-
Notifications
You must be signed in to change notification settings - Fork 3
295 lines (273 loc) · 12.6 KB
/
test.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
# This workflow will install Python dependencies, run tests and lint with a single version of Python
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
name: Run tests / create artifacts
on:
push:
branches: [master]
pull_request:
types: [opened, synchronize, reopened, labeled, ready_for_review]
branches: [master]
jobs:
test-build-deploy:
permissions:
id-token: write
contents: read
runs-on: ubuntu-latest
env:
AWS_REGION: us-west-2
defaults:
run:
working-directory: ./cdk
steps:
- uses: actions/checkout@v2
- name: Set up Python 3.9
uses: actions/setup-python@v2
with:
python-version: 3.9
- name: Setup nodejs
uses: actions/setup-node@v2
with:
node-version: 18
- uses: hashicorp/setup-terraform@v2
with:
terraform_version: 1.5.6
- name: Install dependencies
run: |
pip install -r requirements.txt
pip install awscli build
- name: Install aws-cdk
run: npm install -g aws-cdk@$(pip freeze | grep aws-cdk-lib | sed -e 's/.*==//')
- name: Lint with flake8/black/isort
run: |
set -x
export FILES=(*.py domino_cdk tests ../convert/)
for f in ${FILES[@]}; do
# stop the build if there are Python syntax errors or undefined names
flake8 $f --count --select=E9,F63,F7,F82 --show-source --statistics
# exit-zero treats all errors as warnings.
flake8 $f --count --ignore=E501,W503 --exit-zero --statistics
black $f --check
isort $f --check
done
- name: Test with pytest
run: |
coverage run -m pytest tests
- name: Coverage report
run: |
coverage report
- name: Authenticate with AWS
uses: aws-actions/configure-aws-credentials@v3
with:
unset-current-credentials: true
role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
aws-region: ${{ env.AWS_REGION }}
- name: Create/lint default config
env:
AWS_ACCOUNT_ID: ${{ secrets.DELTA_ACCOUNT_ID }}
GITHUB_SHA: ${{ github.sha }}
REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
ACM_CERT_ARN: ${{ secrets.DELTA_ACM_CERT_ARN }}
BASE_DOMAIN: ${{ secrets.DELTA_BASE_DOMAIN }}
JSII_SILENCE_WARNING_DEPRECATED_NODE_VERSION: 1
run: |
export NAME=cdk-${GITHUB_SHA:0:6}-$(date +%s)
echo "NAME=$NAME" >> $GITHUB_ENV
./util.py generate_config_template --name $NAME --aws-region=$AWS_REGION --aws-account-id=$AWS_ACCOUNT_ID --dev --platform-nodegroups 2 --registry-username $REGISTRY_USERNAME --registry-password $REGISTRY_PASSWORD --hostname $NAME.$BASE_DOMAIN --acm-cert-arn $ACM_CERT_ARN --disable-flow-logs | tee config.yaml
./util.py load_config -f ./config.yaml
- name: Test default config (single and nested stacks)
env:
JSII_SILENCE_WARNING_DEPRECATED_NODE_VERSION: 1
run: |
echo 'CDK acknowledge: AWS CDK v1 End-of-Support June 1, 2023'
cdk acknowledge 19836
echo 'CDK acknowledge: (eks) eks overly permissive trust policies'
cdk acknowledge 25674
cdk synth --context singlestack=true -q
cdk synth -q
- name: Upload distribution artifacts
env:
DOMINO_CDK_VERSION: "0.0.0+${{ github.sha }}"
DATEDIR: "date +%Y%m%d"
run: |
cd ..
