Update Main WAF #66
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Update Main WAF | |
on: | |
schedule: | |
- cron: "0 5 * * 4" | |
# on: | |
# workflow_dispatch: | |
jobs: | |
checkVersion: | |
name: Check versions | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Set env.BRANCH | |
run: echo "BRANCH=main" >> $GITHUB_ENV | |
- name: Install basic dependancies | |
run: ./scripts/pipeline/deb-basic-deps.sh | |
- name: Install Cloudfoundry CLI | |
run: ./scripts/pipeline/deb-cf-install.sh | |
- name: Cloud.gov login | |
env: | |
CF_USER: "${{ secrets.CF_USER }}" | |
CF_PASSWORD: "${{ secrets.CF_PASSWORD }}" | |
CF_ORG: "${{ secrets.CF_ORG }}" | |
PROJECT: "${{ secrets.PROJECT }}" | |
run: source ./scripts/pipeline/cloud-gov-login.sh | |
- name: Check version | |
id: version | |
env: | |
PROJECT: "${{ secrets.PROJECT }}" | |
run: | | |
ubuntu_version=${{ vars.UBUNTU_VERSION }} | |
modsecurity_nginx_version=${{ vars.MODSECURITY_NGINX_VERSION }} | |
source ./scripts/pipeline/cloud-gov-waf-version.sh | |
outputs: | |
current_nginx_version: ${{ steps.version.outputs.current_nginx_version }} | |
new_nginx_version: ${{ steps.version.outputs.new_nginx_version }} | |
current_bp_version: ${{ steps.version.outputs.current_bp_version }} | |
new_bp_version: ${{ steps.version.outputs.new_bp_version }} | |
update: ${{ steps.version.outputs.update }} | |
updateWAF: | |
name: Update WAF | |
runs-on: ubuntu-latest | |
needs: checkVersion | |
if: needs.checkVersion.outputs.update == 'true' | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Set env.BRANCH | |
run: echo "BRANCH=main" >> $GITHUB_ENV | |
- name: Install basic dependancies | |
run: ./scripts/pipeline/deb-basic-deps.sh | |
- name: Install Cloudfoundry CLI | |
run: ./scripts/pipeline/deb-cf-install.sh | |
- name: Cloud.gov login | |
env: | |
CF_USER: "${{ secrets.CF_USER }}" | |
CF_PASSWORD: "${{ secrets.CF_PASSWORD }}" | |
CF_ORG: "${{ secrets.CF_ORG }}" | |
PROJECT: "${{ secrets.PROJECT }}" | |
TF_BASTION: "${{ secrets.TF_BASTION }}" | |
TF_BACKEND_SPACE: "${{ secrets.TF_BACKEND_SPACE }}" | |
run: | | |
source ./scripts/pipeline/cloud-gov-login.sh | |
cf target -s "${TF_BACKEND_SPACE}" >/dev/null 2>&1 | |
- name: Start Bastion | |
env: | |
TF_BASTION: "${{ secrets.TF_BASTION }}" | |
run: | | |
cf start "${TF_BASTION}" >/dev/null 2>&1 | |
./scripts/pipeline/cloud-gov-wait-for-app-start.sh "${TF_BASTION}" | |
- name: Cloud.gov bastion git checkout | |
env: | |
TF_BASTION: "${{ secrets.TF_BASTION }}" | |
run: | | |
declare -a commands=("rm -rf px-benefit-finder" "git clone https://github.com/GSA/px-benefit-finder.git && cd px-benefit-finder && git checkout ${BRANCH}") | |
for command in "${commands[@]}"; do | |
./scripts/pipeline/cloud-gov-remote-command.sh "${TF_BASTION}" "${command}" 1 | |
done | |
- name: Build nginx WAF Plugin | |
env: | |
ubuntu_version: "${{ vars.UBUNTU_VERSION }}" | |
modsecurity_nginx_version: "${{ vars.MODSECURITY_NGINX_VERSION }}" | |
new_nginx_version: ${{ needs.checkVersion.outputs.new_nginx_version }} | |
TF_BASTION: "${{ secrets.TF_BASTION }}" | |
run: | | |
source ./scripts/pipeline/terraform-build-waf-plugin.sh | |
- name: Configure Terraform | |
env: | |
CF_USER: "${{ secrets.CF_USER }}" | |
CF_PASSWORD: "${{ secrets.CF_PASSWORD }}" | |
CF_ORG: "${{ secrets.CF_ORG }}" | |
PROJECT: "${{ secrets.PROJECT }}" | |
TF_BASTION: "${{ secrets.TF_BASTION }}" | |
run: | | |
CWD=$(pwd) | |
cd terraform/infra | |
envsubst < terraform.tfvars.tmpl > terraform.tfvars | |
${CWD}/scripts/pipeline/cloud-gov-scp-file.sh "${TF_BASTION}" "terraform.tfvars" "px-benefit-finder/terraform/infra" | |
cd "${CWD}" | |
- name: Terraform Init | |
