Merge pull request #23 from sonikro/optional-subnet-ids

feat(subnetIds): made subnet-ids optional

Author: sonikro

.github/workflows/test.yml

@@ -62,3 +62,24 @@ jobs:
             terraform -v
             echo "Hello World. I am ${{github.repository}}"
             echo "Testing $GITHUB_REPOSITORY variable"
+  test-auto-subnet-ids: 
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'sonikro'
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: ./
+        with:
+          role_arn: "${{secrets.TEST_ROLE_ARN}}"
+          image: hashicorp/terraform:latest
+          region: us-east-1
+          vpc_id: "${{secrets.TEST_VPC_ID}}"
+          shell: sh
+          run: |
+            ls -la
+            terraform -v
+            echo "Hello World. I am ${{github.repository}}"
+            echo "Testing $GITHUB_REPOSITORY variable"

README.md

@@ -91,11 +91,12 @@ The policy attattched to this role must have at least these permissions:
                 "logs:GetLogEvents",
                 "s3:*",
                 "ec2:DescribeSecurityGroups",
-				"ec2:DescribeSecurityGroupRules",
-				"ec2:AuthorizeSecurityGroupEgress",
-				"ec2:CreateSecurityGroup",
-				"ec2:AuthorizeSecurityGroupIngress",
-				"ec2:DeleteSecurityGroup"
+                "ec2:DescribeSecurityGroupRules",
+                "ec2:AuthorizeSecurityGroupEgress",
+                "ec2:CreateSecurityGroup",
+                "ec2:AuthorizeSecurityGroupIngress",
+                "ec2:DeleteSecurityGroup",
+          			"ec2:DescribeSubnets"
             ],
             "Resource": "*"
         },
@@ -119,7 +120,6 @@ The policy attattched to this role must have at least these permissions:
 
 #### Easiest way to get started
 
-
 ```yaml
 jobs:
   terraform: 
@@ -136,8 +136,6 @@ jobs:
           image: hashicorp/terraform:latest
           region: us-east-1
           vpc_id: "${{secrets.VPC_ID}}"
-          subnet_ids: |
-            ${{secrets.SUBNBET_ID}}
           shell: sh
           run: |
             terraform apply
@@ -171,6 +169,34 @@ jobs:
             terraform apply
 ```
 
+#### Using specific subnet ids
+
+If you want your task to run on specific subnets, use the **subnet_ids** argument
+
+```yaml
+jobs:
+  terraform: 
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write 
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: sonikro/aws-run@v1
+        with:
+          role_arn: "${{secrets.ROLE_ARN}}"
+          image: hashicorp/terraform:latest
+          region: us-east-1
+          vpc_id: "${{secrets.VPC_ID}}"
+          security_group_id: "<SECURITY_GROUP_ID>"
+          subnet_ids: |
+            ${{secrets.SUBNBET_ID}}
+          shell: sh
+          run: |
+            terraform apply
+```
+
 > id-token: write is required in order to authenticate to AWS using OIDC
 
 This example would run a container with image **hashicorp/terraform:latest** in your AWS Account, connected to the specified VPC_ID, SUBNET_ID nd SECURITY_GROUP_ID. All contents of the GitHub Runner Workspace are copied to the remote container, meaning that the remote shell has access to all of the files of the host runner.
@@ -214,7 +240,7 @@ In the execution phase, the action will:
 - [X] Allow multiple Subnet IDs
 - [X] Stream the Cloudwatch logs as they happen, and not just at the end of the execution
 - [X] Automatically create temporary security group if one is not provided
-- [ ] Automatically grab list of Subnets for VPC_ID, if Subnet_IDS are not provided
+- [X] Automatically grab list of Subnets for VPC_ID, if Subnet_IDS are not provided
 - [ ] Mask secrets inside the Cloudwatch Logs
 - [X] Map all GitHub Contexts/ENVS into the ECS Container
 - [ ] Ability to upload artifacts back to GitHub (if your remote execution generates artifacts)

action.yml

@@ -40,8 +40,8 @@ inputs:
     required: true
     description: Name of the shell to be used in the container to execute the run script
   subnet_ids:
-    required: true
-    description: Subnet ID of where the Task will be executed.
+    required: false
+    description: Subnet ID of where the Task will be executed. If no subnet_ids is specified, the task will find one automatically within the VPC
   vpc_id:
     required: true
     description: VPC ID of where the Task will be executed

