rancher
/
terraform-aws-access
mirror of https://github.com/rancher/terraform-aws-access.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix: update to comply with new restrictions (#128) 

Signed-off-by: matttrach <matt.trachier@suse.com>
This commit is contained in:
Matt Trachier 2025-03-06 12:07:15 -06:00 committed by GitHub
parent 0f3c59090e
commit 043e58746a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 161 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

96
.github/workflows/release.yaml vendored
View File

@ -6,9 +6,10 @@ on:
- main - main
env: env:
AWS_REGION: us-west-1 AWS_REGION: us-west-2
AWS_ROLE: arn:aws:iam::270074865685:role/terraform-module-ci-test AWS_ROLE: arn:aws:iam::270074865685:role/terraform-module-ci-test
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
ACME_SERVER_URL: https://acme-v02.api.letsencrypt.org/directory
permissions: write-all permissions: write-all
@ -16,47 +17,102 @@ jobs:
release: release:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: google-github-actions/release-please-action@v4 - uses: googleapis/release-please-action@v4
id: release-please id: release-please
with: with:
release-type: terraform-module release-type: terraform-module
- uses: peter-evans/create-or-update-comment@v4 - name: Install Let's Encrypt Roots and Intermediate Certificates
name: 'Remind to wait' if: steps.release-please.outputs.pr
run: |
# https://letsencrypt.org/certificates/
sudo apt-get update -y
sudo apt-get install -y ca-certificates wget openssl libssl-dev
wget https://letsencrypt.org/certs/isrgrootx1.pem # rsa
sudo cp isrgrootx1.pem /usr/local/share/ca-certificates/
wget https://letsencrypt.org/certs/isrg-root-x2.pem # ecdsa
sudo cp isrg-root-x2.pem /usr/local/share/ca-certificates/
wget https://letsencrypt.org/certs/2024/r11.pem
sudo cp r11.pem /usr/local/share/ca-certificates/
wget https://letsencrypt.org/certs/2024/r10.pem
sudo cp r10.pem /usr/local/share/ca-certificates/
wget https://letsencrypt.org/certs/2024/e5.pem
sudo cp e5.pem /usr/local/share/ca-certificates/
wget https://letsencrypt.org/certs/2024/e6.pem
sudo cp e6.pem /usr/local/share/ca-certificates/
sudo update-ca-certificates
- name: Verify Lets Encrypt CA Functionality
if: steps.release-please.outputs.pr
run: |
# Function to check if Let's Encrypt CA is effectively used by openssl
check_letsencrypt_ca() {
# Try to verify a known Let's Encrypt certificate (you can use any valid one)
if openssl s_client -showcerts -connect letsencrypt.org:443 < /dev/null | openssl x509 -noout -issuer | grep -q "Let's Encrypt"; then
return 0 # Success
else
return 1 # Failure
fi
}
if check_letsencrypt_ca; then
echo "Let's Encrypt CA is functioning correctly."
else
echo "Error: Let's Encrypt CA is not being used for verification."
exit 1
fi
- uses: actions/github-script@v7
if: steps.release-please.outputs.pr if: steps.release-please.outputs.pr
with: with:
issue-number: ${{ fromJson(steps.release-please.outputs.pr).number }} github-token: ${{secrets.GITHUB_TOKEN}}
body: | script: |
Please make sure e2e tests pass before merging this PR! github.rest.issues.createComment({
${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} issue_number: ${{ fromJson(steps.release-please.outputs.pr).number }},
owner: "${{ github.repository_owner }}",
repo: "${{ github.event.repository.name }}",
body: "Please make sure e2e tests pass before merging this PR! \n ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
})
- uses: actions/checkout@v4 - uses: actions/checkout@v4
if: steps.release-please.outputs.pr if: steps.release-please.outputs.pr
with: with:
token: ${{secrets.GITHUB_TOKEN}} token: ${{secrets.GITHUB_TOKEN}}
fetch-depth: 0 fetch-depth: 0
- uses: aws-actions/configure-aws-credentials@v4 - id: aws-creds
uses: aws-actions/configure-aws-credentials@v4
if: steps.release-please.outputs.pr if: steps.release-please.outputs.pr
with: with:
role-to-assume: ${{env.AWS_ROLE}} role-to-assume: ${{env.AWS_ROLE}}
role-session-name: ${{github.job}}-${{github.run_id}}-${{github.run_number}}-${{github.run_attempt}} role-session-name: ${{github.run_id}}
aws-region: ${{env.AWS_REGION}} aws-region: ${{env.AWS_REGION}}
- uses: matttrach/nix-installer-action@main role-duration-seconds: 7200 # 2 hours
output-credentials: true
- name: install-nix
if: steps.release-please.outputs.pr if: steps.release-please.outputs.pr
run: |
curl -L https://nixos.org/nix/install | sh
source /home/runner/.nix-profile/etc/profile.d/nix.sh
nix --version
which nix
- name: Run Tests - name: Run Tests
if: steps.release-please.outputs.pr if: steps.release-please.outputs.pr
shell: 'nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep ZONE --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}' shell: '/home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep IDENTIFIER --keep GITHUB_TOKEN --keep GITHUB_OWNER --keep ZONE --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}'
env: env:
AWS_ACCESS_KEY_ID: ${{ steps.aws-creds.outputs.aws-access-key-id }}
AWS_SECRET_ACCESS_KEY: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
AWS_SESSION_TOKEN: ${{ steps.aws-creds.outputs.aws-session-token }}
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
GITHUB_OWNER: rancher GITHUB_OWNER: rancher
IDENTIFIER: ${{github.job}}-${{github.run_id}}-${{github.run_number}}-${{github.run_attempt}} IDENTIFIER: ${{github.run_id}}
ZONE: ${{secrets.ZONE}} ZONE: ${{secrets.ZONE}}
ACME_SERVER_URL: https://acme-v02.api.letsencrypt.org/directory
RANCHER_INSECURE: false
run: | run: |
go version
./run_tests.sh ./run_tests.sh
- uses: peter-evans/create-or-update-comment@v4 - uses: actions/github-script@v7
name: 'Report Success'
if: steps.release-please.outputs.pr if: steps.release-please.outputs.pr
with: with:
issue-number: ${{ fromJson(steps.release-please.outputs.pr).number }} github-token: ${{secrets.GITHUB_TOKEN}}
body: | script: |
End to End Tests Passed! github.rest.issues.createComment({
${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} issue_number: ${{ fromJson(steps.release-please.outputs.pr).number }},
owner: "${{ github.repository_owner }}",
repo: "${{ github.event.repository.name }}",
body: "End to End Tests Passed! \n ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
})

