Publish CloudFormation templates to AWS S3 #13
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish CloudFormation templates to AWS S3 | ||
| on: | ||
| workflow_call: | ||
| inputs: | ||
| canary: | ||
| type: boolean | ||
| default: false | ||
| description: 'Whether to deploy the canary versions of the templates' | ||
| secrets: | ||
| AWS_ASSET_UPLOAD_ROLE_ARN: | ||
| description: 'ARN of the IAM role to assume to upload assets to S3' | ||
| required: true | ||
| AWS_ACCOUNT_ID_FRESH_SETUP_TESTS: | ||
| description: 'AWS Account ID to use for setting up IAM permissions and running tests' | ||
| required: true | ||
| ARTILLERY_CLOUD_ENDPOINT_TEST: | ||
| description: 'Artillery Cloud endpoint for running tests' | ||
| required: true | ||
| ARTILLERY_CLOUD_API_KEY_TEST: | ||
| description: 'Artillery Cloud API Key for running tests' | ||
| required: true | ||
| workflow_dispatch: | ||
| inputs: | ||
| canary: | ||
| type: boolean | ||
| default: false | ||
| description: 'Whether to deploy the canary versions of the templates' | ||
| env: | ||
| CF_LAMBDA_TEMPLATE: ${{ inputs.canary && 'aws-iam-lambda-cf-template-canary.yml' || 'aws-iam-lambda-cf-template.yml' }} | ||
| CF_FARGATE_TEMPLATE: ${{ inputs.canary && 'aws-iam-fargate-cf-template-canary.yml' || 'aws-iam-fargate-cf-template.yml' }} | ||
| GH_OIDC_LAMBDA_TEMPLATE: ${{ inputs.canary && 'gh-oidc-lambda-canary.yml' || 'gh-oidc-lambda.yml' }} | ||
| GH_OIDC_FARGATE_TEMPLATE: ${{ inputs.canary && 'gh-oidc-fargate-canary.yml' || 'gh-oidc-fargate.yml' }} | ||
| jobs: | ||
| put-cloudformation-templates: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| id-token: write | ||
| contents: read | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v2 | ||
| - name: Configure AWS Credentials | ||
| uses: aws-actions/configure-aws-credentials@v2 | ||
| env: | ||
| SHOW_STACK_TRACE: true | ||
| with: | ||
| aws-region: us-east-1 | ||
| role-to-assume: ${{ secrets.AWS_ASSET_UPLOAD_ROLE_ARN }} | ||
| role-session-name: OIDCSession | ||
| mask-aws-account-id: true | ||
| - name: Update IAM CloudFormation templates | ||
| run: | | ||
| aws s3 cp --acl public-read ./packages/artillery/lib/platform/aws/iam-cf-templates/aws-iam-fargate-cf-template.yml s3://artilleryio-cf-templates/${{ env.CF_FARGATE_TEMPLATE }} | ||
| aws s3 cp --acl public-read ./packages/artillery/lib/platform/aws/iam-cf-templates/aws-iam-lambda-cf-template.yml s3://artilleryio-cf-templates/${{ env.CF_LAMBDA_TEMPLATE }} | ||
| aws s3 cp --acl public-read ./packages/artillery/lib/platform/aws/iam-cf-templates/gh-oidc-lambda.yml s3://artilleryio-cf-templates/${{ env.GH_OIDC_LAMBDA_TEMPLATE }} | ||
| aws s3 cp --acl public-read ./packages/artillery/lib/platform/aws/iam-cf-templates/gh-oidc-fargate.yml s3://artilleryio-cf-templates/${{ env.GH_OIDC_FARGATE_TEMPLATE }} | ||
| set-up-and-run-artillery-test-on-aws: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| id-token: write | ||
| contents: read | ||
| strategy: | ||
| matrix: | ||
| service: [lambda, fargate] | ||
| include: | ||
| - service: lambda | ||
| template-name: ${{ env.GH_OIDC_LAMBDA_TEMPLATE }} | ||
|
Check failure on line 78 in .github/workflows/s3-publish-cf-templates.yml
|
||
| capitalized-service: Lambda | ||
| - service: fargate | ||
| template-name: ${{ env.GH_OIDC_FARGATE_TEMPLATE }} | ||
| capitalized-service: Fargate | ||
| max-parallel: 1 | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v2 | ||
| - name: Configure AWS Credentials | ||
| uses: aws-actions/configure-aws-credentials@v2 | ||
| env: | ||
| SHOW_STACK_TRACE: true | ||
