From fbc1425da2ecafb17cecb924026e9b9714a35e42 Mon Sep 17 00:00:00 2001 From: "idan.nof" Date: Wed, 17 Jun 2026 12:12:46 +0300 Subject: [PATCH 1/4] COUN-4517: DSFKit | Add DRA v15.4.0.10 --- README.md | 10 +++++++++- modules/aws/core/globals/main.tf | 3 +++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 0c497294..40202566 100644 --- a/README.md +++ b/README.md @@ -650,6 +650,14 @@ The following table lists the _latest_ DSF Kit releases, their release date and AWS EBS volumes are now encrypted by default. To opt out, set 'encrypted = false' in the relevant '*_ebs_details' / 'ebs' variable. + + TBD + + TBD + + 1. Added internal support for DRA version 15.4. Set the variable ‘dra_version’ to 15.4 to use it. + + @@ -852,7 +860,7 @@ Restrictions on modules may apply - DRA4.17.0.104.11.0.10 - 15.3.0.10 + DRA4.17.0.104.11.0.10 - 15.4.0.10 diff --git a/modules/aws/core/globals/main.tf b/modules/aws/core/globals/main.tf index e7fe1cc0..9e1fc61b 100644 --- a/modules/aws/core/globals/main.tf +++ b/modules/aws/core/globals/main.tf @@ -52,6 +52,9 @@ locals { locals { dra_version_map = { + "15.4" = "15.4.0.10.0.3", + "15.4.0.10" = "15.4.0.10.0.3", + "15.3" = "15.3.0.10.0.16", "15.3.0.10" = "15.3.0.10.0.16", From 366d92ca624ec4b9ef07207032ea25b8beaf44d3 Mon Sep 17 00:00:00 2001 From: roiklorin Date: Wed, 17 Jun 2026 16:36:22 +0300 Subject: [PATCH 2/4] Add 'dra' as a valid deployment_type option in matrix --- .github/workflows/dsf_poc_cli.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/dsf_poc_cli.yml b/.github/workflows/dsf_poc_cli.yml index 46b94c39..f1601c75 100644 --- a/.github/workflows/dsf_poc_cli.yml +++ b/.github/workflows/dsf_poc_cli.yml @@ -46,7 +46,7 @@ on: default: false required: false deployment_type: - description: 'Choose the type of deployments to run: sonar-with-fam, all-products or all-permutations' + description: 'Choose the type of deployments to run: sonar-with-fam, all-products, all-permutations or dra' type: string default: 'all-permutations' required: false @@ -74,7 +74,7 @@ on: - 'dev' paths: - 'modules/aws/**' - - '!modules/aws/sonar-upgrader/*' + - '!modules/aws/sonar-upgrader/**' - '!modules/aws/statistics/*' - 'modules/null/**' - '!modules/null/statistics/*' @@ -106,7 +106,8 @@ jobs: MATRIX=$(jq -n --compact-output --arg var "$VAR" '{ "include": [ (if $var == "all-permutations" or $var == "all-products" then {"name":"DSF POC","workspace":"dsf_cli-all-","enable_sonar":true,"enable_ciphertrust":true,"enable_dam":true,"enable_dra":true} else empty end), - (if $var == "all-permutations" or $var == "sonar-with-fam" then {"name":"DSF POC - Sonar with FAM","workspace":"dsf_cli-sonar-with-fam-","enable_sonar":true,"enable_ciphertrust":true,"enable_dam":false,"enable_dra":false} else empty end) + (if $var == "all-permutations" or $var == "sonar-with-fam" then {"name":"DSF POC - Sonar with FAM","workspace":"dsf_cli-sonar-with-fam-","enable_sonar":true,"enable_ciphertrust":true,"enable_dam":false,"enable_dra":false} else empty end), + (if $var == "dra" then {"name":"DSF POC - DRA","workspace":"dsf_cli-dra-","enable_sonar":false,"enable_ciphertrust":false,"enable_dam":false,"enable_dra":true} else empty end) ] }') @@ -380,5 +381,3 @@ jobs: echo "Sleeping for $((DESTROY_DELAY_SECONDS / 60)) minutes before destroying the environment" sleep $DESTROY_DELAY_SECONDS fi - - From b147ce883a201406f7b69bb01af9156d9bc4b048 Mon Sep 17 00:00:00 2001 From: roiklorin Date: Wed, 17 Jun 2026 16:42:30 +0300 Subject: [PATCH 3/4] Add 'dra' as a valid deployment_type option in matrix for Azure --- .github/workflows/dsf_poc_cli_azure.yml | 757 ++++++++++++------------ 1 file changed, 379 insertions(+), 378 deletions(-) diff --git a/.github/workflows/dsf_poc_cli_azure.yml b/.github/workflows/dsf_poc_cli_azure.yml index 8ea15eb9..a18f6b39 100644 --- a/.github/workflows/dsf_poc_cli_azure.yml +++ b/.github/workflows/dsf_poc_cli_azure.yml @@ -1,378 +1,379 @@ -name: 'DSF POC CLI - Azure' - -on: - workflow_call: - inputs: - use_modules_from_terraform_registry: - required: true - type: boolean - explicit_ref: - required: true - type: string - deployment_type: - required: false - type: string - default: 'all' - product_full_version: - type: string - default: 'latest' - required: false - - secrets: - AWS_ACCESS_KEY_ID: - required: true - AWS_SECRET_ACCESS_KEY: - required: true - SLACK_WEBHOOK_URL: - required: true - ARM_CLIENT_SECRET: - required: true - DAM_LICENSE: - required: true - ALLOWED_SSH_CIDRS: - required: true - - workflow_dispatch: - inputs: - use_modules_from_terraform_registry: - type: boolean - required: false - delay_destroy: - description: 'Delay the destroy step and subsequent steps to allow investigation' - type: boolean - default: false - required: false - deployment_type: - description: 'Choose the type of deployments to run: all (default), sonar, dam, dra' - type: string - default: 'all' - required: false - product_full_version: - description: 'Product (DAM, DRA, SONAR) version to deploy, default is latest. For DAM and Sonar use the full version number (e.g. 4.17.0.10.0) and for DRA use the build number (e.g. 4.17.0.10.0.6_31077)' - type: string - default: 'latest' - required: false - - push: - branches: - - 'dev' - paths: - - 'modules/azurerm/**' - - 'modules/null/**' - - 'examples/azure/poc/dsf_deployment/*' - - pull_request: - types: - - 'opened' - - 'reopened' - branches: - - 'dev' - paths: - - 'modules/azurerm/**' - - 'modules/null/**' - - 'examples/azure/poc/dsf_deployment/*' - -env: - TF_CLI_ARGS: "-no-color" - TF_INPUT: 0 - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} # aws creds are needed for s3 backend - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - ARM_SUBSCRIPTION_ID: ${{ vars.ARM_SUBSCRIPTION_ID }} - ARM_CLIENT_ID: ${{ vars.ARM_CLIENT_ID }} - ARM_TENANT_ID: ${{ vars.ARM_TENANT_ID }} - ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} - DESTROY_DELAY_SECONDS: 1800 -permissions: - contents: read - -jobs: - prepare-matrix: - runs-on: ubuntu-latest - outputs: - matrix: ${{ steps.set-matrix.outputs.matrix }} - deployment_version: ${{ steps.set-deployment-version.outputs.deployment_version }} - steps: - - name: Set Matrix - id: set-matrix - env: - VAR: ${{ github.event.inputs.deployment_type || 'all' }} - run: | - MATRIX=$(jq -n --compact-output --arg var "$VAR" '{ - "include": [ - (if $var == "all" then {"name":"DSF POC","workspace":"azure_cli-all-","enable_sonar":true,"enable_dam":true,"enable_dra":true} else empty end), - (if $var == "all" or $var == "sonar" then {"name":"DSF POC - SONAR","workspace":"azure_cli-sonar-","enable_sonar":true,"enable_dam":false,"enable_dra":false} else empty end) - ] - }') - - echo "matrix=$MATRIX" >> "$GITHUB_OUTPUT" - - - name: Set deployment version - id: set-deployment-version - run: | - DEPLOYMENT_VERSION="" - if [[ "${{ github.event.inputs.product_full_version }}" != "latest" && -n "${{ github.event.inputs.product_full_version }}" ]]; then - if [[ "${{ github.event.inputs.deployment_type }}" == "dam" ]]; then - DEPLOYMENT_VERSION="dam_version=${{ github.event.inputs.product_full_version }}" - elif [[ "${{ github.event.inputs.deployment_type }}" == "sonar" ]]; then - DEPLOYMENT_VERSION="sonar_version=${{ github.event.inputs.product_full_version }}" - elif [[ "${{ github.event.inputs.deployment_type }}" == "dra" ]]; then - DEPLOYMENT_VERSION="dra_version=${{ github.event.inputs.product_full_version }}" - fi - fi - echo "deployment_version=$DEPLOYMENT_VERSION" >> $GITHUB_OUTPUT - - terraform: - needs: prepare-matrix - strategy: - fail-fast: false - matrix: ${{ fromJson(needs.prepare-matrix.outputs.matrix) }} - name: '${{ matrix.name }}' - runs-on: ubuntu-latest - env: - EXAMPLE_DIR: ./examples/azure/poc/dsf_deployment - TF_VAR_enable_sonar: ${{ matrix.enable_sonar }} - TF_VAR_enable_dam: ${{ matrix.enable_dam }} - TF_VAR_enable_dra: ${{ matrix.enable_dra }} - TF_VAR_allowed_ssh_cidrs: ${{ vars.ALLOWED_SSH_CIDRS }} - DEPLOYMENT_VERSION: ${{ needs.prepare-matrix.outputs.deployment_version }} - - environment: test - - # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest - defaults: - run: - shell: bash - steps: - - name: Pick ref - run: | - if [ -z "${{ inputs.explicit_ref }}" ]; then - echo REF=${{ github.ref }} >> $GITHUB_ENV; - else - echo REF=${{ inputs.explicit_ref }} >> $GITHUB_ENV; - fi - - - name: Set Workspace Name - run: | - echo "Event Name: ${{ github.event_name }}" - if [ ${{ github.event_name }} == 'schedule' ]; then - echo TF_WORKSPACE=${{ matrix.workspace }}${{ github.event_name }}-$REF >> $GITHUB_ENV - else - echo TF_WORKSPACE=${{ matrix.workspace }}${{ github.run_number }}-${{ github.run_attempt }}-${{ inputs.explicit_ref }} >> $GITHUB_ENV - echo TMP_WORKSPACE_NAME=${{ matrix.workspace }}${{ github.run_number }}-${{ github.run_attempt }}-${{ inputs.explicit_ref }} >> $GITHUB_ENV - fi - - # Checkout the repository to the GitHub Actions runner - - name: Checkout - uses: actions/checkout@v3 - with: - ref: ${{ env.REF }} - - - name: Change the modules source to local - if: ${{ inputs.use_modules_from_terraform_registry == false }} - run: | - find $EXAMPLE_DIR -type f -exec sed -i -f sed.expr {} \; - - - name: Create terraform backend file - run: | - cat << EOF > $EXAMPLE_DIR/backend.tf - terraform { - backend "s3" { - bucket = "terraform-state-bucket-dsfkit-github-tests" - key = "states/terraform.tfstate" - dynamodb_table = "terraform-state-lock" - region = "us-east-1" - } - } - EOF - - - name: Set parameters in azure storage account - run: | - if [ "${{ github.event.inputs.deployment_type }}" == "dra" ] && [ "${{ github.event.inputs.product_full_version }}" != "latest" ] && [ -n "${{ github.event.inputs.product_full_version }}" ]; then - PATH_TO_DRA_ANALYTICS_VHD="DRA-${{ github.event.inputs.product_full_version }}_x86_64-Analytics.vhd" - PATH_TO_DRA_ADMIN_VHD="DRA-${{ github.event.inputs.product_full_version }}_x86_64-Admin.vhd" - else - PATH_TO_DRA_ANALYTICS_VHD="DRA-4.17.0.10.0.6_31077_x86_64-Analytics.vhd" - PATH_TO_DRA_ADMIN_VHD="DRA-4.17.0.10.0.6_31077_x86_64-Admin.vhd" - fi - - if [ "${{ github.event.inputs.deployment_type }}" == "sonar" ] && [ "${{ github.event.inputs.product_full_version }}" != "latest" ] && [ -n "${{ github.event.inputs.product_full_version }}" ]; then - AZ_BLOB_SONAR="jsonar-${{ github.event.inputs.product_full_version }}.tar.gz" - else - AZ_BLOB_SONAR="jsonar-4.17.0.10.0.tar.gz" - fi - - echo "PATH_TO_DRA_ANALYTICS_VHD=$PATH_TO_DRA_ANALYTICS_VHD" >> $GITHUB_ENV - echo "PATH_TO_DRA_ADMIN_VHD=$PATH_TO_DRA_ADMIN_VHD" >> $GITHUB_ENV - echo "AZ_BLOB_SONAR=$AZ_BLOB_SONAR" >> $GITHUB_ENV - - - name: Create terraform.tfvars file - run: | - cat << EOF > $EXAMPLE_DIR/terraform.tfvars - resource_group_location = "East US" - tarball_location = { - az_resource_group = "dsf-rg" - az_storage_account = "dsfinstallation" - az_container = "sonar" - az_blob = "$AZ_BLOB_SONAR" - } - dam_agent_installation_location = { - az_resource_group = "dsf-rg" - az_storage_account = "dsfinstallation" - az_container = "dam" - az_blob = "Imperva-ragent-UBN-px86_64-b14.6.0.60.0.636085.bsx" - } - simulation_db_types_for_agent=["PostgreSql", "MySql"] - dra_admin_vhd_details = { - storage_account_name = "dsfinstallation" - container_name = "dra" - path_to_vhd = "$PATH_TO_DRA_ADMIN_VHD" - } - dra_analytics_vhd_details = { - storage_account_name = "dsfinstallation" - container_name = "dra" - path_to_vhd = "$PATH_TO_DRA_ANALYTICS_VHD" - } - - EOF - - # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token - - name: Setup Terraform - uses: hashicorp/setup-terraform@v2 - with: - terraform_wrapper: false - terraform_version: ~1.7.0 - - - name: Setup jq - uses: sergeysova/jq-action@v2 - - - name: Create License File - env: - MY_SECRET: ${{ secrets.DAM_LICENSE }} - run: | - echo "${{ secrets.DAM_LICENSE }}" | base64 -d > $EXAMPLE_DIR/license.mprv - cat $EXAMPLE_DIR/license.mprv - - # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. - - name: Terraform Init - run: terraform -chdir=$EXAMPLE_DIR init - env: - TF_WORKSPACE: default - - - name: Cleaning environment - run: | - if [ ${{ github.event_name }} == 'schedule' ]; then - mv $EXAMPLE_DIR/main.tf{,_} - mv $EXAMPLE_DIR/outputs.tf{,_} - mv $EXAMPLE_DIR/sonar.tf{,_} - mv $EXAMPLE_DIR/dam.tf{,_} - mv $EXAMPLE_DIR/dra.tf{,_} - mv $EXAMPLE_DIR/agent_sources.tf{,_} - mv $EXAMPLE_DIR/agentless_sources.tf{,_} - mv $EXAMPLE_DIR/networking.tf{,_} - ls -la $EXAMPLE_DIR - terraform -chdir=$EXAMPLE_DIR destroy -var dam_license=license.mprv -auto-approve - mv $EXAMPLE_DIR/main.tf{_,} - mv $EXAMPLE_DIR/outputs.tf{_,} - mv $EXAMPLE_DIR/sonar.tf{_,} - mv $EXAMPLE_DIR/dam.tf{_,} - mv $EXAMPLE_DIR/dra.tf{_,} - mv $EXAMPLE_DIR/agent_sources.tf{_,} - mv $EXAMPLE_DIR/agentless_sources.tf{_,} - mv $EXAMPLE_DIR/networking.tf{_,} - fi - - - name: Terraform Validate - run: terraform -chdir=$EXAMPLE_DIR validate - - # Generates an execution plan for Terraform - - name: Terraform Plan - run: | - terraform -chdir=$EXAMPLE_DIR workspace list - # Only pass DEPLOYMENT_VERSION if it's not empty - if [[ -n "${{ env.DEPLOYMENT_VERSION }}" && "${{ env.DEPLOYMENT_VERSION }}" != $'\n' ]]; then - terraform -chdir=$EXAMPLE_DIR plan -var dam_license=license.mprv -var "${{ env.DEPLOYMENT_VERSION }}" - else - terraform -chdir=$EXAMPLE_DIR plan -var dam_license=license.mprv - fi - - - # On push to "main", build or change infrastructure according to Terraform configuration files - # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks - - name: Terraform Apply - id: apply - # if: github.ref == 'refs/heads/"master"' && github.event_name == 'push' || github.event_name == 'workflow_dispatch' - run: | - if [[ -n "${{ env.DEPLOYMENT_VERSION }}" && "${{ env.DEPLOYMENT_VERSION }}" != $'\n' ]]; then - terraform -chdir=$EXAMPLE_DIR apply -var dam_license=license.mprv -var "${{ env.DEPLOYMENT_VERSION }}" -auto-approve - else - terraform -chdir=$EXAMPLE_DIR apply -var dam_license=license.mprv -auto-approve - fi - - - name: Terraform Output - if: always() - run: terraform -chdir=$EXAMPLE_DIR output -json - - - name: Collect Artifacts - id: collect-artifacts - if: always() - uses: actions/upload-artifact@v4 - with: - name: collected-keys-${{ env.TF_WORKSPACE }} - path: | - ${{ env.EXAMPLE_DIR }}/ssh_keys - - - name: Check how was the workflow run - id: check-trigger - if: ${{ failure() }} - run: | - if [ "${{ github.event_name }}" == "schedule" ]; then - echo "run-by=Automation" >> $GITHUB_OUTPUT - else - echo "run-by=${{ github.actor }}" >> $GITHUB_OUTPUT - fi - - # This step allows time for investigation of the failed resources before destroying them - - name: Conditional Delay - if: ${{ failure() }} - run: | - echo "delay_destroy: ${{ inputs.delay_destroy }}" - if [ "${{ inputs.delay_destroy }}" == "true" ]; then - echo "Terraform workspace: $TF_WORKSPACE" - curl -X POST -H 'Content-type: application/json' --data '{"text":":exclamation: :exclamation: :exclamation:\n*${{ github.workflow }} ${{ env.TF_WORKSPACE }} automation Failed*\n You have ${{ env.DESTROY_DELAY_SECONDS }} seconds to investigate the environment before it is destroyed :alarm_clock:\n\nRun by: ${{ steps.check-trigger.outputs.run-by }}", "channel": "#edsf_automation"}' ${{ secrets.SLACK_WEBHOOK_URL }} - echo "" - echo "Sleeping for $((DESTROY_DELAY_SECONDS / 60)) minutes before destroying the environment" - sleep $DESTROY_DELAY_SECONDS - fi - - - name: Terraform Destroy - id: destroy - if: always() - run: | - if [[ -n "${{ env.DEPLOYMENT_VERSION }}" && "${{ env.DEPLOYMENT_VERSION }}" != $'\n' ]]; then - terraform -chdir=$EXAMPLE_DIR destroy -var dam_license=license.mprv -var "${{ env.DEPLOYMENT_VERSION }}" -auto-approve - else - terraform -chdir=$EXAMPLE_DIR destroy -var dam_license=license.mprv -auto-approve - fi - - - - - name: Terraform