From 70f7f1a986cb293c7d4b8f43abc53b59199275e9 Mon Sep 17 00:00:00 2001
From: Kyle Somers <17753062+kylesomers@users.noreply.github.com>
Date: Mon, 15 Jul 2024 09:41:55 -0500
Subject: [PATCH] ci: add config scanning to trivy (#143)

---
 .github/workflows/packer-build.yml        | 77 +++++++++++++++++++++++
 .github/workflows/packer-daily-builds.yml | 54 +++-------------
 .github/workflows/trivy.yml               |  1 +
 3 files changed, 88 insertions(+), 44 deletions(-)
 create mode 100644 .github/workflows/packer-build.yml

diff --git a/.github/workflows/packer-build.yml b/.github/workflows/packer-build.yml
new file mode 100644
index 00000000..d7415f51
--- /dev/null
+++ b/.github/workflows/packer-build.yml
@@ -0,0 +1,77 @@
+# Builds a Packer template. Reusable workflow that can be triggered manually or by the `packer-daily-builds.yml` workflow. Also triggeres on pull requests when packer templates are modified. 
+
+name: Packer Build
+on: 
+  workflow_dispatch: # Manually trigger the workflow
+  workflow_call:
+    inputs:
+      packer_template_file_name:
+        description: 'Packer template file name'
+        required: true
+        type: string
+      packer_template_dir:
+        description: 'Packer template directory'
+        required: true
+        type: string
+      packer_template_description:
+        description: 'Packer template description'
+        required: true
+        type: string
+      branch:
+        description: 'Branch to checkout'
+        required: true
+        type: string
+        default: main
+  pull_request:
+    paths:
+      - 'assets/packer/**'
+permissions:
+  id-token: write
+  contents: read
+jobs:
+  packer-ci:
+    environment: aws-ci
+    runs-on: ubuntu-latest
+    steps:
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
+      with:
+        role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
+        aws-region: ${{ vars.AWS_REGION }}
+        role-session-name: CGDToolkitGitHubActions
+    - name: Checkout code
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+      with:
+        ref: ${{ inputs.branch }}
+    - name: Install AWS CLI
+      run: |
+        curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+        unzip awscliv2.zip
+        sudo ./aws/install --update
+        aws --version
+    - name: Install Packer
+      run: |
+        PACKER_VERSION=$(curl -s https://checkpoint-api.hashicorp.com/v1/check/packer | jq -r -M '.current_version')
+        wget https://releases.hashicorp.com/packer/${PACKER_VERSION}/packer_${PACKER_VERSION}_linux_amd64.zip
+        unzip packer_${PACKER_VERSION}_linux_amd64.zip
+        mv packer /usr/local/bin
+        rm packer_${PACKER_VERSION}_linux_amd64.zip
+    - name: Packer Init and Validate
+      working-directory: ./assets/packer/${{ inputs.packer_template_dir }}
+      run: |
+        echo "Validating Packer template: ${{ inputs.packer_template_description }} - ${{ inputs.packer_template_file_name }}"
+        packer init ${{ inputs.packer_template_file_name }}
+        cat > ci.pkrvars.hcl << EOF
+        region = "${{ vars.AWS_REGION }}"
+        vpc_id = "${{ secrets.AWS_VPC_ID_CI }}"
+        subnet_id = "${{ secrets.AWS_SUBNET_ID_CI }}"
+        public_key = <<PUBLIC_KEY
+        ${{ secrets.PACKER_CI_PUBLIC_KEY }}
+        PUBLIC_KEY
+        profile = "${{ secrets.AWS_PROFILE_CI }}"
+        EOF
+        packer validate -var-file=ci.pkrvars.hcl ${{ inputs.packer_template_file_name }}
+    - name: Packer Build
+      working-directory: ./assets/packer/${{ inputs.packer_template_dir }}
+      run: |
+        packer build -var-file=ci.pkrvars.hcl ${{ inputs.packer_template_file_name }}
diff --git a/.github/workflows/packer-daily-builds.yml b/.github/workflows/packer-daily-builds.yml
