From 6676f61c63f9247b08d565439e8894add90c32e0 Mon Sep 17 00:00:00 2001 From: Julien Poissonnier Date: Thu, 25 Jul 2024 17:10:54 +0200 Subject: [PATCH] Test AWS CLI and tempaltes Test that the aws CLI is working and can login. Test that the aws-${sdk} templates work. This requires the following secrets in GHA: * AWS_ACCESS_KEY_ID * AWS_SECRET_ACCESS_KEY Ref https://github.com/pulumi/pulumi-docker-containers/issues/209 --- .github/workflows/ci.yml | 61 +++++++++++++++++++++++++++++++++++++--- CHANGELOG.md | 4 +++ tests/containers_test.go | 33 +++++++++++++++++++--- 3 files changed, 90 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 67804ec3..764c0d87 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -38,6 +38,7 @@ env: ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} + AWS_REGION: "us-west-2" jobs: comment-notification: @@ -97,6 +98,15 @@ jobs: working-directory: tests run: | GOOS=linux GOARCH=amd64 go test -c -o /tmp/pulumi-test-containers ./... + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: ${{ env.AWS_REGION }} + role-duration-seconds: 14400 # 4 hours + role-session-name: pulumi-docker-containers@githubActions + role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }} - name: Run Pulumi Template Tests run: | docker run \ 
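Review bot: The `Configure AWS credentials` step added in the `@@ -97,6 +98,15 @@` hunk authenticates with long-lived IAM user keys (`secrets.AWS_ACCESS_KEY_ID`, `secrets.AWS_SECRET_ACCESS_KEY`) and references the action by the mutable tag `@v4`. Because the step already assumes a role, GitHub OIDC federation would remove the stored static keys: add job-level `permissions: id-token: write`, drop the two key inputs, keep `role-to-assume`, and let the role's trust policy accept the GitHub OIDC provider. Pinning as `uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v4` keeps a retagged release from running with these secrets. `role-duration-seconds: 14400` gives a four-hour session to credentials that are later handed to a container, so a value close to the real test runtime limits what a leaked token is worth. The description lists two required secrets, but the step also reads `secrets.AWS_CI_ROLE_ARN`; the same step is repeated in the hunks at -167, -262 and -334.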
@@ -107,6 +117,10 @@ jobs: -e ARM_CLIENT_SECRET=${ARM_CLIENT_SECRET} \ -e ARM_TENANT_ID=${ARM_TENANT_ID} \ -e ARM_SUBSCRIPTION_ID=${ARM_SUBSCRIPTION_ID} \ + -e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \ + -e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \ + -e AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} \ + -e AWS_REGION=${AWS_REGION} \ --volume /tmp:/src \ --entrypoint /bin/bash \ ${{ env.DOCKER_USERNAME }}/pulumi:${{ env.PULUMI_VERSION }} \ @@ -122,6 +136,10 @@ jobs: -e ARM_CLIENT_SECRET=${ARM_CLIENT_SECRET} \ -e ARM_TENANT_ID=${ARM_TENANT_ID} \ -e ARM_SUBSCRIPTION_ID=${ARM_SUBSCRIPTION_ID} \ + -e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \ + -e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \ + -e AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} \ + -e AWS_REGION=${AWS_REGION} \ --volume /tmp:/src \ --entrypoint /bin/bash \ ${{ env.DOCKER_USERNAME }}/pulumi:${{ env.PULUMI_VERSION }} \ @@ -167,6 +185,15 @@ jobs: working-directory: tests run: | GOOS=linux GOARCH=amd64 go test -c -o /tmp/pulumi-test-containers ./... + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: ${{ env.AWS_REGION }} + role-duration-seconds: 14400 # 4 hours + role-session-name: pulumi-docker-containers@githubActions + role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }} - name: Run Pulumi Template Tests run: | docker run \ @@ -177,6 +204,10 @@ jobs: -e ARM_CLIENT_SECRET=${ARM_CLIENT_SECRET} \ -e ARM_TENANT_ID=${ARM_TENANT_ID} \ -e ARM_SUBSCRIPTION_ID=${ARM_SUBSCRIPTION_ID} \ + -e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \ + -e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \ + -e AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} \ + -e AWS_REGION=${AWS_REGION} \ --volume /tmp:/src \ --entrypoint /bin/bash \ ${{ env.DOCKER_USERNAME }}/pulumi-provider-build-environment:${{ env.PULUMI_VERSION }} \ 
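Review bot: The added `-e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}` and `-e AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}` lines in the `@@ -107,6 +117,10 @@` hunk expand the secret values unquoted into the `docker run` argument list, where they are visible in the process table and subject to word splitting. The name-only form, `-e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e AWS_REGION`, passes the variables through from the runner environment without putting the values on the command line. The container goes on to run the template tests, which presumably install third-party packages, so the assumed role should carry only the permissions the aws templates need. The same four lines are added in the hunks at -122, -177, -274 and -346, and the existing `ARM_*` lines follow the same pattern.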
@@ -252,7 +283,6 @@ jobs: working-directory: tests run: | GOOS=linux GOARCH=${{ matrix.arch }} go test -c -o /tmp/pulumi-test-containers ./... - - name: Set SDKS_TO_TEST (dotnet) if: ${{ matrix.sdk == 'dotnet' }} run: echo "SDKS_TO_TEST=csharp" >> $GITHUB_ENV @@ -262,7 +292,15 @@ jobs: - name: Set SDKS_TO_TEST (default) if: ${{ matrix.sdk != 'dotnet' && matrix.sdk != 'nodejs' }} run: echo "SDKS_TO_TEST=${{ matrix.sdk}}" >> $GITHUB_ENV - + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: ${{ env.AWS_REGION }} + role-duration-seconds: 14400 # 4 hours + role-session-name: pulumi-docker-containers@githubActions + role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }} - name: Run Pulumi Template Tests run: | docker run \ @@ -274,6 +312,10 @@ jobs: -e ARM_CLIENT_SECRET=${ARM_CLIENT_SECRET} \ -e ARM_TENANT_ID=${ARM_TENANT_ID} \ -e ARM_SUBSCRIPTION_ID=${ARM_SUBSCRIPTION_ID} \ + -e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \ + -e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \ + -e AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} \ + -e AWS_REGION=${AWS_REGION} \ --volume /tmp:/src \ --entrypoint /bin/bash \ --platform ${{ matrix.arch }} \ @@ -324,7 +366,6 @@ jobs: working-directory: tests run: | GOOS=linux GOARCH=amd64 go test -c -o /tmp/pulumi-test-containers ./... - - name: Set SDKS_TO_TEST (dotnet) if: ${{ matrix.sdk == 'dotnet' }} run: echo "SDKS_TO_TEST=csharp" >> $GITHUB_ENV 
@@ -334,7 +375,15 @@ jobs: - name: Set SDKS_TO_TEST (default) if: ${{ matrix.sdk != 'dotnet' && matrix.sdk != 'nodejs' }} run: echo "SDKS_TO_TEST=${{ matrix.sdk}}" >> $GITHUB_ENV - + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: ${{ env.AWS_REGION }} + role-duration-seconds: 14400 # 4 hours + role-session-name: pulumi-docker-containers@githubActions + role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }} - name: Run Pulumi Template Tests run: | docker run \ @@ -346,6 +395,10 @@ jobs: -e ARM_CLIENT_SECRET=${ARM_CLIENT_SECRET} \ -e ARM_TENANT_ID=${ARM_TENANT_ID} \ -e ARM_SUBSCRIPTION_ID=${ARM_SUBSCRIPTION_ID} \ + -e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \ + -e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \ + -e AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} \ + -e AWS_REGION=${AWS_REGION} \ --volume /tmp:/src \ --entrypoint /bin/bash \ ${{ env.DOCKER_USERNAME }}/pulumi-${{ matrix.sdk }}:${{ env.PULUMI_VERSION }}-ubi \ diff --git a/CHANGELOG.md b/CHANGELOG.md index e64220a4..8baebc9c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,10 @@ ## Unreleased + +- Test AWS CLI and templates in the `pulumi/pulumi` image + ([#213](https://github.com/pulumi/pulumi-docker-containers/pull/213)) + - Fix compilation issue when running `azure-java` in `pulumi-java` ([#212](https://github.com/pulumi/pulumi-docker-containers/pull/212)) diff --git a/tests/containers_test.go b/tests/containers_test.go index 278d6c4c..8111dd99 100644 --- a/tests/containers_test.go +++ b/tests/containers_test.go 
@@ -40,10 +40,15 @@ func TestPulumiTemplateTests(t *testing.T) { t.Parallel() // Confirm we have credentials. + // Azure mustEnv(t, "PULUMI_ACCESS_TOKEN") mustEnv(t, "ARM_CLIENT_ID") mustEnv(t, "ARM_CLIENT_SECRET") mustEnv(t, "ARM_TENANT_ID") + // AWS + mustEnv(t, "AWS_ACCESS_KEY_ID") + mustEnv(t, "AWS_SECRET_ACCESS_KEY") + mustEnv(t, "AWS_SESSION_TOKEN") stackOwner := mustEnv(t, "PULUMI_ORG") @@ -51,11 +56,12 @@ func TestPulumiTemplateTests(t *testing.T) { if os.Getenv("SDKS_TO_TEST") != "" { sdksToTest = strings.Split(os.Getenv("SDKS_TO_TEST"), ",") } - clouds := []string{"azure" /*, "aws", "gcp"*/} + clouds := []string{"azure", "aws" /* , "gcp"*/} configs := map[string]map[string]string{ "azure": { "azure-native:location": "EastUS", }, + "aws": {}, } testCases := []testCase{} @@ -87,8 +93,9 @@ func TestPulumiTemplateTests(t *testing.T) { for _, test := range testCases { test := test t.Run(test.template, func(t *testing.T) { - t.Parallel() - + // TODO: Not running these in parallel to help with disk space. + // https://github.com/pulumi/pulumi-docker-containers/issues/215 + // t.Parallel() e := ptesting.NewEnvironment(t) defer func() { e.RunCommand("pulumi", "stack", "rm", "--force", "--yes") 
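Review bot: The new `// Azure` label in the `@@ -40,10 +40,15 @@` hunk sits above `mustEnv(t, "PULUMI_ACCESS_TOKEN")`, which is a Pulumi credential rather than an Azure one; moving the label down one line, or adding `// Pulumi` above that call, keeps the grouping accurate. The AWS group checks the three credential variables but not `AWS_REGION`, although the `AWS CLI` subtest added in `TestCLIToolTests` does. With `"aws": {}` leaving the template config empty, the region presumably has to come from the environment, so adding `mustEnv(t, "AWS_REGION")` here would fail early with a clear message instead of partway through a template run. The body of `TestPulumiTemplateTests` continues outside the hunk.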
@@ -130,9 +137,27 @@ func TestCLIToolTests(t *testing.T) { out, err := cmd.Output() require.NoError(t, err) result := map[string]interface{}{} - json.Unmarshal(out, &result) + require.NoError(t, json.Unmarshal(out, &result)) require.Equal(t, subscriptionId, result["id"]) }) + + t.Run("AWS CLI", func(t *testing.T) { + t.Parallel() + + mustEnv(t, "AWS_ACCESS_KEY_ID") + mustEnv(t, "AWS_SECRET_ACCESS_KEY") + mustEnv(t, "AWS_SESSION_TOKEN") + mustEnv(t, "AWS_REGION") + + cmd := exec.Command("aws", "sts", "get-caller-identity") + out, err := cmd.Output() + require.NoError(t, err) + result := map[string]interface{}{} + require.NoError(t, json.Unmarshal(out, &result)) + arn, ok := result["Arn"].(string) + require.True(t, ok) + require.Contains(t, arn, "pulumi-docker-containers@githubActions") + }) } func mustEnv(t *testing.T, env string) string {
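Review bot: The `AWS CLI` subtest parses the output of `aws sts get-caller-identity` as JSON without requesting JSON, so it depends on the CLI's configured default output format; `exec.Command("aws", "sts", "get-caller-identity", "--output", "json")` makes that explicit. The assertion `require.Contains(t, arn, "pulumi-docker-containers@githubActions")` repeats the `role-session-name` literal from the workflow, so a comment such as `// must match role-session-name in .github/workflows/ci.yml` would tell a maintainer the two change together. When the command fails, `require.NoError(t, err)` reports only the exit status, because `cmd.Output()` keeps stderr inside the `*exec.ExitError`; adding that stderr to the failure message would make expired or missing credentials diagnosable from the CI log. `TestCLIToolTests` starts outside the hunk.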