Merge pull request #91 from askulkarni2/feature/50-e2e-tests

Feature/e2e tests

.github/workflows/e2e-test.yml

@@ -0,0 +1,66 @@
+name: e2e-test
+
+on:
+  workflow_dispatch:
+
+jobs:
+    deploy:
+      name: Run e2e test
+      runs-on: ubuntu-latest
+
+      # These permissions are needed to interact with GitHub's OIDC Token endpoint.
+      permissions:
+        id-token: write
+        contents: read
+
+      steps:
+        - name: Checkout
+          uses: actions/checkout@v2
+
+        - name: Configure AWS credentials from Test account
+          uses: aws-actions/configure-aws-credentials@v1
+          with:
+            role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}
+            aws-region: us-west-2
+            role-duration-seconds: 1800
+            role-session-name: GithubActions-Session
+
+        - name: Terraform Job
+          uses: hashicorp/setup-terraform@v1
+          with:
+            terraform_version: 1.0.11
+
+        - name: Terraform Fmt
+          id: fmt
+          run: terraform fmt -check -recursive -list -no-color
+          continue-on-error: false
+
+        - name: Terraform Init
+          id: init
+          run: terraform init
+          working-directory: deploy/eks-cluster-with-new-vpc
+          continue-on-error: false
+
+        - name: Terraform Validate
+          id: validate
+          working-directory: deploy/eks-cluster-with-new-vpc
+          run: terraform validate -no-color
+          continue-on-error: false
+
+        - name: Terraform Plan
+          id: plan
+          working-directory: deploy/eks-cluster-with-new-vpc
+          run: terraform plan -no-color
+          continue-on-error: false
+
+        - name: Terraform Apply
+          id: apply
+          working-directory: deploy/eks-cluster-with-new-vpc
+          run: terraform apply -no-color --auto-approve=true
+          continue-on-error: false
+
+        - name: Terraform Destroy
+          id: destroy
+          working-directory: deploy/eks-cluster-with-new-vpc
+          run: terraform destroy -no-color --auto-approve=true
+          continue-on-error: false

README.md

@@ -1,6 +1,7 @@
 # Amazon EKS SSP for Terraform
 
 ![GitHub](https://img.shields.io/github/license/aws-samples/aws-eks-accelerator-for-terraform)
+[![e2e-test](https://github.com/aws-samples/aws-eks-accelerator-for-terraform/actions/workflows/e2e-test.yml/badge.svg)](https://github.com/aws-samples/aws-eks-accelerator-for-terraform/actions/workflows/e2e-test.yml)
 
 Welcome to the Amazon EKS Shared Services Platform (SSP) for Terraform.
 

deploy/eks-cluster-with-new-vpc/main.tf

@@ -24,8 +24,10 @@ provider "aws" {
 }
 
 terraform {
-  backend "local" {
-    path = "local_tf_state/terraform-main.tfstate"
+  backend "s3" {
+    bucket = "terraform-ssp-github-actions-state"
+    key    = "tf-state"
+    region = "us-west-2"
   }
 }
 

docs/internal/ci.md

@@ -0,0 +1,61 @@
+# E2E tests
+
+We use GitHub Actions to run an end-to-end tests to verify all PRs. The GitHub Actions used are a combination of `aws-actions/configure-aws-credentials` and `hashicorp/setup-terraform@v1`. See the complete action definition [here](../../.github/workflows/e2e-test.yml).
+
+## Setup
+
+1. Use the following CloudFormation template to setup a new IAM role.
+
+```yaml
+Parameters:
+  GitHubOrg:
+    Type: String
+  RepositoryName:
+    Type: String
+  OIDCProviderArn:
+    Description: Arn for the GitHub OIDC Provider.
+    Default: ""
+    Type: String
+
+Conditions:
+  CreateOIDCProvider: !Equals
+    - !Ref OIDCProviderArn
+    - ""
+
+Resources:
+  Role:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Effect: Allow
+            Action: sts:AssumeRoleWithWebIdentity
+            Principal:
+              Federated: !If
+                - CreateOIDCProvider
+                - !Ref GithubOidc
+                - !Ref OIDCProviderArn
+            Condition:
+              StringLike:
+                token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:*
+
+  GithubOidc:
+    Type: AWS::IAM::OIDCProvider
+    Condition: CreateOIDCProvider
+    Properties:
+      Url: https://token.actions.githubusercontent.com
+      ClientIdList:
+        - sts.amazonaws.com
+      ThumbprintList:
+        - a031c46782e6e6c662c2c87c76da9aa62ccabd8e
+
+Outputs:
+  Role:
+    Value: !GetAtt Role.Arn
+```
+
+2. Add a permissible IAM Policy to the above create role. For our purpose `AdministratorAccess` works the best.
+
+3. Setup a GitHub repo secret called `ROLE_TO_ASSUME` and set it to ARN of the role created in 1.
+
+4. We use an S3 backend to test the canonical [example](../../deploy/eks-cluster-with-new-vpc/main.tf). This allows us to recover from any failures during the `apply` stage. If you are setting up your own CI pipeline change the s3 bucket name in backend configuration of the example.