QA » openQA Project

So far I started with https://github.com/os-autoinst/openQA/pull/4880 which is a simple draft created according to https://progress.opensuse.org/projects/openqav3/wiki/Wiki#section-71; in the next steps, I would like to see, if I can use another terraform provider (like docker) to test it locally and/or try to login to AWS console and test/debug it there.

Let's look into it during the mob session on Thursday

jbaier_cz wrote:

Unfortunately, my aws credential seems to be no longer valid so I am unable to test that for real. Also creating code for other provider will not share code, so that is also not a way out.

I'm looking into access to AWS following internal documentation about landing zone access. Unfortunately it seems all of our accounts need to be replaced. See SD-103992.

Resources¶

• https://docs.localstack.cloud/integrations/terraform/
• https://www.scien.cx/2021/07/03/localstack-with-terraform-and-docker-for-running-aws-locally/
• https://docs.localstack.cloud/get-started/#localstack-cockpit GUI for debugging (available as an AppImage, requires docker)
• https://docs.localstack.cloud/ci/github-actions/

Run terraform with fake aws locally¶

    cd container/terraform

    podman run --rm -it --name terraform -v $(pwd):/workspace -w /workspace hashi
corp/terraform:light validate
    podman run --rm -it --name terraform -v $(pwd):/workspace -w /workspace hashicorp/terraform:light init ## this needs to be run once; providers will be downloaded to a local folder
    podman run --rm -it --name localstack -p 4566:4566 -p 4510-4559:4510-4559 -v $(pwd):/workspace -w /workspace localstack/localstack:latest
    podman run --rm -it --network host --name terraform -v $(pwd):/workspace -w /workspace hashicorp/terraform:light apply

    ╷                                                                                                                       
│ Warning: Argument is deprecated                                                                                       
│                                                                                                                       
│   with provider["registry.terraform.io/hashicorp/aws"],                                                               
│   on main.tf line 18, in provider "aws":                                                                              
│   18:   s3_force_path_style         = false                                                                           
│                                                                                                                       
│ Use s3_use_path_style instead.                                                                                        
│                                                                                                                       
│ (and one more similar warning elsewhere)                                                                              
╵                                                                                                                       
╷                                                                                                                       
│ Warning: Attribute Deprecated                                                                                         
│                                                                                                                       
│   with provider["registry.terraform.io/hashicorp/aws"],                                                               
│   on main.tf line 18, in provider "aws":                                                                              
│   18:   s3_force_path_style         = false                                                                           
│                                                                                                                       
│ Use s3_use_path_style instead.                                                                                        
│                                                                                                                       
│ (and one more similar warning elsewhere)
╵

Interim verdict / next steps¶

• Without the "pro" version we get a sanity check of the AWS setup but it won't setup working containers
• Reproduce the above commands in the form of a GitHub action @cdywan
• Get new AWS accounts (see SD ticket above) @cdywan
• Confirm that this can be deployed on the actual AWS - to be done in another mob session
• We saw some deprecation warnings, those should be investigated @tina

Simply replacing

  s3_force_path_style         = true

with

 s3_use_path_style            = true

gets rid of the deprecation warning.

The docs at https://docs.localstack.cloud/integrations/terraform/ are outdated a bit, it seems.

• For CI (https://github.com/os-autoinst/openQA/pull/4880) override files could be used to avoid hard-coding localstack values https://developer.hashicorp.com/terraform/language/files/override
• Add ~/.aws/credentials without relying on aws configure aws_access_key_id= aws_secret_access_key= aws_session_token=
• Verify what's running iva aws ec2 describe-instances | jq '.Reservations | .[] | .Instances | .[] | .ImageId,.InstanceId,.PublicDnsName' analoguous to checking the AWS console

variable "aws_access_key_id" { default = "test" }
variable "aws_secret_access_key" { default = "test" }
variable "aws_session_token" { default = "test" }

provider "aws" {
  region                      = var.region
  access_key                  = var.aws_access_key_id
  secret_key                  = var.aws_secret_access_key
  token                       = var.aws_session_token
  s3_use_path_style           = true
}

• Place credentials as key-value pairs in container/terraform/terraform.tfvars
• Consider deleting old state when terraform gets confused: rm terraform.tfstate*
• export TF_LOG="TRACE" doesn't seem to do much
• We tried to provision SSH keys via Terraform using resource "aws_key_pair" "deployer" { public_key = "ssh-rsa ....... user@suse.de" }, see also https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/key_pair and also via user-data in aws-instance sections. Neither could be confirmed to work.
• The web UI doesn't correctly spin up; without SSH access we had no way of investigating the problem.

I pushed an update to the PR that adds terraform and CI which relies on overrides and variables and works for me locally.

Still need to experiment further with SSH key deployment.

cdywan wrote:

I pushed an update to the PR that adds terraform and CI which relies on overrides and variables and works for me locally.

I browsed stackoverflow and read up on workspaces and dynamic blocks which allowed me to cleanly use the same configuration locally and in CI unmodified.

aws_access_key_id=
aws_secret_access_key=
aws_session_token=

These can now, and this is mentioned in variables.tf as a comment, be put into a file terraform.tfvars. Note that these are invalidated automatically. Between sessions I had to replace all of them to test on AWS.
Also, the image ID experied as well in the meantime. So I'm not trying to keep it "correct" at this point. Maybe it needs to be filled in whenever it's used in production.

Still need to experiment further with SSH key deployment.

Still no real progress there. I tried some things to get something to run but I can only guess why it won't since I'm still fyling blind.

• AC2: One or multiple workers are setup

• We should add another aws_instance for a worker
• Workers can probably be "internal" to the network
• Add steps from #118660#note-14 to the README.md in a Terraform
  • For a recent openSUSE Leap image check https://pint.suse.com/?resource=images&csp=amazon&state=active®ion=eu-central-1&search=leap
  • Suggest specifying image_id

With this we can review/ merge the PR.

Follow up steps:

• Allow multiple workers e.g. something like https://stackoverflow.com/questions/60716579/terraform-creating-multiple-instances-with-for-each
• Workers need to talk to the web UI
  • Developer mode needs to be able to connect to the worker if we want to support it

Setting due date based on mean cycle time of SUSE QE Tools

Setting due date based on mean cycle time of SUSE QE Tools

Setting due date based on mean cycle time of SUSE QE Tools

Setting due date based on mean cycle time of SUSE QE Tools