From cb8a43d859ff2afff1ac519cce7df6136e33ccaf Mon Sep 17 00:00:00 2001 From: Horia Gunica Date: Wed, 13 Dec 2023 09:59:45 +0200 Subject: [PATCH] Added chatops and pre-commit update depedency files --- .github/workflows/apply-command.yml | 53 ++++++++++++++ .github/workflows/chatops.yml | 87 +++++++++++++++++++++++ .github/workflows/help-command.yml | 67 +++++++++++++++++ .github/workflows/idempotence-command.yml | 53 ++++++++++++++ .github/workflows/plan-command.yml | 52 ++++++++++++++ .github/workflows/pre-commit-update.yml | 34 +++++++++ .github/workflows/sca-command.yml | 79 ++++++++++++++++++++ .github/workflows/validate-command.yml | 53 ++++++++++++++ 8 files changed, 478 insertions(+) create mode 100644 .github/workflows/apply-command.yml create mode 100644 .github/workflows/chatops.yml create mode 100644 .github/workflows/help-command.yml create mode 100644 .github/workflows/idempotence-command.yml create mode 100644 .github/workflows/plan-command.yml create mode 100644 .github/workflows/pre-commit-update.yml create mode 100644 .github/workflows/sca-command.yml create mode 100644 .github/workflows/validate-command.yml diff --git a/.github/workflows/apply-command.yml b/.github/workflows/apply-command.yml new file mode 100644 index 00000000..ea7b85a4 --- /dev/null +++ b/.github/workflows/apply-command.yml @@ -0,0 +1,53 @@ +name: ChatOPS Apply +run-name: "On demand Apply test for PR - (#${{ github.event.inputs.pr-id }}) ${{ github.event.inputs.pr-title }}" + +permissions: + contents: read + +concurrency: chatops-apply + +on: + workflow_dispatch: + inputs: + paths: + description: Space delimited list of module paths to test + type: string + required: true + tf_version: + description: Terraform versions to use for tests, comma-separated list + type: string + pr-id: + description: ID of the PR that triggered this workflow + type: string + required: true + pr-title: + description: Title of the PR that triggered this workflow + type: string + required: true + comment-id: + description: 'The comment-id of the slash command' + type: string + required: true + branch: + description: Branch on which the tests should run + type: string + default: main + +jobs: + test: + name: Run apply test + permissions: + contents: read + pull-requests: write + id-token: write + uses: PaloAltoNetworks/terraform-modules-vmseries-ci-workflows/.github/workflows/test_command.yml@v2.3 + secrets: inherit + with: + cloud: azure + paths: ${{ inputs.paths }} + tf_version: ${{ inputs.tf_version }} + pr-id: ${{ inputs.pr-id }} + comment-id: ${{ inputs.comment-id }} + branch: ${{ inputs.branch }} + terratest_action: Apply + apply_timeout: 60 \ No newline at end of file diff --git a/.github/workflows/chatops.yml b/.github/workflows/chatops.yml new file mode 100644 index 00000000..4fc21416 --- /dev/null +++ b/.github/workflows/chatops.yml @@ -0,0 +1,87 @@ +name: ChatOPS dispatcher +run-name: "ChatOPS bot for PR - (#${{ github.event.issue.number }}) ${{ github.event.issue.title }}" + +permissions: + contents: read + +on: + issue_comment: + types: [created] + +concurrency: + group: chat-${{ github.event.issue.number }} + cancel-in-progress: true + +jobs: + dispatch: + name: Dispatch a test job + if: ${{ github.event.issue.pull_request }} + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + steps: + - name: get PR head branch + uses: actions/github-script@v6 + id: pr + with: + result-encoding: string + script: | + let pr = await github.rest.pulls.get({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: context.issue.number, + }) + console.log(pr.data.head.ref) + return pr.data.head.ref + + - name: Generate GitHub token + id: generate-token + uses: tibdex/github-app-token@v2 + with: + app_id: ${{ secrets.CHATOPS_APP_ID }} + private_key: ${{ secrets.CHATOPS_APP_PRIVATE_KEY }} + installation_retrieval_mode: id + installation_retrieval_payload: ${{ secrets.CHATOPS_APP_INSTALLATION_ID }} + + - name: "dispatch test command on