Create MI for Github workflow in Vulnaribility Scanner #128
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Check Terraform infrastructure | |
on: | |
pull_request: | |
workflow_dispatch: | |
inputs: | |
subscription: | |
description: 'Subscription' | |
type: choice | |
required: true | |
options: | |
- 's940' | |
- 's941' | |
default: 's941' | |
terraformapply: | |
description: 'Terraform apply' | |
type: boolean | |
required: true | |
default: false | |
# secrets: | |
# AZURE_CLIENT_ID: | |
# description: The client ID of the Azure AD service principal to use for authenticating to Azure. | |
# required: true | |
# AZURE_SUBSCRIPTION_ID: | |
# description: The ID of the Azure subscription to create the resources in. | |
# required: true | |
# AZURE_TENANT_ID: | |
# description: The ID of the Azure tenant to create the resources in. | |
# required: true | |
jobs: | |
terrform-s941: | |
name: Check infrastructure consistency | |
runs-on: ubuntu-latest | |
environment: s941 | |
strategy: | |
matrix: | |
ENVIROMENT: [dev, playground] | |
env: | |
# ENVIROMENT: dev #variable passed to scipt | |
SUBSCRIPTION: s941 #variable passed to scipt | |
terraform_version: ~1.3.0 | |
ARM_USE_OIDC: true | |
ARM_USE_AZUREAD: true | |
ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | |
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
storage_account_name: ${{ inputs.subscription }}radixinfra | |
permissions: | |
id-token: write | |
contents: read | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 #Clone Repo | |
- name: 'Az login' | |
uses: azure/login@v1 | |
with: | |
client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
- name: Get GitHub Public IP | |
id: github_public_ip | |
uses: haythem/public-ip@v1.3 | |
- name: Add GitHub IP to StorageAccount | |
run: | | |
az storage account network-rule add \ | |
--resource-group "${{ env.SUBSCRIPTION}}-tfstate" \ | |
--account-name "${{ env.SUBSCRIPTION}}radixinfra" \ | |
--ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null | |
- name: Lets sleep for 30 seconds for FW rule to complete | |
run: sleep 30s | |
- name: Setup Terraform | |
uses: hashicorp/setup-terraform@v2 | |
with: | |
terraform_version: ${{ env.terraform_version }} | |
- name: Check terrorm in ${{ matrix.ENVIROMENT}} | |
working-directory: terraform/subscriptions/scripts | |
run: ENVIROMENT=${{ matrix.ENVIROMENT}} ./terraform.sh | |
- name: Revoke GitHub IP on StorageAccount | |
run: | | |
az storage account network-rule remove \ | |
--resource-group "${{ env.SUBSCRIPTION}}-tfstate" \ | |
--account-name "${{ env.SUBSCRIPTION}}radixinfra" \ | |
--ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null | |
terrform-s940: | |
name: Check infrastructure consistency | |
runs-on: ubuntu-latest | |
environment: s940 | |
strategy: | |
matrix: | |
ENVIROMENT: [prod, c2] | |
env: | |
# ENVIROMENT: dev #variable passed to scipt | |
SUBSCRIPTION: s940 #variable passed to scipt | |
terraform_version: ~1.3.0 | |
ARM_USE_OIDC: true | |
ARM_USE_AZUREAD: true | |
ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | |
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
storage_account_name: ${{ inputs.subscription }}radixinfra | |
permissions: | |
id-token: write | |
contents: read | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 #Clone Repo | |
- name: 'Az login' | |
uses: azure/login@v1 | |
with: | |
client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
- name: Get GitHub Public IP | |
id: github_public_ip | |
uses: haythem/public-ip@v1.3 | |
- name: Add GitHub IP to StorageAccount | |
run: | | |
az storage account network-rule add \ | |
--resource-group "${{ env.SUBSCRIPTION}}-tfstate" \ | |
--account-name "${{ env.SUBSCRIPTION}}radixinfra" \ | |
--ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null | |
- name: Lets sleep for 30 seconds for FW rule to complete | |
run: sleep 30s | |
- name: Setup Terraform | |
uses: hashicorp/setup-terraform@v2 | |
with: | |
terraform_version: ${{ env.terraform_version }} | |
- name: Check terrorm in ${{ matrix.ENVIROMENT}} | |
working-directory: terraform/subscriptions/scripts | |
run: ENVIROMENT=${{ matrix.ENVIROMENT}} ./terraform.sh | |
- name: Revoke GitHub IP on StorageAccount | |
run: | | |
az storage account network-rule remove \ | |
--resource-group "${{ env.SUBSCRIPTION}}-tfstate" \ | |
--account-name "${{ env.SUBSCRIPTION}}radixinfra" \ | |
--ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null |