Merge branch 'main' into user-info

.github/workflows/ci-pull_request.yml

@@ -0,0 +1,105 @@
+name: Unit Tests and Lints
+
+on:
+  pull_request:
+    branches:
+      - main
+      - "[0-9]+.[0-9]+"
+    types: [opened, synchronize, reopened]
+  push:
+    branches:
+      - main
+      - "[0-9]+.[0-9]+"
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-22.04
+    timeout-minutes: 60
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+
+      - name: Initialize hermit
+        shell: bash
+        run: |
+          ./bin/hermit env --raw >> "$GITHUB_ENV"
+
+      - name: Initialize poetry
+        shell: bash
+        run: |
+          pip3 install poetry
+          (cd security-policies && poetry install --no-root)
+
+      - name: Pre-commit Hooks
+        env:
+          # Skipping golangci-lint as it's tested by golangci-lint
+          SKIP: golangci-lint
+        shell: bash
+        run: |
+          pre-commit run --all-files
+
+      - name: golangci-lint
+        shell: bash
+        run: golangci-lint run --out-format github-actions
+
+      - name: Mage Check
+        shell: bash
+        run: mage check
+
+      - name: Mage checkLicenseHeaders
+        shell: bash
+        run: mage checkLicenseHeaders
+
+      - name: Validate mocks
+        shell: bash
+        run: just validate-mocks
+
+      - name: Terraform fmt
+        shell: bash
+        run: terraform fmt -check -recursive
+
+  unit-test:
+    name: Unit Test
+    runs-on: ubuntu-22.04
+    timeout-minutes: 60
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+
+      - name: Initialize hermit
+        shell: bash
+        run: |
+          ./bin/hermit env --raw >> "$GITHUB_ENV"
+
+      - name: Build opa bundle
+        shell: bash
+        run: mage buildOpaBundle
+
+      - name: Unit-Test
+        shell: bash
+        run: |
+          go install gotest.tools/gotestsum
+          GOOS=linux TEST_DIRECTORY=./... gotestsum --format pkgname -- -race -coverpkg=./... -coverprofile=cover.out.tmp
+          cat cover.out.tmp | grep -v "mock_.*.go" > cover.out # remove mock files from coverage report
+
+      - name: Upload coverage artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-file
+          path: cover.out
+          overwrite: true
+
+      - name: Send coverage
+        env:
+          COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        shell: bash
+        run: |
+          go install github.com/mattn/goveralls@latest
+          goveralls -coverprofile=cover.out -service=github

.github/workflows/ci.yml

@@ -29,100 +29,6 @@ jobs:
         with:
           init-tools: 'true'
 
