From 05b2d443f42c51094abe4f3fc9e3cbe6017847a6 Mon Sep 17 00:00:00 2001 From: John Collinson <13622412+johncollinson2001@users.noreply.github.com> Date: Tue, 8 Oct 2024 21:35:10 +0100 Subject: [PATCH 01/14] feat: Added semantic release to the CI pipeline. --- .github/pull_request_template.md | 1 + .github/workflows/ci-pipeline.yaml | 29 +++++++++++++-- .releaserc | 10 ++++++ docs/developer-guide.md | 47 +++++------------------- docs/pipelines.md | 57 ++++++++++++++++++++++++++++++ mkdocs.yml | 1 + 6 files changed, 104 insertions(+), 41 deletions(-) create mode 100644 .releaserc create mode 100644 docs/pipelines.md diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index e7e21db..9f88ff5 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -24,6 +24,7 @@ Please check or cross through each option: - [ ] I have added tests that prove my change works - [ ] I have updated the documentation - [ ] The CI build is passing for my PR +- [ ] If merging into main the PR will be squash merged with [a commit message that adheres to the semantic release format](https://github.com/semantic-release/semantic-release/tree/master?tab=readme-ov-file#commit-message-format) ## Additional Information diff --git a/.github/workflows/ci-pipeline.yaml b/.github/workflows/ci-pipeline.yaml index 829fcf8..b3423ee 100644 --- a/.github/workflows/ci-pipeline.yaml +++ b/.github/workflows/ci-pipeline.yaml @@ -19,7 +19,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Install Terraform uses: hashicorp/setup-terraform@v2 @@ -65,7 +65,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Install Terraform uses: hashicorp/setup-terraform@v2 @@ -107,3 +107,28 @@ jobs: - name: Run Trivy Scan run: trivy filesystem --security-checks vuln,config --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed . + + publish: + name: Publish Release + runs-on: ubuntu-latest + needs: [build-verification, static-code-analysis] + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Create Semantic Release + uses: cycjimmy/semantic-release-action@v4.1.0 + id: semantic-release + with: + dry_run: ${{github.event_name == 'pull_request'}} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Output Release Details + if: steps.semantic-release.outputs.new_release_published == 'true' + run: | + echo ${{ steps.semantic.outputs.new_release_version }} + echo ${{ steps.semantic.outputs.new_release_major_version }} + echo ${{ steps.semantic.outputs.new_release_minor_version }} + echo ${{ steps.semantic.outputs.new_release_patch_version }} \ No newline at end of file diff --git a/.releaserc b/.releaserc new file mode 100644 index 0000000..827e5cd --- /dev/null +++ b/.releaserc @@ -0,0 +1,10 @@ +{ + "plugins": [ + "@semantic-release/commit-analyzer", + "@semantic-release/release-notes-generator", + "@semantic-release/github" + ], + "branches": [ + "main" + ] +} \ No newline at end of file diff --git a/docs/developer-guide.md b/docs/developer-guide.md index 9d6bc43..c978f32 100644 --- a/docs/developer-guide.md +++ b/docs/developer-guide.md @@ -82,7 +82,9 @@ Take the following steps to get started in configuring and verifying the infrast terraform destroy -auto-approve ``` -## Integration Tests +## Testing + +### Integration Tests The test suite consists of a number Terraform HCL integration tests that use a mock azurerm provider. @@ -112,7 +114,7 @@ Take the following steps to run the test suite: terraform test ```` -## End to End Tests +### End to End Tests The end to end tests are written in go, and use the [terratest library](https://terratest.gruntwork.io/) and the [Azure SDK for Go](https://github.com/Azure/azure-sdk-for-go/tree/main). @@ -164,7 +166,7 @@ To run the tests, take the following steps: go test -v -timeout 10m ```` -### Debugging +#### Debugging To debug the tests in vscode, add the following configuration to launch settings and run the configuration: @@ -193,41 +195,8 @@ To debug the tests in vscode, add the following configuration to launch settings > For the storage account name, the TF state backend should have been created during the [getting started guide](#getting-started), at which point the storage account will have been created and the name generated. -## CI Pipeline - -The CI pipeline builds and verifies the solution and runs a number of static code analysis steps on the code base. - -Part of the build verification is end to end testing. This requires the pipeline to login to Azure and deploy an environment on which to execute the tests. In order for the pipeline to login to Azure the following GitHub actions secrets must be created: - -* `AZURE_TENANT_ID` - The ID of an Azure tenant which can be used for the end to end test environment. - -* `AZURE_SUBSCRIPTION_ID` - The ID of an Azure subscription which can be used for the end to end test environment. - -* `AZURE_CLIENT_ID` - The client ID of an Azure service principal / app registration which can be used to authenticate with the end to end test environment. - - The app registration must have contributor permissions on the subscription in order to create resources. - -* `AZURE_CLIENT_SECRET` - The client secret of an Azure app registration which can be used to authenticate with the end to end test environment. - -* `TF_STATE_RESOURCE_GROUP` - The resource group which contains the TF state storage account. - -* `TF_STATE_STORAGE_ACCOUNT` - The storage account used for TF state. - -* `TF_STATE_STORAGE_COMTAINER` - The storage container used for TF state. - -### Static Code Analysis +## Creating a Release -The following static code analysis checks are executed: +The CI pipeline workflow uses [Semantic Release](https://github.com/cycjimmy/semantic-release-action) to create semantic version number (e.g. 1.0.0 / major.minor.patch), add a tag to the repository, and publish a release to GitHub. -* [Terraform format](https://developer.hashicorp.com/terraform/cli/commands/fmt) -* [Terraform lint](https://github.com/terraform-linters/tflint) -* [Checkov scan](https://www.checkov.io/) -* [Gitleaks scan](https://github.com/gitleaks/gitleaks) -* [Trivy vulnerability scan](https://github.com/aquasecurity/trivy) +Semantic Release relies on commit message conventions, therefore any merge into `main` should squash merged with a commit message that [adheres to the semantic release formatting rules.](https://github.com/semantic-release/semantic-release/tree/master?tab=readme-ov-file#commit-message-format) diff --git a/docs/pipelines.md b/docs/pipelines.md new file mode 100644 index 0000000..0773ae8 --- /dev/null +++ b/docs/pipelines.md @@ -0,0 +1,57 @@ +# Pipelines + +## CI Pipeline + +The CI pipeline builds and verifies the solution and runs a number of static code analysis steps on the code base. Once successful, if the pipeline is running against the `main` branch a GitHub release will be published using [Semantic Release.](https://github.com/cycjimmy/semantic-release-action) + +Part of the build verification is end to end testing which requires the pipeline to login to an Azure tenant and deploy an environment on which to execute the tests. + +### Static Code Analysis + +The following static code analysis checks are executed: + +* [Terraform format](https://developer.hashicorp.com/terraform/cli/commands/fmt) +* [Terraform lint](https://github.com/terraform-linters/tflint) +* [Checkov scan](https://www.checkov.io/) +* [Gitleaks scan](https://github.com/gitleaks/gitleaks) +* [Trivy vulnerability scan](https://github.com/aquasecurity/trivy) + +### Pipeline Secrets + + In order for the pipeline to login to Azure the following secrets must be created: + +* `AZURE_TENANT_ID` + + The ID of an Azure tenant which can be used for the end to end test environment. + +* `AZURE_SUBSCRIPTION_ID` + + The ID of an Azure subscription which can be used for the end to end test environment. + +* `AZURE_CLIENT_ID` + + The client ID of an Azure service principal / app registration which can be used to authenticate with the end to end test environment. + + The app registration must have contributor permissions on the subscription in order to create resources, and RBAC admin as described in [Environment Setup](./developer-guide.md#environment-setup). + +* `AZURE_CLIENT_SECRET` + + The client secret of an Azure app registration which can be used to authenticate with the end to end test environment. + +* `TF_STATE_RESOURCE_GROUP` + + The resource group which contains the TF state storage account. + +* `TF_STATE_STORAGE_ACCOUNT` + + The storage account used for TF state. + +* `TF_STATE_STORAGE_CONTAINER` + + The storage container used for TF state. + +For the release tag to be added to the repository the following secrets must be created: + +* `GITHUB_TOKEN` + + A personal access token (yuk) which allows the pipeline to commit a release tag to the repository. The PAT will expire periodically and must be maintained. diff --git a/mkdocs.yml b/mkdocs.yml index 7049ac8..989a9b1 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -20,6 +20,7 @@ nav: - Design: design.md - Usage: usage.md - Developer Guide: developer-guide.md + - Pipelines: pipelines.md markdown_extensions: - pymdownx.superfences From 1b8fa180fafd8efd452754564a605109b5621e98 Mon Sep 17 00:00:00 2001 From: John Collinson <13622412+johncollinson2001@users.noreply.github.com> Date: Tue, 8 Oct 2024 21:45:37 +0100 Subject: [PATCH 02/14] Refinement to docs for semantic release. --- README.md | 5 +++++ docs/index.md | 3 ++- docs/usage.md | 4 ++-- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index e6cdf44..4df0fc1 100644 --- a/README.md +++ b/README.md @@ -13,6 +13,7 @@ See the following key docs for more information: * [Design](./docs/design.md) * [Usage](./docs/usage.md) * [Developer Guide](./docs/developer-guide.md) +* [Pipelines](./docs/pipelines.md) ## Repository Structure @@ -62,6 +63,10 @@ docker-compose -f ./docs/docker-compose.yml up Once the container is running, navigate to [http://localhost:8000](http://localhost:8000). +## Releases + +The project uses [Semantic Release](https://github.com/cycjimmy/semantic-release-action) to create and publish releases within the CI pipeline, which relies on [commit message conventions.](https://github.com/semantic-release/semantic-release/tree/master?tab=readme-ov-file#commit-message-format) + ## Contributing If you want to contribute to the project, raise a PR on GitHub. diff --git a/docs/index.md b/docs/index.md index d42fca9..842db1c 100644 --- a/docs/index.md +++ b/docs/index.md @@ -13,6 +13,7 @@ The following technologies have been used: * [Azure]() * [Azure CLI](https://learn.microsoft.com/en-us/cli/azure) * [Terraform](https://developer.hashicorp.com/terraform) -* [Go (used for end-to-end testing)](https://go.dev/dl/) +* [MkDocs](https://www.mkdocs.org/) and the [Squidfunk MkDocs Material UI theme](https://squidfunk.github.io/mkdocs-material/) +* [Go (for end-to-end testing)](https://go.dev/dl/) * [Terratest](https://terratest.gruntwork.io/) * [Azure SDK for Go](https://github.com/Azure/azure-sdk-for-go) diff --git a/docs/usage.md