Skip to content

Add missing ARM Template permissions (read ServicePrincipal) (#2849) #1786

Add missing ARM Template permissions (read ServicePrincipal) (#2849)

Add missing ARM Template permissions (read ServicePrincipal) (#2849) #1786

Workflow file for this run

name: Tests
on:
# Temporary disabled, will be solved by https://github.com/elastic/security-team/issues/9129
# pull_request_target:
# branches:
# - main
# - "[0-9]+.[0-9]+"
# types: [opened, synchronize, reopened]
push:
branches:
- main
- "[0-9]+.[0-9]+"
- "8.x"
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true
jobs:
check-asset-inventory-supported-version:
name: Check Asset Inventory supported version
runs-on: ubuntu-22.04
outputs:
asset_inventory_supported: ${{ steps.check-asset-inventory-supported-version.outputs.asset_inventory_supported }}
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: Check Asset Inventory supported version
id: check-asset-inventory-supported-version
env:
STACK_VERSION: ${{ env.ELK_VERSION }}
run: |
MIN_VERSION="8.16.0"
if [[ "$(echo -e "$MIN_VERSION\n$STACK_VERSION" | sort -V | head -n 1)" == "$MIN_VERSION" ]]; then
echo "Stack version meets the requirement: $STACK_VERSION >= $MIN_VERSION."
echo "asset_inventory_supported=true" >> $GITHUB_ENV
else
echo "Stack version is below the requirement: $STACK_VERSION < $MIN_VERSION."
echo "asset_inventory_supported=false" >> $GITHUB_ENV
fi
init-hermit:
name: Init Hermit Tools
runs-on: ubuntu-22.04
timeout-minutes: 60
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: Hermit Environment
uses: ./.github/actions/hermit
with:
init-tools: 'true'
ci-azure:
needs: [ init-hermit ]
name: CIS Azure CI
runs-on: ubuntu-22.04
timeout-minutes: 60
permissions:
contents: "read"
id-token: "write"
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: Hermit Environment
uses: ./.github/actions/hermit
- name: Run Azure integration tests
uses: ./.github/actions/azure-ci
with:
elk-version: ${{ env.ELK_VERSION }}
azure-client-id: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientId }}
azure-tenant-id: ${{ fromJSON(secrets.AZURE_CREDENTIALS).tenantId }}
azure-client-secret: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientSecret }}
ci-azure-asset-inventory:
needs: [ init-hermit, check-asset-inventory-supported-version ]
name: Azure Asset Inventory CI
runs-on: ubuntu-22.04
if: needs.check-asset-inventory-supported-version.outputs.asset_inventory_supported == 'true'
timeout-minutes: 60
permissions:
contents: "read"
id-token: "write"
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: Hermit Environment
uses: ./.github/actions/hermit
- name: Run Azure integration tests
uses: ./.github/actions/azure-asset-inventory-ci
with:
elk-version: ${{ env.ELK_VERSION }}
azure-client-id: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientId }}
azure-tenant-id: ${{ fromJSON(secrets.AZURE_CREDENTIALS).tenantId }}
azure-client-secret: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientSecret }}
ci-aws:
needs: [ init-hermit ]
name: CIS AWS CI
runs-on: ubuntu-22.04
timeout-minutes: 60
permissions:
contents: "read"
id-token: "write"
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: Hermit Environment
uses: ./.github/actions/hermit
- name: Run AWS integration tests
uses: ./.github/actions/aws-ci
with:
elk-version: ${{ env.ELK_VERSION }}
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_TEST_ACC }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_TEST_ACC }}
aws-account-type: single-account
ci-aws-asset-inventory:
needs: [ init-hermit, check-asset-inventory-supported-version ]
name: AWS Asset Inventory CI
runs-on: ubuntu-22.04
