Feat/andrews actions

discover-changed/README.md

@@ -0,0 +1,3 @@
+# Discover Changed
+
+TODO

discover-changed/action.yml

@@ -0,0 +1,37 @@
+name: Discover Changed Targets
+description: Discovers a list of targets
+inputs:
+  targets:
+    description: A list of target folders to check. This should be a newline-delimited string of targets.
+    required: true
+outputs:
+  matrix:
+    description: A list of targets. This will be a JSON formatted array.
+    value: ${{ steps.set-matrix.outputs.matrix }}
+runs:
+  using: composite
+  steps:
+    - name: Get Changed Files
+      id: files
+      uses: tj-actions/changed-files@v34
+      with:
+        files: ${{ inputs.targets }}
+
+    - name: List Changed Files
+      id: set-matrix
+      shell: bash
+      run: |
+        folders=()
+        files="${{ steps.files.outputs.all_modified_files }}"
+        targets=(${{ inputs.targets }})
+        printf "files: %s\n" "${files}"
+        printf "targets: %s\n" "${targets[@]}"
+        if [ ! -z "$files" ]; then
+          for file in $files[@]; do
+            folders+=($(echo $file | cut -d'/' -f2))
+          done
+        fi
+
+        output="$(echo "${folders[@]}" | tr ' ' '\n' | sort -u | xargs echo -n | jq -R -s -c 'split(" ")')"
+        echo "matrix=${output}"        
+        echo "matrix=${output}" >> $GITHUB_OUTPUT

discover-filename/README.md

@@ -0,0 +1,3 @@
+# Discover Filename
+
+TODO

discover-filename/action.yml

@@ -0,0 +1,35 @@
+name: Discover Filenames Targets
+description: Discovers a list of targets
+inputs:
+  targets:
+    description: A list of target folders to check. This should be a newline-delimited string of targets.
+    required: true
+  filename:
+    description: The filename to discover
+    required: true
+outputs:
+  matrix:
+    description: A list of targets. This will be a JSON formatted array.
+    value: ${{ steps.set-matrix.outputs.matrix }}
+runs:
+  using: composite
+  steps:
+    - name: Set Matrix
+      id: set-matrix
+      shell: bash
+      run: |
+        folders=()
+        targets=(${{ inputs.targets }})
+        printf "filename: %s\n" ${{ inputs.filename }}
+        printf "targets: %s\n" "${targets[@]}"
+        for target in "${targets[@]}"; do
+          files=()
+          cd $(dirname $target)
+          for file in $(find $(basename $target) -mindepth 1 -name ${{ inputs.filename }}); do 
+            folders+=($(dirname $file))
+          done
+        done
+
+        output="$(echo "${folders[@]}" | tr ' ' '\n' | sort -u | xargs echo -n | jq -R -s -c 'split(" ")')"
+        echo "matrix=${output}"
+        echo "matrix=${output}" >> $GITHUB_OUTPUT

git-config-pat/README.md

@@ -0,0 +1,3 @@
+# Configure PAT
+
+TODO

git-config-pat/action.yml

@@ -0,0 +1,23 @@
+name: Git Config With PAT
+description: Git config global for use with PAT
+inputs:
+  token:
+    description: "GitHub API token. Used to query for pull request commits."
+    required: true
+outputs:
+  gitconfig:
+    description: The path to the .gitconfig file being configured
+    value: ${{ steps.git-config.outputs.gitconfig }}
+runs:
+  using: composite
+  steps:
+    - name: Git Config For Private Repo
+      shell: bash
+      id: git-config
+      env:
+        GH_PAT: ${{ inputs.token }}
+      run: |
+        git config --global url."https://${GITHUB_ACTOR}:${GH_PAT}@github.com".insteadOf ssh://[email protected]
+
+        echo "gitconfig=${HOME}/.gitconfig"
+        echo "gitconfig=${HOME}/.gitconfig" >> $GITHUB_OUTPUT

