Add missing ARM Template permissions (read ServicePrincipal) (#2849) #1786
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Tests | |
on: | |
# Temporary disabled, will be solved by https://github.com/elastic/security-team/issues/9129 | |
# pull_request_target: | |
# branches: | |
# - main | |
# - "[0-9]+.[0-9]+" | |
# types: [opened, synchronize, reopened] | |
push: | |
branches: | |
- main | |
- "[0-9]+.[0-9]+" | |
- "8.x" | |
workflow_dispatch: | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
cancel-in-progress: true | |
jobs: | |
check-asset-inventory-supported-version: | |
name: Check Asset Inventory supported version | |
runs-on: ubuntu-22.04 | |
outputs: | |
asset_inventory_supported: ${{ steps.check-asset-inventory-supported-version.outputs.asset_inventory_supported }} | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: Check Asset Inventory supported version | |
id: check-asset-inventory-supported-version | |
env: | |
STACK_VERSION: ${{ env.ELK_VERSION }} | |
run: | | |
MIN_VERSION="8.16.0" | |
if [[ "$(echo -e "$MIN_VERSION\n$STACK_VERSION" | sort -V | head -n 1)" == "$MIN_VERSION" ]]; then | |
echo "Stack version meets the requirement: $STACK_VERSION >= $MIN_VERSION." | |
echo "asset_inventory_supported=true" >> $GITHUB_ENV | |
else | |
echo "Stack version is below the requirement: $STACK_VERSION < $MIN_VERSION." | |
echo "asset_inventory_supported=false" >> $GITHUB_ENV | |
fi | |
init-hermit: | |
name: Init Hermit Tools | |
runs-on: ubuntu-22.04 | |
timeout-minutes: 60 | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: Hermit Environment | |
uses: ./.github/actions/hermit | |
with: | |
init-tools: 'true' | |
ci-azure: | |
needs: [ init-hermit ] | |
name: CIS Azure CI | |
runs-on: ubuntu-22.04 | |
timeout-minutes: 60 | |
permissions: | |
contents: "read" | |
id-token: "write" | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: Hermit Environment | |
uses: ./.github/actions/hermit | |
- name: Run Azure integration tests | |
uses: ./.github/actions/azure-ci | |
with: | |
elk-version: ${{ env.ELK_VERSION }} | |
azure-client-id: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientId }} | |
azure-tenant-id: ${{ fromJSON(secrets.AZURE_CREDENTIALS).tenantId }} | |
azure-client-secret: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientSecret }} | |
ci-azure-asset-inventory: | |
needs: [ init-hermit, check-asset-inventory-supported-version ] | |
name: Azure Asset Inventory CI | |
runs-on: ubuntu-22.04 | |
if: needs.check-asset-inventory-supported-version.outputs.asset_inventory_supported == 'true' | |
timeout-minutes: 60 | |
permissions: | |
contents: "read" | |
id-token: "write" | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: Hermit Environment | |
uses: ./.github/actions/hermit | |
- name: Run Azure integration tests | |
uses: ./.github/actions/azure-asset-inventory-ci | |
with: | |
elk-version: ${{ env.ELK_VERSION }} | |
azure-client-id: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientId }} | |
azure-tenant-id: ${{ fromJSON(secrets.AZURE_CREDENTIALS).tenantId }} | |
azure-client-secret: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientSecret }} | |
ci-aws: | |
needs: [ init-hermit ] | |
name: CIS AWS CI | |
runs-on: ubuntu-22.04 | |
timeout-minutes: 60 | |
permissions: | |
contents: "read" | |
id-token: "write" | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: Hermit Environment | |
uses: ./.github/actions/hermit | |
- name: Run AWS integration tests | |
uses: ./.github/actions/aws-ci | |
with: | |
elk-version: ${{ env.ELK_VERSION }} | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_TEST_ACC }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_TEST_ACC }} | |
aws-account-type: single-account | |
ci-aws-asset-inventory: | |
needs: [ init-hermit, check-asset-inventory-supported-version ] | |
name: AWS Asset Inventory CI | |
runs-on: ubuntu-22.04 | |
if: needs.check-asset-inventory-supported-version.outputs.asset_inventory_supported == 'true' | |
