Fix regional test failures by using separate keys (#1949)

Author: jefchien

.github/workflows/clean-aws-resources.yml

@@ -21,7 +21,7 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: ${{ secrets.TERRAFORM_AWS_ASSUME_ROLE }}
+          role-to-assume: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE }}
           aws-region: us-west-2
 
       - name: Clean old ami
@@ -40,7 +40,7 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: ${{ secrets.TERRAFORM_AWS_ASSUME_ROLE }}
+          role-to-assume: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE }}
           aws-region: us-west-2
 
       - name: Clean old file system
@@ -59,7 +59,7 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: ${{ secrets.TERRAFORM_AWS_ASSUME_ROLE }}
+          role-to-assume: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE }}
           aws-region: us-west-2
 
       - name: Clean old dedicated host
@@ -171,7 +171,7 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: ${{ secrets.TERRAFORM_AWS_ASSUME_ROLE }}
+          role-to-assume: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE }}
           aws-region: us-west-2
 
       - name: Clean old ecs resources
@@ -190,7 +190,7 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: ${{ secrets.TERRAFORM_AWS_ASSUME_ROLE }}
+          role-to-assume: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE }}
           aws-region: us-west-2
 
       - name: Clean old eks cluster
@@ -208,7 +208,7 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: ${{ secrets.TERRAFORM_AWS_ASSUME_ROLE }}
+          role-to-assume: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE }}
           aws-region: us-west-2
 
       - name: Clean old unused ebs volumes
@@ -227,7 +227,7 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: ${{ secrets.TERRAFORM_AWS_ASSUME_ROLE }}
+          role-to-assume: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE }}
           aws-region: us-west-2
 
       - name: Clean old asg
@@ -246,7 +246,7 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: ${{ secrets.TERRAFORM_AWS_ASSUME_ROLE }}
+          role-to-assume: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE }}
           aws-region: us-west-2
 
       - name: Clean old launch configuration
@@ -264,7 +264,7 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: ${{ secrets.TERRAFORM_AWS_ASSUME_ROLE }}
+          role-to-assume: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE }}
           aws-region: us-west-2
 
       - name: Clean old IAM roles
@@ -282,7 +282,7 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: ${{ secrets.TERRAFORM_AWS_ASSUME_ROLE }}
+          role-to-assume: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE }}
           aws-region: us-west-2
 
       - name: Clean old Log Groups
@@ -300,7 +300,7 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: ${{ secrets.TERRAFORM_AWS_ASSUME_ROLE }}
+          role-to-assume: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE }}
           aws-region: us-west-2
 
       - name: Clean Old Security Groups

.github/workflows/deploy-canary.yml

@@ -3,8 +3,8 @@
 
 name: Deploy Canary
 env:
-  TERRAFORM_AWS_ASSUME_ROLE: ${{ secrets.TERRAFORM_AWS_ASSUME_ROLE }}
-  S3_INTEGRATION_BUCKET: ${{ secrets.S3_INTEGRATION_BUCKET }}
+  TERRAFORM_AWS_ASSUME_ROLE: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE }}
+  S3_INTEGRATION_BUCKET: ${{ vars.S3_INTEGRATION_BUCKET }}
   KEY_NAME: ${{ secrets.KEY_NAME }}
   PRIVATE_KEY: ${{ secrets.AWS_PRIVATE_KEY }}
   CWA_GITHUB_TEST_REPO_NAME: "aws/amazon-cloudwatch-agent-test"
@@ -31,8 +31,8 @@ jobs:
     steps:
       - uses: actions/checkout@v3
         with:
-          repository: ${{env.CWA_GITHUB_TEST_REPO_NAME}}
-          ref: ${{env.CWA_GITHUB_TEST_REPO_BRANCH}}
+          repository: ${{ env.CWA_GITHUB_TEST_REPO_NAME }}
+          ref: ${{ env.CWA_GITHUB_TEST_REPO_BRANCH }}
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
@@ -47,14 +47,14 @@ jobs:
 
