elastic · gurevichdmitry · Jan 10, 2024 · Dec 26, 2023 · Dec 26, 2023 · Dec 26, 2023
@@ -17,7 +17,7 @@ on:
         default: false
       elk-stack-version:
         required: true
-        description: "Stack version: For released/BC version use 8.x.y, for SNAPSHOT use 8.x.y-SNAPSHOT"
+        description: "Stack version: For released version use 8.x.y, for BC use version with hash 8.x.y-hash, for SNAPSHOT use 8.x.y-SNAPSHOT"
         default: "8.11.0"
         type: string
       ess-region:
@@ -54,7 +54,7 @@ on:
         default: false
       elk-stack-version:
         required: true
-        description: "Stack version: For released/BC version use 8.x.y, for SNAPSHOT use 8.x.y-SNAPSHOT"
+        description: "Stack version: For released version use 8.x.y, for BC use version with hash 8.x.y-hash, for SNAPSHOT use 8.x.y-SNAPSHOT"
         default: "8.10.0"
         type: string
       ess-region:
@@ -104,15 +104,13 @@ jobs:
       run:
         working-directory: ${{ env.WORKING_DIR }}
     env:
-      TF_VAR_stack_version: ${{ inputs.elk-stack-version }}
       TF_VAR_ess_region: ${{ inputs.ess-region }}
       DEPLOYMENT_NAME: ${{ inputs.deployment_name }}
       TF_VAR_serverless_mode: ${{ inputs.serverless_mode }}
       TEST_AGENTLESS: ${{ inputs.serverless_mode }}
       S3_BASE_BUCKET: "s3://tf-state-bucket-test-infra"
       S3_BUCKET_URL: "https://s3.console.aws.amazon.com/s3/buckets/tf-state-bucket-test-infra"
       DOCKER_IMAGE_OVERRIDE: ${{ inputs.docker-image-override }}
-      STACK_VERSION: ${{ inputs.elk-stack-version }}
       CNVM_STACK_NAME: "${{ inputs.deployment_name }}-cnvm-sanity-test-stack"
     # Add "id-token" with the intended permissions.
     permissions:
@@ -152,6 +150,39 @@ jobs:
           echo "::add-mask::$ec_api_key"
           echo "TF_VAR_ec_api_key=$ec_api_key" >> $GITHUB_ENV
 
+      - name: Process Stack Version
+        id: remove-commit-hash
+        run: |
+          # Extract the stack version
+          stack_version="${{ inputs.elk-stack-version }}"
+
+          echo "TF_VAR_stack_version=$stack_version" >> $GITHUB_ENV
+          echo "STACK_VERSION=$stack_version" >> $GITHUB_ENV
+
+          # Handle BC versions with commit hash (e.g. 8.11.0-1234567890)
+          if [[ $stack_version =~ -[a-f0-9]+ ]]; then
+            cleaned_version=$(echo $stack_version | awk -F"-" '{print $1}')
+
+            # Versions with commit hash are not allowed for EC regular deployments and should be modified
+            # EC module resource:
+            # ec_deployment.deployment.version is required attribute and should be in format 8.x.y | 8.x.y-SNAPSHOT
+            # Therefore, we need to modify the version in the env variable
+            echo "TF_VAR_stack_version=$cleaned_version" >> $GITHUB_ENV
+
+            # env variable STACK_VERSION is used in sanity tests for findings validation
+            # findings are saved with version without commit hash
+            # therefore, we need to modify the version in the env variable
+            echo "STACK_VERSION=$cleaned_version" >> $GITHUB_ENV
+
+            # TF_VAR_pin_version is used to override stack docker images
+            # for BC versions with commit hash
+            # This version will be used to override the docker images
+            # elasticsearch.config.docker_image
+            # kibana.config.docker_image
+            # integrations_server.config.docker_image
+            echo "TF_VAR_pin_version=$stack_version" >> $GITHUB_ENV
+          fi
+
       - name: Init Enrollment Token
         run: |
           enrollment_token="init"
@@ -198,7 +229,8 @@ jobs:
           terraform apply --auto-approve \
             -var="deployment_name=${{ env.DEPLOYMENT_NAME }}" \
             -var="region=${{ env.AWS_REGION }}" \
-            -var="project=${{ github.actor }}"
+            -var="project=${{ github.actor }}" \
+            -var="owner=${{ github.actor }}"
 
