OPSEXP-3176 Automate AMI bumps with updatecli (#1133)

Author: gionn

.github/updatecli/updatecli_amis.tpl

@@ -0,0 +1,64 @@
+name: Update AMI
+
+sources:
+{{- range $key, $ami := .amis }}
+  src_{{ $key }}:
+    kind: aws/ami
+    spec:
+      region: {{ requiredEnv "AWS_REGION" }}
+      filters:
+        - name: "owner-id"
+          values: '{{ $ami.owner_id | default "*" }}'
+        - name: "name"
+          values: '{{ $ami.pattern }}'
+        - name: "architecture"
+          values: '{{ $ami.architecture | default "x86_64" }}'
+        - name: "block-device-mapping.volume-type"
+          values: '{{ $ami.volume_type | default "gp3" }}'
+  src_name_{{ $key }}:
+    kind: shell
+    dependson:
+      - src_{{ $key }}
+    spec:
+      command: aws ec2 describe-images --region {{ requiredEnv "AWS_REGION" }} --image-ids {{ source (printf "src_%s" $key) }} --query 'Images[0].Name' --output text
+      environments:
+        - name: PATH
+        - name: AWS_ACCESS_KEY_ID
+        - name: AWS_SECRET_ACCESS_KEY
+{{- end }}
+
+targets:
+{{- range $key, $target := .targets }}
+  yml_{{ $key }}:
+    name: {{ $target.source }} bump
+    kind: yaml
+    sourceid: src_{{ $target.source }}
+    scmid: "github"
+    spec:
+      engine: yamlpath # https://github.com/updatecli/updatecli/issues/4490
+      file: '{{ $target.file }}'
+      key: '{{ $target.key }}'
+      comment: '{{ source (printf "src_name_%s" $target.source) }}'
+{{- end }}
+
+actions:
+  pr:
+    kind: "github/pullrequest"
+    scmid: "github"
+    spec:
+      title: "Bump AMIs versions"
+      labels:
+        - "updatecli"
+        - "ec2-test"
+
+scms:
+  github:
+    kind: "github"
+    spec:
+      owner: "Alfresco"
+      repository: "alfresco-ansible-deployment"
+      branch: "master"
+      token: {{ requiredEnv "UPDATECLI_GITHUB_TOKEN" }}
+      username: {{ requiredEnv "UPDATECLI_GITHUB_USERNAME" }}
+      user: {{ requiredEnv "UPDATECLI_GITHUB_USERNAME" }}
+      email: {{ requiredEnv "UPDATECLI_GITHUB_EMAIL" }}

.github/updatecli/updatecli_amis_values.yml

@@ -0,0 +1,52 @@
+amis:
+  rhel8:
+    pattern: RHEL-8.10.0_HVM-*
+    owner_id: "309956199498"
+  rhel9:
+    pattern: RHEL-9.4.0_HVM-*
+    owner_id: "309956199498"
+  rl8:
+    pattern: Rocky-8-EC2-Base-8.10-*
+    volume_type: gp2
+    owner_id: "792107900819"
+  rl9:
+    pattern: Rocky-9-EC2-Base-9.4-*
+    volume_type: gp2
+    owner_id: "792107900819"
+  ub22:
+    pattern: ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*
+    volume_type: gp2
+    owner_id: "099720109477"
+  ub24:
+    pattern: ubuntu/images/hvm-ssd-gp3/ubuntu-noble-24.04-amd64-server-*
+    owner_id: "099720109477"
+
+targets:
+  molecule_default_rhel8:
+    file: molecule/default/vars-rhel8.yml
+    key: $.MOLECULE_IT_IMAGE_ID
+    source: rhel8
+  molecule_default_rocky8:
+    file: molecule/default/vars-rocky8.yml
+    key: $.MOLECULE_IT_IMAGE_ID
+    source: rl8
+  molecule_default_rocky9:
+    file: molecule/default/vars-rocky9.yml
+    key: $.MOLECULE_IT_IMAGE_ID
+    source: rl9
+  molecule_default_ubuntu_community:
+    file: molecule/default/vars-ubuntu-community.yml
+    key: $.MOLECULE_IT_IMAGE_ID
+    source: ub24
+  molecule_default_ubuntu22_73:
+    file: molecule/default/vars-ubuntu22-73.yml
+    key: $.MOLECULE_IT_IMAGE_ID
+    source: ub22
+  molecule_multimachine:
+    file: molecule/multimachine/vars.yml
+    key: $.MOLECULE_IT_IMAGE_ID
+    source: rhel9
+  molecule_opensearch:
+    file: molecule/opensearch/vars.yml
+    key: $.MOLECULE_IT_IMAGE_ID
+    source: rhel9

.github/workflows/bumpVersions.yml

@@ -1,8 +1,10 @@
 ---
 name: Bump versions
-run-name: Bump using alfresco-updatecli/${{ inputs.alfresco-updatecli-ref || 'master' }}
+run-name: Bump ${{ inputs.update-type || 'all' }} using alfresco-updatecli/${{ inputs.alfresco-updatecli-ref || 'master' }}
 
 on:
+  schedule:
+    - cron: '52 6 * * 1'
   push:
     paths:
       - .github/workflows/bumpVersions.yml
@@ -13,6 +15,12 @@ on:
         description: "The version to use for alfresco/alfresco-updatecli configs"
         type: string
         default: master
+      update-type:
+          description: 'Which dependencies to bump'
+          type: choice
+          options:
+          - maven
+          - ami
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name || github.run_id }}
@@ -43,14 +51,16 @@ jobs:
           path: alfresco-updatecli
 
       - name: Updatecli scm cache
+        if: inputs.update-type == 'maven' || github.event_name == 'push'
         uses: actions/cache@v4
         with:
           path: /tmp/updatecli/github
           key: updatecli-v1-${{ hashFiles('.github/updatecli/updatecli_amps.tpl') }}
           restore-keys: |
             updatecli-v1-
 
-      - name: Updatecli apply
+      - name: Updatecli apply for Maven
+        if: inputs.update-type == 'maven' || github.event_name == 'push'
         shell: bash
         run: |
           set -x
@@ -67,7 +77,21 @@ jobs:
           NEXUS_USERNAME: ${{ secrets.NEXUS_USERNAME }}
           NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
           UPDATECLI_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
-          UPDATECLI_GITHUB_USERNAME: ${{ vars.BOT_GITHUB_USERNAME}}
+          UPDATECLI_GITHUB_USERNAME: ${{ vars.BOT_GITHUB_USERNAME }}
+
+      - name: Updatecli apply for AMIs
+        if: inputs.update-type == 'ami' || github.event_name == 'push' || github.event_name == 'schedule'
+        shell: bash
+        run: |
+          updatecli apply --config .github/updatecli/updatecli_amis.tpl \
+            -v .github/updatecli/updatecli_amis_values.yml
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_REGION: eu-west-1
+          UPDATECLI_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
+          UPDATECLI_GITHUB_USERNAME: ${{ vars.BOT_GITHUB_USERNAME }}
+          UPDATECLI_GITHUB_EMAIL: ${{ vars.BOT_GITHUB_EMAIL }}
 
       - name: Git Auto Commit
         uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5.1.0