add cis action
gurevichdmitry committed Nov 6, 2024
1 parent ed20fb5 commit 1555617
Showing 2 changed files with 264 additions and 2 deletions.
234 changes: 234 additions & 0 deletions .github/actions/cis/action.yml
@@ -0,0 +1,234 @@
name: 'CIS Integrations Installation'
description: 'Deploy CIS Integrations to Elastic Cloud'
inputs:
deployment-name:
description: |
Name with letters, numbers, hyphens; start with a letter. Max 20 chars. e.g., 'my-env-123'
required: true
type: string
aws-region:
description: "AWS region"
default: "eu-west-1"
required: false
type: string
deploy-aws-kspm:
description: "Deploy AWS KSPM EC2 resources"
type: boolean
default: true
deploy-aws-cspm:
description: "Deploy AWS CSPM EC2 resources"
type: boolean
default: true
cnvm-stack-name:
description: "CNVM CloudFormation stack name"
required: true
type: string
cspm-gcp-zone:
description: "GCP zone for CSPM agent deployment"
required: true
type: string
cspm-azure-creds:
description: "Azure credentials for CSPM agent deployment"
required: true
type: string
cspm-azure-tags:
description: "Azure tags for CSPM agent deployment"
required: true
type: string
stack-enrollment-token:
description: "Stack enrollment token"
required: true
type: string
env-s3-bucket:
description: "S3 bucket"
required: true
type: string
test-agentless:
description: "Run agentless integrations"
type: boolean
default: false
tag-project:
description: "Optional project resource tag"
default: "test-environments"
required: false
type: string
tag-owner:
description: "Optional owner tag"
default: "cloudbeat"
required: false
type: string

runs:
using: composite
steps:
- name: Deploy CIS Infrastructure
id: deploy-cis-infra
env:
TF_VAR_deployment_name: ${{ inputs.deployment-name }}
TF_VAR_region: ${{ inputs.aws-region }}
TF_VAR_deploy_aws_kspm: ${{ inputs.deploy-aws-kspm }}
TF_VAR_deploy_aws_cspm: ${{ inputs.deploy-aws-cspm }}
TF_VAR_project: ${{ inputs.tag-project }}
TF_VAR_owner: ${{ inputs.tag-owner }}
shell: bash
working-directory: "deploy/test-environments/cis"
run: |
terraform init
terraform validate
terraform apply -auto-approve
- name: Get CIS Outputs
id: generate-data
if: success()
shell: bash
working-directory: "deploy/test-environments/cis"
run: |
ec2_cspm=$(terraform output -raw ec2_cspm_ssh_cmd)
echo "::add-mask::$ec2_cspm"
echo "ec2-cspm=$ec2_cspm" >> "$GITHUB_OUTPUT"
ec2_kspm=$(terraform output -raw ec2_kspm_ssh_cmd)
echo "::add-mask::$ec2_kspm"
echo "ec2-kspm=$ec2_kspm" >> "$GITHUB_OUTPUT"
ec2_cspm_key=$(terraform output -raw ec2_cspm_key)
echo "::add-mask::$ec2_cspm_key"
echo "ec2-cspm-key=$ec2_cspm_key" >> "$GITHUB_OUTPUT"
ec2_kspm_key=$(terraform output -raw ec2_kspm_key)
echo "::add-mask::$ec2_kspm_key"
echo "ec2-kspm-key=$ec2_kspm_key" >> "$GITHUB_OUTPUT"
kspm_public_ip=$(terraform output -raw ec2_kspm_public_ip)
echo "::add-mask::$kspm_public_ip"
echo "kspm-public-ip=$kspm_public_ip" >> "$GITHUB_OUTPUT"
cspm_public_ip=$(terraform output -raw ec2_cspm_public_ip)
echo "::add-mask::$cspm_public_ip"
echo "cspm-public-ip=$cspm_public_ip" >> "$GITHUB_OUTPUT"
- name: Install CNVM integration
id: cnvm
working-directory: tests/integrations_setup
# env:
# CNVM_STACK_NAME: "${{ inputs.cnvm-stack-name }}"
run: |
poetry run python ./install_cnvm_integration.py
- name: Deploy CNVM agent
if: steps.cnvm.outcome == 'success'
env:
STACK_NAME: "${{ inputs.cnvm-stack-name }}"
ENROLLMENT_TOKEN: "${{ inputs.stack-enrollment-token }}"
run: |
unset ENROLLMENT_TOKEN
just deploy-cloudformation
- name: Install CSPM GCP integration
id: cspm-gcp-integration
working-directory: tests/integrations_setup
run: |
poetry run python ./install_cspm_gcp_integration.py
- name: Deploy CSPM GCP agent
id: cspm-gcp-agent
if: steps.cspm-gcp-integration.outcome == 'success'
working-directory: deploy/deployment-manager
env:
ACTOR: ${{ github.actor }}
DEPLOYMENT_NAME: "${{ inputs.deployment-name }}"
GCP_ZONE: "${{ inputs.cspm-gcp-zone }}"
run: |
# GCP labeling rules:
# Only hyphens (-), underscores (_), lowercase characters, and numbers are allowed. International characters are allowed.
# Convert github.actor to lowercase, replace disallowed characters
gcp_label=$(echo "$ACTOR" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9_-]/_/g')
gcp_default_tag="division=engineering,org=security,team=cloud-security-posture,project=test-environments,owner=$gcp_label"
. ./set_env.sh && ./deploy.sh && gcloud compute instances update "${DEPLOYMENT_NAME}" --update-labels "${gcp_default_tag}" --zone="${GCP_ZONE}"
- name: Install CSPM Azure integration
id: cspm-azure-integration
working-directory: tests/integrations_setup
run: |
poetry run python ./install_cspm_azure_integration.py
- name: Deploy CSPM Azure agent
id: cspm-azure-agent
if: steps.cspm-azure-integration.outcome == 'success'
working-directory: deploy/azure
env:
AZURE_TAGS: "${{ inputs.cspm-azure-tags }}"
run: ./install_agent_az_cli.sh

- name: Install D4C integration
id: kspm-d4c
if: steps.deploy-cis-infra.outcome == 'success'
working-directory: tests/integrations_setup
run: |
poetry run python ./install_d4c_integration.py
- name: Install KSPM EKS integration
id: kspm-eks
if: steps.deploy-cis-infra.outcome == 'success'
working-directory: tests/integrations_setup
run: |
poetry run python ./install_kspm_eks_integration.py
- name: Deploy KSPM EKS agent
if: steps.kspm-eks.outcome == 'success'
env:
DEPLOYMENT_NAME: "${{ inputs.deployment-name }}"
S3_BUCKET: "${{ inputs.env-s3-bucket }}"
AWS_REGION: "${{ inputs.aws-region }}"
run: |
aws eks --region ${AWS_REGION} update-kubeconfig --name ${DEPLOYMENT_NAME} --alias eks-config
echo 'KUBE_CONFIG_DATA=$(cat ~/.kube/config | base64)' >> $GITHUB_ENV
kubectl config use-context eks-config
kubectl apply -f tests/integrations_setup/kspm_d4c.yaml
- name: Install KSPM Unmanaged integration
id: kspm-unmanaged
if: steps.deploy-cis-infra.outcome == 'success'
working-directory: tests/integrations_setup
run: |
poetry run python ./install_kspm_unmanaged_integration.py
- name: Deploy KSPM Unmanaged agent
if: steps.kspm-unmanaged.outcome == 'success'
working-directory: deploy/test-environments/cis
env:
EC2_KSPM_KEY: ${{ steps.generate-data.outputs.ec2-kspm-key }}
KSPM_PUBLIC_IP: ${{ steps.generate-data.outputs.kspm-public-ip }}
run: |
scriptname="kspm_unmanaged.yaml"
src="../../../tests/integrations_setup/$scriptname"
cmd="kubectl apply -f $scriptname"
../remote_setup.sh -k "$EC2_KSPM_KEY" -s "$src" -h "$KSPM_PUBLIC_IP" -d "~/$scriptname" -c "$cmd"
- name: Install CSPM AWS integration
id: cspm-aws-integration
if: steps.deploy-cis-infra.outcome == 'success'
working-directory: tests/integrations_setup
run: |
poetry run python ./install_cspm_integration.py
- name: Deploy CSPM agent
if: steps.cspm-aws-integration.outcome == 'success'
working-directory: deploy/test-environments/cis
env:
EC2_CSPM_KEY: ${{ steps.generate-data.outputs.ec2-cspm-key }}
CSPM_PUBLIC_IP: ${{ steps.generate-data.outputs.cspm-public-ip }}
run: |
scriptname="cspm-linux.sh"
src="../../../tests/integrations_setup/$scriptname"
cmd="chmod +x $scriptname && ./$scriptname"
../remote_setup.sh -k "$EC2_CSPM_KEY" -s "$src" -h "$CSPM_PUBLIC_IP" -d "~/$scriptname" -c "$cmd"
- name: Install Agentless integrations
id: agentless
if: ${{ inputs.test-agentless }} == 'true'
working-directory: tests/integrations_setup
env:
AZURE_CREDENTIALS: ${{ inputs.cspm-azure-creds }}
run: |
poetry run python ./install_agentless_integrations.py
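Review bot: Every `run:` step of a composite action needs an explicit `shell:`, but only the first two steps declare `shell: bash`; from `Install CNVM integration` onward the steps omit it, which fails action-metadata validation before anything executes, so add `shell: bash` to each of those steps. The `Install Agentless integrations` condition `if: ${{ inputs.test-agentless }} == 'true'` is expanded to the text `true == 'true'` or `false == 'true'`, a non-empty string that is always truthy, so the step runs regardless of the input; write `if: inputs.test-agentless == 'true'` instead (composite inputs arrive as strings, so the quoted comparison is the right one). In `Deploy KSPM EKS agent`, the single-quoted `echo 'KUBE_CONFIG_DATA=$(cat ~/.kube/config | base64)'` writes the literal `$(...)` text into `$GITHUB_ENV` rather than the encoded kubeconfig, and `base64` without `-w0` would wrap the value over several lines anyway; since the kubeconfig carries cluster credentials it should also be masked, e.g. `kube_config_data=$(base64 -w0 < ~/.kube/config)`, then `echo "::add-mask::$kube_config_data"` and `echo "KUBE_CONFIG_DATA=$kube_config_data" >> "$GITHUB_ENV"`. The `type:` key under each input does not appear to be part of the action-metadata input schema (it belongs to `workflow_call`/`workflow_dispatch` inputs), so it is presumably ignored or rejected by the runner's validator — worth confirming before relying on `type: boolean` for coercion.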
32 changes: 30 additions & 2 deletions .github/workflows/test-environment.yml
Expand Up @@ -358,13 +358,38 @@ jobs:
tag-owner: ${{ github.actor }}

- name: Upload tf state
id: env.INFRA_TYPE != 'cis'
if: always()
id: upload-state-cdr
if: env.INFRA_TYPE != 'cis'
env:
S3_BUCKET: "${{ env.S3_BASE_BUCKET }}/${{ env.DEPLOYMENT_NAME }}_${{ env.TF_STATE_FOLDER }}"
run: |
./manage_infrastructure.sh "cdr" "upload-state"
- name: Deploy CIS Integrations
id: cis-integrations
if: env.INFRA_TYPE != 'cdr'
uses: ./.github/actions/cis
with:
deployment-name: ${{ env.DEPLOYMENT_NAME }}
aws-region: ${{ env.AWS_REGION }}
cnvm-stack-name: ${{ env.CNVM_STACK_NAME }}
gcp-zone: ${{ env.GCP_ZONE }}
cspm-azure-creds: ${{ secrets.AZURE_CREDENTIALS }}
cspm-azure-tags: ${{ env.AZURE_DEFAULT_TAGS }}
stack-enrollment-token: ${{ env.ENROLLMENT_TOKEN }}
env-s3-bucket: "${{ env.S3_BASE_BUCKET }}/${{ env.DEPLOYMENT_NAME }}_${{ env.TF_STATE_FOLDER }}"
test-agentless: ${{ env.TEST_AGENTLESS }}
tag-project: ${{ github.actor }}
tag-owner: ${{ github.actor }}

- name: Upload tf state
id: upload-state-cis
if: env.INFRA_TYPE != 'cdr'
env:
S3_BUCKET: "${{ env.S3_BASE_BUCKET }}/${{ env.DEPLOYMENT_NAME }}_${{ env.TF_STATE_FOLDER }}"
run: |
./manage_infrastructure.sh "cis" "upload-state"
# TODO: REMOVE THIS SECTION
# - name: Install AWS Cloudtrail integration
# id: cloudtrail-integration
Expand Down Expand Up @@ -425,6 +450,8 @@ jobs:
# ../remote_setup.sh -k "$AUDIT_LOGS_KEY" -s "$src" -h "$AUDIT_LOGS_PUBLIC_IP" -d "~/$scriptname" -c "$cmd"
#========================================================

# TODO: Remove this section
#========================================================
# - name: Install CNVM integration
# id: cnvm
# if: env.INFRA_TYPE != 'cdr'
Expand Down Expand Up @@ -559,6 +586,7 @@ jobs:
# src="../../../$INTEGRATIONS_SETUP_DIR/$scriptname"
# cmd="chmod +x $scriptname && ./$scriptname"
# ../remote_setup.sh -k "$EC2_CSPM_KEY" -s "$src" -h "$CSPM_PUBLIC_IP" -d "~/$scriptname" -c "$cmd"
#========================================================

# TODO: REMOVE THIS SECTION
#========================================================
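Review bot: The `with:` block of `Deploy CIS Integrations` passes `gcp-zone`, but the action declares its required input as `cspm-gcp-zone`, so the call fails with a missing-required-input error while the supplied value is dropped as an unexpected input; change the line to `cspm-gcp-zone: ${{ env.GCP_ZONE }}`. Both `Upload tf state` steps lost the previous `if: always()`, so when a deploy step fails the Terraform state is never pushed to S3 and the cloud resources already created cannot be torn down from that state later; if that was not intended, use `if: always() && env.INFRA_TYPE != 'cis'` and the matching `cdr` form for the second step. `tag-project: ${{ github.actor }}` sets the project tag to a user name, which looks copied from the `tag-owner` line below it; the action's own default `test-environments` is presumably what the project tag should carry. The enclosing `jobs:` block starts and ends outside the hunk.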
