Jenkinsfile,tests/smoke: assume minimum role #974
tests/smoke/aws/smoke.sh
| create() { | ||
| common "$1" | ||
| make plan | filter | ||
| assume_role |
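Review bot: in create(), assume_role is called after make plan | filter, so if the plan call stays it runs before the role is assumed, with whatever credentials the caller already had, and a permission missing from the minimum role would not show up there. Call assume_role directly after common "$1" so that everything touching AWS runs under the restricted role.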
We don't need to plan here. If you want to plan and create, then execute two calls: smoke.sh plan... followed by smoke.sh create...
| usage | ||
| exit 1 | ||
| fi | ||
| main () { |
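Review bot: the exit 1 after usage sits at the top level of the script, ahead of main, so if the script is ever sourced a bad argument terminates the calling shell. Moving the argument check into main and using return 1 keeps the failure inside the function. Minor style point: main () { has a space before the parentheses while create() { and common() { do not.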
Make this a function so we can make the variables local. This is useful so that sourcing the script does not set a bunch of variables like COMMAND on the calling shell.
| } | ||
|
|
||
| common() { | ||
| DIR="$( cd "$( dirname "$0" )" && pwd )" |
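Review bot: DIR in common() is derived from $0, which is the script path only when the file is executed; when it is sourced, $0 is the caller's shell or script and DIR points somewhere else. Since the script already relies on bash, ${BASH_SOURCE[0]} is the safer base. If the cd fails, DIR is silently empty, so a check that DIR is non-empty before it is used in paths is worth adding.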
These are common dependencies so it makes sense for them to go in common.
4ddaff5 to 7c35461
38f9172 to a9d1ea3
Jenkinsfile
| stage("Assume Role") { | ||
| steps { | ||
| withCredentials(creds) { | ||
| sh 'set +x -e && eval "$(${WORKSPACE}/tests/smoke/aws/smoke.sh assume-role "$TECTONIC_INSTALLER_ROLE")"' |
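Review bot: in the sh step, eval "$(... smoke.sh assume-role ...)" discards the exit status of smoke.sh: when the call fails and prints nothing, eval receives an empty string and returns 0, so set -e never fires and the stage passes without the role having been assumed. Assigning the output to a variable first and then eval'ing that variable lets -e stop the stage on failure. ${WORKSPACE} is also unquoted inside the command substitution, which breaks on a workspace path containing spaces.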
set +x so that the eval'd credentials are not printed out to stdout
Jenkinsfile
| stage("Assume Role") { | ||
| steps { | ||
| withCredentials(creds) { | ||
| sh 'set +x -e && eval "$(${WORKSPACE}/tests/smoke/aws/smoke.sh assume-role "$TECTONIC_INSTALLER_ROLE")"' |
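Review bot: the variables set by eval in this sh step exist only in the shell process that the step starts, so nothing after the Assume Role stage sees them; a later sh step gets a fresh shell. The credentials have to be loaded in the same sh invocation that runs the make target, or handed to later steps explicitly, for this stage to have any effect.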
We use eval rather than source as the method for passing variables because if we source the script, we try to execute bash-specific commands like set -o pipefail in sh, which causes an error.
Is there a simple way to do that? Stages are not meant to run individual steps like assuming a role.

@Quentin-M the other option is to run "assume-role" in every parallel stage before the make apply/plan/destroy. Do you prefer that style? The Jenkins step must call +x to avoid printing the eval'd statements and the smoke.sh must call set +x to avoid printing the echo'd statements. We need both because smoke.sh does set -x at the very top when it is executed.

The reason we can't do that is that stages/steps are not all going to run on the same machines (see bare-metal vs. AWS) - thus the environment won't be everywhere.
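
The eval and set +x behaviour discussed in the comments above, as an added example that is not part of this PR or of smoke.sh. emit_exports is a hypothetical stand-in for "smoke.sh assume-role", and every credential value is a constructed fake.

```shell
#!/bin/sh
# Added example, not code from the PR. All values below are constructed.
FAKE_SECRET="constructed-secret-0000"   # stand-in for a real secret key

# Hypothetical stand-in for "smoke.sh assume-role": prints export statements
# for the caller to eval. Pass "fail" to simulate a failed call.
emit_exports() {
  if [ "$1" = "fail" ]; then
    echo "assume-role failed" >&2
    return 1
  fi
  printf 'export AWS_ACCESS_KEY_ID=%s\n' "constructed-key-id"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$FAKE_SECRET"
}

# eval while tracing is on; returns the xtrace output so it can be inspected.
trace_with_xtrace_on() {
  ( set -x; eval "$(emit_exports)" ) 2>&1
}

# eval "$(cmd)" hides a failed cmd: eval of an empty string returns 0.
eval_swallows_failure() {
  ( eval "$(emit_exports fail 2>/dev/null)" )
}

# Tracing switched off before the call, and the output captured first so
# that a failed call stops the load instead of eval'ing nothing.
load_quietly() {
  (
    set -x                      # simulate a script that traces by default
    { set +x; } 2>/dev/null     # stop tracing without tracing "set +x"
    out="$(emit_exports "$1")" || exit 1
    eval "$out"
    [ -n "$AWS_SECRET_ACCESS_KEY" ]
  ) 2>&1
}

# Show both behaviours when the file is run directly.
if trace_with_xtrace_on | grep -q "$FAKE_SECRET"; then
  echo "traced eval: secret appears in the log"
fi
if ! load_quietly | grep -q "$FAKE_SECRET"; then
  echo "quiet load: secret does not appear in the log"
fi
```
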
We want to ensure that our smoke tests run with limited privileges so we can catch when a change adds a dependency on a new privilege.
@ggreer @Quentin-M