Fix GCP deployment manager formatting #133
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: GCP Deployment Manager Test | |
on: | |
pull_request: | |
branches: | |
- main | |
- "[0-9]+.[0-9]+" | |
types: [opened, synchronize, reopened] | |
paths: | |
- ".github/workflows/test-gcp-dm.yml" | |
- "deploy/deployment-manager/compute_engine.py" | |
- "deploy/deployment-manager/compute_engine.py.schema" | |
- "deploy/deployment-manager/deploy.sh" | |
- "deploy/deployment-manager/set_env.sh" | |
- "deploy/deployment-manager/deploy_service_account.sh" | |
- "deploy/deployment-manager/service_account.py" | |
- "deploy/deployment-manager/service_account.py.schema" | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
cancel-in-progress: true | |
env: | |
TEST_ENVS_DIR: deploy/test-environments | |
INTEGRATIONS_SETUP_DIR: tests/integrations_setup | |
DEPLOYMENT_MANAGER_DIR: deploy/deployment-manager | |
TF_VAR_ec_api_key: ${{ secrets.EC_API_KEY }} | |
TF_VAR_ess_region: gcp-us-west2 # default region for testing deployments | |
GCP_LABELS: "ci=integration,owner=${{ github.actor }}" | |
jobs: | |
# Test a GCP Deployment Manager deployment using Application Default Credentials | |
set_stack_version: | |
name: Set Stack Version | |
runs-on: ubuntu-22.04 | |
outputs: | |
STACK_VERSION: ${{ steps.stack_version.outputs.STACK_VERSION }} | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: Set stack version | |
id: stack_version | |
run: | | |
version=$(grep defaultBeatVersion version/version.go | cut -f2 -d "\"") | |
echo "STACK_VERSION=$version-SNAPSHOT" >> $GITHUB_OUTPUT | |
gcp_dm_adc: | |
needs: set_stack_version | |
name: CSPM GCP with ADC | |
runs-on: ubuntu-22.04 | |
timeout-minutes: 60 | |
permissions: | |
contents: "read" | |
id-token: "write" | |
steps: | |
- name: Set up unique deployment names | |
run: | | |
suffix="$(date +%s | tail -c 3)" | |
echo "TF_VAR_deployment_name=gcp-dm-ci-test-$suffix" >> $GITHUB_ENV | |
echo "GCP_DEPLOYMENT_NAME=ea-cspm-ci-dm-test-$suffix" >> $GITHUB_ENV | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: Init Hermit | |
run: ./bin/hermit env -r >> $GITHUB_ENV | |
- name: Set up Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: "3.9" | |
- name: Install Poetry | |
run: | | |
curl -sSL https://install.python-poetry.org | python3 - | |
poetry --version | |
- id: google-auth | |
name: Authenticate to Google Cloud | |
uses: google-github-actions/auth@v2 | |
with: | |
workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }} # this also sets the project name | |
service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }} | |
- name: Provision Test Environment (EC) | |
id: apply | |
if: success() | |
working-directory: ${{ env.TEST_ENVS_DIR }} | |
env: | |
TF_VAR_stack_version: ${{ needs.set_stack_version.outputs.STACK_VERSION }} | |
run: | | |
terraform -v | |
terraform init | |
terraform validate | |
terraform apply --auto-approve -target="module.ec_deployment" -target="module.ec_project" | |
terraform output | |
echo "KIBANA_URL=$(terraform output -raw kibana_url)" >> $GITHUB_ENV | |
echo "ES_URL=$(terraform output -raw elasticsearch_url)" >> $GITHUB_ENV | |
echo "ES_USER=$(terraform output -raw elasticsearch_username)" >> $GITHUB_ENV | |
export ES_PASSWORD=$(terraform output -raw elasticsearch_password) | |
echo "::add-mask::$ES_PASSWORD" | |
echo "ES_PASSWORD=$ES_PASSWORD" >> $GITHUB_ENV | |
- name: Install CSPM GCP integration | |
id: cspm-gcp-integration | |
working-directory: ${{ env.INTEGRATIONS_SETUP_DIR }} | |
env: | |
STACK_VERSION: ${{ needs.set_stack_version.outputs.STACK_VERSION }} | |
ELK_VERSION: ${{ needs.set_stack_version.outputs.STACK_VERSION }} | |
DEPLOYMENT_NAME: ${{env.GCP_DEPLOYMENT_NAME}} | |
run: | | |
poetry install | |
poetry run python ./install_cspm_gcp_integration.py | |
- name: Deploy CSPM GCP agent | |
id: cspm-gcp-agent | |
working-directory: deploy/deployment-manager | |
env: | |
DEPLOYMENT_LABELS: ${{ env.GCP_DEFAULT_TAGS }} | |
DEPLOYMENT_NAME: ${{env.GCP_DEPLOYMENT_NAME}} | |
run: | | |
. ./set_env.sh && ./deploy.sh && gcloud deployment-manager deployments update "${DEPLOYMENT_NAME}" --update-labels "${GCP_LABELS}" | |
- name: Check for findings | |
working-directory: ./tests | |
env: | |
USE_K8S: false | |
run: | | |
poetry install | |
poetry run pytest -k "cspm_gcp" --alluredir=./allure/results/ --clean-alluredir --maxfail=4 | |
- name: Destory EC deployment | |
if: always() | |
working-directory: ${{ env.TEST_ENVS_DIR }} | |
run: | | |
terraform destroy --auto-approve -target="module.ec_deployment" -target="module.ec_project" | |
- name: Set up GCP Cloud SDK | |
if: always() | |
uses: "google-github-actions/setup-gcloud@v2" | |
- name: Delete GCP Deployment Manager deployment | |
if: always() | |
working-directory: ${{ env.TEST_ENVS_DIR }} | |
env: | |
DEPLOYMENT_NAME: ${{env.GCP_DEPLOYMENT_NAME}} | |
run: | | |
DEPLOYMENT="${DEPLOYMENT_NAME}" | |
PROJECT_NAME=$(gcloud config get-value core/project) | |
PROJECT_NUMBER=$(gcloud projects list --filter="${PROJECT_NAME}" --format="value(PROJECT_NUMBER)") | |
./delete_gcp_env.sh $PROJECT_NAME $PROJECT_NUMBER $DEPLOYMENT | |
# Test a GCP Deployment Manager deployment using a Service Account | |
gcp_dm_sa: | |
needs: [set_stack_version, gcp_dm_adc] | |
name: CSPM GCP with SA | |
runs-on: ubuntu-22.04 | |
timeout-minutes: 60 | |
permissions: | |
contents: "read" | |
id-token: "write" | |
steps: | |
- name: Set up unique deployment names | |
run: | | |
suffix="$(date +%s | tail -c 3)" | |
echo "TF_VAR_deployment_name=gcp-dm-ci-sa-test-$suffix" >> $GITHUB_ENV | |
echo "GCP_AGENT_DEPLOYMENT_NAME=ea-cspm-gcp-ci-test-$suffix" >> $GITHUB_ENV | |
echo "GCP_SA_DEPLOYMENT_NAME=sa-cspm-gcp-ci-test-$suffix" >> $GITHUB_ENV | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: Init Hermit | |
run: ./bin/hermit env -r >> $GITHUB_ENV | |
- name: Set up Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: "3.9" | |
- name: Install Poetry | |
run: | | |
curl -sSL https://install.python-poetry.org | python3 - | |
poetry --version | |
- id: google-auth | |
name: Authenticate to Google Cloud | |
uses: google-github-actions/auth@v2 | |
with: | |
workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }} # this also sets the project name | |
service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }} | |
- name: Provision Test Environment (EC) | |
id: deploy_ec | |
if: success() | |
working-directory: ${{ env.TEST_ENVS_DIR }} | |
env: | |
TF_VAR_stack_version: ${{ needs.set_stack_version.outputs.STACK_VERSION }} | |
run: | | |
terraform -v | |
terraform init | |
terraform validate | |
terraform apply --auto-approve -target="module.ec_deployment" -target="module.ec_project" | |
terraform output | |
echo "KIBANA_URL=$(terraform output -raw kibana_url)" >> $GITHUB_ENV | |
echo "ES_URL=$(terraform output -raw elasticsearch_url)" >> $GITHUB_ENV | |
echo "ES_USER=$(terraform output -raw elasticsearch_username)" >> $GITHUB_ENV | |
export ES_PASSWORD=$(terraform output -raw elasticsearch_password) | |
echo "::add-mask::$ES_PASSWORD" | |
echo "ES_PASSWORD=$ES_PASSWORD" >> $GITHUB_ENV | |
- name: Set up GCP Cloud SDK | |
if: always() | |
uses: "google-github-actions/setup-gcloud@v2" | |
- name: Deploy GCP Service Account and Agent | |
id: gcp_deploy | |
env: | |
STACK_VERSION: ${{ needs.set_stack_version.outputs.STACK_VERSION }} | |
ELK_VERSION: ${{ needs.set_stack_version.outputs.STACK_VERSION }} | |
run: | | |
# Deploys a GCP Service Account | |
cd "${DEPLOYMENT_MANAGER_DIR}" | |
export DEPLOYMENT_NAME="${GCP_SA_DEPLOYMENT_NAME}" | |
export SERVICE_ACCOUNT_NAME="${GCP_SA_DEPLOYMENT_NAME}-sa" | |
./deploy_service_account.sh | |
mv KEY_FILE.json "../../${INTEGRATIONS_SETUP_DIR}" | |
# Installs CSPM GCP integration | |
cd "../../${INTEGRATIONS_SETUP_DIR}" | |
export SERVICE_ACCOUNT_JSON_PATH="KEY_FILE.json" | |
export DEPLOYMENT_NAME="${GCP_AGENT_DEPLOYMENT_NAME}" | |
poetry install | |
poetry run python ./install_cspm_gcp_integration.py | |
# Deploys the agent using an existing service account (SERVICE_ACCOUNT_NAME) | |
cd "../../${DEPLOYMENT_MANAGER_DIR}" | |
. ./set_env.sh && ./deploy.sh && gcloud deployment-manager deployments update "${DEPLOYMENT_NAME}" --update-labels "${GCP_LABELS}" | |
- name: Check for findings | |
working-directory: ./tests | |
env: | |
USE_K8S: false | |
run: | | |
poetry install | |
poetry run pytest -k "cspm_gcp" --alluredir=./allure/results/ --clean-alluredir --maxfail=4 | |
- name: Destory EC deployment | |
if: always() | |
working-directory: ${{ env.TEST_ENVS_DIR }} | |
run: | | |
terraform destroy --auto-approve -target="module.ec_deployment" -target="module.ec_project" | |
- name: Delete GCP Deployments | |
if: always() | |
working-directory: ${{ env.TEST_ENVS_DIR }} | |
run: | | |
PROJECT_NAME=$(gcloud config get-value core/project) | |
PROJECT_NUMBER=$(gcloud projects list --filter="${PROJECT_NAME}" --format="value(PROJECT_NUMBER)") | |
./delete_gcp_env.sh $PROJECT_NAME $PROJECT_NUMBER "${GCP_SA_DEPLOYMENT_NAME}" "${GCP_AGENT_DEPLOYMENT_NAME}" |