From 1a529607583fed2c2b7656a5f5502db4edbc17d7 Mon Sep 17 00:00:00 2001 From: Nilesh Gadgi Date: Fri, 8 Nov 2024 03:02:08 +0530 Subject: [PATCH 01/32] test: testing powerpipe workflow --- .github/workflows/powerpipe.yml | 1 - terraform/aws/ec2/ec2_ebs.tf | 2 +- terraform/aws/ec2/ec2_instance_in_vpc.tf | 2 +- 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/powerpipe.yml b/.github/workflows/powerpipe.yml index 4ad9cd3..ea2f049 100644 --- a/.github/workflows/powerpipe.yml +++ b/.github/workflows/powerpipe.yml @@ -63,5 +63,4 @@ jobs: mod-branch: v0.18 controls: | ec2_ebs_default_encryption_enabled - ... diff --git a/terraform/aws/ec2/ec2_ebs.tf b/terraform/aws/ec2/ec2_ebs.tf index 37766f2..2cfadfc 100644 --- a/terraform/aws/ec2/ec2_ebs.tf +++ b/terraform/aws/ec2/ec2_ebs.tf @@ -1,3 +1,3 @@ resource "aws_ebs_encryption_by_default" "example" { enabled = false -} \ No newline at end of file +} diff --git a/terraform/aws/ec2/ec2_instance_in_vpc.tf b/terraform/aws/ec2/ec2_instance_in_vpc.tf index 76b716b..c51fed1 100644 --- a/terraform/aws/ec2/ec2_instance_in_vpc.tf +++ b/terraform/aws/ec2/ec2_instance_in_vpc.tf @@ -24,4 +24,4 @@ resource "aws_instance" "rajweb2" { tags = { Name = "RajHelloWorld" } -} \ No newline at end of file +} From 05f23685171fdd33b477cd2beaa409d7946b01da Mon Sep 17 00:00:00 2001 From: Nilesh Gadgi Date: Fri, 8 Nov 2024 03:03:33 +0530 Subject: [PATCH 02/32] test: testing powerpipe workflow --- .github/workflows/powerpipe.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/powerpipe.yml b/.github/workflows/powerpipe.yml index ea2f049..5f8bba8 100644 --- a/.github/workflows/powerpipe.yml +++ b/.github/workflows/powerpipe.yml @@ -4,7 +4,8 @@ on: workflow_dispatch: push: branches: - - "main" + - "branch-test" + pull_request: permissions: id-token: write From 1736bbf0fb6557e7397d463d04e2b7ef6749dfb8 Mon Sep 17 00:00:00 2001 
From: Nilesh Gadgi Date: Fri, 8 Nov 2024 03:17:56 +0530 Subject: [PATCH 03/32] test: testing powerpipe workflow --- .github/workflows/powerpipe.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/powerpipe.yml b/.github/workflows/powerpipe.yml index 5f8bba8..47e9728 100644 --- a/.github/workflows/powerpipe.yml +++ b/.github/workflows/powerpipe.yml @@ -58,7 +58,7 @@ jobs: # ebs_volume_unused - name: Run Terraform AWS Compliance v0.18 control - uses: turbot/steampipe-action-check@v1 + uses: turbot/powerpipe-action-check@v1 with: mod-url: https://github.com/turbot/steampipe-mod-terraform-aws-compliance mod-branch: v0.18 From 4ea0916a4fe609ff12851f7c71e8517b3485ce75 Mon Sep 17 00:00:00 2001 From: Nilesh Gadgi Date: Fri, 8 Nov 2024 03:18:45 +0530 Subject: [PATCH 04/32] test: testing powerpipe workflow --- .github/workflows/powerpipe.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/powerpipe.yml b/.github/workflows/powerpipe.yml index 47e9728..ed48154 100644 --- a/.github/workflows/powerpipe.yml +++ b/.github/workflows/powerpipe.yml @@ -2,9 +2,6 @@ name: 'Powerpipe' on: workflow_dispatch: - push: - branches: - - "branch-test" pull_request: permissions: From 15c39a8e39328478694b6b22dc576b9377b0a7d0 Mon Sep 17 00:00:00 2001 From: Nilesh Gadgi Date: Fri, 8 Nov 2024 03:27:12 +0530 Subject: [PATCH 05/32] test: testing powerpipe workflow --- .github/workflows/powerpipe.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/powerpipe.yml b/.github/workflows/powerpipe.yml index ed48154..52cf9da 100644 --- a/.github/workflows/powerpipe.yml +++ b/.github/workflows/powerpipe.yml @@ -33,9 +33,11 @@ jobs: uses: turbot/steampipe-action-setup@v1 with: plugin-connections: | - connection "terraform" { + connection "aws_tf" { plugin = "terraform" - configuration_file_paths = [ "./**/*.tf" ] + configuration_file_paths = [ + "terraform/aws/**/*.tf" + ] } - name: Install Powerpipe 
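Review bot: The replacement `uses: turbot/powerpipe-action-check@v1` pins the action to a mutable major tag, as does every other `uses:` line in this series (`turbot/steampipe-action-setup@v1`, `turbot/powerpipe-action-setup@v1`, `aws-actions/configure-aws-credentials@v4`, `actions/checkout@v4`); a tag can be moved to different code after review, and this step executes while the job holds an assumed AWS role. Pin each action to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: turbot/powerpipe-action-check@<commit-sha>  # v1`, and let Dependabot or Renovate bump the SHA. The enclosing `steps:` list continues outside this hunk.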
@@ -54,11 +56,11 @@ jobs: # controls: | # ebs_volume_unused - - name: Run Terraform AWS Compliance v0.18 control + - name: Run Terraform AWS Compliance control uses: turbot/powerpipe-action-check@v1 with: mod-url: https://github.com/turbot/steampipe-mod-terraform-aws-compliance - mod-branch: v0.18 controls: | ec2_ebs_default_encryption_enabled + ... From ffb47bf694eea2a6191173195111b69203e6b793 Mon Sep 17 00:00:00 2001 From: Nilesh Gadgi Date: Fri, 8 Nov 2024 03:30:23 +0530 Subject: [PATCH 06/32] test: testing powerpipe workflow --- .github/workflows/powerpipe.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/powerpipe.yml b/.github/workflows/powerpipe.yml index 52cf9da..59de71c 100644 --- a/.github/workflows/powerpipe.yml +++ b/.github/workflows/powerpipe.yml @@ -6,7 +6,11 @@ on: permissions: id-token: write - contents: read + contents: write + checks: write + issues: write + pull-requests: write + statuses: read jobs: powerpipe: From 961e0e0d39909c0646b808a81e4975dd81882eca Mon Sep 17 00:00:00 2001 From: Nilesh Gadgi Date: Fri, 8 Nov 2024 03:31:14 +0530 Subject: [PATCH 07/32] test: testing powerpipe workflow --- .github/workflows/powerpipe.yml | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/.github/workflows/powerpipe.yml b/.github/workflows/powerpipe.yml index 59de71c..898a2c1 100644 --- a/.github/workflows/powerpipe.yml +++ b/.github/workflows/powerpipe.yml @@ -5,12 +5,20 @@ on: pull_request: permissions: - id-token: write - contents: write - checks: write - issues: write - pull-requests: write - statuses: read + actions: write + attestations: write + checks: write + contents: write + deployments: write + id-token: write + issues: write + discussions: write + packages: write + pages: write + pull-requests: write + repository-projects: write + security-events: write + statuses: write jobs: powerpipe: From 874ef5198ef9a733a4b14bc44aec3b77ecd1cbd4 Mon Sep 17 00:00:00 2001 
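Review bot: Removing `mod-branch: v0.18` leaves `mod-url: https://github.com/turbot/steampipe-mod-terraform-aws-compliance` with no ref, so each run fetches whatever the mod's default branch holds at that moment; control definitions can change between two runs of the same PR and the gate is no longer reproducible. Keep a pinned ref, `mod-branch: v0.18` or a later tag, and bump it deliberately. The same applies to the `steampipe-mod-aws-compliance` step added in PATCH 09/32 and to the shared workflow's `mod_url` input in PATCH 10/32, whose default `steampipe-mod-aws-thrifty` is likewise unpinned. The step's enclosing `steps:` list starts outside this hunk.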
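Review bot: The `permissions:` block now grants `contents: write`, `checks: write`, `issues: write` and `pull-requests: write` to a job that only reads the repository and reports check results, and PATCH 07/32 widens it further to `write` on every scope including `packages`, `pages`, `security-events` and `repository-projects`. The workflow runs on `pull_request`, so this token is available to every third-party action the job pulls in; keep `contents: read` and `id-token: write` and add only the one scope the reporting action needs once it is identified (the later commits settle on `pull-requests: write`). Note that listing any scope sets every unlisted one to `none`, so `contents: read` has to stay explicit if the repository is private, since checkout needs it.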
From: Nilesh Gadgi Date: Fri, 8 Nov 2024 03:33:22 +0530 Subject: [PATCH 08/32] test: testing powerpipe workflow --- .github/workflows/powerpipe.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/powerpipe.yml b/.github/workflows/powerpipe.yml index 898a2c1..0c6e5c0 100644 --- a/.github/workflows/powerpipe.yml +++ b/.github/workflows/powerpipe.yml @@ -72,7 +72,7 @@ jobs: uses: turbot/powerpipe-action-check@v1 with: mod-url: https://github.com/turbot/steampipe-mod-terraform-aws-compliance - controls: | - ec2_ebs_default_encryption_enabled + # controls: | + # ec2_ebs_default_encryption_enabled ... From da4de284516b7683d398d64a51b6298bca6796f1 Mon Sep 17 00:00:00 2001 From: Nilesh Gadgi Date: Fri, 8 Nov 2024 03:39:55 +0530 Subject: [PATCH 09/32] test: testing powerpipe workflow --- .github/workflows/powerpipe.yml | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/.github/workflows/powerpipe.yml b/.github/workflows/powerpipe.yml index 0c6e5c0..90e329c 100644 --- a/.github/workflows/powerpipe.yml +++ b/.github/workflows/powerpipe.yml @@ -51,6 +51,10 @@ jobs: "terraform/aws/**/*.tf" ] } + connection "aws" { + plugin = "aws" + } + - name: Install Powerpipe uses: turbot/powerpipe-action-setup@v1 @@ -72,7 +76,16 @@ jobs: uses: turbot/powerpipe-action-check@v1 with: mod-url: https://github.com/turbot/steampipe-mod-terraform-aws-compliance - # controls: | - # ec2_ebs_default_encryption_enabled + controls: | + ec2_ebs_default_encryption_enabled + - name: Run specific AWS Compliance controls + uses: turbot/powerpipe-action-check@v1 + with: + mod-url: https://github.com/turbot/steampipe-mod-aws-compliance + # controls: | + # ebs_volume_unused + # foundational_security_s3_1 + benchmarks: | + benchmark.cis_v200 ... From 944669ad9b491344a3999c832c733dbbbf1ecd14 Mon Sep 17 00:00:00 2001 
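Review bot: The new `Run specific AWS Compliance controls` step runs `benchmark.cis_v200` from `steampipe-mod-aws-compliance` against the live account, via the `connection "aws"` block added in the first hunk, on every `pull_request` event, whereas the step before it checks only the Terraform files the PR changes. A full CIS scan of the account is not a property of the PR; it belongs in a `schedule:`-triggered workflow with its own role, so the PR job can keep to the terraform-plugin connection and the role it assumes can be scoped down accordingly. Both check steps also pass `mod-url` without a ref, so the benchmark contents are whatever the mod's default branch holds when the job runs. The enclosing `steps:` list starts outside this hunk.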
From: Nilesh Gadgi Date: Sat, 9 Nov 2024 02:25:19 +0530 Subject: [PATCH 10/32] test: testing powerpipe workflow --- .github/workflows/powerpipe.yml | 141 +++++++++++---------- .github/workflows/pp-shared-workflow.yml | 155 +++++++++++++++++++++++ 2 files changed, 226 insertions(+), 70 deletions(-) create mode 100644 .github/workflows/pp-shared-workflow.yml diff --git a/.github/workflows/powerpipe.yml b/.github/workflows/powerpipe.yml index 90e329c..93cc86c 100644 --- a/.github/workflows/powerpipe.yml +++ b/.github/workflows/powerpipe.yml 
@@ -5,87 +5,88 @@ on: pull_request: permissions: - actions: write - attestations: write - checks: write - contents: write - deployments: write + # actions: write + # attestations: write + # checks: write + # contents: write + # deployments: write id-token: write - issues: write - discussions: write - packages: write - pages: write - pull-requests: write - repository-projects: write - security-events: write - statuses: write + # issues: write + # discussions: write + # packages: write + # pages: write + # pull-requests: write + # repository-projects: write + # security-events: write + # statuses: write jobs: powerpipe: - name: 'Powerpipe' - runs-on: ubuntu-latest - # env: - # # This is needed since we are running terraform with read-only permissions - # ARM_SKIP_PROVIDER_REGISTRATION: true - # outputs: - # tfplanExitCode: ${{ steps.tf-plan.outputs.exitcode }} + uses: .github/workflows/pp-shared-workflow.yml + with: + cloud_provider: 'AWS' + aws_assume_role: "arn:aws:iam::924144197303:role/nilesh-powerpipe-role" + secrets: + GITHUB: ${{ secrets.GITHUB }} - steps: - - name: Checkout repo - uses: actions/checkout@v4 + # name: 'Powerpipe' + # runs-on: ubuntu-latest + # steps: + # - name: Checkout repo + # uses: actions/checkout@v4 - - name: Setup AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: arn:aws:iam::924144197303:role/nilesh-powerpipe-role - role-session-name: powerpipe - aws-region: us-east-1 + # - name: Setup AWS Credentials + # uses: aws-actions/configure-aws-credentials@v4 + # with: + # role-to-assume: arn:aws:iam::924144197303:role/nilesh-powerpipe-role + # role-session-name: powerpipe + # aws-region: us-east-1 - - name: Setup Steampipe - uses: turbot/steampipe-action-setup@v1 - with: - plugin-connections: | - connection "aws_tf" { - plugin = "terraform" - configuration_file_paths = [ - "terraform/aws/**/*.tf" - ] - } - connection "aws" { - plugin = "aws" - } + # - name: Setup Steampipe + # uses: 
turbot/steampipe-action-setup@v1 + # with: + # plugin-connections: | + # connection "aws_tf" { + # plugin = "terraform" + # configuration_file_paths = [ + # "terraform/aws/**/*.tf" + # ] + # } + # connection "aws" { + # plugin = "aws" + # } - - name: Install Powerpipe - uses: turbot/powerpipe-action-setup@v1 + # - name: Install Powerpipe + # uses: turbot/powerpipe-action-setup@v1 - - name: Start steampipe service # start steampipe service - powerpipe will connect to this running steampipe postgres database - run: | - steampipe service start - # yes | powerpipe mod install github.com/turbot/steampipe-mod-aws-thrifty - # continue-on-error: true + # - name: Start steampipe service # start steampipe service - powerpipe will connect to this running steampipe postgres database + # run: | + # steampipe service start + # # yes | powerpipe mod install github.com/turbot/steampipe-mod-aws-thrifty + # # continue-on-error: true - # - name: Run Powerpipe benchmark - # uses: turbot/powerpipe-action-check@v1 - # with: - # mod-url: https://github.com/turbot/steampipe-mod-aws-compliance - # controls: | - # ebs_volume_unused + # # - name: Run Powerpipe benchmark + # # uses: turbot/powerpipe-action-check@v1 + # # with: + # # mod-url: https://github.com/turbot/steampipe-mod-aws-compliance + # # controls: | + # # ebs_volume_unused - - name: Run Terraform AWS Compliance control - uses: turbot/powerpipe-action-check@v1 - with: - mod-url: https://github.com/turbot/steampipe-mod-terraform-aws-compliance - controls: | - ec2_ebs_default_encryption_enabled + # - name: Run Terraform AWS Compliance control + # uses: turbot/powerpipe-action-check@v1 + # with: + # mod-url: https://github.com/turbot/steampipe-mod-terraform-aws-compliance + # controls: | + # ec2_ebs_default_encryption_enabled - - name: Run specific AWS Compliance controls - uses: turbot/powerpipe-action-check@v1 - with: - mod-url: https://github.com/turbot/steampipe-mod-aws-compliance - # controls: | - # ebs_volume_unused - # 
foundational_security_s3_1 - benchmarks: | - benchmark.cis_v200 + # - name: Run specific AWS Compliance controls + # uses: turbot/powerpipe-action-check@v1 + # with: + # mod-url: https://github.com/turbot/steampipe-mod-aws-compliance + # # controls: | + # # ebs_volume_unused + # # foundational_security_s3_1 + # benchmarks: | + # benchmark.cis_v200 ... diff --git a/.github/workflows/pp-shared-workflow.yml b/.github/workflows/pp-shared-workflow.yml new file mode 100644 index 0000000..f53aaf7 --- /dev/null +++ b/.github/workflows/pp-shared-workflow.yml 
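Review bot: The caller's former job body is commented out line by line (`# name: 'Powerpipe'` down to `# benchmark.cis_v200`) rather than deleted, so roughly seventy lines of dead configuration remain next to the new `uses: .github/workflows/pp-shared-workflow.yml` call, and they still carry the account id and role name in `# role-to-assume: arn:aws:iam::924144197303:role/nilesh-powerpipe-role`. The same steps were copied into the new shared workflow and git history preserves them, so nothing is lost by removing them here. The `permissions:` block follows the same pattern, keeping every scope except `id-token: write` as a comment; listing only the scopes actually granted reads more clearly and avoids re-enabling one by deleting a single `#`.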
@@ -0,0 +1,155 @@ +--- +name: 'Powerpipe Github Action Workflow' +on: + workflow_call: + inputs: + cloud_provider: + description: 'Cloud Provider Name. i.g. AWS, Azure, GCP, OCI' + required: true + type: string + default: 'AWS' + mod_url: + description: 'Powerpipe Mod URL. Get URL from here: https://hub.powerpipe.io/' + required: false + type: string + default: 'https://github.com/turbot/steampipe-mod-aws-thrifty' + plugin_connection: + description: 'Powerpipe plugin-connection to establish the connection between powerpipe and plugin.' + required: false + type: string + default: | + connection "aws" { + plugin = "aws" + } + # controls: + # description: 'Controlers to run in powerpipe' + # required: false + # type: string + benchmarks: + description: 'Powerpipe step benchmarks to scan in specific mod.' + required: false + type: string + default: | + all + + # AWS Authentication + aws_assume_role: + description: 'AWS IAM role to assume. Necessary if cloud_provider is AWS.' + required: false + type: string + + # GCP Authentication + create_credentials_file: + required: false + type: string + default: true + description: 'If true, the action will securely generate a credentials file which can be used for authentication via gcloud and Google Cloud SDKs.' + token_format: + required: false + type: string + default: access_token + description: 'Output format for the generated authentication token. For OAuth 2.0 access tokens, specify "access_token". For OIDC tokens, specify "id_token". To skip token generation, leave this value empty' + access_token_lifetime: + required: false + type: string + default: 300s + description: 'Desired lifetime duration of the access token, in seconds' + project_id: + required: false + type: string + description: 'ID of the default project to use for future API calls and invocations.' 
+ + secrets: + GITHUB: + description: 'GitHub Token' + required: false + + # GCP Authentication + GCP_CREDENTIALS: + description: 'The Google Cloud JSON service account key to use for authentication' + required: false + WORKLOAD_IDENTITY_PROVIDER: + required: false + description: 'The full identifier of the Workload Identity Provider' + SERVICE_ACCOUNT: + required: false + description: 'The service account to be used' + +jobs: + powerpipe: + name: 'Powerpipe Shared Workflow' + runs-on: ubuntu-latest + steps: + - name: Checkout repo + uses: actions/checkout@v4 + + - name: Setup AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ inputs.aws_assume_role }} + role-session-name: powerpipe + aws-region: us-east-1 + if: ${{ inputs.cloud_provider == 'AWS' }} + + - name: 'Authenticate to Google Cloud' + uses: 'google-github-actions/auth@v2' + with: + credentials_json: '${{ secrets.GCP_CREDENTIALS }}' + create_credentials_file: ${{ inputs.create_credentials_file }} + token_format: ${{ inputs.token_format }} + workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }} + service_account: ${{ secrets.SERVICE_ACCOUNT }} + access_token_lifetime: ${{ inputs.access_token_lifetime }} + project_id: ${{ inputs.project_id }} + if: ${{ inputs.cloud_provider == 'GCP' }} + + # - name: Set mod-url based on cloud provider + # id: set_mod_url + # run: | + # if [ "${{ github.event.inputs.cloud_provider }}" == "AWS" ]; then + # echo "mod_url=https://github.com/turbot/steampipe-mod-terraform-aws-compliance" >> $GITHUB_ENV + # elif [ "${{ github.event.inputs.cloud_provider }}" == "GCP" ]; then + # echo "mod_url=https://github.com/turbot/steampipe-mod-terraform-gcp-compliance" >> $GITHUB_ENV + # else + # echo "Unsupported cloud provider: ${{ github.event.inputs.cloud_provider }}" + # exit 1 + # fi + + - name: Setup Steampipe + uses: turbot/steampipe-action-setup@v1 + with: + plugin-connections: ${{ inputs.plugin_connection }} + + - name: 
Install Powerpipe + uses: turbot/powerpipe-action-setup@v1 + + - name: Start steampipe service # start steampipe service - powerpipe will connect to this running steampipe postgres database + run: | + steampipe service start + + # - name: Run Powerpipe benchmark + # uses: turbot/powerpipe-action-check@v1 + # with: + # mod-url: https://github.com/turbot/steampipe-mod-aws-compliance + # controls: | + # ebs_volume_unused + + - name: Run Terraform AWS Compliance control + uses: turbot/powerpipe-action-check@v1 + with: + mod-url: ${{ inputs.mod_url }} + # controls: ${{ inputs.controls }} + benchmarks: ${{ inputs.benchmarks }} + github-token: ${{ secrets.GITHUB }} + + # - name: Run specific AWS Compliance controls + # uses: turbot/powerpipe-action-check@v1 + # with: + # mod-url: https://github.com/turbot/steampipe-mod-aws-compliance + # # controls: | + # # ebs_volume_unused + # # foundational_security_s3_1 + # benchmarks: | + # benchmark.cis_v200 + # github-token: ${{ secrets.GITHUB }} +... From b47f2d374331ff4720eb4be966270d3eb325a4af Mon Sep 17 00:00:00 2001 From: Nilesh Gadgi Date: Sat, 9 Nov 2024 02:29:31 +0530 Subject: [PATCH 11/32] test: testing powerpipe workflow --- .github/workflows/powerpipe.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/powerpipe.yml b/.github/workflows/powerpipe.yml index 93cc86c..d5405f1 100644 --- a/.github/workflows/powerpipe.yml +++ b/.github/workflows/powerpipe.yml @@ -22,7 +22,7 @@ permissions: jobs: powerpipe: - uses: .github/workflows/pp-shared-workflow.yml + uses: ./.github/workflows/pp-shared-workflow.yml with: cloud_provider: 'AWS' aws_assume_role: "arn:aws:iam::924144197303:role/nilesh-powerpipe-role" From 639ea70a800b48be6d1c08705f52f3dd8141d924 Mon Sep 17 00:00:00 2001 From: Nilesh Gadgi Date: Sat, 9 Nov 2024 02:43:52 +0530 Subject: [PATCH 12/32] test: testing powerpipe workflow --- .github/workflows/powerpipe.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
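Review bot: The `powerpipe` job in the new reusable workflow declares no `permissions:` of its own and so inherits whatever the caller grants; since a called workflow can only narrow the caller's scopes, a job-level `permissions:` with `id-token: write` and `contents: read` under `jobs.powerpipe` documents what `Setup AWS Credentials` and `Checkout repo` need and keeps the job at that minimum even when the caller is broad. Two declarations look inconsistent: `create_credentials_file` is `type: string` with `default: true` and should be `type: boolean`, and the `Authenticate to Google Cloud` step passes `credentials_json` and `workload_identity_provider` together, which as far as I can tell the auth action treats as alternative modes, so one should be dropped or the step split per mode. All four secrets are `required: false`, so a caller that forgets `GCP_CREDENTIALS` or `GITHUB` gets an empty string that only fails inside the action; a description on each saying which `cloud_provider` value needs it would make that visible at the call site.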
diff --git a/.github/workflows/powerpipe.yml b/.github/workflows/powerpipe.yml index d5405f1..0c5c2da 100644 --- a/.github/workflows/powerpipe.yml +++ b/.github/workflows/powerpipe.yml @@ -25,7 +25,7 @@ jobs: uses: ./.github/workflows/pp-shared-workflow.yml with: cloud_provider: 'AWS' - aws_assume_role: "arn:aws:iam::924144197303:role/nilesh-powerpipe-role" + aws_assume_role: ${{ secrets.assume_role }} secrets: GITHUB: ${{ secrets.GITHUB }} From 8a8133ed7a9dbb1fccd177d0c16a59ea87e2f855 Mon Sep 17 00:00:00 2001 From: Nilesh Gadgi Date: Sat, 9 Nov 2024 02:51:18 +0530 Subject: [PATCH 13/32] test: testing powerpipe workflow --- .github/workflows/powerpipe.yml | 3 ++- .github/workflows/pp-shared-workflow.yml | 11 +++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/powerpipe.yml b/.github/workflows/powerpipe.yml index 0c5c2da..f78468e 100644 --- a/.github/workflows/powerpipe.yml +++ b/.github/workflows/powerpipe.yml @@ -25,9 +25,10 @@ jobs: uses: ./.github/workflows/pp-shared-workflow.yml with: cloud_provider: 'AWS' - aws_assume_role: ${{ secrets.assume_role }} + # aws_assume_role: ${{ secrets.assume_role }} secrets: GITHUB: ${{ secrets.GITHUB }} + aws_assume_role: ${{ secrets.assume_role }} # name: 'Powerpipe' # runs-on: ubuntu-latest diff --git a/.github/workflows/pp-shared-workflow.yml b/.github/workflows/pp-shared-workflow.yml index f53aaf7..9a9c48b 100644 --- a/.github/workflows/pp-shared-workflow.yml +++ b/.github/workflows/pp-shared-workflow.yml @@ -32,12 +32,6 @@ on: default: | all - # AWS Authentication - aws_assume_role: - description: 'AWS IAM role to assume. Necessary if cloud_provider is AWS.' - required: false - type: string - # GCP Authentication create_credentials_file: required: false 
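Review bot: `aws_assume_role: ${{ secrets.assume_role }}` treats the role ARN as a secret, but an ARN is an identifier, not a credential; what protects the role is its trust policy, which should restrict `token.actions.githubusercontent.com:sub` to this repository (and ideally the branch or environment the workflow runs from) and `aud` to `sts.amazonaws.com`. Keeping the ARN hidden also means reviewers can no longer see which role a workflow change affects, and here it is still passed through a plain `with:` input. Put the ARN in a repository variable (`vars.`) or leave it in the file, and spend the effort on the trust-policy condition instead.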
@@ -60,6 +54,11 @@ on: description: 'ID of the default project to use for future API calls and invocations.' secrets: + # AWS Authentication + aws_assume_role: + description: 'AWS IAM role to assume. Necessary if cloud_provider is AWS.' + required: false + GITHUB: description: 'GitHub Token' required: false From 1508238e93b85306b122b890aad6197caa44f2e9 Mon Sep 17 00:00:00 2001 From: Nilesh Gadgi Date: Sat, 9 Nov 2024 02:53:14 +0530 Subject: [PATCH 14/32] test: testing powerpipe workflow --- .github/workflows/pp-shared-workflow.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pp-shared-workflow.yml b/.github/workflows/pp-shared-workflow.yml index 9a9c48b..7221d11 100644 --- a/.github/workflows/pp-shared-workflow.yml +++ b/.github/workflows/pp-shared-workflow.yml @@ -85,7 +85,7 @@ jobs: - name: Setup AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - role-to-assume: ${{ inputs.aws_assume_role }} + role-to-assume: ${{ secrets.aws_assume_role }} role-session-name: powerpipe aws-region: us-east-1 if: ${{ inputs.cloud_provider == 'AWS' }} From 0b4129dbd5ac1b0197273f7050ed2ae55a0cd73f Mon Sep 17 00:00:00 2001 From: Nilesh Gadgi Date: Sat, 9 Nov 2024 02:54:21 +0530 Subject: [PATCH 15/32] test: testing powerpipe workflow --- .github/workflows/powerpipe.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/powerpipe.yml b/.github/workflows/powerpipe.yml index f78468e..9097576 100644 --- a/.github/workflows/powerpipe.yml +++ b/.github/workflows/powerpipe.yml @@ -26,9 +26,9 @@ jobs: with: cloud_provider: 'AWS' # aws_assume_role: ${{ secrets.assume_role }} - secrets: - GITHUB: ${{ secrets.GITHUB }} - aws_assume_role: ${{ secrets.assume_role }} + secrets: inherit + # GITHUB: ${{ secrets.GITHUB }} + # aws_assume_role: ${{ secrets.assume_role }} # name: 'Powerpipe' # runs-on: ubuntu-latest From 578243bbb82bdce85f688af7ce97b99486334f6d Mon Sep 17 00:00:00 2001 
From: Nilesh Gadgi Date: Sat, 9 Nov 2024 02:56:13 +0530 Subject: [PATCH 16/32] test: testing powerpipe workflow --- .github/workflows/powerpipe.yml | 30 ++++++++++++------------ .github/workflows/pp-shared-workflow.yml | 11 ++++++--- 2 files changed, 23 insertions(+), 18 deletions(-) diff --git a/.github/workflows/powerpipe.yml b/.github/workflows/powerpipe.yml index 9097576..fdb51a4 100644 --- a/.github/workflows/powerpipe.yml +++ b/.github/workflows/powerpipe.yml @@ -4,21 +4,21 @@ on: workflow_dispatch: pull_request: -permissions: - # actions: write - # attestations: write - # checks: write - # contents: write - # deployments: write - id-token: write - # issues: write - # discussions: write - # packages: write - # pages: write - # pull-requests: write - # repository-projects: write - # security-events: write - # statuses: write +# permissions: +# # actions: write +# # attestations: write +# # checks: write +# # contents: write +# # deployments: write +# id-token: write +# # issues: write +# # discussions: write +# # packages: write +# # pages: write +# # pull-requests: write +# # repository-projects: write +# # security-events: write +# # statuses: write jobs: powerpipe: diff --git a/.github/workflows/pp-shared-workflow.yml b/.github/workflows/pp-shared-workflow.yml index 7221d11..b411e51 100644 --- a/.github/workflows/pp-shared-workflow.yml +++ b/.github/workflows/pp-shared-workflow.yml @@ -1,5 +1,10 @@ --- name: 'Powerpipe Github Action Workflow' + +permissions: + id-token: write + + on: workflow_call: inputs: @@ -59,9 +64,9 @@ on: description: 'AWS IAM role to assume. Necessary if cloud_provider is AWS.' required: false - GITHUB: - description: 'GitHub Token' - required: false + # GITHUB: + # description: 'GitHub Token' + # required: false # GCP Authentication GCP_CREDENTIALS: From df954d361849596a2ddf2488ac15cbbf86363eae Mon Sep 17 00:00:00 2001 
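Review bot: Commenting out the caller's entire `permissions:` block, including `id-token: write`, makes the job's token fall back to the repository's default workflow permissions, and the `permissions: id-token: write` added at the top of `pp-shared-workflow.yml` in the second hunk cannot restore it, because a called workflow may only reduce the scopes its caller grants. With restrictive defaults the OIDC exchange in `Setup AWS Credentials` then fails for lack of `id-token`; with permissive defaults the job receives far more than it needs. The caller should keep `permissions:` with `id-token: write` and `contents: read` explicitly, and the block in the shared workflow is better placed at the job level under `jobs.powerpipe` as a statement of that job's own requirement.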
From: Nilesh Gadgi Date: Sat, 9 Nov 2024 02:59:12 +0530 Subject: [PATCH 17/32] test: testing powerpipe workflow --- .github/workflows/powerpipe.yml | 37 ++++++++++++------------ .github/workflows/pp-shared-workflow.yml | 10 +++---- 2 files changed, 23 insertions(+), 24 deletions(-) diff --git a/.github/workflows/powerpipe.yml b/.github/workflows/powerpipe.yml index fdb51a4..dc6781b 100644 --- a/.github/workflows/powerpipe.yml +++ b/.github/workflows/powerpipe.yml @@ -4,31 +4,30 @@ on: workflow_dispatch: pull_request: -# permissions: -# # actions: write -# # attestations: write -# # checks: write -# # contents: write -# # deployments: write -# id-token: write -# # issues: write -# # discussions: write -# # packages: write -# # pages: write -# # pull-requests: write -# # repository-projects: write -# # security-events: write -# # statuses: write +permissions: + # actions: write + # attestations: write + # checks: write + # contents: write + # deployments: write + id-token: write + # issues: write + # discussions: write + # packages: write + # pages: write + # pull-requests: write + # repository-projects: write + # security-events: write + # statuses: write jobs: powerpipe: uses: ./.github/workflows/pp-shared-workflow.yml with: cloud_provider: 'AWS' - # aws_assume_role: ${{ secrets.assume_role }} - secrets: inherit - # GITHUB: ${{ secrets.GITHUB }} - # aws_assume_role: ${{ secrets.assume_role }} + secrets: + TOKEN: ${{ secrets.GITHUB }} + aws_assume_role: ${{ secrets.assume_role }} # name: 'Powerpipe' # runs-on: ubuntu-latest diff --git a/.github/workflows/pp-shared-workflow.yml b/.github/workflows/pp-shared-workflow.yml index b411e51..1f12318 100644 --- a/.github/workflows/pp-shared-workflow.yml +++ b/.github/workflows/pp-shared-workflow.yml 
@@ -64,9 +64,9 @@ on: description: 'AWS IAM role to assume. Necessary if cloud_provider is AWS.' required: false - # GITHUB: - # description: 'GitHub Token' - # required: false + TOKEN: + description: 'GitHub Token' + required: false # GCP Authentication GCP_CREDENTIALS: @@ -144,7 +144,7 @@ jobs: mod-url: ${{ inputs.mod_url }} # controls: ${{ inputs.controls }} benchmarks: ${{ inputs.benchmarks }} - github-token: ${{ secrets.GITHUB }} + github-token: ${{ secrets.TOKEN }} # - name: Run specific AWS Compliance controls # uses: turbot/powerpipe-action-check@v1 @@ -155,5 +155,5 @@ jobs: # # foundational_security_s3_1 # benchmarks: | # benchmark.cis_v200 - # github-token: ${{ secrets.GITHUB }} + # github-token: ${{ secrets.TOKEN }} ... From 9980c4d49873b844c3b0d59878f53223ad737f4f Mon Sep 17 00:00:00 2001 From: Nilesh Gadgi Date: Sat, 9 Nov 2024 03:01:13 +0530 Subject: [PATCH 18/32] test: testing powerpipe workflow --- .github/workflows/powerpipe.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/powerpipe.yml b/.github/workflows/powerpipe.yml index dc6781b..7efe408 100644 --- a/.github/workflows/powerpipe.yml +++ b/.github/workflows/powerpipe.yml @@ -26,7 +26,7 @@ jobs: with: cloud_provider: 'AWS' secrets: - TOKEN: ${{ secrets.GITHUB }} + TOKEN: ${{ secrets.GITHUB_TOKEN }} aws_assume_role: ${{ secrets.assume_role }} # name: 'Powerpipe' From 87eda24adca1a1b918dd6ae92a6fadee9fafaf47 Mon Sep 17 00:00:00 2001 From: Nilesh Gadgi Date: Sat, 9 Nov 2024 03:20:03 +0530 Subject: [PATCH 19/32] test: testing powerpipe workflow --- .github/workflows/powerpipe.yml | 13 +++++++ .github/workflows/pp-shared-workflow.yml | 48 +++++------------------- 2 files changed, 22 insertions(+), 39 deletions(-) diff --git a/.github/workflows/powerpipe.yml b/.github/workflows/powerpipe.yml index 7efe408..3eac563 100644 --- a/.github/workflows/powerpipe.yml +++ b/.github/workflows/powerpipe.yml 
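Review bot: `TOKEN: ${{ secrets.GITHUB_TOKEN }}` forwards the job's own installation token under a second name; a called workflow already receives `secrets.GITHUB_TOKEN` automatically, so the shared workflow can use it directly (as the comment step added in PATCH 20/32 does) and the `TOKEN` secret can be reserved for a PAT or app token when one is genuinely required. If the indirection is kept, the secret's description `'GitHub Token'` should state which token is expected and what the check action uses it for.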
@@ -25,6 +25,19 @@ jobs: uses: ./.github/workflows/pp-shared-workflow.yml with: cloud_provider: 'AWS' + mod_url: "https://github.com/turbot/steampipe-mod-terraform-aws-compliance" + plugin_connection: | + connection "aws_tf" { + plugin = "terraform" + configuration_file_paths = [ + "terraform/aws/**/*.tf" + ] + } + connection "aws" { + plugin = "aws" + } + controls: | + ec2_ebs_default_encryption_enabled secrets: TOKEN: ${{ secrets.GITHUB_TOKEN }} aws_assume_role: ${{ secrets.assume_role }} diff --git a/.github/workflows/pp-shared-workflow.yml b/.github/workflows/pp-shared-workflow.yml index 1f12318..005485d 100644 --- a/.github/workflows/pp-shared-workflow.yml +++ b/.github/workflows/pp-shared-workflow.yml @@ -26,10 +26,10 @@ on: connection "aws" { plugin = "aws" } - # controls: - # description: 'Controlers to run in powerpipe' - # required: false - # type: string + controls: + description: 'Controlers to run in powerpipe' + required: false + type: string benchmarks: description: 'Powerpipe step benchmarks to scan in specific mod.' required: false @@ -59,15 +59,15 @@ on: description: 'ID of the default project to use for future API calls and invocations.' secrets: + TOKEN: + description: 'GitHub Token' + required: false + # AWS Authentication aws_assume_role: description: 'AWS IAM role to assume. Necessary if cloud_provider is AWS.' required: false - TOKEN: - description: 'GitHub Token' - required: false - # GCP Authentication GCP_CREDENTIALS: description: 'The Google Cloud JSON service account key to use for authentication' 
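Review bot: The re-enabled input description `description: 'Controlers to run in powerpipe'` misspells the word; suggest `description: 'Powerpipe controls to run in the selected mod, one per line.'`, matching the style of the `benchmarks` description below it. `controls` and `plugin_connection` are free-form multi-line text that callers pass straight into `powerpipe-action-check` and `steampipe-action-setup`; that is acceptable because only workflows in this repository can call the file, but the descriptions should say the values are consumed verbatim so nobody later wires a `workflow_dispatch` input into them without validation.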
@@ -107,18 +107,6 @@ jobs: project_id: ${{ inputs.project_id }} if: ${{ inputs.cloud_provider == 'GCP' }} - # - name: Set mod-url based on cloud provider - # id: set_mod_url - # run: | - # if [ "${{ github.event.inputs.cloud_provider }}" == "AWS" ]; then - # echo "mod_url=https://github.com/turbot/steampipe-mod-terraform-aws-compliance" >> $GITHUB_ENV - # elif [ "${{ github.event.inputs.cloud_provider }}" == "GCP" ]; then - # echo "mod_url=https://github.com/turbot/steampipe-mod-terraform-gcp-compliance" >> $GITHUB_ENV - # else - # echo "Unsupported cloud provider: ${{ github.event.inputs.cloud_provider }}" - # exit 1 - # fi - - name: Setup Steampipe uses: turbot/steampipe-action-setup@v1 with: @@ -131,29 +119,11 @@ jobs: run: | steampipe service start - # - name: Run Powerpipe benchmark - # uses: turbot/powerpipe-action-check@v1 - # with: - # mod-url: https://github.com/turbot/steampipe-mod-aws-compliance - # controls: | - # ebs_volume_unused - - name: Run Terraform AWS Compliance control uses: turbot/powerpipe-action-check@v1 with: mod-url: ${{ inputs.mod_url }} - # controls: ${{ inputs.controls }} + controls: ${{ inputs.controls }} benchmarks: ${{ inputs.benchmarks }} github-token: ${{ secrets.TOKEN }} - - # - name: Run specific AWS Compliance controls - # uses: turbot/powerpipe-action-check@v1 - # with: - # mod-url: https://github.com/turbot/steampipe-mod-aws-compliance - # # controls: | - # # ebs_volume_unused - # # foundational_security_s3_1 - # benchmarks: | - # benchmark.cis_v200 - # github-token: ${{ secrets.TOKEN }} ... From 18895607423c8bc3db1e973b49c411798a906923 Mon Sep 17 00:00:00 2001 From: Nilesh Gadgi Date: Sat, 9 Nov 2024 03:32:15 +0530 Subject: [PATCH 20/32] test: testing powerpipe workflow --- .github/workflows/pp-shared-workflow.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/.github/workflows/pp-shared-workflow.yml b/.github/workflows/pp-shared-workflow.yml index 005485d..1bf2a6f 100644 
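Review bot: After this change the check step forwards `controls: ${{ inputs.controls }}` and `benchmarks: ${{ inputs.benchmarks }}` together while `benchmarks` still defaults to `all`, so a caller that sets only `controls` (as `powerpipe.yml` does in the first hunk) asks for its listed controls plus the whole mod; the follow-up commits 21–25 juggle `benchmark: ''`, `benchmarks: ''` and `# benchmarks:` in the caller to work around this. Drop the `all` default (`default: ''`) and document on both inputs that exactly one should be set, or guard two separate steps with `if: inputs.controls != ''` and `if: inputs.benchmarks != ''` so each call carries a single selector; whether the action rejects or merges both being set I cannot tell from here. The step name `Run Terraform AWS Compliance control` now covers whichever `mod_url` is passed, so `Run Powerpipe checks` would describe it better.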
--- a/.github/workflows/pp-shared-workflow.yml +++ b/.github/workflows/pp-shared-workflow.yml @@ -126,4 +126,23 @@ jobs: controls: ${{ inputs.controls }} benchmarks: ${{ inputs.benchmarks }} github-token: ${{ secrets.TOKEN }} + + - name: Read generated markdown file + id: read_md_file + run: | + # Read the content of the generated .md file into an environment variable + FILE_PATH="${{ github.workspace }}/*.md" + MD_CONTENT=$(cat $FILE_PATH) + echo "md_content<> $GITHUB_ENV + echo "$MD_CONTENT" >> $GITHUB_ENV + echo "EOF" >> $GITHUB_ENV + + - name: Comment on the PR with the markdown report + uses: peter-evans/create-or-update-comment@v3 + with: + token: ${{ secrets.GITHUB_TOKEN }} + issue-number: ${{ github.event.pull_request.number }} + body: | + ## Terraform Compliance Report + ${{ env.md_content }} ... From 03199e2d2c6cb820ca6e06fb9181d2a360fe64f2 Mon Sep 17 00:00:00 2001 From: Nilesh Gadgi Date: Sat, 9 Nov 2024 03:34:21 +0530 Subject: [PATCH 21/32] test: testing powerpipe workflow --- .github/workflows/powerpipe.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/powerpipe.yml b/.github/workflows/powerpipe.yml index 3eac563..c635f3a 100644 --- a/.github/workflows/powerpipe.yml +++ b/.github/workflows/powerpipe.yml @@ -38,6 +38,7 @@ jobs: } controls: | ec2_ebs_default_encryption_enabled + benchmark: '' secrets: TOKEN: ${{ secrets.GITHUB_TOKEN }} aws_assume_role: ${{ secrets.assume_role }} From 93806d976422d44048aaecb9833356f1d349ef1e Mon Sep 17 00:00:00 2001 From: Nilesh Gadgi Date: Sat, 9 Nov 2024 03:35:40 +0530 Subject: [PATCH 22/32] test: testing powerpipe workflow --- .github/workflows/powerpipe.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/powerpipe.yml b/.github/workflows/powerpipe.yml index c635f3a..840864c 100644 --- a/.github/workflows/powerpipe.yml +++ b/.github/workflows/powerpipe.yml 
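Review bot: The `Read generated markdown file` step writes the report into `$GITHUB_ENV` with a heredoc closed by the fixed word `EOF` (the hunk's `echo "md_content<> $GITHUB_ENV` looks extraction-mangled, so I read it as the usual `name<<EOF` form), and the report is derived from Terraform sources the pull-request author controls; any report line equal to `EOF` terminates the value early and the lines after it are parsed as further `NAME=value` assignments that every later step inherits. GitHub's documented pattern is a random delimiter, and better still the comment action can read the file itself if the pinned version offers a file input. The glob `${{ github.workspace }}/*.md` also matches every markdown file at the repository root (a README, for instance) and concatenates it into the comment, so the report's actual filename should be used. Both steps run on `workflow_dispatch` too, where `github.event.pull_request.number` is empty and the comment call fails; gate them with `if: github.event_name == 'pull_request'`.
```yaml
      - name: Read generated markdown file
        id: read_md_file
        if: github.event_name == 'pull_request'
        run: |
          # Random delimiter so report content cannot terminate the value early
          # or inject further assignments into $GITHUB_ENV.
          delim="md_$(openssl rand -hex 16)"
          {
            echo "md_content<<${delim}"
            cat "$GITHUB_WORKSPACE/<REPORT_FILE>.md"  # the single file the check step writes (confirm name)
            echo "${delim}"
          } >> "$GITHUB_ENV"

      - name: Comment on the PR with the markdown report
        if: github.event_name == 'pull_request'
        # … unchanged: uses / with (token, issue-number, body) …
```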
@@ -38,7 +38,7 @@ jobs: } controls: | ec2_ebs_default_encryption_enabled - benchmark: '' + benchmarks: '' secrets: TOKEN: ${{ secrets.GITHUB_TOKEN }} aws_assume_role: ${{ secrets.assume_role }} From b8d735b512fc5ac2ea04fc56509d2edac3b79160 Mon Sep 17 00:00:00 2001 From: Nilesh Gadgi Date: Sat, 9 Nov 2024 03:38:04 +0530 Subject: [PATCH 23/32] test: testing powerpipe workflow --- .github/workflows/powerpipe.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/powerpipe.yml b/.github/workflows/powerpipe.yml index 840864c..7c2cdfb 100644 --- a/.github/workflows/powerpipe.yml +++ b/.github/workflows/powerpipe.yml @@ -15,7 +15,7 @@ permissions: # discussions: write # packages: write # pages: write - # pull-requests: write + pull-requests: write # repository-projects: write # security-events: write # statuses: write From 2a8d71e55674a47ca66f3add13a5b4c832b2ebd3 Mon Sep 17 00:00:00 2001 From: Nilesh Gadgi Date: Sat, 9 Nov 2024 03:39:16 +0530 Subject: [PATCH 24/32] test: testing powerpipe workflow --- .github/workflows/powerpipe.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/powerpipe.yml b/.github/workflows/powerpipe.yml index 7c2cdfb..88979b1 100644 --- a/.github/workflows/powerpipe.yml +++ b/.github/workflows/powerpipe.yml @@ -37,8 +37,8 @@ jobs: plugin = "aws" } controls: | - ec2_ebs_default_encryption_enabled - benchmarks: '' + all + # benchmarks: secrets: TOKEN: ${{ secrets.GITHUB_TOKEN }} aws_assume_role: ${{ secrets.assume_role }} From 499617290862cf5943e6ffc84b82c1ff6f470a26 Mon Sep 17 00:00:00 2001 From: Nilesh Gadgi Date: Sat, 9 Nov 2024 03:41:39 +0530 Subject: [PATCH 25/32] test: testing powerpipe workflow --- .github/workflows/powerpipe.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/powerpipe.yml b/.github/workflows/powerpipe.yml index 88979b1..c1c24c4 100644 --- a/.github/workflows/powerpipe.yml +++ b/.github/workflows/powerpipe.yml 
@@ -36,9 +36,10 @@ jobs: connection "aws" { plugin = "aws" } - controls: | + # controls: | + # all + benchmarks: | all - # benchmarks: secrets: TOKEN: ${{ secrets.GITHUB_TOKEN }} aws_assume_role: ${{ secrets.assume_role }} From 90efc848bbc5f8ea04e9dd13a02ce13284483f9c Mon Sep 17 00:00:00 2001 From: Nilesh Gadgi Date: Sat, 9 Nov 2024 03:50:07 +0530 Subject: [PATCH 26/32] test: testing powerpipe workflow --- .github/workflows/powerpipe.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/powerpipe.yml b/.github/workflows/powerpipe.yml index c1c24c4..0aa8999 100644 --- a/.github/workflows/powerpipe.yml +++ b/.github/workflows/powerpipe.yml @@ -39,7 +39,8 @@ jobs: # controls: | # all benchmarks: | - all + ec2 + s3 secrets: TOKEN: ${{ secrets.GITHUB_TOKEN }} aws_assume_role: ${{ secrets.assume_role }} From 0d15cf0776e2e88f608652f49b1cd224e54fba73 Mon Sep 17 00:00:00 2001 From: Nilesh Gadgi Date: Sat, 9 Nov 2024 03:51:49 +0530 Subject: [PATCH 27/32] test: testing powerpipe workflow --- .github/workflows/powerpipe.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/powerpipe.yml b/.github/workflows/powerpipe.yml index 0aa8999..877779d 100644 --- a/.github/workflows/powerpipe.yml +++ b/.github/workflows/powerpipe.yml @@ -11,7 +11,7 @@ permissions: # contents: write # deployments: write id-token: write - # issues: write + issues: write # discussions: write # packages: write # pages: write From 8455e2fbb01d41da2ff254a081e117949768f7f5 Mon Sep 17 00:00:00 2001 From: Nilesh Gadgi Date: Sat, 9 Nov 2024 03:53:39 +0530 Subject: [PATCH 28/32] test: testing powerpipe workflow --- .github/workflows/pp-shared-workflow.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pp-shared-workflow.yml b/.github/workflows/pp-shared-workflow.yml index 1bf2a6f..d0ab958 100644 --- a/.github/workflows/pp-shared-workflow.yml +++ b/.github/workflows/pp-shared-workflow.yml 
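Review bot: Uncommenting `issues: write` in the third hunk widens the default token for the whole workflow, and it is not obviously needed: the only consumer visible in this series is a comment posted on a pull request, which the `pull-requests: write` grant added earlier already covers for PR comments as far as I can tell from the action's documented requirements. If the comment step succeeds without it, drop the line to keep the token at least privilege; if it is required, add a comment saying why, e.g. `issues: write  # required by create-or-update-comment for PR comments`. The `permissions:` block this hunk edits starts outside the hunk.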
@@ -140,7 +140,7 @@ jobs: - name: Comment on the PR with the markdown report uses: peter-evans/create-or-update-comment@v3 with: - token: ${{ secrets.GITHUB_TOKEN }} + token: ${{ secrets.TOKEN }} issue-number: ${{ github.event.pull_request.number }} body: | ## Terraform Compliance Report From 9ff4161cd735bf6098f2d5f70bc49cc885d5e3ab Mon Sep 17 00:00:00 2001 From: Nilesh Gadgi Date: Sat, 9 Nov 2024 03:57:19 +0530 Subject: [PATCH 29/32] test: testing powerpipe workflow --- .github/workflows/powerpipe.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/powerpipe.yml b/.github/workflows/powerpipe.yml index 877779d..751a8e0 100644 --- a/.github/workflows/powerpipe.yml +++ b/.github/workflows/powerpipe.yml @@ -40,7 +40,6 @@ jobs: # all benchmarks: | ec2 - s3 secrets: TOKEN: ${{ secrets.GITHUB_TOKEN }} aws_assume_role: ${{ secrets.assume_role }} From ee8c0770ba1ebc80aec23cd97dc07638657c447b Mon Sep 17 00:00:00 2001 From: Nilesh Gadgi Date: Sat, 9 Nov 2024 04:00:16 +0530 Subject: [PATCH 30/32] test: testing powerpipe workflow --- .github/workflows/pp-shared-workflow.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/pp-shared-workflow.yml b/.github/workflows/pp-shared-workflow.yml index d0ab958..e787328 100644 --- a/.github/workflows/pp-shared-workflow.yml +++ b/.github/workflows/pp-shared-workflow.yml @@ -1,10 +1,6 @@ --- name: 'Powerpipe Github Action Workflow' -permissions: - id-token: write - - on: workflow_call: inputs: From c5417c1a339a4b936f8a59f0b18fa54c7c4e7717 Mon Sep 17 00:00:00 2001 From: Nilesh Gadgi Date: Sat, 9 Nov 2024 04:07:50 +0530 Subject: [PATCH 31/32] test: testing powerpipe workflow --- .github/workflows/powerpipe.yml | 2 +- .github/workflows/pp-shared-workflow.yml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/powerpipe.yml b/.github/workflows/powerpipe.yml index 751a8e0..4d95046 100644 --- a/.github/workflows/powerpipe.yml +++ b/.github/workflows/powerpipe.yml 
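Review bot: Deleting the shared workflow's top-level `permissions:` block (last hunk) means the called workflow now silently inherits whatever the caller grants, including anything broader than it needs; a called workflow can only narrow the caller's token, so the old block that listed only `id-token: write` was presumably the reason the PR-comment step lacked `pull-requests: write`, but the fix should be to state the complete minimum set rather than to remove the declaration. I would restore it as `permissions: { id-token: write, pull-requests: write }` (or the block form), with a comment like `# minimum the OIDC AWS step and the PR comment step need; callers must grant at least this`, so the shared workflow documents its own requirements. The `on: workflow_call: inputs:` section continues outside this hunk.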
@@ -22,7 +22,7 @@ permissions: jobs: powerpipe: - uses: ./.github/workflows/pp-shared-workflow.yml + uses: clouddrove/github-shared-workflows/.github/workflows/powerpipe.yml@feat/powerpipe # ./.github/workflows/pp-shared-workflow.yml with: cloud_provider: 'AWS' mod_url: "https://github.com/turbot/steampipe-mod-terraform-aws-compliance" diff --git a/.github/workflows/pp-shared-workflow.yml b/.github/workflows/pp-shared-workflow.yml index e787328..8dfda30 100644 --- a/.github/workflows/pp-shared-workflow.yml +++ b/.github/workflows/pp-shared-workflow.yml @@ -141,4 +141,5 @@ jobs: body: | ## Terraform Compliance Report ${{ env.md_content }} + continue-on-error: true ... From 17ab09d44f0a08444e16f48c174f801a0c52da1e Mon Sep 17 00:00:00 2001 From: Nilesh Gadgi Date: Tue, 12 Nov 2024 04:11:44 +0530 Subject: [PATCH 32/32] doc: added readme for powerpipe share githuba action --- .github/workflows/powerpipe.yml | 76 +-------------------------------- 1 file changed, 1 insertion(+), 75 deletions(-) diff --git a/.github/workflows/powerpipe.yml b/.github/workflows/powerpipe.yml index 4d95046..7ea3dc4 100644 --- a/.github/workflows/powerpipe.yml +++ b/.github/workflows/powerpipe.yml @@ -5,24 +5,13 @@ on: pull_request: permissions: - # actions: write - # attestations: write - # checks: write - # contents: write - # deployments: write id-token: write issues: write - # discussions: write - # packages: write - # pages: write pull-requests: write - # repository-projects: write - # security-events: write - # statuses: write jobs: powerpipe: - uses: clouddrove/github-shared-workflows/.github/workflows/powerpipe.yml@feat/powerpipe # ./.github/workflows/pp-shared-workflow.yml + uses: clouddrove/github-shared-workflows/.github/workflows/powerpipe.yml@feat/powerpipe with: cloud_provider: 'AWS' mod_url: "https://github.com/turbot/steampipe-mod-terraform-aws-compliance" 
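Review bot: `continue-on-error: true` on the PR-comment step (second hunk) means a failure to post the compliance report — wrong token scope, missing PR number on a `workflow_dispatch` run, or an oversized body — leaves the job green with no report anywhere, which defeats the purpose of the gate. If the intent is only to tolerate non-PR runs, gate the step instead with `if: github.event_name == 'pull_request'` and let real failures surface; otherwise add a comment stating that a missing comment is acceptable, e.g. `continue-on-error: true  # report is advisory; the check step above is the gate`. The enclosing `steps:` list starts outside this hunk.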
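Review bot: The reusable workflow is referenced at a mutable branch, `clouddrove/github-shared-workflows/.github/workflows/powerpipe.yml@feat/powerpipe`, so the code that runs with `id-token: write` (and therefore can assume the AWS role passed in `aws_assume_role`) and with `pull-requests: write` can change at any time without a commit in this repository. Pin it to a release tag or, preferably, a full commit SHA with a trailing comment naming the version, e.g. `uses: clouddrove/github-shared-workflows/.github/workflows/powerpipe.yml@<sha> # v1.x.y`, and treat the branch reference as test-only. The same applies to the `@v1` action tags used inside the shared workflow if they are later tightened. The `powerpipe` job's `with:` block continues outside this hunk.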
@@ -36,72 +25,9 @@ jobs: connection "aws" { plugin = "aws" } - # controls: | - # all benchmarks: | ec2 secrets: TOKEN: ${{ secrets.GITHUB_TOKEN }} aws_assume_role: ${{ secrets.assume_role }} - - # name: 'Powerpipe' - # runs-on: ubuntu-latest - # steps: - # - name: Checkout repo - # uses: actions/checkout@v4 - - # - name: Setup AWS Credentials - # uses: aws-actions/configure-aws-credentials@v4 - # with: - # role-to-assume: arn:aws:iam::924144197303:role/nilesh-powerpipe-role - # role-session-name: powerpipe - # aws-region: us-east-1 - - # - name: Setup Steampipe - # uses: turbot/steampipe-action-setup@v1 - # with: - # plugin-connections: | - # connection "aws_tf" { - # plugin = "terraform" - # configuration_file_paths = [ - # "terraform/aws/**/*.tf" - # ] - # } - # connection "aws" { - # plugin = "aws" - # } - - - # - name: Install Powerpipe - # uses: turbot/powerpipe-action-setup@v1 - - # - name: Start steampipe service # start steampipe service - powerpipe will connect to this running steampipe postgres database - # run: | - # steampipe service start - # # yes | powerpipe mod install github.com/turbot/steampipe-mod-aws-thrifty - # # continue-on-error: true - - # # - name: Run Powerpipe benchmark - # # uses: turbot/powerpipe-action-check@v1 - # # with: - # # mod-url: https://github.com/turbot/steampipe-mod-aws-compliance - # # controls: | - # # ebs_volume_unused - - # - name: Run Terraform AWS Compliance control - # uses: turbot/powerpipe-action-check@v1 - # with: - # mod-url: https://github.com/turbot/steampipe-mod-terraform-aws-compliance - # controls: | - # ec2_ebs_default_encryption_enabled - - # - name: Run specific AWS Compliance controls - # uses: turbot/powerpipe-action-check@v1 - # with: - # mod-url: https://github.com/turbot/steampipe-mod-aws-compliance - # # controls: | - # # ebs_volume_unused - # # foundational_security_s3_1 - # benchmarks: | - # benchmark.cis_v200 ...