Extend .github/workflows/run-e2e-tests.yml to support fetching Test S…
…ecrets from AWS Secrets Manager (#805)
lukaszcl authored Jan 16, 2025
1 parent fb79097 commit 61acf90
Showing 5 changed files with 132 additions and 3 deletions.
53 changes: 50 additions & 3 deletions .github/workflows/run-e2e-tests.yml
Expand Up @@ -66,6 +66,13 @@ on:
'Run tests by trigger name. Example: "Run Nightly E2E Tests"'
required: false
type: string
test_secrets_override_key:
description:
'Key to use for overriding the default test secrets. Use "aws:" prefix
for AWS secrets. Example:
"aws:testsecrets/TEST_SECRETS_OVERRIDE_BASE64"'
required: false
type: string
test_config_override_path:
description:
"Path to a test config file used to override the default test config"
Expand Down Expand Up @@ -282,16 +289,33 @@ jobs:
require_chainlink_plugin_versions_in_qa_ecr_matrix:
${{ steps.set-required-chainlink-plugin-versions-matrix.outputs.versions
}}
aws_test_secrets_key:
${{ steps.check-inputs.outputs.aws_test_secrets_key }}
steps:
- name: Check input conditions
id: check-inputs
run: |
if [[ "${{ inputs.test_ids }}" != "" && "${{ inputs.test_trigger }}" != "" ]]; then
echo "::error::Error: Both 'test_ids' and 'test_trigger' are provided. Please specify only one."
exit 1
fi
# Check if both TEST_SECRETS_OVERRIDE_BASE64 and test_secrets_override_key starting with 'aws:' are set
if [[ "${{ secrets.TEST_SECRETS_OVERRIDE_BASE64 }}" != "" && "${{ inputs.test_secrets_override_key }}" == aws:* ]]; then
echo "::error::Error: Both GitHub Secret and AWS Secret ('test_secrets_override_key' starting with 'aws:') are set. Please specify only one."
exit 1
fi
# Inform if custom secrets are being used
if [[ "${{ secrets.TEST_SECRETS_OVERRIDE_BASE64 }}" != "" ]]; then
echo "Will run tests with custom test secrets"
echo "Will run tests with custom test secrets from GitHub Secret."
elif [[ "${{ inputs.test_secrets_override_key }}" == aws:* ]]; then
ORIGINAL_KEY="${{ inputs.test_secrets_override_key }}"
SECRET_ID="${ORIGINAL_KEY#aws:}"
echo "aws_test_secrets_key=$SECRET_ID" >> "$GITHUB_OUTPUT"
echo "Will run tests with custom test secrets from AWS Secrets Manager. AWS Secret ID: $SECRET_ID"
fi
- name: Install jq
run: sudo apt-get install jq

Expand Down Expand Up @@ -576,6 +600,7 @@ jobs:
name: ${{ matrix.tests.id }}
needs:
[
validate-inputs,
load-test-configurations,
require-chainlink-image-versions-in-qa-ecr,
require-chainlink-plugin-versions-in-qa-ecr,
Expand Down Expand Up @@ -688,6 +713,16 @@ jobs:
echo "$key=$value" >> "$GITHUB_ENV"
done
fi
- name: Get Test Secrets from AWS Secret Manager
if: ${{ needs.validate-inputs.outputs.aws_test_secrets_key }}
id: aws-test-secrets
uses: smartcontractkit/.github/actions/ctf-fetch-aws-secret@921f4b0ca850dd473dcef9082e3169ccbb83cc52 # [email protected]
with:
secret_id: ${{ needs.validate-inputs.outputs.aws_test_secrets_key }}
aws_region: ${{ secrets.QA_AWS_REGION }}
aws_role_to_assume: ${{ secrets.QA_AWS_ROLE_TO_ASSUME }}

- name: Run tests
id: run_tests
uses: smartcontractkit/.github/actions/ctf-run-tests@5a52473d754eb3cfde41449437e320167bbbddf2 # [email protected]
Expand Down Expand Up @@ -719,7 +754,8 @@ jobs:
test_download_vendor_packages_command:
cd $(dirname ${{ matrix.tests.path }}) && go mod download
test_secrets_override_base64:
${{ secrets.TEST_SECRETS_OVERRIDE_BASE64 }}
${{ steps.aws-test-secrets.outputs.secret_value ||
secrets.TEST_SECRETS_OVERRIDE_BASE64 }}
test_config_override_path: ${{ env.TEST_CONFIG_OVERRIDE_PATH }}
test_type: ${{ matrix.tests.test_env_vars.TEST_TYPE }}
test_suite: ${{ matrix.tests.test_env_vars.TEST_SUITE }}
Expand Down Expand Up @@ -876,6 +912,7 @@ jobs:
run-k8s-runner-tests:
needs:
[
validate-inputs,
load-test-configurations,
get-remote-runner-test-image,
require-chainlink-image-versions-in-qa-ecr,
Expand Down Expand Up @@ -954,6 +991,15 @@ jobs:
done
fi
- name: Get Test Secrets from AWS Secret Manager
if: ${{ needs.validate-inputs.outputs.aws_test_secrets_key }}
id: aws-test-secrets
uses: smartcontractkit/.github/actions/ctf-fetch-aws-secret@921f4b0ca850dd473dcef9082e3169ccbb83cc52 # [email protected]
with:
secret_id: ${{ needs.validate-inputs.outputs.aws_test_secrets_key }}
aws_region: ${{ secrets.QA_AWS_REGION }}
aws_role_to_assume: ${{ secrets.QA_AWS_ROLE_TO_ASSUME }}

- name: Run tests
id: run_tests
uses: smartcontractkit/.github/actions/ctf-run-tests@5a52473d754eb3cfde41449437e320167bbbddf2 # [email protected]
Expand Down Expand Up @@ -995,7 +1041,8 @@ jobs:
-hidepassingtests=false' }}
test_download_vendor_packages_command: make gomod
test_secrets_override_base64:
${{ secrets.TEST_SECRETS_OVERRIDE_BASE64 }}
${{ steps.aws-test-secrets.outputs.secret_value ||
secrets.TEST_SECRETS_OVERRIDE_BASE64 }}
test_config_override_path: ${{ env.TEST_CONFIG_OVERRIDE_PATH }}
test_type: ${{ matrix.tests.test_env_vars.TEST_TYPE }}
test_suite: ${{ matrix.tests.test_env_vars.TEST_SUITE }}
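Review bot: The new `check-inputs` step interpolates the workflow input `inputs.test_secrets_override_key` directly into the bash body (`"${{ inputs.test_secrets_override_key }}" == aws:*` and the `ORIGINAL_KEY=` assignment); the expression is substituted as text before bash runs, so a value containing a double quote or `$(...)` would be interpreted as shell rather than compared as a string. Pass it through the step's `env:` instead, with an entry `TEST_SECRETS_OVERRIDE_KEY: ${{ inputs.test_secrets_override_key }}` and then `if [[ "$TEST_SECRETS_OVERRIDE_KEY" == aws:* ]]; then` and `SECRET_ID="${TEST_SECRETS_OVERRIDE_KEY#aws:}"`. The same pattern appears as `SECRET_ID="${{ inputs.secret_id }}"` in the new actions/ctf-fetch-aws-secret/action.yml, which receives this value downstream. The added comparison also embeds the value of `secrets.TEST_SECRETS_OVERRIDE_BASE64` in the script text; an `env:` entry and `[[ -n "$TEST_SECRETS_OVERRIDE_BASE64" ]]` keep the secret out of the script body. The validate-inputs job begins outside the hunk.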
3 changes: 3 additions & 0 deletions actions/ctf-fetch-aws-secret/README.md
@@ -0,0 +1,3 @@
# ctf-fetch-aws-secret

>
61 changes: 61 additions & 0 deletions actions/ctf-fetch-aws-secret/action.yml
@@ -0,0 +1,61 @@
name: ctf-fetch-aws-secret
description: "Fetches a secret from AWS Secrets Manager."

inputs:
secret_id:
description: "The AWS Secrets Manager Secret ID."
required: true
aws_region:
required: true
description: "The AWS region to use."
aws_role_to_assume:
required: true
description: "The AWS role to assume."
aws_role_duration_seconds:
required: false
default: "900"
description: "The duration (in seconds) to assume the AWS role."

outputs:
secret_value:
description: "Secret value returned from AWS Secrets Manager."
value: ${{ steps.get-aws-secret.outputs.secret_value }}

runs:
using: "composite"
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
aws-region: ${{ inputs.aws_region }}
role-to-assume: ${{ inputs.aws_role_to_assume }}
role-duration-seconds: ${{ inputs.aws_role_duration_seconds }}
mask-aws-account-id: true

- name: Get Secret from AWS Secrets Manager
id: get-aws-secret
shell: bash
run: |
# Exit immediately if any command fails
set -e
# Use secret_id as-is (no prefix removal)
SECRET_ID="${{ inputs.secret_id }}"
# Attempt to fetch the secret string from AWS Secrets Manager
SECRET_VALUE=$(aws secretsmanager get-secret-value --secret-id "$SECRET_ID" --query 'SecretString' --output text)
# Mask the secret value in logs
echo "::add-mask::$SECRET_VALUE"
# Fail if the secret could not be retrieved or is empty
if [ -z "$SECRET_VALUE" ]; then
echo "::error::Failed to retrieve AWS Secret. The secret might not exist or is empty: $SECRET_ID"
exit 1
fi
# Set the action output
echo "secret_value=$SECRET_VALUE" >> $GITHUB_OUTPUT
# Final success message
echo "Successfully retrieved AWS Secret: $SECRET_ID"
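Review bot: `echo "secret_value=$SECRET_VALUE" >> $GITHUB_OUTPUT` in the `Get Secret from AWS Secrets Manager` step writes the value in the single-line `name=value` form, so a SecretString containing a newline (a JSON secret, for example) is truncated at the first line and the remainder is parsed as further output entries. Use the multi-line delimiter form, `DELIM="secret_$RANDOM$RANDOM"` followed by `printf '%s<<%s\n%s\n%s\n' secret_value "$DELIM" "$SECRET_VALUE" "$DELIM" >> "$GITHUB_OUTPUT"`, which also quotes the file path. `::add-mask::` on a multi-line value may not mask each line individually; if multi-line secrets are possible, mask them line by line — worth confirming against the runner's behaviour. With `set -e`, a failing `aws secretsmanager get-secret-value` call exits before the `-z` check, so the `Failed to retrieve AWS Secret` message is reached only when the CLI succeeds with an empty result (and `--output text` may yield the literal `None` for a binary-only secret, which the check would not catch); the comment `# Attempt to fetch` could state this.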
11 changes: 11 additions & 0 deletions actions/ctf-fetch-aws-secret/package.json
@@ -0,0 +1,11 @@
{
"name": "ctf-fetch-aws-secret",
"version": "0.0.0",
"description": "",
"private": true,
"scripts": {},
"author": "@smartcontractkit",
"license": "MIT",
"dependencies": {},
"repository": "https://github.com/smartcontractkit/.github"
}
7 changes: 7 additions & 0 deletions actions/ctf-fetch-aws-secret/project.json
@@ -0,0 +1,7 @@
{
"name": "ctf-fetch-aws-secret",
"$schema": "../../node_modules/nx/schemas/project-schema.json",
"projectType": "application",
"sourceRoot": "actions/ctf-fetch-aws-secret",
"targets": {}
}
