first test

CSVD · Oct 1, 2024 · 66e6caa · 66e6caa
1 parent 12e3f21
commit 66e6caa
Show file tree

Hide file tree

Showing 4 changed files with 90 additions and 7 deletions.
diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml
@@ -16,10 +16,10 @@ jobs:
     runs-on: [ "229685449397" ]
 
     env:
-#       GITHUB_APP_ID: ${{ vars.GH_APP_ID }}
-#       GITHUB_APP_INSTALLATION_ID: ${{ vars.GH_APP_INSTALLATION_ID }}
-#       GITHUB_APP_PEM_FILE: ${{ secrets.GH_APP_PEM_FILE }}
-      GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+#     GITHUB_APP_ID: ${{ vars.GH_APP_ID }}
+      GITHUB_APP_INSTALLATION_ID: ${{ vars.GH_APP_INSTALLATION_ID }}
+      GITHUB_APP_PEM_FILE: ${{ secrets.GH_APP_PEM_FILE }}
+#     GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
       GITHUB_OWNER: CSVD
       GITHUB_BASE_URL: https://github.e.it.census.gov/
       TF_WORKSPACE: ${{ vars.terraform_workspace }}
@@ -48,6 +48,11 @@ jobs:
           echo AWS_SECRET_ACCESS_KEY=`jq -r '.SecretAccessKey' aws_credentials.json` >> $GITHUB_ENV
           aws configure set aws_session_token `jq -r '.Token' aws_credentials.json`
           echo AWS_SESSION_TOKEN=`jq -r '.Token' aws_credentials.json` >> $GITHUB_ENV
+
+      - name: Setup GITHUB Credentials
+        id: github_credentials
+        run: | 
+          export GITHUB_TOKEN=$(python encode_jwt.py $GITHUB_APP_PEM_FILE $GITHUB_APP_INSTALLATION_ID $GITHUB_BASE_URL)
           
       - name: Terraform Init
         id: init

diff --git a/data.tf b/data.tf
@@ -1,3 +1 @@
-data "aws_region" "current" {}
-
 data "github_organization_teams" "teams" {}
diff --git a/encode_jwt.py b/encode_jwt.py
@@ -0,0 +1,80 @@
+## Run this script set the private key as github_app_private_key and installation_id as the installation id of the app
+
+#export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt
+#export github_app_private_key="-----BEGIN"
+#export github_app_installation_id=11
+#export github_app_url=https://github.e.it.census.gov
+#export GITHUB_TOKEN=$(python encode_jwt.py "$github_app_private_key" "$github_app_installation_id" "$github_app_url")
+
+import time
+import json
+import base64
+import argparse
+import requests
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric import padding
+from cryptography.hazmat.primitives.serialization import load_pem_private_key
+import sys
+
+# Set up argument parser
+parser = argparse.ArgumentParser(description='Encode JWT with RS256 and get GitHub Enterprise installation access token')
+parser.add_argument('private_key', type=str, help='PEM formatted private key string')
+parser.add_argument('installation_id', type=str, help='GitHub App Installation ID')
+parser.add_argument('enterprise_url', type=str, help='GitHub Enterprise API URL (e.g., https://github.e.it.census.gov)')
+args = parser.parse_args()
+
+# Load the PEM private key
+private_key = load_pem_private_key(args.private_key.encode(), password=None)
+
+# JWT Header
+header = {
+    "alg": "RS256",
+    "typ": "JWT"
+}
+
+# JWT Payload
+payload = {
+    "iat": int(time.time()),
+    "exp": int(time.time()) + (10 * 60),
+    "iss": "6"  # Replace with your actual GitHub App ID
+}
+
+# Encode Header and Payload as Base64
+header_encoded = base64.urlsafe_b64encode(json.dumps(header).encode()).decode().rstrip("=")
+payload_encoded = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode().rstrip("=")
+
+# Create the message (header + payload)
+message = f"{header_encoded}.{payload_encoded}".encode()
+
+# Sign the message using RS256
+signature = private_key.sign(
+    message,
+    padding.PKCS1v15(),
+    hashes.SHA256()
+)
+
+# Encode the signature in Base64
+signature_encoded = base64.urlsafe_b64encode(signature).decode().rstrip("=")
+
+# Construct the full JWT
+jwt_token = f"{header_encoded}.{payload_encoded}.{signature_encoded}"
+
+# Prepare the request to get the installation access token
+headers = {
+    "Authorization": f"Bearer {jwt_token}",
+    "Accept": "application/vnd.github+json"
+}
+
+# Make the request to the GitHub Enterprise API to get the installation access token
+url = f"{args.enterprise_url}/api/v3/app/installations/{args.installation_id}/access_tokens"
+response = requests.post(url, headers=headers)
+
+# Check if the request was successful
+if response.status_code == 201:
+    installation_access_token = response.json().get('token')
+    print(installation_access_token)  # Output the token only
+else:
+    # Raise an error with a message
+    sys.stderr.write(f"Error: Failed to get installation access token. Status code: {response.status_code}\n")
+    sys.stderr.write(f"{response.text}\n")
+    sys.exit(1)  # Exit with an error code
diff --git a/versions.tf b/versions.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     random = {
       source  = "integrations/github"
-      version = ">= 6.2.2"
+      version = ">= 6.3.0"
     }
     aws = {
       source  = "hashicorp/aws"