104
.github/workflows/validate.yaml vendored
View File

@ -2,7 +2,7 @@ name: validate
on: on:
pull_request: pull_request:
branches: main branches: [main]
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@ -17,9 +17,14 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
fetch-depth: 0 fetch-depth: 0
- uses: matttrach/nix-installer-action@main - name: install-nix
run: |
curl -L https://nixos.org/nix/install | sh
source /home/runner/.nix-profile/etc/profile.d/nix.sh
nix --version
which nix
- name: lint terraform - name: lint terraform
shell: nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0} shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
run: | run: |
terraform fmt -check -recursive terraform fmt -check -recursive
tflint --recursive tflint --recursive
@ -31,9 +36,14 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
fetch-depth: 0 fetch-depth: 0
- uses: matttrach/nix-installer-action@main - name: install-nix
run: |
curl -L https://nixos.org/nix/install | sh
source /home/runner/.nix-profile/etc/profile.d/nix.sh
nix --version
which nix
- name: action lint - name: action lint
shell: nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0} shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
run: actionlint run: actionlint
shellcheck: shellcheck:
@ -42,9 +52,14 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
fetch-depth: 0 fetch-depth: 0
- uses: matttrach/nix-installer-action@main - name: install-nix
run: |
curl -L https://nixos.org/nix/install | sh
source /home/runner/.nix-profile/etc/profile.d/nix.sh
nix --version
which nix
- name: shell check - name: shell check
shell: nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0} shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
run: | run: |
while read -r file; do while read -r file; do
echo "checking $file..." echo "checking $file..."
@ -57,9 +72,14 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
fetch-depth: 0 # fetch all history so that we can validate the commit messages fetch-depth: 0 # fetch all history so that we can validate the commit messages
- uses: matttrach/nix-installer-action@main - name: install-nix
run: |
curl -L https://nixos.org/nix/install | sh
source /home/runner/.nix-profile/etc/profile.d/nix.sh
nix --version
which nix
- name: Check commit message - name: Check commit message
shell: nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0} shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
run: | run: |
set -e set -e
# Check commit messages # Check commit messages
@ -132,13 +152,59 @@ jobs:
name: 'Scan for Secrets' name: 'Scan for Secrets'
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
fetch-depth: 0 fetch-depth: 0
- uses: matttrach/nix-installer-action@main - name: install-nix
- name: Check for secrets run: |
shell: nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0} curl -L https://nixos.org/nix/install | sh
run: | source /home/runner/.nix-profile/etc/profile.d/nix.sh
gitleaks detect --no-banner -v --no-git nix --version
gitleaks detect --no-banner -v which nix
continue-on-error: true - name: Check for secrets
shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
run: |
gitleaks detect --no-banner -v --no-git
gitleaks detect --no-banner -v
continue-on-error: true
check-certificate-authorities:
name: 'Verify Lets Encrypt CA Functionality'
runs-on: ubuntu-latest
steps:
- name: Install Let's Encrypt Root Certificate
run: |
# https://letsencrypt.org/certificates/
sudo apt-get update -y
sudo apt-get install -y ca-certificates wget openssl libssl-dev
wget https://letsencrypt.org/certs/isrgrootx1.pem
sudo cp isrgrootx1.pem /usr/local/share/ca-certificates/
wget https://letsencrypt.org/certs/isrg-root-x2.pem
sudo cp isrg-root-x2.pem /usr/local/share/ca-certificates/
wget https://letsencrypt.org/certs/2024/r11.pem
sudo cp r11.pem /usr/local/share/ca-certificates/
wget https://letsencrypt.org/certs/2024/r10.pem
sudo cp r10.pem /usr/local/share/ca-certificates/
wget https://letsencrypt.org/certs/2024/e5.pem
sudo cp e5.pem /usr/local/share/ca-certificates/
wget https://letsencrypt.org/certs/2024/e6.pem
sudo cp e6.pem /usr/local/share/ca-certificates/
sudo update-ca-certificates
- name: Verify Lets Encrypt CA Functionality
run: |
# Function to check if Let's Encrypt CA is effectively used by openssl
check_letsencrypt_ca() {
# Try to verify a known Let's Encrypt certificate (you can use any valid one)
if openssl s_client -showcerts -connect letsencrypt.org:443 < /dev/null | openssl x509 -noout -issuer | grep -q "Let's Encrypt"; then
return 0 # Success
else
return 1 # Failure
fi
}
if check_letsencrypt_ca; then
echo "Let's Encrypt CA is functioning correctly."
else
echo "Error: Let's Encrypt CA is not being used for verification."
exit 1
fi