Skip to content

Commit

Permalink
feat/prowler shared workflow for AWS and GCP (#146)
Browse files Browse the repository at this point in the history
  • Loading branch information
Bharadwajshivam28 authored Aug 13, 2024
1 parent 1e5db60 commit 30407d0
Show file tree
Hide file tree
Showing 4 changed files with 261 additions and 4 deletions.
128 changes: 128 additions & 0 deletions .github/workflows/prowler.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,128 @@
---
name: Prowler Reusable Workflow

on:
workflow_call:
inputs:
cloud_provider:
required: true
type: string
description: 'Cloud Provider'
project_id:
required: false
type: string
description: 'Project ID for GCP'
aws_region:
required: false
type: string
description: 'AWS Region'
access_token_lifetime:
required: false
type: number
default: 300
description: 'Duration for which an access token remains valid.'
role_duration_seconds:
required: false
type: number
default: 900
description: 'Duration of the session.'

secrets:
WIP:
required: false
description: 'WIP Connected with Service Account'
SERVICE_ACCOUNT:
required: false
description: 'GCP service account'
BUILD_ROLE:
required: false
description: 'AWS OIDC role for AWS authentication.'
AWS_ACCESS_KEY_ID:
required: false
description: 'AWS Access Key ID'
AWS_SECRET_ACCESS_KEY:
required: false
description: 'AWS Secret Access Key'
AWS_SESSION_TOKEN:
required: false
description: 'AWS Session Token'
AZURE_CLIENT_ID:
required: false
description: 'Azure Client ID'
AZURE_CLIENT_SECRET:
required: false
description: 'Azure Client Secret'
AZURE_TENANT_ID:
required: false
description: 'Azure Tenant ID'

jobs:
prowler:
runs-on: macos-latest

steps:
- name: Check out code
uses: actions/checkout@v3

- name: Install Homebrew
run: |
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
- name: Install Prowler
run: |
brew install prowler
- name: Authenticate with Google Cloud
if: ${{ inputs.cloud_provider == 'gcp' }}
uses: google-github-actions/auth@v1
with:
token_format: access_token
workload_identity_provider: ${{ secrets.WIP }}
service_account: ${{ secrets.SERVICE_ACCOUNT }}
access_token_lifetime: ${{ inputs.access_token_lifetime }}
project_id: ${{ inputs.project_id }}

- name: Install AWS CLI
if: ${{ inputs.cloud_provider == 'aws' }}
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
role-to-assume: ${{ secrets.BUILD_ROLE }}
aws-region: ${{ inputs.aws_region }}
role-duration-seconds: ${{ inputs.role_duration_seconds }}
role-skip-session-tagging: true

- name: Run Prowler for GCP
if: ${{ inputs.cloud_provider == 'gcp' }}
id: prowler-gcp
run: |
prowler gcp \
--project-ids ${{ inputs.project_id }} \
-o ${{ github.workspace }}/report/
continue-on-error: true

- name: Run Prowler for AWS
if: ${{ inputs.cloud_provider == 'aws' }}
id: prowler-aws
run: |
prowler aws -o ${{ github.workspace }}/report/
continue-on-error: true

- name: Run Prowler for Azure
if: ${{ inputs.cloud_provider == 'azure' }}
id: prowler-azure
run: |
export AZURE_CLIENT_ID=${{ secrets.AZURE_CLIENT_ID }}
export AZURE_CLIENT_SECRET=${{ secrets.AZURE_CLIENT_SECRET }}
export AZURE_TENANT_ID=${{ secrets.AZURE_TENANT_ID }}
prowler azure --sp-env-auth -o ${{ github.workspace }}/report/
continue-on-error: true

- name: Upload report directory
uses: actions/upload-artifact@v3
with:
name: compliance-report
path: ${{ github.workspace }}/report/
...
52 changes: 48 additions & 4 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,12 +1,15 @@
<p align="center"> <img src="images/logo.png" width="100" height="100"></p>
[![Banner](https://github.com/clouddrove/terraform-module-template/assets/119565952/67a8a1af-2eb7-40b7-ae07-c94cde9ce062)][website]

<h1 align="center">GitHub Shared Workflows</h1>



<p align="center">
GitHub shared workflow defines a workflow that we can use in multiple repos with a simple structure.
</p>



