--- name: enos on: # Only trigger this working using workflow_call. This workflow requires many # secrets that must be inherited from the caller workflow. workflow_call: inputs: # The name of the artifact that we're going to use for testing. This should # match exactly to build artifacts uploaded to Github and Artifactory. build-artifact-name: required: true type: string # The base name of the file in ./github/enos-run-matrices that we use to # determine which scenarios to run for the build artifact. # # They are named in the format of: # $caller_workflow_name-$artifact_source-$vault_edition-$platform-$arch-$packing_type # # Where each are: # caller_workflow_name: the Github Actions workflow that is calling # this one # artifact_source: where we're getting the artifact from. Either # "github" or "artifactory" # vault_edition: which edition of vault that we're testing. e.g. "oss" # or "ent" # platform: the vault binary target platform, e.g. "linux" or "macos" # arch: the vault binary target architecture, e.g. "arm64" or "amd64" # packing_type: how vault binary is packaged, e.g. "zip", "deb", "rpm" # # Examples: # build-github-oss-linux-amd64-zip matrix-file-name: required: true type: string # The test group we want to run. This corresponds to the test_group attribute # defined in the enos-run-matrices files. matrix-test-group: default: 0 type: string runs-on: # NOTE: The value should be JSON encoded as that's the only way we can # pass arrays with workflow_call. type: string required: false default: '"ubuntu-latest"' ssh-key-name: type: string default: ${{ github.event.repository.name }}-ci-ssh-key # Which edition of Vault we're using. e.g. "oss", "ent", "ent.hsm.fips1402" vault-edition: required: true type: string # The Git commit SHA used as the revision when building vault vault-revision: required: true type: string jobs: metadata: runs-on: ${{ fromJSON(inputs.runs-on) }} outputs: build-date: ${{ steps.metadata.outputs.build-date }} matrix: ${{ steps.metadata.outputs.matrix }} version: ${{ steps.metadata.outputs.version }} version-minor: ${{ steps.metadata.outputs.matrix }} env: # Pass the vault edition as VAULT_METADATA so the CI make targets can create # values that consider the edition. VAULT_METADATA: ${{ inputs.vault-edition }} # Pass in the matrix and matrix group for filtering MATRIX_FILE: ./.github/enos-run-matrices/${{ inputs.matrix-file-name }}.json MATRIX_TEST_GROUP: ${{ inputs.matrix-test-group }} steps: - uses: actions/checkout@v3 with: ref: ${{ inputs.vault-revision }} - id: metadata run: | # shellcheck disable=SC2129 echo "build-date=$(make ci-get-date)" >> "$GITHUB_OUTPUT" echo "version=$(make ci-get-version)" >> "$GITHUB_OUTPUT" echo "matrix=$(make ci-filter-matrix)" >> "$GITHUB_OUTPUT" # Run the Enos test scenarios run: needs: metadata strategy: fail-fast: false # don't fail as that can skip required cleanup steps for jobs matrix: ${{ fromJson(needs.metadata.outputs.matrix) }} runs-on: ubuntu-latest env: GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }} # Pass in enos variables ENOS_VAR_aws_region: ${{ matrix.aws_region }} ENOS_VAR_aws_ssh_keypair_name: ${{ inputs.ssh-key-name }} ENOS_VAR_aws_ssh_private_key_path: ./support/private_key.pem ENOS_VAR_tfc_api_token: ${{ secrets.TF_API_TOKEN }} ENOS_VAR_artifactory_username: ${{ secrets.ARTIFACTORY_USER }} ENOS_VAR_artifactory_token: ${{ secrets.ARTIFACTORY_TOKEN }} ENOS_VAR_terraform_plugin_cache_dir: ./support/terraform-plugin-cache ENOS_VAR_vault_build_date: ${{ needs.metadata.outputs.build-date }} ENOS_VAR_vault_product_version: ${{ needs.metadata.outputs.version }} ENOS_VAR_vault_revision: ${{ inputs.vault-revision }} ENOS_VAR_vault_bundle_path: ./support/downloads/${{ inputs.build-artifact-name }} ENOS_VAR_vault_license_path: ./support/vault.hclic steps: - uses: actions/checkout@v3 - uses: hashicorp/setup-terraform@v2 with: # the Terraform wrapper will break Terraform execution in Enos because # it changes the output to text when we expect it to be JSON. terraform_wrapper: false - uses: aws-actions/configure-aws-credentials@v1-node16 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }} aws-region: ${{ matrix.aws_region }} role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }} role-skip-session-tagging: true role-duration-seconds: 3600 - uses: hashicorp/action-setup-enos@v1 with: github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} - name: Prepare scenario dependencies run: | mkdir -p ./enos/support/terraform-plugin-cache echo "${{ secrets.SSH_KEY_PRIVATE_CI }}" > ./enos/support/private_key.pem chmod 600 ./enos/support/private_key.pem - if: contains(inputs.matrix-file-name, 'github') uses: actions/download-artifact@v3 with: name: ${{ inputs.build-artifact-name }} path: ./enos/support/downloads - if: contains(inputs.matrix-file-name, 'ent') name: Configure Vault license run: echo "${{ secrets.VAULT_LICENSE }}" > ./enos/support/vault.hclic || true - name: Run Enos scenario id: run # Continue once and retry to handle occasional blips when creating # infrastructure. continue-on-error: true run: enos scenario run --timeout 60m0s --chdir ./enos ${{ matrix.scenario }} - name: Retry Enos scenario if necessary id: run_retry if: steps.run.outcome == 'failure' run: enos scenario run --timeout 60m0s --chdir ./enos ${{ matrix.scenario }} - name: Ensure scenario has been destroyed if: ${{ always() }} # With Enos version 0.0.11 the destroy step returns an error if the infrastructure # is already destroyed by enos run. So temporarily setting it to continue on error in GHA continue-on-error: true run: enos scenario destroy --timeout 60m0s --chdir ./enos ${{ matrix.scenario }} - name: Clean up Enos runtime directories if: ${{ always() }} run: | rm -rf /tmp/enos* rm -rf ./enos/support rm -rf ./enos/.enos