Use workload identity for sql server auth (#39)

* handle errors in tests * test no subs * test multiline connection string * test multiline connection string * test env variable * test odbc sqlcmd * run script file * use default auth * use sql action * spelling * change client-id * test matrix * test acr task run * actually run * test * simplify workflows, use new managed identity for database interactions * remove permissions from pr * only run sql updates in prod/c2/playground on push to release * use checkout v4 * add comment * fix ref * fix ref and client-id
equinor · Feb 12, 2024 · cd77228 · cd77228
1 parent 335e10c
commit cd77228
Show file tree

Hide file tree

Showing 13 changed files with 145 additions and 224 deletions.
diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml
@@ -5,55 +5,79 @@ on:
     branches: [ main, release ]
 
 permissions:
-  actions: read
-  checks: read
-  contents: read
-  deployments: read
   id-token: write
-  issues: read
-  discussions: read
-  packages: read
-  pages: read
-  pull-requests: read
-  repository-projects: read
-  security-events: read
-  statuses: read
+  contents: read
 
 jobs:
-  get-target-configs:
-    name: Get target configs for branch
-    outputs:
-      target_configs: ${{ steps.get-target-configs.outputs.target_configs }}
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@v3
-      - name: Get target configs
-        id: get-target-configs
-        run: |
-          configs=$(ls $GITHUB_WORKSPACE/.github/workflows/config/${GITHUB_REF_NAME} | jq -Rsc '. / "\n" - [""]')
-          echo "target_configs=${configs}" >> $GITHUB_OUTPUT
-  
-  build-deploy-image:
-    name: Build & push
+  build-deploy:
     runs-on: ubuntu-20.04
-    needs:
-      - get-target-configs
     strategy:
       fail-fast: false
-      matrix: 
-        config: ${{ fromJson(needs.get-target-configs.outputs.target_configs) }}
+      matrix:
+        target:
+          - name: "dev"
+            ref: "refs/heads/master"
+            acr-name: "radixdev"
+            client-id: "1a292b18-2960-49a5-b429-c8a50349b5eb"
+            subscription-id: "16ede44b-1f74-40a5-b428-46cca9a5741b"
+
+          - name: "playground"
+            ref: "refs/heads/release"
+            acr-name: "radixdev"
+            client-id: "1a292b18-2960-49a5-b429-c8a50349b5eb"
+            subscription-id: "16ede44b-1f74-40a5-b428-46cca9a5741b"
+
+          - name: "platform"
+            ref: "refs/heads/release"
+            acr-name: "radixprod"
+            client-id: "d1ee58e8-5896-48d9-a777-5418c3df9a58"
+            subscription-id: "ded7ca41-37c8-4085-862f-b11d21ab341a"
+
+          - name: "c2"
+            ref: "refs/heads/release"
+            acr-name: "radixc2prod"
+            client-id: "d1ee58e8-5896-48d9-a777-5418c3df9a58"
+            subscription-id: "ded7ca41-37c8-4085-862f-b11d21ab341a"
+
     steps:
-    - uses: actions/checkout@v3
-    - name: Persist environment from ${{ matrix.config }} across steps
-      run: |
-        $GITHUB_WORKSPACE/.github/workflows/scripts/persist-env.sh ${{ matrix.config }}
-
-    - uses: azure/login@v1
-      with:
-        client-id: ${{ env.AZURE_CLIENT_ID }}
-        tenant-id: ${{ env.AZURE_TENANT_ID }}
-        subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
-
-    - name: Build image
-      run: |
-        $GITHUB_WORKSPACE/.github/workflows/scripts/build-push.sh
+      - uses: actions/checkout@v4
+        if: matrix.target.ref == github.ref
+
+      - uses: azure/login@v1
+        if: matrix.target.ref == github.ref
+        with:
+          client-id: ${{matrix.target.client-id}}
+          tenant-id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
+          subscription-id: ${{matrix.target.subscription-id}}
+
+      - name: Generate image tag
+        if: matrix.target.ref == github.ref
+        id: tag
+        run: |
+          sha=${GITHUB_SHA::8}
+          ts=$(date +%s)
+          echo "tag=${GITHUB_REF_NAME}-${sha}-${ts}" >> $GITHUB_OUTPUT
+
+      - name: Build image
+        if: matrix.target.ref == github.ref
+        env:
+          AZURE_SUBSCRIPTION_ID: ${{matrix.target.subscription-id}}
+          ACR_NAME: ${{matrix.target.acr-name}}
+          IMAGE_NAME: radix-vulnerability-scanner
+          TAG: ${{steps.tag.outputs.tag}}
+        run: |
+          az acr task run \
+             --subscription ${AZURE_SUBSCRIPTION_ID} \
+             --name radix-image-builder-internal \
+             --registry ${ACR_NAME} \
+             --context ${GITHUB_WORKSPACE} \
+             --file ${GITHUB_WORKSPACE}/Dockerfile \
+             --set DOCKER_REGISTRY=${ACR_NAME} \
+             --set BRANCH=${GITHUB_REF_NAME} \
+             --set TAGS="--tag ${ACR_NAME}.azurecr.io/${IMAGE_NAME}:${TAG}" \
+             --set DOCKER_FILE_NAME=Dockerfile \
+             --set PUSH="--push" \
+             --set REPOSITORY_NAME=${IMAGE_NAME} \
+             --set CACHE="" \
+             --set CACHE_TO_OPTIONS="--cache-to=type=registry,ref=${ACR_NAME}.azurecr.io/${IMAGE_NAME}:radix-cache-${GITHUB_REF_NAME},mode=max"
+
diff --git a/.github/workflows/config/common.cfg b/.github/workflows/config/common.cfg
diff --git a/.github/workflows/config/main/dev.cfg b/.github/workflows/config/main/dev.cfg
diff --git a/.github/workflows/config/release/c2.cfg b/.github/workflows/config/release/c2.cfg
diff --git a/.github/workflows/config/release/playground.cfg b/.github/workflows/config/release/playground.cfg
diff --git a/.github/workflows/config/release/prod.cfg b/.github/workflows/config/release/prod.cfg
diff --git a/.github/workflows/deploy-database.yml b/.github/workflows/deploy-database.yml
@@ -3,85 +3,91 @@ name: Deploy Database
 on:
   push:
     branches: [main, release]
+  workflow_dispatch:
 
