Skip to content

Update Main WAF

Update Main WAF #66

name: Update Main WAF
on:
schedule:
- cron: "0 5 * * 4"
# on:
# workflow_dispatch:
jobs:
checkVersion:
name: Check versions
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set env.BRANCH
run: echo "BRANCH=main" >> $GITHUB_ENV
- name: Install basic dependancies
run: ./scripts/pipeline/deb-basic-deps.sh
- name: Install Cloudfoundry CLI
run: ./scripts/pipeline/deb-cf-install.sh
- name: Cloud.gov login
env:
CF_USER: "${{ secrets.CF_USER }}"
CF_PASSWORD: "${{ secrets.CF_PASSWORD }}"
CF_ORG: "${{ secrets.CF_ORG }}"
PROJECT: "${{ secrets.PROJECT }}"
run: source ./scripts/pipeline/cloud-gov-login.sh
- name: Check version
id: version
env:
PROJECT: "${{ secrets.PROJECT }}"
run: |
ubuntu_version=${{ vars.UBUNTU_VERSION }}
modsecurity_nginx_version=${{ vars.MODSECURITY_NGINX_VERSION }}
source ./scripts/pipeline/cloud-gov-waf-version.sh
outputs:
current_nginx_version: ${{ steps.version.outputs.current_nginx_version }}
new_nginx_version: ${{ steps.version.outputs.new_nginx_version }}
current_bp_version: ${{ steps.version.outputs.current_bp_version }}
new_bp_version: ${{ steps.version.outputs.new_bp_version }}
update: ${{ steps.version.outputs.update }}
updateWAF:
name: Update WAF
runs-on: ubuntu-latest
needs: checkVersion
if: needs.checkVersion.outputs.update == 'true'
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set env.BRANCH
run: echo "BRANCH=main" >> $GITHUB_ENV
- name: Install basic dependancies
run: ./scripts/pipeline/deb-basic-deps.sh
- name: Install Cloudfoundry CLI
run: ./scripts/pipeline/deb-cf-install.sh
- name: Cloud.gov login
env:
CF_USER: "${{ secrets.CF_USER }}"
CF_PASSWORD: "${{ secrets.CF_PASSWORD }}"
CF_ORG: "${{ secrets.CF_ORG }}"
PROJECT: "${{ secrets.PROJECT }}"
TF_BASTION: "${{ secrets.TF_BASTION }}"
TF_BACKEND_SPACE: "${{ secrets.TF_BACKEND_SPACE }}"
run: |
source ./scripts/pipeline/cloud-gov-login.sh
cf target -s "${TF_BACKEND_SPACE}" >/dev/null 2>&1
- name: Start Bastion
env:
TF_BASTION: "${{ secrets.TF_BASTION }}"
run: |
cf start "${TF_BASTION}" >/dev/null 2>&1
./scripts/pipeline/cloud-gov-wait-for-app-start.sh "${TF_BASTION}"
- name: Cloud.gov bastion git checkout
env:
TF_BASTION: "${{ secrets.TF_BASTION }}"
run: |
declare -a commands=("rm -rf px-benefit-finder" "git clone https://github.com/GSA/px-benefit-finder.git && cd px-benefit-finder && git checkout ${BRANCH}")
for command in "${commands[@]}"; do
./scripts/pipeline/cloud-gov-remote-command.sh "${TF_BASTION}" "${command}" 1
done
- name: Build nginx WAF Plugin
env:
ubuntu_version: "${{ vars.UBUNTU_VERSION }}"
modsecurity_nginx_version: "${{ vars.MODSECURITY_NGINX_VERSION }}"
new_nginx_version: ${{ needs.checkVersion.outputs.new_nginx_version }}
TF_BASTION: "${{ secrets.TF_BASTION }}"
run: |
source ./scripts/pipeline/terraform-build-waf-plugin.sh
- name: Configure Terraform
env:
CF_USER: "${{ secrets.CF_USER }}"
CF_PASSWORD: "${{ secrets.CF_PASSWORD }}"
CF_ORG: "${{ secrets.CF_ORG }}"
PROJECT: "${{ secrets.PROJECT }}"
TF_BASTION: "${{ secrets.TF_BASTION }}"
run: |
CWD=$(pwd)
cd terraform/infra
envsubst < terraform.tfvars.tmpl > terraform.tfvars
${CWD}/scripts/pipeline/cloud-gov-scp-file.sh "${TF_BASTION}" "terraform.tfvars" "px-benefit-finder/terraform/infra"
cd "${CWD}"
- name: Terraform Init
env:
