[Jenkins] Allow performing AWS actions with an assumed role and minor…
… inconsistency fixes (#923)

* Improves Jenkins posture by specifying an AWS account and role for given AWS actions
* Minor bug fixes with context options and some improper naming
* Moves away from providing VPC id as a parameter and allows CDK to create the VPC

---------

Signed-off-by: Tanner Lewis <[email protected]>
lewijacn authored Sep 3, 2024
1 parent f77bc1c commit 8d5463b
Showing 3 changed files with 60 additions and 32 deletions.
11 changes: 2 additions & 9 deletions jenkins/migrationIntegPipelines/ec2SourceE2EPipeline.groovy
@@ -1,7 +1,5 @@
// Note:
// 1. We are using an existing common VPC that we provide through a manually created 'VPC_ID' parameter on the pipeline for now until we move
// to a proper Jenkins accounts and can create a setup without public subnets as well as request an extension to allow more than 5 VPCs per region
// 2. There is a still a manual step needed on the EC2 source load balancer to replace its security group rule which allows all traffic (0.0.0.0/0) to
// 1. There is a still a manual step needed on the EC2 source load balancer to replace its security group rule which allows all traffic (0.0.0.0/0) to
// allow traffic for the relevant service security group. This needs a better story around accepting user security groups in our Migration CDK.

def sourceContextId = 'source-single-node-ec2'
Expand All @@ -10,13 +8,11 @@ def migrationContextId = 'migration-default'
// all future runs should use the specified parameters
def gitBranch = params.GIT_BRANCH ?: 'main'
def gitUrl = params.GIT_REPO_URL ?: 'https://github.com/opensearch-project/opensearch-migrations.git'
def vpcId = params.VPC_ID
def source_cdk_context = """
{
"source-single-node-ec2": {
"suffix": "ec2-source-<STAGE>",
"networkStackSuffix": "ec2-source-<STAGE>",
"vpcId": "$vpcId",
"distVersion": "7.10.2",
"cidr": "12.0.0.0/16",
"distributionUrl": "https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-oss-7.10.2-linux-x86_64.tar.gz",
Expand All @@ -38,7 +34,7 @@ def migration_cdk_context = """
{
"migration-default": {
"stage": "<STAGE>",
"vpcId": "$vpcId",
"vpcId": "<VPC_ID>",
"engineVersion": "OS_2.11",
"domainName": "os-cluster-<STAGE>",
"dataNodeCount": 2,
Expand All @@ -47,7 +43,6 @@ def migration_cdk_context = """
"artifactBucketRemovalPolicy": "DESTROY",
"trafficReplayerServiceEnabled": true,
"trafficReplayerExtraArgs": "--speedup-factor 10.0",
"fetchMigrationEnabled": true,
"reindexFromSnapshotServiceEnabled": true,
"sourceClusterEndpoint": "<SOURCE_CLUSTER_ENDPOINT>",
"dpPipelineTemplatePath": "../../../test/dp_pipeline_aws_integ.yaml",
Expand All @@ -66,8 +61,6 @@ defaultIntegPipeline(
migrationContext: migration_cdk_context,
sourceContextId: sourceContextId,
migrationContextId: migrationContextId,
gitUrl: gitUrl,
gitBranch: gitBranch,
defaultStageId: 'aws-integ',
//deployStep: {
// echo 'Custom Test Step'
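Review bot: With `gitUrl: gitUrl` and `gitBranch: gitBranch` dropped from the `defaultIntegPipeline(...)` call, the `def gitBranch` / `def gitUrl` lines above appear to be unused, and their fallbacks (`'main'` and the upstream repository URL) no longer reach the Checkout stage, which reads `params.GIT_BRANCH` and `params.GIT_REPO_URL` directly. Either remove the two definitions or keep passing them, so it stays clear which repository and branch a run with unset parameters checks out and executes under the deployment role. The `"vpcId": "<VPC_ID>"` placeholder in the migration context would also benefit from a short comment above `migration_cdk_context` naming the step that fills it in, since the old note 1 that explained the VPC source was deleted. The call continues past the end of the visible hunk.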
19 changes: 9 additions & 10 deletions jenkins/migrationIntegPipelines/rfsBackfillE2EPipeline.groovy
@@ -1,7 +1,5 @@
// Note:
// 1. We are using an existing common VPC that we provide through a manually created 'VPC_ID' parameter on the pipeline for now until we move
// to a proper Jenkins accounts and can create a setup without public subnets as well as request an extension to allow more than 5 VPCs per region
// 2. There is a still a manual step needed on the EC2 source load balancer to replace its security group rule which allows all traffic (0.0.0.0/0) to
// 1. There is a still a manual step needed on the EC2 source load balancer to replace its security group rule which allows all traffic (0.0.0.0/0) to
// allow traffic for the relevant service security group. This needs a better story around accepting user security groups in our Migration CDK.

def sourceContextId = 'source-single-node-ec2'
Expand All @@ -10,13 +8,11 @@ def migrationContextId = 'migration-rfs'
// all future runs should use the specified parameters
def gitBranch = params.GIT_BRANCH ?: 'main'
def gitUrl = params.GIT_REPO_URL ?: 'https://github.com/opensearch-project/opensearch-migrations.git'
def vpcId = params.VPC_ID
def source_cdk_context = """
{
"source-single-node-ec2": {
"suffix": "ec2-source-<STAGE>",
"networkStackSuffix": "ec2-source-<STAGE>",
"vpcId": "$vpcId",
"distVersion": "7.10.2",
"distributionUrl": "https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-oss-7.10.2-linux-x86_64.tar.gz",
"captureProxyEnabled": false,
Expand All @@ -37,14 +33,13 @@ def migration_cdk_context = """
{
"migration-rfs": {
"stage": "<STAGE>",
"vpcId": "$vpcId",
"vpcId": "<VPC_ID>",
"engineVersion": "OS_2.11",
"domainName": "os-cluster-<STAGE>",
"dataNodeCount": 2,
"openAccessPolicyEnabled": true,
"domainRemovalPolicy": "DESTROY",
"artifactBucketRemovalPolicy": "DESTROY",
"kafkaBrokerServiceEnabled": true,
"trafficReplayerServiceEnabled": false,
"reindexFromSnapshotServiceEnabled": true,
"sourceClusterEndpoint": "<SOURCE_CLUSTER_ENDPOINT>"
Expand Down Expand Up @@ -72,8 +67,12 @@ defaultIntegPipeline(
"--junitxml=${test_result_file} ${test_dir}/backfill_tests.py " +
"--unique_id ${uniqueId} " +
"-s"
sh "sudo ./awsRunIntegTests.sh --command '${command}' " +
"--test-result-file ${test_result_file} " +
"--stage ${params.STAGE}"
withCredentials([string(credentialsId: 'migrations-test-account-id', variable: 'MIGRATIONS_TEST_ACCOUNT_ID')]) {
withAWS(role: 'JenkinsDeploymentRole', roleAccount: "${MIGRATIONS_TEST_ACCOUNT_ID}", duration: 3600, roleSessionName: 'jenkins-session') {
sh "sudo --preserve-env ./awsRunIntegTests.sh --command '${command}' " +
"--test-result-file ${test_result_file} " +
"--stage ${params.STAGE}"
}
}
}
)
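Review bot: `sudo --preserve-env` in the new `sh` line hands the entire Jenkins build environment to a root process, which inside this block presumably includes the temporary role credentials exported by `withAWS` as well as `MIGRATIONS_TEST_ACCOUNT_ID`. Passing an explicit list keeps the root shell to what the script needs, for example `sudo --preserve-env=AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,AWS_SESSION_TOKEN ./awsRunIntegTests.sh ...` (the exact variable set should be confirmed against the script). The same applies to the `./gradlew`, `./awsE2ESolutionSetup.sh` and `./awsRunIntegTests.sh` calls in vars/defaultIntegPipeline.groovy; the Gradle build there runs outside `withAWS` and may not need any preserved environment at all. `${params.STAGE}` is also interpolated unquoted into this root command, so checking it against an expected pattern before the `sh` call would be worth adding.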
62 changes: 49 additions & 13 deletions vars/defaultIntegPipeline.groovy
Expand Up @@ -9,7 +9,7 @@ def call(Map config = [:]) {
throw new RuntimeException("The migrationContext argument must be provided");
}
if(defaultStageId == null || defaultStageId.isEmpty()){
throw new RuntimeException("The migrationContext argument must be provided");
throw new RuntimeException("The defaultStageId argument must be provided");
}
def source_context_id = config.sourceContextId ?: 'source-single-node-ec2'
def migration_context_id = config.migrationContextId ?: 'migration-default'
Expand All @@ -28,29 +28,57 @@ def call(Map config = [:]) {
stages {
stage('Checkout') {
steps {
git branch: "${params.GIT_BRANCH}", url: "${params.GIT_REPO_URL}"
script {
// Allow overwriting this step
if (config.checkoutStep) {
config.checkoutStep()
} else {
git branch: "${params.GIT_BRANCH}", url: "${params.GIT_REPO_URL}"
}
}
}
}

stage('Test Caller Identity') {
steps {
sh 'aws sts get-caller-identity'
script {
// Allow overwriting this step
if (config.awsIdentityCheckStep) {
config.awsIdentityCheckStep()
} else {
sh 'aws sts get-caller-identity'
}
}
}
}

stage('Setup E2E CDK Context') {
steps {
writeFile (file: "test/$source_context_file_name", text: sourceContext)
sh "echo 'Using source context file options: ' && cat test/$source_context_file_name"
writeFile (file: "test/$migration_context_file_name", text: migrationContext)
sh "echo 'Using migration context file options: ' && cat test/$migration_context_file_name"
script {
// Allow overwriting this step
if (config.cdkContextStep) {
config.cdkContextStep()
} else {
writeFile (file: "test/$source_context_file_name", text: sourceContext)
sh "echo 'Using source context file options: ' && cat test/$source_context_file_name"
writeFile (file: "test/$migration_context_file_name", text: migrationContext)
sh "echo 'Using migration context file options: ' && cat test/$migration_context_file_name"
}
}
}
}

stage('Build') {
steps {
timeout(time: 1, unit: 'HOURS') {
sh 'sudo ./gradlew clean build --no-daemon'
script {
// Allow overwriting this step
if (config.buildStep) {
config.buildStep()
} else {
sh 'sudo --preserve-env ./gradlew clean build --no-daemon'
}
}
}
}
}
Expand All @@ -66,7 +94,7 @@ def call(Map config = [:]) {
} else {
sh 'sudo usermod -aG docker $USER'
sh 'sudo newgrp docker'
def baseCommand = "sudo ./awsE2ESolutionSetup.sh --source-context-file './$source_context_file_name' " +
def baseCommand = "sudo --preserve-env ./awsE2ESolutionSetup.sh --source-context-file './$source_context_file_name' " +
"--migration-context-file './$migration_context_file_name' " +
"--source-context-id $source_context_id " +
"--migration-context-id $migration_context_id " +
Expand All @@ -76,7 +104,11 @@ def call(Map config = [:]) {
if (skipCaptureProxyOnNodeSetup) {
baseCommand += " --skip-capture-proxy"
}
sh baseCommand
withCredentials([string(credentialsId: 'migrations-test-account-id', variable: 'MIGRATIONS_TEST_ACCOUNT_ID')]) {
withAWS(role: 'JenkinsDeploymentRole', roleAccount: "${MIGRATIONS_TEST_ACCOUNT_ID}", duration: 5400, roleSessionName: 'jenkins-session') {
sh baseCommand
}
}
}
}
}
Expand All @@ -101,9 +133,13 @@ def call(Map config = [:]) {
"--junitxml=${test_result_file} ${test_dir}/replayer_tests.py " +
"--unique_id ${uniqueId} " +
"-s"
sh "sudo ./awsRunIntegTests.sh --command '${command}' " +
"--test-result-file ${test_result_file} " +
"--stage ${params.STAGE}"
withCredentials([string(credentialsId: 'migrations-test-account-id', variable: 'MIGRATIONS_TEST_ACCOUNT_ID')]) {
withAWS(role: 'JenkinsDeploymentRole', roleAccount: "${MIGRATIONS_TEST_ACCOUNT_ID}", duration: 3600, roleSessionName: 'jenkins-session') {
sh "sudo --preserve-env ./awsRunIntegTests.sh --command '${command}' " +
"--test-result-file ${test_result_file} " +
"--stage ${params.STAGE}"
}
}
}
}
}
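Review bot: The default 'Test Caller Identity' step still runs `sh 'aws sts get-caller-identity'` outside any `withAWS` block, so it reports the agent's ambient identity, not `JenkinsDeploymentRole`, and a wrong account id or broken trust policy only surfaces later in the deploy stage. Wrapping that default in the same `withCredentials`/`withAWS` pair used around `sh baseCommand` would make the stage check the identity the later stages actually run with. The three `withAWS` calls also share the fixed `roleSessionName: 'jenkins-session'`; a per-build value such as `roleSessionName: "jenkins-${env.BUILD_NUMBER}"` would let CloudTrail entries be attributed to a specific build. The body of `call` starts and ends outside the visible hunks.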
