-
Notifications
You must be signed in to change notification settings - Fork 17
198 lines (171 loc) · 7.21 KB
/
re-test-e2e.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
# Reusable workflow for running end-to-end tests
name: End-to-End Test
on:
workflow_call:
inputs:
environment:
required: true
type: string
secrets:
AWS_ACCESS_KEY_ID:
required: true
AWS_SECRET_ACCESS_KEY:
required: true
URS_USERNAME:
required: true
URS_PASSWORD:
required: true
# Optional
AWS_ROLE_ARN:
required: false
URS_CLIENT_ID:
required: false
EDL_APP_UID:
required: false
EDL_APP_PASSWORD:
required: false
jobs:
# Deploy to the test environment and run end to end tests
test-end-to-end:
# Version of gdal installed depends on ubuntu version
runs-on: ubuntu-22.04
environment: ${{ inputs.environment }}
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
AWS_DEFAULT_REGION: ${{ vars.AWS_REGION }}
DEPENDENCY_NAME: tea-dependencylayer-run.${{ github.run_id }}.zip
CODE_NAME: tea-code-run.${{ github.run_id }}.zip
YAML_NAME: tea-cloudformation-run.${{ github.run_id }}.yaml
steps:
- uses: actions/checkout@v4
- name: Load environment defaults
run: cat .github/workflows/config-public/${{ inputs.environment }}.env >> $GITHUB_ENV
- uses: actions/download-artifact@v4
- name: Upload to AWS
env:
S3_PATH_PREFIX: s3://${{ env.CODE_BUCKET }}/${{ env.CODE_PREFIX }}
run: |
aws s3 cp ./dependency-layer/thin-egress-app-dependencies.zip ${S3_PATH_PREFIX}${DEPENDENCY_NAME}
aws s3 cp ./code/thin-egress-app-code.zip ${S3_PATH_PREFIX}${CODE_NAME}
aws s3 cp ./cloudformation/thin-egress-app.yaml ${S3_PATH_PREFIX}${YAML_NAME}
- name: Update JWT secret
if: env.JWT_KEY_SECRET_NAME == ''
run: |
JWT_KEY_SECRET_NAME="$STACK_NAME-jwt-key"
echo "JWT_KEY_SECRET_NAME=$JWT_KEY_SECRET_NAME" >> $GITHUB_ENV
# Check if the secret exists
secret_arn=$(aws secretsmanager describe-secret \
--secret-id "$JWT_KEY_SECRET_NAME" \
--query "ARN" --output=text 2>&1 \
| grep -v ResourceNotFoundException)
if [ -z "$secret_arn" ]; then
echo "Creating JWT secret '$JWT_KEY_SECRET_NAME'"
ssh-keygen -t rsa -b 4096 -m PEM -N '' -f "$JWT_KEY_SECRET_NAME"
rsa_priv_key=$(openssl base64 -in "$JWT_KEY_SECRET_NAME" -A)
rsa_pub_key=$(openssl base64 -in "$JWT_KEY_SECRET_NAME.pub" -A)
cat << EOF > keys.txt
{
"rsa_priv_key": "$rsa_priv_key",
"rsa_pub_key": "$rsa_pub_key"
}
EOF
aws secretsmanager create-secret \
--name "$JWT_KEY_SECRET_NAME" \
--description "JWT keys for TEA $STACK_NAME created by GitHub Actions" \
--secret-string file://keys.txt
shred keys.txt
else
echo "JWT secret '$JWT_KEY_SECRET_NAME' already exists"
fi
- name: Update URS secret
if: env.URS_AUTH_CREDS_SECRET_NAME == ''
run: |
URS_AUTH_CREDS_SECRET_NAME="$STACK_NAME-jwt-key"
echo "URS_AUTH_CREDS_SECRET_NAME=$URS_AUTH_CREDS_SECRET_NAME" >> $GITHUB_ENV
