@depup/artillery 2.0.30-depup.0

package/lib/platform/aws/iam-cf-templates/gh-oidc-fargate.yml

@@ -0,0 +1,241 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Creates an ArtilleryGitHubOIDCForFargateRole IAM role with permissions needed to run Artillery Fargate tests from a specified GitHub repository. An OIDC identity provider for Github will also be created if it is not already present in the account.
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: "GitHub"
+        Parameters:
+          - GitHubRepository
+          - GitHubBranch
+      - Label:
+          default: "AWS IAM"
+        Parameters:
+          - GitHubOIDCProviderExists
+
+    ParameterLabels:
+      GitHubRepository:
+        default: "GitHub repository"
+      GitHubBranch:
+        default: "GitHub branch"
+      GitHubOIDCProviderExists:
+        default: "GitHub OIDC identity provider already created for the account?"
+
+Parameters:
+  GitHubRepository:
+    Type: String
+    Default: ""
+    Description: The GitHub repository (orgname/reponame) to be allowed to assume the created IAM role using OIDC (e.g. "artilleryio/artillery").
+
+  GitHubBranch:
+    Type: String
+    Default: "*"
+    Description: (Optional) Use when you want to allow only a specific branch within the specified Github repository to assume this IAM role using OIDC (e.g. "main"). If not set, defaults to "*" (all branches). 
+
+  GitHubOIDCProviderExists:
+    Type: String
+    Default: 'No'
+    AllowedValues:
+      - 'Yes'
+      - 'No'
+    Description: This will let CloudFormation know whether it needs to create the provider. (If it exists, can be found at Services -> IAM -> Identity providers as 'token.actions.githubusercontent.com').
+
+Conditions:
+  IsGHRepoSet:
+    !Not [!Equals [!Ref GitHubRepository, ""]]
+
+  CreateOIDCProvider:
+    !Equals [!Ref GitHubOIDCProviderExists, "No"]
+
+Resources:
+  GitHubOIDCProvider:
+    Type: AWS::IAM::OIDCProvider
+    Condition: CreateOIDCProvider
+    Properties:
+      Url: "https://token.actions.githubusercontent.com"
+      ClientIdList:
+        - "sts.amazonaws.com"
+      ThumbprintList:
+        - "6938fd4d98bab03faadb97b34396831e3780ee11"
+
+  ArtilleryGitHubOIDCForFargateRole:
+    Type: "AWS::IAM::Role"
+    Properties:
+      RoleName: "ArtilleryGitHubOIDCForFargateRole"
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: "Allow"
+            Principal:
+              Federated: 
+                Fn::If:
+                  - CreateOIDCProvider
+                  - !Ref GitHubOIDCProvider
+                  - !Sub "arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com"
+            Action: "sts:AssumeRoleWithWebIdentity"
+            Condition: {
+              StringEquals:
+                {
+                  "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+                },
+              StringLike:
+                {
+                  "token.actions.githubusercontent.com:sub": !Sub "repo:${GitHubRepository}:${GitHubBranch}"
+                }
+            }
+      Path: "/"
+      Policies:
+        - PolicyName: "ArtilleryGitHubOIDCForFargatePolicy"
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Sid: "CreateOrGetECSRole"
+                Effect: "Allow"
+                Action:
+                  - "iam:CreateRole"
+                  - "iam:GetRole"
+                  - "iam:AttachRolePolicy"
+                  - "iam:PassRole"
+                Resource:
+                  Fn::Sub: "arn:aws:iam::${AWS::AccountId}:role/artilleryio-ecs-worker-role"
+              - Sid: "CreateECSPolicy"
+                Effect: "Allow"
+                Action:
+                  - "iam:CreatePolicy"
