#!/bin/sh -l
# Name of the JSON report that process_errors and process_output parse; it is
# expected to exist in the scanned directory once run_accurics has finished.
REPORT_NAME='accurics_report.json'
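#######################################
# Copy the action's positional inputs into INPUT_* globals, validate the
# mandatory ones and export the ACCURICS_* variables read by the CLI.
# Arguments: $1..$12 - debug-mode, terraform-version, directories, plan-args,
#            env-id, app-id, repo-name, url, fail-on-violations,
#            fail-on-all-errors, scan-mode, pipeline (in that order)
# Globals:   sets INPUT_*; exports ACCURICS_URL, ACCURICS_ENV_ID,
#            ACCURICS_APP_ID, ACCURICS_REPO_NAME
# Outputs:   validation errors on stderr
# Returns:   exits 1 / 2 / 3 when env-id / app-id / url is empty
#######################################
process_args() {
  INPUT_DEBUG_MODE=$1
  INPUT_TERRAFORM_VERSION=$2
  INPUT_DIRECTORIES=$3
  INPUT_PLAN_ARGS=$4
  INPUT_ENV_ID=$5
  INPUT_APP_ID=$6
  INPUT_REPO_NAME=$7
  INPUT_URL=$8
  INPUT_FAIL_ON_VIOLATIONS=$9
  INPUT_FAIL_ON_ALL_ERRORS=${10}
  INPUT_SCAN_MODE=${11}
  INPUT_PIPELINE=${12}
  # env-id, app-id and url are mandatory; each missing value has its own exit code.
  if [ -z "$INPUT_ENV_ID" ]; then
    echo "Error: The env-id parameter is required and not set." >&2
    exit 1
  fi
  if [ -z "$INPUT_APP_ID" ]; then
    echo "Error: The app-id parameter is required and not set." >&2
    exit 2
  fi
  if [ -z "$INPUT_URL" ]; then
    echo "Error: The url parameter is required and not set." >&2
    exit 3
  fi
  # A sentinel is exported when no repo name was supplied.
  [ -z "$INPUT_REPO_NAME" ] && INPUT_REPO_NAME=__empty__
  export ACCURICS_URL="$INPUT_URL"
  export ACCURICS_ENV_ID="$INPUT_ENV_ID"
  export ACCURICS_APP_ID="$INPUT_APP_ID"
  export ACCURICS_REPO_NAME="$INPUT_REPO_NAME"
}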
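#######################################
# Download the requested Terraform release and unzip it into /usr/local/bin.
# Arguments: $1 - version string, or "latest" for the newest non-pre-release
# Outputs:   progress on stdout, errors on stderr
# Returns:   exits 150 when the version cannot be resolved or downloaded,
#            151 when the archive cannot be unzipped
#######################################
install_terraform() {
  local terraform_ver="$1"
  local url archive
  if [ "$terraform_ver" = "latest" ]; then
    # Highest version in the release index; anything containing '-' is a
    # pre-release and is skipped.
    terraform_ver=$(curl -sL https://releases.hashicorp.com/terraform/index.json \
      | jq -r '.versions[].version' | grep -v '[-].*' | sort -rV | head -n 1)
    if [ -z "$terraform_ver" ]; then
      echo "Error while resolving the latest Terraform version" >&2
      exit 150
    fi
  fi
  url="https://releases.hashicorp.com/terraform/$terraform_ver/terraform_${terraform_ver}_linux_amd64.zip"
  archive="/tmp/terraform_${terraform_ver}_linux_amd64.zip"
  echo "Downloading Terraform: $terraform_ver from $url"
  # -f makes curl fail on HTTP errors instead of saving an error page as the zip.
  # NOTE(review): the archive is fetched over TLS but its published checksum is
  # not verified before the binary is placed on PATH; consider adding that check.
  if ! curl -f -s -S -L -o "$archive" "$url"; then
    echo "Error while downloading Terraform $terraform_ver" >&2
    exit 150
  fi
  if ! unzip -d /usr/local/bin "$archive"; then
    echo "Error while unzipping Terraform $terraform_ver" >&2
    exit 151
  fi
  rm -f -- "$archive"
}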
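#######################################
# Run the accurics CLI (plan or scan mode) in the current directory.
# Arguments: $1 - extra CLI parameters, space-separated (word-split on purpose)
#            $2 - terraform plan arguments, space-separated (word-split on purpose)
# Globals:   reads INPUT_SCAN_MODE, INPUT_PIPELINE, TF_CLI_CONFIG_FILE;
#            sets ACCURICS_PLAN_ERR to the CLI's exit status
# Outputs:   mode information and CLI output on stdout
#######################################
run_accurics() {
  local params="$1"
  local plan_args="$2"
  local run_mode="plan"
  local pipeline_mode=""
  touch config
  terrascan version
  if [ "$INPUT_SCAN_MODE" = "scan" ]; then
    echo "running scan mode"
    run_mode="scan"
  else
    echo "running plan mode"
    accurics init
  fi
  echo "TF_CLI_CONFIG_FILE:$TF_CLI_CONFIG_FILE"
  echo "INPUT_PIPELINE=$INPUT_PIPELINE"
  if [ "$INPUT_PIPELINE" = "true" ]; then
    echo "running pipeline mode"
    pipeline_mode="-mode=pipeline"
  fi
  # params, plan_args and pipeline_mode are deliberately unquoted: they are
  # option lists that must be split into separate arguments (empty ones vanish).
  # shellcheck disable=SC2086
  accurics "$run_mode" $params $plan_args $pipeline_mode
  ACCURICS_PLAN_ERR=$?
}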
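#######################################
# Derive the action's exit code from the last accurics run and its report.
# Globals:   reads INPUT_FAIL_ON_ALL_ERRORS, INPUT_FAIL_ON_VIOLATIONS,
#            ACCURICS_PLAN_ERR, REPORT_NAME; sets EXIT_CODE and VIOLATIONS
# Returns:   EXIT_CODE is 0, 100 (CLI error propagated) or 101 (violations found);
#            101 takes precedence when both apply
#######################################
process_errors() {
  EXIT_CODE=0
  # Propagate a non-zero CLI status only when the caller asked for it.
  if [ "$INPUT_FAIL_ON_ALL_ERRORS" = "true" ] && [ "${ACCURICS_PLAN_ERR:-0}" -ne 0 ]; then
    EXIT_CODE=100
  fi
  # Violation count: second field of the first report line mentioning
  # "violation", trailing comma stripped. Empty when the report or key is missing.
  VIOLATIONS=$(grep violation "$REPORT_NAME" | head -1 | awk '{ print $2 }' | cut -d, -f1)
  if [ "$INPUT_FAIL_ON_VIOLATIONS" = "true" ]; then
    case "$VIOLATIONS" in
      '' | null | *[!0-9]*)
        # Not a number (missing report, "null" or garbage): cannot count violations.
        ;;
      *)
        [ "$VIOLATIONS" -gt 0 ] && EXIT_CODE=101
        ;;
    esac
  fi
}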
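#######################################
# Read one value from the JSON report by a key substring.
# Arguments: $1 - substring to search for (first matching line wins)
# Globals:   reads REPORT_NAME
# Outputs:   second whitespace-separated field of the first matching line with a
#            trailing comma stripped; empty when nothing matches
#######################################
_report_field() {
  grep "$1" "$REPORT_NAME" | head -1 | awk '{ print $2 }' | cut -d, -f1
}

#######################################
# Publish one step output for GitHub Actions.
# Arguments: $1 - output name, $2 - value
# Globals:   reads GITHUB_OUTPUT
# Outputs:   appends "name=value" to $GITHUB_OUTPUT when the runner provides it,
#            otherwise prints the legacy ::set-output workflow command on stdout
#######################################
_set_output() {
  if [ -n "$GITHUB_OUTPUT" ]; then
    printf '%s=%s\n' "$1" "$2" >> "$GITHUB_OUTPUT"
  else
    echo "::set-output name=$1::$2"
  fi
}

#######################################
# Publish the scan summary from the JSON report as step outputs.
# Globals:   reads VIOLATIONS, ACCURICS_REPO_NAME, REPORT_NAME, GITHUB_OUTPUT
# Outputs:   one step output per summary field (see _set_output)
#######################################
process_output() {
  local num_violations repo env_name num_resources high medium low native
  local inherited drift iac_drift cloud_drift has_errors
  num_violations=$VIOLATIONS
  repo=$ACCURICS_REPO_NAME
  # envName is a string: take what sits between the second pair of quotes.
  env_name=$(grep envName "$REPORT_NAME" | head -1 | cut -d\" -f4)
  num_resources=$(_report_field resources)
  high=$(_report_field high)
  medium=$(_report_field medium)
  low=$(_report_field low)
  native=$(_report_field native)
  inherited=$(_report_field inherit)
  # NOTE(review): these are substring matches on the raw JSON text, so "drift"
  # resolves to whichever drift key appears first in the report — confirm the
  # report's key order if the numbers look wrong.
  drift=$(_report_field drift)
  iac_drift=$(_report_field iacdrift)
  cloud_drift=$(_report_field clouddrift)
  has_errors=$(_report_field HasErrors)
  _set_output env-name "$env_name"
  _set_output repo "$repo"
  _set_output num-violations "$num_violations"
  _set_output num-resources "$num_resources"
  _set_output high "$high"
  _set_output medium "$medium"
  _set_output low "$low"
  _set_output native "$native"
  _set_output inherited "$inherited"
  _set_output drift "$drift"
  # Fix: the previous version echoed the undefined $iacdrift / $clouddrift,
  # so these two outputs were always empty.
  _set_output iacdrift "$iac_drift"
  _set_output clouddrift "$cloud_drift"
  _set_output has-errors "$has_errors"
}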
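# Entry point: inputs arrive as twelve positional arguments (see process_args).
# Debug mode enables command tracing before anything else runs.
INPUT_DEBUG_MODE=$1
[ "$INPUT_DEBUG_MODE" = "true" ] && set -x
process_args "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9" "${10}" "${11}" "${12}"
install_terraform "$INPUT_TERRAFORM_VERSION"
# Exit status used when INPUT_DIRECTORIES is empty and no directory is scanned.
EXIT_CODE=0
# INPUT_DIRECTORIES is a whitespace-separated list: word-splitting is intended.
for d in $INPUT_DIRECTORIES; do
  # A missing directory must not silently run the scan from the wrong place.
  if ! cd "$d"; then
    echo "Error: cannot change to directory: $d" >&2
    exit 152
  fi
  run_params=""
  echo "======================================================================"
  echo " Running the Accurics Action for directory: "
  echo " $d"
  echo "======================================================================"
  run_accurics "$run_params" "$INPUT_PLAN_ARGS"
  echo "======================================================================"
  echo " Done!"
  echo "======================================================================"
  cd - || exit 152
  process_errors
  process_output
  # Stop at the first directory that yields a failure.
  [ "$EXIT_CODE" -ne 0 ] && break
done
exit "$EXIT_CODE"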