Add Documentation for Testing E2E Resource Changes

.github/workflows/appsignals-e2e-ec2-test.yml

@@ -21,11 +21,12 @@ env:
   # It is not redundant
   AWS_DEFAULT_REGION: ${{ inputs.aws-region }} 
   TEST_ACCOUNT: ${{ secrets.APP_SIGNALS_E2E_TEST_ACC }}
-  SAMPLE_APP_FRONTEND_SERVICE_JAR: "s3://aws-appsignals-sample-app/main-service.jar"
-  SAMPLE_APP_REMOTE_SERVICE_JAR: "s3://aws-appsignals-sample-app/remote-service.jar"
+  SAMPLE_APP_FRONTEND_SERVICE_JAR: ${{ secrets.APP_SIGNALS_E2E_FE_SA_JAR }}
+  SAMPLE_APP_REMOTE_SERVICE_JAR: ${{ secrets.APP_SIGNALS_E2E_RE_SA_JAR }}
   APP_SIGNALS_ADOT_JAR: "https://github.com/aws-observability/aws-otel-java-instrumentation/releases/latest/download/aws-opentelemetry-agent.jar"
   METRIC_NAMESPACE: AppSignals
   LOG_GROUP_NAME: /aws/appsignals/generic
+  APP_SIGNALS_E2E_EC2_TEST_ROLE: ${{ secrets.APP_SIGNALS_E2E_EC2_TEST_ROLE }}
 
 jobs:
   e2e-ec2-test:
@@ -47,7 +48,6 @@ jobs:
           else
             echo APP_SIGNALS_CW_AGENT_RPM="https://amazoncloudwatch-agent-${{ env.AWS_DEFAULT_REGION }}.s3.${{ env.AWS_DEFAULT_REGION }}.amazonaws.com/amazon_linux/amd64/1.300031.0b313/amazon-cloudwatch-agent.rpm" >> $GITHUB_ENV
           fi
-
 
       - name: Generate testing id
         run: echo TESTING_ID="${{ github.run_id }}-${{ github.run_number }}" >> $GITHUB_ENV
@@ -85,6 +85,7 @@ jobs:
               -var="sample_remote_app_jar=${{ env.SAMPLE_APP_REMOTE_SERVICE_JAR }}" \
               -var="cw_agent_rpm=${{ env.APP_SIGNALS_CW_AGENT_RPM }}" \
               -var="adot_jar=${{ env.APP_SIGNALS_ADOT_JAR }}" \
+              -var="test_role=${{ env.APP_SIGNALS_E2E_EC2_TEST_ROLE }}" \
             || deployment_failed=$?
 
             if [ $deployment_failed -eq 1 ]; then

.github/workflows/appsignals-e2e-eks-test.yml

@@ -42,6 +42,24 @@ jobs:
         with:
           fetch-depth: 0
 
+      - name: Download enablement script
+        uses: actions/checkout@v4
+        with:
+          repository: aws-observability/application-signals-demo
+          ref: main
+          path: enablement-script
+          sparse-checkout: |
+            scripts/eks/appsignals/enable-app-signals.sh
+            scripts/eks/appsignals/clean-app-signals.sh
+          sparse-checkout-cone-mode: false
+
+      - name: Remove log group deletion command
+        if: always()
+        working-directory: enablement-script/scripts/eks/appsignals
+        run: |
+          delete_log_group="aws logs delete-log-group --log-group-name '${{ env.LOG_GROUP_NAME }}' --region \$REGION"
+          sed -i "s#$delete_log_group##g" clean-app-signals.sh
+
       - uses: actions/setup-java@v4
         with:
           java-version: 17
@@ -90,18 +108,6 @@ jobs:
         with:
           terraform_wrapper: false
 