+                Resource:
+                  Fn::Sub: "arn:aws:iam::${AWS::AccountId}:policy/artilleryio-ecs-worker-policy"
+              - Effect: "Allow"
+                Action:
+                  - "iam:CreateServiceLinkedRole"
+                Resource:
+                  - "arn:aws:iam::*:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS*"
+                Condition:
+                  StringLike:
+                    iam:AWSServiceName: "ecs.amazonaws.com"
+              - Effect: "Allow"
+                Action:
+                  - "iam:PassRole"
+                Resource:
+                  - Fn::Sub: "arn:aws:iam::${AWS::AccountId}:role/artilleryio-ecs-worker-role"
+              - Sid: "SQSPermissions"
+                Effect: "Allow"
+                Action:
+                  - "sqs:*"
+                Resource:
+                  Fn::Sub: "arn:aws:sqs:*:${AWS::AccountId}:artilleryio*"
+              - Sid: "SQSListQueues"
+                Effect: "Allow"
+                Action:
+                  - "sqs:ListQueues"
+                Resource: "*"
+              - Sid: "ECSPermissionsGeneral"
+                Effect: "Allow"
+                Action:
+                  - "ecs:ListClusters"
+                  - "ecs:CreateCluster"
+                  - "ecs:RegisterTaskDefinition"
+                  - "ecs:DeregisterTaskDefinition"
+                Resource: "*"
+              - Sid: "ECSPermissionsScopedToCluster"
+                Effect: "Allow"
+                Action:
+                  - "ecs:DescribeClusters"
+                  - "ecs:ListContainerInstances"
+                Resource:
+                  Fn::Sub: "arn:aws:ecs:*:${AWS::AccountId}:cluster/*"
+              - Sid: "ECSPermissionsScopedWithCondition"
+                Effect: "Allow"
+                Action:
+                  - "ecs:SubmitTaskStateChange"
+                  - "ecs:DescribeTasks"
+                  - "ecs:ListTasks"
+                  - "ecs:ListTaskDefinitions"
+                  - "ecs:DescribeTaskDefinition"
+                  - "ecs:StartTask"
+                  - "ecs:StopTask"
+                  - "ecs:RunTask"
+                Condition:
+                  ArnEquals:
+                    ecs:cluster:
+                      Fn::Sub: "arn:aws:ecs:*:${AWS::AccountId}:cluster/*"
+                Resource: "*"
+              - Sid: "S3Permissions"
+                Effect: "Allow"
+                Action:
+                  - "s3:CreateBucket"
+                  - "s3:DeleteObject"
+                  - "s3:GetObject"
+                  - "s3:GetObjectAcl"
+                  - "s3:GetObjectTagging"
+                  - "s3:GetObjectVersion"
+                  - "s3:PutObject"
+                  - "s3:PutObjectAcl"
+                  - "s3:ListBucket"
+                  - "s3:GetBucketLocation"
+                  - "s3:GetBucketLogging"
+                  - "s3:GetBucketPolicy"
+                  - "s3:GetBucketTagging"
+                  - "s3:PutBucketPolicy"
+                  - "s3:PutBucketTagging"
+                  - "s3:PutMetricsConfiguration"
+                  - "s3:GetLifecycleConfiguration"
+                  - "s3:PutLifecycleConfiguration"
+                Resource:
+                  - "arn:aws:s3:::artilleryio-test-data-*"
+                  - "arn:aws:s3:::artilleryio-test-data-*/*"
+              - Sid: "LogsPermissions"
+                Effect: "Allow"
+                Action:
+                  - "logs:PutRetentionPolicy"
+                Resource:
+                  - Fn::Sub: "arn:aws:logs:*:${AWS::AccountId}:log-group:artilleryio-log-group/*"
+              - Effect: "Allow"
+                Action:
+                  - "secretsmanager:GetSecretValue"
+                Resource:
+                  - Fn::Sub: "arn:aws:secretsmanager:*:${AWS::AccountId}:secret:artilleryio/*"
+              - Effect: "Allow"
+                Action:
+                  - "ssm:PutParameter"
+                  - "ssm:GetParameter"
+                  - "ssm:GetParameters"
+                  - "ssm:DeleteParameter"
+                  - "ssm:DescribeParameters"
+                  - "ssm:GetParametersByPath"
+                Resource:
+                  - Fn::Sub: "arn:aws:ssm:us-east-1:${AWS::AccountId}:parameter/artilleryio/*"
+                  - Fn::Sub: "arn:aws:ssm:us-east-2:${AWS::AccountId}:parameter/artilleryio/*"
+                  - Fn::Sub: "arn:aws:ssm:us-west-1:${AWS::AccountId}:parameter/artilleryio/*"
+                  - Fn::Sub: "arn:aws:ssm:us-west-2:${AWS::AccountId}:parameter/artilleryio/*"
+                  - Fn::Sub: "arn:aws:ssm:ca-central-1:${AWS::AccountId}:parameter/artilleryio/*"
+                  - Fn::Sub: "arn:aws:ssm:eu-west-1:${AWS::AccountId}:parameter/artilleryio/*"
+                  - Fn::Sub: "arn:aws:ssm:eu-west-2:${AWS::AccountId}:parameter/artilleryio/*"
+                  - Fn::Sub: "arn:aws:ssm:eu-west-3:${AWS::AccountId}:parameter/artilleryio/*"
+                  - Fn::Sub: "arn:aws:ssm:eu-central-1:${AWS::AccountId}:parameter/artilleryio/*"
+                  - Fn::Sub: "arn:aws:ssm:eu-north-1:${AWS::AccountId}:parameter/artilleryio/*"
+                  - Fn::Sub: "arn:aws:ssm:ap-south-1:${AWS::AccountId}:parameter/artilleryio/*"
+                  - Fn::Sub: "arn:aws:ssm:ap-east-1:${AWS::AccountId}:parameter/artilleryio/*"
+                  - Fn::Sub: "arn:aws:ssm:ap-northeast-1:${AWS::AccountId}:parameter/artilleryio/*"
+                  - Fn::Sub: "arn:aws:ssm:ap-northeast-2:${AWS::AccountId}:parameter/artilleryio/*"
+                  - Fn::Sub: "arn:aws:ssm:ap-southeast-1:${AWS::AccountId}:parameter/artilleryio/*"
+                  - Fn::Sub: "arn:aws:ssm:ap-southeast-2:${AWS::AccountId}:parameter/artilleryio/*"
+                  - Fn::Sub: "arn:aws:ssm:me-south-1:${AWS::AccountId}:parameter/artilleryio/*"
+                  - Fn::Sub: "arn:aws:ssm:sa-east-1:${AWS::AccountId}:parameter/artilleryio/*"
+              - Effect: "Allow"
+                Action:
+                  - "ec2:DescribeRouteTables"
+                  - "ec2:DescribeVpcs"
+                  - "ec2:DescribeSubnets"
+                Resource: "*"
+
+Outputs:
+  RoleArn:
+    Description: "ARN of the created IAM Role"
+    Value:
+      Fn::GetAtt:
+        - "ArtilleryGitHubOIDCForFargateRole"
+        - "Arn"
+  OIDCProviderArn:
+    Condition: CreateOIDCProvider
+    Description: "ARN of the newly created OIDC provider"
+    Value: !Ref GitHubOIDCProvider

package/lib/platform/aws/iam-cf-templates/gh-oidc-lambda.yml

@@ -0,0 +1,153 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Creates an ArtilleryGitHubOIDCForLambdaRole IAM role with permissions needed to run Artillery Lambda tests from a specified GitHub repository. An OIDC identity provider for Github will also be created if it is not already present in the account.
+
+
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: "GitHub"
+        Parameters:
+          - GitHubRepository
+          - GitHubBranch
+      - Label:
+          default: "AWS IAM"
+        Parameters:
+          - GitHubOIDCProviderExists
+
+    ParameterLabels:
+      GitHubRepository:
+        default: "GitHub repository"
+      GitHubBranch:
+        default: "GitHub branch"
+      GitHubOIDCProviderExists:
+        default: "GitHub OIDC identity provider already created for the account?"