-  lint:
-    name: Lint
-    runs-on: ubuntu-22.04
-    timeout-minutes: 60
-    steps:
-      - name: Check out the repo
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event_name == 'push' && github.ref || format('refs/pull/{0}/merge', github.event.number) }}
-          # If the event is push to branch use the default ref.
-          # If the event is pull request (`pull_request_target` in our case) use merge commit as ref to run lint over the PR's code.
-
-      - name: Initialize hermit
-        shell: bash
-        run: |
-          ./bin/hermit env --raw >> "$GITHUB_ENV"
-
-      - name: Initialize poetry
-        shell: bash
-        run: |
-          pip3 install poetry
-          (cd security-policies && poetry install --no-root)
-
-      - name: Pre-commit Hooks
-        env:
-          # Skipping golangci-lint as it's tested by golangci-lint
-          SKIP: golangci-lint
-        shell: bash
-        run: |
-          pre-commit run --all-files
-
-      - name: golangci-lint
-        shell: bash
-        run: golangci-lint run --out-format github-actions
-
-      - name: Mage Check
-        shell: bash
-        run: mage check
-
-      - name: Mage checkLicenseHeaders
-        shell: bash
-        run: mage checkLicenseHeaders
-
-      - name: Validate mocks
-        shell: bash
-        run: just validate-mocks
-
-      - name: Terraform fmt
-        shell: bash
-        run: terraform fmt -check -recursive
-
-  unit-test:
-    name: Unit Test
-    runs-on: ubuntu-22.04
-    timeout-minutes: 60
-    steps:
-      - name: Check out the repo
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event_name == 'push' && github.ref || format('refs/pull/{0}/merge', github.event.number) }}
-          # If the event is push to branch use the default ref.
-          # If the event is pull request (`pull_request_target` in our case) use merge commit as ref to run unit tests over the PR's code.
-
-      - name: Initialize hermit
-        shell: bash
-        run: |
-          ./bin/hermit env --raw >> "$GITHUB_ENV"
-
-      - name: Build opa bundle
-        shell: bash
-        run: mage buildOpaBundle
-
-      - name: Unit-Test
-        shell: bash
-        run: |
-          go install gotest.tools/gotestsum
-          GOOS=linux TEST_DIRECTORY=./... gotestsum --format pkgname -- -race -coverpkg=./... -coverprofile=cover.out.tmp
-          cat cover.out.tmp | grep -v "mock_.*.go" > cover.out # remove mock files from coverage report
-
-      - name: Upload coverage artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: coverage-file
-          path: cover.out
-          overwrite: true
-
-      - name: Send coverage
-        env:
-          COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        shell: bash
-        run: |
-          go install github.com/mattn/goveralls@latest
-          goveralls -coverprofile=cover.out -service=github
-
   ci-azure:
     needs: [ init-hermit ]
     name: CIS Azure CI

.github/workflows/cloudformation-ci.yml

@@ -9,6 +9,13 @@ on:
     paths:
       - deploy/cloudformation/*.yml
       - .github/workflows/cloudformation-ci.yml
+  push:
+    branches:
+      - main
+      - "[0-9]+.[0-9]+"
+    paths:
+      - deploy/cloudformation/*.yml
+      - .github/workflows/cloudformation-ci.yml
 
 env:
   WORKING_DIR: deploy/test-environments
@@ -115,3 +122,63 @@ jobs:
           terraform destroy --auto-approve -target="module.ec_deployment" -target="module.ec_project"
           aws cloudformation delete-stack --stack-name ${{ env.CNVM_STACK_NAME }}
           aws cloudformation wait stack-delete-complete --stack-name ${{ env.CNVM_STACK_NAME }}
+
+
+  Deploy-CloudFormation-DirectKeys:
+    name: "Deploy CloudFormation DirectKeys"
+    runs-on: ubuntu-latest
+    timeout-minutes: 40
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+
+      - name: Hermit Environment
+        uses: ./.github/actions/hermit
+        with:
+          init-tools: 'true'
+
+      - name: Set up unique deployment names
+        run: |
+          suffix="$(date +%s | tail -c 3)"
+          echo "DIRECT_KEY_STACK_NAME=direct-key-stack-pr${{ github.event.number }}-$suffix" >> $GITHUB_ENV
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_TEST_ACC }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_TEST_ACC }}
+          aws-region: "eu-west-1"
+
+      - name: Deploy CloudFormation stack
+        env:
+          CF_FILE: 'deploy/cloudformation/elastic-agent-direct-access-key-cspm.yml'
+        run: |
+          aws cloudformation validate-template --template-body file://${{ env.CF_FILE }}
+          aws cloudformation create-stack --stack-name ${{ env.DIRECT_KEY_STACK_NAME }} --template-body file://${{ env.CF_FILE }} --capabilities CAPABILITY_NAMED_IAM
+          aws cloudformation wait stack-create-complete --stack-name ${{ env.DIRECT_KEY_STACK_NAME }}
+
+      - name: Get Direct Keys
+        id: direct-keys
+        shell: bash
+        run: |
+          BODY="$(aws cloudformation describe-stacks --stack-name ${{ env.DIRECT_KEY_STACK_NAME }} --query 'Stacks[0].Outputs' --output json)"
+          NEW_ACCESS_KEY_ID="$(echo "${BODY}" | jq -r '.[] | select(.OutputKey | test("AccessKeyId")) | .OutputValue')"
+          echo "::add-mask::$NEW_ACCESS_KEY_ID"
+          NEW_SECRET_ACCESS_KEY="$(echo "${BODY}" | jq -r '.[] | select(.OutputKey | test("SecretAccessKey")) | .OutputValue')"
+          echo "::add-mask::$NEW_SECRET_ACCESS_KEY"
+          echo "NEW_ACCESS_KEY_ID=${NEW_ACCESS_KEY_ID}" >> $GITHUB_OUTPUT
+          echo "NEW_SECRET_ACCESS_KEY=${NEW_SECRET_ACCESS_KEY}" >> $GITHUB_OUTPUT
+
+      - name: Run AWS integration tests
+        uses: ./.github/actions/aws-ci
+        with:
+          elk-version: ${{ env.ELK_VERSION }}
+          aws-access-key-id: ${{ steps.direct-keys.outputs.NEW_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ steps.direct-keys.outputs.NEW_SECRET_ACCESS_KEY }}
+          aws-account-type: single-account
+
+      - name: Cleanup Environment
+        if: always()
+        run: |
+          aws cloudformation delete-stack --stack-name ${{ env.DIRECT_KEY_STACK_NAME }}
+          aws cloudformation wait stack-delete-complete --stack-name ${{ env.DIRECT_KEY_STACK_NAME }}

