chore: container hardening

cloud-gov · May 10, 2024 · 15eac35 · 15eac35
1 parent 1957031
commit 15eac35
Show file tree

Hide file tree

Showing 9 changed files with 133 additions and 150 deletions.
diff --git a/ci/partials/audit.yml b/ci/partials/audit.yml
@@ -0,0 +1,6 @@
+platform: linux
+inputs: [name: src]
+outputs: [name: src]
+run:
+  dir: src
+  path: ci/tasks/pip-audit.sh
diff --git a/ci/partials/build.yml b/ci/partials/build.yml
@@ -0,0 +1,10 @@
+platform: linux
+inputs:
+- name: src
+  path: .
+outputs:
+- name: image
+run:
+  path: build
+params:
+  BUILDKIT_SECRETTEXT_UA_TOKEN: ((ua-token))
diff --git a/ci/partials/deploy.yml b/ci/partials/deploy.yml
@@ -0,0 +1,7 @@
+platform: linux
+inputs:
+  - name: src
+  - name: image-repository
+run:
+  dir: src
+  path: ci/tasks/deploy.sh
diff --git a/ci/partials/restage.yml b/ci/partials/restage.yml
@@ -0,0 +1,5 @@
+platform: linux
+inputs: [name: src]
+run:
+  dir: src
+  path: ci/tasks/restage.sh
diff --git a/ci/partials/test.yml b/ci/partials/test.yml
@@ -0,0 +1,6 @@
+platform: linux
+inputs: [name: src]
+outputs: [name: src]
+run:
+  dir: src
+  path: ci/tasks/test.sh
diff --git a/ci/pipeline-dev.yml b/ci/pipeline-dev.yml
@@ -9,38 +9,6 @@ env-cf: &env-cf
   CF_ORG: gsa-18f-federalist
   CF_SPACE: ((deploy-env))
 
-python-image: &python-image
-  platform: linux
-  image_resource:
-    type: registry-image
-    source:
-      aws_access_key_id: ((ecr-aws-key))
-      aws_secret_access_key: ((ecr-aws-secret))
-      repository: pages-python-v3.11
-      aws_region: us-gov-west-1
-      tag: latest
-
-cf-image: &cf-image
-  platform: linux
-  image_resource:
-    type: registry-image
-    source:
-      aws_access_key_id: ((ecr-aws-key))
-      aws_secret_access_key: ((ecr-aws-secret))
-      repository: general-task
-      aws_region: us-gov-west-1
-      tag: latest
-
-test: &test
-  - task: test
-    config:
-      <<: *python-image
-      inputs: [name: src]
-      outputs: [name: src]
-      run:
-        dir: src
-        path: ci/tasks/test.sh
-
 ############################
 #  JOBS
 
@@ -72,8 +40,10 @@ jobs:
           status: pending
           base_context: concourse
           context: test-pages-build-container-((deploy-env))
-
-      - do: *test
+      - get: python
+      - task: test
+        image: python
+        file: src/ci/partials/test.yml
 
     on_success:
       put: src
@@ -108,41 +78,25 @@ jobs:
         resource: pr-((git-branch))
         trigger: true
         passed: [test-((deploy-env))]
+      - get: cf-image
+      - get: oci-build-task
       - task: build
         privileged: true
-        config:
-          platform: linux
-          image_resource:
-            type: registry-image
-            source:
-              repository: concourse/oci-build-task
-          inputs:
-          - name: src
-            path: .
-          outputs:
-          - name: image
-          run:
-            path: build
-          params:
-            BUILDKIT_SECRETTEXT_UA_TOKEN: ((ua-token))
-      - put: image-repository-((deploy-env))
+        image: oci-build-task
+        file: src/ci/partials/build.yml
+
+      - put: image-repository
         params:
           image: image/image.tar
       - task: deploy
-        config:
-          <<: *cf-image
-          inputs:
-            - name: src
-            - name: image-repository-((deploy-env))
-          run:
-            dir: src
-            path: ci/tasks/deploy.sh
+        image: cf-image
+        file: src/ci/partials/deploy.yml
         params:
           <<: *env-cf
           CF_APP_NAME: pages-build-container-((deploy-env))
           CF_MANIFEST: .cloudgov/manifest.yml
           CF_VARS_FILE: .cloudgov/vars/pages-((deploy-env)).yml
-          IMAGE_REPOSITORY: ../image-repository-((deploy-env))/repository
+          IMAGE_REPOSITORY: ../image-repository/repository
           IMAGE_TAG: pages-((deploy-env))
           CF_DOCKER_USERNAME: ((ecr-aws-key))
           CF_DOCKER_PASSWORD: ((ecr-aws-secret))
@@ -163,13 +117,10 @@ jobs:
         trigger: true
       - get: src
         resource: pr-((git-branch))
+      - get: cf-image
       - task: restage
-        config:
-          <<: *cf-image
-          inputs: [name: src]
-          run:
-            dir: src
-            path: ci/tasks/restage.sh
+        image: cf-image
+        file: src/ci/partials/restage.yml
         params:
           <<: *env-cf
           CF_APP_NAME: pages-build-container-((deploy-env))
@@ -207,14 +158,10 @@ jobs:
           base_context: concourse
           context: audit-dependencies
 
+      - get: python
       - task: pip-audit
-        config:
-          <<: *python-image
-          inputs: [name: src]
-          outputs: [name: src]
-          run:
-            dir: src
-            path: ci/tasks/pip-audit.sh
+        image: python
+        file: src/ci/partials/audit.yml
 
     on_failure:
       in_parallel:
@@ -278,7 +225,7 @@ resources:
     source:
       url: ((slack-webhook-url))
 
-  - name: image-repository-((deploy-env))
+  - name: image-repository
     type: registry-image
     source:
       aws_access_key_id: ((ecr-aws-key))
@@ -287,6 +234,33 @@ resources:
       aws_region: us-gov-west-1
       tag: pages-((deploy-env))
 
+  - name: python
+    type: registry-image
+    source:
+      aws_access_key_id: ((ecr-aws-key))
+      aws_secret_access_key: ((ecr-aws-secret))
+      repository: pages-python-v3.11
+      aws_region: us-gov-west-1
+      tag: latest
+
+  - name: cf-image
+    type: registry-image
+    source:
+      aws_access_key_id: ((ecr-aws-key))
+      aws_secret_access_key: ((ecr-aws-secret))
+      repository: general-task
+      aws_region: us-gov-west-1
+      tag: latest
+
+  - name: oci-build-task
+    type: registry-image
+    source:
+      aws_access_key_id: ((ecr-aws-key))
+      aws_secret_access_key: ((ecr-aws-secret))
+      repository: oci-build-task
+      aws_region: us-gov-west-1
+      tag: latest
+
 ############################
 #  RESOURCE TYPES