diff --git a/.github/test-infra/rke2-cluster/main.tf b/.github/test-infra/rke2-cluster/main.tf
index 566db37..6e4a8ab 100644
--- a/.github/test-infra/rke2-cluster/main.tf
+++ b/.github/test-infra/rke2-cluster/main.tf
@@ -7,21 +7,14 @@ terraform {
 }
 }
+# Use the default VPC
 data "aws_vpc" "vpc" {
- filter {
- name = "tag:Name"
- values = [var.vpc_name]
- }
+ default = true
 }
 data "aws_subnet" "test_subnet" {
 vpc_id = data.aws_vpc.vpc.id
 availability_zone = "${var.region}a"
-
- filter {
- name = "tag:Name"
- values = [var.subnet_name]
- }
 }
 resource "random_password" "rke2_join_token" {
@@ -41,14 +34,14 @@ resource "aws_key_pair" "example_key_pair" {
 }
 resource "aws_instance" "test_bootstrap_node" {
- ami = var.ami_id
- instance_type = var.control_plane_instance_type
- key_name = aws_key_pair.example_key_pair.key_name
- user_data = templatefile("${path.module}/scripts/user_data.sh", { BOOTSTRAP_IP = "", AGENT_NODE = false, RKE2_JOIN_TOKEN = random_password.rke2_join_token.result, CLUSTER_SANS = var.cluster_hostname })
- subnet_id = data.aws_subnet.test_subnet.id
+ ami = var.ami_id
+ instance_type = var.control_plane_instance_type
+ key_name = aws_key_pair.example_key_pair.key_name
+ user_data = templatefile("${path.module}/scripts/user_data.sh", { BOOTSTRAP_IP = "", AGENT_NODE = false, RKE2_JOIN_TOKEN = random_password.rke2_join_token.result, CLUSTER_SANS = var.cluster_hostname })
+ subnet_id = data.aws_subnet.test_subnet.id
 user_data_replace_on_change = true
- vpc_security_group_ids = [aws_security_group.test_node_sg.id]
+ vpc_security_group_ids = [aws_security_group.test_node_sg.id]
 associate_public_ip_address = true
 root_block_device {
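Review bot: `data "aws_vpc" "vpc" { default = true }` hard-wires the test cluster to the account's default VPC, and the plan now fails outright in any account or region where the default VPC has been removed (a common hardening step), which the one-line comment does not say. The subnet lookup right below it keys only on `vpc_id` and `availability_zone`, so it also depends on that VPC still having exactly one subnet in `${var.region}a`; default subnets are public, and the nodes already set `associate_public_ip_address = true`, so node exposure is governed solely by `aws_security_group.test_node_sg`, which is outside this hunk. I would expand the comment to `# Use the default VPC and its default subnet in ${var.region}a: the CI account must keep its default VPC; node exposure is controlled only by aws_security_group.test_node_sg`.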
@@ -63,14 +56,14 @@ resource "aws_instance" "test_bootstrap_node" {
 resource "aws_instance" "test_control_plane_node" {
 count = var.control_plane_node_count
- ami = var.ami_id
- instance_type = var.control_plane_instance_type
- key_name = aws_key_pair.example_key_pair.key_name
- user_data = templatefile("${path.module}/scripts/user_data.sh", { BOOTSTRAP_IP = aws_instance.test_bootstrap_node.private_ip, AGENT_NODE = false, RKE2_JOIN_TOKEN = random_password.rke2_join_token.result, CLUSTER_SANS = var.cluster_hostname })
- subnet_id = data.aws_subnet.test_subnet.id
+ ami = var.ami_id
+ instance_type = var.control_plane_instance_type
+ key_name = aws_key_pair.example_key_pair.key_name
+ user_data = templatefile("${path.module}/scripts/user_data.sh", { BOOTSTRAP_IP = aws_instance.test_bootstrap_node.private_ip, AGENT_NODE = false, RKE2_JOIN_TOKEN = random_password.rke2_join_token.result, CLUSTER_SANS = var.cluster_hostname })
+ subnet_id = data.aws_subnet.test_subnet.id
 user_data_replace_on_change = true
- vpc_security_group_ids = [aws_security_group.test_node_sg.id]
+ vpc_security_group_ids = [aws_security_group.test_node_sg.id]
 associate_public_ip_address = true
 root_block_device {
@@ -85,14 +78,14 @@ resource "aws_instance" "test_control_plane_node" {
 resource "aws_instance" "test_agent_node" {
 count = var.agent_node_count
- ami = var.ami_id
- instance_type = var.agent_instance_type
- key_name = aws_key_pair.example_key_pair.key_name
- user_data = templatefile("${path.module}/scripts/user_data.sh", { BOOTSTRAP_IP = aws_instance.test_bootstrap_node.private_ip, AGENT_NODE = true, RKE2_JOIN_TOKEN = random_password.rke2_join_token.result, CLUSTER_SANS = var.cluster_hostname })
- subnet_id = data.aws_subnet.test_subnet.id
+ ami = var.ami_id
+ instance_type = var.agent_instance_type
+ key_name = aws_key_pair.example_key_pair.key_name
+ user_data = templatefile("${path.module}/scripts/user_data.sh", { BOOTSTRAP_IP = aws_instance.test_bootstrap_node.private_ip, AGENT_NODE = true, RKE2_JOIN_TOKEN = random_password.rke2_join_token.result, CLUSTER_SANS = var.cluster_hostname })
+ subnet_id = data.aws_subnet.test_subnet.id
 user_data_replace_on_change = true
- vpc_security_group_ids = [aws_security_group.test_node_sg.id]
+ vpc_security_group_ids = [aws_security_group.test_node_sg.id]
 associate_public_ip_address = true
 root_block_device {
diff --git a/.github/test-infra/rke2-cluster/variables.tf b/.github/test-infra/rke2-cluster/variables.tf
index c912017..2210a9e 100644
--- a/.github/test-infra/rke2-cluster/variables.tf
+++ b/.github/test-infra/rke2-cluster/variables.tf
@@ -1,15 +1,3 @@
-variable "vpc_name" {
- type = string
- description = "VPC ID to deploy into"
- default = "uds-ci-commercial-*"
-}
-
-variable "subnet_name" {
- type = string
- description = "Name of subnet to use for testing. Can use a wildcard as long as it only matches one subnet per az."
- default = "uds-ci-commercial-*-public*"
-}
-
 variable "region" {
 type = string
 description = "Region to use for deployment"
diff --git a/.github/workflows/publish-aws.yaml b/.github/workflows/publish-aws.yaml
index 1c9d7c5..50805dd 100644
--- a/.github/workflows/publish-aws.yaml
+++ b/.github/workflows/publish-aws.yaml
@@ -35,9 +35,13 @@ jobs:
 if [ "${{ matrix.aws_env }}" == "commercial" ]; then
 echo "AWS_REGION=us-west-2" >> $GITHUB_ENV
 echo "AWS_ORG_ROLE_TO_ASSUME=${{ secrets.AWS_COMMERCIAL_ORG_ROLE_TO_ASSUME }}" >> $GITHUB_ENV
+ echo "AWS_OLD_CI_ACCOUNT_ID"=${{ secrets.AWS_OLD_COMMERCIAL_CI_ACCOUNT_ID }}" >> $GITHUB_ENV
+ echo "AWS_ORG_ARN"=${{ secrets.AWS_COMMERCIAL_ORG_ARN }}" >> $GITHUB_ENV
 elif [ "${{ matrix.aws_env }}" == "govcloud" ]; then
 echo "AWS_REGION=us-gov-west-1" >> $GITHUB_ENV
 echo "AWS_ORG_ROLE_TO_ASSUME=${{ secrets.AWS_GOVCLOUD_ORG_ROLE_TO_ASSUME }}" >> $GITHUB_ENV
+ echo "AWS_OLD_CI_ACCOUNT_ID"=${{ secrets.AWS_OLD_GOVCLOUD_CI_ACCOUNT_ID }}" >> $GITHUB_ENV
+ echo "AWS_ORG_ARN"=${{ secrets.AWS_GOVCLOUD_ORG_ARN }}" >> $GITHUB_ENV
 fi
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4
@@ -56,7 +60,7 @@ jobs:
 tofu_wrapper: false
 tofu_version: 1.6.2
 - name: Publish ${{ matrix.base }} ${{ matrix.rke2_version }} AMI
- run: uds run --no-progress publish-ami-${{ matrix.base }} --set AWS_REGION=${{ env.AWS_REGION }} --set RKE2_VERSION=${{ matrix.rke2_version }}
+ run: uds run --no-progress publish-ami-${{ matrix.base }} --set AWS_REGION=${{ env.AWS_REGION }} --set RKE2_VERSION=${{ matrix.rke2_version }} --set AMI_USERS='[\"${{ env.AWS_OLD_CI_ACCOUNT_ID }}\"]' --set AWS_ORG_ARNS='[\"${{ env.AWS_ORG_ARN }}\"]'
 - name: Test ${{ matrix.base }} ${{ matrix.rke2_version }} AMI
 shell: bash -e -o pipefail {0}
 env:
diff --git a/packer/aws/aws.pkr.hcl b/packer/aws/aws.pkr.hcl
index 368051f..7ae9793 100644
--- a/packer/aws/aws.pkr.hcl
+++ b/packer/aws/aws.pkr.hcl
@@ -32,6 +32,8 @@ source "amazon-ebs" "base" {
 source_ami = data.amazon-ami.base-ami.id
 ami_groups = var.ami_groups
 skip_create_ami = var.skip_create_ami
+ ami_users = var.ami_users
+ ami_org_arns = var.ami_org_arns
 }
 build {
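Review bot: The four added `echo` lines put the closing quote in the wrong place — `echo "AWS_OLD_CI_ACCOUNT_ID"=${{ secrets.AWS_OLD_COMMERCIAL_CI_ACCOUNT_ID }}" >> $GITHUB_ENV` ends the string after the variable name and then opens a second, unterminated one, so the step either aborts on an unterminated quote or writes mangled text to $GITHUB_ENV, and `AWS_OLD_CI_ACCOUNT_ID`/`AWS_ORG_ARN`, which the publish step below reads via `env.`, are never set correctly. The existing `AWS_ORG_ROLE_TO_ASSUME` lines show the intended form; each new line should read like `echo "AWS_OLD_CI_ACCOUNT_ID=${{ secrets.AWS_OLD_COMMERCIAL_CI_ACCOUNT_ID }}" >> $GITHUB_ENV` and `echo "AWS_ORG_ARN=${{ secrets.AWS_COMMERCIAL_ORG_ARN }}" >> $GITHUB_ENV`, with the govcloud branch fixed the same way. This step's `shell:` setting is outside the hunk, so whether the error is fatal or silent depends on whether it runs under `bash -e`.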
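Review bot: In the new `run:` line, `--set AMI_USERS='[\"${{ env.AWS_OLD_CI_ACCOUNT_ID }}\"]'` hands the task literal backslashes: the value is a plain YAML scalar, where `\"` is not an escape, and bash single quotes keep it verbatim, so the task receives `[\"<id>\"]` rather than the `["<id>"]` form that the `PUBLISH_GROUPS` description in tasks/aws.yaml documents as the accepted list syntax. Unless `uds run --set` strips those backslashes (not visible here), packer will reject the value when it parses the `list(string)` variable. I would write `--set AMI_USERS='["${{ env.AWS_OLD_CI_ACCOUNT_ID }}"]' --set AWS_ORG_ARNS='["${{ env.AWS_ORG_ARN }}"]'`, which is still a valid plain scalar.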
diff --git a/packer/aws/variables.pkr.hcl b/packer/aws/variables.pkr.hcl
index 92f3e64..1f7a8e5 100644
--- a/packer/aws/variables.pkr.hcl
+++ b/packer/aws/variables.pkr.hcl
@@ -60,3 +60,15 @@ variable "region" {
 description = "Region that AMI should be built in"
 default = "us-west-2"
 }
+
+variable "ami_users" {
+ type = list(string)
+ description = "A list of account IDs that have access to launch the resulting AMI(s). By default no additional users other than the user creating the AMI has permissions to launch it."
+ default = []
+}
+
+variable "ami_org_arns" {
+ type = list(string)
+ description = "A list of Amazon Resource Names (ARN) of AWS Organizations that have access to launch the resulting AMI(s). By default no organizations have permission to launch the AMI."
+ default = []
+}
diff --git a/tasks/aws.yaml b/tasks/aws.yaml
index 0079ab3..5537680 100644
--- a/tasks/aws.yaml
+++ b/tasks/aws.yaml
@@ -14,6 +14,12 @@ variables:
 - name: PUBLISH_GROUPS
 default: "[]"
 description: "List of groups to allow access to the AMI. Only supports '[]' or '[\"all\"]'"
+ - name: AWS_ORG_ARNS
+ default: "[]"
+ description: "A list of Amazon Resource Names (ARN) of AWS Organizations that have access to launch the resulting AMI(s). By default no organizations have permission to launch the AMI."
+ - name: AMI_USERS
+ default: "[]"
+ description: "A list of account IDs that have access to launch the resulting AMI(s). By default no additional users other than the user creating the AMI has permissions to launch it."
 - name: RKE2_VERSION
 default: "v1.29.10+rke2r1"
 description: "RKE2 version to build the AMI with"
@@ -25,7 +31,7 @@ tasks:
 - cmd: |
 cd ${AWS_DIR}
 packer init .
- packer build -var "ubuntu_pro_token=${UBUNTU_PRO_TOKEN}" --var-file=ubuntu.pkrvars.hcl -var "region=${AWS_REGION}" -var "ami_regions=${PUBLISH_REGIONS}" -var "ami_groups=${PUBLISH_GROUPS}" -var "rke2_version=${RKE2_VERSION}" .
+ packer build -var "ubuntu_pro_token=${UBUNTU_PRO_TOKEN}" --var-file=ubuntu.pkrvars.hcl -var "region=${AWS_REGION}" -var "ami_regions=${PUBLISH_REGIONS}" -var "ami_groups=${PUBLISH_GROUPS}" -var "aws_org_arns=${AWS_ORG_ARNS} -var "ami_users=${AMI_USERS} -var "rke2_version=${RKE2_VERSION}" .
 - name: publish-ami-rhel
 description: "Build and Publish the RHEL AMI for AWS"
@@ -33,7 +39,7 @@ tasks:
 - cmd: |
 cd ${AWS_DIR}
 packer init .
- packer build --var-file=rhel.pkrvars.hcl -var "region=${AWS_REGION}" -var "ami_regions=${PUBLISH_REGIONS}" -var "ami_groups=${PUBLISH_GROUPS}" -var "rke2_version=${RKE2_VERSION}" .
+ packer build --var-file=rhel.pkrvars.hcl -var "region=${AWS_REGION}" -var "ami_regions=${PUBLISH_REGIONS}" -var "ami_groups=${PUBLISH_GROUPS}" -var "aws_org_arns=${AWS_ORG_ARNS} -var "ami_users=${AMI_USERS} -var "rke2_version=${RKE2_VERSION}" .
 - name: build-ami-ubuntu
 description: "Build the Ubuntu AMI for AWS"
diff --git a/tasks/test.yaml b/tasks/test.yaml
index 1429e48..642f04b 100644
--- a/tasks/test.yaml
+++ b/tasks/test.yaml
@@ -42,13 +42,9 @@ tasks:
 - cmd: |
 # Set variables based on whether we are in govcloud or commercial
 if [ "$AWS_REGION" = "us-gov-west-1" ]; then
- state_bucket="uds-ci-govcloud-us-gov-west-1-tfstate"
- vpc_name="uds-ci-govcloud-*"
- subnet_name="uds-ci-govcloud-*-public*"
+ state_bucket="uds-tf-state-20250206161918002400000003"
 else
- state_bucket="uds-aws-ci-commercial-us-west-2-5246-tfstate"
- vpc_name="uds-ci-commercial-*"
- subnet_name="uds-ci-commercial-*-public*"
+ state_bucket="uds-tf-state-20250206161747757600000003"
 fi
 root_dir=$(pwd)
 TEST_AMI_ID=$(jq -r '.builds[-1].artifact_id' ${AWS_DIR}/manifest.json | cut -d ":" -f2)
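Review bot: Both new `packer build` lines are missing the closing quote on the two added flags — in `-var "aws_org_arns=${AWS_ORG_ARNS} -var "ami_users=${AMI_USERS} -var "rke2_version=${RKE2_VERSION}"` the quotes pair across flags, so the shell hands packer one `-var` argument of roughly `aws_org_arns=[] -var ami_users=[]` and the build cannot parse its variables; the rhel hunk (@@ -33) has the identical defect. The first flag also uses the task's name `aws_org_arns`, while the packer variable added in variables.pkr.hcl is `ami_org_arns`, so even with correct quoting it would be an undefined `-var`. The fixed fragment for both lines is `-var "ami_org_arns=${AWS_ORG_ARNS}" -var "ami_users=${AMI_USERS}"`.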
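Review bot: The two new `state_bucket` values are opaque generated names replacing names that encoded the environment and region, and nothing in the script now records which account each belongs to, so a reader cannot tell the govcloud bucket from the commercial one without console access. Since the backend `key` passed a few lines below this hunk is the same in both environments, the bucket is the only thing separating the two state sets, so the pairing has to be right and should be documented. I would annotate each assignment, e.g. `state_bucket="uds-tf-state-20250206161918002400000003" # govcloud CI account tfstate bucket (us-gov-west-1)`, with the matching comment on the commercial one.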
@@ -58,7 +54,7 @@ tasks:
 -backend-config="bucket=${state_bucket}" \
 -backend-config="key=tfstate/ci/install/${SHA}-packer-${DISTRO}-${RKE2_VERSION}-rke2-startup-script.tfstate" \
 -backend-config="region=${AWS_REGION}"
- tofu apply -var="region=${AWS_REGION}" -var="vpc_name=${vpc_name}" -var="subnet_name=${subnet_name}" -var="ami_id=${TEST_AMI_ID}" -var="rke2_version=${RKE2_VERSION}" -var-file="${DISTRO}.tfvars" -auto-approve
+ tofu apply -var="region=${AWS_REGION}" -var="ami_id=${TEST_AMI_ID}" -var="rke2_version=${RKE2_VERSION}" -var-file="${DISTRO}.tfvars" -auto-approve
 source ${root_dir}/${E2E_TEST_DIR}/scripts/get-kubeconfig.sh
 shell:
 darwin: "bash"
@@ -82,18 +78,10 @@ tasks:
 description: "Destroy test infrastructure"
 actions:
 - cmd: |
- # Set variables based on whether we are in govcloud or commercial
- if [ "$AWS_REGION" = "us-gov-west-1" ]; then
- vpc_name="uds-ci-govcloud-*"
- subnet_name="uds-ci-govcloud-*-public*"
- else
- vpc_name="uds-ci-commercial-*"
- subnet_name="uds-ci-commercial-*-public*"
- fi
 TEST_AMI_ID=$(jq -r '.builds[-1].artifact_id' ${AWS_DIR}/manifest.json | cut -d ":" -f2)
 echo "TEST AMI: ${TEST_AMI_ID}"
 cd ${E2E_TEST_DIR}/rke2-cluster
- tofu destroy -var="region=${AWS_REGION}" -var="vpc_name=${vpc_name}" -var="subnet_name=${subnet_name}" -var="ami_id=${TEST_AMI_ID}" -var="rke2_version=${RKE2_VERSION}" -var-file="${DISTRO}.tfvars" -auto-approve
+ tofu destroy -var="region=${AWS_REGION}" -var="ami_id=${TEST_AMI_ID}" -var="rke2_version=${RKE2_VERSION}" -var-file="${DISTRO}.tfvars" -auto-approve
 - name: cleanup-ami
 description: "Cleans up snapshots and AMIs previously published"