Merge pull request #12 from Nullify-Platform/fix-pipeline

Fix pipeline

Author: vik-nullify

.github/workflows/helm-release.yml

@@ -6,6 +6,8 @@ on:
     paths:
       - 'aws-integration-setup/charts/**'
       - '.github/workflows/helm-release.yml'
+    tags:
+      - 'v*'
   workflow_dispatch:
 
 permissions:
@@ -36,6 +38,46 @@ jobs:
       with:
         version: v3.14.0
 
+    - name: Determine version
+      id: version
+      run: |
+        if [[ $GITHUB_REF == refs/tags/* ]]; then
+          # Use tag version (remove 'v' prefix)
+          VERSION=${GITHUB_REF#refs/tags/v}
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "Using tag version: $VERSION"
+        else
+          # Auto-increment patch version for main branch commits
+          LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0")
+          LATEST_VERSION=${LATEST_TAG#v}
+          
+          # Parse semantic version
+          IFS='.' read -ra VERSION_PARTS <<< "$LATEST_VERSION"
+          MAJOR=${VERSION_PARTS[0]:-0}
+          MINOR=${VERSION_PARTS[1]:-0}
+          PATCH=${VERSION_PARTS[2]:-0}
+          
+          # Increment patch version
+          NEW_PATCH=$((PATCH + 1))
+          NEW_VERSION="$MAJOR.$MINOR.$NEW_PATCH"
+          
+          echo "version=$NEW_VERSION" >> $GITHUB_OUTPUT
+          echo "Auto-incremented version: $LATEST_VERSION -> $NEW_VERSION"
+        fi
+
+    - name: Update Chart version
+      run: |
+        VERSION="${{ steps.version.outputs.version }}"
+        
+        # Update Chart.yaml with new version
+        sed -i "s/^version:.*/version: $VERSION/" aws-integration-setup/charts/nullify-k8s-collector/Chart.yaml
+        
+        # Optionally update appVersion to match
+        sed -i "s/^appVersion:.*/appVersion: \"$VERSION\"/" aws-integration-setup/charts/nullify-k8s-collector/Chart.yaml
+        
+        echo "Updated Chart.yaml to version $VERSION"
+        cat aws-integration-setup/charts/nullify-k8s-collector/Chart.yaml | grep -E "^(version|appVersion):"
+
     - name: Add Helm repos (if chart has dependencies)
       run: |
         helm repo add bitnami https://charts.bitnami.com/bitnami || true

.github/workflows/pr-validation.yml

@@ -21,6 +21,58 @@ This template creates:
    - AWS CLI configured with appropriate permissions
    - IAM permissions to create roles and policies
 
+3. **For EKS Integration** (optional):
+   - EKS cluster with OIDC provider enabled
+   - OIDC provider URL (see [Getting EKS OIDC URL](#getting-eks-oidc-url) below)
+
+## Getting EKS OIDC URL
+
+If you're enabling EKS integration, you'll need the OIDC provider URL from your EKS cluster.
+
+### Method 1: AWS CLI (Recommended)
+```bash
+# Get OIDC URL for your cluster
+aws eks describe-cluster --name YOUR_CLUSTER_NAME --query 'cluster.identity.oidc.issuer' --output text
+
+# Remove the https:// prefix for the CloudFormation parameter
+aws eks describe-cluster --name YOUR_CLUSTER_NAME --query 'cluster.identity.oidc.issuer' --output text | sed 's|https://||'
+```
+
+**Example output:**
+```
+https://oidc.eks.us-west-2.amazonaws.com/id/ABCDEF1234567890ABCDEF1234567890
+```
+
+**For CloudFormation parameter (without https://):**
+```
+oidc.eks.us-west-2.amazonaws.com/id/ABCDEF1234567890ABCDEF1234567890
+```
+
+### Method 2: AWS Console
+1. Go to **Amazon EKS** in the AWS Console
+2. Click on your cluster name
+3. Go to the **Configuration** tab
+4. Under **Details**, look for **OpenID Connect provider URL**
+
+### Method 3: kubectl (if you have cluster access)
+```bash
+kubectl get configmap aws-auth -n kube-system -o yaml | grep "oidc"
+```
+
+### OIDC URL Format
+- **Full URL format**: `https://oidc.eks.REGION.amazonaws.com/id/CLUSTER_ID`
+- **For CloudFormation parameter**: Use only the part **after** `https://`
+- **Example**: If full URL is `https://oidc.eks.us-west-2.amazonaws.com/id/ABC123`, use `oidc.eks.us-west-2.amazonaws.com/id/ABC123`
+
+### Enabling OIDC on EKS (if not already enabled)
+```bash
+# Check if OIDC is enabled
+aws eks describe-cluster --name YOUR_CLUSTER_NAME --query 'cluster.identity.oidc'
+
+# If null, enable OIDC provider
+eksctl utils associate-iam-oidc-provider --cluster YOUR_CLUSTER_NAME --approve
+```
+
 ## Quick Start
 
 ### 1. Deploy via AWS Console
@@ -43,7 +95,7 @@ aws cloudformation create-stack \
     ParameterKey=CustomerName,ParameterValue=yourcompany \
     ParameterKey=ExternalID,ParameterValue=YOUR-EXTERNAL-ID \
     ParameterKey=CrossAccountRoleArn,ParameterValue=arn:aws:iam::NULLIFY-ACCOUNT:role/NULLIFY-ROLE \
-    ParameterKey=S3BucketName,ParameterValue=NULLIFY-BUCKET \
+    ParameterKey=NullifyS3Bucket,ParameterValue=NULLIFY-BUCKET \
   --capabilities CAPABILITY_NAMED_IAM
 
