Skip to content

Create MI for Github workflow in Vulnaribility Scanner #128

Create MI for Github workflow in Vulnaribility Scanner

Create MI for Github workflow in Vulnaribility Scanner #128

name: Check Terraform infrastructure
on:
pull_request:
workflow_dispatch:
inputs:
subscription:
description: 'Subscription'
type: choice
required: true
options:
- 's940'
- 's941'
default: 's941'
terraformapply:
description: 'Terraform apply'
type: boolean
required: true
default: false
# secrets:
# AZURE_CLIENT_ID:
# description: The client ID of the Azure AD service principal to use for authenticating to Azure.
# required: true
# AZURE_SUBSCRIPTION_ID:
# description: The ID of the Azure subscription to create the resources in.
# required: true
# AZURE_TENANT_ID:
# description: The ID of the Azure tenant to create the resources in.
# required: true
jobs:
terrform-s941:
name: Check infrastructure consistency
runs-on: ubuntu-latest
environment: s941
strategy:
matrix:
ENVIROMENT: [dev, playground]
env:
# ENVIROMENT: dev #variable passed to scipt
SUBSCRIPTION: s941 #variable passed to scipt
terraform_version: ~1.3.0
ARM_USE_OIDC: true
ARM_USE_AZUREAD: true
ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
storage_account_name: ${{ inputs.subscription }}radixinfra
permissions:
id-token: write
contents: read
steps:
- name: Checkout
uses: actions/checkout@v3 #Clone Repo
- name: 'Az login'
uses: azure/login@v1
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Get GitHub Public IP
id: github_public_ip
uses: haythem/public-ip@v1.3
- name: Add GitHub IP to StorageAccount
run: |
az storage account network-rule add \
--resource-group "${{ env.SUBSCRIPTION}}-tfstate" \
--account-name "${{ env.SUBSCRIPTION}}radixinfra" \
--ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null
- name: Lets sleep for 30 seconds for FW rule to complete
run: sleep 30s
- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
with:
terraform_version: ${{ env.terraform_version }}
- name: Check terrorm in ${{ matrix.ENVIROMENT}}
working-directory: terraform/subscriptions/scripts
run: ENVIROMENT=${{ matrix.ENVIROMENT}} ./terraform.sh
- name: Revoke GitHub IP on StorageAccount
run: |
az storage account network-rule remove \
--resource-group "${{ env.SUBSCRIPTION}}-tfstate" \
--account-name "${{ env.SUBSCRIPTION}}radixinfra" \
--ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null
terrform-s940:
name: Check infrastructure consistency
runs-on: ubuntu-latest
environment: s940
strategy:
matrix:
ENVIROMENT: [prod, c2]
env:
# ENVIROMENT: dev #variable passed to scipt
SUBSCRIPTION: s940 #variable passed to scipt
terraform_version: ~1.3.0
ARM_USE_OIDC: true
ARM_USE_AZUREAD: true
ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
storage_account_name: ${{ inputs.subscription }}radixinfra
permissions:
id-token: write
contents: read
steps:
- name: Checkout
uses: actions/checkout@v3 #Clone Repo
- name: 'Az login'
uses: azure/login@v1
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Get GitHub Public IP
id: github_public_ip
uses: haythem/public-ip@v1.3
- name: Add GitHub IP to StorageAccount
run: |
az storage account network-rule add \
--resource-group "${{ env.SUBSCRIPTION}}-tfstate" \
--account-name "${{ env.SUBSCRIPTION}}radixinfra" \
--ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null
- name: Lets sleep for 30 seconds for FW rule to complete
run: sleep 30s
- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
with:
terraform_version: ${{ env.terraform_version }}
- name: Check terrorm in ${{ matrix.ENVIROMENT}}
working-directory: terraform/subscriptions/scripts
run: ENVIROMENT=${{ matrix.ENVIROMENT}} ./terraform.sh
- name: Revoke GitHub IP on StorageAccount
run: |
az storage account network-rule remove \
--resource-group "${{ env.SUBSCRIPTION}}-tfstate" \
--account-name "${{ env.SUBSCRIPTION}}radixinfra" \
--ip-address ${{ steps.github_public_ip.outputs.ipv4 }} >/dev/null