diff --git a/.github/workflows/terrasecure-scan.yml b/.github/workflows/terrasecure-scan.yml
new file mode 100644
index 0000000..c45a6ff
--- /dev/null
+++ b/.github/workflows/terrasecure-scan.yml
@@ -0,0 +1,51 @@
+name: TerraSecure IaC Security Scan
+on:
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ security-events: write
+
+concurrency:
+ group: terrasecure-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ terrasecure-scan:
+ name: Scan infra/terraform with TerraSecure
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Run TerraSecure (SARIF)
+ uses: JashwanthMU/TerraSecure@v2.0.0
+ with:
+ path: '${{ github.workspace }}/infra/terraform'
+ format: 'sarif'
+ output: '${{ github.workspace }}/terrasecure-results.sarif'
+ fail-on: 'critical'
+
+ - name: Upload SARIF to GitHub Security tab
+ if: always()
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: '${{ github.workspace }}/terrasecure-results.sarif'
+
+ - name: Run TerraSecure (JSON report)
+ if: always()
+ continue-on-error: true
+ uses: JashwanthMU/TerraSecure@v2.0.0
+ with:
+ path: '${{ github.workspace }}/infra/terraform'
+ format: 'json'
+ output: '${{ github.workspace }}/terrasecure-report.json'
+ fail-on: 'critical'
+
+ - name: Upload JSON report artifact
+ if: always()
+ uses: actions/upload-artifact@v4
+ with:
+ name: terrasecure-report
+ path: '${{ github.workspace }}/terrasecure-report.json'
+ retention-days: 30
\ No newline at end of file
diff --git a/docs/week-10-notes.md b/docs/week-10-notes.md
new file mode 100644
index 0000000..98a8f7f
--- /dev/null
+++ b/docs/week-10-notes.md
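Review bot: Both `uses: JashwanthMU/TerraSecure@v2.0.0` steps pin a third-party action to a mutable tag, so whoever controls that repository can later change the code that runs with this job's GITHUB_TOKEN (`contents: read`, `security-events: write`) and with the checked-out Terraform in scope; pin it to a full-length commit SHA with the version kept as a comment, `uses: JashwanthMU/TerraSecure@<full-commit-sha>  # v2.0.0`, and do the same for the checkout, upload-sarif and upload-artifact steps. The workflow also fires on `workflow_dispatch` only, so changes under infra/terraform are never scanned before they merge; adding `pull_request:` with `paths: ['infra/terraform/**']` under `on:` would make `fail-on: 'critical'` an actual merge gate rather than an on-demand report. The SARIF upload step sets no `category`, which matters if any other SARIF is uploaded for the same commit; consider adding `category: terrasecure` to that `with:` block.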
@@ -0,0 +1,41 @@
+# Week 10 — ArgoCD GitOps Setup
+
+## What ArgoCD does
+ArgoCD watches your GitHub repo. When anything in k8s/base/ changes,
+it automatically applies those changes to the EKS cluster.
+No more manual kubectl apply.
+
+## To Install ArgoCD
+winget install -e --id argoproj.argocd
+
+The official Argo CD CLI documentation also lists WinGet as a supported installation method.
+
+## I got this!!
+PS C:\Projects\crms> argocd version --client
+argocd: v3.4.4+443415b
+ BuildDate: 2026-06-18T09:15:00Z
+ GitCommit: 443415b5527ac55366e0760c93ef0e1abd0cf273
+ GitTreeState: clean
+ GoVersion: go1.26.0
+ Compiler: gc
+ Platform: windows/amd64
+
+## Install ArgoCD on cluster
+kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
+
+## Access ArgoCD UI
+kubectl port-forward svc/argocd-server -n argocd 8080:443
+
+## Get initial admin password
+kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
+
+## Deploy CRMS Application
+kubectl apply -f k8s/argocd/crms-application.yaml
+
+## GitOps flow after setup
+1. Developer pushes code to GitHub
+2. GitHub Actions builds new Docker image, pushes to GHCR
+3. GitHub Actions updates image tag in k8s/base/backend-deployment.yaml
+4. ArgoCD detects change in Git
+5. ArgoCD automatically syncs to EKS cluster
+6. New pods roll out with zero downtime
\ No newline at end of file
diff --git a/k8s/argocd/crms-application.yaml b/k8s/argocd/crms-application.yaml
new file mode 100644
index 0000000..3be9b98
--- /dev/null
+++ b/k8s/argocd/crms-application.yaml
@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: crms
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/crms-devops/crms.git
+ targetRevision: main
+ path: k8s/base
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: crms
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ApplyOutOfSyncOnly=true
\ No newline at end of file
diff --git a/k8s/argocd/namespace.yaml b/k8s/argocd/namespace.yaml
new file mode 100644
index 0000000..28e81d7
--- /dev/null
+++ b/k8s/argocd/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: argocd
+ labels:
+ app: argocd
\ No newline at end of file
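Review bot: `project: default` puts this Application in Argo CD's built-in default AppProject, which permits any source repository, any destination cluster or namespace, and every cluster-scoped resource kind; together with `automated` sync, `prune: true` and `selfHeal: true` on `targetRevision: main`, whatever is merged to that branch is applied with the Argo CD controller's privileges and kept there. Define a dedicated AppProject whose `sourceRepos` lists only the `repoURL` above and whose `destinations` allows only namespace `crms` on `https://kubernetes.default.svc`, with `clusterResourceWhitelist` limited to the kinds this app genuinely needs, and reference it here with `project: crms`. Protection of the `main` branch then becomes the control that decides what reaches the cluster, so it should be set up alongside this manifest.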
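Review bot: The `argocd` Namespace carries only the `app: argocd` label, so nothing in this manifest constrains the pod security of what gets installed into it. Pod Security Admission labels such as `pod-security.kubernetes.io/enforce: baseline` plus `pod-security.kubernetes.io/warn: restricted` and `pod-security.kubernetes.io/audit: restricted` would document and enforce that baseline for the Argo CD components. Confirm that the pods from the upstream install manifest pass the chosen enforce level before enabling it, since a failing level blocks the install.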