-
Notifications
You must be signed in to change notification settings - Fork 11
384 lines (344 loc) · 16.7 KB
/
Copy pathdsf_poc_cli.yml
File metadata and controls
384 lines (344 loc) · 16.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
name: 'DSF POC CLI - AWS'
on:
workflow_call:
inputs:
use_modules_from_terraform_registry:
required: true
type: boolean
explicit_ref:
required: true
type: string
deployment_type:
required: false
type: string
default: 'all-permutations'
version:
type: string
default: 'latest'
required: false
# defining secrets here is required since this yml is referenced by nightly_manager.yml
secrets:
AWS_ACCESS_KEY_ID:
required: true
AWS_SECRET_ACCESS_KEY:
required: true
SLACK_WEBHOOK_URL:
required: true
DAM_LICENSE:
required: true
ALLOWED_SSH_CIDRS:
required: true
DEPLOYMENT_TAGS:
required: true
PASSWORD:
required: true
workflow_dispatch:
inputs:
use_modules_from_terraform_registry:
type: boolean
required: false
delay_destroy:
description: 'Delay the destroy step and subsequent steps to allow investigation'
type: boolean
default: false
required: false
deployment_type:
description: 'Choose the type of deployments to run: sonar-with-fam, all-products or all-permutations'
type: string
default: 'all-permutations'
required: false
product_version:
description: 'Product version to deploy. Valid for options: sonar-with-fam. Otherwise latest per product is used.'
type: string
default: 'latest'
required: false
push:
branches:
- 'dev'
paths:
- 'modules/aws/**'
- '!modules/aws/sonar-upgrader/**'
- '!modules/aws/statistics/*'
- 'modules/null/**'
- '!modules/null/statistics/*'
- 'examples/aws/poc/dsf_deployment/*'
pull_request:
types:
- 'opened'
- 'reopened'
branches:
- 'dev'
paths:
- 'modules/aws/**'
- '!modules/aws/sonar-upgrader/*'
- '!modules/aws/statistics/*'
- 'modules/null/**'
- '!modules/null/statistics/*'
- 'examples/aws/poc/dsf_deployment/*'
env:
TF_CLI_ARGS: "-no-color"
TF_INPUT: 0
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
DESTROY_DELAY_SECONDS: 1800
TF_VAR_additional_tags: ${{ vars.DEPLOYMENT_TAGS }}
permissions:
contents: read
jobs:
prepare-matrix:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
deployment_version: ${{ steps.set-deployment-version.outputs.deployment_version }}
steps:
- name: Set Matrix
id: set-matrix
env:
VAR: ${{ github.event.inputs.deployment_type || 'all-permutations' }}
run: |
MATRIX=$(jq -n --compact-output --arg var "$VAR" '{
"include": [
(if $var == "all-permutations" or $var == "all-products" then {"name":"DSF POC","workspace":"dsf_cli-all-","enable_sonar":true,"enable_ciphertrust":true,"enable_dam":true,"enable_dra":true} else empty end),
(if $var == "all-permutations" or $var == "sonar-with-fam" then {"name":"DSF POC - Sonar with FAM","workspace":"dsf_cli-sonar-with-fam-","enable_sonar":true,"enable_ciphertrust":true,"enable_dam":false,"enable_dra":false} else empty end)
]
}')
echo "matrix=$MATRIX" >> "$GITHUB_OUTPUT"
- name: Set deployment version
id: set-deployment-version
run: |
DEPLOYMENT_VERSION=""
if [[ "${{ github.event.inputs.product_version }}" != "latest" && -n "${{ github.event.inputs.product_version }}" ]]; then
if [[ "${{ github.event.inputs.deployment_type }}" == "dam" ]]; then
DEPLOYMENT_VERSION="dam_version=${{ github.event.inputs.product_version }}"
elif [[ "${{ github.event.inputs.deployment_type }}" == "dra" ]]; then
DEPLOYMENT_VERSION="dra_version=${{ github.event.inputs.product_version }}"
