Added the Protected Fargate Task

PaloAltoNetworks · Aug 22, 2024 · 5d8b540 · 5d8b540
1 parent 299cf25
commit 5d8b540
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 11 deletions.
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
@@ -8,56 +8,102 @@ on:
 
 jobs:
 
-  build:
+  fargate:
     runs-on: ubuntu-latest
     environment: Testing
+    env:
+      IMAGE_NAME: ${{ vars.IMAGE_NAME }}
+      TASK_DEFINTION_NAME: ${{ vars.TASK_DEFINTION_NAME }}
     permissions:
       id-token: write
       contents: read
     steps:
     - uses: actions/checkout@v4
+
     - name: Configure AWS Credentials region audience
       uses: aws-actions/configure-aws-credentials@v4
       with:
         audience: sts.amazonaws.com
         aws-region: ${{ secrets.AWS_REGION }}
         role-to-assume: ${{ secrets.AWS_ROLE }}
+
     - name: Set env
       run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
+
     - name: Set up QEMU
       uses: docker/setup-qemu-action@v3
+
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v3
+
     - name: Build image and CI Scanning
       run: |
         # Build docker image
         docker build -t ${{ vars.IMAGE_NAME }}:latest .
 
-        #Generate Console token
+        # Generate Console token
         token=$(curl -s -k ${{ secrets.PCC_URL }}/api/v1/authenticate -X POST -H "Content-Type: application/json" -d '{
           "username":"${{ secrets.PCC_USER }}",
           "password":"${{ secrets.PCC_PASS }}"
           }'  | grep -Po '"'"token"'"\s*:\s*"\K([^"]*)')
         
-        #Download Twistcli
+        # Download Twistcli
+        echo "Downloading twistcli binary"
         curl -s -O ${{ secrets.PCC_URL }}/api/v1/util/twistcli -H "Authorization: Bearer $token"
         chmod a+x twistcli
         ./twistcli --version
 
-        #Perform CI Scan
+        # Perform CI Scan
+        echo "Performing Vulnerability and Compliance Scanning"
         ./twistcli images scan --address ${{ secrets.PCC_URL }} --token $token --details ${{ vars.IMAGE_NAME }}:latest
 
-        #Perform Analysis Sandbox 
+        # Perform Analysis Sandbox
+        echo "Performing Image Analysis Sandbox"
         sudo ./twistcli sandbox --address ${{ secrets.PCC_URL }} --token $token --analysis-duration 2m ${{ vars.IMAGE_NAME }}:latest
+
     - name: Login to Docker Hub
       uses: docker/login-action@v3
       with:
         registry: ${{ secrets.AWS_ECR_REGISTRY }}
         username: AWS
         password: ${{ secrets.AWS_ACCESS_TOKEN }}
+
     - name: Push
       uses: docker/build-push-action@v5
       with:
         context: .
         push: true
-        tags: ${{ vars.IMAGE_NAME }}:latest,${{ vars.IMAGE_NAME }}:${{ env.RELEASE_VERSION }}
+        tags: ${{ vars.IMAGE_NAME }}:latest,${{ vars.IMAGE_NAME }}:${{ env.RELEASE_VERSION }}
+
+    - name: Generate Protected Fargate Task
+      run: |
+        # Generate Fargate Task using template
+        envsubst < fargate-task-template.json > fargate-task.json
+
+        # Initial Path
+        PCC_SAN="$(echo ${{ secrets.PCC_URL }} | awk -F[/:] '{print $4}')"
+        path="/api/v1/defenders/fargate.json?consoleaddr=$PCC_SAN"
+        
+        # Identify if required to extract entrypoint
+        entrypoint=$(cat fargate-task-template.json | jq -r ".containerDefinitions[].entryPoint")
+        extract_entrypoint="false"
+        if [ "$entrypoint" == null ]
+        then
+          extract_entrypoint="true"
+          IFS="." read -r -a image_data <<< "${{ secrets.AWS_ECR_REGISTRY }}"
+          credential_id="${image_data[0]}"
+          path="$path&registryType=aws&registryCredentialID=$credential_id"
+        fi
+
+        path="$path&extractEntrypoint=$extract_entrypoint"
+
+        # Generate Console token
+        token=$(curl -s -k ${{ secrets.PCC_URL }}/api/v1/authenticate -X POST -H "Content-Type: application/json" -d '{
+          "username":"${{ secrets.PCC_USER }}",
+          "password":"${{ secrets.PCC_PASS }}"
+          }'  | grep -Po '"'"token"'"\s*:\s*"\K([^"]*)')
+
+        # Generate Protected Task
+        curl -x POST -H "Content-Type: application/json" -H "Authorization: Bearer $token" --data "@fargate-task.json" "${{ secrets.PCC_URL }}$path" > protected-fargate-task.json
+        cat protected-fargate-task.json
+        
diff --git a/fargate-task-template.json b/fargate-task-template.json
@@ -1,11 +1,8 @@
 {
     "containerDefinitions": [ 
        { 
-          "command": [
-             "${COMMAND}"
-          ],
           "essential": true,
-          "image": "${IMAGE}",
+          "image": "${IMAGE_NAME}",
           "name": "sample-fargate-app",
           "portMappings": [ 
              { 
@@ -17,7 +14,7 @@
        }
     ],
     "cpu": "256",
-    "family": "fargate-task-definition",
+    "family": "${TASK_DEFINTION_NAME}",
     "memory": "512",
     "networkMode": "awsvpc",
     "runtimePlatform": {