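---
# Integration test for the Zarf AWS init package: builds Zarf from source,
# stands up a throwaway EKS cluster, runs `zarf init` against a private ECR
# registry, then tears the cluster, ECR repositories and IAM roles down again
# (the teardown steps are `if: always()`, so they run after a failure too).
name: Test AWS Init Package

on:
  push:
    branches:
      - main
  # NOTE(review): pull_request runs from forks do not receive repository
  # secrets, so `secrets.AWS_NIGHTLY_ROLE` below is empty for them and the
  # credentials step fails before any AWS resource is touched.
  pull_request:
    branches:
      - main
  workflow_dispatch:  # Give us the ability to run this manually
    inputs:
      cluster_name:
        type: string
        default: zarf-init-aws-test
        description: Name of the eks cluster that the test will create
      instance_type:
        type: string
        default: t3.medium
        description: EC2 instance type to use for the EKS cluster nodes

# Least-privilege token: `id-token: write` is what the OIDC role assumption
# in the credentials step needs; nothing here writes back to the repository.
permissions:
  id-token: write
  contents: read

# Abort prior jobs in the same workflow / PR
concurrency:
  group: init-aws-${{ github.ref }}
  cancel-in-progress: true

jobs:
  validate:
    runs-on: ubuntu-latest
    env:
      AWS_REGION: us-east-1
      # `inputs.*` is empty on push / pull_request, so the `||` fallbacks
      # mirror the defaults declared under workflow_dispatch. Resolving the
      # expressions once here and reading them as quoted shell variables in
      # the `run:` steps keeps expression output out of the shell text itself.
      EKS_CLUSTER_NAME: ${{ inputs.cluster_name || 'zarf-init-aws-test' }}
      EKS_INSTANCE_TYPE: ${{ inputs.instance_type || 't3.medium' }}
      # Built by `make eks-package`; deployed once to create and once to tear down.
      EKS_PACKAGE: build/zarf-package-distro-eks-multi-0.0.3.tar.zst
    steps:
      - name: Checkout
        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
      # - name: Install latest version of Zarf
      #   uses: defenseunicorns/setup-zarf@main
      - name: Setup Go
        # TODO(review): `@main` is a mutable ref; pin to a commit SHA like the
        # actions above so the toolchain setup cannot change underneath the test.
        uses: defenseunicorns/zarf/.github/actions/golang@main
      - name: Build Zarf binary from source
        # Builds whatever is on zarf's default branch at run time; check out a
        # tag or SHA here if a reproducible binary is wanted.
        run: |
          tmpdir="$(mktemp -d)"
          git clone --depth 1 https://github.com/defenseunicorns/zarf.git "$tmpdir"
          cd "$tmpdir"
          make build-cli-linux-amd
          chmod +x build/zarf
          sudo mv build/zarf /usr/local/bin
          zarf version
      # TODO:
      # - ensure IAM role has permissions for both public and private ECR
      # - create IAM roles for Pepr webhook and credential helper
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 # v4.0.0
        with:
          role-to-assume: ${{ secrets.AWS_NIGHTLY_ROLE }}
          aws-region: ${{ env.AWS_REGION }}
          role-duration-seconds: 14400
      - name: Build the AWS init package
        run: make aws-init-package
      - name: Build the eks package
        run: make eks-package
      - name: Deploy the eks package
        run: |
          zarf package deploy "${EKS_PACKAGE}" \
            --components=deploy-eks-cluster \
            --set=EKS_CLUSTER_NAME="${EKS_CLUSTER_NAME}" \
            --set=EKS_INSTANCE_TYPE="${EKS_INSTANCE_TYPE}" \
            --confirm
      - name: Create IAM roles for IRSA authentication
        working-directory: bootstrap/iam
        id: iam-create
        # iam.sh is expected to publish the two role ARNs consumed by the init
        # step below as step outputs (`ecr-webhook-role-arn`,
        # `ecr-credential-helper-role-arn`); the script itself is not in this file.
        run: ./iam.sh create "${EKS_CLUSTER_NAME}"
      - name: Zarf init with private ECR registry
        working-directory: ./build
        env:
          ECR_HOOK_ROLE_ARN: ${{ steps.iam-create.outputs.ecr-webhook-role-arn }}
          ECR_CREDENTIAL_HELPER_ROLE_ARN: ${{ steps.iam-create.outputs.ecr-credential-helper-role-arn }}
        run: |
          REGISTRY_TYPE="private"
          AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
          REGISTRY_URL="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
          ECR_AUTH_TOKEN=$(aws ecr get-login-password --region "${AWS_REGION}")
          # The ECR login token is short-lived but is not a registered secret,
          # so mask it before anything (including `-l debug`) could echo it.
          echo "::add-mask::${ECR_AUTH_TOKEN}"
          zarf init \
            --registry-url="${REGISTRY_URL}" \
            --registry-push-username="AWS" \
            --registry-push-password="${ECR_AUTH_TOKEN}" \
            --set=REGISTRY_TYPE="${REGISTRY_TYPE}" \
            --set=AWS_REGION="${AWS_REGION}" \
            --set=ECR_HOOK_ROLE_ARN="${ECR_HOOK_ROLE_ARN}" \
            --set=ECR_CREDENTIAL_HELPER_ROLE_ARN="${ECR_CREDENTIAL_HELPER_ROLE_ARN}" \
            --components="zarf-ecr-credential-helper" \
            -a amd64 \
            -l debug \
            --confirm
      - name: Teardown the cluster
        if: always()
        run: |
          zarf package deploy "${EKS_PACKAGE}" \
            --components=teardown-eks-cluster \
            --set=EKS_CLUSTER_NAME="${EKS_CLUSTER_NAME}" \
            --confirm
      - name: Delete ECR repositories
        if: always()
        # Repositories are created implicitly by the pushes during `zarf init`;
        # the list here must be kept in step with what that init pushes.
        run: |
          repos=("defenseunicorns/pepr/controller" "defenseunicorns/zarf/agent" "lucasrod96/zarf-ecr-credential-helper")
          for repo in "${repos[@]}"
          do
            aws ecr delete-repository --repository-name "${repo}" --force || true
          done
      - name: Delete IAM roles
        if: always()
        working-directory: bootstrap/iam
        run: ./iam.sh delete
      - name: Save logs
        if: always()
        # TODO(review): same mutable `@main` ref as the Setup Go step; pin to a SHA.
        uses: defenseunicorns/zarf/.github/actions/save-logs@main
      # TODO: add slack webhook URL secret
      # - name: Send trigger to Slack on workflow failure
      #   if: failure()
      #   uses: defenseunicorns/zarf/.github/actions/slack@main
      #   with:
      #     slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}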