From 15556179c352a007b4298da72cf8221ef245516e Mon Sep 17 00:00:00 2001
From: Dmitry Gurevich <99176494+gurevichdmitry@users.noreply.github.com>
Date: Wed, 6 Nov 2024 13:59:19 +0200
Subject: [PATCH] add cis action
---
 .github/actions/cis/action.yml | 234 +++++++++++++++++++++++++
 .github/workflows/test-environment.yml | 32 +++-
 2 files changed, 264 insertions(+), 2 deletions(-)
 create mode 100644 .github/actions/cis/action.yml
diff --git a/.github/actions/cis/action.yml b/.github/actions/cis/action.yml
new file mode 100644
index 0000000000..564b0c1f69
--- /dev/null
+++ b/.github/actions/cis/action.yml
@@ -0,0 +1,234 @@ +name: 'CIS Integrations Installation' +description: 'Deploy CIS Integrations to Elastic Cloud' +inputs: + deployment-name: + description: | + Name with letters, numbers, hyphens; start with a letter. Max 20 chars. e.g., 'my-env-123' + required: true + type: string + aws-region: + description: "AWS region" + default: "eu-west-1" + required: false + type: string + deploy-aws-kspm: + description: "Deploy AWS KSPM EC2 resources" + type: boolean + default: true + deploy-aws-cspm: + description: "Deploy AWS CSPM EC2 resources" + type: boolean + default: true + cnvm-stack-name: + description: "CNVM CloudFormation stack name" + required: true + type: string + cspm-gcp-zone: + description: "GCP zone for CSPM agent deployment" + required: true + type: string + cspm-azure-creds: + description: "Azure credentials for CSPM agent deployment" + required: true + type: string + cspm-azure-tags: + description: "Azure tags for CSPM agent deployment" + required: true + type: string + stack-enrollment-token: + description: "Stack enrollment token" + required: true + type: string + env-s3-bucket: + description: "S3 bucket" + required: true + type: string + test-agentless: + description: "Run agentless integrations" + type: boolean + default: false + tag-project: + description: "Optional project resource tag" + default: "test-environments" + required: false + type: string + tag-owner: + description: "Optional owner tag" + default: "cloudbeat" + required: false + type: string + +runs: + using: composite + steps: + - name: Deploy CIS Infrastructure + id: deploy-cis-infra + env: + TF_VAR_deployment_name: ${{ inputs.deployment-name }} + TF_VAR_region: ${{ inputs.aws-region }} + TF_VAR_deploy_aws_kspm: ${{ inputs.deploy-aws-kspm }} + TF_VAR_deploy_aws_cspm: ${{ inputs.deploy-aws-cspm }} + TF_VAR_project: ${{ inputs.tag-project }} + TF_VAR_owner: ${{ inputs.tag-owner }} + shell: bash + working-directory: "deploy/test-environments/cis" + run: | + terraform init + terraform 
validate + terraform apply -auto-approve + + - name: Get CIS Outputs + id: generate-data + if: success() + shell: bash + working-directory: "deploy/test-environments/cis" + run: | + ec2_cspm=$(terraform output -raw ec2_cspm_ssh_cmd) + echo "::add-mask::$ec2_cspm" + echo "ec2-cspm=$ec2_cspm" >> "$GITHUB_OUTPUT" + + ec2_kspm=$(terraform output -raw ec2_kspm_ssh_cmd) + echo "::add-mask::$ec2_kspm" + echo "ec2-kspm=$ec2_kspm" >> "$GITHUB_OUTPUT" + + ec2_cspm_key=$(terraform output -raw ec2_cspm_key) + echo "::add-mask::$ec2_cspm_key" + echo "ec2-cspm-key=$ec2_cspm_key" >> "$GITHUB_OUTPUT" + + ec2_kspm_key=$(terraform output -raw ec2_kspm_key) + echo "::add-mask::$ec2_kspm_key" + echo "ec2-kspm-key=$ec2_kspm_key" >> "$GITHUB_OUTPUT" + + kspm_public_ip=$(terraform output -raw ec2_kspm_public_ip) + echo "::add-mask::$kspm_public_ip" + echo "kspm-public-ip=$kspm_public_ip" >> "$GITHUB_OUTPUT" + + cspm_public_ip=$(terraform output -raw ec2_cspm_public_ip) + echo "::add-mask::$cspm_public_ip" + echo "cspm-public-ip=$cspm_public_ip" >> "$GITHUB_OUTPUT" + + - name: Install CNVM integration + id: cnvm + working-directory: tests/integrations_setup + # env: + # CNVM_STACK_NAME: "${{ inputs.cnvm-stack-name }}" + run: | + poetry run python ./install_cnvm_integration.py + + - name: Deploy CNVM agent + if: steps.cnvm.outcome == 'success' + env: + STACK_NAME: "${{ inputs.cnvm-stack-name }}" + ENROLLMENT_TOKEN: "${{ inputs.stack-enrollment-token }}" + run: | + unset ENROLLMENT_TOKEN + just deploy-cloudformation + + - name: Install CSPM GCP integration + id: cspm-gcp-integration + working-directory: tests/integrations_setup + run: | + poetry run python ./install_cspm_gcp_integration.py + + - name: Deploy CSPM GCP agent + id: cspm-gcp-agent + if: steps.cspm-gcp-integration.outcome == 'success' + working-directory: deploy/deployment-manager + env: + ACTOR: ${{ github.actor }} + DEPLOYMENT_NAME: "${{ inputs.deployment-name }}" + GCP_ZONE: "${{ inputs.cspm-gcp-zone }}" + run: | + # GCP 
labeling rules: + # Only hyphens (-), underscores (_), lowercase characters, and numbers are allowed. International characters are allowed. + # Convert github.actor to lowercase, replace disallowed characters + gcp_label=$(echo "$ACTOR" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9_-]/_/g') + gcp_default_tag="division=engineering,org=security,team=cloud-security-posture,project=test-environments,owner=$gcp_label" + . ./set_env.sh && ./deploy.sh && gcloud compute instances update "${DEPLOYMENT_NAME}" --update-labels "${gcp_default_tag}" --zone="${GCP_ZONE}" + + - name: Install CSPM Azure integration + id: cspm-azure-integration + working-directory: tests/integrations_setup + run: | + poetry run python ./install_cspm_azure_integration.py + + - name: Deploy CSPM Azure agent + id: cspm-azure-agent + if: steps.cspm-azure-integration.outcome == 'success' + working-directory: deploy/azure + env: + AZURE_TAGS: "${{ inputs.cspm-azure-tags }}" + run: ./install_agent_az_cli.sh + + - name: Install D4C integration + id: kspm-d4c + if: steps.deploy-cis-infra.outcome == 'success' + working-directory: tests/integrations_setup + run: | + poetry run python ./install_d4c_integration.py + + - name: Install KSPM EKS integration + id: kspm-eks + if: steps.deploy-cis-infra.outcome == 'success' + working-directory: tests/integrations_setup + run: | + poetry run python ./install_kspm_eks_integration.py + + - name: Deploy KSPM EKS agent + if: steps.kspm-eks.outcome == 'success' + env: + DEPLOYMENT_NAME: "${{ inputs.deployment-name }}" + S3_BUCKET: "${{ inputs.env-s3-bucket }}" + AWS_REGION: "${{ inputs.aws-region }}" + run: | + aws eks --region ${AWS_REGION} update-kubeconfig --name ${DEPLOYMENT_NAME} --alias eks-config + echo 'KUBE_CONFIG_DATA=$(cat ~/.kube/config | base64)' >> $GITHUB_ENV + kubectl config use-context eks-config + kubectl apply -f tests/integrations_setup/kspm_d4c.yaml + + - name: Install KSPM Unmanaged integration + id: kspm-unmanaged + if: steps.deploy-cis-infra.outcome 
== 'success' + working-directory: tests/integrations_setup + run: | + poetry run python ./install_kspm_unmanaged_integration.py + + - name: Deploy KSPM Unmanaged agent + if: steps.kspm-unmanaged.outcome == 'success' + working-directory: deploy/test-environments/cis + env: + EC2_KSPM_KEY: ${{ steps.generate-data.outputs.ec2-kspm-key }} + KSPM_PUBLIC_IP: ${{ steps.generate-data.outputs.kspm-public-ip }} + run: | + scriptname="kspm_unmanaged.yaml" + src="../../../tests/integrations_setup/$scriptname" + cmd="kubectl apply -f $scriptname" + ../remote_setup.sh -k "$EC2_KSPM_KEY" -s "$src" -h "$KSPM_PUBLIC_IP" -d "~/$scriptname" -c "$cmd" + + - name: Install CSPM AWS integration + id: cspm-aws-integration + if: steps.deploy-cis-infra.outcome == 'success' + working-directory: tests/integrations_setup + run: | + poetry run python ./install_cspm_integration.py + + - name: Deploy CSPM agent + if: steps.cspm-aws-integration.outcome == 'success' + working-directory: deploy/test-environments/cis + env: + EC2_CSPM_KEY: ${{ steps.generate-data.outputs.ec2-cspm-key }} + CSPM_PUBLIC_IP: ${{ steps.generate-data.outputs.cspm-public-ip }} + run: | + scriptname="cspm-linux.sh" + src="../../../tests/integrations_setup/$scriptname" + cmd="chmod +x $scriptname && ./$scriptname" + ../remote_setup.sh -k "$EC2_CSPM_KEY" -s "$src" -h "$CSPM_PUBLIC_IP" -d "~/$scriptname" -c "$cmd" + + - name: Install Agentless integrations + id: agentless + if: ${{ inputs.test-agentless }} == 'true' + working-directory: tests/integrations_setup + env: + AZURE_CREDENTIALS: ${{ inputs.cspm-azure-creds }} + run: | + poetry run python ./install_agentless_integrations.py diff --git a/.github/workflows/test-environment.yml b/.github/workflows/test-environment.yml index 0b9c16e035..2e5ed0d970 100644 --- a/.github/workflows/test-environment.yml +++ b/.github/workflows/test-environment.yml 
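Review bot: Every `run` step in a composite action must carry a `shell:` key, but only Deploy CIS Infrastructure and Get CIS Outputs set it; GitHub rejects the action metadata for the remaining steps (Install CNVM integration onward), so add `shell: bash` to each of them. The Install Agentless integrations step's `if: ${{ inputs.test-agentless }} == 'true'` is the documented always-true pattern — the expression is expanded to text and the leftover `… == 'true'` is a non-empty string — so that step, together with the `AZURE_CREDENTIALS` it receives, runs even when the input is false; write `if: inputs.test-agentless == 'true'` instead. In Deploy KSPM EKS agent, `echo 'KUBE_CONFIG_DATA=$(cat ~/.kube/config | base64)' >> $GITHUB_ENV` is single-quoted, so the literal text `$(cat …)` is written rather than the kubeconfig; if exporting it is really intended, note that a base64 blob is not covered by log masking of the original secret and is inherited by every later step, and that `base64` line-wraps by default, which breaks the `KEY=value` format unless `base64 -w0` or a heredoc delimiter is used. Dropping the export and relying on the `kubectl config use-context eks-config` line that already follows looks like the safer option.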
@@ -358,13 +358,38 @@ jobs: tag-owner: ${{ github.actor }} - name: Upload tf state - id: env.INFRA_TYPE != 'cis' - if: always() + id: upload-state-cdr + if: env.INFRA_TYPE != 'cis' env: S3_BUCKET: "${{ env.S3_BASE_BUCKET }}/${{ env.DEPLOYMENT_NAME }}_${{ env.TF_STATE_FOLDER }}" run: | ./manage_infrastructure.sh "cdr" "upload-state" + - name: Deploy CIS Integrations + id: cis-integrations + if: env.INFRA_TYPE != 'cdr' + uses: ./.github/actions/cis + with: + deployment-name: ${{ env.DEPLOYMENT_NAME }} + aws-region: ${{ env.AWS_REGION }} + cnvm-stack-name: ${{ env.CNVM_STACK_NAME }} + gcp-zone: ${{ env.GCP_ZONE }} + cspm-azure-creds: ${{ secrets.AZURE_CREDENTIALS }} + cspm-azure-tags: ${{ env.AZURE_DEFAULT_TAGS }} + stack-enrollment-token: ${{ env.ENROLLMENT_TOKEN }} + env-s3-bucket: "${{ env.S3_BASE_BUCKET }}/${{ env.DEPLOYMENT_NAME }}_${{ env.TF_STATE_FOLDER }}" + test-agentless: ${{ env.TEST_AGENTLESS }} + tag-project: ${{ github.actor }} + tag-owner: ${{ github.actor }} + + - name: Upload tf state + id: upload-state-cis + if: env.INFRA_TYPE != 'cdr' + env: + S3_BUCKET: "${{ env.S3_BASE_BUCKET }}/${{ env.DEPLOYMENT_NAME }}_${{ env.TF_STATE_FOLDER }}" + run: | + ./manage_infrastructure.sh "cis" "upload-state" + # TODO: REMOVE THIS SECTION # - name: Install AWS Cloudtrail integration # id: cloudtrail-integration @@ -425,6 +450,8 @@ jobs: # ../remote_setup.sh -k "$AUDIT_LOGS_KEY" -s "$src" -h "$AUDIT_LOGS_PUBLIC_IP" -d "~/$scriptname" -c "$cmd" #======================================================== + # TODO: Remove this section + #======================================================== # - name: Install CNVM integration # id: cnvm # if: env.INFRA_TYPE != 'cdr' 
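Review bot: The `with:` block of Deploy CIS Integrations passes `gcp-zone:`, but the action it calls (`.github/actions/cis/action.yml`, added in this same patch) declares that input as `cspm-gcp-zone` and marks it required; the runner flags `gcp-zone` as an unexpected input and the action's Deploy CSPM GCP agent step ends up with an empty `GCP_ZONE`, so change the line to `cspm-gcp-zone: ${{ env.GCP_ZONE }}`. `tag-project: ${{ github.actor }}` looks like a copy of the `tag-owner` line under it — the action's `tag-project` input defaults to `"test-environments"` and is described as a project tag, so confirm whether the actor name is really meant there or the line should simply be dropped. The `stack-enrollment-token` value comes from `env.ENROLLMENT_TOKEN` rather than `secrets.`; log masking follows the original value, so this is only safe if the step that populated that env var registered it with `::add-mask::`, which is outside this hunk and worth confirming.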
@@ -559,6 +586,7 @@ jobs: # src="../../../$INTEGRATIONS_SETUP_DIR/$scriptname" # cmd="chmod +x $scriptname && ./$scriptname" # ../remote_setup.sh -k "$EC2_CSPM_KEY" -s "$src" -h "$CSPM_PUBLIC_IP" -d "~/$scriptname" -c "$cmd" + #======================================================== # TODO: REMOVE THIS SECTION #========================================================