Add workflow file

pulumi · May 7, 2023 · f597206 · f597206
1 parent 4a2259a
commit f597206
Show file tree

Hide file tree

Showing 17 changed files with 1,375 additions and 23 deletions.
diff --git a/.github/workflows/run-example.yml b/.github/workflows/run-example.yml
@@ -0,0 +1,139 @@
+name: Run individual example
+
+on:
+  workflow_dispatch:
+    inputs:
+      example_path:
+        type: string
+        description: The path to the example to run
+      examples_api_stack:
+        type: string
+        description: The stack containing the Examples API infrastructure
+        default: moolumi/examples-api/dev
+
+env:
+  ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+  ARM_ENVIRONMENT: public
+  ARM_LOCATION: westus
+  ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
+  ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
+  AWS_ACCESS_KEY_ID: " ${{ secrets.AWS_ACCESS_KEY_ID }}"
+  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+  AWS_REGION: us-west-2
+  CLOUDSDK_CORE_DISABLE_PROMPTS: 1
+  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
+  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
+  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
+  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
+  GOOGLE_PROJECT: pulumi-ci-gcp-provider
+  GOOGLE_PROJECT_NUMBER: "895284651812"
+  GOOGLE_REGION: us-central1
+  GOOGLE_ZONE: us-central1-a
+  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+  PULUMI_API: https://api.pulumi-staging.io
+  PULUMI_ORG: moolumi
+  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+
+jobs:
+  run-example:
+    runs-on: ${{ matrix.platform }}
+
+    permissions:
+      contents: read
+      id-token: write
+
+    strategy:
+      matrix:
+        dotnetversion:
+          - 3.1.301
+        goversion:
+          - 1.19.x
+        nodeversion:
+          - 16.x
+        platform:
+          - ubuntu-latest
+        pythonversion:
+          - 3.9
+
+    steps:
+
+    - name: Checkout Repo
+      uses: actions/checkout@v3
+
+    - name: Setup DotNet
+      uses: actions/setup-dotnet@v1
+      with:
+        dotnet-version: ${{matrix.dotnetversion}}
+
+    - name: Setup Node
+      uses: actions/setup-node@v2
+      with:
+        node-version: ${{matrix.nodeversion}}
+        registry-url: https://registry.npmjs.org
+
+    - name: Setup Python
+      uses: actions/setup-python@v2
+      with:
+        python-version: ${{matrix.pythonversion}}
+
+    - name: Install Python deps
+      run: |
+        pip3 install virtualenv==20.0.23
+        pip3 install pipenv
+
+    - name: Install Go
+      uses: actions/setup-go@v2
+      with:
+        go-version: ${{matrix.goversion}}
+
+    - name: Install aws-iam-authenticator
+      run: |
+        curl https://amazon-eks.s3-us-west-2.amazonaws.com/1.13.7/2019-06-11/bin/linux/amd64/aws-iam-authenticator -o aws-iam-authenticator
+        chmod +x ./aws-iam-authenticator
+        sudo mv aws-iam-authenticator /usr/local/bin
+
+    - name: Install Kubectl
+      run: |
+        curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl
+        chmod +x ./kubectl
+        sudo mv kubectl /usr/local/bin
+
+    - name: Install + Configure Helm
+      run: |
+        curl -o- -L https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get |
+        bash
+        helm init -c
+        helm repo add bitnami https://charts.bitnami.com/bitnami
+
+    - name: Authenticate to Google Cloud
+      uses: google-github-actions/auth@v0
+      with:
+        service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
+        workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER }}/locations/global/workloadIdentityPools/${{ env.GOOGLE_CI_WORKLOAD_IDENTITY_POOL }}/providers/${{ env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
+
+    - name: Setup gcloud auth
+      uses: google-github-actions/setup-gcloud@v0
+      with:
+        install_components: gke-gcloud-auth-plugin
+
+    - name: Login to Google Cloud Registry
+      run: gcloud --quiet auth configure-docker
+
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-region: ${{ env.AWS_REGION }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        role-duration-seconds: 3600
+        role-session-name: examples@githubActions
+        role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
+
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@v4
+
+    - name: Run example
+      run: ./infrastructure/runner/run.sh ${{ github.event.inputs.example_path }}
+      env:
+        EXAMPLES_API_STACK: ${{ github.event.inputs.examples_api_stack }}
diff --git a/aws-js-s3-folder/index.js b/aws-js-s3-folder/index.js
@@ -2,10 +2,12 @@
 
 const aws = require("@pulumi/aws");
 const pulumi = require("@pulumi/pulumi");
+const path = require("path");
+const fs = require("fs");
 const mime = require("mime");
 