-      # Enable App Signals on the test cluster
-      - name: Pull and unzip enablement script from S3
-        working-directory: testing/terraform/eks
-        run: aws s3 cp ${{ env.ENABLEMENT_SCRIPT_S3_BUCKET }} . && unzip -j onboarding.zip
-
-      - name: Remove log group deletion command
-        if: always()
-        working-directory: testing/terraform/eks
-        run: |
-          delete_log_group="aws logs delete-log-group --log-group-name '${{ env.LOG_GROUP_NAME }}' --region \$REGION"
-          sed -i "s#$delete_log_group##g" clean-app-signals.sh
-
       - name: Deploy sample app via terraform and wait for the endpoint to come online
         id: deploy-sample-app
         working-directory: testing/terraform/eks
@@ -138,7 +144,7 @@ jobs:
             # after installing App Signals. Attempts to connect will be made for up to 10 minutes
             if [ $deployment_failed -eq 0 ]; then
               echo "Installing app signals to the sample app"
-              ./enable-app-signals.sh \
+              ${GITHUB_WORKSPACE}/enablement-script/scripts/eks/appsignals/enable-app-signals.sh \
               ${{ inputs.test-cluster-name }} \
               ${{ env.AWS_DEFAULT_REGION }} \
               ${{ env.SAMPLE_APP_NAMESPACE }}
@@ -325,7 +331,7 @@ jobs:
       - name: Clean Up App Signals
         if: always()
         continue-on-error: true
-        working-directory: testing/terraform/eks
+        working-directory: enablement-script/scripts/eks/appsignals
         run: |
           ./clean-app-signals.sh \
           ${{ inputs.test-cluster-name }} \

