From 30407d0104c05cf1694a4c1123251e8c573e22d7 Mon Sep 17 00:00:00 2001 From: Shivam Kumar Date: Tue, 13 Aug 2024 23:37:26 +0530 Subject: [PATCH] feat/prowler shared workflow for AWS and GCP (#146) --- .github/workflows/prowler.yml | 128 ++++++++++++++++++++++++++++++++++ README.md | 52 ++++++++++++-- docs/helm.md | 1 + docs/prolwer.md | 84 ++++++++++++++++++++++ 4 files changed, 261 insertions(+), 4 deletions(-) create mode 100644 .github/workflows/prowler.yml create mode 100644 docs/prolwer.md diff --git a/.github/workflows/prowler.yml b/.github/workflows/prowler.yml new file mode 100644 index 00000000..737cf37d --- /dev/null +++ b/.github/workflows/prowler.yml @@ -0,0 +1,128 @@ +--- +name: Prowler Reusable Workflow + +on: + workflow_call: + inputs: + cloud_provider: + required: true + type: string + description: 'Cloud Provider' + project_id: + required: false + type: string + description: 'Project ID for GCP' + aws_region: + required: false + type: string + description: 'AWS Region' + access_token_lifetime: + required: false + type: number + default: 300 + description: 'Duration for which an access token remains valid.' + role_duration_seconds: + required: false + type: number + default: 900 + description: 'Duration of the session.' + + secrets: + WIP: + required: false + description: 'WIP Connected with Service Account' + SERVICE_ACCOUNT: + required: false + description: 'GCP service account' + BUILD_ROLE: + required: false + description: 'AWS OIDC role for AWS authentication.' + AWS_ACCESS_KEY_ID: + required: false + description: 'AWS Access Key ID' + AWS_SECRET_ACCESS_KEY: + required: false + description: 'AWS Secret Access Key' + AWS_SESSION_TOKEN: + required: false + description: 'AWS Session Token' + AZURE_CLIENT_ID: + required: false + description: 'Azure Client ID' + AZURE_CLIENT_SECRET: + required: false + description: 'Azure Client Secret' + AZURE_TENANT_ID: + required: false + description: 'Azure Tenant ID' + +jobs: + prowler: + runs-on: macos-latest + + steps: + - name: Check out code + uses: actions/checkout@v3 + + - name: Install Homebrew + run: | + /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" + + - name: Install Prowler + run: | + brew install prowler + + - name: Authenticate with Google Cloud + if: ${{ inputs.cloud_provider == 'gcp' }} + uses: google-github-actions/auth@v1 + with: + token_format: access_token + workload_identity_provider: ${{ secrets.WIP }} + service_account: ${{ secrets.SERVICE_ACCOUNT }} + access_token_lifetime: ${{ inputs.access_token_lifetime }} + project_id: ${{ inputs.project_id }} + + - name: Install AWS CLI + if: ${{ inputs.cloud_provider == 'aws' }} + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }} + role-to-assume: ${{ secrets.BUILD_ROLE }} + aws-region: ${{ inputs.aws_region }} + role-duration-seconds: ${{ inputs.role_duration_seconds }} + role-skip-session-tagging: true + + - name: Run Prowler for GCP + if: ${{ inputs.cloud_provider == 'gcp' }} + id: prowler-gcp + run: | + prowler gcp \ + --project-ids ${{ inputs.project_id }} \ + -o ${{ github.workspace }}/report/ + continue-on-error: true + + - name: Run Prowler for AWS + if: ${{ inputs.cloud_provider == 'aws' }} + id: prowler-aws + run: | + prowler aws -o ${{ github.workspace }}/report/ + continue-on-error: true + + - name: Run Prowler for Azure + if: ${{ inputs.cloud_provider == 'azure' }} + id: prowler-azure + run: | + export AZURE_CLIENT_ID=${{ secrets.AZURE_CLIENT_ID }} + export AZURE_CLIENT_SECRET=${{ secrets.AZURE_CLIENT_SECRET }} + export AZURE_TENANT_ID=${{ secrets.AZURE_TENANT_ID }} + prowler azure --sp-env-auth -o ${{ github.workspace }}/report/ + continue-on-error: true + + - name: Upload report directory + uses: actions/upload-artifact@v3 + with: + name: compliance-report + path: ${{ github.workspace }}/report/ +... diff --git a/README.md b/README.md index 9fe5dd19..0d1c7792 100644 --- a/README.md +++ b/README.md @@ -1,12 +1,15 @@ -

+[![Banner](https://github.com/clouddrove/terraform-module-template/assets/119565952/67a8a1af-2eb7-40b7-ae07-c94cde9ce062)][website]

GitHub Shared Workflows

+ +

GitHub shared workflow defines a workflow that we can use in multiple repos with a simple structure.

