e2e test Terraform module #56
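---
# End-to-end test of the Terraform module: builds (or downloads) the
# Constellation CLI, creates a cluster on the selected cloud provider through
# the module, destroys it again and checks that no local state files remain.
name: e2e test Terraform module

on:
  workflow_dispatch:
    inputs:
      ref:
        type: string
        description: "Git ref to checkout"
        required: false
      cloudProvider:
        description: "Which cloud provider to use."
        type: choice
        options:
          - "aws"
          - "gcp"
        required: true
      regionZone:
        # NOTE(review): marked required, so the "leave empty" case in the
        # description cannot be selected from the UI -- confirm which is meant.
        description: "Region or zone to create the cluster in. Leave empty for default region/zone."
        type: string
        required: true
      image:
        description: "Node image version of the cluster."
        type: string
        required: true
      cliVersion:
        description: "Constellation CLI version to use. Empty value means build from source."
        type: string
        default: ""
        required: false
  workflow_call:
    inputs:
      ref:
        type: string
        description: "Git ref to checkout"
        required: false
      cloudProvider:
        # Free-form here (workflow_call has no `choice` type), so the value is
        # checked by the first job step before it is used in a path.
        description: "Which cloud provider to use."
        type: string
        required: true
      regionZone:
        description: "Which zone to use."
        type: string
        required: true
      image:
        description: "Node image reference which is compatible with the current dev release version."
        type: string
        required: true
      cliVersion:
        description: "Constellation CLI version to use. Empty value means build from source."
        type: string
        default: ""
        required: false

jobs:
  build:
    runs-on: ubuntu-22.04
    permissions:
      id-token: write  # OIDC token for the AWS / GCP logins below
      contents: read
      packages: write  # build_cli pushes to ghcr.io
    steps:
      # Fail early on an unknown provider instead of later in a non-existent
      # working directory; only `aws` and `gcp` have a tfvars step below.
      - name: Validate cloud provider input
        env:
          CLOUD_PROVIDER: ${{ inputs.cloudProvider }}
        run: |
          case "${CLOUD_PROVIDER}" in
            aws|gcp) ;;
            *)
              echo "Unsupported cloudProvider: '${CLOUD_PROVIDER}' (expected aws or gcp)"
              exit 1
              ;;
          esac
      - name: Checkout
        id: checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
        with:
          ref: ${{ inputs.ref || github.head_ref }}
      - name: Upload module
        uses: ./.github/actions/upload_terraform_module
      - name: Download Terraform module
        # TODO: pin to a commit SHA like the other third-party actions in this job.
        uses: actions/download-artifact@v3
        with:
          name: terraform-module
      - name: Unzip Terraform module
        run: unzip terraform-module.zip
      - name: Create resource prefix
        id: create-prefix
        shell: bash
        run: |
          # Last three digits of the run id plus the attempt number keep cloud
          # resource names short and distinct across retries.
          run_id="${GITHUB_RUN_ID}"
          last_three="${run_id: -3}"
          echo "prefix=e2e-${last_three}-${GITHUB_RUN_ATTEMPT}" | tee -a "$GITHUB_OUTPUT"
      # Workflow inputs are passed through `env` so that their contents are
      # expanded by the shell rather than substituted into the script text.
      - name: Create AWS Terraform variable input file
        if: inputs.cloudProvider == 'aws'
        working-directory: ./terraform-module/aws-constellation
        env:
          PREFIX: ${{ steps.create-prefix.outputs.prefix }}
          IMAGE: ${{ inputs.image }}
          REGION_ZONE: ${{ inputs.regionZone }}
        run: |
          cat > terraform.tfvars <<EOF
          name = "${PREFIX}"
          image = "${IMAGE}"
          zone = "${REGION_ZONE}"
          name_prefix = "${PREFIX}"
          node_groups = {
            control_plane_default = {
              role = "control-plane"
              zone = "${REGION_ZONE}"
              instance_type = "m6a.xlarge"
              disk_size = 30
              disk_type = "gp3"
              initial_count = 2
            },
            worker_default = {
              role = "worker"
              zone = "${REGION_ZONE}"
              instance_type = "m6a.xlarge"
              disk_size = 30
              disk_type = "gp3"
              initial_count = 2
            }
          }
          EOF
          cat terraform.tfvars
      - name: Create GCP Terraform variable input file
        if: inputs.cloudProvider == 'gcp'
        working-directory: ./terraform-module/gcp-constellation
        env:
          PREFIX: ${{ steps.create-prefix.outputs.prefix }}
          PROJECT: ${{ secrets.GCP_E2E_PROJECT }}
          IMAGE: ${{ inputs.image }}
          REGION_ZONE: ${{ inputs.regionZone }}
        run: |
          cat > terraform.tfvars <<EOF
          name = "${PREFIX}"
          project = "${PROJECT}"
          service_account_id = "${PREFIX}-sa"
          image = "${IMAGE}"
          zone = "${REGION_ZONE}"
          node_groups = {
            control_plane_default = {
              role = "control-plane"
              zone = "${REGION_ZONE}"
              instance_type = "n2d-standard-4"
              disk_size = 30
              disk_type = "pd-ssd"
              initial_count = 2
            },
            worker_default = {
              role = "worker"
              zone = "${REGION_ZONE}"
              instance_type = "n2d-standard-4"
              disk_size = 30
              disk_type = "pd-ssd"
              initial_count = 2
            }
          }
          EOF
          cat terraform.tfvars
      - name: Install dependencies (Terraform)
        run: |
          # apt-get with -y: non-interactive and stable CLI for scripts.
          sudo apt-get update && sudo apt-get install -y gpg
          # --batch --yes: never block on an "overwrite existing keyring?" prompt.
          wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --batch --yes --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
          # Prints the fingerprint to the job log only; TODO compare it against
          # the fingerprint HashiCorp publishes and fail on mismatch.
          gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
          sudo apt-get update
          # Pinned so the module is exercised against a fixed Terraform release.
          sudo apt-get install -y terraform=1.4.4-*
      - name: Log in to the Container registry
        uses: ./.github/actions/container_registry_login
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Setup bazel
        if: inputs.cliVersion == ''
        uses: ./.github/actions/setup_bazel_nix
        with:
          useCache: "true"
          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
      - name: Build CLI
        if: inputs.cliVersion == ''
        uses: ./.github/actions/build_cli
        with:
          outputPath: "constellation"
          enterpriseCLI: true
          push: true
      - name: Download CLI
        if: inputs.cliVersion != ''
        shell: bash
        env:
          CLI_VERSION: ${{ inputs.cliVersion }}
        run: |
          mkdir build
          # NOTE(review): the release binary is used without a checksum or
          # signature check; verify it against the release's published
          # checksums/signature before trusting it in the e2e run.
          curl -fsSL -o constellation "https://github.com/edgelesssys/constellation/releases/download/${CLI_VERSION}/constellation-linux-amd64"
          chmod u+x constellation
          export PATH="${PATH}:$(pwd)"
          constellation version
          # Do not spam license server from pipeline
          sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts'
      - name: Login to AWS (IAM + Cluster role)
        if: inputs.cloudProvider == 'aws'
        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ETerraform
          aws-region: eu-central-1
          # extend token expiry to 6 hours to ensure constellation can terminate
          role-duration-seconds: 21600
      - name: Login to GCP (IAM + Cluster service account)
        if: inputs.cloudProvider == 'gcp'
        uses: ./.github/actions/login_gcp
        with:
          service_account: "constellation-e2e-tf@constellation-331613.iam.gserviceaccount.com"
      - name: Apply Terraform Cluster
        id: apply_terraform
        working-directory: ./terraform-module/${{ inputs.cloudProvider }}-constellation
        run: |
          # The module expects the CLI binary next to its configuration.
          cp ../../constellation .
          terraform init
          terraform apply -var-file=terraform.tfvars -auto-approve
      - name: Destroy Terraform Cluster
        # Runs even after a failed apply so partially created resources are
        # torn down; skipped only if apply never started.
        if: always() && steps.apply_terraform.outcome != 'skipped'
        working-directory: ./terraform-module/${{ inputs.cloudProvider }}-constellation
        run: |
          terraform init
          terraform destroy -var-file=terraform.tfvars -auto-approve
      - name: Verify cleanup
        # Same condition as the destroy step, so leftover files are reported
        # on the failure path as well.
        if: always() && steps.apply_terraform.outcome != 'skipped'
        working-directory: ./terraform-module/${{ inputs.cloudProvider }}-constellation
        run: |
          if [ -f constellation-mastersecret.json ] || [ -f constellation-conf.yaml ]; then
            echo "Files constellation-mastersecret.json or constellation-conf.yaml still exist"
            exit 1
          fi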