move pipeline to cff concourse

change aws account keys remove arn_role update some of the tasks
cloudfoundry · Nov 14, 2024 · 7c49386 · 7c49386
1 parent 717c212
commit 7c49386
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 60 deletions.
diff --git a/ci/configure.sh b/ci/configure.sh
@@ -2,6 +2,6 @@
 
 set -eu
 
-fly -t bosh-ecosystem sp -p bosh-aws-cpi \
+fly -t bosh sp -p bosh-aws-cpi \
   -c ci/pipeline.yml
 
diff --git a/ci/pipeline.yml b/ci/pipeline.yml
@@ -7,9 +7,8 @@ shared:
   params: &prepare-director-params
     INFRASTRUCTURE: aws
     DIRECTOR_VARS_FILE: |
-      access_key_id: ((aws-cpi-integration-tests_assume_aws_access_key.username))
-      secret_access_key: ((aws-cpi-integration-tests_assume_aws_access_key.password))
-      role_arn: ((aws-cpi-integration-tests_assume_aws_access_key.role_arn))
+      access_key_id: ((aws-admin.username))
+      secret_access_key: ((aws-admin.password))
       region: us-west-1
 
 - &deploy-director
@@ -39,9 +38,8 @@ shared:
   file: bosh-cpi-src/ci/tasks/ensure-terminated.yml
   image: bosh-integration-image
   params:
-    AWS_ACCESS_KEY_ID: ((bosh_cpis_assume_aws_access_key.username))
-    AWS_SECRET_ACCESS_KEY: ((bosh_cpis_assume_aws_access_key.password))
-    AWS_ASSUME_ROLE_ARN: ((bosh_cpis_assume_aws_access_key.role_arn))
+    AWS_ACCESS_KEY_ID: ((aws-admin.username))
+    AWS_SECRET_ACCESS_KEY: ((aws-admin.password))
     AWS_DEFAULT_REGION: us-west-1
 
 - &teardown
@@ -99,12 +97,10 @@ jobs:
     file: bosh-cpi-src/ci/tasks/run-integration.yml
     image: bosh-integration-image
     params:
-      AWS_ACCESS_KEY_ID: ((aws-cpi-integration-tests_assume_aws_access_key.username))
-      AWS_SECRET_ACCESS_KEY: ((aws-cpi-integration-tests_assume_aws_access_key.password))
-      AWS_ROLE_ARN: ((aws-cpi-integration-tests_assume_aws_access_key.role_arn))
-      BOSH_AWS_PERMISSIONS_AUDITOR_KEY_ID: ((iam-permission-auditor_assume_aws_access_key.username))
-      BOSH_AWS_PERMISSIONS_AUDITOR_SECRET_KEY: ((iam-permission-auditor_assume_aws_access_key.password))
-      BOSH_AWS_PERMISSIONS_AUDITOR_ROLE_ARN: ((iam-permission-auditor_assume_aws_access_key.role_arn))
+      AWS_ACCESS_KEY_ID: ((aws-test-user.username))
+      AWS_SECRET_ACCESS_KEY: ((aws-test-user.password))
+      BOSH_AWS_PERMISSIONS_AUDITOR_KEY_ID: ((aws-permission-auditor.username))
+      BOSH_AWS_PERMISSIONS_AUDITOR_SECRET_KEY: ((aws-permission-auditor.password))
       AWS_DEFAULT_REGION: us-west-1
       BOSH_AWS_KMS_KEY_ARN: ((arn_keys.aws_kms_key_arn))
       BOSH_AWS_KMS_KEY_ARN_OVERRIDE: ((arn_keys.aws_kms_key_arn_override))
@@ -154,7 +150,6 @@ jobs:
           -o pipelines/shared/assets/ops/remove-hm.yml
           -o bosh-deployment/external-ip-with-registry-not-recommended.yml
           -o pipelines/shared/assets/ops/remove-provider-cert.yml
-          -o bosh-deployment/aws/cpi-assume-role-credentials.yml
     - do:
       - <<: *deploy-director
       - <<: *run-bats
@@ -206,7 +201,6 @@ jobs:
           -o bosh-deployment/external-ip-with-registry-not-recommended.yml
           -o pipelines/shared/assets/ops/remove-provider-cert.yml
           -o pipelines/aws/assets/ops/iam-instance-profile-ops-file.yml
-          -o bosh-deployment/aws/cpi-assume-role-credentials.yml
     - do:
       - <<: *deploy-director
       - <<: *run-end-2-end
@@ -311,7 +305,7 @@ jobs:
           provider: gcs
           options:
             credentials_source: static
-            json_key: '((cloud-foundry-gcp-credentials))'
+            json_key: '((gcp_json_key))'
   - put: bosh-cpi-src-out
     params:
       repository: release_repo
@@ -367,9 +361,8 @@ jobs:
     - get: ruby-release
       trigger: true
     - get: bosh-integration-image
-    - get: bosh-ecosystem-concourse-image
   - task: bump-ruby-package
-    image: bosh-ecosystem-concourse-image
+    image: bosh-integration-image
     file: ruby-release/ci/tasks/shared/bump-ruby-package.yml
     input_mapping:
       bosh-release: bosh-cpi-src
@@ -385,7 +378,7 @@ jobs:
           provider: gcs
           options:
             credentials_source: static
-            json_key: '((cloud-foundry-gcp-credentials))'
+            json_key: '((gcp_json_key))'
       RUBY_VERSION_PATH: src/bosh_aws_cpi/.ruby-version
   - task: run-unit-specs
     file: bosh-cpi-src/ci/tasks/run-unit-specs.yml
@@ -401,28 +394,28 @@ resource_types:
   type: registry-image
   source:
     repository: ljfranklin/terraform-resource
-    username: ((docker.username))
-    password: ((docker.password))
+    username: ((dockerhub_username))
+    password: ((dockerhub_password))
 - name: gcs
   type: registry-image
   source:
     repository: frodenas/gcs-resource
-    username: ((docker.username))
-    password: ((docker.password))
+    username: ((dockerhub_username))
+    password: ((dockerhub_password))
 
