Merge branch 'main' into main_xinranzh

# Conflicts:
#	.github/workflows/post_release_version_bump.yml

Author: XinRanZhAWS

.coveragerc

@@ -0,0 +1,4 @@
+[report]
+include_namespace_packages = true
+fail_under = 95.00
+precision = 2

.github/actions/artifacts_build/action.yml

@@ -1,20 +1,21 @@
 name: Build and Push aws-opentelemetry-distro
 description: |
-  This action assumes that the repo was checked out. Builds and pushes/loads wheel and image files.
+  This action assumes that the repo was checked out. Builds and pushes/loads wheel and image files. Also performs scan
+  of the resultant image.
 
 inputs:
   aws-region:
-    required: true
-    description: "AWS Region"
+    required: false
+    description: "AWS Region, required only if push_image is true"
   image_uri_with_tag:
     required: true
     description: "Image URI with Tag"
   image_registry:
-    required: true
-    description: "Image Registry"
+    required: false
+    description: "Image Registry, required only if push_image is true"
   snapshot-ecr-role:
-    required: true
-    description: "IAM Role used for pushing to snapshot ecr"
+    required: false
+    description: "IAM Role used for pushing to snapshot ecr, required only if push_image is true"
   push_image:
     required: true
     description: "Whether push image to ECR"
@@ -90,4 +91,10 @@ runs:
         file: ./Dockerfile
         platforms: linux/amd64
         tags: ${{ inputs.image_uri_with_tag }}
-        load: ${{ inputs.load_image }}
+        load: ${{ inputs.load_image }}
+
+    - name: Perform image scan
+      uses: ./.github/actions/image_scan
+      with:
+        image-ref: ${{ inputs.image_uri_with_tag }}
+        severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'

.github/actions/execute_and_retry/action.yml

@@ -0,0 +1,60 @@
+# Reusable Action for executing commands and retrying them if it fails
+name: Command Retry Logic
+
+inputs:
+  # (Optional) Command to run before the retry command. To be used for environment setup, etc
+  pre-command:
+    required: false
+    type: string
+  # (Optional) Number of retries to perform. Default is 2
+  max_retry:
+    required: false
+    type: number
+    default: 2
+  # (Required) Command to execute with the retry mechanism
+  command:
+    required: true
+    type: string
+  # (Required) Command to clean up resources before retrying the main command
+  cleanup:
+    required: false
+    type: string
+  # (Optional) Follow-up command after the main command is finished.
+  post-command:
+    required: false
+    type: string
+
+runs:
+  using: "composite"
+  steps:
+    - name: Run command
+      shell: bash
+      env:
+        PRE_COMMAND: ${{ inputs.pre-command }}
+        MAX_RETRY: ${{ inputs.max_retry }}
+        COMMAND: ${{ inputs.command }}
+        CLEANUP: ${{ inputs.cleanup }}
+        POST_COMMAND: ${{ inputs.post-command }}
+      run: |
+        eval "$PRE_COMMAND"
+        
+        retry_counter=0
+        while [ $retry_counter -lt $MAX_RETRY ]; do
+          attempt_failed=0
+          eval "$COMMAND" || attempt_failed=$?
+        
+          if [ $attempt_failed -ne 0 ]; then
+            eval "$CLEANUP"
+            retry_counter=$(($retry_counter+1))
+            sleep 5
+          else
+            break
+          fi
+        
+          if [ $retry_counter -eq $max_retry ]; then
+            echo "Max retry reached, command failed to execute properly. Exiting code"
+            exit 1
+          fi
+        done
+        
+        eval "$POST_COMMAND"

.github/actions/image_scan/action.yml

@@ -0,0 +1,33 @@
+## Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+## SPDX-License-Identifier: Apache-2.0
+name: image-scan
+description: |
+  This action performs a scan of a provided (local or public ECR remote) image, using Trivy.
+
+inputs:
+  image-ref:
+    required: true
+    description: "Reference for the image to be scanned"
+  severity:
+    required: true
+    description: "List of severities that will cause a failure"
+
+runs:
+  using: "composite"
+  steps:
+
+  # Per https://docs.aws.amazon.com/AmazonECR/latest/public/docker-pull-ecr-image.html, it is possible to
+  # make unauthorized calls to get public ECR images (needed to build the ADOT Python docker image), but
+  # it can fail if you previously authenticated to a public repo. Adding this step to log out, so we
+  # ensure we can make unauthenticated call. This is important for making the pr_build workflow run on
+  # PRs created from forked repos.
+  - name: Logout of public AWS ECR
+    shell: bash
+    run: docker logout public.ecr.aws
+
+  - name: Run Trivy vulnerability scanner on image
+    uses: aquasecurity/trivy-action@master
+    with:
+      image-ref: ${{ inputs.image-ref }}
+      severity: ${{ inputs.severity }}
+      exit-code: '1'

