Skip to content

Image: Agent - duplocloud-docker #64

Image: Agent - duplocloud-docker

Image: Agent - duplocloud-docker #64

Workflow file for this run

name: 'Image: Agent - duplocloud-docker'
on:
workflow_dispatch:
inputs:
image_version:
description: 'Set the image version'
required: false
default: 'dev' # default to dev version
only_partition:
description: 'Only build this partition'
required: false
default: 'all'
only_builders:
description: 'Only run these builders'
required: false
default: 'all'
env:
git_user: duplo-bot
git_email: [email protected]
duplo_host: https://prod.duplocloud.net
duplo_token: "${{ secrets.PROD_DUPLO_TOKEN }}"
jobs:
build-commercial:
if: "${{ github.event.inputs.only_partition == 'all' || github.event.inputs.only_partition == 'commercial' }}"
# Needed for GCP (OIDC): Add "id-token" with the intended permissions.
permissions:
contents: 'read'
id-token: 'write'
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
# GCP credentials
- name: Packer GCP Service Account
uses: google-github-actions/auth@v0
with:
workload_identity_provider: 'projects/17033121890/locations/global/workloadIdentityPools/duplo-githubactions/providers/duplo-githubactions'
service_account: '[email protected]'
# AWS credentials
- name: Packer AWS Role
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
aws-region: us-west-2
role-to-assume: arn:aws:iam::227120241369:role/packer-builder
role-session-name: github-duplocloud-linuxagent
role-duration-seconds: 3600
role-skip-session-tagging: true
# Build images
- name: Build VM Images
run: |
set -eu
# Install session manager.
curl -o session-manager-plugin.deb "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb"
sudo dpkg -i session-manager-plugin.deb
# Install packer.
curl -o packer.zip https://releases.hashicorp.com/packer/1.8.6/packer_1.8.6_linux_amd64.zip
mkdir -p /tmp/bin
sudo unzip -d /tmp/bin packer.zip
export PATH="/tmp/bin:$PATH"
# Validate the template.
packer validate -syntax-only ./packer
# Parse build options.
if [ "$ONLY_BUILDERS" = "all" ]; then
ONLY_BUILDERS=""
elif [ -n "$ONLY_BUILDERS" ]; then
ONLY_BUILDERS="-only=$ONLY_BUILDERS"
fi
# Validate the AWS settings in the target account
# Without this check, we have wasted hours building an AMI only for it to fail at the end due to the encryption settings.
# If this check fails the build - it means that your build would have failed or your AMI would have been unsharable.
#
for region in us-east-1 us-east-2 us-west-1 us-west-2 ca-central-1 eu-west-2 ap-northeast-1 ap-south-1
do
encryption_enabled="$(aws ec2 get-ebs-encryption-by-default --region=$region | jq -r .EbsEncryptionByDefault)"
if [ "$encryption_enabled" = "true" ]
then
echo "EBS Encryption by Default MUST NOT BE ENABLED - STOPPING BUILD" 1>&2
exit 1
fi
done
# Build the images.
rm -f packer-manifest.json # always be clean
packer build $ONLY_BUILDERS \
-color=false -on-error=cleanup -parallel-builds=10 -timestamp-ui \
./packer
env:
ONLY_BUILDERS: "${{ github.event.inputs.only_builders }}"
PKR_VAR_image_version: "${{ github.event.inputs.image_version }}"
PKR_VAR_agent_git_ref: "${{ github.sha }}"
# Upload the image manifest
- name: Attach Manifest
uses: actions/upload-artifact@v3
with:
name: packer-manifest.json
path: packer-manifest.json
build-govcloud:
if: "${{ github.event.inputs.only_partition == 'all' || github.event.inputs.only_partition == 'govcloud' }}"
runs-on: ubuntu-latest
env:
duplo_host: https://qa-govcloud.duplocloud.net
duplo_token: "${{ secrets.GOVCLOUD_DUPLO_TOKEN }}"
steps:
- name: Checkout
uses: actions/checkout@v3
# AWS credentials
- name: Tenant AWS JIT
uses: duplocloud/ghactions-aws-jit@master
with:
tenant: github
# AWS credentials
- name: Packer AWS Role
uses: aws-actions/configure-aws-credentials@v2
with:
aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
aws-region: us-gov-west-1
role-to-assume: arn:aws-us-gov:iam::051848153245:role/packer-builder
role-session-name: github-duplocloud-linuxagent
role-chaining: true
role-duration-seconds: 3600
role-skip-session-tagging: true
# Build images
- name: Build VM Images
run: |
set -eu
# Install session manager.
curl -o session-manager-plugin.deb "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb"
sudo dpkg -i session-manager-plugin.deb
# Install packer.
curl -o packer.zip https://releases.hashicorp.com/packer/1.8.6/packer_1.8.6_linux_amd64.zip
mkdir -p /tmp/bin
sudo unzip -d /tmp/bin packer.zip
export PATH="/tmp/bin:$PATH"
# Validate the template.
packer validate -syntax-only ./packer
# Parse build options.
if [ "$ONLY_BUILDERS" = "all" ]; then
ONLY_BUILDERS="-except=amazon-ebs.ubuntu-18,googlecompute.ubuntu-20,googlecompute.ubuntu-22"
elif [ -n "$ONLY_BUILDERS" ]; then
ONLY_BUILDERS="-only=$ONLY_BUILDERS"
fi
# Validate the AWS settings in the target account
# Without this check, we have wasted hours building an AMI only for it to fail at the end due to the encryption settings.
# If this check fails the build - it means that your build would have failed or your AMI would have been unsharable.
#
for region in us-gov-west-1 us-gov-east-1
do
encryption_enabled="$(aws ec2 get-ebs-encryption-by-default --region=$region | jq -r .EbsEncryptionByDefault)"
if [ "$encryption_enabled" = "true" ]
then
echo "EBS Encryption by Default MUST NOT BE ENABLED - STOPPING BUILD" 1>&2
exit 1
fi
done
# Build the images.
rm -f *packer-manifest.json # always be clean
packer build $ONLY_BUILDERS \
-color=false -on-error=cleanup -parallel-builds=10 -timestamp-ui \
-var-file=packer/duplo-gov.json \
./packer
mv packer-manifest.json govcloud-packer-manifest.json
env:
ONLY_BUILDERS: "${{ github.event.inputs.only_builders }}"
PKR_VAR_image_version: "${{ github.event.inputs.image_version }}"
PKR_VAR_agent_git_ref: "${{ github.sha }}"
# Upload the image manifest
- name: Attach Manifest
uses: actions/upload-artifact@v3
with:
name: govcloud-packer-manifest.json
path: govcloud-packer-manifest.json
# If this is a release build, create a PR to update Duplo
autoupdate-duplo-images:
runs-on: ubuntu-latest
if: "${{ startsWith(github.event.inputs.image_version, 'release-') && github.event.inputs.only_partition == 'all' }}"
needs:
- build-commercial
- build-govcloud
steps:
# Get the code for the image JSON generation, and the code for Duplo master.
- name: Checkout duplo-infra
uses: actions/checkout@v3
- name: Checkout duplo (backend)
uses: actions/checkout@v3
with:
repository: duplocloud-internal/duplo
ref: master # always start from master
token: ${{ secrets.RELEASE_BOT_GITHUB_TOKEN }}
path: duplo-backend
# Download the image manifest
- name: Download Manifest (Commercial)
uses: actions/download-artifact@v3
with:
name: packer-manifest.json
path: packer
- name: Download Manifest (Govcloud)
uses: actions/download-artifact@v3
with:
name: govcloud-packer-manifest.json
path: packer
# Run the script to generate new image JSON.
- name: Update duplo images JSON
run: |
git config core.autocrlf false
cd packer
INPUT_FILES='packer-manifest.json govcloud-packer-manifest.json' DUPLO_SOURCE=../duplo-backend ./gen-native-images.sh
# Create a PR
- name: Create Pull Request
uses: peter-evans/create-pull-request@v4
with:
title: '[duplo-bot] Update Duplo Docker AMI(s)'
branch: auto-update/duplo-docker-amis
base: master
add-paths: config/V1/BuiltInNativeImages.json
commit-message: '[duplo-bot] Update Duplo Docker AMI(s)'
body: 'Automated update of Duplo Docker AMI(s)'
committer: "${{ env.git_user }} <${{ env.git_email }}>"
delete-branch: true
path: duplo-backend
token: ${{ secrets.RELEASE_BOT_GITHUB_TOKEN }}