 resources:
 - name: bosh-cpi-dev-artifacts
   type: gcs
   source:
     versioned_file: bosh-aws-cpi-dev-release.tgz
     bucket: bosh-aws-cpi-pipeline
-    json_key: ((cloud-foundry-gcp-credentials))
+    json_key: ((gcp_json_key))
 - name: bosh-cpi-release-notes
   type: gcs
   source:
     versioned_file: release-notes
     bucket: bosh-aws-cpi-pipeline
-    json_key: ((cloud-foundry-gcp-credentials))
+    json_key: ((gcp_json_key))
 - name: bosh-cpi-src-in
   type: git
   source:
@@ -454,26 +447,25 @@ resources:
     key: current-version # dev-release version
     bucket: bosh-aws-cpi-pipeline
     driver: gcs
-    json_key: ((cloud-foundry-gcp-credentials))
+    json_key: ((gcp_json_key))
 - name: release-version-semver
   type: semver
   source:
     key: release-current-version
     bucket: bosh-aws-cpi-pipeline
     driver: gcs
-    json_key: ((cloud-foundry-gcp-credentials))
+    json_key: ((gcp_json_key))
 - name: environment
   type: terraform_type
   source:
     backend_type: gcs
     backend_config:
       bucket: bosh-aws-cpi-pipeline
       prefix: terraform
-      credentials: ((cloud-foundry-gcp-credentials))
+      credentials: ((gcp_json_key))
     vars:
-      access_key: ((bosh_cpis_assume_aws_access_key.username))
-      secret_key: ((bosh_cpis_assume_aws_access_key.password))
-      role_arn: ((bosh_cpis_assume_aws_access_key.role_arn))
+      access_key: ((aws-admin.username))
+      secret_key: ((aws-admin.password))
       region: us-west-1
       public_key: ((integration_vm_keypair.public_key))
 - name: pipelines
@@ -508,33 +500,28 @@ resources:
   type: registry-image
   source:
     repository: bosh/integration
-    username: ((docker.username))
-    password: ((docker.password))
+    username: ((dockerhub_username))
+    password: ((dockerhub_password))
 - name: bosh-ruby-release-registry-image
   type: registry-image
   source:
     repository: bosh/ruby-release
-    username: ((docker.username))
-    password: ((docker.password))
+    username: ((dockerhub_username))
+    password: ((dockerhub_password))
 - name: ruby-release
   type: git
   source:
     uri: https://github.com/cloudfoundry/bosh-package-ruby-release.git
-- name: bosh-ecosystem-concourse-image
-  type: registry-image
-  source:
-    repository: bosh/bosh-ecosystem-concourse
-    username: ((docker.username))
-    password: ((docker.password))
 - name: bosh-security-scanner-registry-image
   type: registry-image
   source:
     repository: bosh/security-scanner
-    username: ((docker.username))
-    password: ((docker.password))
+    username: ((dockerhub_username))
+    password: ((dockerhub_password))
 - name: weekly
   type: time
   source:
     start: 3:00 -0700
     stop: 4:30 -0700
     days: [ Saturday ]
+    initial_version: true
diff --git a/ci/tasks/ensure-terminated.sh b/ci/tasks/ensure-terminated.sh
@@ -7,17 +7,15 @@ set -e
 : ${AWS_DEFAULT_REGION:?}
 
