Motivation and Context
Traditionally, AWS Tools for PowerShell has been built in Jenkins CI, which does not let developers run builds on PRs. Having no PR checks allowed developers to push untested code into the release branch.
Containerizing PS build
AWS Tools for PowerShell has been challenging to build locally because of pinned dependencies such as .NET Core 2.1, PowerShell 6.1.3 and Pester 4.8.1. There is a separate work item for moving off .NET Core 2.1. A number of fixes have been introduced so that the PowerShell build and tests can run in a container.
Goal 1: Migrating to PowerShell 7
The following tests verify that the credential chain fails closed when no AWS credentials are provided. They were set up by mocking read-only fields/properties of the AWS .NET SDK, which worked under PowerShell 6.1.3 but is not supported in newer versions of .NET Core and PowerShell.
```powershell
It "should fail with no credentials set" {
    # unfortunately, this takes 15 seconds...
    { Get-EC2Instance } | Should Throw "No credentials specified or obtained from persisted/shell defaults."
}

It "should fail with no credentials set" {
    # unfortunately, this takes 15 seconds...
    { Get-S3Bucket } | Should Throw "No credentials specified or obtained from persisted/shell defaults."
}
```
Goal 2: Supporting temporary credentials for testing
Fixing/removing tests that don't work with temporary AWS credentials
AWS Tools for PowerShell tests were designed to run against permanent AWS credentials. Depending on long-lived IAM user keys is bad practice: they have to be rotated and stored, and a leaked key stays valid until someone revokes it. STS temporary credentials expire on their own.
TestHelper.ps1 is updated to accept temporary AWS credentials (access key, secret key and session token).
Why are the following tests skipped?
```powershell
It "Can list jobs and get job status" {
    # Get-IEJob can't be used here because it requires permanent credentials
    if ($helper.Token -ne $null) {
        return
    }
    # rest of the test body runs only with permanent credentials
}

It "Can get temporary credentials" {
    # Get-STSSecurityToken can't be used here because it requires permanent credentials
    if ($helper.Token -ne $null) {
        return
    }
    # rest of the test body runs only with permanent credentials
}
```
The tests above exercise operations that only work with permanent credentials (STS refuses GetSessionToken when the caller is already using a session token), so they bail out early when the helper reports a session token.
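As an added example (not code from this PR or from the AWS Tools for PowerShell repository), the following shows one way to build a TestHelper-style object that reads the `test-runner` profile and exposes whether the credentials are temporary, and Pester 4 tests that use `-Skip:` instead of an early `return`. The difference matters in CI: a test that returns early is reported as passed, while a skipped test shows up as skipped in the run summary. The helper function name, the `Describe` block and the 900-second duration are choices made here; AWS.Tools.Common, AWS.Tools.S3, AWS.Tools.SecurityToken and Pester 4.8 are assumed to be installed.

```powershell
# Added example: a TestHelper-like object plus Pester 4 tests that skip (rather than
# silently pass) operations which STS rejects for temporary credentials.
# Assumes AWS.Tools.Common, AWS.Tools.S3, AWS.Tools.SecurityToken and Pester 4.8.

Import-Module AWS.Tools.Common
Import-Module AWS.Tools.S3
Import-Module AWS.Tools.SecurityToken

function New-TestHelper {
    param([string]$ProfileName = 'test-runner')  # profile name is the one used in this PR

    # Resolve the profile to immutable credentials; Token is empty for IAM user keys
    # and populated for STS temporary credentials.
    $cred = (Get-AWSCredential -ProfileName $ProfileName).GetCredentials()
    [pscustomobject]@{
        ProfileName = $ProfileName
        AccessKey   = $cred.AccessKey
        SecretKey   = $cred.SecretKey
        Token       = if ($cred.UseToken) { $cred.Token } else { $null }
    }
}

$helper = New-TestHelper
Set-AWSCredential -ProfileName $helper.ProfileName

Describe 'Credential handling' {
    It 'can list buckets with either permanent or temporary credentials' {
        { Get-S3Bucket } | Should -Not -Throw
    }

    # GetSessionToken is rejected by STS when the caller already holds a session token,
    # so skip the test instead of returning early: a skip is visible in the report.
    It 'can get temporary credentials' -Skip:($null -ne $helper.Token) {
        $resp = Get-STSSecurityToken -DurationInSeconds 900
        $resp.SessionToken | Should -Not -BeNullOrEmpty
    }
}
```

Run it with `Invoke-Pester` after the `test-runner` profile exists; with temporary credentials the second test is listed as skipped, with permanent credentials it executes.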
Goal 3: Migrating to Pester 5.0
This has been put hold for now, it requires major re-structuring of tests which isn't feasible at the moment.
Setting AWS CodeBuild CI for PR validation
AWS CodeBuild CI (ci.codebuild.yml) allows developers to build and test their PRs on GitHub using AWS CodeBuild. It has three parts:
1. AWS CodeBuild CI GitHub action
On every pull request targeting the master and dev branches, and on every merge to master and dev, it runs the CodeBuild project. The role ARN is stored in a repository secret, and the workflow obtains AWS credentials through GitHub's OpenID Connect (OIDC) integration, so no long-lived AWS keys are stored in GitHub. The OIDC role's trust policy should restrict the token's subject to this repository so that a workflow in another repository cannot assume it.
2. Dockerfile and CodeBuild project
CodeBuild project uses custom buildtools/Dockerfile container which has all the required tools installed to build and test the PRs.
Pester tests run under the test-runner AWS profile. The CodeBuild job therefore assumes the TEST_RUNNER_ROLE_ARN role, stores the resulting temporary credentials as the test-runner profile, and then executes the tests.
Two things must line up for this to work: the CodeBuild service role needs sts:AssumeRole permission on TEST_RUNNER_ROLE_ARN, and the trust policy of that role must allow the CodeBuild service role as a principal.
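The steps described above, as an added example that is not the project's own buildspec: assume TEST_RUNNER_ROLE_ARN from inside the CodeBuild container, persist the temporary credentials as the `test-runner` profile, verify the identity before running anything, and then invoke Pester. It assumes the role ARN is passed in as the TEST_RUNNER_ROLE_ARN environment variable; the session name, the one-hour duration and the `./tests` path are choices made here, not taken from the PR.

```powershell
# Added example: pre-test step for the CodeBuild job (not the project's buildspec).
# The CodeBuild service role's credentials come from the container metadata endpoint
# automatically; from there we assume the test-runner role.
# Assumes AWS.Tools.Common, AWS.Tools.SecurityToken and Pester are installed in the image.

Import-Module AWS.Tools.Common
Import-Module AWS.Tools.SecurityToken

$roleArn = $env:TEST_RUNNER_ROLE_ARN   # assumed to be injected by the CodeBuild project
if ([string]::IsNullOrWhiteSpace($roleArn)) {
    throw 'TEST_RUNNER_ROLE_ARN is not set; refusing to run the tests with the build role itself.'
}

# The session name is recorded in CloudTrail, so tie it to the build for auditability.
# CODEBUILD_BUILD_NUMBER is set by CodeBuild; the prefix is our choice.
$sessionName = "ps-ci-$($env:CODEBUILD_BUILD_NUMBER)"
$assumed = Use-STSRole -RoleArn $roleArn -RoleSessionName $sessionName -DurationInSeconds 3600

# Store the temporary credentials (including the session token) as the named profile
# that TestHelper.ps1 and the Pester tests expect.
Set-AWSCredential -AccessKey $assumed.Credentials.AccessKeyId `
                  -SecretKey $assumed.Credentials.SecretAccessKey `
                  -SessionToken $assumed.Credentials.SessionToken `
                  -StoreAs 'test-runner'

# Fail fast if the profile does not resolve to the assumed role: otherwise the tests
# would silently run with whatever the build role can do.
$who = Get-STSCallerIdentity -ProfileName 'test-runner'
if ($who.Arn -notlike "*:assumed-role/*/$sessionName") {
    throw "Expected to run as the assumed test-runner role, got $($who.Arn)"
}
Write-Host "Running tests as $($who.Arn)"

# -EnableExit makes Pester set a non-zero exit code on failures so CodeBuild marks the build failed.
Invoke-Pester -Path ./tests -EnableExit
```

The identity check is the part worth keeping even if the rest is rearranged: it turns a misconfigured trust policy or missing environment variable into an immediate build failure instead of a test run with the wrong permissions.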
3. Template for infra generation
ci.template.yml creates the supporting infrastructure in AWS: the IAM role that GitHub assumes through OIDC and the CodeBuild project itself.
Screenshots (if appropriate)
Types of changes
[ ] Bug fix (non-breaking change which fixes an issue)
[ ] New feature (non-breaking change which adds functionality)
[ ] Breaking change (fix or feature that would cause existing functionality to change)
[x] CI
Checklist
[x] My code follows the code style of this project
[ ] My change requires a change to the documentation
[ ] I have updated the documentation accordingly
[x] I have read the README document
[x] I have added tests to cover my changes
[x] All new and existing tests passed
License
[x] I confirm that this pull request can be released under the Apache 2 license