+
+Parameters:
+  GitHubRepository:
+    Type: String
+    Default: ""
+    Description: The GitHub repository (orgname/reponame) to be allowed to assume the created IAM role using OIDC (e.g. "artilleryio/artillery").
+
+  GitHubBranch:
+    Type: String
+    Default: "*"
+    Description: (Optional) Use when you want to allow only a specific branch within the specified Github repository to assume this IAM role using OIDC (e.g. "main"). If not set, defaults to "*" (all branches). 
+
+  GitHubOIDCProviderExists:
+    Type: String
+    Default: 'No'
+    AllowedValues:
+      - 'Yes'
+      - 'No'
+    Description: This will let CloudFormation know whether it needs to create the provider. (If it exists, can be found at Services -> IAM -> Identity providers as 'token.actions.githubusercontent.com').
+
+Conditions:
+  IsGHRepoSet:
+    !Not [!Equals [!Ref GitHubRepository, ""]]
+
+  CreateOIDCProvider:
+    !Equals [!Ref GitHubOIDCProviderExists, "No"]
+
+Resources:
+  GitHubOIDCProvider:
+    Type: AWS::IAM::OIDCProvider
+    Condition: CreateOIDCProvider
+    Properties:
+      Url: "https://token.actions.githubusercontent.com"
+      ClientIdList:
+        - "sts.amazonaws.com"
+      ThumbprintList:
+        - "6938fd4d98bab03faadb97b34396831e3780ee11"
+
+
+  ArtilleryGitHubOIDCForLambdaRole:
+    Type: "AWS::IAM::Role"
+    Properties:
+      RoleName: "ArtilleryGitHubOIDCForLambdaRole"
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: "Allow"
+            Principal:
+              Federated: 
+                Fn::If:
+                  - CreateOIDCProvider
+                  - !Ref GitHubOIDCProvider
+                  - !Ref GitHubOIDCProviderArn
+            Action: "sts:AssumeRoleWithWebIdentity"
+            Condition: {
+              StringEquals:
+                {
+                  "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+                },
+              StringLike:
+                {
+                  "token.actions.githubusercontent.com:sub": !Sub "repo:${GitHubRepository}:${GitHubBranch}"
+                }
+            }
+      Path: "/"
+      Policies:
+        - PolicyName: ArtilleryDistributedTestingLambdaPolicy
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Sid: CreateOrGetLambdaRole
+                Effect: Allow
+                Action:
+                  - iam:CreateRole
+                  - iam:GetRole
+                  - iam:PassRole
+                  - iam:AttachRolePolicy
+                Resource: !Sub "arn:aws:iam::${AWS::AccountId}:role/artilleryio-default-lambda-role-*"
+              - Sid: CreateLambdaPolicy
+                Effect: Allow
+                Action:
+                  - iam:CreatePolicy
+                Resource: !Sub "arn:aws:iam::${AWS::AccountId}:policy/artilleryio-lambda-policy-*"
+              - Sid: SQSPermissions
+                Effect: Allow
+                Action:
+                  - sqs:*
+                Resource: !Sub "arn:aws:sqs:*:${AWS::AccountId}:artilleryio*"
+              - Sid: SQSListQueues
+                Effect: Allow
+                Action:
+                  - sqs:ListQueues
+                Resource: "*"
+              - Sid: LambdaPermissions
+                Effect: Allow
+                Action:
+                  - lambda:InvokeFunction
+                  - lambda:CreateFunction
+                  - lambda:DeleteFunction
+                  - lambda:GetFunctionConfiguration
+                Resource: !Sub "arn:aws:lambda:*:${AWS::AccountId}:function:artilleryio-*"
+              - Sid: EcrPullImagePermissions
+                Effect: Allow
