CDCgov · jack-h-wang · Oct 24, 2024 · Oct 22, 2024 · Oct 22, 2024 · Oct 22, 2024
@@ -1,7 +1,7 @@
 ---
-name: UP Migrate Receiver - Move to Production
+name: UP Migrate Receiver - Move to Production and Monitor
 about: This is the third and final step in migrating a STLT to the UP 
-title: "[name of STLT] - UP Migration - Move to Production"
+title: "[name of STLT] - UP Migration - Move to Production and Monitor"
 labels: onboarding-ops, receiver
 assignees: ''
 

@@ -0,0 +1,4 @@
+.env
+*.crt
+*.key
+*.txt
@@ -0,0 +1,96 @@
+<div align="center"><h1>Actions Connect Open VPN</h1></div>
+
+>*Replaced deprecated [`set-output`](https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/)*
+
+> v2 switches to openvpn CLI for stability
+
+## Example file `.ovpn` to connect vpn
+
+[Example.ovpn](./example.ovpn)
+
+## Configuration with With
+
+The following settings must be passed as environment variables as shown in the
+example.
+
+| Key         | Value                                                                                                                           | Suggested Type | Required | Default         |
+| ----------- | ------------------------------------------------------------------------------------------------------------------------------- | -------------- | -------- | --------------- |
+| `FILE_OVPN` | Location file open vpn and .                                                                                                    | `env`          | **Yes**  | `./config.ovpn` |
+| `PING_URL`  | URL for check status vpn connect pass or fail                                                                                   | `env`          | **Yes**  | `127.0.0.1`     |
+| `SECRET`    | Username password for access vpn`(Encode base 64 before set secret.)`[How to encode base 64 ?](https://www.base64encode.org/).  | `secret env`   | No       | `''`            |
+| `TLS_KEY`   | Tls-crypt for access vpn `(Encode base 64 before set secret.)`[How to encode base 64 ?](https://www.base64encode.org/).         | `secret env`   | No       | `''`            |
+
+## Configuration with Env
+
+The following settings must be passed as environment variables as shown in the
+example.
+
+| Key         | Value                                                                                                                           | Suggested Type | Required | Default |
+| ----------- | ------------------------------------------------------------------------------------------------------------------------------- | -------------- | -------- | ------- |
+| `CA_CRT`    | Certificate for access vpn `(Encode base 64 before set secret.)`[How to encode base 64 ?](https://www.base64encode.org/).       | `secret env`   | **Yes**  | N/A     |
+| `USER_CRT`  | User certificate for access vpn. `(Encode base 64 before set secret.)`[How to encode base 64 ?](https://www.base64encode.org/). | `secret env`   | **Yes**  | N/A     |
+| `USER_KEY`  | User key for access vpn. `(Encode base 64 before set secret.)`[How to encode base 64 ?](https://www.base64encode.org/).         | `secret env`   | **Yes**  | N/A     |
+
+## Outputs
+
+### `STATUS`
+
+**Boolean** Can get status after connect `true` or `false`.
+
+## Example usage
+
+```yml
+  connect-open-vpn:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - name: Install Open VPN
+        run: sudo apt-get install openvpn
+      - name: Connect VPN
+        uses: golfzaptw/action-connect-ovpn@master
+        id: connect_vpn
+        with:
+          PING_URL: '127.0.0.1'
+          FILE_OVPN: '.github/vpn/config.ovpn'
+          SECRET: ${{ secrets.SECRET_USERNAME_PASSWORD }}
+          TLS_KEY: ${{ secrets.TLS_KEY }}
+        env:
+          CA_CRT: ${{ secrets.CA_CRT}}
+          USER_CRT: ${{ secrets.USER_CRT }}
+          USER_KEY: ${{ secrets.USER_KEY }}
+      - name: Check Connect VPN
+        run: echo ${{ steps.connect_vpn.outputs.STATUS }}
+      - name: kill vpn
+        if: always()
+        run: sudo killall openvpn
+```
+
+## How to prepare file .ovpn
+
+### Step
+
+1. Copy the data inside the tags
+`<ca></ca>`
+`<cert></cert>`
+`<key></key>`
+and encode those values to base64. Then save those values (without a new line!) to the secrets in github actions
+
+2. In the .ovpn file in your repo, remove the tags
+`<ca></ca>`
+`<cert></cert>`
+`<key></key> `
+and replace the values with
+```
+ca ca.crt
+cert user.crt
+key user.key
+```
+
+This will allow the values to be filled in from Github secrets.
+
+3. If your open vpn configuration has a username and password please encode those in base64. After that, save the values in the github actions secrets.
+format username password
+username-vpn
+password-vpn
+
+4. If open vpn have tag `<tls></tls>` please repeat step 1 and 2 for the TLS records.
@@ -0,0 +1,64 @@
+name: 'Connect-VPN-action'
+description: 'Connect VPN action'
+branding:
+  icon: 'shield'
+  color: 'orange'
+inputs:
+  SECRET:
+    description: 'Username and password for access vpn'
+    required: false
+    default: ''
+  TLS_KEY:
+    description: 'User key for access vpn'
+    required: false
+    default: ''
+  PING_URL:
+    description: 'For check success or fail'
+    required: true
+    default: '127.0.0.1'
+  FILE_OVPN:
+    description: 'Location file open vpn'
+    required: true
+    default: './config.ovpn'
+outputs:
+  STATUS:
+    description: 'Status for check connect vpn'
+    value: ${{ steps.vpn_status.outputs.vpn-status }}
+runs:
+  using: "composite"
+  steps:
+    - name: Install OpenVPN
+      run: |
+        sudo apt-get update
+        sudo apt-get install openvpn
+        sudo apt-get install openvpn-systemd-resolved
+      shell: bash
+
+    - name: Connect VPN
+      env:
+        TLS_KEY: ${{ inputs.TLS_KEY }}
+        CA_CRT: ${{ env.CA_CRT}}
+        USER_CRT: ${{ env.USER_CRT }}
+        USER_KEY: ${{ env.USER_KEY }}
+        SECRET: ${{ inputs.SECRET }}
+      shell: bash
+      run: |
+        echo "$TLS_KEY" | base64 -d > tls.key
+        echo "$CA_CRT" | base64 -d > ca.crt
+        echo "$USER_CRT" | base64 -d > user.crt
+        echo "$USER_KEY" | base64 -d > user.key
+        echo "$SECRET" | base64 -d > secret.txt
+        sudo openvpn --config ${{ inputs.FILE_OVPN }} --daemon
+
+    - name: VPN Status
+      id: vpn_status
+      env:
+        PING_URL: ${{ inputs.PING_URL }}
+      shell: bash
+      run: |
+        sleep 5
+        if ping -c 2 $PING_URL > /dev/null 2>&1; then
+          echo "vpn-status=true" >> $GITHUB_OUTPUT
+        else
+          echo "vpn-status=false" >> $GITHUB_OUTPUT
+        fi
@@ -0,0 +1,38 @@
+// FULL FILE OVPN
+
+client
+dev tun
+proto udp
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+remote-cert-tls server
+auth-nocache
+verb 3
+<ca>
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            b1:b0:0b:1a:ad:05:54:0f
+-----BEGIN CERTIFICATE-----
+MIIBtjCCAVygAwIBAgIUbPYCDoO+XmScoS84AhQsbnKvd84wCgYIKoZIzj0EAwIw
+u1MjifHr6jMxwQ==
+-----END CERTIFICATE-----
+</ca>
+<cert>
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            b1:b0:0b:1a:ad:05:54:0f
+-----BEGIN CERTIFICATE-----
+MIIBtjCCAVygAwIBAgIUbPYCDoO+XmScoS
+-----END CERTIFICATE-----
+</cert>
+<key>
+-----BEGIN CERTIFICATE-----
+MIIBtjCCAVygAwIBAgIUbPYCDoO+XmScoS84AhQsbn
+-----END CERTIFICATE-----
+</key>
@@ -138,7 +138,6 @@ runs:
           echo "::add-mask::$value"
           echo "$secret_get=$value" >> $GITHUB_OUTPUT
         done
-
 