       - name: Set Environment Output
         id: env-output

@@ -12,7 +12,7 @@ on:
         required: true
       target-elk-stack-version:
         required: true
-        description: "Target version of the ELK stack: For BC version use 8.x.y, for SNAPSHOT use 8.x.y-SNAPSHOT"
+        description: "Target version of the ELK stack: For BC use version with hash 8.x.y-hash, for SNAPSHOT use 8.x.y-SNAPSHOT"
         default: "8.11.0"
         type: string
       base-elk-stack-version:
@@ -38,8 +38,9 @@ jobs:
   init:
     runs-on: ubuntu-20.04
     outputs:
-      stack-version: ${{ steps.set-previous-version.outputs.PREVIOUS_VERSION }}
+      base-stack-version: ${{ steps.set-previous-version.outputs.PREVIOUS_VERSION }}
       ess-region: ${{ env.TF_VAR_ess_region }}
+      target-agent-version: ${{ steps.clean-version.outputs.AGENT_VERSION }}
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4
@@ -52,7 +53,20 @@ jobs:
             PREVIOUS_VERSION=$(./.ci/scripts/get-previous-version.sh "$VERSION")
             echo "PREVIOUS_VERSION=$PREVIOUS_VERSION" >> $GITHUB_OUTPUT
           else
-            echo "PREVIOUS_VERSION=${{ inputs.base-elk-stack-version }}" >> $GITHUB_ENV
+            echo "PREVIOUS_VERSION=${{ inputs.base-elk-stack-version }}" >> $GITHUB_OUTPUT
+          fi
+      - name: Process BC version
+        id: clean-version
+        run: |
+          # Extract the stack version
+          stack_version="${{ inputs.target-elk-stack-version }}"
+
+          # Check if the version contains a commit hash, remove it
+          if [[ $stack_version =~ -[a-f0-9]+ ]]; then
+            cleaned_version=$(echo $stack_version | awk -F"-" '{print $1}')
+            echo "AGENT_VERSION=$cleaned_version" >> $GITHUB_OUTPUT
+          else
+            echo "AGENT_VERSION=$stack_version" >> $GITHUB_OUTPUT
           fi
   deploy:
     uses: ./.github/workflows/test-environment.yml
@@ -63,7 +77,7 @@ jobs:
       id-token: 'write'
     with:
       deployment_name: ${{ inputs.deployment_name }}
-      elk-stack-version: ${{ needs.init.outputs.stack-version }}
+      elk-stack-version: ${{ needs.init.outputs.base-stack-version }}
       ess-region: ${{ needs.init.outputs.ess-region }}
       run-sanity-tests: false # Set to true once the issue at https://github.com/elastic/kibana/pull/171200 is resolved.
       serverless_mode: false
@@ -125,7 +139,11 @@ jobs:
         id: apply
         if: success()
         run: |
-          terraform apply --auto-approve -var="deployment_name=${{ inputs.deployment_name }}" -var="region=${{ env.AWS_REGION }}"
+          terraform apply --auto-approve \
+            -var="deployment_name=${{ inputs.deployment_name }}" \
+            -var="region=${{ env.AWS_REGION }}" \
+            -var="project=${{ github.actor }}" \
+            -var="owner=${{ github.actor }}"
 
       - name: Set Environment Output
         id: env-output
@@ -167,7 +185,7 @@ jobs:
         working-directory: ./tests
         env:
           USE_K8S: false
-          AGENT_VERSION: ${{ needs.init.outputs.stack-version }}
+          AGENT_VERSION: ${{ needs.init.outputs.base-stack-version }}
         run: |
           poetry install
           poetry run pytest -m "sanity" --alluredir=./allure/results/ --clean-alluredir --maxfail=4
@@ -198,20 +216,21 @@ jobs:
               --name $(terraform output -raw deployment_name) --alias eks-config
           kubectl config use-context eks-config
           kubectl set image daemonset elastic-agent -n kube-system elastic-agent=${{ env.DOCKER_IMAGE }}
+          kubectl rollout restart daemonset/elastic-agent -n kube-system
 
