-
Notifications
You must be signed in to change notification settings - Fork 1
64 lines (60 loc) · 2.97 KB
/
audit-account.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
name: Audit Account
on:
schedule:
- cron: "0 16 * * 1" # Every Monday at 1600 UTC
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.event.ref }}
cancel-in-progress: false
permissions:
id-token: write
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: set variable values
run: ./.github/build_vars.sh set_values
env:
AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
AWS_OIDC_ROLE_TO_ASSUME: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_OIDC_ROLE_TO_ASSUME] || secrets.AWS_OIDC_ROLE_TO_ASSUME }}
- name: Configure AWS credentials for GitHub Actions
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ env.AWS_OIDC_ROLE_TO_ASSUME }}
aws-region: ${{ env.AWS_DEFAULT_REGION }}
- name: Collect resources from account
run: pushd .github && aws resourcegroupstaggingapi get-resources > resources.json
- name: List active resources created by CI pipeline
run: pushd .github && ./audit-account.sh ci_active resources.json
- name: List orphaned resources created by CI pipeline
run: pushd .github && ./audit-account.sh ci_inactive resources.json
- name: List resources created by Cloudformation but not from CI pipeline
run: pushd .github && ./audit-account.sh cf_other resources.json
- name: List untagged resources
run: pushd .github && ./audit-account.sh untagged resources.json
- name: Create reports dir
run: pushd .github && mkdir -p reports
- name: Assemble CSV files
run: |
#!/bin/bash
pushd .github
echo "Reports with no entries will be omitted"
CI_ACTIVE="$(./audit-account.sh ci_active resources.json)"
[[ $(jq -r 'length' <<< "${CI_ACTIVE}") -gt 0 ]] && jq -r '(.[0]
| keys_unsorted) as $keys | $keys, map([.[ $keys[] ]])[] | @csv' <<< "${CI_ACTIVE}" > reports/ci_active.csv || :
CI_INACTIVE="$(./audit-account.sh ci_inactive resources.json)"
[[ $(jq -r 'length' <<< "${CI_INACTIVE}") -gt 0 ]] && jq -r '(.[0]
| keys_unsorted) as $keys | $keys, map([.[ $keys[] ]])[] | @csv' <<< "${CI_INACTIVE}" > reports/ci_inactive.csv || :
CF_OTHER="$(./audit-account.sh cf_other resources.json)"
[[ $(jq -r 'length' <<< "${CF_OTHER}") -gt 0 ]] && jq -r '(.[0]
| keys_unsorted) as $keys | $keys, map([.[ $keys[] ]])[] | @csv' <<< "${CF_OTHER}" > reports/cf_other.csv || :
UNTAGGED="$(./audit-account.sh untagged resources.json)"
[[ $(jq -r 'length' <<< "${UNTAGGED}") -gt 0 ]] && jq -r '(.[0]
| keys_unsorted) as $keys | $keys, map([.[ $keys[] ]])[] | @csv' <<< "${UNTAGGED}" > reports/untagged.csv || :
- name: Upload reports
uses: actions/upload-artifact@v4
with:
name: resource-reports
path: .github/reports/
retention-days: 14