Use all potential bastion tags instead of only the first match #1810
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Validate Terraform code | |
| on: | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - aws/* | |
| - azure/* | |
| - common/* | |
| - dns/* | |
| - examples/* | |
| - openstack/* | |
| - ovh/* | |
| - .github/workflows/test.yaml | |
| pull_request: | |
| branches: | |
| - main | |
| paths: | |
| - aws/* | |
| - azure/* | |
| - common/* | |
| - dns/* | |
| - examples/* | |
| - openstack/* | |
| - ovh/* | |
| - .github/workflows/test.yaml | |
| jobs: | |
| validate_cloud_providers: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| provider: ['aws', 'azure', 'gcp', 'openstack', 'ovh'] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: hashicorp/setup-terraform@v3 | |
| with: | |
| terraform_version: "1.5.7" | |
| - run: terraform -chdir=${{ matrix.provider }} init | |
| - run: terraform -chdir=${{ matrix.provider }} validate | |
| validate_dns_providers: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| provider: ['cloudflare', 'gcloud', 'txt'] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - uses: hashicorp/setup-terraform@v3 | |
| with: | |
| terraform_version: "1.5.7" | |
| - run: terraform -chdir=dns/${{ matrix.provider }} init | |
| - run: terraform -chdir=dns/${{ matrix.provider }} validate | |
| validate_examples: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| example: | |
| - aws | |
| - azure | |
| - gcp | |
| - openstack | |
| - ovh | |
| # - advanced/spot_instances/aws | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: hashicorp/setup-terraform@v3 | |
| with: | |
| terraform_version: "1.5.7" | |
| - name: Generate an SSH key | |
| run: ssh-keygen -b 2048 -t rsa -q -N "" -f ~/.ssh/id_rsa | |
| - run: sed -i "s;git::${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git//;../../;g" examples/${{ matrix.example }}/main.tf; | |
| - run: terraform -chdir=examples/${{ matrix.example }} init | |
| - run: terraform -chdir=examples/${{ matrix.example }} validate | |
| validate_advanced_examples: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| example: | |
| - spot_instances/aws | |
| - spot_instances/azure | |
| - spot_instances/gcp | |
| - basic_puppet/openstack | |
| - elk/openstack | |
| - k8s/openstack | |
| - lustre/openstack | |
| - spark/openstack | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: hashicorp/setup-terraform@v3 | |
| with: | |
| terraform_version: "1.5.7" | |
| - name: Generate an SSH key | |
| run: ssh-keygen -b 2048 -t rsa -q -N "" -f ~/.ssh/id_rsa | |
| - run: sed -i "s;git::${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git//;../../../../;g" examples/advanced/${{ matrix.example }}/main.tf; | |
| - run: terraform -chdir=examples/advanced/${{ matrix.example }} init | |
| - run: terraform -chdir=examples/advanced/${{ matrix.example }} validate | |
| trivy-vuln-scan: | |
| name: Running Trivy Scan | |
| runs-on: ubuntu-latest | |
| needs: [validate_cloud_providers, validate_examples] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Resolve symbolic links and fix source | |
| run: | | |
| rm {aws,azure,gcp,openstack}/{outputs.tf,variables.tf} | |
| for cloud in aws azure gcp openstack; do | |
| cp common/outputs.tf common/variables.tf $cloud/; | |
| done | |
| sed -i 's;git::https://github.com/ComputeCanada/magic_castle.git//;../../;g' examples/*/*.tf | |
| - name: Manual Trivy Setup | |
| uses: aquasecurity/setup-trivy@v0.2.2 | |
| with: | |
| version: v0.61.1 | |
| cache: true | |
| - name: Run Trivy on providers | |
| run: trivy config --misconfig-scanners terraform --tf-exclude-downloaded-modules --skip-dirs examples/advanced --format json -o trivy-results.json . | |
| - name: Convert Trivy JSON output to SARIF and filter duplicated results | |
| run: | | |
| trivy convert --format sarif trivy-results.json --output trivy-results.sarif | |
| # When converting from JSON to SARIF, some information, like origin of the misconfiguration, is lost. | |
| # The lost information results in duplicated issues. We filter these issues with jq and create a new | |
| # sarif file that will be uploaded to the security tab. | |
| jq 'reduce .runs[0].results[] as $a ([]; if IN(.[]; $a) then . else . += [$a] end)' trivy-results.sarif > trivy-results-filtered.sarif | |
| jq ".runs[0].results |= $(cat trivy-results-filtered.sarif)" trivy-results.sarif > trivy-results-final.sarif | |
| mv trivy-results-final.sarif trivy-results.sarif | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: "trivy-results.sarif" | |
| - name: Publish Trivy Output to Summary | |
| run: | | |
| if [[ -s trivy-results.json ]]; then | |
| { | |
| echo "### Trivy Misconfiguration Scan Output" | |
| echo "<details><summary>Click to expand</summary>" | |
| echo "" | |
| echo '```console' | |
| echo '$ trivy config --misconfig-scanners terraform --tf-exclude-downloaded-modules --skip-dirs examples/advanced .' | |
| trivy convert --format table trivy-results.json | |
| echo '```' | |
| echo "</details>" | |
| } >> $GITHUB_STEP_SUMMARY | |
| fi |