File: aws_integration_test.yml

package info (click to toggle)
golang-github-transparency-dev-tessera 1.0.1-4
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 3,612 kB
  • sloc: sql: 33; sh: 17; makefile: 12
file content (161 lines) | stat: -rw-r--r-- 6,918 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
 
name: AWS Conformance Test

on:
  push:
    branches:
    - main

# This prevents two workflows from running at the same time.
# This workflows calls terragrunt, which does not allow concurrent runs.
concurrency:
  group: aws-conformance
  cancel-in-progress: false

permissions:
  id-token: write
  contents: read

env:
  TOFU_VERSION: "1.10.0"
  TG_VERSION: "0.77.22"
  TG_DIR: "deployment/live/aws/conformance/ci/"
  TESSERA_PREFIX_NAME: trillian-tessera
  ECR_REGISTRY: 864981736166.dkr.ecr.us-east-1.amazonaws.com
  ECR_REPOSITORY_CONFORMANCE: trillian-tessera/conformance:latest
  ECR_REPOSITORY_HAMMER: trillian-tessera/hammer:latest
  AWS_REGION: us-east-1

jobs:
  aws-integration:
    runs-on: ubuntu-latest

    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
        with:
          role-to-assume: ${{ vars.AWS_IAMROLE_GITHUB_CI }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Checkout code
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          persist-credentials: false

      ## Authenticate with ECR to push the conformance and hammer images.
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1

      ## Build the conformance image and push it to ECR. This will be used
      ## later on by Terragrunt.
      - name: Build, tag, and push Conformance image to Amazon ECR
        id: build-publish-conformance
        shell: bash
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          ECR_REPOSITORY: ${{ env.ECR_REPOSITORY_CONFORMANCE }}
        run: |
          docker build -f ./cmd/conformance/aws/Dockerfile . -t "$ECR_REGISTRY/$ECR_REPOSITORY"
          docker push "$ECR_REGISTRY/$ECR_REPOSITORY"
          echo "Pushed image to $ECR_REGISTRY/$ECR_REPOSITORY"

      ## Build the hammer image and push it to ECR. This will be used
      ## later on by Terragrunt.
      - name: Build, tag, and push Hammer image to Amazon ECR
        id: build-publish-hammer
        shell: bash
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          ECR_REPOSITORY: ${{ env.ECR_REPOSITORY_HAMMER }}
        run: |
          docker build -f ./internal/hammer/Dockerfile . -t "$ECR_REGISTRY/$ECR_REPOSITORY"
          docker push "$ECR_REGISTRY/$ECR_REPOSITORY"
          echo "Pushed image to $ECR_REGISTRY/$ECR_REPOSITORY"

      ## Destroy any pre-existing deployment/live/aws/conformance/ci env.
      ## This might happen if a previous integration test workflow has failed.
      - name: Terragrunt destroy pre conformance test
        id: terragrunt-destroy-pre
        uses: gruntwork-io/terragrunt-action@95fc057922e3c3d4cc021a81a213f088f333ddef # v3.0.2
        with:
          tofu_version: ${{ env.TOFU_VERSION }}
          tg_version: ${{ env.TG_VERSION }}
          tg_dir: ${{ env.TG_DIR }}
          tg_command: "destroy"
        env:
          ECS_EXECUTION_ROLE: ${{ vars.AWS_IAMROLE_ECS_EXECUTION }}
          ECS_CONFORMANCE_TASK_ROLE: ${{ vars.AWS_IAMROLE_ECS_CONFORMANCE_TASK }}
          TESSERA_SIGNER: unused
          TESSERA_VERIFIER: unused