 # Check deployment status
@@ -62,82 +114,31 @@ aws cloudformation describe-stacks \
 
 ```bash
 # For EKS clusters, enable integration
+# First, get your OIDC URL (see "Getting EKS OIDC URL" section above)
+OIDC_URL=$(aws eks describe-cluster --name YOUR_CLUSTER_NAME --query 'cluster.identity.oidc.issuer' --output text | sed 's|https://||')
+
 aws cloudformation create-stack \
   --stack-name nullify-aws-integration \
   --template-body file://nullify-cloudformation-template.json \
   --parameters \
     ParameterKey=CustomerName,ParameterValue=yourcompany \
     ParameterKey=ExternalID,ParameterValue=YOUR-EXTERNAL-ID \
     ParameterKey=CrossAccountRoleArn,ParameterValue=arn:aws:iam::NULLIFY-ACCOUNT:role/NULLIFY-ROLE \
-    ParameterKey=S3BucketName,ParameterValue=NULLIFY-BUCKET \
+    ParameterKey=NullifyS3Bucket,ParameterValue=NULLIFY-BUCKET \
     ParameterKey=EnableEKSIntegration,ParameterValue=true \
-    ParameterKey=EKSOidcProviderURL,ParameterValue=oidc.eks.us-east-1.amazonaws.com/id/YOUR-OIDC-ID \
+    ParameterKey=EKSOidcProviderURL,ParameterValue=$OIDC_URL \
   --capabilities CAPABILITY_NAMED_IAM
-```
 
-## Parameters
-
-| Parameter | Type | Required | Description |
-|-----------|------|----------|-------------|
-| `CustomerName` | String | Yes | Your company/customer identifier (1-10 chars) |
-| `ExternalID` | String | Yes | External ID provided by Nullify support |
-| `CrossAccountRoleArn` | String | Yes | Nullify's cross-account role ARN |
-| `S3BucketName` | String | Yes | S3 bucket name for data collection (provided by Nullify support) |
-| `AWSRegion` | String | No | AWS region (default: us-east-1) |
-| `EnableEKSIntegration` | String | No | Enable EKS integration (default: false) |
-| `EKSOidcProviderURL` | String | No* | EKS OIDC provider URL (*required if EKS enabled) |
-
-## Resources Created
-
-1. **IAMViewOnlyRole**: Main IAM role for Nullify integration
-2. **ReadOnlyAccessPolicy**: Part 1 of AWS service permissions
-3. **ReadOnlyAccessPolicy2**: Part 2 of AWS service permissions
-4. **S3AccessPolicy**: S3 permissions for data collection
-5. **DenyActionsPolicy**: Security controls to deny sensitive operations
-
-## Outputs
-
-- `RoleArn`: ARN of the created IAM role
-- `RoleName`: Name of the created IAM role
-
-## Security Features
-
-### Access Controls
-- **Cross-Account Trust**: Only trusts specified Nullify role ARN
-- **External ID**: Prevents confused deputy attacks
-- **Read-Only Permissions**: Comprehensive read access across AWS services
-- **Deny Policy**: Explicitly denies sensitive operations like downloading container images
-
-### EKS Integration
-- **OIDC Provider**: Supports EKS service account integration
-- **Conditional Logic**: EKS resources only created when enabled
-- **Service Account Trust**: Specific trust for `nullify:nullify-k8s-collector-sa`
-
-## Troubleshooting
-
-### Common Issues
-
-1. **Stack Creation Failed - Customer Name Invalid**
-   ```
-   Error: Customer name must start with a letter and can only contain letters, numbers, underscores, and hyphens
-   ```
-   **Solution**: Use only alphanumeric characters, underscores, and hyphens (1-10 characters)
-
-2. **Stack Creation Failed - OIDC Provider Not Found**
-   ```
-   Error: Invalid identity provider
-   ```
-   **Solution**: Ensure EKS cluster has OIDC provider enabled and URL is correct
-
-3. **External ID Mismatch**
-   ```
-   Error: Access denied during role assumption
-   ```
-   **Solution**: Verify external ID with Nullify support
-
-## Next Steps
-
-1. ✅ Note the role ARN from stack outputs
-2. ✅ Provide role ARN to Nullify support team
-3. ✅ Verify integration in Nullify dashboard
-4. ✅ Monitor CloudTrail for role assumption events 
+# Or manually with a specific OIDC URL:
+aws cloudformation create-stack \
+  --stack-name nullify-aws-integration \
+  --template-body file://nullify-cloudformation-template.json \
+  --parameters \
+    ParameterKey=CustomerName,ParameterValue=yourcompany \
+    ParameterKey=ExternalID,ParameterValue=YOUR-EXTERNAL-ID \
+    ParameterKey=CrossAccountRoleArn,ParameterValue=arn:aws:iam::NULLIFY-ACCOUNT:role/NULLIFY-ROLE \
+    ParameterKey=NullifyS3Bucket,ParameterValue=NULLIFY-BUCKET \
+    ParameterKey=EnableEKSIntegration,ParameterValue=true \
+    ParameterKey=EKSOidcProviderURL,ParameterValue=A78D8794A06CAE5791C5812CDB164C7D.gr7.ap-southeast-2.eks.amazonaws.com \
+  --capabilities CAPABILITY_NAMED_IAM
+```