github-download-release/action.yml

@@ -0,0 +1,87 @@
+name: Github Download Release
+description: Downloads the specified release using curl
+inputs:
+  token:
+    description: "GitHub API token. Used to query for pull request commits."
+    required: true
+  owner:
+    description: The repo owner
+    required: true
+  repo:
+    description: The repo name
+    required: true
+  release:
+    description: The release tag or number
+    required: true
+  format-ext:
+    description: The type of archive
+    required: false
+    default: linux_amd64.tar.gz
+  file:
+    description: The explicit filename to use ... format-ext will be ignored.
+    required: false
+outputs:
+  filename:
+    description: The name of the downloaded tarball
+    value: ${{ steps.download-asset.outputs.filename }}
+runs:
+  using: composite
+  steps:
+
+    - name: CURL Download Asset
+      shell: bash
+      id: download-asset
+      env:
+        GH_PAT: ${{ inputs.token }}
+        GITHUB_REPO: ${{ inputs.repo }}
+        GITHUB_REPO_OWNER: ${{ inputs.owner }}
+        RELEASE_NAME: ${{ inputs.release }}
+        DOWNLOAD_FORMAT_EXT: ${{ inputs.format-ext }}
+        FILE: ${{ inputs.file }}
+      run: |
+        function gh_curl_releases() { 
+          local base_url="https://${GITHUB_API_URL}"
+          curl -H "Authorization: token ${GH_PAT}" -H "Accept: application/vnd.github.v3.raw" -o releases.tmp.json ${base_url}$@
+        }
+
+        function gh_curl_asset() { 
+          local base_url="https://${GH_PAT}:@${GITHUB_API_URL}"
+          curl -sL -H "Authorization: token ${GH_PAT}" -H "Accept: application/octet-stream" ${base_url}$@
+        }
+
+        export RELEASE_TAG=$(echo "${RELEASE_NAME}" | sed s/^v//g)
+        export REPO="${GITHUB_REPO_OWNER}/${GITHUB_REPO}"
+        export FILE_DEFAULT="${GITHUB_REPO}_${RELEASE_TAG}_${DOWNLOAD_FORMAT_EXT}"
+        [ -z "$FILE" -o "${FILE}x" = "x" ] && export FILE="$FILE_DEFAULT"
+
+        if [ "$RELEASE_NAME" = "latest" ]; then
+          # Github should return the latest release first.
+          JQ_PARSER_ASSET_ID=".[0].assets | map(select(.name == \"$FILE\"))[0].id"
+        else
+          JQ_PARSER_ASSET_ID=". | map(select(.tag_name == \"$RELEASE_NAME\"))[0].assets | map(select(.name == \"$FILE\"))[0].id"
+        fi
+
+        printf "Getting asset id from '%s' ...\n" "https://${GITHUB_API_URL}/repos/${REPO}/releases"
+        gh_curl_releases "/repos/${REPO}/releases"
+        ASSET_ID=$(cat releases.tmp.json | jq "$JQ_PARSER_ASSET_ID")
+        if [ -z "$ASSET_ID" -o "$ASSET_ID" = "null" ]; then
+          echo "ERROR: version not found $RELEASE_NAME" >&2
+          exit 1
+        fi
+
+        printf "Getting asset '%s' ...\n" "$ASSET_ID"
+        URL_BASE_PATH="/repos/${REPO}/releases"
+        gh_curl_asset "/repos/${REPO}/releases/assets/${ASSET_ID}" > $FILE
+
+        ls -lah $FILE
+
+        echo "filename=${FILE}"
+        echo "filename=${FILE}" >> $GITHUB_OUTPUT
+
+        ASSET_URL="https://${GITHUB_API_URL}/repos/${REPO}/releases/assets/${ASSET_ID}"
+        echo "asset=${ASSET_URL}"
+        echo "asset=${ASSET_URL}" >> $GITHUB_OUTPUT
+
+        WEB_URL="https://github.com/${REPO}/releases/download/${RELEASE_NAME}/${FILE}"
+        echo "web=${WEB_URL}"
+        echo "web=${WEB_URL}" >> $GITHUB_OUTPUT

replace-secret-and-base64-encode/action.yml

@@ -0,0 +1,38 @@
+name: Replace Secret and Base64 Encode
+description: Replaces the secret token and base64 encodes to string
+inputs:
+  token:
+    description: The secret token to replace
+    required: true
+  file:
+    description: The name of the specific account to use
+    required: true
+  replace-key-entropy:
+    description: openssl rand -hex <entropy>
+    required: false
+    default: "8"
+outputs:
+  base64-encoded:
+    description: The base64 encoded file with pat replaced
+    value: ${{ steps.encode.outputs.base64-encoded }}
+  replacement-key:
+    description: The pat replacement key
+    value: ${{ steps.encode.outputs.replacement-key }}
+
+runs:
+  using: composite
+  steps:
+    - name: Base64 Encode File
+      shell: bash
+      env:
+        FILE_PATH: ${{ inputs.file }}
+      id: encode
+      run: |
+        big_rand="$(openssl rand -hex ${{ inputs.replace-key-entropy }})" || { print "There was a problem openssl. Exiting ...\n" >&2; exit 1; }
+        encoded=$(echo $(cat "${FILE_PATH}" | sed "s/${{ inputs.token }}/${big_rand}/g" | base64))
+
+        echo "base64-encoded=$(echo ${encoded})"
+        echo "base64-encoded=$(echo ${encoded})" >> $GITHUB_OUTPUT
+
+        echo "replacement-key=${big_rand}"
+        echo "replacement-key=${big_rand}" >> $GITHUB_OUTPUT