b/docs/usage.md index 878dc80..1ccd220 100644 --- a/docs/usage.md +++ b/docs/usage.md @@ -12,11 +12,11 @@ In future we will use release tags to ensure consumers can depend on a specific ## Example -The following is an example of how the module should be used: +The following is an example of how the module should be used - **update the ref with the release version that you want to use**: ```terraform module "my_backup" { - source = "github.com/nhsdigital/az-backup//infrastructure" + source = "github.com/nhsdigital/az-backup//infrastructure?ref=" vault_name = "myvault" vault_location = "uksouth" vault_redundancy = "LocallyRedundant" From 65831a74187595407b34adb4d60b23aeb8c30a0d Mon Sep 17 00:00:00 2001 From: John Collinson <13622412+johncollinson2001@users.noreply.github.com> Date: Tue, 8 Oct 2024 21:46:58 +0100 Subject: [PATCH 03/14] Updated PR template. --- .github/pull_request_template.md | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 9f88ff5..7733197 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -12,6 +12,7 @@ Please check the relevant options: - [ ] Bug fix (a change which fixes an issue) - [ ] Refactoring (code cleanup or optimization) - [ ] Testing (enhanced test coverage, or test improvement) +- [ ] Pipelines (changes related to pipelines and workflows) - [ ] Documentation (changes to documentation) - [ ] Other (something that's not listed here - please explain in the description or additional information) From 9fdb46f5336b9dcb4216195df7bb07e637db359a Mon Sep 17 00:00:00 2001 From: John Collinson <13622412+johncollinson2001@users.noreply.github.com> Date: Tue, 8 Oct 2024 21:49:15 +0100 Subject: [PATCH 04/14] Update PR template. --- .github/pull_request_template.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 7733197..33114ae 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -24,7 +24,9 @@ Please check or cross through each option: - [ ] I have added comments in hard to understand areas - [ ] I have added tests that prove my change works - [ ] I have updated the documentation -- [ ] The CI build is passing for my PR + +## Reminder + - [ ] If merging into main the PR will be squash merged with [a commit message that adheres to the semantic release format](https://github.com/semantic-release/semantic-release/tree/master?tab=readme-ov-file#commit-message-format) ## Additional Information From eeaa554287a237d4dd2c6249c455666086a8cb54 Mon Sep 17 00:00:00 2001 From: John Collinson <13622412+johncollinson2001@users.noreply.github.com> Date: Tue, 8 Oct 2024 22:05:09 +0100 Subject: [PATCH 05/14] Updated release token details. --- .github/workflows/ci-pipeline.yaml | 6 +++--- docs/pipelines.md | 6 ++++-- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci-pipeline.yaml b/.github/workflows/ci-pipeline.yaml index b3423ee..1b02d7b 100644 --- a/.github/workflows/ci-pipeline.yaml +++ b/.github/workflows/ci-pipeline.yaml @@ -116,14 +116,14 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false # Disable default GITHUB_TOKEN persistence - name: Create Semantic Release uses: cycjimmy/semantic-release-action@v4.1.0 id: semantic-release - with: - dry_run: ${{github.event_name == 'pull_request'}} env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} - name: Output Release Details if: steps.semantic-release.outputs.new_release_published == 'true' diff --git a/docs/pipelines.md b/docs/pipelines.md index 0773ae8..5d85956 100644 --- a/docs/pipelines.md +++ b/docs/pipelines.md @@ -52,6 +52,8 @@ The following static code analysis checks are executed: For the release tag to be added to the repository the following secrets must be created: -* `GITHUB_TOKEN` +* `RELEASE_TOKEN` - A personal access token (yuk) which allows the pipeline to commit a release tag to the repository. The PAT will expire periodically and must be maintained. + A personal access token which allows the pipeline to commit a release tag to the repository. The PAT will expire periodically and must be maintained. + + The PAT should be a "fine grained" access token, restricted to the `az-backup` repository, with Read/Write permissions for "Actions". From 50a3c7714d1b9619864bb611c35b26e6a69d4a2d Mon Sep 17 00:00:00 2001 From: John Collinson <13622412+johncollinson2001@users.noreply.github.com> Date: Tue, 8 Oct 2024 22:18:53 +0100 Subject: [PATCH 06/14] Removed releaserc and moved changes to ci pipeline for simplicity. --- .github/workflows/ci-pipeline.yaml | 7 +++++++ .releaserc | 10 ---------- 2 files changed, 7 insertions(+), 10 deletions(-) delete mode 100644 .releaserc diff --git a/.github/workflows/ci-pipeline.yaml b/.github/workflows/ci-pipeline.yaml index 1b02d7b..15f6cc3 100644 --- a/.github/workflows/ci-pipeline.yaml +++ b/.github/workflows/ci-pipeline.yaml @@ -122,6 +122,13 @@ jobs: - name: Create Semantic Release uses: cycjimmy/semantic-release-action@v4.1.0 id: semantic-release + with: + branches: | + ['main'] + extra_plugins: | + @semantic-release/commit-analyzer + @semantic-release/release-notes-generator + @semantic-release/github env: GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} diff --git a/.releaserc b/.releaserc deleted file mode 100644 index 827e5cd..0000000 --- a/.releaserc +++ /dev/null @@ -1,10 +0,0 @@ -{ - "plugins": [ - "@semantic-release/commit-analyzer", - "@semantic-release/release-notes-generator", - "@semantic-release/github" - ], - "branches": [ - "main" - ] -} \ No newline at end of file From d04c3c034a0e5cf092907d08950b9029e2899a98 Mon Sep 17 00:00:00 2001 From: John Collinson <13622412+johncollinson2001@users.noreply.github.com> Date: Wed, 9 Oct 2024 09:02:23 +0100 Subject: [PATCH 07/14] Added dry run details to test the release. --- .github/workflows/ci-pipeline.yaml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci-pipeline.yaml b/.github/workflows/ci-pipeline.yaml index 15f6cc3..4ce8e74 100644 --- a/.github/workflows/ci-pipeline.yaml +++ b/.github/workflows/ci-pipeline.yaml @@ -38,11 +38,11 @@ jobs: terraform validate working-directory: infrastructure - - name: Run Integration Tests - run: | - terraform init -backend=false - terraform test - working-directory: tests/integration-tests + # - name: Run Integration Tests + # run: | + # terraform init -backend=false + # terraform test + # working-directory: tests/integration-tests - name: Run End to End Tests run: | @@ -123,8 +123,9 @@ jobs: uses: cycjimmy/semantic-release-action@v4.1.0 id: semantic-release with: + dry_run: true branches: | - ['main'] + ['main', 'johnc/semantic-release'] extra_plugins: | @semantic-release/commit-analyzer @semantic-release/release-notes-generator From 41eb575d75b608f4bd63d278d0f156a788d337df Mon Sep 17 00:00:00 2001 From: John Collinson <13622412+johncollinson2001@users.noreply.github.com> Date: Wed, 9 Oct 2024 09:02:43 +0100 Subject: [PATCH 08/14] Bypass e2e steps to test release. --- .github/workflows/ci-pipeline.yaml | 38 +++++++++++++++--------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/workflows/ci-pipeline.yaml b/.github/workflows/ci-pipeline.yaml index 4ce8e74..0490438 100644 --- a/.github/workflows/ci-pipeline.yaml +++ b/.github/workflows/ci-pipeline.yaml @@ -38,26 +38,26 @@ jobs: terraform validate working-directory: infrastructure - # - name: Run Integration Tests - # run: | - # terraform init -backend=false - # terraform test - # working-directory: tests/integration-tests - - - name: Run End to End Tests + - name: Run Integration Tests run: | - go mod tidy - go test -v -timeout 30m - working-directory: tests/end-to-end-tests - env: - GOMAXPROCS: 8 - ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} - ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - TF_STATE_RESOURCE_GROUP: ${{ secrets.TF_STATE_RESOURCE_GROUP }} - TF_STATE_STORAGE_ACCOUNT: ${{ secrets.TF_STATE_STORAGE_ACCOUNT }} - TF_STATE_STORAGE_CONTAINER: ${{ secrets.TF_STATE_STORAGE_CONTAINER }} + terraform init -backend=false + terraform test + working-directory: tests/integration-tests + + # - name: Run End to End Tests + # run: | + # go mod tidy + # go test -v -timeout 30m + # working-directory: tests/end-to-end-tests + # env: + # GOMAXPROCS: 8 + # ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + # ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + # ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} + # ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # TF_STATE_RESOURCE_GROUP: ${{ secrets.TF_STATE_RESOURCE_GROUP }} + # TF_STATE_STORAGE_ACCOUNT: ${{ secrets.TF_STATE_STORAGE_ACCOUNT }} + # TF_STATE_STORAGE_CONTAINER: ${{ secrets.TF_STATE_STORAGE_CONTAINER }} static-code-analysis: name: Static Code Analysis From af6859c50347f594b6dde47f0b3e72a7df82d2eb Mon Sep 17 00:00:00 2001 From: John Collinson <13622412+johncollinson2001@users.noreply.github.com> Date: Wed, 9 Oct 2024 09:10:51 +0100 Subject: [PATCH 09/14] Removed release plugins that are installed by default. --- .github/workflows/ci-pipeline.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/ci-pipeline.yaml b/.github/workflows/ci-pipeline.yaml index 0490438..db77c2d 100644 --- a/.github/workflows/ci-pipeline.yaml +++ b/.github/workflows/ci-pipeline.yaml @@ -126,10 +126,6 @@ jobs: dry_run: true branches: | ['main', 'johnc/semantic-release'] - extra_plugins: | - @semantic-release/commit-analyzer - @semantic-release/release-notes-generator - @semantic-release/github env: GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} From 953437c352adda6751d1c0e8598e1bce88f48810 Mon Sep 17 00:00:00 2001 From: John Collinson <13622412+johncollinson2001@users.noreply.github.com> Date: Wed, 9 Oct 2024 09:50:25 +0100 Subject: [PATCH 10/14] Uncommented e2e test step from ci pipeline (commented to test semantic release). --- .github/workflows/ci-pipeline.yaml | 33 +++++++++++++++--------------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/.github/workflows/ci-pipeline.yaml b/.github/workflows/ci-pipeline.yaml index db77c2d..bacd050 100644 --- a/.github/workflows/ci-pipeline.yaml +++ b/.github/workflows/ci-pipeline.yaml @@ -44,20 +44,20 @@ jobs: terraform test working-directory: tests/integration-tests - # - name: Run End to End Tests - # run: | - # go mod tidy - # go test -v -timeout 30m - # working-directory: tests/end-to-end-tests - # env: - # GOMAXPROCS: 8 - # ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - # ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - # ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} - # ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - # TF_STATE_RESOURCE_GROUP: ${{ secrets.TF_STATE_RESOURCE_GROUP }} - # TF_STATE_STORAGE_ACCOUNT: ${{ secrets.TF_STATE_STORAGE_ACCOUNT }} - # TF_STATE_STORAGE_CONTAINER: ${{ secrets.TF_STATE_STORAGE_CONTAINER }} + - name: Run End to End Tests + run: | + go mod tidy + go test -v -timeout 30m + working-directory: tests/end-to-end-tests + env: + GOMAXPROCS: 8 + ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} + ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + TF_STATE_RESOURCE_GROUP: ${{ secrets.TF_STATE_RESOURCE_GROUP }} + TF_STATE_STORAGE_ACCOUNT: ${{ secrets.TF_STATE_STORAGE_ACCOUNT }} + TF_STATE_STORAGE_CONTAINER: ${{ secrets.TF_STATE_STORAGE_CONTAINER }} static-code-analysis: name: Static Code Analysis @@ -108,7 +108,7 @@ jobs: - name: Run Trivy Scan run: trivy filesystem --security-checks vuln,config --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed . - publish: + publishing: name: Publish Release runs-on: ubuntu-latest needs: [build-verification, static-code-analysis] @@ -123,9 +123,8 @@ jobs: uses: cycjimmy/semantic-release-action@v4.1.0 id: semantic-release with: - dry_run: true branches: | - ['main', 'johnc/semantic-release'] + ['main'] env: GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} From 03d1684b990f08be57498d9d53806dc1bc391aaf Mon Sep 17 00:00:00 2001 From: johncollinson2001 <13622412+johncollinson2001@users.noreply.github.com> Date: Mon, 18 Nov 2024 21:20:44 +0000 Subject: [PATCH 11/14] Updated semantic version action and docs. --- .github/pull_request_template.md | 15 ++-- .github/workflows/ci-pipeline.yaml | 11 +-- .releaserc | 16 ++++ README.md | 9 ++- docs/design.md | 109 -------------------------- docs/developer-guide.md | 16 +++- docs/pipelines.md | 2 +- docs/security-guide.md | 119 +++++++++++++++++++++++++++++ mkdocs.yml | 1 + 9 files changed, 168 insertions(+), 130 deletions(-) create mode 100644 .releaserc create mode 100644 docs/security-guide.md diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index b849e2e..d3a1185 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -1,6 +1,5 @@ - - + ## Description @@ -8,7 +7,7 @@ Please provide a brief summary of the changes made in this pull request. ## Type of change -Please check the relevant options, or cross through options which are not applicable to this change: +Please check the relevant options: 🔲 New feature (a change which adds functionality) 🔲 Bug fix (a change which fixes an issue) @@ -20,12 +19,12 @@ Please check the relevant options, or cross through options which are not applic ## Checklist -Please check the relevant options, or cross through options which are not applicable to this change: +Please check the relevant options: -- [ ] My code aligns with the style of this project -- [ ] I have added comments in hard to understand areas -- [ ] I have added tests that prove my change works -- [ ] I have updated the documentation +🔲 My code aligns with the style of this project +🔲 I have added comments in hard to understand areas +🔲 I have added tests that prove my change works +🔲 I have updated the documentation ## Reminder diff --git a/.github/workflows/ci-pipeline.yaml b/.github/workflows/ci-pipeline.yaml index c631416..d1bde72 100644 --- a/.github/workflows/ci-pipeline.yaml +++ b/.github/workflows/ci-pipeline.yaml @@ -122,16 +122,13 @@ jobs: - name: Create Semantic Release uses: cycjimmy/semantic-release-action@v4.1.0 id: semantic-release - with: - branches: | - ['main'] env: GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} - name: Output Release Details if: steps.semantic-release.outputs.new_release_published == 'true' run: | - echo ${{ steps.semantic.outputs.new_release_version }} - echo ${{ steps.semantic.outputs.new_release_major_version }} - echo ${{ steps.semantic.outputs.new_release_minor_version }} - echo ${{ steps.semantic.outputs.new_release_patch_version }} \ No newline at end of file + echo ${{ steps.semantic-release.outputs.new_release_version }} + echo ${{ steps.semantic-release.outputs.new_release_major_version }} + echo ${{ steps.semantic-release.outputs.new_release_minor_version }} + echo ${{ steps.semantic-release.outputs.new_release_patch_version }} \ No newline at end of file diff --git a/.releaserc b/.releaserc new file mode 100644 index 0000000..2f3a316 --- /dev/null +++ b/.releaserc @@ -0,0 +1,16 @@ +{ + "branches": [ + "main" + ], + "plugins": [ + "@semantic-release/commit-analyzer", + "@semantic-release/release-notes-generator", + "@semantic-release/github" + ], + "releaseRules": [ + { "breaking": true, "release": "major" }, + { "revert": true, "release": "patch" }, + { "type": "feat", "release": "minor" }, + { "message": "**", "release": "patch" } + ] +} \ No newline at end of file diff --git a/README.md b/README.md index 76d9d60..59f6a66 100644 --- a/README.md +++ b/README.md @@ -11,9 +11,9 @@ The solution consists of a configurable Terraform module which deploys the follo * Backup vault * Backup policies * Backup instances for the following resources: - * Blob storage - * Managed disks - * PostgreSQL flexible server + * Blob storage + * Managed disks + * PostgreSQL flexible server * Integration of diagnostic settings with Azure Monitor The resources created by the module reside in their own resource group. @@ -23,6 +23,7 @@ See the following key docs for more information: * [Design](./docs/design.md) * [Usage](./docs/usage.md) * [Developer Guide](./docs/developer-guide.md) +* [Security Guide](./docs/security-guide.md) * [Pipelines](./docs/pipelines.md) ## Repository Structure @@ -77,6 +78,8 @@ Once the container is running, navigate to [http://localhost:8000](http://localh The project uses [Semantic Release](https://github.com/cycjimmy/semantic-release-action) to create and publish releases within the CI pipeline, which relies on [commit message conventions.](https://github.com/semantic-release/semantic-release/tree/master?tab=readme-ov-file#commit-message-format) +[See the following section of the documentation for more information](./docs/developer-guide.md#creating-a-release). + ## Contributing If you want to contribute to the project, raise a PR on GitHub. diff --git a/docs/design.md b/docs/design.md index 2167218..424c26c 100644 --- a/docs/design.md +++ b/docs/design.md @@ -36,115 +36,6 @@ The following diagram illustrates the high level architecture: 1. Some resources such as Azure SQL and Azure Key Vault are not directly supported by Azure **backup vault**, but can be incorporated via a supplementary process that backs up the data to Azure Blob Storage first. In the case of Azure SQL, a typical scenario could be an Azure Logic App that takes a backup of Azure SQL on a regular basis and stores the data in Azure Blob Storage. It is the aspiration of this solution to provide guidance and tooling that teams can adopt to support these scenarios. -## Security Design - -The following diagram illustrates the security design of the solution: - -![Security Design](assets/security-design.drawio.svg) - -See the following links for further details on some concepts relevant to the design: - -* [Azure Multi-user Authorisation (MUA) and Resource Guard](https://learn.microsoft.com/en-us/azure/backup/multi-user-authorization-concept) -* [Backup Operator Role](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage#backup-operator) -* [Azure Privileged Identity Management (PIM)](https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management) - -### Actors - -> NOTE: The roles listed below are not an exhaustive list, and are only those which are of relevance to the backup solution. - -1. Tenant Admin - - The tenant admin, aka the "global administrator", is typically a restricted group of technical specialists and/or senior engineering staff. They have full control over the Azure tenant including all subscriptions and identities. - - The actor holds the following roles: - - * Tenant Owner - * Tenant RBAC Administrator - - The following risks and mitigations should be considered: - - | Risks | Mitigations | - |-|-| - | Backup instance tampered with. | Use of PIM for temporary elevated privileges. | - | Backup policy tampered with. | Use of MUA for restricted backup operations. | - | Role based access tampered. | Dedicated admin accounts. | - | No other account able to override a malicious actor. | | - -1. Subscription Admin - - The subscription admin is typically a restricted group of team leads who are deploying their teams solutions to the subscription. They have full control over the subscription, including the backup vault and the backup resources. - - The actor holds the following roles: - - * Subscription Owner - * Subscription RBAC Administrator - - The following risks and mitigations should be considered: - - | Risks | Mitigations | - |-|-| - | Backup instance tampered with.                       | Use of PIM for temporary elevated privileges. | - | Backup policy tampered with. | Use of MUA for restricted backup operations. | - | Role based access tampered. | | - -1. Deployment Service Principal - - The deployment service principal is an unattended credential used to deploy the solution from an automated process such as a pipeline or workflow. It has the permission to deploy resources (such as the backup vault) and assign the roles required for the solution to operate. - - The actor holds the following roles: - - * Subscription Contributor - * Subscription RBAC Administrator limited to the roles required by the deployment - - The following risks and mitigations should be considered: - - | Risks | Mitigations | - |-|-| - | Backup instance tampered with.                       | Use of PIM for temporary elevated privileges. | - | Backup policy tampered with. | Use of MUA for restricted backup operations. | - | Role based access tampered. | Secret scanning in pipeline. | - | Poor secret management. | Robust secret management procedures. | - -1. Backup Admin - - The backup admin is typically a group of team support engineers and/or technical specialists. They have the permission to monitor backup telemetry, and restore backups in order to recover services. - - The actor holds the following roles: - - * Subscription Backup Operator - -1. Backup Monitor - - The backup monitor is typically a group of service staff. They have the permission to monitor backup telemetry in order to raise the alarm if any issues are found. - - The actor holds the following roles: - - * Monitoring Reader - -1. Security Admin - - The security admin is typically a group of cyber security specialists that are isolated from the other actors, by being in a different tenant or a highly restricted subscription. They have permissions to manage Resource Guard, which provide multi user authorisation to perform restricted operations on the backup vault, such as changing policies or stopping a backup instance. - - The actor holds the following roles: - - * Subscription Backup MUA Administrator - - | Risks | Mitigations | - |-|-| - | Elevated roles note revoked.                       | Use of PIM for temporary elevated privileges. | - | | Robust and well documented processes. | - - **NOTE: MUA without PIM requires a manual revocation of elevated permissions.