-
Notifications
You must be signed in to change notification settings - Fork 20
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #782 from spack/tf-drift-ci
Terraform drift detection cron job
- Loading branch information
Showing
9 changed files
with
213 additions
and
97 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,67 @@ | ||
name: Detect infrastructure drift | ||
on: | ||
schedule: | ||
- cron: '0 * * * *' # run once an hour | ||
|
||
permissions: | ||
id-token: write | ||
contents: read | ||
|
||
jobs: | ||
detect-drift: | ||
runs-on: ubuntu-latest | ||
defaults: | ||
run: | ||
working-directory: terraform/production | ||
steps: | ||
- name: Checkout Repository | ||
uses: actions/checkout@v4 | ||
|
||
- name: Configure AWS credentials | ||
uses: aws-actions/configure-aws-credentials@v4 | ||
with: | ||
role-to-assume: arn:aws:iam::588562868276:role/GitHubActionsReadonlyRole-prod | ||
aws-region: us-east-1 | ||
|
||
- name: Install Terraform | ||
uses: hashicorp/setup-terraform@v3 | ||
with: | ||
terraform_version: "~1.5.2" | ||
terraform_wrapper: false | ||
|
||
- name: Initialize Terraform | ||
run: terraform init | ||
|
||
- name: Run Terraform Plan | ||
run: terraform plan -lock=false -detailed-exitcode -no-color -input=false -out=tfplan > tfplan_output.txt 2>&1 | ||
env: | ||
TF_VAR_eks_cluster_role: "arn:aws:iam::588562868276:role/GitHubActionsReadonlyRole-prod" | ||
|
||
- name: Send Slack alert on drift | ||
if: failure() | ||
run: | | ||
# Post message | ||
curl -X POST \ | ||
-H "Content-type: application/json" \ | ||
-H "Authorization: Bearer ${{ secrets.SLACK_BOT_TOKEN }}" \ | ||
-d '{ | ||
"channel": "spack-alerts", | ||
"text": ":rotating_light: :rotating_light: :rotating_light: Infrastructure drift detected! :rotating_light: :rotating_light: :rotating_light:" | ||
}' \ | ||
https://slack.com/api/chat.postMessage | ||
# Upload TF plan stdout | ||
curl -F file=@tfplan_output.txt \ | ||
-F channels=spack-alerts \ | ||
-F title="tfplan_output.txt" \ | ||
-F filetype="text" \ | ||
-H "Authorization: Bearer ${{ secrets.SLACK_BOT_TOKEN }}" \ | ||
https://slack.com/api/files.upload | ||
# Upload TF plan binary file | ||
curl -F file=@tfplan \ | ||
-F channels=spack-alerts \ | ||
-F title="tfplan" \ | ||
-F filetype="binary" \ | ||
-H "Authorization: Bearer ${{ secrets.SLACK_BOT_TOKEN }}" \ | ||
https://slack.com/api/files.upload |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,92 @@ | ||
locals { | ||
iam_role_name = "GitHubActionsReadonlyRole-${var.deployment_name}" | ||
} | ||
|
||
resource "aws_iam_role" "github_actions" { | ||
name = local.iam_role_name | ||
description = "Managed by Terraform. IAM Role that a GitHub Actions runner can assume to authenticate with AWS." | ||
|
||
assume_role_policy = jsonencode({ | ||
"Version" : "2012-10-17", | ||
"Statement" : [ | ||
{ | ||
"Effect" : "Allow", | ||
"Principal" : { | ||
"Federated" : var.github_actions_oidc_arn | ||
}, | ||
"Action" : "sts:AssumeRoleWithWebIdentity", | ||
"Condition" : { | ||
"StringLike" : { | ||
"token.actions.githubusercontent.com:sub" : "repo:spack/spack-infrastructure:ref:refs/heads/main", | ||
"token.actions.githubusercontent.com:aud" : "sts.amazonaws.com" | ||
} | ||
} | ||
}, | ||
{ | ||
"Action" : "sts:AssumeRole", | ||
"Principal" : { | ||
# Unfortunately, we need to do this until https://github.com/hashicorp/terraform-provider-aws/issues/27034 is resolved. | ||
# This trust statement allows the role to assume itself, which is necessary for the GitHub Actions session user to run terraform plan. | ||
"AWS" : "arn:aws:sts::${data.aws_caller_identity.current.account_id}:assumed-role/GitHubActionsReadonlyRole-${var.deployment_name}/GitHubActions" | ||
}, | ||
"Effect" : "Allow", | ||
}, | ||
] | ||
}) | ||
|
||
# The `ReadOnlyAccess` managed policy doesn't include secretsmanager, so we explicitly grant it here. | ||
inline_policy { | ||
name = "read-secrets" | ||
policy = jsonencode({ | ||
"Version" : "2012-10-17", | ||
"Statement" : [ | ||
{ | ||
"Effect" : "Allow", | ||
"Action" : [ | ||
"secretsmanager:GetSecretValue" | ||
], | ||
"Resource" : "*" | ||
} | ||
] | ||
}) | ||
} | ||
} | ||
|
||
# This policy grants the GitHub Actions role read-only access to most resources in the AWS account. | ||
# There are some exceptions, such as secretsmanager (see inline_policy above) | ||
resource "aws_iam_role_policy_attachment" "github_actions" { | ||
role = aws_iam_role.github_actions.name | ||
policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess" | ||
} | ||
|
||
# This ClusterRole and ClusterRoleBinding allow for read-only access to the | ||
# Kubernetes cluster. This allows the GitHub Actions role to run a `terraform plan`, | ||
# but crucially, not a `terraform apply` or other mutable actions. | ||
resource "kubectl_manifest" "github_actions_clusterrole" { | ||
yaml_body = <<YAML | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: github-actions-oidc | ||
rules: | ||
- apiGroups: ["*"] | ||
resources: ["*"] | ||
verbs: ["get", "list", "watch"] | ||
YAML | ||
} | ||
resource "kubectl_manifest" "github_actions_clusterrolebinding" { | ||
yaml_body = <<YAML | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: github-actions-oidc | ||
subjects: | ||
- kind: Group | ||
name: github-actions | ||
apiGroup: rbac.authorization.k8s.io | ||
roleRef: | ||
kind: ClusterRole | ||
name: ${kubectl_manifest.github_actions_clusterrole.name} | ||
apiGroup: rbac.authorization.k8s.io | ||
YAML | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
data "tls_certificate" "github_actions" { | ||
url = "https://token.actions.githubusercontent.com" | ||
} | ||
|
||
resource "aws_iam_openid_connect_provider" "github_actions" { | ||
url = "https://token.actions.githubusercontent.com" | ||
client_id_list = ["sts.amazonaws.com"] | ||
thumbprint_list = [data.tls_certificate.github_actions.certificates.0.sha1_fingerprint] | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
data "aws_iam_openid_connect_provider" "github_actions" { | ||
url = "https://token.actions.githubusercontent.com" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters