From 31412fbe85058288444ebf574ea644e273e895fa Mon Sep 17 00:00:00 2001 From: VenelinMartinov Date: Fri, 22 Dec 2023 15:47:29 +0200 Subject: [PATCH] Revert "CI tests for OIDC authentication (#3074)" (#3175) This reverts commit 385a96abf969f22b9091b1a1da09240673236d88. Looks like the github action doesn't quite work and this prevents us from releasing the provider. --- .ci-mgmt.yaml | 97 --------------------- .github/workflows/command-dispatch.yml | 1 - .github/workflows/license.yml | 1 - .github/workflows/lint.yml | 1 - .github/workflows/master.yml | 93 -------------------- .github/workflows/nightly-test.yml | 1 - .github/workflows/prerelease.yml | 93 -------------------- .github/workflows/pull-request.yml | 1 - .github/workflows/release.yml | 93 -------------------- .github/workflows/resync-build.yml | 1 - .github/workflows/run-acceptance-tests.yml | 93 -------------------- examples/cloudwatchOidcManual/Pulumi.yaml | 3 - examples/cloudwatchOidcManual/README.md | 3 - examples/cloudwatchOidcManual/index.ts | 33 ------- examples/cloudwatchOidcManual/package.json | 16 ---- examples/cloudwatchOidcManual/tsconfig.json | 18 ---- examples/examples_nodejs_test.go | 10 --- provider/resources.go | 32 +++---- provider/resources_test.go | 4 +- 19 files changed, 18 insertions(+), 576 deletions(-) delete mode 100644 examples/cloudwatchOidcManual/Pulumi.yaml delete mode 100644 examples/cloudwatchOidcManual/README.md delete mode 100644 examples/cloudwatchOidcManual/index.ts delete mode 100644 examples/cloudwatchOidcManual/package.json delete mode 100644 examples/cloudwatchOidcManual/tsconfig.json diff --git a/.ci-mgmt.yaml b/.ci-mgmt.yaml index de3a8b46622..a68803ee4b5 100644 --- a/.ci-mgmt.yaml +++ b/.ci-mgmt.yaml 
@@ -8,7 +8,6 @@ providerVersion: github.com/hashicorp/terraform-provider-aws/version.ProviderVer env: PULUMI_MISSING_DOCS_ERROR: true AWS_REGION: "us-west-2" - OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }} makeTemplate: bridged checkoutSubmodules: true # TODO: remove XrunUpstreamTools flag after work to add docs replacement strategies to resources.go is completed 
@@ -95,99 +94,3 @@ extraTests: uses: codecov/codecov-action@v3 env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} - - test_oidc: - if: github.event_name == 'repository_dispatch' || - github.event.pull_request.head.repo.full_name == github.repository - name: test_oidc - needs: build_sdk - permissions: - contents: read - id-token: write - runs-on: pulumi-ubuntu-8core - steps: - - name: Checkout Repo - uses: actions/checkout@v3 - with: - ref: ${{ env.PR_COMMIT_SHA }} - submodules: true - - name: Checkout Scripts Repo - uses: actions/checkout@v3 - with: - path: ci-scripts - repository: pulumi/scripts - - name: Unshallow clone for tags - run: git fetch --prune --unshallow --tags - - name: Install Go - uses: actions/setup-go@v4 - with: - cache-dependency-path: | - sdk/go.sum - go-version: 1.21.x - - name: Install pulumictl - uses: jaxxstorm/action-install-gh-release@v1.5.0 - with: - repo: pulumi/pulumictl - - name: Install Pulumi CLI - uses: pulumi/actions@v4 - with: - pulumi-version: v3.77.1 - - name: Setup Node - uses: actions/setup-node@v2 - with: - node-version: ${{ env.NODEVERSION }} - registry-url: https://registry.npmjs.org - - name: Download provider + tfgen binaries - uses: actions/download-artifact@v2 - with: - name: ${{ env.PROVIDER }}-provider.tar.gz - path: ${{ github.workspace }}/bin - - name: Untar provider binaries - run: >- - tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ - github.workspace}}/bin - - find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print -exec chmod +x {} \; - - name: Download SDK - uses: actions/download-artifact@v2 - with: - name: ${{ matrix.language }}-sdk.tar.gz - path: ${{ github.workspace}}/sdk/ - - name: Uncompress SDK folder - run: tar -zxf ${{ github.workspace }}/sdk/${{ matrix.language }}.tar.gz -C ${{ - github.workspace }}/sdk/${{ matrix.language }} - - name: Update path - run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH" - - name: Install dependencies - run: make install_${{ 
matrix.language}}_sdk - - name: Install gotestfmt - uses: GoTestTools/gotestfmt-action@v2 - with: - token: ${{ secrets.GITHUB_TOKEN }} - version: v2.4.0 - - name: Make upstream - run: make upstream - - name: Run selected tests with manual web identity/OIDC auth - run: cd examples && go test -v -json -count=1 -run TestAccCloudWatchOidcManual -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - - name: Configure AWS Credentials for OIDC - uses: aws-actions/configure-aws-credentials@v4 - with: - unset-current-credentials: true - aws-region: ${{ env.AWS_REGION }} - role-duration-seconds: 3600 - role-session-name: ${{ env.PROVIDER }}@githubActions - role-to-assume: ${{ secrets.OIDC_ROLE_ARN }} - - name: Run selected tests with configure-aws-credentials web identity/OIDC auth - run: cd examples && go test -v -json -count=1 -run TestAccCloudWatch -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - - if: failure() && github.event_name == 'push' - name: Notify Slack - uses: 8398a7/action-slack@v3 - with: - author_name: Failure in running ${{ matrix.language }} tests - fields: repo,commit,author,action - status: ${{ job.status }} - strategy: - fail-fast: false - matrix: - language: - - nodejs diff --git a/.github/workflows/command-dispatch.yml b/.github/workflows/command-dispatch.yml index 1c1534b92d6..6580e03e8df 100644 --- a/.github/workflows/command-dispatch.yml +++ b/.github/workflows/command-dispatch.yml @@ -14,7 +14,6 @@ env: NODEVERSION: 20.x NPM_TOKEN: ${{ secrets.NPM_TOKEN }} NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }} PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} diff --git a/.github/workflows/license.yml b/.github/workflows/license.yml index dc009700442..9dd378ddb1b 100644 --- a/.github/workflows/license.yml 
+++ b/.github/workflows/license.yml @@ -20,7 +20,6 @@ env: NODEVERSION: 20.x NPM_TOKEN: ${{ secrets.NPM_TOKEN }} NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }} PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index a296f2f7e7e..a0b9f1c6001 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -19,7 +19,6 @@ env: NODEVERSION: 20.x NPM_TOKEN: ${{ secrets.NPM_TOKEN }} NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }} PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml index d922e072604..484b386a598 100644 --- a/.github/workflows/master.yml +++ b/.github/workflows/master.yml @@ -14,7 +14,6 @@ env: NODEVERSION: 20.x NPM_TOKEN: ${{ secrets.NPM_TOKEN }} NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }} PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} @@ -287,7 +286,6 @@ jobs: - test - license_check - go_test_shim - - test_oidc runs-on: pulumi-ubuntu-8core steps: - name: Checkout Repo 
@@ -519,97 +517,6 @@ jobs: name: Upload coverage reports to Codecov uses: codecov/codecov-action@v3 timeout-minutes: 60 - test_oidc: - if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository - name: test_oidc - needs: build_sdk - permissions: - contents: read - id-token: write - runs-on: pulumi-ubuntu-8core - steps: - - name: Checkout Repo - uses: actions/checkout@v3 - with: - ref: ${{ env.PR_COMMIT_SHA }} - submodules: true - - name: Checkout Scripts Repo - uses: actions/checkout@v3 - with: - path: ci-scripts - repository: pulumi/scripts - - name: Unshallow clone for tags - run: git fetch --prune --unshallow --tags - - name: Install Go - uses: actions/setup-go@v4 - with: - cache-dependency-path: | - sdk/go.sum - go-version: 1.21.x - - name: Install pulumictl - uses: jaxxstorm/action-install-gh-release@v1.5.0 - with: - repo: pulumi/pulumictl - - name: Install Pulumi CLI - uses: pulumi/actions@v4 - with: - pulumi-version: v3.77.1 - - name: Setup Node - uses: actions/setup-node@v2 - with: - node-version: ${{ env.NODEVERSION }} - registry-url: https://registry.npmjs.org - - name: Download provider + tfgen binaries - uses: actions/download-artifact@v2 - with: - name: ${{ env.PROVIDER }}-provider.tar.gz - path: ${{ github.workspace }}/bin - - name: Untar provider binaries - run: |- - tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ github.workspace}}/bin - find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print -exec chmod +x {} \; - - name: Download SDK - uses: actions/download-artifact@v2 - with: - name: ${{ matrix.language }}-sdk.tar.gz - path: ${{ github.workspace}}/sdk/ - - name: Uncompress SDK folder - run: tar -zxf ${{ github.workspace }}/sdk/${{ matrix.language }}.tar.gz -C ${{ github.workspace }}/sdk/${{ matrix.language }} - - name: Update path - run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH" - - name: Install dependencies - run: make install_${{ 
matrix.language}}_sdk - - name: Install gotestfmt - uses: GoTestTools/gotestfmt-action@v2 - with: - token: ${{ secrets.GITHUB_TOKEN }} - version: v2.4.0 - - name: Make upstream - run: make upstream - - name: Run selected tests with manual web identity/OIDC auth - run: cd examples && go test -v -json -count=1 -run TestAccCloudWatchOidcManual -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - - name: Configure AWS Credentials for OIDC - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: ${{ env.AWS_REGION }} - role-duration-seconds: 3600 - role-session-name: ${{ env.PROVIDER }}@githubActions - role-to-assume: ${{ secrets.OIDC_ROLE_ARN }} - unset-current-credentials: true - - name: Run selected tests with configure-aws-credentials web identity/OIDC auth - run: cd examples && go test -v -json -count=1 -run TestAccCloudWatch -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - - if: failure() && github.event_name == 'push' - name: Notify Slack - uses: 8398a7/action-slack@v3 - with: - author_name: Failure in running ${{ matrix.language }} tests - fields: repo,commit,author,action - status: ${{ job.status }} - strategy: - fail-fast: false - matrix: - language: - - nodejs name: master on: diff --git a/.github/workflows/nightly-test.yml b/.github/workflows/nightly-test.yml index ab625791bab..3748a8f20ec 100644 --- a/.github/workflows/nightly-test.yml +++ b/.github/workflows/nightly-test.yml @@ -14,7 +14,6 @@ env: NODEVERSION: 20.x NPM_TOKEN: ${{ secrets.NPM_TOKEN }} NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }} PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml index defe05eab44..9d7f02aa4dc 100644 --- a/.github/workflows/prerelease.yml 
+++ b/.github/workflows/prerelease.yml @@ -15,7 +15,6 @@ env: NODEVERSION: 20.x NPM_TOKEN: ${{ secrets.NPM_TOKEN }} NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }} PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} @@ -230,7 +229,6 @@ jobs: - test - license_check - go_test_shim - - test_oidc runs-on: pulumi-ubuntu-8core steps: - name: Checkout Repo 
@@ -444,97 +442,6 @@ jobs: name: Upload coverage reports to Codecov uses: codecov/codecov-action@v3 timeout-minutes: 60 - test_oidc: - if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository - name: test_oidc - needs: build_sdk - permissions: - contents: read - id-token: write - runs-on: pulumi-ubuntu-8core - steps: - - name: Checkout Repo - uses: actions/checkout@v3 - with: - ref: ${{ env.PR_COMMIT_SHA }} - submodules: true - - name: Checkout Scripts Repo - uses: actions/checkout@v3 - with: - path: ci-scripts - repository: pulumi/scripts - - name: Unshallow clone for tags - run: git fetch --prune --unshallow --tags - - name: Install Go - uses: actions/setup-go@v4 - with: - cache-dependency-path: | - sdk/go.sum - go-version: 1.21.x - - name: Install pulumictl - uses: jaxxstorm/action-install-gh-release@v1.5.0 - with: - repo: pulumi/pulumictl - - name: Install Pulumi CLI - uses: pulumi/actions@v4 - with: - pulumi-version: v3.77.1 - - name: Setup Node - uses: actions/setup-node@v2 - with: - node-version: ${{ env.NODEVERSION }} - registry-url: https://registry.npmjs.org - - name: Download provider + tfgen binaries - uses: actions/download-artifact@v2 - with: - name: ${{ env.PROVIDER }}-provider.tar.gz - path: ${{ github.workspace }}/bin - - name: Untar provider binaries - run: |- - tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ github.workspace}}/bin - find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print -exec chmod +x {} \; - - name: Download SDK - uses: actions/download-artifact@v2 - with: - name: ${{ matrix.language }}-sdk.tar.gz - path: ${{ github.workspace}}/sdk/ - - name: Uncompress SDK folder - run: tar -zxf ${{ github.workspace }}/sdk/${{ matrix.language }}.tar.gz -C ${{ github.workspace }}/sdk/${{ matrix.language }} - - name: Update path - run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH" - - name: Install dependencies - run: make install_${{ 
matrix.language}}_sdk - - name: Install gotestfmt - uses: GoTestTools/gotestfmt-action@v2 - with: - token: ${{ secrets.GITHUB_TOKEN }} - version: v2.4.0 - - name: Make upstream - run: make upstream - - name: Run selected tests with manual web identity/OIDC auth - run: cd examples && go test -v -json -count=1 -run TestAccCloudWatchOidcManual -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - - name: Configure AWS Credentials for OIDC - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: ${{ env.AWS_REGION }} - role-duration-seconds: 3600 - role-session-name: ${{ env.PROVIDER }}@githubActions - role-to-assume: ${{ secrets.OIDC_ROLE_ARN }} - unset-current-credentials: true - - name: Run selected tests with configure-aws-credentials web identity/OIDC auth - run: cd examples && go test -v -json -count=1 -run TestAccCloudWatch -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - - if: failure() && github.event_name == 'push' - name: Notify Slack - uses: 8398a7/action-slack@v3 - with: - author_name: Failure in running ${{ matrix.language }} tests - fields: repo,commit,author,action - status: ${{ job.status }} - strategy: - fail-fast: false - matrix: - language: - - nodejs name: prerelease on: diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml index 81acbc36513..72fd2f9ac49 100644 --- a/.github/workflows/pull-request.yml +++ b/.github/workflows/pull-request.yml @@ -14,7 +14,6 @@ env: NODEVERSION: 20.x NPM_TOKEN: ${{ secrets.NPM_TOKEN }} NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }} PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index df8c2c60a7a..1db1426a332 100644 --- a/.github/workflows/release.yml 
+++ b/.github/workflows/release.yml @@ -14,7 +14,6 @@ env: NODEVERSION: 20.x NPM_TOKEN: ${{ secrets.NPM_TOKEN }} NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }} PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} @@ -243,7 +242,6 @@ jobs: - test - license_check - go_test_shim - - test_oidc runs-on: pulumi-ubuntu-8core steps: - name: Checkout Repo 
@@ -492,97 +490,6 @@ jobs: name: Upload coverage reports to Codecov uses: codecov/codecov-action@v3 timeout-minutes: 60 - test_oidc: - if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository - name: test_oidc - needs: build_sdk - permissions: - contents: read - id-token: write - runs-on: pulumi-ubuntu-8core - steps: - - name: Checkout Repo - uses: actions/checkout@v3 - with: - ref: ${{ env.PR_COMMIT_SHA }} - submodules: true - - name: Checkout Scripts Repo - uses: actions/checkout@v3 - with: - path: ci-scripts - repository: pulumi/scripts - - name: Unshallow clone for tags - run: git fetch --prune --unshallow --tags - - name: Install Go - uses: actions/setup-go@v4 - with: - cache-dependency-path: | - sdk/go.sum - go-version: 1.21.x - - name: Install pulumictl - uses: jaxxstorm/action-install-gh-release@v1.5.0 - with: - repo: pulumi/pulumictl - - name: Install Pulumi CLI - uses: pulumi/actions@v4 - with: - pulumi-version: v3.77.1 - - name: Setup Node - uses: actions/setup-node@v2 - with: - node-version: ${{ env.NODEVERSION }} - registry-url: https://registry.npmjs.org - - name: Download provider + tfgen binaries - uses: actions/download-artifact@v2 - with: - name: ${{ env.PROVIDER }}-provider.tar.gz - path: ${{ github.workspace }}/bin - - name: Untar provider binaries - run: |- - tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ github.workspace}}/bin - find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print -exec chmod +x {} \; - - name: Download SDK - uses: actions/download-artifact@v2 - with: - name: ${{ matrix.language }}-sdk.tar.gz - path: ${{ github.workspace}}/sdk/ - - name: Uncompress SDK folder - run: tar -zxf ${{ github.workspace }}/sdk/${{ matrix.language }}.tar.gz -C ${{ github.workspace }}/sdk/${{ matrix.language }} - - name: Update path - run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH" - - name: Install dependencies - run: make install_${{ 
matrix.language}}_sdk - - name: Install gotestfmt - uses: GoTestTools/gotestfmt-action@v2 - with: - token: ${{ secrets.GITHUB_TOKEN }} - version: v2.4.0 - - name: Make upstream - run: make upstream - - name: Run selected tests with manual web identity/OIDC auth - run: cd examples && go test -v -json -count=1 -run TestAccCloudWatchOidcManual -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - - name: Configure AWS Credentials for OIDC - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: ${{ env.AWS_REGION }} - role-duration-seconds: 3600 - role-session-name: ${{ env.PROVIDER }}@githubActions - role-to-assume: ${{ secrets.OIDC_ROLE_ARN }} - unset-current-credentials: true - - name: Run selected tests with configure-aws-credentials web identity/OIDC auth - run: cd examples && go test -v -json -count=1 -run TestAccCloudWatch -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - - if: failure() && github.event_name == 'push' - name: Notify Slack - uses: 8398a7/action-slack@v3 - with: - author_name: Failure in running ${{ matrix.language }} tests - fields: repo,commit,author,action - status: ${{ job.status }} - strategy: - fail-fast: false - matrix: - language: - - nodejs name: release on: diff --git a/.github/workflows/resync-build.yml b/.github/workflows/resync-build.yml index b87e505677f..aaaf9f25d05 100644 --- a/.github/workflows/resync-build.yml +++ b/.github/workflows/resync-build.yml @@ -16,7 +16,6 @@ env: NODEVERSION: 20.x NPM_TOKEN: ${{ secrets.NPM_TOKEN }} NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }} PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} diff --git a/.github/workflows/run-acceptance-tests.yml b/.github/workflows/run-acceptance-tests.yml index d0bca40077a..ed76efb1881 100644 
--- a/.github/workflows/run-acceptance-tests.yml +++ b/.github/workflows/run-acceptance-tests.yml @@ -15,7 +15,6 @@ env: NODEVERSION: 20.x NPM_TOKEN: ${{ secrets.NPM_TOKEN }} NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }} PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} @@ -278,7 +277,6 @@ jobs: - test - license_check - go_test_shim - - test_oidc runs-on: ubuntu-latest steps: - name: Workflow is not a success 
@@ -441,97 +439,6 @@ jobs: name: Upload coverage reports to Codecov uses: codecov/codecov-action@v3 timeout-minutes: 60 - test_oidc: - if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository - name: test_oidc - needs: build_sdk - permissions: - contents: read - id-token: write - runs-on: pulumi-ubuntu-8core - steps: - - name: Checkout Repo - uses: actions/checkout@v3 - with: - ref: ${{ env.PR_COMMIT_SHA }} - submodules: true - - name: Checkout Scripts Repo - uses: actions/checkout@v3 - with: - path: ci-scripts - repository: pulumi/scripts - - name: Unshallow clone for tags - run: git fetch --prune --unshallow --tags - - name: Install Go - uses: actions/setup-go@v4 - with: - cache-dependency-path: | - sdk/go.sum - go-version: 1.21.x - - name: Install pulumictl - uses: jaxxstorm/action-install-gh-release@v1.5.0 - with: - repo: pulumi/pulumictl - - name: Install Pulumi CLI - uses: pulumi/actions@v4 - with: - pulumi-version: v3.77.1 - - name: Setup Node - uses: actions/setup-node@v2 - with: - node-version: ${{ env.NODEVERSION }} - registry-url: https://registry.npmjs.org - - name: Download provider + tfgen binaries - uses: actions/download-artifact@v2 - with: - name: ${{ env.PROVIDER }}-provider.tar.gz - path: ${{ github.workspace }}/bin - - name: Untar provider binaries - run: |- - tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ github.workspace}}/bin - find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print -exec chmod +x {} \; - - name: Download SDK - uses: actions/download-artifact@v2 - with: - name: ${{ matrix.language }}-sdk.tar.gz - path: ${{ github.workspace}}/sdk/ - - name: Uncompress SDK folder - run: tar -zxf ${{ github.workspace }}/sdk/${{ matrix.language }}.tar.gz -C ${{ github.workspace }}/sdk/${{ matrix.language }} - - name: Update path - run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH" - - name: Install dependencies - run: make install_${{ 
matrix.language}}_sdk - - name: Install gotestfmt - uses: GoTestTools/gotestfmt-action@v2 - with: - token: ${{ secrets.GITHUB_TOKEN }} - version: v2.4.0 - - name: Make upstream - run: make upstream - - name: Run selected tests with manual web identity/OIDC auth - run: cd examples && go test -v -json -count=1 -run TestAccCloudWatchOidcManual -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - - name: Configure AWS Credentials for OIDC - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: ${{ env.AWS_REGION }} - role-duration-seconds: 3600 - role-session-name: ${{ env.PROVIDER }}@githubActions - role-to-assume: ${{ secrets.OIDC_ROLE_ARN }} - unset-current-credentials: true - - name: Run selected tests with configure-aws-credentials web identity/OIDC auth - run: cd examples && go test -v -json -count=1 -run TestAccCloudWatch -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - - if: failure() && github.event_name == 'push' - name: Notify Slack - uses: 8398a7/action-slack@v3 - with: - author_name: Failure in running ${{ matrix.language }} tests - fields: repo,commit,author,action - status: ${{ job.status }} - strategy: - fail-fast: false - matrix: - language: - - nodejs name: run-acceptance-tests on: diff --git a/examples/cloudwatchOidcManual/Pulumi.yaml b/examples/cloudwatchOidcManual/Pulumi.yaml deleted file mode 100644 index 436e96218cd..00000000000 --- a/examples/cloudwatchOidcManual/Pulumi.yaml +++ /dev/null @@ -1,3 +0,0 @@ -name: CloudWatchOidcManual -runtime: nodejs -description: A simple example of using the `CloudWatch` APIs, with manual OIDC auth. diff --git a/examples/cloudwatchOidcManual/README.md b/examples/cloudwatchOidcManual/README.md deleted file mode 100644 index 411d80a399d..00000000000 --- a/examples/cloudwatchOidcManual/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# examples/cloudwatch - -A simple example of using the `CloudWatch` APIs. \ No newline at end of file 
diff --git a/examples/cloudwatchOidcManual/index.ts b/examples/cloudwatchOidcManual/index.ts deleted file mode 100644 index e8e1b42cec0..00000000000 --- a/examples/cloudwatchOidcManual/index.ts +++ /dev/null @@ -1,33 +0,0 @@ -// Copyright 2016-2018, Pulumi Corporation. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -import * as pulumi from "@pulumi/pulumi"; -import * as aws from "@pulumi/aws"; -import * as gh from "@actions/core"; - -const config = new pulumi.Config("aws"); -const providerOpts = { - provider: new aws.Provider("prov", { - region: config.require("envRegion"), - assumeRoleWithWebIdentity: { - roleArn: process.env["OIDC_ROLE_ARN"], - webIdentityToken: gh.getIDToken("sts.amazonaws.com"), - sessionName: "cloudwatchOidcManual-githubActions", - }, - }) -}; - -const event = aws.cloudwatch.onSchedule("everyMinute", "rate(1 minute)", async (event) => { - console.log("Received event: " + JSON.stringify(event, null, 2)); -}, {}, providerOpts); diff --git a/examples/cloudwatchOidcManual/package.json b/examples/cloudwatchOidcManual/package.json deleted file mode 100644 index 8163b9e7413..00000000000 --- a/examples/cloudwatchOidcManual/package.json +++ /dev/null 
@@ -1,16 +0,0 @@ -{ - "name": "cloudwatch-oidc-manual", - "version": "0.0.1", - "license": "Apache-2.0", - "scripts": { - "build": "tsc" - }, - "dependencies": { - "@actions/core": "^1.10.1", - "@pulumi/aws": "^6.0.0", - "@pulumi/pulumi": "^3.0.0" - }, - "devDependencies": { - "@types/node": "^18.0.0" - } -} diff --git a/examples/cloudwatchOidcManual/tsconfig.json b/examples/cloudwatchOidcManual/tsconfig.json deleted file mode 100644 index ab65afa6135..00000000000 --- a/examples/cloudwatchOidcManual/tsconfig.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "compilerOptions": { - "strict": true, - "outDir": "bin", - "target": "es2016", - "module": "commonjs", - "moduleResolution": "node", - "sourceMap": true, - "experimentalDecorators": true, - "pretty": true, - "noFallthroughCasesInSwitch": true, - "noImplicitReturns": true, - "forceConsistentCasingInFileNames": true - }, - "files": [ - "index.ts" - ] -} diff --git a/examples/examples_nodejs_test.go b/examples/examples_nodejs_test.go index 3cf1d6803f9..7e4ac6d8072 100644 --- a/examples/examples_nodejs_test.go +++ b/examples/examples_nodejs_test.go @@ -120,16 +120,6 @@ func TestAccCloudWatch(t *testing.T) { integration.ProgramTest(t, &test) } -func TestAccCloudWatchOidcManual(t *testing.T) { - test := getJSBaseOptions(t). - With(integration.ProgramTestOptions{ - Dir: filepath.Join(getCwd(t), "cloudwatchOidcManual"), - RunUpdateTest: true, - }) - - integration.ProgramTest(t, &test) -} - func TestAccLogGroup(t *testing.T) { test := getJSBaseOptions(t). With(integration.ProgramTestOptions{ diff --git a/provider/resources.go b/provider/resources.go index 14d18b98c02..a096af7955b 100644 --- a/provider/resources.go +++ b/provider/resources.go 
@@ -542,22 +542,25 @@ func arrayValue(vars resource.PropertyMap, prop resource.PropertyKey, envs []str return vals } -// returns a pointer so we can distinguish between a zero value and a missing value -func durationFromConfig(vars resource.PropertyMap, prop resource.PropertyKey) (*time.Duration, error) { +func durationFromConfig(vars resource.PropertyMap, prop resource.PropertyKey, envs []string) (time.Duration, error) { val, ok := vars[prop] if ok && val.IsString() { secondsString := val.StringValue() if !strings.HasSuffix(secondsString, "s") { secondsString += "s" } - dur, err := time.ParseDuration(secondsString) - if err != nil { - return nil, err + return time.ParseDuration(secondsString) + } + for _, env := range envs { + val, ok := os.LookupEnv(env) + if ok { + if !strings.HasSuffix(val, "s") { + val += "s" + } + return time.ParseDuration(val) } - return &dur, nil } - - return nil, nil + return 0, nil } func validateCredentials(vars resource.PropertyMap, c shim.ResourceConfig) error { @@ -582,13 +585,11 @@ func validateCredentials(vars resource.PropertyMap, c shim.ResourceConfig) error SourceIdentity: stringValue(details.ObjectValue(), "sourceIdentity", []string{}), TransitiveTagKeys: arrayValue(details.ObjectValue(), "transitiveTagKeys", []string{}), } - duration, err := durationFromConfig(details.ObjectValue(), "durationSeconds") + duration, err := durationFromConfig(details.ObjectValue(), "durationSeconds", []string{}) if err != nil { return err } - if duration != nil { - assumeRole.Duration = *duration - } + assumeRole.Duration = duration config.AssumeRole = &assumeRole } 
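Review bot: The suffix handling in the new `durationFromConfig` can silently change the meaning of a value: any string that does not end in `s` gets `s` appended, so `15m` becomes `15ms` and parses as 15 milliseconds, while `1h` becomes `1hs` and fails to parse. The same pattern is repeated in the added `os.LookupEnv` branch. If the setting is meant to be whole seconds, append the suffix only to bare integers, e.g. `if _, err := strconv.Atoi(secondsString); err == nil { secondsString += "s" }`, and pass everything else to `time.ParseDuration` unchanged (the import block is outside this hunk, so `strconv` may need adding). The revert also drops the only comment on this function; a one-line doc comment stating that a missing value returns `0, nil` would make the zero-versus-missing behaviour explicit for callers.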
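Review bot: `assumeRole.Duration = duration` stores whatever `durationFromConfig` returned with no range check, so a negative input such as `-5` (parsed as `-5s`) or a sub-second value flows straight into the assume-role configuration; the same assignment appears in the `AssumeRoleWithWebIdentity` hunk that follows. Rejecting it at this point would give a clearer error than relying on later validation, which is presumably where it fails today, e.g. `if duration < 0 { return fmt.Errorf("durationSeconds must not be negative: %s", duration) }`. Both call sites pass `[]string{}` for `envs`, so the environment-variable branch is unreachable from the visible code; either name the intended variables or drop the parameter. `validateCredentials` starts and ends outside these hunks.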
@@ -602,13 +603,12 @@ func validateCredentials(vars resource.PropertyMap, c shim.ResourceConfig) error WebIdentityToken: stringValue(details.ObjectValue(), "webIdentityToken", []string{}), WebIdentityTokenFile: stringValue(details.ObjectValue(), "webIdentityTokenFile", []string{}), } - duration, err := durationFromConfig(details.ObjectValue(), "durationSeconds") + duration, err := durationFromConfig(details.ObjectValue(), "durationSeconds", []string{}) if err != nil { return err } - if duration != nil { - assumeRole.Duration = *duration - } + assumeRole.Duration = duration + config.AssumeRoleWithWebIdentity = &assumeRole } diff --git a/provider/resources_test.go b/provider/resources_test.go index 3cfea066214..5b9a280f2e2 100644 --- a/provider/resources_test.go +++ b/provider/resources_test.go @@ -22,9 +22,9 @@ func TestParseDuration(t *testing.T) { valid := resource.PropertyMap{ "durationSeconds": resource.NewStringProperty(v), } - d, err := durationFromConfig(valid, "durationSeconds") + d, err := durationFromConfig(valid, "durationSeconds", []string{}) assert.NoError(t, err) - assert.NotNil(t, d) + assert.True(t, d > 0) } }
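Review bot: In `TestParseDuration`, `assert.True(t, d > 0)` only shows that some positive duration came back, so the test would still pass if an input were parsed in the wrong unit. Pairing each input with its expected `time.Duration` and checking `assert.Equal(t, expected, d)` would pin the seconds semantics that the assume-role session length depends on. The list of inputs iterated as `v` is outside the hunk, so the expected values would have to be added next to it.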