Skip to content

chore(deps): update dependency tfsec to v1.28.13 #309

chore(deps): update dependency tfsec to v1.28.13

chore(deps): update dependency tfsec to v1.28.13 #309

Workflow file for this run

---
name: EKS Cluster with an AuroraDB and OpenSearch creation and destruction test
on:
schedule:
- cron: 0 1 * * 2 # At 01:00 on Tuesday.
workflow_dispatch:
inputs:
cluster_name:
description: Cluster name.
required: false
type: string
create_db:
description: Should the aurora db be created
default: 'true'
create_opensearch:
description: Should the opensearch domain be created
default: 'true'
delete_cluster:
description: Whether to delete the cluster.
default: 'true'
db_username:
description: Database username.
required: false
type: string
db_password:
description: Database password.
required: false
type: string
opensearch_username:
description: OpenSearch username.
required: false
type: string
opensearch_password:
description: OpenSearch password.
required: false
type: string
pull_request:
# the paths should be synced with ../labeler.yml
paths:
- modules/fixtures/backend.tf
- modules/fixtures/fixtures.default.eks.tfvars
- modules/fixtures/fixtures.default.aurora.tfvars
- modules/eks-cluster/**.tf
- modules/aurora/**.tf
- .tool-versions
- .github/workflows/test-gha-eks.yml
- .github/actions/*/*.yml
# limit to a single execution per actor of this workflow
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
env:
AWS_PROFILE: infex
AWS_REGION: eu-west-2
# /!\ always use one of the available test region https://github.com/camunda/infraex-common-config
# please keep those synced with tests.yml
TF_STATE_BUCKET: tests-eks-tf-state-eu-central-1
TF_STATE_BUCKET_REGION: eu-central-1
CREATE_DB: ${{ github.event.inputs.create_db || 'true' }}
CREATE_OPENSEARCH: ${{ github.event.inputs.create_opensearch || 'true' }}
jobs:
action-test:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
ref: ${{ github.head_ref }}
fetch-depth: 0
- name: Cache asdf installation
id: cache
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
with:
path: |
/home/runner/.asdf
key: ${{ runner.os }}-tooling-${{ hashFiles('**/.tool-versions') }}
restore-keys: |
${{ runner.os }}-tooling-
- name: Install tooling using asdf
uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3
- name: Get Cluster Info
id: commit_info
run: |
if [[ -n "${{ inputs.cluster_name }}" ]]; then
cluster_name="${{ inputs.cluster_name }}"
else
cluster_name="cl-$(git rev-parse --short HEAD)-t"
fi
echo "cluster_name=$cluster_name" | tee -a "$GITHUB_OUTPUT"
if [[ -n "${{ inputs.db_username }}" ]]; then
db_username="${{ inputs.db_username }}"
else
db_username="user$(openssl rand -hex 4 | tr -d '/@" ')"
fi
echo "db_username=$db_username" | tee -a "$GITHUB_OUTPUT"
if [[ -n "${{ inputs.db_password }}" ]]; then
db_password="${{ inputs.db_password }}"
else
db_password="$(openssl rand -base64 12 | tr -d '/@" ')"
fi
echo "db_password=$db_password" | tee -a "$GITHUB_OUTPUT"
if [[ -n "${{ inputs.opensearch_username }}" ]]; then
opensearch_username="${{ inputs.opensearch_username }}"
else
opensearch_username="user$(openssl rand -hex 4 | tr -d '/@" ')"
fi
echo "opensearch_username=$opensearch_username" | tee -a "$GITHUB_OUTPUT"
if [[ -n "${{ inputs.opensearch_password }}" ]]; then
opensearch_password="${{ inputs.opensearch_password }}"
else
opensearch_password="$(openssl rand -base64 12 | tr -d '/@" ')"
fi
echo "opensearch_password=$opensearch_password" | tee -a "$GITHUB_OUTPUT"
# Get the current commit hash for the modules revision
tf_modules_revision=$(git rev-parse HEAD)
echo "tf_modules_revision=$tf_modules_revision" | tee -a "$GITHUB_OUTPUT"
- name: Import Secrets
id: secrets
uses: hashicorp/vault-action@a1b77a09293a4366e48a5067a86692ac6e94fdc0 # v3
with:
url: ${{ secrets.VAULT_ADDR }}
method: approle
roleId: ${{ secrets.VAULT_ROLE_ID }}
secretId: ${{ secrets.VAULT_SECRET_ID }}
exportEnv: false
secrets: |
secret/data/products/infrastructure-experience/ci/common AWS_ACCESS_KEY;
secret/data/products/infrastructure-experience/ci/common AWS_SECRET_KEY;
- name: Add profile credentials to ~/.aws/credentials
run: |
aws configure set aws_access_key_id ${{ steps.secrets.outputs.AWS_ACCESS_KEY }} --profile ${{ env.AWS_PROFILE }}
aws configure set aws_secret_access_key ${{ steps.secrets.outputs.AWS_SECRET_KEY }} --profile ${{ env.AWS_PROFILE }}
