
Initial setup for repo #3

Initial setup for repo

Initial setup for repo #3

name: Test AWS Init Package

on:
  push:
    branches:
      - main
  # NOTE(review): pull_request runs opened from forks do not receive repository
  # secrets, so the AWS credential step in this workflow would fail for them —
  # confirm whether fork PRs are meant to trigger this workflow at all.
  pull_request:
    branches:
      - main
  # Give us the ability to run this manually; the two inputs below parameterize
  # the EKS cluster that the job creates and tears down.
  workflow_dispatch:
    inputs:
      cluster_name:
        type: string
        default: zarf-init-aws-test
        description: Name of the eks cluster that the test will create
      instance_type:
        type: string
        default: t3.medium
        description: EC2 instance type to use for the EKS cluster nodes
# Token scope for the whole workflow. `id-token: write` is what lets the
# configure-aws-credentials step mint an OIDC token for `role-to-assume`;
# `contents: read` is the minimum needed for checkout. Nothing else is granted.
permissions:
  id-token: write
  contents: read
# Abort prior jobs in the same workflow / PR: the group key is per-ref, so a new
# push to the same branch cancels the in-flight cluster test instead of letting
# two runs fight over the same EKS cluster name.
concurrency:
  group: init-aws-${{ github.ref }}
  cancel-in-progress: true
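jobs:
  validate:
    runs-on: ubuntu-latest
    env:
      # Workflow inputs are exposed to shell steps through the environment
      # instead of being interpolated with ${{ }} inside `run:` text. An
      # interpolated value becomes part of the shell command itself, so a value
      # containing quotes or `;` could alter the command (expression injection);
      # an env var is only ever data. The `|| default` keeps the previous
      # behaviour for push / pull_request runs where `inputs` is empty.
      EKS_CLUSTER_NAME: ${{ inputs.cluster_name || 'zarf-init-aws-test' }}
      EKS_INSTANCE_TYPE: ${{ inputs.instance_type || 't3.medium' }}
      # Single source of truth for the EKS package used by both deploy and teardown
      EKS_PACKAGE: build/zarf-package-distro-eks-multi-0.0.3.tar.zst
    steps:
      - name: Checkout
        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
      # - name: Install latest version of Zarf
      #   uses: defenseunicorns/setup-zarf@main
      - name: Setup Go
        # NOTE(review): referenced by mutable branch (`@main`) rather than a
        # commit SHA like the actions above — whoever can push to that branch
        # controls what runs here. Pin once a known-good SHA is chosen.
        uses: defenseunicorns/zarf/.github/actions/golang@main
      - name: Build Zarf binary from source
        run: |
          tmpdir="$(mktemp -d)"
          git clone --depth 1 https://github.com/defenseunicorns/zarf.git "$tmpdir"
          cd "$tmpdir"
          make build-cli-linux-amd
          chmod +x build/zarf
          sudo mv build/zarf /usr/local/bin
          zarf version
      # TODO:
      #   - ensure IAM role has permissions for both public and private ECR
      #   - create IAM roles for Pepr webhook and credential helper
      - name: Configure AWS Credentials
        # OIDC role assumption; no long-lived keys are stored in the repo.
        uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 # v4.0.0
        with:
          role-to-assume: ${{ secrets.AWS_NIGHTLY_ROLE }}
          aws-region: us-east-1
          role-duration-seconds: 14400
      - name: Build the AWS init package
        run: make aws-init-package
      - name: Build the eks package
        run: make eks-package
      - name: Deploy the eks package
        run: |
          zarf package deploy "${EKS_PACKAGE}" \
            --components=deploy-eks-cluster \
            --set=EKS_CLUSTER_NAME="${EKS_CLUSTER_NAME}" \
            --set=EKS_INSTANCE_TYPE="${EKS_INSTANCE_TYPE}" \
            --confirm
      - name: Create IAM roles for IRSA authentication
        working-directory: bootstrap/iam
        id: iam-create
        # The script is expected to publish the two role ARNs as step outputs
        # that the `zarf init` step below reads.
        run: ./iam.sh create "${EKS_CLUSTER_NAME}"
      - name: Zarf init with private ECR registry
        working-directory: ./build
        env:
          # Step outputs are passed the same way as workflow inputs (see job env)
          ECR_HOOK_ROLE_ARN: ${{ steps.iam-create.outputs.ecr-webhook-role-arn }}
          ECR_CREDENTIAL_HELPER_ROLE_ARN: ${{ steps.iam-create.outputs.ecr-credential-helper-role-arn }}
        run: |
          REGISTRY_TYPE="private"
          AWS_REGION="us-east-1"
          AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
          REGISTRY_URL="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
          ECR_AUTH_TOKEN=$(aws ecr get-login-password --region "${AWS_REGION}")
          # The token is obtained by a CLI call, not from `secrets`, so the
          # runner does not mask it automatically. Register it so it is
          # redacted from the job log, which matters because the command below
          # runs with `-l debug` and receives the token on its command line.
          echo "::add-mask::${ECR_AUTH_TOKEN}"
          zarf init \
            --registry-url="${REGISTRY_URL}" \
            --registry-push-username="AWS" \
            --registry-push-password="${ECR_AUTH_TOKEN}" \
            --set=REGISTRY_TYPE="${REGISTRY_TYPE}" \
            --set=AWS_REGION="${AWS_REGION}" \
            --set=ECR_HOOK_ROLE_ARN="${ECR_HOOK_ROLE_ARN}" \
            --set=ECR_CREDENTIAL_HELPER_ROLE_ARN="${ECR_CREDENTIAL_HELPER_ROLE_ARN}" \
            --components="zarf-ecr-credential-helper" \
            -a amd64 \
            -l debug \
            --confirm
      # Everything below is cleanup and runs with `if: always()` so a failed or
      # cancelled test still releases the cluster, repositories and IAM roles.
      - name: Teardown the cluster
        if: always()
        run: |
          zarf package deploy "${EKS_PACKAGE}" \
            --components=teardown-eks-cluster \
            --set=EKS_CLUSTER_NAME="${EKS_CLUSTER_NAME}" \
            --confirm
      - name: Delete ECR repositories
        if: always()
        run: |
          repos=("defenseunicorns/pepr/controller" "defenseunicorns/zarf/agent" "lucasrod96/zarf-ecr-credential-helper")
          # `|| true`: a repository that was never created (earlier failure)
          # must not abort the remaining cleanup.
          for repo in "${repos[@]}"
          do
            aws ecr delete-repository --repository-name "${repo}" --force || true
          done
      - name: Delete IAM roles
        if: always()
        working-directory: bootstrap/iam
        run: ./iam.sh delete
      - name: Save logs
        if: always()
        uses: defenseunicorns/zarf/.github/actions/save-logs@main
      # TODO: add slack webhook URL secret
      # - name: Send trigger to Slack on workflow failure
      #   if: failure()
      #   uses: defenseunicorns/zarf/.github/actions/slack@main
      #   with:
      #     slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}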