# Check if the secret exists
secret_arn=$(aws secretsmanager describe-secret \
--secret-id "$URS_AUTH_CREDS_SECRET_NAME" \
--query "ARN" --output=text 2>&1 \
| grep -v ResourceNotFoundException)
urs_auth=$(echo -n "${{ secrets.EDL_APP_UID }}:${{ secrets.EDL_APP_PASSWORD }}" | base64)
cat << EOF > secret.txt
{
"UrsAuth": "$urs_auth",
"UrsId": "${{ secrets.URS_CLIENT_ID }}"
}
EOF
if [ -z "$secret_arn" ]; then
echo ">> Creating URS secret '$URS_AUTH_CREDS_SECRET_NAME'"
aws secretsmanager create-secret \
--name "$URS_AUTH_CREDS_SECRET_NAME" \
--description "URS creds for TEA $STACK_NAME created by GitHub Actions" \
--secret-string file://secret.txt
else
echo ">> Updating URS secret '$URS_AUTH_CREDS_SECRET_NAME'"
aws secretsmanager put-secret-value \
--secret-id "$URS_AUTH_CREDS_SECRET_NAME" \
--secret-string file://secret.txt
fi
shred secret.txt
- name: Update CloudFormation stack description
run: |
cp ./cloudformation/thin-egress-app.yaml ./cloudformation/thin-egress-app-deployed.yaml
sed -i -E "s;^(Description:.*)\";\1 Job: $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\";" ./cloudformation/thin-egress-app-deployed.yaml
- name: Deploy CloudFormation stack
run: |
aws cloudformation deploy \
--stack-name "$STACK_NAME" \
--template-file "./cloudformation/thin-egress-app-deployed.yaml" \
--capabilities "CAPABILITY_NAMED_IAM" \
--parameter-overrides \
AuthBaseUrl="$URS_URL" \
BucketMapFile="$BUCKET_MAP_FILE" \
BucketnamePrefix="$BUCKETNAME_PREFIX" \
ConfigBucket="$CONFIG_BUCKET" \
CookieDomain="$COOKIE_DOMAIN" \
DomainCertArn="$DOMAIN_CERT_ARN" \
DomainName="$DOMAIN_NAME" \
EnableApiGatewayLogToCloudWatch="False" \
EnableS3CredentialsEndpoint="True" \
JwtAlgo="RS256" \
JwtKeySecretName="$JWT_KEY_SECRET_NAME" \
LambdaCodeDependencyArchive="${CODE_PREFIX}${DEPENDENCY_NAME}" \
LambdaCodeS3Bucket="$CODE_BUCKET" \
LambdaCodeS3Key="${CODE_PREFIX}${CODE_NAME}" \
LambdaMemory="128" \
LambdaTimeout="20" \
Loglevel="DEBUG" \
Logtype="json" \
Maturity="TEST"\
StageName="API" \
URSAuthCredsSecretName="$URS_AUTH_CREDS_SECRET_NAME" \
UseCorsCookieDomain="True" \
UseReverseBucketMap="False" \
DownloadRoleArn= \
DownloadRoleInRegionArn= \
HtmlTemplateDir= \
PermissionsBoundaryName= \
PrivateBucketsFile= \
PrivateVPC= \
PublicBucketsFile= \
VPCSecurityGroupIDs= \
VPCSubnetIDs=
- uses: actions/setup-python@v5
with:
python-version: "3.10"
- name: Install GDAL library
run: |
sudo apt-get update
sudo apt-get install -y libgdal-dev
- name: Run end to end tests
env:
URS_USERNAME: ${{ secrets.URS_USERNAME }}
URS_PASSWORD: ${{ secrets.URS_PASSWORD }}
run: |
pip install -r requirements/requirements-test.txt GDAL==3.4.1
pytest tests_e2e \
--stack-name=$STACK_NAME \
--test-results=asf.public.code/thin-egress-app/testresults.json \
--log-cli-level=DEBUG