Implementing helm integration tests for amazon-cloudwatch-observability

aws-observability · Mar 15, 2024 · 78d8709 · 78d8709
1 parent cd8ad01
commit 78d8709
Show file tree

Hide file tree

Showing 9 changed files with 651 additions and 0 deletions.
diff --git a/.github/workflows/amazon-cloudwatch-observability-helm-integration-test.yaml b/.github/workflows/amazon-cloudwatch-observability-helm-integration-test.yaml
@@ -0,0 +1,78 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+name: Run Integration Test for Amazon CloudWatch Observability Helm Chart
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref_name }}
+  cancel-in-progress: true
+
+permissions:
+  id-token: write
+  contents: read
+
+env:
+  TERRAFORM_AWS_ASSUME_ROLE: ${{ secrets.TERRAFORM_AWS_ASSUME_ROLE }}
+  AWS_DEFAULT_REGION: us-west-2
+
+jobs:
+  HelmChartsIntegrationTest:
+    name: HelmChartsIntegrationTest
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Generate testing id
+        run: echo TESTING_ID="${{ github.run_id }}-${{ github.run_number }}" >> $GITHUB_ENV
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ env.TERRAFORM_AWS_ASSUME_ROLE }}
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
+      #  local directory to store the kubernetes config
+      - name: Create kubeconfig directory
+        run: mkdir -p ${{ github.workspace }}/../../../.kube
+
+      - name: Set KUBECONFIG environment variable
+        run: echo KUBECONFIG="${{ github.workspace }}/../../../.kube/config" >> $GITHUB_ENV
+
+      - name: Verify Terraform version
+        run: terraform --version
+
+      - name: Terraform apply
+        uses: nick-fields/retry@v2
+        with:
+          max_attempts: 1
+          timeout_minutes: 60 # EKS takes about 20 minutes to spin up a cluster and service on the cluster
+          retry_wait_seconds: 5
+          command: |
+            cd integration-tests/amazon-cloudwatch-observability/terraform/helm
+            terraform init
+            if terraform apply -auto-approve \
+                -var="kube_dir=${{ github.workspace }}/../../../.kube"; then
+              terraform destroy -auto-approve
+            else
+              terraform destroy -auto-approve && exit 1
+            fi
+
+      - name: Terraform destroy
+        if: ${{ cancelled() || failure() }}
+        uses: nick-fields/retry@v2
+        with:
+          max_attempts: 3
+          timeout_minutes: 8
+          retry_wait_seconds: 5
+          command: |
+            cd integration-tests/amazon-cloudwatch-observability/terraform/helm
+            terraform destroy --auto-approve
diff --git a/integration-tests/amazon-cloudwatch-observability/terraform/basic_components/main.tf b/integration-tests/amazon-cloudwatch-observability/terraform/basic_components/main.tf
@@ -0,0 +1,25 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT
+
+module "common" {
+  source = "../common"
+}
+
+data "aws_iam_role" "cwagent_iam_role" {
+  name = module.common.cwa_iam_role
+}
+
+data "aws_vpc" "vpc" {
+  default = true
+}
+
+data "aws_subnets" "public_subnet_ids" {
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.vpc.id]
+  }
+}
+
+data "aws_security_group" "security_group" {
+  name = module.common.vpc_security_group
+}
diff --git a/integration-tests/amazon-cloudwatch-observability/terraform/basic_components/output.tf b/integration-tests/amazon-cloudwatch-observability/terraform/basic_components/output.tf
@@ -0,0 +1,14 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT
+
+output "security_group" {
+  value = data.aws_security_group.security_group.id
+}
+
+output "public_subnet_ids" {
+  value = data.aws_subnets.public_subnet_ids.ids
+}
+
+output "role_arn" {
+  value = data.aws_iam_role.cwagent_iam_role.arn
+}
diff --git a/integration-tests/amazon-cloudwatch-observability/terraform/common/main.tf b/integration-tests/amazon-cloudwatch-observability/terraform/common/main.tf
@@ -0,0 +1,6 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT
+
+resource "random_id" "testing_id" {
+  byte_length = 8
+}
diff --git a/integration-tests/amazon-cloudwatch-observability/terraform/common/output.tf b/integration-tests/amazon-cloudwatch-observability/terraform/common/output.tf
@@ -0,0 +1,14 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT
+
+output "testing_id" {
+  value = random_id.testing_id.hex
+}
+
+output "cwa_iam_role" {
+  value = "cwa-e2e-iam-role"
+}
+
+output "vpc_security_group" {
+  value = "vpc_security_group"
+}
diff --git a/integration-tests/amazon-cloudwatch-observability/terraform/helm/main.tf b/integration-tests/amazon-cloudwatch-observability/terraform/helm/main.tf