if: needs.check-asset-inventory-supported-version.outputs.asset_inventory_supported == 'true'
timeout-minutes: 60
permissions:
contents: "read"
id-token: "write"
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: Hermit Environment
uses: ./.github/actions/hermit
- name: Run AWS Asset Inventory integration tests
uses: ./.github/actions/aws-asset-inventory-ci
with:
elk-version: ${{ env.ELK_VERSION }}
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_TEST_ACC }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_TEST_ACC }}
ci-gcp:
needs: [ init-hermit ]
name: CIS GCP CI
runs-on: ubuntu-22.04
timeout-minutes: 60
permissions:
contents: 'read'
id-token: 'write'
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: Hermit Environment
uses: ./.github/actions/hermit
- name: Run GCP integration tests
uses: ./.github/actions/gcp-ci
with:
elk-version: ${{ env.ELK_VERSION }}
workload-identity-provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
service-account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
gcp-project-id: 'elastic-security-test'
gcp-account-type: 'single-account'
ci-gcp-asset-inventory:
needs: [ init-hermit, check-asset-inventory-supported-version ]
name: GCP Asset Inventory CI
runs-on: ubuntu-22.04
if: needs.check-asset-inventory-supported-version.outputs.asset_inventory_supported == 'true'
timeout-minutes: 60
permissions:
contents: "read"
id-token: "write"
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: Hermit Environment
uses: ./.github/actions/hermit
- name: Run GCP Asset Inventory integration tests
uses: ./.github/actions/gcp-asset-inventory-ci
with:
elk-version: ${{ env.ELK_VERSION }}
credentials-json: ${{ secrets.GCP_ASSETS_INVENTORY_CREDENTIALS_JSON }}
project-id: "elastic-security-test"
ci-cnvm:
needs: [ init-hermit ]
name: CNVM CI
runs-on: ubuntu-22.04
timeout-minutes: 30
steps:
- name: Free Disk Space (Ubuntu)
uses: jlumbroso/free-disk-space@main
with:
tool-cache: false
android: true
dotnet: true
haskell: true
large-packages: false
docker-images: true
swap-storage: true
- name: Check out the repo
uses: actions/checkout@v4
- name: Hermit Environment
uses: ./.github/actions/hermit
- name: Run CNVM integration tests
uses: ./.github/actions/cnvm-ci
with:
elk-version: ${{ env.ELK_VERSION }}
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: 'us-east-2'
docker-images:
needs: [ init-hermit ]
name: Build docker images
# Since we build the cloudbeat in the worker's OS and as non static,
# we need to keep the OS version same as elastic-agent docker image base.
# docker run --interactive --tty --rm --entrypoint bash docker.elastic.co/elastic-agent/elastic-agent-complete:8.14.0-SNAPSHOT -c 'cat /etc/os-release'
runs-on: ubuntu-20.04
timeout-minutes: 40
steps:
- name: Free Disk Space (Ubuntu)
uses: jlumbroso/free-disk-space@main
with:
tool-cache: false
android: true
dotnet: true
haskell: true
large-packages: false
docker-images: true
swap-storage: true
- name: Check out the repo
uses: actions/checkout@v4
- name: Hermit Environment
uses: ./.github/actions/hermit
- name: Build docker images
uses: ./.github/actions/docker-images
with:
build-docker-images: 'true'
ci-k8s:
needs: [ init-hermit, docker-images ]
name: ${{ matrix.test-target }}-${{ matrix.kind-config }}
runs-on: ubuntu-22.04
timeout-minutes: 120
strategy:
fail-fast: false
matrix:
include:
- test-target: pre_merge
kind-config: kind-multi
values-file: tests/test_environments/values/ci.yml
- test-target: pre_merge_agent
kind-config: kind-multi
values-file: tests/test_environments/values/ci-sa-agent.yml
- test-target: k8s_file_system_rules
kind-config: kind-test-files
