MLPAB-2343 - create a self service SBOM generation workflow in GitHub…

… actions (#1386)

* ignore exports

* ignore exports

* add script to export a bill of materials for docker images

* creat workflow dispatch job

* use service prefix to keep things together

* use correct role

* remove default

.github/workflows/dispatch_export_sbom.yml

@@ -0,0 +1,44 @@
+name: "[WD] Export Software Bill of Materials (SBOM)"
+
+on:
+  workflow_dispatch:
+    inputs:
+      image_tag:
+        description: 'Tag to export SBOM for'
+        required: true
+        type: string
+
+permissions:
+  id-token: write
+  contents: write
+  security-events: write
+  pull-requests: none
+  actions: none
+  checks: none
+  deployments: none
+  issues: none
+  packages: none
+  repository-projects: none
+  statuses: none
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  export_sbom:
+    name: Export Software Bill of Materials (SBOM) for ${{ inputs.image_tag }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/[email protected]
+        with:
+          aws-region: eu-west-1
+          role-to-assume: arn:aws:iam::311462405659:role/modernising-lpa-github-actions-sbom-export
+          role-duration-seconds: 900
+          role-session-name: GithubActionsExportSBOM
+      - name: Request and Download SBO Export for ${{ inputs.image_tag }}
+        working-directory: scripts/sbom_exporter
+        id: export_and_download_sbom
+        run: |
+          ./export_ecr_image_sbom.sh modernising-lpa ${{ inputs.image_tag }} modernising_lpa_filter_criteria.json

.gitignore

@@ -39,3 +39,5 @@ multi-reporter-config.json
 /logs/*
 /pacts/*
 /coverage/*
+
+scripts/sbom_exporter/exports/*

scripts/sbom_exporter/README.md

@@ -0,0 +1,34 @@
+# Working with AWS Inspector SBOM exports
+
+## request SBOM export
+
+```bash
+aws-vault exec management-operator -- \
+    aws inspector2 create-sbom-export \
+    --report-format SPDX_2_3 \
+    --resource-filter-criteria file://filter_criteria.json \
+    --s3-destination bucketName=opg-aws-inspector-sbom,keyPrefix=v0.1323.0,kmsKeyArn=arn:aws:kms:eu-west-1:311462405659:key/mrk-1899eeb57e6045d1a85310e1edda47c9
+```
+
+## get status of export
+
+```bash
+aws-vault exec management-operator -- \
+    aws inspector2 get-sbom-export \
+--report-id ba783153-5dc6-40ae-a9c9-9b48b232ec7b
+```
+
+## cancel status of export
+
+```bash
+aws-vault exec management-operator -- \
+    aws inspector2 cancel-sbom-export \
+--report-id 516b3fd1-881a-41a8-9592-d0fa70207e0f
+```
+
+## download the export
+
+```bash
+aws-vault exec management-operator -- \
+    aws s3 cp s3://opg-aws-inspector-sbom/latest/SPDX_2_3_outputs_6ebd4d72-7eca-4693-bfbe-fb078ac11a6e/account=311462405659/resource=AWS_ECR_CONTAINER_IMAGE/ . --recursive
+```

scripts/sbom_exporter/export_ecr_image_sbom.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+set -e
+
+# Check if both arguments are provided
+if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
+  echo "Usage: $0 <service_name> <image_tag> <filter_criteria_file>"
+  exit 1
+fi
+
+# Use the provided arguments
+SERVICE_NAME=$1
+IMAGE_TAG=$2
+FILTER_CRITERIA_FILE=$3
+ACCOUNT_ID=311462405659
+
+echo "Using image tag: $IMAGE_TAG"
+echo "Using filter criteria file: $FILTER_CRITERIA_FILE"
+
+# Update the filter_criteria.json with the new IMAGE_TAG
+jq --arg tag "$IMAGE_TAG" '.ecrImageTags = [{"comparison": "EQUALS", "value": $tag}]' $FILTER_CRITERIA_FILE > tmp.$$.json
+
+# Create a SBOM export
+REQUEST=$(aws-vault exec management-operator -- \
+    aws inspector2 create-sbom-export \
+    --report-format SPDX_2_3 \
+    --resource-filter-criteria file://tmp.$$.json \
+    --s3-destination bucketName=opg-aws-inspector-sbom,keyPrefix=$SERVICE_NAME/$IMAGE_TAG,kmsKeyArn=arn:aws:kms:eu-west-1:311462405659:key/mrk-1899eeb57e6045d1a85310e1edda47c9)
+
+rm tmp.$$.json
+
+REPORT_ID=$(echo $REQUEST | jq -r '.reportId')
+
+echo "SBOM export request id: $REPORT_ID"
+
+# Wait for export to complete
+while true; do
+    RESPONSE=$(aws-vault exec management-operator -- aws inspector2 get-sbom-export --report-id $REPORT_ID)
+    STATUS=$(echo $RESPONSE | jq -r '.status')
+
+    if [ "$STATUS" != "IN_PROGRESS" ]; then
+        echo "Final response:"
+        echo $RESPONSE | jq -C
+        mkdir -p exports/$IMAGE_TAG
+        echo "downloading SBOMs from S3..."
+        aws-vault exec management-operator -- \
+            aws s3 cp s3://opg-aws-inspector-sbom/$SERVICE_NAME/$IMAGE_TAG/SPDX_2_3_outputs_$REPORT_ID/account=$ACCOUNT_ID/resource=AWS_ECR_CONTAINER_IMAGE/ ./exports/$IMAGE_TAG --recursive
+        break
+    fi
+
+    echo "Status is $STATUS. Retrying in 10 seconds..."
+    sleep 10
+done

scripts/sbom_exporter/mock_onelogin_filter_criteria.json

@@ -0,0 +1,14 @@
+{
+  "ecrImageTags": [
+      {
+          "comparison": "EQUALS",
+          "value": "latest"
+      }
+  ],
+  "ecrRepositoryName": [
+      {
+        "comparison": "EQUALS",
+        "value": "mock-onelogin"
+      }
+  ]
+}

scripts/sbom_exporter/modernising_lpa_filter_criteria.json

@@ -0,0 +1,26 @@
+{
+  "ecrImageTags": [
+      {
+          "comparison": "EQUALS",
+          "value": "latest"
+      }
+  ],
+  "ecrRepositoryName": [
+      {
+          "comparison": "EQUALS",
+          "value": "modernising-lpa/app"
+      },
+      {
+          "comparison": "EQUALS",
+          "value": "modernising-lpa/event-received"
+      },
+      {
+          "comparison": "EQUALS",
+          "value": "modernising-lpa/create-s3-batch-replication-job"
+      },
+      {
+          "comparison": "EQUALS",
+          "value": "modernising-lpa/mock-pay"
+      }
+  ]
+}