This repository has been archived by the owner on Oct 3, 2024. It is now read-only.
Initial setup for repo #30
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Test AWS Init Package | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
branches: | |
- main | |
workflow_dispatch: | |
inputs: | |
cluster_name_private: | |
type: string | |
default: "zarf-init-aws-private-test" | |
description: Name of the eks cluster for private ECR test | |
cluster_name_public: | |
type: string | |
default: "zarf-init-aws-public-test" | |
description: Name of the eks cluster for public ECR test | |
instance_type: | |
type: string | |
default: t3.medium | |
description: EC2 instance type to use for the EKS cluster nodes | |
permissions: | |
id-token: write | |
contents: read | |
# Abort prior jobs in the same workflow / PR | |
concurrency: | |
group: init-aws-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
# Build AWS init package and EKS package | |
build: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 | |
- name: Install latest version of Zarf | |
uses: defenseunicorns/setup-zarf@main | |
- name: Build AWS init package | |
run: make aws-init-package | |
- name: Build EKS package | |
run: make eks-package | |
# Upload the contents of the build directory for later stages to use | |
- name: Upload build artifacts | |
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
with: | |
name: build-artifacts | |
path: build/ | |
retention-days: 1 | |
# Deploy and test AWS init package with private ECR registry | |
validate-private-ecr: | |
runs-on: ubuntu-latest | |
needs: build | |
env: | |
CLUSTER_NAME: ${{ inputs.cluster_name_private || 'zarf-init-aws-private-test' }} | |
PULUMI_CONFIG_PASSPHRASE: "" | |
steps: | |
- name: Checkout | |
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 | |
- name: Download build artifacts | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: build-artifacts | |
path: build/ | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 # v4.0.0 | |
with: | |
role-to-assume: ${{ secrets.AWS_NIGHTLY_ROLE }} | |
aws-region: us-east-1 | |
role-duration-seconds: 14400 | |
- name: Install latest version of Zarf | |
uses: defenseunicorns/setup-zarf@main | |
- name: Install Pulumi | |
run: curl -fsSL https://get.pulumi.com | sh | |
- name: Setup NodeJS | |
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 | |
with: | |
node-version: 18 | |
cache: "npm" | |
cache-dependency-path: "iam/package-lock.json" | |
- name: Install Node dependencies | |
working-directory: iam | |
run: npm ci | |
- name: Deploy EKS package | |
run: | | |
zarf package deploy build/zarf-package-distro-eks-multi-0.0.4.tar.zst \ | |
--components=deploy-eks-cluster \ | |
--set=EKS_CLUSTER_NAME="$CLUSTER_NAME" \ | |
--set=EKS_INSTANCE_TYPE=${{ inputs.instance_type }} \ | |
--confirm | |
- name: Create IAM roles for IRSA authentication | |
id: iam-create | |
run: | | |
make create-iam CLUSTER_NAME="$CLUSTER_NAME" | |
cd iam || exit | |
echo "ecr-webhook-role-arn=$(pulumi stack output webhookRoleArn)" >> "$GITHUB_OUTPUT" | |
echo "ecr-credential-helper-role-arn=$(pulumi stack output credentialHelperRoleArn)" >> "$GITHUB_OUTPUT" | |
- name: Zarf init with private ECR registry | |
working-directory: build | |
run: | | |
REGISTRY_TYPE="private" | |
AWS_REGION="us-east-1" | |
AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text) | |
REGISTRY_URL="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com" | |
ECR_AUTH_TOKEN=$(aws ecr get-login-password --region "${AWS_REGION}") | |
zarf init \ | |
--registry-url="${REGISTRY_URL}" \ | |
--registry-push-username="AWS" \ | |
--registry-push-password="${ECR_AUTH_TOKEN}" \ | |
--set=REGISTRY_TYPE="${REGISTRY_TYPE}" \ | |
--set=AWS_REGION="${AWS_REGION}" \ | |
--set=ECR_HOOK_ROLE_ARN=${{ steps.iam-create.outputs.ecr-webhook-role-arn }} \ | |
--set=ECR_CREDENTIAL_HELPER_ROLE_ARN=${{ steps.iam-create.outputs.ecr-credential-helper-role-arn }} \ | |
--components="zarf-ecr-credential-helper" \ | |
-a amd64 \ | |
-l debug \ | |
--confirm | |
- name: Teardown the cluster | |
if: always() | |
run: zarf package remove build/zarf-package-distro-eks-multi-0.0.4.tar.zst --confirm | |
