rancher
/
terraform-aws-access
mirror of https://github.com/rancher/terraform-aws-access.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix: update to comply with new restrictions (#128) 

Signed-off-by: matttrach <matt.trachier@suse.com>
This commit is contained in:
Matt Trachier 2025-03-06 12:07:15 -06:00 committed by GitHub
parent 0f3c59090e
commit 043e58746a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 161 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

96
.github/workflows/release.yaml vendored
View File

@ -6,9 +6,10 @@ on:
- main
env:
AWS_REGION: us-west-1
AWS_REGION: us-west-2
AWS_ROLE: arn:aws:iam::270074865685:role/terraform-module-ci-test
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
ACME_SERVER_URL: https://acme-v02.api.letsencrypt.org/directory
permissions: write-all
@ -16,47 +17,102 @@ jobs:
release:
runs-on: ubuntu-latest
steps:
- uses: google-github-actions/release-please-action@v4
- uses: googleapis/release-please-action@v4
id: release-please
with:
release-type: terraform-module
- uses: peter-evans/create-or-update-comment@v4
name: 'Remind to wait'
- name: Install Let's Encrypt Roots and Intermediate Certificates
if: steps.release-please.outputs.pr
run: |
# https://letsencrypt.org/certificates/
sudo apt-get update -y
sudo apt-get install -y ca-certificates wget openssl libssl-dev
wget https://letsencrypt.org/certs/isrgrootx1.pem # rsa
sudo cp isrgrootx1.pem /usr/local/share/ca-certificates/
wget https://letsencrypt.org/certs/isrg-root-x2.pem # ecdsa
sudo cp isrg-root-x2.pem /usr/local/share/ca-certificates/
wget https://letsencrypt.org/certs/2024/r11.pem
sudo cp r11.pem /usr/local/share/ca-certificates/
wget https://letsencrypt.org/certs/2024/r10.pem
sudo cp r10.pem /usr/local/share/ca-certificates/
wget https://letsencrypt.org/certs/2024/e5.pem
sudo cp e5.pem /usr/local/share/ca-certificates/
wget https://letsencrypt.org/certs/2024/e6.pem
sudo cp e6.pem /usr/local/share/ca-certificates/
sudo update-ca-certificates
- name: Verify Lets Encrypt CA Functionality
if: steps.release-please.outputs.pr
run: |
# Function to check if Let's Encrypt CA is effectively used by openssl
check_letsencrypt_ca() {
# Try to verify a known Let's Encrypt certificate (you can use any valid one)
if openssl s_client -showcerts -connect letsencrypt.org:443 < /dev/null | openssl x509 -noout -issuer | grep -q "Let's Encrypt"; then
return 0 # Success
else
return 1 # Failure
fi
}
if check_letsencrypt_ca; then
echo "Let's Encrypt CA is functioning correctly."
else
echo "Error: Let's Encrypt CA is not being used for verification."
exit 1
fi
- uses: actions/github-script@v7
if: steps.release-please.outputs.pr
with:
issue-number: ${{ fromJson(steps.release-please.outputs.pr).number }}
body: |
Please make sure e2e tests pass before merging this PR!
${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
github-token: ${{secrets.GITHUB_TOKEN}}
script: |
github.rest.issues.createComment({
issue_number: ${{ fromJson(steps.release-please.outputs.pr).number }},
owner: "${{ github.repository_owner }}",
repo: "${{ github.event.repository.name }}",
body: "Please make sure e2e tests pass before merging this PR! \n ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
})
- uses: actions/checkout@v4
if: steps.release-please.outputs.pr
with:
token: ${{secrets.GITHUB_TOKEN}}
fetch-depth: 0
- uses: aws-actions/configure-aws-credentials@v4
- id: aws-creds
uses: aws-actions/configure-aws-credentials@v4
if: steps.release-please.outputs.pr
with:
role-to-assume: ${{env.AWS_ROLE}}
role-session-name: ${{github.job}}-${{github.run_id}}-${{github.run_number}}-${{github.run_attempt}}
role-session-name: ${{github.run_id}}
aws-region: ${{env.AWS_REGION}}
- uses: matttrach/nix-installer-action@main
role-duration-seconds: 7200 # 2 hours
output-credentials: true
- name: install-nix
if: steps.release-please.outputs.pr
run: |
curl -L https://nixos.org/nix/install | sh
source /home/runner/.nix-profile/etc/profile.d/nix.sh
nix --version
which nix
- name: Run Tests
if: steps.release-please.outputs.pr
shell: 'nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep ZONE --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}'
shell: '/home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep IDENTIFIER --keep GITHUB_TOKEN --keep GITHUB_OWNER --keep ZONE --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}'
env:
AWS_ACCESS_KEY_ID: ${{ steps.aws-creds.outputs.aws-access-key-id }}
AWS_SECRET_ACCESS_KEY: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
AWS_SESSION_TOKEN: ${{ steps.aws-creds.outputs.aws-session-token }}
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
GITHUB_OWNER: rancher
IDENTIFIER: ${{github.job}}-${{github.run_id}}-${{github.run_number}}-${{github.run_attempt}}
IDENTIFIER: ${{github.run_id}}
ZONE: ${{secrets.ZONE}}
ACME_SERVER_URL: https://acme-v02.api.letsencrypt.org/directory
RANCHER_INSECURE: false
run: |
go version
./run_tests.sh
- uses: peter-evans/create-or-update-comment@v4
name: 'Report Success'
- uses: actions/github-script@v7
if: steps.release-please.outputs.pr
with:
issue-number: ${{ fromJson(steps.release-please.outputs.pr).number }}
body: |
End to End Tests Passed!
${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
github-token: ${{secrets.GITHUB_TOKEN}}
script: |
github.rest.issues.createComment({
issue_number: ${{ fromJson(steps.release-please.outputs.pr).number }},
owner: "${{ github.repository_owner }}",
repo: "${{ github.event.repository.name }}",
body: "End to End Tests Passed! \n ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
})

