UID2-3366 Build ami in operator repo (#610)
* Adding packer files to build ami * Build euid for testing * Change path to action * added git checkout * Try download artifact * change name of artifact * Testing file name * download all * Added github_token input * Pass token to action * add file name * add AWS role request * move role request to action * add write id-token * change working folder * adding some logging * move the files * create directory first * setup packer * added ansible to plugins * changed vpc * [CI Pipeline] Released Patch version: 5.32.4 * [CI Pipeline] Released Patch version: 5.32.10 * [CI Pipeline] Released Patch version: 5.32.12 * [CI Pipeline] Released Patch version: 5.32.16 * [CI Pipeline] Released Patch version: 5.32.19 * [CI Pipeline] Released Patch version: 5.32.22 * [CI Pipeline] Released Patch version: 5.32.25 * [CI Pipeline] Released Patch version: 5.32.28 * Adding the ability to disable CSTG key * Resolve conflicts * Update actions and workflow to match the latest version in aws-operator-building repo * Fix conflicts with main * Update working-directory to ./scripts/aws/uid2-operator-ami * Make workflow run on ubuntu instead of self-host runner * Fix paths for actions * Use the correct token credential * Add env for `repo_owner` and `repo_name` * Config aws auth * Add steps to build EUID and collect artifacts * Add EUID AWS credentials * Revert changes to match main * Specify ansible version to 9.6.1 * Move role and region to env variable * Change default value for `save_ami` to `true` * Fix naming for AMI artifacts * Add ls statement to print out files in folder * Remove pre and post cleanup * Remove unused `DOWNLOAD_PATH_OLD` * Change custom branch to main --------- Co-authored-by: Thomas Manson <thomas.manson@thetradedesk.com> Co-authored-by: Release Workflow <unifiedid-admin+release@thetradedesk.com> Co-authored-by: Cody Constine <cody.constine@thetradedesk.com>
1 parent
bc9fca3
commit fc22065
Showing
11 changed files
with
764 additions
and
1 deletion.
@@ -0,0 +1,191 @@ | ||
name: Build AMI | ||
description: Builds the AMI for AWS private operators | ||
|
||
inputs: | ||
identity_scope: | ||
description: The identity scope [uid2, euid] | ||
required: true | ||
github_token: | ||
description: The GITHUB token to use to get the EIF | ||
required: true | ||
eif_repo_owner: | ||
description: The owner of the EIF repo | ||
required: true | ||
eif_repo_name: | ||
description: The name of the EIF repo | ||
required: true | ||
operator_release: | ||
description: The operator release that has the EIF to use | ||
default: '' | ||
operator_branch: | ||
description: The Operator Branch to build from | ||
default: main | ||
operator_run_number: | ||
description: The Operator run number for artifacts. Ignored if Operator Release is given | ||
save_ami: | ||
description: Save the AMIs as a build artifact. | ||
default: true | ||
uid2_aws_role: | ||
description: The AWS role to assume for UID2 | ||
required: true | ||
uid2_aws_region: | ||
description: The UID2 AWS region to upload AMI to | ||
required: true | ||
euid_aws_role: | ||
description: The AWS role to assume for EUID | ||
required: true | ||
euid_aws_region: | ||
description: The EUID AWS region to upload AMI to | ||
required: true | ||
|
||
outputs: | ||
version_number: | ||
description: The version number set in IABTechLab/uid2-operator pom.xml. | ||
value: ${{ steps.versionNumber.outputs.version_number }} | ||
|
||
runs: | ||
using: "composite" | ||
|
||
steps: | ||
- name: Show Context | ||
shell: bash | ||
run: | | ||
printenv | ||
echo "$GITHUB_CONTEXT" | ||
env: | ||
GITHUB_CONTEXT: ${{ toJson(github) }} | ||
|
||
- name: Checkout full history | ||
uses: actions/checkout@v4 | ||
|
||
- name: Get EIF for Release ${{ inputs.operator_release }} | ||
uses: IABTechLab/uid2-operator/.github/actions/download_release_artifact@main | ||
if: ${{ inputs.operator_release != '' }} | ||
with: | ||
github_token: ${{ inputs.github_token }} | ||
repo_owner: ${{ inputs.eif_repo_owner }} | ||
repo_name: ${{ inputs.eif_repo_name }} | ||
release_name: ${{ inputs.operator_release }} | ||
artifact_name: aws-${{ inputs.identity_scope }}-deployment-files | ||
folder: ./scripts/aws/uid2-operator-ami/artifacts | ||
|
||
- name: Get EIF for Run ${{ inputs.operator_run_number }} | ||
id: get_eif_for_run | ||
uses: actions/download-artifact@v4 | ||
if: ${{ inputs.operator_release == '' }} | ||
with: | ||
github_token: ${{ inputs.github_token }} | ||
repo: IABTechLab/uid2-operator | ||
name: 'aws-${{ inputs.identity_scope }}-deployment-files-.*' | ||
name_is_regexp: true | ||
run_id: ${{ inputs.operator_run_number }} | ||
skip_unpack: true | ||
path: ./download/artifacts | ||
|
||
- name: Unzip artifacts | ||
if: ${{ inputs.operator_release == '' }} | ||
shell: bash | ||
run: | | ||
ARTIFACTS='${{ steps.get_eif_for_run.outputs.artifacts }}' | ||
FILE=$(echo $ARTIFACTS | jq -r '.[0].name') | ||
unzip -o -d ./scripts/aws/uid2-operator-ami/artifacts $FILE.zip | ||
rm $FILE.zip | ||
- name: Configure UID2 AWS credentials | ||
uses: aws-actions/configure-aws-credentials@v4 | ||
if: ${{ inputs.identity_scope == 'uid2' }} | ||
with: | ||
aws-region: ${{ inputs.uid2_aws_region }} | ||
role-to-assume: ${{ inputs.uid2_aws_role }} | ||
|
||
- name: Configure EUID AWS credentials | ||
uses: aws-actions/configure-aws-credentials@v4 | ||
if: ${{ inputs.identity_scope == 'euid' }} | ||
with: | ||
aws-region: ${{ inputs.euid_aws_region }} | ||
role-to-assume: ${{ inputs.euid_aws_role }} | ||
|
||
- name: Show AWS Identity | ||
shell: bash | ||
run: | | ||
aws sts get-caller-identity | ||
- name: Get version number | ||
id: versionNumber | ||
shell: bash | ||
working-directory: ./scripts/aws/uid2-operator-ami | ||
run: | | ||
ls -al | ||
VERSION_NUMBER=$(cat ./artifacts/version_number.txt) | ||
echo "VERSION_NUMBER=$VERSION_NUMBER" >> $GITHUB_OUTPUT | ||
echo $VERSION_NUMBER | ||
- name: Setup Packer | ||
id: setup-packer | ||
uses: hashicorp/setup-packer@main | ||
|
||
- name: Create AMI | ||
shell: bash | ||
working-directory: ./scripts/aws/uid2-operator-ami | ||
run: | | ||
ls -al | ||
TIMESTAMP=$(date +%s) | ||
echo "TIMESTAMP=$TIMESTAMP" >> $GITHUB_OUTPUT | ||
packer init . | ||
packer build \ | ||
-var "version=${{ steps.versionNumber.outputs.VERSION_NUMBER }}" \ | ||
-var "timestamp=$TIMESTAMP" \ | ||
-var-file="${{ inputs.identity_scope }}.pkrvars.hcl" \ | ||
-debug \ | ||
. | ||
- name: Extract AMI ID | ||
id: extractAmiId | ||
shell: bash | ||
working-directory: ./scripts/aws/uid2-operator-ami | ||
run: | | ||
AMI_ID=$(jq -r '.builds[-1].artifact_id' manifest.json | cut -d ":" -f2) | ||
echo "AMI_ID=$AMI_ID" >> $GITHUB_OUTPUT | ||
echo $AMI_ID | ||
- name: Persist UID2 enclave and AMI IDs | ||
if: ${{ inputs.identity_scope == 'uid2' }} | ||
shell: bash | ||
working-directory: ./scripts/aws/uid2-operator-ami | ||
run: | | ||
touch uid2_AMI_measurement.txt | ||
echo "Enclave ID: $(cat ./artifacts/pcr0.txt)" >> uid2_AMI_measurement.txt | ||
echo "AMI ID: " ${{ steps.extractAmiId.outputs.AMI_ID }} >> uid2_AMI_measurement.txt | ||
echo "uid2_AMI_measurement.txt Contents:" | ||
cat uid2_AMI_measurement.txt | ||
ls -al | ||
- name: Copy AMI to us-east-1 | ||
id: euidCopyAmi | ||
if: ${{ inputs.identity_scope == 'euid' }} | ||
shell: bash | ||
working-directory: ./scripts/aws/uid2-operator-ami | ||
run: | | ||
US_EAST_AMI_ID=$(aws ec2 copy-image --region us-east-1 --source-region eu-central-1 --source-image-id ${{ steps.extractAmiId.outputs.AMI_ID }} --name euid-operator-${{ steps.versionNumber.outputs.VERSION_NUMBER }}-${{ steps.createAMI.outputs.TIMESTAMP }} --output text) | ||
echo "US_EAST_1_AMI_ID=$US_EAST_AMI_ID" >> $GITHUB_OUTPUT | ||
echo $US_EAST_AMI_ID | ||
- name: Persist EUID enclave and AMI IDs | ||
if: ${{ inputs.identity_scope == 'euid' }} | ||
shell: bash | ||
working-directory: ./scripts/aws/uid2-operator-ami | ||
run: | | ||
touch euid_AMI_measurement.txt | ||
echo "Enclave ID: $(cat ./artifacts/pcr0.txt)" >> euid_AMI_measurement.txt | ||
echo "eu-central-1 AMI ID:" ${{ steps.extractAmiId.outputs.AMI_ID }} >> euid_AMI_measurement.txt | ||
echo "us-east-1 AMI ID:" ${{ steps.euidCopyAmi.outputs.US_EAST_1_AMI_ID }} >> euid_AMI_measurement.txt | ||
echo "euid_AMI_measurement.txt contents" | ||
cat euid_AMI_measurement.txt | ||
ls -al | ||
- name: Upload artifacts | ||
uses: actions/upload-artifact@v4 | ||
if: ${{ inputs.save_ami == 'true' }} | ||
with: | ||
name: ${{ inputs.identity_scope }}_AMI_measurement | ||
path: ./scripts/aws/uid2-operator-ami/${{ inputs.identity_scope }}_AMI_measurement.txt |
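Review bot: The EUID copy step names the us-east-1 image with `${{ steps.createAMI.outputs.TIMESTAMP }}`, but no step declares `id: createAMI` — the "Create AMI" step writes `TIMESTAMP` to `$GITHUB_OUTPUT` without an `id:`, so the expression expands to empty and the copied AMI is named `euid-operator-<version>-` with a trailing dash; add `id: createAMI` directly under `- name: Create AMI`. The "Show Context" step prints `printenv` and `toJson(github)` to the job log; GitHub masks registered secrets, but any sensitive value that reaches the runner environment without being registered as a secret is exposed, so this step should be removed or reduced before the action is used for release builds. `packer build -debug` is also a debugging aid rather than a release setting — per Packer's documentation, debug mode saves the builder's temporary SSH private key as a `.pem` in the working directory for the Amazon builders — and dropping `-debug` avoids leaving it on the runner. `hashicorp/setup-packer@main` and `IABTechLab/uid2-operator/.github/actions/download_release_artifact@main` are mutable refs; pinning both to a tag or commit SHA keeps the AMI build reproducible and reviewable. The "Unzip artifacts" step splices `${{ steps.get_eif_for_run.outputs.artifacts }}` into a single-quoted bash literal and then expands `$ARTIFACTS` and `$FILE` unquoted; passing the JSON through `env:` and quoting `"$FILE.zip"` avoids a quote or space in an artifact name breaking out of the literal.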
@@ -0,0 +1,83 @@ | ||
name: Download Release Artifact | ||
description: Downloads an artifact from a release | ||
|
||
inputs: | ||
github_token: | ||
description: The GITHUB_TOKEN to use for the target repo | ||
required: false | ||
repo_owner: | ||
description: The owner of the target repo | ||
required: true | ||
repo_name: | ||
description: The name of the target repo | ||
required: true | ||
release_name: | ||
description: The release name that contains the aritfact | ||
required: true | ||
artifact_name: | ||
description: The name of the artifact. Can be a partial name | ||
required: true | ||
folder: | ||
description: The folder to download the artifact to and then unpack | ||
required: true | ||
|
||
runs: | ||
using: "composite" | ||
|
||
steps: | ||
- name: Get Artifact Ids | ||
id: get_asset_id | ||
uses: actions/github-script@v7 | ||
with: | ||
github-token: ${{ inputs.github_token }} | ||
result-encoding: string | ||
script: | | ||
let allReleases = await github.rest.repos.listReleases({ | ||
owner: '${{ inputs.repo_owner }}', | ||
repo: '${{ inputs.repo_name }}' | ||
}) | ||
assetUrl = "" | ||
let matchedReleases = allReleases.data.filter((release) => { | ||
return release.name == "${{ inputs.release_name }}" | ||
}) | ||
if (matchedReleases.length == 0) { | ||
core.setFailed('Unable to find release: ' + '${{ inputs.release_name }}' ); | ||
} else { | ||
let matchedRelease = matchedReleases[0]; | ||
let releaseId = matchedRelease.id; | ||
console.log('Release Id:' + releaseId); | ||
let assets = matchedRelease.assets.filter((asset) => { | ||
return asset.name.includes('${{ inputs.artifact_name }}') | ||
}); | ||
if (assets.length == 0) { | ||
core.setFailed('Unable to find asset in release'); | ||
} else { | ||
let asset = assets[0]; | ||
console.log('Asset:'); | ||
console.log(asset); | ||
assetUrl = asset.url | ||
} | ||
return assetUrl | ||
} | ||
- name: Download Assets | ||
shell: bash | ||
run: | | ||
echo 'Asset URL: ${{ steps.get_asset_id.outputs.result }}' | ||
mkdir -p ./${{ inputs.folder }} | ||
DOWNLOAD_PATH=${{ steps.get_asset_id.outputs.result }} | ||
echo $DOWNLOAD_PATH | ||
curl -L -H "Accept: application/octet-stream" \ | ||
-H "Authorization: Bearer ${{ inputs.github_token }}" \ | ||
-o "./${{ inputs.folder }}/${{ inputs.artifact_name }}.zip" \ | ||
$DOWNLOAD_PATH | ||
- name: Unzip artifacts | ||
shell: bash | ||
run: | | ||
unzip -o -d './${{ inputs.folder }}' './${{ inputs.folder }}/${{ inputs.artifact_name }}.zip' | ||
rm './${{ inputs.folder }}/${{ inputs.artifact_name }}.zip' |
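Review bot: The inputs are spliced straight into JavaScript and shell string literals — `return release.name == "${{ inputs.release_name }}"`, `asset.name.includes('${{ inputs.artifact_name }}')` and `-o "./${{ inputs.folder }}/${{ inputs.artifact_name }}.zip"` — so a value containing a quote or `$(` terminates the literal and is executed in the github-script or bash step; pass them through `env:` (e.g. `RELEASE_NAME: ${{ inputs.release_name }}`) and read `process.env.RELEASE_NAME` in the script and `"$FOLDER"`/`"$ARTIFACT_NAME"` in the shell instead. The same applies to `-H "Authorization: Bearer ${{ inputs.github_token }}"`, which renders the token into the generated script rather than reading it from an environment variable. `github.rest.repos.listReleases` returns only the first page of releases, so a release older than that page fails with 'Unable to find release' even though it exists; `github.paginate(github.rest.repos.listReleases, {...})` returns all of them. `curl` runs without `--fail`, so an HTTP error body (expired token, wrong repo) is saved as the `.zip` and only surfaces when `unzip` rejects it; add `--fail` so the download step itself fails with the HTTP status. Nothing checks the downloaded asset against a checksum or signature before it is unpacked and baked into the AMI — if the release publishes one, this step is the natural place to verify it.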