magic_castle/.github/workflows/test.yaml at 6f9e819a8b3a0cfe50f87715ba83fd3f67ca768d · mboisson/magic_castle · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
name: Validate Terraform code

on:
  push:
    branches:
      - main
    paths:
      - aws/*
      - azure/*
      - common/*
      - dns/*
      - examples/*
      - openstack/*
      - ovh/*
      - .github/workflows/test.yaml
  pull_request:
    branches:
      - main
    paths:
      - aws/*
      - azure/*
      - common/*
      - dns/*
      - examples/*
      - openstack/*
      - ovh/*
      - .github/workflows/test.yaml

jobs:
  validate_cloud_providers:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        provider: ['aws', 'azure', 'gcp', 'openstack', 'ovh']
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: "1.5.7"
      - run: terraform -chdir=${{ matrix.provider }} init
      - run: terraform -chdir=${{ matrix.provider }} validate

  validate_dns_providers:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        provider: ['cloudflare', 'gcloud', 'txt']
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: "1.5.7"
      - run: terraform -chdir=dns/${{ matrix.provider }} init
      - run: terraform -chdir=dns/${{ matrix.provider }} validate

  validate_examples:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        example:
          - aws
          - azure
          - gcp
          - openstack
          - ovh
          # - advanced/spot_instances/aws
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: "1.5.7"
      - name: Generate an SSH key
        run: ssh-keygen -b 2048 -t rsa -q -N "" -f ~/.ssh/id_rsa
      - run: sed -i "s;git::${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git//;../../;g" examples/${{ matrix.example }}/main.tf;
      - run: terraform -chdir=examples/${{ matrix.example }} init
      - run: terraform -chdir=examples/${{ matrix.example }} validate

  validate_advanced_examples:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        example:
          - spot_instances/aws
          - spot_instances/azure
          - spot_instances/gcp
          - basic_puppet/openstack
          - elk/openstack
          - k8s/openstack
          - lustre/openstack
          - spark/openstack
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: "1.5.7"
      - name: Generate an SSH key
        run: ssh-keygen -b 2048 -t rsa -q -N "" -f ~/.ssh/id_rsa
      - run: sed -i "s;git::${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git//;../../../../;g" examples/advanced/${{ matrix.example }}/main.tf;
      - run: terraform -chdir=examples/advanced/${{ matrix.example }} init
      - run: terraform -chdir=examples/advanced/${{ matrix.example }} validate

  trivy-vuln-scan:
    name: Running Trivy Scan
    runs-on: ubuntu-latest
    needs: [validate_cloud_providers, validate_examples]
    steps:
      - uses: actions/checkout@v4

      - name: Resolve symbolic links and fix source
        run: |
          rm {aws,azure,gcp,openstack}/{outputs.tf,variables.tf}
          for cloud in aws azure gcp openstack; do
            cp common/outputs.tf common/variables.tf $cloud/;
          done
          sed -i 's;git::https://github.com/ComputeCanada/magic_castle.git//;../../;g' examples/*/*.tf

      - name: Manual Trivy Setup
        uses: aquasecurity/setup-trivy@v0.2.2
        with:
          version: v0.61.1
          cache: true

      - name: Run Trivy on providers
        run: trivy config --misconfig-scanners terraform --tf-exclude-downloaded-modules --skip-dirs examples/advanced --format json -o trivy-results.json .

      - name: Convert Trivy JSON output to SARIF and filter duplicated results
        run: |
          trivy convert --format sarif trivy-results.json --output trivy-results.sarif
          # When converting from JSON to SARIF, some information, like origin of the misconfiguration, is lost.
          # The lost information results in duplicated issues. We filter these issues with jq and create a new
          # sarif file that will be uploaded to the security tab.
          jq 'reduce .runs[0].results[] as $a ([]; if IN(.[]; $a) then . else . += [$a] end)' trivy-results.sarif > trivy-results-filtered.sarif
          jq ".runs[0].results |= $(cat trivy-results-filtered.sarif)" trivy-results.sarif > trivy-results-final.sarif
          mv trivy-results-final.sarif trivy-results.sarif

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "trivy-results.sarif"

      - name: Publish Trivy Output to Summary
        run: |
          if [[ -s trivy-results.json ]]; then
          {
            echo "### Trivy Misconfiguration Scan Output"
            echo "<details><summary>Click to expand</summary>"
            echo ""
            echo '```console'
            echo '$ trivy config --misconfig-scanners terraform --tf-exclude-downloaded-modules --skip-dirs examples/advanced .'
            trivy convert --format table trivy-results.json
            echo '```'
            echo "</details>"
          } >> $GITHUB_STEP_SUMMARY
          fi