Merge pull request #242 from adamrushuk/develop

devops-lab-v3.0.0

Author: adamrushuk

.devcontainer/devcontainer.json

@@ -27,7 +27,6 @@
 		"ms-vscode.azurecli",
 		"ms-azuretools.vscode-docker",
 		"aaron-bond.better-comments",
-		"coenraads.bracket-pair-colorizer-2",
 		"eamodio.gitlens",
 		"ms-kubernetes-tools.vscode-kubernetes-tools",
 		"yzhang.markdown-all-in-one",

.devcontainer/library-scripts/azcli-debian.sh

@@ -30,4 +30,4 @@ echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $(lsb_rel
 curl -sL https://packages.microsoft.com/keys/microsoft.asc | (OUT=$(apt-key add - 2>&1) || echo $OUT)
 apt-get update
 apt-get install -y azure-cli
-echo "Done!"
+echo "Done!"

.devcontainer/library-scripts/docker-debian.sh

@@ -178,4 +178,4 @@ exec "\$@"
 EOF
 chmod +x /usr/local/share/docker-init.sh
 chown ${USERNAME}:root /usr/local/share/docker-init.sh
-echo "Done!"
+echo "Done!"

.devcontainer/library-scripts/node-debian.sh

@@ -121,4 +121,4 @@ EOF
 ) | tee -a /etc/bash.bashrc >> /etc/zsh/zshrc
 fi
 
-echo "Done!"
+echo "Done!"

.github/workflows/TriggerCustomAction.ps1

@@ -34,7 +34,7 @@ param(
 
     $GithubUserName = "adamrushuk",
 
-    $GithubRepo = "aks-nexus-velero",
+    $GithubRepo = "devops-lab",
 
     [ValidateSet("test", "build", "deallocate_vmss", "start_vmss", "destroy")]
     $CustomEventAction = "test"

.github/workflows/build.yml

@@ -7,10 +7,6 @@ name: build
 # name of GitHub event that triggers workflow
 # https://help.github.com/en/actions/reference/events-that-trigger-workflows#watch-event-watch
 on:
-  # trigger when I star my own repo
-  watch:
-    types: [started]
-
   # trigger via webhook
   # https://github.com/adamrushuk/devops-lab/blob/master/TriggerCustomAction.ps1#L28
   repository_dispatch:
@@ -21,18 +17,23 @@ on:
   workflow_dispatch:
     inputs: {}
 
+# permissions for oidc login
+# https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read # This is required for actions/checkout
+
 # global environment variables
 # https://help.github.com/en/actions/configuring-and-managing-workflows/using-environment-variables
 env:
   # prefix: used for some globally unique name requirements
   PREFIX: arshz
 
   # debug
-  CI_DEBUG: false
+  CI_DEBUG: true
 
-  # azure creds
+  # azure creds (used with OIDC auth)
   ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
-  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
   ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
   ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
 
@@ -46,7 +47,7 @@ env:
   FORCE_TEST_FAIL: false
   K8S_TLS_SECRET_NAME: tls-secret
   KEY_VAULT_CERT_NAME: wildcard-thehypepipe-co-uk
-  KEY_VAULT_NAME: kv-rush-iz6y
+  KEY_VAULT_NAME: kv-rush-aqy2
   KEY_VAULT_RESOURCE_GROUP_NAME: rg-keyvault-acmebot
   # NOTE: "eastus" is cheaper than "uksouth"
   LOCATION: eastus
@@ -59,14 +60,16 @@ env:
   # terraform
   TF_IN_AUTOMATION: "true"
   TF_INPUT: "false"
+  # https://developer.hashicorp.com/terraform/internals/debugging
+  TF_LOG: "ERROR" # TRACE, DEBUG, INFO, WARN or ERROR
   TF_PLAN: "tfplan"
   # https://github.com/hashicorp/terraform/releases
-  TF_VERSION: "1.0.10"
+  TF_VERSION: "1.3.7"
   TF_WORKING_DIR: ./terraform
-  # https://github.com/terraform-linters/tflint-ruleset-azurerm/releases
-  TFLINT_RULESET_AZURERM_VERSION: "v0.13.2"
-  # https://github.com/terraform-linters/tflint/releases
-  TFLINT_VERSION: "v0.33.1"
+  # azurerm provider oidc
+  # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_oidc
+  # https://developer.hashicorp.com/terraform/language/settings/backends/azurerm#oidc_request_token
+  ARM_USE_OIDC: "true"
 
   # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below:
   # https://github.community/t5/GitHub-Actions/How-can-we-concatenate-multiple-env-vars-at-workflow-and-job/td-p/48489
@@ -75,11 +78,11 @@ jobs:
   build-and-deploy:
     # always pin versions
     # view installed software: https://docs.github.com/en/free-pro-team@latest/actions/reference/specifications-for-github-hosted-runners#supported-software
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-22.04
 
