diff --git a/.github/actions/build-and-test-feature/action.yml b/.github/actions/build-and-test-feature/action.yml index 4c02bcd8..30562ee8 100644 --- a/.github/actions/build-and-test-feature/action.yml +++ b/.github/actions/build-and-test-feature/action.yml @@ -6,6 +6,7 @@ inputs: args: {type: string, required: true} gh_token: {type: string, defaut: '', required: false} vault_host: {type: string, defaut: '', required: false} + aws_role_arn: {type: string, defaut: '', required: false} rw_sccache_bucket: {type: string, defaut: '', required: false} rw_sccache_region: {type: string, defaut: '', required: false} @@ -30,5 +31,6 @@ runs: VAULT_S3_TTL: "900" # 15 minutes gh_token: "${{ inputs.gh_token }}" vault_host: "${{ inputs.vault_host }}" + aws_role_arn: "${{ inputs.aws_role_arn }}" rw_sccache_bucket: "${{ inputs.rw_sccache_bucket }}" rw_sccache_region: "${{ inputs.rw_sccache_region }}" diff --git a/.github/workflows/build-and-test-feature.yml b/.github/workflows/build-and-test-feature.yml index cedc9bdf..a0d514f8 100644 --- a/.github/workflows/build-and-test-feature.yml +++ b/.github/workflows/build-and-test-feature.yml @@ -38,5 +38,6 @@ jobs: args: "${{ inputs.args }}" gh_token: "${{ secrets.GIST_REPO_READ_ORG_GITHUB_TOKEN }}" vault_host: "${{ secrets.GIST_REPO_READ_ORG_GITHUB_TOKEN && 'https://vault.ops.k8s.rapids.ai' || '' }}" + aws_role_arn: "${{ secrets.GIST_REPO_READ_ORG_GITHUB_TOKEN && 'arn:aws:iam::279114543810:role/nv-gha-token-sccache-devs' || '' }}" rw_sccache_bucket: "${{ secrets.GIST_REPO_READ_ORG_GITHUB_TOKEN && 'rapids-sccache-devs' || '' }}" rw_sccache_region: "${{ vars.AWS_REGION }}" diff --git a/features/test/utils/scenarios.json b/features/test/utils/scenarios.json index 28b56a45..3d8f4349 100644 --- a/features/test/utils/scenarios.json +++ b/features/test/utils/scenarios.json 
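Review bot: The new `aws_role_arn` input in the first hunk of `.github/actions/build-and-test-feature/action.yml` copies the `defaut` key from the neighbouring inputs; that is a misspelling of `default`, so the empty-string default the line intends is never declared. As far as I can tell an optional input with no default still evaluates to an empty string, so the `aws_role_arn: "${{ inputs.aws_role_arn }}"` forwarding in the second hunk keeps working, but the misspelled key documents something the runner does not read. I would write the added line as `aws_role_arn: {type: string, default: '', required: false}`. The surrounding context lines carry the same typo and would need a separate cleanup, since they are not part of this change.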
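Review bot: The added `aws_role_arn` line in `.github/workflows/build-and-test-feature.yml` embeds the full role ARN, including the AWS account ID, as a string literal, while the region two lines below already comes from `vars.AWS_REGION`. Moving the ARN into a repository or organization variable would let the role be changed without a commit and keep account identifiers out of the workflow source, e.g. `aws_role_arn: "${{ secrets.GIST_REPO_READ_ORG_GITHUB_TOKEN && vars.AWS_ROLE_ARN || '' }}"`, where `AWS_ROLE_ARN` is a variable name I am proposing, not one shown on the page. The `secrets… && … || ''` guard only decides whether the ARN is handed to the action. Who may actually assume the role is decided by its IAM trust policy, which is outside this diff and worth confirming is limited to the intended repositories.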
@@ -5,6 +5,7 @@ "containerEnv": { "gh_token": "${localEnv:gh_token}", "vault_host": "${localEnv:vault_host}", + "aws_role_arn": "${localEnv:aws_role_arn}", "VAULT_S3_TTL": "${localEnv:VAULT_S3_TTL}", "rw_sccache_bucket": "${localEnv:rw_sccache_bucket}", "rw_sccache_region": "${localEnv:rw_sccache_region}" @@ -49,6 +50,7 @@ "containerEnv": { "gh_token": "${localEnv:gh_token}", "vault_host": "${localEnv:vault_host}", + "aws_role_arn": "${localEnv:aws_role_arn}", "VAULT_S3_TTL": "${localEnv:VAULT_S3_TTL}", "rw_sccache_bucket": "${localEnv:rw_sccache_bucket}", "rw_sccache_region": "${localEnv:rw_sccache_region}" @@ -93,6 +95,7 @@ "containerEnv": { "gh_token": "${localEnv:gh_token}", "vault_host": "${localEnv:vault_host}", + "aws_role_arn": "${localEnv:aws_role_arn}", "VAULT_S3_TTL": "${localEnv:VAULT_S3_TTL}", "rw_sccache_bucket": "${localEnv:rw_sccache_bucket}", "rw_sccache_region": "${localEnv:rw_sccache_region}" diff --git a/features/test/utils/ubuntu18.04.sh b/features/test/utils/ubuntu18.04.sh index d83f684d..06e80ba5 100644 --- a/features/test/utils/ubuntu18.04.sh +++ b/features/test/utils/ubuntu18.04.sh @@ -24,6 +24,7 @@ utils_profile_script="$(find /etc/profile.d/ -type f -name '*-devcontainer-utils reset_state() { export GH_TOKEN=; export VAULT_HOST=; + export AWS_ROLE_ARN=; export SCCACHE_BUCKET=; export SCCACHE_REGION=; export AWS_ACCESS_KEY_ID=; @@ -32,6 +33,7 @@ reset_state() { export -n GH_TOKEN; export -n VAULT_HOST; + export -n AWS_ROLE_ARN; export -n SCCACHE_BUCKET; export -n SCCACHE_REGION; export -n AWS_ACCESS_KEY_ID; @@ -40,6 +42,7 @@ reset_state() { unset GH_TOKEN; unset VAULT_HOST; + unset AWS_ROLE_ARN; unset SCCACHE_BUCKET; unset SCCACHE_REGION; unset AWS_ACCESS_KEY_ID; 
@@ -183,6 +186,63 @@ if test -n "${gh_token:-}" \ check "bad stored creds with GH_TOKEN, VAULT_HOST, and SCCACHE_BUCKET should regenerate credentials" bad_stored_creds_with_GH_TOKEN_VAULT_HOST_and_SCCACHE_BUCKET_should_regenerate_credentials; fi +if test -n "${gh_token:-}" \ +&& test -n "${aws_role_arn:-}" \ +&& test -n "${rw_sccache_bucket:-}"; then + + no_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_generate_credentials() { + reset_state; + GH_TOKEN="${gh_token}" \ + AWS_ROLE_ARN="${aws_role_arn}" \ + SCCACHE_BUCKET="${rw_sccache_bucket}" \ + SCCACHE_REGION="${rw_sccache_region}" \ + devcontainer-utils-post-attach-command; + expect_s3_cache_is_used; + } + + check "no creds with GH_TOKEN, AWS_ROLE_ARN, and SCCACHE_BUCKET should generate credentials" no_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_generate_credentials; + + existing_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_reuse_credentials() { + mv ~/.aws /tmp/; + reset_state; + cp -ar /tmp/.aws ~/; + GH_TOKEN="${gh_token}" \ + AWS_ROLE_ARN="${aws_role_arn}" \ + SCCACHE_BUCKET="${rw_sccache_bucket}" \ + SCCACHE_REGION="${rw_sccache_region}" \ + devcontainer-utils-post-attach-command; + expect_s3_cache_is_used; + } + + check "existing creds with GH_TOKEN, AWS_ROLE_ARN, and SCCACHE_BUCKET should reuse credentials" existing_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_reuse_credentials; + + should_use_provided_AWS_envvar_credentials() { + reset_state; + export SCCACHE_BUCKET="${rw_sccache_bucket}"; + export SCCACHE_REGION="${rw_sccache_region}"; + export AWS_ACCESS_KEY_ID="$(sed -n 's/aws_access_key_id=//p' /tmp/.aws/credentials 2>/dev/null)"; + export AWS_SESSION_TOKEN="$(sed -n 's/aws_session_token=//p' /tmp/.aws/credentials 2>/dev/null)"; + export AWS_SECRET_ACCESS_KEY="$(sed -n 's/aws_secret_access_key=//p' /tmp/.aws/credentials 2>/dev/null)"; + devcontainer-utils-post-attach-command; + expect_s3_cache_is_used; + } + + check "should use provided AWS 
envvar credentials" should_use_provided_AWS_envvar_credentials; + + bad_stored_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_regenerate_credentials() { + reset_state; + write_bad_creds; + GH_TOKEN="${gh_token}" \ + AWS_ROLE_ARN="${aws_role_arn}" \ + SCCACHE_BUCKET="${rw_sccache_bucket}" \ + SCCACHE_REGION="${rw_sccache_region}" \ + devcontainer-utils-post-attach-command; + expect_s3_cache_is_used; + } + + check "bad stored creds with GH_TOKEN, AWS_ROLE_ARN, and SCCACHE_BUCKET should regenerate credentials" bad_stored_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_regenerate_credentials; +fi + # Report result # If any of the checks above exited with a non-zero exit code, the test will fail. reportResults diff --git a/features/test/utils/ubuntu20.04.sh b/features/test/utils/ubuntu20.04.sh index d83f684d..06e80ba5 100644 --- a/features/test/utils/ubuntu20.04.sh +++ b/features/test/utils/ubuntu20.04.sh @@ -24,6 +24,7 @@ utils_profile_script="$(find /etc/profile.d/ -type f -name '*-devcontainer-utils reset_state() { export GH_TOKEN=; export VAULT_HOST=; + export AWS_ROLE_ARN=; export SCCACHE_BUCKET=; export SCCACHE_REGION=; export AWS_ACCESS_KEY_ID=; @@ -32,6 +33,7 @@ reset_state() { export -n GH_TOKEN; export -n VAULT_HOST; + export -n AWS_ROLE_ARN; export -n SCCACHE_BUCKET; export -n SCCACHE_REGION; export -n AWS_ACCESS_KEY_ID; @@ -40,6 +42,7 @@ reset_state() { unset GH_TOKEN; unset VAULT_HOST; + unset AWS_ROLE_ARN; unset SCCACHE_BUCKET; unset SCCACHE_REGION; unset AWS_ACCESS_KEY_ID; 
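Review bot: `should_use_provided_AWS_envvar_credentials` in the ubuntu18.04.sh test hunk reads `/tmp/.aws/credentials`, which exists only because the preceding `existing_creds_…_should_reuse_credentials` test ran `mv ~/.aws /tmp/`, and the `2>/dev/null` on each `sed` turns a missing or stale file into three empty exports instead of a visible failure. If an earlier block of the script (not visible in this hunk) already left a non-empty `/tmp/.aws` behind, `mv` cannot replace it and the following `cp -ar /tmp/.aws ~/` would presumably restore those older credentials over the role-issued ones. I would begin the reuse test with `rm -rf /tmp/.aws;` before the `mv`, and open the envvar test with `test -s /tmp/.aws/credentials || return 1;` so a missing file fails loudly. The copied session credentials also stay in `/tmp` after `reportResults`; removing `/tmp/.aws` once the last check has run avoids leaving them on disk. The same hunk is repeated unchanged in ubuntu20.04.sh and ubuntu22.04.sh, so the point applies there as well.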
@@ -183,6 +186,63 @@ if test -n "${gh_token:-}" \ check "bad stored creds with GH_TOKEN, VAULT_HOST, and SCCACHE_BUCKET should regenerate credentials" bad_stored_creds_with_GH_TOKEN_VAULT_HOST_and_SCCACHE_BUCKET_should_regenerate_credentials; fi +if test -n "${gh_token:-}" \ +&& test -n "${aws_role_arn:-}" \ +&& test -n "${rw_sccache_bucket:-}"; then + + no_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_generate_credentials() { + reset_state; + GH_TOKEN="${gh_token}" \ + AWS_ROLE_ARN="${aws_role_arn}" \ + SCCACHE_BUCKET="${rw_sccache_bucket}" \ + SCCACHE_REGION="${rw_sccache_region}" \ + devcontainer-utils-post-attach-command; + expect_s3_cache_is_used; + } + + check "no creds with GH_TOKEN, AWS_ROLE_ARN, and SCCACHE_BUCKET should generate credentials" no_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_generate_credentials; + + existing_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_reuse_credentials() { + mv ~/.aws /tmp/; + reset_state; + cp -ar /tmp/.aws ~/; + GH_TOKEN="${gh_token}" \ + AWS_ROLE_ARN="${aws_role_arn}" \ + SCCACHE_BUCKET="${rw_sccache_bucket}" \ + SCCACHE_REGION="${rw_sccache_region}" \ + devcontainer-utils-post-attach-command; + expect_s3_cache_is_used; + } + + check "existing creds with GH_TOKEN, AWS_ROLE_ARN, and SCCACHE_BUCKET should reuse credentials" existing_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_reuse_credentials; + + should_use_provided_AWS_envvar_credentials() { + reset_state; + export SCCACHE_BUCKET="${rw_sccache_bucket}"; + export SCCACHE_REGION="${rw_sccache_region}"; + export AWS_ACCESS_KEY_ID="$(sed -n 's/aws_access_key_id=//p' /tmp/.aws/credentials 2>/dev/null)"; + export AWS_SESSION_TOKEN="$(sed -n 's/aws_session_token=//p' /tmp/.aws/credentials 2>/dev/null)"; + export AWS_SECRET_ACCESS_KEY="$(sed -n 's/aws_secret_access_key=//p' /tmp/.aws/credentials 2>/dev/null)"; + devcontainer-utils-post-attach-command; + expect_s3_cache_is_used; + } + + check "should use provided AWS 
envvar credentials" should_use_provided_AWS_envvar_credentials; + + bad_stored_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_regenerate_credentials() { + reset_state; + write_bad_creds; + GH_TOKEN="${gh_token}" \ + AWS_ROLE_ARN="${aws_role_arn}" \ + SCCACHE_BUCKET="${rw_sccache_bucket}" \ + SCCACHE_REGION="${rw_sccache_region}" \ + devcontainer-utils-post-attach-command; + expect_s3_cache_is_used; + } + + check "bad stored creds with GH_TOKEN, AWS_ROLE_ARN, and SCCACHE_BUCKET should regenerate credentials" bad_stored_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_regenerate_credentials; +fi + # Report result # If any of the checks above exited with a non-zero exit code, the test will fail. reportResults diff --git a/features/test/utils/ubuntu22.04.sh b/features/test/utils/ubuntu22.04.sh index d83f684d..06e80ba5 100644 --- a/features/test/utils/ubuntu22.04.sh +++ b/features/test/utils/ubuntu22.04.sh @@ -24,6 +24,7 @@ utils_profile_script="$(find /etc/profile.d/ -type f -name '*-devcontainer-utils reset_state() { export GH_TOKEN=; export VAULT_HOST=; + export AWS_ROLE_ARN=; export SCCACHE_BUCKET=; export SCCACHE_REGION=; export AWS_ACCESS_KEY_ID=; @@ -32,6 +33,7 @@ reset_state() { export -n GH_TOKEN; export -n VAULT_HOST; + export -n AWS_ROLE_ARN; export -n SCCACHE_BUCKET; export -n SCCACHE_REGION; export -n AWS_ACCESS_KEY_ID; @@ -40,6 +42,7 @@ reset_state() { unset GH_TOKEN; unset VAULT_HOST; + unset AWS_ROLE_ARN; unset SCCACHE_BUCKET; unset SCCACHE_REGION; unset AWS_ACCESS_KEY_ID; 
@@ -183,6 +186,63 @@ if test -n "${gh_token:-}" \ check "bad stored creds with GH_TOKEN, VAULT_HOST, and SCCACHE_BUCKET should regenerate credentials" bad_stored_creds_with_GH_TOKEN_VAULT_HOST_and_SCCACHE_BUCKET_should_regenerate_credentials; fi +if test -n "${gh_token:-}" \ +&& test -n "${aws_role_arn:-}" \ +&& test -n "${rw_sccache_bucket:-}"; then + + no_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_generate_credentials() { + reset_state; + GH_TOKEN="${gh_token}" \ + AWS_ROLE_ARN="${aws_role_arn}" \ + SCCACHE_BUCKET="${rw_sccache_bucket}" \ + SCCACHE_REGION="${rw_sccache_region}" \ + devcontainer-utils-post-attach-command; + expect_s3_cache_is_used; + } + + check "no creds with GH_TOKEN, AWS_ROLE_ARN, and SCCACHE_BUCKET should generate credentials" no_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_generate_credentials; + + existing_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_reuse_credentials() { + mv ~/.aws /tmp/; + reset_state; + cp -ar /tmp/.aws ~/; + GH_TOKEN="${gh_token}" \ + AWS_ROLE_ARN="${aws_role_arn}" \ + SCCACHE_BUCKET="${rw_sccache_bucket}" \ + SCCACHE_REGION="${rw_sccache_region}" \ + devcontainer-utils-post-attach-command; + expect_s3_cache_is_used; + } + + check "existing creds with GH_TOKEN, AWS_ROLE_ARN, and SCCACHE_BUCKET should reuse credentials" existing_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_reuse_credentials; + + should_use_provided_AWS_envvar_credentials() { + reset_state; + export SCCACHE_BUCKET="${rw_sccache_bucket}"; + export SCCACHE_REGION="${rw_sccache_region}"; + export AWS_ACCESS_KEY_ID="$(sed -n 's/aws_access_key_id=//p' /tmp/.aws/credentials 2>/dev/null)"; + export AWS_SESSION_TOKEN="$(sed -n 's/aws_session_token=//p' /tmp/.aws/credentials 2>/dev/null)"; + export AWS_SECRET_ACCESS_KEY="$(sed -n 's/aws_secret_access_key=//p' /tmp/.aws/credentials 2>/dev/null)"; + devcontainer-utils-post-attach-command; + expect_s3_cache_is_used; + } + + check "should use provided AWS 
envvar credentials" should_use_provided_AWS_envvar_credentials; + + bad_stored_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_regenerate_credentials() { + reset_state; + write_bad_creds; + GH_TOKEN="${gh_token}" \ + AWS_ROLE_ARN="${aws_role_arn}" \ + SCCACHE_BUCKET="${rw_sccache_bucket}" \ + SCCACHE_REGION="${rw_sccache_region}" \ + devcontainer-utils-post-attach-command; + expect_s3_cache_is_used; + } + + check "bad stored creds with GH_TOKEN, AWS_ROLE_ARN, and SCCACHE_BUCKET should regenerate credentials" bad_stored_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_regenerate_credentials; +fi + # Report result # If any of the checks above exited with a non-zero exit code, the test will fail. reportResults