From 8f1c9a3af652e330d8078e802dcdac44623388ef Mon Sep 17 00:00:00 2001
From: arnol377
Date: Wed, 23 Apr 2025 13:49:17 -0400
Subject: [PATCH 1/2] this repo is now only concerned with building the image and the lambda function. No longer creating other infrastructure
---
 .github/workflows/build-lambda.yml | 33 +++++-
 backend.tf | 7 --
 buildspec.yml | 25 -----
 errors.txt | 103 ------------------
 .../github-actions-trust-policy.json | 20 ----
 infrastructure/main.tf | 99 -----------------
 infrastructure/outputs.tf | 14 ---
 infrastructure/providers.tf | 12 --
 infrastructure/variables.tf | 15 ---
 main.tf | 49 --------
 varfiles/default.tfvars | 2 +
 variables.tf | 29 -----
 12 files changed, 32 insertions(+), 376 deletions(-)
 delete mode 100644 backend.tf
 delete mode 100644 buildspec.yml
 delete mode 100644 errors.txt
 delete mode 100644 infrastructure/github-actions-trust-policy.json
 delete mode 100644 infrastructure/main.tf
 delete mode 100644 infrastructure/outputs.tf
 delete mode 100644 infrastructure/providers.tf
 delete mode 100644 infrastructure/variables.tf
 delete mode 100644 main.tf
 delete mode 100644 variables.tf
diff --git a/.github/workflows/build-lambda.yml b/.github/workflows/build-lambda.yml
index 591309a..e3f824d 100644
--- a/.github/workflows/build-lambda.yml
+++ b/.github/workflows/build-lambda.yml
@@ -23,12 +23,39 @@ jobs:
 uses: actions/checkout@v4
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: CSVD/aws-auth@main
+ id: aws_auth
 with:
- role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
- aws-region: ${{ vars.AWS_REGION }}
+ ecs: true
+
+ - name: Terraform Init and Apply
+ env:
+ AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }}
+ AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }}
+ AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }}
+ working-directory: ./infrastructure
+ run: |
+ terraform init
+ terraform apply -auto-approve
+
+ - name: Package Source Code
+ run: |
+ zip -r source.zip . -x ".git/*" ".github/*" "infrastructure/*"
+
+ - name: Upload to S3
+ env:
+ AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }}
+ AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }}
+ AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }}
+ run: |
+ BUCKET_NAME=$(cd infrastructure && terraform output -raw codebuild_source_bucket)
+ aws s3 cp source.zip s3://${BUCKET_NAME}/source.zip
 - name: Start CodeBuild Project
+ env:
+ AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }}
+ AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }}
+ AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }}
 run: |
 BUILD_ID=$(aws codebuild start-build --project-name eks-automation-lambda-builder --output text --query 'build.id')
 echo "Started build with ID: $BUILD_ID"
diff --git a/backend.tf b/backend.tf
deleted file mode 100644
index b41413b..0000000
--- a/backend.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-terraform {
- backend "gcs" {
- bucket = "hpw-terraform-state"
- prefix = "eks-automation-lambda"
- }
-}
-
diff --git a/buildspec.yml b/buildspec.yml
deleted file mode 100644
index e0ddb58..0000000
--- a/buildspec.yml
+++ /dev/null
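Review bot: The new `Upload to S3` step runs `terraform output -raw codebuild_source_bucket` inside `./infrastructure`, but this same commit deletes infrastructure/main.tf, outputs.tf, providers.tf and variables.tf, and the deleted outputs.tf declared only codebuild_project_name, codebuild_project_arn and iam_role_arn — so both the `Terraform Init and Apply` step and the bucket lookup will fail unless a replacement configuration exists outside this diff. Given the commit message says infrastructure is no longer created here, either drop those two steps or point them at the configuration that now owns that bucket. Separately, `uses: CSVD/aws-auth@main` is a floating branch reference for the action that mints the AWS credentials every later step consumes; pin it to a release tag or full commit SHA so a change on that branch cannot silently alter what runs with those credentials. The removed `aws-region` input is not replaced anywhere visible, so the `aws s3 cp` and `aws codebuild start-build` calls depend on the auth action also exporting a region — worth confirming. The `jobs:` block this hunk edits starts before and continues after the hunk.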
@@ -1,25 +0,0 @@
-version: 0.2
-
-phases:
- install:
- runtime-versions:
- python: 3.11
- commands:
- - curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
- - sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
- - sudo apt-get update && sudo apt-get install packer
-
- pre_build:
- commands:
- - echo "Initializing Packer plugins..."
- - packer init .
- - aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin $REPOSITORY_URI
-
- build:
- commands:
- - echo "Building the Lambda container image with Packer..."
- - packer build -var="repository_uri=$REPOSITORY_URI" packer.pkr.hcl
-
- post_build:
- commands:
- - echo "Build completed successfully!"
diff --git a/errors.txt b/errors.txt
deleted file mode 100644
index 53eb104..0000000
--- a/errors.txt
+++ /dev/null
@@ -1,103 +0,0 @@ -=================================== FAILURES =================================== -_______________ TestGitHubClientIntegration.test_file_operations _______________ -self = -integration_client = -temp_repo_name = 'temp-test-repo-fc9ad0f3' -cleanup_repo = ._register_repo at 0x7f6a6137dee0> -tmp_path = PosixPath('/tmp/pytest-of-runner/pytest-0/test_file_operations0') - def test_file_operations(self, integration_client, temp_repo_name, cleanup_repo, tmp_path): - """Test file operations with real repository""" - repo_name = cleanup_repo(temp_repo_name) - - # Create new repository - repo = integration_client.get_repository(repo_name, create=True) - - # Create a test file - test_content = { - "test": True, - "timestamp": datetime.utcnow().isoformat() - } - - # Write test content to work directory - work_dir = str(tmp_path) - os.makedirs(work_dir, exist_ok=True) - test_file = os.path.join(work_dir, "test-config.json") - - with open(test_file, "w") as f: - json.dump(test_content, f, indent=2) - - # Commit the file -> integration_client.commit_repository_contents( - repo_name, - work_dir, - "Test commit from integration tests" - ) -tests/test_github_client_integration.py:110: -_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ -app.py:446: in commit_repository_contents - blob_sha = self.create_blob(repo_name, file_content) -_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ -self = -repo_name = 'temp-test-repo-fc9ad0f3' -content = b'{\n "test": true,\n "timestamp": "2025-04-17T16:25:48.668975"\n}' - def create_blob(self, repo_name, content): - """Create a blob in the repository - - Args: - repo_name (str): Name of the repository - content (bytes): Content of the blob - - Returns: - str: SHA of the created blob - """ - api_url = f"{self.api_base_url}/repos/{self.org_name}/{repo_name}/git/blobs" - - # Base64 encode the content - content_b64 = base64.b64encode(content).decode('utf-8') - - data = { - 
"content": content_b64, - "encoding": "base64" - } - - response = requests.post(api_url, headers=self.headers, json=data, verify=False) - - if response.status_code in (201, 200): - return response.json()["sha"] - else: - error_message = f"Failed to create blob for {repo_name}: {response.status_code} - {response.text}" - logger.error(error_message) -> raise Exception(error_message) -E Exception: Failed to create blob for temp-test-repo-fc9ad0f3: 409 - {"message":"Git Repository is empty.","documentation_url":"https://docs.github.com/rest/git/blobs#create-a-blob","status":"409"} -app.py:256: Exception ------------------------------- Captured log call ------------------------------- -INFO root:app.py:81 Checking if repository temp-test-repo-fc9ad0f3 exists -INFO root:app.py:89 Creating repository temp-test-repo-fc9ad0f3 - "content": content_b64, - "encoding": "base64" - } - - response = requests.post(api_url, headers=self.headers, json=data, verify=False) - - if response.status_code in (201, 200): - return response.json()["sha"] - else: - error_message = f"Failed to create blob for {repo_name}: {response.status_code} - {response.text}" - logger.error(error_message) -> raise Exception(error_message) -E Exception: Failed to create blob for temp-test-repo-e0e2ba0e: 409 - {"message":"Git Repository is empty.","documentation_url":"https://docs.github.com/rest/git/blobs#create-a-blob","status":"409"} -app.py:256: Exception ------------------------------- Captured log call ------------------------------- -INFO root:app.py:81 Checking if repository temp-test-repo-e0e2ba0e exists -INFO root:app.py:89 Creating repository temp-test-repo-e0e2ba0e -ERROR root:app.py:255 Failed to create blob for temp-test-repo-e0e2ba0e: 409 - {"message":"Git Repository is empty.","documentation_url":"https://docs.github.com/rest/git/blobs#create-a-blob","status":"409"} -=============================== warnings summary =============================== -tests/test_github_client_integration.py: 14 
warnings - /opt/hostedtoolcache/Python/3.9.22/x64/lib/python3.9/site-packages/urllib3/connectionpool.py:1064: InsecureRequestWarning: Unverified HTTPS request is being made to host 'api.github.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings - warnings.warn( --- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html -=========================== short test summary info ============================ -FAILED tests/test_github_client_integration.py::TestGitHubClientIntegration::test_file_operations - Exception: Failed to create blob for temp-test-repo-fc9ad0f3: 409 - {"message":"Git Repository is empty.","documentation_url":"https://docs.github.com/rest/git/blobs#create-a-blob","status":"409"} -FAILED tests/test_github_client_integration.py::TestGitHubClientIntegration::test_branch_operations - Exception: Failed to create blob for temp-test-repo-e0e2ba0e: 409 - {"message":"Git Repository is empty.","documentation_url":"https://docs.github.com/rest/git/blobs#create-a-blob","status":"409"} -=========== 2 failed, 1 passed, 12 deselected, 14 warnings in 4.33s ============ -Error: Process completed with exit code 1. \ No newline at end of file diff --git a/infrastructure/github-actions-trust-policy.json b/infrastructure/github-actions-trust-policy.json deleted file mode 100644 index 684318a..0000000 --- a/infrastructure/github-actions-trust-policy.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com" - }, - "Action": "sts:AssumeRoleWithWebIdentity", - "Condition": { - "StringLike": { - "token.actions.githubusercontent.com:sub": "repo:${YOUR_GITHUB_ORG}/${YOUR_REPO_NAME}:*" - }, - "StringEquals": { - "token.actions.githubusercontent.com:aud": "sts.amazonaws.com" - } - } - } - ] -} 
diff --git a/infrastructure/main.tf b/infrastructure/main.tf
deleted file mode 100644
index 39b850a..0000000
--- a/infrastructure/main.tf
+++ /dev/null
@@ -1,99 +0,0 @@
-# IAM Role for CodeBuild
-resource "aws_iam_role" "codebuild" {
- name = "eks-automation-lambda-codebuild-role"
-
- assume_role_policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Action = "sts:AssumeRole"
- Effect = "Allow"
- Principal = {
- Service = "codebuild.amazonaws.com"
- }
- }
- ]
- })
-}
-
-# IAM Role Policy for CodeBuild
-resource "aws_iam_role_policy" "codebuild" {
- name = "eks-automation-lambda-codebuild-policy"
- role = aws_iam_role.codebuild.id
-
- policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Effect = "Allow"
- Resource = ["*"]
- Action = [
- "logs:CreateLogGroup",
- "logs:CreateLogStream",
- "logs:PutLogEvents"
- ]
- },
- {
- Effect = "Allow"
- Resource = ["*"]
- Action = [
- "ecr:GetAuthorizationToken",
- "ecr:BatchCheckLayerAvailability",
- "ecr:GetDownloadUrlForLayer",
- "ecr:BatchGetImage",
- "ecr:PutImage",
- "ecr:InitiateLayerUpload",
- "ecr:UploadLayerPart",
- "ecr:CompleteLayerUpload",
- "codebuild:StartBuild",
- "codebuild:BatchGetBuilds",
- "codebuild:StopBuild"
- ]
- },
- "ecr:CompleteLayerUpload"
- ]
- }
- ]
- })
-}
-
-# CodeBuild Project
-resource "aws_codebuild_project" "lambda_builder" {
- name = "eks-automation-lambda-builder"
- service_role = aws_iam_role.codebuild.arn
- build_timeout = "30"
-
- artifacts {
- type = "NO_ARTIFACTS"
- }
-
- environment {
- compute_type = "BUILD_GENERAL1_SMALL"
- image = "aws/codebuild/amazonlinux2-x86_64-standard:4.0"
- type = "LINUX_CONTAINER"
- image_pull_credentials_type = "CODEBUILD"
- privileged_mode = true
-
- environment_variable {
- name = "REPOSITORY_URI"
- value = var.repository_uri
- }
- }
-
- source {
- type = "GITHUB"
- location = var.github_repo_url
- git_clone_depth = 1
- buildspec = "buildspec.yml"
- }
-
- cache {
- type = "NO_CACHE"
- }
-
- logs_config {
- cloudwatch_logs {
- status = "ENABLED"
- }
- }
-}
diff --git a/infrastructure/outputs.tf b/infrastructure/outputs.tf
deleted file mode 100644
index 9d417b0..0000000
--- a/infrastructure/outputs.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-output "codebuild_project_name" {
- description = "Name of the CodeBuild project"
- value = aws_codebuild_project.lambda_builder.name
-}
-
-output "codebuild_project_arn" {
- description = "ARN of the CodeBuild project"
- value = aws_codebuild_project.lambda_builder.arn
-}
-
-output "iam_role_arn" {
- description = "ARN of the IAM role used by CodeBuild"
- value = aws_iam_role.codebuild.arn
-}
diff --git a/infrastructure/providers.tf b/infrastructure/providers.tf
deleted file mode 100644
index 3a69900..0000000
--- a/infrastructure/providers.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "~> 5.0"
- }
- }
-}
-
-provider "aws" {
- region = var.aws_region
-}
diff --git a/infrastructure/variables.tf b/infrastructure/variables.tf
deleted file mode 100644
index ad68078..0000000
--- a/infrastructure/variables.tf
+++ /dev/null
@@ -1,15 +0,0 @@
-variable "aws_region" {
- description = "AWS region where resources will be created"
- type = string
- default = "us-west-2"
-}
-
-variable "repository_uri" {
- description = "The URI of the ECR repository where the Lambda image will be pushed"
- type = string
-}
-
-variable "github_repo_url" {
- description = "The HTTPS clone URL of the GitHub repository"
- type = string
-}
diff --git a/main.tf b/main.tf
deleted file mode 100644
index baf5863..0000000
--- a/main.tf
+++ /dev/null
@@ -1,49 +0,0 @@
-provider "aws" {
- region = "us-east-1"
-}
-
-data "aws_caller_identity" "current" {}
-
-resource "aws_ecrpublic_repository" "eks-automation-lambda" {
- repository_name = "eks-automation-lambda"
-
- catalog_data {
- about_text = "EKS Automation Lambda Image"
- architectures = ["x86_64"]
- description = "Lambda container image for EKS automation"
- operating_systems = ["AmazonLinux2"]
- usage_text = "Creates an EKS Automation Lambda container image"
- }
-
- tags = {
- env = "production"
- }
-}
-
-locals {
- repository_uri = aws_ecrpublic_repository.eks-automation-lambda.repository_uri
- repository_id = aws_ecrpublic_repository.eks-automation-lambda.id
- aws_account_id = data.aws_caller_identity.current.account_id
- region = "us-east-1"
- arn = aws_ecrpublic_repository.eks-automation-lambda.arn
-}
-
-output "repository_uri" {
- value = local.repository_uri
-}
-
-output "repository_id" {
- value = local.repository_id
-}
-
-output "aws_account_id" {
- value = local.aws_account_id
-}
-
-output "region" {
- value = local.region
-}
-
-output "arn" {
- value = local.arn
-}
\ No newline at end of file
diff --git a/varfiles/default.tfvars b/varfiles/default.tfvars
index e69de29..d222f7e 100644
--- a/varfiles/default.tfvars
+++ b/varfiles/default.tfvars
@@ -0,0 +1,2 @@
+image_version="0.10.0"
+image_name="eks-automation-lambda"
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
deleted file mode 100644
index 7592d02..0000000
--- a/variables.tf
+++ /dev/null
@@ -1,29 +0,0 @@
-variable "github_api" {
- description = "URL for the GitHub Enterprise API"
- type = string
- default = "https://github.enterprise.example.com/api/v3"
-}
-
-variable "github_org_name" {
- description = "GitHub organization name"
- type = string
- default = "your-org"
-}
-
-variable "github_token_secret_name" {
- description = "AWS SSM parameter name for the GitHub token"
- type = string
- default = "/github/token"
-}
-
-variable "template_repo_name" {
- description = "GitHub repository name for the EKS template"
- type = string
- default = "template-eks-cluster"
-}
-
-variable "template_file_name" {
- description = "Template file name for the EKS configuration"
- type = string
- default = "eks.hcl.j2"
-}
\ No newline at end of file
From da1237f4850553d97b5084eb59efa592725873a2 Mon Sep 17 00:00:00 2001
From: David John Arnold Jr
Date: Thu, 24 Apr 2025 12:47:54 -0700
Subject: [PATCH 2/2] Create gh-token.yml
---
 .github/workflows/gh-token.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 .github/workflows/gh-token.yml
diff --git a/.github/workflows/gh-token.yml b/.github/workflows/gh-token.yml
new file mode 100644
index 0000000..f7e1c7c
--- /dev/null
+++ b/.github/workflows/gh-token.yml
@@ -0,0 +1,19 @@
+name: GitHub Token Refresh
+
+on:
+ schedule:
+ - cron: '*/5 * * * *' # Runs every 5 minutes
+ workflow_dispatch: # Allows manual triggering
+
+jobs:
+ refresh-token:
+ name: Refresh GitHub Token
+ uses: CSVD/centralized-actions/.github/workflows/upload-github-token.yml@main
+ with:
+ aws_region: 'us-gov-west-1'
+ secret_name: '/eks-cluster-deployment/github_token' # This matches the SECRET_NAME in app.py
+ github_app_id: ${{ vars.GH_APP_ID }}
+ github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }}
+ use_ecs_credentials: true
+ secrets:
+ github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }}
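Review bot: The `uses:` line references the reusable workflow as `CSVD/centralized-actions/.github/workflows/upload-github-token.yml@main` while handing it the GitHub App private key through `secrets.GH_APP_PEM_FILE`; a floating branch reference means whoever can push to that branch controls the code that receives the key, so pin it to a release tag or a full commit SHA, e.g. `uses: CSVD/centralized-actions/.github/workflows/upload-github-token.yml@<PINNED_COMMIT_SHA>`. The `*/5 * * * *` schedule re-mints and re-uploads a token every five minutes; GitHub App installation tokens are valid for roughly an hour and scheduled triggers are the most frequently delayed, so a longer interval is likely sufficient and cuts the write traffic to the secret. The caller job declares no `permissions:` block, so the called workflow inherits the repository's default GITHUB_TOKEN scope; adding `permissions: contents: read` (or `permissions: {}` if the callee needs nothing) keeps that least-privilege. The comment `# This matches the SECRET_NAME in app.py` cannot be checked from this diff, and the `github_token_secret_name` default deleted in the previous patch was `/github/token`, so confirm the name the consumer actually reads before relying on the comment.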