-
Notifications
You must be signed in to change notification settings - Fork 181
Expand file tree
/
Copy pathaction.yml
More file actions
308 lines (298 loc) · 13.5 KB
/
action.yml
File metadata and controls
308 lines (298 loc) · 13.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
---
name: "run_command"
description: "Run a command in a devcontainer"
inputs:
COMMAND:
description: "The command you want to run in the Devcontainer."
required: true
DEVCONTAINER_TAG:
description: "The container label to use when running the command."
required: true
AZURE_CREDENTIALS:
description: "Credentials to access Azure."
required: true
AZURE_ENVIRONMENT:
description: "Azure Cloud Environment"
default: "AzureCloud"
required: false
API_CLIENT_ID:
description: "The API Client Id."
required: false
AAD_TENANT_ID:
description: "The Tenant Id where the App is registered and the Test User is registered for the E2E Tests."
required: false
TEST_APP_ID:
description: "The Test Application Id used to interact with the API."
required: false
TEST_ACCOUNT_CLIENT_ID:
description: "The Test Automation Account Client Id used to interact with the API."
required: false
TEST_ACCOUNT_CLIENT_SECRET:
description: "The Test Automation Account Client Secret used to interact with the API."
required: false
TRE_ID:
description: "The TRE Id."
required: false
TERRAFORM_STATE_CONTAINER_NAME:
description: "The name of the container to store the Terraform state."
required: false
default: ""
MGMT_RESOURCE_GROUP_NAME:
description: "The resource group used to store the Terraform state."
required: false
MGMT_STORAGE_ACCOUNT_NAME:
description: "The storage account used to store the Terraform state."
required: false
CORE_ADDRESS_SPACE:
description: "Core address space."
required: false
TRE_ADDRESS_SPACE:
description: "TRE address apace."
required: false
ENABLE_SWAGGER:
description: "Determines whether the Swagger interface for the API will be available."
required: false
SWAGGER_UI_CLIENT_ID:
description: "The Swagger UI Client ID."
required: false
API_CLIENT_SECRET:
description: "The API Client Secret."
required: false
APPLICATION_ADMIN_CLIENT_ID:
description: "The Client ID of an identity that can manage the AAD Applications."
required: false
APPLICATION_ADMIN_CLIENT_SECRET:
description: "The Client secret of an identity that can manage the AAD Applications."
required: false
ACR_NAME:
description: "The Container Registry that holds our Research images."
required: false
LOCATION:
description: "The Azure Region (e.g. WestEurope)."
required: false
BUNDLE_TYPE:
description: "The Bundle type (workspace / Workspace-service / User Resource)."
required: false
WORKSPACE_SERVICE_NAME:
description: "The workspace service name for the bundle you are registering."
required: false
IS_API_SECURED:
description: "Indicates if the API endpoint has valid TLS certificate and if we validate it during E2E."
required: false
default: "true"
STATEFUL_RESOURCES_LOCKED:
description: "A value indicating if resources with state will be protected with locks."
required: false
default: "true"
ENABLE_AIRLOCK_MALWARE_SCANNING:
description: "If False, Airlock requests will skip the malware scanning stage."
required: false
default: "false"
CI_CACHE_ACR_NAME:
description: "A secondary ACR used for caching in CI environments"
required: true
default: ""
TF_LOG:
description: "Log level for terraform - values are blank | DEBUG | TRACE"
required: false
default: ""
CORE_APP_SERVICE_PLAN_SKU:
description: "The AppService plan sku used in core resources"
required: false
default: ""
WORKSPACE_APP_SERVICE_PLAN_SKU:
description: "The AppService plan sku used by tests"
required: false
default: ""
RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE:
description: "The number of resource processor processes to create for parallel operations"
required: false
E2E_TESTS_NUMBER_PROCESSES:
description: "The number of e2e tests running in parallel"
required: false
default: ""
RP_BUNDLE_VALUES:
description: "JSON string containing key/value pairs to injet into the Resource Processor as ENV vars"
required: false
default: ""
KV_PURGE_PROTECTION_ENABLED:
description: "A boolean indicating if the purge protection will be enabled on the core keyvault."