      ## Generate a new keys for the log to use, and export them to environment
      ## variables for Terragrunt to use.
      - name: Generate Tessera keys
        id: generate-keys
        shell: bash
        run: |
          go run github.com/transparency-dev/serverless-log/cmd/generate_keys@80334bc9dc573e8f6c5b3694efad6358da50abd4 \
            --key_name=tessera/test/conformance \
            --out_priv=${{ runner.temp }}/key.sec \
            --out_pub=${{ runner.temp }}/key.pub
          cat ${{ runner.temp }}/key.pub
          echo "TESSERA_SIGNER=$(cat ${{ runner.temp }}/key.sec)" >> "$GITHUB_ENV"
          echo "TESSERA_VERIFIER=$(cat ${{ runner.temp }}/key.pub)" >> "$GITHUB_ENV"

      ## Apply the deployment/live/aws/conformance/ci terragrunt config.
      ## This will bring up the conformance infrastructure which consists of:
      ##   - the storage module
      ##   - a private S3 <--> ECS network link for the hammer to read the log
      ##   - an ECS cluster to run Fargate tasks
      ##   - a conformance service, with multiple conformance binary instances
      ##   - a hammer task definition (but no execution)
      # TODO(phboneff): AuroraDB takes a long time to be brought up and down
      #  consider keeping it around between tests / using Aurora Serveless
      - name: Terragrunt apply
        id: terragrunt-apply
        uses: gruntwork-io/terragrunt-action@95fc057922e3c3d4cc021a81a213f088f333ddef # v3.0.2
        with:
          tofu_version: ${{ env.TOFU_VERSION }}
          tg_version: ${{ env.TG_VERSION }}
          tg_dir: ${{ env.TG_DIR }}
          tg_command: "apply"
        env:
          ECS_EXECUTION_ROLE: ${{ vars.AWS_IAMROLE_ECS_EXECUTION }}
          ECS_CONFORMANCE_TASK_ROLE: ${{ vars.AWS_IAMROLE_ECS_CONFORMANCE_TASK }}
          INPUT_POST_EXEC_1: |
            echo "ECS_CLUSTER=$(terragrunt output -raw ecs_cluster)" >> "$GITHUB_ENV"
          INPUT_POST_EXEC_2: |
            echo "VPC_SUBNETS=$(terragrunt output -json vpc_subnets)" >> "$GITHUB_ENV"

      ## Now we can run the hammer using the task definition, against the
      ## conformance service. This step returns the hammer task's exit code.
      - name: Run Hammer
        id: hammer
        shell: bash
        run: |
          cat ${{ runner.temp }}/key.pub
          echo "Will launch a hammer ECS task."
          HAMMER_ARN=$(aws ecs run-task \
            --cluster="$ECS_CLUSTER" \
            --task-definition=hammer \
            --count=1 \
            --launch-type=FARGATE \
            --network-configuration='{"awsvpcConfiguration": {"assignPublicIp":"ENABLED","subnets": '$VPC_SUBNETS'}}' \
            --query 'tasks[0].taskArn')
          echo "Hammer task running, ARN: $HAMMER_ARN."
          echo "Waiting for task to stop..."
          aws ecs wait tasks-stopped --cluster="$ECS_CLUSTER" --tasks=[$HAMMER_ARN]
          echo "The task has stopped. Fetching exit code and returning this action with it."
          exit $(aws ecs describe-tasks --cluster="$ECS_CLUSTER" --tasks=[$HAMMER_ARN] --query 'tasks[0].containers[0].exitCode')

      - name: Terragrunt destroy post conformance test
        id: terragrunt-destroy-post
        uses: gruntwork-io/terragrunt-action@95fc057922e3c3d4cc021a81a213f088f333ddef # v3.0.2
        with:
          tofu_version: ${{ env.TOFU_VERSION }}
          tg_version: ${{ env.TG_VERSION }}
          tg_dir: ${{ env.TG_DIR }}
          tg_command: "destroy"
        env:
          ECS_EXECUTION_ROLE: ${{ vars.AWS_IAMROLE_ECS_EXECUTION }}
          ECS_CONFORMANCE_TASK_ROLE: ${{ vars.AWS_IAMROLE_ECS_CONFORMANCE_TASK }}