AWS Dev Deployed Persona Smoke

Status

Implemented in OP-083.

Persona Outcome

Persona        | What is validated after Helm deploy
---------------|------------------------------------
system_admin   | Can authenticate through Keycloak, read /api/v1/session, open authenticated API docs, create a throwaway tenant, and bootstrap a tenant admin.
tenant_admin   | Can authenticate as the new tenant admin, issue and revoke an enrollment token, and read the heartbeat-created asset.
endpoint agent | Can exchange the enrollment token for a runtime-lite service-account token and submit heartbeat telemetry.

What Changed

  • Added scripts/ci/aws_dev_persona_smoke.py.
  • Extended scripts/ci/smoke-aws-dev.sh so the manual smoke_aws_dev job can run deployed persona probes after deploy_aws_dev.
  • Added redacted smoke artifacts under artifacts/aws-dev-smoke/.
  • Documented protected/masked AWS_DEV_SMOKE_* variables in the AWS CI variable matrix.
  • Added tests for the smoke driver and redaction behavior.

Journey Validated

  1. Obtain a short-lived OIDC token for an existing system admin.
  2. Verify /api/v1/session, /api/docs, and /api/openapi.json.
  3. Create a unique throwaway smoke tenant.
  4. Bootstrap a tenant-admin user with a non-temporary smoke password.
  5. Obtain a tenant-admin OIDC token and verify tenant/role claims.
  6. Issue an enrollment token.
  7. Exchange the enrollment token for an agent identity and runtime-lite heartbeat token.
  8. Submit heartbeat telemetry.
  9. Verify /api/v1/assets list and detail include the heartbeat-created asset.
  10. Revoke the enrollment token.

Security Boundaries

  • The full persona probe is opt-in with AWS_DEV_PERSONA_SMOKE_ENABLED=true.
  • System-admin and tenant-admin smoke credentials must be protected and masked CI variables.
  • CI logs never print raw OIDC, enrollment, runtime agent, certificate, CSR, or password material.
  • The JSON report artifact is redacted before writing.
  • The job runs only after the Helm deploy job succeeds and emits its deploy marker artifact.
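The two boundaries above that matter most for a CI artifact are "logs never print raw ... material" and "the JSON report is redacted before writing". The following is an added illustration of how such a redaction step can be built; it is not the project's scripts/ci/aws_dev_persona_smoke.py and the key names, regexes and sample report below are assumptions constructed for the example. It masks by key name (anything token-, password-, secret-, CSR- or certificate-like), by value (every secret the driver handled, wherever it shows up, including inside URLs), and by shape (PEM blocks and JWT-looking strings), then refuses to write the artifact if any known secret still survives in the serialized text.

```python
"""Redact a persona-smoke JSON report before it is written as a CI artifact (example, not project code)."""
import json
import re
from pathlib import Path
from typing import Any, Sequence

# Key names (case-insensitive substring match) whose values are always masked.
# This is deliberately broad: a masked "token_endpoint" URL costs nothing, a leaked token does.
SENSITIVE_KEY_PARTS = ("token", "password", "secret", "authorization",
                       "cookie", "csr", "certificate", "private_key")

# Shape-based masks for material that may be embedded in an otherwise harmless string.
PEM_RE = re.compile(r"-----BEGIN [A-Z ]+-----.*?-----END [A-Z ]+-----", re.DOTALL)
JWT_RE = re.compile(r"\b[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b")

MASK = "[REDACTED]"


def _is_sensitive_key(key: str) -> bool:
    lowered = key.lower()
    return any(part in lowered for part in SENSITIVE_KEY_PARTS)


def _scrub_string(value: str, known_secrets: Sequence[str]) -> str:
    # Longest secret first, so a secret that is a prefix of another cannot leave a tail fragment.
    for secret in sorted((s for s in known_secrets if s), key=len, reverse=True):
        value = value.replace(secret, MASK)
    value = PEM_RE.sub(MASK, value)
    value = JWT_RE.sub(MASK, value)
    return value


def redact(obj: Any, known_secrets: Sequence[str] = ()) -> Any:
    """Return a deep copy of obj with secret material replaced by MASK."""
    if isinstance(obj, dict):
        return {k: (MASK if _is_sensitive_key(str(k)) else redact(v, known_secrets))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v, known_secrets) for v in obj]
    if isinstance(obj, str):
        return _scrub_string(obj, known_secrets)
    return obj


def leaked_secrets(text: str, known_secrets: Sequence[str]) -> list:
    """Known secret values that still appear verbatim in the serialized artifact."""
    return [s for s in known_secrets if s and s in text]


def render_redacted(report: Any, known_secrets: Sequence[str]) -> str:
    """Serialize the redacted report; raise instead of producing an artifact that still leaks."""
    text = json.dumps(redact(report, known_secrets), indent=2, sort_keys=True)
    leaks = leaked_secrets(text, known_secrets)
    if leaks:
        # A secret used as a dict *key* is not scrubbed by redact(); this catch-all refuses to ship it.
        raise RuntimeError(f"refusing to write artifact: {len(leaks)} secret(s) still present")
    return text


def write_redacted_report(path: str, report: Any, known_secrets: Sequence[str]) -> str:
    text = render_redacted(report, known_secrets)
    Path(path).write_text(text)
    return text


# Constructed sample report; none of these values come from a real run.
SAMPLE_SECRETS = ("enr-0123456789",)
SAMPLE_REPORT = {
    "tenant_id": "smoke-20240101-abc123",
    "session": {"user": "smoke-admin", "roles": ["system_admin"]},
    "system_admin_token": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.c2lnbmF0dXJl",
    "enrollment": {"token": "enr-0123456789", "status": "revoked"},
    "agent": {
        "csr_pem": "-----BEGIN CERTIFICATE REQUEST-----\nMIIB...\n-----END CERTIFICATE REQUEST-----",
        "heartbeat_url": "https://dev.example/api/v1/heartbeat?t=enr-0123456789",
    },
}

if __name__ == "__main__":
    print(render_redacted(SAMPLE_REPORT, SAMPLE_SECRETS))
```

The value-based pass is what catches the enrollment token echoed back inside the heartbeat URL, which a key-name filter alone would miss; the final `leaked_secrets` check is the backstop for places the walker does not visit, such as dict keys. In a CI job the same `known_secrets` list should be fed to whatever wraps log output, so the log and the artifact are redacted from one source of truth.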

Validation

SMOKE_AWS_DEV_DRY_RUN=true bash scripts/ci/smoke-aws-dev.sh
.venv/bin/python -m unittest tests.test_aws_dev_persona_smoke
make docs-build

Non-Scope

  • No new AWS resources.
  • No Terraform, Helm, or runtime feature changes.
  • No browser SSH broker validation.
  • No cleanup API for smoke tenants yet; smoke tenants are unique and traceable by their generated smoke-* ID.