test: testing powerpipe workflow

.github/workflows/powerpipe.yml

@@ -2,66 +2,32 @@
 name: 'Powerpipe'
 on:
   workflow_dispatch:
-  push:
-    branches:
-      - "main"
+  pull_request:
 
 permissions:
- id-token: write
- contents: read
+  id-token: write
+  issues: write
+  pull-requests: write
 
 jobs:
   powerpipe:
-    name: 'Powerpipe'
-    runs-on: ubuntu-latest
-    # env:
-    #   # This is needed since we are running terraform with read-only permissions
-    #   ARM_SKIP_PROVIDER_REGISTRATION: true
-    # outputs:
-    #   tfplanExitCode: ${{ steps.tf-plan.outputs.exitcode }}
-
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v4
-
-      - name: Setup AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          role-to-assume: arn:aws:iam::924144197303:role/nilesh-powerpipe-role
-          role-session-name: powerpipe
-          aws-region: us-east-1
-
-      - name: Setup Steampipe
-        uses: turbot/steampipe-action-setup@v1
-        with:
-          plugin-connections: |
-            connection "terraform" {
-              plugin = "terraform"
-              configuration_file_paths = [ "./**/*.tf" ]
-            }
-
-      - name: Install Powerpipe
-        uses: turbot/powerpipe-action-setup@v1
-
-      - name: Start steampipe service # start steampipe service - powerpipe will connect to this running steampipe postgres database
-        run: |
-          steampipe service start
-          # yes | powerpipe mod install github.com/turbot/steampipe-mod-aws-thrifty
-        # continue-on-error: true
-
-      # - name: Run Powerpipe benchmark
-      #   uses: turbot/powerpipe-action-check@v1
-      #   with:
-      #     mod-url: https://github.com/turbot/steampipe-mod-aws-compliance
-      #     controls: |
-      #       ebs_volume_unused
-
-      - name: Run Terraform AWS Compliance v0.18 control
-        uses: turbot/steampipe-action-check@v1
-        with:
-          mod-url: https://github.com/turbot/steampipe-mod-terraform-aws-compliance
-          mod-branch: v0.18
-          controls: |
-            ec2_ebs_default_encryption_enabled
-
+    uses: clouddrove/github-shared-workflows/.github/workflows/powerpipe.yml@feat/powerpipe
+    with:
+      cloud_provider: 'AWS'
+      mod_url: "https://github.com/turbot/steampipe-mod-terraform-aws-compliance"
+      plugin_connection: |
+        connection "aws_tf" {
+          plugin = "terraform"
+          configuration_file_paths = [
+            "terraform/aws/**/*.tf"
+          ]
+        }
+        connection "aws" {
+          plugin = "aws"
+        }
+      benchmarks: |
+        ec2
+    secrets: 
+      TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      aws_assume_role: ${{ secrets.assume_role }}
 ...

