skip: add auto-test for codebuild

epam · Jul 1, 2024 · 902d2ab · 902d2ab
1 parent dbd1d48
commit 902d2ab
Show file tree

Hide file tree

Showing 16 changed files with 118 additions and 88 deletions.
diff --git a/.github/workflows/actions/tf-destroy/action.yml b/.github/workflows/actions/tf-destroy/action.yml
@@ -16,6 +16,8 @@ runs:
         if [ ${{ github.repository }} == 'epam/ecc-aws-rulepack' ]; then
           export TF_VAR_remote_state_region=$AWS_DEFAULT_REGION
           export TF_VAR_remote_state_bucket=$TF_BACKEND_STORAGE_NAME
+          TF_VAR_remote_state_key: "aws/states/common_resources/$COMPLINCE.tfstate"
+
           terraform init -backend-config="bucket=$TF_BACKEND_STORAGE_NAME" -backend-config="key=aws/states/${RESOURCE}/${COMPLINCE}.tfstate"  -backend-config="region=$AWS_DEFAULT_REGION"
         elif [ ${{ github.repository }} == 'epam/ecc-gcp-rulepack' ]; then
           echo 'TO DO'

diff --git a/.github/workflows/actions/tf-init-apply/action.yml b/.github/workflows/actions/tf-init-apply/action.yml
@@ -16,6 +16,8 @@ runs:
         if [ ${{ github.repository }} == 'epam/ecc-aws-rulepack' ]; then
           export TF_VAR_remote_state_region=$AWS_DEFAULT_REGION
           export TF_VAR_remote_state_bucket=$TF_BACKEND_STORAGE_NAME
+          TF_VAR_remote_state_key: "aws/states/common_resources/$COMPLINCE.tfstate"
+
           terraform init -backend-config="bucket=$TF_BACKEND_STORAGE_NAME" -backend-config="key=aws/states/$RESOURCE/$COMPLINCE.tfstate"  -backend-config="region=$AWS_DEFAULT_REGION"
         elif [ ${{ github.repository }} == 'epam/ecc-gcp-rulepack' ]; then
           echo 'TO DO'

diff --git a/.github/workflows/auto-test.yml b/.github/workflows/auto-test.yml
@@ -25,7 +25,7 @@ env:
   TF_BACKEND_STORAGE_NAME: ${{ secrets.TF_BACKEND_STORAGE_NAME }}
   TF_CLI_ARGS: "-no-color"
   AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
-  default_resource_priority_list: '[ "distribution"]'
+  default_resource_priority_list: '[ "codebuild"]'
   RED: '\033[0;31m'
 
 permissions:
@@ -167,7 +167,6 @@ jobs:
     env:
       COMPLINCE: ${{ matrix.compliance }}
       RESOURCE: ${{ matrix.resource }}
-      TF_VAR_remote_state_key: "aws/states/common_resources/${{ matrix.compliance }}.tfstate"
 
     steps:
       - name: Git clone the repository
@@ -224,7 +223,6 @@ jobs:
     env:
       COMPLINCE: ${{ matrix.compliance }}
       RESOURCE: ${{ matrix.resource }}
-      TF_VAR_remote_state_key: "aws/states/common_resources/${{ matrix.compliance }}.tfstate"
 
     steps:
       - name: Git clone the repository

diff --git a/auto_policy_testing/green/codebuild/codebuild.tf b/auto_policy_testing/green/codebuild/codebuild.tf
@@ -1,24 +1,23 @@
-resource "aws_codebuild_project" "a" {
-  name         = "${module.naming.resource_prefix.codebuild}"
+# An OAUTH connection is not supported by the API and must be created using the CodeBuild console.
 