aws configure set region ${{ env.AWS_REGION }} --profile ${{ env.AWS_PROFILE }}
- name: Create EKS Cluster
timeout-minutes: 45
uses: ./.github/actions/eks-manage-cluster
id: create_eks_cluster
# Do not interrupt tests; otherwise, the Terraform state may become inconsistent.
if: always() && success()
with:
cluster-name: ${{ steps.commit_info.outputs.cluster_name }}
aws-region: ${{ env.AWS_REGION }}
additional-terraform-vars: '{"np_capacity_type": "SPOT", "np_instance_types": ["t2.medium"]}'
s3-backend-bucket: ${{ env.TF_STATE_BUCKET }}
s3-bucket-region: ${{ env.TF_STATE_BUCKET_REGION }}
tf-modules-revision: ${{ steps.commit_info.outputs.tf_modules_revision }}
- name: After EKS creation infos
id: after_cluster_creation_infos
run: |
vpc_id=$(echo '${{ steps.create_eks_cluster.outputs.all-terraform-outputs }}' | jq -c -r '.vpc_id.value')
echo "vpc_id=$vpc_id" | tee -a "$GITHUB_OUTPUT"
private_subnet_ids=$(echo '${{ steps.create_eks_cluster.outputs.all-terraform-outputs }}' | jq -c -r '.private_subnet_ids.value')
echo "private_subnet_ids=$private_subnet_ids" | tee -a "$GITHUB_OUTPUT"
private_vpc_cidr_blocks=$(echo '${{ steps.create_eks_cluster.outputs.all-terraform-outputs }}' | jq -c -r '.private_vpc_cidr_blocks.value')
echo "private_vpc_cidr_blocks=$private_vpc_cidr_blocks" | tee -a "$GITHUB_OUTPUT"
availability_zones=$(aws ec2 describe-subnets --filters "Name=vpc-id,Values=${vpc_id}" --query 'Subnets[].AvailabilityZone' --output json | jq 'unique' -c)
echo "availability_zones=$availability_zones" | tee -a "$GITHUB_OUTPUT"
- name: Create Aurora Cluster
timeout-minutes: 20
uses: ./.github/actions/aurora-manage-cluster
id: create_aurora_cluster
# Do not interrupt tests; otherwise, the Terraform state may become inconsistent.
if: env.CREATE_DB == 'true' && always() && success()
with:
cluster-name: ${{ steps.commit_info.outputs.cluster_name }}
username: ${{ steps.commit_info.outputs.db_username }}
password: ${{ steps.commit_info.outputs.db_password }}
aws-region: ${{ env.AWS_REGION }}
s3-backend-bucket: ${{ env.TF_STATE_BUCKET }}
s3-bucket-region: ${{ env.TF_STATE_BUCKET_REGION }}
tf-modules-revision: ${{ steps.commit_info.outputs.tf_modules_revision }}
vpc-id: ${{ steps.after_cluster_creation_infos.outputs.vpc_id }}
subnet-ids: ${{ steps.after_cluster_creation_infos.outputs.private_subnet_ids }}
cidr-blocks: ${{ steps.after_cluster_creation_infos.outputs.private_vpc_cidr_blocks }}
availability-zones: ${{ steps.after_cluster_creation_infos.outputs.availability_zones }}
- name: Deploy OpenSearch Domain
uses: ./.github/actions/opensearch-manage-cluster
id: deploy_opensearch_domain
# Do not interrupt tests; otherwise, the Terraform state may become inconsistent.
if: env.CREATE_OPENSEARCH == 'true' && always() && success()
with:
domain-name: ${{ steps.commit_info.outputs.cluster_name }}-opensearch
aws-region: ${{ env.AWS_REGION }}
vpc-id: ${{ steps.after_cluster_creation_infos.outputs.vpc_id }}
subnet-ids: ${{ steps.after_cluster_creation_infos.outputs.private_subnet_ids }}
cidr-blocks: ${{ steps.after_cluster_creation_infos.outputs.private_vpc_cidr_blocks }}
additional-terraform-vars: |
{
"advanced_security_master_user_name": "${{ steps.commit_info.outputs.opensearch_username }}",
"advanced_security_master_user_password": "${{ steps.commit_info.outputs.opensearch_password }}",
"advanced_security_internal_user_database_enabled": true
}
s3-backend-bucket: ${{ env.TF_STATE_BUCKET }}
s3-bucket-region: ${{ env.TF_STATE_BUCKET_REGION }}
tf-modules-revision: ${{ steps.commit_info.outputs.tf_modules_revision }}
- name: Delete Resources
timeout-minutes: 120
if: always() && !(github.event_name == 'workflow_dispatch' && inputs.delete_cluster == 'false')
uses: ./.github/actions/eks-cleanup-resources
with:
tf-bucket: ${{ env.TF_STATE_BUCKET }}
tf-bucket-region: ${{ env.TF_STATE_BUCKET_REGION }}
max-age-hours: 0
target: ${{ steps.commit_info.outputs.cluster_name }}
- name: Notify in Slack in case of failure
id: slack-notification
if: failure() && github.event_name == 'schedule'
uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@08c796604f9b08614df763b333833dd1bdc037c0 # 1.2.11
with:
vault_addr: ${{ secrets.VAULT_ADDR }}
vault_role_id: ${{ secrets.VAULT_ROLE_ID }}
vault_secret_id: ${{ secrets.VAULT_SECRET_ID }}