CI tests for OIDC authentication #3074

Merged
merged 10 commits into from
Dec 20, 2023
Merged
97 changes: 97 additions & 0 deletions .ci-mgmt.yaml
Expand Up @@ -8,6 +8,7 @@ providerVersion: github.com/hashicorp/terraform-provider-aws/version.ProviderVer
env:
PULUMI_MISSING_DOCS_ERROR: true
AWS_REGION: "us-west-2"
OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }}
makeTemplate: bridged
checkoutSubmodules: true
# TODO: remove XrunUpstreamTools flag after work to add docs replacement strategies to resources.go is completed
Expand Down Expand Up @@ -94,3 +95,99 @@ extraTests:
uses: codecov/codecov-action@v3
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

test_oidc:
if: github.event_name == 'repository_dispatch' ||
github.event.pull_request.head.repo.full_name == github.repository
name: test_oidc
needs: build_sdk
permissions:
contents: read
id-token: write
runs-on: pulumi-ubuntu-8core
steps:
- name: Checkout Repo
uses: actions/checkout@v3
with:
ref: ${{ env.PR_COMMIT_SHA }}
submodules: true
- name: Checkout Scripts Repo
uses: actions/checkout@v3
with:
path: ci-scripts
repository: pulumi/scripts
- name: Unshallow clone for tags
run: git fetch --prune --unshallow --tags
- name: Install Go
uses: actions/setup-go@v4
with:
cache-dependency-path: |
sdk/go.sum
go-version: 1.21.x
- name: Install pulumictl
uses: jaxxstorm/action-install-gh-release@v1.5.0
with:
repo: pulumi/pulumictl
- name: Install Pulumi CLI
uses: pulumi/actions@v4
with:
pulumi-version: v3.77.1
- name: Setup Node
uses: actions/setup-node@v2
with:
node-version: ${{ env.NODEVERSION }}
registry-url: https://registry.npmjs.org
- name: Download provider + tfgen binaries
uses: actions/download-artifact@v2
with:
name: ${{ env.PROVIDER }}-provider.tar.gz
path: ${{ github.workspace }}/bin
- name: Untar provider binaries
run: >-
tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
github.workspace}}/bin

find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print -exec chmod +x {} \;
- name: Download SDK
uses: actions/download-artifact@v2
with:
name: ${{ matrix.language }}-sdk.tar.gz
path: ${{ github.workspace}}/sdk/
- name: Uncompress SDK folder
run: tar -zxf ${{ github.workspace }}/sdk/${{ matrix.language }}.tar.gz -C ${{
github.workspace }}/sdk/${{ matrix.language }}
- name: Update path
run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
- name: Install dependencies
run: make install_${{ matrix.language}}_sdk
- name: Install gotestfmt
uses: GoTestTools/gotestfmt-action@v2
with:
token: ${{ secrets.GITHUB_TOKEN }}
version: v2.4.0
- name: Make upstream
run: make upstream
- name: Run selected tests with manual web identity/OIDC auth
run: cd examples && go test -v -json -count=1 -run TestAccCloudWatchOidcManual -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt
- name: Configure AWS Credentials for OIDC
uses: aws-actions/configure-aws-credentials@v4
with:
unset-current-credentials: true
aws-region: ${{ env.AWS_REGION }}
role-duration-seconds: 3600
role-session-name: ${{ env.PROVIDER }}@githubActions
role-to-assume: ${{ secrets.OIDC_ROLE_ARN }}
- name: Run selected tests with configure-aws-credentials web identity/OIDC auth
run: cd examples && go test -v -json -count=1 -run TestAccCloudWatch -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt
- if: failure() && github.event_name == 'push'
name: Notify Slack
uses: 8398a7/action-slack@v3
with:
author_name: Failure in running ${{ matrix.language }} tests
fields: repo,commit,author,action
status: ${{ job.status }}
strategy:
fail-fast: false
matrix:
language:
- nodejs
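Review bot: `OIDC_ROLE_ARN` is added to the workflow-wide `env:` at L42, which ends up in every generated workflow (the command-dispatch, license, lint, nightly-test and pull-request sections below carry it) although only `test_oidc` assumes the role, and that job reads `${{ secrets.OIDC_ROLE_ARN }}` directly at L131 rather than the new env entry. If the env entry exists for the manual web-identity Go test at L123 to read (not visible here), scope it to the job — `test_oidc:` / `  env:` / `    OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }}` — and point `role-to-assume:` at `${{ env.OIDC_ROLE_ARN }}` so the role ARN has a single source and does not reach jobs that never assume it. A short comment above `id-token: write` at L58 would help the next maintainer, e.g. `# id-token: write lets this job mint a GitHub OIDC token; the role behind OIDC_ROLE_ARN must trust only this repository`; the trust policy itself is outside this change. Minor style: the template mixes `${{ github.workspace }}` with `${{ github.workspace}}` (L100, L107) and `${{ matrix.language}}` (L114).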
1 change: 1 addition & 0 deletions .github/workflows/command-dispatch.yml
Expand Up @@ -14,6 +14,7 @@ env:
NODEVERSION: 20.x
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
1 change: 1 addition & 0 deletions .github/workflows/license.yml
Expand Up @@ -20,6 +20,7 @@ env:
NODEVERSION: 20.x
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
1 change: 1 addition & 0 deletions .github/workflows/lint.yml
Expand Up @@ -19,6 +19,7 @@ env:
NODEVERSION: 20.x
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
93 changes: 93 additions & 0 deletions .github/workflows/master.yml
Expand Up @@ -14,6 +14,7 @@ env:
NODEVERSION: 20.x
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
Expand Down Expand Up @@ -286,6 +287,7 @@ jobs:
- test
- license_check
- go_test_shim
- test_oidc
runs-on: pulumi-ubuntu-8core
steps:
- name: Checkout Repo
Expand Down Expand Up @@ -517,6 +519,97 @@ jobs:
name: Upload coverage reports to Codecov
uses: codecov/codecov-action@v3
timeout-minutes: 60
test_oidc:
if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository
name: test_oidc
needs: build_sdk
permissions:
contents: read
id-token: write
runs-on: pulumi-ubuntu-8core
steps:
- name: Checkout Repo
uses: actions/checkout@v3
with:
ref: ${{ env.PR_COMMIT_SHA }}
submodules: true
- name: Checkout Scripts Repo
uses: actions/checkout@v3
with:
path: ci-scripts
repository: pulumi/scripts
- name: Unshallow clone for tags
run: git fetch --prune --unshallow --tags
- name: Install Go
uses: actions/setup-go@v4
with:
cache-dependency-path: |
sdk/go.sum
go-version: 1.21.x
- name: Install pulumictl
uses: jaxxstorm/action-install-gh-release@v1.5.0
with:
repo: pulumi/pulumictl
- name: Install Pulumi CLI
uses: pulumi/actions@v4
with:
pulumi-version: v3.77.1
- name: Setup Node
uses: actions/setup-node@v2
with:
node-version: ${{ env.NODEVERSION }}
registry-url: https://registry.npmjs.org
- name: Download provider + tfgen binaries
uses: actions/download-artifact@v2
with:
name: ${{ env.PROVIDER }}-provider.tar.gz
path: ${{ github.workspace }}/bin
- name: Untar provider binaries
run: |-
tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ github.workspace}}/bin
find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print -exec chmod +x {} \;
- name: Download SDK
uses: actions/download-artifact@v2
with:
name: ${{ matrix.language }}-sdk.tar.gz
path: ${{ github.workspace}}/sdk/
- name: Uncompress SDK folder
run: tar -zxf ${{ github.workspace }}/sdk/${{ matrix.language }}.tar.gz -C ${{ github.workspace }}/sdk/${{ matrix.language }}
- name: Update path
run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
- name: Install dependencies
run: make install_${{ matrix.language}}_sdk
- name: Install gotestfmt
uses: GoTestTools/gotestfmt-action@v2
with:
token: ${{ secrets.GITHUB_TOKEN }}
version: v2.4.0
- name: Make upstream
run: make upstream
- name: Run selected tests with manual web identity/OIDC auth
run: cd examples && go test -v -json -count=1 -run TestAccCloudWatchOidcManual -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt
- name: Configure AWS Credentials for OIDC
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: ${{ env.AWS_REGION }}
role-duration-seconds: 3600
role-session-name: ${{ env.PROVIDER }}@githubActions
role-to-assume: ${{ secrets.OIDC_ROLE_ARN }}
unset-current-credentials: true
- name: Run selected tests with configure-aws-credentials web identity/OIDC auth
run: cd examples && go test -v -json -count=1 -run TestAccCloudWatch -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt
- if: failure() && github.event_name == 'push'
name: Notify Slack
uses: 8398a7/action-slack@v3
with:
author_name: Failure in running ${{ matrix.language }} tests
fields: repo,commit,author,action
status: ${{ job.status }}
strategy:
fail-fast: false
matrix:
language:
- nodejs
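Review bot: The job condition at L202 can only hold for a `repository_dispatch` event or a same-repository `pull_request`; on a `push` event `github.event.pull_request` is absent, so `test_oidc` is skipped, and the job whose `needs:` now lists `- test_oidc` at L193 (its definition starts outside the hunk) is skipped with it unless it carries an `always()` / `!cancelled()` condition. If master.yml runs on push, as the Slack step at L280 (`failure() && github.event_name == 'push'`) suggests, that step can never fire and the downstream job may never run — verify `on:` (cut off at L294) and either drop `test_oidc` from the `needs` list or relax the guard, e.g. `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`. The same applies to prerelease.yml (L321, L330, L408). Since these workflows are regenerated from .ci-mgmt.yaml, the fix belongs in its `extraTests` entry.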

name: master
on:
1 change: 1 addition & 0 deletions .github/workflows/nightly-test.yml
Expand Up @@ -14,6 +14,7 @@ env:
NODEVERSION: 20.x
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
93 changes: 93 additions & 0 deletions .github/workflows/prerelease.yml
Expand Up @@ -15,6 +15,7 @@ env:
NODEVERSION: 20.x
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
Expand Down Expand Up @@ -229,6 +230,7 @@ jobs:
- test
- license_check
- go_test_shim
- test_oidc
runs-on: pulumi-ubuntu-8core
steps:
- name: Checkout Repo
Expand Down Expand Up @@ -442,6 +444,97 @@ jobs:
name: Upload coverage reports to Codecov
uses: codecov/codecov-action@v3
timeout-minutes: 60
test_oidc:
if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository
name: test_oidc
needs: build_sdk
permissions:
contents: read
id-token: write
runs-on: pulumi-ubuntu-8core
steps:
- name: Checkout Repo
uses: actions/checkout@v3
with:
ref: ${{ env.PR_COMMIT_SHA }}
submodules: true
- name: Checkout Scripts Repo
uses: actions/checkout@v3
with:
path: ci-scripts
repository: pulumi/scripts
- name: Unshallow clone for tags
run: git fetch --prune --unshallow --tags
- name: Install Go
uses: actions/setup-go@v4
with:
cache-dependency-path: |
sdk/go.sum
go-version: 1.21.x
- name: Install pulumictl
uses: jaxxstorm/action-install-gh-release@v1.5.0
with:
repo: pulumi/pulumictl
- name: Install Pulumi CLI
uses: pulumi/actions@v4
with:
pulumi-version: v3.77.1
- name: Setup Node
uses: actions/setup-node@v2
with:
node-version: ${{ env.NODEVERSION }}
registry-url: https://registry.npmjs.org
- name: Download provider + tfgen binaries
uses: actions/download-artifact@v2
with:
name: ${{ env.PROVIDER }}-provider.tar.gz
path: ${{ github.workspace }}/bin
- name: Untar provider binaries
run: |-
tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ github.workspace}}/bin
find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print -exec chmod +x {} \;
- name: Download SDK
uses: actions/download-artifact@v2
with:
name: ${{ matrix.language }}-sdk.tar.gz
path: ${{ github.workspace}}/sdk/
- name: Uncompress SDK folder
run: tar -zxf ${{ github.workspace }}/sdk/${{ matrix.language }}.tar.gz -C ${{ github.workspace }}/sdk/${{ matrix.language }}
- name: Update path
run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
- name: Install dependencies
run: make install_${{ matrix.language}}_sdk
- name: Install gotestfmt
uses: GoTestTools/gotestfmt-action@v2
with:
token: ${{ secrets.GITHUB_TOKEN }}
version: v2.4.0
- name: Make upstream
run: make upstream
- name: Run selected tests with manual web identity/OIDC auth
run: cd examples && go test -v -json -count=1 -run TestAccCloudWatchOidcManual -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt
- name: Configure AWS Credentials for OIDC
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: ${{ env.AWS_REGION }}
role-duration-seconds: 3600
role-session-name: ${{ env.PROVIDER }}@githubActions
role-to-assume: ${{ secrets.OIDC_ROLE_ARN }}
unset-current-credentials: true
- name: Run selected tests with configure-aws-credentials web identity/OIDC auth
run: cd examples && go test -v -json -count=1 -run TestAccCloudWatch -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt
- if: failure() && github.event_name == 'push'
name: Notify Slack
uses: 8398a7/action-slack@v3
with:
author_name: Failure in running ${{ matrix.language }} tests
fields: repo,commit,author,action
status: ${{ job.status }}
strategy:
fail-fast: false
matrix:
language:
- nodejs

name: prerelease
on:
1 change: 1 addition & 0 deletions .github/workflows/pull-request.yml
Expand Up @@ -14,6 +14,7 @@ env:
NODEVERSION: 20.x
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}