mirror of
https://github.com/game-ci/unity-builder.git
synced 2026-02-03 23:49:08 +08:00
a61c02481f
* Update cloud-runner-aws-pipeline.yml * Update cloud-runner-k8s-pipeline.yml * yarn build * yarn build * correct branch ref * correct branch ref passed to target repo * Create k8s-tests.yml * Delete k8s-tests.yml * correct branch ref passed to target repo * correct branch ref passed to target repo * Always describe AWS tasks for now, because unstable error handling * Remove unused tree commands * Use lfs guid sum * Simple override cache push * Simple override cache push and pull override to allow pure cloud storage driven caching * Removal of early branch (breaks lfs caching) * Remove unused tree commands * Update action.yml * Update action.yml * Support cache and input override commands as input + full support custom hooks * Increase k8s timeout * replace filename being appended for unknclear reason * cache key should not contain whitespaces * Always try and deploy rook for k8s * Apply k8s files for rook * Update action.yml * Apply k8s files for rook * Apply k8s files for rook * cache test and action description for kuber storage class * Correct test and implement dependency health check and start * GCP-secret run, cache key * lfs smudge set explicit and undo explicit * Run using external secret provider to speed up input * Update cloud-runner-aws-pipeline.yml * Add nodejs as build step dependency * Add nodejs as build step dependency * Cloud Runner Tests must be specified to capture logs from cloud runner for tests * Cloud Runner Tests must be specified to capture logs from cloud runner for tests * Refactor and cleanup - no async input, combined setup/build, removed github logs for cli runs * Refactor and cleanup - no async input, combined setup/build, removed github logs for cli runs * Refactor and cleanup - no async input, combined setup/build, removed github logs for cli runs * Refactor and cleanup - no async input, combined setup/build, removed github logs for cli runs * Refactor and cleanup - no async input, combined setup/build, removed github logs for cli runs * better defaults for new inputs * better defaults * merge latest * force build update * use npm n to update node in unity builder * use npm n to update node in unity builder * use npm n to update node in unity builder * correct new line * quiet zipping * quiet zipping * default secrets for unity username and password * default secrets for unity username and password * ls active directory before lfs install * Get cloud runner secrets from * Get cloud runner secrets from * Cleanup setup of default secrets * Various fixes * Cleanup setup of default secrets * Various fixes * Various fixes * Various fixes * Various fixes * Various fixes * Various fixes * Various fixes * Various fixes * Various fixes * Various fixes * Various fixes * Various fixes * Various fixes * Various fixes * AWS secrets manager support * less caching logs * default k8s storage class to pd-standard * more readable build commands * Capture aws exit code 1 reliably * Always replace /head from branch * k8s default storage class to standard-rwo * cleanup * further cleanup input * further cleanup input * further cleanup input * further cleanup input * further cleanup input * folder sizes to inspect caching * dir command for local cloud runner test * k8s wait for pending because pvc will not create earlier * prefer k8s standard storage * handle empty string as cloud runner cluster input * local-system is now used for cloud runner test implementation AND correctly unset test CLI input * local-system is now used for cloud runner test implementation AND correctly unset test CLI input * fix unterminated quote * fix unterminated quote * do not share build parameters in tests - in cloud runner this will cause conflicts with resouces of the same name * remove head and heads from branch prefix * fix reversed caching direction of cache-push * fixes * fixes * fixes * cachePull cli * fixes * fixes * fixes * fixes * fixes * order cache test to be first * order cache test to be first * fixes * populate cache key instead of using branch * cleanup cli * garbage-collect-aws cli can iterate over aws resources and cli scans all ts files * import cli methods * import cli files explicitly * import cli files explicitly * import cli files explicitly * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * import cli methods * log parameters in cloud runner parameter test * log parameters in cloud runner parameter test * log parameters in cloud runner parameter test * Cloud runner param test before caching because we have a fast local cache test now * Using custom build path relative to repo root rather than project root * aws-garbage-collect at end of pipeline * aws-garbage-collect do not actually delete anything for now - just list * remove some legacy du commands * Update cloud-runner-aws-pipeline.yml * log contents after cache pull and fix some scenarios with duplicate secrets * log contents after cache pull and fix some scenarios with duplicate secrets * log contents after cache pull and fix some scenarios with duplicate secrets * PR comments * Replace guid with uuid package * use fileExists lambda instead of stat to check file exists in caching * build failed results in core error message * Delete sample.txt
392 lines
12 KiB
YAML
392 lines
12 KiB
YAML
AWSTemplateFormatVersion: '2010-09-09'
|
|
Description: AWS Fargate cluster that can span public and private subnets. Supports
|
|
public facing load balancers, private internal load balancers, and
|
|
both internal and external service discovery namespaces.
|
|
Parameters:
|
|
EnvironmentName:
|
|
Type: String
|
|
Default: development
|
|
Description: 'Your deployment environment: DEV, QA , PROD'
|
|
Version:
|
|
Type: String
|
|
Description: 'hash of template'
|
|
|
|
# ContainerPort:
|
|
# Type: Number
|
|
# Default: 80
|
|
# Description: What port number the application inside the docker container is binding to
|
|
|
|
Mappings:
|
|
# Hard values for the subnet masks. These masks define
|
|
# the range of internal IP addresses that can be assigned.
|
|
# The VPC can have all IP's from 10.0.0.0 to 10.0.255.255
|
|
# There are four subnets which cover the ranges:
|
|
#
|
|
# 10.0.0.0 - 10.0.0.255
|
|
# 10.0.1.0 - 10.0.1.255
|
|
# 10.0.2.0 - 10.0.2.255
|
|
# 10.0.3.0 - 10.0.3.255
|
|
|
|
SubnetConfig:
|
|
VPC:
|
|
CIDR: '10.0.0.0/16'
|
|
PublicOne:
|
|
CIDR: '10.0.0.0/24'
|
|
PublicTwo:
|
|
CIDR: '10.0.1.0/24'
|
|
|
|
Resources:
|
|
# VPC in which containers will be networked.
|
|
# It has two public subnets, and two private subnets.
|
|
# We distribute the subnets across the first two available subnets
|
|
# for the region, for high availability.
|
|
VPC:
|
|
Type: AWS::EC2::VPC
|
|
Properties:
|
|
EnableDnsSupport: true
|
|
EnableDnsHostnames: true
|
|
CidrBlock: !FindInMap ['SubnetConfig', 'VPC', 'CIDR']
|
|
|
|
EFSServerSecurityGroup:
|
|
Type: AWS::EC2::SecurityGroup
|
|
Properties:
|
|
GroupName: 'efs-server-endpoints'
|
|
GroupDescription: Which client ip addrs are allowed to access EFS server
|
|
VpcId: !Ref 'VPC'
|
|
SecurityGroupIngress:
|
|
- IpProtocol: tcp
|
|
FromPort: 2049
|
|
ToPort: 2049
|
|
SourceSecurityGroupId: !Ref ContainerSecurityGroup
|
|
#CidrIp: !FindInMap ['SubnetConfig', 'VPC', 'CIDR']
|
|
# A security group for the containers we will run in Fargate.
|
|
# Rules are added to this security group based on what ingress you
|
|
# add for the cluster.
|
|
ContainerSecurityGroup:
|
|
Type: AWS::EC2::SecurityGroup
|
|
Properties:
|
|
GroupName: 'task security group'
|
|
GroupDescription: Access to the Fargate containers
|
|
VpcId: !Ref 'VPC'
|
|
# SecurityGroupIngress:
|
|
# - IpProtocol: tcp
|
|
# FromPort: !Ref ContainerPort
|
|
# ToPort: !Ref ContainerPort
|
|
# CidrIp: 0.0.0.0/0
|
|
SecurityGroupEgress:
|
|
- IpProtocol: -1
|
|
FromPort: 2049
|
|
ToPort: 2049
|
|
CidrIp: '0.0.0.0/0'
|
|
|
|
# Two public subnets, where containers can have public IP addresses
|
|
PublicSubnetOne:
|
|
Type: AWS::EC2::Subnet
|
|
Properties:
|
|
AvailabilityZone: !Select
|
|
- 0
|
|
- Fn::GetAZs: !Ref 'AWS::Region'
|
|
VpcId: !Ref 'VPC'
|
|
CidrBlock: !FindInMap ['SubnetConfig', 'PublicOne', 'CIDR']
|
|
# MapPublicIpOnLaunch: true
|
|
|
|
PublicSubnetTwo:
|
|
Type: AWS::EC2::Subnet
|
|
Properties:
|
|
AvailabilityZone: !Select
|
|
- 1
|
|
- Fn::GetAZs: !Ref 'AWS::Region'
|
|
VpcId: !Ref 'VPC'
|
|
CidrBlock: !FindInMap ['SubnetConfig', 'PublicTwo', 'CIDR']
|
|
# MapPublicIpOnLaunch: true
|
|
|
|
# Setup networking resources for the public subnets. Containers
|
|
# in the public subnets have public IP addresses and the routing table
|
|
# sends network traffic via the internet gateway.
|
|
InternetGateway:
|
|
Type: AWS::EC2::InternetGateway
|
|
GatewayAttachement:
|
|
Type: AWS::EC2::VPCGatewayAttachment
|
|
Properties:
|
|
VpcId: !Ref 'VPC'
|
|
InternetGatewayId: !Ref 'InternetGateway'
|
|
|
|
# Attaching a Internet Gateway to route table makes it public.
|
|
PublicRouteTable:
|
|
Type: AWS::EC2::RouteTable
|
|
Properties:
|
|
VpcId: !Ref 'VPC'
|
|
PublicRoute:
|
|
Type: AWS::EC2::Route
|
|
DependsOn: GatewayAttachement
|
|
Properties:
|
|
RouteTableId: !Ref 'PublicRouteTable'
|
|
DestinationCidrBlock: '0.0.0.0/0'
|
|
GatewayId: !Ref 'InternetGateway'
|
|
|
|
# Attaching a public route table makes a subnet public.
|
|
PublicSubnetOneRouteTableAssociation:
|
|
Type: AWS::EC2::SubnetRouteTableAssociation
|
|
Properties:
|
|
SubnetId: !Ref PublicSubnetOne
|
|
RouteTableId: !Ref PublicRouteTable
|
|
PublicSubnetTwoRouteTableAssociation:
|
|
Type: AWS::EC2::SubnetRouteTableAssociation
|
|
Properties:
|
|
SubnetId: !Ref PublicSubnetTwo
|
|
RouteTableId: !Ref PublicRouteTable
|
|
|
|
# ECS Resources
|
|
ECSCluster:
|
|
Type: AWS::ECS::Cluster
|
|
|
|
# A role used to allow AWS Autoscaling to inspect stats and adjust scaleable targets
|
|
# on your AWS account
|
|
AutoscalingRole:
|
|
Type: AWS::IAM::Role
|
|
Properties:
|
|
AssumeRolePolicyDocument:
|
|
Statement:
|
|
- Effect: Allow
|
|
Principal:
|
|
Service: [application-autoscaling.amazonaws.com]
|
|
Action: ['sts:AssumeRole']
|
|
Path: /
|
|
Policies:
|
|
- PolicyName: service-autoscaling
|
|
PolicyDocument:
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- 'application-autoscaling:*'
|
|
- 'cloudwatch:DescribeAlarms'
|
|
- 'cloudwatch:PutMetricAlarm'
|
|
- 'ecs:DescribeServices'
|
|
- 'ecs:UpdateService'
|
|
Resource: '*'
|
|
|
|
# This is an IAM role which authorizes ECS to manage resources on your
|
|
# account on your behalf, such as updating your load balancer with the
|
|
# details of where your containers are, so that traffic can reach your
|
|
# containers.
|
|
ECSRole:
|
|
Type: AWS::IAM::Role
|
|
Properties:
|
|
AssumeRolePolicyDocument:
|
|
Statement:
|
|
- Effect: Allow
|
|
Principal:
|
|
Service: [ecs.amazonaws.com]
|
|
Action: ['sts:AssumeRole']
|
|
Path: /
|
|
Policies:
|
|
- PolicyName: ecs-service
|
|
PolicyDocument:
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
# Rules which allow ECS to attach network interfaces to instances
|
|
# on your behalf in order for awsvpc networking mode to work right
|
|
- 'ec2:AttachNetworkInterface'
|
|
- 'ec2:CreateNetworkInterface'
|
|
- 'ec2:CreateNetworkInterfacePermission'
|
|
- 'ec2:DeleteNetworkInterface'
|
|
- 'ec2:DeleteNetworkInterfacePermission'
|
|
- 'ec2:Describe*'
|
|
- 'ec2:DetachNetworkInterface'
|
|
|
|
# Rules which allow ECS to update load balancers on your behalf
|
|
# with the information sabout how to send traffic to your containers
|
|
- 'elasticloadbalancing:DeregisterInstancesFromLoadBalancer'
|
|
- 'elasticloadbalancing:DeregisterTargets'
|
|
- 'elasticloadbalancing:Describe*'
|
|
- 'elasticloadbalancing:RegisterInstancesWithLoadBalancer'
|
|
- 'elasticloadbalancing:RegisterTargets'
|
|
Resource: '*'
