUB_ENV
-      - name: Set IP in AWS Security Group
-        run: |
-          aws_sg=$(aws ec2 authorize-security-group-ingress --group-id ${{ vars.JUMP_SERVER_SG_ID }} --protocol tcp --port 22 --cidr $curr_ip/32)
-          echo sg_id=$(echo $aws_sg | jq '.SecurityGroupRules[0].SecurityGroupRuleId') >> $GITHUB_ENV
       - name: Change the modules source to local
         run: |
           find ./examples/ -type f -exec sed -i -f sed.expr {} \;
-      - name: Cleaning environment
-        continue-on-error: true
-        uses: appleboy/ssh-action@v1.0.0
-        with:
-          host: 54.179.25.83
-          username: ec2-user
-          key: ${{ env.JUMP_SERVER_KEY }}
-          port: 22
-          command_timeout: "2h"
-          envs: REMOTE_EXAMPLE_DIR,TF_WORKSPACE
-          script: |
-            terraform -chdir=$REMOTE_EXAMPLE_DIR destroy -auto-approve
-      - name: Delete Old Environment
-        uses: appleboy/ssh-action@v1.0.0
-        with:
-          host: 54.179.25.83
-          username: ec2-user
-          key: ${{ env.JUMP_SERVER_KEY }}
-          port: 22
-          command_timeout: "2h"
-          envs: TARGET_DIR
-          script: |
-            cd $TARGET_DIR
-            rm -rf dsfkit
-            rm -rf dsfkit.zip
       - name: Create terraform backend file
         run: |
           cat << EOF > $EXAMPLE_DIR/backend.tf
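Review bot: Removing the job `env:` block in the first hunk here drops `TARGET_DIR` (and `REMOTE_EXAMPLE_DIR`), yet the `Delete Old Environment` SSH step kept later in this patch still passes `envs: TARGET_DIR` and runs `cd $TARGET_DIR` before `rm -rf dsfkit`; with the variable undefined that script changes to the remote user's home directory and deletes from there, unless `TARGET_DIR` is set somewhere outside this diff. Either re-add `TARGET_DIR: single_account` (the value the removed matrix supplied) to the job `env:`, or remove the remote cleanup step now that the zip/SCP/unzip flow it served is gone. The `strategy`/`matrix` removal itself is fine since only one entry existed; `jobs.terraform` continues past the hunk.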
@@ -140,31 +95,56 @@ jobs:
           ${{ vars.TFVAR_PARAMETERS_SINGLE_ACCOUNT_AUTOMATION_V1 }}
           EOF
-      - name: View The Vars
+      - name: Cat tfvars File
         run: cat $EXAMPLE_DIR/terraform.tfvars
-      - name: Create a ZIP File
-        run: zip -r dsfkit.zip ../dsfkit
+      - name: Add Profile Credentials to ~/.aws/credentials
+        run: |
+          aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID --profile ${{ vars.DEV_PROFILE_NAME }}
+          aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY --profile ${{ vars.DEV_PROFILE_NAME }}
+          aws configure set aws_access_key_id ${{ secrets.AWS_ACCESS_KEY_ID_STAGE }} --profile ${{ vars.STAGE_PROFILE_NAME }}
+          aws configure set aws_secret_access_key ${{ secrets.AWS_SECRET_ACCESS_KEY_STAGE }} --profile ${{ vars.STAGE_PROFILE_NAME }}
+
+      - name: Get The Public IP
+        run: echo curr_ip=$(curl -s https://ipinfo.io/ip) >> $GITHUB_ENV
+
+      - name: Set IP in AWS Security Group
+        env:
+          AWS_REGION: ap-southeast-1
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_STAGE }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_STAGE }}
+        run: |
+          aws_sg=$(aws ec2 authorize-security-group-ingress --group-id ${{ vars.JUMP_SERVER_SG_ID }} --protocol tcp --port 22 --cidr $curr_ip/32)
+          echo sg_id=$(echo $aws_sg | jq '.SecurityGroupRules[0].SecurityGroupRuleId') >> $GITHUB_ENV
-      - name: View The ZIP File
+      - name: Create Key File
         run: |
-          ls -l
-          pwd
+          echo "${{ secrets.JUMP_SERVER_KEY }}" > $EXAMPLE_DIR/$AWS_KEY_PATH
+          sudo chmod 400 $EXAMPLE_DIR/$AWS_KEY_PATH
-      - name: SCP the ZIP File
-        uses: appleboy/scp-action@master
+      # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
         with:
-          host: 54.179.25.83
-          username: ec2-user
-          key: ${{ env.JUMP_SERVER_KEY }}
-          port: 22
-          source: "dsfkit.zip"
-          timeout: "10m"
-          target: ${{ matrix.target_dir }}
-          overwrite: true
+          terraform_wrapper: false
+          terraform_version: ~1.7.0
-      - name: Unzip
+      - name: Setup jq
+        uses: sergeysova/jq-action@v2
+
+      # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
+      - name: Terraform Init
+        run: terraform -chdir=$EXAMPLE_DIR init
+
+      - name: Cleaning environment
+        run: |
+          mv $EXAMPLE_DIR/main.tf{,_}
+          mv $EXAMPLE_DIR/outputs.tf{,_}
+          terraform -chdir=$EXAMPLE_DIR destroy -auto-approve
+          mv $EXAMPLE_DIR/main.tf{_,}
+          mv $EXAMPLE_DIR/outputs.tf{_,}
+
+      - name: Delete Old Environment
         uses: appleboy/ssh-action@v1.0.0
         with:
           host: 54.179.25.83
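Review bot: `Set IP in AWS Security Group` pipes the CLI output into `jq`, but the `Setup jq` step that installs it is now ordered after it (following `Setup Terraform`), so the step only succeeds because the runner image happens to ship jq; move `Setup jq` above `Get The Public IP`. The rewritten `Cleaning environment` lost the `continue-on-error: true` the removed SSH version carried, and if the job's default bash shell (`-e`) is in effect a failing `terraform destroy` exits before the two `mv …{_,}` lines, leaving `main.tf_`/`outputs.tf_` renamed for the `if: always()` `Terraform Destroy` at the end; restoring them via `trap 'mv $EXAMPLE_DIR/main.tf{_,}; mv $EXAMPLE_DIR/outputs.tf{_,}' EXIT` as the first script line, or re-adding `continue-on-error: true`, fixes that. `Add Profile Credentials` and `Create Key File` expand `${{ secrets.* }}` directly into the script text; `JUMP_SERVER_KEY` is already in the job `env:`, so `echo "$JUMP_SERVER_KEY" > $EXAMPLE_DIR/$AWS_KEY_PATH` works as-is, and the two stage values could be passed through a step `env:` the way `Set IP in AWS Security Group` does, keeping secret material out of the rendered command. `Delete Old Environment` starts at the end of this hunk and its `with:` block continues in the next one.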
@@ -175,10 +155,62 @@ jobs:
           envs: TARGET_DIR
           script: |
             cd $TARGET_DIR
-            unzip -uq dsfkit.zip
+            rm -rf dsfkit
+            rm -rf dsfkit.zip
+
+      - name: Terraform Validate
+        run: terraform -chdir=$EXAMPLE_DIR validate
+
+      # Generates an execution plan for Terraform
+      - name: Terraform Plan
+        run: terraform -chdir=$EXAMPLE_DIR plan
+
+      - name: Terraform Apply
+        run: terraform -chdir=$EXAMPLE_DIR apply -auto-approve
+
+      - name: Terraform Output
+        if: always()
+        run: terraform -chdir=$EXAMPLE_DIR output -json
+      - name: Collect Artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: collected-keys-${{ env.TF_WORKSPACE }}
+          path: |
+            ${{ env.EXAMPLE_DIR }}/ssh_keys
+
+      - name: Check how was the workflow run
+        id: check-trigger
+        if: ${{ failure() }}
+        run: |
+          if [ "${{ github.event_name }}" == "schedule" ]; then
+            echo "run-by=Automation" >> $GITHUB_OUTPUT
+          else
+            echo "run-by=${{ github.actor }}" >> $GITHUB_OUTPUT
+          fi
+
+      # This step allows time for investigation of the failed resources before destroying them
+      - name: Conditional Delay
+        if: ${{ failure() }}
+        run: |
+          echo "delay_destroy: ${{ inputs.delay_destroy }}"
+          if [ "${{ inputs.delay_destroy }}" == "true" ]; then
+            echo "Terraform workspace: $TF_WORKSPACE"
+            curl -X POST -H 'Content-type: application/json' --data '{"text":":exclamation: :exclamation: :exclamation:\n*${{ github.workflow }} ${{ env.TF_WORKSPACE }} automation Failed*\n You have ${{ env.DESTROY_DELAY_SECONDS }} seconds to investigate the environment before it is destroyed :alarm_clock:\n\nRun by: ${{ steps.check-trigger.outputs.run-by }}", "channel": "#edsf_automation"}' ${{ secrets.SLACK_WEBHOOK_URL }}
+            echo ""
+            echo "Sleeping for $((DESTROY_DELAY_SECONDS / 60)) minutes before destroying the environment"
+            sleep $DESTROY_DELAY_SECONDS
+          fi
+
+      - name: Terraform Destroy
+        if: always()
+        run: terraform -chdir=$EXAMPLE_DIR destroy -auto-approve
       - name: Delete Security Group
+        env:
+          AWS_REGION: ap-southeast-1
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_STAGE }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_STAGE }}
         if: always()
         run: aws ec2 revoke-security-group-ingress --group-id ${{ vars.JUMP_SERVER_SG_ID }} --security-group-rule-ids ${{ env.sg_id }}
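Review bot: `Collect Artifacts` uploads `${{ env.EXAMPLE_DIR }}/ssh_keys`, which by its name holds private key material for the deployed hosts, with the repository's default artifact retention and no `if:` guard, so the keys stay downloadable by anyone with read access to the run for the whole retention window, yet are not collected when an earlier step fails, which is when an investigator needs them. Adding `if: always()` and a short `retention-days:` value (for example `retention-days: 1`) addresses both. `Delete Security Group` runs under `always()` even when `Set IP in AWS Security Group` never exported `sg_id`, in which case `--security-group-rule-ids` is empty and the step fails for an unrelated reason; a guard such as `if: ${{ always() && env.sg_id != '' }}` keeps the failure signal accurate. The three-line stage-credentials `env:` block is duplicated between this step and `Set IP in AWS Security Group`; a comment on the first occurrence, `# the jump-server security group lives in the stage account, so the job-level dev credentials are not used here`, would explain the override (this is inferred from the two credential sets and should be confirmed). The `Delete Old Environment` step whose script opens this hunk begins in the previous hunk.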