testing/README.md

@@ -0,0 +1,95 @@
+# How to Test E2E Resource Changes
+This guide will give a step by step instruction on how to test changes made to E2E testing resources before pushing a PR. 
+
+### 1. Create an IAM Role with OIDC Identity Provider
+This step is needed to allow Github Action to have access to resources in the AWS account
+#### Create an OIDC Provider
+- First step is to create an OIDC Identity Provider to allow Github action access to the AWS account resource. Login to AWS, go to the IAM console and click on the Identity Providers tab.
+- Click on Add Provider, choose OpenID Connect and type `https://token.actions.githubusercontent.com` in the Provider URL. Click "Get thumbprint". For Audience, use `sts.amazonaws.com`. Finally, click "Add provider"
+#### Create an IAM role
+- Next, an IAM role needs to be created using the OIDC Identity Provider. Go to the Roles tab and click Create role. 
+- Choose Web Identity, and choose `token.actions.githubusercontent.com` as the Identity provider, Audience as `sts.amazonaws.com`, and for Github organizations put your github username down. Click next.
+- Add the AdministratorAccess policy. Click next.
+- Enter your Role name. Click "Create role".
+#### Add Additional Permission
+- After the role is created, search the role name in the roles tab, click on the role, and go to the Trust relationships tab. Click on "Edit trust policy".
+- In the Statement list, add the following item: 
+`{
+  "Sid": "accessToRole",
+  "Effect": "Allow",
+  "Principal": {
+  "AWS": "arn:aws:iam::<AccountID>:root"
+  },
+  "Action": "sts:AssumeRole"
+  }`. This additional permission is need to allow Github Action to assume roles and have access to the EKS cluster. 
+
+Additional Resource: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
+
+### 2. Create an EKS Cluster 
+The E2E EKS test uses an EKS cluster to deploy the sample apps.
+#### Setup Environment with the Appropriate Roles and Permissions.
+- First, assume Admin role from the test account by running `ada credentials update --account=<AccountID> --role=Admin --provider=isengard --once`
+- Assume the e2e test role by running 
+  - `output=$(aws sts assume-role --role-arn arn:aws:iam::<AccountID>:role/<E2ETestRole> --role-session-name AWSCLI-Session)`
+  - `export AWS_ACCESS_KEY_ID=$(echo $output | jq -r .Credentials.AccessKeyId)`
+  - `export AWS_SECRET_ACCESS_KEY=$(echo $output | jq -r .Credentials.SecretAccessKey)`
+  - `export AWS_SESSION_TOKEN=$(echo $output | jq -r .Credentials.SessionToken)`
+- Run `aws sts get-caller-identity` to check if you are in the correct role
+#### Create a new Cluster
+- Next, create the cluster by running `eksctl create cluster --name <ClusterName> --region us-east-1 --zones us-east-1a,us-east-1b`. This will take around ~10 minutes. 
+#### Install AWS Load Balancer Controller Add-on
+- Finally, install the AWS Load Balancer Controller add-on by running the following commands. Make sure to replace the `<ClusterName>` and `<AccountID>` with the correct value.
+  - `eksctl utils associate-iam-oidc-provider --cluster <ClusterName> --region us-east-1 --approve`
+  - `curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.7/docs/install/iam_policy.json`
+  - `aws iam create-policy --policy-name AWSLoadBalancerControllerIAMPolicy --policy-document file://iam_policy.json --region us-east-1`
+  - `eksctl create iamserviceaccount --cluster=<ClusterName> --namespace=kube-system --name=aws-load-balancer-controller --attach-policy-arn=arn:aws:iam::<AccountID>:policy/AWSLoadBalancerControllerIAMPolicy --region us-east-1 --approve`
+  - `kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.5.4/cert-manager.yaml`
+  - `curl -Lo v2_4_7_full.yaml https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/download/v2.4.7/v2_4_7_full.yaml`
+  - `sed -i.bak -e '561,569d' ./v2_4_7_full.yaml`
+  - `sed -i.bak -e 's|your-cluster-name|<ClusterName>|' ./v2_4_7_full.yaml`
+  - `kubectl apply -f v2_4_7_full.yaml`
+  - `curl -Lo v2_4_7_ingclass.yaml https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/download/v2.4.7/v2_4_7_ingclass.yaml`
+  - `kubectl apply -f v2_4_7_ingclass.yaml`
+
+### 3. Setting up Environment for EC2 Tests
+#### Create IAM Role for EC2 Instance
+- Login to AWS, go to the IAM console and click on the Roles tab. Click Create role.
+- Choose AWS service, and choose EC2 as the use case. Click Next.
+- Choose AmazonS3ReadOnlyAccess, AWSXrayWriteOnlyAccess, and CloudWatchAgentServerPolicy as the permission. 
+- Type the role name and click "Create role".
+- 
+#### Setting Up Default VPC
+- Go to the VPC console and on the routing table for the default VPC, click Edit routes. 
+- Click add routes, for destination add `0.0.0.0/0`, for target add Internet Gateway and save changes.
+- Go to the Security groups tab, find the security group attached to the default VPC, click Edit inbound rules, choose type: All Traffic, Source: custom, and CIDR block: 0.0.0.0/0. Save rules.
+
+### 4. Building Sample App to ECR
+Create two ECR repositories: one for the sample app main service and another for the sample app remote service. 
+Follow the instructions under ./sample-apps/README.md to build the sample app image and upload it to the ECR
+
+### 5. Building Sample App to S3 Bucket
+Create an S3 Bucket to store the .jar files for the sample app main service and sample app remote service.
+Follow the instructions under ./sample-apps/README.md to build the sample app .jar and upload it to the bucket
+
+### 6. Setting up repository
+- Go to https://github.com/aws-observability/aws-otel-java-instrumentation and create a fork
+- Go to the forked repo and enable action on the Action tab
+- Add the following secrets to the repository
+  - APP_SIGNALS_E2E_TEST_ACC: `<AccountID>`
+  - E2E_TEST_ROLE_ARN: `arn:aws:iam::<AccountID>:role/<RoleName>`
+  - APP_SIGNALS_E2E_EC2_TEST_ROLE: <EC2_IAM_ROLE_NAME>
+  - APP_SIGNALS_E2E_FE_SA_IMG: `<AccountID>.dkr.ecr.us-east-1.amazonaws.com/<Path to Sample App Image>`
+  - APP_SIGNALS_E2E_RE_SA_IMG: `<AccountID>.dkr.ecr.us-east-1.amazonaws.com/<Path to Remote Sample App Image>`
+  - APP_SIGNALS_E2E_FE_SA_JAR: s3://<BucketName>/<FileName.jar>
+  - APP_SIGNALS_E2E_RE_SA_JAR: s3://<BucketName>/<FileName.jar>
+
+
+### 7. Running the tests
+Copy paste the test.yml into `../.github/workflows` and replace the cluster name with the one generated in step 2. 
+Push the code changes and there should be a test running on the forked repo in the Action tab
+
+### E2E Testing Resources
+- `./.github/workflows/appsignals-e2e-*`: workflow files for running e2e tests
+- `./testing/sample-apps/*`: files for building the sample app
+- `./testing/validator/*`: files for validating logs/metrics/traces generated by sample app
+- `./testing/terraform/*`:  files for launching the sample app to EKS cluster or EC2 instances

testing/sample-apps/README.md

@@ -10,10 +10,16 @@ Ensure that none of the repositories are currently using the image about to be u
 To update the image, first push the update to a backup image (or generate a new one), then switch the address on the three repositories to the backup image one by one. Once all three repositories are pointing to
 the backup image, push the update to the main image and revert the addresses on the repositories back to the original. Be careful to ensure the image names are appropriately stored in secrets.
 
