Enable ECS-Optimized AMIs enhanced release process (aws#197)

* Add action to push to codecommit mirror ripository * release.auto.pkvars.hcl refactor: creating 1 file per AMI variant * Add script to check for security update of given ami (aws#165) * Change generate-release-vars.sh to update specific release files (aws#169) * Modify generate-release-vars.sh to include ecs init, docker, and containerd versions similar to previously existing release vars (aws#173) * Add generateConfig action, updates to check-update-security and generate-release-vars.sh (aws#174) * Modify generate-release-vars.sh to include ecs init, docker, and containerd versions similar to previously existing release vars * Add generateConfig action, small updates to check-update-security * Add security update install script in build recipe for al1 and al2 (aws#178) * Remove unnecessary security update checks for al2023 (aws#186) * Combine GenerateConfig and PushToCodeCommit actions under one action and add conditional kickoff (aws#187) * Refactor generate release notes script for enhanced release process --------- Co-authored-by: hozkaya2000 <[email protected]> Co-authored-by: Anuj Singh <[email protected]> Co-authored-by: hozkaya2000 <[email protected]>
rwarren25 · Jul 9, 2024 · e1fd5bf · e1fd5bf
1 parent fef9957
commit e1fd5bf
Show file tree

Hide file tree

Showing 12 changed files with 777 additions and 277 deletions.
diff --git a/.github/workflows/initiaterelease.yml b/.github/workflows/initiaterelease.yml
@@ -0,0 +1,76 @@
+name: InitiateRelease
+
+on: workflow_dispatch
+
+jobs:
+  GenerateConfig:
+    runs-on: ubuntu-latest
+    outputs:
+      commit_exit_code: ${{ steps.final.outputs.commit_exit_code }}
+    permissions:
+      id-token: write
+      contents: write
+    env: 
+      IAM_INSTANCE_PROFILE_ARN: ${{secrets.IAM_INSTANCE_PROFILE_ARN}} 
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+    - name: Install xmllint
+      run: sudo apt-get update && sudo apt-get install libxml2-utils
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with: 
+        role-to-assume: ${{secrets.AMI_GENERATE_CONFIG_ROLE}}
+        aws-region: us-west-2
+    - name: Configure prereqs
+      run: |
+        git config --global user.name "GenerateConfig Action"
+        git config --global user.email "[email protected]"
+    - name: Check AL1 Update
+      run: ./scripts/check-update.sh al1
+    - name: Check AL2 Update
+      run: ./scripts/check-update.sh al2
+    - name: Check AL2023 Update
+      run: ./scripts/check-update.sh al2023
+    - name: Commit and Push Changes
+      id: final
+      run: |
+        set +e
+        git commit -m "Release Kickoff"
+        echo "commit_exit_code=$?" >> "$GITHUB_OUTPUT"
+        git status
+        git push
+        set -e
+  PushToCodeCommit:
+    needs: GenerateConfig
+    if: ${{ needs.GenerateConfig.outputs.commit_exit_code==0 }}
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with: 
+        role-to-assume: ${{secrets.AMI_MIRROR_ROLE}}
+        aws-region: us-west-2
+    - name: Delete shinkansen branch on codecommit repository
+      run: |
+        aws codecommit delete-branch --repository-name amazon-ecs-ami-mirror --branch-name shinkansen
+    - name: Configure prereqs
+      run: |
+        git config --global user.name "Github Action"
+        git config --global user.email "[email protected]"
+        pip install git-remote-codecommit
+    - name: Mirror to shinkansen branch on codecommit repository
+      run: | 
+        git clone --single-branch --branch feature/shinkansen https://github.com/aws/amazon-ecs-ami ecsAmiGithub
+        git clone codecommit::us-west-2://amazon-ecs-ami-mirror ecsAmiCodeCommit
+        cp ecsAmiCodeCommit/Config ecsAmiGithub/
+        cd ecsAmiGithub
+        git add Config
+        git commit -m "Add config"
+        git remote add codecommit codecommit::us-west-2://amazon-ecs-ami-mirror
+        git push codecommit feature/shinkansen:shinkansen
diff --git a/Makefile b/Makefile
@@ -21,8 +21,16 @@ packer:
 	unzip ./packer.zip
 	rm ./packer.zip
 