.github/actions/set_up/action.yml

@@ -41,4 +41,4 @@ runs:
     - name: Run unit tests/benchmarks with tox
       if: ${{ inputs.run_unit_tests == 'true' }}
       shell: bash
-      run: tox -f ${{ inputs.python_version }}-${{ inputs.package_name }} -- -ra --benchmark-json=${{ inputs.python_version }}-${{ inputs.package_name }}-${{ inputs.os }}-benchmark.json
+      run: tox -f ${{ inputs.python_version }}-${{ inputs.package_name }} -- -ra

.github/dependency-check-suppressions.xml

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <!--False positive: opentelemetry-exporter-otlp-proto-grpc incorrectly maps to grpc-->
+    <suppress>
+        <notes><![CDATA[file name: opentelemetry-exporter-otlp-proto-grpc:1.22.0]]></notes>
+        <packageUrl regex="true">^pkg:pypi/opentelemetry\-exporter\-otlp\-proto\-grpc@.*$</packageUrl>
+        <cpe>cpe:/a:grpc:grpc</cpe>
+    </suppress>
+</suppressions>

.github/workflows/appsignals-python-e2e-ec2-test.yml

@@ -45,7 +45,7 @@ jobs:
           ref: main
 
       - name: Set CW Agent RPM environment variable
-        run: echo GET_CW_AGENT_RPM_COMMAND="wget -O cw-agent.rpm https://amazoncloudwatch-agent-${{ inputs.aws-region }}.s3.${{ inputs.aws-region }}.amazonaws.com/amazon_linux/amd64/1.300031.0b313/amazon-cloudwatch-agent.rpm" >> $GITHUB_ENV
+        run: echo GET_CW_AGENT_RPM_COMMAND="wget -O cw-agent.rpm https://amazoncloudwatch-agent-${{ inputs.aws-region }}.s3.${{ inputs.aws-region }}.amazonaws.com/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm" >> $GITHUB_ENV
 
       - name: Generate testing id
         run: echo TESTING_ID="${{ github.run_id }}-${{ github.run_number }}" >> $GITHUB_ENV

.github/workflows/appsignals-python-e2e-eks-test.yml

@@ -46,6 +46,29 @@ jobs:
           ref: main
           fetch-depth: 0
 
+      - name: Download enablement script
+        uses: actions/checkout@v4
+        with:
+          repository: aws-observability/application-signals-demo
+          ref: main
+          path: enablement-script
+          sparse-checkout: |
+            scripts/eks/appsignals/enable-app-signals.sh
+            scripts/eks/appsignals/clean-app-signals.sh
+          sparse-checkout-cone-mode: false
+
+      - name: Resolve Add-on configuration conflict
+        working-directory: enablement-script/scripts/eks/appsignals
+        run: |
+          sed -i 's/aws eks create-addon \\/aws eks create-addon \\\n        --resolve-conflicts OVERWRITE \\/' enable-app-signals.sh
+
+      - name: Remove log group deletion command
+        if: always()
+        working-directory: enablement-script/scripts/eks/appsignals
+        run: |
+          delete_log_group="aws logs delete-log-group --log-group-name '${{ env.LOG_GROUP_NAME }}' --region \$REGION"
+          sed -i "s#$delete_log_group##g" clean-app-signals.sh
+
       - name: Generate testing id
         run: echo TESTING_ID="${{ inputs.aws-region }}-${{ github.run_id }}-${{ github.run_number }}" >> $GITHUB_ENV
 
@@ -100,58 +123,6 @@ jobs:
           --region ${{ inputs.aws-region }} \
           --approve
 
