From 6262f3332f5d0bc58f6c82bfb959a39ecb92012a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arturo=20Filast=C3=B2?= Date: Wed, 13 Mar 2024 21:12:15 +0100 Subject: [PATCH] Fix CI
---
 .github/workflows/check_deploy.yml | 192 +++++++++++++++-------- tf/environments/dev/main.tf | 8 +- 2 files changed, 107 insertions(+), 93 deletions(-)
diff --git a/.github/workflows/check_deploy.yml b/.github/workflows/check_deploy.yml
index 98d894be..e11b8a19 100644
--- a/.github/workflows/check_deploy.yml
+++ b/.github/workflows/check_deploy.yml
@@ -10,108 +10,40 @@ on: - reopened - edited # title or body of a pull request was edited, or the base branch of a pull request was changed -env: - tf_actions_working_dir: "./tf/environments/dev" - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - jobs: - ansible: - needs: terraform - runs-on: ubuntu-latest - defaults: - run: - working-directory: ${{ env.tf_actions_working_dir }}/ansible - permissions: - pull-requests: write - steps: - - uses: actions/checkout@v4 - - - name: Install Ansible - run: | - sudo apt update - sudo apt install software-properties-common - sudo add-apt-repository --yes --update ppa:ansible/ansible-9 - sudo apt install -y ansible - - - name: Write devops ssh key to .ssh - run: | - mkdir -p ~/.ssh/ - chmod 700 ~/.ssh/ - echo "${{ secrets.AWS_SSH_KEY }}" > ~/.ssh/ooni-devops-prod.pem - chmod 600 ~/.ssh/ooni-devops-prod.pem - - - name: Run Ansible Playbook - id: playbook - env: - ANSIBLE_SSH_ARGS: "-o UserKnownHostsFile=known_hosts" - run: | - echo "ansible_playbook<> "$GITHUB_OUTPUT" - echo "\$ ansible-playbook playbook.yml --check --diff -i inventory.ini" >> "$GITHUB_OUTPUT" - ansible-playbook playbook.yml --check --diff -i inventory.ini --key-file ~/.ssh/ooni-devops-prod.pem 2>&1 | tee -a "$GITHUB_OUTPUT" - echo "EOF" >> "$GITHUB_OUTPUT" - continue-on-error: true - - # This can be uncommmented to make it possible to ssh into the container to debug the run - #- name: Setup tmate session - # uses: mxschmitt/action-tmate@v3 - - - uses: actions/github-script@v6 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - const commentTitle = "Ansible Run Output"; - const ansiblePlaybookOutput = `${{ steps.playbook.outputs.ansible_playbook}}`; - const parts = ansiblePlaybookOutput.split(/PLAY RECAP \*+/); - const ansiblePlaybookRecap = parts.length > 1 ? 
parts[1].trim() : ''; - - const commentBody = ` - #### Ansible Playbook Recap 🔍 - - \`\`\`\n - ${ansiblePlaybookRecap} - \`\`\` - - #### Ansible playbook output 📖\`${{ steps.playbook.outcome }}\` - -
Show Execution - - \`\`\`\n - ${ansiblePlaybookOutput} - \`\`\` - -
- - | | | - |-------------------|------------------------------------| - | Pusher | @${{ github.actor }} | - | Action | ${{ github.event_name }} | - | Working Directory | ${{ env.tf_actions_working_dir }} | - | Workflow | ${{ github.workflow }} | - | Last updated | ${(new Date()).toUTCString()} | - `; - - // Call the script to write the comment - const script = require('./scripts/ghactions/comment-on-pr.js'); - await script({github, context, core, commentTitle, commentBody}); - terraform: + strategy: + matrix: + environment: ["dev"] + runs-on: ubuntu-latest if: ${{ !startsWith(github.event.head_commit.message, 'skip-terraform:') }} defaults: run: - working-directory: ${{ env.tf_actions_working_dir }} + working-directory: tf/environments/${{ matrix.environment }} permissions: contents: write pull-requests: write - env: - TF_VAR_aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }} - TF_VAR_aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - TF_VAR_ooni_pg_password: ${{ secrets.OONI_PG_PASSWORD }} steps: - uses: actions/checkout@v4 + - name: Configure AWS credentials + env: + AWS_ACCESS_KEY_ID: ${{ secrets.OONIDEVOPS_AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.OONIDEVOPS_AWS_SECRET_ACCESS_KEY }} + AWS_DEFAULT_REGION: eu-central-1 + run: | + aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID + aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY + aws configure set default.region $AWS_DEFAULT_REGION + + # Create profile oonidevops_user + aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID --profile oonidevops_user + aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY --profile oonidevops_user + aws configure set default.region $AWS_DEFAULT_REGION --profile oonidevops_user + + - name: Configure Terraform key - name: Install Terraform run: | wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg 
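Review bot: The added `- name: Configure Terraform key` step has no `run` or `uses`, so GitHub will reject the workflow at validation time before any job runs; either give it a body or delete the line, which reads like a leftover between the credentials step and `Install Terraform`. The new credentials step also writes the same static keys into both the default profile and `oonidevops_user`, although the provider in `tf/environments/dev/main.tf` only names `oonidevops_user`; writing only the named profile keeps a single copy of the secret on the runner. The job-level `env:` that set `TF_VAR_ooni_pg_password` (and the other `TF_VAR_*` values) is removed with no replacement visible in this hunk; if the dev configuration still declares that variable without a default, `terraform plan` will stop at the variable prompt in CI. The `terraform` job's steps continue past the end of this hunk.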
@@ -194,7 +126,7 @@ jobs:
 |-------------------|------------------------------------|
 | Pusher | @${{ github.actor }} |
 | Action | ${{ github.event_name }} |
- | Working Directory | ${{ env.tf_actions_working_dir }} |
+ | Environment | ${{ matrix.environment }} |
 | Workflow | ${{ github.workflow }} |
 | Last updated | ${ (new Date()).toUTCString() } |
 `;
@@ -202,3 +134,83 @@ jobs: // Call the script to write the comment const script = require('./scripts/ghactions/comment-on-pr.js'); await script({github, context, core, commentTitle, commentBody}); + + # Temporarily disabled + # ansible: + # needs: terraform + # runs-on: ubuntu-latest + # defaults: + # run: + # working-directory: ${{ env.tf_actions_working_dir }}/ansible + # permissions: + # pull-requests: write + # steps: + # - uses: actions/checkout@v4 + + # - name: Install Ansible + # run: | + # sudo apt update + # sudo apt install software-properties-common + # sudo add-apt-repository --yes --update ppa:ansible/ansible-9 + # sudo apt install -y ansible + + # - name: Write devops ssh key to .ssh + # run: | + # mkdir -p ~/.ssh/ + # chmod 700 ~/.ssh/ + # echo "${{ secrets.AWS_SSH_KEY }}" > ~/.ssh/ooni-devops-prod.pem + # chmod 600 ~/.ssh/ooni-devops-prod.pem + + # - name: Run Ansible Playbook + # id: playbook + # env: + # ANSIBLE_SSH_ARGS: "-o UserKnownHostsFile=known_hosts" + # run: | + # echo "ansible_playbook<> "$GITHUB_OUTPUT" + # echo "\$ ansible-playbook playbook.yml --check --diff -i inventory.ini" >> "$GITHUB_OUTPUT" + # ansible-playbook playbook.yml --check --diff -i inventory.ini --key-file ~/.ssh/ooni-devops-prod.pem 2>&1 | tee -a "$GITHUB_OUTPUT" + # echo "EOF" >> "$GITHUB_OUTPUT" + # continue-on-error: true + + # # This can be uncommmented to make it possible to ssh into the container to debug the run + # #- name: Setup tmate session + # # uses: mxschmitt/action-tmate@v3 + + # - uses: actions/github-script@v6 + # with: + # github-token: ${{ secrets.GITHUB_TOKEN }} + # script: | + # const commentTitle = "Ansible Run Output"; + # const ansiblePlaybookOutput = `${{ steps.playbook.outputs.ansible_playbook}}`; + # const parts = ansiblePlaybookOutput.split(/PLAY RECAP \*+/); + # const ansiblePlaybookRecap = parts.length > 1 ? 
parts[1].trim() : ''; + + # const commentBody = ` + # #### Ansible Playbook Recap 🔍 + + # \`\`\`\n + # ${ansiblePlaybookRecap} + # \`\`\` + + # #### Ansible playbook output 📖\`${{ steps.playbook.outcome }}\` + + #
Show Execution + + # \`\`\`\n + # ${ansiblePlaybookOutput} + # \`\`\` + + #
+ + # | | | + # |-------------------|------------------------------------| + # | Pusher | @${{ github.actor }} | + # | Action | ${{ github.event_name }} | + # | Working Directory | ${{ env.tf_actions_working_dir }} | + # | Workflow | ${{ github.workflow }} | + # | Last updated | ${(new Date()).toUTCString()} | + # `; + + # // Call the script to write the comment + # const script = require('./scripts/ghactions/comment-on-pr.js'); + # await script({github, context, core, commentTitle, commentBody}); diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf index f93b0367..255e646c 100644 --- a/tf/environments/dev/main.tf +++ b/tf/environments/dev/main.tf @@ -21,9 +21,11 @@ locals { provider "aws" { profile = "oonidevops_user" region = var.aws_region - assume_role { - role_arn = "arn:aws:iam::905418398257:role/oonidevops" - } + # You will have to setup your own credentials in ~/.aws/credentials like this: + # [oonidevops_user] + # aws_access_key_id = YYYY + # aws_secret_access_key = ZZZ + # role_arn = arn:aws:iam::905418398257:role/oonidevops } data "aws_availability_zones" "available" {}
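Review bot: The disabled `ansible` job is kept as roughly eighty commented-out lines that still reference `${{ env.tf_actions_working_dir }}` (in `working-directory` and in the summary table), while the top-level `env:` block that defined it is deleted in the first hunk of this file, so simply uncommenting the job later will not bring it back in working order. Keeping the job live but skipped with `if: false` would let the workflow parser and linters keep checking it, and its `working-directory` would then need to follow the terraform job's `tf/environments/${{ matrix.environment }}` form rather than the removed variable. A short comment above the block stating why it is disabled and what must change before re-enabling it would help the next person, e.g. `# Disabled: still depends on the removed tf_actions_working_dir env; rework against the environment matrix before re-enabling`.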
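Review bot: CI and local runs now act as different identities: the workflow's new credentials step writes only `aws_access_key_id`/`aws_secret_access_key` into the `oonidevops_user` profile with no `role_arn`, so once `assume_role` is removed here CI plans and applies directly as the IAM user, while a developer following the new comment goes through the `oonidevops` role. If every caller is meant to use the role, keeping `assume_role { role_arn = "arn:aws:iam::905418398257:role/oonidevops" }` in the provider achieves that for both paths with plain user keys as the source; if CI is deliberately meant to run as the user, the comment should say so. The example in the comment also places `role_arn` in the same entry as the static keys; the AWS shared-config convention is a separate `source_profile` (or `credential_source`) that names the profile holding the keys, and I would confirm the provider accepts the form shown before publishing it as the setup instruction.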