make clean && make dist
for suffix in "" "-terraform"; do
filename="domino-cdk$suffix-$DOMINO_CDK_VERSION.tar.gz"
aws s3 cp --acl=public-read ./dist/$filename s3://domino-artifacts/cdk/$($DATEDIR)/$filename
urlfile=$(python -c 'import sys, urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip()))' <<< "$filename")
echo "Artifact url: https://domino-artifacts.s3.amazonaws.com/cdk/$($DATEDIR)/$urlfile"
done
- name: Bootstrap CDK
env:
AWS_ACCOUNT_ID: ${{ secrets.DELTA_ACCOUNT_ID }}
AWS_REGION: ${{ env.AWS_REGION }}
JSII_SILENCE_WARNING_DEPRECATED_NODE_VERSION: 1
run: cdk bootstrap "aws://$AWS_ACCOUNT_ID/$AWS_REGION"
- name: Deploy CDK
if: contains(github.event.pull_request.labels.*.name, 'deploy-test') || github.ref == 'refs/heads/master'
env:
REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
JSII_SILENCE_WARNING_DEPRECATED_NODE_VERSION: 1
run: |
docker login -u $REGISTRY_USERNAME -p $REGISTRY_PASSWORD quay.io
cdk deploy --require-approval never --outputs-file outputs.json
$(jq -r ".[].ekskubeconfigcmd" outputs.json) --kubeconfig ./kubeconfig
- name: Authenticate with AWS
uses: aws-actions/configure-aws-credentials@v3
with:
unset-current-credentials: true
role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
aws-region: ${{ env.AWS_REGION }}
- name: Collect diagnostic data
if: always() && (contains(github.event.pull_request.labels.*.name, 'deploy-test') || github.ref == 'refs/heads/master')
env:
KUBECONFIG: ./kubeconfig
LOG_DIR: /tmp/k8s-cluster-state/cdk
run: |
set +e
curl -Lo /usr/local/bin/kubectl "https://dl.k8s.io/release/v1.23.6/bin/linux/amd64/kubectl"
for ns in domino-platform domino-compute domino-system kube-system; do
mkdir -p $LOG_DIR/$ns
kubectl -n $ns get ing -o yaml > $LOG_DIR/$ns/ingress.txt
kubectl -n $ns get po -o yaml > $LOG_DIR/$ns/pods.txt
kubectl -n $ns describe po > $LOG_DIR/$ns/pods-described.txt
kubectl -n $ns get pvc -o yaml > $LOG_DIR/$ns/pvcs.txt
kubectl -n $ns get svc -o yaml > $LOG_DIR/$ns/svcs.txt
kubectl -n $ns describe svc > $LOG_DIR/$ns/svcs-described.txt
kubectl -n $ns get events > $LOG_DIR/$ns/events.txt
done
kubectl get pv -o yaml > $LOG_DIR/pvs.txt
kubectl get no -o yaml > $LOG_DIR/nodes.txt
kubectl describe no > $LOG_DIR/nodes-described.txt
- name: Setup cloudformation-only user for safe stack deletion
if: (contains(github.event.pull_request.labels.*.name, 'deploy-test') || github.ref == 'refs/heads/master')
working-directory: ./convert/cloudformation-only
run: |
echo "{\"region\":\"us-west-2\",\"tags\":{},\"suffix\":\"$NAME\"}" | tee terraform.tfvars.json
terraform init
terraform plan -out=terraform.plan
terraform apply -auto-approve terraform.plan
- name: Install hcledit
run: |
hcledit_version="0.2.9"
hcledit_artifact=hcledit_${hcledit_version}_linux_amd64.tar.gz
curl -fsSL -o "${hcledit_artifact}" "https://github.com/minamijoyo/hcledit/releases/download/v${hcledit_version}/${hcledit_artifact}"
tar xvzf "${hcledit_artifact}"
sudo mv hcledit /usr/local/bin/ && rm "${hcledit_artifact}" && hcledit version
- name: Install tfvar
run: |
tfvar_version="0.8.0"
tfvar_artifact="tfvar_linux_amd64.tar.gz"
curl -fsSL -o "${tfvar_artifact}" "https://github.com/shihanng/tfvar/releases/download/v${tfvar_version}/${tfvar_artifact}"
tar xvzf "${tfvar_artifact}"
sudo mv tfvar /usr/local/bin/ && rm "${tfvar_artifact}" && tfvar --version
- name: Setup terraform-aws-eks conversion process
if: (contains(github.event.pull_request.labels.*.name, 'deploy-test') || github.ref == 'refs/heads/master')
working-directory: ./convert
run: |
pip install -r requirements.txt
ssh-keygen -t rsa -f dummy.pem -N ''
export DEPLOY_ID="$NAME"
export MOD_VALIDATION_OFF="ON"
export MOD_VERSION="miguelhar.DOM-52551-gov-cloud"
envsubst < config.tpl | tee config.yaml
./convert.py check-requirements
./convert.py print-stack --verbose --yaml >stack-data.yaml
./convert.py setup-tf-modules
./convert.py create-tfvars --ssh-key-path ./dummy.pem
./convert.py set-imports
- name: Run terraform
if: (contains(github.event.pull_request.labels.*.name, 'deploy-test') || github.ref == 'refs/heads/master')
working-directory: ./convert
run: |
set -euo pipefail
pushd "$NAME" >/dev/null || { echo "Error changing into $NAME." && exit 1; }
if ! source "meta.sh"; then
echo "There was an error sourcing meta.sh"
exit 1
fi
for component in cdk_tf infra cluster nodes; do
echo "Running terraform for $component"
if ! ./tf.sh "$component" 'init'; then
echo "Initialization for $component failed. Exiting..."