-      # TODO: This step is used for custom pre-release instrumentation
-      # It is a temporary measure until the cw add-on is released with python support
-      - name: Setup Helm
-        uses: azure/setup-helm@v3
-
-      # TODO: This step is used for custom pre-release instrumentation
-      # It is a temporary measure until the cw add-on is released with python support
-      - name: Checkout Amazon Cloudwatch Agent Operator
-        uses: actions/checkout@v4
-        with:
-          repository: aws/amazon-cloudwatch-agent-operator
-          # SHA as of March 4
-          ref: abf75babe672412cb63c56cbcf1c5ce2d8c97a1c
-          path: amazon-cloudwatch-agent-operator
-
-      # TODO: This step is used for custom pre-release instrumentation
-      # It is a temporary measure until the cw add-on is released with python support
-      - name: Edit Helm values for Amazon Cloudwatch Agent Operator
-        working-directory: amazon-cloudwatch-agent-operator/helm/
-        run: |
-          sed -i 's/clusterName:/clusterName: ${{ inputs.test-cluster-name }}/g' values.yaml
-          sed -i 's/region:/region: ${{ inputs.aws-region }}/g' values.yaml
-          sed -i 's/tag: 1.0.2/tag: 1.1.0/g' values.yaml
-          if [ ${{ inputs.appsignals-adot-image }} != "" ]; then
-            echo "Using provided AppSignals ADOT image"
-            sed -i 's~repository: ghcr.io/open-telemetry/opentelemetry-operator/autoinstrumentation-python~repository: ${{ inputs.appsignals-adot-image }}~g' values.yaml
-          else
-            echo "AppSignals ADOT image is not provided"
-            sed -i 's~repository: ghcr.io/open-telemetry/opentelemetry-operator/autoinstrumentation-python~repository: ${{ secrets.TEMP_TEST_ADOT_PYTHON_IMAGE }}~g' values.yaml
-          fi
-          if [ ${{ inputs.appsignals-adot-image-tag }} != "" ]; then
-            echo "Using appsignals-adot-image-tag"
-            sed -i 's/tag: 0.43b0/tag: ${{ inputs.appsignals-adot-image-tag }}/g' values.yaml
-          else
-            echo "appsignals-adot-image-tag is empty"
-            sed -i 's/tag: 0.43b0/tag: latest/g' values.yaml
-          fi
-
-      # TODO: This step is used for custom pre-release instrumentation
-      # It is a temporary measure until the cw add-on is released with python support
-      - name: Create CWA Operator Namespace file
-        working-directory: amazon-cloudwatch-agent-operator/
-        run: |
-          cat <<EOF > ./namespace.yaml
-          apiVersion: v1
-          kind: Namespace
-          metadata:
-            name: amazon-cloudwatch
-            labels:
-              name: amazon-cloudwatch
-          EOF
-
       - name: Set up terraform
         uses: hashicorp/setup-terraform@v3
         with:
@@ -192,21 +163,24 @@ jobs:
             # If the deployment_failed is still 0, then the terraform deployment succeeded and now try to connect to the endpoint 
             # after installing App Signals. Attempts to connect will be made for up to 10 minutes
             if [ $deployment_failed -eq 0 ]; then          
-
               kubectl wait --for=condition=Ready pod --all -n ${{ env.PYTHON_SAMPLE_APP_NAMESPACE }}
 
               echo "Installing app signals to the sample app"
-
-              # TODO: The next 7 lines are used for custom pre-release instrumentation
-              # It is a temporary measure until the cw add-on is released with python support
-              cd ${{ github.workspace }}/amazon-cloudwatch-agent-operator/
-              kubectl apply -f namespace.yaml
-              helm template amazon-cloudwatch-observability ./helm --include-crds --namespace amazon-cloudwatch | kubectl apply --namespace amazon-cloudwatch --server-side --force-conflicts -f -
-
-              kubectl wait --for=condition=Ready pod --all -n amazon-cloudwatch
-              kubectl delete pods --all -n ${{ env.PYTHON_SAMPLE_APP_NAMESPACE }}
-              kubectl wait --for=condition=Ready pod --all -n ${{ env.PYTHON_SAMPLE_APP_NAMESPACE }}
-              cd ${{ github.workspace }}/terraform/python/eks
+              source ${GITHUB_WORKSPACE}/.github/workflows/util/execute_and_retry.sh
+              execute_and_retry 2 \
+              "${GITHUB_WORKSPACE}/enablement-script/scripts/eks/appsignals/enable-app-signals.sh \
+              ${{ inputs.test-cluster-name }} \
+              ${{ inputs.aws-region }} \
+              ${{ env.PYTHON_SAMPLE_APP_NAMESPACE }}" \
+              "${GITHUB_WORKSPACE}/enablement-script/scripts/eks/appsignals/clean-app-signals.sh \
+              ${{ inputs.test-cluster-name }} \
+              ${{ inputs.aws-region }} \
+              ${{ env.PYTHON_SAMPLE_APP_NAMESPACE }} && \
+              aws eks update-kubeconfig --name ${{ inputs.test-cluster-name }} --region ${{ inputs.aws-region }}"
+
+
+              execute_and_retry 2 "kubectl delete pods --all -n ${{ env.PYTHON_SAMPLE_APP_NAMESPACE }}"
+              execute_and_retry 2 "kubectl wait --for=condition=Ready --request-timeout '5m' pod --all -n ${{ env.PYTHON_SAMPLE_APP_NAMESPACE }}"
 
               echo "Attempting to connect to the endpoint"
               python_app_endpoint=http://$(terraform output python_app_endpoint)
@@ -374,9 +348,12 @@ jobs:
       - name: Clean Up App Signals
         if: always()
         continue-on-error: true
-        working-directory: amazon-cloudwatch-agent-operator/
+        working-directory: enablement-script/scripts/eks/appsignals
         run: |
-          kubectl delete -f ./namespace.yaml
+          ./clean-app-signals.sh \
+          ${{ inputs.test-cluster-name }} \
+          ${{ inputs.aws-region }} \
+          ${{ env.PYTHON_SAMPLE_APP_NAMESPACE }}
 
       # This step also deletes lingering resources from previous test runs
       - name: Delete all sample app resources