Build OVA - Wazuh virtual machines branch 4.10.0 - Launched by @c-bordon #109
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| run-name: Build OVA - Wazuh virtual machines branch ${{ inputs.WAZUH_VIRTUAL_MACHINES_REFERENCE }} - Launched by @${{ github.actor }} | |
| name: Build OVA | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| WAZUH_VIRTUAL_MACHINES_REFERENCE: | |
| description: 'Branch or tag of the wazuh-virtual-machines repository' | |
| required: true | |
| default: '4.10.0' | |
| WAZUH_INSTALLATION_ASSISTANT_REFERENCE: | |
| description: 'Branch or tag of the wazuh-installation-assistant repository' | |
| required: true | |
| default: '4.10.0' | |
| WAZUH_AUTOMATION_REFERENCE: | |
| description: 'Branch or tag of the wazuh-automation repository' | |
| required: true | |
| default: '4.10.0' | |
| WAZUH_PACKAGE_REPOSITORY: | |
| type: choice | |
| description: 'Wazuh package repository from which to download the packages' | |
| required: true | |
| options: | |
| - prod | |
| - dev | |
| - staging | |
| S3_REPOSITORY: | |
| type: choice | |
| description: 'packages-dev repository to upload the OVA' | |
| required: true | |
| options: | |
| - pre-release | |
| - staging | |
| DEBUG: | |
| type: choice | |
| description: 'Debug mode' | |
| required: false | |
| options: | |
| - -v | |
| - -vv | |
| - -vvv | |
| env: | |
| COMPOSITE_NAME: "linux-amazon-2-amd64" | |
| TEMPORAL_S3_BUCKET: "warehouse.wazuh.com" | |
| S3_BUCKET: "packages-dev.wazuh.com" | |
| OVA_ENVIRONMENT: "vmware" | |
| CONTAINER_FORMAT: "ova" | |
| TEMPORAL_S3_PATH: "trash/vm" | |
| permissions: | |
| id-token: write # This is required for requesting the JWT | |
| contents: read # This is required for actions/checkout | |
| jobs: | |
| build_and_run: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Install Ansible | |
| run: sudo apt-get update && sudo apt install -y python3 jq && python3 -m pip install --user ansible-core==2.16 | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setting FILENAME var | |
| run: | | |
| WAZUH_VERSION=$(cat VERSION) | |
| echo "WAZUH_VERSION=$WAZUH_VERSION" >> $GITHUB_ENV | |
| FILENAME="wazuh-${WAZUH_VERSION}" | |
| echo "FILENAME=$FILENAME" >> $GITHUB_ENV | |
| FILENAME_OVA="${FILENAME}.ova" | |
| echo "FILENAME_OVA=$FILENAME_OVA" >> $GITHUB_ENV | |
| FILENAME_SHA="${FILENAME}.sha512" | |
| echo "FILENAME_SHA=$FILENAME_SHA" >> $GITHUB_ENV | |
| - name: View parameters | |
| run: echo "${{ toJson(inputs) }}" | |
| - name: configure aws credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ secrets.AWS_IAM_OVA_ROLE }} | |
| role-session-name: "OVA-Builder" | |
| aws-region: "us-east-1" | |
| role-duration-seconds: 10800 # Set the duration of the role session to 3 hours | |
| - name: Checkout wazuh/wazuh-automation repository | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: wazuh/wazuh-automation | |
| ref: ${{ inputs.WAZUH_AUTOMATION_REFERENCE }} | |
| token: ${{ secrets.GH_CLONE_TOKEN }} | |
| path: wazuh-automation | |
| - name: Install and set allocator requirements | |
| run: | | |
| pip3 install -r wazuh-automation/deployability/deps/requirements.txt | |
| - name: Execute allocator module and set ssh variables to create OVA VM | |
| id: alloc_vm_ova | |
| run: | | |
| python3 wazuh-automation/deployability/modules/allocation/main.py --action create --provider aws --size large --composite-name ${{ env.COMPOSITE_NAME }} --working-dir /tmp/allocatorvm_ova \ | |
| --track-output /tmp/allocatorvm_ova/track.yml --inventory-output /tmp/allocatorvm_ova/inventory.yml --instance-name gha_${{ github.run_id }}_ova_build \ | |
| --label-team devops --label-termination-date 1d | |
| sed 's/: */=/g' /tmp/allocatorvm_ova/inventory.yml > /tmp/allocatorvm_ova/inventory_mod.yml | |
| sed -i 's/-o StrictHostKeyChecking=no/\"-o StrictHostKeyChecking=no\"/g' /tmp/allocatorvm_ova/inventory_mod.yml | |
| source /tmp/allocatorvm_ova/inventory_mod.yml | |
| echo "[gha_instance]" > /tmp/allocatorvm_ova/inventory | |
| echo "$ansible_host ansible_port=$ansible_port ansible_user=$ansible_user ansible_ssh_private_key_file=$ansible_ssh_private_key_file ansible_ssh_common_args='$ansible_ssh_common_args'" >> /tmp/allocatorvm_ova/inventory | |
| echo "ansible_ssh_private_key_file=$ansible_ssh_private_key_file" >> $GITHUB_ENV; | |
| - name: Run Ansible playbook to configure wazuh-user user | |
| run: | | |
| ansible-playbook -i /tmp/allocatorvm_ova/inventory .github/workflows/ansible_playbooks/ova_user_configuration.yaml ${{ inputs.DEBUG }} | |
| - name: Update inventory with wazuh-user | |
| run: | | |
| sed -i 's|ec2-user|wazuh-user|g' /tmp/allocatorvm_ova/inventory | |
| sed -i 's|ansible_ssh_private_key_file=${{ env.ansible_ssh_private_key_file }}||g' /tmp/allocatorvm_ova/inventory | |
| sed -i '${s/$/ ansible_password=wazuh/}' /tmp/allocatorvm_ova/inventory | |
| - name: Run Ansible playbook to generate the OVA | |
| run: | | |
| if [ "${{ inputs.WAZUH_PACKAGE_REPOSITORY }}" == "prod" ]; then | |
| builder_args="-i" | |
| elif [ "${{ inputs.WAZUH_PACKAGE_REPOSITORY }}" == "staging" ]; then | |
| builder_args="-i -d staging" | |
| elif [ "${{ inputs.WAZUH_PACKAGE_REPOSITORY }}" == "dev" ]; then | |
| builder_args="-i -d" | |
| fi | |
| ansible-playbook -i /tmp/allocatorvm_ova/inventory .github/workflows/ansible_playbooks/ova_generator.yaml \ | |
| --extra-vars " \ | |
| wia_branch=${{ inputs.WAZUH_INSTALLATION_ASSISTANT_REFERENCE }} \ | |
| ova_branch=${{ inputs.WAZUH_VIRTUAL_MACHINES_REFERENCE }} \ | |
| repository=${{ inputs.WAZUH_PACKAGE_REPOSITORY }} \ | |
| builder_args='$builder_args' \ | |
| debug=yes" ${{ inputs.DEBUG }} | |
| - name: Export Instance to create OVA | |
| run: | | |
| ID=$(grep -oP '^identifier: \K.*' /tmp/allocatorvm_ova/track.yml) | |
| EXPORT=$(aws ec2 create-instance-export-task --instance-id "${ID}" --target-environment vmware \ | |
| --export-to-s3-task "ContainerFormat=${{ env.CONTAINER_FORMAT }},DiskImageFormat=VMDK,S3Bucket=${{ env.TEMPORAL_S3_BUCKET }},S3Prefix=${{ env.TEMPORAL_S3_PATH }}/${{ env.FILENAME }}") | |
| EXPORT_ID=$(echo ${EXPORT} | jq -r '.ExportTask.ExportTaskId') | |
| echo "EXPORT_ID=${EXPORT_ID}" >> $GITHUB_ENV | |
| - name: Wait for export OVA | |
| run: | | |
| MAX_RETRIES=40 | |
| NUM_RETRIES=0 | |
| while true; do | |
| STATUS=$(aws ec2 describe-export-tasks --export-task-ids ${{ env.EXPORT_ID }} | jq -r '.ExportTasks[0].State') | |
| if [ "${STATUS}" == "completed" ]; then | |
| break | |
| fi | |
| sleep 270 | |
| NUM_RETRIES=$((NUM_RETRIES+1)) | |
| if [ ${NUM_RETRIES} -eq ${MAX_RETRIES} ]; then | |
| echo "Error exporting OVA" | |
| exit 1 | |
| fi | |
| done | |
| - name: Getting OVA from temporal bucket | |
| run: | | |
| aws s3 --quiet cp "s3://${{ env.TEMPORAL_S3_BUCKET }}/${{ env.TEMPORAL_S3_PATH }}/${{ env.FILENAME }}${{ env.EXPORT_ID }}.ova" /tmp/${{ env.FILENAME_OVA }} | |
| - name: Standarizing OVA | |
| run: | | |
| sed -i "s|ovf:capacity=\"40\"|ovf:capacity=\"50\"|g" ova/wazuh_ovf_template | |
| bash ova/setOVADefault.sh "ova/" "/tmp/${{ env.FILENAME_OVA }}" "/tmp/${{ env.FILENAME_OVA }}" "ova/wazuh_ovf_template" "${{ env.WAZUH_VERSION }}" | |
| - name: Exporting OVA to final repository | |
| run: | | |
| aws s3 cp --quiet --acl public-read /tmp/${{ env.FILENAME_OVA }} s3://${{ env.S3_BUCKET }}/${{ inputs.S3_REPOSITORY }}/vm/${{ env.FILENAME_OVA }} | |
| - name: Generating sha512 file | |
| run: | | |
| sha512sum /tmp/${{ env.FILENAME_OVA }} > /tmp/${{ env.FILENAME_SHA }} | |
| aws s3 cp --quiet --acl public-read /tmp/${{ env.FILENAME_SHA }} s3://${{ env.S3_BUCKET }}/${{ inputs.S3_REPOSITORY }}/checksums/wazuh/${{ env.WAZUH_VERSION }}/${{ env.FILENAME_SHA }} | |
| - name: Removing temporal files | |
| run: | | |
| aws s3 rm --quiet s3://${{ env.TEMPORAL_S3_BUCKET }}/${{ env.TEMPORAL_S3_PATH }}/${{ env.FILENAME }}${{ env.EXPORT_ID }}.ova | |
| - name: Delete allocated VM | |
| if: always() && steps.alloc_vm_ova.outcome == 'success' | |
| run: | | |
| python3 wazuh-automation/deployability/modules/allocation/main.py --action delete --track-output /tmp/allocatorvm_ova/track.yml |