timeout-minutes: 60 | |
permissions: | |
contents: "read" | |
id-token: "write" | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: Hermit Environment | |
uses: ./.github/actions/hermit | |
- name: Run AWS Asset Inventory integration tests | |
uses: ./.github/actions/aws-asset-inventory-ci | |
with: | |
elk-version: ${{ env.ELK_VERSION }} | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_TEST_ACC }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_TEST_ACC }} | |
ci-gcp: | |
needs: [ init-hermit ] | |
name: CIS GCP CI | |
runs-on: ubuntu-22.04 | |
timeout-minutes: 60 | |
permissions: | |
contents: 'read' | |
id-token: 'write' | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: Hermit Environment | |
uses: ./.github/actions/hermit | |
- name: Run GCP integration tests | |
uses: ./.github/actions/gcp-ci | |
with: | |
elk-version: ${{ env.ELK_VERSION }} | |
workload-identity-provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }} | |
service-account: ${{ secrets.GCP_SERVICE_ACCOUNT }} | |
gcp-project-id: 'elastic-security-test' | |
gcp-account-type: 'single-account' | |
ci-gcp-asset-inventory: | |
needs: [ init-hermit, check-asset-inventory-supported-version ] | |
name: GCP Asset Inventory CI | |
runs-on: ubuntu-22.04 | |
if: needs.check-asset-inventory-supported-version.outputs.asset_inventory_supported == 'true' | |
timeout-minutes: 60 | |
permissions: | |
contents: "read" | |
id-token: "write" | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: Hermit Environment | |
uses: ./.github/actions/hermit | |
- name: Run GCP Asset Inventory integration tests | |
uses: ./.github/actions/gcp-asset-inventory-ci | |
with: | |
elk-version: ${{ env.ELK_VERSION }} | |
credentials-json: ${{ secrets.GCP_ASSETS_INVENTORY_CREDENTIALS_JSON }} | |
project-id: "elastic-security-test" | |
ci-cnvm: | |
needs: [ init-hermit ] | |
name: CNVM CI | |
runs-on: ubuntu-22.04 | |
timeout-minutes: 30 | |
steps: | |
- name: Free Disk Space (Ubuntu) | |
uses: jlumbroso/free-disk-space@main | |
with: | |
tool-cache: false | |
android: true | |
dotnet: true | |
haskell: true | |
large-packages: false | |
docker-images: true | |
swap-storage: true | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: Hermit Environment | |
uses: ./.github/actions/hermit | |
- name: Run CNVM integration tests | |
uses: ./.github/actions/cnvm-ci | |
with: | |
elk-version: ${{ env.ELK_VERSION }} | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws-region: 'us-east-2' | |
docker-images: | |
needs: [ init-hermit ] | |
name: Build docker images | |
# Since we build the cloudbeat in the worker's OS and as non static, | |
# we need to keep the OS version same as elastic-agent docker image base. | |
# docker run --interactive --tty --rm --entrypoint bash docker.elastic.co/elastic-agent/elastic-agent-complete:8.14.0-SNAPSHOT -c 'cat /etc/os-release' | |
runs-on: ubuntu-20.04 | |
timeout-minutes: 40 | |
steps: | |
- name: Free Disk Space (Ubuntu) | |
uses: jlumbroso/free-disk-space@main | |
with: | |
tool-cache: false | |
android: true | |
dotnet: true | |
haskell: true | |
large-packages: false | |
docker-images: true | |
swap-storage: true | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: Hermit Environment | |
uses: ./.github/actions/hermit | |
- name: Build docker images | |
uses: ./.github/actions/docker-images | |
with: | |
build-docker-images: 'true' | |
ci-k8s: | |
needs: [ init-hermit, docker-images ] | |
name: ${{ matrix.test-target }}-${{ matrix.kind-config }} | |
runs-on: ubuntu-22.04 | |
timeout-minutes: 120 | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- test-target: pre_merge | |
kind-config: kind-multi | |
values-file: tests/test_environments/values/ci.yml | |
- test-target: pre_merge_agent | |
kind-config: kind-multi | |
values-file: tests/test_environments/values/ci-sa-agent.yml | |
- test-target: k8s_file_system_rules | |
kind-config: kind-test-files | |
values-file: tests/test_environments/values/ci-test-k8s-files.yml | |