dist/index.js

@@ -20,7 +20,7 @@ async function run(): Promise<void> {
     const runScript: string = core.getInput('run')
     const vpcId: string = core.getInput('vpc_id')
     const subnetIds: string[] = core
-      .getInput('subnet_ids')
+      .getInput('subnet_ids', {required: false})
       .split('\n')
       .map(s => s.trim())
       .filter(x => x !== '')

dist/index.js.map

@@ -233,6 +233,16 @@ describe('AWSECSRemoteEnvironment', () => {
         return callback(null, {})
       })
     AWSMock.mock(`EC2`, `deleteSecurityGroup`, deleteSecurityGroup)
+
+    const mockedDescribeSubnetResult = mock<
+      PromiseResult<EC2.DescribeSubnetsResult, AWSError>
+    >({
+      Subnets: [{SubnetId: 'subnet1'}, {SubnetId: 'subnet2'}]
+    })
+    const describeSubnets = jest.fn().mockImplementation((input, callback) => {
+      callback(null, mockedDescribeSubnetResult)
+    })
+    AWSMock.mock('EC2', 'describeSubnets', describeSubnets)
     return {
       Sut: AWSECSRemoteEnvironment,
       region,
@@ -248,11 +258,13 @@ describe('AWSECSRemoteEnvironment', () => {
       mockedCreateClusterResult,
       mockedDescribeClusterResult,
       mockedEcsCluster,
+      mockedDescribeSubnetResult,
       deregisterTaskDefinition,
       deleteLogStream,
       deleteBucket,
       deleteObject,
-      deleteSecurityGroup
+      deleteSecurityGroup,
+      describeSubnets
     }
   }
 
@@ -317,6 +329,24 @@ describe('AWSECSRemoteEnvironment', () => {
       // Then
       expect(receivedResult.exitCode).toBe(0)
     }, 10000)
+
+    it('correctly finds all subnetIds, if no subnetId is provided', async () => {
+      // Given
+      const {Sut, region, roleArn, webIdentityToken, ecsExecutionSettings} =
+        makeSut({subnetIds: []})
+      // When
+      const awsEcsRemoteEnvironment = await Sut.fromGithubOidc({
+        region,
+        roleArn,
+        webIdentityToken
+      })
+
+      const receivedResult = await awsEcsRemoteEnvironment.execute({
+        settings: ecsExecutionSettings
+      })
+      // Then
+      expect(receivedResult.exitCode).toBe(0)
+    }, 10000)
   })
 
   describe('tearDown', () => {

src/main.ts

@@ -130,11 +130,13 @@ export class AWSECSRemoteEnvironment
     })
     console.log(`Starting ECS Task`)
     // Start Remote Execution
+    const subnetIds = await this.findSubnetIds({settings})
+
     const executionTask = await this.startTask({
       ecsCluster,
-      settings,
       taskDefinition,
-      securityGroupId
+      securityGroupId,
+      subnetIds
     })
     console.log(`Waiting until ECS Task is running`)
     await ecs
@@ -169,6 +171,30 @@ export class AWSECSRemoteEnvironment
       s3WorkspaceBucket: s3Workspace
     }
   }
+  async findSubnetIds({
+    settings
+  }: {
+    settings: ECSExecutionSettings
+  }): Promise<string[]> {
+    const {ec2} = this.dependencies
+    if (settings.subnetIds.length > 0) {
+      return settings.subnetIds
+    }
+
+    const allSubnets = await ec2
+      .describeSubnets({
+        Filters: [
+          {
+            Name: 'vpc-id',
+            Values: [settings.vpcId]
+          }
+        ]
+      })
+      .promise()
+
+    return allSubnets.Subnets!.map(it => it.SubnetId!)
+  }
+
   async setupSecurityGroup({
     settings
   }: {
@@ -328,13 +354,13 @@ export class AWSECSRemoteEnvironment
   protected async startTask({
     taskDefinition,
     ecsCluster,
-    settings,
-    securityGroupId
+    securityGroupId,
+    subnetIds
   }: {
     taskDefinition: ECS.TaskDefinition
     ecsCluster: ECS.Cluster
-    settings: ECSExecutionSettings
     securityGroupId: string
+    subnetIds: string[]
   }): Promise<ECS.Task> {
     const {ecs} = this.dependencies
     const task = await ecs
@@ -345,7 +371,7 @@ export class AWSECSRemoteEnvironment
         networkConfiguration: {
           awsvpcConfiguration: {
             assignPublicIp: 'ENABLED',
-            subnets: settings.subnetIds,
+            subnets: subnetIds,
             securityGroups: [securityGroupId]
           }
         },