       - name: Terminate Last Canary
         run: |
-          if aws s3api wait object-exists --bucket ${S3_INTEGRATION_BUCKET} --key canary/al2/terraform.tfstate ;
+          if aws s3api wait object-exists --bucket ${{ env.S3_INTEGRATION_BUCKET }} --key canary/al2/terraform.tfstate ;
           then
             cd terraform/ec2/linux
-            aws s3 cp s3://${S3_INTEGRATION_BUCKET}/canary/al2/terraform.tfstate .
+            aws s3 cp s3://${{ env.S3_INTEGRATION_BUCKET }}/canary/al2/terraform.tfstate .
             terraform --version
             terraform init
             terraform destroy -auto-approve
-            aws s3api delete-object --bucket ${S3_INTEGRATION_BUCKET} --key canary/al2/terraform.tfstate
+            aws s3api delete-object --bucket ${{ env.S3_INTEGRATION_BUCKET }} --key canary/al2/terraform.tfstate
           fi
 
       - name: Verify Terraform version
@@ -71,18 +71,18 @@ jobs:
             cd terraform/ec2/linux
             terraform init
             if terraform apply --auto-approve \
-              -var="github_test_repo=${{env.CWA_GITHUB_TEST_REPO_URL}}" \
-              -var="github_test_repo_branch=${{env.CWA_GITHUB_TEST_REPO_BRANCH}}" \
+              -var="github_test_repo=${{ env.CWA_GITHUB_TEST_REPO_URL }}" \
+              -var="github_test_repo_branch=${{ env.CWA_GITHUB_TEST_REPO_BRANCH }}" \
               -var="user=ec2-user" \
               -var="ami=cloudwatch-agent-integration-test-al2*" \
               -var="arc=amd64" \
               -var="binary_name=amazon-cloudwatch-agent.rpm" \
-              -var="s3_bucket=${S3_INTEGRATION_BUCKET}" \
-              -var="ssh_key_name=${KEY_NAME}" \
-              -var="ssh_key_value=${PRIVATE_KEY}" \
+              -var="s3_bucket=${{ env.S3_INTEGRATION_BUCKET }}" \
+              -var="ssh_key_name=${{ env.KEY_NAME }}" \
+              -var="ssh_key_value=${{ env.PRIVATE_KEY }}" \
               -var="test_name=canary" \
               -var="is_canary=true" \
-              -var="test_dir=./test/canary" ; then aws s3 cp terraform.tfstate s3://${S3_INTEGRATION_BUCKET}/canary/al2/terraform.tfstate
+              -var="test_dir=./test/canary" ; then aws s3 cp terraform.tfstate s3://${{ env.S3_INTEGRATION_BUCKET }}/canary/al2/terraform.tfstate
             else
               terraform destroy -auto-approve && exit 1
             fi

.github/workflows/e2e-test.yml

@@ -9,8 +9,6 @@ env:
   CWA_GITHUB_TEST_REPO_NAME: "aws/amazon-cloudwatch-agent-test"
   CWA_GITHUB_TEST_REPO_URL: "https://github.com/aws/amazon-cloudwatch-agent-test.git"
   CWA_GITHUB_TEST_REPO_BRANCH: "main"
-  TERRAFORM_AWS_ASSUME_ROLE_ITAR: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE_ITAR }}
-  TERRAFORM_AWS_ASSUME_ROLE_CN: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE_CN }}
   OPERATOR_GITHUB_REPO_NAME: "aws/amazon-cloudwatch-agent-operator"
 
 on:

.github/workflows/ec2-integration-test.yml

@@ -42,6 +42,11 @@ on:
         type: boolean
       s3_integration_bucket:
         type: string
+    secrets:
+      AWS_PRIVATE_KEY:
+        required: false
+      KEY_NAME:
+        required: false
 
 jobs:
   EC2IntegrationTest:

.github/workflows/release-candidate-test.yml

@@ -3,16 +3,7 @@
 
 name: Test Release Candidate
 env:
-  TERRAFORM_AWS_ASSUME_ROLE: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE }}
-  TERRAFORM_AWS_ASSUME_ROLE_DURATION: 14400 # 4 hours
-  S3_INTEGRATION_BUCKET: ${{ vars.S3_INTEGRATION_BUCKET }}
-  S3_RELEASE_BUCKET: amazon-cloud-watch-agent
-  S3_RELEASE_REPO: cloudwatch-agent
   CWA_GITHUB_TEST_REPO_BRANCH: "main"
-  TERRAFORM_AWS_ASSUME_ROLE_ITAR: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE_ITAR }}
-  S3_INTEGRATION_BUCKET_ITAR: ${{ vars.S3_INTEGRATION_BUCKET_ITAR }}
-  TERRAFORM_AWS_ASSUME_ROLE_CN: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE_CN }}
-  S3_INTEGRATION_BUCKET_CN: ${{ vars.S3_INTEGRATION_BUCKET_CN }}
 
 on:
   workflow_dispatch:

.github/workflows/soak-test.yml

@@ -3,8 +3,6 @@
 
 name: Soak Test
 env:
-  TERRAFORM_AWS_ASSUME_ROLE: ${{ secrets.TERRAFORM_AWS_ASSUME_ROLE }}
-  S3_INTEGRATION_BUCKET: ${{ secrets.S3_INTEGRATION_BUCKET }}
   KEY_NAME: ${{ secrets.KEY_NAME }}
   PRIVATE_KEY: ${{ secrets.AWS_PRIVATE_KEY }}
   CWA_GITHUB_TEST_REPO_NAME: "aws/amazon-cloudwatch-agent-test"
@@ -70,13 +68,13 @@ jobs:
     steps:
       - uses: actions/checkout@v3
         with:
-          repository: ${{env.CWA_GITHUB_TEST_REPO_NAME}}
-          ref: ${{env.CWA_GITHUB_TEST_REPO_BRANCH}}
+          repository: ${{ env.CWA_GITHUB_TEST_REPO_NAME }}
+          ref: ${{ env.CWA_GITHUB_TEST_REPO_BRANCH }}
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: ${{ env.TERRAFORM_AWS_ASSUME_ROLE }}
+          role-to-assume: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE }}
           aws-region: us-west-2
 
       - name: Install Terraform
@@ -98,16 +96,16 @@ jobs:
             cd terraform/ec2/linux
             terraform init
             terraform apply --auto-approve \
-              -var="github_test_repo=${{env.CWA_GITHUB_TEST_REPO_URL}}" \
+              -var="github_test_repo=${{ env.CWA_GITHUB_TEST_REPO_URL }}" \
               -var="github_test_repo_branch=${{env.CWA_GITHUB_TEST_REPO_BRANCH}}" \
-              -var="cwa_github_sha=${GITHUB_SHA}" \
+              -var="cwa_github_sha=${{ github.sha }}" \
               -var="user=ec2-user" \
               -var="ami=cloudwatch-agent-integration-test-al2*" \
               -var="arc=amd64" \
               -var="binary_name=amazon-cloudwatch-agent.rpm" \
-              -var="s3_bucket=${S3_INTEGRATION_BUCKET}" \
-              -var="ssh_key_name=${KEY_NAME}" \
-              -var="ssh_key_value=${PRIVATE_KEY}" \
+              -var="s3_bucket=${{ vars.S3_INTEGRATION_BUCKET }}" \
+              -var="ssh_key_name=${{ env.KEY_NAME }}" \
+              -var="ssh_key_value=${{ env.PRIVATE_KEY }}" \
               -var="test_name=SoakTest" \
               -var="test_dir=./test/soak -run TestSoakHigh"
 

.github/workflows/start-localstack.yml

@@ -31,6 +31,11 @@ on:
     outputs:
       local_stack_host_name:
         value: ${{ jobs.StartLocalStack.outputs.local_stack_host_name }}
+    secrets:
+      AWS_PRIVATE_KEY:
+        required: false
+      KEY_NAME:
+        required: false
 
 
 jobs:

.github/workflows/stop-localstack.yml

@@ -25,6 +25,11 @@ on:
         type: string
       s3_integration_bucket:
         type: string
+    secrets:
+      AWS_PRIVATE_KEY:
+        required: false
+      KEY_NAME:
+        required: false
 
 
 jobs:

