bcgov · afwilcox · Oct 30, 2024 · Oct 25, 2024 · Oct 25, 2024 · Oct 25, 2024
diff --git a/.github/scripts/sysdig_deploy.sh b/.github/scripts/sysdig_deploy.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+# Handles sysdig terraform validation and apply
+
+set -e # failfast
+# ENV:
+# APPLY: determines if plan is applied, lease as false for dry-run
+
+cd terraform || exit 1
+terraform -v
+terraform init \
+    -backend-config="bucket=${STATE_BACKEND_BUCKET}" \
+    -backend-config="key=${STATE_BACKEND_FILEPATH}" \
+    -backend-config="access_key=${STATE_BACKEND_ACCESS_KEY}" \
+    -backend-config="secret_key=${STATE_BACKEND_SECRET_KEY}" \
+    -backend-config="endpoint=${STATE_BACKEND_ENDPOINT}"
+
+# validate and lint check
+terraform validate
+terraform plan
+
+if [ "$APPLY" = "true" ]; then
+    echo "APPLY=true flag provided, attempting to apply changes"
+    # deploy
+    terraform apply -auto-approve
+else
+    echo "Dry-run, skipping apply"
+fi
diff --git a/.github/scripts/sysdig_installed.sh b/.github/scripts/sysdig_installed.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+# Fetches the sysdig team crd and checks at least 1 user is present in the config
+# IMPORTANT NOTE: requires a serviceaccount with get/list on sysdig-team
+# ENV:
+# OC_NAMESPACE
+# OC_SERVER
+# OC_TOKEN
+set -e # failfast
+if [ -z "$OC_NAMESPACE" ]; then
+    echo "OC_NAMESPACE not set"
+    exit 1
+fi
+if [ -z "$OC_SERVER" ]; then
+    echo "OC_SERVER not set"
+    exit 1
+fi
+if [ -z "$OC_TOKEN" ]; then
+    echo "OC_TOKEN not set"
+    exit 1
+fi
+
+OC_TEMP_TOKEN=$(curl -k -X POST $OC_SERVER/api/v1/namespaces/$OC_NAMESPACE/serviceaccounts/pipeline/token --header "Authorization: Bearer $OC_TOKEN" -d '{"spec": {"expirationSeconds": 600}}' -H 'Content-Type: application/json; charset=utf-8' | jq -r '.status.token' )
+oc login --token=$OC_TEMP_TOKEN --server=$OC_SERVER
+oc project $OC_NAMESPACE # Safeguard!
+
+
+sysdig_config=$(oc get sysdig-team -n $OC_NAMESPACE -ojson)
+num_users=$(echo $sysdig_config | jq -r '.items[0].spec.team.users | length')
+if [ $num_users -eq 0 ]; then
+    echo "No users found in sysdig-team"
+    exit 1
+fi
+echo "Found $num_users users in sysdig-team"
+exit 0
diff --git a/.github/workflows/deploy-sysdig.yml b/.github/workflows/deploy-sysdig.yml
@@ -0,0 +1,64 @@
+name: Deploy Sysdig Alerts
+
+on:
+  push:
+    paths:
+      - "terraform/**"
+
+concurrency:
+  # Do not interrupt previous workflows
+  # avoid state corruption from cancels
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
+
+jobs:
+  installed:
+    environment: tools
+    name: Check Sysdig Installed
+    runs-on: ubuntu-22.04
+    timeout-minutes: 1
+    steps:
+      - uses: actions/checkout@v4
+      - run: ./.github/scripts/sysdig_installed.sh
+        env:
+          OC_NAMESPACE: ${{ secrets.OC_NAMESPACE }}
+          OC_SERVER: ${{ secrets.OC_SERVER }}
+          OC_TOKEN: ${{ secrets.OC_TOKEN }}
+
+  validate:
+    environment: tools
+    needs: installed
+    name: Validate Sysdig Terraform
+    runs-on: ubuntu-22.04
+    timeout-minutes: 3
+    steps:
+      - uses: actions/checkout@v4
+      - name: Validate Sysdig Terraform
+        run: APPLY=false ./.github/scripts/sysdig_deploy.sh
+        env:
+          STATE_BACKEND_BUCKET: ${{ secrets.STATE_BACKEND_BUCKET }}
+          STATE_BACKEND_ACCESS_KEY: ${{ secrets.STATE_BACKEND_ACCESS_KEY }}
+          STATE_BACKEND_SECRET_KEY: ${{ secrets.STATE_BACKEND_SECRET_KEY }}
+          STATE_BACKEND_FILEPATH: ${{ secrets.STATE_BACKEND_FILEPATH }}
+          STATE_BACKEND_ENDPOINT: ${{ secrets.STATE_BACKEND_ENDPOINT }}
+          TF_VAR_sysdig_api_token: ${{ secrets.TF_VAR_SYSDIG_API_TOKEN }}
+          AWS_NO_SIGN_REQUEST: 1
+  deploy:
+    if: github.ref == 'refs/heads/main'
+    needs: validate
+    environment: tools
+    name: Deploy Sysdig Terraform
+    runs-on: ubuntu-22.04
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+      - name: Apply Sysdig Terraform
+        run: APPLY=true ./.github/scripts/sysdig_deploy.sh
+        env:
+          STATE_BACKEND_BUCKET: ${{ secrets.STATE_BACKEND_BUCKET }}
+          STATE_BACKEND_ACCESS_KEY: ${{ secrets.STATE_BACKEND_ACCESS_KEY }}
+          STATE_BACKEND_SECRET_KEY: ${{ secrets.STATE_BACKEND_SECRET_KEY }}
+          STATE_BACKEND_FILEPATH: ${{ secrets.STATE_BACKEND_FILEPATH }}
+          STATE_BACKEND_ENDPOINT: ${{ secrets.STATE_BACKEND_ENDPOINT }}
+          TF_VAR_sysdig_api_token: ${{ secrets.TF_VAR_SYSDIG_API_TOKEN }}
+          AWS_NO_SIGN_REQUEST: 1
diff --git a/.gitignore b/.gitignore
@@ -119,3 +119,23 @@ frontend/cypress/screenshots/allegation-details-edit.cy.ts/Complaint Edit Page s
 frontend/cypress/screenshots/hwcr-details-edit.cy.ts/Complaint Edit Page spec - Edit View -- Navigate to the Complaint Edit page & check inputs (failed).png
 frontend/cypress/screenshots/hwcr-details-edit.cy.ts/Complaint Edit Page spec - Edit View -- it has a map on screen with a marker at the correct location (failed).png
 nr-compliance-enforcement.code-workspace
+
+# Terraform
+*.tfstate
+*.tfstate.*
+crash.log
+crash.*.log
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+.terraform/
+.terraform.lock.hcl
+**/.terraform/*
+*.tfvars
+*.tfvars.json
+# Ignore transient lock info files created by terraform apply
+.terraform.tfstate.lock.info
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc