chore(base update): update from base repo

Enterprise-CMCS · Mar 27, 2023 · 5b9f6a5 · 5b9f6a5
1 parent 1b56d84
commit 5b9f6a5
Show file tree

Hide file tree

Showing 16 changed files with 2,030 additions and 1,919 deletions.
diff --git a/.github/workflows/auto-create-jira-comment.yml b/.github/workflows/auto-create-jira-comment.yml
@@ -0,0 +1,44 @@
+on:
+  pull_request:
+    types: [opened, edited]
+name: Jira Issue Commenter
+
+jobs:
+  search:
+    runs-on: ubuntu-latest
+    name: Search PR for mentioned Jira Issues
+    outputs:
+      issues: ${{ steps.search.outputs.issues }}
+    steps:
+      - name: find issues
+        id: search
+        env:
+          JIRA_BASE_URL: https://qmacbis.atlassian.net/browse/
+          JIRA_TOKEN: ${{ secrets.JIRA_TOKEN }}
+          BODY: ${{ github.event.pull_request.body }}
+        if: env.JIRA_TOKEN != ''
+        run: |
+          printenv BODY > .tmp.body.txt
+          issues=(`grep -oP "(?<=${JIRA_BASE_URL})[A-Z]+\d+-\d+" .tmp.body.txt || true`)
+          issueJson=`jq -c -n '$ARGS.positional' --args "${issues[@]}"`
+          echo "issues=$issueJson" >> $GITHUB_OUTPUT
+  comment:
+    runs-on: ubuntu-latest
+    name: Comment on Jira Issues
+    needs: search
+    if: needs.search.outputs.issues && needs.search.outputs.issues != '[]'
+    strategy:
+      matrix:
+        value: ${{fromJson(needs.search.outputs.issues)}}
+    steps:
+      - name: Login
+        uses: atlassian/gajira-login@v3
+        env:
+          JIRA_API_TOKEN: ${{ secrets.JIRA_TOKEN }}
+          JIRA_BASE_URL: https://qmacbis.atlassian.net
+          JIRA_USER_EMAIL: ${{ secrets.JIRA_USERNAME }}
+      - name: Comment on issue
+        uses: atlassian/gajira-comment@v3
+        with:
+          issue: ${{ matrix.value }}
+          comment: This issue was mentioned on ${{ github.event.pull_request._links.html.href }}
diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml
@@ -2,8 +2,6 @@ name: Dependency Update
 
 on:
   workflow_dispatch:
-  schedule:
-    - cron: "0 0 * * MON"
 
 concurrency:
   group: ${{ github.workflow }}

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -21,15 +21,6 @@ permissions:
 jobs:
   init:
     runs-on: ubuntu-20.04
-    environment:
-      name: ${{ github.ref_name }}
-    env:
-      STAGE_NAME: ${{ github.ref_name }}
-    permissions:
-      id-token: write
-      contents: write
-      issues: write
-      pull-requests: write
     steps:
       - name: Validate stage name
         run: |
@@ -105,7 +96,7 @@ jobs:
       - uses: ./.github/actions/setup
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1-node16
+        uses: aws-actions/configure-aws-credentials@v2
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_TO_ASSUME }}
           aws-region: us-east-1

diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml
@@ -35,7 +35,7 @@ jobs:
       - uses: ./.github/actions/setup
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1-node16
+        uses: aws-actions/configure-aws-credentials@v2
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_TO_ASSUME }}
           aws-region: us-east-1

diff --git a/.github/workflows/running-stage-notifier.yml b/.github/workflows/running-stage-notifier.yml
@@ -2,7 +2,7 @@ name: Running Stage Notifier
 
 on:
   schedule:
-    - cron: "30 21 * * 1-5"
+    - cron: "30 20 * * 1-5"
   workflow_dispatch:
 
 jobs:

diff --git a/.github/workflows/security-hub-jira-sync.yml b/.github/workflows/security-hub-jira-sync.yml
@@ -28,16 +28,46 @@ jobs:
       - uses: ./.github/actions/setup
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1-node16
+        uses: aws-actions/configure-aws-credentials@v2
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_TO_ASSUME }}
           aws-region: us-east-1
           role-duration-seconds: 10800
 
       - name: Invoke Security Hub Jira Sync
+        id: jiraUpdates
         env:
           JIRA_HOST: qmacbis.atlassian.net
           JIRA_PROJECT: OY2
           JIRA_USERNAME: ${{ secrets.JIRA_USERNAME }}
           JIRA_TOKEN: ${{ secrets.JIRA_TOKEN }}
-        run: run securityHubJiraSync
+        run: |
+          jiraUpdates=$(run securityHubJiraSync)
+          jiraUpdatesFormatted=$(echo "$jiraUpdates" | jq -r '.[] | "\(.action) - <\(.webUrl)|\(.summary)>"' | tr '\n' '\r')
+          echo "jiraUpdates=$jiraUpdatesFormatted" >> $GITHUB_ENV
+
+      - name: Slack Notification - notify of Security Hub Jira issues updates
+        uses: rtCamp/action-slack-notify@v2
+        if: env.SLACK_WEBHOOK != '' && env.jiraUpdates != ''
+        env:
+          SLACK_MSG_AUTHOR: ${{ github.repository }}
+          SLACK_COLOR: ${{ job.status }}
+          SLACK_ICON: https://github.com/${{ github.repository_owner }}.png?size=48
+          SLACK_TITLE: Security Hub Jira Sync
+          SLACK_MESSAGE: ${{ env.jiraUpdates }}
+          SLACK_USERNAME: ${{ github.repository }} - ${{ github.workflow }}
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+          MSG_MINIMAL: true
+
+      - name: Slack Notification - notify of failure reporting on Security Hub Jira issues updates
+        uses: rtCamp/action-slack-notify@v2
+        if: env.SLACK_WEBHOOK != '' && failure()
+        env:
+          SLACK_MSG_AUTHOR: ${{ github.repository }}
+          SLACK_COLOR: ${{ job.status }}
+          SLACK_ICON: https://github.com/${{ github.repository_owner }}.png?size=48
+          SLACK_TITLE: Failure reporting on Security Hub Jira Sync
+          SLACK_MESSAGE: Failure reporting on Security Hub Jira Sync
+          SLACK_USERNAME: ${{ github.repository }} - ${{ github.workflow }}
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+          MSG_MINIMAL: true
diff --git a/.github/workflows/workspace-setup.yml b/.github/workflows/workspace-setup.yml
@@ -23,7 +23,7 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1-node16
+        uses: aws-actions/configure-aws-credentials@v2
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_TO_ASSUME }}
           aws-region: us-east-1

