-
Notifications
You must be signed in to change notification settings - Fork 15
162 lines (147 loc) · 6.4 KB
/
aws_integration_test.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
name: AWS Conformance Test
on:
# TODO(phboneff): change this to main when I submit, leave like this for
# now to allow testing with the PR
pull_request:
branches:
- main
types:
- converted_to_draft
#push:
# branches:
# - main
# This prevents two workflows to run at the same time.
# This workflows calls terragrunt, which does not allow concurent runs.
# concurrency test!
concurrency:
group: aws-integration
cancel-in-progress: false
permissions:
contents: read
env:
TF_VERSION: "1.10.0"
TG_VERSION: "0.67.0"
TG_DIR: "deployment/live/aws/conformance/ci/"
TESSERA_PREFIX_NAME: trillian-tessera
ECR_REGISTRY: 864981736166.dkr.ecr.us-east-1.amazonaws.com
ECR_REPOSITORY_CONFORMANCE: trillian-tessera/conformance:latest
ECR_REPOSITORY_HAMMER: trillian-tessera/hammer:latest
AWS_REGION: us-east-1
jobs:
aws-integration:
runs-on: ubuntu-latest
steps:
## Authenticate to AWS with the credentials stored in Github Secrets.
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
# TODO(phboneff): use a better form of authentication
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
## Authenticate with ECR to push the conformance and hammer images.
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2
## Build the conformance image and push it to ECR. This will be used
## later on by Terragrunt.
- name: Build, tag, and push Conformance image to Amazon ECR
id: build-publish-conformance
shell: bash
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
ECR_REPOSITORY: ${{ env.ECR_REPOSITORY_CONFORMANCE }}
run: |
docker build -f ./cmd/conformance/aws/Dockerfile . -t "$ECR_REGISTRY/$ECR_REPOSITORY"
docker push "$ECR_REGISTRY/$ECR_REPOSITORY"
echo "Pushed image to $ECR_REGISTRY/$ECR_REPOSITORY"
## Build the hammer image and push it to ECR. This will be used
## later on by Terragrunt.
- name: Build, tag, and push Hammer image to Amazon ECR
id: build-publish-hammer
shell: bash
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
ECR_REPOSITORY: ${{ env.ECR_REPOSITORY_HAMMER }}
run: |
docker build -f ./internal/hammer/Dockerfile . -t "$ECR_REGISTRY/$ECR_REPOSITORY"
docker push "$ECR_REGISTRY/$ECR_REPOSITORY"
echo "Pushed image to $ECR_REGISTRY/$ECR_REPOSITORY"
## Destroy any pre-existing deployment/live/aws/conformance/ci env.
## This might happen if a previous integration test workflow has failed.
- name: Terragrunt destroy pre conformance test
id: terragrunt-destroy-pre
uses: gruntwork-io/terragrunt-action@v2
with:
tf_version: ${{ env.TF_VERSION }}
tg_version: ${{ env.TG_VERSION }}
tg_dir: ${{ env.TG_DIR }}
tg_command: "destroy"
env:
TESSERA_SIGNER: unused
TESSERA_VERIFIER: unused
## Generate a new keys for the log to use, and export them to environment
## variables for Terragrunt to use.
- name: Generate Tessera keys
id: generate-keys
shell: bash
run: |
go run github.com/transparency-dev/serverless-log/cmd/generate_keys@80334bc9dc573e8f6c5b3694efad6358da50abd4 \
--key_name=tessera/test/conformance \
--out_priv=${{ runner.temp }}/key.sec \
--out_pub=${{ runner.temp }}/key.pub
cat ${{ runner.temp }}/key.pub
echo "TESSERA_SIGNER=$(cat ${{ runner.temp }}/key.sec)" >> "$GITHUB_ENV"
echo "TESSERA_VERIFIER=$(cat ${{ runner.temp }}/key.pub)" >> "$GITHUB_ENV"
## Apply the deployment/live/aws/conformance/ci terragrunt config.
## This will bring up the conformance infrastructure whitch consists of:
## - the storage module
## - a private S3 <--> ECS network link for the hammer to read the log
## - an ECS cluster to run Fargate tasks
## - a conformance service, with multiple conformance binary instances
## - a hammer task definition (but no execution)
# TODO(phboneff): AuroraDB take a long time to be brouht up and down
# consider keeping it around between tests / using Aurora Serveless
- name: Terragrunt apply
id: terragrunt-apply
uses: gruntwork-io/terragrunt-action@v2
with:
tf_version: ${{ env.TF_VERSION }}
tg_version: ${{ env.TG_VERSION }}
tg_dir: ${{ env.TG_DIR }}
tg_command: "apply"
env:
INPUT_POST_EXEC_1: |
echo "ECS_CLUSTER=$(terragrunt output -raw ecs_cluster)" >> "$GITHUB_ENV"
INPUT_POST_EXEC_2: |
echo "VPC_SUBNETS=$(terragrunt output -json vpc_subnets)" >> "$GITHUB_ENV"
## How we can run the hammer using the task definition, against the
## conformance service. This step returns the hammer task's exit code.
- name: Run Hammer
id: hammer
shell: bash
run: |
cat ${{ runner.temp }}/key.pub
echo "Will launch a hammer ECS task."
HAMMER_ARN=$(aws ecs run-task \
--cluster="$ECS_CLUSTER" \
--task-definition=hammer \
--count=1 \
--launch-type=FARGATE \
--network-configuration='{"awsvpcConfiguration": {"assignPublicIp":"ENABLED","subnets": '$VPC_SUBNETS'}}' \
--query 'tasks[0].taskArn')
echo "Hammer task running, ARN: $HAMMER_ARN."
echo "Waiting for task to stop..."
aws ecs wait tasks-stopped --cluster="$ECS_CLUSTER" --tasks=[$HAMMER_ARN]
echo "The task has stopped. Fetching exit code and returning this action with it."
exit $(aws ecs describe-tasks --cluster="$ECS_CLUSTER" --tasks=[$HAMMER_ARN] --query 'tasks[0].containers[0].exitCode')
- name: Terragrunt destroy post conformance test
id: terragrunt-destroy-post
uses: gruntwork-io/terragrunt-action@v2
with:
tf_version: ${{ env.TF_VERSION }}
tg_version: ${{ env.TG_VERSION }}
tg_dir: ${{ env.TG_DIR }}
tg_command: "destroy"