| with: | ||
| aws-region: us-east-1 | ||
| role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID_FRESH_SETUP_TESTS }}:role/ResetAccountForRunningTests | ||
| role-session-name: OIDCSession | ||
| mask-aws-account-id: true | ||
| - name: Install aws-nuke | ||
| run: | | ||
| curl -sL https://github.com/rebuy-de/aws-nuke/releases/download/v2.25.0/aws-nuke-v2.25.0-linux-amd64.tar.gz | tar -xz | ||
| sudo install aws-nuke-v2.25.0-linux-amd64 /usr/local/bin/aws-nuke | ||
| - name: Run aws-nuke | ||
| run: | | ||
| cat <<EOF > aws-nuke-config.yml | ||
| regions: | ||
| - "global" | ||
| - "us-east-2" | ||
| - "us-east-1" | ||
| - "us-west-1" | ||
| - "us-west-2" | ||
| - "ap-south-1" | ||
| - "ap-northeast-3" | ||
| - "ap-northeast-2" | ||
| - "ap-southeast-1" | ||
| - "ap-southeast-2" | ||
| - "ap-northeast-1" | ||
| - "ca-central-1" | ||
| - "eu-central-1" | ||
| - "eu-west-1" | ||
| - "eu-west-2" | ||
| - "eu-west-3" | ||
| - "eu-north-1" | ||
| - "sa-east-1" | ||
| account-blocklist: | ||
| - 111111111111 | ||
| resource-types: | ||
| targets: | ||
| - IAMRole | ||
| - IAMPolicy | ||
| - IAMRolePolicyAttachment | ||
| - IAMOpenIDConnectProvider | ||
| - S3Bucket | ||
| - S3Object | ||
| - LambdaFunction | ||
| - ECSTaskDefinition | ||
| - ECSCluster | ||
| - ECSContainerInstance | ||
| - CloudFormationStack | ||
| - SQSQueue | ||
| - CloudWatchLogGroup | ||
| - CloudWatchLogStream | ||
| - SSMParameter | ||
| accounts: | ||
| "${{ secrets.AWS_ACCOUNT_ID_FRESH_SETUP_TESTS }}": | ||
| filters: | ||
| IAMRole: | ||
| - property: Name | ||
| type: "glob" | ||
| value: "AWS*" | ||
| - property: Name | ||
| type: "glob" | ||
| value: "nidhi*" | ||
| - property: Name | ||
| type: "glob" | ||
| value: "Organization*" | ||
| IAMRolePolicyAttachment: | ||
| - property: RoleName | ||
| type: "glob" | ||
| value: "AWS*" | ||
| - property: RoleName | ||
| type: "glob" | ||
| value: "nidhi*" | ||
| - property: RoleName | ||
| value: "ResetAccountForRunningTests" | ||
| - property: RoleName | ||
| type: "glob" | ||
| value: "Organization*" | ||
| IAMOpenIDConnectProvider: | ||
| - property: Arn | ||
| type: "contains" | ||
| value: "oidc-provider/token.actions.githubusercontent.com" | ||
| invert: true | ||
| EOF | ||
| aws-nuke --config aws-nuke-config.yml --force --force-sleep 4 --no-dry-run | ||
| - name: Fetch CloudFormation Template | ||
| run: | | ||
| aws s3 cp s3://artillery-cf-templates/${{ matrix.template-name }} template.yml | ||
| - name: Deploy CloudFormation Template | ||
| run: | | ||
| aws cloudformation create-stack \ | ||
| --stack-name iam-${{ matrix.service }}-setup \ | ||
| --template-body file://template.yml \ | ||
| --parameters ParameterKey=GitHubRepository,ParameterValue="artilleryio/artillery" \ | ||
| --capabilities CAPABILITY_NAMED_IAM | ||
| aws cloudformation wait stack-create-complete --stack-name iam-${{ matrix.service }}-setup | ||
| - name: Configure AWS Credentials | ||
| uses: aws-actions/configure-aws-credentials@v2 | ||
| env: | ||
| SHOW_STACK_TRACE: true | ||
| with: | ||
| aws-region: us-east-1 | ||
| role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID_FRESH_SETUP_TESTS }}:role/ArtilleryGitHubOIDCFor${{ matrix.capitalized-service }}Role | ||
| role-session-name: OIDCSession | ||
| mask-aws-account-id: true | ||
| - name: Run Artillery Test | ||
| env: | ||
| ARTILLERY_CLOUD_ENDPOINT: ${{ secrets.ARTILLERY_CLOUD_ENDPOINT_TEST }} | ||
| ARTILLERY_CLOUD_API_KEY: ${{ secrets.ARTILLERY_CLOUD_API_KEY_TEST }} | ||
| run: | | ||
| npm run test:cf:iam:${{ matrix.service }} | ||