exit 1
fi
if ! ./tf.sh "$component" 'plan_out'; then
echo "Plan for $component failed. Exiting..."
exit 1
fi
echo "Checking plan for resource deletes.."
if ! ./tf.sh "$component" 'show_plan_json' | \
sed -n '/^{.*}$/p' | \
jq '.resource_changes[] | select(.change.actions | contains(["delete"]))' | \
tee "${component}-tf-deletes.plan.json"; then
echo "Error processing json plan for deletes inspection. Exiting..."
exit 1
fi
if [ -s "${component}-tf-deletes.plan.json" ]; then
echo "Detected deletions, bailing..."
exit 1
else
echo "No deletes found"
fi
if ! ./tf.sh "$component" 'apply_plan'; then
echo "Apply plan for $component failed. Exiting..."
exit 1
fi
done
popd >/dev/null || exit 1
- name: Authenticate with AWS
uses: aws-actions/configure-aws-credentials@v3
with:
unset-current-credentials: true
role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
aws-region: ${{ env.AWS_REGION }}
- name: Clean and delete stack
if: (contains(github.event.pull_request.labels.*.name, 'deploy-test') || github.ref == 'refs/heads/master')
working-directory: ./convert
run: |
./convert.py clean-stack --remove-security-group-references --delete
./convert.py delete-stack --delete
- name: Upload diagnostic data
if: always() && (contains(github.event.pull_request.labels.*.name, 'deploy-test') || github.ref == 'refs/heads/master')
uses: actions/upload-artifact@v2
with:
name: Diagnostic Data
path: ./
retention-days: 14
- name: Authenticate with AWS
uses: aws-actions/configure-aws-credentials@v3
if: always() && (contains(github.event.pull_request.labels.*.name, 'deploy-test') || github.ref == 'refs/heads/master')
with:
role-duration-seconds: 7200
unset-current-credentials: true
role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
aws-region: ${{ env.AWS_REGION }}
- name: Delete stack w/CDK
if: always() && (contains(github.event.pull_request.labels.*.name, 'deploy-test') || github.ref == 'refs/heads/master')
env:
JSII_SILENCE_WARNING_DEPRECATED_NODE_VERSION: 1
working-directory: ./cdk
run: |
cdk destroy --force
- name: Destroy Infrastructure tf
if: always() && (contains(github.event.pull_request.labels.*.name, 'deploy-test') || github.ref == 'refs/heads/master')
working-directory: ./convert
run: |
cd "$NAME"
for component in 'nodes' 'cluster' 'infra' 'cdk_tf'; do
echo "Running terraform for $component"
./tf.sh "$component" destroy
done
- name: Destroy Infrastructure cf
if: always() && (contains(github.event.pull_request.labels.*.name, 'deploy-test') || github.ref == 'refs/heads/master')
working-directory: ./convert/cloudformation-only
run: |
terraform destroy -auto-approve
- name: Fail without deploy
if: ${{ github.event.pull_request.draft == false && ! (contains(github.event.pull_request.labels.*.name, 'deploy-test') || contains(github.event.pull_request.labels.*.name, 'no-deploy-needed') || github.ref == 'refs/heads/master') }}
run: |
echo "Deploy tests required on non-draft PRs. Please add 'deploy-test' label".
exit 1