Skip to content

Okta Provisioning

Okta Provisioning #13

name: Okta Provisioning
on:
push:
paths:
- .github/workflows/okta-provisioning.yaml
- okta/okta-provisioning/**
workflow_dispatch:
env:
MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_CONFIG_BASE64 }}
TF_VAR_api_token: ${{ secrets.OKTA_API_TOKEN }}
TF_VAR_base_url: ${{ vars.OKTA_BASE_URL }}
TF_VAR_org_name: ${{ vars.OKTA_ORG_NAME }}
jobs:
terraform-pre-plan-validation:
name: "Terraform Validate"
runs-on: ubuntu-latest
permissions:
pull-requests: write
contents: write
defaults:
run:
working-directory: ./okta/okta-terraform-provisioning
steps:
- uses: 'actions/checkout@v3'
- id: 'google-cloud-auth'
name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@v1'
with:
credentials_json: '${{ secrets.GOOGLE_CREDENTIALS }}'
- uses: hashicorp/setup-terraform@v2
with:
terraform_wrapper: false
- name: Terraform Init
id: init
run: terraform init -reconfigure
- name: Terraform Format
id: fmt
run: terraform fmt -check
- name: Terraform Validate
id: validate
run: terraform validate -no-color
cnspec-scan-terraform-hcl:
name: "Scan Terraform (pre-plan)"
runs-on: ubuntu-latest
container: mondoo/cnspec:9
needs: terraform-pre-plan-validation
permissions:
pull-requests: write
contents: write
steps:
- uses: 'actions/checkout@v3'
- name: Scan ${{ vars.OKTA_ORG_NAME }} Terraform HCL (pre-plan)
run: |
echo "### ${{ vars.OKTA_ORG_NAME }} Terraform pre-plan security scan :shield:" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
cnspec scan terraform ./okta/okta-terraform-provisioning --asset-name ${{ vars.OKTA_ORG_NAME }}-terraform-hcl >> $GITHUB_STEP_SUMMARY
echo "CNSPEC_PRE_SCAN=$GITHUB_STEP_SUMMARY" >> $GITHUB_ENV
terraform-plan:
name: Generate Terraform Plan
runs-on: ubuntu-latest
container: hashicorp/terraform:1.4
needs: cnspec-scan-terraform-hcl
steps:
- name: Check out repository code
uses: actions/checkout@v3
- id: 'google-cloud-auth'
name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@v1'
with:
credentials_json: '${{ secrets.GOOGLE_CREDENTIALS }}'
- name: Mitigate that fancy action/cache@v3 does not work with busybox tar on alpine
run: apk add --no-cache tar
- name: Use cache to share files between jobs
uses: actions/cache@v3
id: terraform-plan
with:
key: ${{ runner.os }}-terraform-${{ hashFiles('**/okta/okta-terraform-provisioning/**') }}
path: ./okta/okta-terraform-provisioning/plan.json
- name: Terraform init
run: terraform -chdir="./okta/okta-terraform-provisioning" init
- name: Terraform plan
run: terraform -chdir="./okta/okta-terraform-provisioning" plan -out=plan.out
- name: Terraform show
run: terraform -chdir="./okta/okta-terraform-provisioning" show -json plan.out > ./okta/okta-terraform-provisioning/plan.json
post-plan-scan:
name: Scan Terraform (post-plan)
needs: terraform-plan
runs-on: ubuntu-latest
container: mondoo/cnspec:9
steps:
- name: Check out repository code
uses: actions/checkout@v3
- name: Use cache to share files between jobs
uses: actions/cache@v3
id: terraform-plan
with:
key: ${{ runner.os }}-terraform-${{ hashFiles('**/okta/okta-terraform-provisioning/**') }}
path: ./okta/okta-terraform-provisioning/plan.json
- name: Scan ${{ vars.OKTA_ORG_NAME }} Terraform Plan (post-plan)
run: |
echo "### ${{ vars.OKTA_ORG_NAME }} Terraform post-plan security scan :shield:" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
cnspec scan terraform plan ./okta/okta-terraform-provisioning/plan.json --asset-name ${{ vars.OKTA_ORG_NAME }}-terraform-plan >> $GITHUB_STEP_SUMMARY
echo "CNSPEC_PRE_SCAN=$GITHUB_STEP_SUMMARY" >> $GITHUB_ENV
env:
MONDOO_DETECT_CICD: false
terraform-apply:
name: Terraform Apply
runs-on: ubuntu-latest
container: hashicorp/terraform:1.4
needs: post-plan-scan
steps:
- name: Check out repository code
uses: actions/checkout@v3
- id: 'google-cloud-auth'
name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@v1'
with:
credentials_json: '${{ secrets.GOOGLE_CREDENTIALS }}'
- name: Terraform init
run: terraform -chdir="./okta/okta-terraform-provisioning" init
- name: Terraform Apply
run: terraform -chdir="./okta/okta-terraform-provisioning" apply -auto-approve
post-apply-scan:
name: Scan Okta Org (Post-Apply)
needs: terraform-apply
runs-on: ubuntu-latest
container: mondoo/cnspec:9
steps:
- name: Check out repository code
uses: actions/checkout@v3
- name: Scan ${{ vars.OKTA_ORG_NAME }}.okta.com
run: |
echo "### ${{ vars.OKTA_ORG_NAME }}.okta.com security scan (post-apply) :shield:" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
cnspec scan okta --organization ${{ vars.OKTA_ORG_NAME }}.okta.com --token ${{ secrets.OKTA_API_TOKEN }} --asset-name ${{ vars.OKTA_ORG_NAME }}.okta.com >> $GITHUB_STEP_SUMMARY
echo "CNSPEC_PRE_SCAN=$GITHUB_STEP_SUMMARY" >> $GITHUB_ENV