Skip to content

fix(ecs): vitals env to exist even if set to off #299

fix(ecs): vitals env to exist even if set to off

fix(ecs): vitals env to exist even if set to off #299

Workflow file for this run

name: PR
concurrency: pr
on:
pull_request:
paths-ignore:
- '**/*.md'
env:
TERRAFORM_VERSION: 0.14.7
KICS_asg_with_no_elb: '8e94dced-9bcc-4203-8eb7-7e41202b2505' # KICS Query 'Auto Scaling Group With No Associated ELB'
KICS_iam_access_analyzer_not_enabled: 'e592a0c5-5bdb-414c-9066-5dba7cdea370' # KICS Query 'IAM Access Analyzer Not Enabled'
KICS_kms_vulnerable_policy: '7ebc9038-0bde-479a-acc4-6ed7b6758899' # KICS Query 'KMS Key With Vulnerable Policy'
KICS_ecs_service_with_no_tasks: '91f16d09-689e-4926-aca7-155157f634ed' # KICS Query 'ECS Service Without Running Tasks'
KICS_passwords_and_secrets: 'a88baa34-e2ad-44ea-ad6f-8cac87bc7c71' # KICS Query 'Passwords And Secrets'
jobs:
format:
name: Terraform-Format
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- uses: hashicorp/setup-terraform@v1
with:
terraform_version: ${{ env.TERRAFORM_VERSION }}
- name: Terraform Format
id: fmt
run: terraform fmt -recursive -check
continue-on-error: true
kics-scan:
name: KICS Scan
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
with:
path: 'repo'
- name: KICS Github Action
uses: checkmarx/kics-action@v1.5
with:
path: 'repo'
exclude_paths: 'repo/examples'
output_path: 'results'
platform_type: terraform
fail_on: high,medium
exclude_queries: '${{ env.KICS_asg_with_no_elb }},${{ env.KICS_iam_access_analyzer_not_enabled }},${{ env.KICS_kms_vulnerable_policy }},${{ env.KICS_ecs_service_with_no_tasks }},${{ env.KICS_passwords_and_secrets }}'
enable_comments: true
- name: Display KICS Results
run: |
cat results/results.json
## Commenting until ACTIONS_ACCESS_KEY_ID and ACTIONS_SECRET_ACCESS_KEY are set with a valid set of credentials.
#
# docker:
# name: Docker build and push
# runs-on: ubuntu-latest
# if: github.event.pull_request.draft == false
# needs: check-aws-credentials
# steps:
# - name: Checkout repo
# uses: actions/checkout@v3
# - name: Set up Docker Buildx
# uses: docker/setup-buildx-action@v2
# - name: Login to GitHub Container Registry
# uses: docker/login-action@v2
# with:
# registry: ghcr.io
# username: ${{ github.actor }}
# password: ${{ secrets.GITHUB_TOKEN }}
# - name: Login to AWS ECR
# uses: docker/login-action@v2
# with:
# registry: ${{ secrets.AWS_ACCOUNT }}.dkr.ecr.eu-west-1.amazonaws.com
# username: ${{ secrets.ACTIONS_ACCESS_KEY_ID }}
# password: ${{ secrets.ACTIONS_SECRET_ACCESS_KEY }}
# - name: Build and push
# uses: docker/build-push-action@v3
# with:
# context: docker-image
# build-args: 'KONG=2.8.1.1'
# push: true
# tags: |
# ghcr.io/dwp/terraform-aws-kong-gateway:${{ github.run_number }}
# ${{ secrets.AWS_ACCOUNT }}.dkr.ecr.eu-west-1.amazonaws.com/terraform-aws-kong-gateway:${{ github.run_number }}
# check-aws-credentials:
# name: Test AWS Credentials
# runs-on: ubuntu-latest
# if: github.event.pull_request.draft == false
# steps:
# - name: Test AWS Credentials
# uses: docker://amazon/aws-cli
# with:
# args: ec2 describe-availability-zones --region us-east-1
# env:
# AWS_ACCESS_KEY_ID: ${{ secrets.ACTIONS_ACCESS_KEY_ID }}
# AWS_SECRET_ACCESS_KEY: ${{ secrets.ACTIONS_SECRET_ACCESS_KEY }}
# test:
# name: Kitchen-Terraform
# runs-on: ubuntu-latest
# if: github.event.pull_request.draft == false
# needs:
# - check-aws-credentials
# - docker
# env:
# GEMFILE_DIR: .
# AWS_ACCESS_KEY_ID: ${{ secrets.ACTIONS_ACCESS_KEY_ID }}
# AWS_SECRET_ACCESS_KEY: ${{ secrets.ACTIONS_SECRET_ACCESS_KEY }}
# TF_VAR_region: eu-west-1
# TF_VAR_vpc_cidr_block: "10.0.0.0/16"
# TF_VAR_kong_database_password: ${{ secrets.KONG_DATABASE_PASSWORD }}
# steps:
# - name: Checkout repo
# uses: actions/checkout@v2
# - name: Kitchen Test ECS
# uses: dwp/github-action-kitchen-terraform@v2.0.1
# with:
# terraform-version: 0.14.7
# kitchen-command: test hybrid-ecs --destroy=always
# aws-account-number: ${{ secrets.AWS_ACCOUNT }}
# env:
# AWS_ACCESS_KEY_ID: ${{ secrets.ACTIONS_ACCESS_KEY_ID }}
# AWS_SECRET_ACCESS_KEY: ${{ secrets.ACTIONS_SECRET_ACCESS_KEY }}
# TF_VAR_region: eu-west-1
# TF_VAR_environment: GHA-${{ github.run_number }}
# TF_VAR_vpc_cidr_block: "10.0.0.0/16"
# TF_VAR_kong_database_password: ${{ secrets.KONG_DATABASE_PASSWORD }}
# TF_VAR_image_url: ${{ secrets.AWS_ACCOUNT }}.dkr.ecr.eu-west-1.amazonaws.com/terraform-aws-kong-gateway:${{ github.run_number }}
# KONG_EE_LICENSE: ${{ secrets.KONG_EE_LICENSE }}
# - name: Kitchen Test Amazon Linux 2
# uses: dwp/github-action-kitchen-terraform@v2.0.1
# with:
# terraform-version: 0.14.7
# kitchen-command: test hybrid-amazon-linux --destroy=always
# aws-account-number: ${{ secrets.AWS_ACCOUNT }}
# env:
# AWS_ACCESS_KEY_ID: ${{ secrets.ACTIONS_ACCESS_KEY_ID }}
# AWS_SECRET_ACCESS_KEY: ${{ secrets.ACTIONS_SECRET_ACCESS_KEY }}
# TF_VAR_region: eu-west-1
# TF_VAR_environment: GHA-${{ github.run_number }}
# TF_VAR_vpc_cidr_block: "10.0.0.0/16"
# TF_VAR_kong_database_password: ${{ secrets.KONG_DATABASE_PASSWORD }}
# - name: Deactivate AWS Credentials
# if: ${{ always() }}
# uses: docker://amazon/aws-cli
# with:
# args: iam update-access-key --access-key-id ${{ secrets.ACTIONS_ACCESS_KEY_ID }} --status Inactive
# env:
# AWS_REGION: us-east-1
# AWS_ACCESS_KEY_ID: ${{ secrets.ACTIONS_ACCESS_KEY_ID }}
# AWS_SECRET_ACCESS_KEY: ${{ secrets.ACTIONS_SECRET_ACCESS_KEY }}