     # https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idenvironment
     environment:
-      name: dev_environment
+      name: dev
       url: "https://argocd.${{ env.ROOT_DOMAIN_NAME }}"
 
     # only run if owner triggered action
@@ -88,7 +91,7 @@ jobs:
     steps:
       # Checkout
       # https://github.com/marketplace/actions/checkout
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       # specify different branch
       # NOT required as I've changed the default branch to develop
       # with:
@@ -105,13 +108,19 @@ jobs:
           echo "DNS_DOMAIN_NAME=nexus.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV
           echo "DOCKER_FQDN=docker.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV
           echo "TERRAFORM_STORAGE_ACCOUNT=${{ env.PREFIX }}sttfstate${{ env.LOCATION }}001" >> $GITHUB_ENV
+          echo "TERRAFORM_STORAGE_CONTAINER=terraform" >> $GITHUB_ENV
           echo "TERRAFORM_STORAGE_RG=${{ env.PREFIX }}-rg-tfstate-dev-001" >> $GITHUB_ENV
           echo "VELERO_STORAGE_ACCOUNT=${{ env.PREFIX }}stbckuksouth001" >> $GITHUB_ENV
-          echo "VELERO_STORAGE_RG=${{ env.PREFIX }}-rg-velero-dev-001" >> $GITHUB_ENV
 
       # Login
-      - name: Login to Azure
-        run: ./scripts/azure_login.sh
+      # https://github.com/Azure/login
+      - name: Login via OIDC to Azure Public Cloud (az cli and az powershell)
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.ARM_CLIENT_ID }}
+          tenant-id: ${{ secrets.ARM_TENANT_ID }}
+          subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }}
+          enable-AzPSSession: true
 
       # This is required when developing after the initial build, and the AKS cluster may have been stopped
       # Ensure AKS cluster is running, else timeouts will occur on k8s Terraform apply tasks
@@ -123,8 +132,9 @@ jobs:
       - name: Create Storage Account for Terraform state
         run: ./scripts/storage_create.sh
 
-      - name: Lookup Storage Key
-        run: ./scripts/storage_key.sh
+      # TODO remove this step
+      # - name: Lookup Storage Key
+      #   run: ./scripts/storage_key.sh
 
       - name: Replace tokens in Terraform config files
         run: pwsh -command "./scripts/Replace-Tokens.ps1"
@@ -133,26 +143,47 @@ jobs:
           HELM_CHART_REPO_DEPLOY_PRIVATE_KEY: ${{ secrets.HELM_CHART_REPO_DEPLOY_PRIVATE_KEY }}
           IFTTT_WEBHOOK_KEY: ${{ secrets.IFTTT_WEBHOOK_KEY }}
 
-      - name: Create zip file of Function App
-        run: pwsh -command "./function_app/CreateFunctionAppZip.ps1"
-
       # Terraform
-      - uses: hashicorp/setup-terraform@v1
+      # https://github.com/hashicorp/setup-terraform
+      - uses: hashicorp/setup-terraform@v2
         with:
           terraform_version: ${{ env.TF_VERSION }}
 
       - name: Terraform Init / Validate
         run: |
-          terraform init
+          echo 'Running terraform init...'
+          terraform init \
+            -backend-config="resource_group_name=$TERRAFORM_STORAGE_RG" \
+            -backend-config="storage_account_name=$TERRAFORM_STORAGE_ACCOUNT"
+
+          # validate
+          echo 'Running terraform validate...'
           terraform validate
         working-directory: ${{ env.TF_WORKING_DIR }}
 
-      - name: Terraform Lint
-        run: ./scripts/tflint.sh
-        env:
-          TF_WORKING_DIR: ${{ env.TF_WORKING_DIR }}
-          TFLINT_RULESET_AZURERM_VERSION: ${{ env.TFLINT_RULESET_AZURERM_VERSION }}
-          TFLINT_VERSION: ${{ env.TFLINT_VERSION }}
+      # https://github.com/aquasecurity/tfsec-action
+      - name: Run tfsec security scan
+        uses: aquasecurity/tfsec-action@v1.0.3
+        with:
+          working_directory: ${{ env.TF_WORKING_DIR }}
+          soft_fail: true
+
+      # https://github.com/bridgecrewio/checkov-action
+      - name: Run Checkov security scan
+        id: checkov
+        uses: bridgecrewio/checkov-action@master
+        with:
+          directory: ${{ env.TF_WORKING_DIR }}
+          # check: CKV_AWS_1 # optional: run only a specific check_id. can be comma separated list
+          # optional: skip a specific check_id. can be comma separated list
+          skip_check: CKV2_AZURE_1,CKV_AZURE_4,CKV_AZURE_6,CKV2_AZURE_8,CKV2_AZURE_21,CKV_AZURE_33,CKV_AZURE_35,CKV_AZURE_117,CKV_AZURE_141
+          quiet: true # optional: display only failed checks
+          soft_fail: true # optional: do not return an error code if there are failed checks
+          framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all}
+          output_format: sarif # optional: the output format, one of: cli, json, junitxml, github_failed_only, or sarif. Default: sarif
+          download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry
+          # log_level: DEBUG # optional: set log level. Default WARNING
+          # config_file: path/this_file
 
