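---
name: enos
# "on" is a YAML 1.1 boolean-looking key; GitHub's own loader handles it.
on:  # yamllint disable-line rule:truthy
  # Only trigger this workflow using workflow_call. This workflow requires many
  # secrets that must be inherited from the caller workflow.
  workflow_call:
    inputs:
      # The name of the artifact that we're going to use for testing. This should
      # match exactly to build artifacts uploaded to Github and Artifactory.
      build-artifact-name:
        required: true
        type: string
      # The base name of the file in ./.github/enos-run-matrices that we use to
      # determine which scenarios to run for the build artifact.
      #
      # They are named in the format of:
      #   $caller_workflow_name-$artifact_source-$vault_edition-$platform-$arch-$packing_type
      #
      # Where each are:
      #   caller_workflow_name: the Github Actions workflow that is calling
      #     this one
      #   artifact_source: where we're getting the artifact from. Either
      #     "github" or "artifactory"
      #   vault_edition: which edition of vault that we're testing. e.g. "oss"
      #     or "ent"
      #   platform: the vault binary target platform, e.g. "linux" or "macos"
      #   arch: the vault binary target architecture, e.g. "arm64" or "amd64"
      #   packing_type: how vault binary is packaged, e.g. "zip", "deb", "rpm"
      #
      # Examples:
      #   build-github-oss-linux-amd64-zip
      matrix-file-name:
        required: true
        type: string
      # The test group we want to run. This corresponds to the test_group attribute
      # defined in the enos-run-matrices files.
      matrix-test-group:
        # Quoted so the default matches the declared string type instead of
        # being read as an integer.
        default: "0"
        type: string
      runs-on:
        # NOTE: The value should be JSON encoded as that's the only way we can
        # pass arrays with workflow_call.
        type: string
        required: false
        default: '"ubuntu-latest"'
      ssh-key-name:
        type: string
        default: enos-ci-ssh-key
      # Which edition of Vault we're using. e.g. "oss", "ent", "ent.hsm.fips1402"
      vault-edition:
        required: true
        type: string
      # The Git commit SHA used as the revision when building vault
      vault-revision:
        required: true
        type: string

jobs:
  # Derive the build date, version and the filtered scenario matrix that the
  # "run" job fans out over.
  metadata:
    runs-on: ${{ fromJSON(inputs.runs-on) }}
    outputs:
      build-date: ${{ steps.metadata.outputs.build-date }}
      matrix: ${{ steps.metadata.outputs.matrix }}
      version: ${{ steps.metadata.outputs.version }}
      # NOTE(review): this output is wired to the step's "matrix" output, and
      # the metadata step below never writes a "version-minor" value. Looks
      # like a copy-paste; confirm the intended source before anything
      # consumes it.
      version-minor: ${{ steps.metadata.outputs.matrix }}
    env:
      # Pass the vault edition as VAULT_METADATA so the CI make targets can create
      # values that consider the edition.
      VAULT_METADATA: ${{ inputs.vault-edition }}
      # Pass in the matrix and matrix group for filtering
      MATRIX_FILE: ./.github/enos-run-matrices/${{ inputs.matrix-file-name }}.json
      MATRIX_TEST_GROUP: ${{ inputs.matrix-test-group }}
    steps:
      - uses: actions/checkout@v3
      - id: metadata
        run: |
          echo "build-date=$(make ci-get-date)" >> "$GITHUB_OUTPUT"
          echo "version=$(make ci-get-version)" >> "$GITHUB_OUTPUT"
          filtered=$(make ci-filter-matrix)
          # The unquoted expansion intentionally collapses the matrix JSON onto
          # a single line, since a plain key=value entry in GITHUB_OUTPUT must
          # not span lines. The stray "}" that used to follow the value has
          # been removed so the output is the JSON document alone.
          echo "matrix=$(echo $filtered)" >> "$GITHUB_OUTPUT"

  # Run the Enos test scenarios
  run:
    needs: metadata
    strategy:
      fail-fast: false  # don't fail as that can skip required cleanup steps for jobs
      matrix: ${{ fromJson(needs.metadata.outputs.matrix) }}
    # NOTE(review): unlike the metadata job this one ignores inputs.runs-on;
    # confirm that is intended.
    runs-on: ubuntu-latest
    env:
      # Job-wide: every step below, including the scenario runs themselves,
      # sees this elevated token.
      GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
      # The scenario is handed to the run/retry/destroy steps through the
      # environment instead of being interpolated into the shell command text.
      ENOS_SCENARIO: ${{ matrix.scenario }}
      # Pass in enos variables. The ./support paths are relative to the enos
      # working directory set with "--chdir ./enos" below, i.e. ./enos/support.
      ENOS_VAR_aws_region: ${{ matrix.aws_region }}
      ENOS_VAR_aws_ssh_keypair_name: ${{ inputs.ssh-key-name }}
      ENOS_VAR_aws_ssh_private_key_path: ./support/private_key.pem
      ENOS_VAR_tfc_api_token: ${{ secrets.TF_API_TOKEN }}
      ENOS_VAR_artifactory_username: ${{ secrets.ARTIFACTORY_USER }}
      ENOS_VAR_artifactory_token: ${{ secrets.ARTIFACTORY_TOKEN }}
      ENOS_VAR_terraform_plugin_cache_dir: ./support/terraform-plugin-cache
      ENOS_VAR_vault_build_date: ${{ needs.metadata.outputs.build-date }}
      ENOS_VAR_vault_product_version: ${{ needs.metadata.outputs.version }}
      ENOS_VAR_vault_revision: ${{ inputs.vault-revision }}
      ENOS_VAR_vault_bundle_path: ./support/downloads/${{ inputs.build-artifact-name }}
      ENOS_VAR_vault_license_path: ./support/vault.hclic
    steps:
      # Third-party actions are pinned by major tag only; pinning to a commit
      # SHA would freeze the exact code that receives these credentials.
      - uses: actions/checkout@v3
      - uses: hashicorp/setup-terraform@v2
        with:
          # the Terraform wrapper will break Terraform execution in Enos because
          # it changes the output to text when we expect it to be JSON.
          terraform_wrapper: false
      - uses: aws-actions/configure-aws-credentials@v1-node16
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ matrix.aws_region }}
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          role-skip-session-tagging: true
          role-duration-seconds: 3600
      - uses: hashicorp/action-setup-enos@v1
        with:
          github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
      - name: Prepare scenario dependencies
        env:
          ENOS_CI_SSH_KEY: ${{ secrets.ENOS_CI_SSH_KEY }}
        run: |
          mkdir -p ./enos/support/terraform-plugin-cache
          # Write the key from the environment so quotes or "$" in the secret
          # cannot alter the script, and create the file already restricted
          # rather than tightening it after the fact.
          umask 077
          printf '%s\n' "$ENOS_CI_SSH_KEY" > ./enos/support/private_key.pem
          chmod 600 ./enos/support/private_key.pem
      - if: contains(inputs.matrix-file-name, 'github')
        uses: actions/download-artifact@v3
        with:
          name: ${{ inputs.build-artifact-name }}
          path: ./enos/support/downloads
      - if: contains(inputs.matrix-file-name, 'ent')
        name: Configure Vault license
        env:
          VAULT_LICENSE: ${{ secrets.VAULT_LICENSE }}
        # Kept best-effort ("|| true"): a failure writing the license file is
        # not treated as fatal at this point.
        run: printf '%s\n' "$VAULT_LICENSE" > ./enos/support/vault.hclic || true
      - name: Run Enos scenario
        id: run
        # Continue once and retry to handle occasional blips when creating
        # infrastructure.
        continue-on-error: true
        # $ENOS_SCENARIO is deliberately unquoted so its words reach enos as
        # separate arguments, exactly as the bare matrix interpolation did.
        run: enos scenario run --timeout 60m0s --chdir ./enos $ENOS_SCENARIO
      - name: Retry Enos scenario if necessary
        id: run_retry
        if: steps.run.outcome == 'failure'
        run: enos scenario run --timeout 60m0s --chdir ./enos $ENOS_SCENARIO
      - name: Ensure scenario has been destroyed
        if: ${{ always() }}
        # With Enos version 0.0.11 the destroy step returns an error if the infrastructure
        # is already destroyed by enos run. So temporarily setting it to continue on error in GHA.
        # Note that this also hides a genuinely failed destroy, so leaked
        # infrastructure will not fail the job.
        continue-on-error: true
        run: enos scenario destroy --timeout 60m0s --chdir ./enos $ENOS_SCENARIO
      - name: Clean up Enos runtime directories
        if: ${{ always() }}
        run: |
          rm -rf /tmp/enos*
          rm -rf ./enos/support
          rm -rf ./enos/.enos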