constellation/.github/workflows/e2e-test-tf-module.yml
2023-11-10 13:32:18 +01:00


name: e2e test Terraform module

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader reads it as the trigger map.
on: # yamllint disable-line rule:truthy
  # Manual trigger from the Actions UI.
  workflow_dispatch:
    inputs:
      ref:
        description: "Git ref to checkout"
        type: string
        required: false
      cloudProvider:
        description: "Which cloud provider to use."
        type: choice
        required: true
        options:
          - "aws"
          - "gcp"
      regionZone:
        description: "Region or zone to create the cluster in. Leave empty for default region/zone."
        type: string
      image:
        description: "Node image version of the cluster."
        type: string
        required: true
      cliVersion:
        description: "Constellation CLI version to use. Empty value means build from source."
        type: string
        required: false
        default: ""

  # Trigger for use as a reusable workflow. Inputs mirror the manual ones, but
  # `cloudProvider` is a plain string here, so callers are expected to pass
  # one of the values offered by the `choice` input above.
  workflow_call:
    inputs:
      ref:
        description: "Git ref to checkout"
        type: string
        required: false
      cloudProvider:
        description: "Which cloud provider to use."
        type: string
        required: true
      regionZone:
        description: "Which zone to use."
        type: string
      image:
        description: "Node image reference which is compatible with the current dev release version."
        type: string
        required: true
      cliVersion:
        description: "Constellation CLI version to use. Empty value means build from source."
        type: string
        required: false
        default: ""
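jobs:
  build:
    runs-on: ubuntu-22.04
    # Least-privilege job token: `id-token` for the OIDC cloud logins below,
    # read-only checkout, and `packages: write` so the CLI build can push.
    permissions:
      id-token: write
      contents: read
      packages: write
    steps:
      - name: Checkout
        id: checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
        with:
          ref: ${{ inputs.ref || github.head_ref }}

      - name: Upload module
        uses: ./.github/actions/upload_terraform_module

      - name: Download Terraform module
        # TODO(review): the other external actions in this job are pinned to a
        # full commit SHA; pin this one the same way (`actions/download-artifact@<COMMIT_SHA> # v3.x`)
        # so a moved tag cannot change what runs here.
        uses: actions/download-artifact@v3
        with:
          name: terraform-module

      - name: Unzip Terraform module
        run: unzip terraform-module.zip

      - name: Create resource prefix
        id: create-prefix
        shell: bash
        # github.run_id and github.run_attempt are numeric, so inlining them into
        # the script is safe; only the last three digits keep resource names short.
        run: |
          run_id=${{ github.run_id }}
          last_three="${run_id: -3}"
          echo "prefix=e2e-${last_three}-${{ github.run_attempt }}" | tee -a "$GITHUB_OUTPUT"

      - name: Create AWS Terraform variable input file
        if: inputs.cloudProvider == 'aws'
        working-directory: ./terraform-module/aws-constellation
        # Caller-supplied inputs reach the script as environment variables rather
        # than being expanded into its text, so the shell treats them as data.
        # The unquoted heredoc still substitutes ${VAR} into the file.
        env:
          PREFIX: ${{ steps.create-prefix.outputs.prefix }}
          IMAGE: ${{ inputs.image }}
          ZONE: ${{ inputs.regionZone || 'us-east-2c' }}
        run: |
          cat > terraform.tfvars <<EOF
          name = "${PREFIX}"
          image = "${IMAGE}"
          zone = "${ZONE}"
          name_prefix = "${PREFIX}"
          node_groups = {
            control_plane_default = {
              role = "control-plane"
              zone = "${ZONE}"
              instance_type = "m6a.xlarge"
              disk_size = 30
              disk_type = "gp3"
              initial_count = 2
            },
            worker_default = {
              role = "worker"
              zone = "${ZONE}"
              instance_type = "m6a.xlarge"
              disk_size = 30
              disk_type = "gp3"
              initial_count = 2
            }
          }
          EOF
          cat terraform.tfvars

      - name: Create GCP Terraform variable input file
        if: inputs.cloudProvider == 'gcp'
        working-directory: ./terraform-module/gcp-constellation
        # Same env-var passing as the AWS step. PROJECT comes from a repository
        # secret; the runner masks registered secret values in the `cat` output.
        env:
          PREFIX: ${{ steps.create-prefix.outputs.prefix }}
          PROJECT: ${{ secrets.GCP_E2E_PROJECT }}
          IMAGE: ${{ inputs.image }}
          ZONE: ${{ inputs.regionZone || 'europe-west3-b' }}
        run: |
          cat > terraform.tfvars <<EOF
          name = "${PREFIX}"
          project = "${PROJECT}"
          service_account_id = "${PREFIX}-sa"
          image = "${IMAGE}"
          zone = "${ZONE}"
          node_groups = {
            control_plane_default = {
              role = "control-plane"
              zone = "${ZONE}"
              instance_type = "n2d-standard-4"
              disk_size = 30
              disk_type = "pd-ssd"
              initial_count = 2
            },
            worker_default = {
              role = "worker"
              zone = "${ZONE}"
              instance_type = "n2d-standard-4"
              disk_size = 30
              disk_type = "pd-ssd"
              initial_count = 2
            }
          }
          EOF
          cat terraform.tfvars

      - name: Install dependencies (Terraform)
        # `-y` keeps apt non-interactive when it has to pull extra packages;
        # `pipefail` makes a failed key download fail the step instead of
        # silently producing an empty keyring.
        run: |
          set -o pipefail
          sudo apt update && sudo apt install -y gpg
          wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
          # Logs the imported key's fingerprint.
          # TODO(review): compare it with the fingerprint HashiCorp publishes and
          # exit non-zero on mismatch, so a substituted key cannot vouch for the package feed.
          gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
          sudo apt update
          sudo apt install -y terraform=1.4.4-*

      - name: Log in to the Container registry
        uses: ./.github/actions/container_registry_login
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # With an empty cliVersion the CLI is built from the checked-out source
      # (next two steps); otherwise a released binary is downloaded instead.
      - name: Setup bazel
        if: inputs.cliVersion == ''
        uses: ./.github/actions/setup_bazel_nix
        with:
          useCache: "true"
          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}

      - name: Build CLI
        if: inputs.cliVersion == ''
        uses: ./.github/actions/build_cli
        with:
          outputPath: "constellation"
          enterpriseCLI: true
          push: true

      - name: Download CLI
        if: inputs.cliVersion != ''
        shell: bash
        # The version string is caller input; pass it via env so it is not
        # spliced into the shell command line.
        env:
          CLI_VERSION: ${{ inputs.cliVersion }}
        run: |
          curl -fsSL -o constellation "https://github.com/edgelesssys/constellation/releases/download/${CLI_VERSION}/constellation-linux-amd64"
          # TODO(review): check the downloaded binary against the release's published
          # checksum or signature before executing it.
          chmod u+x ./constellation
          ./constellation version
          # NOTE(review): maps the license host to localhost — presumably so the
          # released CLI does not contact the license server from CI; confirm.
          sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts'

      - name: Login to AWS (IAM + Cluster role)
        if: inputs.cloudProvider == 'aws'
        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ETerraform
          aws-region: eu-central-1
          # extend token expiry to 6 hours to ensure constellation can terminate
          role-duration-seconds: 21600

      - name: Login to GCP (IAM + Cluster service account)
        if: inputs.cloudProvider == 'gcp'
        uses: ./.github/actions/login_gcp
        with:
          service_account: "constellation-e2e-tf@constellation-331613.iam.gserviceaccount.com"

      - name: Apply Terraform Cluster
        id: apply_terraform
        working-directory: ./terraform-module/${{ inputs.cloudProvider }}-constellation
        # The CLI built or downloaded above is copied next to the module before apply.
        run: |
          cp ../../constellation .
          terraform init
          terraform apply -var-file=terraform.tfvars -auto-approve

      - name: Destroy Terraform Cluster
        # outcome is part of the steps context (https://docs.github.com/en/actions/learn-github-actions/contexts#steps-context)
        # Runs even after a failed apply so partially created resources are torn down.
        if: always() && steps.apply_terraform.outcome != 'skipped'
        working-directory: ./terraform-module/${{ inputs.cloudProvider }}-constellation
        run: |
          terraform init
          terraform destroy -var-file=terraform.tfvars -auto-approve

      - name: Verify cleanup
        # No `if:` here, so this only runs when every previous step succeeded;
        # a failed apply is already reported by that step.
        working-directory: ./terraform-module/${{ inputs.cloudProvider }}-constellation
        run: |
          if [ -f constellation-mastersecret.json ] || [ -f constellation-conf.yaml ]; then
            echo "Files constellation-mastersecret.json or constellation-conf.yaml still exist"
            exit 1
          fi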