
Add CI/CD workflows for terraform automation #183

Open · wants to merge 9 commits into main

Conversation

@DaMandal0rian (Member) commented Oct 3, 2023:

The PR adds Terraform automation with GitHub Actions CI for devnet, gemini-3(x) and ephemeral devnets.

Closes #184

- add transcrypt script
- workflow changes to terraform
@DaMandal0rian force-pushed the terraform-ci-workflows branch 2 times, most recently from 67239db to 24b2e7a, October 3, 2023 18:17
@DaMandal0rian marked this pull request as ready for review October 3, 2023 18:24
- fix permissions
- write to /tmp path and not directly in repo for transcrypt
- fix backend config path
@DaMandal0rian force-pushed the terraform-ci-workflows branch from 24b2e7a to 99a5ac2, October 3, 2023 18:25

@DaMandal0rian (Member Author):

The checks will fail since other PRs need to be merged beforehand.

Comment on lines +14 to +15
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Member:

It doesn't seem to be used, why setting?

Member Author:

The env variable needs to be set when calling the GitHub API, otherwise an error is thrown.

Member:

What and where calls those APIs? I don't see any usage of it.

@DaMandal0rian (Member Author) Oct 11, 2023:

The GITHUB_TOKEN is needed in CI or the bash CLI for API calls. The API is called with curl via https://github.com/subspace/infra/pull/183/files/99a5ac25712fdda531fd88026a12f96aafeacb83#diff-b46b68b6df852ad5f8fc96162f55c2fe198f6d53eb2fe7d7ce12fcd4b2650ba6R39-R43

If you want to use the API in a GitHub Actions workflow, GitHub recommends that you authenticate with the built-in GITHUB_TOKEN

Member:

What you linked doesn't use GITHUB_TOKEN environment variable, it uses $token that is obtained in a different way.

@DaMandal0rian (Member Author) Oct 11, 2023:

@nazar-pc (Member) Oct 11, 2023:

Okay, so it is not for curl, it was for gh CLI command, now it makes sense.

With that knowledge we understand why it is necessary. I think what we should do now in a secure way (I'm fairly certain simply setting an environment variable wasn't) without using heavy tools like setting the repo's secrets from a workflow is to use outputs and mask them such that they are not visible in logs: https://github.com/orgs/community/discussions/25225#discussioncomment-3246942

That is the goal here: to pass the token from one step into another. What we had in earlier versions of this PR are various suboptimal/incorrect ways of achieving that ultimate goal.

Member Author:

Correct, GitHub CLI. I should have been more clear about that ("The GITHUB_TOKEN is needed in CI or bash cli for API calls") but couldn't remember exactly since it was a while ago. That being said, the solution of masking the secret and just passing it is nice if using the ephemeral runners maybe, but this solution and workflow is for the dedicated runners, where I need to retain the secret so I can unregister and delete the runner if need be and remove it from GitHub. See https://docs.github.com/en/free-pro-team@latest/rest/actions/self-hosted-runners?apiVersion=2022-11-28#delete-a-self-hosted-runner-from-an-organization

Member:

But you mentioned that tokens only live for 1 hour, so you'll have to retrieve a fresh token anyway. Why retain it then at all?

Member Author:

The token is not needed to deregister; a force delete can be done. So I've used the masking technique.

Comment on lines 32 to 33
env:
GH_TOKEN: ${{ github.token }}
Member:

You're using secrets.GITHUB_TOKEN above and github.token here, which are both the same thing. Would be nice to make it consistent.

But this environment doesn't seem to be used either.

@DaMandal0rian (Member Author) Oct 6, 2023:

It is used with the GitHub API; will make consistent. It is needed for API calls to get the PAT token for GitHub runner registration.

Member:

GitHub API again? Which API, I don't see any usage of it.

Member Author:

Member:

How is linked code related to GH_TOKEN?

Member Author:

OK, for $token in the auth header of the curl request: that is the PAT token to authenticate to the repo and get the runner token. If I remove GH_TOKEN you will see an error in CI that you need to have GH_TOKEN to call GitHub APIs from the workflow :). I wasn't using it before, but added it to fix the problem. Here is an old version:
https://github.com/subspace/infra/blob/bd296590f29cdd730ab29869c7ade1258cb395ae/.github/workflows/terraform_gh_runner.yml
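The two threads above (GITHUB_TOKEN on lines 14-15 and GH_TOKEN on lines 32-33) converge on one pattern: one step fetches a short-lived runner registration token with an API credential, a later step consumes it, and nothing is written back into the repository or its secrets. The script below is an added example and not code from subspace/infra or this PR. It assumes a hypothetical org name and runner id, that GH_TOKEN holds a credential allowed to manage the org's self-hosted runners, and that the job's step-output file is $GITHUB_OUTPUT; token_from_response, fetch_registration_token, export_masked_output and delete_runner are names chosen here, not names from the workflow.

```shell
#!/usr/bin/env bash
# Added example, not code from subspace/infra: obtain a self-hosted runner
# registration token with an API credential, pass it to a later step via
# $GITHUB_OUTPUT, and mask it so it never shows up in the job log.
# Assumed: GH_TOKEN holds a PAT (or the job's GITHUB_TOKEN) allowed to
# manage org runners; org names and runner ids used by callers are hypothetical.
set -eu

# Extract the "token" field from the registration-token JSON response
# without depending on jq; takes the response body as its argument.
token_from_response() {
  printf '%s\n' "$1" \
    | sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# POST /orgs/{org}/actions/runners/registration-token with curl.
# The returned token is valid for one hour, so it is fetched on every run.
fetch_registration_token() {
  local org="$1" api_token="$2"
  token_from_response "$(curl -fsS -X POST \
    -H 'Accept: application/vnd.github+json' \
    -H "Authorization: Bearer ${api_token}" \
    -H 'X-GitHub-Api-Version: 2022-11-28' \
    "https://api.github.com/orgs/${org}/actions/runners/registration-token")"
}

# Same call through the gh CLI, which reads GH_TOKEN from the environment;
# this is why the env block needs GH_TOKEN when gh is the client.
fetch_registration_token_gh() {
  local org="$1"
  gh api -X POST "orgs/${org}/actions/runners/registration-token" --jq .token
}

# Emit the workflow commands that hand a secret to the next step:
# ::add-mask:: first, so any later log line containing the value is
# redacted, then name=value appended to the step-output file
# ($GITHUB_OUTPUT unless a path is given, which the tests use).
export_masked_output() {
  local name="$1" value="$2" out_file="${3:-$GITHUB_OUTPUT}"
  printf '::add-mask::%s\n' "$value"
  printf '%s=%s\n' "$name" "$value" >> "$out_file"
}

# DELETE /orgs/{org}/actions/runners/{runner_id}: removes a dedicated
# runner from the org; no registration token is needed for this, which is
# why the expired one does not have to be kept around.
delete_runner() {
  local org="$1" runner_id="$2" api_token="$3"
  curl -fsS -X DELETE \
    -H 'Accept: application/vnd.github+json' \
    -H "Authorization: Bearer ${api_token}" \
    -H 'X-GitHub-Api-Version: 2022-11-28' \
    "https://api.github.com/orgs/${org}/actions/runners/${runner_id}"
}

# Step 1 of a workflow (with an id: so its outputs are addressable) would run:
#   export_masked_output runner_token "$(fetch_registration_token "$ORG" "$GH_TOKEN")"
# Step 2 then consumes ${{ steps.<step-id>.outputs.runner_token }}.
```

The mask only applies to the log of the job that emitted it, so a token handed to a different job has to be masked again there; and because a registration token expires after an hour, de-registering a dedicated runner later goes through the DELETE endpoint rather than a saved token, which is the force-delete route mentioned above.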

@DaMandal0rian requested a review from nazar-pc October 6, 2023 13:51
- make tokens consistent and adjust some paths.
- add comments
- remove extra env variable set
@DaMandal0rian force-pushed the terraform-ci-workflows branch from 460596b to 4a6c180, October 6, 2023 14:22

@nazar-pc (Member) left a comment:

CI failed with Error: Invalid command-line option, which I think means something needs to be fixed.

- this is not needed with terraform cloud
- test (remove GH_TOKEN)
@DaMandal0rian force-pushed the terraform-ci-workflows branch from e7c5456 to 2d35eef, October 11, 2023 15:06

@vedhavyas (Member):

@DaMandal0rian is this ready to be reviewed? Looks like GH actions are still failing

- remove tfvars secret and storing in github, use the encrypted terraform.tfvars file with transcrypt.
- add branch as input
- change API token name and remove vars secret file
- change path for dedicated runners
@DaMandal0rian force-pushed the terraform-ci-workflows branch from 935a2a2 to d865c7c, December 5, 2023 12:06

@DaMandal0rian (Member Author) commented Dec 5, 2023:

> @DaMandal0rian is this ready to be reviewed? Looks like GH actions are still failing

@vedhavyas yes, the PR is ready. The reason is the tfvars file does not exist in the path, but I will upload the encrypted version in another PR for the resources. I've also made some changes.

- add genesis hash input
- add terraform apply and destroy inputs
@DaMandal0rian (Member Author):

tfvars file is added in PR https://github.com/subspace/infra/pull/226/files

@vedhavyas (Member) left a comment:

I may be missing something here, but it looks like we can only run one ephemeral devnet at a time since TF uses the same working directory. This would also be a problem if multiple people want to deploy at the same time.

If it's AWS, can we deploy new instances instead?
As for Hetzner, we should not allow new deployments unless the workspace is already destroyed so that the machine can be re-used.

Though I'm not sure if this is out of scope for this PR.

@DaMandal0rian (Member Author) commented Jan 2, 2024:

@vedhavyas For Hetzner, you can run the destroy input with the workflow dispatch event. Also, please check the readme file, which addresses this. This is outside the scope of this PR, which deals with CI/CD. In another PR I can add a random generator to the backend (AWS) for Terraform changes, but would rather devs modify the backend and open a PR as the instructions state in the readme.
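The concurrency concern raised in the review above has two halves: a shared Hetzner machine must not be redeployed while the previous deployment still exists, whereas on AWS a parallel deployment can simply get its own resources. The pre-flight check below is an added example, not code from subspace/infra or this PR. It assumes the workflow runs `terraform state list` after init and passes that listing in as a string, uses the hypothetical mode names "shared" and "per-branch" to distinguish the two providers, and treats a sanitised branch name as an acceptable Terraform workspace name; state_is_empty, workspace_for_branch and can_deploy are names chosen here.

```shell
#!/usr/bin/env bash
# Added example, not code from subspace/infra: guard a workflow_dispatch
# deploy so that a shared working directory is never applied twice, and
# give parallel deployments their own Terraform workspace where that is fine.
set -eu

# Return 0 if the `terraform state list` output holds no resources.
# The listing is passed in so the check can run without a real backend.
state_is_empty() {
  [ -z "$(printf '%s\n' "$1" | sed '/^[[:space:]]*$/d')" ]
}

# Turn a git ref into a workspace name: lowercase, [a-z0-9-] only,
# no leading/trailing or doubled dashes, at most 63 characters.
workspace_for_branch() {
  local ref="${1#refs/heads/}"
  printf '%s' "$ref" \
    | tr '[:upper:]' '[:lower:]' \
    | sed 's/[^a-z0-9]/-/g; s/--*/-/g; s/^-//; s/-$//' \
    | cut -c1-63
}

# Decide whether the requested action may proceed.
#   $1 mode:    "shared" (one machine, must be destroyed before reuse)
#               or "per-branch" (fresh resources per workspace)
#   $2 listing: current `terraform state list` output
#   $3 action:  apply or destroy
# Exit 0 to proceed, 1 to refuse, 2 on a bad action name.
can_deploy() {
  local mode="$1" listing="$2" action="$3"
  case "$action" in
    destroy) return 0 ;;   # tearing down is always allowed
    apply) ;;
    *) echo "unknown action: $action" >&2; return 2 ;;
  esac
  if [ "$mode" = "shared" ] && ! state_is_empty "$listing"; then
    echo "refusing apply: shared workspace still holds resources; run destroy first" >&2
    return 1
  fi
  return 0
}

# In the workflow, after terraform init:
#   ws=$(workspace_for_branch "$GITHUB_REF")
#   terraform workspace select "$ws" || terraform workspace new "$ws"
#   can_deploy "$MODE" "$(terraform state list 2>/dev/null || true)" "$ACTION"
#   terraform "$ACTION" -auto-approve
```

A GitHub Actions `concurrency:` group keyed on the workspace name, with `cancel-in-progress: false`, is the matching workflow-level guard: two dispatches against the same workspace then queue instead of racing on the same state file.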

@jfrank-summit (Member):

@DaMandal0rian it has been a while since this PR progressed. Are there any updates?

Linked issue (may be closed by merging this pull request): Github CI pipelines for automation of networks with terraform

4 participants