.github/workflows/test-artifacts.yml

@@ -3,7 +3,7 @@
 
 name: Test Artifacts
 env:
-  PRIVATE_KEY: ${{ secrets.AWS_PRIVATE_KEY  }}
+  PRIVATE_KEY: ${{ secrets.AWS_PRIVATE_KEY }}
   TERRAFORM_AWS_ASSUME_ROLE: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE }}
   TERRAFORM_AWS_ASSUME_ROLE_DURATION: 14400 # 4 hours
   S3_INTEGRATION_BUCKET: ${{ vars.S3_INTEGRATION_BUCKET }}
@@ -250,7 +250,9 @@ jobs:
     name: 'StartLocalStackITAR'
     needs: [OutputEnvVariables]
     uses: ./.github/workflows/start-localstack.yml
-    secrets: inherit
+    secrets:
+      AWS_PRIVATE_KEY: ${{ secrets.AWS_PRIVATE_KEY_ITAR }}
+      KEY_NAME: ${{ secrets.KEY_NAME }}
     permissions:
       id-token: write
       contents: read
@@ -267,7 +269,9 @@ jobs:
     name: 'StartLocalStackCN'
     needs: [ OutputEnvVariables, UploadDependenciesCN ]
     uses: ./.github/workflows/start-localstack.yml
-    secrets: inherit
+    secrets:
+      AWS_PRIVATE_KEY: ${{ secrets.AWS_PRIVATE_KEY_CN }}
+      KEY_NAME: ${{ secrets.KEY_NAME }}
     permissions:
       id-token: write
       contents: read
@@ -450,7 +454,9 @@ jobs:
       region: us-gov-east-1
       terraform_assume_role: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE_ITAR }}
       s3_integration_bucket: ${{ vars.S3_INTEGRATION_BUCKET_ITAR }}
-    secrets: inherit
+    secrets:
+      AWS_PRIVATE_KEY: ${{ secrets.AWS_PRIVATE_KEY_ITAR }}
+      KEY_NAME: ${{ secrets.KEY_NAME }}
 
   EC2LinuxIntegrationTestCN:
     needs: [ StartLocalStackCN, GenerateTestMatrix, OutputEnvVariables ]
@@ -468,7 +474,9 @@ jobs:
       region: cn-north-1
       terraform_assume_role: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE_CN }}
       s3_integration_bucket: ${{ vars.S3_INTEGRATION_BUCKET_CN }}
-    secrets: inherit
+    secrets:
+      AWS_PRIVATE_KEY: ${{ secrets.AWS_PRIVATE_KEY_CN }}
+      KEY_NAME: ${{ secrets.KEY_NAME }}
 
   EC2SELinuxIntegrationTest:
     needs: [ StartLocalStack, GenerateTestMatrix, OutputEnvVariables ]
@@ -669,7 +677,9 @@ jobs:
     if: ${{ always() && needs.StartLocalStackITAR.result == 'success' }}
     needs: [ StartLocalStackITAR, EC2LinuxIntegrationTestITAR, OutputEnvVariables ]
     uses: ./.github/workflows/stop-localstack.yml
-    secrets: inherit
+    secrets:
+      AWS_PRIVATE_KEY: ${{ secrets.AWS_PRIVATE_KEY_ITAR }}
+      KEY_NAME: ${{ secrets.KEY_NAME }}
     permissions:
       id-token: write
       contents: read
@@ -686,7 +696,9 @@ jobs:
     if: ${{ always() && needs.StartLocalStackCN.result == 'success' }}
     needs: [ StartLocalStackCN, EC2LinuxIntegrationTestCN, OutputEnvVariables]
     uses: ./.github/workflows/stop-localstack.yml
-    secrets: inherit
+    secrets:
+      AWS_PRIVATE_KEY: ${{ secrets.AWS_PRIVATE_KEY_CN }}
+      KEY_NAME: ${{ secrets.KEY_NAME }}
     permissions:
       id-token: write
       contents: read