** - -1. Backup Vault Managed Identity - - The backup vault managed identity is a "System Assigned" managed identity that performs backup vault operations. It is restricted to just the services defined at deployment, and cannot be compromised at runtime. - - The actor holds the following roles: - - * Backup Vault Resource Writer - * Reader role on resources that require backup - ## Terraform Design The following diagram illustrates the terraform design: diff --git a/docs/developer-guide.md b/docs/developer-guide.md index 640be65..cab1785 100644 --- a/docs/developer-guide.md +++ b/docs/developer-guide.md @@ -1,3 +1,5 @@ + + # Developer Guide ## Overview @@ -205,6 +207,16 @@ To debug the tests in vscode, add the following configuration to launch settings ## Creating a Release -The CI pipeline workflow uses [Semantic Release](https://github.com/cycjimmy/semantic-release-action) to create semantic version number (e.g. 1.0.0 / major.minor.patch), add a tag to the repository, and publish a release to GitHub. +The CI pipeline workflow uses the [Semantic Release](https://github.com/cycjimmy/semantic-release-action) GitHub action to create semantic version number (e.g. 1.0.0 / major.minor.patch), add a tag to the repository, and publish a release to GitHub. See the `./releaserc` file at the repo root to view the configuration that has been applied. + +Semantic Release relies on commit message conventions, therefore any merge into `main` should squash merged with a commit message that [adheres to the semantic release formatting rules](https://github.com/semantic-release/semantic-release/tree/master?tab=readme-ov-file#commit-message-format). + +**When a PR is merged into `main`, if no commit messages are found that meet the convention then the patch number is incremented by default.** + +Here are some example commit messages which will result in a version increment: -Semantic Release relies on commit message conventions, therefore any merge into `main` should squash merged with a commit message that [adheres to the semantic release formatting rules.](https://github.com/semantic-release/semantic-release/tree/master?tab=readme-ov-file#commit-message-format) +|Commit Message|Type|Example| +|--------------|----|-------| +|fix: Fixed a bug.|Patch|1.1.**10** -> 1.1.**11**| +|feat: Added a feature.|Minor|1.**1**.10 -> 1.**2**.0| +|feat: Changed a feature.
BREAKING CHANGE: This change breaks things.|Major|**1**.1.10 -> **2**.0.0| diff --git a/docs/pipelines.md b/docs/pipelines.md index 5d85956..9863ad3 100644 --- a/docs/pipelines.md +++ b/docs/pipelines.md @@ -56,4 +56,4 @@ For the release tag to be added to the repository the following secrets must be A personal access token which allows the pipeline to commit a release tag to the repository. The PAT will expire periodically and must be maintained. - The PAT should be a "fine grained" access token, restricted to the `az-backup` repository, with Read/Write permissions for "Actions". + The PAT should be a fine grained access token, restricted to the `az-backup` repository, with Read/Write for the "Contents" permission. diff --git a/docs/security-guide.md b/docs/security-guide.md new file mode 100644 index 0000000..4337b82 --- /dev/null +++ b/docs/security-guide.md @@ -0,0 +1,119 @@ + + + +# Security + +## Overview + +The security of the solution relies on configuration at the tenant and subscription level which is outside of the control of this module. + +The design proposed in this section acts as a best practice guide and it will be down to teams and programmes to implement the necessary controls and procedures. + +## Design + +The following diagram illustrates the security design of the solution: + +![Security Design](assets/security-design.drawio.svg) + +See the following links for further details on some concepts relevant to the design: + +* [Azure Multi-user Authorisation (MUA) and Resource Guard](https://learn.microsoft.com/en-us/azure/backup/multi-user-authorization-concept) +* [Backup Operator Role](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage#backup-operator) +* [Azure Privileged Identity Management (PIM)](https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management) + +### Actors + +> NOTE: The roles listed below are not an exhaustive list, and are only those which are of relevance to the backup solution. + +#### 1. Tenant Admin + +The tenant admin, aka the "global administrator", is typically a restricted group of technical specialists and/or senior engineering staff. They have full control over the Azure tenant including all subscriptions and identities. + +The actor holds the following roles: + +* Tenant Owner +* Tenant RBAC Administrator + +The following risks and mitigations should be considered: + +| Risks | Mitigations | +|-|-| +| Backup instance tampered with. | Use of PIM for temporary elevated privileges. | +| Backup policy tampered with. | Use of MUA for restricted backup operations. | +| Role based access tampered. | Dedicated admin accounts. | +| No other account able to override a malicious actor. | | + +#### 2. Subscription Admin + +The subscription admin is typically a restricted group of team leads who are deploying their teams solutions to the subscription. They have full control over the subscription, including the backup vault and the backup resources. + +The actor holds the following roles: + +* Subscription Owner +* Subscription RBAC Administrator + +The following risks and mitigations should be considered: + +| Risks | Mitigations | +|-|-| +| Backup instance tampered with.                       | Use of PIM for temporary elevated privileges. | +| Backup policy tampered with. | Use of MUA for restricted backup operations. | +| Role based access tampered. | | + +#### 3. Deployment Service Principal + +The deployment service principal is an unattended credential used to deploy the solution from an automated process such as a pipeline or workflow. It has the permission to deploy resources (such as the backup vault) and assign the roles required for the solution to operate. + +The actor holds the following roles: + +* Subscription Contributor +* Subscription RBAC Administrator limited to the roles required by the deployment + +The following risks and mitigations should be considered: + +| Risks | Mitigations | +|-|-| +| Backup instance tampered with.                       | Use of PIM for temporary elevated privileges. | +| Backup policy tampered with. | Use of MUA for restricted backup operations. | +| Role based access tampered. | Secret scanning in pipeline. | +| Poor secret management. | Robust secret management procedures. | + +#### 4. Backup Admin + +The backup admin is typically a group of team support engineers and/or technical specialists. They have the permission to monitor backup telemetry, and restore backups in order to recover services. + +The actor holds the following roles: + +* Subscription Backup Operator + +#### 5. Backup Monitor + +The backup monitor is typically a group of service staff. They have the permission to monitor backup telemetry in order to raise the alarm if any issues are found. + +The actor holds the following roles: + +* Monitoring Reader + +#### 6. Security Admin + +The security admin is typically a group of cyber security specialists that are isolated from the other actors, by being in a different tenant or a highly restricted subscription. They have permissions to manage Resource Guard, which provide multi user authorisation to perform restricted operations on the backup vault, such as changing policies or stopping a backup instance. + +The actor holds the following roles: + +* Subscription Backup MUA Administrator + +| Risks | Mitigations | +|-|-| +| Elevated roles note revoked.                       | Use of PIM for temporary elevated privileges. | +| | Robust and well documented processes. | + +**NOTE: MUA without PIM requires a manual revocation of elevated permissions.** + +#### 7. Backup Vault Managed Identity + +The backup vault managed identity is a "System Assigned" managed identity that performs backup vault operations. It is restricted to just the services defined at deployment, and cannot be compromised at runtime. + +The actor holds the following roles: + +* Backup Vault Resource Writer +* Reader role on resources that require backup diff --git a/mkdocs.yml b/mkdocs.yml index 989a9b1..5dff426 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -20,6 +20,7 @@ nav: - Design: design.md - Usage: usage.md - Developer Guide: developer-guide.md + - Security Guide: security-guide.md - Pipelines: pipelines.md markdown_extensions: From 1cf29d689a12a6174a944dc5a6eb6f07d0352456 Mon Sep 17 00:00:00 2001 From: johncollinson2001 <13622412+johncollinson2001@users.noreply.github.com> Date: Mon, 18 Nov 2024 21:30:19 +0000 Subject: [PATCH 12/14] Updated PR template reminders section. --- .github/pull_request_template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index d3a1185..18e2615 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -28,7 +28,7 @@ Please check the relevant options: ## Reminder -- [ ] If merging into main the PR will be squash merged with [a commit message that adheres to the semantic release format](https://github.com/semantic-release/semantic-release/tree/master?tab=readme-ov-file#commit-message-format) +🔲 If merging into main, I'm aware that the PR will be squash merged with [a commit message that adheres to the semantic release format](https://github.com/semantic-release/semantic-release/tree/master?tab=readme-ov-file#commit-message-format) ## Additional Information From 57b784938d2a5f465b515a3dbd03abec1eef39fb Mon Sep 17 00:00:00 2001 From: johncollinson2001 <13622412+johncollinson2001@users.noreply.github.com> Date: Mon, 18 Nov 2024 21:31:19 +0000 Subject: [PATCH 13/14] Updated PR template. --- .github/pull_request_template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 18e2615..e5fedfa 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -28,7 +28,7 @@ Please check the relevant options: ## Reminder -🔲 If merging into main, I'm aware that the PR will be squash merged with [a commit message that adheres to the semantic release format](https://github.com/semantic-release/semantic-release/tree/master?tab=readme-ov-file#commit-message-format) +🔲 If merging into main, I'm aware that the PR should be squash merged with [a commit message that adheres to the semantic release format](https://github.com/semantic-release/semantic-release/tree/master?tab=readme-ov-file#commit-message-format) ## Additional Information From 73c7195a9c0b61fc7eedd4a073e9ba9ca890d5ff Mon Sep 17 00:00:00 2001 From: johncollinson2001 <13622412+johncollinson2001@users.noreply.github.com> Date: Mon, 18 Nov 2024 21:32:31 +0000 Subject: [PATCH 14/14] Updated PR template. --- .github/pull_request_template.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index e5fedfa..5bd3a68 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -25,9 +25,6 @@ Please check the relevant options: 🔲 I have added comments in hard to understand areas 🔲 I have added tests that prove my change works 🔲 I have updated the documentation - -## Reminder - 🔲 If merging into main, I'm aware that the PR should be squash merged with [a commit message that adheres to the semantic release format](https://github.com/semantic-release/semantic-release/tree/master?tab=readme-ov-file#commit-message-format) ## Additional Information