Cloudformation access key #107
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CloudFormation-CI | |
on: | |
pull_request: | |
branches: | |
- main | |
- "[0-9]+.[0-9]+" | |
types: [opened, synchronize, reopened] | |
paths: | |
- deploy/cloudformation/*.yml | |
- .github/workflows/cloudformation-ci.yml | |
push: | |
branches: | |
- main | |
- "[0-9]+.[0-9]+" | |
paths: | |
- deploy/cloudformation/*.yml | |
- .github/workflows/cloudformation-ci.yml | |
env: | |
WORKING_DIR: deploy/test-environments | |
INTEGRATIONS_SETUP_DIR: tests/integrations_setup | |
TF_VAR_ec_api_key: ${{ secrets.EC_API_KEY }} | |
jobs: | |
Deploy-CloudFormation: | |
name: "Deploy CloudFormation" | |
runs-on: ubuntu-20.04 | |
timeout-minutes: 40 | |
defaults: | |
run: | |
working-directory: ${{ env.WORKING_DIR }} | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: Init Hermit | |
run: ./bin/hermit env -r >> $GITHUB_ENV | |
working-directory: ./ | |
- name: Set up unique deployment names | |
run: | | |
suffix="$(date +%s | tail -c 3)" | |
echo "TF_VAR_deployment_name=DEPLOY_PR${{ github.event.number }}-$suffix" >> $GITHUB_ENV | |
echo "CNVM_STACK_NAME=cnvm-stack-pr${{ github.event.number }}-$suffix" >> $GITHUB_ENV | |
- name: Set up Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.9' | |
- name: Install Poetry | |
run: | | |
curl -sSL https://install.python-poetry.org | python3 - | |
poetry --version | |
- name: Install Fleet API dependencies | |
id: fleet-api-deps | |
working-directory: ./tests | |
run: | | |
poetry install | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v2 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws-region: "eu-west-1" | |
- name: Provision Elastic Cloud Environment | |
id: apply | |
if: success() | |
env: | |
TF_VAR_stack_version: ${{ env.ELK_VERSION }} | |
TF_VAR_ess_region: "gcp-us-west2" | |
run: | | |
terraform init | |
terraform validate | |
# To address the conditional statement outputting stack values in the deployment stack, | |
# we need to specify both targets: ec_project and ec_deployment. | |
terraform apply --auto-approve -target=module.ec_deployment -target="module.ec_project" | |
- name: Set Environment Output | |
id: env-output | |
run: | | |
echo "KIBANA_URL=$(terraform output -raw kibana_url)" >> $GITHUB_ENV | |
echo "ES_URL=$(terraform output -raw elasticsearch_url)" >> $GITHUB_ENV | |
echo "ES_USER=$(terraform output -raw elasticsearch_username)" >> $GITHUB_ENV | |
export ES_PASSWORD=$(terraform output -raw elasticsearch_password) | |
echo "::add-mask::$ES_PASSWORD" | |
echo "ES_PASSWORD=$ES_PASSWORD" >> $GITHUB_ENV | |
- name: Install integrations | |
working-directory: ${{ env.INTEGRATIONS_SETUP_DIR }} | |
env: | |
STACK_VERSION: ${{ env.ELK_VERSION }} | |
run: | | |
poetry run python ./install_cnvm_integration.py | |
- name: Deploy CNVM agent | |
env: | |
STACK_NAME: "${{ env.CNVM_STACK_NAME}}" | |
run: | | |
just deploy-cloudformation | |
- name: Wait for CloudFormation stack | |
id: wait-for-cfn | |
run: | | |
aws cloudformation wait stack-create-complete --stack-name ${{ env.CNVM_STACK_NAME }} | |
- name: Wait for agents to enroll | |
id: wait-for-agents | |
working-directory: ${{ env.INTEGRATIONS_SETUP_DIR }} | |
timeout-minutes: 1 | |
run: | | |
poetry run python ./agents_enrolled.py | |
- name: Cleanup Environment | |
if: always() | |
run: | | |
terraform destroy --auto-approve -target="module.ec_deployment" -target="module.ec_project" | |
aws cloudformation delete-stack --stack-name ${{ env.CNVM_STACK_NAME }} | |
aws cloudformation wait stack-delete-complete --stack-name ${{ env.CNVM_STACK_NAME }} | |
Deploy-CloudFormation-DirectKeys: | |
name: "Deploy CloudFormation DirectKeys" | |
runs-on: ubuntu-latest | |
timeout-minutes: 40 | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: Hermit Environment | |
uses: ./.github/actions/hermit | |
with: | |
init-tools: 'true' | |
- name: Set up unique deployment names | |
run: | | |
suffix="$(date +%s | tail -c 3)" | |
echo "DIRECT_KEY_STACK_NAME=direct-key-stack-pr${{ github.event.number }}-$suffix" >> $GITHUB_ENV | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws-region: "eu-west-1" | |
- name: Deploy CloudFormation stack | |
env: | |
CF_FILE: 'deploy/cloudformation/elastic-agent-direct-access-key-cspm.yml' | |
run: | | |
aws cloudformation validate-template --template-body file://${{ env.CF_FILE }} | |
aws cloudformation create-stack --stack-name ${{ env.DIRECT_KEY_STACK_NAME }} --template-body file://${{ env.CF_FILE }} --capabilities CAPABILITY_NAMED_IAM | |
aws cloudformation wait stack-create-complete --stack-name ${{ env.DIRECT_KEY_STACK_NAME }} | |
- name: Get Direct Keys | |
id: direct-keys | |
shell: bash | |
run: | | |
BODY="$(aws cloudformation describe-stacks --stack-name ${{ env.DIRECT_KEY_STACK_NAME }} --query 'Stacks[0].Outputs' --output json)" | |
NEW_ACCESS_KEY_ID="$(echo "${BODY}" | jq -r '.[] | select(.OutputKey | test("AccessKeyId")) | .OutputValue')" | |
echo "::add-mask::$NEW_ACCESS_KEY_ID" | |
NEW_SECRET_ACCESS_KEY="$(echo "${BODY}" | jq -r '.[] | select(.OutputKey | test("SecretAccessKey")) | .OutputValue')" | |
echo "::add-mask::$NEW_SECRET_ACCESS_KEY" | |
echo "NEW_ACCESS_KEY_ID=${NEW_ACCESS_KEY_ID}" >> $GITHUB_OUTPUT | |
echo "NEW_SECRET_ACCESS_KEY=${NEW_SECRET_ACCESS_KEY}" >> $GITHUB_OUTPUT | |
- name: Run AWS integration tests | |
uses: ./.github/actions/aws-ci | |
with: | |
elk-version: ${{ env.ELK_VERSION }} | |
aws-access-key-id: ${{ steps.direct-keys.outputs.NEW_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ steps.direct-keys.outputs.NEW_SECRET_ACCESS_KEY }} | |
aws-account-type: single-account | |
- name: Cleanup Environment | |
if: always() | |
run: | | |
aws cloudformation delete-stack --stack-name ${{ env.DIRECT_KEY_STACK_NAME }} | |
aws cloudformation wait stack-delete-complete --stack-name ${{ env.DIRECT_KEY_STACK_NAME }} |