TF_BASTION: "${{ secrets.TF_BASTION }}"
id: init
run: ./scripts/pipeline/cloud-gov-remote-command.sh "${TF_BASTION}" "tofu -chdir=px-benefit-finder/terraform/infra init" 1
- name: Terraform Validate
env:
TF_BASTION: "${{ secrets.TF_BASTION }}"
id: validate
run: |
stdout=$(./scripts/pipeline/cloud-gov-remote-command.sh "${TF_BASTION}" "TF_WORKSPACE=${BRANCH} tofu -chdir=px-benefit-finder/terraform/infra validate -no-color" 1)
stdout=$(echo $stdout | sed '$ d')
echo ${stdout}
echo "stdout=${stdout}" >> $GITHUB_OUTPUT
- name: Terraform Plan
env:
TF_BASTION: "${{ secrets.TF_BASTION }}"
id: plan
run: |
stdout=$(./scripts/pipeline/cloud-gov-remote-command.sh "${TF_BASTION}" "TF_WORKSPACE=${BRANCH} tofu -chdir=px-benefit-finder/terraform/infra plan -no-color" 1)
stdout=$(echo $stdout | sed '$ d')
echo ${stdout}
echo "stdout=${stdout}" >> $GITHUB_OUTPUT
- name: Terraform Apply
env:
TF_BASTION: "${{ secrets.TF_BASTION }}"
id: apply
run: |
stdout=$(./scripts/pipeline/cloud-gov-remote-command.sh "${TF_BASTION}" "TF_WORKSPACE=${BRANCH} tofu -chdir=px-benefit-finder/terraform/infra apply -auto-approve" 1)
stdout=$(echo $stdout | sed '$ d')
echo ${stdout}
echo "stdout=${stdout}" >> $GITHUB_OUTPUT
- name: Create Issue For Review
id: issue
uses: dacbd/create-issue-action@main
with:
token: ${{ secrets.ADD_TO_PROJECT_PAT }}
assignees: ${{ vars.TECH_LEAD }}
title: "Update to NGINX ${{ needs.checkVersion.outputs.new_nginx_version }} (main)"
body: |
## Automated update of NGINX WAF
This is an automated build and deploy of the NGINX WAF application in main.
Build pack: ${{ needs.checkVersion.outputs.current_bp_version }} => ${{ needs.checkVersion.outputs.new_bp_version }}
NGINX: ${{ needs.checkVersion.outputs.current_nginx_version }} => ${{ needs.checkVersion.outputs.new_nginx_version }}
#### Terraform Initialization &#x2699;`${{ steps.init.outcome }}`
#### Terraform Validation &#x1F916;`${{ steps.validate.outcome }}`
<details><summary>Validation Output</summary>
```
${{ steps.validate.outputs.stdout }}
```
</details>
#### Terraform Plan &#x1F4C5;`${{ steps.plan.outcome }}`
<details><summary>Show Plan</summary>
```
${{ steps.plan.outputs.stdout }}
```
</details>
### Terraform Apply &#x1f680;`${{ steps.apply.outcome }}`
# - name: Update Project Status
# env:
# GH_PROJECT_NUMBER: ${{ secrets.GH_PROJECT_NUMBER }}
# GH_TOKEN: ${{ secrets.ADD_TO_PROJECT_PAT }}
# ISSUE_NUMBER: ${{ steps.issue.outputs.number }}
# run: |
# source ./scripts/pipeline/github-update-issue-status.sh
stopBastion:
name: Stop Bastion
runs-on: ubuntu-latest
needs: updateWAF
if: ${{ always() }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set env.BRANCH
run: echo "BRANCH=main" >> $GITHUB_ENV
- name: Install basic dependancies
run: ./scripts/pipeline/deb-basic-deps.sh
- name: Install Cloudfoundry CLI
run: ./scripts/pipeline/deb-cf-install.sh
- name: Cloud.gov login
env:
CF_USER: "${{ secrets.CF_USER }}"
CF_PASSWORD: "${{ secrets.CF_PASSWORD }}"
CF_ORG: "${{ secrets.CF_ORG }}"
PROJECT: "${{ secrets.PROJECT }}"
TF_BASTION: "${{ secrets.TF_BASTION }}"
TF_BACKEND_SPACE: "${{ secrets.TF_BACKEND_SPACE }}"
run: |
source ./scripts/pipeline/cloud-gov-login.sh
cf target -s "${TF_BACKEND_SPACE}" >/dev/null 2>&1
- name: Stop Bastion
env:
TF_BASTION: "${{ secrets.TF_BASTION }}"
run: cf stop "${TF_BASTION}" >/dev/null 2>&1