-
Notifications
You must be signed in to change notification settings - Fork 11
/
sample-workflow.yml
79 lines (70 loc) · 2.62 KB
/
sample-workflow.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
name: sample-workflow
on:
push:
branches:
- main
paths:
- policies/cloudtrail/**
workflow_dispatch:
defaults:
run:
shell: bash
working-directory: policies/cloudtrail/
env:
AWS_ACCOUNT_ID: "123456789012"
REGION_LIST: |
(
"us-east-1"
"ap-southeast-1"
)
ROLE_NAME: custodian-sample-role
jobs:
CustodianDeployer:
name: Deploy Lambda for CloudTrail Events
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Install python3.8
uses: actions/setup-python@v2
with:
python-version: '3.8'
- name: Install Custodian
run: |
pip install c7n
- name: Configure AWS credentials from ${{env.AWS_ACCOUNT_ID}} account
run: |
CREDS=( $(aws sts assume-role --role-arn "arn:aws:iam::${{env.AWS_ACCOUNT_ID}}:role/${{env.ROLE_NAME}}" --role-session-name "${{env.ROLE_NAME}}" --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --duration-seconds 5400 --output text) )
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN
AWS_ACCESS_KEY_ID=${CREDS[0]}
echo "::add-mask::$AWS_ACCESS_KEY_ID"
echo AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID >> $GITHUB_ENV
AWS_SECRET_ACCESS_KEY=${CREDS[1]}
echo "::add-mask::$AWS_SECRET_ACCESS_KEY"
echo AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY >> $GITHUB_ENV
AWS_SESSION_TOKEN=${CREDS[2]}
echo "::add-mask::$AWS_SESSION_TOKEN"
echo AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN >> $GITHUB_ENV
- name: Check Access
run: |
aws sts get-caller-identity
- name: Deploy regional policies
run: |
find . \( -iname "*.yml" -o -iname "*.yaml" \) | { grep -v "route53\|cloudfront\|iam\|s3" || true; } | while read POLICY; do
sed -i 's,REPLACE_WEBHOOK_HERE,${{ secrets.CUSTODIAN_SLACK_WEBHOOK }},g' "$POLICY"
array=${{ env.REGION_LIST }}
for REGION in ${array[*]}; do
custodian run -s /tmp/ -v --cache-period 0 -c "$POLICY" --region "$REGION"
done
done
- name: Deploy global policies
run: |
find . \( -iname "*.yml" -o -iname "*.yaml" \) | { grep "route53\|cloudfront\|iam\|s3" || true; } | while read POLICY; do
sed -i 's,REPLACE_WEBHOOK_HERE,${{ secrets.CUSTODIAN_SLACK_WEBHOOK }},g' "$POLICY"
custodian run -s /tmp/ -v --cache-period 0 -c "$POLICY" --region us-east-1
done