This repository has been archived by the owner on Oct 3, 2024. It is now read-only.
Initial setup for repo #1
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Test AWS Init Package | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| workflow_dispatch: ## Give us the ability to run this manually | |
| inputs: | |
| cluster_name: | |
| type: string | |
| default: zarf-init-aws-test | |
| description: Name of the eks cluster that the test will create | |
| instance_type: | |
| type: string | |
| default: t3.medium | |
| description: EC2 instance type to use for the EKS cluster nodes | |
| permissions: | |
| id-token: write | |
| contents: read | |
| # Abort prior jobs in the same workflow / PR | |
| concurrency: | |
| group: init-aws-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| validate: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 | |
| # - name: Install latest version of Zarf | |
| # uses: defenseunicorns/setup-zarf@main | |
| - name: Build Zarf binary from source | |
| run: | | |
| tmpdir="$(mktemp -d)" | |
| git clone --depth 1 https://github.com/defenseunicorns/zarf.git "$tmpdir" | |
| cd "$tmpdir" | |
| make build-cli-linux-amd | |
| chmod +x build/zarf | |
| sudo mv build/zarf /usr/local/bin | |
| zarf version | |
| # TODO: | |
| # - ensure IAM role has permissions for both public and private ECR | |
| # - create IAM roles for Pepr webhook and credential helper | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 # v4.0.0 | |
| with: | |
| role-to-assume: ${{ secrets.AWS_NIGHTLY_ROLE }} | |
| aws-region: us-east-1 | |
| role-duration-seconds: 14400 | |
| - name: Build the AWS init package | |
| run: make aws-init-package | |
| - name: Build the eks package | |
| run: make eks-package | |
| - name: Deploy the eks package | |
| run: | | |
| zarf package deploy build/zarf-package-distro-eks-multi-0.0.3.tar.zst \ | |
| --components=deploy-eks-cluster \ | |
| --set=EKS_CLUSTER_NAME=${{ inputs.cluster_name || 'zarf-init-aws-test' }} \ | |
| --set=EKS_INSTANCE_TYPE=${{ inputs.instance_type || 't3.medium' }} \ | |
| --confirm | |
| - name: Create IAM roles for IRSA authentication | |
| working-directory: bootstrap/iam | |
| id: iam-create | |
| run: ./iam.sh create ${{ inputs.cluster_name || 'zarf-init-aws-test' }} | |
| - name: Zarf init with private ECR registry | |
| working-directory: ./build | |
| run: | | |
| REGISTRY_TYPE="private" | |
| AWS_REGION="us-east-1" | |
| AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text) | |
| REGISTRY_URL="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com" | |
| ECR_AUTH_TOKEN=$(aws ecr get-login-password --region "${AWS_REGION}") | |
| zarf init \ | |
| --registry-url="${REGISTRY_URL}" \ | |
| --registry-push-username="AWS" \ | |
| --registry-push-password="${ECR_AUTH_TOKEN}" \ | |
| --set=REGISTRY_TYPE="${REGISTRY_TYPE}" \ | |
| --set=AWS_REGION="${AWS_REGION}" \ | |
| --set=ECR_HOOK_ROLE_ARN=${{ steps.iam-create.outputs.ecr-webhook-role-arn }} \ | |
| --set=ECR_CREDENTIAL_HELPER_ROLE_ARN=${{ steps.iam-create.outputs.ecr-credential-helper-role-arn }} \ | |
| --components="zarf-ecr-credential-helper" \ | |
| -a amd64 \ | |
| -l debug \ | |
| --confirm | |
| - name: Teardown the cluster | |
| if: always() | |
| run: | | |
| zarf package deploy build/zarf-package-distro-eks-multi-0.0.3.tar.zst \ | |
| --components=teardown-eks-cluster \ | |
| --set=EKS_CLUSTER_NAME=${{ inputs.cluster_name || 'zarf-init-aws-test' }} \ | |
| --confirm | |
| - name: Delete ECR repositories | |
| if: always() | |
| run: | | |
| repos=("defenseunicorns/pepr/controller" "defenseunicorns/zarf/agent" "lucasrod96/zarf-ecr-credential-helper") | |
| for repo in "${repos[@]}" | |
| do | |
| aws ecr delete-repository --repository-name "${repo}" --force || true | |
| done | |
| - name: Delete IAM roles | |
| if: always() | |
| working-directory: bootstrap/iam | |
| run: ./iam.sh delete | |
| - name: Save logs | |
| if: always() | |
| uses: defenseunicorns/zarf/.github/actions/save-logs@main | |
| # TODO: add slack webhook URL secret | |
| # - name: Send trigger to Slack on workflow failure | |
| # if: failure() | |
| # uses: defenseunicorns/zarf/.github/actions/slack@main | |
| # with: | |
| # slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} |