     - name: Create ssl key file
       if: env.USE_DCT == 'true'
@@ -152,7 +151,7 @@ runs:
       shell: bash
       env:
         SSL_KEY: ${{ steps.key-vault.outputs[env.KEY_NAME] }}
-    
+
     - name: Confirm if runner is a signer
       if: env.USE_DCT == 'true'
       working-directory: prime-router
@@ -333,7 +332,10 @@ runs:
 
     - name: Validate function app checksum
       if: inputs.checksum-validation == 'true'
+
       uses: JosiahSiegel/checksum-validate-action@ebdf8c12c00912d18de93c483b935d51582f9236
+      ## DevSecOps - Aquia (Replace) uses: ./.github/actions/checksum-validate-action
+
       with:
         key: backend
         validate: true

@@ -41,6 +41,8 @@ runs:
       shell: bash
 
     - uses: josiahsiegel/action-connect-ovpn@794339aff94452216c97f609476c367a43a31295
+    ## DevSecOps - Aquia (Replace) - uses: ./.github/actions/action-connect-ovpn
+
       if: inputs.env-name && inputs.ca-cert != 'false'
       id: connect_vpn
       with:
@@ -79,7 +81,7 @@ runs:
         $env:ARM_CLIENT_SECRET = $servicePrincipal.clientSecret
         $env:ARM_SUBSCRIPTION_ID = $servicePrincipal.subscriptionId
         $env:ARM_TENANT_ID = $servicePrincipal.tenantId
-          
+
         # Save environment variable setup for subsequent steps
         Get-ChildItem -Path Env: -Recurse -Include ARM_* | ForEach-Object {Write-Output "$($_.Name)=$($_.Value)"} >> $env:GITHUB_ENV
       shell: pwsh
@@ -120,6 +120,11 @@ updates:
     schedule:
       interval: "daily"
 