required: false
default: "true"
FIREWALL_SKU:
description: "Firewall SKU"
required: false
default: ""
APP_GATEWAY_SKU:
description: "Application Gateway SKU"
required: false
default: ""
ENABLE_CMK_ENCRYPTION:
description: "A boolean indicating if we should enable CMK on supported resources"
required: false
default: "false"
ENCRYPTION_KV_NAME:
description: ""
required: false
default: "The name of the keyvault that will be created for CMK"
EXTERNAL_KEY_STORE_ID:
description: "The Azure Resource ID for an external key store to use for CMK"
required: false
default: ""
USER_MANAGEMENT_ENABLED:
description: "If set to true TRE Admins are able to assign and de-assign users to workspaces via the UI"
required: false
default: "false"
PRIVATE_AGENT_SUBNET_ID:
description: Enables vnet exception for the subnet to access private resources
required: false
default: ""
UI_SITE_NAME:
description: "Product name shown in top left corner of TRE portal"
required: false
default: "Azure TRE"
UI_FOOTER_TEXT:
description: "Text shown in bottom left corner of TRE portal"
required: false
default: "Azure Trusted Research Environment"
AUTO_GRANT_WORKSPACE_CONSENT:
description: "When set to true removes the need for users to manually grant consent when creating new workspaces"
required: false
default: "false"
ENABLE_DNS_POLICY:
description: "Enable the DNS security policy"
required: false
default: "false"
ALLOWED_DNS:
description: "Add allowed domain name to the DNS security policy"
required: false
default: "[]"
runs:
using: composite
steps:
- name: Construct AZURE_ENVIRONMENT
shell: bash
run: |
azure_env="${{ (inputs.AZURE_ENVIRONMENT != '' && inputs.AZURE_ENVIRONMENT) || 'AzureCloud' }}"
echo "AZURE_ENVIRONMENT=$azure_env" >> $GITHUB_ENV
- name: Azure Login
uses: azure/login@v2
if: contains(inputs.COMMAND, 'make bootstrap') != true
with:
creds: ${{ inputs.AZURE_CREDENTIALS }}
environment: "${{ env.AZURE_ENVIRONMENT }}"
- name: ACR Login
shell: bash
if: contains(inputs.COMMAND, 'make bootstrap') != true
run: |
az acr login --name "${{ inputs.CI_CACHE_ACR_NAME }}"
- name: Construct TRE_URL
shell: bash
run: |
source devops/scripts/construct_tre_url.sh
tre_url=$(construct_tre_url "${{ inputs.TRE_ID }}" "${{ inputs.LOCATION }}" "${{ env.AZURE_ENVIRONMENT }}")
echo "TRE_URL=$tre_url" >> $GITHUB_ENV
- name: Construct ARM_ENVIRONMENT
shell: bash
run: |
source devops/scripts/convert_azure_env_to_arm_env.sh
arm_environment=$(convert_azure_env_to_arm_env "${{ env.AZURE_ENVIRONMENT }}")
echo "ARM_ENVIRONMENT=$arm_environment" >> $GITHUB_ENV
- name: Construct ACR Domain Suffix
shell: bash
run: |
echo "ACR_DOMAIN_SUFFIX=$(az cloud show --query suffixes.acrLoginServerEndpoint --output tsv)" >> $GITHUB_ENV
