From 0b3abb81e04d22b8b508d3545de16413b5878a20 Mon Sep 17 00:00:00 2001 From: Bryce Lampe Date: Wed, 11 Dec 2024 11:56:25 -0800 Subject: [PATCH 1/2] Simplify OIDC extraTest --- .ci-mgmt.yaml | 63 ---------------------- .github/workflows/master.yml | 63 ---------------------- .github/workflows/prerelease.yml | 63 ---------------------- .github/workflows/release.yml | 63 ---------------------- .github/workflows/run-acceptance-tests.yml | 63 ---------------------- examples/examples_nodejs_test.go | 62 ++++++++++++++++++++- 6 files changed, 60 insertions(+), 317 deletions(-) diff --git a/.ci-mgmt.yaml b/.ci-mgmt.yaml index b55955056c9..10f498951f9 100644 --- a/.ci-mgmt.yaml +++ b/.ci-mgmt.yaml 
@@ -127,69 +127,6 @@ extraTests: cd upstream make provider-lint - test_oidc: - name: test_oidc - needs: build_sdk - permissions: - contents: read - id-token: write - runs-on: ubuntu-latest - steps: - - name: Free Disk Space (Ubuntu) - uses: jlumbroso/free-disk-space@main - with: - tool-cache: false - swap-storage: false - dotnet: ${{ matrix.language != 'dotnet' }} - - name: Checkout Repo - uses: actions/checkout@v4 - with: - ref: ${{ env.PR_COMMIT_SHA }} - submodules: true - - uses: pulumi/provider-version-action@v1 - with: - set-env: 'PROVIDER_VERSION' - - name: Setup tools - uses: ./.github/actions/setup-tools - with: - tools: pulumictl, pulumi, go, node - - name: Prepare local workspace - run: make prepare_local_workspace - - name: Download bin - uses: ./.github/actions/download-bin - - name: Download SDK - uses: ./.github/actions/download-sdk - with: - language: ${{ matrix.language }} - - name: Restore makefile progress - run: make --touch provider schema build_${{ matrix.language }} - - name: Update path - run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH" - - name: Install dependencies - run: make install_${{ matrix.language}}_sdk - - name: Install gotestfmt - uses: GoTestTools/gotestfmt-action@v2 - with: - token: ${{ secrets.GITHUB_TOKEN }} - version: v2.4.0 - - name: Run selected tests with manual web identity/OIDC auth - run: cd examples && go test -v -json -count=1 -run TestAccCloudWatchOidcManual -tags=${{ matrix.language }} -parallel 4 . 
2>&1 | tee /tmp/gotest.log | gotestfmt - - name: Configure AWS Credentials for OIDC - uses: aws-actions/configure-aws-credentials@v4 - with: - unset-current-credentials: true - aws-region: ${{ env.AWS_REGION }} - role-duration-seconds: 3600 - role-session-name: aws@githubActions - role-to-assume: ${{ secrets.OIDC_ROLE_ARN }} - - name: Run selected tests with configure-aws-credentials web identity/OIDC auth - run: cd examples && go test -v -json -count=1 -run TestAccCloudWatch -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - strategy: - fail-fast: false - matrix: - language: - - nodejs - provider_test: name: provider_test needs: build_sdk diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml index fdba7f7e878..f2a2f9a69f8 100644 --- a/.github/workflows/master.yml +++ b/.github/workflows/master.yml @@ -101,7 +101,6 @@ jobs: - license_check - go_test_shim - provider_test - - test_oidc - upstream_lint uses: ./.github/workflows/publish.yml secrets: inherit 
@@ -307,68 +306,6 @@ jobs: - dotnet - go - java - test_oidc: - name: test_oidc - needs: build_sdk - permissions: - contents: read - id-token: write - runs-on: ubuntu-latest - steps: - - name: Free Disk Space (Ubuntu) - uses: jlumbroso/free-disk-space@main - with: - dotnet: ${{ matrix.language != 'dotnet' }} - swap-storage: false - tool-cache: false - - name: Checkout Repo - uses: actions/checkout@v4 - with: - ref: ${{ env.PR_COMMIT_SHA }} - submodules: true - - uses: pulumi/provider-version-action@v1 - with: - set-env: PROVIDER_VERSION - - name: Setup tools - uses: ./.github/actions/setup-tools - with: - tools: pulumictl, pulumi, go, node - - name: Prepare local workspace - run: make prepare_local_workspace - - name: Download bin - uses: ./.github/actions/download-bin - - name: Download SDK - uses: ./.github/actions/download-sdk - with: - language: ${{ matrix.language }} - - name: Restore makefile progress - run: make --touch provider schema build_${{ matrix.language }} - - name: Update path - run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH" - - name: Install dependencies - run: make install_${{ matrix.language}}_sdk - - name: Install gotestfmt - uses: GoTestTools/gotestfmt-action@v2 - with: - token: ${{ secrets.GITHUB_TOKEN }} - version: v2.4.0 - - name: Run selected tests with manual web identity/OIDC auth - run: cd examples && go test -v -json -count=1 -run TestAccCloudWatchOidcManual -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - - name: Configure AWS Credentials for OIDC - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: ${{ env.AWS_REGION }} - role-duration-seconds: 3600 - role-session-name: aws@githubActions - role-to-assume: ${{ secrets.OIDC_ROLE_ARN }} - unset-current-credentials: true - - name: Run selected tests with configure-aws-credentials web identity/OIDC auth - run: cd examples && go test -v -json -count=1 -run TestAccCloudWatch -tags=${{ matrix.language }} -parallel 4 . 
2>&1 | tee /tmp/gotest.log | gotestfmt - strategy: - fail-fast: false - matrix: - language: - - nodejs upstream_lint: name: Run upstream provider-lint runs-on: ubuntu-latest diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml index b0d390a4731..c7993ab00f9 100644 --- a/.github/workflows/prerelease.yml +++ b/.github/workflows/prerelease.yml @@ -61,7 +61,6 @@ jobs: - license_check - go_test_shim - provider_test - - test_oidc - upstream_lint uses: ./.github/workflows/publish.yml secrets: inherit 
@@ -247,68 +246,6 @@ jobs: - dotnet - go - java - test_oidc: - name: test_oidc - needs: build_sdk - permissions: - contents: read - id-token: write - runs-on: ubuntu-latest - steps: - - name: Free Disk Space (Ubuntu) - uses: jlumbroso/free-disk-space@main - with: - dotnet: ${{ matrix.language != 'dotnet' }} - swap-storage: false - tool-cache: false - - name: Checkout Repo - uses: actions/checkout@v4 - with: - ref: ${{ env.PR_COMMIT_SHA }} - submodules: true - - uses: pulumi/provider-version-action@v1 - with: - set-env: PROVIDER_VERSION - - name: Setup tools - uses: ./.github/actions/setup-tools - with: - tools: pulumictl, pulumi, go, node - - name: Prepare local workspace - run: make prepare_local_workspace - - name: Download bin - uses: ./.github/actions/download-bin - - name: Download SDK - uses: ./.github/actions/download-sdk - with: - language: ${{ matrix.language }} - - name: Restore makefile progress - run: make --touch provider schema build_${{ matrix.language }} - - name: Update path - run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH" - - name: Install dependencies - run: make install_${{ matrix.language}}_sdk - - name: Install gotestfmt - uses: GoTestTools/gotestfmt-action@v2 - with: - token: ${{ secrets.GITHUB_TOKEN }} - version: v2.4.0 - - name: Run selected tests with manual web identity/OIDC auth - run: cd examples && go test -v -json -count=1 -run TestAccCloudWatchOidcManual -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - - name: Configure AWS Credentials for OIDC - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: ${{ env.AWS_REGION }} - role-duration-seconds: 3600 - role-session-name: aws@githubActions - role-to-assume: ${{ secrets.OIDC_ROLE_ARN }} - unset-current-credentials: true - - name: Run selected tests with configure-aws-credentials web identity/OIDC auth - run: cd examples && go test -v -json -count=1 -run TestAccCloudWatch -tags=${{ matrix.language }} -parallel 4 . 
2>&1 | tee /tmp/gotest.log | gotestfmt - strategy: - fail-fast: false - matrix: - language: - - nodejs upstream_lint: name: Run upstream provider-lint runs-on: ubuntu-latest diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 28b75d36f4e..2dd22eb98c0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -67,7 +67,6 @@ jobs: - license_check - go_test_shim - provider_test - - test_oidc - upstream_lint uses: ./.github/workflows/publish.yml secrets: inherit 
@@ -253,68 +252,6 @@ jobs: - dotnet - go - java - test_oidc: - name: test_oidc - needs: build_sdk - permissions: - contents: read - id-token: write - runs-on: ubuntu-latest - steps: - - name: Free Disk Space (Ubuntu) - uses: jlumbroso/free-disk-space@main - with: - dotnet: ${{ matrix.language != 'dotnet' }} - swap-storage: false - tool-cache: false - - name: Checkout Repo - uses: actions/checkout@v4 - with: - ref: ${{ env.PR_COMMIT_SHA }} - submodules: true - - uses: pulumi/provider-version-action@v1 - with: - set-env: PROVIDER_VERSION - - name: Setup tools - uses: ./.github/actions/setup-tools - with: - tools: pulumictl, pulumi, go, node - - name: Prepare local workspace - run: make prepare_local_workspace - - name: Download bin - uses: ./.github/actions/download-bin - - name: Download SDK - uses: ./.github/actions/download-sdk - with: - language: ${{ matrix.language }} - - name: Restore makefile progress - run: make --touch provider schema build_${{ matrix.language }} - - name: Update path - run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH" - - name: Install dependencies - run: make install_${{ matrix.language}}_sdk - - name: Install gotestfmt - uses: GoTestTools/gotestfmt-action@v2 - with: - token: ${{ secrets.GITHUB_TOKEN }} - version: v2.4.0 - - name: Run selected tests with manual web identity/OIDC auth - run: cd examples && go test -v -json -count=1 -run TestAccCloudWatchOidcManual -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - - name: Configure AWS Credentials for OIDC - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: ${{ env.AWS_REGION }} - role-duration-seconds: 3600 - role-session-name: aws@githubActions - role-to-assume: ${{ secrets.OIDC_ROLE_ARN }} - unset-current-credentials: true - - name: Run selected tests with configure-aws-credentials web identity/OIDC auth - run: cd examples && go test -v -json -count=1 -run TestAccCloudWatch -tags=${{ matrix.language }} -parallel 4 . 
2>&1 | tee /tmp/gotest.log | gotestfmt - strategy: - fail-fast: false - matrix: - language: - - nodejs upstream_lint: name: Run upstream provider-lint runs-on: ubuntu-latest diff --git a/.github/workflows/run-acceptance-tests.yml b/.github/workflows/run-acceptance-tests.yml index 53b1bdae190..579615f90dd 100644 --- a/.github/workflows/run-acceptance-tests.yml +++ b/.github/workflows/run-acceptance-tests.yml @@ -96,7 +96,6 @@ jobs: - license_check - go_test_shim - provider_test - - test_oidc - upstream_lint runs-on: ubuntu-latest steps: 
@@ -308,68 +307,6 @@ jobs: - dotnet - go - java - test_oidc: - name: test_oidc - needs: build_sdk - permissions: - contents: read - id-token: write - runs-on: ubuntu-latest - steps: - - name: Free Disk Space (Ubuntu) - uses: jlumbroso/free-disk-space@main - with: - dotnet: ${{ matrix.language != 'dotnet' }} - swap-storage: false - tool-cache: false - - name: Checkout Repo - uses: actions/checkout@v4 - with: - ref: ${{ env.PR_COMMIT_SHA }} - submodules: true - - uses: pulumi/provider-version-action@v1 - with: - set-env: PROVIDER_VERSION - - name: Setup tools - uses: ./.github/actions/setup-tools - with: - tools: pulumictl, pulumi, go, node - - name: Prepare local workspace - run: make prepare_local_workspace - - name: Download bin - uses: ./.github/actions/download-bin - - name: Download SDK - uses: ./.github/actions/download-sdk - with: - language: ${{ matrix.language }} - - name: Restore makefile progress - run: make --touch provider schema build_${{ matrix.language }} - - name: Update path - run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH" - - name: Install dependencies - run: make install_${{ matrix.language}}_sdk - - name: Install gotestfmt - uses: GoTestTools/gotestfmt-action@v2 - with: - token: ${{ secrets.GITHUB_TOKEN }} - version: v2.4.0 - - name: Run selected tests with manual web identity/OIDC auth - run: cd examples && go test -v -json -count=1 -run TestAccCloudWatchOidcManual -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt - - name: Configure AWS Credentials for OIDC - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: ${{ env.AWS_REGION }} - role-duration-seconds: 3600 - role-session-name: aws@githubActions - role-to-assume: ${{ secrets.OIDC_ROLE_ARN }} - unset-current-credentials: true - - name: Run selected tests with configure-aws-credentials web identity/OIDC auth - run: cd examples && go test -v -json -count=1 -run TestAccCloudWatch -tags=${{ matrix.language }} -parallel 4 . 
2>&1 | tee /tmp/gotest.log | gotestfmt - strategy: - fail-fast: false - matrix: - language: - - nodejs upstream_lint: name: Run upstream provider-lint runs-on: ubuntu-latest diff --git a/examples/examples_nodejs_test.go b/examples/examples_nodejs_test.go index 90d6dcb601f..aa14b80b323 100644 --- a/examples/examples_nodejs_test.go +++ b/examples/examples_nodejs_test.go @@ -6,6 +6,7 @@ package examples import ( "bytes" + "context" "encoding/json" "io" "os" @@ -14,6 +15,8 @@ import ( "testing" "time" + "github.com/aws/aws-sdk-go-v2/config" + "github.com/aws/aws-sdk-go-v2/credentials/stscreds" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/lambda" 
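Review bot: The new `github.com/aws/aws-sdk-go-v2/config` and `github.com/aws/aws-sdk-go-v2/credentials/stscreds` imports are not matched by any `go.mod`/`go.sum` change in the diffstat (the header lists only six files, none of them a module file), so the examples module must already require aws-sdk-go-v2 at a version that ships those packages or `go test` will fail to resolve them; worth confirming before merge. The import block now mixes the v1 SDK (`aws`, `session`, `lambda`) with v2 in the same file, and a one-line comment such as `// aws-sdk-go-v2 is used only to mint OIDC role credentials in TestAccCloudWatchWithOIDC.` on the v2 group would stop the next reader from assuming a half-finished migration. The import block is complete within this hunk.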
@@ -143,12 +146,45 @@ func TestAccCloudWatch(t *testing.T) {
 With(integration.ProgramTestOptions{
 Dir: filepath.Join(getCwd(t), "cloudwatch"),
 RunUpdateTest: true,
+ // Inherit ambient credentials.
 })
 skipRefresh(&test)
 integration.ProgramTest(t, &test)
 }
 
-func TestAccCloudWatchOidcManual(t *testing.T) {
+func TestAccCloudWatchWithOIDC(t *testing.T) {
+ ctx := context.Background()
+
+ // Generate credentials for OIDC_ROLE_ARN.
+ cfg, err := config.LoadDefaultConfig(ctx,
+ config.WithRegion(os.Getenv("AWS_REGION")),
+ config.WithAssumeRoleCredentialOptions(func(opts *stscreds.AssumeRoleOptions) {
+ opts.Duration = 3600 * time.Second
+ opts.RoleSessionName = "aws@githubActions"
+ opts.RoleARN = os.Getenv("OIDC_ROLE_ARN")
+ }))
+ require.NoError(t, err)
+
+ creds, err := cfg.Credentials.Retrieve(ctx)
+ require.NoError(t, err)
+
+ test := getJSBaseOptions(t).
+ With(integration.ProgramTestOptions{
+ Dir: filepath.Join(getCwd(t), "cloudwatch"),
+ RunUpdateTest: true,
+ // Override ambient credentials to use our OIDC role.
+ Env: []string{
+ "AWS_ACCESS_KEY_ID=" + creds.AccessKeyID,
+ "AWS_SECRET_ACCESS_KEY=" + creds.SecretAccessKey,
+ "AWS_SESSION_TOKEN=" + creds.SessionToken,
+ "AWS_REGION=" + os.Getenv("AWS_REGION"),
+ },
+ })
+ skipRefresh(&test)
+ integration.ProgramTest(t, &test)
+}
+
+func TestAccCloudWatchOIDCAmbient(t *testing.T) {
 test := getJSBaseOptions(t).
 With(integration.ProgramTestOptions{
 Dir: filepath.Join(getCwd(t), "cloudwatchOidcManual"),
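Review bot: The `config.WithAssumeRoleCredentialOptions` call in `TestAccCloudWatchWithOIDC` does not by itself make the SDK assume `OIDC_ROLE_ARN`: as far as I read aws-sdk-go-v2's config package, those options are only consulted when a shared-config profile carries a `role_arn`, so with env-var credentials `cfg.Credentials.Retrieve(ctx)` hands back the ambient keys unchanged and the test passes without ever exercising the OIDC role (an empty `OIDC_ROLE_ARN` degrades to the same silent pass, since nothing checks it). I would build the assume-role provider explicitly, require the variable, and assert the caller identity before exporting the keys to the program, as below (needs `github.com/aws/aws-sdk-go-v2/service/sts` and `strings` imported); if the job's ambient credentials cannot assume that role the test then fails for a visible reason instead of passing on the wrong identity. The deleted `test_oidc` jobs granted `id-token: write`; whichever job now runs these tests must grant it, which this diff does not show. `TestAccCloudWatchOIDCAmbient` begins in this hunk and ends outside it.
```go
func TestAccCloudWatchWithOIDC(t *testing.T) {
	ctx := context.Background()

	// Exchange the job's ambient credentials for OIDC_ROLE_ARN explicitly: the
	// WithAssumeRoleCredentialOptions hook is only applied when a shared-config
	// profile names a role_arn, so it is a no-op for env-var credentials.
	cfg, err := config.LoadDefaultConfig(ctx, config.WithRegion(os.Getenv("AWS_REGION")))
	require.NoError(t, err)

	roleARN := os.Getenv("OIDC_ROLE_ARN")
	require.NotEmpty(t, roleARN, "OIDC_ROLE_ARN must be set for this test")
	provider := stscreds.NewAssumeRoleProvider(sts.NewFromConfig(cfg), roleARN,
		func(opts *stscreds.AssumeRoleOptions) {
			opts.Duration = time.Hour
			opts.RoleSessionName = "aws@githubActions"
		})
	creds, err := provider.Retrieve(ctx)
	require.NoError(t, err)

	// Refuse to continue unless the minted credentials really belong to the
	// OIDC role; otherwise the program below would run on whatever the job had.
	ident, err := sts.NewFromConfig(cfg, func(o *sts.Options) { o.Credentials = provider }).
		GetCallerIdentity(ctx, &sts.GetCallerIdentityInput{})
	require.NoError(t, err)
	require.NotNil(t, ident.Arn)
	roleName := roleARN[strings.LastIndex(roleARN, "/")+1:]
	require.Contains(t, *ident.Arn, ":assumed-role/"+roleName+"/", "credentials are not for the OIDC role")

	// … unchanged: ProgramTestOptions with the AWS_* Env overrides, skipRefresh, ProgramTest …
}
```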
@@ -157,6 +193,28 @@ func TestAccCloudWatchOidcManual(t *testing.T) {
 SkipRefresh: true,
 AllowEmptyPreviewChanges: true,
 AllowEmptyUpdateChanges: true,
+ // Inherit ambient credentials.
+ })
+
+ integration.ProgramTest(t, &test)
+ }
+
+ func TestAccCloudWatchOIDCManual(t *testing.T) {
+ test := getJSBaseOptions(t).
+ With(integration.ProgramTestOptions{
+ Dir: filepath.Join(getCwd(t), "cloudwatchOidcManual"),
+
+ // TODO[pulumi/pulumi-aws#3193] multiple issues with refreshing and updating cleanly.
+ SkipRefresh: true,
+ AllowEmptyPreviewChanges: true,
+ AllowEmptyUpdateChanges: true,
+ // Unset any ambient credentials.
+ Env: []string{
+ `AWS_ACCESS_KEY_ID=""`,
+ `AWS_SECRET_ACCESS_KEY=""`,
+ `AWS_SESSION_TOKEN=""`,
+ `AWS_REGION=` + os.Getenv("AWS_REGION"),
+ },
 })
 
 integration.ProgramTest(t, &test)
@@ -720,7 +778,7 @@ func TestServerlessAppRepositoryApplication(t *testing.T) {
 func TestAccEcrImage(t *testing.T) {
 test := getJSBaseOptions(t).
 With(integration.ProgramTestOptions{
- Dir: filepath.Join(getCwd(t), "ecr-image"),
+ Dir: filepath.Join(getCwd(t), "ecr-image"),
 ExtraRuntimeValidation: func(t *testing.T, stack integration.RuntimeValidationStackInfo) {
 repoDigest, ok := stack.Outputs["digest"].(string)
 assert.True(t, ok, "expected digest output to be set")
From 2c34100df1672d031ec547a296668f0ecffab2b4 Mon Sep 17 00:00:00 2001
From: Bryce Lampe
Date: Wed, 11 Dec 2024 14:25:52 -0800
Subject: [PATCH 2/2] fix unset
---
 examples/examples_nodejs_test.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/examples/examples_nodejs_test.go b/examples/examples_nodejs_test.go
index aa14b80b323..dd2a14b3a9a 100644
--- a/examples/examples_nodejs_test.go
+++ b/examples/examples_nodejs_test.go
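Review bot: `TestAccCloudWatchOIDCAmbient` and `TestAccCloudWatchOIDCManual` run the same `cloudwatchOidcManual` program with identical options apart from `Env`, and the `TODO[pulumi/pulumi-aws#3193]` workaround is now copied into both, so a small helper returning the shared `integration.ProgramTestOptions` would keep the two from drifting. Neither function says what outcome it expects — which credential source the program under test is supposed to end up using — so a doc comment on each would help, e.g. `// TestAccCloudWatchOIDCManual runs the example with the job's static AWS_* credentials blanked, so the program must obtain credentials through its own OIDC configuration.` for the manual variant, assuming that is the intent. `TestAccCloudWatchOIDCAmbient` starts in the preceding hunk and ends here; `TestAccCloudWatchOIDCManual` is complete within this hunk, and the trailing `@@ -720` hunk is a gofmt alignment change only.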
@@ -210,9 +210,9 @@ func TestAccCloudWatchOIDCManual(t *testing.T) {
 AllowEmptyUpdateChanges: true,
 // Unset any ambient credentials.
 Env: []string{
- `AWS_ACCESS_KEY_ID=""`,
- `AWS_SECRET_ACCESS_KEY=""`,
- `AWS_SESSION_TOKEN=""`,
+ `AWS_ACCESS_KEY_ID=`,
+ `AWS_SECRET_ACCESS_KEY=`,
+ `AWS_SESSION_TOKEN=`,
 `AWS_REGION=` + os.Getenv("AWS_REGION"),
 },
 })
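Review bot: Exporting `AWS_ACCESS_KEY_ID=` and friends sets the variables to the empty string rather than unsetting them, so `// Unset any ambient credentials.` overstates what happens; this presumably works only because the SDKs involved treat an empty key as absent, which the comment should say, e.g. `// Blank (not unset) the static AWS_* credentials; the SDKs treat an empty value as absent.` The list also leaves every other credential source untouched — `AWS_PROFILE`, `AWS_SHARED_CREDENTIALS_FILE`, `AWS_ROLE_ARN`/`AWS_WEB_IDENTITY_TOKEN_FILE`, container and instance metadata — so a runner configured through any of those still hands the program working credentials and the "manual" path is never forced. If those are not the channel the example is meant to use, adding `` `AWS_PROFILE=` ``, `` `AWS_ROLE_ARN=` `` and `` `AWS_WEB_IDENTITY_TOKEN_FILE=` `` next to these three is cheap. Whether `ProgramTestOptions.Env` overrides or only appends to the inherited environment is not visible here; `os/exec` keeps the last duplicate, but that is worth confirming against the integration package. The enclosing function starts before this hunk.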