Merge pull request #9 from lucasrod16/configure-ci

add a workflow to smoke test deployment
lucasrod16 · Jan 23, 2025 · 096d91e · 096d91e
2 parents c5d7d9a + b013be9
commit 096d91e
Show file tree

Hide file tree

Showing 5 changed files with 136 additions and 1 deletion.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -4,3 +4,9 @@ updates:
     directory: "docker"
     schedule:
       interval: "daily"
+  - package-ecosystem: "terraform"
+    directories:
+      - "/"
+      - "github-oidc-infra"
+    schedule:
+      interval: "daily"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,29 @@
+on:
+  workflow_dispatch:
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  smoke-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: AWS OIDC Auth
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          aws-region: us-east-2
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE_ARN }}
+
+      - name: Create SSH keypair
+        run: ssh-keygen -t rsa -b 2048 -q -N ""
+
+      - name: Deploy LLM
+        run: ./deploy.sh
+
+      - name: Teardown
+        if: always()
+        run: terraform destroy --auto-approve
diff --git a/github-oidc-infra/.terraform.lock.hcl b/github-oidc-infra/.terraform.lock.hcl
diff --git a/github-oidc-infra/main.tf b/github-oidc-infra/main.tf
@@ -0,0 +1,55 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+  }
+  backend "s3" {
+    bucket         = "lucasrod16-tfstate"
+    key            = "github-oidc/tfstate"
+    region         = "us-east-2"
+    dynamodb_table = "lucasrod16-tfstate"
+  }
+}
+
+provider "aws" {
+  region = "us-east-2"
+}
+
+locals {
+  name = "github-oidc"
+  tags = {
+    Category = local.name
+  }
+}
+
+################################################################################
+# GitHub OIDC Provider
+# Note: This is one per AWS account
+################################################################################
+
+module "iam_github_oidc_provider" {
+  source = "github.com/terraform-aws-modules/terraform-aws-iam/modules/iam-github-oidc-provider?ref=e803e25ce20a6ebd5579e0896f657fa739f6f03e" # v5.52.2
+  tags   = local.tags
+}
+
+################################################################################
+# GitHub OIDC Role
+################################################################################
+
+module "iam_github_oidc_role" {
+  source = "github.com/terraform-aws-modules/terraform-aws-iam/modules/iam-github-oidc-role?ref=e803e25ce20a6ebd5579e0896f657fa739f6f03e" # v5.52.2
+  name   = local.name
+  subjects = [
+    "repo:lucasrod16/self-hosted-llm:*",
+  ]
+  policies = {
+    EC2        = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
+    S3ReadOnly = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
+  }
+  tags = local.tags
+}
+
+output "role_arn" {
+  value = module.iam_github_oidc_role.arn
+}
diff --git a/main.tf b/main.tf
@@ -111,7 +111,7 @@ resource "aws_volume_attachment" "llm_volume_attachment" {
   # https://docs.aws.amazon.com/ebs/latest/userguide/nvme-ebs-volumes.html
   # Amazon EBS volumes are exposed as NVMe block devices on Amazon EC2 instances built on the AWS Nitro System.
   # 
-  # tldr; device_name is renamed using NVMe device names (/dev/nvme[0-26]n1)
+  # tl;dr device_name is renamed using NVMe device names (/dev/nvme[0-26]n1)
   # because G6e instance types are built on the Nitro v2 system.
   # 
   # https://docs.aws.amazon.com/ec2/latest/instancetypes/ec2-nitro-instances.html