+  - package-ecosystem: "github-actions"
+    directory: "/.github/actions/action-connect-ovpn"
+    schedule:
+      interval: "daily"
+
   # Frontend
   - package-ecosystem: "npm"
     directory: "/frontend-react"
@@ -334,7 +339,7 @@ updates:
       time: "04:17"
       timezone: "US/Eastern"
     rebase-strategy: "disabled"
-    
+
   # Backend
   - package-ecosystem: "gradle"
     directory: "/prime-router"

@@ -0,0 +1,21 @@
+
+client
+dev tun
+proto tcp
+remote 188.94.28.233 443
+verify-x509-name "C=de, L=Hamburg, O=IT works Consulting GmbH, CN=inf-gw-r1-06, [email protected]"
+route remote_host 255.255.255.255 net_gateway
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+auth-user-pass secret.txt
+cipher AES-256-CBC
+auth SHA256
+comp-lzo no
+route-delay 4
+verb 3
+reneg-sec 0
+ca ca.crt
+cert user.crt
+key user.key
@@ -26,9 +26,12 @@ jobs:
           user-key: ${{ secrets.USER_KEY }}
           sp-creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }}
           tf-auth: true
-          
+
       - name: Collect Terraform stats
+
         uses: josiahsiegel/terraform-stats@68b8cbe42c494333fbf6f8d90ac86da1fb69dcc2
+        ## DevSecOps - Aquia (Replace) - uses: ./.github/actions/terraform-stats
+
         id: stats1
         with:
           terraform-directory: operations/app/terraform/vars/${{ matrix.env }}
@@ -46,7 +49,7 @@ jobs:
           echo "resource-drifts=$(echo '${{ steps.stats1.outputs.resource-drifts }}' \
             | sed 's/\"/\\\"/g' | sed 's/\\\\\"/\\\\\\"/g')" >> $GITHUB_OUTPUT
           echo "$EOF" >> $GITHUB_OUTPUT
-          
+
       - name: Slack Notification
         if: ${{ steps.format_out.outputs.CHANGES  != '' }}
         uses: ./.github/actions/notifications
@@ -57,9 +60,8 @@ jobs:
             "change-count": "${{ steps.stats1.outputs.change-count }}"
             "drift-count": "${{ steps.stats1.outputs.drift-count }}"
             "resource-drifts": "${{ env.resource-drifts }}"
-          
+
           icon-emoji: ':bell:'
           channel: pagerduty-alert-dump
           webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
           color: warning
-
@@ -51,7 +51,10 @@ jobs:
           sp-creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }}
           tf-auth: true
       - name: Collect Terraform stats
+
         uses: josiahsiegel/terraform-stats@68b8cbe42c494333fbf6f8d90ac86da1fb69dcc2
+        ## DevSecOps - Aquia (Replace) - uses: ./.github/actions/terraform-stats
+
         id: stats1
         with:
           terraform-directory: operations/app/terraform/vars/${{ needs.pre_job.outputs.env_name }}

@@ -12,7 +12,10 @@ jobs:
     steps:
       - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
       - name: Workflow Housekeeper - workflows NOT in default branch
+
         uses: JosiahSiegel/workflow-housekeeper@731cc20bb613208b34efb6ac74aab4ba147abb50
+        ## DevSecOps - Aquia (Replace) - uses: ./.github/actions/workflow-housekeeper
+
         env:
           GITHUB_TOKEN: ${{ secrets.LOG_MANAGEMENT_TOKEN }}
         with:
@@ -21,7 +24,10 @@ jobs:
           retain-run-count: 0
           dry-run: false
       - name: Workflow Housekeeper - workflows in default branch
+
         uses: JosiahSiegel/workflow-housekeeper@731cc20bb613208b34efb6ac74aab4ba147abb50
+        ## DevSecOps - Aquia (Replace) - uses: ./.github/actions/workflow-housekeeper
+
         env:
           GITHUB_TOKEN: ${{ secrets.LOG_MANAGEMENT_TOKEN }}
         with:

@@ -27,13 +27,19 @@ jobs:
           echo "Branch name: \"${BRANCH_NAME}\""
 
       - name: "Create branch '${{ env.BRANCH_NAME }}' to contain the changes for the deployment on ${{ env.DEPLOYMENT_DATE }}"
+
         uses: JosiahSiegel/remote-branch-action@dbe7a2138eb064fbfdb980abee918091a7501fbe
+        ## DevSecOps - Aquia (Replace) - uses: ./.github/actions/remote-branch-action
+
         with:
           branch: "${{ env.BRANCH_NAME }}"
 
       - name: "Prepare a Pull Request from ${{ env.BRANCH_NAME }} into production branch"
         id: pr
+
         uses: JosiahSiegel/reliable-pull-request-action@ae8d0c88126329ee363a35392793d0bc94cb82e7
+        ## DevSecOps - Aquia (Replace) - uses: ./.github/actions/reliable-pull-request-action
+
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-Original file line number
+Diff line change
@@ -0,0 +1,4 @@
+    .env
+    *.crt
+    *.key
+    *.txt