Update instance.rego #26
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Terraform CI/CD with OPA | |
| on: | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - '**/*.tf' | |
| - 'policies/*.rego' | |
| pull_request: | |
| branches: | |
| - main | |
| paths: | |
| - '**/*.tf' | |
| - 'policies/*.rego' | |
| jobs: | |
| terraform_plan: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v2 | |
| - name: List files in repository | |
| run: | | |
| echo "Listing root directory:" | |
| ls -alh | |
| echo "Checking if select_policy.py exists:" | |
| if [ -f ./select_policy.py ]; then | |
| echo "select_policy.py is present." | |
| else | |
| echo "select_policy.py is not found." | |
| fi | |
| - name: Cleanup macOS metadata files | |
| run: find ./policies -name '._*' -delete | |
| - name: Set up AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v1 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: us-east-1 | |
| - name: Set up Python | |
| uses: actions/setup-python@v2 | |
| with: | |
| python-version: '3.x' | |
| - name: Set up Terraform | |
| uses: hashicorp/setup-terraform@v2 | |
| - name: Terraform Init and Plan | |
| run: | | |
| terraform init | |
| terraform plan -out=tfplan | |
| - name: Save Terraform Plan | |
| run: terraform show -json tfplan > plan.json | |
| - name: Install OPA | |
| run: | | |
| curl -L -o opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64 | |
| chmod +x opa | |
| - name: Download and Debug OPA Policies | |
| run: | | |
| curl -L -o policies.tar.gz ${{ secrets.POLICY_URL }} -w "%{http_code} - %{content_type}\n" | |
| echo "Downloaded file type:" | |
| file policies.tar.gz | |
| mkdir -p policies | |
| tar -xzf policies.tar.gz -C policies || echo "Failed to extract tar.gz" | |
| - name: Install Dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| - name: Select OPA Policy Using Tags | |
| id: select_policy | |
| run: | | |
| policy_file=$(python ./select_policy.py ./policies 'instance') | |
| echo "Policy File: $policy_file" | |
| echo "::set-output name=policy_path::$policy_file" | |
| - name: OPA Policy Evaluation | |
| run: | | |
| ./opa eval --format pretty --data ${{ steps.select_policy.outputs.policy_path }} --input plan.json "data.terraform.allow" | |
| terraform_apply: | |
| needs: terraform_plan | |
| runs-on: ubuntu-latest | |
| if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
| steps: | |
| - uses: actions/checkout@v2 | |
| - name: Set up AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v1 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: us-east-1 | |
| - name: Set up Terraform | |
| uses: hashicorp/setup-terraform@v2 | |
| - name: Terraform Apply | |
| run: | | |
| terraform apply tfplan |