       - name: Upgrade Linux agents
         working-directory: ${{ env.WORKING_DIR }}/${{ env.FLEET_API_DIR }}
         env:
           CNVM_STACK_NAME: ${{ needs.deploy.outputs.cnvm-stack-name }}
-          STACK_VERSION: ${{ inputs.target-elk-stack-version }}
+          STACK_VERSION: ${{ needs.init.outputs.target-agent-version }}
         run: |
           poetry run python upgrade_agents.py
 
       - name: Run Upgrade Sanity checks
         if: success()
         working-directory: ./tests
         env:
-          AGENT_VERSION: ${{ inputs.target-elk-stack-version }}
+          AGENT_VERSION: ${{ needs.init.outputs.target-agent-version }}
           USE_K8S: false
         run: |
           poetry install

@@ -0,0 +1,67 @@
+locals {
+  version                          = var.stack_version
+  region                           = var.region
+  name_prefix                      = var.deployment_name_prefix
+  deployment_template              = var.deployment_template
+  es_docker_image                  = lookup(var.docker_image, "elasticsearch", "")
+  es_docker_image_tag_override     = lookup(var.docker_image_tag_override, "elasticsearch", "")
+  kibana_docker_image              = lookup(var.docker_image, "kibana", "")
+  kibana_docker_image_tag_override = lookup(var.docker_image_tag_override, "kibana", "")
+  apm_docker_image                 = lookup(var.docker_image, "apm", "")
+  apm_docker_image_tag_override    = lookup(var.docker_image_tag_override, "apm", "")
+}
+
+data "ec_stack" "deployment_version" {
+  version_regex = local.version
+  region        = local.region
+}
+
+resource "ec_deployment" "deployment" {
+  name                   = "${local.name_prefix}-${data.ec_stack.deployment_version.version}"
+  version                = data.ec_stack.deployment_version.version
+  region                 = local.region
+  deployment_template_id = local.deployment_template
+  tags                   = var.tags
+
+  elasticsearch = {
+    autoscale = var.elasticsearch_autoscale
+    strategy  = "rolling_all"
+    config = local.es_docker_image_tag_override != "" ? {
+      docker_image = "${local.es_docker_image}:${local.es_docker_image_tag_override}"
+    } : null
+
+    cold = {
+      autoscaling = {}
+    }
+
+    frozen = {
+      autoscaling = {}
+    }
+
+    hot = {
+      autoscaling = {
+        max_size          = "128g"
+        max_size_resource = "memory"
+      }
+      size       = var.elasticsearch_size
+      zone_count = var.elasticsearch_zone_count
+    }
+
+    warm = {
+      autoscaling = {}
+    }
+  }
+
+  kibana = {
+    config = local.kibana_docker_image_tag_override != "" ? {
+      docker_image = "${local.kibana_docker_image}:${local.kibana_docker_image_tag_override}"
+    } : null
+  }
+
+  integrations_server = {
+    config = local.apm_docker_image_tag_override != "" ? {
+      docker_image = "${local.apm_docker_image}:${local.apm_docker_image_tag_override}"
+    } : null
+  }
+
+}
@@ -0,0 +1,26 @@
+output "kibana_url" {
+  value       = ec_deployment.deployment.kibana.https_endpoint
+  description = "The secure Kibana URL"
+}
+
+output "elasticsearch_url" {
+  value       = ec_deployment.deployment.elasticsearch.https_endpoint
+  description = "The secure Elasticsearch URL"
+}
+
+output "elasticsearch_username" {
+  value       = ec_deployment.deployment.elasticsearch_username
+  sensitive   = true
+  description = "The Elasticsearch username"
+}
+
+output "elasticsearch_password" {
+  value       = ec_deployment.deployment.elasticsearch_password
+  sensitive   = true
+  description = "The Elasticsearch password"
+}
+
+output "stack_version" {
+  value       = data.ec_stack.deployment_version.version