.github/workflows/pp-shared-workflow.yml

@@ -0,0 +1,145 @@
+---
+name: 'Powerpipe Github Action Workflow'
+
+on:
+  workflow_call:
+    inputs:
+      cloud_provider:
+        description: 'Cloud Provider Name. i.g. AWS, Azure, GCP, OCI'
+        required: true
+        type: string
+        default: 'AWS'
+      mod_url: 
+        description: 'Powerpipe Mod URL. Get URL from here: https://hub.powerpipe.io/'
+        required: false
+        type: string
+        default: 'https://github.com/turbot/steampipe-mod-aws-thrifty'
+      plugin_connection:
+        description: 'Powerpipe plugin-connection to establish the connection between powerpipe and plugin.'
+        required: false
+        type: string
+        default: |
+          connection "aws" {
+            plugin = "aws"
+          }
+      controls:
+        description: 'Controlers to run in powerpipe'
+        required: false
+        type: string
+      benchmarks:
+        description: 'Powerpipe step benchmarks to scan in specific mod.'
+        required: false
+        type: string
+        default: |
+          all
+
+      # GCP Authentication
+      create_credentials_file:
+        required: false
+        type: string
+        default: true
+        description: 'If true, the action will securely generate a credentials file which can be used for authentication via gcloud and Google Cloud SDKs.'
+      token_format:
+        required: false
+        type: string
+        default: access_token
+        description: 'Output format for the generated authentication token. For OAuth 2.0 access tokens, specify "access_token". For OIDC tokens, specify "id_token". To skip token generation, leave this value empty'
+      access_token_lifetime:
+        required: false
+        type: string
+        default: 300s
+        description: 'Desired lifetime duration of the access token, in seconds'
+      project_id:
+        required: false
+        type: string
+        description: 'ID of the default project to use for future API calls and invocations.'
+
+    secrets:
+      TOKEN:
+        description: 'GitHub Token'
+        required: false
+
+      # AWS Authentication
+      aws_assume_role:
+        description: 'AWS IAM role to assume. Necessary if cloud_provider is AWS.'
+        required: false
+
+      # GCP Authentication
+      GCP_CREDENTIALS:
+        description: 'The Google Cloud JSON service account key to use for authentication'
+        required: false
+      WORKLOAD_IDENTITY_PROVIDER:
+        required: false
+        description: 'The full identifier of the Workload Identity Provider'
+      SERVICE_ACCOUNT:
+        required: false
+        description: 'The service account to be used'
+
+jobs:
+  powerpipe:
+    name: 'Powerpipe Shared Workflow'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Setup AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.aws_assume_role }}
+          role-session-name: powerpipe
+          aws-region: us-east-1
+        if: ${{ inputs.cloud_provider == 'AWS' }}
+
+      - name: 'Authenticate to Google Cloud'
+        uses: 'google-github-actions/auth@v2'
+        with:
+          credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
+          create_credentials_file: ${{ inputs.create_credentials_file }}
+          token_format: ${{ inputs.token_format }}
+          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ secrets.SERVICE_ACCOUNT }}
+          access_token_lifetime: ${{ inputs.access_token_lifetime }}
+          project_id: ${{ inputs.project_id }}
+        if: ${{ inputs.cloud_provider == 'GCP' }}
+
+      - name: Setup Steampipe
+        uses: turbot/steampipe-action-setup@v1
+        with:
+          plugin-connections: ${{ inputs.plugin_connection }}
+
+      - name: Install Powerpipe
+        uses: turbot/powerpipe-action-setup@v1
+
+      - name: Start steampipe service # start steampipe service - powerpipe will connect to this running steampipe postgres database
+        run: |
+          steampipe service start
+
+      - name: Run Terraform AWS Compliance control
+        uses: turbot/powerpipe-action-check@v1
+        with:
+          mod-url: ${{ inputs.mod_url }}
+          controls: ${{ inputs.controls }}
+          benchmarks: ${{ inputs.benchmarks }}
+          github-token: ${{ secrets.TOKEN }}
+
+      - name: Read generated markdown file
+        id: read_md_file
+        run: |
+          # Read the content of the generated .md file into an environment variable
+          FILE_PATH="${{ github.workspace }}/*.md"
+          MD_CONTENT=$(cat $FILE_PATH)
+          echo "md_content<<EOF" >> $GITHUB_ENV
+          echo "$MD_CONTENT" >> $GITHUB_ENV
+          echo "EOF" >> $GITHUB_ENV
+
+      - name: Comment on the PR with the markdown report
+        uses: peter-evans/create-or-update-comment@v3
+        with:
+          token: ${{ secrets.TOKEN }}
+          issue-number: ${{ github.event.pull_request.number }}
+          body: |
+            ## Terraform Compliance Report
+            ${{ env.md_content }}
+        continue-on-error: true
+...

terraform/aws/ec2/ec2_ebs.tf

@@ -1,3 +1,3 @@
 resource "aws_ebs_encryption_by_default" "example" {
   enabled = false
-}
+}

terraform/aws/ec2/ec2_instance_in_vpc.tf

@@ -24,4 +24,4 @@ resource "aws_instance" "rajweb2" {
   tags = {
     Name = "RajHelloWorld"
   }
-}
+}