- name: Run command in DevContainer
shell: bash
run: |
# Write command to a command.sh script file
cat <<EOF > ./command.sh
#!/bin/bash
set -x
${{ inputs.COMMAND }}
EOF
chmod +x ./command.sh
docker run --rm --mount \
"type=bind,src=${{ github.workspace }},dst=/workspaces/tre" \
-v /var/run/docker.sock:/var/run/docker.sock \
-v "./command.sh:/workspaces/tre/command.sh" \
--workdir /workspaces/tre \
--user vscode \
-e TF_INPUT="0" \
-e TF_IN_AUTOMATION="1" \
-e USE_ENV_VARS_NOT_FILES="true" \
-e BUNDLE_TYPE="${{ inputs.BUNDLE_TYPE }}" \
-e WORKSPACE_SERVICE_NAME="${{ inputs.WORKSPACE_SERVICE_NAME }}" \
-e ARM_ENVIRONMENT="${{ env.ARM_ENVIRONMENT }}" \
-e TF_VAR_arm_environment="${{ env.ARM_ENVIRONMENT }}" \
-e AZURE_ENVIRONMENT="${{ env.AZURE_ENVIRONMENT }}" \
-e LOCATION="${{ inputs.LOCATION }}" \
-e TF_VAR_location="${{ inputs.LOCATION }}" \
-e RESOURCE_LOCATION="${{ inputs.LOCATION }}" \
-e ARM_CLIENT_ID="${{ fromJSON(inputs.AZURE_CREDENTIALS).clientId }}" \
-e ARM_CLIENT_SECRET="${{ fromJSON(inputs.AZURE_CREDENTIALS).clientSecret }}" \
-e ARM_TENANT_ID="${{ fromJSON(inputs.AZURE_CREDENTIALS).tenantId }}" \
-e ARM_SUBSCRIPTION_ID="${{ fromJSON(inputs.AZURE_CREDENTIALS).subscriptionId }}" \
-e TF_VAR_terraform_state_container_name="${{ (inputs.TERRAFORM_STATE_CONTAINER_NAME != ''
&& inputs.TERRAFORM_STATE_CONTAINER_NAME) || 'tfstate' }}" \
-e TF_VAR_mgmt_storage_account_name="${{ inputs.MGMT_STORAGE_ACCOUNT_NAME }}" \
-e TF_VAR_mgmt_resource_group_name="${{ inputs.MGMT_RESOURCE_GROUP_NAME }}" \
-e ACR_NAME=${{ inputs.ACR_NAME }} \
-e TF_VAR_acr_name=${{ inputs.ACR_NAME }} \
-e TF_VAR_aad_tenant_id="${{ inputs.AAD_TENANT_ID }}" \
-e TF_VAR_api_client_id="${{ inputs.API_CLIENT_ID }}" \
-e TF_VAR_api_client_secret="${{ inputs.API_CLIENT_SECRET }}" \
-e TF_VAR_application_admin_client_id="${{ inputs.APPLICATION_ADMIN_CLIENT_ID }}" \
-e TF_VAR_application_admin_client_secret="${{ inputs.APPLICATION_ADMIN_CLIENT_SECRET }}" \
-e TF_VAR_arm_subscription_id="${{ fromJSON(inputs.AZURE_CREDENTIALS).subscriptionId }}" \
-e TF_VAR_enable_swagger="${{ (inputs.ENABLE_SWAGGER != ''
&& inputs.ENABLE_SWAGGER) || 'false' }}" \
-e SWAGGER_UI_CLIENT_ID="${{ inputs.SWAGGER_UI_CLIENT_ID }}" \
-e TF_VAR_swagger_ui_client_id="${{ inputs.SWAGGER_UI_CLIENT_ID }}" \
-e TF_VAR_core_address_space="${{ (inputs.CORE_ADDRESS_SPACE != ''
&& inputs.CORE_ADDRESS_SPACE) || '10.0.0.0/22' }}" \
-e TF_VAR_tre_address_space="${{ (inputs.TRE_ADDRESS_SPACE != ''
&& inputs.TRE_ADDRESS_SPACE) || '10.0.0.0/16' }}" \
-e API_CLIENT_ID="${{ inputs.API_CLIENT_ID }}" \
-e AAD_TENANT_ID="${{ inputs.AAD_TENANT_ID }}" \
-e TRE_ID="${{ inputs.TRE_ID }}" \
-e TF_VAR_tre_id="${{ inputs.TRE_ID }}" \
-e TRE_URL="${{ env.TRE_URL }}" \