+  description = "The matching stack pack version from the provided stack_version"
+}
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.3, <2.0.0"
+
+  required_providers {
+    ec = {
+      source  = "elastic/ec"
+      version = ">=0.9.0"
+    }
+  }
+}
@@ -0,0 +1,80 @@
+variable "ec_api_key" {
+  type = string
+}
+
+variable "stack_version" {
+  description = "Optional version of the Elastic Cloud deployment"
+  type        = string
+  default     = "latest"
+}
+
+variable "region" {
+  description = "Optional region of the Elastic Cloud deployment"
+  type        = string
+  default     = "gcp-us-west2"
+}
+
+variable "deployment_template" {
+  description = "Optional defaults to the CPU optimized template for GCP"
+  type        = string
+  default     = "gcp-compute-optimized-v3"
+}
+
+variable "deployment_name_prefix" {
+  description = "Prefix for the Elastic Cloud deployment name"
+  type        = string
+  default     = "cloud-security"
+}
+
+variable "tags" {
+  type = map(string)
+  default = {
+    "deployment"  = "cloud-security",
+    "environment" = "test-enviroment",
+  }
+  description = "Optional set of tags to use for all deployments"
+}
+
+variable "elasticsearch_size" {
+  default     = "8g"
+  type        = string
+  description = "Optional Elasticsearch instance size"
+}
+
+variable "elasticsearch_zone_count" {
+  default     = 2
+  type        = number
+  description = "Optional Elasticsearch zone count"
+}
+
+variable "elasticsearch_autoscale" {
+  default     = false
+  type        = bool
+  description = "Optional autoscale the Elasticsearch cluster"
+}
+
+# Docker image overrides
+
+# Docker image tag override is used to override the default docker image tag
+# for BC reasons. This is used to test new versions of the cloud deployment
+# This option allow to pin the docker image tag to a specific version to prevent
+# unexpected changes in the deployment.
+variable "docker_image_tag_override" {
+  default = {
+    "elasticsearch" = "",
+    "kibana"        = "",
+    "apm"           = "",
+  }
+  description = "Optional docker image tag overrides, The full map needs to be specified"
+  type        = map(string)
+}
+
+variable "docker_image" {
+  default = {
+    "elasticsearch" = "docker.elastic.co/cloud-release/elasticsearch-cloud-ess",
+    "kibana"        = "docker.elastic.co/cloud-release/kibana-cloud",
+    "apm"           = "docker.elastic.co/cloud-release/elastic-agent-cloud",
+  }
+  type        = map(string)
+  description = "Optional docker image overrides. The full map needs to be specified"
+}
@@ -63,7 +63,8 @@ Please note that the customized image is currently available in the following re
 |:-------------:|:-------------:|:------------|
 | ec_api_key    |   None   | The API key for Elastic Cloud can also be defined using the `TF_VAR_ec_api_key` environment variable |
 | ess_region    | gcp-us-west2 | The ESS deployment region can also be defined using the `TF_VAR_stack_version` environment variable|
-| stack_version | latest | The ELK stack version can alsob be defined using the `TF_VAR_stack_version` environment variable |
+| stack_version | latest | The ELK stack version can also be defined using the `TF_VAR_stack_version` environment variable |
+| pin_version   | None | Optional: The ELK pin version (docker tag override) can also be defined using the `TF_VAR_pin_version` environment variable |
 
 ## Execution
 
@@ -104,6 +105,13 @@ terraform apply --auto-approve -target "module.aws_ec2_for_kspm"
 terraform apply --auto-approve -target "module.ec_deployment"
 ```
 
+BC version
+
+```bash
+terraform apply --auto-approve -var="stack_version=8.12.0" -var="pin_version=8.12.0-9f05a310" -target "module.ec_deployment"
+```
+
+
 - EKS Deployment
 
 ```bash