Update SAR source #921
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Update SAR source | |
| on: | |
| schedule: | |
| - cron: '0 12 * * *' | |
| workflow_dispatch: | |
| jobs: | |
| update: | |
| name: Update | |
| runs-on: macos-11 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v1 | |
| - name: Set up Cloud SDK | |
| uses: google-github-actions/setup-gcloud@v0 | |
| with: | |
| project_id: ${{ secrets.GCP_PROJECT_ID }} | |
| service_account_key: ${{ secrets.GCP_SA_KEY }} | |
| export_default_credentials: true | |
| credentials_file_path: gcreds | |
| - name: Azure Login | |
| uses: azure/login@v1 | |
| with: | |
| creds: ${{ secrets.AZURE_CREDENTIALS }} | |
| - name: Manual | |
| run: | | |
| curl https://raw.githubusercontent.com/duo-labs/parliament/main/utils/update_iam_data.py -o update_iam_data.py | |
| pip3 install bs4 requests pyyaml | |
| mkdir -p gcp/roles/ | |
| cd gcp | |
| rm -rf google-api-go-client | |
| git clone --depth 1 https://github.com/googleapis/google-api-go-client.git | |
| rm -rf google-api-go-client/.git | |
| cd .. | |
| gcloud iam roles list --show-deleted --format json > gcp/predefined_roles.json | |
| gcloud iam roles list --show-deleted --format json | jq -r '.[]|[.name,(.name | split("/")[-1])] | @tsv' | | |
| while IFS=$'\t' read -r name shortname; do | |
| echo "Writing $shortname.json" | |
| gcloud iam roles describe "$name" --format json > gcp/roles/$shortname.json || echo "Failure to write $shortname.json" | |
| done | |
| python3 util/gcp_get_methods.py || true | |
| python3 util/gcp_get_permissions.py || true | |
| python3 util/gcp_compare_datasources.py || true | |
| rm -rf gcp/google-api-go-client | |
| rm gcreds | |
| az provider operation list > azure/provider-operations.json | |
| az role definition list --query '[?roleType == `BuiltInRole`].{assignableScopes: assignableScopes, description: description, permissions: permissions, roleName: roleName, roleType: roleType, type: type}' > azure/built-in-roles-raw.json | |
| python3 util/azure_process_roles.py > azure/built-in-roles.json | |
| python3 update_iam_data.py > util/aws_js/iam_definition.json | |
| sleep 1 | |
| python3 util/aws_patch_iam_definition.py | |
| sleep 1 | |
| rm -rf docs/ update_iam_data.py | |
| # sudo apt -y install git nodejs | |
| git clone https://github.com/z0ph/MAMIP.git | |
| git clone https://github.com/primeharbor/sensitive_iam_actions.git | |
| python3 util/aws_add_managed_policies.py | |
| python3 util/aws_generate_tags.py | |
| cd util/aws_js | |
| npm i | |
| npm update aws-sdk | |
| node aws_add_docs.js | |
| cd ../.. | |
| rm -f aws/docs.json | |
| mv util/aws_js/docs.json aws/docs.json | |
| python3 util/aws_update_counts.py | |
| - name: Commit files | |
| env: | |
| BOT_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }} | |
| run: | | |
| set -eux | |
| git config --local user.email "githubbot@ian.mn" | |
| git config --local user.name "Ian Mckay [bot]" | |
| git add . | |
| git commit -m "Update SAR data" -a || exit 0 | |
| remote_repo="https://iann0036-bot:${BOT_GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" | |
| git push "${remote_repo}" HEAD:main |