chore(deps): update dependency tfsec to v1.28.13 #309
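---
# Scheduled / on-demand end-to-end test: creates an EKS cluster (plus optional Aurora DB and
# OpenSearch domain) from the repository's modules and tears it down again afterwards.
name: EKS Cluster with an AuroraDB and OpenSearch creation and destruction test

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader handles it, only the linter is silenced.
on:  # yamllint disable-line rule:truthy
  schedule:
    - cron: '0 1 * * 2'  # At 01:00 on Tuesday.
  workflow_dispatch:
    inputs:
      cluster_name:
        description: Cluster name.
        required: false
        type: string
      create_db:
        description: Should the aurora db be created
        default: 'true'
      create_opensearch:
        description: Should the opensearch domain be created
        default: 'true'
      delete_cluster:
        description: Whether to delete the cluster.
        default: 'true'
      db_username:
        description: Database username.
        required: false
        type: string
      db_password:
        description: Database password.
        required: false
        type: string
      opensearch_username:
        description: OpenSearch username.
        required: false
        type: string
      opensearch_password:
        description: OpenSearch password.
        required: false
        type: string
  pull_request:
    # the paths should be synced with ../labeler.yml
    paths:
      - modules/fixtures/backend.tf
      - modules/fixtures/fixtures.default.eks.tfvars
      - modules/fixtures/fixtures.default.aurora.tfvars
      - modules/eks-cluster/**.tf
      - modules/aurora/**.tf
      - .tool-versions
      - .github/workflows/test-gha-eks.yml
      - .github/actions/*/*.yml

# limit to a single execution per actor of this workflow
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  AWS_PROFILE: infex
  AWS_REGION: eu-west-2
  # /!\ always use one of the available test region https://github.com/camunda/infraex-common-config
  # please keep those synced with tests.yml
  TF_STATE_BUCKET: tests-eks-tf-state-eu-central-1
  TF_STATE_BUCKET_REGION: eu-central-1
  # Both flags fall back to 'true' on schedule / pull_request runs, where no inputs exist.
  CREATE_DB: ${{ github.event.inputs.create_db || 'true' }}
  CREATE_OPENSEARCH: ${{ github.event.inputs.create_opensearch || 'true' }}

jobs:
  action-test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          ref: ${{ github.head_ref }}
          # Full history is needed: later steps derive names from `git rev-parse`.
          fetch-depth: 0

      - name: Cache asdf installation
        id: cache
        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
        with:
          path: |
            /home/runner/.asdf
          key: ${{ runner.os }}-tooling-${{ hashFiles('**/.tool-versions') }}
          restore-keys: |
            ${{ runner.os }}-tooling-

      - name: Install tooling using asdf
        uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3

      - name: Get Cluster Info
        id: commit_info
        # Inputs are handed to the script through env instead of being interpolated into it,
        # so their content is never parsed by the shell. On non-dispatch events they are empty.
        env:
          INPUT_CLUSTER_NAME: ${{ inputs.cluster_name }}
          INPUT_DB_USERNAME: ${{ inputs.db_username }}
          INPUT_DB_PASSWORD: ${{ inputs.db_password }}
          INPUT_OPENSEARCH_USERNAME: ${{ inputs.opensearch_username }}
          INPUT_OPENSEARCH_PASSWORD: ${{ inputs.opensearch_password }}
        run: |
          if [[ -n "$INPUT_CLUSTER_NAME" ]]; then
            cluster_name="$INPUT_CLUSTER_NAME"
          else
            cluster_name="cl-$(git rev-parse --short HEAD)-t"
          fi
          echo "cluster_name=$cluster_name" | tee -a "$GITHUB_OUTPUT"

          if [[ -n "$INPUT_DB_USERNAME" ]]; then
            db_username="$INPUT_DB_USERNAME"
          else
            db_username="user$(openssl rand -hex 4 | tr -d '/@" ')"
          fi
          echo "db_username=$db_username" | tee -a "$GITHUB_OUTPUT"

          if [[ -n "$INPUT_DB_PASSWORD" ]]; then
            db_password="$INPUT_DB_PASSWORD"
          else
            db_password="$(openssl rand -base64 12 | tr -d '/@" ')"
          fi
          # Register the password with the log masker before it is used anywhere, and write
          # it to the step output without echoing it to stdout (no `tee`).
          echo "::add-mask::$db_password"
          echo "db_password=$db_password" >> "$GITHUB_OUTPUT"

          if [[ -n "$INPUT_OPENSEARCH_USERNAME" ]]; then
            opensearch_username="$INPUT_OPENSEARCH_USERNAME"
          else
            opensearch_username="user$(openssl rand -hex 4 | tr -d '/@" ')"
          fi
          echo "opensearch_username=$opensearch_username" | tee -a "$GITHUB_OUTPUT"

          if [[ -n "$INPUT_OPENSEARCH_PASSWORD" ]]; then
            opensearch_password="$INPUT_OPENSEARCH_PASSWORD"
          else
            opensearch_password="$(openssl rand -base64 12 | tr -d '/@" ')"
          fi
          # Same treatment as db_password: mask first, then output without logging.
          echo "::add-mask::$opensearch_password"
          echo "opensearch_password=$opensearch_password" >> "$GITHUB_OUTPUT"

          # Get the current commit hash for the modules revision
          tf_modules_revision=$(git rev-parse HEAD)
          echo "tf_modules_revision=$tf_modules_revision" | tee -a "$GITHUB_OUTPUT"

      - name: Import Secrets
        id: secrets
        uses: hashicorp/vault-action@a1b77a09293a4366e48a5067a86692ac6e94fdc0 # v3
        with:
          url: ${{ secrets.VAULT_ADDR }}
          method: approle
          roleId: ${{ secrets.VAULT_ROLE_ID }}
          secretId: ${{ secrets.VAULT_SECRET_ID }}
          # Secrets are consumed as step outputs below, not exported to the job environment.
          exportEnv: false
          secrets: |
            secret/data/products/infrastructure-experience/ci/common AWS_ACCESS_KEY;
            secret/data/products/infrastructure-experience/ci/common AWS_SECRET_KEY;

      - name: Add profile credentials to ~/.aws/credentials
        # Credentials are passed via env and quoted, so they are never interpolated into the
        # script text itself.
        env:
          AWS_ACCESS_KEY: ${{ steps.secrets.outputs.AWS_ACCESS_KEY }}
          AWS_SECRET_KEY: ${{ steps.secrets.outputs.AWS_SECRET_KEY }}
        run: |
          aws configure set aws_access_key_id "$AWS_ACCESS_KEY" --profile "$AWS_PROFILE"
          aws configure set aws_secret_access_key "$AWS_SECRET_KEY" --profile "$AWS_PROFILE"
          aws configure set region "$AWS_REGION" --profile "$AWS_PROFILE"

      - name: Create EKS Cluster
        timeout-minutes: 45
        uses: ./.github/actions/eks-manage-cluster
        id: create_eks_cluster
        # Do not interrupt tests; otherwise, the Terraform state may become inconsistent.
        if: always() && success()
        with:
          cluster-name: ${{ steps.commit_info.outputs.cluster_name }}
          aws-region: ${{ env.AWS_REGION }}
          additional-terraform-vars: '{"np_capacity_type": "SPOT", "np_instance_types": ["t2.medium"]}'
          s3-backend-bucket: ${{ env.TF_STATE_BUCKET }}
          s3-bucket-region: ${{ env.TF_STATE_BUCKET_REGION }}
          tf-modules-revision: ${{ steps.commit_info.outputs.tf_modules_revision }}

      - name: After EKS creation infos
        id: after_cluster_creation_infos
        env:
          # Terraform output JSON of the previous step, read through env so that quotes inside
          # the document cannot break the shell command.
          TF_OUTPUTS: ${{ steps.create_eks_cluster.outputs.all-terraform-outputs }}
        run: |
          vpc_id=$(jq -c -r '.vpc_id.value' <<< "$TF_OUTPUTS")
          echo "vpc_id=$vpc_id" | tee -a "$GITHUB_OUTPUT"

          private_subnet_ids=$(jq -c -r '.private_subnet_ids.value' <<< "$TF_OUTPUTS")
          echo "private_subnet_ids=$private_subnet_ids" | tee -a "$GITHUB_OUTPUT"

          private_vpc_cidr_blocks=$(jq -c -r '.private_vpc_cidr_blocks.value' <<< "$TF_OUTPUTS")
          echo "private_vpc_cidr_blocks=$private_vpc_cidr_blocks" | tee -a "$GITHUB_OUTPUT"

          # Distinct AZs of the subnets in the new VPC, as a compact JSON array.
          availability_zones=$(aws ec2 describe-subnets --filters "Name=vpc-id,Values=${vpc_id}" --query 'Subnets[].AvailabilityZone' --output json | jq 'unique' -c)
          echo "availability_zones=$availability_zones" | tee -a "$GITHUB_OUTPUT"

      - name: Create Aurora Cluster
        timeout-minutes: 20
        uses: ./.github/actions/aurora-manage-cluster
        id: create_aurora_cluster
        # Do not interrupt tests; otherwise, the Terraform state may become inconsistent.
        if: env.CREATE_DB == 'true' && always() && success()
        with:
          cluster-name: ${{ steps.commit_info.outputs.cluster_name }}
          username: ${{ steps.commit_info.outputs.db_username }}
          password: ${{ steps.commit_info.outputs.db_password }}
          aws-region: ${{ env.AWS_REGION }}
          s3-backend-bucket: ${{ env.TF_STATE_BUCKET }}
          s3-bucket-region: ${{ env.TF_STATE_BUCKET_REGION }}
          tf-modules-revision: ${{ steps.commit_info.outputs.tf_modules_revision }}
          vpc-id: ${{ steps.after_cluster_creation_infos.outputs.vpc_id }}
          subnet-ids: ${{ steps.after_cluster_creation_infos.outputs.private_subnet_ids }}
          cidr-blocks: ${{ steps.after_cluster_creation_infos.outputs.private_vpc_cidr_blocks }}
          availability-zones: ${{ steps.after_cluster_creation_infos.outputs.availability_zones }}

      - name: Deploy OpenSearch Domain
        uses: ./.github/actions/opensearch-manage-cluster
        id: deploy_opensearch_domain
        # Do not interrupt tests; otherwise, the Terraform state may become inconsistent.
        if: env.CREATE_OPENSEARCH == 'true' && always() && success()
        with:
          domain-name: ${{ steps.commit_info.outputs.cluster_name }}-opensearch
          aws-region: ${{ env.AWS_REGION }}
          vpc-id: ${{ steps.after_cluster_creation_infos.outputs.vpc_id }}
          subnet-ids: ${{ steps.after_cluster_creation_infos.outputs.private_subnet_ids }}
          cidr-blocks: ${{ steps.after_cluster_creation_infos.outputs.private_vpc_cidr_blocks }}
          # The master password below is masked in logs by the `::add-mask::` call in commit_info.
          additional-terraform-vars: |
            {
              "advanced_security_master_user_name": "${{ steps.commit_info.outputs.opensearch_username }}",
              "advanced_security_master_user_password": "${{ steps.commit_info.outputs.opensearch_password }}",
              "advanced_security_internal_user_database_enabled": true
            }
          s3-backend-bucket: ${{ env.TF_STATE_BUCKET }}
          s3-bucket-region: ${{ env.TF_STATE_BUCKET_REGION }}
          tf-modules-revision: ${{ steps.commit_info.outputs.tf_modules_revision }}

      - name: Delete Resources
        timeout-minutes: 120
        # Runs even after failures so nothing is left behind; a manual dispatch may opt out
        # with delete_cluster=false.
        if: always() && !(github.event_name == 'workflow_dispatch' && inputs.delete_cluster == 'false')
        uses: ./.github/actions/eks-cleanup-resources
        with:
          tf-bucket: ${{ env.TF_STATE_BUCKET }}
          tf-bucket-region: ${{ env.TF_STATE_BUCKET_REGION }}
          max-age-hours: 0
          target: ${{ steps.commit_info.outputs.cluster_name }}

      - name: Notify in Slack in case of failure
        id: slack-notification
        if: failure() && github.event_name == 'schedule'
        uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@08c796604f9b08614df763b333833dd1bdc037c0 # 1.2.11
        with:
          vault_addr: ${{ secrets.VAULT_ADDR }}
          vault_role_id: ${{ secrets.VAULT_ROLE_ID }}
          vault_secret_id: ${{ secrets.VAULT_SECRET_ID }}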