build-image.yaml

name: 'Image: Agent - duplocloud-docker'
on:
  workflow_dispatch:
    inputs:
      image_version:
        description: 'Set the image version'
        required: false
        default: 'dev' # default to dev version
      only_partition:
        description: 'Only build this partition'
        required: false
        default: 'all'
      only_builders:
        description: 'Only run these builders'
        required: false
        default: 'all'
env:
  git_user: duplo-bot
  git_email: joe+github-bot@duplocloud.net
  duplo_host: https://prod.duplocloud.net
  duplo_token: "${{ secrets.PROD_DUPLO_TOKEN }}"

jobs:
  build-commercial:
    if: "${{ github.event.inputs.only_partition == 'all' || github.event.inputs.only_partition == 'commercial' }}"
    # Needed for GCP (OIDC): Add "id-token" with the intended permissions.
    permissions:
      contents: 'read'
      id-token: 'write'

    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # GCP credentials
      - name: Packer GCP Service Account
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: 'projects/17033121890/locations/global/workloadIdentityPools/duplo-githubactions/providers/duplo-githubactions'
          service_account: 'packer@msp-duplocloud-01.iam.gserviceaccount.com'

      # AWS credentials
      - name: Packer AWS Role
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
          aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
          aws-region: us-west-2
          role-to-assume: arn:aws:iam::227120241369:role/packer-builder
          role-session-name: github-duplocloud-linuxagent
          role-duration-seconds: 3600
          role-skip-session-tagging: true

      # Build images
      - name: Build VM Images
        run: |
          set -eu

          # Install session manager.
          curl -o session-manager-plugin.deb "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb"
          sudo dpkg -i session-manager-plugin.deb

          # Install packer.
          curl -o packer.zip https://releases.hashicorp.com/packer/1.8.6/packer_1.8.6_linux_amd64.zip
          mkdir -p /tmp/bin
          sudo unzip -d /tmp/bin packer.zip
          export PATH="/tmp/bin:$PATH"

          # Validate the template.
          packer validate -syntax-only ./packer

          # Parse build options.
          if [ "$ONLY_BUILDERS" = "all" ]; then
            ONLY_BUILDERS=""
          elif [ -n "$ONLY_BUILDERS" ]; then
            ONLY_BUILDERS="-only=$ONLY_BUILDERS"
          fi

          # Validate the AWS settings in the target account
          # Without this check, we have wasted hours building an AMI only for it to fail at the end due to the encryption settings.
          # If this check fails the build - it means that your build would have failed or your AMI would have been unsharable.
          #
          for region in us-east-1 us-east-2 us-west-1 us-west-2 ca-central-1 eu-west-2 ap-northeast-1 ap-south-1
          do
            encryption_enabled="$(aws ec2 get-ebs-encryption-by-default --region=$region | jq -r .EbsEncryptionByDefault)"
            if [ "$encryption_enabled" = "true" ]
            then
              echo "EBS Encryption by Default MUST NOT BE ENABLED - STOPPING BUILD" 1>&2
              exit 1
            fi
          done

          # Build the images.
          rm -f packer-manifest.json # always be clean
          packer build $ONLY_BUILDERS \
            -color=false -on-error=cleanup -parallel-builds=10 -timestamp-ui \
            ./packer
          
        env:
          ONLY_BUILDERS: "${{ github.event.inputs.only_builders }}"
          PKR_VAR_image_version: "${{ github.event.inputs.image_version }}"
          PKR_VAR_agent_git_ref: "${{ github.sha }}"
      
      # Upload the image manifest
      - name: Attach Manifest
        uses: actions/upload-artifact@v4
        with:
          name: packer-manifest.json
          path: packer-manifest.json
  build-govcloud:
    if: "${{ github.event.inputs.only_partition == 'all' || github.event.inputs.only_partition == 'govcloud' }}"
    runs-on: ubuntu-latest
    env:
      duplo_host: https://qa-govcloud.duplocloud.net
      duplo_token: "${{ secrets.GOVCLOUD_DUPLO_TOKEN }}"
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # AWS credentials
      - name: Tenant AWS JIT
        uses: duplocloud/ghactions-aws-jit@master
        with:
          tenant: github

      # AWS credentials
      - name: Packer AWS Role
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
          aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
          aws-region: us-gov-west-1
          role-to-assume: arn:aws-us-gov:iam::051848153245:role/packer-builder
          role-session-name: github-duplocloud-linuxagent
          role-chaining: true
          role-duration-seconds: 3600
          role-skip-session-tagging: true

