Feature/e2e tests #91

Merged: 1 commit, Dec 1, 2021
66 changes: 66 additions & 0 deletions .github/workflows/e2e-test.yml
@@ -0,0 +1,66 @@
name: e2e-test

on:
workflow_dispatch:

jobs:
deploy:
name: Run e2e test
runs-on: ubuntu-latest

# These permissions are needed to interact with GitHub's OIDC Token endpoint.
permissions:
id-token: write
contents: read

steps:
- name: Checkout
uses: actions/checkout@v2

- name: Configure AWS credentials from Test account
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}
aws-region: us-west-2
role-duration-seconds: 1800
role-session-name: GithubActions-Session

- name: Terraform Job
uses: hashicorp/setup-terraform@v1
with:
terraform_version: 1.0.11

- name: Terraform Fmt
id: fmt
run: terraform fmt -check -recursive -list -no-color
continue-on-error: false

- name: Terraform Init
id: init
run: terraform init
working-directory: deploy/eks-cluster-with-new-vpc
continue-on-error: false

- name: Terraform Validate
id: validate
working-directory: deploy/eks-cluster-with-new-vpc
run: terraform validate -no-color
continue-on-error: false

- name: Terraform Plan
id: plan
working-directory: deploy/eks-cluster-with-new-vpc
run: terraform plan -no-color
continue-on-error: false

- name: Terraform Apply
id: apply
working-directory: deploy/eks-cluster-with-new-vpc
run: terraform apply -no-color --auto-approve=true
continue-on-error: false

- name: Terraform Destroy
id: destroy
working-directory: deploy/eks-cluster-with-new-vpc
run: terraform destroy -no-color --auto-approve=true
continue-on-error: false
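Review bot: the Terraform Destroy step at the end of this hunk only runs when every earlier step succeeded, so a failed `terraform apply` leaves a partially created EKS cluster and VPC running in the test account with nothing to tear it down (`continue-on-error: false` does not help here; it only decides whether the step's own failure fails the job). Add `if: always()` to the destroy step so cleanup runs after an apply failure. Two related points: `role-duration-seconds: 1800` gives the session 30 minutes, and creating then destroying an EKS cluster with node groups can exceed that, in which case the destroy step fails on expired credentials, so raise the duration (or refresh credentials before destroy); and since this job holds a role that docs/internal/ci.md in this PR says carries `AdministratorAccess`, pin `actions/checkout`, `aws-actions/configure-aws-credentials` and `hashicorp/setup-terraform` to a full commit SHA rather than the mutable `@v1`/`@v2` tags.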
1 change: 1 addition & 0 deletions README.md
@@ -1,6 +1,7 @@
# Amazon EKS SSP for Terraform

![GitHub](https://img.shields.io/github/license/aws-samples/aws-eks-accelerator-for-terraform)
[![e2e-test](https://github.com/aws-samples/aws-eks-accelerator-for-terraform/actions/workflows/e2e-test.yml/badge.svg)](https://github.com/aws-samples/aws-eks-accelerator-for-terraform/actions/workflows/e2e-test.yml)

Welcome to the Amazon EKS Shared Services Platform (SSP) for Terraform.

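Review bot: the badge added on the second line links to the e2e-test workflow, but that workflow (added in this PR) triggers only on `workflow_dispatch`, so the badge reports the most recent manual run rather than the status of the current commit or of any PR; either say so next to the badge or, if PR verification is the intent, add a `pull_request` or `push` trigger to the workflow.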
6 changes: 4 additions & 2 deletions deploy/eks-cluster-with-new-vpc/main.tf
@@ -24,8 +24,10 @@ provider "aws" {
}

terraform {
backend "local" {
path = "local_tf_state/terraform-main.tfstate"
backend "s3" {
bucket = "terraform-ssp-github-actions-state"
key = "tf-state"
region = "us-west-2"
}
}

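Review bot: the new `s3` backend block sets only `bucket`, `key` and `region`; there is no `encrypt = true` and no `dynamodb_table`, so the state file (which will hold the cluster endpoint, certificate data and other sensitive outputs) relies on whatever default encryption the bucket has, and there is no state locking, so two workflow runs started close together race on the same `tf-state` key. Add `encrypt = true` and `dynamodb_table = "<lock-table>"`. Also, this file is the canonical example users are told to run, and hard-coding a bucket they cannot reach makes `terraform init` fail for them until they edit the file; leaving the block as `backend "s3" {}` and passing bucket, key and region through `-backend-config` from the workflow keeps the example runnable as-is.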
61 changes: 61 additions & 0 deletions docs/internal/ci.md
@@ -0,0 +1,61 @@
# E2E tests

We use GitHub Actions to run an end-to-end tests to verify all PRs. The GitHub Actions used are a combination of `aws-actions/configure-aws-credentials` and `hashicorp/setup-terraform@v1`. See the complete action definition [here](../../.github/workflows/e2e-test.yml).

## Setup

1. Use the following CloudFormation template to setup a new IAM role.

Contributor: Nice to have this as a TF resource

Contributor Author: Hi @vara-bonthu, I spoke to @kcoleman731 and since this is meant for our internal usage we do not need a terraform example here.

```yaml

Parameters:
GitHubOrg:
Type: String
RepositoryName:
Type: String
OIDCProviderArn:
Description: Arn for the GitHub OIDC Provider.
Default: ""
Type: String

Conditions:
CreateOIDCProvider: !Equals
- !Ref OIDCProviderArn
- ""

Resources:
Role:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Action: sts:AssumeRoleWithWebIdentity
Principal:
Federated: !If
- CreateOIDCProvider
- !Ref GithubOidc
- !Ref OIDCProviderArn
Condition:
StringLike:
token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:*

GithubOidc:
Type: AWS::IAM::OIDCProvider
Condition: CreateOIDCProvider
Properties:
Url: https://token.actions.githubusercontent.com
ClientIdList:
- sts.amazonaws.com
ThumbprintList:
- a031c46782e6e6c662c2c87c76da9aa62ccabd8e

Outputs:
Role:
Value: !GetAtt Role.Arn
```

2. Add a permissible IAM Policy to the above create role. For our purpose `AdministratorAccess` works the best.

3. Setup a GitHub repo secret called `ROLE_TO_ASSUME` and set it to ARN of the role created in 1.

4. We use an S3 backend to test the canonical [example](../../deploy/eks-cluster-with-new-vpc/main.tf). This allows us to recover from any failures during the `apply` stage. If you are setting up your own CI pipeline change the s3 bucket name in backend configuration of the example.
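Review bot: the trust policy in the CloudFormation template under step 1 conditions only on `token.actions.githubusercontent.com:sub` with the wildcard `repo:${GitHubOrg}/${RepositoryName}:*` and never checks the `aud` claim, so a workflow on any branch, tag or pull request ref of the repository can assume a role that step 2 then grants `AdministratorAccess`. Add a `StringEquals` condition on `token.actions.githubusercontent.com:aud: sts.amazonaws.com`, narrow `sub` to the refs that should run the e2e job (for example `repo:${GitHubOrg}/${RepositoryName}:ref:refs/heads/main`, or an `environment:` subject), and replace `AdministratorAccess` in step 2 with a policy scoped to what creating and destroying the EKS example needs. The opening sentence also says the tests "verify all PRs", while the workflow in this PR runs only on `workflow_dispatch`; one of the two should change.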