branch: ${{ steps.pr.outputs.result }}" + id: scd + uses: peter-evans/slash-command-dispatch@v3 + with: + token: ${{ steps.generate-token.outputs.token }} + issue-type: pull-request + dispatch-type: workflow + permission: maintain + commands: | + validate + plan + apply + idempotence + sca + help + static-args: | + comment-id=${{ github.event.comment.id }} + pr-id=${{ github.event.issue.number }} + pr-title=${{ github.event.issue.title }} + branch=${{ steps.pr.outputs.result }} + + - name: Edit comment with error message + if: steps.scd.outputs.error-message + uses: peter-evans/create-or-update-comment@v3 + with: + comment-id: ${{ github.event.comment.id }} + body: | + > ${{ steps.scd.outputs.error-message }} + reactions: '-1' + reactions-edit-mode: replace + + - name: Concurency ratio fallback + if: cancelled() + uses: peter-evans/create-or-update-comment@v3 + with: + comment-id: ${{ github.event.comment.id }} + body: | + > ChatOPS run cancelled. + > See [job run log](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for details. + reactions: 'confused' + reactions-edit-mode: replace \ No newline at end of file diff --git a/.github/workflows/help-command.yml b/.github/workflows/help-command.yml new file mode 100644 index 00000000..8ebfeb7a --- /dev/null +++ b/.github/workflows/help-command.yml @@ -0,0 +1,67 @@ +name: ChatOPS Help +run-name: "Display ChatOPS help (#${{ github.event.inputs.pr-id }}) ${{ github.event.inputs.pr-title }}" + +on: + workflow_dispatch: + inputs: + pr-id: + description: ID of the PR that triggered this workflow + type: string + required: true + pr-title: + description: Title of the PR that triggered this workflow + type: string + required: true + comment-id: + description: 'The comment-id of the slash command' + type: string + required: true + branch: + description: Branch on which the tests should run + type: string + default: main + +jobs: + help: + name: Add help comment to originating PR + permissions: + contents: read + pull-requests: write + runs-on: ubuntu-latest + steps: + - name: add help comment + uses: peter-evans/create-or-update-comment@v3 + with: + comment-id: ${{ inputs.comment-id }} + issue-number: ${{ inputs.pr-id }} + body: | + + ## ChatOPS built in help: + + Currently supported commands include: + + * `/sca` - run all SCA tests via `pre-commit` + * `/validate` - run `terraform validate` + * `/plan` - plan the infrastructure (only examples) + * `/apply` - deploy the infrastructure and destroy afterwards (only examples) + * `/idempotence` - test idempotence: deploy, plan and destroy afterwards (only examples). + + The 1st command does not take arguments, the remaining take two: + + * `paths` - a space delimitied list of module paths + * `tf_version` - (optional, defaults to the latest available) a space delimited list of Terraform versions to test the infrastrucure against. + + Examples: + + ```bash + # run idempotence tests on listed modules with Terraform versions: 1.2 (latest patch available), 1.4 (latest patch available), 1.5.4. + /idempotence paths="examples/common_vmseries examples/panorama_standalone" tf_version="1.2 1.4 1.5.4" + ``` + + ```bash + # run validation tests with the latest available Terraform version on listed modules. + /validate paths="modules/vmseries modules/vnet examples/dedicated_vmseries" + ``` + + reactions: '+1' + reactions-edit-mode: replace \ No newline at end of file diff --git a/.github/workflows/idempotence-command.yml b/.github/workflows/idempotence-command.yml new file mode 100644 index 00000000..3c428b1b --- /dev/null +++ b/.github/workflows/idempotence-command.yml @@ -0,0 +1,53 @@ +name: ChatOPS Idempotence +run-name: "On demand Idempotence test for PR - (#${{ github.event.inputs.pr-id }}) ${{ github.event.inputs.pr-title }}" + +permissions: + contents: read + +concurrency: chatops-apply + +on: + workflow_dispatch: + inputs: + paths: + description: Space delimited list of module paths to test + type: string + required: true + tf_version: + description: Terraform versions to use for tests, comma-separated list + type: string + pr-id: + description: ID of the PR that triggered this workflow + type: string + required: true + pr-title: + description: Title of the PR that triggered this workflow + type: string + required: true + comment-id: + description: 'The comment-id of the slash command' + type: string + required: true + branch: + description: Branch on which the tests should run + type: string + default: main + +jobs: + test: + name: Run idempotence test + permissions: + contents: read + pull-requests: write + id-token: write + uses: PaloAltoNetworks/terraform-modules-vmseries-ci-workflows/.github/workflows/test_command.yml@v2.3 + secrets: inherit + with: + cloud: azure + paths: ${{ inputs.paths }} + tf_version: ${{ inputs.tf_version }} + pr-id: ${{ inputs.pr-id }} + comment-id: ${{ inputs.comment-id }} + branch: ${{ inputs.branch }} + terratest_action: Idempotence + apply_timeout: 60 \ No newline at end of file diff --git a/.github/workflows/plan-command.yml b/.github/workflows/plan-command.yml new file mode 100644 index 00000000..7ddf1274 --- /dev/null +++ b/.github/workflows/plan-command.yml @@ -0,0 +1,52 @@ +name: ChatOPS Plan +run-name: "On demand Plan test for PR - (#${{ github.event.inputs.pr-id }}) ${{ github.event.inputs.pr-title }}" + +permissions: + contents: read + +concurrency: chatops-plan + +on: + workflow_dispatch: + inputs: + paths: + description: Space delimited list of module paths to test + type: string + required: true + tf_version: + description: Terraform versions to use for tests, comma-separated list + type: string + pr-id: + description: ID of the PR that triggered this workflow + type: string + required: true + pr-title: + description: Title of the PR that triggered this workflow + type: string + required: true + comment-id: + description: 'The comment-id of the slash command' + type: string + required: true + branch: + description: Branch on which the tests should run + type: string + default: main + +jobs: + test: + name: Run plan test + permissions: + contents: read + pull-requests: write + id-token: write + uses: PaloAltoNetworks/terraform-modules-vmseries-ci-workflows/.github/workflows/test_command.yml@v2.3 + secrets: inherit + with: + cloud: azure + paths: ${{ inputs.paths }} + tf_version: ${{ inputs.tf_version }} + pr-id: ${{ inputs.pr-id }} + comment-id: ${{ inputs.comment-id }} + branch: ${{ inputs.branch }} + terratest_action: Plan \ No newline at end of file diff --git a/.github/workflows/pre-commit-update.yml b/.github/workflows/pre-commit-update.yml new file mode 100644 index 00000000..53f0d496 --- /dev/null +++ b/.github/workflows/pre-commit-update.yml @@ -0,0 +1,34 @@ +name: Pre-Commit update +run-name: "Update Pre-Commit dependencies" + +permissions: + contents: write + pull-requests: write + +on: + workflow_dispatch: + schedule: + - cron: 0 1 1 * * # 1am of every 1st day of every month + +jobs: + update: + name: "Update Pre-Commit dependencies" + uses: PaloAltoNetworks/terraform-modules-vmseries-ci-workflows/.github/workflows/_pre-commit-update.yml@v2.3 + + pre-commit: + name: Run Pre-Commit with the udpated config + needs: [update] + if: needs.update.outputs.pr_operation == 'created' || needs.update.outputs.pr_operation == 'updated' + uses: PaloAltoNetworks/terraform-modules-vmseries-ci-workflows/.github/workflows/_pre_commit.yml@v2.3 + with: + pre-commit-hooks: terraform_fmt terraform_docs terraform_tflint checkov + branch: pre-commit-dependencies-update + + comment-pr: + name: Give comment on the PR if pre-commit failed + needs: [pre-commit, update] + if: always() && (needs.pre-commit.result == 'failure' || needs.pre-commit.result == 'success') + uses: PaloAltoNetworks/terraform-modules-vmseries-ci-workflows/.github/workflows/_comment_pr.yml@v2.3 + with: + pr_number: ${{ needs.update.outputs.pr_number }} + job_result: ${{ needs.pre-commit.result }} \ No newline at end of file diff --git a/.github/workflows/sca-command.yml b/.github/workflows/sca-command.yml new file mode 100644 index 00000000..78d92433 --- /dev/null +++ b/.github/workflows/sca-command.yml @@ -0,0 +1,79 @@ +name: ChatOPS SCA +run-name: "On demand SCA test for PR - (#${{ github.event.inputs.pr-id }}) ${{ github.event.inputs.pr-title }}" + +permissions: + contents: read + +on: + workflow_dispatch: + inputs: + pr-id: + description: ID of the PR that triggered this workflow + type: string + required: true + pr-title: + description: Title of the PR that triggered this workflow + type: string + required: true + comment-id: + description: 'The comment-id of the slash command' + type: string + required: true + branch: + description: Branch on which the tests should run + type: string + default: main + +jobs: + init: + name: Add a comment to originating PR with job ID + permissions: + contents: read + pull-requests: write + runs-on: ubuntu-latest + outputs: + paths: ${{ steps.paths_reformat.outputs.paths }} + steps: + - name: add comment + uses: peter-evans/create-or-update-comment@v3 + with: + comment-id: ${{ inputs.comment-id }} + issue-number: ${{ inputs.pr-id }} + body: | + > Testing job ID: [${{ github.run_id }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) + + - name: reformat paths input property + id: paths_reformat + env: + IN_PATHS: ${{ inputs.paths }} + run: echo "paths=$(echo $IN_PATHS | tr " " "," )" >> $GITHUB_OUTPUT + + test: + name: Run SCA test + needs: init + permissions: + contents: read + uses: PaloAltoNetworks/terraform-modules-vmseries-ci-workflows/.github/workflows/_pre_commit.yml@v2.3 + secrets: inherit + with: + pre-commit-hooks: terraform_fmt terraform_docs terraform_tflint checkov + branch: ${{ inputs.branch }} + + finish_comment_pr: + name: Add a comment to originating PR + needs: test + if: always() + permissions: + contents: read + pull-requests: write + runs-on: ubuntu-latest + steps: + - name: add comment + uses: peter-evans/create-or-update-comment@v3 + with: + comment-id: ${{ inputs.comment-id }} + issue-number: ${{ inputs.pr-id }} + body: | + > Job result: ${{ needs.test.result == 'success' && 'SUCCESS' || 'FAILURE' }} + reactions: ${{ needs.test.result == 'success' && '+1' || '-1' }} + reactions-edit-mode: replace \ No newline at end of file diff --git a/.github/workflows/validate-command.yml b/.github/workflows/validate-command.yml new file mode 100644 index 00000000..4233716f --- /dev/null +++ b/.github/workflows/validate-command.yml @@ -0,0 +1,53 @@ +name: ChatOPS Validate +run-name: "On demand Validate test for PR - (#${{ github.event.inputs.pr-id }}) ${{ github.event.inputs.pr-title }}" + +permissions: + contents: read + +on: + workflow_dispatch: + inputs: + paths: + description: Space delimited list of module paths to test + type: string + required: true + tf_version: + description: Terraform versions to use for tests, comma-separated list + type: string + pr-id: + description: ID of the PR that triggered this workflow + type: string + required: true + pr-title: + description: Title of the PR that triggered this workflow + type: string + required: true + comment-id: + description: 'The comment-id of the slash command' + type: string + required: true + branch: + description: Branch on which the tests should run + type: string + default: main + +jobs: + test: + name: Run validate test + concurrency: + group: chatops-validate-${{ github.event.issue.number }} + cancel-in-progress: true + permissions: + contents: read + pull-requests: write + id-token: write + uses: PaloAltoNetworks/terraform-modules-vmseries-ci-workflows/.github/workflows/test_command.yml@v2.3 + secrets: inherit + with: + cloud: azure + paths: ${{ inputs.paths }} + tf_version: ${{ inputs.tf_version }} + pr-id: ${{ inputs.pr-id }} + comment-id: ${{ inputs.comment-id }} + branch: ${{ inputs.branch }} + terratest_action: Validate \ No newline at end of file