-e TEST_APP_ID="${{ inputs.TEST_APP_ID }}" \
-e TEST_ACCOUNT_CLIENT_ID="${{ inputs.TEST_ACCOUNT_CLIENT_ID }}" \
-e TEST_ACCOUNT_CLIENT_SECRET="${{ inputs.TEST_ACCOUNT_CLIENT_SECRET }}" \
-e IS_API_SECURED=${{ inputs.IS_API_SECURED }} \
-e DOCKER_BUILDKIT=1 \
-e TF_VAR_stateful_resources_locked=${{ inputs.STATEFUL_RESOURCES_LOCKED }} \
-e TF_VAR_kv_purge_protection_enabled="${{ inputs.KV_PURGE_PROTECTION_ENABLED }}" \
-e TF_VAR_enable_airlock_malware_scanning=${{ inputs.ENABLE_AIRLOCK_MALWARE_SCANNING }} \
-e CI_CACHE_ACR_NAME="${{ inputs.CI_CACHE_ACR_NAME }}" \
-e TF_VAR_core_app_service_plan_sku="${{ (inputs.CORE_APP_SERVICE_PLAN_SKU != ''
&& inputs.CORE_APP_SERVICE_PLAN_SKU) || 'P1v2' }}" \
-e WORKSPACE_APP_SERVICE_PLAN_SKU="${{ (inputs.WORKSPACE_APP_SERVICE_PLAN_SKU != ''
&& inputs.WORKSPACE_APP_SERVICE_PLAN_SKU) || 'P1v2' }}" \
-e TF_VAR_rp_bundle_values='${{ (toJson(inputs.RP_BUNDLE_VALUES) != '""'
&& inputs.RP_BUNDLE_VALUES) || '{}' }}' \
-e UI_SITE_NAME="${{ inputs.UI_SITE_NAME }}" \
-e UI_FOOTER_TEXT="${{ inputs.UI_FOOTER_TEXT }}" \
-e TF_VAR_resource_processor_number_processes_per_instance="${{ (inputs.RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE != ''
&& inputs.RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE) || 5 }}" \
-e FIREWALL_SKU=${{ inputs.FIREWALL_SKU != '' && inputs.FIREWALL_SKU || 'Standard' }} \
-e TF_VAR_firewall_sku=${{ inputs.FIREWALL_SKU != '' && inputs.FIREWALL_SKU || 'Standard' }} \
-e TF_VAR_app_gateway_sku=${{ inputs.APP_GATEWAY_SKU }} \
-e TF_VAR_enable_cmk_encryption="${{ (inputs.ENABLE_CMK_ENCRYPTION != ''
&& inputs.ENABLE_CMK_ENCRYPTION) || 'false' }}" \
-e TF_VAR_encryption_kv_name="${{ inputs.ENCRYPTION_KV_NAME }}" \
-e TF_VAR_external_key_store_id="${{ inputs.EXTERNAL_KEY_STORE_ID }}" \
-e TF_VAR_user_management_enabled="${{ (inputs.USER_MANAGEMENT_ENABLED != '' && inputs.USER_MANAGEMENT_ENABLED) || 'false' }}" \
-e USER_MANAGEMENT_ENABLED="${{ inputs.USER_MANAGEMENT_ENABLED }}" \
-e PRIVATE_AGENT_SUBNET_ID=${{ inputs.PRIVATE_AGENT_SUBNET_ID }} \
-e TF_VAR_private_agent_subnet_id=${{ inputs.PRIVATE_AGENT_SUBNET_ID }} \
-e TF_VAR_auto_grant_workspace_consent="${{ (inputs.AUTO_GRANT_WORKSPACE_CONSENT != '' && inputs.AUTO_GRANT_WORKSPACE_CONSENT) || 'false' }}" \
-e TF_VAR_enable_dns_policy="${{ (inputs.ENABLE_DNS_POLICY != '' && inputs.ENABLE_DNS_POLICY) || 'false' }}" \
-e TF_VAR_allowed_dns='${{ (toJson(inputs.ALLOWED_DNS) != '""' && inputs.ALLOWED_DNS) || '[]' }}' \
-e E2E_TESTS_NUMBER_PROCESSES="${{ inputs.E2E_TESTS_NUMBER_PROCESSES }}" \
'${{ inputs.CI_CACHE_ACR_NAME }}${{ env.ACR_DOMAIN_SUFFIX }}/tredev:${{ inputs.DEVCONTAINER_TAG }}' \
bash -c -x "./command.sh"
# Clean up temporary script file
rm ./command.sh