Skip to content

docs: Updates to the SOCI config (#1121) #103

docs: Updates to the SOCI config (#1121)

docs: Updates to the SOCI config (#1121) #103

name: e2e-parallel-full

Check failure on line 1 in .github/workflows/e2e-parallel-full.yml

View workflow run for this annotation

GitHub Actions / .github/workflows/e2e-parallel-full.yml

Invalid workflow file

(Line: 54, Col: 9): matrix must define at least one vector
on:
workflow_dispatch:
inputs:
TFDestroy:
description: 'Destroy TF Automatically (false/true) - Default: true'
required: true
default: 'true'
concurrency: e2e-parallel-full
env:
IAMLIVE_VERSION: v0.48.0
BUCKET_NAME: doeks-iam-policies-examples
jobs:
prereq-cleanup:
name: Prerequisite Cleanup
runs-on: ubuntu-latest
# These permissions are needed to interact with GitHub's OIDC Token endpoint.
permissions:
id-token: write
contents: read
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Auth AWS
uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1
with:
role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}
aws-region: us-west-2
role-duration-seconds: 3600
role-session-name: GithubActions-Session
- name: Ensure log groups are removed
run: |
pip3 install boto3
python3 .github/workflows/delete-log-groups.py
deploy:
name: Run e2e test
runs-on: ubuntu-latest
needs: prereq-cleanup
# These permissions are needed to interact with GitHub's OIDC Token endpoint.
permissions:
id-token: write
contents: read
strategy:
fail-fast: false
matrix:
include: []
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup backend
# Un-comment remote backend for use in workflow
run: sed -i "s/# //g" ${{ matrix.example_path }}/versions.tf
- name: Auth AWS
uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v1-node16
with:
role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}
aws-region: us-west-2
role-duration-seconds: 3600
role-session-name: GithubActions-Session
- name: Iamlive Setup & Run
run: |
#!/bin/bash
set -eox pipefail
wget -O iamlive.tar.gz "https://github.com/iann0036/iamlive/releases/download/${{ env.IAMLIVE_VERSION }}/iamlive-${{ env.IAMLIVE_VERSION }}-linux-amd64.tar.gz"
tar -xzf iamlive.tar.gz
chmod +x iamlive
IAMLIVE_PID=$(./iamlive --mode csm --output-file ${HOME}/policy.json --refresh-rate 1 --sort-alphabetical --force-wildcard-resource --background)
echo "iamlive_pid=$IAMLIVE_PID" >> $GITHUB_ENV
- name: Setup Terraform
uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2
with:
terraform_version: 1.0.0
- name: Terraform Apply
id: apply
working-directory: ${{ matrix.example_path }}
run: |
terraform init -upgrade=true
export AWS_CSM_ENABLED=true
export AWS_CSM_PORT=31000
export AWS_CSM_HOST=127.0.0.1
terraform apply -target=module.vpc -no-color -input=false -auto-approve
terraform apply -target=module.vpc_endpoints_sg -no-color -input=false -auto-approve
terraform apply -target=module.vpc_endpoints -no-color -input=false -auto-approve
terraform apply -target=module.eks_blueprints -no-color -input=false -auto-approve
terraform apply -target=module.eks_blueprints_kubernetes_addons -no-color -input=false -auto-approve
terraform apply -no-color -input=false -auto-approve
- name: Terraform Destroy
if: github.event.inputs.TFDestroy == 'true' && (steps.apply.outcome == 'success' || steps.apply.outcome == 'failure')
working-directory: ${{ matrix.example_path }}
run: |
terraform init -upgrade=true
export AWS_CSM_ENABLED=true
export AWS_CSM_PORT=31000
export AWS_CSM_HOST=127.0.0.1
terraform destroy -target=module.eks_blueprints_kubernetes_addons -no-color -input=false -auto-approve
terraform destroy -target=module.eks_blueprints -no-color -input=false -auto-approve
terraform destroy -no-color -input=false -auto-approve
- name: Fail if TF apply failed
if: steps.apply.outcome == 'failure'
run: |
echo "Terraform Apply step failed...Please check the logs of the Terraform Apply step."
echo "Failing the job to avoid false positives."
kill ${{ env.iamlive_pid }}
while $(kill -0 ${{ env.iamlive_pid }} 2>/dev/null); do sleep 1; done;
cat ${HOME}/policy.json
exit 1
- name: Iamlive Print & Upload Policy
if: ${{ always() }}
run: |
kill ${{ env.iamlive_pid }}
while $(kill -0 ${{ env.iamlive_pid }} 2>/dev/null); do sleep 1; done;
cat ${HOME}/policy.json
aws s3 cp ${HOME}/policy.json s3://${{ env.BUCKET_NAME }}/${{ matrix.example_path }}.json
post_deploy:
if: ${{ always() }}
needs: [deploy]
permissions:
id-token: write
contents: read
name: Merge Policies and Print Final IAM Policy
runs-on: ubuntu-latest
steps:
# Be careful not to change this to explicit checkout from PR ref/code, as below we run a python code that may change from the PR code.
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Configure AWS credentials from Test account
uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v1-node16
with:
role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}
aws-region: us-west-2
role-duration-seconds: 3600
role-session-name: GithubActions-Session
- name: Merge iamlive IAM policies and Print Final Policy
id: dirs
run: |
pip3 install boto3
python3 .github/workflows/iam-policy-generator.py