Worker: allow configuring executor CloudWatch group

We need the ability to use different CloudWatch group for the osbuild-executor on Fedora workers in staging and production environment. Extend the worker confguration to allow configuring the CloudWatch group name used by the osbuild-executor. Extend the secure instance code to instruct cloud-init via user data to create /tmp/cloud_init_vars file with the CloudWatch group name in the osbuild-executor instance, to make it possible for the executor to configure its logging differently based on the value. Cover new changes by unit tests. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
2024-03-07 15:23:31 +01:00 · 2024-03-07 15:23:31 +01:00 · e7743f17ec
commit e7743f17ec
parent ceddabc395
7 changed files with 90 additions and 21 deletions
--- a/internal/cloud/awscloud/secure-instance.go
+++ b/internal/cloud/awscloud/secure-instance.go
@ -18,15 +18,27 @@ type SecureInstance struct {
 	Instance *ec2.Instance
 }

-const UserData = `#cloud-config
+// SecureInstanceUserData returns the cloud-init user data for a secure instance.
+func SecureInstanceUserData(CloudWatchGroup string) string {
+	additionalFiles := ""
+
+	if CloudWatchGroup != "" {
+		additionalFiles += fmt.Sprintf(`  - path: /tmp/cloud_init_vars
+    content: |
+      OSBUILD_EXECUTOR_CLOUDWATCH_GROUP='%s'
+`, CloudWatchGroup)
+	}
+
+	return fmt.Sprintf(`#cloud-config
 write_files:
  - path: /tmp/worker-run-executor-service
    content: ''
-`
+%s`, additionalFiles)
+}

 // Runs an instance with a security group that only allows traffic to
 // the host. Will replace resources if they already exists.
-func (a *AWS) RunSecureInstance(iamProfile, keyName string) (*SecureInstance, error) {
+func (a *AWS) RunSecureInstance(iamProfile, keyName, CloudWatchGroup string) (*SecureInstance, error) {
 	identity, err := a.ec2metadata.GetInstanceIdentityDocument()
 	if err != nil {
 		logrus.Errorf("Error getting the identity document, %s", err)
@ -67,7 +79,7 @@ func (a *AWS) RunSecureInstance(iamProfile, keyName string) (*SecureInstance, er
 		return nil, err
 	}

-	ltID, err := a.createOrReplaceLT(identity.InstanceID, imageID, sgID, instanceType, iamProfile, keyName)
+	ltID, err := a.createOrReplaceLT(identity.InstanceID, imageID, sgID, instanceType, iamProfile, keyName, CloudWatchGroup)
 	if ltID != "" {
 		secureInstance.LTID = ltID
 	}
@ -284,7 +296,7 @@ func isLaunchTemplateNotFoundError(err error) bool {

 }

-func (a *AWS) createOrReplaceLT(hostInstanceID, imageID, sgID, instanceType, iamProfile, keyName string) (string, error) {
+func (a *AWS) createOrReplaceLT(hostInstanceID, imageID, sgID, instanceType, iamProfile, keyName, CloudWatchGroup string) (string, error) {
 	ltName := fmt.Sprintf("launch-template-for-%s-runner-instance", hostInstanceID)
 	descrLTOutput, err := a.ec2.DescribeLaunchTemplates(&ec2.DescribeLaunchTemplatesInput{
 		LaunchTemplateNames: []*string{
@ -322,7 +334,7 @@ func (a *AWS) createOrReplaceLT(hostInstanceID, imageID, sgID, instanceType, iam
 			SecurityGroupIds: []*string{
 				aws.String(sgID),
 			},
-			UserData: aws.String(base64.StdEncoding.EncodeToString([]byte(UserData))),
+			UserData: aws.String(base64.StdEncoding.EncodeToString([]byte(SecureInstanceUserData(CloudWatchGroup)))),
 		},
 		TagSpecifications: []*ec2.TagSpecification{
 			&ec2.TagSpecification{
--- a/internal/cloud/awscloud/secure-instance_test.go
+++ b/internal/cloud/awscloud/secure-instance_test.go
@ -0,0 +1,43 @@
+package awscloud
+
+import (
+	"fmt"
+	"testing"
+)
+
+func TestSecureInstanceUserData(t *testing.T) {
+	type testCase struct {
+		CloudWatchGroup  string
+		ExpectedUserData string
+	}
+
+	testCases := []testCase{
+		{
+			ExpectedUserData: `#cloud-config
+write_files:
+  - path: /tmp/worker-run-executor-service
+    content: ''
+`,
+		},
+		{
+			CloudWatchGroup: "test-group",
+			ExpectedUserData: `#cloud-config
+write_files:
+  - path: /tmp/worker-run-executor-service
+    content: ''
+  - path: /tmp/cloud_init_vars
+    content: |
+      OSBUILD_EXECUTOR_CLOUDWATCH_GROUP='test-group'
+`,
+		},
+	}
+
+	for idx, tc := range testCases {
+		t.Run(fmt.Sprintf("Test case %d", idx), func(t *testing.T) {
+			userData := SecureInstanceUserData(tc.CloudWatchGroup)
+			if userData != tc.ExpectedUserData {
+				t.Errorf("Expected: %s, got: %s", tc.ExpectedUserData, userData)
+			}
+		})
+	}
+}
--- a/internal/osbuildexecutor/runner-impl-aws-ec2.go
+++ b/internal/osbuildexecutor/runner-impl-aws-ec2.go
@ -13,8 +13,9 @@ import (
 )

 type awsEC2Executor struct {
-	iamProfile string
-	keyName    string
+	iamProfile      string
+	keyName         string
+	cloudWatchGroup string
 }

 func (ec2e *awsEC2Executor) RunOSBuild(manifest []byte, store, outputDirectory string, exports, exportPaths, checkpoints,
@ -29,7 +30,7 @@ func (ec2e *awsEC2Executor) RunOSBuild(manifest []byte, store, outputDirectory s
 		return nil, err
 	}

-	si, err := aws.RunSecureInstance(ec2e.iamProfile, ec2e.keyName)
+	si, err := aws.RunSecureInstance(ec2e.iamProfile, ec2e.keyName, ec2e.cloudWatchGroup)
 	if err != nil {
 		return nil, err
 	}
@ -92,9 +93,10 @@ func (ec2e *awsEC2Executor) RunOSBuild(manifest []byte, store, outputDirectory s
 	return &osbuildResult, nil
 }

-func NewAWSEC2Executor(iamProfile, keyName string) Executor {
+func NewAWSEC2Executor(iamProfile, keyName, cloudWatchGroup string) Executor {
 	return &awsEC2Executor{
 		iamProfile,
 		keyName,
+		cloudWatchGroup,
 	}
 }