env: | |
TF_BASTION: "${{ secrets.TF_BASTION }}" | |
id: init | |
run: ./scripts/pipeline/cloud-gov-remote-command.sh "${TF_BASTION}" "tofu -chdir=px-benefit-finder/terraform/infra init" 1 | |
- name: Terraform Validate | |
env: | |
TF_BASTION: "${{ secrets.TF_BASTION }}" | |
id: validate | |
run: | | |
stdout=$(./scripts/pipeline/cloud-gov-remote-command.sh "${TF_BASTION}" "TF_WORKSPACE=${BRANCH} tofu -chdir=px-benefit-finder/terraform/infra validate -no-color" 1) | |
stdout=$(echo $stdout | sed '$ d') | |
echo ${stdout} | |
echo "stdout=${stdout}" >> $GITHUB_OUTPUT | |
- name: Terraform Plan | |
env: | |
TF_BASTION: "${{ secrets.TF_BASTION }}" | |
id: plan | |
run: | | |
stdout=$(./scripts/pipeline/cloud-gov-remote-command.sh "${TF_BASTION}" "TF_WORKSPACE=${BRANCH} tofu -chdir=px-benefit-finder/terraform/infra plan -no-color" 1) | |
stdout=$(echo $stdout | sed '$ d') | |
echo ${stdout} | |
echo "stdout=${stdout}" >> $GITHUB_OUTPUT | |
- name: Terraform Apply | |
env: | |
TF_BASTION: "${{ secrets.TF_BASTION }}" | |
id: apply | |
run: | | |
stdout=$(./scripts/pipeline/cloud-gov-remote-command.sh "${TF_BASTION}" "TF_WORKSPACE=${BRANCH} tofu -chdir=px-benefit-finder/terraform/infra apply -auto-approve" 1) | |
stdout=$(echo $stdout | sed '$ d') | |
echo ${stdout} | |
echo "stdout=${stdout}" >> $GITHUB_OUTPUT | |
- name: Create Issue For Review | |
id: issue | |
uses: dacbd/create-issue-action@main | |
with: | |
token: ${{ secrets.ADD_TO_PROJECT_PAT }} | |
assignees: ${{ vars.TECH_LEAD }} | |
title: "Update to NGINX ${{ needs.checkVersion.outputs.new_nginx_version }} (main)" | |
body: | | |
## Automated update of NGINX WAF | |
This is an automated build and deploy of the NGINX WAF application in main. | |
Build pack: ${{ needs.checkVersion.outputs.current_bp_version }} => ${{ needs.checkVersion.outputs.new_bp_version }} | |
NGINX: ${{ needs.checkVersion.outputs.current_nginx_version }} => ${{ needs.checkVersion.outputs.new_nginx_version }} | |
#### Terraform Initialization ⚙`${{ steps.init.outcome }}` | |
#### Terraform Validation 🤖`${{ steps.validate.outcome }}` | |
<details><summary>Validation Output</summary> | |
``` | |
${{ steps.validate.outputs.stdout }} | |
``` | |
</details> | |
#### Terraform Plan 📅`${{ steps.plan.outcome }}` | |
<details><summary>Show Plan</summary> | |
``` | |
${{ steps.plan.outputs.stdout }} | |
``` | |
</details> | |
### Terraform Apply 🚀`${{ steps.apply.outcome }}` | |
# - name: Update Project Status | |
# env: | |
# GH_PROJECT_NUMBER: ${{ secrets.GH_PROJECT_NUMBER }} | |
# GH_TOKEN: ${{ secrets.ADD_TO_PROJECT_PAT }} | |
# ISSUE_NUMBER: ${{ steps.issue.outputs.number }} | |
# run: | | |
# source ./scripts/pipeline/github-update-issue-status.sh | |
stopBastion: | |
name: Stop Bastion | |
runs-on: ubuntu-latest | |
needs: updateWAF | |
if: ${{ always() }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Set env.BRANCH | |
run: echo "BRANCH=main" >> $GITHUB_ENV | |
- name: Install basic dependancies | |
run: ./scripts/pipeline/deb-basic-deps.sh | |
- name: Install Cloudfoundry CLI | |
run: ./scripts/pipeline/deb-cf-install.sh | |
- name: Cloud.gov login | |
env: | |
CF_USER: "${{ secrets.CF_USER }}" | |
CF_PASSWORD: "${{ secrets.CF_PASSWORD }}" | |
CF_ORG: "${{ secrets.CF_ORG }}" | |
PROJECT: "${{ secrets.PROJECT }}" | |
TF_BASTION: "${{ secrets.TF_BASTION }}" | |
TF_BACKEND_SPACE: "${{ secrets.TF_BACKEND_SPACE }}" | |
run: | | |
source ./scripts/pipeline/cloud-gov-login.sh | |
cf target -s "${TF_BACKEND_SPACE}" >/dev/null 2>&1 | |
- name: Stop Bastion | |
env: | |
TF_BASTION: "${{ secrets.TF_BASTION }}" | |
run: cf stop "${TF_BASTION}" >/dev/null 2>&1 |