
Conversation

@Paramadon (Contributor)

Description of the issue

Currently we are working on adding EKS IPv6 support for the CloudWatch Agent; we need to add EKS integration testing to ensure the CloudWatch Agent will work in IPv6 environments.

Also, relevant PRs that are included in this change:
Helm Chart: aws-observability/helm-charts#254
Integ test:

Description of changes

We are having all current IPv4 EKS e2e tests also run for IPv6. How we are doing this is by making the cluster's IP family IPv6 and using a dual-stack subnet/VPC. We cannot create a dual-stack VPC on each run, as there is a limit on how many dual-stack VPCs we can create, so we are using an existing subnet for testing.

Here's some info on the subnet.

Tests

Passing test run: https://github.com/aws/amazon-cloudwatch-agent/actions/runs/19836119811

Subnet Info

Internet traffic for both IPv4 and IPv6 (screenshot, 2025-12-02)

Cluster info showing the IP family is IPv6 (screenshot, 2025-12-02)

More testing is showcased in the Helm chart PR: aws-observability/helm-charts#254
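The description above relies on a pre-existing dual-stack subnet because a fresh one cannot be created per run, which means the subnet can drift between runs without the tests noticing until Terraform or the agent fails. As an added example that is not part of this PR or the repository's Terraform, the following preflight check validates the three things the IPv6 suite assumes: the cluster's IP family is ipv6, every cluster subnet still has an associated IPv6 CIDR, and the subnet's route table has active default routes for both families. It works on the response shapes boto3 returns from eks.describe_cluster, ec2.describe_subnets and ec2.describe_route_tables; the responses and identifiers below (ipv6-eks-integ-test, vpc-0123, subnet-aaa, igw-0123) are constructed for the example.

```python
"""Preflight check for running the EKS e2e suite against an IPv6 cluster on a
shared, pre-existing dual-stack subnet.

Added example, not code from this PR or the repository's Terraform. It works on
the dicts boto3 returns from eks.describe_cluster, ec2.describe_subnets and
ec2.describe_route_tables; the responses below are constructed samples and the
identifiers (ipv6-eks-integ-test, vpc-0123, subnet-aaa, igw-0123) are made up.
"""
from typing import List

CLUSTER = {  # eks.describe_cluster()["cluster"], trimmed to the fields used
    "name": "ipv6-eks-integ-test",
    "kubernetesNetworkConfig": {"ipFamily": "ipv6", "serviceIpv6Cidr": "fd00:1::/108"},
    "resourcesVpcConfig": {"vpcId": "vpc-0123", "subnetIds": ["subnet-aaa", "subnet-bbb"]},
}
SUBNETS = [  # ec2.describe_subnets()["Subnets"]
    {"SubnetId": "subnet-aaa", "VpcId": "vpc-0123", "CidrBlock": "10.0.1.0/24",
     "Ipv6CidrBlockAssociationSet": [{"Ipv6CidrBlock": "2600:1f00:1::/64",
                                      "Ipv6CidrBlockState": {"State": "associated"}}]},
    {"SubnetId": "subnet-bbb", "VpcId": "vpc-0123", "CidrBlock": "10.0.2.0/24",
     "Ipv6CidrBlockAssociationSet": []},  # IPv4-only: must be reported
]
ROUTE_TABLES = [  # ec2.describe_route_tables()["RouteTables"]
    {"Associations": [{"SubnetId": "subnet-aaa"}, {"SubnetId": "subnet-bbb"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123", "State": "active"},
                {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0123", "State": "active"}]},
]


def _has_default_route(rt: dict, key: str, cidr: str) -> bool:
    """True if the table has an active default route of this family to a gateway."""
    for r in rt.get("Routes", []):
        if r.get(key) == cidr and r.get("State", "active") == "active":
            if r.get("GatewayId") or r.get("NatGatewayId") or r.get("EgressOnlyInternetGatewayId"):
                return True
    return False


def check_ipv6_readiness(cluster: dict, subnets: List[dict], route_tables: List[dict]) -> List[str]:
    """Return the list of problems; an empty list means the IPv6 suite can run."""
    problems: List[str] = []
    family = cluster.get("kubernetesNetworkConfig", {}).get("ipFamily")
    if family != "ipv6":
        problems.append(f"cluster ipFamily is {family!r}, expected 'ipv6'")
    vpc_id = cluster["resourcesVpcConfig"]["vpcId"]
    by_id = {s["SubnetId"]: s for s in subnets}
    # An explicit subnet association wins; otherwise the VPC's main table applies.
    explicit, main_rt = {}, None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main_rt = rt
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = rt
    for sid in sorted(cluster["resourcesVpcConfig"]["subnetIds"]):
        s = by_id.get(sid)
        if s is None:
            problems.append(f"{sid}: not present in describe_subnets output")
            continue
        if s["VpcId"] != vpc_id:
            problems.append(f"{sid}: in {s['VpcId']}, cluster VPC is {vpc_id}")
        if not any(a.get("Ipv6CidrBlockState", {}).get("State") == "associated"
                   for a in s.get("Ipv6CidrBlockAssociationSet", [])):
            problems.append(f"{sid}: no associated IPv6 CIDR (IPv4-only subnet)")
        rt = explicit.get(sid, main_rt)
        if rt is None:
            problems.append(f"{sid}: no route table found")
            continue
        if not _has_default_route(rt, "DestinationCidrBlock", "0.0.0.0/0"):
            problems.append(f"{sid}: no active IPv4 default route")
        if not _has_default_route(rt, "DestinationIpv6CidrBlock", "::/0"):
            problems.append(f"{sid}: no active IPv6 default route")
    return problems


if __name__ == "__main__":
    for problem in check_ipv6_readiness(CLUSTER, SUBNETS, ROUTE_TABLES):
        print(problem)
```

In a CI job the three inputs would come from boto3 calls for the cluster named in the workflow inputs, and a non-empty result should fail the job before Terraform touches anything. The route check deliberately treats a `blackhole` route as absent, since a deleted internet gateway leaves the `::/0` entry in place but unusable.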

@Paramadon Paramadon requested a review from a team as a code owner December 2, 2025 18:24
@Paramadon Paramadon added the ready for testing Indicates this PR is ready for integration tests to run label Dec 2, 2025
Comment on lines +331 to +356
needs: [ GetLatestOperatorCommitSHA, GenerateTestMatrix, OutputEnvVariables ]
if: always() && !cancelled() && !contains(needs.*.result, 'failure')
name: 'EKSE2EJVMTomcatTestAddonIPv6'
uses: ./.github/workflows/eks-e2e-test.yml
with:
terraform_dir: terraform/eks/e2e
job_id: eks-e2e-jvm-tomcat-test-addon-ipv6
test_props: ${{ needs.GenerateTestMatrix.outputs.eks_e2e_jmx_matrix }}
test_repo_name: ${{ needs.OutputEnvVariables.outputs.CWA_GITHUB_TEST_REPO_NAME }}
test_repo_url: ${{ needs.OutputEnvVariables.outputs.CWA_GITHUB_TEST_REPO_URL }}
test_repo_branch: ${{ needs.OutputEnvVariables.outputs.CWA_GITHUB_TEST_REPO_BRANCH }}
cloudwatch_agent_repository: ${{ needs.OutputEnvVariables.outputs.ECR_INTEGRATION_TEST_REPO }}
cloudwatch_agent_tag: ${{ inputs.build_sha || github.sha }}
cloudwatch_agent_operator_repository: ${{ needs.OutputEnvVariables.outputs.ECR_OPERATOR_REPO }}
cloudwatch_agent_operator_tag: ${{ needs.GetLatestOperatorCommitSHA.outputs.operator_commit_sha }}
region: ${{ inputs.region || 'us-west-2' }}
helm_charts_branch: ${{ inputs.helm-charts-branch || 'main' }}
terraform_assume_role: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE }}
agent_config: resources/cwagent_configs_eks_addon/jvm_tomcat.json
sample_app: resources/sample_apps/tomcat.yaml
eks_installation_type: "EKS_ADDON"
ip_family: "ipv6"
vpc_name: "ipv6-eks-integ-test/VPC"
secrets: inherit

EKSE2EKafkaTestHelmIPv6:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI about 1 month ago

To fix the problem, add a permissions key to the workflow file .github/workflows/e2e-test.yml. The permissions block can be placed at the root of the workflow (recommended), just below the name and env blocks and before the on block. This will apply least-privilege permissions (by default, no access to actions, contents, deployments, issues, checks, packages, pull-requests, statuses) for all jobs in the workflow unless overridden or expanded in specific jobs. For jobs that require specific permissions, expand the block accordingly. As a minimal fix, adding permissions: {} will enable the strictest setting (no permissions). If, for example, jobs only need to read repository contents, use permissions: contents: read.

The required change is to add:

permissions: {}

on a new line after the name definition and before env, or just after env before the on block.


Suggested changeset 1
.github/workflows/e2e-test.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml
--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@@ -2,6 +2,7 @@
 # SPDX-License-Identifier: MIT
 
 name: Run E2E Tests
+permissions: {}
 env:
   TERRAFORM_AWS_ASSUME_ROLE: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE }}
   TERRAFORM_AWS_ASSUME_ROLE_DURATION: 14400 # 4 hours
EOF
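Review bot: The inserted `permissions: {}` line will also govern the called workflow, since every flagged job is a `uses: ./.github/workflows/eks-e2e-test.yml` call and a reusable workflow's GITHUB_TOKEN can only be narrowed from, never raised above, what the caller grants. Before applying, enumerate what eks-e2e-test.yml actually needs (`contents: read` if it checks out code; `id-token: write` if it exchanges an OIDC token for the `TERRAFORM_AWS_ASSUME_ROLE` credentials shown in the context lines) and grant exactly those at the root; otherwise the new IPv6 jobs will fail for a reason unrelated to IPv6.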
Comment on lines +357 to +382
needs: [ GetLatestOperatorCommitSHA, GenerateTestMatrix, OutputEnvVariables ]
if: always() && !cancelled() && !contains(needs.*.result, 'failure')
name: 'EKSE2EKafkaTestHelmIPv6'
uses: ./.github/workflows/eks-e2e-test.yml
with:
terraform_dir: terraform/eks/e2e
job_id: eks-e2e-kafka-test-helm-ipv6
test_props: ${{ needs.GenerateTestMatrix.outputs.eks_e2e_jmx_matrix }}
test_repo_name: ${{ needs.OutputEnvVariables.outputs.CWA_GITHUB_TEST_REPO_NAME }}
test_repo_url: ${{ needs.OutputEnvVariables.outputs.CWA_GITHUB_TEST_REPO_URL }}
test_repo_branch: ${{ needs.OutputEnvVariables.outputs.CWA_GITHUB_TEST_REPO_BRANCH }}
cloudwatch_agent_repository: ${{ needs.OutputEnvVariables.outputs.ECR_INTEGRATION_TEST_REPO }}
cloudwatch_agent_tag: ${{ inputs.build_sha || github.sha }}
cloudwatch_agent_operator_repository: ${{ needs.OutputEnvVariables.outputs.ECR_OPERATOR_REPO }}
cloudwatch_agent_operator_tag: ${{ needs.GetLatestOperatorCommitSHA.outputs.operator_commit_sha }}
region: ${{ inputs.region || 'us-west-2' }}
helm_charts_branch: ${{ inputs.helm-charts-branch || 'main' }}
terraform_assume_role: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE }}
agent_config: resources/cwagent_configs_helm_chart/kafka.json
sample_app: resources/sample_apps/kafka.yaml
eks_installation_type: "HELM_CHART"
ip_family: "ipv6"
vpc_name: "ipv6-eks-integ-test/VPC"
secrets: inherit

EKSE2EKafkaTestAddonIPv6:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI about 1 month ago

To fix this problem, add a permissions block specifying the minimum required access for the GITHUB_TOKEN. The best approach is to add this block at the top level of the workflow YAML file (just below name: and above env:), so permissions apply to all jobs by default unless overridden per job. If jobs require only read access to repository contents, specify contents: read. If any job requires additional privileges, you can extend the block accordingly, but a minimal starting point is just contents: read. Since the full requirements of each job aren't known from the snippet, we'll add a safe minimal block:

permissions:
  contents: read

If certain jobs require greater permissions, you could add per-job overrides later. For now, insert the block after the name: field.


Suggested changeset 1
.github/workflows/e2e-test.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml
--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@@ -2,6 +2,8 @@
 # SPDX-License-Identifier: MIT
 
 name: Run E2E Tests
+permissions:
+  contents: read
 env:
   TERRAFORM_AWS_ASSUME_ROLE: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE }}
   TERRAFORM_AWS_ASSUME_ROLE_DURATION: 14400 # 4 hours
EOF
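Review bot: This patch and the `permissions: {}` one proposed for the previous job edit the same spot between `name: Run E2E Tests` and `env:`, so only the first one applied will succeed; `git apply` rejects the next because its context no longer matches once a `permissions` line sits after `name:`. Choose one block for the whole file rather than applying per alert. Of the two, `contents: read` is the safer default for a workflow that has to check out code, while `{}` is only correct if the called workflow provably uses no GITHUB_TOKEN at all.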
Comment on lines +409 to +434
needs: [ GetLatestOperatorCommitSHA, GenerateTestMatrix, OutputEnvVariables ]
if: always() && !cancelled() && !contains(needs.*.result, 'failure')
name: 'EKSE2EJMXContainerInsightsTestHelmIPv6'
uses: ./.github/workflows/eks-e2e-test.yml
with:
terraform_dir: terraform/eks/e2e
job_id: eks-e2e-jmx-containerinsights-test-helm-ipv6
test_props: ${{ needs.GenerateTestMatrix.outputs.eks_e2e_jmx_matrix }}
test_repo_name: ${{ needs.OutputEnvVariables.outputs.CWA_GITHUB_TEST_REPO_NAME }}
test_repo_url: ${{ needs.OutputEnvVariables.outputs.CWA_GITHUB_TEST_REPO_URL }}
test_repo_branch: ${{ needs.OutputEnvVariables.outputs.CWA_GITHUB_TEST_REPO_BRANCH }}
cloudwatch_agent_repository: ${{ needs.OutputEnvVariables.outputs.ECR_INTEGRATION_TEST_REPO }}
cloudwatch_agent_tag: ${{ inputs.build_sha || github.sha }}
cloudwatch_agent_operator_repository: ${{ needs.OutputEnvVariables.outputs.ECR_OPERATOR_REPO }}
cloudwatch_agent_operator_tag: ${{ needs.GetLatestOperatorCommitSHA.outputs.operator_commit_sha }}
region: ${{ inputs.region || 'us-west-2' }}
helm_charts_branch: ${{ inputs.helm-charts-branch || 'main' }}
terraform_assume_role: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE }}
agent_config: resources/cwagent_configs_helm_chart/containerinsights.json
sample_app: resources/sample_apps/tomcat.yaml
eks_installation_type: "HELM_CHART"
ip_family: "ipv6"
vpc_name: "ipv6-eks-integ-test/VPC"
secrets: inherit

EKSE2EJMXContainerInsightsTestAddonIPv6:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI about 1 month ago

To fix this issue, add an explicit permissions: block to the workflow file, specifying the minimal privileges needed.

  • The best way is to apply the permissions block at the root of the workflow, affecting all jobs that do not override it. This ensures the GITHUB_TOKEN used by all steps/given jobs does not have excessive permissions (such as unnecessary write access).
  • For an e2e testing workflow, typically only contents: read is necessary. If jobs require more (e.g., to update PRs), you can add those types with write access.
  • The change should be placed immediately after the name: field and before any trigger or environment blocks for readability and best practice.

No other methods or imports are required; this is a purely YAML configuration change within .github/workflows/e2e-test.yml.


Suggested changeset 1
.github/workflows/e2e-test.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml
--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@@ -2,6 +2,8 @@
 # SPDX-License-Identifier: MIT
 
 name: Run E2E Tests
+permissions:
+  contents: read
 env:
   TERRAFORM_AWS_ASSUME_ROLE: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE }}
   TERRAFORM_AWS_ASSUME_ROLE_DURATION: 14400 # 4 hours
EOF
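Review bot: Same hunk as the previous suggestion, so it must not be applied a second time; if the maintainers would rather not change the root, the alert on `EKSE2EJMXContainerInsightsTestHelmIPv6` can equally be closed with a job-level key on the calling job, which scopes just that reusable-workflow call:
    permissions:
      contents: read
    uses: ./.github/workflows/eks-e2e-test.yml
A job-level block is also the only way to give the HELM_CHART and EKS_ADDON variants different scopes should the called workflow ever need them.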
Comment on lines +435 to +458
needs: [ GetLatestOperatorCommitSHA, GenerateTestMatrix, OutputEnvVariables ]
if: always() && !cancelled() && !contains(needs.*.result, 'failure')
name: 'EKSE2EJMXContainerInsightsTestAddonIPv6'
uses: ./.github/workflows/eks-e2e-test.yml
with:
terraform_dir: terraform/eks/e2e
job_id: eks-e2e-jmx-containerinsights-test-addon-ipv6
test_props: ${{ needs.GenerateTestMatrix.outputs.eks_e2e_jmx_matrix }}
test_repo_name: ${{ needs.OutputEnvVariables.outputs.CWA_GITHUB_TEST_REPO_NAME }}
test_repo_url: ${{ needs.OutputEnvVariables.outputs.CWA_GITHUB_TEST_REPO_URL }}
test_repo_branch: ${{ needs.OutputEnvVariables.outputs.CWA_GITHUB_TEST_REPO_BRANCH }}
cloudwatch_agent_repository: ${{ needs.OutputEnvVariables.outputs.ECR_INTEGRATION_TEST_REPO }}
cloudwatch_agent_tag: ${{ inputs.build_sha || github.sha }}
cloudwatch_agent_operator_repository: ${{ needs.OutputEnvVariables.outputs.ECR_OPERATOR_REPO }}
cloudwatch_agent_operator_tag: ${{ needs.GetLatestOperatorCommitSHA.outputs.operator_commit_sha }}
region: ${{ inputs.region || 'us-west-2' }}
helm_charts_branch: ${{ inputs.helm-charts-branch || 'main' }}
terraform_assume_role: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE }}
agent_config: resources/cwagent_configs_eks_addon/containerinsights.json
sample_app: resources/sample_apps/tomcat.yaml
eks_installation_type: "EKS_ADDON"
ip_family: "ipv6"
vpc_name: "ipv6-eks-integ-test/VPC"
secrets: inherit

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI about 1 month ago

To fix the problem, an explicit permissions block must be added either at the workflow root (applies to all jobs) or specifically to the job flagged by CodeQL. The minimal and safest starting point is to set permissions: {} to grant no default permissions, considering fine-tuned scopes can be added as needed later.

Single best fix:
Add a permissions: {} block at the top of the workflow, after the name: field, but before or after env: (both are valid, but after name: and before any top-level keys like env: is standard). This ensures all jobs run with the least privileges unless individual jobs override this explicitly.

Region/lines to change:
Insert the following lines in .github/workflows/e2e-test.yml after the name: Run E2E Tests line (line 4). No imports, definitions, or other methods are needed; only the YAML is updated.


Suggested changeset 1
.github/workflows/e2e-test.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml
--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@@ -2,6 +2,7 @@
 # SPDX-License-Identifier: MIT
 
 name: Run E2E Tests
+permissions: {}
 env:
   TERRAFORM_AWS_ASSUME_ROLE: ${{ vars.TERRAFORM_AWS_ASSUME_ROLE }}
   TERRAFORM_AWS_ASSUME_ROLE_DURATION: 14400 # 4 hours
EOF
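Review bot: Scoping GITHUB_TOKEN does not reduce the larger credential exposure visible in this hunk's context: `TERRAFORM_AWS_ASSUME_ROLE` is assumed for `TERRAFORM_AWS_ASSUME_ROLE_DURATION: 14400` (four hours), and each flagged job hands every repository secret to the callee with `secrets: inherit`. Whichever permissions block is chosen for the alert, also consider trimming the role session to the suite's actual runtime and replacing `secrets: inherit` with an explicit `secrets:` mapping of the names the reusable workflow declares, since neither is affected by the permissions block.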
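The four CodeQL alerts above all stem from one missing `permissions` block, and the Copilot suggestions disagree on the fix (`{}` versus `contents: read`). As an added example, not code from this repository or from CodeQL, here is a standard-library checker that scans a workflow for the same condition, applies the autofix-style insertion after `name:`, and additionally reports `secrets: inherit` on reusable-workflow calls, which no permissions block affects. The sample workflow is constructed from the job excerpts on this page; the job names and inputs are illustrative, and the scanner reads only the flat `key: value` layout workflow files use rather than arbitrary YAML.

```python
"""Find GitHub Actions jobs whose GITHUB_TOKEN is never restricted.

Added example, not code from the amazon-cloudwatch-agent repository or from
CodeQL. It re-implements the "Workflow does not contain permissions" check with
an indentation-based scanner (standard library only, not a YAML parser).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the e2e-test.yml excerpts on this page. Job
# names and inputs are illustrative; this is not the repository's file.
SAMPLE_WORKFLOW = """\
name: Run E2E Tests
env:
  TERRAFORM_AWS_ASSUME_ROLE_DURATION: 14400 # 4 hours
on:
  workflow_dispatch:
jobs:
  OutputEnvVariables:
    runs-on: ubuntu-latest
    steps:
      - run: echo ok
  EKSE2EKafkaTestHelmIPv6:
    needs: [ OutputEnvVariables ]
    uses: ./.github/workflows/eks-e2e-test.yml
    with:
      ip_family: "ipv6"
    secrets: inherit
  Release:
    permissions:
      contents: write
"""

# "<indent>key:" plus optional scalar. List items ("- run: ...") do not match,
# so step bodies are skipped.
KEY_RE = re.compile(r"^( *)([A-Za-z_][\w.-]*):(?:\s+(.*))?$")


@dataclass
class Job:
    name: str
    permissions: Optional[str] = None  # scalar text, "<mapping>", or None if absent
    reusable: bool = False             # `uses:` call to another workflow
    inherits_secrets: bool = False     # `secrets: inherit`


@dataclass
class Workflow:
    root_permissions: Optional[str] = None
    jobs: List[Job] = field(default_factory=list)


def scan_workflow(text: str) -> Workflow:
    """Record root- and job-level `permissions`, `uses` and `secrets` keys."""
    wf, in_jobs, current = Workflow(), False, None
    job_indent = child_indent = None
    for raw in text.splitlines():
        m = KEY_RE.match(raw.split(" #", 1)[0].rstrip())  # drop trailing comment
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        value = (m.group(3) or "").strip() or "<mapping>"
        if indent == 0:                                   # top-level key
            in_jobs, current = key == "jobs", None
            if key == "permissions":
                wf.root_permissions = value
        elif in_jobs and job_indent in (None, indent):    # a job id under jobs:
            job_indent, child_indent = indent, None
            current = Job(name=key)
            wf.jobs.append(current)
        elif in_jobs and current is not None:
            child_indent = child_indent or indent
            if indent != child_indent:                    # nested under with:/steps:
                continue
            if key == "permissions":
                current.permissions = value
            elif key == "uses":
                current.reusable = True
            elif key == "secrets" and value == "inherit":
                current.inherits_secrets = True
    return wf


def findings(wf: Workflow) -> List[str]:
    """One line per problem; an empty list means the workflow is clean."""
    out: List[str] = []
    for job in wf.jobs:
        effective = job.permissions or wf.root_permissions
        if effective is None:
            out.append(f"{job.name}: no permissions block at job or workflow level")
        if job.reusable and effective == "{}":
            out.append(f"{job.name}: callee gets a GITHUB_TOKEN with no scopes; confirm it needs none")
        if job.reusable and job.inherits_secrets:
            out.append(f"{job.name}: secrets: inherit passes every repository secret to the callee")
    return out


def add_root_permissions(text: str, block: str = "permissions: {}") -> str:
    """Insert a workflow-level block directly after `name:`, as the autofix does."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("name:"):
            lines.insert(i + 1, block)
            break
    return "\n".join(lines) + "\n"
```

Running `findings(scan_workflow(SAMPLE_WORKFLOW))` reports both unprotected jobs and the `secrets: inherit` call; after `add_root_permissions(SAMPLE_WORKFLOW)` the missing-block findings disappear, but the `secrets: inherit` one stays and a new one warns that the callee now receives a token with no scopes, which is exactly the trade-off between the two Copilot suggestions.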
@Paramadon Paramadon merged commit 963ad10 into main Dec 8, 2025
1047 of 1055 checks passed
@Paramadon Paramadon deleted the paramadon/IPv6EKSTest branch December 8, 2025 18:19