<p align="center">
<a href="LICENSE">
<img src="https://img.shields.io/badge/License-APACHE-blue.svg" alt="Licence">
Expand Down Expand Up @@ -69,21 +72,62 @@ Above example is just a simple example to call workflow from github shared workf
13. [ Readme Generation workflow](https://github.com/clouddrove/github-shared-workflows/blob/master/docs/readme.md)
14. [ AWS SSM Send Command workflow](https://github.com/clouddrove/github-shared-workflows/blob/master/docs/AWSSSMSendCommand.md)
15. [ Remote SSH Command workflow](https://github.com/clouddrove/github-shared-workflows/blob/master/docs/RemoteSSHCommand.md)
16. [ Prowler workflow](https://github.com/clouddrove/github-shared-workflows/blob/master/docs/prowler.md)
## Feedback
If you come accross a bug or have any feedback, please log it in our [issue tracker](https://github.com/clouddrove/github-shared-workflows/issues), or feel free to drop us an email at [[email protected]](mailto:[email protected]).
If you have found it worth your time, go ahead and give us a ★ on [our GitHub](https://github.com/clouddrove/github-shared-workflows)!
## About us
## :rocket: Our Accomplishment
We have [*100+ Terraform modules*][terraform_modules] 🙌. You could consider them finished, but, with enthusiasts like yourself, we are able to ever improve them, so we call our status - improvement in progress.
- [Terraform Module Registry:](https://registry.terraform.io/namespaces/clouddrove) Discover our Terraform modules here.
- [Terraform Modules for AWS/Azure Modules:](https://github.com/clouddrove/toc) Explore our comprehensive Table of Contents for easy navigation through our documentation for modules pertaining to AWS, Azure & GCP.
- [Terraform Modules for Digital Ocean:](https://github.com/terraform-do-modules/toc) Check out our specialized Terraform modules for Digital Ocean.
## Join Our Slack Community
Join our vibrant open-source slack community and embark on an ever-evolving journey with CloudDrove; helping you in moving upwards in your career path.
Join our vibrant Open Source Slack Community and embark on a learning journey with CloudDrove. Grow with us in the world of DevOps and set your career on a path of consistency.
🌐💬What you'll get after joining this Slack community:
- 🚀 Encouragement to upgrade your best version.
- 🌈 Learning companionship with our DevOps squad.
- 🌱 Relentless growth with daily updates on new advancements in technologies.
Join our tech elites [Join Now][slack] 🚀
## ✨ Contributors
Big thanks to our contributors for elevating our project with their dedication and expertise! But, we do not wish to stop there, would like to invite contributions from the community in improving these projects and making them more versatile for better reach. Remember, every bit of contribution is immensely valuable, as, together, we are moving in only 1 direction, i.e. forward.
<a href="https://github.com/clouddrove/github-shared-workflows/graphs/contributors">
<img src="https://contrib.rocks/image?repo=clouddrove/github-shared-workflows&max" />
</a>
<br>
<br>
## Explore Our Blogs
Click [here][blog] :books: :star2:
## Tap into our capabilities
We provide a platform for organizations to engage with experienced top-tier DevOps & Cloud services. Tap into our pool of certified engineers and architects to elevate your DevOps and Cloud Solutions.
At [CloudDrove][website], we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud. Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering.
At [CloudDrove][website], has extensive experience in designing, building & migrating environments, securing, consulting, monitoring, optimizing, automating, and maintaining complex and large modern systems. With remarkable client footprints in American & European corridors, our certified architects & engineers are ready to serve you as per your requirements & schedule. Write to us at [[email protected]](mailto:[email protected]).
<p align="center">We are <b> The Cloud Experts!</b></p>
<hr />
<p align="center">We ❤️ <a href="https://github.com/clouddrove">Open Source</a> and you can check out <a href="https://github.com/clouddrove">our other modules</a> to get help with your new Cloud ideas.</p>
<p align="center">We ❤️ <a href="https://github.com/clouddrove">Open Source</a> and you can check out <a href="https://registry.terraform.io/namespaces/clouddrove">our other modules</a> to get help with your new Cloud ideas.</p>
[website]: https://clouddrove.com
[blog]: https://blog.clouddrove.com
[slack]: https://www.launchpass.com/devops-talks
[github]: https://github.com/clouddrove
[linkedin]: https://cpco.io/linkedin
[twitter]: https://twitter.com/clouddrove/
Expand Down
1 change: 1 addition & 0 deletions docs/helm.md
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@ jobs:
#### Example for Azure cloud provider
```yaml
name: Helm Workflow Azure
on:
Expand Down
84 changes: 84 additions & 0 deletions docs/prolwer.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
## [Prowler Workflow](https://github.com/clouddrove/github-shared-workflows/blob/master/.github/workflows/prowler.yml)
Prowler an open cloud security platform for our cloud environment. We get a complete report of our cloud infra.

### Usage
This workflow is used to run Prowler scan on your cloud infra for AWS, GCP or Azure. At the end of Workflow a report is also saved Artifacts.

### Example for AWS cloud provider

```yaml
name: Prowler on AWS
on:
push:
branches:
- <Your_Branch>

jobs:
prowler_aws:
permissions:
contents: 'read'
id-token: 'write'

uses: clouddrove/github-shared-workflows/.github/workflows/prowler.yml@feat/master
with:
cloud_provider: aws
aws_region: ## AWS Region

secrets:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
SERVICE_ACCOUNT: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_SESSION_TOKEN: ${{ secrets.AWS_SESSION_TOKEN }}
BUILD_ROLE: ${{ secrets.BUILD_ROLE }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
```
### Example for Azure cloud provider
```yaml
name: Prowler Azure
on:
push:
branches:
- <Your_Branch>

jobs:
prowler_azure:
permissions:
contents: 'read'
id-token: 'write'

uses: clouddrove/github-shared-workflows/.github/workflows/prowler.yml@feat/master
with:
cloud_provider: azure

secrets:
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
```
### Example for GCP cloud provider
```yaml
name: Prowler for GCP
on:
push:
branches:
- <Your_Branch>

jobs:
prowler_gcp:
permissions:
contents: 'read'
id-token: 'write'

uses: clouddrove/github-shared-workflows/.github/workflows/prowler.yml@feat/master
with:
cloud_provider: gcp
project_id: ## Your GCP Project ID

secrets:
WIP: ${{ secrets.WIP }}
SERVICE_ACCOUNT: ${{ secrets.SERVICE_ACCOUNT }}
```

0 comments on commit 30407d0

Please sign in to comment.