Skip to content

gcp-monitor

gcp-monitor #286

Workflow file for this run

# This is a basic workflow to help you get started with Actions
name: gcp-monitor
on:
# Triggers the workflow on push or pull request events but only for the "main" branch
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onschedule
schedule:
- cron: '0 23 * * *'
workflow_dispatch:
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
# This workflow contains a single job called "monitoring"
monitoring:
strategy:
matrix:
include:
- environment: workload-idenity-federation
credentials: TERRAFORM_SERVICE_ACCOUNT_KEY
# - environment: dena-opf-payment-dev-gcp
# credentials: ${{ secrets.DENA_OPF_PAYMENT_DEV_GCP_CREDENTIALS }}
# TODO 本番
# - environment: dena-mbga-sb-gcp
# credentials:
# - environment: dena-mbga-gcp
# credentials:
# - environment: dena-opf-payment-gcp
# credentials:
# The type of runner that the job will run on
runs-on: ubuntu-latest
# https://docs.github.com/en/actions/using-jobs/setting-default-values-for-jobs
defaults:
run:
shell: bash
working-directory: ./workflows_helper/gcp_monitor
env:
BUNDLE_GEMFILE: ${{ github.workspace }}/workflows_helper/gcp_monitor/Gemfile
TZ: "Asia/Tokyo"
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v3
- name: 'GCP auth'
uses: 'google-github-actions/auth@v1'
with:
credentials_json: '${{ secrets[matrix.credentials] }}'
- name: 'Set up Cloud SDK'
uses: 'google-github-actions/setup-gcloud@v1'
# Runs a single command using the runners shell
- name: Get the date
id: get_date
# 今日の日付 YYYY-MM-DD
# モニタリングは平日しか走らないため、
# 月曜の場合、三日前の日付を取得します
# それ以外の場合、一日前の日付を取得します
run: |
echo "past_date=$(date -d '1 day ago' '+%Y-%m-%d')" >> $GITHUB_OUTPUT
echo "current_date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
shell: bash
- name: Set up ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: '3.2'
# なぜかcacheを使うとエラーになる
bundler-cache: true
- name: Search for all gcp resources
run: |
gcloud asset search-all-resources \
--scope=projects/${{ matrix.environment }} \
--order-by="updateTime DESC, assetType" \
--query="updateTime>=${{ steps.get_date.outputs.past_date }} OR createTime>=${{ steps.get_date.outputs.past_date }}" \
--format="json(name, displayName, assetType, project, createTime, updateTime)" > resources-${{ matrix.environment }}-${{ steps.get_date.outputs.current_date }}.json
bundle exec ruby "app.rb" --type=other ${{ secrets.SLACK_WEBHOOK_URL_FOR_GCP_MONITOR }} ${{ matrix.environment }} resources-${{ matrix.environment }}-${{ steps.get_date.outputs.current_date }}.json
- name: search for all iam policies
run: |
gcloud asset search-all-iam-policies --scope=projects/${{ matrix.environment }} --format=json > iam-policies-${{ matrix.environment }}-${{ steps.get_date.outputs.current_date }}.json
gcloud storage cp iam-policies-${{ matrix.environment }}-${{ steps.get_date.outputs.current_date }}.json gs://cloud-asset-inventory-${{ matrix.environment }}
# Runs a set of commands using the runners shell
# https://stackoverflow.com/a/74232400
# https://github.com/github/docs/issues/21529
- name: get old iam policies file
run: |
gcloud storage cp gs://cloud-asset-inventory-${{ matrix.environment }}/iam-policies-${{ matrix.environment }}-${{ steps.get_date.outputs.past_date }}.json .
- name: iam policies diff calculate
run: bundle exec ruby "app.rb" --type=iam ${{ secrets.SLACK_WEBHOOK_URL_FOR_GCP_MONITOR }} ${{ matrix.environment }} "iam-policies-${{ matrix.environment }}-${{ steps.get_date.outputs.past_date }}.json" "iam-policies-${{ matrix.environment }}-${{ steps.get_date.outputs.current_date }}.json"