+

Licence @@ -69,21 +72,62 @@ Above example is just a simple example to call workflow from github shared workf 13. [ Readme Generation workflow](https://github.com/clouddrove/github-shared-workflows/blob/master/docs/readme.md) 14. [ AWS SSM Send Command workflow](https://github.com/clouddrove/github-shared-workflows/blob/master/docs/AWSSSMSendCommand.md) 15. [ Remote SSH Command workflow](https://github.com/clouddrove/github-shared-workflows/blob/master/docs/RemoteSSHCommand.md) +16. [ Prowler workflow](https://github.com/clouddrove/github-shared-workflows/blob/master/docs/prowler.md) ## Feedback If you come accross a bug or have any feedback, please log it in our [issue tracker](https://github.com/clouddrove/github-shared-workflows/issues), or feel free to drop us an email at [hello@clouddrove.com](mailto:hello@clouddrove.com). If you have found it worth your time, go ahead and give us a β˜… on [our GitHub](https://github.com/clouddrove/github-shared-workflows)! -## About us +## :rocket: Our Accomplishment + +We have [*100+ Terraform modules*][terraform_modules] πŸ™Œ. You could consider them finished, but, with enthusiasts like yourself, we are able to ever improve them, so we call our status - improvement in progress. + +- [Terraform Module Registry:](https://registry.terraform.io/namespaces/clouddrove) Discover our Terraform modules here. + +- [Terraform Modules for AWS/Azure Modules:](https://github.com/clouddrove/toc) Explore our comprehensive Table of Contents for easy navigation through our documentation for modules pertaining to AWS, Azure & GCP. + +- [Terraform Modules for Digital Ocean:](https://github.com/terraform-do-modules/toc) Check out our specialized Terraform modules for Digital Ocean. + +## Join Our Slack Community + +Join our vibrant open-source slack community and embark on an ever-evolving journey with CloudDrove; helping you in moving upwards in your career path. +Join our vibrant Open Source Slack Community and embark on a learning journey with CloudDrove. Grow with us in the world of DevOps and set your career on a path of consistency. + +πŸŒπŸ’¬What you'll get after joining this Slack community: + +- πŸš€ Encouragement to upgrade your best version. +- 🌈 Learning companionship with our DevOps squad. +- 🌱 Relentless growth with daily updates on new advancements in technologies. + +Join our tech elites [Join Now][slack] πŸš€ + +## ✨ Contributors + +Big thanks to our contributors for elevating our project with their dedication and expertise! But, we do not wish to stop there, would like to invite contributions from the community in improving these projects and making them more versatile for better reach. Remember, every bit of contribution is immensely valuable, as, together, we are moving in only 1 direction, i.e. forward. + + + + +
+
+ +## Explore Our Blogs + + Click [here][blog] :books: :star2: + +## Tap into our capabilities +We provide a platform for organizations to engage with experienced top-tier DevOps & Cloud services. Tap into our pool of certified engineers and architects to elevate your DevOps and Cloud Solutions. -At [CloudDrove][website], we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud. Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering. +At [CloudDrove][website], has extensive experience in designing, building & migrating environments, securing, consulting, monitoring, optimizing, automating, and maintaining complex and large modern systems. With remarkable client footprints in American & European corridors, our certified architects & engineers are ready to serve you as per your requirements & schedule. Write to us at [business@clouddrove.com](mailto:business@clouddrove.com).

We are The Cloud Experts!

-

We ❀️ Open Source and you can check out our other modules to get help with your new Cloud ideas.

+

We ❀️ Open Source and you can check out our other modules to get help with your new Cloud ideas.

[website]: https://clouddrove.com + [blog]: https://blog.clouddrove.com + [slack]: https://www.launchpass.com/devops-talks [github]: https://github.com/clouddrove [linkedin]: https://cpco.io/linkedin [twitter]: https://twitter.com/clouddrove/ diff --git a/docs/helm.md b/docs/helm.md index 541b37d7..b28acfc1 100644 --- a/docs/helm.md +++ b/docs/helm.md @@ -45,6 +45,7 @@ jobs: #### Example for Azure cloud provider + ```yaml name: Helm Workflow Azure on: diff --git a/docs/prolwer.md b/docs/prolwer.md new file mode 100644 index 00000000..bd39a18d --- /dev/null +++ b/docs/prolwer.md @@ -0,0 +1,84 @@ +## [Prowler Workflow](https://github.com/clouddrove/github-shared-workflows/blob/master/.github/workflows/prowler.yml) +Prowler an open cloud security platform for our cloud environment. We get a complete report of our cloud infra. + +### Usage +This workflow is used to run Prowler scan on your cloud infra for AWS, GCP or Azure. At the end of Workflow a report is also saved Artifacts. + +### Example for AWS cloud provider + +```yaml +name: Prowler on AWS +on: + push: + branches: + - + +jobs: + prowler_aws: + permissions: + contents: 'read' + id-token: 'write' + + uses: clouddrove/github-shared-workflows/.github/workflows/prowler.yml@feat/master + with: + cloud_provider: aws + aws_region: ## AWS Region + + secrets: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + SERVICE_ACCOUNT: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + AWS_SESSION_TOKEN: ${{ secrets.AWS_SESSION_TOKEN }} + BUILD_ROLE: ${{ secrets.BUILD_ROLE }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} +``` + +### Example for Azure cloud provider + +```yaml +name: Prowler Azure +on: + push: + branches: + - + +jobs: + prowler_azure: + permissions: + contents: 'read' + id-token: 'write' + + uses: clouddrove/github-shared-workflows/.github/workflows/prowler.yml@feat/master + with: + cloud_provider: azure + + secrets: + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} +``` + +### Example for GCP cloud provider + +```yaml +name: Prowler for GCP +on: + push: + branches: + - + +jobs: + prowler_gcp: + permissions: + contents: 'read' + id-token: 'write' + + uses: clouddrove/github-shared-workflows/.github/workflows/prowler.yml@feat/master + with: + cloud_provider: gcp + project_id: ## Your GCP Project ID + + secrets: + WIP: ${{ secrets.WIP }} + SERVICE_ACCOUNT: ${{ secrets.SERVICE_ACCOUNT }} +``` +