#!/bin/sh -l
# Name of the report file that process_errors and process_output scrape
# from the scanned directory after run_accurics has completed.
REPORT_NAME="accurics_report.json"
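#######################################
# Load the action inputs from the positional parameters and export the
# settings that are passed to the accurics CLI through the environment.
# Arguments: $1 debug-mode, $2 terraform-version, $3 directories,
#            $4 plan-args, $5 env-id, $6 app-id, $7 repo-name, $8 url,
#            $9 fail-on-violations, $10 fail-on-all-errors, $11 scan-mode,
#            $12 pipeline, $13 run-mode, $14 terragrunt-version
# Globals:   INPUT_* (written; read by the rest of the script)
#            ACCURICS_URL, ACCURICS_ENV_ID, ACCURICS_APP_ID,
#            ACCURICS_REPO_NAME (exported)
# Exits:     1, 2 or 3 when env-id, app-id or url respectively is empty
#######################################
process_args() {
  # Input from command line
  INPUT_DEBUG_MODE=$1
  INPUT_TERRAFORM_VERSION=$2
  INPUT_DIRECTORIES=$3
  INPUT_PLAN_ARGS=$4
  INPUT_ENV_ID=$5
  INPUT_APP_ID=$6
  INPUT_REPO_NAME=$7
  INPUT_URL=$8
  INPUT_FAIL_ON_VIOLATIONS=$9
  INPUT_FAIL_ON_ALL_ERRORS=${10}
  INPUT_SCAN_MODE=${11}
  INPUT_PIPELINE=${12}
  INPUT_RUN_MODE=${13}
  INPUT_TERRAGRUNT_VERSION=${14}

  # env-id, app-id and url have no usable default: stop early, with a
  # distinct exit code for each, and report on stderr so the message is not
  # mistaken for scan output.
  if [ -z "$INPUT_ENV_ID" ]; then
    echo "Error: The env-id parameter is required and not set." >&2
    exit 1
  fi
  if [ -z "$INPUT_APP_ID" ]; then
    echo "Error: The app-id parameter is required and not set." >&2
    exit 2
  fi
  if [ -z "$INPUT_URL" ]; then
    echo "Error: The url parameter is required and not set." >&2
    exit 3
  fi
  # Substitute a placeholder so ACCURICS_REPO_NAME is never exported empty.
  [ -z "$INPUT_REPO_NAME" ] && INPUT_REPO_NAME=__empty__

  # NOTE(review): the url is taken from the workflow definition as-is (no
  # scheme/host check); it is trusted configuration, not user data.
  export ACCURICS_URL="$INPUT_URL"
  export ACCURICS_ENV_ID="$INPUT_ENV_ID"
  export ACCURICS_APP_ID="$INPUT_APP_ID"
  export ACCURICS_REPO_NAME="$INPUT_REPO_NAME"
}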
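#######################################
# Download the Terragrunt release binary and place it on PATH.
# Arguments: $1 - release tag as it appears in the GitHub releases URL
#                 (e.g. v0.38.0)
# Exits:     1 on an invalid tag, a failed download, or a failed install
#######################################
install_terragrunt() {
  local tgVersion=$1
  local url
  local tmp

  # The tag is spliced into a URL path: refuse anything that is not a plain
  # version token (empty value, spaces, slashes, ...).
  case "$tgVersion" in
    '' | *[!0-9A-Za-z._-]*)
      echo "Error: invalid Terragrunt version '$tgVersion'" >&2
      exit 1
      ;;
  esac
  url="https://github.com/gruntwork-io/terragrunt/releases/download/${tgVersion}/terragrunt_linux_amd64"

  # Download into a private temporary file rather than a fixed /tmp name.
  tmp=$(mktemp) || { echo "Error: mktemp failed" >&2; exit 1; }
  echo "Downloading Terragrunt ${tgVersion}"
  # NOTE(review): the binary is installed without any integrity check
  # (checksum or signature); only TLS to github.com protects the download.
  if ! curl -s -S -L -o "$tmp" "$url"; then
    echo "Failed to download Terragrunt ${tgVersion}" >&2
    rm -f -- "$tmp"
    exit 1
  fi
  echo "Successfully downloaded Terragrunt ${tgVersion}"

  echo "Moving Terragrunt ${tgVersion} to PATH"
  # mktemp creates the file 0600; set the mode explicitly so the installed
  # binary is executable by every user, as a plain /tmp download would be.
  if ! chmod 0755 "$tmp" || ! mv -- "$tmp" /usr/local/bin/terragrunt; then
    echo "Failed to move Terragrunt ${tgVersion}" >&2
    rm -f -- "$tmp"
    exit 1
  fi
  echo "Successfully moved Terragrunt ${tgVersion}"
}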
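#######################################
# Download and unzip the requested Terraform release into /usr/local/bin.
# Arguments: $1 - version string (e.g. 1.3.0), or "latest" to resolve the
#                 newest non-prerelease version from releases.hashicorp.com
# Exits:     150 on download failure, 151 on unzip failure, 152 when the
#            version is empty, cannot be resolved, or is not a plain token
#######################################
install_terraform() {
  local terraform_ver=$1
  local url
  local archive

  if [ "$terraform_ver" = "latest" ]; then
    # Prerelease versions carry a '-' suffix (alpha/beta/rc); drop them and
    # take the highest remaining version.
    terraform_ver=$(curl -sL https://releases.hashicorp.com/terraform/index.json \
      | jq -r '.versions[].version' | grep -v -e '-' | sort -rV | head -n 1)
  fi
  # The version is spliced into a URL path and a file name: refuse an empty
  # result from the lookup above, and anything that is not a plain token.
  case "$terraform_ver" in
    '' | *[!0-9A-Za-z._-]*)
      echo "Error: invalid Terraform version '$terraform_ver'" >&2
      exit 152
      ;;
  esac

  url="https://releases.hashicorp.com/terraform/$terraform_ver/terraform_${terraform_ver}_linux_amd64.zip"
  archive="/tmp/terraform_${terraform_ver}_linux_amd64.zip"
  echo "Downloading Terraform: $terraform_ver from $url"
  # NOTE(review): the archive is not verified against the SHA256SUMS file
  # HashiCorp publishes for each release; adding that check would pin what
  # gets executed to a known artifact.
  if ! curl -s -S -L -o "$archive" "$url"; then
    echo "Error while downloading Terraform $terraform_ver" >&2
    exit 150
  fi
  if ! unzip -d /usr/local/bin "$archive"; then
    echo "Error while unzipping Terraform $terraform_ver" >&2
    exit 151
  fi
  rm -f -- "$archive"
}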
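#######################################
# Run the accurics CLI in the current directory and record its exit status.
# Globals:   INPUT_SCAN_MODE, INPUT_PIPELINE, INPUT_RUN_MODE (read)
#            ACCURICS_PLAN_ERR (written) - exit status of the accurics run
# Arguments: $1 - extra CLI parameters, space-separated
#            $2 - plan arguments, space-separated
#######################################
run_accurics() {
  local params=$1
  local plan_args=$2
  local pipeline_mode=""

  # presumably the CLI expects a config file in the working directory — TODO confirm
  touch config
  # Log the terrascan version alongside the run.
  terrascan version

  # In scan mode the init step is skipped; the mode passed to the CLI itself
  # comes from INPUT_RUN_MODE below. (The previous runMode variable was
  # assigned here but never used.)
  if [ "$INPUT_SCAN_MODE" = "scan" ]; then
    echo "running scan mode"
  else
    echo "running plan mode"
    accurics init
  fi

  echo "INPUT_PIPELINE=$INPUT_PIPELINE"
  if [ "$INPUT_PIPELINE" = true ]; then
    echo "running pipeline mode"
    pipeline_mode="-mode=pipeline"
  fi

  # Word-splitting of $params and $plan_args is intentional: the inputs are
  # space-separated argument strings that must become separate arguments.
  # shellcheck disable=SC2086
  accurics $INPUT_RUN_MODE $params $plan_args $pipeline_mode
  ACCURICS_PLAN_ERR=$?
}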
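#######################################
# Turn the result of the accurics run into the action's exit code.
# Globals:   INPUT_FAIL_ON_ALL_ERRORS, INPUT_FAIL_ON_VIOLATIONS,
#            ACCURICS_PLAN_ERR, REPORT_NAME (read)
#            EXIT_CODE (written) - 0, 100 (CLI error), or 101 (violations)
#            VIOLATIONS (written) - violation count scraped from the report
#######################################
process_errors() {
  # Default error code
  EXIT_CODE=0

  # If INPUT_FAIL_ON_ALL_ERRORS is set and the accurics run returned an
  # error, propagate that error.
  if [ "$INPUT_FAIL_ON_ALL_ERRORS" = "true" ] && [ "$ACCURICS_PLAN_ERR" -ne 0 ]; then
    EXIT_CODE=100
  fi

  # The report is JSON but is scraped with grep: first line mentioning
  # "violation", second whitespace-separated token, trailing comma removed.
  VIOLATIONS=$(grep violation "$REPORT_NAME" | head -1 | awk '{ print $2 }' | cut -d, -f1)

  # If INPUT_FAIL_ON_VIOLATIONS is set and violations were found, fail.
  if [ "$INPUT_FAIL_ON_VIOLATIONS" = "true" ]; then
    case "$VIOLATIONS" in
      null)
        # Treated as "no violations", as before.
        ;;
      '' | *[!0-9]*)
        # Report missing or not in the expected shape. The old code hit an
        # integer-comparison error here and silently kept EXIT_CODE.
        # NOTE(review): this still fails open for the violations gate; the
        # fail-on-all-errors input is what catches a scan that produced no
        # report.
        echo "Warning: could not read a violation count from $REPORT_NAME" >&2
        ;;
      *)
        [ "$VIOLATIONS" -gt 0 ] && EXIT_CODE=101
        ;;
    esac
  fi
}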
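#######################################
# Read one field from the accurics report. The report is JSON but is scraped
# with grep: the first line matching $1, its second whitespace-separated
# token, with everything from the first comma on removed.
# Globals:   REPORT_NAME (read)
# Arguments: $1 - grep pattern for the key
# Outputs:   the value on stdout; empty when no line matches
#######################################
report_field() {
  grep -- "$1" "$REPORT_NAME" | head -1 | awk '{ print $2 }' | cut -d, -f1
}

#######################################
# Publish one step output for the workflow. Appends to the $GITHUB_OUTPUT
# file when the runner provides one, otherwise falls back to the older
# ::set-output workflow command.
# Arguments: $1 - output name
#            $2 - value; must be a single line (the file is name=value per line)
#######################################
set_action_output() {
  if [ -n "${GITHUB_OUTPUT:-}" ]; then
    printf '%s=%s\n' "$1" "$2" >>"$GITHUB_OUTPUT"
  else
    echo "::set-output name=$1::$2"
  fi
}

#######################################
# Publish the scan summary from the report as step outputs.
# Globals:   REPORT_NAME, ACCURICS_REPO_NAME (read)
#            VIOLATIONS (read) - set by process_errors, which must run first
# Outputs:   one step output per summary field
#######################################
process_output() {
  local env_name num_resources high medium low native inherited
  local drift iac_drift cloud_drift has_errors

  # envName is a string: take the 4th double-quote-delimited field of its line.
  env_name=$(grep envName "$REPORT_NAME" | head -1 | cut -d\" -f4)
  num_resources=$(report_field resources)
  # NOTE(review): these patterns are substrings, not exact keys. "drift"
  # relies on the plain drift line preceding iacdrift/clouddrift in the
  # report, and "low"/"high" on no other key containing those letters.
  high=$(report_field high)
  medium=$(report_field medium)
  low=$(report_field low)
  native=$(report_field native)
  inherited=$(report_field inherit)
  drift=$(report_field drift)
  iac_drift=$(report_field iacdrift)
  cloud_drift=$(report_field clouddrift)
  has_errors=$(report_field HasErrors)

  set_action_output env-name "$env_name"
  set_action_output repo "$ACCURICS_REPO_NAME"
  set_action_output num-violations "$VIOLATIONS"
  set_action_output num-resources "$num_resources"
  set_action_output high "$high"
  set_action_output medium "$medium"
  set_action_output low "$low"
  set_action_output native "$native"
  set_action_output inherited "$inherited"
  set_action_output drift "$drift"
  # These two previously read $iacdrift/$clouddrift, which were never
  # assigned, so both outputs were always empty.
  set_action_output iacdrift "$iac_drift"
  set_action_output clouddrift "$cloud_drift"
  set_action_output has-errors "$has_errors"
}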
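# ---- Entry point ----------------------------------------------------------
# The positional parameters are the 14 action inputs in the order process_args
# documents them; debug-mode ($1) is read here as well so tracing can be
# enabled before anything else runs.
INPUT_DEBUG_MODE=$1
# set -x copies every expanded command, including the exported IDs and URL,
# into the job log; only turn it on when explicitly requested.
[ "$INPUT_DEBUG_MODE" = "true" ] && set -x

process_args "$@"
install_terraform "$INPUT_TERRAFORM_VERSION"

# The script runs under #!/bin/sh, so use the POSIX test rather than [[ ]].
if [ "$INPUT_RUN_MODE" = "tgplan" ]; then
  echo "Installing terragrunt"
  install_terragrunt "$INPUT_TERRAGRUNT_VERSION"
fi

# git 2.35.2 and later refuse to operate on a repository whose directory is
# owned by a different user unless it is listed as safe; the checkout in the
# workspace is typically owned by the runner user rather than the container's.
git config --global --add safe.directory "$GITHUB_WORKSPACE"

# Initialise so an empty directory list still exits cleanly instead of
# running `exit` with an unset value.
EXIT_CODE=0

# INPUT_DIRECTORIES is a whitespace-separated list; the unquoted expansion is
# the intended word-splitting. Directory names containing spaces are not
# supported.
# shellcheck disable=SC2086
for d in $INPUT_DIRECTORIES; do
  # A failed cd previously went unnoticed and the scan ran in the wrong place.
  cd "$d" || { echo "Error: cannot change to directory '$d'" >&2; exit 1; }
  echo "======================================================================"
  echo " Running the Accurics Action for directory: "
  echo " $d"
  echo " Github_workspace $GITHUB_WORKSPACE"
  echo "======================================================================"
  run_accurics "" "$INPUT_PLAN_ARGS"
  echo "======================================================================"
  echo " Done!"
  echo "======================================================================"
  process_errors
  process_output
  cd - >/dev/null || exit 1
  # Stop at the first directory that produced a failing exit code.
  [ "$EXIT_CODE" -ne 0 ] && break
done

exit "$EXIT_CODE"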