diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml new file mode 100644 index 0000000..106a419 --- /dev/null +++ b/.github/workflows/e2e.yaml 
@@ -0,0 +1,88 @@
+name: e2e
+
+on:
+ push:
+ branches:
+ - mkulke/restricted-environment
+
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ build-and-run-example:
+ runs-on: ubuntu-latest
+ environment: restricted
+ steps:
+ - name: Create resource suffix
+ run: >
+ echo "SUFFIX=$(echo $RANDOM | md5sum | head -c6)"
+ >> "$GITHUB_ENV"
+
+ - uses: actions/checkout@v3
+
+ - name: Az CLI login
+ uses: azure/login@v1
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ - uses: actions-rs/toolchain@v1
+ with:
+ profile: minimal
+ toolchain: stable
+
+ - name: Build example project
+ working-directory: ./az-snp-vtpm
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y libtss2-dev
+ cargo build --release -p example
+
+ - name: Create SSH key pair
+ run: ssh-keygen -t rsa -b 4096 -N "" -f ~/.ssh/id_rsa
+
+ - name: Create VM resources
+ working-directory: ./az-snp-vtpm
+ env:
+ LOCATION: eastus
+ ASSIGN_PUBLIC_IP: 'true'
+ CVM_RESOURCE_GROUP: ${{ vars.RESOURCE_GROUP }}
+ run: |
+ make deploy
+ public_ip=$(az network public-ip show \
+ -g "$CVM_RESOURCE_GROUP" \
+ -n "cvm-${SUFFIX}-ip" \
+ --query ipAddress \
+ -o tsv)
+ echo "PUBLIC_IP=$public_ip" >> "$GITHUB_ENV"
+
+ - name: Copy bin to cvm
+ working-directory: ./az-snp-vtpm
+ run: >
+ scp
+ -o StrictHostKeyChecking=no
+ target/release/example
+ "azureuser@${PUBLIC_IP}:"
+
+ - name: Install dependency on CVM
+ run: >
+ ssh
+ -o StrictHostKeyChecking=no
+ "azureuser@${PUBLIC_IP}"
+ -C "sudo apt-get update && sudo apt-get install -y libtss2-tctildr0"
+
+ - name: Execute example on CVM
+ run: >
+ ssh
+ -o StrictHostKeyChecking=no
+ "azureuser@${PUBLIC_IP}"
+ -C "sudo ./example"
+
+ - name: Delete VM resources
+ if: always()
+ working-directory: ./az-snp-vtpm
+ env:
+ CVM_RESOURCE_GROUP: ${{ vars.RESOURCE_GROUP }}
+ run: make delete
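Review bot: The three `uses:` lines (`actions/checkout@v3`, `azure/login@v1`, `actions-rs/toolchain@v1`) reference mutable tags in a job that holds `id-token: write` and performs an OIDC login to Azure, so a force-pushed or compromised tag would execute with the cloud identity; pin each to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v3`. actions-rs/toolchain also appears to be unmaintained, and `dtolnay/rust-toolchain` is the usual replacement. The scp and both ssh steps pass `-o StrictHostKeyChecking=no`, which accepts any host key for `$PUBLIC_IP`; the VM is fresh each run so there is nothing to pin in advance, but `-o StrictHostKeyChecking=accept-new` at least rejects a key that changes between the scp and the two later ssh calls, and if a verified channel is wanted the deploy step could read the VM's host key over `az vm run-command` and write it into `~/.ssh/known_hosts` before the first connection. `ssh-keygen -t rsa -b 4096` works but `-t ed25519` is the smaller, faster default today. The `if: always()` on the delete step is the right choice for a `make deploy` that fails midway.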
diff --git a/az-snp-vtpm/Makefile b/az-snp-vtpm/Makefile index eec237e..81c29a2 100644 --- a/az-snp-vtpm/Makefile +++ b/az-snp-vtpm/Makefile @@ -1,8 +1,6 @@ -CVM_RESOURCE_GROUP ?= +CVM_RESOURCE_GROUP ?= azure-cvm-tooling-ci LOCATION ?= eastus -VNET_ID ?= /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/ IMAGE_ID ?= - -SUBNET_NAME ?= default SSH_PUB_KEY_PATH ?= ~/.ssh/id_rsa.pub ADMIN_PUBLIC_KEY = $(shell cat $(SSH_PUB_KEY_PATH)) ifeq ($(SUFFIX),) @@ -19,8 +17,6 @@ deploy: --name $(VM_NAME) \ --parameters virtualMachineName=$(VM_NAME) \ --parameters location=$(LOCATION) \ - --parameters subnetName=$(SUBNET_NAME) \ - --parameters vnetId=$(VNET_ID) \ $(if $(IMAGE_ID:-=),--parameters imageId=$(IMAGE_ID)) \ --parameters adminPublicKey='$(ADMIN_PUBLIC_KEY)' \ --parameters assignPublicIP=$(ASSIGN_PUBLIC_IP) && \ @@ -39,4 +35,7 @@ delete: --yes && \ az network public-ip delete \ --resource-group $(CVM_RESOURCE_GROUP) \ - --name $(VM_NAME)-ip + --name $(VM_NAME)-ip && \ + az network vnet delete \ + --resource-group azure-cvm-tooling-ci \ + --name $(VM_NAME)-vnet diff --git a/az-snp-vtpm/arm/cvm.bicep b/az-snp-vtpm/arm/cvm.bicep index 252b1dd..488e345 100644 --- a/az-snp-vtpm/arm/cvm.bicep +++ b/az-snp-vtpm/arm/cvm.bicep @@ -1,6 +1,5 @@ param location string -param subnetName string -param vnetId string +param subnetId string = '' param virtualMachineName string param imageId string = '' param osDiskType string = 'Premium_LRS' 
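Review bot: The new `az network vnet delete` call in the `delete` target hardcodes `--resource-group azure-cvm-tooling-ci`, while the `az vm delete` and `az network public-ip delete` calls just above it use `$(CVM_RESOURCE_GROUP)`; the e2e workflow sets that variable from `vars.RESOURCE_GROUP`, so whenever it differs from the new default the vnet is looked up in the wrong group, the `&&` chain fails and the vnet is left behind. Change it to `--resource-group $(CVM_RESOURCE_GROUP) \` so all three deletes target the same group. Deleting the vnet unconditionally matches `deploy`, which no longer passes `subnetId` and therefore always lets the template create `$(VM_NAME)-vnet`; a short comment above the target saying so (`# vnet is always created by deploy since subnetId is not passed`) would save the next reader the cross-check.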
@@ -9,16 +8,18 @@ param virtualMachineSize string = 'Standard_DC2as_v5' param nicDeleteOption string = 'Delete' param adminUsername string = 'azureuser' param assignPublicIP bool = false - @secure() param adminPublicKey string param securityType string = 'ConfidentialVM' param secureBoot bool = true param vTPM bool = true -var subnetRef = '${vnetId}/subnets/${subnetName}' var networkInterfaceName = '${virtualMachineName}-nic' var publicIPName = '${virtualMachineName}-ip' +var virtualNetworkName = '${virtualMachineName}-vnet' +var subnetName = '${virtualMachineName}-subnet' +var subnetAddressPrefix = '10.1.0.0/24' +var addressPrefix = '10.1.0.0/16' resource publicIP_resource 'Microsoft.Network/publicIPAddresses@2022-07-01' = if (assignPublicIP == true) { name: publicIPName @@ -28,6 +29,26 @@ resource publicIP_resource 'Microsoft.Network/publicIPAddresses@2022-07-01' = if } } +resource virtualNetwork_resource 'Microsoft.Network/virtualNetworks@2021-05-01' = if (subnetId == '') { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + } +} + +resource subnet_resource 'Microsoft.Network/virtualNetworks/subnets@2021-05-01' = if (subnetId == '') { + parent: virtualNetwork_resource + name: subnetName + properties: { + addressPrefix: subnetAddressPrefix + } +} + resource networkInterfaceName_resource 'Microsoft.Network/networkInterfaces@2021-08-01' = { name: networkInterfaceName location: location @@ -38,7 +59,7 @@ resource networkInterfaceName_resource 'Microsoft.Network/networkInterfaces@2021 properties: { subnet: { #disable-next-line use-resource-id-functions - id: subnetRef + id: (subnetId == '') ? subnet_resource.id : subnetId } privateIPAllocationMethod: 'Dynamic' publicIPAddress: assignPublicIP ? {
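Review bot: The `virtualNetwork_resource` and `subnet_resource` added in the `@@ -28,6 +29,26 @@` hunk carry no `networkSecurityGroup`, and the NIC in the following hunk attaches `publicIP_resource` when `assignPublicIP` is true, so with neither NIC nor subnet filtered Azure applies no inbound filtering and the VM is reachable from the internet on every listening port; the e2e workflow deploys with `ASSIGN_PUBLIC_IP=true`, so this is the path actually exercised. Add an NSG under the same `if (subnetId == '')` guard that allows inbound 22/tcp only, ideally from a parameterised source (`param sshSourceAddressPrefix string = '*'`, narrowed by the caller), and reference it from the subnet as below. Separately, declaring the subnet as a standalone child while the parent vnet has no `subnets` property is a known way for the subnet to be dropped when the vnet is redeployed alone; harmless for an ephemeral CI VM, but worth a one-line comment on the vnet resource.
```bicep
resource nsg_resource 'Microsoft.Network/networkSecurityGroups@2021-05-01' = if (subnetId == '') {
  name: '${virtualMachineName}-nsg'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-ssh'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: sshSourceAddressPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '22'
        }
      }
    ]
  }
}

// … unchanged: virtualNetwork_resource …

resource subnet_resource 'Microsoft.Network/virtualNetworks/subnets@2021-05-01' = if (subnetId == '') {
  parent: virtualNetwork_resource
  name: subnetName
  properties: {
    addressPrefix: subnetAddressPrefix
    networkSecurityGroup: {
      id: nsg_resource.id
    }
  }
}
```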