
Replace IAM role shell script with pulumi typescript program
Lucas Rodriguez committed Oct 12, 2023
1 parent fe59a0f commit 10c9973
Showing 14 changed files with 2,393 additions and 106 deletions.
38 changes: 28 additions & 10 deletions .github/workflows/test-aws-init-package.yml
Expand Up @@ -60,6 +60,9 @@ jobs:
validate-private-ecr:
runs-on: ubuntu-latest
needs: build
env:
CLUSTER_NAME: ${{ inputs.cluster_name_private || 'zarf-init-aws-private-test' }}
PULUMI_CONFIG_PASSPHRASE: ""
steps:
- name: Checkout
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
Expand All @@ -80,18 +83,25 @@ jobs:
- name: Install latest version of Zarf
uses: defenseunicorns/setup-zarf@main

- name: Install Pulumi
run: curl -fsSL https://get.pulumi.com | sh

- name: Deploy EKS package
run: |
zarf package deploy build/zarf-package-distro-eks-multi-0.0.3.tar.zst \
--components=deploy-eks-cluster \
--set=EKS_CLUSTER_NAME=${{ inputs.cluster_name_private || 'zarf-init-aws-private-test' }} \
--set=EKS_CLUSTER_NAME="$CLUSTER_NAME" \
--set=EKS_INSTANCE_TYPE=${{ inputs.instance_type }} \
--confirm
- name: Create IAM roles for IRSA authentication
working-directory: hack/iam
id: iam-create
run: ./iam.sh create ${{ inputs.cluster_name_private || 'zarf-init-aws-private-test' }}
run: |
make create-iam CLUSTER_NAME="$CLUSTER_NAME"
cd infra/iam || exit
echo "ecr-webhook-role-arn=$(pulumi stack output webhookRoleArn)" >> "$GITHUB_OUTPUT"
echo "ecr-credential-helper-role-arn=$(pulumi stack output credentialHelperRoleArn)" >> "$GITHUB_OUTPUT"
- name: Zarf init with private ECR registry
working-directory: build
Expand Down Expand Up @@ -136,8 +146,7 @@ jobs:
- name: Delete IAM roles
if: always()
working-directory: hack/iam
run: ./iam.sh delete
run: make delete-iam

- name: Save logs
if: always()
Expand All @@ -154,6 +163,9 @@ jobs:
validate-public-ecr:
runs-on: ubuntu-latest
needs: build
env:
CLUSTER_NAME: ${{ inputs.cluster_name_public || 'zarf-init-aws-public-test' }}
PULUMI_CONFIG_PASSPHRASE: ""
steps:
- name: Checkout
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
Expand All @@ -174,18 +186,25 @@ jobs:
- name: Install latest version of Zarf
uses: defenseunicorns/setup-zarf@main

- name: Install Pulumi
run: curl -fsSL https://get.pulumi.com | sh

- name: Deploy EKS package
run: |
zarf package deploy build/zarf-package-distro-eks-multi-0.0.3.tar.zst \
--components=deploy-eks-cluster \
--set=EKS_CLUSTER_NAME=${{ inputs.cluster_name_public || 'zarf-init-aws-public-test' }} \
--set=EKS_CLUSTER_NAME="$CLUSTER_NAME" \
--set=EKS_INSTANCE_TYPE=${{ inputs.instance_type }} \
--confirm
- name: Create IAM roles for IRSA authentication
working-directory: hack/iam
id: iam-create
run: ./iam.sh create ${{ inputs.cluster_name_public || 'zarf-init-aws-public-test' }}
run: |
make create-iam CLUSTER_NAME="$CLUSTER_NAME"
cd infra/iam || exit
echo "ecr-webhook-role-arn=$(pulumi stack output webhookRoleArn)" >> "$GITHUB_OUTPUT"
echo "ecr-credential-helper-role-arn=$(pulumi stack output credentialHelperRoleArn)" >> "$GITHUB_OUTPUT"
- name: Zarf init with public ECR registry
working-directory: build
Expand Down Expand Up @@ -230,8 +249,7 @@ jobs:
- name: Delete IAM roles
if: always()
working-directory: hack/iam
run: ./iam.sh delete
run: make delete-iam

- name: Save logs
if: always()
Expand Down
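Review bot: The new `Install Pulumi` step runs `curl -fsSL https://get.pulumi.com | sh` with no version, in both the private-ECR job and again in the public-ECR job, while the checkout step a few lines above is pinned to a commit SHA with a version comment; whatever that URL serves at run time is executed on the runner, so the toolchain changes silently between runs and the job is not reproducible. Passing a version to the installer restores that, e.g. `run: curl -fsSL https://get.pulumi.com | sh -s -- --version <PULUMI_VERSION>` (placeholder), or use Pulumi's setup action pinned by SHA like the other actions in this workflow. The same fix applies to the second job's step; the `Create IAM roles` step that follows reads the role ARNs from `pulumi stack output` and so depends on which CLI version ran `pulumi up`.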
4 changes: 1 addition & 3 deletions .gitignore
@@ -1,8 +1,6 @@
# Ignore node_modules and Pepr build artifacts
node_modules
dist
insecure*
coverage

# Ignore build/ directory
build
Pulumi.**.yaml
18 changes: 13 additions & 5 deletions Makefile
Expand Up @@ -3,13 +3,9 @@

# Provide a default value for the operating system architecture used in tests, e.g. " APPLIANCE_MODE=true|false make test-e2e ARCH=arm64"
ARCH ?= amd64
KEY ?= ""
CLUSTER_NAME ?= ""
######################################################################################

CLI_VERSION ?= $(if $(shell git describe --tags),$(shell git describe --tags),"UnknownVersion")
GIT_SHA := $(if $(shell git rev-parse HEAD),$(shell git rev-parse HEAD),"")
BUILD_DATE := $(shell date -u +'%Y-%m-%dT%H:%M:%SZ')
BUILD_ARGS := -s -w -X 'github.com/defenseunicorns/zarf/src/config.CLIVersion=$(CLI_VERSION)' -X 'k8s.io/component-base/version.gitVersion=v0.0.0+zarf$(CLI_VERSION)' -X 'k8s.io/component-base/version.gitCommit=$(GIT_SHA)' -X 'k8s.io/component-base/version.buildDate=$(BUILD_DATE)'
.DEFAULT_GOAL := help

.PHONY: help
Expand Down Expand Up @@ -47,3 +43,15 @@ aws-init-package: ## Build the AWS Zarf init package

eks-package: ## Build the EKS package
zarf package create packages/eks -o build --confirm

create-iam: ## Create AWS IAM policies and roles used in CI
cd infra/iam || exit \
&& pulumi logout \
&& pulumi login --local \
&& PULUMI_CONFIG_PASSPHRASE="" pulumi stack init ci \
&& PULUMI_CONFIG_PASSPHRASE="" CLUSTER_NAME="$(CLUSTER_NAME)" pulumi up --yes

delete-iam: ## Delete AWS IAM policies and roles used in CI
cd infra/iam || exit \
&& PULUMI_CONFIG_PASSPHRASE="" pulumi down --yes \
&& PULUMI_CONFIG_PASSPHRASE="" pulumi stack rm ci --yes
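Review bot: `pulumi stack init ci` in `create-iam` is not re-runnable: when the `ci` stack already exists in the local backend (a retried job on a reused runner, or a developer invoking the target twice), the recipe fails before `pulumi up` ever runs. A select-or-init form covers both cases, `&& (PULUMI_CONFIG_PASSPHRASE="" pulumi stack select ci || PULUMI_CONFIG_PASSPHRASE="" pulumi stack init ci) \`. The `pulumi logout && pulumi login --local` prefix also moves whoever runs this locally off their current Pulumi backend, which the help text should state, e.g. `create-iam: ## Create AWS IAM policies and roles used in CI (switches the Pulumi CLI to the local backend)`. Repeating `PULUMI_CONFIG_PASSPHRASE=""` on every command could be replaced by one `export PULUMI_CONFIG_PASSPHRASE ?=` next to the other variables at the top of the file, which still lets the workflow supply it through the job env.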
88 changes: 0 additions & 88 deletions hack/iam/iam.sh

This file was deleted.

3 changes: 3 additions & 0 deletions infra/iam/Pulumi.yaml
@@ -0,0 +1,3 @@
name: iam
runtime: nodejs
description: IaC to provision IAM resources for IRSA authentication in CI
File renamed without changes.
File renamed without changes.
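--- a/infra/iam/index.ts
+++ b/infra/iam/index.ts
@@ -0,0 +1,78 @@
+import { Output } from "@pulumi/pulumi";
+import {
+createPolicy,
+createRole,
+attachPolicyToRole,
+getAccountId,
+getClusterId,
+} from "./utils";
+
+// Resource names
+const webhookRoleName = "ecr-webhook-role";
+const webhookPolicyName = "ecr-webhook-policy";
+const credentialHelperRoleName = "ecr-credential-helper-role";
+const credentialHelperPolicyName = "ecr-credential-helper-policy";
+
+// File names for IAM resources
+const webhookPolicyPath = "ecr-webhook-policy.json";
+const webhookRolePath = "ecr-webhook-role.json";
+const credentialHelperPolicyPath = "ecr-credential-helper-policy.json";
+const credentialHelperRolePath = "ecr-credential-helper-role.json";
+
+const main = async () => {
+const clusterId = await getClusterId();
+const accountId = await getAccountId();
+
+// Create webhook IAM policy
+const webhookPolicy = createPolicy(webhookPolicyPath, webhookPolicyName);
+
+// Create webhook IAM role
+const webhookRole = createRole(
+webhookRolePath,
+webhookRoleName,
+accountId,
+clusterId as string,
+);
+
+// Create credential helper IAM policy
+const credentialHelperPolicy = createPolicy(
+credentialHelperPolicyPath,
+credentialHelperPolicyName,
+);
+
+// Create credential helper IAM role
+const credentialHelperRole = createRole(
+credentialHelperRolePath,
+credentialHelperRoleName,
+accountId,
+clusterId as string,
+);
+
+// Attach webhook policy to role
+attachPolicyToRole(
+"ecr-webhook-policy-attachment",
+webhookRole.name as unknown as string,
+webhookPolicy.arn as unknown as string,
+);
+
+// Attach credential helper policy to role
+attachPolicyToRole(
+"ecr-credential-helper-policy-attachment",
+credentialHelperRole.name as unknown as string,
+credentialHelperPolicy.arn as unknown as string,
+);
+
+const webhookRoleArn = webhookRole.arn;
+const credentialHelperRoleArn = credentialHelperRole.arn;
+
+return [webhookRoleArn, credentialHelperRoleArn];
+};
+
+const outputs = main();
+
+export const webhookRoleArn: Promise<Output<string>> = outputs.then(
+result => result[0],
+);
+export const credentialHelperRoleArn: Promise<Output<string>> = outputs.then(
+result => result[1],
+);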
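Review bot: The `as unknown as string` casts in both `attachPolicyToRole` calls (`webhookRole.name as unknown as string`, `webhookPolicy.arn as unknown as string`, and the credential-helper pair) coerce Pulumi `Output<string>` values — the exports at the bottom show `.arn` is an `Output<string>` — into plain strings, which compiles only because the double assertion switches type checking off; at runtime they are still Output objects, so the helper works only if it happens to forward them unchanged into a resource input. The fix belongs in `attachPolicyToRole` in `./utils` (not on this page): type those parameters as `pulumi.Input<string>` and pass `webhookRole.name` and `webhookPolicy.arn` directly, which also keeps the role → policy → attachment dependency visible to Pulumi instead of hidden behind a cast. Similarly `clusterId as string` papers over `getClusterId()` apparently returning something wider than `string`; since that value is handed to `createRole` for both roles, a guard such as `if (typeof clusterId !== "string") throw new Error("cluster id could not be resolved");` fails the update early instead of building IAM roles from an undefined identifier. A short header comment stating that this program provisions the two IRSA roles for CI and that the exported ARNs are consumed by the workflow via `pulumi stack output` would help the next reader.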