-release.auto.pkrvars.hcl:
-	echo "Missing configuration file: release.auto.pkrvars.hcl."
+release-al1.auto.pkrvars.hcl:
+	echo "Missing configuration file: release-al1.auto.pkrvars.hcl."
+	exit 1
+
+release-al2.auto.pkrvars.hcl:
+	echo "Missing configuration file: release-al2.auto.pkrvars.hcl."
+	exit 1
+
+release-al2023.auto.pkrvars.hcl:
+	echo "Missing configuration file: release-al2023.auto.pkrvars.hcl."
 	exit 1
 
 .PHONY: check-region
@@ -42,47 +50,47 @@ validate: check-region init
 	./packer validate -var "region=${REGION}" .
 
 .PHONY: al1
-al1: check-region init validate release.auto.pkrvars.hcl
+al1: check-region init validate release-al1.auto.pkrvars.hcl
 	./packer build -only="amazon-ebs.al1" -var "region=${REGION}" .
 
 .PHONY: al2
-al2: check-region init validate release.auto.pkrvars.hcl
+al2: check-region init validate release-al2.auto.pkrvars.hcl
 	./packer build -only="amazon-ebs.al2" -var "region=${REGION}" .
 
 .PHONY: al2arm
-al2arm: check-region init validate release.auto.pkrvars.hcl
+al2arm: check-region init validate release-al2.auto.pkrvars.hcl
 	./packer build -only="amazon-ebs.al2arm" -var "region=${REGION}" .
 
 .PHONY: al2gpu
-al2gpu: check-region init validate release.auto.pkrvars.hcl
+al2gpu: check-region init validate release-al2.auto.pkrvars.hcl
 	./packer build -only="amazon-ebs.al2gpu" -var "region=${REGION}" .
 
 .PHONY: al2keplergpu
-al2keplergpu: check-region init validate release.auto.pkrvars.hcl
+al2keplergpu: check-region init validate release-al2.auto.pkrvars.hcl
 	./packer build -only="amazon-ebs.al2keplergpu" -var "region=${REGION}" .
 
 .PHONY: al2inf
-al2inf: check-region init validate release.auto.pkrvars.hcl
+al2inf: check-region init validate release-al2.auto.pkrvars.hcl
 	./packer build -only="amazon-ebs.al2inf" -var "region=${REGION}" .
 
 .PHONY: al2kernel5dot10
-al2kernel5dot10: check-region init validate release.auto.pkrvars.hcl
+al2kernel5dot10: check-region init validate release-al2.auto.pkrvars.hcl
 	./packer build -only="amazon-ebs.al2kernel5dot10" -var "region=${REGION}" .
 
 .PHONY: al2kernel5dot10arm
-al2kernel5dot10arm: check-region init validate release.auto.pkrvars.hcl
+al2kernel5dot10arm: check-region init validate release-al2.auto.pkrvars.hcl
 	./packer build -only="amazon-ebs.al2kernel5dot10arm" -var "region=${REGION}" .
 
 .PHONY: al2023
-al2023: check-region init validate release.auto.pkrvars.hcl
+al2023: check-region init validate release-al2023.auto.pkrvars.hcl
 	./packer build -only="amazon-ebs.al2023" -var "region=${REGION}" .
 
 .PHONY: al2023arm
-al2023arm: check-region init validate release.auto.pkrvars.hcl
+al2023arm: check-region init validate release-al2023.auto.pkrvars.hcl
 	./packer build -only="amazon-ebs.al2023arm" -var "region=${REGION}" .
 
 .PHONY: al2023neu
-al2023neu: check-region init validate release.auto.pkrvars.hcl
+al2023neu: check-region init validate release-al2023.auto.pkrvars.hcl
 	./packer build -only="amazon-ebs.al2023neu" -var "region=${REGION}" .
 
 shellcheck:

diff --git a/al1.pkr.hcl b/al1.pkr.hcl
@@ -137,6 +137,13 @@ build {
     ]
   }
 
+  provisioner "shell" {
+    inline_shebang = "/bin/sh -ex"
+    inline = [
+      "sudo yum update -y --security --sec-severity=critical --exclude=nvidia*,docker*,cuda*,containerd*"
+    ]
+  }
+
   provisioner "shell" {
     script = "scripts/cleanup.sh"
   }