Abstract some ec2 CI logic and add support for c7g

tests/ci/cdk/app.py

@@ -6,11 +6,11 @@
 from aws_cdk import Environment, App
 
 # from cdk.bm_framework_stack import BmFrameworkStack
-from cdk.aws_lc_mac_arm_ci_stack import AwsLcMacArmCIStack
 from cdk.aws_lc_analytics_stack import  AwsLcGitHubAnalyticsStack
+from cdk.aws_lc_android_ci_stack import AwsLcAndroidCIStack
 from cdk.aws_lc_github_ci_stack import AwsLcGitHubCIStack
 from cdk.aws_lc_github_fuzz_ci_stack import  AwsLcGitHubFuzzCIStack
-from cdk.aws_lc_android_ci_stack import AwsLcAndroidCIStack
+from cdk.aws_lc_ec2_test_framework_ci_stack import AwsLcEC2TestingCIStack
 from cdk.linux_docker_image_batch_build_stack import LinuxDockerImageBatchBuildStack
 from cdk.windows_docker_image_build_stack import WindowsDockerImageBuildStack
 from cdk.ecr_stack import EcrStack
@@ -50,8 +50,8 @@
 AwsLcGitHubAnalyticsStack(app, "aws-lc-ci-analytics", analytics_build_spec_file, env=env)
 # bm_framework_build_spec_file = "cdk/codebuild/bm_framework_omnibus.yaml"
 # BmFrameworkStack(app, "aws-lc-ci-bm-framework", bm_framework_build_spec_file, env=env)
-mac_arm_build_spec_file = "cdk/codebuild/github_ci_macos_m1_omnibus.yaml"
-AwsLcMacArmCIStack(app, "aws-lc-ci-macos-arm", mac_arm_build_spec_file, env=env)
+ec2_test_framework_build_spec_file = "cdk/codebuild/ec2_test_framework_omnibus.yaml"
+AwsLcEC2TestingCIStack(app, "aws-lc-ci-ec2-test-framework", ec2_test_framework_build_spec_file, env=env)
 android_build_spec_file = "cdk/codebuild/github_ci_android_omnibus.yaml"
 AwsLcAndroidCIStack(app, "aws-lc-ci-devicefarm-android", android_build_spec_file, env=env)
 

tests/ci/cdk/cdk/aws_lc_mac_arm_ci_stack.py → tests/ci/cdk/cdk/aws_lc_ec2_test_framework_ci_stack.py

@@ -9,13 +9,14 @@
 from constructs import Construct
 
 from cdk.components import PruneStaleGitHubBuilds
-from util.metadata import AWS_ACCOUNT, AWS_REGION, GITHUB_PUSH_CI_BRANCH_TARGETS, GITHUB_REPO_OWNER, GITHUB_REPO_NAME
-from util.iam_policies import code_build_batch_policy_in_json, ec2_policies_in_json, ssm_policies_in_json, s3_read_write_policy_in_json
+from util.metadata import AWS_ACCOUNT, AWS_REGION, GITHUB_PUSH_CI_BRANCH_TARGETS, GITHUB_REPO_OWNER, GITHUB_REPO_NAME, LINUX_AARCH_ECR_REPO, \
+    LINUX_X86_ECR_REPO
+from util.iam_policies import code_build_batch_policy_in_json, ec2_policies_in_json, ssm_policies_in_json, s3_read_write_policy_in_json, ecr_power_user_policy_in_json
 from util.build_spec_loader import BuildSpecLoader
 
 # detailed documentation can be found here: https://docs.aws.amazon.com/cdk/api/latest/docs/aws-ec2-readme.html
 
-class AwsLcMacArmCIStack(Stack):
+class AwsLcEC2TestingCIStack(Stack):
     """Define a stack used to create a CodeBuild instance on which to execute the AWS-LC m1 ci ec2 instance"""
 
     def __init__(self,
@@ -25,9 +26,6 @@ def __init__(self,
                  **kwargs) -> None:
         super().__init__(scope, id, **kwargs)
 
-        # Define some variables that will be commonly used
-        CLOUDWATCH_LOGS = "{}-cw-logs".format(id)
-
         # Define CodeBuild resource.
         git_hub_source = codebuild.Source.git_hub(
             owner=GITHUB_REPO_OWNER,
@@ -76,7 +74,8 @@ def __init__(self,
 
         # S3 bucket for testing internal fixes.
         s3_read_write_policy = iam.PolicyDocument.from_json(s3_read_write_policy_in_json("aws-lc-codebuild"))
-        ec2_inline_policies = {"s3_read_write_policy": s3_read_write_policy}
+        ecr_power_user_policy = iam.PolicyDocument.from_json(ecr_power_user_policy_in_json([LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO]))
+        ec2_inline_policies = {"s3_read_write_policy": s3_read_write_policy, "ecr_power_user_policy": ecr_power_user_policy}
         ec2_role = iam.Role(scope=self, id="{}-ec2-role".format(id),
                             role_name="{}-ec2-role".format(id),
                             assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"),
@@ -97,18 +96,18 @@ def __init__(self,
         security_group = ec2.SecurityGroup(self, id="{}-ec2-sg".format(id),
                           allow_all_outbound=True,
                           vpc=vpc,
-                          security_group_name='macos_arm_ec2_sg')
+                          security_group_name='codebuild_ec2_sg')
 
+        # MacOS EC2 tag names must be specific for use in general tests/ci/run_m1_ec2_instance.sh script.
         # Dedicated Hosts are required for Mac ec2 instances.
         cfn_host = ec2.CfnHost(self, id="{}-dedicated-host".format(id),
                                 availability_zone="us-west-2a",
                                 auto_placement="off",
                                 instance_type="mac2.metal")
         Tags.of(cfn_host).add("Name", "{}-dedicated-host".format(id))
-
         # AMI is for M1 MacOS Monterey.
         ami_id="ami-084c6ab9d03ad4d46"
-        cfn_instance = ec2.CfnInstance(self, "{}-ec2-instance".format(id),
+        macos_arm_instance = ec2.CfnInstance(self, "aws-lc-ci-macos-arm-ec2-instance",
                         availability_zone="us-west-2a",
                         tenancy="host",
                         host_id=cfn_host.attr_host_id,
@@ -120,4 +119,9 @@ def __init__(self,
                         tags=[CfnTag(key="Name",value="aws-lc-ci-macos-arm-ec2-instance")])
 
         # Define logs for SSM.
-        logs.LogGroup(self, "{}-cw-logs".format(id), log_group_name=CLOUDWATCH_LOGS)
+        log_group_name = "{}-cw-logs".format(id)
+        log_group = logs.CfnLogGroup(self, log_group_name,
+            log_group_name=log_group_name,
+            retention_in_days=365,
+        )
+

tests/ci/cdk/cdk/codebuild/ec2_test_framework_omnibus.yaml

@@ -0,0 +1,31 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+version: 0.2
+
+# Doc for batch https://docs.aws.amazon.com/codebuild/latest/userguide/batch-build-buildspec.html#build-spec.batch.build-list
+batch:
+  build-list:
+    # Actual tests are ran on an m1 ec2 instance via SSM Commands.
+    # MacOS is special since the ec2 instance can't be spun up and closed on the fly.
+    # TODO: Migrate this to Github Actions when https://github.com/actions/runner-images/issues/2187 is resolved.
+    - identifier: macos_arm_tests
+      buildspec: ./tests/ci/codebuild/macos-aarch/run_m1_tests.yml
+      env:
+        type: LINUX_CONTAINER
+        privileged-mode: true
+        compute-type: BUILD_GENERAL1_LARGE
+        image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-20.04_clang-7x-bm-framework_latest
+
+    # Actual tests are ran on an Graviton3 ec2 instance via SSM Commands.
+    - identifier: graviton3_tests
+      buildspec: ./tests/ci/codebuild/common/run_ec2_target.yml
+      env:
+        type: LINUX_CONTAINER
+        privileged-mode: true
+        compute-type: BUILD_GENERAL1_LARGE
+        image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-20.04_clang-7x-bm-framework_latest
+        variables:
+          EC2_AMI: "ami-0c79a55dda52434da"
+          EC2_INSTANCE_TYPE: "c7g.2xlarge"
+          ECR_DOCKER_TAG: "amazonlinux-2023_clang-15x_sanitizer"

tests/ci/cdk/cdk/ssm/general_test_run_ssm_document.yaml

@@ -0,0 +1,40 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+---
+schemaVersion: '2.2'
+description: aws-lc:bmFrameworkEc2Benchmark
+mainSteps:
+  - action: aws:runShellScript
+    name: runShellScript
+    inputs:
+      timeoutSeconds: '7200'
+      runCommand:
+        - sudo -i
+        - export DEBIAN_FRONTEND=noninteractive
+        - export CPU_TYPE=$(dpkg --print-architecture)
+        # if we have a cpu type of x86, we want linux-x86
+        - if [ "${CPU_TYPE}" = amd64 ]; then export CPU_ARCH=linux-x86; export AWS_CLI_PREFIX=x86_; sudo sh -c "echo 1 > /sys/devices/system/cpu/intel_pstate/no_turbo"; fi
+        # if we have a cpu type of arm, we want linux-aarch
+        - if [ "${CPU_TYPE}" = arm64 ]; then export CPU_ARCH=linux-aarch; export AWS_CLI_PREFIX=aarch; fi
+        # install aws-cli
+        - apt-get -y install unzip
+        - curl "https://awscli.amazonaws.com/awscli-exe-linux-${AWS_CLI_PREFIX}64.zip" -o "awscliv2.zip"
+        - unzip awscliv2.zip
+        - ./aws/install
+        - git clone {GITHUB_REPO} aws-lc-pr
+        - cd aws-lc-pr
+        - git checkout {COMMIT_ID}
+        # install docker if its not already installed
+        - chmod +x ./tests/ci/benchmark_framework/install_docker.sh
+        - ./tests/ci/benchmark_framework/install_docker.sh
+        # log into docker and get needed docker image from ecr
+        - export ECR_REPO="{AWS_ACCOUNT_ID}.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-${CPU_ARCH}"
+        - aws ecr get-login-password --region us-west-2 | docker login -u AWS --password-stdin "${ECR_REPO}"
+        - docker pull "${ECR_REPO}:{ECR_DOCKER_TAG}"
+        - # start the container and run the bm script
+        - exec_docker="docker run --env AWS_ACCOUNT_ID={AWS_ACCOUNT_ID} --env PR_NUM={PR_NUM} --env COMMIT_ID={COMMIT_ID} --env CPU_TYPE=${CPU_TYPE} -v `pwd`:`pwd` -w `pwd` ${ECR_REPO}:{ECR_DOCKER_TAG}_latest"
+        - chmod +x ./tests/ci/run_posix_sanitizers.sh
+        - $exec_docker ./tests/ci/run_posix_sanitizers.sh
+        - chmod +x ./tests/ci/run_fips_tests.sh
+        - $exec_docker ./tests/ci/run_fips_tests.sh

tests/ci/cdk/cdk/ssm/m1_tests_ssm_document.yaml

@@ -10,12 +10,12 @@ mainSteps:
     inputs:
       timeoutSeconds: '7200'
       runCommand:
+        - export HOME="/var/root"
+        - export SOURCE={SOURCE}
         - eval $(/opt/homebrew/bin/brew shellenv)
         - sudo su
         - BUILD_ROOT=$(mktemp -d)
         - cd ${BUILD_ROOT}
-        - export HOME="/var/root"
-        - export SOURCE={SOURCE}
         - trap "rm -rf ${BUILD_ROOT}" EXIT
         # Check if the source code is on S3, otherwise treat the source as a PR.
         - >

tests/ci/codebuild/common/run_ec2_target.yml

@@ -0,0 +1,13 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+version: 0.2
+
+env:
+  variables:
+    GOPROXY: https://proxy.golang.org,direct
+
+phases:
+  build:
+    commands:
+      - ./tests/ci/run_ec2_test_framework.sh "${EC2_AMI}" "${EC2_INSTANCE_TYPE}" "${ECR_DOCKER_TAG}"

tests/ci/run_ec2_test_framework.sh

@@ -0,0 +1,134 @@
+#!/usr/bin/env bash
+set -exo pipefail
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+# Please run from project root folder!
+# You'll want to set the codebuild env variables set if running locally
+source tests/ci/common_ssm_setup.sh
+
+AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+
+# Cleanup AWS resources.
+cleanup() {
+  set +e
+  aws ec2 terminate-instances --instance-ids "${instance_id}"
+  aws ssm delete-document --name "${ssm_doc_name}"
+}
+
+generate_ssm_document_file() {
+  # use sed to replace placeholder values inside preexisting document
+  sed -e "s,{AWS_ACCOUNT_ID},${AWS_ACCOUNT_ID},g" \
+    -e "s,{PR_NUM},${CODEBUILD_WEBHOOK_TRIGGER},g" \
+    -e "s,{COMMIT_ID},${CODEBUILD_SOURCE_VERSION},g" \
+    -e "s,{GITHUB_REPO},${CODEBUILD_SOURCE_REPO_URL},g" \
+    -e "s,{ECR_DOCKER_TAG},${ecr_docker_tag},g" \
+    tests/ci/cdk/cdk/ssm/general_test_run_ssm_document.yaml \
+    > "tests/ci/cdk/cdk/ssm/${ec2_ami_id}_ssm_document.yaml"
+}
+
+#$1 for ami, $2 for instance-type, echos the instance id so we can capture the output
+create_ec2_instances() {
+  local instance_id
+  instance_id="$(aws ec2 run-instances --image-id "$1" --count 1 \
+    --instance-type "$2" --security-group-ids "${sg_id}" --subnet-id "${subnet_id}" \
+    --block-device-mappings 'DeviceName="/dev/sda1",Ebs={DeleteOnTermination=True,VolumeSize=200}' \
+    --tag-specifications 'ResourceType="instance",Tags=[{Key="aws-lc",Value="aws-lc-ci-ec2-test-framework-ec2-x86-instance"}]' \
+    --iam-instance-profile Name=aws-lc-ci-ec2-test-framework-ec2-profile \
+    --placement 'AvailabilityZone=us-west-2a' \
+    --query Instances[*].InstanceId --output text)"
+  echo "${instance_id}"
+}
+
+trap cleanup EXIT
+
+# print some information for reference
+echo GitHub PR Number: "${CODEBUILD_WEBHOOK_TRIGGER}"
+echo GitHub Commit Version: "${CODEBUILD_SOURCE_VERSION}"
+echo AWS Account ID: "${AWS_ACCOUNT_ID}"
+echo GitHub Repo Link: "${CODEBUILD_SOURCE_REPO_URL}"
+export ec2_ami_id="$1"
+export ec2_instance_type="$2"
+export ecr_docker_tag="$3"
+export s3_bucket_name="aws-lc-codebuild"
+
+# Get resources for ec2 instances. These were created with the cdk script.
+vpc_id="$(aws ec2 describe-vpcs --filter Name=tag:Name,Values=aws-lc-ci-ec2-test-framework/aws-lc-ci-ec2-test-framework-ec2-vpc --query Vpcs[*].VpcId --output text)"
+sg_id="$(aws ec2 describe-security-groups --filter Name=vpc-id,Values="${vpc_id}" --filter Name=group-name,Values=codebuild_ec2_sg --query SecurityGroups[*].GroupId --output text)"
+subnet_id="$(aws ec2 describe-subnets --filter Name=vpc-id,Values="${vpc_id}" --filter Name=state,Values=available --filter Name=tag:Name,Values=aws-lc-ci-ec2-test-framework/aws-lc-ci-ec2-test-framework-ec2-vpc/PrivateSubnet1 --query Subnets[*].SubnetId --output text)"
+
+# create the ssm documents that will be used for the various ssm commands
+generate_ssm_document_file
+
+# create ec2 instances
+instance_id=$(create_ec2_instances "${ec2_ami_id}" "${ec2_instance_type}")
+if [[ -z "${instance_id}" ]];  then
+  exit 1
+fi
+
+# Give a few minutes for the ec2 instance to be ready
+sleep 60
+for i in {1..30}; do
+  status=$(aws ssm describe-instance-information --filter Key="InstanceIds",Values="${instance_id}" \
+    --query InstanceInformationList[*].PingStatus --output text)
+  if [ "${status}" == Online ]; then
+    break
+  fi
+  echo "Wait for instances to be able to run the SSM commands"
+
+  # if we've hit the 30 minute mark and still aren't ready, then something has gone wrong
+  if [ "${i}" = 30 ]; then exit 1; fi
+  sleep 60
+done
+
+
+# Create, and run ssm command.
+ssm_doc_name=$(create_ssm_document "${ec2_ami_id}")
+
+cloudwatch_group_name="aws-lc-ci-ec2-test-framework-cw-logs"
+ec2_test_ssm_command_id=$(run_ssm_command "${ssm_doc_name}" "${instance_id}" ${cloudwatch_group_name})
+
+run_url="https://${AWS_REGION}.console.aws.amazon.com/cloudwatch/home?region=${AWS_REGION}\
+#logsV2:log-groups/log-group/${cloudwatch_group_name}/log-events/\
+${ec2_test_ssm_command_id}\$252F${instance_id}\$252FrunShellScript\$252Fstdout"
+
+echo "Actual Run in EC2 can be observered at CloudWatch URL: ${run_url}"
+
+# Give some time for the commands to run
+done=false
+success=false
+for i in {1..45}; do
+  echo "${i}: Continue to wait 2 min for SSM commands to finish."
+  sleep 120
+
+  ssm_command_status="$(aws ssm list-commands --command-id "${ec2_test_ssm_command_id}" --query Commands[*].Status --output text)"
+  ssm_target_count="$(aws ssm list-commands --command-id "${ec2_test_ssm_command_id}" --query Commands[*].TargetCount --output text)"
+  ssm_completed_count="$(aws ssm list-commands --command-id "${ec2_test_ssm_command_id}" --query Commands[*].CompletedCount --output text)"
+  if [[ ${ssm_command_status} == 'Success' && ${ssm_completed_count} == "${ssm_target_count}" ]]; then
+    echo "SSM command ${ec2_test_ssm_command_id} finished successfully."
+    success=true
+    done=true
+  elif [[ ${ssm_command_status} == 'Failed' && ${ssm_completed_count} == "${ssm_target_count}" ]]; then
+    echo "SSM command ${ec2_test_ssm_command_id} failed."
+    done=true
+  else
+    # Still running.
+    done=false
+  fi
+
+  # if after the loop finish and done is still true, then we're done
+  if [ "${done}" = true ]; then
+    echo "EC2 SSM command has finished."
+
+    # if success is still true here, then none of the commands failed
+    if [ "${success}" == true ]; then
+      echo "EC2 SSM command succeeded!"
+      exit 0
+    else
+      echo "EC2 SSM command failed!"
+      exit 1
+    fi
+    break
+  fi
+done
+exit 1

tests/ci/run_m1_ec2_instance.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 set -exo pipefail
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0 OR ISC
@@ -25,7 +25,7 @@ echo GitHub Branch Name: "${CODEBUILD_WEBHOOK_HEAD_REF}"
 AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
 echo AWS Account ID: "${AWS_ACCOUNT_ID}"
 echo GitHub Repo Link: "${CODEBUILD_SOURCE_REPO_URL}"
-export cloudwatch_group_name="aws-lc-ci-macos-arm-cw-logs"
+export cloudwatch_group_name="aws-lc-ci-ec2-test-framework-cw-logs"
 export s3_bucket_name="aws-lc-codebuild"
 
 # get information for ec2 instances