 permissions:
-  actions: read
-  checks: read
-  contents: read
-  deployments: read
   id-token: write
-  issues: read
-  discussions: read
-  packages: read
-  pages: read
-  pull-requests: read
-  repository-projects: read
-  security-events: read
-  statuses: read
+  contents: read
 
 jobs:
-  get-target-configs:
-    name: Get target configs for branch
-    outputs:
-      target_configs: ${{ steps.get-target-configs.outputs.target_configs }}
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@v3
-      - name: Get target configs
-        id: get-target-configs
-        run: |
-          configs=$(ls $GITHUB_WORKSPACE/.github/workflows/config/${GITHUB_REF_NAME} | jq -Rsc '. / "\n" - [""]')
-          echo "target_configs=${configs}" >> $GITHUB_OUTPUT
-
-  deploy-sql-server:
+  deploy:
     runs-on: ubuntu-20.04
-    needs:
-      - get-target-configs
     strategy:
       fail-fast: false
-      matrix: 
-        config: ${{ fromJson(needs.get-target-configs.outputs.target_configs) }}
+      matrix:
+        target:
+        - name: "dev"
+          ref: "refs/heads/master"
+          client-id: "a23b30b8-3faa-42a1-817e-6cd097a620f1"
+          server: "sql-radix-vulnerability-scan-dev.database.windows.net"
+
+        - name: "playground"
+          ref: "refs/heads/release"
+          client-id: "453fb3de-daaa-43e6-93ef-a470849a2b6b"
+          server: "sql-radix-vulnerability-scan-playground.database.windows.net"
+
+        - name: "platform"
+          ref: "refs/heads/release"
+          client-id: "50e78187-ff60-49c5-bcbe-701bbbf4f5d7"
+          server: "sql-radix-vulnerability-scan-prod.database.windows.net"
+
+        - name: "c2"
+          ref: "refs/heads/release"
+          client-id: "f26240e2-3095-4273-8559-2ca9a121991e"
+          server: "sql-radix-vulnerability-scan-c2.database.windows.net"
+
+    env:
+      connection: >-
+        Server=${{matrix.target.server}};
+        Initial Catalog=radix-vulnerability-scan;
+        Authentication=Active Directory Default; 
+        Encrypt=True;
+        TrustServerCertificate=False;
+        Connection Timeout=30;
+
     steps:
-    - uses: actions/checkout@v3
-    - name: Persist environment from ${{ matrix.config }} across steps
-      run: |
-        $GITHUB_WORKSPACE/.github/workflows/scripts/persist-env.sh ${{ matrix.config }}
+      - uses: actions/checkout@v4
+        if: matrix.target.ref == github.ref
+
+      - uses: azure/login@v1
+        if: matrix.target.ref == github.ref
+        with:
+          client-id: ${{matrix.target.client-id}}
+          tenant-id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
+          allow-no-subscriptions: true
 
