diff --git a/.github/workflows/weekly-enviroment.yml b/.github/workflows/weekly-enviroment.yml
new file mode 100644
index 0000000000..a3dcfc87be
--- /dev/null
+++ b/.github/workflows/weekly-enviroment.yml
@@ -0,0 +1,177 @@
+name: Weekly environment deployment
+
+on:
+ workflow_dispatch:
+ inputs:
+ environment:
+ description: 'Environment to run tests against'
+ type: choice
+ options:
+ - weekly environment
+ logLevel:
+ description: 'Log level'
+ required: true
+ default: 'warning'
+ type: choice
+ options:
+ - TRACE
+ - DEBUG
+ - INFO
+ - WARN
+ - ERROR
+
+env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ GITHUB_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ CONTAINER_SUFFIX: ${{ github.run_id }}
+ AWS_REGION: eu-north-1
+ KUBE_NAMESPACE: kube-system
+ WORKING_DIR: deploy/cloud
+ ENVIRONMENT: "weekly-environment"
+ TF_VAR_ec_api_key: ${{ secrets.TF_VAR_EC_API_KEY }}
+ TF_VAR_environment: ${{ github.event.inputs.logLevel }}
+ TF_VAR_eks_region: eu-north-1
+ TF_LOG: ${{ github.event.inputs.logLevel }}
+
+jobs:
+ terraform:
+ name: Deploy KSPM/CSPM cloud environment
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ working-directory: ${{ env.WORKING_DIR }}
+ steps:
+ - name: Check out the repo
+ uses: actions/checkout@v2
+
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v2
+ with:
+ terraform_version: 1.3.5
+ terraform_wrapper: false
+
+# - name: Terraform fmt
+# id: fmt
+# run: terraform fmt -check
+# continue-on-error: true
+#
+# - name: Terraform Validate
+# id: validate
+# run: terraform validate -no-color
+ - name: Terraform Init
+ id: init
+ run: terraform init -no-color
+
+ - name: Deploy EKS cluster and Elastic Cloud
+ id: apply
+ run: terraform apply --auto-approve -target "module.ec_deployment" -target "null_resource.rules" -target "null_resource.store_local_dashboard" -target "module.eks"
+
+ - name: Create IAM role for EKS
+ id: kspm
+ run: terraform apply --auto-approve -target "module.api" -target "module.iam_eks_role"
+
+ - name : Deploy EC2 instance to run Cloudbeat on vanilla cluster
+ id: ec2
+ run: terraform apply --auto-approve -target "module.aws_ec2_with_agent"
+
+ - name: Deploy agent on EKS
+ id: eks
+ run: terraform apply --auto-approve
+
+ - name: Set terraform output as env variable
+ id: kibana_url
+ run: |
+ echo "KIBANA_URL=$(terraform output kibana_url)" >> $GITHUB_ENV
+ echo "EKS_CLUSTER_NAME=$(terraform output eks_cluster_name)" >> $GITHUB_ENV
+ echo "EKS_REGION=$(terraform output eks_region)" >> $GITHUB_ENV
+ echo "EC2_INSTANCE_ID=$(terraform output ec2_instance_id)" >> $GITHUB_ENV
+
+ - name: Set sensitive terraform output as env variable
+ id: set_sensitive_output
+ run: |
+ export ELASTICSEARCH_USERNAME=$(terraform output elasticsearch_username)
+ echo "::add-mask::$ELASTICSEARCH_USERNAME"
+ echo "ELASTICSEARCH_USERNAME=$ELASTICSEARCH_USERNAME" >> $GITHUB_ENV
+
+ export ELASTICSEARCH_PASSWORD=$(terraform output elasticsearch_password)
+ echo "::add-mask::$ELASTICSEARCH_PASSWORD"
+ echo "ELASTICSEARCH_PASSWORD=$ELASTICSEARCH_PASSWORD" >> $GITHUB_ENV
+
+ export EC2_PRIVATE_KEY=$(echo $(terraform output cloudbeat_private_key) | base64)
+ echo "::add-mask::$EC2_PRIVATE_KEY"
+ echo "EC2_PRIVATE_KEY=$EC2_PRIVATE_KEY" >> $GITHUB_ENV
+
+ export SSH_CMD=$(terraform output cloudbeat_ssh_cmd)
+ echo "::add-mask::$SSH_CMD"
+ echo "SSH_CMD=$SSH_CMD" >> $GITHUB_ENV
+
+ - name: Deploy Agents
+ id: deploy_ec2_instance
+ run: |
+ terraform apply -auto-approve -no-color
+
+ # Once https://github.com/slackapi/slack-github-action/issues/84 will be resolved we can push the payload to a different file
+ - name: Send custom JSON data to Slack workflow
+ id: slack
+ uses: slackapi/slack-github-action@v1.23.0
+ with:
+ payload: |
+ {
+ "text": "A new deployment job has been triggered",
+ "attachments": [
+ {
+ "color": "#36a64f",
+ "fields": [
+ {
+ "title": "Environment",
+ "value": "${{ github.event.inputs.environment }}",
+ "short": true
+ },
+ {
+ "title": "Log level",
+ "value": "${{ github.event.inputs.logLevel }}",
+ "short": true
+ },
+ {
+ "title": "Kibana URL",
+ "value": ${{ env.KIBANA_URL }},
+ "short": false
+ },
+ {
+ "title": "ElasticSearch username",
+ "value": ${{ env.ELASTICSEARCH_USERNAME }},
+ "short": false
+ },
+ {
+ "title": "ElasticSearch password",
+ "value": ${{ env.ELASTICSEARCH_PASSWORD }},
+ "short": false
+ },
+ {
+ "title": "EKS region",
+ "value": ${{ env.EKS_REGION }},
+ "short": true
+ },
+ {
+ "title": "EKS cluster name",
+ "value": ${{ env.EKS_CLUSTER_NAME }},
+ "short": true
+ },
+ {
+ "title": "Instance ID",
+ "value": "${{ env.EC2_INSTANCE_ID }}",
+ "short": false
+ },
+ {
+ "title": "EC2 private key",
+ "value": "${{ env.EC2_PRIVATE_KEY }}",
+ "short": false
+ }
+ ]
+ }
+ ]
+ }
+ env:
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+ SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
diff --git a/deploy/cloud/data/package_policy.json b/deploy/cloud/data/package_policy.json
index d4387d1c40..c81a761f2c 100644
--- a/deploy/cloud/data/package_policy.json
+++ b/deploy/cloud/data/package_policy.json
@@ -59,12 +59,7 @@
 ],
 "package": {
 "name": "cloud_security_posture",
- "title": "Kubernetes Security Posture Management",
- "version": "1.0.5"
- },
- "vars": {
- "runtimeCfg": {
- "type": "yaml"
- }
+ "title": "Kubernetes Security Posture Management (KSPM)",
+ "version": "1.1.1"
 }
 }
diff --git a/deploy/cloud/data/package_policy_vanilla.json b/deploy/cloud/data/package_policy_vanilla.json
index 33345e39d9..8724da43f3 100644
--- a/deploy/cloud/data/package_policy_vanilla.json
+++ b/deploy/cloud/data/package_policy_vanilla.json
@@ -58,12 +58,7 @@
 ],
 "package": {
 "name": "cloud_security_posture",
- "title": "Kubernetes Security Posture Management",
- "version": "1.0.5"
- },
- "vars": {
- "runtimeCfg": {
- "type": "yaml"
- }
+ "title": "Kubernetes Security Posture Management (KSPM)",
+ "version": "1.1.1"
 }
-}
\ No newline at end of file
+}
diff --git a/deploy/cloud/main.tf b/deploy/cloud/main.tf
index 55fc1f1e23..ca6303f925 100644
--- a/deploy/cloud/main.tf
+++ b/deploy/cloud/main.tf
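Review bot: The Slack payload at the end of the hunk forwards the Elasticsearch password and the base64-encoded EC2 private key to the webhook; `::add-mask::` only redacts the job log, so both credentials still leave the runner and end up retained by Slack and readable by everyone in the channel. Drop the `ElasticSearch password` and `EC2 private key` fields (and ideally the username) from the payload and have whoever needs them retrieve the outputs, which this commit already marks `sensitive`, from the Terraform state or a secrets store instead; URL, region, cluster name and instance id are enough for a notification. `TF_VAR_environment: ${{ github.event.inputs.logLevel }}` in the `env` block looks like a copy of the `TF_LOG` line — it sets the Terraform environment variable to the chosen log level rather than to `${{ github.event.inputs.environment }}` or `${{ env.ENVIRONMENT }}`; confirm which was intended. The `kibana_url` step also calls `terraform output` without `-raw`, which on Terraform 1.x prints string values with surrounding quotes — the unquoted `${{ env.KIBANA_URL }}` fields rely on that, but the quoted `"${{ env.EC2_INSTANCE_ID }}"` field would then carry doubled quotes and break the JSON; using `terraform output -raw` everywhere and quoting every field would make the payload consistent.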
@@ -200,6 +200,9 @@ module "aws_ec2_with_agent" {
 source = "./modules/ec2"
 providers = { aws : aws }
 yml = module.api.yaml_vanilla
+ environment_tag_name = var.environment_tag_name
+ aws_ami = "ami-03260a5267db32f55"
+
 depends_on = [
 module.ec_deployment,
 module.api,
diff --git a/deploy/cloud/modules/ec2/main.tf b/deploy/cloud/modules/ec2/main.tf
index 39c44bda57..1becefb4f4 100644
--- a/deploy/cloud/modules/ec2/main.tf
+++ b/deploy/cloud/modules/ec2/main.tf
@@ -4,6 +4,7 @@ locals {
 common_tags = {
 id = "${random_id.id.hex}"
 provisioner = "terraform"
+ environment = var.environment_tag_name
 }
 }
 resource "tls_private_key" "cloudbeat_key" {
diff --git a/deploy/cloud/modules/ec2/output.tf b/deploy/cloud/modules/ec2/output.tf
index b63c0535b2..0f0817c27d 100644
--- a/deploy/cloud/modules/ec2/output.tf
+++ b/deploy/cloud/modules/ec2/output.tf
@@ -8,3 +8,14 @@ output "cloudbeat_ssh_cmd" {
 value = "ssh -i ${local.cloudbeat_private_key_file} ${local.ec2_username}@${aws_instance.cloudbeat.public_ip}"
 }
 
+output "ec2_private_key" {
+ description = "Use this private key to SSH into the ec2 instance"
+ value = tls_private_key.cloudbeat_key.private_key_pem
+ sensitive = true
+}
+
+output "ec2_instance_id" {
+ description = "Use this private key to SSH into the ec2 instance"
+ value = aws_instance.cloudbeat.id
+ sensitive = true
+}
diff --git a/deploy/cloud/modules/ec2/variables.tf b/deploy/cloud/modules/ec2/variables.tf
index 345474a9be..8c5745d949 100644
--- a/deploy/cloud/modules/ec2/variables.tf
+++ b/deploy/cloud/modules/ec2/variables.tf
@@ -15,3 +15,8 @@ variable "yml" {
 type = string
 }
 
+
+variable "environment_tag_name" {
+ description = "Environment tag name to be used"
+ type = string
+}
diff --git a/deploy/cloud/outputs.tf b/deploy/cloud/outputs.tf
index bd0d6f212c..e03a52c14e 100644
--- a/deploy/cloud/outputs.tf
+++ b/deploy/cloud/outputs.tf
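Review bot: `aws_ami = "ami-03260a5267db32f55"` in the `module "aws_ec2_with_agent"` call hard-codes an AMI id with nothing saying which image or publisher it is; AMI ids are region-specific, so this only works in the region the workflow fixes through `TF_VAR_eks_region`, and a bare id gives a reviewer no way to check that the image comes from a trusted owner. A `data "aws_ami"` lookup with an `owners` filter and a name pattern, or at minimum a comment naming the image and its publisher next to the id, would make the provenance reviewable and the region dependency explicit. I also don't see an `aws_ami` variable declared in `modules/ec2/variables.tf` in this diff — that hunk adds only `environment_tag_name` — so unless it already exists there, Terraform will reject the unsupported argument at plan time.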
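Review bot: The new `ec2_instance_id` output in `modules/ec2/output.tf` reuses the description of `ec2_private_key` (`"Use this private key to SSH into the ec2 instance"`) and marks an instance id `sensitive = true`, while the root `ec2_instance_id` output added in `deploy/cloud/outputs.tf` carries no `sensitive` flag — Terraform refuses a root output that reads a sensitive value without `sensitive = true`, so the apply should fail on that output. Since an instance id is not a secret and the workflow already writes it to `$GITHUB_ENV` and the Slack payload, the simpler fix is in the module: `description = "ID of the EC2 instance running Cloudbeat"` and drop the `sensitive = true` line; otherwise mark the root output sensitive as well.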
@@ -75,5 +75,18 @@ output "role_arn" {
 }
 
 output "cloudbeat_ssh_cmd" {
- value = module.aws_ec2_with_agent.cloudbeat_ssh_cmd
+ value = module.aws_ec2_with_agent.cloudbeat_ssh_cmd
+ sensitive = true
 }
+
+output "ec2_private_key" {
+ value = module.aws_ec2_with_agent.ec2_private_key
+ sensitive = true
+}
+
+output "ec2_instance_id" {
+ description = "EC2 instance ID"
+ value = module.aws_ec2_with_agent.ec2_instance_id
+}
+
+
diff --git a/deploy/cloud/variables.tf b/deploy/cloud/variables.tf
index 570c73ee11..0519176142 100644
--- a/deploy/cloud/variables.tf
+++ b/deploy/cloud/variables.tf
@@ -69,3 +69,9 @@ variable "eks_region" {
 type = string
 }
 
+variable "environment_tag_name" {
+ default = "local environment"
+ description = "Environment tag name to be used"
+ type = string
+}
+
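Review bot: The root `environment_tag_name` variable defaults to `"local environment"` and nothing in the new weekly workflow sets `TF_VAR_environment_tag_name`, so the EC2 instance created by the scheduled run will be tagged as a local environment unless the value is supplied somewhere not shown here. Adding `TF_VAR_environment_tag_name: ${{ env.ENVIRONMENT }}` to the workflow's `env` block, or deriving the tag from the root `environment` variable the workflow already sets (presumably declared elsewhere in this file), would keep the tag truthful for resources that are later filtered by it.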