88
.github/workflows/validate.yaml vendored
View File

@ -2,7 +2,7 @@ name: validate
on:
pull_request:
branches: main
branches: [main]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@ -17,9 +17,14 @@ jobs:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: matttrach/nix-installer-action@main
- name: install-nix
run: |
curl -L https://nixos.org/nix/install | sh
source /home/runner/.nix-profile/etc/profile.d/nix.sh
nix --version
which nix
- name: lint terraform
shell: nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
run: |
terraform fmt -check -recursive
tflint --recursive
@ -31,9 +36,14 @@ jobs:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: matttrach/nix-installer-action@main
- name: install-nix
run: |
curl -L https://nixos.org/nix/install | sh
source /home/runner/.nix-profile/etc/profile.d/nix.sh
nix --version
which nix
- name: action lint
shell: nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
run: actionlint
shellcheck:
@ -42,9 +52,14 @@ jobs:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: matttrach/nix-installer-action@main
- name: install-nix
run: |
curl -L https://nixos.org/nix/install | sh
source /home/runner/.nix-profile/etc/profile.d/nix.sh
nix --version
which nix
- name: shell check
shell: nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
run: |
while read -r file; do
echo "checking $file..."
@ -57,9 +72,14 @@ jobs:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # fetch all history so that we can validate the commit messages
- uses: matttrach/nix-installer-action@main
- name: install-nix
run: |
curl -L https://nixos.org/nix/install | sh
source /home/runner/.nix-profile/etc/profile.d/nix.sh
nix --version
which nix
- name: Check commit message
shell: nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
run: |
set -e
# Check commit messages
@ -135,10 +155,56 @@ jobs:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: matttrach/nix-installer-action@main
- name: install-nix
run: |
curl -L https://nixos.org/nix/install | sh
source /home/runner/.nix-profile/etc/profile.d/nix.sh
nix --version
which nix
- name: Check for secrets
shell: nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
run: |
gitleaks detect --no-banner -v --no-git
gitleaks detect --no-banner -v
continue-on-error: true
check-certificate-authorities:
name: 'Verify Lets Encrypt CA Functionality'
runs-on: ubuntu-latest
steps:
- name: Install Let's Encrypt Root Certificate
run: |
# https://letsencrypt.org/certificates/
sudo apt-get update -y
sudo apt-get install -y ca-certificates wget openssl libssl-dev
wget https://letsencrypt.org/certs/isrgrootx1.pem
sudo cp isrgrootx1.pem /usr/local/share/ca-certificates/
wget https://letsencrypt.org/certs/isrg-root-x2.pem
sudo cp isrg-root-x2.pem /usr/local/share/ca-certificates/
wget https://letsencrypt.org/certs/2024/r11.pem
sudo cp r11.pem /usr/local/share/ca-certificates/
wget https://letsencrypt.org/certs/2024/r10.pem
sudo cp r10.pem /usr/local/share/ca-certificates/
wget https://letsencrypt.org/certs/2024/e5.pem
sudo cp e5.pem /usr/local/share/ca-certificates/
wget https://letsencrypt.org/certs/2024/e6.pem
sudo cp e6.pem /usr/local/share/ca-certificates/
sudo update-ca-certificates
- name: Verify Lets Encrypt CA Functionality
run: |
# Function to check if Let's Encrypt CA is effectively used by openssl
check_letsencrypt_ca() {
# Try to verify a known Let's Encrypt certificate (you can use any valid one)
if openssl s_client -showcerts -connect letsencrypt.org:443 < /dev/null | openssl x509 -noout -issuer | grep -q "Let's Encrypt"; then
return 0 # Success
else
return 1 # Failure
fi
}
if check_letsencrypt_ca; then
echo "Let's Encrypt CA is functioning correctly."
else
echo "Error: Let's Encrypt CA is not being used for verification."
exit 1
fi