-    - uses: azure/login@v1
-      with:
-        client-id: ${{ env.AZURE_CLIENT_ID }}
-        tenant-id: ${{ env.AZURE_TENANT_ID }}
-        subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
+      - uses: azure/[email protected]
+        if: matrix.target.ref == github.ref
+        with:
+          connection-string: ${{env.connection}}
+          path: './azure-infrastructure/sql-scripts/predeploy.sql'
 
-    - name: Get DB password from KV
-      run: |
-        db_admin_pw=$(az keyvault secret show --id https://${KEY_VAULT_NAME}.vault.azure.net/secrets/${DB_ADMIN_SECRET_NAME} --query value --output tsv)
-        echo "::add-mask::$db_admin_pw"
-        echo "DB_ADMIN_PASSWORD=$db_admin_pw" >> $GITHUB_ENV
+      - uses: azure/[email protected]
+        if: matrix.target.ref == github.ref
+        with:
+          connection-string: ${{env.connection}}
+          path: './azure-infrastructure/sql-scripts/roles.sql'
 
-    - name: Generate random firewall rule name
-      run: |
-        fw_rule_name="github-runner-$(uuidgen)"
-        echo "FIREWALL_RULE_NAME=$fw_rule_name" >> $GITHUB_ENV
-        
-    - name: Install SqlServer PS module
-      shell: pwsh
-      run: |
-        Set-PSRepository -Name "PSGallery" -InstallationPolicy Trusted
-        Install-Module -Name SqlServer
+      - uses: azure/[email protected]
+        if: matrix.target.ref == github.ref
+        with:
+          connection-string: ${{env.connection}}
+          path: './azure-infrastructure/sql-scripts/types.sql'
 
-    - name: Whitelist Runner IP in firewalls
-      shell: pwsh
-      run: |
-        ./.github/workflows/scripts/whitelist-ip.ps1 -FirewallRuleName "${env:FIREWALL_RULE_NAME}"
+      - uses: azure/[email protected]
+        if: matrix.target.ref == github.ref
+        with:
+          connection-string: ${{env.connection}}
+          path: './azure-infrastructure/sql-scripts/tables.sql'
 
-    - name: Creating DB schema and tables
-      shell: pwsh
-      run: |
-        ./.github/workflows/scripts/create-db.ps1
+      - uses: azure/[email protected]
+        if: matrix.target.ref == github.ref
+        with:
+          connection-string: ${{env.connection}}
+          path: './azure-infrastructure/sql-scripts/views.sql'
 
-    - name: Blacklist Runner IP in firewalls
-      shell: pwsh
-      if: ${{ always() }}
-      run: |
-        ./.github/workflows/scripts/blacklist-ip.ps1 -FirewallRuleName "${env:FIREWALL_RULE_NAME}"
+      - uses: azure/[email protected]
+        if: matrix.target.ref == github.ref
+        with:
+          connection-string: ${{env.connection}}
+          path: './azure-infrastructure/sql-scripts/procedures.sql'
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -3,12 +3,13 @@ on:
   pull_request:
     branches:
     - main
+
 jobs:
   build:
     name: Build
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Build docker image
       env:
         REF: ${{ github. sha }}
@@ -36,7 +37,7 @@ jobs:
     name: Unit Test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
         with:
           go-version: '1.21'

diff --git a/.github/workflows/scripts/blacklist-ip.ps1 b/.github/workflows/scripts/blacklist-ip.ps1