@@ -0,0 +1,132 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT
+
+module "common" {
+  source = "../common"
+}
+
+module "basic_components" {
+  source = "../basic_components"
+}
+
+locals {
+  aws_eks  = "aws eks --region ${var.region}"
+  cluster_name = var.cluster_name != "" ? var.cluster_name : "cwagent-helm-chart-integ"
+}
+
+data "aws_eks_cluster_auth" "this" {
+  name = aws_eks_cluster.this.name
+}
+
+resource "aws_eks_cluster" "this" {
+  name     = "${local.cluster_name}-${module.common.testing_id}"
+  role_arn = module.basic_components.role_arn
+  version  = var.k8s_version
+  vpc_config {
+    subnet_ids         = module.basic_components.public_subnet_ids
+    security_group_ids = [module.basic_components.security_group]
+  }
+}
+
+# EKS Node Groups
+resource "aws_eks_node_group" "this" {
+  cluster_name    = aws_eks_cluster.this.name
+  node_group_name = "${local.cluster_name}-node"
+  node_role_arn   = aws_iam_role.node_role.arn
+  subnet_ids      = module.basic_components.public_subnet_ids
+
+  scaling_config {
+    desired_size = 1
+    max_size     = 1
+    min_size     = 1
+  }
+
+  ami_type       = "AL2_x86_64"
+  capacity_type  = "ON_DEMAND"
+  disk_size      = 20
+  instance_types = ["t3a.medium"]
+
+  depends_on = [
+    aws_iam_role_policy_attachment.node_CloudWatchAgentServerPolicy,
+    aws_iam_role_policy_attachment.node_AmazonEC2ContainerRegistryReadOnly,
+    aws_iam_role_policy_attachment.node_AmazonEKS_CNI_Policy,
+    aws_iam_role_policy_attachment.node_AmazonEKSWorkerNodePolicy
+  ]
+}
+
+# EKS Node IAM Role
+resource "aws_iam_role" "node_role" {
+  name = "${local.cluster_name}-Worker-Role-${module.common.testing_id}"
+
+  assume_role_policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_iam_role_policy_attachment" "node_AmazonEKSWorkerNodePolicy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
+  role       = aws_iam_role.node_role.name
+}
+
+resource "aws_iam_role_policy_attachment" "node_AmazonEKS_CNI_Policy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+  role       = aws_iam_role.node_role.name
+}
+
+resource "aws_iam_role_policy_attachment" "node_AmazonEC2ContainerRegistryReadOnly" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+  role       = aws_iam_role.node_role.name
+}
+
+resource "aws_iam_role_policy_attachment" "node_CloudWatchAgentServerPolicy" {
+  policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
+  role       = aws_iam_role.node_role.name
+}
+
+resource "null_resource" "kubectl" {
+  depends_on = [
+    aws_eks_cluster.this,
+    aws_eks_node_group.this
+  ]
+  provisioner "local-exec" {
+    command = <<-EOT
+      ${local.aws_eks} update-kubeconfig --name ${aws_eks_cluster.this.name}
+      ${local.aws_eks} list-clusters --output text
+      ${local.aws_eks} describe-cluster --name ${aws_eks_cluster.this.name} --output text
+    EOT
+  }
+}
+
+resource "helm_release" "this" {
+  depends_on = [
+    null_resource.kubectl
+  ]
+  name = "amazon-cloudwatch-observability"
+  namespace = "amazon-cloudwatch"
+  create_namespace = true
+  chart      = "${var.helm_dir}"
+  set {
+    name  = "region"
+    value = "${var.region}"
+  }
+}
+
+resource "null_resource" "validator" {
+  depends_on = [
+    helm_release.this
+  ]
+  provisioner "local-exec" {
+    command = "go test ${var.test_dir} -v"
+  }
+}
diff --git a/integration-tests/amazon-cloudwatch-observability/terraform/helm/providers.tf b/integration-tests/amazon-cloudwatch-observability/terraform/helm/providers.tf
@@ -0,0 +1,12 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT
+
+provider "aws" {
+  region = var.region
+}
+
+provider "helm" {
+  kubernetes {
+    config_path = "${var.kube_dir}/config"
+  }
+}
diff --git a/integration-tests/amazon-cloudwatch-observability/terraform/helm/variables.tf b/integration-tests/amazon-cloudwatch-observability/terraform/helm/variables.tf
@@ -0,0 +1,33 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT
+
+variable "region" {
+  type    = string
+  default = "us-west-2"
+}
+
+variable "k8s_version" {
+  type    = string
+  default = "1.29"
+}
+
+# eks addon and helm tests are similar
+variable "test_dir" {
+  type    = string
+  default = "../validator"
+}
+
+variable "helm_dir" {
+  type    = string
+  default = "../../../charts/amazon-cloudwatch-observability"
+}
+
+variable "kube_dir" {
+  type    = string
+  default = "~/.kube"
+}
+
+variable "cluster_name" {
+  type    = string
+  default = "cwagent-helm-chart-integ"
+}