elif [[ "${{ github.event.inputs.deployment_type }}" == "sonar" ]]; then
DEPLOYMENT_VERSION="sonar_version=${{ github.event.inputs.product_version }}"
elif [[ "${{ github.event.inputs.deployment_type }}" == "sonar-with-fam" ]]; then
DEPLOYMENT_VERSION="sonar_version=${{ github.event.inputs.product_version }}"
fi
fi
echo "deployment_version=$DEPLOYMENT_VERSION" >> $GITHUB_OUTPUT
terraform:
needs: prepare-matrix
strategy:
fail-fast: false
matrix: ${{ fromJson(needs.prepare-matrix.outputs.matrix) }}
name: '${{ matrix.name }}'
runs-on: ubuntu-latest
env:
EXAMPLE_DIR: ./examples/aws/poc/dsf_deployment
AWS_REGION: eu-west-2
TF_VAR_enable_sonar: ${{ matrix.enable_sonar }}
TF_VAR_enable_ciphertrust: ${{ matrix.enable_ciphertrust }}
TF_VAR_enable_dam: ${{ matrix.enable_dam }}
TF_VAR_enable_dra: ${{ matrix.enable_dra }}
TF_VAR_allowed_ssh_cidrs: ${{ vars.ALLOWED_SSH_CIDRS }}
TF_VAR_password: ${{ secrets.PASSWORD }}
TF_VAR_dns_zone_domain: ${{ vars.DNS_ZONE_DOMAIN }}
TF_VAR_dns_route53_role_arn: ${{ vars.DNS_ROUTE53_ROLE_ARN }}
TF_VAR_dns_route53_zone_id: ${{ vars.DNS_ROUTE53_ZONE_ID }}
DEPLOYMENT_VERSION: ${{ needs.prepare-matrix.outputs.deployment_version }}
# Define the dynamic version string based on deployment_type and product_version
environment: test
# Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
defaults:
run:
shell: bash
steps:
- name: Pick ref
run: |
if [ -z "${{ inputs.explicit_ref }}" ]; then
echo REF=${{ github.ref }} >> $GITHUB_ENV;
else
echo REF=${{ inputs.explicit_ref }} >> $GITHUB_ENV;
fi
- name: Set Workspace Name
run: |
echo "Event Name: ${{ github.event_name }}"
if [ ${{ github.event_name }} == 'schedule' ]; then
echo TF_WORKSPACE=${{ matrix.workspace }}${{ github.event_name }}-$REF >> $GITHUB_ENV
else
echo TF_WORKSPACE=${{ matrix.workspace }}${{ github.run_number }}-${{ github.run_attempt }}-${{ inputs.explicit_ref }} >> $GITHUB_ENV
echo TMP_WORKSPACE_NAME=${{ matrix.workspace }}${{ github.run_number }}-${{ github.run_attempt }}-${{ inputs.explicit_ref }} >> $GITHUB_ENV
fi
# Checkout the repository to the GitHub Actions runner
- name: Checkout
uses: actions/checkout@v3
with:
ref: ${{ env.REF }}
- name: Change the modules source to local
if: ${{ inputs.use_modules_from_terraform_registry == false }}
run: |
find ./examples/ -type f -exec sed -i -f sed.expr {} \;
- name: Create terraform backend file
run: |
cat << EOF > $EXAMPLE_DIR/backend.tf
terraform {
backend "s3" {
bucket = "terraform-state-bucket-dsfkit-github-tests"
key = "states/terraform.tfstate"
dynamodb_table = "terraform-state-lock"
region = "us-east-1"
}
}
EOF
# Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
with:
terraform_wrapper: false
terraform_version: ~1.7.0
- name: Setup jq
uses: sergeysova/jq-action@v2
- name: Create License File
env:
MY_SECRET: ${{ secrets.DAM_LICENSE }}
run: |
echo "${{ secrets.DAM_LICENSE }}" | base64 -d > $EXAMPLE_DIR/license.mprv
cat $EXAMPLE_DIR/license.mprv
# Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
- name: Terraform Init
run: terraform -chdir=$EXAMPLE_DIR init
env:
TF_WORKSPACE: default
- name: Cleaning environment
run: |
if [ ${{ github.event_name }} == 'schedule' ]; then
mv $EXAMPLE_DIR/main.tf{,_}
mv $EXAMPLE_DIR/outputs.tf{,_}
mv $EXAMPLE_DIR/dam.tf{,_}
mv $EXAMPLE_DIR/dra.tf{,_}
mv $EXAMPLE_DIR/sonar.tf{,_}
mv $EXAMPLE_DIR/networking.tf{,_}
mv $EXAMPLE_DIR/agentless_sources.tf{,_}
mv $EXAMPLE_DIR/agent_sources.tf{,_}
mv $EXAMPLE_DIR/versions.tf{,_}
mv $EXAMPLE_DIR/cm.tf{,_}
mv $EXAMPLE_DIR/cte_ddc_agents.tf{,_}
mv $EXAMPLE_DIR/fam_classification_integration_resources.tf{,_}
mv $EXAMPLE_DIR/dns.tf{,_}
# Try destroy first
if ! terraform -chdir=$EXAMPLE_DIR destroy -var dam_license=license.mprv -auto-approve; then
echo "First destroy attempt failed, trying to remove ciphertrust_trial_license state"
# Try to remove the state, but don't fail if this doesn't work
terraform -chdir=$EXAMPLE_DIR state rm ciphertrust_trial_license.trial_license || true
# Retry destroy
terraform -chdir=$EXAMPLE_DIR destroy -var dam_license=license.mprv -auto-approve
fi
mv $EXAMPLE_DIR/main.tf{_,}
mv $EXAMPLE_DIR/outputs.tf{_,}
mv $EXAMPLE_DIR/dam.tf{_,}
mv $EXAMPLE_DIR/dra.tf{_,}
mv $EXAMPLE_DIR/sonar.tf{_,}
mv $EXAMPLE_DIR/networking.tf{_,}
mv $EXAMPLE_DIR/agentless_sources.tf{_,}
mv $EXAMPLE_DIR/agent_sources.tf{_,}
mv $EXAMPLE_DIR/versions.tf{_,}
mv $EXAMPLE_DIR/cm.tf{_,}
mv $EXAMPLE_DIR/cte_ddc_agents.tf{_,}
mv $EXAMPLE_DIR/fam_classification_integration_resources.tf{_,}
mv $EXAMPLE_DIR/dns.tf{_,}
fi
- name: Terraform Validate
run: terraform -chdir=$EXAMPLE_DIR validate
# Generates an execution plan for Terraform
- name: Terraform Plan
run: |
terraform -chdir=$EXAMPLE_DIR workspace list
# Only pass DEPLOYMENT_VERSION if it's not empty
if [ -n "${{ env.DEPLOYMENT_VERSION }}" && ${{ env.DEPLOYMENT_VERSION }} != $'\n' ]; then
terraform -chdir=$EXAMPLE_DIR plan -var dam_license=license.mprv -var ${{ env.DEPLOYMENT_VERSION }}
else
terraform -chdir=$EXAMPLE_DIR plan -var dam_license=license.mprv
fi
# On push to "main", build or change infrastructure according to Terraform configuration files
# Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks
- name: Terraform Apply
id: apply
# if: github.ref == 'refs/heads/"master"' && github.event_name == 'push' || github.event_name == 'workflow_dispatch'
run: |
if [ -n "${{ env.DEPLOYMENT_VERSION }}" && ${{ env.DEPLOYMENT_VERSION }} != $'\n' ]; then
terraform -chdir=$EXAMPLE_DIR apply -var dam_license=license.mprv -var ${{ env.DEPLOYMENT_VERSION }} -auto-approve
else
terraform -chdir=$EXAMPLE_DIR apply -var dam_license=license.mprv -auto-approve
fi
- name: Terraform Output
if: always()
run: terraform -chdir=$EXAMPLE_DIR output -json
- name: Collect Artifacts
id: collect-artifacts
if: always()
uses: actions/upload-artifact@v4
with:
name: collected-keys-${{ env.TF_WORKSPACE }}
path: |
${{ env.EXAMPLE_DIR }}/ssh_keys
- name: Check how was the workflow run
id: check-trigger
if: ${{ failure() }}
run: |
if [ "${{ github.event_name }}" == "schedule" ]; then
echo "run-by=Automation" >> $GITHUB_OUTPUT
else
echo "run-by=${{ github.actor }}" >> $GITHUB_OUTPUT
fi
# This step allows time for investigation of the failed resources before destroying them
- name: Conditional Delay
if: ${{ failure() }}
run: |
echo "delay_destroy: ${{ inputs.delay_destroy }}"
if [ "${{ inputs.delay_destroy }}" == "true" ]; then
echo "Terraform workspace: $TF_WORKSPACE"
curl -X POST -H 'Content-type: application/json' --data '{"text":":exclamation: :exclamation: :exclamation:\n*${{ github.workflow }} ${{ env.TF_WORKSPACE }} automation Failed*\n You have ${{ env.DESTROY_DELAY_SECONDS }} seconds to investigate the environment before it is destroyed :alarm_clock:\n<https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|Please check the job!>\nRun by: ${{ steps.check-trigger.outputs.run-by }}", "channel": "#edsf_automation"}' ${{ secrets.SLACK_WEBHOOK_URL }}
