

Merge remote-tracking branch 'origin/main' into sas-UID2-4272-support…
…-euid-phone
ssundahlTTD committed Nov 7, 2024
2 parents 8126001 + 4976107 commit 9483d25
Showing 185 changed files with 7,252 additions and 13,347 deletions.
191 changes: 191 additions & 0 deletions .github/actions/build_ami/action.yaml
@@ -0,0 +1,191 @@
name: Build AMI
description: Builds the AMI for AWS private operators

inputs:
identity_scope:
description: The identity scope [uid2, euid]
required: true
github_token:
description: The GITHUB token to use to get the EIF
required: true
eif_repo_owner:
description: The owner of the EIF repo
required: true
eif_repo_name:
description: The name of the EIF repo
required: true
operator_release:
description: The operator release that has the EIF to use
default: ''
operator_run_number:
description: The Operator run number for artifacts. Ignored if Operator Release is given
uid2_aws_role:
description: The AWS role to assume for UID2
required: true
uid2_aws_region:
description: The UID2 AWS region to upload AMI to
required: true
euid_aws_role:
description: The AWS role to assume for EUID
required: true
euid_aws_region:
description: The EUID AWS region to upload AMI to
required: true

outputs:
version_number:
description: The version number set in IABTechLab/uid2-operator pom.xml.
value: ${{ steps.versionNumber.outputs.version_number }}
ami_id:
description: the AMI_ID of the newly created AMI
value: ${{ steps.extractAmiIdAndEnclaveId.outputs.AMI_ID }}
enclave_id:
description: the Enclave_ID of the EIF used to create the AMI
value: ${{ steps.extractAmiIdAndEnclaveId.outputs.ENCLAVE_ID }}

runs:
using: "composite"

steps:
- name: Show Context
shell: bash
run: |
printenv
echo "$GITHUB_CONTEXT"
env:
GITHUB_CONTEXT: ${{ toJson(github) }}

- name: Checkout full history
uses: actions/checkout@v4

- name: Get EIF for Release ${{ inputs.operator_release }}
uses: IABTechLab/uid2-operator/.github/actions/download_release_artifact@main
if: ${{ inputs.operator_release != '' }}
with:
github_token: ${{ inputs.github_token }}
repo_owner: ${{ inputs.eif_repo_owner }}
repo_name: ${{ inputs.eif_repo_name }}
release_name: ${{ inputs.operator_release }}
artifact_name: aws-${{ inputs.identity_scope }}-deployment-files
folder: ./scripts/aws/uid2-operator-ami/artifacts

- name: Get EIF for Run ${{ inputs.operator_run_number }}
id: get_eif_for_run
uses: dawidd6/action-download-artifact@v6
if: ${{ inputs.operator_release == '' }}
with:
name: 'aws-${{ inputs.identity_scope }}-deployment-files-.*'
name_is_regexp: true
run_id: ${{ inputs.operator_run_number }}
skip_unpack: true

- name: Unzip artifacts
if: ${{ inputs.operator_release == '' }}
shell: bash
run: |
ARTIFACTS='${{ steps.get_eif_for_run.outputs.artifacts }}'
FILE=$(echo $ARTIFACTS | jq -r '.[0].name')
unzip -o -d ./scripts/aws/uid2-operator-ami/artifacts $FILE.zip
rm $FILE.zip
- name: Configure UID2 AWS credentials
uses: aws-actions/configure-aws-credentials@v4
if: ${{ inputs.identity_scope == 'uid2' }}
with:
aws-region: ${{ inputs.uid2_aws_region }}
role-to-assume: ${{ inputs.uid2_aws_role }}

- name: Configure EUID AWS credentials
uses: aws-actions/configure-aws-credentials@v4
if: ${{ inputs.identity_scope == 'euid' }}
with:
aws-region: ${{ inputs.euid_aws_region }}
role-to-assume: ${{ inputs.euid_aws_role }}

- name: Show AWS Identity
shell: bash
run: |
aws sts get-caller-identity
- name: Get version number
id: versionNumber
shell: bash
working-directory: ./scripts/aws/uid2-operator-ami
run: |
ls -al
VERSION_NUMBER=$(cat ./artifacts/version_number.txt)
echo "VERSION_NUMBER=$VERSION_NUMBER" >> $GITHUB_OUTPUT
echo $VERSION_NUMBER
- name: Setup Packer
id: setup-packer
uses: hashicorp/setup-packer@main

- name: Create AMI
shell: bash
working-directory: ./scripts/aws/uid2-operator-ami
run: |
ls -al
TIMESTAMP=$(date +%s)
echo "TIMESTAMP=$TIMESTAMP" >> $GITHUB_OUTPUT
packer init .
packer build \
-var "version=${{ steps.versionNumber.outputs.VERSION_NUMBER }}" \
-var "timestamp=$TIMESTAMP" \
-var-file="${{ inputs.identity_scope }}.pkrvars.hcl" \
.
- name: Extract AMI ID
id: extractAmiIdAndEnclaveId
shell: bash
working-directory: ./scripts/aws/uid2-operator-ami
run: |
AMI_ID=$(jq -r '.builds[-1].artifact_id' manifest.json | cut -d ":" -f2)
echo "AMI_ID=$AMI_ID" >> $GITHUB_OUTPUT
echo $AMI_ID
ENCLAVE_ID=$(cat ./artifacts/pcr0.txt)
echo "ENCLAVE_ID=$ENCLAVE_ID" >> $GITHUB_OUTPUT
echo $ENCLAVE_ID
- name: Persist UID2 enclave and AMI IDs
id: extractUid2Data
if: ${{ inputs.identity_scope == 'uid2' }}
shell: bash
working-directory: ./scripts/aws/uid2-operator-ami
run: |
touch uid2_AMI_measurement.txt
echo "UID2 Enclave ID: ${{ steps.extractAmiIdAndEnclaveId.outputs.ENCLAVE_ID }}" >> uid2_AMI_measurement.txt
echo "AMI ID: " ${{ steps.extractAmiIdAndEnclaveId.outputs.AMI_ID }} >> uid2_AMI_measurement.txt
echo "uid2_AMI_measurement.txt Contents:"
cat uid2_AMI_measurement.txt
ls -al
- name: Copy AMI to us-east-1
id: euidCopyAmi
if: ${{ inputs.identity_scope == 'euid' }}
shell: bash
working-directory: ./scripts/aws/uid2-operator-ami
run: |
US_EAST_AMI_ID=$(aws ec2 copy-image --region us-east-1 --source-region eu-central-1 --source-image-id ${{ steps.extractAmiIdAndEnclaveId.outputs.AMI_ID }} --name euid-operator-${{ steps.versionNumber.outputs.VERSION_NUMBER }}-${{ steps.createAMI.outputs.TIMESTAMP }} --output text)
echo "US_EAST_1_AMI_ID=$US_EAST_AMI_ID" >> $GITHUB_OUTPUT
echo $US_EAST_AMI_ID
- name: Persist EUID enclave and AMI IDs
id: extractEuidData
if: ${{ inputs.identity_scope == 'euid' }}
shell: bash
working-directory: ./scripts/aws/uid2-operator-ami
run: |
touch euid_AMI_measurement.txt
echo "EUID Enclave ID: ${{ steps.extractAmiIdAndEnclaveId.outputs.ENCLAVE_ID }}" >> euid_AMI_measurement.txt
echo "eu-central-1 AMI ID:" ${{ steps.extractAmiIdAndEnclaveId.outputs.AMI_ID }} >> euid_AMI_measurement.txt
echo "us-east-1 AMI ID:" ${{ steps.euidCopyAmi.outputs.US_EAST_1_AMI_ID }} >> euid_AMI_measurement.txt
echo "euid_AMI_measurement.txt contents"
cat euid_AMI_measurement.txt
ls -al
- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: ${{ inputs.identity_scope }}_AMI_measurement
path: ./scripts/aws/uid2-operator-ami/${{ inputs.identity_scope }}_AMI_measurement.txt
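Review bot: The AMI name passed to `aws ec2 copy-image` in the Copy AMI to us-east-1 step reads `steps.createAMI.outputs.TIMESTAMP`, but the Create AMI step that writes `TIMESTAMP` to `$GITHUB_OUTPUT` has no `id:`, so the reference expands to empty and the copy is named `euid-operator-<version>-`; add `id: createAMI` to that step. The same line hard-codes `--source-region eu-central-1` although the AMI was built in `inputs.euid_aws_region`, so the copy breaks if those ever differ — pass the input through `env:` and use `--source-region "$EUID_AWS_REGION"`. On the supply-chain side, the EIF and the Packer toolchain are fetched via `IABTechLab/uid2-operator/.github/actions/download_release_artifact@main` and `hashicorp/setup-packer@main`, mutable refs on the path that produces the published enclave measurement; pin these (and `dawidd6/action-download-artifact@v6`) to commit SHAs. The published `ENCLAVE_ID` is `cat ./artifacts/pcr0.txt` taken from the downloaded artifact rather than re-measured from `uid2operator.eif`, so whoever can produce an artifact matching `aws-<scope>-deployment-files-.*` for an arbitrary `operator_run_number` decides what gets recorded; re-deriving PCR0 from the EIF (e.g. `nitro-cli describe-eif`, if it is available on the runner) and comparing would close that gap, and the Unzip step should also take `steps.get_eif_for_run.outputs.artifacts` via `env:` rather than splicing the JSON into a single-quoted shell string. The `printenv` and `toJson(github)` dump in Show Context prints every environment variable inherited from the calling workflow and belongs behind a debug input.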
128 changes: 128 additions & 0 deletions .github/actions/build_aws_eif/action.yaml
@@ -0,0 +1,128 @@
name: Build AWS EIF
description: Builds the EIF for AWS private operators

inputs:
identity_scope:
description: The identity scope [uid2, euid]
required: true
artifacts_base_output_dir:
description: The base output directory for the AMI artifacts
required: true
amazonlinux_dockerfile:
description: The Docker file to use to build the EIF
default: amazonlinux.Dockerfile
makefile:
description: The make file to use
default: Makefile.eif
version_number_input:
description: If set, the version number will not be incremented and the given number will be used.
default: ''
commit_sha:
description: The commit SHA for committing the new version for pom.xml.
default: ''

outputs:
enclave_id:
description: The enclave id for this EIF.
value: ${{ steps.prepare_artifacts.outputs.enclave_id }}

runs:
using: "composite"

steps:
- name: Checkout full history at commit sha ${{ inputs.commit_sha }}
uses: actions/checkout@v4
with:
ref: ${{ inputs.commit_sha }}
# git-restore-mtime requires full git history. The default fetch-depth value (1) creates a shallow checkout.
fetch-depth: 0

- name: Restore timestamps
uses: thetradedesk/git-restore-mtime-action@v1.3

- name: Free up space - delete preinstalled tools
shell: bash
run: |
rm -rf /opt/hostedtoolcache
- name: Check disk usage
shell: bash
run: |
df -h
- name: Run amazonlinux Docker image
shell: bash
run: |
docker build -t amazonlinux -f ${{ inputs.amazonlinux_dockerfile }} .
docker run -d --privileged --name amazonlinux amazonlinux:latest
- name: Create build folder
id: buildFolder
shell: bash
run: |
BUILD_FOLDER="./build/${{ inputs.identity_scope }}"
mkdir -p $BUILD_FOLDER
echo "BUILD_FOLDER=$BUILD_FOLDER" >> $GITHUB_OUTPUT
- name: Get identity scope
shell: bash
run: |
echo "${{ inputs.identity_scope }}" | tr '[:lower:]' '[:upper:]' > ${{ steps.buildFolder.outputs.BUILD_FOLDER }}/identity_scope.txt
cat ${{ steps.buildFolder.outputs.BUILD_FOLDER }}/identity_scope.txt
- name: Get version number
shell: bash
run: |
echo ${{ inputs.version_number_input }} > ${{ steps.buildFolder.outputs.BUILD_FOLDER }}/version_number.txt
cat ${{ steps.buildFolder.outputs.BUILD_FOLDER }}/version_number.txt
- name: Build EIF
shell: bash
run: |
make -f ${{ inputs.makefile }} ${{ inputs.identity_scope }}operator.eif
- name: Free up space
shell: bash
run: |
echo y | docker system prune -a
- name: Prepare artifacts
id: prepare_artifacts
shell: bash
run: |
ARTIFACTS_OUTPUT_DIR="${{ inputs.artifacts_base_output_dir }}"
mkdir -p ${ARTIFACTS_OUTPUT_DIR}
cp ${{ steps.buildFolder.outputs.BUILD_FOLDER }}/identity_scope.txt ${ARTIFACTS_OUTPUT_DIR}/
cp ${{ steps.buildFolder.outputs.BUILD_FOLDER }}/version_number.txt ${ARTIFACTS_OUTPUT_DIR}/
cp ./scripts/aws/start.sh ${ARTIFACTS_OUTPUT_DIR}/
cp ./scripts/aws/stop.sh ${ARTIFACTS_OUTPUT_DIR}/
cp ./scripts/aws/proxies.host.yaml ${ARTIFACTS_OUTPUT_DIR}/
cp ./scripts/aws/sockd.conf ${ARTIFACTS_OUTPUT_DIR}/
cp ./scripts/aws/uid2operator.service ${ARTIFACTS_OUTPUT_DIR}/
cp ./scripts/aws/pipeline/$(cat ${{ steps.buildFolder.outputs.BUILD_FOLDER }}/identity_scope.txt)_VERSION ${ARTIFACTS_OUTPUT_DIR}/VERSION
cp ./scripts/aws/syslog-ng/syslog-ng-server.conf ${ARTIFACTS_OUTPUT_DIR}/
cp ./scripts/aws/syslog-ng/server_al_2023/ivykis-0.43-1.amzn2023.x86_64.rpm ${ARTIFACTS_OUTPUT_DIR}/
cp ./scripts/aws/syslog-ng/server_al_2023/libnet-1.2-2.amzn2023.0.2.x86_64.rpm ${ARTIFACTS_OUTPUT_DIR}/
cp ./scripts/aws/syslog-ng/server_al_2023/pubkey.gpg ${ARTIFACTS_OUTPUT_DIR}/
cp ./scripts/aws/syslog-ng/server_al_2023/syslog-ng-4.7.1.104.gcc5a7d9-1.amzn2023.x86_64.rpm ${ARTIFACTS_OUTPUT_DIR}/
cp ./scripts/aws/syslog-ng/server_al_2023/syslog-ng-logrotate-4.7.1.104.gcc5a7d9-1.amzn2023.x86_64.rpm ${ARTIFACTS_OUTPUT_DIR}/
cp ./scripts/aws/logrotate/operator-logrotate.conf ${ARTIFACTS_OUTPUT_DIR}/
cp ./scripts/aws/logrotate/logrotate ${ARTIFACTS_OUTPUT_DIR}/
cp ./scripts/aws/logrotate/logrotateDaily ${ARTIFACTS_OUTPUT_DIR}/
cp -r ./scripts/aws/config-server ${ARTIFACTS_OUTPUT_DIR}/
docker cp amazonlinux:/sockd ${ARTIFACTS_OUTPUT_DIR}/
docker cp amazonlinux:/vsockpx ${ARTIFACTS_OUTPUT_DIR}/
docker cp amazonlinux:/${{ inputs.identity_scope }}operator.eif ${ARTIFACTS_OUTPUT_DIR}/uid2operator.eif
docker cp amazonlinux:/pcr0.txt ${{ steps.buildFolder.outputs.BUILD_FOLDER }}
docker cp amazonlinux:/pcr0.txt ${ARTIFACTS_OUTPUT_DIR}/
echo "enclave_id=$(cat ${{ steps.buildFolder.outputs.BUILD_FOLDER}}/pcr0.txt)" >> $GITHUB_OUTPUT
- name: Cleanup
shell: bash
run: |
docker rm -vf $(docker ps -a -q)
docker rmi -f $(docker images -aq)
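Review bot: Several `run:` scripts splice action inputs straight into the shell text — `echo ${{ inputs.version_number_input }} > …` in Get version number, `make -f ${{ inputs.makefile }} ${{ inputs.identity_scope }}operator.eif` in Build EIF, and `-f ${{ inputs.amazonlinux_dockerfile }}` in Run amazonlinux Docker image — and `${{ }}` is expanded before bash parses the line, so a value containing `;`, `$(…)` or whitespace is executed rather than used as data. The callers are presumably this repository's own workflows, but the version value also feeds `version_number.txt` and the downstream AMI build, so route each input through `env:` and quote it, as below for the version step. `docker run -d --privileged` gives the build container full access to the runner; if the EIF build needs only the Docker socket or specific capabilities, narrow it and say why in a comment. `thetradedesk/git-restore-mtime-action@v1.3` is a mutable tag on an action that is here precisely so the EIF and its PCR0 are reproducible — pin it to a commit SHA. The `version_number_input` and `commit_sha` descriptions speak of incrementing the version and committing to pom.xml, but nothing in this action does either; trim them to what the action actually does (check out at the given ref, write the given number to `version_number.txt`).
```yaml
- name: Get version number
  shell: bash
  env:
    VERSION_NUMBER_INPUT: ${{ inputs.version_number_input }}
    BUILD_FOLDER: ${{ steps.buildFolder.outputs.BUILD_FOLDER }}
  run: |
    echo "$VERSION_NUMBER_INPUT" > "$BUILD_FOLDER/version_number.txt"
    cat "$BUILD_FOLDER/version_number.txt"
```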
