[Snyk] Security upgrade debian from bullseye-20240211-slim to bullseye-20240513-slim #70
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Leverage Toolbox Integration Test | |
on: [pull_request] | |
jobs: | |
test_leverage: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout base branch | |
uses: actions/checkout@v3 | |
- name: Clone RefArch | |
run: | | |
printf "[INFO] Cloning RefArch" | |
git clone https://github.com/binbashar/le-tf-infra-aws.git ./refarch | |
- name: Build and reference Toolbox Image | |
run: | | |
printf "[INFO] Build Toolbox\n" | |
make init-makefiles | |
make build-local | |
DOCKER_REPO_NAME=$(grep -E "DOCKER_REPO_NAME +:=" Makefile | sed -E 's/DOCKER_REPO_NAME +:= (.+)/\1/') | |
DOCKER_IMG_NAME=$(grep -E "DOCKER_IMG_NAME +:=" Makefile | sed -E 's/DOCKER_IMG_NAME +:= (.+)/\1/') | |
LEVERAGE_CLI_TAG=$(grep -E "LEVERAGE_CLI_TAG +:=" Makefile | sed -E 's/LEVERAGE_CLI_TAG +:= (.+)/\1/') | |
TERRAFORM_TAG=$(grep -E "TERRAFORM_TAG +:=" Makefile | sed -E 's/TERRAFORM_TAG +:= (.+)/\1/') | |
TOOLBOX_VERSION=${TERRAFORM_TAG}-${LEVERAGE_CLI_TAG} | |
TOOLBOX_IMAGE=${DOCKER_REPO_NAME}/${DOCKER_IMG_NAME} | |
cat << EOF > refarch/build.env | |
# Project settings | |
PROJECT=bb | |
# General | |
MFA_ENABLED=false | |
# Terraform | |
TERRAFORM_IMAGE_TAG=${TOOLBOX_VERSION} | |
EOF | |
- name: Install CLI | |
run: | | |
printf "[INFO] Installing CLI\n" | |
python --version | |
pip install leverage | |
- name: Set up credentials | |
run: | | |
printf "[INFO] Setting up credentials\n" | |
mkdir -p ~/.aws/bb | |
aws configure set aws_access_key_id ${{ secrets.AWS_ACCESS_KEY_ID }} --profile bb-deploymaster | |
aws configure set aws_secret_access_key ${{ secrets.AWS_SECRET_ACCESS_KEY }} --profile bb-deploymaster | |
aws configure set region us-east-1 --profile bb-apps-devstg-devops | |
aws configure set output json --profile bb-apps-devstg-devops | |
aws configure set role_arn arn:aws:iam::${{ secrets.AWS_DEVSTG_ACCOUNT_ID }}:role/DeployMaster --profile bb-apps-devstg-devops | |
aws configure set source_profile bb-deploymaster --profile bb-apps-devstg-devops | |
cat << EOF > ~/.aws/credentials | |
[bb-deploymaster] | |
aws_access_key_id = ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws_secret_access_key = ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
EOF | |
cp ~/.aws/credentials ~/.aws/bb/ | |
cp ~/.aws/config ~/.aws/bb/ | |
- name: Configure Reference Architecture | |
run: | | |
echo "[INFO] Configure Reference Architecture\n" | |
cat << EOF >> ./config/common.tfvars | |
project = "bb" | |
project_long = "binbash" | |
region_primary = "us-east-1" | |
region_secondary = "us-east-2" | |
vault_address = "vault_trash" | |
vault_token = "vault_trash" | |
sso_region = "us-east-1" | |
sso_enabled = false | |
sso_start_url = "sso_trash" | |
accounts = { | |
security = { | |
id = ${{ secrets.AWS_SECURITY_ACCOUNT_ID }} | |
} | |
apps-devstg = { | |
id = ${{ secrets.AWS_DEVSTG_ACCOUNT_ID }} | |
} | |
} | |
EOF | |
echo "[INFO] Disable MFA\n" | |
sed -i "s/^\(MFA_ENABLED=\)true/\1false/" build.env | |
working-directory: ./refarch | |
- name: Test Terraform | |
env: | |
LEVERAGE_INTERACTIVE: 0 | |
run: | | |
export DOCKER_HOST=/var/run/docker/docker.sock | |
docker info | |
echo $DOCKER_HOST | |
ls -l /var/run/docker/docker.sock | |
ls -l /var/run/docker.sock | |
printf "[INFO] Testing terraform\n" | |
# These are later mounted in the container | |
mkdir ~/.ssh && touch ~/.gitconfig | |
printf "[INFO] Initializing layer\n" | |
leverage tf init | |
printf "[INFO] Generating plan\n" | |
leverage tf plan | |
working-directory: ./refarch/apps-devstg/global/cli-test-layer | |
- name: Test AWS | |
run: | | |
printf "[INFO] Testing AWS\n" | |
printf "[INFO] Getting identity\n" | |
ID=$(leverage aws sts get-caller-identity --profile bb-apps-devstg-devops | grep Account | sed -E 's/^.*("Account.+")[0-9]{12}".*$/\1************"/') | |
if [[ "$ID" == "\"Account\": \"************\"" ]]; | |
then | |
printf "[INFO] OK \n" | |
else | |
printf "[ERROR] Fail \n" | |
exit 1 | |
fi | |
working-directory: ./refarch/apps-devstg/global/cli-test-layer |