diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml
index 2b0fa05..82a1f4a 100644
--- a/.github/workflows/build-push.yml
+++ b/.github/workflows/build-push.yml
@@ -5,55 +5,79 @@ on: branches: [ main, release ] permissions: - actions: read - checks: read - contents: read - deployments: read id-token: write - issues: read - discussions: read - packages: read - pages: read - pull-requests: read - repository-projects: read - security-events: read - statuses: read + contents: read jobs: - get-target-configs: - name: Get target configs for branch - outputs: - target_configs: ${{ steps.get-target-configs.outputs.target_configs }} - runs-on: ubuntu-20.04 - steps: - - uses: actions/checkout@v3 - - name: Get target configs - id: get-target-configs - run: | - configs=$(ls $GITHUB_WORKSPACE/.github/workflows/config/${GITHUB_REF_NAME} | jq -Rsc '. / "\n" - [""]') - echo "target_configs=${configs}" >> $GITHUB_OUTPUT - - build-deploy-image: - name: Build & push + build-deploy: runs-on: ubuntu-20.04 - needs: - - get-target-configs strategy: fail-fast: false - matrix: - config: ${{ fromJson(needs.get-target-configs.outputs.target_configs) }} + matrix: + target: + - name: "dev" + ref: "refs/heads/master" + acr-name: "radixdev" + client-id: "1a292b18-2960-49a5-b429-c8a50349b5eb" + subscription-id: "16ede44b-1f74-40a5-b428-46cca9a5741b" + + - name: "playground" + ref: "refs/heads/release" + acr-name: "radixdev" + client-id: "1a292b18-2960-49a5-b429-c8a50349b5eb" + subscription-id: "16ede44b-1f74-40a5-b428-46cca9a5741b" + + - name: "platform" + ref: "refs/heads/release" + acr-name: "radixprod" + client-id: "d1ee58e8-5896-48d9-a777-5418c3df9a58" + subscription-id: "ded7ca41-37c8-4085-862f-b11d21ab341a" + + - name: "c2" + ref: "refs/heads/release" + acr-name: "radixc2prod" + client-id: "d1ee58e8-5896-48d9-a777-5418c3df9a58" + subscription-id: "ded7ca41-37c8-4085-862f-b11d21ab341a" + steps: - - uses: actions/checkout@v3 - - name: Persist environment from ${{ matrix.config }} across steps - run: | - $GITHUB_WORKSPACE/.github/workflows/scripts/persist-env.sh ${{ matrix.config }} - - - uses: azure/login@v1 - with: - client-id: ${{ 
env.AZURE_CLIENT_ID }}
- tenant-id: ${{ env.AZURE_TENANT_ID }}
- subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
-
- - name: Build image
- run: |
- $GITHUB_WORKSPACE/.github/workflows/scripts/build-push.sh
+ - uses: actions/checkout@v4
+ if: matrix.target.ref == github.ref
+
+ - uses: azure/login@v1
+ if: matrix.target.ref == github.ref
+ with:
+ client-id: ${{matrix.target.client-id}}
+ tenant-id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
+ subscription-id: ${{matrix.target.subscription-id}}
+
+ - name: Generate image tag
+ if: matrix.target.ref == github.ref
+ id: tag
+ run: |
+ sha=${GITHUB_SHA::8}
+ ts=$(date +%s)
+ echo "tag=${GITHUB_REF_NAME}-${sha}-${ts}" >> $GITHUB_OUTPUT
+
+ - name: Build image
+ if: matrix.target.ref == github.ref
+ env:
+ AZURE_SUBSCRIPTION_ID: ${{matrix.target.subscription-id}}
+ ACR_NAME: ${{matrix.target.acr-name}}
+ IMAGE_NAME: radix-vulnerability-scanner
+ TAG: ${{steps.tag.outputs.tag}}
+ run: |
+ az acr task run \
+ --subscription ${AZURE_SUBSCRIPTION_ID} \
+ --name radix-image-builder-internal \
+ --registry ${ACR_NAME} \
+ --context ${GITHUB_WORKSPACE} \
+ --file ${GITHUB_WORKSPACE}/Dockerfile \
+ --set DOCKER_REGISTRY=${ACR_NAME} \
+ --set BRANCH=${GITHUB_REF_NAME} \
+ --set TAGS="--tag ${ACR_NAME}.azurecr.io/${IMAGE_NAME}:${TAG}" \
+ --set DOCKER_FILE_NAME=Dockerfile \
+ --set PUSH="--push" \
+ --set REPOSITORY_NAME=${IMAGE_NAME} \
+ --set CACHE="" \
+ --set CACHE_TO_OPTIONS="--cache-to=type=registry,ref=${ACR_NAME}.azurecr.io/${IMAGE_NAME}:radix-cache-${GITHUB_REF_NAME},mode=max"
+
diff --git a/.github/workflows/config/common.cfg b/.github/workflows/config/common.cfg
deleted file mode 100644
index bdf0ba1..0000000
--- a/.github/workflows/config/common.cfg
+++ /dev/null
@@ -1,7 +0,0 @@
-# build & push image
-AZURE_TENANT_ID=3aa4a235-b6e2-48d5-9195-7fcf05b459b0
-IMAGE_NAME=radix-vulnerability-scanner
-
-# arm deployment
-DB_NAME=radix-vulnerability-scan
-SQL_ADMIN_USER_NAME=radix
\ No newline at end of file
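Review bot: The `dev` matrix entry sets `ref: "refs/heads/master"`, yet the workflow triggers only on `branches: [ main, release ]` (hunk context) and the config this entry replaces lived at `.github/workflows/config/main/dev.cfg`, so `if: matrix.target.ref == github.ref` can never be true for dev and the radixdev image is never built while the job still reports success because every step is skipped; the same entry appears in the deploy-database.yml hunk. The fix is `ref: "refs/heads/main"` (or adding `master` to the trigger if that branch really exists). Job-level `if` cannot read the `matrix` context, so the repeated per-step guard is the only way to filter targets, which deserves a comment above the first step such as `# every step is gated on ref: job-level if cannot see matrix.*`. On the supply-chain side, `actions/checkout@v4` and `azure/login@v1` are floating tags; pin them to a full commit SHA with the version in a trailing comment so that a moved tag cannot reach the `id-token: write` credential this job holds.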
diff --git a/.github/workflows/config/main/dev.cfg b/.github/workflows/config/main/dev.cfg
deleted file mode 100644
index 9efd446..0000000
--- a/.github/workflows/config/main/dev.cfg
+++ /dev/null
@@ -1,12 +0,0 @@
-source $GITHUB_WORKSPACE/.github/workflows/config/common.cfg
-
-# build & push image
-ACR_NAME=radixdev
-AZURE_CLIENT_ID=1a292b18-2960-49a5-b429-c8a50349b5eb
-AZURE_SUBSCRIPTION_ID=16ede44b-1f74-40a5-b428-46cca9a5741b
-
-# arm deployment
-RESOURCE_GROUP=vulnerability-scan
-SQL_SERVER_NAME=sql-radix-vulnerability-scan-dev
-KEY_VAULT_NAME=radix-vault-dev
-DB_ADMIN_SECRET_NAME=radix-vulnerability-scan-db-admin
\ No newline at end of file
diff --git a/.github/workflows/config/release/c2.cfg b/.github/workflows/config/release/c2.cfg
deleted file mode 100644
index 0c9d5cb..0000000
--- a/.github/workflows/config/release/c2.cfg
+++ /dev/null
@@ -1,12 +0,0 @@
-source $GITHUB_WORKSPACE/.github/workflows/config/common.cfg
-
-# build & push image
-ACR_NAME=radixc2prod
-AZURE_CLIENT_ID=d1ee58e8-5896-48d9-a777-5418c3df9a58
-AZURE_SUBSCRIPTION_ID=ded7ca41-37c8-4085-862f-b11d21ab341a
-
-# arm deployment
-RESOURCE_GROUP=vulnerability-scan-westeurope
-SQL_SERVER_NAME=sql-radix-vulnerability-scan-c2-prod
-KEY_VAULT_NAME=radix-vault-c2-prod
-DB_ADMIN_SECRET_NAME=radix-vulnerability-scan-db-admin
\ No newline at end of file
diff --git a/.github/workflows/config/release/playground.cfg b/.github/workflows/config/release/playground.cfg
deleted file mode 100644
index 4957c15..0000000
--- a/.github/workflows/config/release/playground.cfg
+++ /dev/null
@@ -1,12 +0,0 @@
-source $GITHUB_WORKSPACE/.github/workflows/config/common.cfg
-
-# build & push image
-ACR_NAME=radixdev
-AZURE_CLIENT_ID=1a292b18-2960-49a5-b429-c8a50349b5eb
-AZURE_SUBSCRIPTION_ID=16ede44b-1f74-40a5-b428-46cca9a5741b
-
-# arm deployment
-RESOURCE_GROUP=vulnerability-scan
-SQL_SERVER_NAME=sql-radix-vulnerability-scan-playground
-KEY_VAULT_NAME=radix-vault-dev
-DB_ADMIN_SECRET_NAME=radix-vulnerability-scan-db-admin-playground
\ No newline at end of file
diff --git a/.github/workflows/config/release/prod.cfg b/.github/workflows/config/release/prod.cfg
deleted file mode 100644
index de1bd26..0000000
--- a/.github/workflows/config/release/prod.cfg
+++ /dev/null
@@ -1,12 +0,0 @@
-source $GITHUB_WORKSPACE/.github/workflows/config/common.cfg
-
-# build & push image
-ACR_NAME=radixprod
-AZURE_CLIENT_ID=d1ee58e8-5896-48d9-a777-5418c3df9a58
-AZURE_SUBSCRIPTION_ID=ded7ca41-37c8-4085-862f-b11d21ab341a
-
-# arm deployment
-RESOURCE_GROUP=vulnerability-scan
-SQL_SERVER_NAME=sql-radix-vulnerability-scan-prod
-KEY_VAULT_NAME=radix-vault-prod
-DB_ADMIN_SECRET_NAME=radix-vulnerability-scan-db-admin
\ No newline at end of file
diff --git a/.github/workflows/deploy-database.yml b/.github/workflows/deploy-database.yml
index d49a923..be275a9 100644
--- a/.github/workflows/deploy-database.yml
+++ b/.github/workflows/deploy-database.yml
@@ -3,85 +3,91 @@ name: Deploy Database on: push: branches: [main, release] + workflow_dispatch: permissions: - actions: read - checks: read - contents: read - deployments: read id-token: write - issues: read - discussions: read - packages: read - pages: read - pull-requests: read - repository-projects: read - security-events: read - statuses: read + contents: read jobs: - get-target-configs: - name: Get target configs for branch - outputs: - target_configs: ${{ steps.get-target-configs.outputs.target_configs }} - runs-on: ubuntu-20.04 - steps: - - uses: actions/checkout@v3 - - name: Get target configs - id: get-target-configs - run: | - configs=$(ls $GITHUB_WORKSPACE/.github/workflows/config/${GITHUB_REF_NAME} | jq -Rsc '. / "\n" - [""]') - echo "target_configs=${configs}" >> $GITHUB_OUTPUT - - deploy-sql-server: + deploy: runs-on: ubuntu-20.04 - needs: - - get-target-configs strategy: fail-fast: false - matrix: - config: ${{ fromJson(needs.get-target-configs.outputs.target_configs) }} + matrix: + target: + - name: "dev" + ref: "refs/heads/master" + client-id: "a23b30b8-3faa-42a1-817e-6cd097a620f1" + server: "sql-radix-vulnerability-scan-dev.database.windows.net" + + - name: "playground" + ref: "refs/heads/release" + client-id: "453fb3de-daaa-43e6-93ef-a470849a2b6b" + server: "sql-radix-vulnerability-scan-playground.database.windows.net" + + - name: "platform" + ref: "refs/heads/release" + client-id: "50e78187-ff60-49c5-bcbe-701bbbf4f5d7" + server: "sql-radix-vulnerability-scan-prod.database.windows.net" + + - name: "c2" + ref: "refs/heads/release" + client-id: "f26240e2-3095-4273-8559-2ca9a121991e" + server: "sql-radix-vulnerability-scan-c2.database.windows.net" + + env: + connection: >- + Server=${{matrix.target.server}}; + Initial Catalog=radix-vulnerability-scan; + Authentication=Active Directory Default; + Encrypt=True; + TrustServerCertificate=False; + Connection Timeout=30; + steps: - - uses: actions/checkout@v3 - - name: Persist environment from ${{ 
matrix.config }} across steps - run: | - $GITHUB_WORKSPACE/.github/workflows/scripts/persist-env.sh ${{ matrix.config }} + - uses: actions/checkout@v4 + if: matrix.target.ref == github.ref + + - uses: azure/login@v1 + if: matrix.target.ref == github.ref + with: + client-id: ${{matrix.target.client-id}} + tenant-id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0" + allow-no-subscriptions: true - - uses: azure/login@v1 - with: - client-id: ${{ env.AZURE_CLIENT_ID }} - tenant-id: ${{ env.AZURE_TENANT_ID }} - subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }} + - uses: azure/sql-action@v2.2.1 + if: matrix.target.ref == github.ref + with: + connection-string: ${{env.connection}} + path: './azure-infrastructure/sql-scripts/predeploy.sql' - - name: Get DB password from KV - run: | - db_admin_pw=$(az keyvault secret show --id https://${KEY_VAULT_NAME}.vault.azure.net/secrets/${DB_ADMIN_SECRET_NAME} --query value --output tsv) - echo "::add-mask::$db_admin_pw" - echo "DB_ADMIN_PASSWORD=$db_admin_pw" >> $GITHUB_ENV + - uses: azure/sql-action@v2.2.1 + if: matrix.target.ref == github.ref + with: + connection-string: ${{env.connection}} + path: './azure-infrastructure/sql-scripts/roles.sql' - - name: Generate random firewall rule name - run: | - fw_rule_name="github-runner-$(uuidgen)" - echo "FIREWALL_RULE_NAME=$fw_rule_name" >> $GITHUB_ENV - - - name: Install SqlServer PS module - shell: pwsh - run: | - Set-PSRepository -Name "PSGallery" -InstallationPolicy Trusted - Install-Module -Name SqlServer + - uses: azure/sql-action@v2.2.1 + if: matrix.target.ref == github.ref + with: + connection-string: ${{env.connection}} + path: './azure-infrastructure/sql-scripts/types.sql' - - name: Whitelist Runner IP in firewalls - shell: pwsh - run: | - ./.github/workflows/scripts/whitelist-ip.ps1 -FirewallRuleName "${env:FIREWALL_RULE_NAME}" + - uses: azure/sql-action@v2.2.1 + if: matrix.target.ref == github.ref + with: + connection-string: ${{env.connection}} + path: 
'./azure-infrastructure/sql-scripts/tables.sql'
-
- - name: Creating DB schema and tables
- shell: pwsh
- run: |
- ./.github/workflows/scripts/create-db.ps1
+ - uses: azure/sql-action@v2.2.1
+ if: matrix.target.ref == github.ref
+ with:
+ connection-string: ${{env.connection}}
+ path: './azure-infrastructure/sql-scripts/views.sql'
-
- - name: Blacklist Runner IP in firewalls
- shell: pwsh
- if: ${{ always() }}
- run: |
- ./.github/workflows/scripts/blacklist-ip.ps1 -FirewallRuleName "${env:FIREWALL_RULE_NAME}"
\ No newline at end of file
+ - uses: azure/sql-action@v2.2.1
+ if: matrix.target.ref == github.ref
+ with:
+ connection-string: ${{env.connection}}
+ path: './azure-infrastructure/sql-scripts/procedures.sql'
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 119b2e4..aa3eb88 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -3,12 +3,13 @@ on: pull_request: branches: - main + jobs: build: name: Build runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Build docker image env: REF: ${{ github. sha }}
@@ -36,7 +37,7 @@ jobs: name: Unit Test runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/setup-go@v4 with: go-version: '1.21'
diff --git a/.github/workflows/scripts/blacklist-ip.ps1 b/.github/workflows/scripts/blacklist-ip.ps1
deleted file mode 100644
index d0c3ab7..0000000
--- a/.github/workflows/scripts/blacklist-ip.ps1
+++ /dev/null
@@ -1,8 +0,0 @@
-param (
- [Parameter(Mandatory=$true)][string]$FirewallRuleName
- )
-
-az sql server firewall-rule delete `
- --name ${FirewallRuleName} `
- --resource-group ${env:RESOURCE_GROUP} `
- --server ${env:SQL_SERVER_NAME}
\ No newline at end of file
diff --git a/.github/workflows/scripts/build-push.sh b/.github/workflows/scripts/build-push.sh
deleted file mode 100755
index 5225ebc..0000000
--- a/.github/workflows/scripts/build-push.sh
+++ /dev/null
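Review bot: The six `azure/sql-action@v2.2.1` steps carry no `name:`, so the job log shows six indistinguishable entries and a failing script cannot be located without expanding each one; give each a name that says which script it applies, e.g. `- name: Apply predeploy.sql`, and put a one-line comment above the first stating that the scripts are applied in this fixed order, since nothing else in the workflow documents why they are sequential. The login now uses `allow-no-subscriptions: true` and the whitelist/blacklist firewall steps are gone; if the intent is to rely on the action's own temporary firewall rule, that presumably needs a subscription-scoped identity with rights on the SQL server, so confirm the servers already admit the runner by another route and record that decision in a comment next to `allow-no-subscriptions`. The folded `connection: >-` scalar joins its lines with single spaces (`Server=...; Initial Catalog=...`), which connection-string parsers generally tolerate, but a short comment saying the folding is deliberate would stop a later edit from turning it into a literal block with embedded newlines.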
@@ -1,20 +0,0 @@
-#!/bin/bash
-sha=${GITHUB_SHA::8}
-ts=$(date +%s)
-build_id=${GITHUB_REF_NAME}-${sha}-${ts}
-
-image_tag=${ACR_NAME}.azurecr.io/${IMAGE_NAME}:$build_id
-az acr task run \
- --subscription ${AZURE_SUBSCRIPTION_ID} \
- --name radix-image-builder-internal \
- --registry ${ACR_NAME} \
- --context ${GITHUB_WORKSPACE} \
- --file ${GITHUB_WORKSPACE}/Dockerfile \
- --set DOCKER_REGISTRY=${ACR_NAME} \
- --set BRANCH=${GITHUB_REF_NAME} \
- --set TAGS="--tag ${image_tag}" \
- --set DOCKER_FILE_NAME=Dockerfile \
- --set PUSH="--push" \
- --set REPOSITORY_NAME=${IMAGE_NAME} \
- --set CACHE="" \
- --set CACHE_TO_OPTIONS="--cache-to=type=registry,ref=${ACR_NAME}.azurecr.io/${IMAGE_NAME}:radix-cache-${GITHUB_REF_NAME},mode=max"
\ No newline at end of file
diff --git a/.github/workflows/scripts/create-db.ps1 b/.github/workflows/scripts/create-db.ps1
deleted file mode 100644
index c73ae07..0000000
--- a/.github/workflows/scripts/create-db.ps1
+++ /dev/null
@@ -1,9 +0,0 @@
-
-$targetSqlServerFQDN = "$(az sql server show -n ${env:SQL_SERVER_NAME} -g ${env:RESOURCE_GROUP} | jq -r .fullyQualifiedDomainName)"
-
-Invoke-Sqlcmd -InputFile ${env:GITHUB_WORKSPACE}/azure-infrastructure/sql-scripts/predeploy.sql -ServerInstance $targetSqlServerFQDN -Database ${env:DB_NAME} -Username ${env:SQL_ADMIN_USER_NAME} -password ${env:DB_ADMIN_PASSWORD}
-Invoke-Sqlcmd -InputFile ${env:GITHUB_WORKSPACE}/azure-infrastructure/sql-scripts/roles.sql -ServerInstance $targetSqlServerFQDN -Database ${env:DB_NAME} -Username ${env:SQL_ADMIN_USER_NAME} -password ${env:DB_ADMIN_PASSWORD}
-Invoke-Sqlcmd -InputFile ${env:GITHUB_WORKSPACE}/azure-infrastructure/sql-scripts/types.sql -ServerInstance $targetSqlServerFQDN -Database ${env:DB_NAME} -Username ${env:SQL_ADMIN_USER_NAME} -password ${env:DB_ADMIN_PASSWORD}
-Invoke-Sqlcmd -InputFile ${env:GITHUB_WORKSPACE}/azure-infrastructure/sql-scripts/tables.sql -ServerInstance $targetSqlServerFQDN -Database ${env:DB_NAME} -Username ${env:SQL_ADMIN_USER_NAME} -password ${env:DB_ADMIN_PASSWORD}
-Invoke-Sqlcmd -InputFile ${env:GITHUB_WORKSPACE}/azure-infrastructure/sql-scripts/views.sql -ServerInstance $targetSqlServerFQDN -Database ${env:DB_NAME} -Username ${env:SQL_ADMIN_USER_NAME} -password ${env:DB_ADMIN_PASSWORD}
-Invoke-Sqlcmd -InputFile ${env:GITHUB_WORKSPACE}/azure-infrastructure/sql-scripts/procedures.sql -ServerInstance $targetSqlServerFQDN -Database ${env:DB_NAME} -Username ${env:SQL_ADMIN_USER_NAME} -password ${env:DB_ADMIN_PASSWORD}
\ No newline at end of file
diff --git a/.github/workflows/scripts/persist-env.sh b/.github/workflows/scripts/persist-env.sh
deleted file mode 100755
index 2398544..0000000
--- a/.github/workflows/scripts/persist-env.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-config_name=$1
-env -i GITHUB_WORKSPACE=$GITHUB_WORKSPACE /bin/bash -c "set -a && source $GITHUB_WORKSPACE/.github/workflows/config/${GITHUB_REF_NAME}/${config_name} && printenv" > /tmp/env_vars
-while read -r env_var
-do
- echo "$env_var" >> $GITHUB_ENV
-done < /tmp/env_vars
\ No newline at end of file
diff --git a/.github/workflows/scripts/whitelist-ip.ps1 b/.github/workflows/scripts/whitelist-ip.ps1
deleted file mode 100644
index e558925..0000000
--- a/.github/workflows/scripts/whitelist-ip.ps1
+++ /dev/null
@@ -1,11 +0,0 @@
-param (
- [Parameter(Mandatory=$true)][string]$FirewallRuleName
- )
-
-$runnerIp = (Invoke-WebRequest -uri "http://ifconfig.me/ip").Content
-az sql server firewall-rule create `
- --end-ip-address $runnerIp `
- --start-ip-address $runnerIp `
- --name ${FirewallRuleName} `
- --resource-group ${env:RESOURCE_GROUP} `
- --server ${env:SQL_SERVER_NAME}
\ No newline at end of file