Skip to content

Build OVA - Wazuh virtual machines branch 4.10.0 - Launched by @c-bordon #122

Build OVA - Wazuh virtual machines branch 4.10.0 - Launched by @c-bordon

Build OVA - Wazuh virtual machines branch 4.10.0 - Launched by @c-bordon #122

Workflow file for this run

run-name: Build OVA - Wazuh virtual machines branch ${{ inputs.WAZUH_VIRTUAL_MACHINES_REFERENCE }} - Launched by @${{ github.actor }}
name: Build OVA
on:
workflow_dispatch:
inputs:
WAZUH_VIRTUAL_MACHINES_REFERENCE:
description: 'Branch or tag of the wazuh-virtual-machines repository'
required: true
default: '4.10.0'
WAZUH_INSTALLATION_ASSISTANT_REFERENCE:
description: 'Branch or tag of the wazuh-installation-assistant repository'
required: true
default: '4.10.0'
WAZUH_PACKAGE_REPOSITORY:
type: choice
description: 'Wazuh package repository from which to download the packages'
required: true
options:
- prod
- dev
- staging
S3_REPOSITORY:
type: choice
description: 'packages-dev repository to upload the OVA'
required: true
options:
- pre-release
- staging
DEBUG:
type: choice
description: 'Debug mode'
required: false
options:
- -v
- -vv
- -vvv
env:
OVA_AMI: "ami-0d4bd55523ee67aa4"
INSTANCE_TYPE: "t2.xlarge"
SECURITY_GROUP: "sg-005cff996b335d497"
SUBNET: "subnet-0b6aea31fb32cffad"
TEMPORAL_S3_BUCKET: "warehouse.wazuh.com"
S3_BUCKET: "packages-dev.wazuh.com"
OVA_ENVIRONMENT: "vmware"
CONTAINER_FORMAT: "ova"
TEMPORAL_S3_PATH: "trash/vm"
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
jobs:
build_and_run:
runs-on: ubuntu-latest
steps:
- name: Install Ansible
run: sudo apt-get update && sudo apt install -y python3 jq sshpass && python3 -m pip install --user ansible-core==2.16
- name: Checkout code
uses: actions/checkout@v4
- name: Setting FILENAME var
run: |
WAZUH_VERSION=$(cat VERSION)
echo "WAZUH_VERSION=$WAZUH_VERSION" >> $GITHUB_ENV
FILENAME="wazuh-${WAZUH_VERSION}"
echo "FILENAME=$FILENAME" >> $GITHUB_ENV
FILENAME_OVA="${FILENAME}.ova"
echo "FILENAME_OVA=$FILENAME_OVA" >> $GITHUB_ENV
FILENAME_SHA="${FILENAME}.sha512"
echo "FILENAME_SHA=$FILENAME_SHA" >> $GITHUB_ENV
- name: View parameters
run: echo "${{ toJson(inputs) }}"
- name: configure aws credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_IAM_OVA_ROLE }}
role-session-name: "OVA-Builder"
aws-region: "us-east-1"
role-duration-seconds: 10800 # Set the duration of the role session to 3 hours
- name: Install and config OpenVPN
run: |
sudo apt update
sudo apt install -y openvpn openvpn-systemd-resolved
echo "${{ secrets.CI_VPN_GITHUB }}" > vpn.ovpn
sudo openvpn --config "vpn.ovpn" --daemon
- name: Wait for a VPN connection
id: vpn_connected
timeout-minutes: 10
run: |
while ! ping -c2 10.10.0.252; do
sudo kill -9 `pidof openvpn`;
sudo openvpn --config "vpn.ovpn" --daemon;
sleep 30;
done
- name: Create OVA VM
id: alloc_vm_ova
run: |
instance=$(aws ec2 run-instances --image-id "${{ env.OVA_AMI }}" --count 1 --instance-type "${{ env.INSTANCE_TYPE }}" --key-name Ephemeral \
--security-group-ids "${{ env.SECURITY_GROUP }}" --subnet-id "${{ env.SUBNET }}" --no-associate-public-ip-address \
--tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=gha_${{ github.run_id }}_ova_build},{Key=team,Value=devops}]')
INSTANCE_ID=$(echo $instance | jq -r '.Instances[0].InstanceId')
echo "INSTANCE_ID=${INSTANCE_ID}" >> $GITHUB_ENV
- name: Wait for instance to be running
run: |
MAX_RETRIES=40
NUM_RETRIES=0
while true; do
STATUS=$(aws ec2 describe-instances --instance-ids "${{ env.INSTANCE_ID }}" | jq -r '.Reservations[0].Instances[0].State.Name')
if [ "${STATUS}" == "running" ]; then
break
fi
sleep 30
NUM_RETRIES=$((NUM_RETRIES+1))
if [ ${NUM_RETRIES} -eq ${MAX_RETRIES} ]; then
echo "Error creating OVA VM"
aws ec2 terminate-instances --instance-ids "${{ env.INSTANCE_ID }}"
exit 1
fi
done
ansible_host=$(aws ec2 describe-instances --instance-ids "${{ env.INSTANCE_ID }}" | jq -r '.Reservations[0].Instances[0].PrivateIpAddress')
mkdir -p /tmp/allocatorvm_ova
echo "[gha_instance]" > /tmp/allocatorvm_ova/inventory
echo "$ansible_host ansible_user=wazuh-user ansible_password=wazuh ansible_ssh_common_args='-o StrictHostKeyChecking=no'" >> /tmp/allocatorvm_ova/inventory
- name: Wait for SSH to be available
run: |
ansible_host=$(cat /tmp/allocatorvm_ova/inventory | grep -oP '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}')
MAX_RETRIES=40
NUM_RETRIES=0
while true; do
if sshpass -p wazuh ssh -o 'StrictHostKeyChecking no' -o 'ConnectTimeout=10' wazuh-user@$ansible_host "exit"; then
break
fi
sleep 30
NUM_RETRIES=$((NUM_RETRIES+1))
if [ ${NUM_RETRIES} -eq ${MAX_RETRIES} ]; then
echo "Error connecting to OVA VM"
aws ec2 terminate-instances --instance-ids "${{ env.INSTANCE_ID }}"
exit 1
fi
done
- name: Run Ansible playbook to generate the OVA
run: |
if [ "${{ inputs.WAZUH_PACKAGE_REPOSITORY }}" == "prod" ]; then
builder_args="-i"
elif [ "${{ inputs.WAZUH_PACKAGE_REPOSITORY }}" == "staging" ]; then
builder_args="-i -d staging"
elif [ "${{ inputs.WAZUH_PACKAGE_REPOSITORY }}" == "dev" ]; then
builder_args="-i -d"
fi
ansible-playbook -i /tmp/allocatorvm_ova/inventory .github/workflows/ansible_playbooks/ova_generator.yaml \
--extra-vars " \
wia_branch=${{ inputs.WAZUH_INSTALLATION_ASSISTANT_REFERENCE }} \
ova_branch=${{ inputs.WAZUH_VIRTUAL_MACHINES_REFERENCE }} \
repository=${{ inputs.WAZUH_PACKAGE_REPOSITORY }} \
builder_args='$builder_args' \
debug=yes" ${{ inputs.DEBUG }}
- name: Export Instance to create OVA
run: |
ID=$(grep -oP '^identifier: \K.*' /tmp/allocatorvm_ova/track.yml)
EXPORT=$(aws ec2 create-instance-export-task --instance-id "${ID}" --target-environment vmware \
--export-to-s3-task "ContainerFormat=${{ env.CONTAINER_FORMAT }},DiskImageFormat=VMDK,S3Bucket=${{ env.TEMPORAL_S3_BUCKET }},S3Prefix=${{ env.TEMPORAL_S3_PATH }}/${{ env.FILENAME }}")
EXPORT_ID=$(echo ${EXPORT} | jq -r '.ExportTask.ExportTaskId')
echo "EXPORT_ID=${EXPORT_ID}" >> $GITHUB_ENV
- name: Wait for export OVA
run: |
MAX_RETRIES=40
NUM_RETRIES=0
while true; do
STATUS=$(aws ec2 describe-export-tasks --export-task-ids "${{ env.EXPORT_ID }}" | jq -r '.ExportTasks[0].State')
if [ "${STATUS}" == "completed" ]; then
break
fi
sleep 270
NUM_RETRIES=$((NUM_RETRIES+1))
if [ ${NUM_RETRIES} -eq ${MAX_RETRIES} ]; then
echo "Error exporting OVA"
exit 1
fi
done
- name: Getting OVA from temporal bucket
run: |
aws s3 --quiet cp "s3://${{ env.TEMPORAL_S3_BUCKET }}/${{ env.TEMPORAL_S3_PATH }}/${{ env.FILENAME }}${{ env.EXPORT_ID }}.ova" /tmp/${{ env.FILENAME_OVA }}
- name: Standarizing OVA
run: |
sed -i "s|ovf:capacity=\"40\"|ovf:capacity=\"50\"|g" ova/wazuh_ovf_template
bash ova/setOVADefault.sh "ova/" "/tmp/${{ env.FILENAME_OVA }}" "/tmp/${{ env.FILENAME_OVA }}" "ova/wazuh_ovf_template" "${{ env.WAZUH_VERSION }}"
- name: Exporting OVA to final repository
run: |
aws s3 cp --quiet --acl public-read /tmp/${{ env.FILENAME_OVA }} s3://${{ env.S3_BUCKET }}/${{ inputs.S3_REPOSITORY }}/vm/${{ env.FILENAME_OVA }}
- name: Generating sha512 file
run: |
sha512sum /tmp/${{ env.FILENAME_OVA }} > /tmp/${{ env.FILENAME_SHA }}
aws s3 cp --quiet --acl public-read /tmp/${{ env.FILENAME_SHA }} s3://${{ env.S3_BUCKET }}/${{ inputs.S3_REPOSITORY }}/checksums/wazuh/${{ env.WAZUH_VERSION }}/${{ env.FILENAME_SHA }}
- name: Removing temporal files
run: |
aws s3 rm --quiet s3://${{ env.TEMPORAL_S3_BUCKET }}/${{ env.TEMPORAL_S3_PATH }}/${{ env.FILENAME }}${{ env.EXPORT_ID }}.ova
- name: Delete allocated VM
if: always() && steps.alloc_vm_ova.outcome == 'success'
run: |
aws ec2 terminate-instances --instance-ids "${{ env.INSTANCE_ID }}"