+# https://docs.aws.amazon.com/codebuild/latest/userguide/access-tokens.html#access-tokens-github
+
+
+resource "aws_codebuild_project" "this1" {
+  name         = "${module.naming.resource_prefix.codebuild}-1"
   service_role = aws_iam_role.this.arn
 
   artifacts {
-    location            = aws_s3_bucket.this.bucket
+    location            = aws_s3_bucket.this.id
     type                = "S3"
     path                = "/"
     packaging           = "ZIP"
     encryption_disabled = false
   }
 
-  cache {
-    type     = "S3"
-    location = aws_s3_bucket.this.bucket
-  }
-
   environment {
     compute_type    = "BUILD_GENERAL1_SMALL"
-    image           = "aws/codebuild/standard:1.0"
+    image           = "aws/codebuild/standard:7.0"
     type            = "LINUX_CONTAINER"
     privileged_mode = false
 
@@ -32,56 +31,34 @@ resource "aws_codebuild_project" "a" {
   logs_config {
     cloudwatch_logs {
       status      = "ENABLED"
-      group_name  = "log-group-482-green"
-      stream_name = "log-stream-482-green"
-    }
-
-    s3_logs {
-      status              = "ENABLED"
-      location            = "${aws_s3_bucket.this.id}/build-log"
-      encryption_disabled = false
+      group_name  = aws_cloudwatch_log_group.this.name
     }
   }
 
   source {
-    type       = "GITHUB"
-    location   = var.github_location
+    type       = "BITBUCKET"
+    location   = var.bitbucket_location
   }
 }
 
-resource "aws_codebuild_project" "b" {
+resource "aws_codebuild_project" "this2" {
   name         = "${module.naming.resource_prefix.codebuild}-2"
-
   service_role = aws_iam_role.this.arn
 
   artifacts {
-    location            = aws_s3_bucket.this.bucket
-    type                = "S3"
-    path                = "/"
-    packaging           = "ZIP"
-    encryption_disabled = false
+    type = "NO_ARTIFACTS"
   }
 
   environment {
     compute_type    = "BUILD_GENERAL1_SMALL"
-    image           = "aws/codebuild/standard:1.0"
+    image           = "aws/codebuild/standard:7.0"
     type            = "LINUX_CONTAINER"
-    privileged_mode = false
-
-
-    environment_variable {
-      name  = "SOME_KEY1"
-      value = "SOME_VALUE1"
-    }
   }
 
   logs_config {
     cloudwatch_logs {
-      status      = "ENABLED"
-      group_name  = "log-group-482-green"
-      stream_name = "log-stream-482-green"
+      status = "DISABLED"
     }
-
     s3_logs {
       status              = "ENABLED"
       location            = "${aws_s3_bucket.this.id}/build-log"
@@ -95,7 +72,6 @@ resource "aws_codebuild_project" "b" {
   }
 }
 
-
 resource "aws_iam_role" "this" {
   name = "${module.naming.resource_prefix.codebuild}"
 
@@ -115,12 +91,6 @@ resource "aws_iam_role" "this" {
 EOF
 }
 
-resource "aws_s3_bucket" "this" {
-  bucket        = "${module.naming.resource_prefix.codebuild}-${random_integer.this.result}"
-  force_destroy = true
-}
-
-resource "random_integer" "this" {
-  min = 1
-  max = 10000000
-}
+resource "aws_cloudwatch_log_group" "this" {
+  name = "${module.naming.resource_prefix.cw_log_group}"
+}
diff --git a/auto_policy_testing/green/codebuild/outputs.tf b/auto_policy_testing/green/codebuild/outputs.tf
@@ -1,8 +1,7 @@
 output "codebuild" {
   value = {
-    codebuild = [
-      aws_codebuild_project.a.arn,
-      aws_codebuild_project.b.arn
-    ]
+    codebuild = aws_codebuild_project.this1.arn,
+    ecc-aws-482-codebuild_project_logging_enabled = [aws_codebuild_project.this1.arn, aws_codebuild_project.this2.arn],
+    ecc-aws-483-codebuild_project_s3_logs_encrypted = [aws_codebuild_project.this1.arn, aws_codebuild_project.this2.arn]
   }
 }
diff --git a/auto_policy_testing/green/codebuild/s3.tf b/auto_policy_testing/green/codebuild/s3.tf
@@ -0,0 +1,9 @@
+resource "aws_s3_bucket" "this" {
+  bucket        = "${module.naming.resource_prefix.codebuild}-${random_integer.this.result}"
+  force_destroy = true
+}
+
+resource "random_integer" "this" {
+  min = 10000
+  max = 99999
+}
diff --git a/auto_policy_testing/green/codebuild/variables.tf b/auto_policy_testing/green/codebuild/variables.tf
@@ -20,7 +20,7 @@ variable "remote_state_key" {
 
