Update terraform.yml

migara · May 2, 2024 · c1d9eda · c1d9eda
1 parent f0cef5c
commit c1d9eda
Showing 1 changed file with 30 additions and 16 deletions.
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -1,5 +1,9 @@
 name: "Terraform"
 
+permissions:
+  id-token: write
+  contents: read
+
 on:
   push:
     branches:
@@ -9,19 +13,18 @@ on:
 
 jobs:
   terraform:
+    permissions: write-all
     name: "Terraform"
     runs-on: ubuntu-latest
     env:
       PANOS_HOSTNAME: ${{ secrets.PANOS_HOSTNAME }}
       PANOS_USERNAME: ${{ secrets.PANOS_USERNAME }}
       PANOS_PASSWORD: ${{ secrets.PANOS_PASSWORD }}
-      GITHUB_REF: ${{ github.ref }}
-      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      ASSUME_ROLE: ${{ secrets.ASSUME_ROLE }}
       AWS_REGION: "eu-west-2"
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Set env to development
         if: endsWith(github.ref, '/development') || endsWith(github.base_ref, 'development')
@@ -33,19 +36,23 @@ jobs:
         run: |
           echo "TF_VAR_device_group_name=production" >> $GITHUB_ENV
 
-      # OPA Checks
-      - name: Evaluate OPA Policy
-        id: opa_eval
-        uses: migara/test-action@master
+      - name: Setup OPA
+        uses: open-policy-agent/setup-opa@v2
         with:
-          tests: /tests/panos.rego
-          policy: /policy.yml
+          version: latest
+
+      - name: Run OPA Tests
+        id: opa_eval
+        run: |
+          result=$(opa eval -i policy.yml -d tests/panos.rego 'data.panos')
+          echo OPA=$result >> "$GITHUB_OUTPUT"
+        
 
       - name: Set OPA Results
         uses: actions/[email protected]
         if: github.event_name == 'pull_request'
         env:
-          opa_results: ${{ steps.opa_eval.outputs.opa_results }}
+          opa_results: ${{ steps.opa_eval.outputs.OPA }}
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
@@ -54,7 +61,7 @@ jobs:
             const deny = opa_results.result[0].expressions[0].value.deny
 
             if (!allow) {
-              const output = `#### OPA Policy Violation 🤷 ❌
+              const output = `#### OPA Policy Violation 🚫
               #### Policy Violations
               
               ${deny.map(msg => `* ${msg}`).join("\n")}
@@ -71,9 +78,16 @@ jobs:
               console.log(context)
               process.exit(1);
             }
-
+        
+      - name: configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ env.ASSUME_ROLE }}
+          role-session-name: gh-action-role-session
+          aws-region: ${{ env.AWS_REGION }}
+
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v1
+        uses: hashicorp/setup-terraform@v3
         # with:
           # terraform_version: 0.13.0:
           # cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
@@ -133,7 +147,7 @@ jobs:
         uses: actions/[email protected]
         if: github.event_name == 'pull_request'
         env:
-          opa_results: ${{ steps.opa_eval.outputs.opa_results }}
+          opa_results: ${{ steps.opa_eval.outputs.OPA }}
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
@@ -167,5 +181,5 @@ jobs:
         run: exit 1
 
       - name: Terraform Apply
-        if: github.event_name == 'push'
+        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
         run: terraform apply -auto-approve