export azure ci to action

elastic · Mar 4, 2024 · 1860127 · 1860127
1 parent c72a0b7
commit 1860127
Show file tree

Hide file tree

Showing 4 changed files with 182 additions and 0 deletions.
diff --git a/.github/actions/azure-ci/action.yml b/.github/actions/azure-ci/action.yml
@@ -0,0 +1,71 @@
+name: 'Azure CI'
+description: 'Azure integration tests'
+inputs:
+ elk-version:
+ description: 'ELK version'
+ required: true
+ azure-client-id:
+ description: 'Azure client id'
+ required: true
+ azure-tenant-id:
+ description: 'Azure tenant id'
+ required: true
+ azure-client-secret:
+ description: 'Azure client secret'
+ required: true
+runs:
+ using: composite
+ steps:
+ - name: Run elasticsearch
+ uses: elastic/elastic-github-actions/elasticsearch@master
+ with:
+ stack-version: ${{ inputs.elk-version }}
+ security-enabled: false
+
+ - name: Elasticsearch disable dynamic mapping for findings
+ shell: bash
+ run: ./.ci/scripts/disable_dynamic_mapping.sh
+
+ - name: Run cloudbeat in background
+ env:
+ ES_HOST: http://localhost:9200
+ ES_USERNAME: elastic
+ ES_PASSWORD: changeme
+ AZURE_ACCOUNT_TYPE: single-account
+ AZURE_CREDENTIALS_TYPE: service_principal_with_client_secret
+ AZURE_CLIENT_ID: ${{ inputs.azure-client-id }}
+ AZURE_TENANT_ID: ${{ inputs.azure-tenant-id }}
+ AZURE_CLIENT_SECRET: ${{ inputs.azure-client-secret }}
+ shell: bash
+ run: |
+ ./cloudbeat -c deploy/azure/cloudbeat-azure.yml -d '*' &
+
+ - name: Wait for cloudbeat to send events
+ shell: bash
+ run: sleep 264
+
+ - name: Stop cloudbeat
+ shell: bash
+ run: pkill -15 cloudbeat
+
+ - name: Check for findings
+ working-directory: ./tests
+ env:
+ USE_K8S: false
+ shell: bash
+ run: |
+ poetry run pytest -k "azure" --alluredir=./allure/results/ --clean-alluredir
+
+ - name: Upload test results
+ if: always()
+ uses: actions/upload-artifact@v3
+ with:
+ name: allure-results-ci-azure
+ path: tests/allure/results/
+
+ - name: Upload cloudbeat logs
+ if: always()
+ uses: actions/upload-artifact@v3
+ with:
+ name: cloubeat-logs-ci-azure
+ path: logs/
diff --git a/.github/actions/hermit/action.yml b/.github/actions/hermit/action.yml
@@ -0,0 +1,59 @@
+name: 'Hermit Environment'
+description: 'Activate hermit environment'
+inputs:
+ cache:
+ description: 'Cache hermit files'
+ required: false
+ default: 'true'
+runs:
+ using: composite
+ steps:
+ - if: ${{ inputs.cache == 'true' }}
+ id: hermit-hash
+ shell: bash
+ run: |
+ bin_hashes="$(find ./bin ! -type d | sort | xargs openssl sha256 | openssl sha256 -r | cut -d' ' -f1)"
+ poetry_security_polices="${{ hashFiles('./security-policies/poetry.lock', './security-policies/pyproject.toml') }}"
+ poetry_tests="${{ hashFiles('./tests/poetry.lock', './tests/pyproject.toml') }}"
+ pre_commit="${{ hashFiles('.pre-commit-config.yaml') }}"
+ action_hash="${{ hashFiles('.github/actions/hermit/action.yml') }}"
+ hash="$(echo "${bin_hashes} ${poetry_security_polices} ${poetry_tests} ${pre_commit} ${action_hash}" | sha256sum | cut -d' ' -f1)"
+ echo "hash=$hash" >> "$GITHUB_OUTPUT"
+
+ - if: ${{ inputs.cache == 'true' }}
+ uses: actions/cache@v4
+ with:
+ path: |
+ ~/.cache/hermit/pkg
+ ./.hermit
+ ~/.cache/pypoetry
+ ~/go/pkg/
+ ~/.cache/pre-commit
+ key: ci-hermit-env-${{ runner.os }}-${{ steps.hermit-hash.outputs.hash }}
+ restore-keys: |
+ ci-hermit-env-${{ runner.os }}
+
+ - name: Initialize hermit
+ shell: bash
+ run: ./bin/hermit env --raw >> "$GITHUB_ENV"
+
+ - name: Install hermit packages
+ shell: bash
+ run: hermit install
+ - name: Install poetry
+ shell: bash
+ run: pip3 install poetry
+ - name: Install tests poetry dependencies
+ shell: bash
+ run: cd ./tests && poetry install --no-root
+ - name: Install security-policies poetry dependencies
+ shell: bash
+ run: cd ./security-policies && poetry install --no-root
+ - name: Install pre-commit repos
+ shell: bash
+ run: pre-commit || true
+
+ - shell: bash
+ run: go mod download
+ - shell: bash
+ run: go env
diff --git a/.github/workflows/azure-ci.yml b/.github/workflows/azure-ci.yml
@@ -13,6 +13,7 @@ on:
 
 jobs:
  Run-CSPM-AZURE-Tests:
+ if: ${{ false }}
  name: CIS AZURE integration test
  runs-on: ubuntu-22.04
  timeout-minutes: 60

diff --git a/.github/workflows/pr-ci.yml b/.github/workflows/pr-ci.yml
@@ -0,0 +1,51 @@
+name: CI
+
+on:
+ pull_request:
+ branches:
+ - main
+ - "[0-9]+.[0-9]+"
+ types: [opened, synchronize, reopened]
+ push:
+ branches:
+ - main
+ - "[0-9]+.[0-9]+"
+ workflow_dispatch:
+
+jobs:
+ init-hermit:
+ name: Init Hermit Tools
+ runs-on: ubuntu-22.04
+ timeout-minutes: 60
+ steps:
+ - name: Check out the repo
+ uses: actions/checkout@v4
+ - name: Hermit Environment
+ uses: ./.github/actions/hermit
+
+ ci-azure:
+ needs: [ init-hermit ]
+ name: Integrations Tests CIS Azure
+ runs-on: ubuntu-22.04
+ timeout-minutes: 60
+ permissions:
+ contents: "read"
+ id-token: "write"
+ steps:
+ - name: Check out the repo
+ uses: actions/checkout@v4
+
+ - name: Hermit Environment
+ uses: ./.github/actions/hermit
+
+ - name: Build cloudbeat binary
+ shell: bash
+ run: mage build
+
+ - name: Run Azure integration tests
+ uses: ./.github/actions/azure-ci
+ with:
+ elk-version: ${{ env.ELK_VERSION }}
+ azure-client-id: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientId }}
+ azure-tenant-id: ${{ fromJSON(secrets.AZURE_CREDENTIALS).tenantId }}
+ azure-client-secret: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientSecret }}