ci: add GHA for publishing CF templates to S3 #2800

Merged
merged 23 commits into from
Jun 21, 2024

Contributor

@InesNi InesNi commented May 29, 2024

Description

Creating a GHA for publishing 2 CloudFormation templates to S3. The templates are for creating IAM resources users need to run Lambda / Fargate tests.

Once the templates are hosted on S3, CloudFormation quick-create links can be created and added to the docs in button format, simplifying the setup process for users.

The templates will create an ArtilleryDistributedTestingFargateRole / ArtilleryDistributedTestingLambdaRole with the ArtilleryDistributedTestingFargatePolicy / ArtilleryDistributedTestingLambdaPolicy respectively.

The policies used are the original ones from the docs, though the Lambda one needed a few fixes to function properly:

  • The Resource in the CreateLambdaPolicy was missing -*

  • The EcrPullImagePermissions needed to be changed so that instead of setting a Condition we set the Resource to the arn of the repository of the exact account we are pulling from

Testing

Manually tested both CloudFormation templates, making sure that all the necessary resources are created, and tested e2e by running the Fargate and Lambda tests.

Tested that the GHA appropriately updates the templates on S3.

Notes

  • Currently a test bucket is used, waiting to see if a different bucket will be used to host the templates.

Pre-merge checklist

  • Does this require an update to the docs?
  • Does this require a changelog entry? Not sure

@InesNi InesNi changed the title ci: add gha for publishing cf templates to s3 ci: add GHA for publishing CF templates to S3 May 30, 2024
@InesNi InesNi marked this pull request as ready for review May 31, 2024 10:37
@InesNi InesNi marked this pull request as draft May 31, 2024 10:38
Contributor Author

The policy used here is the original one from the docs; the only difference is the account ID being set dynamically.

The role is currently set to be able to be assumed by anyone/anything and should be appropriately restricted by the user.

Contributor Author

The policy used here is the original one from the docs with some changes, as it had a few mistakes that needed to be adjusted as seen in comments below.

The role is currently set to be able to be assumed by anyone/anything and should be appropriately restricted by the user.

"Sid": "CreateLambdaPolicy",
"Effect": "Allow",
"Action": ["iam:CreatePolicy"],
"Resource": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:policy/artilleryio-lambda-policy-*"}
Contributor Author

In the original policy from the docs Resource here was missing -* at the end.

"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage"
],
"Resource": "arn:aws:ecr:*:248481025674:repository/artillery-worker"
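
Review bot: The Resource on this ECR statement hard-codes account 248481025674 and leaves the region as *, and nothing in the visible lines says whose account that is. Consider stating in the template Description or the docs that this is the account hosting the artillery-worker repository, so that users reviewing the role before creating it can verify what they are granting pull access to.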
Contributor Author

The EcrPullImagePermissions needed to be changed so that instead of setting a Condition we set the Resource to the arn of the repository of the exact account we are pulling from.

The initial policy from the docs was using:

{
  "Sid": "EcrPullImagePermissions",
  "Effect": "Allow",
  "Action": [
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage"
  ],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "aws:sourceArn": "arn:aws:lambda:*:123456789000:function:artilleryio-*"
    }
  }
}
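
A small lint for the two points raised in this thread (a Resource of "*" narrowed only by a Condition, and a role trust policy open to any principal), added here as an example and not code from this PR or the Artillery project. The function names are hypothetical, and the two trust-policy samples are constructed because the PR's trust policy is not shown on this page; the permission statements are the ones quoted above.

```python
def _as_list(value):
    return value if isinstance(value, list) else [value]

def wildcard_principal(principal):
    """True for "*" or a mapping such as {"AWS": "*"}."""
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return principal == "*"

def lint_statements(statements, kind):
    """Return (Sid, finding) pairs; kind is 'trust' or 'permissions'."""
    findings = []
    for st in _as_list(statements):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        if kind == "trust":
            if wildcard_principal(st.get("Principal")) and "Condition" not in st:
                findings.append((sid, "role can be assumed by any principal"))
        elif "*" in _as_list(st.get("Resource", [])):
            # Intrinsics such as {"Fn::Sub": ...} are dicts and never match "*".
            note = "Resource is '*'"
            if "Condition" in st:
                note += " (scoped only by a Condition)"
            findings.append((sid, note))
    return findings

ECR_ACTIONS = ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]
# Statement from the docs, as quoted in the thread.
ORIGINAL_ECR = {"Sid": "EcrPullImagePermissions", "Effect": "Allow",
                "Action": ECR_ACTIONS, "Resource": "*",
                "Condition": {"StringLike": {"aws:sourceArn":
                    "arn:aws:lambda:*:123456789000:function:artilleryio-*"}}}
# Statement after the change, pinned to the repository ARN.
FIXED_ECR = {"Sid": "EcrPullImagePermissions", "Effect": "Allow",
             "Action": ECR_ACTIONS,
             "Resource": "arn:aws:ecr:*:248481025674:repository/artillery-worker"}
CREATE_POLICY = {"Sid": "CreateLambdaPolicy", "Effect": "Allow",
                 "Action": ["iam:CreatePolicy"],
                 "Resource": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:policy/artilleryio-lambda-policy-*"}}
# Constructed trust statements (assumption: not taken from the PR).
OPEN_TRUST = {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}
RESTRICTED_TRUST = {"Effect": "Allow", "Action": "sts:AssumeRole",
                    "Principal": {"AWS": "arn:aws:iam::123456789000:root"}}

if __name__ == "__main__":
    print(lint_statements([ORIGINAL_ECR, FIXED_ECR, CREATE_POLICY], "permissions"))
    print(lint_statements([OPEN_TRUST, RESTRICTED_TRUST], "trust"))
```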

@InesNi InesNi marked this pull request as ready for review June 12, 2024 15:10
@InesNi InesNi force-pushed the simplify-deployment-with-cloudformation branch from 722e883 to 74e7827 Compare June 21, 2024 11:16
@InesNi InesNi merged commit a05832f into main Jun 21, 2024
11 checks passed
@InesNi InesNi deleted the simplify-deployment-with-cloudformation branch June 21, 2024 16:21