
Commit bf371a8

Remove integration test github secrets and add OIDC role based Auth for best security practices (#510)
* Remove integration-test GitHub secrets and add OIDC authentication
1 parent d29cefc commit bf371a8


2 files changed

+43
-8
lines changed


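--- a/.github/docker-images/integration-tests/ubuntu/Dockerfile
+++ b/.github/docker-images/integration-tests/ubuntu/Dockerfile
@@ -59,7 +59,7 @@ RUN apt update && apt upgrade -y && \
 RUN mkdir /home/dependencies
 WORKDIR /home/dependencies
 
-RUN wget https://zlib.net/zlib-1.3.1.tar.gz -O /tmp/zlib-1.3.tar.gz && \
+RUN wget https://zlib.net/zlib-1.3.1.tar.gz -O /tmp/zlib-1.3.1.tar.gz && \
     tar xzvf /tmp/zlib-1.3.1.tar.gz && \
     cd zlib-1.3.1 && \
     ./configure && \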
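--- a/.github/workflows/e2e-ci.yml
+++ b/.github/workflows/e2e-ci.yml
@@ -360,14 +360,19 @@ jobs:
             public.ecr.aws/${{ env.ECR_TEST_RUNNER_REPO }}:x86_64-ubuntu-${{ needs.versioning.outputs.version }}
             public.ecr.aws/${{ env.ECR_TEST_RUNNER_REPO }}:x86_64-ubuntu-latest
           platforms: linux/amd64
+      - name: Assume Role for Integration Test
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.DC_AWS_ACCOUNT_ID }}:role/integration-test-role
+          aws-region: us-east-1
       - name: Run Tests
         env:
           IOT_ENDPOINT: ${{ secrets.IOT_ENDPOINT }}
           CERTIFICATE: ${{ secrets.CLAIM_CERTIFICATE }}
           DEVICE_KEY_SECRET: ${{ secrets.FP_DEVICE_KEY_SECRET }}
           AMAZON_ROOT_CA: ${{ secrets.AMAZON_ROOT_CA }}
         run: |
-          docker run -e AWS_ACCESS_KEY_ID="$(echo ${{ secrets.INTEG_USER_KEY_ID }})" -e AWS_SECRET_ACCESS_KEY="$(echo ${{ secrets.INTEG_USER_KEY_SECRET }})" -e IOT_ENDPOINT="$(echo $IOT_ENDPOINT)" -e CERTIFICATE="$(echo $CERTIFICATE)" -e DEVICE_KEY_SECRET="$(echo $DEVICE_KEY_SECRET)" -e AMAZON_ROOT_CA="$(echo $AMAZON_ROOT_CA)" -e THING_NAME=fleetprovisioning ${{ steps.build-test-runner.outputs.imageid }} --skip-st --clean-up
+          docker run -e IOT_ENDPOINT="$(echo $IOT_ENDPOINT)" -e CERTIFICATE="$(echo $CERTIFICATE)" -e DEVICE_KEY_SECRET="$(echo $DEVICE_KEY_SECRET)" -e AMAZON_ROOT_CA="$(echo $AMAZON_ROOT_CA)" -e THING_NAME=fleetprovisioning ${{ steps.build-test-runner.outputs.imageid }} --skip-st --clean-up
   e2e-tests-ubuntu-aarch64:
     runs-on: ubuntu-latest
     if: ${{ false }} # Disabled for now. aarch64 local proxy build takes too long
@@ -408,14 +413,19 @@ jobs:
             public.ecr.aws/${{ env.ECR_TEST_RUNNER_REPO }}:aarch64-ubuntu-${{ needs.versioning.outputs.version }}
             public.ecr.aws/${{ env.ECR_TEST_RUNNER_REPO }}:aarch64-ubuntu-latest
           platforms: linux/arm64
+      - name: Assume Role for Integration Test
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.DC_AWS_ACCOUNT_ID }}:role/integration-test-role
+          aws-region: us-east-1
       - name: Run Tests
         env:
           IOT_ENDPOINT: ${{ secrets.IOT_ENDPOINT }}
           CERTIFICATE: ${{ secrets.CLAIM_CERTIFICATE }}
           DEVICE_KEY_SECRET: ${{ secrets.FP_DEVICE_KEY_SECRET }}
           AMAZON_ROOT_CA: ${{ secrets.AMAZON_ROOT_CA }}
         run: |
-          docker run -e AWS_ACCESS_KEY_ID="$(echo ${{ secrets.INTEG_USER_KEY_ID }})" -e AWS_SECRET_ACCESS_KEY="$(echo ${{ secrets.INTEG_USER_KEY_SECRET }})" -e IOT_ENDPOINT="$(echo $IOT_ENDPOINT)" -e CERTIFICATE="$(echo $CERTIFICATE)" -e DEVICE_KEY_SECRET="$(echo $DEVICE_KEY_SECRET)" -e AMAZON_ROOT_CA="$(echo $AMAZON_ROOT_CA)" -e THING_NAME=fleetprovisioning ${{ steps.build-test-runner.outputs.imageid }} --clean-up
+          docker run -e IOT_ENDPOINT="$(echo $IOT_ENDPOINT)" -e CERTIFICATE="$(echo $CERTIFICATE)" -e DEVICE_KEY_SECRET="$(echo $DEVICE_KEY_SECRET)" -e AMAZON_ROOT_CA="$(echo $AMAZON_ROOT_CA)" -e THING_NAME=fleetprovisioning ${{ steps.build-test-runner.outputs.imageid }} --clean-up
   e2e-tests-ubuntu-armv7:
     runs-on: ubuntu-latest
     if: ${{ false }} # Disabled for now as local proxy builds take too long. Re-enable if binary or image becomes available.
@@ -453,14 +463,19 @@ jobs:
             public.ecr.aws/${{ env.ECR_TEST_RUNNER_REPO }}:armv7-ubuntu-${{ needs.versioning.outputs.version }}
             public.ecr.aws/${{ env.ECR_TEST_RUNNER_REPO }}:armv7-ubuntu-latest
           platforms: linux/arm/v7
+      - name: Assume Role for Integration Test
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.DC_AWS_ACCOUNT_ID }}:role/integration-test-role
+          aws-region: us-east-1
       - name: Run Tests
         env:
           IOT_ENDPOINT: ${{ secrets.IOT_ENDPOINT }}
           CERTIFICATE: ${{ secrets.CLAIM_CERTIFICATE }}
           DEVICE_KEY_SECRET: ${{ secrets.FP_DEVICE_KEY_SECRET }}
           AMAZON_ROOT_CA: ${{ secrets.AMAZON_ROOT_CA }}
         run: |
-          docker run -e AWS_ACCESS_KEY_ID="$(echo ${{ secrets.INTEG_USER_KEY_ID }})" -e AWS_SECRET_ACCESS_KEY="$(echo ${{ secrets.INTEG_USER_KEY_SECRET }})" -e IOT_ENDPOINT="$(echo $IOT_ENDPOINT)" -e CERTIFICATE="$(echo $CERTIFICATE)" -e DEVICE_KEY_SECRET="$(echo $DEVICE_KEY_SECRET)" -e AMAZON_ROOT_CA="$(echo $AMAZON_ROOT_CA)" -e THING_NAME=fleetprovisioning ${{ steps.build-test-runner.outputs.imageid }} --clean-up
+          docker run -e IOT_ENDPOINT="$(echo $IOT_ENDPOINT)" -e CERTIFICATE="$(echo $CERTIFICATE)" -e DEVICE_KEY_SECRET="$(echo $DEVICE_KEY_SECRET)" -e AMAZON_ROOT_CA="$(echo $AMAZON_ROOT_CA)" -e THING_NAME=fleetprovisioning ${{ steps.build-test-runner.outputs.imageid }} --clean-up
   e2e-tests-amazonlinux-x86_64:
     # The amazonlinux integration tests do not run the secure tunneling integration tests. TODO:// Need to configure SSH in ubi8 integration test image
     runs-on: ubuntu-latest
@@ -500,14 +515,19 @@ jobs:
             public.ecr.aws/${{ env.ECR_TEST_RUNNER_REPO }}:x86_64-amazonlinux-${{ needs.versioning.outputs.version }}
             public.ecr.aws/${{ env.ECR_TEST_RUNNER_REPO }}:x86_64-amazonlinux-latest
           platforms: linux/amd64
+      - name: Assume Role for Integration Test
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.DC_AWS_ACCOUNT_ID }}:role/integration-test-role
+          aws-region: us-east-1
       - name: Run Tests
         env:
           IOT_ENDPOINT: ${{ secrets.IOT_ENDPOINT }}
           CERTIFICATE: ${{ secrets.CLAIM_CERTIFICATE }}
           DEVICE_KEY_SECRET: ${{ secrets.FP_DEVICE_KEY_SECRET }}
           AMAZON_ROOT_CA: ${{ secrets.AMAZON_ROOT_CA }}
         run: |
-          docker run -e AWS_ACCESS_KEY_ID="$(echo ${{ secrets.INTEG_USER_KEY_ID }})" -e AWS_SECRET_ACCESS_KEY="$(echo ${{ secrets.INTEG_USER_KEY_SECRET }})" -e IOT_ENDPOINT="$(echo $IOT_ENDPOINT)" -e CERTIFICATE="$(echo $CERTIFICATE)" -e DEVICE_KEY_SECRET="$(echo $DEVICE_KEY_SECRET)" -e AMAZON_ROOT_CA="$(echo $AMAZON_ROOT_CA)" -e THING_NAME=fleetprovisioning ${{ steps.build-test-runner.outputs.imageid }} --skip-st --clean-up
+          docker run -e IOT_ENDPOINT="$(echo $IOT_ENDPOINT)" -e CERTIFICATE="$(echo $CERTIFICATE)" -e DEVICE_KEY_SECRET="$(echo $DEVICE_KEY_SECRET)" -e AMAZON_ROOT_CA="$(echo $AMAZON_ROOT_CA)" -e THING_NAME=fleetprovisioning ${{ steps.build-test-runner.outputs.imageid }} --skip-st --clean-up
   e2e-tests-amazonlinux-aarch64:
     # The amazonlinux integration tests do not run the secure tunneling integration tests. TODO:// Need to configure SSH in ubi8 integration test image
     runs-on: ubuntu-latest
@@ -547,14 +567,19 @@ jobs:
             public.ecr.aws/${{ env.ECR_TEST_RUNNER_REPO }}:aarch64-amazonlinux-${{ needs.versioning.outputs.version }}
             public.ecr.aws/${{ env.ECR_TEST_RUNNER_REPO }}:aarch64-amazonlinux-latest
           platforms: linux/arm64
+      - name: Assume Role for Integration Test
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.DC_AWS_ACCOUNT_ID }}:role/integration-test-role
+          aws-region: us-east-1
       - name: Run Tests
         env:
           IOT_ENDPOINT: ${{ secrets.IOT_ENDPOINT }}
           CERTIFICATE: ${{ secrets.CLAIM_CERTIFICATE }}
           DEVICE_KEY_SECRET: ${{ secrets.FP_DEVICE_KEY_SECRET }}
           AMAZON_ROOT_CA: ${{ secrets.AMAZON_ROOT_CA }}
         run: |
-          docker run -e AWS_ACCESS_KEY_ID="$(echo ${{ secrets.INTEG_USER_KEY_ID }})" -e AWS_SECRET_ACCESS_KEY="$(echo ${{ secrets.INTEG_USER_KEY_SECRET }})" -e IOT_ENDPOINT="$(echo $IOT_ENDPOINT)" -e CERTIFICATE="$(echo $CERTIFICATE)" -e DEVICE_KEY_SECRET="$(echo $DEVICE_KEY_SECRET)" -e AMAZON_ROOT_CA="$(echo $AMAZON_ROOT_CA)" -e THING_NAME=fleetprovisioning ${{ steps.build-test-runner.outputs.imageid }} --skip-st --clean-up
+          docker run -e IOT_ENDPOINT="$(echo $IOT_ENDPOINT)" -e CERTIFICATE="$(echo $CERTIFICATE)" -e DEVICE_KEY_SECRET="$(echo $DEVICE_KEY_SECRET)" -e AMAZON_ROOT_CA="$(echo $AMAZON_ROOT_CA)" -e THING_NAME=fleetprovisioning ${{ steps.build-test-runner.outputs.imageid }} --skip-st --clean-up
   e2e-tests-ubi8-x86_64:
     # The ubi8 integration tests do not run the secure tunneling integration tests. TODO:// Need to configure SSH in ubi8 integration test image
     runs-on: ubuntu-latest
@@ -596,14 +621,19 @@ jobs:
             public.ecr.aws/${{ env.ECR_TEST_RUNNER_REPO }}:x86_64-ubi8-${{ needs.versioning.outputs.version }}
             public.ecr.aws/${{ env.ECR_TEST_RUNNER_REPO }}:x86_64-ubi8-latest
           platforms: linux/amd64
+      - name: Assume Role for Integration Test
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.DC_AWS_ACCOUNT_ID }}:role/integration-test-role
+          aws-region: us-east-1
       - name: Run Tests
         env:
           IOT_ENDPOINT: ${{ secrets.IOT_ENDPOINT }}
           CERTIFICATE: ${{ secrets.CLAIM_CERTIFICATE }}
           DEVICE_KEY_SECRET: ${{ secrets.FP_DEVICE_KEY_SECRET }}
           AMAZON_ROOT_CA: ${{ secrets.AMAZON_ROOT_CA }}
         run: |
-          docker run -e AWS_ACCESS_KEY_ID="$(echo ${{ secrets.INTEG_USER_KEY_ID }})" -e AWS_SECRET_ACCESS_KEY="$(echo ${{ secrets.INTEG_USER_KEY_SECRET }})" -e IOT_ENDPOINT="$(echo $IOT_ENDPOINT)" -e CERTIFICATE="$(echo $CERTIFICATE)" -e DEVICE_KEY_SECRET="$(echo $DEVICE_KEY_SECRET)" -e AMAZON_ROOT_CA="$(echo $AMAZON_ROOT_CA)" -e THING_NAME=fleetprovisioning ${{ steps.build-test-runner.outputs.imageid }} --skip-st --clean-up
+          docker run -e IOT_ENDPOINT="$(echo $IOT_ENDPOINT)" -e CERTIFICATE="$(echo $CERTIFICATE)" -e DEVICE_KEY_SECRET="$(echo $DEVICE_KEY_SECRET)" -e AMAZON_ROOT_CA="$(echo $AMAZON_ROOT_CA)" -e THING_NAME=fleetprovisioning ${{ steps.build-test-runner.outputs.imageid }} --skip-st --clean-up
   e2e-tests-ubi8-aarch64:
     # The ubi8 integration tests do not run the secure tunneling integration tests. TODO:// Need to configure SSH in ubi8 integration test image
     runs-on: ubuntu-latest
@@ -647,11 +677,16 @@ jobs:
             public.ecr.aws/${{ env.ECR_TEST_RUNNER_REPO }}:aarch64-ubi8-${{ needs.versioning.outputs.version }}
             public.ecr.aws/${{ env.ECR_TEST_RUNNER_REPO }}:aarch64-ubi8-latest
           platforms: linux/arm64
+      - name: Assume Role for Integration Test
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.DC_AWS_ACCOUNT_ID }}:role/integration-test-role
+          aws-region: us-east-1
       - name: Run Tests
         env:
           IOT_ENDPOINT: ${{ secrets.IOT_ENDPOINT }}
           CERTIFICATE: ${{ secrets.CLAIM_CERTIFICATE }}
           DEVICE_KEY_SECRET: ${{ secrets.FP_DEVICE_KEY_SECRET }}
           AMAZON_ROOT_CA: ${{ secrets.AMAZON_ROOT_CA }}
         run: |
-          docker run -e AWS_ACCESS_KEY_ID="$(echo ${{ secrets.INTEG_USER_KEY_ID }})" -e AWS_SECRET_ACCESS_KEY="$(echo ${{ secrets.INTEG_USER_KEY_SECRET }})" -e IOT_ENDPOINT="$(echo $IOT_ENDPOINT)" -e CERTIFICATE="$(echo $CERTIFICATE)" -e DEVICE_KEY_SECRET="$(echo $DEVICE_KEY_SECRET)" -e AMAZON_ROOT_CA="$(echo $AMAZON_ROOT_CA)" -e THING_NAME=fleetprovisioning ${{ steps.build-test-runner.outputs.imageid }} --skip-st --clean-up
+          docker run -e IOT_ENDPOINT="$(echo $IOT_ENDPOINT)" -e CERTIFICATE="$(echo $CERTIFICATE)" -e DEVICE_KEY_SECRET="$(echo $DEVICE_KEY_SECRET)" -e AMAZON_ROOT_CA="$(echo $AMAZON_ROOT_CA)" -e THING_NAME=fleetprovisioning ${{ steps.build-test-runner.outputs.imageid }} --skip-st --clean-up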
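Review bot: The rewritten `docker run` line no longer passes any AWS credentials into the container: the old `-e AWS_ACCESS_KEY_ID`/`-e AWS_SECRET_ACCESS_KEY` arguments were dropped, but the temporary credentials that the new `Assume Role for Integration Test` step exports into the runner's environment are not forwarded, so unless the test-runner image obtains credentials some other way it now runs unauthenticated. Forward them with value-less `-e` flags, e.g. `docker run -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e AWS_REGION -e IOT_ENDPOINT="$(echo $IOT_ENDPOINT)" …` (the session token is required because assumed-role credentials are temporary); the same applies to the `docker run` line in each of the other six hunks of this file. The OIDC token exchange also requires `permissions: id-token: write` on the job or workflow, which is outside these hunks — confirm it is granted, and scope it with `contents: read` rather than relying on the default permission set. Finally, `aws-actions/configure-aws-credentials@v2` is a mutable tag; pinning the step that mints the credentials to a full commit SHA (with the tag in a trailing comment) prevents its contents from changing underneath the workflow.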
