post_tests.yml
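---
# post_tests: manually-dispatched workflow that builds and/or destroys the AWS
# infrastructure described by one of the blog posts under _posts/, by
# extracting and executing the post's fenced shell blocks.
#
# Security notes for maintainers:
# - This job runs arbitrary shell taken from checked-out markdown while holding
#   AWS credentials obtained through OIDC. That is acceptable only because the
#   sole trigger is workflow_dispatch: the dispatcher needs write access to the
#   repository and chooses the ref that is checked out. Do NOT add
#   pull_request / issue-driven triggers to this file, where the markdown would
#   be attacker-controlled.
# - Both inputs are fixed `choice` lists and are handed to the script through
#   environment variables, never interpolated into `run:` with ${{ }}.
name: post_tests

on:
  # checkov:skip=CKV_GHA_7:Both workflow_dispatch inputs are fixed 'choice' lists (which post to run, build/destroy); a dispatcher cannot supply arbitrary values and the script reads them via env, not expression interpolation.
  workflow_dispatch:
    inputs:
      # A value may hold several post names separated by spaces. The list is
      # ordered "dependent first, prerequisite last": the script builds it
      # back-to-front (prerequisite first) and destroys it front-to-back.
      posts:
        type: choice
        description: Select post
        default: 2024-12-14-secure-cheap-amazon-eks-auto
        options:
          - 2022-11-27-cheapest-amazon-eks
          - 2022-12-24-amazon-eks-karpenter-tests 2022-11-27-cheapest-amazon-eks
          - 2023-03-08-trivy-operator-grafana 2022-11-27-cheapest-amazon-eks
          - 2023-03-20-velero-and-cert-manager 2022-11-27-cheapest-amazon-eks
          - 2023-04-01-secrets-store-csi-driver-reloader 2023-03-20-velero-and-cert-manager 2022-11-27-cheapest-amazon-eks
          - 2023-06-06-my-favourite-krew-plugins-kubectl 2022-11-27-cheapest-amazon-eks
          - 2023-08-03-cilium-amazon-eks
          - 2023-09-25-secure-cheap-amazon-eks
          - 2024-04-27-exploit-vulnerability-wordpress-plugin-kali-linux-1
          - 2024-05-03-secure-cheap-amazon-eks-with-pod-identities
          - 2023-03-20-velero-and-cert-manager 2024-05-03-secure-cheap-amazon-eks-with-pod-identities
          - 2024-05-09-exploit-vulnerability-wordpress-plugin-kali-linux-2
          - 2024-07-07-detect-a-hacker-attacks-eks-vm
          - 2024-12-12-terraform-keep-sorted
          - 2024-12-14-secure-cheap-amazon-eks-auto
      action:
        type: choice
        description: Select action
        default: build + destroy
        options:
          - build
          - destroy
          - build + destroy

# Non-secret settings only. Secrets are scoped to the single step that needs
# them (see the run step below) instead of being exported to every step,
# including third-party actions that have no use for them.
env:
  AWS_DEFAULT_REGION: us-east-1
  CLUSTER_FQDN: k01.k8s.mylabs.dev
  CLUSTER_NAME: k01
  TAGS: "product_id='12345',used_for=dev,[email protected],cluster=k01.k8s.mylabs.dev"

# Workflow default; the job below narrows this further.
permissions: read-all

jobs:
  post-pipeline:
    runs-on: ubuntu-latest
    # Declaring permissions on the job sets every unlisted scope to `none`:
    # only the OIDC token (to assume the AWS role) and read of the repo contents.
    permissions:
      id-token: write
      contents: read
    name: "${{ inputs.action }} | ${{ inputs.posts }}"
    # Serialize runs against the shared cluster. cancel-in-progress is
    # deliberately left at its default (false) so a running destroy is never
    # interrupted half-way.
    concurrency:
      group: post_tests
    # Must stay below role-duration-seconds (7000 s ≈ 116 min) so the
    # credentials never expire before the job does.
    timeout-minutes: 100
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          role-duration-seconds: 7000
          role-session-name: GitHubOidcFederatedRole
          aws-region: ${{ env.AWS_DEFAULT_REGION }}
          mask-aws-account-id: true
      - name: Check out repository code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: "${{ inputs.action }} | ${{ inputs.posts }}"
        # Explicit bash: the script relies on arrays, mapfile and [[ =~ ]].
        shell: bash
        env:
          # Not used by this script directly; presumably consumed by tooling in
          # the sourced posts — TODO confirm and drop if unused.
          GH_TOKEN: ${{ github.token }}
          # Inputs cross into the shell via env, so they can never be parsed
          # as shell syntax.
          GH_ACTION: ${{ inputs.action }}
          GH_INPUTS: ${{ inputs.posts }}
          # Secrets needed by the sourced post scripts, scoped to this step.
          AWS_ROLE_TO_ASSUME: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          GOOGLE_CLIENT_ID: ${{ secrets.GOOGLE_CLIENT_ID }}
          GOOGLE_CLIENT_SECRET: ${{ secrets.GOOGLE_CLIENT_SECRET }}
        run: |
          # -x traces every command. Values registered as GitHub secrets are
          # masked in the log, but anything *derived* from them (tokens the
          # posts mint, decoded kubeconfigs, ...) is not.
          set -euxo pipefail
          export TMP_DIR="${PWD}"
          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"

          # Resolve each selected post name to its markdown file(s) under _posts.
          # A post that no longer exists used to produce an empty array entry,
          # which made the build/destroy loops silently do nothing; fail instead.
          POST_FILES_ARRAY=()
          # shellcheck disable=SC2043
          for POST_FILE in ${GH_INPUTS}; do
            mapfile -t FOUND_FILES < <(find "${PWD}/_posts" -type f -name "*${POST_FILE}*.md")
            if [[ "${#FOUND_FILES[@]}" -eq 0 ]]; then
              echo "*** No post found matching '${POST_FILE}' in ${PWD}/_posts" >&2
              exit 1
            fi
            POST_FILES_ARRAY+=("${FOUND_FILES[@]}")
          done

          # Best-effort teardown of everything the selected posts created:
          # runs every ```sh fenced block of each post, front-to-back.
          # Installed as an EXIT trap so that a failing build in
          # "build + destroy" mode still tears down the AWS resources it already
          # created, instead of leaving them running (cost and attack surface).
          # Caveat: a runner-enforced timeout-minutes kill does not run this trap.
          destroy_posts() {
            echo -e "********************\n*** Destroy\n********************"
            if eksctl get clusters --name="${CLUSTER_NAME}" &> /dev/null; then
              export KUBECONFIG="${TMP_DIR}/${CLUSTER_FQDN}/kubeconfig-${CLUSTER_NAME}.conf"
              aws eks update-kubeconfig --region "${AWS_DEFAULT_REGION}" --name "${CLUSTER_NAME}" --kubeconfig "${KUBECONFIG}" || true
            fi
            for POST_FILE in "${POST_FILES_ARRAY[@]}"; do
              echo "*** ${POST_FILE} | destroy"
              # "|| true" keeps going past a failing destroy command so later
              # resources are still cleaned up; inspect the log for leftovers.
              # shellcheck disable=SC1090
              source <(echo "set -euxo pipefail" ; sed -n "/^\`\`\`sh$/,/^\`\`\`$/p" "${POST_FILE}" | sed "/^\`\`\`*/d") || true
            done
          }
          if [[ "${GH_ACTION}" =~ 'destroy' ]]; then
            # Registered before anything is built, after the post lookup above.
            trap destroy_posts EXIT
          fi

          # Install only the CLIs the selected posts actually invoke.
          if grep -Eq '(^| )eksctl ' "${POST_FILES_ARRAY[@]}" && ! command -v eksctl &> /dev/null ; then
            echo "*** Installing eksctl"
            brew install eksctl
            # Publish "how to reach the cluster" instructions in the step summary.
            # Only the variable *name* of the role ARN is printed, not its value.
            (
              echo "<https://${CLUSTER_FQDN}>"
              echo '```'
              echo "export AWS_DEFAULT_REGION=\"${AWS_DEFAULT_REGION}\""
              # shellcheck disable=SC2028
              echo "eval \"\$(aws sts assume-role --role-arn \"\${AWS_ROLE_TO_ASSUME}\" --role-session-name \"\$USER@\$(hostname -f)-k8s-\$(date +%s)\" --duration-seconds 36000 | jq -r '.Credentials | \"export AWS_ACCESS_KEY_ID=\(.AccessKeyId)\\nexport AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey)\\nexport AWS_SESSION_TOKEN=\(.SessionToken)\\n\"')\""
              echo "export KUBECONFIG=\"/tmp/kubeconfig-${CLUSTER_NAME}.conf\""
              echo "aws eks update-kubeconfig --region \"${AWS_DEFAULT_REGION}\" --name \"${CLUSTER_NAME}\" --kubeconfig \"\$KUBECONFIG\""
              echo '```'
            ) | tee -a "${GITHUB_STEP_SUMMARY}"
          fi
          if grep -Eq '(^| )copilot ' "${POST_FILES_ARRAY[@]}" && ! command -v copilot &> /dev/null ; then
            echo "*** Installing copilot"
            brew install copilot
          fi
          if grep -Eq '(^| )cilium ' "${POST_FILES_ARRAY[@]}" && ! command -v cilium &> /dev/null ; then
            echo "*** Installing cilium"
            brew install cilium-cli
          fi
          if grep -Eq '(^| )rain ' "${POST_FILES_ARRAY[@]}" && ! command -v rain &> /dev/null ; then
            echo "*** Installing rain"
            brew install rain
          fi
          if grep -Eq '(^| )velero ' "${POST_FILES_ARRAY[@]}" && ! command -v velero &> /dev/null ; then
            echo "*** Installing velero"
            brew install velero
          fi

          if [[ "${GH_ACTION}" =~ 'build' ]]; then
            echo -e "********************\n*** Create\n********************"
            # Back-to-front: the prerequisite post (listed last) is built first.
            for (( idx=${#POST_FILES_ARRAY[@]}-1 ; idx>=0 ; idx-- )); do
              echo "*** ${POST_FILES_ARRAY[idx]} | build"
              # Run every ```bash fenced block of the post in *this* shell so
              # exported variables carry over to later posts and to destroy.
              # Fence lines are deleted outright; previously only the backticks
              # were stripped, leaving a bare "bash" line that was then executed
              # as a command.
              # shellcheck disable=SC1090
              source <(echo "set -euxo pipefail" ; sed -n "/^\s*\`\`\`bash$/,/^\s*\`\`\`$/p" "${POST_FILES_ARRAY[idx]}" | sed '/^\s*```*/d')
            done
          fi
          # Destroy (when selected) runs from the EXIT trap registered above.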