Audit Account #15
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Audit Account | |
| on: | |
| schedule: | |
| - cron: "0 16 * * 1" # Every Monday at 1600 UTC | |
| workflow_dispatch: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.ref }} | |
| cancel-in-progress: false | |
| permissions: | |
| id-token: write | |
| jobs: | |
| audit: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: set variable values | |
| run: ./.github/build-vars.sh set_values | |
| env: | |
| AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }} | |
| AWS_OIDC_ROLE_TO_ASSUME: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_OIDC_ROLE_TO_ASSUME] || secrets.AWS_OIDC_ROLE_TO_ASSUME }} | |
| - name: Configure AWS credentials for GitHub Actions | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ env.AWS_OIDC_ROLE_TO_ASSUME }} | |
| aws-region: ${{ env.AWS_DEFAULT_REGION }} | |
| - name: Collect resources from account | |
| run: pushd .github && aws resourcegroupstaggingapi get-resources > resources.json | |
| - name: List active resources created by CI pipeline | |
| run: pushd .github && ./audit-account.sh ci_active resources.json | |
| - name: List orphaned resources created by CI pipeline | |
| run: pushd .github && ./audit-account.sh ci_inactive resources.json | |
| - name: List resources created by Cloudformation but not from CI pipeline | |
| run: pushd .github && ./audit-account.sh cf_other resources.json | |
| - name: List untagged resources | |
| run: pushd .github && ./audit-account.sh untagged resources.json | |
| - name: Create reports dir | |
| run: pushd .github && mkdir -p reports | |
| - name: Assemble CSV files | |
| run: | | |
| #!/bin/bash | |
| pushd .github | |
| echo "Reports with no entries will be omitted" | |
| CI_ACTIVE="$(./audit-account.sh ci_active resources.json)" | |
| [[ $(jq -r 'length' <<< "${CI_ACTIVE}") -gt 0 ]] && jq -r '(.[0] | |
| | keys_unsorted) as $keys | $keys, map([.[ $keys[] ]])[] | @csv' <<< "${CI_ACTIVE}" > reports/ci_active.csv | |
| CI_INACTIVE="$(./audit-account.sh ci_inactive resources.json)" | |
| [[ $(jq -r 'length' <<< "${CI_INACTIVE}") -gt 0 ]] && jq -r '(.[0] | |
| | keys_unsorted) as $keys | $keys, map([.[ $keys[] ]])[] | @csv' <<< "${CI_INACTIVE}" > reports/ci_inactive.csv | |
| CF_OTHER="$(./audit-account.sh cf_other resources.json)" | |
| [[ $(jq -r 'length' <<< "${CF_OTHER}") -gt 0 ]] && jq -r '(.[0] | |
| | keys_unsorted) as $keys | $keys, map([.[ $keys[] ]])[] | @csv' <<< "${CF_OTHER}" > reports/cf_other.csv | |
| UNTAGGED="$(./audit-account.sh untagged resources.json)" | |
| [[ $(jq -r 'length' <<< "${UNTAGGED}") -gt 0 ]] && jq -r '(.[0] | |
| | keys_unsorted) as $keys | $keys, map([.[ $keys[] ]])[] | @csv' <<< "${UNTAGGED}" > reports/untagged.csv | |
| - name: Upload reports | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: resource-reports | |
| path: .github/reports/ | |
| retention-days: 14 |