Delete Workspace - if: always() - run: | - if [ '${{ steps.destroy.conclusion }}' == 'success' ] && [ ${{ github.event_name }} != 'schedule' ]; then - terraform -chdir=$EXAMPLE_DIR workspace delete $TMP_WORKSPACE_NAME - fi - env: - TF_WORKSPACE: default - - # Send job failure to Slack - - name: Send Slack When Failure - run: | - if [ ${{ env.REF }} == 'master' ]; then - curl -X POST -H 'Content-type: application/json' --data '{"text":":exclamation: :exclamation: :exclamation:\n*${{ matrix.name }} Prod ${{ inputs.workspace }} automation on Azure Failed*\n\nRun by: ${{ steps.check-trigger.outputs.run-by }}", "channel": "#dsfkit-prod"}' ${{ secrets.SLACK_WEBHOOK_URL }} - elif [ ${{ env.REF }} == 'dev' ]; then - curl -X POST -H 'Content-type: application/json' --data '{"text":":exclamation: :exclamation: :exclamation:\n*${{ matrix.name }} dev ${{ inputs.workspace }} automation on Azure Failed*\n\nRun by: ${{ steps.check-trigger.outputs.run-by }}", "channel": "#edsf_automation"}' ${{ secrets.SLACK_WEBHOOK_URL }} - else - curl -X POST -H 'Content-type: application/json' --data '{"text":":exclamation: :exclamation: :exclamation:\n*${{ matrix.name }} private branch ${{ inputs.workspace }} automation on Azure Failed*\n\nRun by: ${{ steps.check-trigger.outputs.run-by }}", "channel": "#edsf_automation"}' ${{ secrets.SLACK_WEBHOOK_URL }} - fi - if: ${{ failure() }} +name: 'DSF POC CLI - Azure' + +on: + workflow_call: + inputs: + use_modules_from_terraform_registry: + required: true + type: boolean + explicit_ref: + required: true + type: string + deployment_type: + required: false + type: string + default: 'all' + product_full_version: + type: string + default: 'latest' + required: false + + secrets: + AWS_ACCESS_KEY_ID: + required: true + AWS_SECRET_ACCESS_KEY: + required: true + SLACK_WEBHOOK_URL: + required: true + ARM_CLIENT_SECRET: + required: true + DAM_LICENSE: + required: true + ALLOWED_SSH_CIDRS: + required: true + + workflow_dispatch: + inputs: + use_modules_from_terraform_registry: + type: boolean + required: false + delay_destroy: + description: 'Delay the destroy step and subsequent steps to allow investigation' + type: boolean + default: false + required: false + deployment_type: + description: 'Choose the type of deployments to run: all (default), sonar, dam, dra' + type: string + default: 'all' + required: false + product_full_version: + description: 'Product (DAM, DRA, SONAR) version to deploy, default is latest. For DAM and Sonar use the full version number (e.g. 4.17.0.10.0) and for DRA use the build number (e.g. 4.17.0.10.0.6_31077)' + type: string + default: 'latest' + required: false + + push: + branches: + - 'dev' + paths: + - 'modules/azurerm/**' + - 'modules/null/**' + - 'examples/azure/poc/dsf_deployment/*' + + pull_request: + types: + - 'opened' + - 'reopened' + branches: + - 'dev' + paths: + - 'modules/azurerm/**' + - 'modules/null/**' + - 'examples/azure/poc/dsf_deployment/*' + +env: + TF_CLI_ARGS: "-no-color" + TF_INPUT: 0 + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} # aws creds are needed for s3 backend + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + ARM_SUBSCRIPTION_ID: ${{ vars.ARM_SUBSCRIPTION_ID }} + ARM_CLIENT_ID: ${{ vars.ARM_CLIENT_ID }} + ARM_TENANT_ID: ${{ vars.ARM_TENANT_ID }} + ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} + DESTROY_DELAY_SECONDS: 1800 +permissions: + contents: read + +jobs: + prepare-matrix: + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.set-matrix.outputs.matrix }} + deployment_version: ${{ steps.set-deployment-version.outputs.deployment_version }} + steps: + - name: Set Matrix + id: set-matrix + env: + VAR: ${{ github.event.inputs.deployment_type || 'all' }} + run: | + MATRIX=$(jq -n --compact-output --arg var "$VAR" '{ + "include": [ + (if $var == "all" then {"name":"DSF POC","workspace":"azure_cli-all-","enable_sonar":true,"enable_dam":true,"enable_dra":true} else empty end), + (if $var == "all" or $var == "sonar" then {"name":"DSF POC - SONAR","workspace":"azure_cli-sonar-","enable_sonar":true,"enable_dam":false,"enable_dra":false} else empty end), + (if $var == "dra" then {"name":"DSF POC - DRA","workspace":"azure_cli-dra-","enable_sonar":false,"enable_dam":false,"enable_dra":true} else empty end) + ] + }') + + echo "matrix=$MATRIX" >> "$GITHUB_OUTPUT" + + - name: Set deployment version + id: set-deployment-version + run: | + DEPLOYMENT_VERSION="" + if [[ "${{ github.event.inputs.product_full_version }}" != "latest" && -n "${{ github.event.inputs.product_full_version }}" ]]; then + if [[ "${{ github.event.inputs.deployment_type }}" == "dam" ]]; then + DEPLOYMENT_VERSION="dam_version=${{ github.event.inputs.product_full_version }}" + elif [[ "${{ github.event.inputs.deployment_type }}" == "sonar" ]]; then + DEPLOYMENT_VERSION="sonar_version=${{ github.event.inputs.product_full_version }}" + elif [[ "${{ github.event.inputs.deployment_type }}" == "dra" ]]; then + DEPLOYMENT_VERSION="dra_version=${{ github.event.inputs.product_full_version }}" + fi + fi + echo "deployment_version=$DEPLOYMENT_VERSION" >> $GITHUB_OUTPUT + + terraform: + needs: prepare-matrix + strategy: + fail-fast: false + matrix: ${{ fromJson(needs.prepare-matrix.outputs.matrix) }} + name: '${{ matrix.name }}' + runs-on: ubuntu-latest + env: + EXAMPLE_DIR: ./examples/azure/poc/dsf_deployment + TF_VAR_enable_sonar: ${{ matrix.enable_sonar }} + TF_VAR_enable_dam: ${{ matrix.enable_dam }} + TF_VAR_enable_dra: ${{ matrix.enable_dra }} + TF_VAR_allowed_ssh_cidrs: ${{ vars.ALLOWED_SSH_CIDRS }} + DEPLOYMENT_VERSION: ${{ needs.prepare-matrix.outputs.deployment_version }} + + environment: test + + # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest + defaults: + run: + shell: bash + steps: + - name: Pick ref + run: | + if [ -z "${{ inputs.explicit_ref }}" ]; then + echo REF=${{ github.ref }} >> $GITHUB_ENV; + else + echo REF=${{ inputs.explicit_ref }} >> $GITHUB_ENV; + fi + + - name: Set Workspace Name + run: | + echo "Event Name: ${{ github.event_name }}" + if [ ${{ github.event_name }} == 'schedule' ]; then + echo TF_WORKSPACE=${{ matrix.workspace }}${{ github.event_name }}-$REF >> $GITHUB_ENV + else + echo TF_WORKSPACE=${{ matrix.workspace }}${{ github.run_number }}-${{ github.run_attempt }}-${{ inputs.explicit_ref }} >> $GITHUB_ENV + echo TMP_WORKSPACE_NAME=${{ matrix.workspace }}${{ github.run_number }}-${{ github.run_attempt }}-${{ inputs.explicit_ref }} >> $GITHUB_ENV + fi + + # Checkout the repository to the GitHub Actions runner + - name: Checkout + uses: actions/checkout@v3 + with: + ref: ${{ env.REF }} + + - name: Change the modules source to local + if: ${{ inputs.use_modules_from_terraform_registry == false }} + run: | + find $EXAMPLE_DIR -type f -exec sed -i -f sed.expr {} \; + + - name: Create terraform backend file + run: | + cat << EOF > $EXAMPLE_DIR/backend.tf + terraform { + backend "s3" { + bucket = "terraform-state-bucket-dsfkit-github-tests" + key = "states/terraform.tfstate" + dynamodb_table = "terraform-state-lock" + region = "us-east-1" + } + } + EOF + + - name: Set parameters in azure storage account + run: | + if [ "${{ github.event.inputs.deployment_type }}" == "dra" ] && [ "${{ github.event.inputs.product_full_version }}" != "latest" ] && [ -n "${{ github.event.inputs.product_full_version }}" ]; then + PATH_TO_DRA_ANALYTICS_VHD="DRA-${{ github.event.inputs.product_full_version }}_x86_64-Analytics.vhd" + PATH_TO_DRA_ADMIN_VHD="DRA-${{ github.event.inputs.product_full_version }}_x86_64-Admin.vhd" + else + PATH_TO_DRA_ANALYTICS_VHD="DRA-4.17.0.10.0.6_31077_x86_64-Analytics.vhd" + PATH_TO_DRA_ADMIN_VHD="DRA-4.17.0.10.0.6_31077_x86_64-Admin.vhd" + fi + + if [ "${{ github.event.inputs.deployment_type }}" == "sonar" ] && [ "${{ github.event.inputs.product_full_version }}" != "latest" ] && [ -n "${{ github.event.inputs.product_full_version }}" ]; then + AZ_BLOB_SONAR="jsonar-${{ github.event.inputs.product_full_version }}.tar.gz" + else + AZ_BLOB_SONAR="jsonar-4.17.0.10.0.tar.gz" + fi + + echo "PATH_TO_DRA_ANALYTICS_VHD=$PATH_TO_DRA_ANALYTICS_VHD" >> $GITHUB_ENV + echo "PATH_TO_DRA_ADMIN_VHD=$PATH_TO_DRA_ADMIN_VHD" >> $GITHUB_ENV + echo "AZ_BLOB_SONAR=$AZ_BLOB_SONAR" >> $GITHUB_ENV + + - name: Create terraform.tfvars file + run: | + cat << EOF > $EXAMPLE_DIR/terraform.tfvars + resource_group_location = "East US" + tarball_location = { + az_resource_group = "dsf-rg" + az_storage_account = "dsfinstallation" + az_container = "sonar" + az_blob = "$AZ_BLOB_SONAR" + } + dam_agent_installation_location = { + az_resource_group = "dsf-rg" + az_storage_account = "dsfinstallation" + az_container = "dam" + az_blob = "Imperva-ragent-UBN-px86_64-b14.6.0.60.0.636085.bsx" + } + simulation_db_types_for_agent=["PostgreSql", "MySql"] + dra_admin_vhd_details = { + storage_account_name = "dsfinstallation" + container_name = "dra" + path_to_vhd = "$PATH_TO_DRA_ADMIN_VHD" + } + dra_analytics_vhd_details = { + storage_account_name = "dsfinstallation" + container_name = "dra" + path_to_vhd = "$PATH_TO_DRA_ANALYTICS_VHD" + } + + EOF + + # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token + - name: Setup Terraform + uses: hashicorp/setup-terraform@v2 + with: + terraform_wrapper: false + terraform_version: ~1.7.0 + + - name: Setup jq + uses: sergeysova/jq-action@v2 + + - name: Create License File + env: + MY_SECRET: ${{ secrets.DAM_LICENSE }} + run: | + echo "${{ secrets.DAM_LICENSE }}" | base64 -d > $EXAMPLE_DIR/license.mprv + cat $EXAMPLE_DIR/license.mprv + + # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. + - name: Terraform Init + run: terraform -chdir=$EXAMPLE_DIR init + env: + TF_WORKSPACE: default + + - name: Cleaning environment + run: | + if [ ${{ github.event_name }} == 'schedule' ]; then + mv $EXAMPLE_DIR/main.tf{,_} + mv $EXAMPLE_DIR/outputs.tf{,_} + mv $EXAMPLE_DIR/sonar.tf{,_} + mv $EXAMPLE_DIR/dam.tf{,_} + mv $EXAMPLE_DIR/dra.tf{,_} + mv $EXAMPLE_DIR/agent_sources.tf{,_} + mv $EXAMPLE_DIR/agentless_sources.tf{,_} + mv $EXAMPLE_DIR/networking.tf{,_} + ls -la $EXAMPLE_DIR + terraform -chdir=$EXAMPLE_DIR destroy -var dam_license=license.mprv -auto-approve + mv $EXAMPLE_DIR/main.tf{_,} + mv $EXAMPLE_DIR/outputs.tf{_,} + mv $EXAMPLE_DIR/sonar.tf{_,} + mv $EXAMPLE_DIR/dam.tf{_,} + mv $EXAMPLE_DIR/dra.tf{_,} + mv $EXAMPLE_DIR/agent_sources.tf{_,} + mv $EXAMPLE_DIR/agentless_sources.tf{_,} + mv $EXAMPLE_DIR/networking.tf{_,} + fi + + - name: Terraform Validate + run: terraform -chdir=$EXAMPLE_DIR validate + + # Generates an execution plan for Terraform + - name: Terraform Plan + run: | + terraform -chdir=$EXAMPLE_DIR workspace list + # Only pass DEPLOYMENT_VERSION if it's not empty + if [[ -n "${{ env.DEPLOYMENT_VERSION }}" && "${{ env.DEPLOYMENT_VERSION }}" != $'\n' ]]; then + terraform -chdir=$EXAMPLE_DIR plan -var dam_license=license.mprv -var "${{ env.DEPLOYMENT_VERSION }}" + else + terraform -chdir=$EXAMPLE_DIR plan -var dam_license=license.mprv + fi + + + # On push to "main", build or change infrastructure according to Terraform configuration files + # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks + - name: Terraform Apply + id: apply + # if: github.ref == 'refs/heads/"master"' && github.event_name == 'push' || github.event_name == 'workflow_dispatch' + run: | + if [[ -n "${{ env.DEPLOYMENT_VERSION }}" && "${{ env.DEPLOYMENT_VERSION }}" != $'\n' ]]; then + terraform -chdir=$EXAMPLE_DIR apply -var dam_license=license.mprv -var "${{ env.DEPLOYMENT_VERSION }}" -auto-approve + else + terraform -chdir=$EXAMPLE_DIR apply -var dam_license=license.mprv -auto-approve + fi + + - name: Terraform Output + if: always() + run: terraform -chdir=$EXAMPLE_DIR output -json + + - name: Collect Artifacts + id: collect-artifacts + if: always() + uses: actions/upload-artifact@v4 + with: + name: collected-keys-${{ env.TF_WORKSPACE }} + path: | + ${{ env.EXAMPLE_DIR }}/ssh_keys + + - name: Check how was the workflow run + id: check-trigger + if: ${{ failure() }} + run: | + if [ "${{ github.event_name }}" == "schedule" ]; then + echo "run-by=Automation" >> $GITHUB_OUTPUT + else + echo "run-by=${{ github.actor }}" >> $GITHUB_OUTPUT + fi + + # This step allows time for investigation of the failed resources before destroying them + - name: Conditional Delay + if: ${{ failure() }} + run: | + echo "delay_destroy: ${{ inputs.delay_destroy }}" + if [ "${{ inputs.delay_destroy }}" == "true" ]; then + echo "Terraform workspace: $TF_WORKSPACE" + curl -X POST -H 'Content-type: application/json' --data '{"text":":exclamation: :exclamation: :exclamation:\n*${{ github.workflow }} ${{ env.TF_WORKSPACE }} automation Failed*\n You have ${{ env.DESTROY_DELAY_SECONDS }} seconds to investigate the environment before it is destroyed :alarm_clock:\n\nRun by: ${{ steps.check-trigger.outputs.run-by }}", "channel": "#edsf_automation"}' ${{ secrets.SLACK_WEBHOOK_URL }} + echo "" + echo "Sleeping for $((DESTROY_DELAY_SECONDS / 60)) minutes before destroying the environment" + sleep $DESTROY_DELAY_SECONDS + fi + + - name: Terraform Destroy + id: destroy + if: always() + run: | + if [[ -n "${{ env.DEPLOYMENT_VERSION }}" && "${{ env.DEPLOYMENT_VERSION }}" != $'\n' ]]; then + terraform -chdir=$EXAMPLE_DIR destroy -var dam_license=license.mprv -var "${{ env.DEPLOYMENT_VERSION }}" -auto-approve + else + terraform -chdir=$EXAMPLE_DIR destroy -var dam_license=license.mprv -auto-approve + fi + + + + - name: Terraform Delete Workspace + if: always() + run: | + if [ '${{ steps.destroy.conclusion }}' == 'success' ] && [ ${{ github.event_name }} != 'schedule' ]; then + terraform -chdir=$EXAMPLE_DIR workspace delete $TMP_WORKSPACE_NAME + fi + env: + TF_WORKSPACE: default + + # Send job failure to Slack + - name: Send Slack When Failure + run: | + if [ ${{ env.REF }} == 'master' ]; then + curl -X POST -H 'Content-type: application/json' --data '{"text":":exclamation: :exclamation: :exclamation:\n*${{ matrix.name }} Prod ${{ inputs.workspace }} automation on Azure Failed*\n\nRun by: ${{ steps.check-trigger.outputs.run-by }}", "channel": "#dsfkit-prod"}' ${{ secrets.SLACK_WEBHOOK_URL }} + elif [ ${{ env.REF }} == 'dev' ]; then + curl -X POST -H 'Content-type: application/json' --data '{"text":":exclamation: :exclamation: :exclamation:\n*${{ matrix.name }} dev ${{ inputs.workspace }} automation on Azure Failed*\n\nRun by: ${{ steps.check-trigger.outputs.run-by }}", "channel": "#edsf_automation"}' ${{ secrets.SLACK_WEBHOOK_URL }} + else + curl -X POST -H 'Content-type: application/json' --data '{"text":":exclamation: :exclamation: :exclamation:\n*${{ matrix.name }} private branch ${{ inputs.workspace }} automation on Azure Failed*\n\nRun by: ${{ steps.check-trigger.outputs.run-by }}", "channel": "#edsf_automation"}' ${{ secrets.SLACK_WEBHOOK_URL }} + fi + if: ${{ failure() }} From cf06a11832543e821c46195b50c54191e93cae26 Mon Sep 17 00:00:00 2001 From: roiklorin Date: Wed, 17 Jun 2026 17:00:14 +0300 Subject: [PATCH 4/4] Remove dra from set-deployment-version in Azure workflow - version is handled via VHD path --- .github/workflows/dsf_poc_cli_azure.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/dsf_poc_cli_azure.yml b/.github/workflows/dsf_poc_cli_azure.yml index a18f6b39..ef642afd 100644 --- a/.github/workflows/dsf_poc_cli_azure.yml +++ b/.github/workflows/dsf_poc_cli_azure.yml @@ -116,8 +116,6 @@ jobs: DEPLOYMENT_VERSION="dam_version=${{ github.event.inputs.product_full_version }}" elif [[ "${{ github.event.inputs.deployment_type }}" == "sonar" ]]; then DEPLOYMENT_VERSION="sonar_version=${{ github.event.inputs.product_full_version }}" - elif [[ "${{ github.event.inputs.deployment_type }}" == "dra" ]]; then - DEPLOYMENT_VERSION="dra_version=${{ github.event.inputs.product_full_version }}" fi fi echo "deployment_version=$DEPLOYMENT_VERSION" >> $GITHUB_OUTPUT