

added autotest for workspaces-*
anna-shcherbak committed May 13, 2024
1 parent 328df3e commit 81bf215
Showing 19 changed files with 474 additions and 49 deletions.
76 changes: 38 additions & 38 deletions .github/workflows/tf_testing.yml
Expand Up @@ -22,47 +22,47 @@ env:
CORE_TESTING_FOLDER: ${{ github.workspace }}
OUTPUT_DIR: ${{ github.workspace }}/auto_policy_testing/output
AWS_DEFAULT_REGION: ${{ vars.AWS_REGION }}
resource_priority_list: 'acm'
resource_priority_list: 'workspaces'
RED: '\033[0;31m'

jobs:
terraform_test_policy_green_flights:
permissions:
contents: 'read'
id-token: 'write'
runs-on: ubuntu-22.04
steps:
- name: Git clone the repository
uses: actions/checkout@v4
- name: configure aws credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.CI_ASSUME_ROLE }}
role-session-name: ECC-AWS-RULEPACK_CI-GREEN
aws-region: ${{ vars.AWS_REGION }}
- name: Install dependencies
shell: bash
working-directory: auto_policy_testing/scripts
run: |
pip install -r requirements.txt
- name: terraform_test_policy_green_flights
shell: bash
working-directory: auto_policy_testing/scripts
run: |
python main.py \
--cloud AWS \
--infra_color green \
-l $resource_priority_list \
--base_dir $GITHUB_WORKSPACE \
--output_dir $OUTPUT_DIR \
--sa "github_ci_readonly_ecc-aws-rulepack"
echo -e "${RED}Failed policies:"
cat $OUTPUT_DIR/.failed
echo -e "${RED}Failed terraforms:"
cat $OUTPUT_DIR/.tf_failed
test -s $OUTPUT_DIR/.failed && exit 1
test -s $OUTPUT_DIR/.tf_failed && exit 1
exit 0
# terraform_test_policy_green_flights:
# permissions:
# contents: 'read'
# id-token: 'write'
# runs-on: ubuntu-22.04
# steps:
# - name: Git clone the repository
# uses: actions/checkout@v4
# - name: configure aws credentials
# uses: aws-actions/configure-aws-credentials@v4
# with:
# role-to-assume: ${{ secrets.CI_ASSUME_ROLE }}
# role-session-name: ECC-AWS-RULEPACK_CI-GREEN
# aws-region: ${{ vars.AWS_REGION }}
# - name: Install dependencies
# shell: bash
# working-directory: auto_policy_testing/scripts
# run: |
# pip install -r requirements.txt
# - name: terraform_test_policy_green_flights
# shell: bash
# working-directory: auto_policy_testing/scripts
# run: |
# python main.py \
# --cloud AWS \
# --infra_color green \
# -l $resource_priority_list \
# --base_dir $GITHUB_WORKSPACE \
# --output_dir $OUTPUT_DIR \
# --sa "github_ci_readonly_ecc-aws-rulepack"
# echo -e "${RED}Failed policies:"
# cat $OUTPUT_DIR/.failed
# echo -e "${RED}Failed terraforms:"
# cat $OUTPUT_DIR/.tf_failed
# test -s $OUTPUT_DIR/.failed && exit 1
# test -s $OUTPUT_DIR/.tf_failed && exit 1
# exit 0

terraform_test_policy_red_flights:
permissions:
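Review bot: The new side keeps the whole `terraform_test_policy_green_flights` job as 37 commented-out lines instead of deleting it, so the only job left in this workflow is the red one, and the green WorkSpaces fixture that this same commit adds under auto_policy_testing/green/workspaces is not exercised by CI at all. If the job is switched off on purpose (workspace.tf in this commit warns that the WorkSpace is expensive to create), a one-line comment at the `jobs:` level such as `# green flights disabled: the WorkSpaces fixture is costly to create on every run` records that, and the dead block can be dropped since git keeps it. The changed `resource_priority_list: 'workspaces'` env value is presumably now consumed only by the red job, whose definition continues past the end of the hunk.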
50 changes: 40 additions & 10 deletions auto_policy_testing/green/common_resources/vpc.tf
Expand Up @@ -6,19 +6,49 @@ resource "aws_vpc" "this" {
}

resource "aws_subnet" "subnet1" {
vpc_id = aws_vpc.this.id
cidr_block = "10.0.1.0/24"
availability_zone = data.aws_availability_zones.this.names[0]
vpc_id = aws_vpc.this.id
cidr_block = "10.0.1.0/24"
availability_zone_id = "use1-az2"
map_public_ip_on_launch = "true"
}

resource "aws_subnet" "subnet2" {
vpc_id = aws_vpc.this.id
cidr_block = "10.0.2.0/24"
availability_zone = data.aws_availability_zones.this.names[0]
vpc_id = aws_vpc.this.id
cidr_block = "10.0.2.0/24"
availability_zone = data.aws_availability_zones.this.names[0]
map_public_ip_on_launch = "true"
}

resource "aws_subnet" "subnet3" {
vpc_id = aws_vpc.this.id
cidr_block = "10.0.3.0/24"
availability_zone = data.aws_availability_zones.this.names[1]
}
vpc_id = aws_vpc.this.id
cidr_block = "10.0.3.0/24"
availability_zone_id = "use1-az4"
map_public_ip_on_launch = "true"
}

resource "aws_internet_gateway" "this" {
vpc_id = aws_vpc.this.id
}

resource "aws_route_table" "this" {
vpc_id = aws_vpc.this.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.this.id
}
}

resource "aws_route_table_association" "this" {
subnet_id = aws_subnet.subnet1.id
route_table_id = aws_route_table.this.id
}

resource "aws_route_table_association" "this2" {
subnet_id = aws_subnet.subnet2.id
route_table_id = aws_route_table.this.id
}

resource "aws_route_table_association" "this3" {
subnet_id = aws_subnet.subnet3.id
route_table_id = aws_route_table.this.id
}
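Review bot: `map_public_ip_on_launch = "true"` on all three subnets together with the new `0.0.0.0/0` route to `aws_internet_gateway.this` turns every common subnet into a public subnet, and nothing in the hunk records why the green (compliant) fixtures need that; any fixture that reuses these subnets will now launch instances with a public IPv4 address by default. A comment above `aws_route_table.this` such as `# Public subnets: green fixtures need outbound internet via the IGW` would make the intent reviewable, and the attribute should be the bare boolean `map_public_ip_on_launch = true` rather than a quoted string. subnet1 and subnet3 now pin `availability_zone_id` (`use1-az2`/`use1-az4`) while subnet2 still derives its AZ from `data.aws_availability_zones.this.names[0]`; that mix is hard to reason about and, if `names[0]` happens to map to `use1-az2`, places two subnets in the same AZ. `aws_vpc.this` starts before the hunk.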
30 changes: 30 additions & 0 deletions auto_policy_testing/green/workspaces/iam.tf
@@ -0,0 +1,30 @@
resource "aws_iam_role" "workspaces-default" {
name = "workspaces_DefaultRole"
assume_role_policy = data.aws_iam_policy_document.workspaces.json
}

data "aws_iam_policy_document" "workspaces" {
statement {
actions = ["sts:AssumeRole"]

principals {
type = "Service"
identifiers = ["workspaces.amazonaws.com"]
}
}
}

resource "aws_iam_role_policy_attachment" "workspaces-default-service-access" {
role = aws_iam_role.workspaces-default.name
policy_arn = "arn:aws:iam::aws:policy/AmazonWorkSpacesServiceAccess"
}

resource "aws_iam_role_policy_attachment" "workspaces-default-self-service-access" {
role = aws_iam_role.workspaces-default.name
policy_arn = "arn:aws:iam::aws:policy/AmazonWorkSpacesSelfServiceAccess"
}

resource "aws_iam_role_policy_attachment" "this" {
role = aws_iam_role.workspaces-default.name
policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
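Review bot: `aws_iam_role_policy_attachment.this` attaches `AmazonSSMManagedInstanceCore` to the service role that `workspaces.amazonaws.com` assumes, which is broader than the two WorkSpaces managed policies the service role needs, and nothing in this commit consumes it — `aws_workspaces_directory.this` in workspace.tf waits only on the two `workspaces-default-*` attachments. If SSM on the service role is not required for the fixture, drop the attachment; if it is, rename it to match its siblings (`workspaces-default-ssm-access`) and add a comment saying what needs it. `workspaces_DefaultRole` is the fixed name the WorkSpaces service looks for, so a comment such as `# WorkSpaces requires this exact role name; do not route it through module.naming` would stop a later refactor from breaking directory registration.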
13 changes: 13 additions & 0 deletions auto_policy_testing/green/workspaces/main.tf
@@ -0,0 +1,13 @@
module "naming" {
source = "../../shared_tf_modules/naming"
resource_type = basename(abspath(path.module))
status = title(basename(dirname(abspath(path.module))))
}

data "terraform_remote_state" "common" {
backend = "local"

config = {
path = "../common_resources/terraform.tfstate"
}
}
6 changes: 6 additions & 0 deletions auto_policy_testing/green/workspaces/outputs.tf
@@ -0,0 +1,6 @@
output "workspaces" {
value = {
workspaces = aws_workspaces_workspace.this,
workspaces-directory = aws_workspaces_directory.this,
}
}
42 changes: 42 additions & 0 deletions auto_policy_testing/green/workspaces/policy.json
@@ -0,0 +1,42 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sts:GetCallerIdentity",
"workspaces:DescribeWorkspaceBundles",
"iam:CreateRole",
"ds:CreateDirectory",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:CreateSecurityGroup",
"iam:GetRole",
"ds:DescribeDirectories",
"iam:ListRolePolicies",
"ec2:DescribeSecurityGroups",
"iam:ListAttachedRolePolicies",
"iam:AttachRolePolicy",
"ec2:RevokeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ds:ListTagsForResource",
"workspaces:RegisterWorkspaceDirectory",
"iam:DetachRolePolicy",
"iam:ListInstanceProfilesForRole",
"iam:DeleteRole",
"ds:DeleteDirectory",
"ec2:DeleteNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteSecurityGroup",
"workspaces:DescribeWorkspaceDirectories",
"workspaces:ModifyWorkspaceCreationProperties",
"workspaces:DescribeTags",
"workspaces:CreateWorkspaces",
"workspaces:DescribeWorkspaces",
"workspaces:CreateWorkspaceImage",
"workspaces:TerminateWorkspaces",
"workspaces:DeregisterWorkspaceDirectory"
],
"Resource": "*"
}
]
}
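Review bot: The single statement grants `iam:CreateRole`, `iam:AttachRolePolicy`, `iam:DetachRolePolicy` and `iam:DeleteRole` on `"Resource": "*"`, so the identity that carries this policy (presumably the CI role) can create any role and attach any managed policy to it, not just the `workspaces_DefaultRole` that iam.tf in this commit defines. The iam actions should move to their own statement scoped to that role's ARN, and `iam:AttachRolePolicy` can be tightened further in a separate statement with an `iam:PolicyARN` condition listing the three managed policies iam.tf attaches. The ec2, ds and workspaces actions are left as they are here; scoping those is a separate question.
```json
{
  "Effect": "Allow",
  "Action": [
    "iam:CreateRole",
    "iam:GetRole",
    "iam:ListRolePolicies",
    "iam:ListAttachedRolePolicies",
    "iam:AttachRolePolicy",
    "iam:DetachRolePolicy",
    "iam:ListInstanceProfilesForRole",
    "iam:DeleteRole"
  ],
  "Resource": "arn:aws:iam::<ACCOUNT_ID_PLACEHOLDER>:role/workspaces_DefaultRole"
}
```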
15 changes: 15 additions & 0 deletions auto_policy_testing/green/workspaces/provider.tf
@@ -0,0 +1,15 @@
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5"
}
}
}

provider "aws" {
region = var.region
default_tags {
tags = module.naming.default_tags
}
}
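Review bot: `required_providers` pins only `hashicorp/aws`, yet workspace.tf in this commit uses `random_password.this`, so Terraform resolves `hashicorp/random` implicitly with no source or version constraint declared in configuration. Add `random = { source = "hashicorp/random", version = "~> 3" }` next to the aws entry so the provider set is explicit and the lock file records it deliberately. The `~> 5` constraint on aws is fine as it is.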
5 changes: 5 additions & 0 deletions auto_policy_testing/green/workspaces/variables.tf
@@ -0,0 +1,5 @@
variable "region" {
type = string
description = "Region where resources will be created"
default = "us-east-1"
}
30 changes: 30 additions & 0 deletions auto_policy_testing/green/workspaces/vpc.tf
@@ -0,0 +1,30 @@
resource "aws_security_group" "this" {
name = "workstation_security_group"
vpc_id = data.terraform_remote_state.common.outputs.vpc_id

ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [data.terraform_remote_state.common.outputs.vpc_cidr_block]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}

resource "aws_security_group" "this2" {
name = "workstation_security_group2"
vpc_id = data.terraform_remote_state.common.outputs.vpc_id


ingress {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = [data.terraform_remote_state.common.outputs.vpc_cidr_block]
}
}
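Review bot: Both security groups use a fixed `name` (`workstation_security_group`, `workstation_security_group2`) rather than the naming module that workspace.tf uses for the directory, so a second apply into the same VPC fails on the name clash, and the `workstation_` prefix does not identify the workspaces fixture. Nothing in the hunks of this commit references either group (`aws_workspaces_directory.this` in workspace.tf takes subnets only), so if no file outside this view consumes them they can be dropped; if one does, a comment naming the consumer would help. `this` opens egress to `0.0.0.0/0` on all protocols while `this2` declares no egress block, which on `aws_security_group` removes the default allow-all egress rule; that asymmetry looks unintended and deserves a comment either way. The doubled blank line before the `ingress` block in `this2` is a small style nit.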
84 changes: 84 additions & 0 deletions auto_policy_testing/green/workspaces/workspace.tf
@@ -0,0 +1,84 @@
########################
### WARNING !!! ###
# This is a very expensive resource. Each WorkSpace will cost $7.25/month + $0.17/hour.

data "aws_workspaces_bundle" "this" {
owner = "Amazon"
name = "Value with Amazon Linux 2"
}

resource "random_password" "this" {
length = 12
special = true
numeric = true
override_special = "!#$%*()-_=+[]{}:?"
}

resource "aws_directory_service_directory" "this" {
name = "${module.naming.resource_prefix.directory}.com"
password = random_password.this.result
size = "Small"

vpc_settings {
vpc_id = data.terraform_remote_state.common.outputs.vpc_id
subnet_ids = [data.terraform_remote_state.common.outputs.vpc_subnet_1_id, data.terraform_remote_state.common.outputs.vpc_subnet_3_id]
}
}

resource "aws_workspaces_directory" "this" {
directory_id = aws_directory_service_directory.this.id
subnet_ids = [data.terraform_remote_state.common.outputs.vpc_subnet_1_id, data.terraform_remote_state.common.outputs.vpc_subnet_3_id]

workspace_creation_properties {
enable_maintenance_mode = true
}

depends_on = [
aws_iam_role_policy_attachment.workspaces-default-service-access,
aws_iam_role_policy_attachment.workspaces-default-self-service-access
]
}

resource "aws_workspaces_workspace" "this" {
directory_id = aws_workspaces_directory.this.id
bundle_id = data.aws_workspaces_bundle.this.id
user_name = "Administrator"

root_volume_encryption_enabled = true
user_volume_encryption_enabled = true
volume_encryption_key = data.terraform_remote_state.common.outputs.kms_key_arn

workspace_properties {
compute_type_name = "VALUE"
user_volume_size_gib = 10
root_volume_size_gib = 80
running_mode = "AUTO_STOP"
running_mode_auto_stop_timeout_in_minutes = 60
}

depends_on = [
aws_iam_role_policy_attachment.workspaces-default-service-access,
aws_workspaces_directory.this
]
}


## Can not be created from encrypted Workspace
# data "external" "this" {
# program = ["bash", "-c", "aws workspaces create-workspace-image --name autotest-green-image --description autotest-green-image --workspace-id ${aws_workspaces_workspace.this.id} | jq -r -c '{image_id: .ImageId }'"]

# depends_on = [ aws_workspaces_workspace.this ]
# }

# resource "null_resource" "this" {
# triggers = {
# image_id = data.external.this.result["image_id"]
# }

# provisioner "local-exec" {
# when = destroy
# command = "aws workspaces delete-workspace-image --image-id ${self.triggers.image_id}"
# }

# depends_on = [ aws_workspaces_workspace.this, data.external.this ]
# }
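Review bot: `random_password.this.result` becomes the administrator password of `aws_directory_service_directory.this` and is stored in plain text in this fixture's Terraform state alongside the resource; main.tf in this commit reads common_resources through a `local` backend, so if this module's state is local as well (its backend is not visible here) that password sits on the CI runner's disk. A comment above `random_password` such as `# directory admin password; lands in state — keep the state file out of anything the workflow uploads` records the constraint, and the state path should be checked against whatever the workflow publishes from $OUTPUT_DIR, if anything. In `aws_workspaces_workspace.this` the `depends_on` entry for `aws_workspaces_directory.this` is redundant with the implicit dependency through `directory_id`. The commented-out `data "external"` block at the end interpolates `aws_workspaces_workspace.this.id` into a `bash -c` string; if it is ever revived, pass the id as a separate argument of `program` instead.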
