From b2b02dacac679cfa962f7ef205ef0e1b5ae7b40b Mon Sep 17 00:00:00 2001 From: Thomas Kappler Date: Fri, 1 Dec 2023 10:29:31 +0100 Subject: [PATCH 01/10] [EXP] try OIDC auth for CI tests --- .github/workflows/run-acceptance-tests.yml | 111 +++++++++++++++++++++ 1 file changed, 111 insertions(+) diff --git a/.github/workflows/run-acceptance-tests.yml b/.github/workflows/run-acceptance-tests.yml index ed76efb1881..68f9ad3c01f 100644 --- a/.github/workflows/run-acceptance-tests.yml +++ b/.github/workflows/run-acceptance-tests.yml 
@@ -409,6 +409,117 @@ jobs: - dotnet - go - java + + test_oidc: + if: github.event_name == 'repository_dispatch' || + github.event.pull_request.head.repo.full_name == github.repository + name: test_oidc + needs: build_sdk + permissions: + contents: read + id-token: write + runs-on: pulumi-ubuntu-8core + steps: + - name: Checkout Repo + uses: actions/checkout@v3 + with: + ref: ${{ env.PR_COMMIT_SHA }} + submodules: true + - name: Checkout Scripts Repo + uses: actions/checkout@v3 + with: + path: ci-scripts + repository: pulumi/scripts + - name: Unshallow clone for tags + run: git fetch --prune --unshallow --tags + - name: Install Go + uses: actions/setup-go@v4 + with: + cache-dependency-path: | + sdk/go.sum + go-version: 1.21.x + - name: Install pulumictl + uses: jaxxstorm/action-install-gh-release@v1.5.0 + with: + repo: pulumi/pulumictl + - name: Install Pulumi CLI + uses: pulumi/actions@v4 + with: + pulumi-version: v3.77.1 + - name: Setup Node + uses: actions/setup-node@v2 + with: + node-version: ${{ env.NODEVERSION }} + registry-url: https://registry.npmjs.org + # - name: Setup DotNet + # uses: actions/setup-dotnet@v3 + # with: + # dotnet-version: ${{ env.DOTNETVERSION }} + # - name: Setup Python + # uses: actions/setup-python@v2 + # with: + # python-version: ${{ env.PYTHONVERSION }} + # - name: Setup Java + # uses: actions/setup-java@v3 + # with: + # cache: gradle + # distribution: temurin + # java-version: ${{ env.JAVAVERSION }} + # - name: Setup Gradle + # uses: gradle/gradle-build-action@v2 + # with: + # gradle-version: ${{ env.GRADLEVERSION }} + - name: Download provider + tfgen binaries + uses: actions/download-artifact@v2 + with: + name: ${{ env.PROVIDER }}-provider.tar.gz + path: ${{ github.workspace }}/bin + - name: Untar provider binaries + run: >- + tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ + github.workspace}}/bin + + find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print -exec chmod +x {} \; + - run: dotnet nuget 
add source ${{ github.workspace }}/nuget + - name: Download SDK + uses: actions/download-artifact@v2 + with: + name: ${{ matrix.language }}-sdk.tar.gz + path: ${{ github.workspace}}/sdk/ + - name: Uncompress SDK folder + run: tar -zxf ${{ github.workspace }}/sdk/${{ matrix.language }}.tar.gz -C ${{ + github.workspace }}/sdk/${{ matrix.language }} + - name: Update path + run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH" + # - name: Install Python deps + # run: |- + # pip3 install virtualenv==20.0.23 + # pip3 install pipenv + - name: Install dependencies + run: make install_${{ matrix.language}}_sdk + - name: Install gotestfmt + uses: GoTestTools/gotestfmt-action@v2 + with: + token: ${{ secrets.GITHUB_TOKEN }} + version: v2.4.0 + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: ${{ env.AWS_REGION }} + role-duration-seconds: 3600 + role-session-name: ${{ env.PROVIDER }}@githubActions + role-to-assume: arn:aws:iam::894850187425:role/github-oidc + - name: Make upstream + run: make upstream + - name: Run tests + run: cd examples && go test -v -json -count=1 -cover -timeout 2h -tags=${{ + matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt + strategy: + fail-fast: false + matrix: + language: + - nodejs + license_check: name: License Check uses: ./.github/workflows/license.yml From 8a772e22e58cbd280444c9b97b35022183eacd5e Mon Sep 17 00:00:00 2001 From: Thomas Kappler Date: Sun, 3 Dec 2023 08:05:40 +0100 Subject: [PATCH 02/10] Add assumeRoleWithWebIdentity to creds validation #2252 --- provider/resources.go | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/provider/resources.go b/provider/resources.go index 4d8e02b0c90..03fb0b3fbae 100644 --- a/provider/resources.go +++ b/provider/resources.go 
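Review bot: The final `go test` step of the new `test_oidc` job builds and runs the checked-out `PR_COMMIT_SHA` while the job holds `id-token: write`, and on the `repository_dispatch` branch of the `if:` nothing in the hunk ties that SHA to a same-repo branch, so if the dispatch can carry a fork commit, whoever can fire it can mint an OIDC token for `arn:aws:iam::894850187425:role/github-oidc`; keep the dispatch maintainer-only and make sure the role's trust policy pins the `sub` claim to this repository (both outside the diff). For the same reason the third-party actions executed in this job (`jaxxstorm/action-install-gh-release@v1.5.0`, `GoTestTools/gotestfmt-action@v2`) should be referenced by commit SHA rather than a mutable tag, e.g. `uses: jaxxstorm/action-install-gh-release@<commit-sha> # v1.5.0`. Separately, `- run: dotnet nuget add source ${{ github.workspace }}/nuget` survives although `Setup DotNet` is commented out and the matrix is nodejs-only, so it either fails on a runner without a preinstalled SDK or is dead weight; drop it with the other non-node steps.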
@@ -541,25 +541,22 @@ func arrayValue(vars resource.PropertyMap, prop resource.PropertyKey, envs []str return vals } -func durationFromConfig(vars resource.PropertyMap, prop resource.PropertyKey, envs []string) (time.Duration, error) { +// returns a pointer so we can distinguish between a zero value and a missing value +func durationFromConfig(vars resource.PropertyMap, prop resource.PropertyKey) (*time.Duration, error) { val, ok := vars[prop] if ok && val.IsString() { secondsString := val.StringValue() if !strings.HasSuffix(secondsString, "s") { secondsString += "s" } - return time.ParseDuration(secondsString) - } - for _, env := range envs { - val, ok := os.LookupEnv(env) - if ok { - if !strings.HasSuffix(val, "s") { - val += "s" - } - return time.ParseDuration(val) + dur, err := time.ParseDuration(secondsString) + if err != nil { + return nil, err } + return &dur, nil } - return 0, nil + + return nil, nil } func validateCredentials(vars resource.PropertyMap, c shim.ResourceConfig) error { @@ -584,11 +581,13 @@ func validateCredentials(vars resource.PropertyMap, c shim.ResourceConfig) error SourceIdentity: stringValue(details.ObjectValue(), "sourceIdentity", []string{}), TransitiveTagKeys: arrayValue(details.ObjectValue(), "transitiveTagKeys", []string{}), } - duration, err := durationFromConfig(details.ObjectValue(), "durationSeconds", []string{}) + duration, err := durationFromConfig(details.ObjectValue(), "durationSeconds") if err != nil { return err } - assumeRole.Duration = duration + if duration != nil { + assumeRole.Duration = *duration + } config.AssumeRole = &assumeRole } 
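Review bot: The `s`-suffix heuristic kept in `durationFromConfig` silently mis-parses unit-bearing input: `"15m"` does not end in `s`, becomes `"15ms"` and is accepted as 15 milliseconds, while `"1h"` becomes `"1hs"` and errors; since the key is `durationSeconds`, the value should be parsed as an integer number of seconds, tolerating only a bare trailing `s`. The new pointer return is harmless but buys nothing at the two call sites in this commit, where both `nil` and a zero duration leave the freshly built `assumeRole.Duration` at its zero value. A stricter parse (needs `strconv` and `fmt` in scope) would be:
```go
// returns a pointer so we can distinguish between a zero value and a missing value
func durationFromConfig(vars resource.PropertyMap, prop resource.PropertyKey) (*time.Duration, error) {
	val, ok := vars[prop]
	if !ok || !val.IsString() {
		return nil, nil
	}
	// durationSeconds is an integer count of seconds; a bare trailing "s" is
	// tolerated for backwards compatibility, but "15m"-style units are rejected
	// instead of being silently reinterpreted as "15ms".
	raw := strings.TrimSuffix(val.StringValue(), "s")
	secs, err := strconv.Atoi(raw)
	if err != nil {
		return nil, fmt.Errorf("%s: expected an integer number of seconds, got %q: %w", prop, val.StringValue(), err)
	}
	dur := time.Duration(secs) * time.Second
	return &dur, nil
}
```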
@@ -602,12 +601,13 @@ func validateCredentials(vars resource.PropertyMap, c shim.ResourceConfig) error WebIdentityToken: stringValue(details.ObjectValue(), "webIdentityToken", []string{}), WebIdentityTokenFile: stringValue(details.ObjectValue(), "webIdentityTokenFile", []string{}), } - duration, err := durationFromConfig(details.ObjectValue(), "durationSeconds", []string{}) + duration, err := durationFromConfig(details.ObjectValue(), "durationSeconds") if err != nil { return err } - assumeRole.Duration = duration - + if duration != nil { + assumeRole.Duration = *duration + } config.AssumeRoleWithWebIdentity = &assumeRole } From 12c9a2417f99099e3b1f188c5e258aecb2c5fd1d Mon Sep 17 00:00:00 2001 From: Thomas Kappler Date: Sun, 3 Dec 2023 18:39:10 +0100 Subject: [PATCH 03/10] [EXP] OIDC via direct provider config --- .github/workflows/run-acceptance-tests.yml | 14 +++++++------- examples/bucket/index.ts | 12 +++++++++++- 2 files changed, 18 insertions(+), 8 deletions(-) diff --git a/.github/workflows/run-acceptance-tests.yml b/.github/workflows/run-acceptance-tests.yml index 68f9ad3c01f..ab1959444d1 100644 --- a/.github/workflows/run-acceptance-tests.yml +++ b/.github/workflows/run-acceptance-tests.yml @@ -502,13 +502,13 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} version: v2.4.0 - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: ${{ env.AWS_REGION }} - role-duration-seconds: 3600 - role-session-name: ${{ env.PROVIDER }}@githubActions - role-to-assume: arn:aws:iam::894850187425:role/github-oidc + # - name: Configure AWS Credentials + # uses: aws-actions/configure-aws-credentials@v4 + # with: + # aws-region: ${{ env.AWS_REGION }} + # role-duration-seconds: 3600 + # role-session-name: ${{ env.PROVIDER }}@githubActions + # role-to-assume: arn:aws:iam::894850187425:role/github-oidc - name: Make upstream run: make upstream - name: Run tests 
diff --git a/examples/bucket/index.ts b/examples/bucket/index.ts index a4603bf7206..9b467f1503e 100644 --- a/examples/bucket/index.ts +++ b/examples/bucket/index.ts @@ -17,10 +17,20 @@ import * as pulumi from "@pulumi/pulumi"; // https://github.com/pulumi/pulumi-aws/issues/772 import { Bucket } from "@pulumi/aws/s3"; import * as aws from "@pulumi/aws"; +import * as gh from "@actions/core"; import * as s3 from "@aws-sdk/client-s3"; const config = new pulumi.Config("aws"); -const providerOpts = { provider: new aws.Provider("prov", { region: config.require("envRegion") }) }; +const providerOpts = { + provider: new aws.Provider("prov", { + region: config.require("envRegion"), + assumeRoleWithWebIdentity: { + roleArn: process.env["OIDC_ROLE_ARN"], + webIdentityToken: gh.getIDToken("sts.amazonaws.com"), + sessionName: "pulumi-bucket", + }, + }) +}; const bucket = new Bucket("testbucket", { serverSideEncryptionConfiguration: { From 71680b6d99fd57eaf42245f8213701ecd6c4eb6e Mon Sep 17 00:00:00 2001 From: Thomas Kappler Date: Mon, 4 Dec 2023 07:33:07 +0100 Subject: [PATCH 04/10] Reset examples/bucket to master --- examples/bucket/index.ts | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/examples/bucket/index.ts b/examples/bucket/index.ts index 9b467f1503e..a4603bf7206 100644 --- a/examples/bucket/index.ts +++ b/examples/bucket/index.ts 
@@ -17,20 +17,10 @@ import * as pulumi from "@pulumi/pulumi"; // https://github.com/pulumi/pulumi-aws/issues/772 import { Bucket } from "@pulumi/aws/s3"; import * as aws from "@pulumi/aws"; -import * as gh from "@actions/core"; import * as s3 from "@aws-sdk/client-s3"; const config = new pulumi.Config("aws"); -const providerOpts = { - provider: new aws.Provider("prov", { - region: config.require("envRegion"), - assumeRoleWithWebIdentity: { - roleArn: process.env["OIDC_ROLE_ARN"], - webIdentityToken: gh.getIDToken("sts.amazonaws.com"), - sessionName: "pulumi-bucket", - }, - }) -}; +const providerOpts = { provider: new aws.Provider("prov", { region: config.require("envRegion") }) }; const bucket = new Bucket("testbucket", { serverSideEncryptionConfiguration: { From 40d3a9ded4fbb24463cbe8b0c86886bbbb2ffac2 Mon Sep 17 00:00:00 2001 From: Thomas Kappler Date: Mon, 4 Dec 2023 07:36:06 +0100 Subject: [PATCH 05/10] Test manual OIDC with separate test. --- .github/workflows/run-acceptance-tests.yml | 23 +++++++------- examples/cloudwatchOidcManual/Pulumi.yaml | 3 ++ examples/cloudwatchOidcManual/README.md | 3 ++ examples/cloudwatchOidcManual/index.ts | 33 +++++++++++++++++++++ examples/cloudwatchOidcManual/package.json | 16 ++++++++++ examples/cloudwatchOidcManual/tsconfig.json | 18 +++++++++++ examples/examples_nodejs_test.go | 10 +++++++ 7 files changed, 96 insertions(+), 10 deletions(-) create mode 100644 examples/cloudwatchOidcManual/Pulumi.yaml create mode 100644 examples/cloudwatchOidcManual/README.md create mode 100644 examples/cloudwatchOidcManual/index.ts create mode 100644 examples/cloudwatchOidcManual/package.json create mode 100644 examples/cloudwatchOidcManual/tsconfig.json diff --git a/.github/workflows/run-acceptance-tests.yml b/.github/workflows/run-acceptance-tests.yml index ab1959444d1..06cb8df5141 100644 --- a/.github/workflows/run-acceptance-tests.yml +++ b/.github/workflows/run-acceptance-tests.yml 
@@ -24,6 +24,7 @@ env: PULUMI_MISSING_DOCS_ERROR: true PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }} PYTHONVERSION: "3.9" + OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }} SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }} SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }} SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }} @@ -284,6 +285,7 @@ jobs: run: exit 1 - name: Workflow is a success run: echo "🎉🎈🎉🎈🎉" + test: if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository @@ -502,18 +504,19 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} version: v2.4.0 - # - name: Configure AWS Credentials - # uses: aws-actions/configure-aws-credentials@v4 - # with: - # aws-region: ${{ env.AWS_REGION }} - # role-duration-seconds: 3600 - # role-session-name: ${{ env.PROVIDER }}@githubActions - # role-to-assume: arn:aws:iam::894850187425:role/github-oidc - name: Make upstream run: make upstream - - name: Run tests - run: cd examples && go test -v -json -count=1 -cover -timeout 2h -tags=${{ - matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt + - name: Run TestAccCloudWatch with manual OIDC + run: cd examples && go test -v -json -count=1 -run TestAccCloudWatchOidcManual -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: ${{ env.AWS_REGION }} + role-duration-seconds: 3600 + role-session-name: ${{ env.PROVIDER }}@githubActions + role-to-assume: arn:aws:iam::894850187425:role/github-oidc + - name: Run TestAccCloudWatch with configure-aws-credentials OIDC + run: cd examples && go test -v -json -count=1 -run TestAccCloudWatch -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt strategy: fail-fast: false matrix: 
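Review bot: `-run TestAccCloudWatch` in the "Run TestAccCloudWatch with configure-aws-credentials OIDC" step is an unanchored Go regexp, so it also selects `TestAccCloudWatchOidcManual`; that test then runs a second time with ambient role credentials in the environment, which is not what the step name advertises. Anchor it, `-run '^TestAccCloudWatch$'`, and for symmetry `-run '^TestAccCloudWatchOidcManual$'` in the manual step. Also, the value placed in `OIDC_ROLE_ARN` is an IAM role ARN, not a credential; sourcing it from `secrets` masks it in every log line, which mostly hurts debugging of the trust-policy failures this experiment is likely to hit — unless your policy treats account IDs as sensitive, a repository variable (`${{ vars.OIDC_ROLE_ARN }}`) is the better fit.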
diff --git a/examples/cloudwatchOidcManual/Pulumi.yaml b/examples/cloudwatchOidcManual/Pulumi.yaml new file mode 100644 index 00000000000..436e96218cd --- /dev/null +++ b/examples/cloudwatchOidcManual/Pulumi.yaml @@ -0,0 +1,3 @@ +name: CloudWatchOidcManual +runtime: nodejs +description: A simple example of using the `CloudWatch` APIs, with manual OIDC auth. diff --git a/examples/cloudwatchOidcManual/README.md b/examples/cloudwatchOidcManual/README.md new file mode 100644 index 00000000000..411d80a399d --- /dev/null +++ b/examples/cloudwatchOidcManual/README.md @@ -0,0 +1,3 @@ +# examples/cloudwatch + +A simple example of using the `CloudWatch` APIs. \ No newline at end of file diff --git a/examples/cloudwatchOidcManual/index.ts b/examples/cloudwatchOidcManual/index.ts new file mode 100644 index 00000000000..e8e1b42cec0 --- /dev/null +++ b/examples/cloudwatchOidcManual/index.ts 
@@ -0,0 +1,33 @@ +// Copyright 2016-2018, Pulumi Corporation. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +import * as pulumi from "@pulumi/pulumi"; +import * as aws from "@pulumi/aws"; +import * as gh from "@actions/core"; + +const config = new pulumi.Config("aws"); +const providerOpts = { + provider: new aws.Provider("prov", { + region: config.require("envRegion"), + assumeRoleWithWebIdentity: { + roleArn: process.env["OIDC_ROLE_ARN"], + webIdentityToken: gh.getIDToken("sts.amazonaws.com"), + sessionName: "cloudwatchOidcManual-githubActions", + }, + }) +}; + +const event = aws.cloudwatch.onSchedule("everyMinute", "rate(1 minute)", async (event) => { + console.log("Received event: " + JSON.stringify(event, null, 2)); +}, {}, providerOpts); diff --git a/examples/cloudwatchOidcManual/package.json b/examples/cloudwatchOidcManual/package.json new file mode 100644 index 00000000000..8163b9e7413 --- /dev/null +++ b/examples/cloudwatchOidcManual/package.json @@ -0,0 +1,16 @@ +{ + "name": "cloudwatch-oidc-manual", + "version": "0.0.1", + "license": "Apache-2.0", + "scripts": { + "build": "tsc" + }, + "dependencies": { + "@actions/core": "^1.10.1", + "@pulumi/aws": "^6.0.0", + "@pulumi/pulumi": "^3.0.0" + }, + "devDependencies": { + "@types/node": "^18.0.0" + } +} diff --git a/examples/cloudwatchOidcManual/tsconfig.json b/examples/cloudwatchOidcManual/tsconfig.json new file mode 100644 index 00000000000..ab65afa6135 --- /dev/null 
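Review bot: In `examples/cloudwatchOidcManual/index.ts` the GitHub OIDC token is handed to the provider as a plain input (`webIdentityToken: gh.getIDToken("sts.amazonaws.com")`); provider inputs are recorded in the stack state, so unless the provider schema already marks this field secret the bearer token lands there in clear text — wrap it in `pulumi.secret(...)`. `process.env["OIDC_ROLE_ARN"]` is also used unchecked, so a missing variable surfaces as an STS error instead of a clear failure at the call site (and `const event` is unused). With a fail-fast check:
```typescript
const roleArn = process.env["OIDC_ROLE_ARN"];
if (!roleArn) {
    throw new Error("OIDC_ROLE_ARN must be set; this example only runs under GitHub Actions with id-token: write");
}
const providerOpts = {
    provider: new aws.Provider("prov", {
        region: config.require("envRegion"),
        assumeRoleWithWebIdentity: {
            roleArn,
            // Bearer credential: keep it encrypted in the stack state.
            webIdentityToken: pulumi.secret(gh.getIDToken("sts.amazonaws.com")),
            sessionName: "cloudwatchOidcManual-githubActions",
        },
    })
};
// … unchanged: aws.cloudwatch.onSchedule call …
```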
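Review bot: `@actions/core`, `@pulumi/aws` and `@pulumi/pulumi` in `examples/cloudwatchOidcManual/package.json` are all declared with floating caret ranges, and this program runs inside a job that exposes `ACTIONS_ID_TOKEN_REQUEST_TOKEN`, so every transitive dependency resolved at install time can mint an OIDC token for the role; if the examples do not commit a lockfile, pin these to exact versions (`"@actions/core": "1.10.1"`) or add one. The `@actions/core` dependency also makes this example GitHub-Actions-only, which the accompanying README (copied from `examples/cloudwatch`) does not say.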
+++ b/examples/cloudwatchOidcManual/tsconfig.json @@ -0,0 +1,18 @@ +{ + "compilerOptions": { + "strict": true, + "outDir": "bin", + "target": "es2016", + "module": "commonjs", + "moduleResolution": "node", + "sourceMap": true, + "experimentalDecorators": true, + "pretty": true, + "noFallthroughCasesInSwitch": true, + "noImplicitReturns": true, + "forceConsistentCasingInFileNames": true + }, + "files": [ + "index.ts" + ] +} diff --git a/examples/examples_nodejs_test.go b/examples/examples_nodejs_test.go index 7e4ac6d8072..3cf1d6803f9 100644 --- a/examples/examples_nodejs_test.go +++ b/examples/examples_nodejs_test.go @@ -120,6 +120,16 @@ func TestAccCloudWatch(t *testing.T) { integration.ProgramTest(t, &test) } +func TestAccCloudWatchOidcManual(t *testing.T) { + test := getJSBaseOptions(t). + With(integration.ProgramTestOptions{ + Dir: filepath.Join(getCwd(t), "cloudwatchOidcManual"), + RunUpdateTest: true, + }) + + integration.ProgramTest(t, &test) +} + func TestAccLogGroup(t *testing.T) { test := getJSBaseOptions(t). With(integration.ProgramTestOptions{ From 44eedca9172509afc150a8f86d77ea89f3da3d78 Mon Sep 17 00:00:00 2001 From: Thomas Kappler Date: Mon, 4 Dec 2023 18:30:52 +0100 Subject: [PATCH 06/10] Run OIDC tests in regular test job --- .github/workflows/run-acceptance-tests.yml | 135 +++------------------ 1 file changed, 20 insertions(+), 115 deletions(-) diff --git a/.github/workflows/run-acceptance-tests.yml b/.github/workflows/run-acceptance-tests.yml index 06cb8df5141..e52e4945a9f 100644 --- a/.github/workflows/run-acceptance-tests.yml +++ b/.github/workflows/run-acceptance-tests.yml @@ -379,7 +379,7 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} version: v2.4.0 - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v4 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-region: ${{ env.AWS_REGION }} 
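Review bot: `TestAccCloudWatchOidcManual` has no skip guard, so the unfiltered `go test` runs in the job and any local `go test ./examples` execute it outside GitHub Actions, where the `ACTIONS_ID_TOKEN_REQUEST_*` variables that `@actions/core` relies on are absent and the program fails rather than skips. Guard it at the top of the test, matching how the CI steps select it explicitly: `if os.Getenv("ACTIONS_ID_TOKEN_REQUEST_TOKEN") == "" || os.Getenv("OIDC_ROLE_ARN") == "" { t.Skip("requires GitHub Actions OIDC (id-token: write) and OIDC_ROLE_ARN") }` (add `os` to the imports if the file does not already have it).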
@@ -392,9 +392,25 @@ jobs: - name: Run provider tests run: | cd provider && go test -v -json -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - - name: Run tests - run: cd examples && go test -v -json -count=1 -cover -timeout 2h -tags=${{ - matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt + - name: Run tests with access key auth + run: cd examples && go test -v -json -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + unset-current-credentials: true + aws-region: ${{ env.AWS_REGION }} + - name: Run selected tests with manual web identity/OIDC auth + run: cd examples && go test -v -json -count=1 -run TestAccCloudWatchOidcManual -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + unset-current-credentials: true + aws-region: ${{ env.AWS_REGION }} + role-duration-seconds: 3600 + role-session-name: ${{ env.PROVIDER }}@githubActions + role-to-assume: ${{ secrets.OIDC_ROLE_ARN }} + - name: Run selected tests with configure-aws-credentials web identity/OIDC auth + run: cd examples && go test -v -json -count=1 -run TestAccCloudWatch -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - if: failure() && github.event_name == 'push' name: Notify Slack uses: 8398a7/action-slack@v3 
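Review bot: The `test` job now calls `aws-actions/configure-aws-credentials@v4` with `role-to-assume: ${{ secrets.OIDC_ROLE_ARN }}` and no static keys, which only works if the job's `permissions:` block (outside the hunk) grants `id-token: write`; granting it to this matrix job, which runs the whole example suite across every language, widens what can mint a token compared with the dedicated `test_oidc` job this commit removes, so it should be a deliberate choice rather than a side effect. `-run TestAccCloudWatch` is a prefix match and also runs `TestAccCloudWatchOidcManual`, which by then has already run twice (once on its own and once inside the unfiltered access-key run); anchor it with `-run '^TestAccCloudWatch$'`.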
@@ -412,117 +428,6 @@ jobs: - go - java - test_oidc: - if: github.event_name == 'repository_dispatch' || - github.event.pull_request.head.repo.full_name == github.repository - name: test_oidc - needs: build_sdk - permissions: - contents: read - id-token: write - runs-on: pulumi-ubuntu-8core - steps: - - name: Checkout Repo - uses: actions/checkout@v3 - with: - ref: ${{ env.PR_COMMIT_SHA }} - submodules: true - - name: Checkout Scripts Repo - uses: actions/checkout@v3 - with: - path: ci-scripts - repository: pulumi/scripts - - name: Unshallow clone for tags - run: git fetch --prune --unshallow --tags - - name: Install Go - uses: actions/setup-go@v4 - with: - cache-dependency-path: | - sdk/go.sum - go-version: 1.21.x - - name: Install pulumictl - uses: jaxxstorm/action-install-gh-release@v1.5.0 - with: - repo: pulumi/pulumictl - - name: Install Pulumi CLI - uses: pulumi/actions@v4 - with: - pulumi-version: v3.77.1 - - name: Setup Node - uses: actions/setup-node@v2 - with: - node-version: ${{ env.NODEVERSION }} - registry-url: https://registry.npmjs.org - # - name: Setup DotNet - # uses: actions/setup-dotnet@v3 - # with: - # dotnet-version: ${{ env.DOTNETVERSION }} - # - name: Setup Python - # uses: actions/setup-python@v2 - # with: - # python-version: ${{ env.PYTHONVERSION }} - # - name: Setup Java - # uses: actions/setup-java@v3 - # with: - # cache: gradle - # distribution: temurin - # java-version: ${{ env.JAVAVERSION }} - # - name: Setup Gradle - # uses: gradle/gradle-build-action@v2 - # with: - # gradle-version: ${{ env.GRADLEVERSION }} - - name: Download provider + tfgen binaries - uses: actions/download-artifact@v2 - with: - name: ${{ env.PROVIDER }}-provider.tar.gz - path: ${{ github.workspace }}/bin - - name: Untar provider binaries - run: >- - tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ - github.workspace}}/bin - - find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print -exec chmod +x {} \; - - run: dotnet nuget add source 
${{ github.workspace }}/nuget - - name: Download SDK - uses: actions/download-artifact@v2 - with: - name: ${{ matrix.language }}-sdk.tar.gz - path: ${{ github.workspace}}/sdk/ - - name: Uncompress SDK folder - run: tar -zxf ${{ github.workspace }}/sdk/${{ matrix.language }}.tar.gz -C ${{ - github.workspace }}/sdk/${{ matrix.language }} - - name: Update path - run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH" - # - name: Install Python deps - # run: |- - # pip3 install virtualenv==20.0.23 - # pip3 install pipenv - - name: Install dependencies - run: make install_${{ matrix.language}}_sdk - - name: Install gotestfmt - uses: GoTestTools/gotestfmt-action@v2 - with: - token: ${{ secrets.GITHUB_TOKEN }} - version: v2.4.0 - - name: Make upstream - run: make upstream - - name: Run TestAccCloudWatch with manual OIDC - run: cd examples && go test -v -json -count=1 -run TestAccCloudWatchOidcManual -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: ${{ env.AWS_REGION }} - role-duration-seconds: 3600 - role-session-name: ${{ env.PROVIDER }}@githubActions - role-to-assume: arn:aws:iam::894850187425:role/github-oidc - - name: Run TestAccCloudWatch with configure-aws-credentials OIDC - run: cd examples && go test -v -json -count=1 -run TestAccCloudWatch -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - strategy: - fail-fast: false - matrix: - language: - - nodejs - license_check: name: License Check uses: ./.github/workflows/license.yml From 6b602a54876209433dc1b698651291356d2bb8c0 Mon Sep 17 00:00:00 2001 From: Thomas Kappler Date: Tue, 5 Dec 2023 10:25:26 +0100 Subject: [PATCH 07/10] Correct tests yaml syntax, update names --- .github/workflows/run-acceptance-tests.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/.github/workflows/run-acceptance-tests.yml b/.github/workflows/run-acceptance-tests.yml index e52e4945a9f..3042d30ed46 100644 --- a/.github/workflows/run-acceptance-tests.yml +++ b/.github/workflows/run-acceptance-tests.yml @@ -394,14 +394,14 @@ jobs: cd provider && go test -v -json -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - name: Run tests with access key auth run: cd examples && go test -v -json -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - - name: Configure AWS Credentials + - name: Unset AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: unset-current-credentials: true aws-region: ${{ env.AWS_REGION }} - name: Run selected tests with manual web identity/OIDC auth run: cd examples && go test -v -json -count=1 -run TestAccCloudWatchOidcManual -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - - name: Configure AWS Credentials + - name: Configure AWS Credentials for OIDC uses: aws-actions/configure-aws-credentials@v4 with: unset-current-credentials: true @@ -410,7 +410,7 @@ jobs: role-session-name: ${{ env.PROVIDER }}@githubActions role-to-assume: ${{ secrets.OIDC_ROLE_ARN }} - name: Run selected tests with configure-aws-credentials web identity/OIDC auth - run: cd examples && go test -v -json -count=1 -run TestAccCloudWatch -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt + run: cd examples && go test -v -json -count=1 -run TestAccCloudWatch -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - if: failure() && github.event_name == 'push' name: Notify Slack uses: 8398a7/action-slack@v3 From 7fb886cc6a0b32eb3319df9b61189034aedbbd92 Mon Sep 17 00:00:00 2001 
From: Thomas Kappler Date: Tue, 5 Dec 2023 15:59:30 +0100 Subject: [PATCH 08/10] Re-order tests so we don't need to clear the aws-credentials config --- .github/workflows/run-acceptance-tests.yml | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/.github/workflows/run-acceptance-tests.yml b/.github/workflows/run-acceptance-tests.yml index 3042d30ed46..ff113de9aa9 100644 --- a/.github/workflows/run-acceptance-tests.yml +++ b/.github/workflows/run-acceptance-tests.yml @@ -378,6 +378,10 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} version: v2.4.0 + - name: Make upstream + run: make upstream + - name: Run selected tests with manual web identity/OIDC auth + run: cd examples && go test -v -json -count=1 -run TestAccCloudWatchOidcManual -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: @@ -387,20 +391,11 @@ jobs: role-duration-seconds: 3600 role-session-name: ${{ env.PROVIDER }}@githubActions role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }} - - name: Make upstream - run: make upstream - name: Run provider tests run: | cd provider && go test -v -json -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - name: Run tests with access key auth run: cd examples && go test -v -json -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - - name: Unset AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - unset-current-credentials: true - aws-region: ${{ env.AWS_REGION }} - - name: Run selected tests with manual web identity/OIDC auth - run: cd examples && go test -v -json -count=1 -run TestAccCloudWatchOidcManual -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - name: Configure AWS Credentials for OIDC uses: aws-actions/configure-aws-credentials@v4 with: 
From 2aaa06b1d083941a08c4e1090313af3202bb1197 Mon Sep 17 00:00:00 2001 From: Thomas Kappler Date: Wed, 6 Dec 2023 15:11:40 +0100 Subject: [PATCH 09/10] Port GH workflow changes to ci-mgmt --- .ci-mgmt.yaml | 97 +++++++++++++++++ .github/workflows/command-dispatch.yml | 1 + .github/workflows/license.yml | 1 + .github/workflows/lint.yml | 1 + .github/workflows/master.yml | 93 ++++++++++++++++ .github/workflows/nightly-test.yml | 1 + .github/workflows/prerelease.yml | 93 ++++++++++++++++ .github/workflows/pull-request.yml | 1 + .github/workflows/release.yml | 93 ++++++++++++++++ .github/workflows/resync-build.yml | 1 + .github/workflows/run-acceptance-tests.yml | 119 +++++++++++++++++---- 11 files changed, 481 insertions(+), 20 deletions(-) diff --git a/.ci-mgmt.yaml b/.ci-mgmt.yaml index a68803ee4b5..de3a8b46622 100644 --- a/.ci-mgmt.yaml +++ b/.ci-mgmt.yaml @@ -8,6 +8,7 @@ providerVersion: github.com/hashicorp/terraform-provider-aws/version.ProviderVer env: PULUMI_MISSING_DOCS_ERROR: true AWS_REGION: "us-west-2" + OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }} makeTemplate: bridged checkoutSubmodules: true # TODO: remove XrunUpstreamTools flag after work to add docs replacement strategies to resources.go is completed 
@@ -94,3 +95,99 @@ extraTests: uses: codecov/codecov-action@v3 env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + + test_oidc: + if: github.event_name == 'repository_dispatch' || + github.event.pull_request.head.repo.full_name == github.repository + name: test_oidc + needs: build_sdk + permissions: + contents: read + id-token: write + runs-on: pulumi-ubuntu-8core + steps: + - name: Checkout Repo + uses: actions/checkout@v3 + with: + ref: ${{ env.PR_COMMIT_SHA }} + submodules: true + - name: Checkout Scripts Repo + uses: actions/checkout@v3 + with: + path: ci-scripts + repository: pulumi/scripts + - name: Unshallow clone for tags + run: git fetch --prune --unshallow --tags + - name: Install Go + uses: actions/setup-go@v4 + with: + cache-dependency-path: | + sdk/go.sum + go-version: 1.21.x + - name: Install pulumictl + uses: jaxxstorm/action-install-gh-release@v1.5.0 + with: + repo: pulumi/pulumictl + - name: Install Pulumi CLI + uses: pulumi/actions@v4 + with: + pulumi-version: v3.77.1 + - name: Setup Node + uses: actions/setup-node@v2 + with: + node-version: ${{ env.NODEVERSION }} + registry-url: https://registry.npmjs.org + - name: Download provider + tfgen binaries + uses: actions/download-artifact@v2 + with: + name: ${{ env.PROVIDER }}-provider.tar.gz + path: ${{ github.workspace }}/bin + - name: Untar provider binaries + run: >- + tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ + github.workspace}}/bin + + find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print -exec chmod +x {} \; + - name: Download SDK + uses: actions/download-artifact@v2 + with: + name: ${{ matrix.language }}-sdk.tar.gz + path: ${{ github.workspace}}/sdk/ + - name: Uncompress SDK folder + run: tar -zxf ${{ github.workspace }}/sdk/${{ matrix.language }}.tar.gz -C ${{ + github.workspace }}/sdk/${{ matrix.language }} + - name: Update path + run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH" + - name: Install dependencies + run: make install_${{ 
matrix.language}}_sdk + - name: Install gotestfmt + uses: GoTestTools/gotestfmt-action@v2 + with: + token: ${{ secrets.GITHUB_TOKEN }} + version: v2.4.0 + - name: Make upstream + run: make upstream + - name: Run selected tests with manual web identity/OIDC auth + run: cd examples && go test -v -json -count=1 -run TestAccCloudWatchOidcManual -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt + - name: Configure AWS Credentials for OIDC + uses: aws-actions/configure-aws-credentials@v4 + with: + unset-current-credentials: true + aws-region: ${{ env.AWS_REGION }} + role-duration-seconds: 3600 + role-session-name: ${{ env.PROVIDER }}@githubActions + role-to-assume: ${{ secrets.OIDC_ROLE_ARN }} + - name: Run selected tests with configure-aws-credentials web identity/OIDC auth + run: cd examples && go test -v -json -count=1 -run TestAccCloudWatch -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt + - if: failure() && github.event_name == 'push' + name: Notify Slack + uses: 8398a7/action-slack@v3 + with: + author_name: Failure in running ${{ matrix.language }} tests + fields: repo,commit,author,action + status: ${{ job.status }} + strategy: + fail-fast: false + matrix: + language: + - nodejs diff --git a/.github/workflows/command-dispatch.yml b/.github/workflows/command-dispatch.yml index 6580e03e8df..1c1534b92d6 100644 --- a/.github/workflows/command-dispatch.yml +++ b/.github/workflows/command-dispatch.yml @@ -14,6 +14,7 @@ env: NODEVERSION: 20.x NPM_TOKEN: ${{ secrets.NPM_TOKEN }} NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} + OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }} PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} diff --git a/.github/workflows/license.yml b/.github/workflows/license.yml index 9dd378ddb1b..dc009700442 100644 --- a/.github/workflows/license.yml 
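Review bot: The `if:` on `test_oidc` (`repository_dispatch` or a same-repo PR) is hard-coded into `extraTests`, but ci-mgmt stamps this job into every generated workflow — the diffstat shows `master.yml`, `prerelease.yml` and `release.yml` each growing by the same 93 lines — and on their `push`/tag events `github.event.pull_request` is null, so the job is always skipped there and its `if: failure() && github.event_name == 'push'` Slack step can never fire. Either keep the PR-only gate out of the template or express it so it only restricts pull requests: `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`. The `-run TestAccCloudWatch` regexp also matches `TestAccCloudWatchOidcManual`; use `-run '^TestAccCloudWatch$'`. Since this job can mint OIDC tokens, pin `jaxxstorm/action-install-gh-release`, `GoTestTools/gotestfmt-action` and `8398a7/action-slack` to commit SHAs rather than mutable tags.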
+++ b/.github/workflows/license.yml @@ -20,6 +20,7 @@ env: NODEVERSION: 20.x NPM_TOKEN: ${{ secrets.NPM_TOKEN }} NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} + OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }} PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index a0b9f1c6001..a296f2f7e7e 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -19,6 +19,7 @@ env: NODEVERSION: 20.x NPM_TOKEN: ${{ secrets.NPM_TOKEN }} NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} + OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }} PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml index 484b386a598..d922e072604 100644 --- a/.github/workflows/master.yml +++ b/.github/workflows/master.yml @@ -14,6 +14,7 @@ env: NODEVERSION: 20.x NPM_TOKEN: ${{ secrets.NPM_TOKEN }} NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} + OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }} PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} @@ -286,6 +287,7 @@ jobs: - test - license_check - go_test_shim + - test_oidc runs-on: pulumi-ubuntu-8core steps: - name: Checkout Repo 
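Review bot: Adding `- test_oidc` to this job's `needs` in `master.yml` makes it depend on a job whose `if:` (later in this file) is false on the `push` events this workflow runs on; a skipped dependency skips its dependents unless their own `if:` uses `always()`/`!cancelled()`, so unless this job (its header is outside the hunk) or the other needed jobs already handle that, it will stop running on master. Either generate `test_oidc` without the PR-only condition for push-triggered workflows, or leave it out of `needs` here until that is fixed.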
@@ -517,6 +519,97 @@ jobs: name: Upload coverage reports to Codecov uses: codecov/codecov-action@v3 timeout-minutes: 60 + test_oidc: + if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository + name: test_oidc + needs: build_sdk + permissions: + contents: read + id-token: write + runs-on: pulumi-ubuntu-8core + steps: + - name: Checkout Repo + uses: actions/checkout@v3 + with: + ref: ${{ env.PR_COMMIT_SHA }} + submodules: true + - name: Checkout Scripts Repo + uses: actions/checkout@v3 + with: + path: ci-scripts + repository: pulumi/scripts + - name: Unshallow clone for tags + run: git fetch --prune --unshallow --tags + - name: Install Go + uses: actions/setup-go@v4 + with: + cache-dependency-path: | + sdk/go.sum + go-version: 1.21.x + - name: Install pulumictl + uses: jaxxstorm/action-install-gh-release@v1.5.0 + with: + repo: pulumi/pulumictl + - name: Install Pulumi CLI + uses: pulumi/actions@v4 + with: + pulumi-version: v3.77.1 + - name: Setup Node + uses: actions/setup-node@v2 + with: + node-version: ${{ env.NODEVERSION }} + registry-url: https://registry.npmjs.org + - name: Download provider + tfgen binaries + uses: actions/download-artifact@v2 + with: + name: ${{ env.PROVIDER }}-provider.tar.gz + path: ${{ github.workspace }}/bin + - name: Untar provider binaries + run: |- + tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ github.workspace}}/bin + find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print -exec chmod +x {} \; + - name: Download SDK + uses: actions/download-artifact@v2 + with: + name: ${{ matrix.language }}-sdk.tar.gz + path: ${{ github.workspace}}/sdk/ + - name: Uncompress SDK folder + run: tar -zxf ${{ github.workspace }}/sdk/${{ matrix.language }}.tar.gz -C ${{ github.workspace }}/sdk/${{ matrix.language }} + - name: Update path + run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH" + - name: Install dependencies + run: make install_${{ 
matrix.language}}_sdk + - name: Install gotestfmt + uses: GoTestTools/gotestfmt-action@v2 + with: + token: ${{ secrets.GITHUB_TOKEN }} + version: v2.4.0 + - name: Make upstream + run: make upstream + - name: Run selected tests with manual web identity/OIDC auth + run: cd examples && go test -v -json -count=1 -run TestAccCloudWatchOidcManual -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt + - name: Configure AWS Credentials for OIDC + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: ${{ env.AWS_REGION }} + role-duration-seconds: 3600 + role-session-name: ${{ env.PROVIDER }}@githubActions + role-to-assume: ${{ secrets.OIDC_ROLE_ARN }} + unset-current-credentials: true + - name: Run selected tests with configure-aws-credentials web identity/OIDC auth + run: cd examples && go test -v -json -count=1 -run TestAccCloudWatch -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt + - if: failure() && github.event_name == 'push' + name: Notify Slack + uses: 8398a7/action-slack@v3 + with: + author_name: Failure in running ${{ matrix.language }} tests + fields: repo,commit,author,action + status: ${{ job.status }} + strategy: + fail-fast: false + matrix: + language: + - nodejs name: master on: diff --git a/.github/workflows/nightly-test.yml b/.github/workflows/nightly-test.yml index 3748a8f20ec..ab625791bab 100644 --- a/.github/workflows/nightly-test.yml +++ b/.github/workflows/nightly-test.yml @@ -14,6 +14,7 @@ env: NODEVERSION: 20.x NPM_TOKEN: ${{ secrets.NPM_TOKEN }} NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} + OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }} PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml index 9d7f02aa4dc..defe05eab44 100644 --- a/.github/workflows/prerelease.yml 
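Review bot: The second test step's `-run TestAccCloudWatch` is an unanchored Go regexp, so it also re-runs `TestAccCloudWatchOidcManual` from the step before, this time with whatever credentials configure-aws-credentials has exported into the environment, which presumably makes the "manual" web-identity path either untested or passing for the wrong reason in that run; if only the plain test is meant, anchor it with `-run '^TestAccCloudWatch$'`. The same `test_oidc` job is pasted verbatim into prerelease.yml, release.yml and run-acceptance-tests.yml in this patch; since `license_check` already delegates to `./.github/workflows/license.yml`, this job is a natural candidate for a `workflow_call` reusable workflow so the four copies cannot drift. The job scopes `permissions` to `contents: read` / `id-token: write`, which is right, but the actions it invokes are pinned only to floating major tags (`actions/checkout@v3`, `actions/setup-node@v2`, `actions/download-artifact@v2`); a job that mints cloud credentials from the workflow's OIDC token is exactly where pinning third-party actions to a full commit SHA pays off, and `download-artifact@v2` is an old major that, as far as I recall, GitHub has flagged as deprecated. The `if:` guard limits the job to same-repository PRs and `repository_dispatch`, which is appropriate for an `id-token: write` job; whether `ref: ${{ env.PR_COMMIT_SHA }}` can resolve to a fork commit under any of this workflow's triggers is not visible in the hunk.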
+++ b/.github/workflows/prerelease.yml @@ -15,6 +15,7 @@ env: NODEVERSION: 20.x NPM_TOKEN: ${{ secrets.NPM_TOKEN }} NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} + OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }} PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} @@ -229,6 +230,7 @@ jobs: - test - license_check - go_test_shim + - test_oidc runs-on: pulumi-ubuntu-8core steps: - name: Checkout Repo 
@@ -442,6 +444,97 @@ jobs: name: Upload coverage reports to Codecov uses: codecov/codecov-action@v3 timeout-minutes: 60 + test_oidc: + if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository + name: test_oidc + needs: build_sdk + permissions: + contents: read + id-token: write + runs-on: pulumi-ubuntu-8core + steps: + - name: Checkout Repo + uses: actions/checkout@v3 + with: + ref: ${{ env.PR_COMMIT_SHA }} + submodules: true + - name: Checkout Scripts Repo + uses: actions/checkout@v3 + with: + path: ci-scripts + repository: pulumi/scripts + - name: Unshallow clone for tags + run: git fetch --prune --unshallow --tags + - name: Install Go + uses: actions/setup-go@v4 + with: + cache-dependency-path: | + sdk/go.sum + go-version: 1.21.x + - name: Install pulumictl + uses: jaxxstorm/action-install-gh-release@v1.5.0 + with: + repo: pulumi/pulumictl + - name: Install Pulumi CLI + uses: pulumi/actions@v4 + with: + pulumi-version: v3.77.1 + - name: Setup Node + uses: actions/setup-node@v2 + with: + node-version: ${{ env.NODEVERSION }} + registry-url: https://registry.npmjs.org + - name: Download provider + tfgen binaries + uses: actions/download-artifact@v2 + with: + name: ${{ env.PROVIDER }}-provider.tar.gz + path: ${{ github.workspace }}/bin + - name: Untar provider binaries + run: |- + tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ github.workspace}}/bin + find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print -exec chmod +x {} \; + - name: Download SDK + uses: actions/download-artifact@v2 + with: + name: ${{ matrix.language }}-sdk.tar.gz + path: ${{ github.workspace}}/sdk/ + - name: Uncompress SDK folder + run: tar -zxf ${{ github.workspace }}/sdk/${{ matrix.language }}.tar.gz -C ${{ github.workspace }}/sdk/${{ matrix.language }} + - name: Update path + run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH" + - name: Install dependencies + run: make install_${{ 
matrix.language}}_sdk + - name: Install gotestfmt + uses: GoTestTools/gotestfmt-action@v2 + with: + token: ${{ secrets.GITHUB_TOKEN }} + version: v2.4.0 + - name: Make upstream + run: make upstream + - name: Run selected tests with manual web identity/OIDC auth + run: cd examples && go test -v -json -count=1 -run TestAccCloudWatchOidcManual -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt + - name: Configure AWS Credentials for OIDC + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: ${{ env.AWS_REGION }} + role-duration-seconds: 3600 + role-session-name: ${{ env.PROVIDER }}@githubActions + role-to-assume: ${{ secrets.OIDC_ROLE_ARN }} + unset-current-credentials: true + - name: Run selected tests with configure-aws-credentials web identity/OIDC auth + run: cd examples && go test -v -json -count=1 -run TestAccCloudWatch -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt + - if: failure() && github.event_name == 'push' + name: Notify Slack + uses: 8398a7/action-slack@v3 + with: + author_name: Failure in running ${{ matrix.language }} tests + fields: repo,commit,author,action + status: ${{ job.status }} + strategy: + fail-fast: false + matrix: + language: + - nodejs name: prerelease on: diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml index 72fd2f9ac49..81acbc36513 100644 --- a/.github/workflows/pull-request.yml +++ b/.github/workflows/pull-request.yml @@ -14,6 +14,7 @@ env: NODEVERSION: 20.x NPM_TOKEN: ${{ secrets.NPM_TOKEN }} NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} + OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }} PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1db1426a332..df8c2c60a7a 100644 --- a/.github/workflows/release.yml 
+++ b/.github/workflows/release.yml @@ -14,6 +14,7 @@ env: NODEVERSION: 20.x NPM_TOKEN: ${{ secrets.NPM_TOKEN }} NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} + OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }} PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} @@ -242,6 +243,7 @@ jobs: - test - license_check - go_test_shim + - test_oidc runs-on: pulumi-ubuntu-8core steps: - name: Checkout Repo 
@@ -490,6 +492,97 @@ jobs: name: Upload coverage reports to Codecov uses: codecov/codecov-action@v3 timeout-minutes: 60 + test_oidc: + if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository + name: test_oidc + needs: build_sdk + permissions: + contents: read + id-token: write + runs-on: pulumi-ubuntu-8core + steps: + - name: Checkout Repo + uses: actions/checkout@v3 + with: + ref: ${{ env.PR_COMMIT_SHA }} + submodules: true + - name: Checkout Scripts Repo + uses: actions/checkout@v3 + with: + path: ci-scripts + repository: pulumi/scripts + - name: Unshallow clone for tags + run: git fetch --prune --unshallow --tags + - name: Install Go + uses: actions/setup-go@v4 + with: + cache-dependency-path: | + sdk/go.sum + go-version: 1.21.x + - name: Install pulumictl + uses: jaxxstorm/action-install-gh-release@v1.5.0 + with: + repo: pulumi/pulumictl + - name: Install Pulumi CLI + uses: pulumi/actions@v4 + with: + pulumi-version: v3.77.1 + - name: Setup Node + uses: actions/setup-node@v2 + with: + node-version: ${{ env.NODEVERSION }} + registry-url: https://registry.npmjs.org + - name: Download provider + tfgen binaries + uses: actions/download-artifact@v2 + with: + name: ${{ env.PROVIDER }}-provider.tar.gz + path: ${{ github.workspace }}/bin + - name: Untar provider binaries + run: |- + tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ github.workspace}}/bin + find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print -exec chmod +x {} \; + - name: Download SDK + uses: actions/download-artifact@v2 + with: + name: ${{ matrix.language }}-sdk.tar.gz + path: ${{ github.workspace}}/sdk/ + - name: Uncompress SDK folder + run: tar -zxf ${{ github.workspace }}/sdk/${{ matrix.language }}.tar.gz -C ${{ github.workspace }}/sdk/${{ matrix.language }} + - name: Update path + run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH" + - name: Install dependencies + run: make install_${{ 
matrix.language}}_sdk + - name: Install gotestfmt + uses: GoTestTools/gotestfmt-action@v2 + with: + token: ${{ secrets.GITHUB_TOKEN }} + version: v2.4.0 + - name: Make upstream + run: make upstream + - name: Run selected tests with manual web identity/OIDC auth + run: cd examples && go test -v -json -count=1 -run TestAccCloudWatchOidcManual -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt + - name: Configure AWS Credentials for OIDC + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: ${{ env.AWS_REGION }} + role-duration-seconds: 3600 + role-session-name: ${{ env.PROVIDER }}@githubActions + role-to-assume: ${{ secrets.OIDC_ROLE_ARN }} + unset-current-credentials: true + - name: Run selected tests with configure-aws-credentials web identity/OIDC auth + run: cd examples && go test -v -json -count=1 -run TestAccCloudWatch -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt + - if: failure() && github.event_name == 'push' + name: Notify Slack + uses: 8398a7/action-slack@v3 + with: + author_name: Failure in running ${{ matrix.language }} tests + fields: repo,commit,author,action + status: ${{ job.status }} + strategy: + fail-fast: false + matrix: + language: + - nodejs name: release on: diff --git a/.github/workflows/resync-build.yml b/.github/workflows/resync-build.yml index aaaf9f25d05..b87e505677f 100644 --- a/.github/workflows/resync-build.yml +++ b/.github/workflows/resync-build.yml @@ -16,6 +16,7 @@ env: NODEVERSION: 20.x NPM_TOKEN: ${{ secrets.NPM_TOKEN }} NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} + OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }} PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} diff --git a/.github/workflows/run-acceptance-tests.yml b/.github/workflows/run-acceptance-tests.yml index ff113de9aa9..d0bca40077a 100644 
--- a/.github/workflows/run-acceptance-tests.yml +++ b/.github/workflows/run-acceptance-tests.yml @@ -15,6 +15,7 @@ env: NODEVERSION: 20.x NPM_TOKEN: ${{ secrets.NPM_TOKEN }} NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} + OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }} PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} @@ -24,7 +25,6 @@ env: PULUMI_MISSING_DOCS_ERROR: true PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }} PYTHONVERSION: "3.9" - OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }} SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }} SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }} SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }} @@ -278,6 +278,7 @@ jobs: - test - license_check - go_test_shim + - test_oidc runs-on: ubuntu-latest steps: - name: Workflow is not a success @@ -285,7 +286,6 @@ jobs: run: exit 1 - name: Workflow is a success run: echo "🎉🎈🎉🎈🎉" - test: if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository @@ -378,12 +378,8 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} version: v2.4.0 - - name: Make upstream - run: make upstream - - name: Run selected tests with manual web identity/OIDC auth - run: cd examples && go test -v -json -count=1 -run TestAccCloudWatchOidcManual -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-region: ${{ env.AWS_REGION }} 
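Review bot: The `Configure AWS Credentials` step of the `test` job is moved from `aws-actions/configure-aws-credentials@v4` back to `@v1`, while the new `test_oidc` job added further down in this same file uses `@v4`; unless the downgrade is deliberate, the line should stay `uses: aws-actions/configure-aws-credentials@v4`. v1 is three majors behind and, as far as I recall, runs on a Node runtime GitHub has deprecated, so it would also start emitting runner warnings. The `Make upstream` and manual-OIDC steps removed here are re-added a few lines later in the same file, so that part of the hunk is a move rather than a deletion.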
@@ -391,21 +387,14 @@ jobs: role-duration-seconds: 3600 role-session-name: ${{ env.PROVIDER }}@githubActions role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }} + - name: Make upstream + run: make upstream - name: Run provider tests run: | cd provider && go test -v -json -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - - name: Run tests with access key auth - run: cd examples && go test -v -json -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - - name: Configure AWS Credentials for OIDC - uses: aws-actions/configure-aws-credentials@v4 - with: - unset-current-credentials: true - aws-region: ${{ env.AWS_REGION }} - role-duration-seconds: 3600 - role-session-name: ${{ env.PROVIDER }}@githubActions - role-to-assume: ${{ secrets.OIDC_ROLE_ARN }} - - name: Run selected tests with configure-aws-credentials web identity/OIDC auth - run: cd examples && go test -v -json -count=1 -run TestAccCloudWatch -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt + - name: Run tests + run: cd examples && go test -v -json -count=1 -cover -timeout 2h -tags=${{ + matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - if: failure() && github.event_name == 'push' name: Notify Slack uses: 8398a7/action-slack@v3 @@ -422,7 +411,6 @@ jobs: - dotnet - go - java - license_check: name: License Check uses: ./.github/workflows/license.yml 
@@ -453,6 +441,97 @@ jobs: name: Upload coverage reports to Codecov uses: codecov/codecov-action@v3 timeout-minutes: 60 + test_oidc: + if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository + name: test_oidc + needs: build_sdk + permissions: + contents: read + id-token: write + runs-on: pulumi-ubuntu-8core + steps: + - name: Checkout Repo + uses: actions/checkout@v3 + with: + ref: ${{ env.PR_COMMIT_SHA }} + submodules: true + - name: Checkout Scripts Repo + uses: actions/checkout@v3 + with: + path: ci-scripts + repository: pulumi/scripts + - name: Unshallow clone for tags + run: git fetch --prune --unshallow --tags + - name: Install Go + uses: actions/setup-go@v4 + with: + cache-dependency-path: | + sdk/go.sum + go-version: 1.21.x + - name: Install pulumictl + uses: jaxxstorm/action-install-gh-release@v1.5.0 + with: + repo: pulumi/pulumictl + - name: Install Pulumi CLI + uses: pulumi/actions@v4 + with: + pulumi-version: v3.77.1 + - name: Setup Node + uses: actions/setup-node@v2 + with: + node-version: ${{ env.NODEVERSION }} + registry-url: https://registry.npmjs.org + - name: Download provider + tfgen binaries + uses: actions/download-artifact@v2 + with: + name: ${{ env.PROVIDER }}-provider.tar.gz + path: ${{ github.workspace }}/bin + - name: Untar provider binaries + run: |- + tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ github.workspace}}/bin + find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print -exec chmod +x {} \; + - name: Download SDK + uses: actions/download-artifact@v2 + with: + name: ${{ matrix.language }}-sdk.tar.gz + path: ${{ github.workspace}}/sdk/ + - name: Uncompress SDK folder + run: tar -zxf ${{ github.workspace }}/sdk/${{ matrix.language }}.tar.gz -C ${{ github.workspace }}/sdk/${{ matrix.language }} + - name: Update path + run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH" + - name: Install dependencies + run: make install_${{ 
matrix.language}}_sdk + - name: Install gotestfmt + uses: GoTestTools/gotestfmt-action@v2 + with: + token: ${{ secrets.GITHUB_TOKEN }} + version: v2.4.0 + - name: Make upstream + run: make upstream + - name: Run selected tests with manual web identity/OIDC auth + run: cd examples && go test -v -json -count=1 -run TestAccCloudWatchOidcManual -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt + - name: Configure AWS Credentials for OIDC + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: ${{ env.AWS_REGION }} + role-duration-seconds: 3600 + role-session-name: ${{ env.PROVIDER }}@githubActions + role-to-assume: ${{ secrets.OIDC_ROLE_ARN }} + unset-current-credentials: true + - name: Run selected tests with configure-aws-credentials web identity/OIDC auth + run: cd examples && go test -v -json -count=1 -run TestAccCloudWatch -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt + - if: failure() && github.event_name == 'push' + name: Notify Slack + uses: 8398a7/action-slack@v3 + with: + author_name: Failure in running ${{ matrix.language }} tests + fields: repo,commit,author,action + status: ${{ job.status }} + strategy: + fail-fast: false + matrix: + language: + - nodejs name: run-acceptance-tests on: From 884c6d9105a603775c75f99ed671f4747693c711 Mon Sep 17 00:00:00 2001 From: Thomas Kappler Date: Wed, 6 Dec 2023 16:36:28 +0100 Subject: [PATCH 10/10] test fix --- provider/resources_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/provider/resources_test.go b/provider/resources_test.go index c29d4e03e51..c66d89465da 100644 --- a/provider/resources_test.go +++ b/provider/resources_test.go 
@@ -20,8 +20,8 @@ func TestParseDuration(t *testing.T) {
 valid := resource.PropertyMap{
 "durationSeconds": resource.NewStringProperty(v),
 }
- d, err := durationFromConfig(valid, "durationSeconds", []string{})
+ d, err := durationFromConfig(valid, "durationSeconds")
 assert.NoError(t, err)
- assert.True(t, d > 0)
+ assert.NotNil(t, d)
 }
 }
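Review bot: `assert.NotNil(t, d)` is a weaker check than the `assert.True(t, d > 0)` it replaces: it passes for a pointer to a zero duration, so the valid-input case no longer verifies the parsed value at all. If `durationFromConfig` now returns a pointer (the hunk suggests so, but its signature is outside the hunk), keep the value check as well: `if assert.NotNil(t, d) { assert.True(t, *d > 0) }`. The enclosing `TestParseDuration` and the loop that defines `v` start outside the hunk.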