terraform-compliance-terragrunt/README.md

@@ -0,0 +1,3 @@
+# Terraform Compliance with Terragrunt
+
+TODO

terraform-compliance-terragrunt/action.yml

@@ -0,0 +1,77 @@
+name: AWS Terraform Compliance
+description: Checks terraform complicance with aws
+inputs:
+  target-folder:
+    description: The target folder
+    required: true
+  subfolders:
+    description: A space delimited list of sub-folders with terragrunt.hcl files
+    required: false
+    default: ""
+  planfile:
+    description: Name of plan file
+    required: true
+  features:
+    description: Features dir or repo
+    required: false
+    default: git:https://github.com/terraform-compliance/user-friendly-features.git
+  options:
+    description: Optional parameters (https://terraform-compliance.com/pages/usage/)
+    required: false
+    default: |
+      -n
+runs:
+  using: composite
+  steps:
+    - name: Install Terraform Compliance
+      shell: bash
+      run: pip install terraform-compliance
+
+    - name: Terraform Compliance
+      id: compliance
+      shell: bash
+      env:
+        TARGET_FOLDER: ${{ inputs.target-folder }}
+        SUBFOLDERS: ${{ inputs.subfolders }}
+        COMPLIANCE_COMMAND_OPTS: ${{ inputs.options }}
+        PLAN_FILE: ${{ inputs.planfile }}
+        COMPLIANCE_FEATURES: ${{ inputs.features }}
+      run: |
+        export TARGET_FOLDER="${TARGET_FOLDER:-.}"
+        export SUBFOLDERS="${SUBFOLDERS:-.}"
+        export SUBFOLDERS=($SUBFOLDERS)
+
+        # Use $RANDOM to avoid naming collisions
+        export RANDOM_PLAN_FILE="${PLAN_FILE}.${RANDOM}"
+        export RANDOM_PLAN_FILE_JSON="${RANDOM_PLAN_FILE}.json"
+        command_opts=(
+         -p "${RANDOM_PLAN_FILE_JSON}"
+         -f "${COMPLIANCE_FEATURES}"
+        )
+        for param in "${COMPLIANCE_COMMAND_OPTS[@]}"; do command_opts+=($param); done
+        export COMPLIANCE_COMMAND_OPTS="${command_opts[@]}"
+        export COMPLIANCE_COMMAND=terraform-compliance
+
+        cd $TARGET_FOLDER
+
+        printf "Current Target: %s\n" "$(pwd)"
+
+        for folder in "${SUBFOLDERS[@]}"; do
+          fulldir="${TARGET_FOLDER}/${folder}"
+          echo "##################################################################################################################"
+          echo "TERRAFORM COMPLIANCE PATH ${fulldir}"
+          echo "##################################################################################################################"
+          pushd $folder
+          printf "Current Subfolder: %s\n" "$(pwd)"
+          ls -l
+          [ -f "${PLAN_FILE}" ] || terragrunt plan -lock=false --out "${PLAN_FILE}"
+          printf "Renaming '%s' to '%s' ...\n" "${PLAN_FILE}" "${RANDOM_PLAN_FILE}"
+          mv "${PLAN_FILE}" "${RANDOM_PLAN_FILE}"
+          printf "Creating json planfile '%s' ...\n" "${RANDOM_PLAN_FILE_JSON}"
+          terragrunt show -json "${RANDOM_PLAN_FILE}" > "${RANDOM_PLAN_FILE_JSON}"
+          printf "Running '%s' ...\n" "${COMPLIANCE_COMMAND} ${COMPLIANCE_COMMAND_OPTS[@]}"
+          ${COMPLIANCE_COMMAND} ${COMPLIANCE_COMMAND_OPTS[@]}
+          echo "##################################################################################################################"
+          rm "${RANDOM_PLAN_FILE_JSON}"
+          popd
+        done

terraform-compliance-terragrunt/docker/Dockerfile

@@ -0,0 +1,19 @@
+ARG TERRAFORM_COMPLIANCE_VERSION=latest
+
+ARG TERRAGRUNT_IMAGE_VERSION=latest
+FROM alpine/terragrunt:$TERRAGRUNT_IMAGE_VERSION as builder
+RUN which terragrunt >> /tmp/alpine_terragrunt_binaries && \
+    which terraform >> /tmp/alpine_terragrunt_binaries && \
+    mkdir -p /custom && \
+    for file in $(echo $(cat /tmp/alpine_terragrunt_binaries)); \
+    do \
+      mv $file /custom/; \
+    done
+
+FROM eerkunt/terraform-compliance:$TERRAFORM_COMPLIANCE_VERSION
+COPY --from=builder /custom/* /opt/bin/
+ENV PATH="/opt/bin:${PATH}"
+
+COPY entrypoint.sh /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]