ci: add config scanning to trivy (aws-games#143)
kylesomers authored Jul 15, 2024
1 parent 49ac394 commit 70f7f1a
Showing 3 changed files with 88 additions and 44 deletions.
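--- a/.github/workflows/packer-build.yml
+++ b/.github/workflows/packer-build.yml
@@ -0,0 +1,77 @@
+# Builds a Packer template. Reusable workflow that can be triggered manually or by the `packer-daily-builds.yml` workflow. Also triggeres on pull requests when packer templates are modified.
+
+name: Packer Build
+on:
+workflow_dispatch: # Manually trigger the workflow
+workflow_call:
+inputs:
+packer_template_file_name:
+description: 'Packer template file name'
+required: true
+type: string
+packer_template_dir:
+description: 'Packer template directory'
+required: true
+type: string
+packer_template_description:
+description: 'Packer template description'
+required: true
+type: string
+branch:
+description: 'Branch to checkout'
+required: true
+type: string
+default: main
+pull_request:
+paths:
+- 'assets/packer/**'
+permissions:
+id-token: write
+contents: read
+jobs:
+packer-ci:
+environment: aws-ci
+runs-on: ubuntu-latest
+steps:
+- name: Configure AWS credentials
+uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
+with:
+role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
+aws-region: ${{ vars.AWS_REGION }}
+role-session-name: CGDToolkitGitHubActions
+- name: Checkout code
+uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+with:
+ref: ${{ inputs.branch }}
+- name: Install AWS CLI
+run: |
+curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+unzip awscliv2.zip
+sudo ./aws/install --update
+aws --version
+- name: Install Packer
+run: |
+PACKER_VERSION=$(curl -s https://checkpoint-api.hashicorp.com/v1/check/packer | jq -r -M '.current_version')
+wget https://releases.hashicorp.com/packer/${PACKER_VERSION}/packer_${PACKER_VERSION}_linux_amd64.zip
+unzip packer_${PACKER_VERSION}_linux_amd64.zip
+mv packer /usr/local/bin
+rm packer_${PACKER_VERSION}_linux_amd64.zip
+- name: Packer Init and Validate
+working-directory: ./assets/packer/${{ inputs.packer_template_dir }}
+run: |
+echo "Validating Packer template: ${{ inputs.packer_template_description }} - ${{ inputs.packer_template_file_name }}"
+packer init ${{ inputs.packer_template_file_name }}
+cat > ci.pkrvars.hcl << EOF
+region = "${{ vars.AWS_REGION }}"
+vpc_id = "${{ secrets.AWS_VPC_ID_CI }}"
+subnet_id = "${{ secrets.AWS_SUBNET_ID_CI }}"
+public_key = <<PUBLIC_KEY
+${{ secrets.PACKER_CI_PUBLIC_KEY }}
+PUBLIC_KEY
+profile = "${{ secrets.AWS_PROFILE_CI }}"
+EOF
+packer validate -var-file=ci.pkrvars.hcl ${{ inputs.packer_template_file_name }}
+- name: Packer Build
+working-directory: ./assets/packer/${{ inputs.packer_template_dir }}
+run: |
+packer build -var-file=ci.pkrvars.hcl ${{ inputs.packer_template_file_name }}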
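Review bot: `inputs.*` is only populated by the `workflow_call` trigger, yet the same `packer-ci` job also runs on `workflow_dispatch` and `pull_request`, where every `${{ inputs.… }}` expands to an empty string — `working-directory` becomes `./assets/packer/` and `packer init`/`validate`/`build` are invoked with no template file. Declare matching `inputs:` under `workflow_dispatch`, and either drop the `pull_request` trigger here or give that path a job that enumerates the templates itself. Separately, the `pull_request` trigger runs `packer build` — and whatever provisioners the changed template declares — with the CI role obtained through `aws-ci`, so that environment should carry required reviewers, or the PR path should stop after `packer validate`. The Packer install step fetches whichever version `checkpoint-api` reports and unzips it without checking HashiCorp's published `SHA256SUMS`; pinning `PACKER_VERSION` and verifying the archive (e.g. `sha256sum -c`) would make the build reproducible and tamper-evident.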
54 changes: 10 additions & 44 deletions .github/workflows/packer-daily-builds.yml
Expand Up @@ -6,6 +6,8 @@ on:
permissions:
id-token: write
contents: read
env:
GITHUB_BRANCH: main
jobs:
get-packer-templates: # Retrieve the Packer templates from the config file and build a matrix of them to run parallel jobs
if: github.repository == 'aws-games/cloud-game-development-toolkit'
Expand All @@ -14,7 +16,7 @@ jobs:
- name: Checkout code
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
with:
ref: main
ref: ${{ env.GITHUB_BRANCH }}
- name: Install yq
run: |
sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
Expand All @@ -28,7 +30,7 @@ jobs:
echo "MATRIX_JSON: ${MATRIX_JSON}"
outputs:
matrix: ${{ steps.packer-templates-matrix.outputs.matrix }}
packer-ci: # Run Packer validation and build for each template
run-packer-builds:
if: github.repository == 'aws-games/cloud-game-development-toolkit'
needs: get-packer-templates
strategy:
Expand All @@ -38,46 +40,10 @@ jobs:
environment: aws-ci
runs-on: ubuntu-latest
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
- name: 'Build Packer template - ${{ matrix.file_name }}
uses: ./github/workflows/packer-build.yml
with:
role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
aws-region: ${{ vars.AWS_REGION }}
role-session-name: CGDToolkitGitHubActions
- name: Checkout code
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
with:
ref: main
- name: Install AWS CLI
run: |
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install --update
aws --version
- name: Install Packer
run: |
PACKER_VERSION=$(curl -s https://checkpoint-api.hashicorp.com/v1/check/packer | jq -r -M '.current_version')
wget https://releases.hashicorp.com/packer/${PACKER_VERSION}/packer_${PACKER_VERSION}_linux_amd64.zip
unzip packer_${PACKER_VERSION}_linux_amd64.zip
mv packer /usr/local/bin
rm packer_${PACKER_VERSION}_linux_amd64.zip
- name: Packer Init and Validate
working-directory: ./assets/packer/${{ matrix.dir }}
run: |
echo "Validating Packer template: ${{ matrix.description }} - ${{ matrix.file_name }}"
packer init ${{ matrix.file_name }}
cat > ci.pkrvars.hcl << EOF
region = "${{ vars.AWS_REGION }}"
vpc_id = "${{ secrets.AWS_VPC_ID_CI }}"
subnet_id = "${{ secrets.AWS_SUBNET_ID_CI }}"
public_key = <<PUBLIC_KEY
${{ secrets.PACKER_CI_PUBLIC_KEY }}
PUBLIC_KEY
profile = "${{ secrets.AWS_PROFILE_CI }}"
EOF
packer validate -var-file=ci.pkrvars.hcl ${{ matrix.file_name }}
- name: Packer Build
working-directory: ./assets/packer/${{ matrix.dir }}
run: |
packer build -var-file=ci.pkrvars.hcl ${{ matrix.file_name }}
packer_template_file_name: ${{ matrix.file_name }}
packer_template_dir: ${{ matrix.dir }}
packer_template_description: ${{ matrix.description }}
branch: ${{ env.GITHUB_BRANCH }}
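Review bot: The new `run-packer-builds` job cannot run as written: the line `- name: 'Build Packer template - ${{ matrix.file_name }}` opens a single quote it never closes, which is a YAML parse error, and a reusable workflow cannot be invoked from a step-level `uses:` — it has to be referenced at job level as `jobs.<id>.uses: ./.github/workflows/packer-build.yml` (note the `./.github` prefix; `./github/workflows/…` is not the workflows directory). A job that calls a reusable workflow also cannot carry its own `environment`/`runs-on` (both sit on the context lines just above the change), the called workflow's `secrets.*` references require `secrets: inherit`, and `env` is not among the contexts available in a reusable-workflow `with:`, so `branch: ${{ env.GITHUB_BRANCH }}` will not resolve there even though the same indirection works in the checkout step's `ref:` earlier in this file. The job's `if`/`needs`/`strategy` keys start above the hunk and are unaffected.
```yaml
  run-packer-builds:
    # … unchanged: if / needs / strategy …
    uses: ./.github/workflows/packer-build.yml
    secrets: inherit
    with:
      packer_template_file_name: ${{ matrix.file_name }}
      packer_template_dir: ${{ matrix.dir }}
      packer_template_description: ${{ matrix.description }}
      branch: main  # env.* is not available in jobs.<id>.with; use a literal or a vars.* entry
```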
1 change: 1 addition & 0 deletions .github/workflows/trivy.yml
Expand Up @@ -20,6 +20,7 @@ jobs:
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
scanners: 'vuln, secret, config'
severity: 'CRITICAL,HIGH'

- name: Upload Trivy scan results to GitHub Security tab
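Review bot: `scanners: 'vuln, secret, config'` carries spaces after the commas while the neighbouring `severity: 'CRITICAL,HIGH'` does not; Trivy's documented form is comma-separated without spaces, and if the list is split strictly on commas the padded `secret`/`config` tokens may be rejected or silently ignored rather than enabled, so `scanners: 'vuln,secret,config'` avoids the question. Newer Trivy releases refer to this scanner as `misconfig`, so it is worth confirming that the Trivy version behind the pinned action still accepts `config`. Note also that the existing `severity: 'CRITICAL,HIGH'` filter now applies to misconfiguration checks too, so MEDIUM-rated IaC findings will not reach the Security tab; if that is intended, a comment such as `# severity filter also applies to config (misconfig) findings` would record the decision. The step's `uses:` line and action version are above the hunk.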