values-file: tests/test_environments/values/ci-test-k8s-files.yml
# - test-target: k8s_object_psp_rules
# kind-config: kind-multi
# values-file: tests/test_environments/values/ci-test-k8s-objects.yml
- test-target: k8s_process_rules
kind-config: kind-test-proc-conf1
values-file: tests/test_environments/values/ci-test-k8s-proc-conf1.yml
- test-target: k8s_process_rules
kind-config: kind-test-proc-conf2
values-file: tests/test_environments/values/ci-test-k8s-proc-conf2.yml
steps:
- name: Free Disk Space (Ubuntu)
uses: jlumbroso/free-disk-space@main
with:
tool-cache: false
android: true
dotnet: true
haskell: true
large-packages: false
docker-images: true
swap-storage: true
- name: Check out the repo
uses: actions/checkout@v4
- name: Hermit Environment
uses: ./.github/actions/hermit
- name: Get docker images
uses: ./.github/actions/docker-images
with:
build-docker-images: 'false'
docker-images-folder: '/tmp/.docker-images'
- name: Run k8s integration tests
uses: ./.github/actions/k8s-ci
with:
kind-config: ${{ matrix.kind-config }}
test-target: ${{ matrix.test-target }}
values-file: ${{ matrix.values-file }}
docker-images-folder: '/tmp/.docker-images'
upload-allure-results:
needs:
- ci-azure
- ci-azure-asset-inventory
- ci-aws
- ci-aws-asset-inventory
- ci-gcp
- ci-gcp-asset-inventory
- ci-cnvm
- ci-k8s
name: Upload integration tests results
runs-on: ubuntu-22.04
timeout-minutes: 60
permissions:
pull-requests: write
if: ${{ always() }}
env:
AWS_REGION: "eu-west-1"
ALLURE_S3_BUCKET: "s3://csp-allure-reports/allure_reports/cloudbeat/ci"
S3_BUCKET_ALLURE_REPORT_AP: "http://csp-allure-reports.s3.amazonaws.com/allure_reports/cloudbeat/ci"
steps:
- name: Check out the repo
uses: actions/checkout@v4
- uses: actions/download-artifact@v4
if: ${{ always() }}
with:
pattern: allure-results-ci-*
path: tests/allure/results/
merge-multiple: true
- name: log
if: ${{ always() }}
shell: bash
run: |
ls -lahR tests/allure/results/ || true
- name: Publish allure report
if: ${{ always() }}
uses: andrcuns/[email protected]
env:
GITHUB_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
AWS_REGION: ${{ env.AWS_REGION }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
with:
storageType: s3
resultsGlob: "tests/allure/results"
updatePr: actions
collapseSummary: false
summary: suites
summaryTableType: markdown
copyLatest: true
bucket: csp-allure-reports
prefix: allure_reports/cloudbeat/ci/${{ github.event.number }}
ignoreMissingResults: true
debug: false
- name: Allure Summary
if: ${{ success() && github.event_name != 'push' }}
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
curl --fail --show-error --location '${{ env.S3_BUCKET_ALLURE_REPORT_AP }}/${{ github.event.number }}/history/history-trend.json' --output ./history-trend.json
allure_result=./history-trend.json
allure_url=${{ env.S3_BUCKET_ALLURE_REPORT_AP }}/${{ github.event.number }}/index.html
./.ci/scripts/allure-report-summary.sh "$allure_result" "$allure_url"
allure_summary=$(./.ci/scripts/allure-report-summary.sh "$allure_result" "$allure_url")
# saving result into env variable (with multiline handling)
echo "ALLURE_SUMMARY<<EOF" >> $GITHUB_ENV
echo "$allure_summary" >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV
- name: Comment test success result
uses: marocchino/sticky-pull-request-comment@v2
if: ${{ success() && github.event_name != 'push' }}
with:
header: CI Test Results
number: ${{ github.event.number }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
message: |
${{ env.ALLURE_SUMMARY }}
- if: ${{ success() }}
name: Cleanup docker image artifacts
uses: geekyeggo/delete-artifact@v5
with:
name: docker-images
failOnError: false