From 323102342a988ebfc6f2c48f16eb9e5a6daffda2 Mon Sep 17 00:00:00 2001
From: Mykhailo Nikiforov
Date: Sat, 9 Dec 2023 09:06:22 +0200
Subject: [PATCH] feat(workflows): init terraform
---
 security/blackbox-decrypt.yml | 32 +++++++++
 security/checks-trivy.yml | 43 ++++++++++++
 terraform/tf-apply.yml | 122 ++++++++++++++++++++++++++++++++++
 terraform/tf-docs.yml | 41 ++++++++++++
 terraform/tf-plan.yml | 69 +++++++++++++++++++
 5 files changed, 307 insertions(+)
 create mode 100644 security/blackbox-decrypt.yml
 create mode 100644 security/checks-trivy.yml
 create mode 100644 terraform/tf-apply.yml
 create mode 100644 terraform/tf-docs.yml
 create mode 100644 terraform/tf-plan.yml
diff --git a/security/blackbox-decrypt.yml b/security/blackbox-decrypt.yml
new file mode 100644
index 0000000..945d33d
--- /dev/null
+++ b/security/blackbox-decrypt.yml
@@ -0,0 +1,32 @@
+# - name: Blackbox decrypt
+# uses: https://git.palkoi.net/local/workflows/security/blackbox-decrypt.yml
+# secrets:
+# gpg-key: ${{ secrets.gpg-key }}
+name: blackbox-decrypt
+on:
+ workflow_call:
+ secrets:
+ gpg-key:
+ required: true
+ type: string
+
+jobs:
+ blackbox-decrypt:
+ name: Blackbox Decrypt
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Clone blackbox repo
+ uses: actions/checkout@v4
+ with:
+ repository: xaked/blackbox
+ path: /tmp/blackbox
+ ref: master
+ - name: Decrypt secrets
+ shell: bash
+ run: |
+ cd /tmp/blackbox || exit 1;
+ make copy-install;
+ echo ${{ secrets.gpg-key }} | base64 -d | gpg --import;
+ cd ${{ github.workspace }};
+ blackbox_decrypt_all_files;
diff --git a/security/checks-trivy.yml b/security/checks-trivy.yml
new file mode 100644
index 0000000..6827777
--- /dev/null
+++ b/security/checks-trivy.yml
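Review bot: In the Decrypt secrets step, `echo ${{ secrets.gpg-key }} | base64 -d | gpg --import` splices the secret into the shell script the runner writes to disk and leaves it subject to word splitting; pass it through the environment instead, with `env:` / `GPG_KEY: ${{ secrets.gpg-key }}` on the step and `echo "$GPG_KEY" | base64 -d | gpg --import` in `run:`. `type: string` under `on.workflow_call.secrets.gpg-key` is not a valid key for a secret declaration (only `required` is; `type` belongs to `inputs`) and a strict workflow parser will reject the file. Checking out `xaked/blackbox` at `ref: master` and then running `make copy-install` executes whatever that branch holds on the day the job runs, so pin a commit SHA, and `path: /tmp/blackbox` is likely to be refused by actions/checkout, which expects the path to sit inside the workspace. Nothing in this job checks out the calling repository, so `blackbox_decrypt_all_files` runs against an empty `github.workspace`.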
@@ -0,0 +1,43 @@
+name: checks-trivy
+on:
+ workflow_call:
+
+jobs:
+ checks-trivy:
+ name: checks-trivy
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: hashicorp/setup-terraform@v2
+ with:
+ terraform_version: 1.5.7
+ cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
+ - name: Clone repo
+ uses: actions/checkout@v4
+ - name: Setup SSH key
+ uses: benoitchantre/setup-ssh-authentication-action@1.0.1
+ with:
+ private-key: ${{ secrets.SSH_PRIVATE_KEY }}
+ private-key-name: id_ed25519
+ known-hosts: ${{ secrets.SSH_KNOWN_HOSTS }}
+ - name: Run terraform init
+ shell: bash
+ run: terraform init
+ - name: Run Trivy vulnerability scanner in IaC mode (LOW/MED)
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: "config"
+ hide-progress: false
+ format: "table"
+ exit-code: "0"
+ ignore-unfixed: true
+ severity: "LOW,MEDIUM"
+ - name: Run Trivy vulnerability scanner in IaC mode (HIGH/CRIT)
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: "config"
+ hide-progress: false
+ format: "table"
+ exit-code: "1"
+ ignore-unfixed: true
+ severity: "CRITICAL,HIGH"
diff --git a/terraform/tf-apply.yml b/terraform/tf-apply.yml
new file mode 100644
index 0000000..6a500e2
--- /dev/null
+++ b/terraform/tf-apply.yml
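Review bot: `secrets.TF_API_TOKEN`, `secrets.SSH_PRIVATE_KEY` and `secrets.SSH_KNOWN_HOSTS` are consumed by the setup-terraform and Setup SSH key steps, yet `on.workflow_call` declares no `secrets:`, so a caller that does not use `secrets: inherit` supplies nothing, the values evaluate to empty, and `terraform init` fails (or runs unauthenticated) for a non-obvious reason; declare the three under `on.workflow_call.secrets` with `required: true`, the way tf-plan.yml declares its own. `aquasecurity/trivy-action@master` is a floating branch of a third-party action that runs with those credentials present in the job environment; pin it to a release tag or commit SHA. The two Trivy steps differ only in `severity` and `exit-code`, which is fine, but a one-line comment above them stating that LOW/MEDIUM is advisory while HIGH/CRITICAL gates the job would help the next reader.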
@@ -0,0 +1,122 @@
+name: tf-apply
+on:
+ workflow_call:
+ secrets:
+ gpg-key:
+ required: true
+ tf-api-token:
+ required: true
+ ssh-private-key:
+ required: true
+ ssh-known-hosts:
+ required: true
+
+jobs:
+ tf-plan:
+ name: Terraform Plan
+ runs-on: ubuntu-latest
+ outputs:
+ tfplanexitcode: ${{ steps.tfplan.outputs.exitcode }}
+
+ steps:
+ - name: Blackbox decrypt
+ uses: https://git.palkoi.net/local/workflows/security/blackbox-decrypt.yml
+ secrets:
+ gpg-key: ${{ secrets.gpg-key }}
+ - uses: hashicorp/setup-terraform@v2
+ with:
+ terraform_version: 1.5.7
+ cli_config_credentials_token: ${{ secrets.tf-api-token }}
+ - name: Clone repo
+ uses: actions/checkout@v4
+ - name: Setup SSH key
+ uses: benoitchantre/setup-ssh-authentication-action@1.0.1
+ with:
+ private-key: ${{ secrets.ssh-private-key }}
+ private-key-name: id_ed25519
+ known-hosts: ${{ secrets.ssh-known-hosts }}
+ - name: Restore terraform cache
+ uses: actions/cache@v3
+ id: cache-terraform-restore
+ with:
+ path: .terraform
+ key: ${{ github.repository }}-${{ runner.os }}-${{ runner.arch }}-tf
+ - name: Run terraform init
+ shell: bash
+ run: terraform init
+ - name: Run terraform validate
+ shell: bash
+ run: terraform validate
+ - name: Run terraform plan
+ id: tfplan
+ shell: bash
+ run: |
+ terraform plan -detailed-exitcode -out=tfplan.binary -input=false;
+ continue-on-error: true
+ - name: Check if job errored
+ if: ${{ steps.tfplan.outputs.exitcode == 1 }}
+ shell: sh
+ run: exit 1
+ - name: Upload terraform plan if diffs are detected
+ if: ${{ steps.tfplan.outputs.exitcode == 2 }}
+ uses: actions/upload-artifact@v3
+ with:
+ name: tfplan
+ path: tfplan.binary
+ - name: Save terraform cache
+ uses: actions/cache/save@v3
+ id: cache-terraform-save
+ with:
+ path: .terraform
+ key: ${{ steps.cache-terraform-restore.outputs.cache-primary-key }}
+
+ tf-apply:
+ name: Terraform Apply
+ needs: tf-plan
+ runs-on: ubuntu-latest
+ if: needs.tf-plan.outputs.tfplanexitcode == 2
+
+ steps:
+ - name: Blackbox decrypt
+ uses: https://git.palkoi.net/local/workflows/security/blackbox-decrypt.yml
+ secrets:
+ gpg-key: ${{ secrets.gpg-key }}
+ - uses: hashicorp/setup-terraform@v2
+ with:
+ terraform_version: 1.5.7
+ cli_config_credentials_token: ${{ secrets.tf-api-token }}
+ - name: Clone repo
+ uses: actions/checkout@v4
+ - name: Setup SSH key
+ uses: benoitchantre/setup-ssh-authentication-action@1.0.1
+ with:
+ private-key: ${{ secrets.ssh-private-key }}
+ private-key-name: id_ed25519
+ known-hosts: ${{ secrets.ssh-known-hosts }}
+ - name: Restore terraform cache
+ uses: actions/cache@v3
+ id: cache-terraform-restore
+ with:
+ path: .terraform
+ key: ${{ github.repository }}-${{ runner.os }}-${{ runner.arch }}-tf
+ - name: Download terraform plan
+ uses: actions/download-artifact@v3
+ with:
+ name: tfplan
+ - name: Run terraform init
+ shell: bash
+ run: terraform init
+ - name: Run terraform validate
+ shell: bash
+ run: terraform validate
+ - name: Run terraform apply
+ id: tfplan
+ shell: bash
+ run: |
+ terraform apply -input=false -auto-approve tfplan.binary;
+ - name: Save terraform cache
+ uses: actions/cache/save@v3
+ id: cache-terraform-save
+ with:
+ path: .terraform
+ key: ${{ steps.cache-terraform-restore.outputs.cache-primary-key }}
diff --git a/terraform/tf-docs.yml b/terraform/tf-docs.yml
new file mode 100644
index 0000000..7014b2a
--- /dev/null
+++ b/terraform/tf-docs.yml
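Review bot: The `Blackbox decrypt` entry under `steps:` (in both the `tf-plan` and `tf-apply` jobs here, and again in tf-plan.yml) calls a reusable workflow with a `secrets:` key from a step, but a workflow file can only be referenced from `jobs.<id>.uses` and a step accepts no `secrets:`, so the runner will reject the workflow at parse time. Even as a proper job-level call, the decryption would run on a different runner and the decrypted files would never reach this job's workspace, and as placed the step precedes `actions/checkout@v4`, so there is nothing to decrypt yet. The shape that works is to check the repository out first and run the decrypt as ordinary steps of the same job (or make blackbox-decrypt a composite action), with the GPG key passed via `env:` rather than interpolated into the script, as sketched below for the `tf-plan` job. Separately, `tf-apply` runs `terraform apply -auto-approve` on the downloaded plan with no `concurrency:` group or `environment:` gate, so two runs can plan and apply interleaved; whether Gitea Actions honours those keys should be confirmed first, but `concurrency: { group: tf-apply-${{ github.repository }}, cancel-in-progress: false }` at the top of the file is the minimum.
```yaml
    steps:
      - name: Clone repo
        uses: actions/checkout@v4
      - name: Clone blackbox repo
        uses: actions/checkout@v4
        with:
          repository: xaked/blackbox
          ref: <PINNED_COMMIT_SHA>  # placeholder: pin a commit instead of master
          path: .blackbox
      - name: Decrypt secrets
        shell: bash
        env:
          GPG_KEY: ${{ secrets.gpg-key }}
        run: |
          (cd .blackbox && make copy-install)
          echo "$GPG_KEY" | base64 -d | gpg --import
          blackbox_decrypt_all_files
      # … unchanged: setup-terraform, SSH key, cache restore, init, validate, plan, upload, cache save …
```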
@@ -0,0 +1,41 @@
+name: tf-docs
+on:
+ workflow_call:
+
+jobs:
+ tf-docs:
+ name: tf-docs
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ - name: Install terraform docs
+ shell: bash
+ working-directory: /tmp
+ run: |
+ curl -Lo ./terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-$(uname)-amd64.tar.gz
+ tar -xzvf terraform-docs.tar.gz
+ chmod +x terraform-docs
+ mv terraform-docs /usr/local/bin/terraform-docs
+ - name: Generate terraform docs and push the changes back to PR branch
+ shell: bash
+ run: |
+ terraform-docs --version
+ terraform-docs markdown table --output-file README.md --output-mode inject .
+ - name: Verify Changed files
+ uses: tj-actions/verify-changed-files@v16
+ id: verify-changed-files
+ with:
+ files: |
+ README.md
+ - name: Push updated README.md
+ if: steps.verify-changed-files.outputs.files_changed == 'true'
+ run: |
+ git config --global user.name "Gitea Bot"
+ git config --global user.email "gitea@xaked.com"
+ git add README.md
+ git status
+ git commit -m 'docs(tf-docs): update README.md'
+ git push
diff --git a/terraform/tf-plan.yml b/terraform/tf-plan.yml
new file mode 100644
index 0000000..a35fbb6
--- /dev/null
+++ b/terraform/tf-plan.yml
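Review bot: The Install terraform docs step takes the v0.16.0 tarball straight from curl into `tar` and `/usr/local/bin` with no integrity check, so the job runs whatever that URL serves on the day; download the checksum asset the terraform-docs release publishes next to the tarball (confirm the exact asset name for v0.16.0) and run `sha256sum -c` on it before `tar -xzvf`. The final step pushes to `${{ github.event.pull_request.head.ref }}` with the job's default token, which needs write access to repository contents; on GitHub that is a `permissions: contents: write` block and it cannot work for pull requests from forks, whose head ref lives in another repository, so confirm the equivalent behaviour on the Gitea instance this targets. `mv terraform-docs /usr/local/bin/terraform-docs` also assumes that directory is writable by the runner user, which depends on the runner image.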
@@ -0,0 +1,69 @@
+name: tf-plan
+on:
+ workflow_call:
+ secrets:
+ gpg-key:
+ required: true
+ tf-api-token:
+ required: true
+ ssh-private-key:
+ required: true
+ ssh-known-hosts:
+ required: true
+
+jobs:
+ tf-plan:
+ name: Terraform Plan
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Blackbox decrypt
+ uses: https://git.palkoi.net/local/workflows/security/blackbox-decrypt.yml
+ secrets:
+ gpg-key: ${{ secrets.gpg-key }}
+ - uses: hashicorp/setup-terraform@v2
+ with:
+ terraform_version: 1.5.7
+ cli_config_credentials_token: ${{ secrets.tf-api-token }}
+ - name: Clone repo
+ uses: actions/checkout@v4
+ - name: Setup SSH key
+ uses: benoitchantre/setup-ssh-authentication-action@1.0.1
+ with:
+ private-key: ${{ secrets.ssh-private-key }}
+ private-key-name: id_ed25519
+ known-hosts: ${{ secrets.ssh-known-hosts }}
+ - name: Restore terraform cache
+ uses: actions/cache@v3
+ id: cache-terraform-restore
+ with:
+ path: .terraform
+ key: ${{ github.repository }}-${{ runner.os }}-${{ runner.arch }}-tf
+ - name: Run terraform init
+ shell: bash
+ run: terraform init
+ - name: Run terraform validate
+ shell: bash
+ run: terraform validate
+ - name: Run terraform plan
+ id: tfplan
+ shell: bash
+ run: |
+ terraform plan -detailed-exitcode -out=tfplan.binary -input=false;
+ continue-on-error: true
+ - name: Check if job errored
+ if: ${{ steps.tfplan.outputs.exitcode == 1 }}
+ shell: sh
+ run: exit 1
+ - name: Upload terraform plan if diffs are detected
+ if: ${{ steps.tfplan.outputs.exitcode == 2 }}
+ uses: actions/upload-artifact@v3
+ with:
+ name: tfplan
+ path: tfplan.binary
+ - name: Save terraform cache
+ uses: actions/cache/save@v3
+ id: cache-terraform-save
+ with:
+ path: .terraform
+ key: ${{ steps.cache-terraform-restore.outputs.cache-primary-key }}
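Review bot: The `tfplan.binary` that the Upload terraform plan step publishes with `actions/upload-artifact@v3` is a saved plan, which carries variable values and planned attributes in the clear (including values Terraform only masks for display), and an artifact is downloadable by anyone who can read the run; set a short `retention-days:` on the upload and handle the artifact with the same care as the secrets decrypted earlier in the job (the same upload exists in tf-apply.yml). The cache key `${{ github.repository }}-${{ runner.os }}-${{ runner.arch }}-tf` in Restore terraform cache contains no content hash, so once an entry exists the Save terraform cache step will find the key already present and not replace it, and provider upgrades keep restoring the stale `.terraform`; append `-${{ hashFiles('**/.terraform.lock.hcl') }}` to the key here and in tf-apply.yml. The entire `tf-plan` job is also duplicated verbatim in tf-apply.yml; keeping the plan in one place (tf-apply.yml calling this workflow from `jobs.tf-plan.uses`) would stop the two copies drifting apart.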