      # Build images
      - name: Build VM Images
        run: |
          set -eu

          # Install session manager.
          curl -o session-manager-plugin.deb "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb"
          sudo dpkg -i session-manager-plugin.deb

          # Install packer.
          curl -o packer.zip https://releases.hashicorp.com/packer/1.8.6/packer_1.8.6_linux_amd64.zip
          mkdir -p /tmp/bin
          sudo unzip -d /tmp/bin packer.zip
          export PATH="/tmp/bin:$PATH"

          # Validate the template.
          packer validate -syntax-only ./packer

          # Parse build options.
          if [ "$ONLY_BUILDERS" = "all" ]; then
            ONLY_BUILDERS="-except=amazon-ebs.ubuntu-18,googlecompute.ubuntu-20,googlecompute.ubuntu-22"
          elif [ -n "$ONLY_BUILDERS" ]; then
            ONLY_BUILDERS="-only=$ONLY_BUILDERS"
          fi

          # Validate the AWS settings in the target account
          # Without this check, we have wasted hours building an AMI only for it to fail at the end due to the encryption settings.
          # If this check fails the build - it means that your build would have failed or your AMI would have been unsharable.
          #
          for region in us-gov-west-1 us-gov-east-1
          do
            encryption_enabled="$(aws ec2 get-ebs-encryption-by-default --region=$region | jq -r .EbsEncryptionByDefault)"
            if [ "$encryption_enabled" = "true" ]
            then
              echo "EBS Encryption by Default MUST NOT BE ENABLED - STOPPING BUILD" 1>&2
              exit 1
            fi
          done

          # Build the images.
          rm -f *packer-manifest.json # always be clean
          packer build $ONLY_BUILDERS \
            -color=false -on-error=cleanup -parallel-builds=10 -timestamp-ui \
            -var-file=packer/duplo-gov.json \
            ./packer
          mv packer-manifest.json govcloud-packer-manifest.json
          
        env:
          ONLY_BUILDERS: "${{ github.event.inputs.only_builders }}"
          PKR_VAR_image_version: "${{ github.event.inputs.image_version }}"
          PKR_VAR_agent_git_ref: "${{ github.sha }}"
      
      # Upload the image manifest
      - name: Attach Manifest
        uses: actions/upload-artifact@v4
        with:
          name: govcloud-packer-manifest.json
          path: govcloud-packer-manifest.json

  # If this is a release build, create a PR to update Duplo
  autoupdate-duplo-images:
    runs-on: ubuntu-latest
    if: "${{ startsWith(github.event.inputs.image_version, 'release-') && github.event.inputs.only_partition == 'all' }}"
    needs:
      - build-commercial
      - build-govcloud
    steps:
      # Get the code for the image JSON generation, and the code for Duplo master.
      - name: Checkout duplo-infra
        uses: actions/checkout@v4
      - name: Checkout duplo (backend)
        uses: actions/checkout@v4
        with:
          repository: duplocloud-internal/duplo
          ref: master                 # always start from master
          token: ${{ secrets.RELEASE_BOT_GITHUB_TOKEN }}
          path: duplo-backend
      
      # Download the image manifest
      - name: Download Manifest (Commercial)
        uses: actions/download-artifact@v4
        with:
          name: packer-manifest.json
          path: packer
      - name: Download Manifest (Govcloud)
        uses: actions/download-artifact@v4
        with:
          name: govcloud-packer-manifest.json
          path: packer

      # Run the script to generate new image JSON.
      - name: Update duplo images JSON
        run: |
          git config core.autocrlf false
          cd packer
          INPUT_FILES='packer-manifest.json govcloud-packer-manifest.json' DUPLO_SOURCE=../duplo-backend ./gen-native-images.sh
      
      # Create a PR
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v4
        with:
          title: '[duplo-bot] Update Duplo Docker AMI(s)'
          branch: auto-update/duplo-docker-amis
          base: master
          add-paths: config/V1/BuiltInNativeImages.json
          commit-message: '[duplo-bot] Update Duplo Docker AMI(s)'
          body: 'Automated update of Duplo Docker AMI(s)'
          committer: "${{ env.git_user }} <${{ env.git_email }}>"
          delete-branch: true
          path: duplo-backend
          token: ${{ secrets.RELEASE_BOT_GITHUB_TOKEN }}