 variable "github_location" {
   type        = string
-  default     = "https://github.com/mitchellh/packer.git"
+  default     = "https://github.com/cloud-custodian/cloud-custodian"
 }
 
 variable "bitbucket_location" {

diff --git a/auto_policy_testing/green/common_resources/outputs.tf b/auto_policy_testing/green/common_resources/outputs.tf
@@ -64,4 +64,4 @@ output "wafregional_acl_id" {
 
 output "waf_web_acl_id" {
   value = aws_waf_web_acl.this.id
-}
+}
diff --git a/auto_policy_testing/red/codebuild/MessageUtil.zip b/auto_policy_testing/red/codebuild/MessageUtil.zip
diff --git a/auto_policy_testing/red/codebuild/codebuild.tf b/auto_policy_testing/red/codebuild/codebuild.tf
@@ -1,38 +1,32 @@
-resource "aws_s3_bucket" "input_bucket" {
-  bucket        = "${module.naming.resource_prefix.codebuild}-${random_integer.this.result}"
-  force_destroy = true
-}
-resource "aws_s3_bucket" "output_bucket" {
-  bucket        = "${module.naming.resource_prefix.codebuild}-${random_integer.this.result}-2"
-  force_destroy = true
-}
+# CodeBuild only allows a single credential to be saved in a given AWS account in a given region
 
-resource "random_integer" "this" {
-  min = 1
-  max = 10000000
+resource "aws_codebuild_source_credential" "github" {
+  auth_type   = "PERSONAL_ACCESS_TOKEN"
+  server_type = "GITHUB"
+  token       = "test"
 }
 
-resource "aws_s3_object" "object" {
-  bucket = aws_s3_bucket.input_bucket.id
-  key    = "MessageUtil.zip"
-  source = "MessageUtil.zip"
+resource "aws_codebuild_source_credential" "bitbucket_passw" {
+  auth_type   = "BASIC_AUTH"
+  server_type = "BITBUCKET"
+  token       = "password-test"
+  user_name   = "username-test"
 }
 
-resource "aws_codebuild_project" "this" {
-  name = "${module.naming.resource_prefix.codebuild}"
-
-  service_role = aws_iam_role.this.arn
+resource "aws_codebuild_project" "this1" {
   provider     = aws.provider2
-
+  name = "${module.naming.resource_prefix.codebuild}-1"
+  service_role = aws_iam_role.this.arn
+
   artifacts {
     type                = "S3"
-    location            = aws_s3_bucket.output_bucket.id
+    location            = aws_s3_bucket.this.id
     encryption_disabled = true
   }
 
   environment {
     compute_type    = "BUILD_GENERAL1_SMALL"
-    image           = "aws/codebuild/amazonlinux2-x86_64-standard:3.0"
+    image           = "aws/codebuild/standard:7.0"
     type            = "LINUX_CONTAINER"
     privileged_mode = true
 
@@ -50,20 +44,63 @@ resource "aws_codebuild_project" "this" {
     cloudwatch_logs {
       status = "DISABLED"
     }
+    s3_logs {
+      status   = "DISABLED"
+    }
+  }
+
+  source {
+    type       = "GITHUB"
+    location   = var.github_location
+  }
 
+  secondary_sources {
+    source_identifier = "test1"
+    type       = "BITBUCKET"
+    location   = var.bitbucket_location
+  }
+  secondary_sources {
+    source_identifier = "test2"
+    type       = "GITLAB"
+    location   = "https://gitlab.com/test/test.git"
+  }
+}
+
+resource "aws_codebuild_project" "this2" {
+  name = "${module.naming.resource_prefix.codebuild}-2"
+  service_role = aws_iam_role.this.arn
+
+  artifacts {
+    type = "NO_ARTIFACTS"
+  }
+
+  environment {
+    compute_type    = "BUILD_GENERAL1_SMALL"
+    image           = "aws/codebuild/standard:7.0"
+    type            = "LINUX_CONTAINER"
+  }
+
+  logs_config {
+    cloudwatch_logs {
+      status = "DISABLED"
+    }
     s3_logs {
-      status   = "ENABLED"
-      location = "${aws_s3_bucket.output_bucket.id}/build-log"
+      status              = "ENABLED"
+      location            = "${aws_s3_bucket.this.id}/build-log"
       encryption_disabled = true
     }
   }
 
   source {
-    type     = "S3"
-    location = "${aws_s3_bucket.input_bucket.id}/MessageUtil.zip"
+    type       = "BITBUCKET"
+    location   = var.bitbucket_location
   }
 
