Image: Agent - duplocloud-docker #69
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: 'Image: Agent - duplocloud-docker' | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| image_version: | |
| description: 'Set the image version' | |
| required: false | |
| default: 'dev' # default to dev version | |
| only_partition: | |
| description: 'Only build this partition' | |
| required: false | |
| default: 'all' | |
| only_builders: | |
| description: 'Only run these builders' | |
| required: false | |
| default: 'all' | |
| env: | |
| git_user: duplo-bot | |
| git_email: [email protected] | |
| duplo_host: https://prod.duplocloud.net | |
| duplo_token: "${{ secrets.PROD_DUPLO_TOKEN }}" | |
| jobs: | |
| build-commercial: | |
| if: "${{ github.event.inputs.only_partition == 'all' || github.event.inputs.only_partition == 'commercial' }}" | |
| # Needed for GCP (OIDC): Add "id-token" with the intended permissions. | |
| permissions: | |
| contents: 'read' | |
| id-token: 'write' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| # GCP credentials | |
| - name: Packer GCP Service Account | |
| uses: google-github-actions/auth@v2 | |
| with: | |
| workload_identity_provider: 'projects/17033121890/locations/global/workloadIdentityPools/duplo-githubactions/providers/duplo-githubactions' | |
| service_account: '[email protected]' | |
| # AWS credentials | |
| - name: Packer AWS Role | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }} | |
| aws-session-token: ${{ env.AWS_SESSION_TOKEN }} | |
| aws-region: us-west-2 | |
| role-to-assume: arn:aws:iam::227120241369:role/packer-builder | |
| role-session-name: github-duplocloud-linuxagent | |
| role-duration-seconds: 3600 | |
| role-skip-session-tagging: true | |
| # Build images | |
| - name: Build VM Images | |
| run: | | |
| set -eu | |
| # Install session manager. | |
| curl -o session-manager-plugin.deb "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb" | |
| sudo dpkg -i session-manager-plugin.deb | |
| # Install packer. | |
| curl -o packer.zip https://releases.hashicorp.com/packer/1.8.6/packer_1.8.6_linux_amd64.zip | |
| mkdir -p /tmp/bin | |
| sudo unzip -d /tmp/bin packer.zip | |
| export PATH="/tmp/bin:$PATH" | |
| # Validate the template. | |
| packer validate -syntax-only ./packer | |
| # Parse build options. | |
| if [ "$ONLY_BUILDERS" = "all" ]; then | |
| ONLY_BUILDERS="" | |
| elif [ -n "$ONLY_BUILDERS" ]; then | |
| ONLY_BUILDERS="-only=$ONLY_BUILDERS" | |
| fi | |
| # Validate the AWS settings in the target account | |
| # Without this check, we have wasted hours building an AMI only for it to fail at the end due to the encryption settings. | |
| # If this check fails the build - it means that your build would have failed or your AMI would have been unsharable. | |
| # | |
| for region in us-east-1 us-east-2 us-west-1 us-west-2 ca-central-1 eu-west-2 ap-northeast-1 ap-south-1 | |
| do | |
| encryption_enabled="$(aws ec2 get-ebs-encryption-by-default --region=$region | jq -r .EbsEncryptionByDefault)" | |
| if [ "$encryption_enabled" = "true" ] | |
| then | |
| echo "EBS Encryption by Default MUST NOT BE ENABLED - STOPPING BUILD" 1>&2 | |
| exit 1 | |
| fi | |
| done | |
| # Build the images. | |
| rm -f packer-manifest.json # always be clean | |
| packer build $ONLY_BUILDERS \ | |
| -color=false -on-error=cleanup -parallel-builds=10 -timestamp-ui \ | |
| ./packer | |
| env: | |
| ONLY_BUILDERS: "${{ github.event.inputs.only_builders }}" | |
| PKR_VAR_image_version: "${{ github.event.inputs.image_version }}" | |
| PKR_VAR_agent_git_ref: "${{ github.sha }}" | |
| # Upload the image manifest | |
| - name: Attach Manifest | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: packer-manifest.json | |
| path: packer-manifest.json | |
| build-govcloud: | |
| if: "${{ github.event.inputs.only_partition == 'all' || github.event.inputs.only_partition == 'govcloud' }}" | |
| runs-on: ubuntu-latest | |
| env: | |
| duplo_host: https://qa-govcloud.duplocloud.net | |
| duplo_token: "${{ secrets.GOVCLOUD_DUPLO_TOKEN }}" | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| # AWS credentials | |
| - name: Tenant AWS JIT | |
| uses: duplocloud/ghactions-aws-jit@master | |
| with: | |
| tenant: github | |
| # AWS credentials | |
| - name: Packer AWS Role | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }} | |
