From 75e924a1e81444ed5f7db78ac7fa5214127d6c52 Mon Sep 17 00:00:00 2001
From: Trent Clarke
Date: Mon, 5 Jun 2023 17:38:21 +1000
Subject: [PATCH] Integrate AMI buids into drone
---
 .drone.yml | 126 +++++++++++++++++++++++++++++++++++++++++++-
 dronegen/promote.go | 22 +++++++-
 dronegen/tag.go | 21 ++++++++
 3 files changed, 166 insertions(+), 3 deletions(-)
diff --git a/.drone.yml b/.drone.yml
index 0dda1d453ce88..dfcb66ff20705 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -7051,6 +7051,66 @@ image_pull_secrets: # Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) ################################################ +kind: pipeline +type: kubernetes +name: promote-teleport-hardened-amis +trigger: + event: + include: + - promote + target: + include: + - production + - promote-hardened-amis + repo: + include: + - gravitational/* +workspace: + path: /go +clone: + disable: true +steps: +- name: Check out code + image: docker:git + pull: if-not-exists + commands: + - mkdir -pv "/go/src/github.com/gravitational/teleport" + - cd "/go/src/github.com/gravitational/teleport" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_COMMIT_SHA}" + - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && + chmod 600 /root/.ssh/id_rsa + - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts + - git submodule update --init e + - mkdir -pv /go/cache + - rm -f /root/.ssh/id_rsa + environment: + GITHUB_PRIVATE_KEY: + from_secret: GITHUB_PRIVATE_KEY +- name: Delegate build to GitHub + image: golang:1.18-alpine + pull: if-not-exists + commands: + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -timeout 2h30m0s -workflow promote-teleport-hardened-amis.yaml -workflow-ref=${DRONE_TAG} + -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} -input + "release-source-tag=${DRONE_TAG}" ' + environment: + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY +image_pull_secrets: +- DOCKERHUB_CREDENTIALS + +--- +################################################ +# Generated using dronegen, do not edit by hand! +# Use 'make dronegen' to update. 
+# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) +################################################ + kind: pipeline type: kubernetes name: promote-teleport-kube-agent-updater-oci-images @@ -8420,6 +8480,7 @@ clone: depends_on: - clean-up-previous-build - build-linux-amd64-deb +- build-linux-amd64-fips-deb - build-linux-arm64-deb steps: - name: Check out code 
@@ -8462,6 +8523,68 @@ image_pull_secrets: # Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) ################################################ +kind: pipeline +type: kubernetes +name: build-teleport-hardened-amis +trigger: + event: + include: + - tag + ref: + include: + - refs/tags/v* + repo: + include: + - gravitational/* +workspace: + path: /go +clone: + disable: true +depends_on: +- clean-up-previous-build +- build-linux-amd64-deb +- build-linux-amd64-fips-deb +steps: +- name: Check out code + image: docker:git + pull: if-not-exists + commands: + - mkdir -pv "/go/src/github.com/gravitational/teleport" + - cd "/go/src/github.com/gravitational/teleport" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_COMMIT_SHA}" + - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && + chmod 600 /root/.ssh/id_rsa + - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts + - git submodule update --init e + - mkdir -pv /go/cache + - rm -f /root/.ssh/id_rsa + environment: + GITHUB_PRIVATE_KEY: + from_secret: GITHUB_PRIVATE_KEY +- name: Delegate build to GitHub + image: golang:1.18-alpine + pull: if-not-exists + commands: + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -timeout 2h30m0s -workflow release-teleport-hardened-amis.yaml -workflow-ref=${DRONE_TAG} + -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} ' + environment: + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY +image_pull_secrets: +- DOCKERHUB_CREDENTIALS + +--- +################################################ +# Generated using dronegen, do not edit by hand! +# Use 'make dronegen' to update. 
+# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) +################################################ + kind: pipeline type: kubernetes name: build-teleport-kube-agent-updater-oci-images @@ -16996,6 +17119,7 @@ depends_on: - teleport-container-images-branch-promote - publish-os-package-repos - promote-teleport-oci-distroless-images +- promote-teleport-hardened-amis - promote-teleport-kube-agent-updater-oci-images steps: - name: Check if commit is tagged @@ -17106,6 +17230,6 @@ image_pull_secrets: - DOCKERHUB_CREDENTIALS --- kind: signature -hmac: c12537f0b20719e1d7b3247410ec676e00d60db9c892bdaf02b08f13b0c224d0 +hmac: a07eb27d94c8fe53e608a6876668464b470cbd061c5ea7cb18e83a7e3a673cbd ... diff --git a/dronegen/promote.go b/dronegen/promote.go index 8540a04581d76..f528a94035ab3 100644 --- a/dronegen/promote.go +++ b/dronegen/promote.go @@ -37,9 +37,28 @@ func promoteBuildPipelines() []pipeline { }, }) ociPipeline.Trigger.Target.Include = append(ociPipeline.Trigger.Target.Include, "promote-distroless") - promotePipelines = append(promotePipelines, ociPipeline) + amiPipeline := ghaBuildPipeline(ghaBuildType{ + buildType: buildType{os: "linux", fips: false}, + trigger: triggerPromote, + pipelineName: "promote-teleport-hardened-amis", + workflows: []ghaWorkflow{ + { + name: "promote-teleport-hardened-amis.yaml", + timeout: 150 * time.Minute, + ref: "${DRONE_TAG}", + srcRefVar: "DRONE_TAG", + shouldTagWorkflow: true, + inputs: map[string]string{ + "release-source-tag": "${DRONE_TAG}", + }, + }, + }, + }) + amiPipeline.Trigger.Target.Include = append(amiPipeline.Trigger.Target.Include, "promote-hardened-amis") + promotePipelines = append(promotePipelines, amiPipeline) + updaterPipeline := ghaBuildPipeline(ghaBuildType{ buildType: buildType{os: "linux", fips: false}, trigger: triggerPromote, 
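Review bot: The new amiPipeline sends `release-source-tag` as a separate workflow input carrying the same `${DRONE_TAG}` value that is already passed as `oss-teleport-ref` (visible in the generated step as `-input oss-teleport-ref=${DRONE_TAG} -input "release-source-tag=${DRONE_TAG}"`), and nothing in the hunk says why the promote workflow needs the value twice or what it does with it. A one-line comment on the `inputs` map naming what the downstream workflow uses `release-source-tag` for would let a reader check that the promoted artifacts always come from the tag the pipeline was triggered on, which is the property a promote step has to guarantee. The `150 * time.Minute` timeout is repeated verbatim in the build-teleport-hardened-amis pipeline added to dronegen/tag.go in this same commit; a single named constant used by both would keep them in step. promoteBuildPipelines starts before this hunk and continues past it.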
@@ -57,7 +76,6 @@ func promoteBuildPipelines() []pipeline { }, }) updaterPipeline.Trigger.Target.Include = append(updaterPipeline.Trigger.Target.Include, "promote-updater") - promotePipelines = append(promotePipelines, updaterPipeline) return promotePipelines diff --git a/dronegen/tag.go b/dronegen/tag.go index bed5568e00b33..fe440ca305b62 100644 --- a/dronegen/tag.go +++ b/dronegen/tag.go @@ -213,6 +213,7 @@ func tagPipelines() []pipeline { dependsOn: []string{ tagCleanupPipelineName, "build-linux-amd64-deb", + "build-linux-amd64-fips-deb", "build-linux-arm64-deb", }, workflows: []ghaWorkflow{ @@ -226,6 +227,26 @@ func tagPipelines() []pipeline { }, })) + ps = append(ps, ghaBuildPipeline(ghaBuildType{ + buildType: buildType{os: "linux", fips: false}, + trigger: triggerTag, + pipelineName: "build-teleport-hardened-amis", + dependsOn: []string{ + tagCleanupPipelineName, + "build-linux-amd64-deb", + "build-linux-amd64-fips-deb", + }, + workflows: []ghaWorkflow{ + { + name: "release-teleport-hardened-amis.yaml", + srcRefVar: "DRONE_TAG", + ref: "${DRONE_TAG}", + timeout: 150 * time.Minute, + shouldTagWorkflow: true, + }, + }, + })) + ps = append(ps, ghaBuildPipeline(ghaBuildType{ buildType: buildType{os: "linux", fips: false}, trigger: triggerTag,
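Review bot: `"build-linux-amd64-fips-deb"` is added to the dependsOn list of an existing tag pipeline whose name is above the hunk, in addition to the new AMI pipeline that also waits on it; if that pipeline's workflow does not consume the FIPS package, the extra edge only serialises it behind the FIPS build without changing what it produces. A comment on the new entry such as `// the FIPS deb is consumed by this workflow because …` (or dropping the entry if it is not) would make the intent explicit. tagPipelines starts before this hunk and continues past it.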
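Review bot: The new build-teleport-hardened-amis pipeline declares `buildType{os: "linux", fips: false}` yet depends on `build-linux-amd64-fips-deb`, and unlike the sibling pipeline earlier in the function it does not wait on `build-linux-arm64-deb`; both are plausible if the AMI workflow produces x86_64 images in regular and FIPS flavours only, but that is not stated anywhere in the hunk. A comment on the dependsOn block recording the reasoning, along the lines of `// AMIs are amd64-only; both the regular and FIPS debs feed the image build` if that is in fact the case, would stop a later reader from "fixing" either the missing arm64 dependency or the fips flag. tagPipelines starts before this hunk, and the hunk's final context lines belong to the next pipeline.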