+                Action:
+                  - ecr:GetDownloadUrlForLayer
+                  - ecr:BatchGetImage
+                Resource: "arn:aws:ecr:*:248481025674:repository/artillery-worker"
+              - Sid: S3Permissions
+                Effect: Allow
+                Action:
+                  - s3:CreateBucket
+                  - s3:DeleteObject
+                  - s3:GetObject
+                  - s3:PutObject
+                  - s3:ListBucket
+                  - s3:GetLifecycleConfiguration
+                  - s3:PutLifecycleConfiguration
+                Resource:
+                  - !Sub "arn:aws:s3:::artilleryio-test-data-*"
+                  - !Sub "arn:aws:s3:::artilleryio-test-data-*/*"
+
+Outputs:
+  RoleArn:
+    Description: ARN of the IAM Role for Artillery.io Lambda functions
+    Value: !GetAtt ArtilleryGitHubOIDCForLambdaRole.Arn
+  OIDCProviderArn:
+    Condition: CreateOIDCProvider
+    Description: "ARN of the newly created OIDC provider"
+    Value: !Ref GitHubOIDCProvider

package/lib/platform/aws-ecs/ecs.js

@@ -0,0 +1,247 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+const debug = require('debug')('platform:aws-ecs');
+
+const ensureS3BucketExists = require('../aws/aws-ensure-s3-bucket-exists');
+
+const {
+  IAMClient,
+  GetRoleCommand,
+  CreateRoleCommand,
+  CreatePolicyCommand,
+  AttachRolePolicyCommand
+} = require('@aws-sdk/client-iam');
+
+const { ensureParameterExists } = require('./legacy/aws-util');
+
+const { S3_BUCKET_NAME_PREFIX } = require('../aws/constants');
+
+const getAccountId = require('../aws/aws-get-account-id');
+
+const sleep = require('../../util/sleep');
+const { getBucketRegion } = require('../aws/aws-get-bucket-region');
+const awsGetDefaultRegion = require('../aws/aws-get-default-region');
+
+class PlatformECS {
+  constructor(_script, _payload, opts, platformOpts) {
+    this.opts = opts;
+    this.platformOpts = platformOpts;
+
+    this.arnPrefx = this.platformOpts.region.startsWith('cn-')
+      ? 'arn:aws-cn'
+      : 'arn:aws';
+
+    this.testRunId = platformOpts.testRunId;
+    if (!this.testRunId) {
+      throw new Error('testRunId is required');
+    }
+
+    this.s3LifecycleConfigurationRules = [
+      {
+        Expiration: { Days: 2 },
+        Filter: { Prefix: 'tests/' },
+        ID: 'RemoveAdHocTestData',
+        Status: 'Enabled'
+      },
+      {
+        Expiration: { Days: 7 },
+        Filter: { Prefix: 'test-runs/' },
+        ID: 'RemoveTestRunMetadata',
+        Status: 'Enabled'
+      }
+    ];
+  }
+
+  async init() {
+    global.artillery.awsRegion =
+      (await awsGetDefaultRegion()) || this.platformOpts.region;
+
+    this.accountId = await getAccountId();
+
+    await ensureSSMParametersExist(this.platformOpts.region);
+    const bucketName = await ensureS3BucketExists(
+      this.platformOpts.region,
+      this.s3LifecycleConfigurationRules,
+      false
+    );
+
+    global.artillery.s3BucketRegion = await getBucketRegion(bucketName);
+    await this.createIAMResources(
+      this.accountId,
+      this.platformOpts.taskRoleName
+    );
+  }
+
+  async createIAMResources(accountId, taskRoleName) {
+    const workerRoleArn = await this.createWorkerRole(accountId, taskRoleName);
+
+    return {
+      workerRoleArn
+    };
+  }
+
+  async createWorkerRole(accountId, taskRoleName) {
+    const iam = new IAMClient({ region: global.artillery.awsRegion });
+
+    try {
+      const res = await iam.send(
+        new GetRoleCommand({ RoleName: taskRoleName })
+      );
+      return res.Role.Arn;
+    } catch (err) {