echo ""
echo "Sleeping for $((DESTROY_DELAY_SECONDS / 60)) minutes before destroying the environment"
sleep $DESTROY_DELAY_SECONDS
fi
- name: Terraform Destroy
id: destroy
if: always()
run: |
# Try destroy first
if [ -n "${{ env.DEPLOYMENT_VERSION }}" && ${{ env.DEPLOYMENT_VERSION }} != $'\n' ]; then
DESTROY_CMD="terraform -chdir=$EXAMPLE_DIR destroy -var dam_license=license.mprv -var ${{ env.DEPLOYMENT_VERSION }} -auto-approve"
else
DESTROY_CMD="terraform -chdir=$EXAMPLE_DIR destroy -var dam_license=license.mprv -auto-approve"
fi
if ! eval $DESTROY_CMD; then
echo "First destroy attempt failed, trying to remove ciphertrust_trial_license state"
# Try to remove the state, but don't fail if this doesn't work
terraform -chdir=$EXAMPLE_DIR state rm ciphertrust_trial_license.trial_license || true
# Retry destroy
eval $DESTROY_CMD
fi
- name: Terraform Delete Workspace
if: always()
run: |
if [ '${{ steps.destroy.conclusion }}' == 'success' ] && [ ${{ github.event_name }} != 'schedule' ]; then
terraform -chdir=$EXAMPLE_DIR workspace delete $TMP_WORKSPACE_NAME
fi
env:
TF_WORKSPACE: default
# Send job failure to Slack
- name: Send Slack When Failure
run: |
if [ ${{ env.REF }} == 'master' ]; then
curl -X POST -H 'Content-type: application/json' --data '{"text":":exclamation: :exclamation: :exclamation:\n*${{ matrix.name }} Prod ${{ inputs.workspace }} automation Failed*\n<https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|Please check the job!>\nRun by: ${{ steps.check-trigger.outputs.run-by }}", "channel": "#dsfkit-prod"}' ${{ secrets.SLACK_WEBHOOK_URL }}
elif [ ${{ env.REF }} == 'dev' ]; then
curl -X POST -H 'Content-type: application/json' --data '{"text":":exclamation: :exclamation: :exclamation:\n*${{ matrix.name }} dev ${{ inputs.workspace }} automation Failed*\n<https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|Please check the job!>\nRun by: ${{ steps.check-trigger.outputs.run-by }}", "channel": "#edsf_automation"}' ${{ secrets.SLACK_WEBHOOK_URL }}
else
curl -X POST -H 'Content-type: application/json' --data '{"text":":exclamation: :exclamation: :exclamation:\n*${{ matrix.name }} private branch ${{ inputs.workspace }} automation Failed*\n<https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|Please check the job!>\nRun by: ${{ steps.check-trigger.outputs.run-by }}", "channel": "#edsf_automation"}' ${{ secrets.SLACK_WEBHOOK_URL }}
fi
if: ${{ failure() }}
# This step allows time for investigation of the failed resources before destroying them
- name: Conditional Delay
run: |
echo "delay_destroy: ${{ inputs.delay_destroy }}"
if [ "${{ inputs.delay_destroy }}" == "true" ]; then
echo "Terraform workspace: $TF_WORKSPACE"
curl -X POST -H 'Content-type: application/json' --data '{"text":":exclamation: :exclamation: :exclamation:\n*${{ github.workflow }} ${{ env.TF_WORKSPACE }} automation Failed*\n You have ${{ env.DESTROY_DELAY_SECONDS }} seconds to investigate the environment before it is destroyed :alarm_clock:\n<https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|Please check the job!>\nRun by: ${{ steps.check-trigger.outputs.run-by }}", "channel": "#edsf_automation"}' ${{ secrets.SLACK_WEBHOOK_URL }}
echo ""
echo "Sleeping for $((DESTROY_DELAY_SECONDS / 60)) minutes before destroying the environment"
sleep $DESTROY_DELAY_SECONDS
fi