|
|
|
|
# This is a role which is used by the ECS tasks themselves.
|
|
ECSTaskExecutionRole:
|
|
Type: AWS::IAM::Role
|
|
Properties:
|
|
AssumeRolePolicyDocument:
|
|
Statement:
|
|
- Effect: Allow
|
|
Principal:
|
|
Service: [ecs-tasks.amazonaws.com]
|
|
Action: ['sts:AssumeRole']
|
|
Path: /
|
|
Policies:
|
|
- PolicyName: AmazonECSTaskExecutionRolePolicy
|
|
PolicyDocument:
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
# Allow the use of secret manager
|
|
- 'secretsmanager:GetSecretValue'
|
|
- 'kms:Decrypt'
|
|
|
|
# Allow the ECS Tasks to download images from ECR
|
|
- 'ecr:GetAuthorizationToken'
|
|
- 'ecr:BatchCheckLayerAvailability'
|
|
- 'ecr:GetDownloadUrlForLayer'
|
|
- 'ecr:BatchGetImage'
|
|
|
|
# Allow the ECS tasks to upload logs to CloudWatch
|
|
- 'logs:CreateLogStream'
|
|
- 'logs:PutLogEvents'
|
|
Resource: '*'
|
|
|
|
DeleteCFNLambdaExecutionRole:
|
|
Type: 'AWS::IAM::Role'
|
|
Properties:
|
|
AssumeRolePolicyDocument:
|
|
Version: '2012-10-17'
|
|
Statement:
|
|
- Effect: 'Allow'
|
|
Principal:
|
|
Service: ['lambda.amazonaws.com']
|
|
Action: 'sts:AssumeRole'
|
|
Path: '/'
|
|
Policies:
|
|
- PolicyName: DeleteCFNLambdaExecutionRole
|
|
PolicyDocument:
|
|
Version: '2012-10-17'
|
|
Statement:
|
|
- Effect: 'Allow'
|
|
Action:
|
|
- 'logs:CreateLogGroup'
|
|
- 'logs:CreateLogStream'
|
|
- 'logs:PutLogEvents'
|
|
Resource: 'arn:aws:logs:*:*:*'
|
|
- Effect: 'Allow'
|
|
Action:
|
|
- 'cloudformation:DeleteStack'
|
|
- 'kinesis:DeleteStream'
|
|
- 'secretsmanager:DeleteSecret'
|
|
- 'kinesis:DescribeStreamSummary'
|
|
- 'logs:DeleteLogGroup'
|
|
- 'logs:DeleteSubscriptionFilter'
|
|
- 'ecs:DeregisterTaskDefinition'
|
|
- 'lambda:DeleteFunction'
|
|
- 'lambda:InvokeFunction'
|
|
- 'events:RemoveTargets'
|
|
- 'events:DeleteRule'
|
|
- 'lambda:RemovePermission'
|
|
Resource: '*'
|
|
|
|
### cloud watch to kinesis role
|
|
CloudWatchIAMRole:
|
|
Type: AWS::IAM::Role
|
|
Properties:
|
|
AssumeRolePolicyDocument:
|
|
Statement:
|
|
- Effect: Allow
|
|
Principal:
|
|
Service: [logs.amazonaws.com]
|
|
Action: ['sts:AssumeRole']
|
|
Path: /
|
|
Policies:
|
|
- PolicyName: service-autoscaling
|
|
PolicyDocument:
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- 'kinesis:PutRecord'
|
|
Resource: '*'
|
|
|
|
#####################EFS#####################
|
|
EfsFileStorage:
|
|
Type: 'AWS::EFS::FileSystem'
|
|
Properties:
|
|
BackupPolicy:
|
|
Status: ENABLED
|
|
PerformanceMode: maxIO
|
|
Encrypted: false
|
|
|
|
FileSystemPolicy:
|
|
Version: '2012-10-17'
|
|
Statement:
|
|
- Effect: 'Allow'