| aws-session-token: ${{ env.AWS_SESSION_TOKEN }} | |
| aws-region: us-gov-west-1 | |
| role-to-assume: arn:aws-us-gov:iam::051848153245:role/packer-builder | |
| role-session-name: github-duplocloud-linuxagent | |
| role-chaining: true | |
| role-duration-seconds: 3600 | |
| role-skip-session-tagging: true | |
| # Build images | |
| - name: Build VM Images | |
| run: | | |
| set -eu | |
| # Install session manager. | |
| curl -o session-manager-plugin.deb "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb" | |
| sudo dpkg -i session-manager-plugin.deb | |
| # Install packer. | |
| curl -o packer.zip https://releases.hashicorp.com/packer/1.8.6/packer_1.8.6_linux_amd64.zip | |
| mkdir -p /tmp/bin | |
| sudo unzip -d /tmp/bin packer.zip | |
| export PATH="/tmp/bin:$PATH" | |
| # Validate the template. | |
| packer validate -syntax-only ./packer | |
| # Parse build options. | |
| if [ "$ONLY_BUILDERS" = "all" ]; then | |
| ONLY_BUILDERS="-except=amazon-ebs.ubuntu-18,googlecompute.ubuntu-20,googlecompute.ubuntu-22" | |
| elif [ -n "$ONLY_BUILDERS" ]; then | |
| ONLY_BUILDERS="-only=$ONLY_BUILDERS" | |
| fi | |
| # Validate the AWS settings in the target account | |
| # Without this check, we have wasted hours building an AMI only for it to fail at the end due to the encryption settings. | |
| # If this check fails the build - it means that your build would have failed or your AMI would have been unsharable. | |
| # | |
| for region in us-gov-west-1 us-gov-east-1 | |
| do | |
| encryption_enabled="$(aws ec2 get-ebs-encryption-by-default --region=$region | jq -r .EbsEncryptionByDefault)" | |
| if [ "$encryption_enabled" = "true" ] | |
| then | |
| echo "EBS Encryption by Default MUST NOT BE ENABLED - STOPPING BUILD" 1>&2 | |
| exit 1 | |
| fi | |
| done | |
| # Build the images. | |
| rm -f *packer-manifest.json # always be clean | |
| packer build $ONLY_BUILDERS \ | |
| -color=false -on-error=cleanup -parallel-builds=10 -timestamp-ui \ | |
| -var-file=packer/duplo-gov.json \ | |
| ./packer | |
| mv packer-manifest.json govcloud-packer-manifest.json | |
| env: | |
| ONLY_BUILDERS: "${{ github.event.inputs.only_builders }}" | |
| PKR_VAR_image_version: "${{ github.event.inputs.image_version }}" | |
| PKR_VAR_agent_git_ref: "${{ github.sha }}" | |
| # Upload the image manifest | |
| - name: Attach Manifest | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: govcloud-packer-manifest.json | |
| path: govcloud-packer-manifest.json | |
| # If this is a release build, create a PR to update Duplo | |
| autoupdate-duplo-images: | |
| runs-on: ubuntu-latest | |
| if: "${{ startsWith(github.event.inputs.image_version, 'release-') && github.event.inputs.only_partition == 'all' }}" | |
| needs: | |
| - build-commercial | |
| - build-govcloud | |
| steps: | |
| # Get the code for the image JSON generation, and the code for Duplo master. | |
| - name: Checkout duplo-infra | |
| uses: actions/checkout@v4 | |
| - name: Checkout duplo (backend) | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: duplocloud-internal/duplo | |
| ref: master # always start from master | |
| token: ${{ secrets.RELEASE_BOT_GITHUB_TOKEN }} | |
| path: duplo-backend | |
| # Download the image manifest | |
| - name: Download Manifest (Commercial) | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: packer-manifest.json | |
| path: packer | |
| - name: Download Manifest (Govcloud) | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: govcloud-packer-manifest.json | |
| path: packer | |
| # Run the script to generate new image JSON. | |
| - name: Update duplo images JSON | |
| run: | | |
| git config core.autocrlf false | |
| cd packer | |
| INPUT_FILES='packer-manifest.json govcloud-packer-manifest.json' DUPLO_SOURCE=../duplo-backend ./gen-native-images.sh | |
| # Create a PR | |
| - name: Create Pull Request | |
| uses: peter-evans/create-pull-request@v4 | |
| with: | |
| title: '[duplo-bot] Update Duplo Docker AMI(s)' | |
| branch: auto-update/duplo-docker-amis | |
| base: master | |
| add-paths: config/V1/BuiltInNativeImages.json | |
| commit-message: '[duplo-bot] Update Duplo Docker AMI(s)' | |
| body: 'Automated update of Duplo Docker AMI(s)' | |
| committer: "${{ env.git_user }} <${{ env.git_email }}>" | |
| delete-branch: true | |
| path: duplo-backend | |
| token: ${{ secrets.RELEASE_BOT_GITHUB_TOKEN }} |