+      debug(err);
+    }
+
+    const createRoleResp = await iam.send(
+      new CreateRoleCommand({
+        AssumeRolePolicyDocument: JSON.stringify({
+          Version: '2012-10-17',
+          Statement: [
+            {
+              Effect: 'Allow',
+              Principal: {
+                Service: ['ecs-tasks.amazonaws.com', 'ecs.amazonaws.com']
+              },
+              Action: 'sts:AssumeRole'
+            }
+          ]
+        }),
+        Path: '/',
+        RoleName: taskRoleName
+      })
+    );
+
+    const policyDocument = {
+      Version: '2012-10-17',
+      Statement: [
+        {
+          Effect: 'Allow',
+          Action: ['ssm:DescribeParameters'],
+          Resource: ['*']
+        },
+        {
+          Effect: 'Allow',
+          Action: [
+            'ssm:GetParameters',
+            'ssm:GetParameter',
+            'ssm:PutParameter',
+            'ssm:DeleteParameter',
+            'ssm:DescribeParameters',
+            'ssm:GetParametersByPath'
+          ],
+          Resource: [
+            `${this.arnPrefx}:ssm:*:${accountId}:parameter/artilleryio/*`
+          ]
+        },
+        {
+          Effect: 'Allow',
+          Action: ['ecr:GetAuthorizationToken'],
+          Resource: ['*']
+        },
+        {
+          Effect: 'Allow',
+          Action: ['logs:*'],
+          Resource: [
+            `${this.arnPrefx}:logs:*:${accountId}:log-group:artilleryio-log-group*:*`
+          ]
+        },
+        {
+          Effect: 'Allow',
+          Action: ['sqs:*'],
+          Resource: [`${this.arnPrefx}:sqs:*:${accountId}:artilleryio*`]
+        },
+        {
+          Effect: 'Allow',
+          Action: ['s3:*'],
+          Resource: [
+            `${this.arnPrefx}:s3:::${S3_BUCKET_NAME_PREFIX}-${accountId}`,
+            `${this.arnPrefx}:s3:::${S3_BUCKET_NAME_PREFIX}-${accountId}/*`
+          ]
+        },
+        {
+          Effect: 'Allow',
+          Action: ['xray:PutTraceSegments', 'xray:PutTelemetryRecords'],
+          Resource: ['*']
+        }
+      ]
+    };
+
+    const createPolicyResp = await iam.send(
+      new CreatePolicyCommand({
+        PolicyName: 'artilleryio-ecs-worker-policy',
+        Path: '/',
+        PolicyDocument: JSON.stringify(policyDocument)
+      })
+    );
+
+    await iam.send(
+      new AttachRolePolicyCommand({
+        PolicyArn: createPolicyResp.Policy.Arn,
+        RoleName: taskRoleName
+      })
+    );
+
+    debug('Waiting for IAM role to be ready');
+    await sleep(30 * 1000);
+    return createRoleResp.Role.Arn;
+  }
+
+  async createWorker() {}
+
+  async prepareWorker() {}
+
+  async runWorker() {}
+
+  async stopWorker() {}
+
+  async shutdown() {}
+}
+
+async function ensureSSMParametersExist(region) {
+  await ensureParameterExists(
+    '/artilleryio/NPM_TOKEN',
+    'null',
+    'SecureString',
+    region
+  );
+  await ensureParameterExists(
+    '/artilleryio/NPM_REGISTRY',
+    'null',
+    'String',
+    region
+  );
+  await ensureParameterExists(
+    '/artilleryio/NPM_SCOPE',
+    'null',
+    'String',
+    region
+  );
+  await ensureParameterExists(
+    '/artilleryio/ARTIFACTORY_AUTH',
+    'null',
+    'SecureString',
+    region
+  );
+  await ensureParameterExists(
+    '/artilleryio/ARTIFACTORY_EMAIL',
+    'null',
+    'String',
+    region
+  );
+  await ensureParameterExists(
+    '/artilleryio/NPMRC',
+    'null',
+    'SecureString',
+    region
+  );
+  await ensureParameterExists(
+    '/artilleryio/NPM_SCOPE_REGISTRY',
+    'null',
+    'String',
+    region
+  );
+}
+
+module.exports = PlatformECS;