ofiriro3 · ofiriro3 · Jan 25, 2023 · Jan 25, 2023 · Jan 25, 2023 · Jan 25, 2023
diff --git a/.github/workflows/weekly-enviroment.yml b/.github/workflows/weekly-enviroment.yml
@@ -0,0 +1,177 @@
+name: Weekly environment deployment
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Environment to run tests against'
+        type: choice
+        options:
+          - weekly environment
+      logLevel:
+        description: 'Log level'
+        required: true
+        default: 'warning'
+        type: choice
+        options:
+          - TRACE
+          - DEBUG
+          - INFO
+          - WARN
+          - ERROR
+
+env:
+  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+  GITHUB_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  CONTAINER_SUFFIX: ${{ github.run_id }}
+  AWS_REGION: eu-north-1
+  KUBE_NAMESPACE: kube-system
+  WORKING_DIR: deploy/cloud
+  ENVIRONMENT: "weekly-environment"
+  TF_VAR_ec_api_key: ${{ secrets.TF_VAR_EC_API_KEY }}
+  TF_VAR_environment: ${{ github.event.inputs.logLevel }}
+  TF_VAR_eks_region: eu-north-1
+  TF_LOG: ${{ github.event.inputs.logLevel }}
+
+jobs:
+  terraform:
+    name: Deploy KSPM/CSPM cloud environment
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ${{ env.WORKING_DIR }}
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v2
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+           terraform_version: 1.3.5
+           terraform_wrapper: false
+
+#      - name: Terraform fmt
+#        id: fmt
+#        run: terraform fmt -check
+#        continue-on-error: true
+#
+#      - name: Terraform Validate
+#        id: validate
+#        run: terraform validate -no-color
+      - name: Terraform Init
+        id: init
+        run: terraform init -no-color
+
+      - name: Deploy EKS cluster and Elastic Cloud
+        id: apply
+        run: terraform apply --auto-approve -target "module.ec_deployment" -target "null_resource.rules" -target "null_resource.store_local_dashboard" -target "module.eks"
+
+      - name: Create IAM role for EKS
+        id: kspm
+        run: terraform apply --auto-approve -target "module.api" -target "module.iam_eks_role"
+
+      - name : Deploy EC2 instance to run Cloudbeat on vanilla cluster
+        id: ec2
+        run: terraform apply --auto-approve -target "module.aws_ec2_with_agent"
+
+      - name: Deploy agent on EKS
+        id: eks
+        run: terraform apply --auto-approve
+
+      - name: Set terraform output as env variable
+        id: kibana_url
+        run: |
+          echo "KIBANA_URL=$(terraform output kibana_url)" >> $GITHUB_ENV
+          echo "EKS_CLUSTER_NAME=$(terraform output eks_cluster_name)" >> $GITHUB_ENV
+          echo "EKS_REGION=$(terraform output eks_region)" >> $GITHUB_ENV
+          echo "EC2_INSTANCE_ID=$(terraform output ec2_instance_id)" >> $GITHUB_ENV
+
+      - name: Set sensitive terraform output as env variable
+        id: set_sensitive_output
+        run: |
+          export ELASTICSEARCH_USERNAME=$(terraform output elasticsearch_username)
+          echo "::add-mask::$ELASTICSEARCH_USERNAME"
+          echo "ELASTICSEARCH_USERNAME=$ELASTICSEARCH_USERNAME" >> $GITHUB_ENV
+
+          export ELASTICSEARCH_PASSWORD=$(terraform output elasticsearch_password)
+          echo "::add-mask::$ELASTICSEARCH_PASSWORD"
+          echo "ELASTICSEARCH_PASSWORD=$ELASTICSEARCH_PASSWORD" >> $GITHUB_ENV
+
+          export EC2_PRIVATE_KEY=$(echo $(terraform output cloudbeat_private_key) | base64)
+          echo "::add-mask::$EC2_PRIVATE_KEY"
+          echo "EC2_PRIVATE_KEY=$EC2_PRIVATE_KEY" >> $GITHUB_ENV
+
+          export SSH_CMD=$(terraform output cloudbeat_ssh_cmd)
+          echo "::add-mask::$SSH_CMD"
+          echo "SSH_CMD=$SSH_CMD" >> $GITHUB_ENV
+
+      - name: Deploy Agents
+        id: deploy_ec2_instance
+        run: |
+          terraform apply -auto-approve -no-color
+
+      # Once https://github.com/slackapi/slack-github-action/issues/84 will be resolved we can push the payload to a different file
+      - name: Send custom JSON data to Slack workflow
+        id: slack
+        uses: slackapi/slack-github-action@v1.23.0
+        with:
+          payload: |
+            {
+              "text": "A new deployment job has been triggered",
+              "attachments": [
+                {
+                  "color": "#36a64f",
+                  "fields": [
+                    {
+                      "title": "Environment",
+                      "value": "${{ github.event.inputs.environment }}",
+                      "short": true
+                    },
+                    {
+                      "title": "Log level",
+                      "value": "${{ github.event.inputs.logLevel }}",
+                      "short": true
+                    },
+                    {
+                      "title": "Kibana URL",
+                      "value": ${{ env.KIBANA_URL }},
+                      "short": false
+                    },
+                    {
+                      "title": "ElasticSearch username",
+                      "value": ${{ env.ELASTICSEARCH_USERNAME }},
+                      "short": false
+                    },
+                    {
+                      "title": "ElasticSearch password",
+                      "value": ${{ env.ELASTICSEARCH_PASSWORD }},
+                      "short": false
+                    },
+                    {
+                      "title": "EKS region",
+                      "value": ${{ env.EKS_REGION }},
+                      "short": true
+                    },
+                    {
+                      "title": "EKS cluster name",
+                      "value": ${{ env.EKS_CLUSTER_NAME }},
+                      "short": true
+                    },
+                    {
+                      "title": "Instance ID",
+                      "value": "${{ env.EC2_INSTANCE_ID }}",
+                      "short": false
+                    },
+                    {
+                      "title": "EC2 private key",
+                      "value": "${{ env.EC2_PRIVATE_KEY }}",
+                      "short": false
+                    }
+                  ]
+                }
+              ]
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
diff --git a/deploy/cloud/data/package_policy.json b/deploy/cloud/data/package_policy.json
@@ -59,12 +59,7 @@
     ],
     "package": {
         "name": "cloud_security_posture",
-        "title": "Kubernetes Security Posture Management",
-        "version": "1.0.5"
-    },
-    "vars": {
-        "runtimeCfg": {
-            "type": "yaml"
-        }
+        "title": "Kubernetes Security Posture Management (KSPM)",
+        "version": "1.1.1"
     }
 }
diff --git a/deploy/cloud/data/package_policy_vanilla.json b/deploy/cloud/data/package_policy_vanilla.json
@@ -58,12 +58,7 @@
     ],
     "package": {
         "name": "cloud_security_posture",
-        "title": "Kubernetes Security Posture Management",
-        "version": "1.0.5"
-    },
-    "vars": {
-        "runtimeCfg": {
-            "type": "yaml"
-        }
+        "title": "Kubernetes Security Posture Management (KSPM)",
+        "version": "1.1.1"
     }
-}
+}
diff --git a/deploy/cloud/main.tf b/deploy/cloud/main.tf
@@ -200,6 +200,9 @@ module "aws_ec2_with_agent" {
   source    = "./modules/ec2"
   providers = { aws : aws }
   yml       = module.api.yaml_vanilla
+  environment_tag_name = var.environment_tag_name
+  aws_ami = "ami-03260a5267db32f55"
+
   depends_on = [
     module.ec_deployment,
     module.api,

diff --git a/deploy/cloud/modules/ec2/main.tf b/deploy/cloud/modules/ec2/main.tf
@@ -4,6 +4,7 @@ locals {
   common_tags = {
     id          = "${random_id.id.hex}"
     provisioner = "terraform"
+    environment = var.environment_tag_name
   }
 }
 resource "tls_private_key" "cloudbeat_key" {

diff --git a/deploy/cloud/modules/ec2/output.tf b/deploy/cloud/modules/ec2/output.tf
@@ -8,3 +8,14 @@ output "cloudbeat_ssh_cmd" {
   value       = "ssh -i ${local.cloudbeat_private_key_file} ${local.ec2_username}@${aws_instance.cloudbeat.public_ip}"
 }
 
+output "ec2_private_key" {
+  description = "Use this private key to SSH into the ec2 instance"
+  value = tls_private_key.cloudbeat_key.private_key_pem
+  sensitive = true
+}
+
+output "ec2_instance_id" {
+  description = "Use this private key to SSH into the ec2 instance"
+  value = aws_instance.cloudbeat.id
+  sensitive = true
+}
diff --git a/deploy/cloud/modules/ec2/variables.tf b/deploy/cloud/modules/ec2/variables.tf
@@ -15,3 +15,8 @@ variable "yml" {
   type        = string
 
 }
+
+variable "environment_tag_name" {
+  description = "Environment tag name to be used"
+  type        = string
+}
diff --git a/deploy/cloud/outputs.tf b/deploy/cloud/outputs.tf
@@ -75,5 +75,18 @@ output "role_arn" {
 }
 
 output "cloudbeat_ssh_cmd" {
-  value = module.aws_ec2_with_agent.cloudbeat_ssh_cmd
+  value     = module.aws_ec2_with_agent.cloudbeat_ssh_cmd
+  sensitive = true
 }
+
+output "ec2_private_key" {
+  value     = module.aws_ec2_with_agent.ec2_private_key
+  sensitive = true
+}
+
+output "ec2_instance_id" {
+  description = "EC2 instance ID"
+  value       = module.aws_ec2_with_agent.ec2_instance_id
+}
+
+
diff --git a/deploy/cloud/variables.tf b/deploy/cloud/variables.tf
@@ -69,3 +69,9 @@ variable "eks_region" {
   type        = string
 }
 
+variable "environment_tag_name" {
+  default     = "local environment"
+  description = "Environment tag name to be used"
+  type        = string
+}
+