|
|
Action:
|
|
- 'elasticfilesystem:ClientMount'
|
|
- 'elasticfilesystem:ClientWrite'
|
|
- 'elasticfilesystem:ClientRootAccess'
|
|
Principal:
|
|
AWS: '*'
|
|
|
|
MountTargetResource1:
|
|
Type: AWS::EFS::MountTarget
|
|
Properties:
|
|
FileSystemId: !Ref EfsFileStorage
|
|
SubnetId: !Ref PublicSubnetOne
|
|
SecurityGroups:
|
|
- !Ref EFSServerSecurityGroup
|
|
|
|
MountTargetResource2:
|
|
Type: AWS::EFS::MountTarget
|
|
Properties:
|
|
FileSystemId: !Ref EfsFileStorage
|
|
SubnetId: !Ref PublicSubnetTwo
|
|
SecurityGroups:
|
|
- !Ref EFSServerSecurityGroup
|
|
|
|
Outputs:
|
|
EfsFileStorageId:
|
|
Description: 'The connection endpoint for the database.'
|
|
Value: !Ref EfsFileStorage
|
|
Export:
|
|
Name: !Sub ${EnvironmentName}:EfsFileStorageId
|
|
ClusterName:
|
|
Description: The name of the ECS cluster
|
|
Value: !Ref 'ECSCluster'
|
|
Export:
|
|
Name: !Sub ${EnvironmentName}:ClusterName
|
|
AutoscalingRole:
|
|
Description: The ARN of the role used for autoscaling
|
|
Value: !GetAtt 'AutoscalingRole.Arn'
|
|
Export:
|
|
Name: !Sub ${EnvironmentName}:AutoscalingRole
|
|
ECSRole:
|
|
Description: The ARN of the ECS role
|
|
Value: !GetAtt 'ECSRole.Arn'
|
|
Export:
|
|
Name: !Sub ${EnvironmentName}:ECSRole
|
|
ECSTaskExecutionRole:
|
|
Description: The ARN of the ECS role tsk execution role
|
|
Value: !GetAtt 'ECSTaskExecutionRole.Arn'
|
|
Export:
|
|
Name: !Sub ${EnvironmentName}:ECSTaskExecutionRole
|
|
|
|
DeleteCFNLambdaExecutionRole:
|
|
Description: Lambda execution role for cleaning up cloud formations
|
|
Value: !GetAtt 'DeleteCFNLambdaExecutionRole.Arn'
|
|
Export:
|
|
Name: !Sub ${EnvironmentName}:DeleteCFNLambdaExecutionRole
|
|
|
|
CloudWatchIAMRole:
|
|
Description: The ARN of the CloudWatch role for subscription filter
|
|
Value: !GetAtt 'CloudWatchIAMRole.Arn'
|
|
Export:
|
|
Name: !Sub ${EnvironmentName}:CloudWatchIAMRole
|
|
VpcId:
|
|
Description: The ID of the VPC that this stack is deployed in
|
|
Value: !Ref 'VPC'
|
|
Export:
|
|
Name: !Sub ${EnvironmentName}:VpcId
|
|
PublicSubnetOne:
|
|
Description: Public subnet one
|
|
Value: !Ref 'PublicSubnetOne'
|
|
Export:
|
|
Name: !Sub ${EnvironmentName}:PublicSubnetOne
|
|
PublicSubnetTwo:
|
|
Description: Public subnet two
|
|
Value: !Ref 'PublicSubnetTwo'
|
|
Export:
|
|
Name: !Sub ${EnvironmentName}:PublicSubnetTwo
|
|
|
|
ContainerSecurityGroup:
|
|
Description: A security group used to allow Fargate containers to receive traffic
|
|
Value: !Ref 'ContainerSecurityGroup'
|
|
Export:
|
|
Name: !Sub ${EnvironmentName}:ContainerSecurityGroup
|