 // Create a bucket and expose a website index document
-let siteBucket = new aws.s3.Bucket("s3-website-bucket", {
+const siteBucket = new aws.s3.Bucket("s3-website-bucket", {
     website: {
         indexDocument: "index.html",
     },
@@ -28,36 +30,31 @@ const publicAccessBlock = new aws.s3.BucketPublicAccessBlock("public-access-bloc
 let siteDir = "www"; // directory for content files
 
 // For each file in the directory, create an S3 object stored in `siteBucket`
-for (let item of require("fs").readdirSync(siteDir)) {
-    let filePath = require("path").join(siteDir, item);
+for (let item of fs.readdirSync(siteDir)) {
+    let filePath = path.join(siteDir, item);
     let object = new aws.s3.BucketObject(item, {
         bucket: siteBucket,                               // reference the s3.Bucket object
         source: new pulumi.asset.FileAsset(filePath),     // use FileAsset to point to a file
         contentType: mime.getType(filePath) || undefined, // set the MIME type of the file
     }, { dependsOn: [ownershipControls, publicAccessBlock] });
 }
 
-// Create an S3 Bucket Policy to allow public read of all objects in bucket
-function publicReadPolicyForBucket(bucketName) {
-    return {
+// Set the access policy for the bucket so all objects are readable
+const bucketPolicy = new aws.s3.BucketPolicy("bucketPolicy", {
+    bucket: siteBucket.id, // refer to the bucket created earlier
+    policy: pulumi.jsonStringify({
         Version: "2012-10-17",
         Statement: [{
             Effect: "Allow",
             Principal: "*",
             Action: [
-                "s3:GetObject"
+                "s3:GetObject",
             ],
             Resource: [
-                `arn:aws:s3:::${bucketName}/*` // policy refers to bucket name explicitly
-            ]
-        }]
-    };
-}
-
-// Set the access policy for the bucket so all objects are readable
-let bucketPolicy = new aws.s3.BucketPolicy("bucketPolicy", {
-    bucket: siteBucket.bucket, // refer to the bucket created earlier
-    policy: siteBucket.bucket.apply(publicReadPolicyForBucket) // use output property `siteBucket.bucket`
+                pulumi.interpolate `${siteBucket.arn}/*`,
+            ],
+        }],
+    }),
 }, { dependsOn: [ownershipControls, publicAccessBlock] });
 
 // Stack exports

diff --git a/aws-ts-s3-folder/index.ts b/aws-ts-s3-folder/index.ts
@@ -2,6 +2,7 @@
 
 import * as aws from "@pulumi/aws";
 import * as pulumi from "@pulumi/pulumi";
+import * as path from "path";
 import * as fs from "fs";
 import * as mime from "mime";
 
@@ -12,16 +13,30 @@ const siteBucket = new aws.s3.Bucket("s3-website-bucket", {
     },
 });
 
-const siteDir = "www"; // directory for content files
+// Configure ownership controls for the new S3 bucket
+const ownershipControls = new aws.s3.BucketOwnershipControls("ownership-controls", {
+    bucket: siteBucket.id,
+    rule: {
+        objectOwnership: "ObjectWriter",
+    },
+});
+
+// Configure public ACL block on the new S3 bucket
+const publicAccessBlock = new aws.s3.BucketPublicAccessBlock("public-access-block", {
+    bucket: siteBucket.id,
+    blockPublicAcls: false,
+});
+
+let siteDir = "www"; // directory for content files
 
 // For each file in the directory, create an S3 object stored in `siteBucket`
-for (const item of fs.readdirSync(siteDir)) {
-    const filePath = require("path").join(siteDir, item);
-    const siteObject = new aws.s3.BucketObject(item, {
+for (let item of fs.readdirSync(siteDir)) {
+    let filePath = path.join(siteDir, item);
+    let object = new aws.s3.BucketObject(item, {
         bucket: siteBucket,                               // reference the s3.Bucket object
         source: new pulumi.asset.FileAsset(filePath),     // use FileAsset to point to a file
         contentType: mime.getType(filePath) || undefined, // set the MIME type of the file
-    });
+    }, { dependsOn: [ownershipControls, publicAccessBlock] });
 }
 
 // Set the access policy for the bucket so all objects are readable
@@ -40,7 +55,7 @@ const bucketPolicy = new aws.s3.BucketPolicy("bucketPolicy", {
             ],
         }],
     }),
-});
+}, { dependsOn: [ownershipControls, publicAccessBlock] });
 
 // Stack exports
 export const bucketName = siteBucket.bucket;

diff --git a/infrastructure/api/.gitignore b/infrastructure/api/.gitignore
@@ -0,0 +1,2 @@
+/bin/
+/node_modules/
diff --git a/infrastructure/api/Pulumi.yaml b/infrastructure/api/Pulumi.yaml
@@ -0,0 +1,3 @@
+name: examples-api
+runtime: nodejs
+description: The infrastructure for the Examples API