       - name: 👀 Terraform Plan
         id: plan
@@ -182,6 +213,7 @@ jobs:
           NEXUS_USER_PASSWORD: ${{ secrets.NEXUS_USER_PASSWORD }}
 
       # Docker
+      # https://github.com/Azure/docker-login
       - name: Docker repo login
         uses: Azure/docker-login@v1
         with:
@@ -197,17 +229,18 @@ jobs:
         run: pwsh -command "./scripts/Fix-FunctionApp.ps1"
         env:
           FUNCTION_APP_NAME: "${{ env.PREFIX }}-funcapp"
-          FUNCTION_APP_RG: "${{ env.PREFIX }}-rg-function-app"
+          FUNCTION_APP_RG: "${{ env.PREFIX }}-rg-aks-dev-001"
 
       # Pester tests
       - name: 🧪 Run Pester tests
         continue-on-error: true
         run: pwsh -command "./scripts/Start-Test.ps1"
 
+      # https://github.com/actions/upload-artifact
       - name: Archive test artifacts
-        uses: actions/upload-artifact@v1
+        uses: actions/upload-artifact@v3
         with:
-          name: test results
+          name: test-results
           path: test/pester-test-results.xml
         if: always()
 
@@ -216,35 +249,47 @@ jobs:
         run: pwsh -command "Unregister-PSRepository -Name nuget.org-proxy -Verbose"
 
       # Shows at the bottom of a run: https://github.com/adamrushuk/devops-lab/runs/1035347513?check_suite_focus=true
-      - name: Pester report
-        uses: zyborg/pester-tests-report@v1
-        with:
-          test_results_path: test/pester-test-results.xml
-          report_name: pester_tests
-          report_title: Pester Tests
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+      # https://github.com/zyborg/pester-tests-report
+      # - name: Pester report
+      #   uses: zyborg/pester-tests-report@v1
+      #   with:
+      #     test_results_path: test/pester-test-results.xml
+      #     report_name: pester_tests
+      #     report_title: Pester Tests
+      #     github_token: ${{ secrets.GITHUB_TOKEN }}
+
+      # - uses: dorny/test-reporter@v1.6.0
+      #   with:
+      #     # artifact: test-results             # artifact name
+      #     name: Pester Tests Results           # Name of the check run which will be created
+      #     path: 'test/pester-test-results.xml' # Path to test results (inside artifact .zip)
+      #     reporter: java-junit                 # Format of test results
 
       # Notify
       - name: Notify slack
         continue-on-error: true
         env:
           SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
           SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
-        run: ./scripts/send_slack_message.sh "[aks-nexus-velero] Build complete"
+        run: ./scripts/send_slack_message.sh "[devops-lab] Build complete"
 
   # used for any windows-only tasks
   test-windows:
     needs: build-and-deploy
 
     # https://github.com/actions/virtual-environments
-    runs-on: windows-2019
+    runs-on: windows-2022
+
+    # https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idenvironment
+    environment:
+      name: dev
 
     # only run if owner triggered action
     if: github.actor == github.event.repository.owner.login
 
     steps:
       # Checkout
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       # Init tasks - inc Env var concatenation
       # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#environment-files
@@ -256,8 +301,14 @@ jobs:
           echo "DNS_DOMAIN_NAME=nexus.${{ env.ROOT_DOMAIN_NAME }}" | Out-File -Append -Encoding utf8 -FilePath "$env:GITHUB_ENV"
 
       # Login
-      - name: Login to Azure
-        run: ./scripts/azure_login.ps1
+      # https://github.com/Azure/login
+      - name: Login via OIDC to Azure Public Cloud (az cli and az powershell)
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.ARM_CLIENT_ID }}
+          tenant-id: ${{ secrets.ARM_TENANT_ID }}
+          subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }}
+          enable-AzPSSession: true
 
       # Chocolatey
       - name: Test Nexus Chocolatey proxy repo