diff --git a/docs/docs/workflows/auto-create-jira-comment.md b/docs/docs/workflows/auto-create-jira-comment.md
@@ -0,0 +1,39 @@
+---
+layout: default
+title: Jira Issue Commenter
+parent: GitHub Workflows
+nav_order: 2
+---
+
+# Jira Issue Commenter
+{: .no_toc }
+
+Automatically links Pull Requests to Jira Issues mentioned in the PR body.
+{: .fs-6 .fw-300 }
+---
+
+## Summary
+
+The {{ site.repo.name }} project uses GitHub Pull Requests to review and merge and code change.  A GitHub pull request is a feature that allows developers to propose changes to a project's codebase. When a developer wants to suggest changes to a project, they create a pull request which includes the code changes they've made. The pull request then allows other developers to review the proposed changes, discuss any potential issues, and ultimately merge the changes into the main codebase.
+
+The {{ site.repo.name }} project uses Jira to plan, schedule, and track development work items.
+
+As a general rule, most pull requests should be related to a Jira Issue.  In fact our PR template has a section where you may list related issues.
+
+The auto-create-jira-comment workflow is meant to scan pull requests for Jira Issue links; any issues that it finds receives a new comment "This issue was referenced on (link to pull request)".  If it finds no issue links in the PR, nothing happens.  If it finds one, two, or 'n' issues, they all receive that same "This issue was referenced..." comment.  While this workflow will not automatically close issues in Jira, it works to create that link between work item and pull request, provided the team can add Jira Issue links to PRs.
+
+## Configuration, Notes, YSK
+
+### Set JIRA_USERNAME and JIRA_TOKEN as github secrets
+
+The workflow file expects two secrets to be set, JIRA_USERNAME and JIRA_TOKEN.  IF they're not set, the workflow will not fail, but it will be unable to comment on Jira issues.
+
+You'll need to create username and token secrets for a jira user.  The token is more accurately called a Personal Access Token (PAT) in Jira, and can be created by logging into Jira in a web browser and following [these instructions](https://confluence.atlassian.com/enterprise/using-personal-access-tokens-1026032365.html#UsingPersonalAccessTokens-CreatingPATsintheapplication).
+
+On MACPro, we use a service user; you probably should, too.  If you're on MACPro, you may be able to leverage our existing service user; reach out to {{ site.contact_email }} or Nathan O'Donnell about possible access.
+
+Load these values for JIRA_USERNAME and JIRA_TOKEN into the repository's actions secrets, and the workflow functionality will be operational.
+
+### Review/Update the JIRA_BASE_URL in the workflow file
+
+In the [workflow definition](../../../.github/workflows/autom-create-jira-comment.yml), there is a hardcoded value for JIRA_BASE_URL.  This is used to more precisely find Jira issue links.  As this value is the same for MACPro projects, it was hardcoded to reduce configuration burden.  But if your project uses a different Jira than the one listed, update this value to your Jira base url.
diff --git a/docs/docs/workflows/security-hub-jira-sync.md b/docs/docs/workflows/security-hub-jira-sync.md
@@ -2,7 +2,7 @@
 layout: default
 title: Security Hub Jira Sync
 parent: GitHub Workflows
-nav_order: 6
+nav_order: 1
 ---
 
 # Security Hub Jira Sync

diff --git a/package.json b/package.json
@@ -20,7 +20,7 @@
   "license": "CC0-1.0",
   "homepage": "https://github.com/Enterprise-CMCS/macpro-om-template#readme",
   "devDependencies": {
-    "@enterprise-cmcs/macpro-security-hub-sync": "^1.3.0",
+    "@enterprise-cmcs/macpro-security-hub-sync": "^1.5.0",
     "@enterprise-cmcs/macpro-serverless-running-stages": "^1.0.4",
     "@enterprise-cmcs/serverless-waf-plugin": "^1.3.0",
     "@serverless/compose": "^1.3.0",

diff --git a/src/run.ts b/src/run.ts
@@ -283,6 +283,8 @@ yargs(process.argv.slice(2))
         customJiraFields: {
           customfield_14117: [{ value: "Platform Team" }],
           customfield_14151: [{ value: "Not Applicable " }],
+          customfield_14068:
+            "* All findings of this type are resolved or suppressed, indicated by a Workflow Status of Resolved or Suppressed.  (Note:  this ticket will automatically close when the AC is met.)",
         },
       }).sync();
     }

diff --git a/src/services/.oidc/serverless.yml b/src/services/.oidc/serverless.yml
@@ -36,7 +36,7 @@ custom:
     - arn:aws:iam::${aws:accountId}:policy/ADO-Restriction-Policy
     - arn:aws:iam::${aws:accountId}:policy/CMSApprovedAWSServices
     - arn:aws:iam::aws:policy/AdministratorAccess
-  SubjectClaimFilters: "repo:Enterprise-CMCS/macpro-om-template:*"
+  SubjectClaimFilters: "repo:Enterprise-CMCS/macpro-base-template:${param:claimFilter}"
 resources:
   Resources:
     GitHubActionsServiceRole:

diff --git a/src/services/dashboard/handlers/templatizeCloudWatchDashboard.ts b/src/services/dashboard/handlers/templatizeCloudWatchDashboard.ts
@@ -46,7 +46,7 @@ export const handler = async (
     const { service, accountId, stage, region } = process.env;
     const client = new CloudWatch({});
     const dashboard = await client.getDashboard({
-      DashboardName: `${stage}-dashboard`,
+      DashboardName: `${service}-${stage}`,
     });
 
     const replacables = {