- name: Delete private ECR repositories | |
if: always() | |
run: | | |
repos=("defenseunicorns/pepr/controller" "defenseunicorns/zarf/agent" "lucasrod96/zarf-ecr-credential-helper") | |
for repo in "${repos[@]}" | |
do | |
aws ecr delete-repository --repository-name "${repo}" --force || true | |
done | |
- name: Delete IAM roles | |
if: always() | |
run: make delete-iam | |
- name: Save logs | |
if: always() | |
uses: defenseunicorns/zarf/.github/actions/save-logs@main | |
# TODO: add slack webhook URL secret | |
# - name: Send trigger to Slack on workflow failure | |
# if: failure() | |
# uses: defenseunicorns/zarf/.github/actions/slack@main | |
# with: | |
# slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} | |
# Deploy and test AWS init package with public ECR registry | |
validate-public-ecr: | |
runs-on: ubuntu-latest | |
needs: build | |
env: | |
CLUSTER_NAME: ${{ inputs.cluster_name_public || 'zarf-init-aws-public-test' }} | |
PULUMI_CONFIG_PASSPHRASE: "" | |
steps: | |
- name: Checkout | |
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 | |
- name: Download build artifacts | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: build-artifacts | |
path: build/ | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 # v4.0.0 | |
with: | |
role-to-assume: ${{ secrets.AWS_NIGHTLY_ROLE }} | |
aws-region: us-east-1 | |
role-duration-seconds: 14400 | |
- name: Install latest version of Zarf | |
uses: defenseunicorns/setup-zarf@main | |
- name: Install Pulumi | |
run: curl -fsSL https://get.pulumi.com | sh | |
- name: Setup NodeJS | |
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 | |
with: | |
node-version: 18 | |
cache: "npm" | |
cache-dependency-path: "iam/package-lock.json" | |
- name: Install Node dependencies | |
working-directory: iam | |
run: npm ci | |
- name: Deploy EKS package | |
run: | | |
zarf package deploy build/zarf-package-distro-eks-multi-0.0.4.tar.zst \ | |
--components=deploy-eks-cluster \ | |
--set=EKS_CLUSTER_NAME="$CLUSTER_NAME" \ | |
--set=EKS_INSTANCE_TYPE=${{ inputs.instance_type }} \ | |
--confirm | |
- name: Create IAM roles for IRSA authentication | |
id: iam-create | |
run: | | |
make create-iam CLUSTER_NAME="$CLUSTER_NAME" | |
cd iam || exit | |
echo "ecr-webhook-role-arn=$(pulumi stack output webhookRoleArn)" >> "$GITHUB_OUTPUT" | |
echo "ecr-credential-helper-role-arn=$(pulumi stack output credentialHelperRoleArn)" >> "$GITHUB_OUTPUT" | |
- name: Zarf init with public ECR registry | |
working-directory: build | |
run: | | |
REGISTRY_TYPE="public" | |
AWS_REGION="us-east-1" | |
AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text) | |
REGISTRY_URL=$(aws ecr-public describe-registries --query 'registries[0].registryUri' --output text) | |
ECR_AUTH_TOKEN=$(aws ecr-public get-login-password --region "${AWS_REGION}") | |
zarf init \ | |
--registry-url="${REGISTRY_URL}" \ | |
--registry-push-username="AWS" \ | |
--registry-push-password="${ECR_AUTH_TOKEN}" \ | |
--set=REGISTRY_TYPE="${REGISTRY_TYPE}" \ | |
--set=AWS_REGION="${AWS_REGION}" \ | |
--set=ECR_HOOK_ROLE_ARN=${{ steps.iam-create.outputs.ecr-webhook-role-arn }} \ | |
--set=ECR_CREDENTIAL_HELPER_ROLE_ARN=${{ steps.iam-create.outputs.ecr-credential-helper-role-arn }} \ | |
--components="zarf-ecr-credential-helper" \ | |
-a amd64 \ | |
-l debug \ | |
--confirm | |
- name: Teardown the cluster | |
if: always() | |
run: zarf package remove build/zarf-package-distro-eks-multi-0.0.4.tar.zst --confirm | |
- name: Delete public ECR repositories | |
if: always() | |
run: | | |
repos=("defenseunicorns/pepr/controller" "defenseunicorns/zarf/agent" "lucasrod96/zarf-ecr-credential-helper") | |
for repo in "${repos[@]}" | |
do | |
aws ecr-public delete-repository --repository-name "${repo}" --force || true | |
done | |
- name: Delete IAM roles | |
if: always() | |
run: make delete-iam | |
- name: Save logs | |
if: always() | |
uses: defenseunicorns/zarf/.github/actions/save-logs@main | |
# TODO: add slack webhook URL secret | |
# - name: Send trigger to Slack on workflow failure | |
# if: failure() | |
# uses: defenseunicorns/zarf/.github/actions/slack@main | |
# with: | |
# slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} |