-  depends_on = [aws_s3_bucket.input_bucket, aws_s3_bucket.output_bucket]
+  secondary_sources {
+    source_identifier = "test1"
+    type       = "BITBUCKET"
+    location   = "https://username:token@bitbucket.org/test1/test.git"
+  }
 }
 
 resource "aws_iam_role" "this" {

diff --git a/auto_policy_testing/red/codebuild/main.tf b/auto_policy_testing/red/codebuild/main.tf
@@ -13,3 +13,4 @@ data "terraform_remote_state" "common" {
     region = var.remote_state_region
   }
 }
+
diff --git a/auto_policy_testing/red/codebuild/outputs.tf b/auto_policy_testing/red/codebuild/outputs.tf
@@ -1,5 +1,6 @@
 output "codebuild" {
   value = {
-    codebuild = aws_codebuild_project.this.arn
+    codebuild = aws_codebuild_project.this1.arn,
+    ecc-aws-483-codebuild_project_s3_logs_encrypted = aws_codebuild_project.this2.arn
   }
 }
diff --git a/auto_policy_testing/red/codebuild/s3.tf b/auto_policy_testing/red/codebuild/s3.tf
@@ -0,0 +1,9 @@
+resource "aws_s3_bucket" "this" {
+  bucket        = "${module.naming.resource_prefix.codebuild}-${random_integer.this.result}"
+  force_destroy = true
+}
+
+resource "random_integer" "this" {
+  min = 10000
+  max = 99999
+}
diff --git a/auto_policy_testing/red/codebuild/variables.tf b/auto_policy_testing/red/codebuild/variables.tf
@@ -20,10 +20,10 @@ variable "remote_state_key" {
 
 variable "github_location" {
   type        = string
-  default     = "https://github.com/mitchellh/packer.git"
+  default     = "https://github.com/cloud-custodian/cloud-custodian"
 }
 
 variable "bitbucket_location" {
   type        = string
-  default     = "https://bitbucket.org/ansible/ansible"
+  default     = "https://bitbucket.org/test/test"
 }
diff --git a/auto_policy_testing/red/common_resources/outputs.tf b/auto_policy_testing/red/common_resources/outputs.tf
@@ -20,4 +20,4 @@ output "vpc_subnet_3_id" {
 
 output "sg_1_id" {
   value = aws_security_group.this.id
-}
+}
diff --git a/auto_policy_testing/scripts/exception_rules.py b/auto_policy_testing/scripts/exception_rules.py
@@ -1,6 +1,7 @@
 aws = {
     "green": [
         "ecc-aws-015-ensure_mfa_is_enabled_for_the_root_account",
+        "ecc-aws-071-codebuild_project_source_repo_url_check", # require update
         "ecc-aws-112-s3_bucket_versioning_mfa_delete_enabled", #manual
         "ecc-aws-138-eliminate_use_root_user_for_administrative_and_daily_tasks",
         "ecc-aws-207-rds_aurora_logging_enabled",
@@ -26,6 +27,7 @@
         "ecc-aws-022-ebs_volumes_too_old_snapshots",
         "ecc-aws-046-ensure_no_root_account_access_key_exists",
         "ecc-aws-059-config_enabled_all_regions",
+        "ecc-aws-071-codebuild_project_source_repo_url_check", # require update
         "ecc-aws-115-expired_certificates_are_removed_from_acm",
         "ecc-aws-128-expired_route53_domain_names",
         "ecc-aws-138-eliminate_use_root_user_for_administrative_and_daily_tasks",
-Original file line number
+Diff line change
@@ Expand Up / @@ -64,4 +64,4 @@ output "wafregional_acl_id" { @@
     output "waf_web_acl_id" {
       value = aws_waf_web_acl.this.id
-    }
+    }
Original file line number	Diff line number	Diff line change
Expand Up		@@ -13,3 +13,4 @@ data "terraform_remote_state" "common" {
		region = var.remote_state_region
		}
		}