index 9f172dec..25a758b0 100644
--- a/.github/workflows/packer-daily-builds.yml
+++ b/.github/workflows/packer-daily-builds.yml
@@ -6,6 +6,8 @@ on:
 permissions:
   id-token: write
   contents: read
+env:
+  GITHUB_BRANCH: main
 jobs:
   get-packer-templates: # Retrieve the Packer templates from the config file and build a matrix of them to run parallel jobs
     if: github.repository == 'aws-games/cloud-game-development-toolkit'
@@ -14,7 +16,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
         with:
-          ref: main
+          ref: ${{ env.GITHUB_BRANCH }}
       - name: Install yq
         run: |
           sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
@@ -28,7 +30,7 @@ jobs:
           echo "MATRIX_JSON: ${MATRIX_JSON}"
     outputs:
       matrix: ${{ steps.packer-templates-matrix.outputs.matrix }}
-  packer-ci: # Run Packer validation and build for each template
+  run-packer-builds:
     if: github.repository == 'aws-games/cloud-game-development-toolkit'
     needs: get-packer-templates
     strategy:
@@ -38,46 +40,10 @@ jobs:
     environment: aws-ci
     runs-on: ubuntu-latest
     steps:
-    - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
+    - name: 'Build Packer template - ${{ matrix.file_name }}
+      uses: ./github/workflows/packer-build.yml
       with:
-        role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
-        aws-region: ${{ vars.AWS_REGION }}
-        role-session-name: CGDToolkitGitHubActions
-    - name: Checkout code
-      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
-      with:
-        ref: main
-    - name: Install AWS CLI
-      run: |
-        curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
-        unzip awscliv2.zip
-        sudo ./aws/install --update
-        aws --version
-    - name: Install Packer
-      run: |
-        PACKER_VERSION=$(curl -s https://checkpoint-api.hashicorp.com/v1/check/packer | jq -r -M '.current_version')
-        wget https://releases.hashicorp.com/packer/${PACKER_VERSION}/packer_${PACKER_VERSION}_linux_amd64.zip
-        unzip packer_${PACKER_VERSION}_linux_amd64.zip
-        mv packer /usr/local/bin
-        rm packer_${PACKER_VERSION}_linux_amd64.zip
-    - name: Packer Init and Validate
-      working-directory: ./assets/packer/${{ matrix.dir }}
-      run: |
-        echo "Validating Packer template: ${{ matrix.description }} - ${{ matrix.file_name }}"
-        packer init ${{ matrix.file_name }}
-        cat > ci.pkrvars.hcl << EOF
-        region = "${{ vars.AWS_REGION }}"
-        vpc_id = "${{ secrets.AWS_VPC_ID_CI }}"
-        subnet_id = "${{ secrets.AWS_SUBNET_ID_CI }}"
-        public_key = <<PUBLIC_KEY
-        ${{ secrets.PACKER_CI_PUBLIC_KEY }}
-        PUBLIC_KEY
-        profile = "${{ secrets.AWS_PROFILE_CI }}"
-        EOF
-        packer validate -var-file=ci.pkrvars.hcl ${{ matrix.file_name }}
-    - name: Packer Build
-      working-directory: ./assets/packer/${{ matrix.dir }}
-      run: |
-        packer build -var-file=ci.pkrvars.hcl ${{ matrix.file_name }}
-
+        packer_template_file_name: ${{ matrix.file_name }}
+        packer_template_dir: ${{ matrix.dir }}
+        packer_template_description: ${{ matrix.description }}
+        branch: ${{ env.GITHUB_BRANCH }}
\ No newline at end of file
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 217aa22f..143f1a10 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -20,6 +20,7 @@ jobs:
           ignore-unfixed: true
           format: 'sarif'
           output: 'trivy-results.sarif'
+          scanners: 'vuln, secret, config'
           severity: 'CRITICAL,HIGH'
 
       - name: Upload Trivy scan results to GitHub Security tab