+### Setting up the environment:
+1. Run the `patch.sh` script under `.github/scripts/` folder. You should have a new folder called `opentelemetry-java-instrumentation`
+2. Cd to the new folder, then run `gradle publishToMavenLocal`
+3. Run `rm -rf opentelemetry-java-instrumentation` to delete the folder.
+
 ### Steps to update image:
 1. Use `ada` commands to autheticate into the testing account
-2. Login to ECR Repository: `aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin {REPOSITORY}`
+2. Login to ECR Repository: `aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin {REPOSITORY}`. Create a new repository first if the repository doesn't exist.
 3. Change repository name in the `build.gradle.kts` file under `testing/sample-apps/springboot` or `testing/sample-apps/sprintboot-remote-service`
+4. Change the `tasks.named("jib").enabled` value on the `build.gradle.kts` file from false to true
 4. Run `gradle jib` under the respective directory.
 
 ## [WIP] EC2 Use Case: Building the JAR Files

testing/terraform/ec2/main.tf

@@ -27,7 +27,7 @@ locals {
 }
 
 data "aws_ami" "ami" {
-  owners = ["amazon"]
+  owners   = ["amazon"]
   most_recent      = true
   filter {
     name   = "name"
@@ -66,7 +66,7 @@ resource "aws_instance" "main_service_instance" {
   ami                                   = data.aws_ami.ami.id # Amazon Linux 2 (free tier)
   instance_type                         = "t2.micro"
   key_name                              = local.ssh_key_name
-  iam_instance_profile                  = "APP_SIGNALS_EC2_TEST_ROLE"
+  iam_instance_profile                  = var.test_role
   vpc_security_group_ids                = [aws_default_vpc.default.default_security_group_id]
   associate_public_ip_address           = true
   instance_initiated_shutdown_behavior  = "terminate"
@@ -127,7 +127,7 @@ resource "aws_instance" "remote_service_instance" {
   ami                                   = data.aws_ami.ami.id # Amazon Linux 2 (free tier)
   instance_type                         = "t2.micro"
   key_name                              = local.ssh_key_name
-  iam_instance_profile                  = "APP_SIGNALS_EC2_TEST_ROLE"
+  iam_instance_profile                  = var.test_role
   vpc_security_group_ids                = [aws_default_vpc.default.default_security_group_id]
   associate_public_ip_address           = true
   instance_initiated_shutdown_behavior  = "terminate"

testing/terraform/ec2/variables.tf

@@ -39,4 +39,8 @@ variable "cw_agent_rpm" {
 
 variable "adot_jar" {
   default = "s3://<bucket-name>/<jar>"
+}
+
+variable "test_role" {
+   default = "<role-name>"
 }

testing/test.yml

@@ -0,0 +1,24 @@
+## This workflow aims to run the Application Signals end-to-end tests to test changes
+## on the E2E testing resources before submitting a PR. The e2e-eks-test will deploy a
+## sample app on an EKS cluster, call the APIs, and validate the generated telemetry
+## including logs, metrics, and traces while the e2e-ec2-test will do the same but on
+## two EC2 instances.
+name: Test
+on:
+  push:
+
+jobs:
+  e2e-eks-test:
+    uses: ./.github/workflows/appsignals-e2e-eks-test.yml
+    secrets: inherit
+    with:
+      aws-region: us-east-1
+      test-cluster-name: <Enter Cluster Name>
+      caller-workflow-name: 'test'
+
+  e2e-ec2-test:
+    uses: ./.github/workflows/appsignals-e2e-ec2-test.yml
+    secrets: inherit
+    with:
+      aws-region: us-east-1
+      caller-workflow-name: 'test'