build-attack-destroy-azure #5
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: build-attack-destroy-azure | |
on: | |
workflow_dispatch: # Manually trigger the workflow | |
schedule: | |
- cron: '30 8 * * *' | |
jobs: | |
build-attack-destroy-azure: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@v4 | |
- name: Install System Packages | |
run: | | |
sudo apt update -qq | |
sudo apt install -y openssh-client | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: '3.9' #Available versions here - https://github.com/actions/python-versions/releases easy to change/make a matrix/use pypy | |
architecture: 'x64' # optional x64 or x86. Defaults to x64 if not specified | |
- uses: Azure/login@v2 | |
with: | |
creds: '{"clientId":"${{ secrets.CLIENT_ID }}","clientSecret":"${{ secrets.CLIENT_SECRET }}","subscriptionId":"${{ secrets.SUBSCRIPTION_ID }}","tenantId":"${{ secrets.TENANT_ID }}"}' | |
- name: Install SSH key | |
uses: shimataro/ssh-key-action@v2 | |
with: | |
key: ${{ secrets.AR_SSH_PRIVATE_KEY }} | |
name: ar-github-actions | |
known_hosts: unnecessary | |
if_key_exists: fail | |
- name: Store public key | |
run: | | |
echo ${{ secrets.AR_SSH_PUBLIC_KEY }} > ~/.ssh/ar-github-actions.pub | |
- uses: hashicorp/setup-terraform@v3 | |
- name: Install Packer | |
run: | | |
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add - | |
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | |
sudo apt-get update && sudo apt-get install packer | |
- name: Install Dependencies using Poetry | |
run: | | |
pip3 install poetry | |
poetry install | |
- name: Copy Attack Range config | |
run: | | |
cp -f configs/github_actions_config_azure.yml attack_range.yml | |
sed -i "s/xxx/${{ secrets.SUBSCRIPTION_ID }}/g" attack_range.yml | |
- name: Test Terraform Build, Attack, Destroy | |
run: | | |
export ARM_CLIENT_ID="${{ secrets.CLIENT_ID }}" | |
export ARM_CLIENT_SECRET="${{ secrets.CLIENT_SECRET }}" | |
export ARM_SUBSCRIPTION_ID="${{ secrets.SUBSCRIPTION_ID }}" | |
export ARM_TENANT_ID="${{ secrets.TENANT_ID }}" | |
poetry run python attack_range.py build | |
poetry run python attack_range.py simulate --target ar-win-ar-github-actions-ar-0 --technique T1003.002 | |
poetry run python attack_range.py destroy | |
- name: Cleanup terraform on failures | |
if: failure() | |
run: | | |
poetry run python attack_range.py destroy | |