 
-if [ -n "${AWS_ASSUME_ROLE_ARN}" ]; then
-  aws configure --profile creds_account set aws_access_key_id "${AWS_ACCESS_KEY_ID}"
-  aws configure --profile creds_account set aws_secret_access_key "${AWS_SECRET_ACCESS_KEY}"
-  aws configure --profile resource_account set source_profile "creds_account"
-  aws configure --profile resource_account set role_arn "${AWS_ASSUME_ROLE_ARN}"
-  aws configure --profile resource_account set region "${AWS_DEFAULT_REGION}"
-  unset AWS_ACCESS_KEY_ID
-  unset AWS_SECRET_ACCESS_KEY
-  unset AWS_DEFAULT_REGION
-  export AWS_PROFILE=resource_account
-fi
+aws configure --profile creds_account set aws_access_key_id "${AWS_ACCESS_KEY_ID}"
+aws configure --profile creds_account set aws_secret_access_key "${AWS_SECRET_ACCESS_KEY}"
+aws configure --profile resource_account set source_profile "creds_account"
+aws configure --profile resource_account set region "${AWS_DEFAULT_REGION}"
+unset AWS_ACCESS_KEY_ID
+unset AWS_SECRET_ACCESS_KEY
+unset AWS_DEFAULT_REGION
+export AWS_PROFILE=resource_account
+
 metadata=$(cat environment/metadata)
 vpc_id=$(echo ${metadata} | jq --raw-output ".vpc_id")
 

diff --git a/ci/tasks/ensure-terminated.yml b/ci/tasks/ensure-terminated.yml
@@ -12,4 +12,3 @@ params:
   AWS_ACCESS_KEY_ID:     ""
   AWS_SECRET_ACCESS_KEY: ""
   AWS_DEFAULT_REGION:    ""
-  AWS_ASSUME_ROLE_ARN:   ""
diff --git a/ci/tasks/run-integration.sh b/ci/tasks/run-integration.sh
@@ -27,9 +27,7 @@ export BOSH_AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
 if [ "${AWS_SESSION_TOKEN}" ]; then
 	export BOSH_AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}
 fi
-if [ "${AWS_ROLE_ARN}" ]; then
-	export BOSH_AWS_ROLE_ARN=${AWS_ROLE_ARN}
-fi
+
 export BOSH_AWS_DEFAULT_KEY_NAME=$(echo ${metadata} | jq -e --raw-output ".default_key_name")
 export BOSH_AWS_REGION=$(echo ${metadata} | jq -e --raw-output ".region")
 export BOSH_AWS_SUBNET_ID=$(echo ${metadata} | jq -e --raw-output ".subnet_id")

diff --git a/ci/tasks/run-integration.yml b/ci/tasks/run-integration.yml
@@ -12,12 +12,10 @@ run:
 params:
   AWS_ACCESS_KEY_ID:                       ""
   AWS_SECRET_ACCESS_KEY:                   ""
-  AWS_ROLE_ARN:                            ""
   AWS_DEFAULT_REGION:                      ""
   BOSH_AWS_KMS_KEY_ARN:                    ""
   BOSH_AWS_KMS_KEY_ARN_OVERRIDE:           ""
   BOSH_AWS_PERMISSIONS_AUDITOR_KEY_ID:     ""
   BOSH_AWS_PERMISSIONS_AUDITOR_SECRET_KEY: ""
-  BOSH_AWS_PERMISSIONS_AUDITOR_ROLE_ARN:   ""
   BOSH_AWS_CPI_API_VERSION:
   BOSH_AWS_WINDOWS_IMAGE_ID: