Aarch64 CI support

ci-infra/ami-build/Makefile

@@ -0,0 +1,7 @@
+all:
+
+docker:
+	packer build github-runner-docker.json
+
+ami-arm64:
+	aws-vault exec osquery-dev -- packer build github-runner-ami-arm64.json

ci-infra/ami-build/README.md

@@ -0,0 +1,5 @@
+# AMI Build #
+
+This is a series of [Packer](https://www.packer.io/) scripts to build AMIs
+which will then launch inside of the ASG. In order to build these AMIs you
+will need access to the Envoy AWS Account.

ci-infra/ami-build/TODO.md

@@ -0,0 +1,12 @@
+Move /srv/runner/tmpscripts (which needs root) to /tmp. It's only part
+of the provisioning.
+
+Figure out the security group thing
+
+Figure out more consistency about `sudo`
+
+Consider an instance disk AMI, not a EBS one?
+
+Upgrade to 20.04?
+
+AMI builds seem really flakey. This just fails 75% of the time. Issues with preseed, or network connectivity. And generally WTF

ci-infra/ami-build/agent-setup.sh

@@ -0,0 +1,75 @@
+#!/bin/bash
+
+set -ex
+
+cat <<EOF > /tmp/preseed.cfg
+debconf debconf/frontend select Noninteractive
+tzdata tzdata/Areas select Etc
+tzdata tzdata/Zones/Etc select UTC
+EOF
+
+sudo debconf-set-selections /tmp/preseed.cfg
+
+ARCH=$(dpkg --print-architecture)
+
+export DEBIAN_FRONTEND=noninteractive
+sudo apt-get update
+sudo apt-get install -y tzdata
+sudo apt-get -y upgrade
+
+echo "Installing required packages for apt repos"
+sudo apt-get install -y apt-transport-https ca-certificates gnupg-agent software-properties-common curl
+
+curl -L https://download.docker.com/linux/ubuntu/gpg \
+    | sudo apt-key add -
+sudo apt-key adv --list-public-keys --with-fingerprint --with-colons 0EBFCD88 2>/dev/null \
+    | grep 'fpr' | head -n1 | grep '9DC858229FC7DD38854AE2D88D81803C0EBFCD88'
+sudo add-apt-repository -y "deb [arch=${ARCH}] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
+#sudo apt-add-repository -y ppa:git-core/ppa
+
+sudo apt-get update
+
+echo "Installing docker"
+sudo apt-get install -y docker-ce docker-ce-cli git awscli jq inotify-tools
+
+sudo mkdir -p /etc/docker
+echo '{
+  "ipv6": true,
+  "fixed-cidr-v6": "2001:db8:1::/64"
+}' | sudo tee /etc/docker/daemon.json
+echo "::1 localhost" | sudo tee -a /etc/hosts
+
+sudo systemctl enable docker
+##FIXME##sudo systemctl start docker
+
+sudo useradd -ms /bin/bash -G docker github-runner
+sudo mkdir -p /srv/runner
+sudo chown -R github-runner:github-runner /srv/runner/
+
+##
+## Setup GitHub Runner Agent
+##
+
+# Normalize ARCH variable for x64
+[[ "${ARCH}" == "amd64" ]] && ARCH=x64
+
+AGENT_VERSION=2.277.1
+AGENT_FILE=actions-runner-linux-${ARCH}-${AGENT_VERSION}.tar.gz
+
+curl -L https://github.com/actions/runner/releases/download/v${AGENT_VERSION}/${AGENT_FILE} \
+     | sudo -u github-runner tar xz -C /srv/runner
+
+sudo /srv/runner/bin/installdependencies.sh
+
+
+# Setup github ssh key. Not totally sure we need it, but...
+sudo -u github-runner mkdir /home/github-runner/.ssh
+ssh-keyscan github.com \
+    | sudo -u github-runner tee /home/github-runner/.ssh/known_hosts
+
+
+
+sudo chown root:root /tmp/transfer/scripts/*.sh
+sudo chmod 0755 /tmp/transfer/scripts/*.sh
+sudo mv /tmp/transfer/scripts/*.sh /usr/local/bin
+rm -rf /tmp/transfer

ci-infra/ami-build/github-runner-ami-arm64.json

@@ -0,0 +1,51 @@
+{
+  "provisioners": [
+    {
+      "inline": [
+        "mkdir -p /tmp/transfer"
+      ],
+      "type": "shell"
+    },
+    {
+      "destination": "/tmp/transfer",
+      "source": "scripts",
+      "type": "file"
+    },
+    {
+      "type": "shell",
+      "script": "agent-setup.sh"
+    }
+  ],
+  "builders": [
+    {
+      "encrypt_boot": true,
+      "security_group_ids": [],
+      "tags": {
+      },
+      "run_tags": {
+        "Project": "Packer"
+      },
+      "run_volume_tags": {
+        "Project": "Packer"
+      },
+      "ami_name": "github-runner-ami-arm64-{{timestamp}}",
+      "ssh_username": "ubuntu",
+      "instance_type": "r6g.large",
+      "source_ami_filter": {
+        "most_recent": true,
+        "owners": [
+          "099720109477"
+        ],
+        "filters": {
+          "root-device-type": "ebs",
+          "name": "ubuntu/images/*ubuntu-focal-20.04-arm64-server-*",
+          "virtualization-type": "hvm"
+        }
+      },
+      "region": "us-east-1",
+      "type": "amazon-ebs"
+    }
+  ],
+  "variables": {
+  }
+}

ci-infra/ami-build/github-runner-docker.json

@@ -0,0 +1,40 @@
+{
+  "variables": {
+  },
+  "builders": [
+    {
+      "export_path": "image.tar",
+      "image": "ubuntu:20.04",
+      "type": "docker"
+    }
+  ],
+  "provisioners": [
+    {
+      "type": "shell",
+      "inline": [
+        "mkdir -p /srv/runner/tmpscripts"
+      ]
+    },
+    {
+      "type": "file",
+      "source": "scripts",
+      "destination": "/srv/runner/tmpscripts"
+    },
+    {
+      "type": "shell",
+      "inline": [
+        "ln -snf /usr/share/zoneinfo/$TZ /etc/localtime",
+        "echo $TZ > /etc/timezone",
+        "apt-get update",
+        "apt-get install -y sudo systemd"
+      ],
+      "environment_vars": [
+        "TZ=Etc/UTC"
+      ]
+    },
+    {
+      "script": "agent-setup.sh",
+      "type": "shell"
+    }
+  ]
+}

ci-infra/ami-build/scripts/aws-metadata-refresh.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+mkdir -p /run/aws-metadata/
+
+role_name=$(wget -q -O - http://169.254.169.254/latest/meta-data/iam/security-credentials)
+wget -q -O - "http://169.254.169.254/latest/meta-data/iam/security-credentials/$role_name" > /run/aws-metadata/creds.json
+wget -q -O - http://169.254.169.254/latest/dynamic/instance-identity/document > /run/aws-metadata/iid.json
+
+chmod 0400 /run/aws-metadata/creds.json
+chmod 0400 /run/aws-metadata/iid.json
+chmod 0400 /run/aws-metadata/asg-name
+chown azure-pipelines:azure-pipelines /run/aws-metadata/creds.json
+chown azure-pipelines:azure-pipelines /run/aws-metadata/iid.json
+chown azure-pipelines:azure-pipelines /run/aws-metadata/asg-name

ci-infra/ami-build/scripts/detach-self.sh

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+set -eu -o pipefail
+
+# Check Pre-Reqs, and that we're running on an AWS Instance Seemingly.
+if ! hash aws >/dev/null 2>&1 ; then
+  echo "Need the AWS Cli in order to set AWS Protection."
+  exit 1
+fi
+if ! hash jq >/dev/null 2>&1 ; then
+  echo "Need JQ in order to query credentials."
+  exit 2
+fi
+if [[ ! -f "/sys/devices/virtual/dmi/id/board_asset_tag" ]]; then
+  echo "Doesn't seem to be an AWS Instance: [/sys/devices/virtual/dmi/id/board_asset_tag] does not exist".
+  exit 3
+fi
+instance_id=$(< /sys/devices/virtual/dmi/id/board_asset_tag)
+if [[ ! "$instance_id" =~ ^i- ]]; then
+  echo "Retrieved Instance ID: [$instance_id] does not start with [i-]"
+  exit 4
+fi
+
+function ensureCredentials() {
+  if [[ ! -f "/run/aws-metadata/creds.json" ]] || [[ ! -f "/run/aws-metadata/asg-name" ]] || [[ ! -f "/run/aws-metadata/iid.json" ]] || \
+     [[ ! -r "/run/aws-metadata/creds.json" ]] || [[ ! -r "/run/aws-metadata/asg-name" ]] || [[ ! -r "/run/aws-metadata/iid.json" ]]; then
+    echo "Failed to find Credentials for AWS Instance."
+    exit 5
+  fi
+
+  local readonly credentials_json=$(< /run/aws-metadata/creds.json)
+  local readonly iid_json=$(< /run/aws-metadata/iid.json)
+  local readonly asg_name=$(< /run/aws-metadata/asg-name)
+  local readonly aws_access_key=$(echo -n "$credentials_json" | jq -r .AccessKeyId)
+  local readonly secret_access_key=$(echo -n "$credentials_json" | jq -r .SecretAccessKey)
+  local readonly session_token=$(echo -n "$credentials_json" | jq -r .Token)
+  local readonly expiration=$(echo -n "$credentials_json" | jq -r .Expiration)
+  local readonly region=$(echo -n "$iid_json" | jq -r .region)
+
+  echo "Fetched Cached Credentials, Expire At: [$expiration]"
+  export AWS_ACCESS_KEY_ID="$aws_access_key"
+  export AWS_SECRET_ACCESS_KEY="$secret_access_key"
+  export AWS_SESSION_TOKEN="$session_token"
+  export AWS_DEFAULT_REGION="$region"
+  export CURRENT_ASG_NAME="$asg_name"
+}
+
+ensureCredentials
+aws autoscaling detach-instances --instance-ids "$instance_id" --auto-scaling-group-name "$CURRENT_ASG_NAME" --no-should-decrement-desired-capacity

terraform/.gitignore

@@ -0,0 +1,2 @@
+.terraform
+.terraform.lock.hcl

terraform/aws-ci/common.tf

@@ -0,0 +1 @@
+../common.tf

terraform/aws-ci/ec2.tf

@@ -0,0 +1,56 @@
+resource "aws_launch_template" "runner" {
+  provider = aws.osquery-dev
+
+  name = "GitHubRunner"
+
+  # This will cause terraform to autoupdate the version. Which can
+  # break a staging/prod seperation, but we're small.
+  update_default_version  = true
+
+  iam_instance_profile {
+    arn = aws_iam_instance_profile.runner_implicit_instance_profile.arn
+  }
+
+  ebs_optimized           = "true"
+  image_id                = "ami-08f2dbe31f794898b"
+  key_name                = "seph-osquery-dev"
+
+  #network_interfaces {
+  #  associate_public_ip_address = true
+  #  delete_on_termination = true
+  #}
+
+  # subnet_id = module.vpc.module.vpc[0].arn
+
+  vpc_security_group_ids  = [
+    module.vpc.default_security_group_id
+  ]
+
+  instance_type           = "r6g.large"
+  instance_market_options {
+    market_type = "spot"
+  }
+}
+
+
+resource "aws_launch_template" "sephtestrunner" {
+  provider = aws.osquery-dev
+  name = "sephTestGitHubRunner"
+
+  iam_instance_profile {
+    arn = "arn:aws:iam::204725418487:instance-profile/OsqueryGitHubRunners"
+  }
+  ebs_optimized           = "false"
+  image_id                = "ami-08f2dbe31f794898b"
+  key_name                = "seph-osquery-dev"
+
+  vpc_security_group_ids  = [
+    "sg-0447741384aa67749",
+  ]
+
+  instance_type           = "r6g.large"
+  instance_market_options {
+    market_type = "spot"
+  }
+
+}