
Initial setup for repo #39

Initial setup for repo

Initial setup for repo #39

name: Test AWS Init Package
on:
pull_request:
paths-ignore:
- "**.md"
- "**.jpg"
- "**.png"
- "**.gif"
- "**.svg"
- "adr/**"
- "docs/**"
- "CODEOWNERS"
workflow_dispatch:
inputs:
cluster_name_private:
type: string
default: "zarf-init-aws-private-test"
description: Name of the eks cluster for private ECR test
cluster_name_public:
type: string
default: "zarf-init-aws-public-test"
description: Name of the eks cluster for public ECR test
instance_type:
type: string
default: t3.medium
description: EC2 instance type to use for the EKS cluster nodes
permissions:
id-token: write
contents: read
# Abort prior jobs in the same workflow / PR
concurrency:
group: init-aws-${{ github.ref }}
cancel-in-progress: true
jobs:
# Build AWS init package and EKS package
build:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Install latest version of Zarf
uses: defenseunicorns/setup-zarf@main
- name: Setup NodeJS
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: 18
cache: "npm"
cache-dependency-path: "package-lock.json"
- name: Install Node dependencies
run: npm ci
- name: Setup Go
uses: defenseunicorns/zarf/.github/actions/golang@main
- name: Build ECR Pepr module
run: make build-module
- name: Build AWS init package
run: make aws-init-package
- name: Build EKS package
run: make eks-package
# Upload the contents of the build directory for later stages to use
- name: Upload build artifacts
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: build-artifacts
path: build/
retention-days: 1
# Deploy and test AWS init package with private ECR registry
validate-private-ecr:
runs-on: ubuntu-latest
needs: build
env:
CLUSTER_NAME: ${{ inputs.cluster_name_private || 'zarf-init-aws-private-test' }}
PULUMI_CONFIG_PASSPHRASE: ""
steps:
- name: Checkout
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Download build artifacts
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: build-artifacts
path: build/
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 # v4.0.0
with:
role-to-assume: ${{ secrets.AWS_NIGHTLY_ROLE }}
aws-region: us-east-1
role-duration-seconds: 14400
- name: Install latest version of Zarf
uses: defenseunicorns/setup-zarf@main
- name: Install Pulumi
run: curl -fsSL https://get.pulumi.com | sh
- name: Setup NodeJS
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: 18
cache: "npm"
cache-dependency-path: "iam/package-lock.json"
- name: Install Node dependencies
working-directory: iam
run: npm ci
- name: Deploy EKS package
run: make deploy-eks-package CLUSTER_NAME="$CLUSTER_NAME" INSTANCE_TYPE=${{ inputs.instance_type }}
- name: Create IAM roles for IRSA authentication
id: iam-create
run: |
make create-iam CLUSTER_NAME="$CLUSTER_NAME"
cd iam || exit
echo "ecr-webhook-role-arn=$(pulumi stack output webhookRoleArn)" >> "$GITHUB_OUTPUT"
echo "ecr-credential-helper-role-arn=$(pulumi stack output credentialHelperRoleArn)" >> "$GITHUB_OUTPUT"
- name: Zarf init with private ECR registry
working-directory: build
run: |
REGISTRY_TYPE="private"
AWS_REGION="us-east-1"
AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
REGISTRY_URL="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
ECR_AUTH_TOKEN=$(aws ecr get-login-password --region "${AWS_REGION}")
zarf init \
--registry-url="${REGISTRY_URL}" \
--registry-push-username="AWS" \
--registry-push-password="${ECR_AUTH_TOKEN}" \
--set=REGISTRY_TYPE="${REGISTRY_TYPE}" \
--set=AWS_REGION="${AWS_REGION}" \
--set=ECR_HOOK_ROLE_ARN=${{ steps.iam-create.outputs.ecr-webhook-role-arn }} \
--set=ECR_CREDENTIAL_HELPER_ROLE_ARN=${{ steps.iam-create.outputs.ecr-credential-helper-role-arn }} \
--components="zarf-ecr-credential-helper" \
-a amd64 \
-l debug \
--confirm
- name: Teardown the cluster
if: always()
run: make remove-eks-package
- name: Delete private ECR repositories
if: always()
run: |
repos=("defenseunicorns/pepr/controller" "defenseunicorns/zarf/agent" "lucasrod96/zarf-ecr-credential-helper")
for repo in "${repos[@]}"
do
aws ecr delete-repository --repository-name "${repo}" --force || true
done
- name: Delete IAM roles
if: always()
run: make delete-iam
- name: Save logs
if: always()
uses: defenseunicorns/zarf/.github/actions/save-logs@main
# TODO: add slack webhook URL secret
# - name: Send trigger to Slack on workflow failure
# if: failure()
# uses: defenseunicorns/zarf/.github/actions/slack@main
# with:
# slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
# Deploy and test AWS init package with public ECR registry
validate-public-ecr:
runs-on: ubuntu-latest
needs: build
env:
CLUSTER_NAME: ${{ inputs.cluster_name_public || 'zarf-init-aws-public-test' }}
PULUMI_CONFIG_PASSPHRASE: ""
steps:
- name: Checkout
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Download build artifacts
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: build-artifacts
path: build/
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 # v4.0.0
with:
role-to-assume: ${{ secrets.AWS_NIGHTLY_ROLE }}
aws-region: us-east-1
role-duration-seconds: 14400
- name: Install latest version of Zarf
uses: defenseunicorns/setup-zarf@main
- name: Install Pulumi
run: curl -fsSL https://get.pulumi.com | sh
- name: Setup NodeJS
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: 18
cache: "npm"
cache-dependency-path: "iam/package-lock.json"
- name: Install Node dependencies
working-directory: iam
run: npm ci
- name: Deploy EKS package
run: make deploy-eks-package CLUSTER_NAME="$CLUSTER_NAME" INSTANCE_TYPE=${{ inputs.instance_type }}
- name: Create IAM roles for IRSA authentication
id: iam-create
run: |
make create-iam CLUSTER_NAME="$CLUSTER_NAME"
cd iam || exit
echo "ecr-webhook-role-arn=$(pulumi stack output webhookRoleArn)" >> "$GITHUB_OUTPUT"
echo "ecr-credential-helper-role-arn=$(pulumi stack output credentialHelperRoleArn)" >> "$GITHUB_OUTPUT"
- name: Zarf init with public ECR registry
working-directory: build
run: |
REGISTRY_TYPE="public"
AWS_REGION="us-east-1"
AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
REGISTRY_URL=$(aws ecr-public describe-registries --query 'registries[0].registryUri' --output text)
ECR_AUTH_TOKEN=$(aws ecr-public get-login-password --region "${AWS_REGION}")
zarf init \
--registry-url="${REGISTRY_URL}" \
--registry-push-username="AWS" \
--registry-push-password="${ECR_AUTH_TOKEN}" \
--set=REGISTRY_TYPE="${REGISTRY_TYPE}" \
--set=AWS_REGION="${AWS_REGION}" \
--set=ECR_HOOK_ROLE_ARN=${{ steps.iam-create.outputs.ecr-webhook-role-arn }} \
--set=ECR_CREDENTIAL_HELPER_ROLE_ARN=${{ steps.iam-create.outputs.ecr-credential-helper-role-arn }} \
--components="zarf-ecr-credential-helper" \
-a amd64 \
-l debug \
--confirm
- name: Teardown the cluster
if: always()
run: make remove-eks-package
- name: Delete public ECR repositories
if: always()
run: |
repos=("defenseunicorns/pepr/controller" "defenseunicorns/zarf/agent" "lucasrod96/zarf-ecr-credential-helper")
for repo in "${repos[@]}"
do
aws ecr-public delete-repository --repository-name "${repo}" --force || true
done
- name: Delete IAM roles
if: always()
run: make delete-iam
- name: Save logs
if: always()
uses: defenseunicorns/zarf/.github/actions/save-logs@main
# TODO: add slack webhook URL secret
# - name: Send trigger to Slack on workflow failure
# if: failure()
# uses: defenseunicorns/zarf/.github/actions/slack@main
# with:
# slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
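Review bot: The `Deploy EKS package` step in both validate jobs interpolates `inputs.instance_type` straight into the make command line, so on a `pull_request` run (where `workflow_dispatch` inputs are unset) the step passes `INSTANCE_TYPE=` with an empty value, and a make command-line variable overrides whatever default the Makefile sets; `CLUSTER_NAME` already guards against this with `|| 'zarf-init-aws-private-test'` but `INSTANCE_TYPE` does not. The same fallback as the cluster-name env var fixes it, e.g. `run: make deploy-eks-package CLUSTER_NAME="$CLUSTER_NAME" INSTANCE_TYPE="${{ inputs.instance_type || 't3.medium' }}"` in each job, or better, define `INSTANCE_TYPE` under the job `env:` the way `CLUSTER_NAME` is and reference `"$INSTANCE_TYPE"` in the shell so the `${{ }}` expression is not expanded inside script text (the `--set=ECR_HOOK_ROLE_ARN=${{ steps.iam-create.outputs... }}` lines in the `Zarf init` steps would benefit from the same env-var indirection and shell quoting). On the supply-chain side, `actions/checkout`, `setup-node`, `upload-artifact` and `configure-aws-credentials` are pinned to commit SHAs, but `Install Pulumi` runs `curl -fsSL https://get.pulumi.com | sh` with no version or checksum and `setup-zarf`, the `golang` and `save-logs` composite actions float on `@main`; since this job holds a 4-hour AWS role session, pinning those to a tag or SHA (or installing a specific Pulumi release and verifying it) would close the gap the other pins already address. The two validate jobs are otherwise line-for-line duplicates apart from `private`/`public` and the `ecr` vs `ecr-public` CLI; a `strategy.matrix` over registry type would keep the two copies from drifting.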