
[Feature Requests] Publish a GitHub Action version of the validation #7

Open
kisst opened this issue Jun 6, 2024 · 8 comments


kisst commented Jun 6, 2024

While the default location for the LZA config is CodePipeline, due to the shortfalls of the AWS DevOps tool-chain some LZA customers manage their codebase outside the AWS ecosystem in more mature offerings like GH, and as validation should also happen close to the code, GitHub Actions is an obvious choice for this.
While the SSM parameter resolution is a limiting factor, via OIDC it should be trivial to address too.


jc1518 commented Jun 13, 2024

It is easy to run LZA-Validator in an action. Here is an example:

  1. Build a LZA-Validator image, then push it to your image repo (e.g. DockerHub).

  2. Add the following to the .github/workflow/ folder, e.g. validate-lza-config.yml.

name: Validate LZA Configurations

on: push

jobs:
  validation:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout LZA configurations repo
        uses: actions/checkout@v4
      # - name: Login to Docker Hub (required for private)
      #   uses: docker/login-action@v3
      #   with:
      #     username: ${{ secrets.DOCKERHUB_USERNAME }}
      #     password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Run LZA-Validator
        uses: addnab/docker-run-action@v3
        with:
          image: <your_dockerhub_repo>/lza-validator:<tag>
          options: -v ${{ github.workspace }}:/lza/config
          run: /lza/lza-validator.sh /lza/config/

Tested and verified in my sandbox.


BTW, you can use LZA-RepoSync to sync LZA configuration repositories from GitHub, GitLab, Bitbucket to CodeCommit automatically.


kisst commented Jun 14, 2024

I agree with you that it is easy to run only if we disregard the maintenance of the docker image; however, GitHub Actions is a convenient abstraction layer on top of an otherwise multistep config, but even just building Docker images would make a difference, either within GH or at Docker Hub.


jc1518 commented Jun 14, 2024

Unfortunately, we don't have an image repo for that. You can easily create an action to manage your LZA-Validator image build and publish.


kisst commented Sep 19, 2024

@jc1518 I tried to copy your setup, and I am failing on credentials.
Here is my workflow config:

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup aws credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: us-east-1
          mask-aws-account-id: true
          output-credentials: false
          role-duration-seconds: 1200
          role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}

      - name: Run LZA-Validator
        uses: addnab/docker-run-action@v3
        with:
          image: kisst/lza-validator:v1.9.2
          options: -v ${{ github.workspace }}/aws-accelerator-config:/lza/config
          run: /lza/lza-validator.sh /lza/config/

But I get an error around the authentication:

2024-09-19 14:22:24.161 | info | replacements-config | Loading replacements config substitution values
2024-09-19 14:22:24.347 | info | config-validator | Config source directory -  /lza/config/
2024-09-19 14:22:24.351 | info | replacements-config | Loading replacements config substitution values
2024-09-19 14:22:24.380 | info | replacements-config | Loading replacements config substitution values
2024-09-19 14:22:24.383 | info | replacements-config | Loading replacements config substitution values
2024-09-19 14:22:25.029 | info | accounts-config-validator | accounts-config.yaml file validation started
2024-09-19 14:22:25.032 | info | global-config-validator | global-config.yaml file validation started
2024-09-19 14:22:25.036 | info | iam-config-validator | iam-config.yaml file validation started
2024-09-19 14:22:25.040 | info | network-config-validator | network-config.yaml file validation started
2024-09-19 14:22:25.044 | info | organization-config-validator | organization-config.yaml file validation started
2024-09-19 14:22:25.045 | info | security-config-validator | security-config.yaml file validation started
2024-09-19 14:22:25.048 | warn | config-validator | Config file validation failed !!!
2024-09-19 14:22:25.048 | warn | config-validator | CredentialsError: Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1 in accounts-config.yaml config file
error Command failed with exit code 1.

On the AWS side I confirmed in Access Advisor and in CloudTrail that the Role in question does get assumed, but no other actions are called (or denied); the container itself is getting called with all kinds of AWS related env variables:

-e "AWS_DEFAULT_REGION" -e "AWS_REGION" -e "AWS_ACCESS_KEY_ID" -e "AWS_SECRET_ACCESS_KEY" -e "AWS_SESSION_TOKEN" 

and yet CredentialsError. Can you give me a hint how you got around this?

btw I built and pushed to public a bunch of versions of the lza-validator under my own Docker Hub account for now, but a ghcr.io image would be great stuff for the public.


jc1518 commented Sep 19, 2024

Credentials environment variables need to be added in the options: -v ${{ github.workspace }}/aws-accelerator-config:/lza/config -e ...


kisst commented Sep 20, 2024

with:
  image: kisst/lza-validator:v1.9.2
  options: -v /home/runner/work/landingzone/landingzone/aws-accelerator-config:/lza/config
  run: /lza/lza-validator.sh /lza/config/
  shell: sh
env:
  AWS_DEFAULT_REGION: us-east-1
  AWS_REGION: us-east-1
  AWS_ACCESS_KEY_ID: ***
  AWS_SECRET_ACCESS_KEY: ***
  AWS_SESSION_TOKEN: ***
/usr/bin/docker run --name f03280201d52dd42f1435e9e9482282fbdd0bb_0c86da --label f03280 --workdir /github/workspace --rm -e "AWS_DEFAULT_REGION" -e "AWS_REGION" -e "AWS_ACCESS_KEY_ID" -e "AWS_SECRET_ACCESS_KEY" -e "AWS_SESSION_TOKEN" -e "INPUT_IMAGE" -e "INPUT_OPTIONS" -e "INPUT_RUN" -e "INPUT_SHELL" -e "INPUT_REGISTRY" -e "INPUT_USERNAME" -e "INPUT_PASSWORD" -e "INPUT_DOCKER_NETWORK" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_ID_TOKEN_REQUEST_URL" -e "ACTIONS_ID_TOKEN_REQUEST_TOKEN" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/landingzone/landingzone":"/github/workspace" f03280:201d52dd42f1435e9e9482282fbdd0bb

This is from the build log; as far as I can tell all the AWS environment variables are already passed into the docker container.


jc1518 commented Sep 20, 2024

I think this is the one, -e "INPUT_OPTIONS", where the credential should be passed.
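A complete workflow that applies jc1518's fix, written here as an added example rather than code from either participant: the outer -e flags in the build log only deliver the session credentials to the action's own container, so the inner docker run started from INPUT_OPTIONS has to forward them again, by name, through the options input. It assumes the image name and the ROLE_TO_ASSUME secret from kisst's config above, and that the role is assumed over OIDC (hence the permissions block).

```yaml
name: Validate LZA Configurations

on: push

# OIDC role assumption needs an ID token; nothing else is granted to the job.
permissions:
  id-token: write
  contents: read

jobs:
  validation:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout LZA configurations repo
        uses: actions/checkout@v4

      - name: Setup aws credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: us-east-1
          role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}   # assumed: secret from kisst's config
          role-duration-seconds: 1200

      - name: Run LZA-Validator
        uses: addnab/docker-run-action@v3
        with:
          image: kisst/lza-validator:v1.9.2
          # "-e NAME" with no "=value" makes docker copy NAME from the environment
          # in which "docker run" executes (the action container, which already
          # received the session credentials). The values therefore never appear
          # in the docker command line echoed into the job log.
          options: >-
            -v ${{ github.workspace }}/aws-accelerator-config:/lza/config
            -e AWS_REGION
            -e AWS_DEFAULT_REGION
            -e AWS_ACCESS_KEY_ID
            -e AWS_SECRET_ACCESS_KEY
            -e AWS_SESSION_TOKEN
          run: /lza/lza-validator.sh /lza/config/
```

The folded scalar (>-) joins the option lines with spaces, so the action receives a single options string; the credentials it forwards are the short-lived session values from configure-aws-credentials, which expire with role-duration-seconds.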
