Created
October 18, 2020 19:40
-
-
Save metahertz/b2dbb7ded68f7f34a64d932893e08b06 to your computer and use it in GitHub Desktop.
AirIAM drift detection with GH Actions
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy SLS with IAM change notifications | |
| on: | |
| push: | |
| branches: | |
| - master | |
| jobs: | |
| airiam-pre: | |
| name: Generate current IAM terraform, pre-deploy. | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v1 | |
| - uses: actions/setup-python@v2 | |
| with: | |
| python-version: 3.7 | |
| - name: Generate terraform with AirIAM | |
| run: | | |
| pip3 install -U pip setuptools | |
| pip3 install airiam | |
| airiam terraform --no-cache --without-import -l 30 -d pre-$GITHUB_SHA | |
| tar -czvf pre-$GITHUB_SHA.tgz pre-$GITHUB_SHA | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| - name: Upload resultant terraform | |
| uses: actions/upload-artifact@v2 | |
| with: | |
| name: pre-${{github.sha}} | |
| path: pre-${{github.sha}}.tgz | |
| deploy-dev: | |
| needs: airiam-pre | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v1 | |
| - uses: actions/setup-node@v1 | |
| with: | |
| node-version: '10.x' | |
| - uses: actions/setup-python@v2 | |
| with: | |
| python-version: '3.8' | |
| - name: Install Serverless Framework | |
| run: npm install -g serverless | |
| - name: Install NPM dependencies | |
| run: | | |
| npm install | |
| npm install serverless-python-requirements | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v1 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: us-east-2 | |
| - name: Deploy sls functions and resources | |
| run: sls deploy -s dev | |
| airiam-post: | |
| needs: deploy-dev | |
| name: Generate current IAM terraform, post-deploy. | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v1 | |
| - uses: actions/setup-python@v1 | |
| with: | |
| python-version: 3.7 | |
| - name: Generate terraform with AirIAM | |
| run: | | |
| pip3 install -U pip setuptools | |
| pip install airiam | |
| airiam terraform --no-cache --without-import -l 30 -d post-$GITHUB_SHA | |
| tar -czvf post-$GITHUB_SHA.tgz post-$GITHUB_SHA | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| - name: Upload resultant terraform | |
| uses: actions/upload-artifact@v2 | |
| with: | |
| name: post-${{github.sha}} | |
| path: post-${{github.sha}}.tgz | |
| airiamdiff: | |
| needs: airiam-post | |
| outputs: | |
| airiamhasdiff: ${{ steps.step3.outputs.airiamhasdiff }} | |
| name: Diff pre and post deploy terraform. | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Download pre-deploy terraform | |
| id: "step1" | |
| uses: actions/download-artifact@v2 | |
| with: | |
| name: pre-${{github.sha}} | |
| - name: Download post-deploy terraform | |
| id: "step2" | |
| uses: actions/download-artifact@v2 | |
| with: | |
| name: post-${{github.sha}} | |
| - shell: bash | |
| id: "step3" | |
| run: | | |
| tar -xzvf pre-$GITHUB_SHA.tgz | |
| tar -xzvf post-$GITHUB_SHA.tgz | |
| diff ./pre-$GITHUB_SHA ./post-$GITHUB_SHA > $GITHUB_SHA.diff || echo ::set-output name=airiamhasdiff::"1" | |
| - name: Upload diff as artifact | |
| uses: actions/upload-artifact@v2 | |
| with: | |
| name: ${{github.sha}} | |
| path: ${{github.sha}}.diff | |
| airiam-alert: | |
| needs: airiamdiff | |
| name: Alert on IAM Changes. | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Get diff artifact | |
| uses: actions/download-artifact@v2 | |
| with: | |
| name: ${{github.sha}} | |
| - shell: bash | |
| run: | | |
| echo ${{ needs.airiamdiff.outputs.airiamhasdiff }} | |
| echo $GITHUB_SHA.diff | |
| - name: Send slack message to CodifiedSecurity | |
| uses: 8398a7/action-slack@v3 | |
| with: | |
| status: custom | |
| fields: repo,message,commit,author,action,eventName,ref,workflow,job,took # selectable (default: repo,message) | |
| custom_payload: | | |
| { | |
| "blocks": [ | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": `*The following commit to master changed your IAM access configuration!!\n*` | |
| } | |
| }, | |
| { | |
| "type": "section", | |
| "fields": [ | |
| { | |
| "type": "mrkdwn", | |
| "text": `*Author:*\n${process.env.AS_AUTHOR}` | |
| }, | |
| { | |
| "type": "mrkdwn", | |
| "text": `*Commit:*\n${process.env.AS_COMMIT}` | |
| }, | |
| { | |
| "type": "mrkdwn", | |
| "text": `*Repo:*\n${process.env.AS_REPO}` | |
| }, | |
| { | |
| "type": "mrkdwn", | |
| "text": `*Diff available here:*\n${process.env.AS_ACTION}` | |
| } | |
| ] | |
| } | |
| ] | |
| } | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} # optional | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} # required | |
| if: ${{ needs.airiamdiff.outputs.airiamhasdiff == 1 }} | |
| - name: Run Checkov against latest terraform | |
| uses: actions/setup-python@v1 | |
| with: | |
| python-version: 3.8 | |
| - run: | | |
| pip install checkov | |
| checkov --quiet -d ./postterraform | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment