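---
# Daily AWS compliance report: clone the Steampipe AWS compliance mod, run the
# Foundational Security benchmark, and push the Markdown result into the
# CloudMOA/argo-workflows repository README.
apiVersion: argoproj.io/v1alpha1
kind: CronWorkflow
metadata:
  name: steampipe-aws-report
spec:
  # 08:00 every day, evaluated in the Asia/Seoul timezone.
  schedule: "0 8 * * *"
  timezone: "Asia/Seoul"
  workflowSpec:
    entrypoint: bash-script-example
    volumes:
      - name: script-volume
        configMap:
          name: steampipe-script
      - name: kubeconfig
        secret:
          secretName: my-kubeconfig
    # Fresh per-run scratch volume shared by the three sequential tasks
    # (ReadWriteOnce is sufficient because the DAG never runs them in parallel).
    volumeClaimTemplates:
      - metadata:
          name: shared-data
        spec:
          accessModes: ["ReadWriteOnce"]
          resources:
            requests:
              storage: 1Gi
    templates:
      # Linear pipeline: clone mod -> run benchmark -> publish result.
      - name: bash-script-example
        dag:
          tasks:
            - name: git-steampipe
              template: git-steampipe
            - name: steampipe
              template: steampipe
              dependencies:
                - git-steampipe
            - name: git-argo-workflows
              template: git-argo-workflows
              dependencies:
                - steampipe

      # Runs the benchmark and writes the Markdown report to /shared-data/README.md.
      - name: steampipe
        script:
          # TODO(review): ":latest" is mutable; pin an immutable tag or digest so
          # the scanner and the aws plugin installed at runtime are reproducible.
          image: ghcr.io/turbot/steampipe:latest
          command: [bash]
          volumeMounts:
            - name: shared-data
              mountPath: /shared-data
            # NOTE(review): /scripts and /kubeconfig are not referenced by the
            # script below; presumably consumed via the mounted config - confirm
            # or drop the mounts to reduce what the pod can read.
            - name: script-volume
              mountPath: /scripts
            - name: kubeconfig
              mountPath: /kubeconfig
          # AWS credentials come from the aws-creds Secret; they are read-only
          # in this workflow (no write path is exercised by the benchmark).
          env:
            - name: AWS_REGION
              valueFrom:
                secretKeyRef:
                  name: aws-creds
                  key: AWS_REGION
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: aws-creds
                  key: AWS_ACCESS_KEY_ID
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: aws-creds
                  key: AWS_SECRET_ACCESS_KEY
            # NOTE(review): KMS_ARN is not used by the script below - confirm it
            # is needed before keeping it in the pod environment.
            - name: KMS_ARN
              valueFrom:
                secretKeyRef:
                  name: aws-creds
                  key: KMS_ARN
            - name: KUBECONFIG
              value: /kubeconfig/config
          # Deliberately no `set -e`: `steampipe check` may exit non-zero when
          # controls are in alarm, which would abort the report - confirm the
          # exit-code contract before adding strict mode here.
          source: |
            # 쿼리 결과를 공유 볼륨에 저장
            steampipe plugin install aws
            sleep 3
            steampipe service restart --force
            sleep 1
            cd /shared-data/steampipe-mod-aws-compliance
            steampipe check benchmark.foundational_security --output=md > ../README.md
            sleep 1

      # Clones the public compliance mod into the shared volume.
      - name: git-steampipe
        script:
          # TODO(review): pin to an immutable tag or digest instead of ":latest".
          image: alpine/git:latest
          command: [sh]
          volumeMounts:
            - name: shared-data
              mountPath: /shared-data
            - name: script-volume
              mountPath: /scripts
          # NOTE(review): the clone below is of a public repo over https and
          # never uses these credentials; consider removing them from this task.
          env:
            - name: GIT_USERNAME
              valueFrom:
                secretKeyRef:
                  name: git-credentials
                  key: username
            - name: GIT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: git-credentials
                  key: password
          # `set -e`: a failed `cd` must not let the clone land in the wrong directory.
          source: |
            set -e
            cd /shared-data/
            git clone https://github.com/turbot/steampipe-mod-aws-compliance.git

      # Copies the generated README into the target repository and pushes it.
      - name: git-argo-workflows
        script:
          # TODO(review): pin to an immutable tag or digest instead of ":latest".
          image: alpine/git:latest
          command: [sh]
          volumeMounts:
            - name: shared-data
              mountPath: /shared-data
            - name: script-volume
              mountPath: /scripts
          env:
            - name: GIT_USERNAME
              valueFrom:
                secretKeyRef:
                  name: git-credentials
                  key: username
            - name: GIT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: git-credentials
                  key: password
          # Fail fast (`set -e`) so a failed clone or copy cannot lead to a push
          # from an unexpected working directory. `umask 077` keeps the plaintext
          # credential-store file readable only by the script's own user.
          # A run with no README change exits successfully without committing
          # instead of relying on `git commit` failing and `git push` pushing nothing.
          source: |
            set -e
            umask 077
            cd /shared-data/
            git config --global credential.helper 'store --file /tmp/credentials'
            echo "https://${GIT_USERNAME}:${GIT_PASSWORD}@github.com" > /tmp/credentials
            git config --global user.email "havelight@ex-em.com"
            git config --global user.name "jaehee-jung"
            git clone https://github.com/CloudMOA/argo-workflows.git
            # 공유 볼륨에서 쿼리 결과 읽기
            cp README.md argo-workflows/README.md
            # 커밋 및 푸시 작업 수행
            cd argo-workflows
            git add README.md
            if git diff --cached --quiet; then
              echo "README.md unchanged; nothing to push"
            else
              git commit -m "Update README with query result"
              git push
            fi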