.mergify.yml

@@ -287,3 +287,16 @@ pull_request_rules:
         labels:
           - "backport"
         title: "[{{ destination_branch }}](backport #{{ number }}) {{ title }}"
+  - name: backport patches to 8.14 branch
+    conditions:
+      - merged
+      - label=backport-v8.14.0
+    actions:
+      backport:
+        assignees:
+          - "{{ author }}"
+        branches:
+          - "8.14"
+        labels:
+          - "backport"
+        title: "[{{ destination_branch }}](backport #{{ number }}) {{ title }}"

deploy/aws/cloudbeat-aws.yml

@@ -6,7 +6,7 @@ cloudbeat:
         credentials:
           access_key_id: ${AWS_ACCESS_KEY_ID:""}
           secret_access_key: ${AWS_SECRET_ACCESS_KEY:""}
-          account_type: ${AWS_ACCOUNT_TYPE:""}
+        account_type: ${AWS_ACCOUNT_TYPE:""}
   type: cloudbeat/cis_aws
   # Defines how often an event is sent to the output
   period: 30s

deploy/azure/ARM-for-organization-account.dev.json

@@ -27,7 +27,7 @@
             "metadata": {
                 "description": "The version of elastic-agent to install"
             },
-            "defaultValue": "8.14.0"
+            "defaultValue": "8.15.0"
         },
         "FleetUrl": {
             "type": "string",

deploy/azure/ARM-for-organization-account.json

@@ -27,7 +27,7 @@
             "metadata": {
                 "description": "The version of elastic-agent to install"
             },
-            "defaultValue": "8.14.0"
+            "defaultValue": "8.15.0"
         },
         "FleetUrl": {
             "type": "string",

deploy/azure/ARM-for-single-account.dev.json

@@ -14,7 +14,7 @@
             "metadata": {
                 "description": "The version of elastic-agent to install"
             },
-            "defaultValue": "8.14.0"
+            "defaultValue": "8.15.0"
         },
         "FleetUrl": {
             "type": "string",

deploy/azure/ARM-for-single-account.json

@@ -14,7 +14,7 @@
             "metadata": {
                 "description": "The version of elastic-agent to install"
             },
-            "defaultValue": "8.14.0"
+            "defaultValue": "8.15.0"
         },
         "FleetUrl": {
             "type": "string",