Use terraform's native s3 state locking #29
Workflow file for this run
name: "Guardrail: Matching pentester CIDR blocks"
on:
  pull_request:
    branches: [main]
    paths:
      - "infra/deployments/forms/tfvars/staging.tfvars"
      - "infra/deployments/forms/account/tfvars/staging.tfvars"
      - "infra/deployments/deploy/engineer-access/roles.tf"
env:
  HCL2JSON_VERSION: "v0.6.1"
jobs:
  check_for_matching_cidr_blocks:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Not used by any step below; contents: read alone is enough for these checks.
      pull-requests: write
    name: Check for matching CIDR blocks
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install hcl2json
        # The binary is pinned by release tag only; no checksum is verified, so the
        # release asset is trusted exactly as GitHub serves it.
        run: |
          wget "https://github.com/tmccombs/hcl2json/releases/download/${HCL2JSON_VERSION}/hcl2json_linux_amd64"
          chmod +x hcl2json_linux_amd64
          sudo mv hcl2json_linux_amd64 /usr/local/bin/hcl2json
      - name: Check CIDR blocks match everywhere
        run: |
          # Extract each file's CIDR list as compact JSON, then require the three
          # extracts to be byte-for-byte identical (so ordering must match too).
          hcl2json infra/deployments/forms/tfvars/staging.tfvars | jq -rc '.environmental_settings.rate_limit_bypass_cidrs' > forms_tfvars_staging
          hcl2json infra/deployments/forms/account/tfvars/staging.tfvars | jq -rc '.pentester_cidr_ranges' > forms_acct_tfvars_staging
          hcl2json infra/deployments/deploy/engineer-access/roles.tf | jq -rc '.module.engineer_access[0].pentester_cidrs' > deploy_engineer_access_roles
          if ! cmp --silent forms_tfvars_staging forms_acct_tfvars_staging || \
             ! cmp --silent forms_tfvars_staging deploy_engineer_access_roles || \
             ! cmp --silent forms_acct_tfvars_staging deploy_engineer_access_roles; then
            cat <<EOF
          If you're setting pen tester CIDR blocks, make sure you set them the same everywhere
          * infra/deployments/forms/tfvars/staging.tfvars
          * infra/deployments/forms/account/tfvars/staging.tfvars
          * infra/deployments/deploy/engineer-access/roles.tf
          EOF
            echo "infra/deployments/forms/tfvars/staging.tfvars"
            cat forms_tfvars_staging
            echo "infra/deployments/forms/account/tfvars/staging.tfvars"
            cat forms_acct_tfvars_staging
            echo "infra/deployments/deploy/engineer-access/roles.tf"
            cat deploy_engineer_access_roles
            exit 1
          fi
      - name: Check CIDR blocks are only set in staging
        run: |
          # Every non-staging tfvars file must leave its CIDR list empty or unset.
          # The files are HCL, so they go through hcl2json before jq; both keys are
          # checked because the two tfvars directories use different variable names.
          while IFS= read -r file
          do
            cidrs="$(hcl2json "${file}" | jq -rc '[(.environmental_settings.rate_limit_bypass_cidrs // [])[], (.pentester_cidr_ranges // [])[]]')"
            if [ "${cidrs}" != "[]" ]; then
              echo "Rate limiting bypass CIDRs should not be set outside of staging"
              echo "Guilty file: ${file}"
              exit 1
            fi
          done < <(find infra/deployments/forms/tfvars infra/deployments/forms/account/tfvars -not -name "staging.tfvars" -name "*.tfvars")
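As an added example (not part of this workflow or the repository), the "match everywhere" step's comparison in Python, operating on the compact JSON arrays that `hcl2json | jq -c` emits. It compares set membership rather than bytes, so a reordered list is not a failure, and it additionally rejects malformed entries and flags any entry wider than a /24; the three inputs and the /24 limit are constructed assumptions for illustration.

```python
import ipaddress
import json

# Constructed sample inputs: the compact JSON arrays that
# `hcl2json <file> | jq -c '<path>'` prints for each of the three files.
FORMS_TFVARS_STAGING = '["203.0.113.0/24", "198.51.100.16/28"]'
FORMS_ACCT_TFVARS_STAGING = '["198.51.100.16/28", "203.0.113.0/24"]'
DEPLOY_ENGINEER_ACCESS_ROLES = '["203.0.113.0/24", "198.51.100.16/28", "0.0.0.0/0"]'

# Widest entry tolerated in an allow-list (assumption: one /24 worth of addresses).
MAX_ADDRESSES = 256


def normalise(raw: str) -> set[str]:
    """Parse one extracted array (null counts as empty) into canonical CIDR strings.
    Raises ValueError for non-strict entries such as a host address with bits set
    beyond its prefix, or a string that is not an address at all."""
    return {str(ipaddress.ip_network(e, strict=True)) for e in json.loads(raw) or []}


def check_cidr_lists(sources: dict[str, str]) -> list[str]:
    """Return findings for the named sources; an empty list means the guardrail passes.
    Unlike a byte-for-byte cmp, ordering and whitespace differences are not findings;
    differing membership, malformed entries and over-broad prefixes are."""
    findings: list[str] = []
    parsed: dict[str, set[str]] = {}
    for name, raw in sources.items():
        try:
            parsed[name] = normalise(raw)
        except ValueError as exc:
            findings.append(f"{name}: invalid CIDR entry: {exc}")
    for name, cidrs in parsed.items():
        for cidr in sorted(cidrs):
            if ipaddress.ip_network(cidr).num_addresses > MAX_ADDRESSES:
                findings.append(f"{name}: {cidr} is wider than a /24 allow-list entry")
    union = set().union(*parsed.values())
    for name, cidrs in parsed.items():
        if missing := sorted(union - cidrs):
            findings.append(f"{name}: missing {missing}")
    return findings


if __name__ == "__main__":
    for finding in check_cidr_lists({
        "infra/deployments/forms/tfvars/staging.tfvars": FORMS_TFVARS_STAGING,
        "infra/deployments/forms/account/tfvars/staging.tfvars": FORMS_ACCT_TFVARS_STAGING,
        "infra/deployments/deploy/engineer-access/roles.tf": DEPLOY_ENGINEER_ACCESS_ROLES,
    }):
        print(finding)
```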