Refactor AWS credentials in tf-drift-detection.yaml and kyverno.tf
adamlahbib committed Nov 20, 2024
1 parent 3692b02 commit 6fc4169
Showing 2 changed files with 148 additions and 40 deletions.
182 changes: 146 additions & 36 deletions .github/workflows/tf-drift-detection.yaml
@@ -5,6 +5,11 @@ on:
schedule:
- cron: '0 3 * * *'

permissions:
id-token: write
contents: read
issues: write

env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
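Review bot: the new top-level `permissions` block grants `id-token: write`, but nothing in this change uses OIDC: `aws-actions/configure-aws-credentials` is still fed long-lived keys, and `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` remain in the workflow-level `env`, which exposes them to every step of every job. Either finish the refactor by passing `role-to-assume` to the credentials action and dropping the static keys, or remove `id-token: write` and scope the two keys to the one step that needs them. `issues: write` is required by the later `github-script` steps that create, update and close the drift issue, so that addition is correct.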
@@ -24,53 +29,158 @@ env:
CROWDSEC_ENROLL_KEY: ${{ secrets.CROWDSEC_ENROLL_KEY }}

jobs:
drift-detection:
name: Check Drift

permissions:
id-token: write
contents: read
pull-requests: read
checks: read

terraform-plan:
name: Terraform Plan
runs-on: ubuntu-latest

outputs:
TFPLAN_EXIT_CODE: ${{ steps.tfplan.outputs.exitcode }}

steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.head_ref }}
fetch-depth: 0

- name: Install Terramate
uses: terramate-io/terramate-action@v1
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ inputs.aws-access-key-id }}
aws-secret-access-key: ${{ inputs.aws-secret-access-key }}
aws-region: ${{ inputs.aws-region }}

- name: Install Terraform
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
with:
terraform_version: 1.9.8
terraform_wrapper: false

- name: Terraform Init
run: terraform init

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}
- name: Terraform Plan
id: tfplan
env:
TF_VAR_GRAFANA_ADMIN_PASSWORD: ${{ inputs.GRAFANA_ADMIN_PASSWORD }}
TF_VAR_CLOUDFLARE_ZONE_ID: ${{ inputs.CLOUDFLARE_ZONE_ID }}
TF_VAR_CLOUDFLARE_TOKEN: ${{ inputs.CLOUDFLARE_TOKEN }}
TF_VAR_CLOUDFLARE_EMAIL: ${{ inputs.CLOUDFLARE_EMAIL }}
TF_VAR_CLOUDFLARE_API_TOKEN: ${{ inputs.CLOUDFLARE_API_TOKEN }}
TF_VAR_SLACK_WEBHOOK: ${{ inputs.SLACK_WEBHOOK }}
TF_VAR_TAILSCALE_CLIENT_ID: ${{ inputs.TAILSCALE_CLIENT_ID }}
TF_VAR_TAILSCALE_CLIENT_SECRET: ${{ inputs.TAILSCALE_CLIENT_SECRET }}
TF_VAR_CROWDSEC_ENROLL_KEY: ${{ inputs.CROWDSEC_ENROLL_KEY }}
run: |
export exitcode=0
terraform plan -detailed-exitcode -no-color -out tfplan || exitcode=$?
echo "exitcode=$exitcode" >> $GITHUB_ENV
if [ $exitcode -eq 1 ]; then
echo Terraform Plan Failed!
exit 1
else
exit 0
fi
- name: Upload Terraform Plan
uses: actions/upload-artifact@v4
with:
name: tfplan
path: tfplan

- name: Run Terraform init on all stacks
id: init
run: terramate run -- terraform init
- name: Create String Output
id: tf-plan-string
run: |
TERRAFORM_PLAN=$(terraform show -no-color tfplan)
delimiter="$(openssl rand -hex 8)"
echo "summary<<${delimiter}" >> $GITHUB_OUTPUT
echo "## Terraform Plan Output" >> $GITHUB_OUTPUT
echo "<details><summary>Click to expand</summary>" >> $GITHUB_OUTPUT
echo "" >> $GITHUB_OUTPUT
echo '```terraform' >> $GITHUB_OUTPUT
echo "$TERRAFORM_PLAN" >> $GITHUB_OUTPUT
echo '```' >> $GITHUB_OUTPUT
echo "</details>" >> $GITHUB_OUTPUT
echo "${delimiter}" >> $GITHUB_OUTPUT
- name: Run drift detection
id: drift
- name: Publish Terraform Plan to Task Summary
env:
SUMMARY: ${{ steps.tf-plan-string.outputs.summary }}
run: |
terramate run \
--sync-drift-status \
--terraform-plan-file=drift.tfplan \
--continue-on-error \
--parallel 5 \
-- \
terraform plan -out drift.tfplan -detailed-exitcode -lock=false
echo "$SUMMARY" >> $GITHUB_STEP_SUMMARY
- name: Publish Drift Report
if: steps.tf-plan.outputs.exitcode == 2
uses: actions/github-script@v7
env:
GITHUB_TOKEN: ${{ github.token }}
SUMMARY: "${{ steps.tf-plan-string.outputs.summary }}"
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const body = `${process.env.SUMMARY}`;
const title = 'Terraform Configuration Drift Detected';
const creator = 'github-actions[bot]'
// Look to see if there is an existing drift issue
const issues = await github.rest.issues.listForRepo({
owner: context.repo.owner,
repo: context.repo.repo,
state: 'open',
creator: creator,
title: title
})
if( issues.data.length > 0 ) {
// We assume there shouldn't be more than 1 open issue, since we update any issue we find
const issue = issues.data[0]
if ( issue.body == body ) {
console.log('Drift Detected: Found matching issue with duplicate content')
} else {
console.log('Drift Detected: Found matching issue, updating body')
github.rest.issues.update({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: issue.number,
body: body
})
}
} else {
console.log('Drift Detected: Creating new issue')
github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: title,
body: body
})
}
- name: Publish Drift Report
if: steps.tf-plan.outputs.exitcode == 0
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const title = 'Terraform Configuration Drift Detected';
const creator = 'github-actions[bot]'
// Look to see if there is an existing drift issue
const issues = await github.rest.issues.listForRepo({
owner: context.repo.owner,
repo: context.repo.repo,
state: 'open',
creator: creator,
title: title
})
if( issues.data.length > 0 ) {
const issue = issues.data[0]
github.rest.issues.update({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: issue.number,
state: 'closed'
})
}
- name: Error on Failure
if: steps.tf-plan.outputs.exitcode == 2
run: exit 1
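Review bot: the three conditional steps at the end of the hunk will never run as written, because `if: steps.tf-plan.outputs.exitcode == 2` (and `== 0`) refers to a step id `tf-plan` that does not exist; the plan step is `id: tfplan`, and it writes `echo "exitcode=$exitcode" >> $GITHUB_ENV` instead of `>> $GITHUB_OUTPUT`, so `steps.tfplan.outputs.exitcode` (also used for the job output `TFPLAN_EXIT_CODE`) stays empty. Fix both: write to `$GITHUB_OUTPUT` and reference `steps.tfplan.outputs.exitcode` in all three `if:` lines. Second, this workflow only runs on `schedule`, where the `inputs` context is empty, so `aws-access-key-id: ${{ inputs.aws-access-key-id }}` and every `TF_VAR_*: ${{ inputs.* }}` line resolves to nothing; the removed version read these from `env`, and the workflow-level `env` block still defines them, so these should be `${{ env.AWS_ACCESS_KEY_ID }}`, `${{ env.AWS_REGION }}` and `${{ secrets.GRAFANA_ADMIN_PASSWORD }}` (or `env.`) respectively. Third, `Upload Terraform Plan` publishes `tfplan` as a build artifact, and a saved plan file carries the values of all input variables, including the secrets passed via `TF_VAR_*`, in clear text; nothing later in this workflow downloads it, so drop the step (or, if it is needed, restrict artifact access and keep retention short). Related: the plan text that `Create String Output` posts to the step summary and to a repository issue prints any variable not declared `sensitive = true` in the Terraform code, so check those declarations before enabling this. Minor: `title` is not a filter parameter of `issues.listForRepo` (it is ignored), so the lookup matches every open issue created by `github-actions[bot]` and `issues.data[0]` may be an unrelated one; filter the results on `issue.title === title` (or use a label) before updating or closing. `GITHUB_TOKEN` in `env` duplicates the `github-token` input and can go.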
6 changes: 2 additions & 4 deletions _DOCUMENTATION/README.MD
@@ -241,11 +241,9 @@ Bandit is a tool designed to find common security issues in Python code. To do t

Checkov is a static code analysis tool for infrastructure-as-code. It scans Terraform, CloudFormation, Kubernetes, and other IaC files for security and compliance issues. Checkov is used to ensure that the Terraform code is secure and compliant with best practices.

### TERRAFORM DRIFT DETECTION WITH TERRAMATE
### TERRAFORM DRIFT DETECTION

Terramate helps you to detect drift by periodically running drift detection workflows in your CI/CD such as GitHub Actions, GitLab CI/CD or BitBucket pipelines. Upon detection of drift in stacks, Terramate will sync those drift to Terramate Cloud allowing you to identify and manage drift

Terramate can create actionable alerts for drifted stacks that notify an owner or a group of owners of stacks. In addition, notifications can be sent to a centralized Slack channel or directly to Slack users by using our Slack app.
I first wanted to use Terramate for this but their process involved using a client locally on my laptop and more, so I went with this one https://github.com/azure-samples/terraform-github-actions/blob/main/.github/workflows/tf-drift.yml that was a great inspiration to understand the process from and implement it myself.

### TRUFFLEHOG

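Review bot: the replacement paragraph explains why Terramate was dropped but no longer says what the drift-detection workflow now does; since the heading still promises drift detection, add a sentence stating the behaviour visible in `tf-drift-detection.yaml` (a nightly `terraform plan -detailed-exitcode`, with the plan output posted to a `Terraform Configuration Drift Detected` issue that is updated while drift persists and closed when the plan comes back clean). The bare URL would also read better as a Markdown link.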

0 comments on commit 6fc4169