# - test-target: k8s_object_psp_rules | |
# kind-config: kind-multi | |
# values-file: tests/test_environments/values/ci-test-k8s-objects.yml | |
- test-target: k8s_process_rules | |
kind-config: kind-test-proc-conf1 | |
values-file: tests/test_environments/values/ci-test-k8s-proc-conf1.yml | |
- test-target: k8s_process_rules | |
kind-config: kind-test-proc-conf2 | |
values-file: tests/test_environments/values/ci-test-k8s-proc-conf2.yml | |
steps: | |
- name: Free Disk Space (Ubuntu) | |
uses: jlumbroso/free-disk-space@main | |
with: | |
tool-cache: false | |
android: true | |
dotnet: true | |
haskell: true | |
large-packages: false | |
docker-images: true | |
swap-storage: true | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: Hermit Environment | |
uses: ./.github/actions/hermit | |
- name: Get docker images | |
uses: ./.github/actions/docker-images | |
with: | |
build-docker-images: 'false' | |
docker-images-folder: '/tmp/.docker-images' | |
- name: Run k8s integration tests | |
uses: ./.github/actions/k8s-ci | |
with: | |
kind-config: ${{ matrix.kind-config }} | |
test-target: ${{ matrix.test-target }} | |
values-file: ${{ matrix.values-file }} | |
docker-images-folder: '/tmp/.docker-images' | |
upload-allure-results: | |
needs: | |
- ci-azure | |
- ci-azure-asset-inventory | |
- ci-aws | |
- ci-aws-asset-inventory | |
- ci-gcp | |
- ci-gcp-asset-inventory | |
- ci-cnvm | |
- ci-k8s | |
name: Upload integration tests results | |
runs-on: ubuntu-22.04 | |
timeout-minutes: 60 | |
permissions: | |
pull-requests: write | |
if: ${{ always() }} | |
env: | |
AWS_REGION: "eu-west-1" | |
ALLURE_S3_BUCKET: "s3://csp-allure-reports/allure_reports/cloudbeat/ci" | |
S3_BUCKET_ALLURE_REPORT_AP: "http://csp-allure-reports.s3.amazonaws.com/allure_reports/cloudbeat/ci" | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- uses: actions/download-artifact@v4 | |
if: ${{ always() }} | |
with: | |
pattern: allure-results-ci-* | |
path: tests/allure/results/ | |
merge-multiple: true | |
- name: log | |
if: ${{ always() }} | |
shell: bash | |
run: | | |
ls -lahR tests/allure/results/ || true | |
- name: Publish allure report | |
if: ${{ always() }} | |
uses: andrcuns/[email protected] | |
env: | |
GITHUB_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
AWS_REGION: ${{ env.AWS_REGION }} | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
with: | |
storageType: s3 | |
resultsGlob: "tests/allure/results" | |
updatePr: actions | |
collapseSummary: false | |
summary: suites | |
summaryTableType: markdown | |
copyLatest: true | |
bucket: csp-allure-reports | |
prefix: allure_reports/cloudbeat/ci/${{ github.event.number }} | |
ignoreMissingResults: true | |
debug: false | |
- name: Allure Summary | |
if: ${{ success() && github.event_name != 'push' }} | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
curl --fail --show-error --location '${{ env.S3_BUCKET_ALLURE_REPORT_AP }}/${{ github.event.number }}/history/history-trend.json' --output ./history-trend.json | |
allure_result=./history-trend.json | |
allure_url=${{ env.S3_BUCKET_ALLURE_REPORT_AP }}/${{ github.event.number }}/index.html | |
./.ci/scripts/allure-report-summary.sh "$allure_result" "$allure_url" | |
allure_summary=$(./.ci/scripts/allure-report-summary.sh "$allure_result" "$allure_url") | |
# saving result into env variable (with multiline handling) | |
echo "ALLURE_SUMMARY<<EOF" >> $GITHUB_ENV | |
echo "$allure_summary" >> $GITHUB_ENV | |
echo "EOF" >> $GITHUB_ENV | |
- name: Comment test success result | |
uses: marocchino/sticky-pull-request-comment@v2 | |
if: ${{ success() && github.event_name != 'push' }} | |
with: | |
header: CI Test Results | |
number: ${{ github.event.number }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
message: | | |
${{ env.ALLURE_SUMMARY }} | |
- if: ${{ success() }} | |
name: Cleanup docker image artifacts | |
uses: geekyeggo/delete-artifact@v5 | |
with: | |
name: docker-images | |
failOnError: false |