From e8b4fede4d74034c7b5c35ae5af856823df431b2 Mon Sep 17 00:00:00 2001 From: arnol377 Date: Fri, 30 Aug 2024 17:12:23 -0400 Subject: [PATCH 1/3] using a service account instead of my own personal account --- .github/workflows/terraform_apply.yaml | 2 +- .github/workflows/terraform_plan.yaml | 2 +- image-pipeline.tf | 35 +++++++++++++++++++- variables.tf | 3 ++ workflows/goss-testing.yaml | 46 ++++++++++++++++++++++++++ workflows/s3_upload.yaml.tpl | 2 +- workflows/terraform-apply.yaml.tpl | 2 +- workflows/terraform-plan.yaml.tpl | 2 +- 8 files changed, 88 insertions(+), 6 deletions(-) create mode 100644 workflows/goss-testing.yaml diff --git a/.github/workflows/terraform_apply.yaml b/.github/workflows/terraform_apply.yaml index 292208a..b48c1ce 100644 --- a/.github/workflows/terraform_apply.yaml +++ b/.github/workflows/terraform_apply.yaml @@ -17,7 +17,7 @@ jobs: env: AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}" AWS_ACCESS_KEY_ID: "${{ vars.AWS_ACCESS_KEY_ID }}" - AWS_SESSION_TOKEN: "${{ secrets.AWS_SESSION_TOKEN }}" + AWS_DEFAULT_REGION: "${{ vars.AWS_DEFAULT_REGION }}" GITHUB_TOKEN: "${{ secrets.GH_TOKEN }}" diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 4ca8302..4684893 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -16,7 +16,7 @@ jobs: env: AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}" AWS_ACCESS_KEY_ID: "${{ vars.AWS_ACCESS_KEY_ID }}" - AWS_SESSION_TOKEN: "${{ secrets.AWS_SESSION_TOKEN }}" + AWS_DEFAULT_REGION: "${{ vars.AWS_SESSION_TOKEN }}" GITHUB_TOKEN: "${{ secrets.GH_TOKEN }}" diff --git a/image-pipeline.tf b/image-pipeline.tf index f19cd98..704a128 100644 --- a/image-pipeline.tf +++ b/image-pipeline.tf @@ -8,6 +8,9 @@ locals { ] } +locals { + s3_upload = "${path.module}/workflows/s3_upload.yaml.tpl" +} module "image_pipeline_repos" { for_each = toset(local.pipeline_repos) 
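Review bot: The replacement line in `.github/workflows/terraform_plan.yaml` sets the region from the wrong variable, `AWS_DEFAULT_REGION: "${{ vars.AWS_SESSION_TOKEN }}"`, so the plan job runs with an empty (or unintended) region while the sibling `terraform_apply.yaml` hunk correctly reads `vars.AWS_DEFAULT_REGION`. It should be `AWS_DEFAULT_REGION: "${{ vars.AWS_DEFAULT_REGION }}"`. Neither of the two later commits in this series touches `.github/workflows/`, so the typo survives the whole patch set.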
@@ -24,11 +27,27 @@ module "image_pipeline_repos" { enforce_prs = true collaborators = merge(local.collaborators, { garri325 = "admin" }) pull_request_bypassers = local.pull_request_bypassers + vars = [ + { + name = "AWS_ACCESS_KEY_ID", + value = module.aws_session_configuration.iam_credentials.iam_access_key_id + }, + { + name = "AWS_DEFAULT_REGION", + value = data.aws_region.current.name + } + ] + secrets = [ + { + name = "AWS_SECRET_ACCESS_KEY" + value = module.aws_session_configuration.iam_credentials.iam_secret_access_key + } + ] managed_extra_files = [ { path = ".github/workflows/s3_upload.yaml" content = templatefile( - "${path.module}/workflows/s3_upload.yaml.tpl", + lookup(var.image_pipeline_workflows, each.value, local.s3_upload), { repo_name = each.value, bucket_name = "image-pipeline-assets" @@ -75,6 +94,20 @@ module "aws_image_pipeline" { { name = "terraform_version" value = "1.9.1" + }, + { + name = "AWS_ACCESS_KEY_ID", + value = module.aws_session_configuration.iam_credentials.iam_access_key_id + }, + { + name = "AWS_DEFAULT_REGION", + value = data.aws_region.current.name + } + ] + secrets = [ + { + name = "AWS_SECRET_ACCESS_KEY" + value = module.aws_session_configuration.iam_credentials.iam_secret_access_key } ] managed_extra_files = [ diff --git a/variables.tf b/variables.tf index e69de29..e8a112b 100644 --- a/variables.tf +++ b/variables.tf @@ -0,0 +1,3 @@ +variable image_pipeline_workflows { + type = map(string) +} diff --git a/workflows/goss-testing.yaml b/workflows/goss-testing.yaml new file mode 100644 index 0000000..ad78527 --- /dev/null +++ b/workflows/goss-testing.yaml 
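Review bot: The service-account secret key is read from `module.aws_session_configuration.iam_credentials.iam_secret_access_key` and fanned out to every repository in `local.pipeline_repos` as a repo secret, and the same value will be persisted in plaintext in Terraform state, so the state backend needs at least the same access controls and encryption as the GitHub secrets themselves. Because the key is long-lived, plan for rotation (recreating the access key and re-applying) rather than one-time provisioning, and if the enterprise instance supports OIDC federation that would remove the static key entirely — inferred from the module names, not shown in the hunk. Separately, `merge(local.collaborators, { garri325 = "admin" })` grants a personal account admin on every pipeline repo, which runs counter to the service-account goal in the commit message (PATCH 2/3 drops it again).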
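Review bot: `variable image_pipeline_workflows` has no `default`, so every `terraform plan`/`apply` fails with a missing-input error unless the map is supplied via tfvars or `TF_VAR_image_pipeline_workflows`; the `lookup(var.image_pipeline_workflows, each.value, local.s3_upload)` fallback in `image-pipeline.tf` suggests an empty map is the expected normal case. Add `default = {}` and a `description` stating that keys are repo names and values are workflow template paths, e.g. `description = "Repo name -> workflow template path; repos not listed get workflows/s3_upload.yaml.tpl"`.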
@@ -0,0 +1,46 @@ +# This is a basic workflow to help you get started with Actions +name: S3 Upload + +on: + push: + branches: [ "main" ] + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + # This workflow contains a single job called "build" + build: + # The type of runner that the job will run on + runs-on: [ image-pipeline-goss-testing ] + env: + AWS_SECRET_ACCESS_KEY: "$${{ secrets.AWS_SECRET_ACCESS_KEY }}" + AWS_ACCESS_KEY_ID: "$${{ vars.AWS_ACCESS_KEY_ID }}" + AWS_DEFAULT_REGION: "$${{ vars.AWS_DEFAULT_REGION }}" + + + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it + - uses: actions/checkout@v3 + + - uses: CSVD/gh-actions-setup-node@v3 + with: + node-version: 16 + + - uses: CSVD/gh-actions-setup-terraform@v2 + with: + terraform_wrapper: false + terraform_version: $${{ vars.terraform_version }} + + - name: get latest + run: | + terraform init -input=false -upgrade + terraform apply -auto-approve -input=false + working-directory: ./update + + - name: archive and upload + run: | + rm -rf .terraform update update/.terraform + zip -r image-pipeline-goss-testing.zip * + aws s3 cp image-pipeline-goss-testing.zip s3://image-pipeline-assets diff --git a/workflows/s3_upload.yaml.tpl b/workflows/s3_upload.yaml.tpl index 531c9b6..08628ce 100644 --- a/workflows/s3_upload.yaml.tpl +++ b/workflows/s3_upload.yaml.tpl @@ -16,7 +16,7 @@ jobs: env: AWS_SECRET_ACCESS_KEY: "$${{ secrets.AWS_SECRET_ACCESS_KEY }}" AWS_ACCESS_KEY_ID: "$${{ vars.AWS_ACCESS_KEY_ID }}" - AWS_SESSION_TOKEN: "$${{ secrets.AWS_SESSION_TOKEN }}" + AWS_DEFAULT_REGION: "$${{ vars.AWS_DEFAULT_REGION }}" # Steps represent a sequence of tasks that will be executed as part of the job 
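Review bot: The job-level `env:` block hands `AWS_SECRET_ACCESS_KEY` to every step, including the third-party `actions/checkout@v3`, `CSVD/gh-actions-setup-node@v3` and `CSVD/gh-actions-setup-terraform@v2` steps that have no need for AWS access; only `get latest` and `archive and upload` use the CLI/provider, so move the `env:` block under those two steps. Since the workflow runs `terraform apply -auto-approve` on every push to `main` with a long-lived key, the mutable `@v3`/`@v2` tags are a supply-chain exposure and should be pinned to commit SHAs. Minor: `name: S3 Upload` is copied from the upload template, and the `$${{ … }}` escaping only resolves correctly if this file is rendered through `templatefile()` like its `.tpl` siblings — if it is ever copied verbatim into `.github/workflows/`, the credential values will not be substituted as intended.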
diff --git a/workflows/terraform-apply.yaml.tpl b/workflows/terraform-apply.yaml.tpl index c112c78..3f2614a 100644 --- a/workflows/terraform-apply.yaml.tpl +++ b/workflows/terraform-apply.yaml.tpl @@ -18,7 +18,7 @@ jobs: env: AWS_SECRET_ACCESS_KEY: "$${{ secrets.AWS_SECRET_ACCESS_KEY }}" AWS_ACCESS_KEY_ID: "$${{ vars.AWS_ACCESS_KEY_ID }}" - AWS_SESSION_TOKEN: "$${{ secrets.AWS_SESSION_TOKEN }}" + AWS_DEFAULT_REGION: "$${{ vars.AWS_DEFAULT_REGION # Steps represent a sequence of tasks that will be executed as part of the job diff --git a/workflows/terraform-plan.yaml.tpl b/workflows/terraform-plan.yaml.tpl index f4a20cb..08cc97f 100644 --- a/workflows/terraform-plan.yaml.tpl +++ b/workflows/terraform-plan.yaml.tpl @@ -17,7 +17,7 @@ jobs: env: AWS_SECRET_ACCESS_KEY: "$${{ secrets.AWS_SECRET_ACCESS_KEY }}" AWS_ACCESS_KEY_ID: "$${{ vars.AWS_ACCESS_KEY_ID }}" - AWS_SESSION_TOKEN: "$${{ secrets.AWS_SESSION_TOKEN }}" + AWS_DEFAULT_REGION: "$${{ vars.AWS_DEFAULT_REGION }}" # Steps represent a sequence of tasks that will be executed as part of the job From e396af826e7607888084799435590118dcc7fa1f Mon Sep 17 00:00:00 2001 From: arnol377 Date: Thu, 5 Sep 2024 15:19:07 -0400 Subject: [PATCH 2/3] updating --- image-pipeline.tf | 52 ++++++++++++++++-------------- main.tf | 4 +-- sandbox.tf | 2 +- variables.tf | 2 +- workflows/goss-testing.yaml | 2 +- workflows/s3_upload.yaml.tpl | 2 +- workflows/terraform-apply.yaml.tpl | 2 +- workflows/terraform-plan.yaml.tpl | 2 +- 8 files changed, 35 insertions(+), 33 deletions(-) diff --git a/image-pipeline.tf b/image-pipeline.tf index 704a128..8cb3ae0 100644 --- a/image-pipeline.tf +++ b/image-pipeline.tf 
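Review bot: The replacement line in `workflows/terraform-apply.yaml.tpl` is truncated — `AWS_DEFAULT_REGION: "$${{ vars.AWS_DEFAULT_REGION` has no closing `}}"` — so the rendered file contains an unterminated quoted scalar that swallows the following comment line, and every repo receiving it via `managed_extra_files` gets an invalid workflow. It should read `AWS_DEFAULT_REGION: "$${{ vars.AWS_DEFAULT_REGION }}"`, matching the `terraform-plan.yaml.tpl` hunk alongside it. PATCH 2/3 replaces the line again, but this commit on its own is broken and should be fixed or squashed.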
@@ -25,22 +25,19 @@ module "image_pipeline_repos" { force_name = true create_codeowners = false enforce_prs = true - collaborators = merge(local.collaborators, { garri325 = "admin" }) + collaborators = local.collaborators pull_request_bypassers = local.pull_request_bypassers - vars = [ - { - name = "AWS_ACCESS_KEY_ID", - value = module.aws_session_configuration.iam_credentials.iam_access_key_id - }, + secrets = [ + for secret in [for secret in local.secrets : secret if secret != "AWS_ACCESS_KEY_ID"] : { - name = "AWS_DEFAULT_REGION", - value = data.aws_region.current.name + name = replace(secret, "GITHUB", "GH") + value = lookup(module.env_var, secret).value } ] - secrets = [ + vars = [ { - name = "AWS_SECRET_ACCESS_KEY" - value = module.aws_session_configuration.iam_credentials.iam_secret_access_key + name = "AWS_ACCESS_KEY_ID" + value = lookup(module.env_var, "AWS_ACCESS_KEY_ID").value } ] managed_extra_files = [ @@ -90,24 +87,17 @@ module "aws_image_pipeline" { enforce_prs = true collaborators = local.collaborators pull_request_bypassers = local.pull_request_bypassers - vars = [ - { - name = "terraform_version" - value = "1.9.1" - }, - { - name = "AWS_ACCESS_KEY_ID", - value = module.aws_session_configuration.iam_credentials.iam_access_key_id - }, + secrets = [ + for secret in [for secret in local.secrets : secret if secret != "AWS_ACCESS_KEY_ID"] : { - name = "AWS_DEFAULT_REGION", - value = data.aws_region.current.name + name = replace(secret, "GITHUB", "GH") + value = lookup(module.env_var, secret).value } ] - secrets = [ + vars = [ { - name = "AWS_SECRET_ACCESS_KEY" - value = module.aws_session_configuration.iam_credentials.iam_secret_access_key + name = "AWS_ACCESS_KEY_ID" + value = lookup(module.env_var, "AWS_ACCESS_KEY_ID").value } ] managed_extra_files = [ 
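Review bot: The new `secrets` expression pushes every entry of `local.secrets` (except `AWS_ACCESS_KEY_ID`) into each repository in `local.pipeline_repos` regardless of which ones a repo's workflow actually uses, so every pipeline repo — and anyone able to run a workflow in it — receives the full credential set; a per-module allowlist would keep this to least privilege. `local.secrets` and `module.env_var` are outside the hunk, so I cannot see which secrets are in scope; at minimum document the set at the `locals` definition. Note also that `lookup(module.env_var, secret)` has no default, so a name in `local.secrets` with no matching `module.env_var` key fails at plan time — reasonable as a guard, but worth a one-line comment such as `# every name in local.secrets must exist in module.env_var`.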
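Review bot: The `aws_image_pipeline` hunk drops the `terraform_version = "1.9.1"` repository variable together with `AWS_DEFAULT_REGION`, while the `terraform_aws_image_pipeline` module in the next hunk keeps it; `workflows/goss-testing.yaml` shows the setup-terraform step reading `$${{ vars.terraform_version }}`, and the `terraform-plan`/`terraform-apply` templates installed by this module presumably do the same (their step bodies are not in this diff), so those repos would get an empty version unless the variable is set out-of-band. Restore the entry alongside `AWS_ACCESS_KEY_ID`: `{ name = "terraform_version", value = "1.9.1" }`. PATCH 3/3 removes this `vars` list entirely, so the regression persists at the end of the series.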
@@ -157,6 +147,18 @@ module "terraform_aws_image_pipeline" { { name = "terraform_version" value = "1.9.1" + }, + { + name = "AWS_ACCESS_KEY_ID" + value = lookup(module.env_var, "AWS_ACCESS_KEY_ID").value + } + + ] + secrets = [ + for secret in [for secret in local.secrets : secret if secret != "AWS_ACCESS_KEY_ID"] : + { + name = replace(secret, "GITHUB", "GH") + value = lookup(module.env_var, secret).value } ] managed_extra_files = [ diff --git a/main.tf b/main.tf index e651048..e945d20 100644 --- a/main.tf +++ b/main.tf @@ -47,7 +47,7 @@ module "automation-repos" { collaborators = local.collaborators pull_request_bypassers = local.pull_request_bypassers } - + # centralized-actions module "centralized-actions" { source = "HappyPathway/repo/github" @@ -65,7 +65,7 @@ module "centralized-actions" { pull_request_bypassers = local.pull_request_bypassers github_is_private = false } - + # terraform-github-repo module "terraform-github-repo" { source = "git@github.e.it.census.gov:CSVD/terraform-github-repo" diff --git a/sandbox.tf b/sandbox.tf index 99ff22e..439a539 100644 --- a/sandbox.tf +++ b/sandbox.tf @@ -18,7 +18,7 @@ module "sandbox" { github_is_private = false create_codeowners = false enforce_prs = false - collaborators = {"arnol377": "admin"} + collaborators = { "arnol377" : "admin" } managed_extra_files = [ { path = ".github/workflows/terraform-plan.yaml" diff --git a/variables.tf b/variables.tf index e8a112b..0f1b652 100644 --- a/variables.tf +++ b/variables.tf @@ -1,3 +1,3 @@ -variable image_pipeline_workflows { +variable "image_pipeline_workflows" { type = map(string) } diff --git a/workflows/goss-testing.yaml b/workflows/goss-testing.yaml index ad78527..5fa7ca6 100644 --- a/workflows/goss-testing.yaml +++ b/workflows/goss-testing.yaml 
@@ -16,7 +16,7 @@ jobs: env: AWS_SECRET_ACCESS_KEY: "$${{ secrets.AWS_SECRET_ACCESS_KEY }}" AWS_ACCESS_KEY_ID: "$${{ vars.AWS_ACCESS_KEY_ID }}" - AWS_DEFAULT_REGION: "$${{ vars.AWS_DEFAULT_REGION }}" + AWS_SESSION_TOKEN: "$${{ secrets.AWS_SESSION_TOKEN }}" # Steps represent a sequence of tasks that will be executed as part of the job diff --git a/workflows/s3_upload.yaml.tpl b/workflows/s3_upload.yaml.tpl index 08628ce..531c9b6 100644 --- a/workflows/s3_upload.yaml.tpl +++ b/workflows/s3_upload.yaml.tpl @@ -16,7 +16,7 @@ jobs: env: AWS_SECRET_ACCESS_KEY: "$${{ secrets.AWS_SECRET_ACCESS_KEY }}" AWS_ACCESS_KEY_ID: "$${{ vars.AWS_ACCESS_KEY_ID }}" - AWS_DEFAULT_REGION: "$${{ vars.AWS_DEFAULT_REGION }}" + AWS_SESSION_TOKEN: "$${{ secrets.AWS_SESSION_TOKEN }}" # Steps represent a sequence of tasks that will be executed as part of the job diff --git a/workflows/terraform-apply.yaml.tpl b/workflows/terraform-apply.yaml.tpl index 3f2614a..c112c78 100644 --- a/workflows/terraform-apply.yaml.tpl +++ b/workflows/terraform-apply.yaml.tpl @@ -18,7 +18,7 @@ jobs: env: AWS_SECRET_ACCESS_KEY: "$${{ secrets.AWS_SECRET_ACCESS_KEY }}" AWS_ACCESS_KEY_ID: "$${{ vars.AWS_ACCESS_KEY_ID }}" - AWS_DEFAULT_REGION: "$${{ vars.AWS_DEFAULT_REGION + AWS_SESSION_TOKEN: "$${{ secrets.AWS_SESSION_TOKEN }}" # Steps represent a sequence of tasks that will be executed as part of the job diff --git a/workflows/terraform-plan.yaml.tpl b/workflows/terraform-plan.yaml.tpl index 08cc97f..f4a20cb 100644 --- a/workflows/terraform-plan.yaml.tpl +++ b/workflows/terraform-plan.yaml.tpl @@ -17,7 +17,7 @@ jobs: env: AWS_SECRET_ACCESS_KEY: "$${{ secrets.AWS_SECRET_ACCESS_KEY }}" AWS_ACCESS_KEY_ID: "$${{ vars.AWS_ACCESS_KEY_ID }}" - AWS_DEFAULT_REGION: "$${{ vars.AWS_DEFAULT_REGION }}" + AWS_SESSION_TOKEN: "$${{ secrets.AWS_SESSION_TOKEN }}" # Steps represent a sequence of tasks that will be executed as part of the job From 56a76a70ad730f15d5b822a0b3900f1790ec184d Mon Sep 17 00:00:00 2001 
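Review bot: `AWS_SESSION_TOKEN: "$${{ secrets.AWS_SESSION_TOKEN }}"` is reintroduced in this template (and the three `.tpl` hunks beside it) although the credentials provisioned in `image-pipeline.tf` appear to be a static access key with no session token, and nothing in this series creates an `AWS_SESSION_TOKEN` repository secret; an undefined secret expands to an empty string, which the AWS SDKs seem to tolerate, but the line is then dead and contradicts the intent stated in PATCH 1/3. The repo's own `.github/workflows/terraform_plan.yaml` and `terraform_apply.yaml` were not reverted and still use `AWS_DEFAULT_REGION`, so the live workflows and the templates now disagree. Either drop the line and keep `AWS_DEFAULT_REGION: "$${{ vars.AWS_DEFAULT_REGION }}"` everywhere, or add a comment above it explaining which credential shape the service account is expected to supply.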
From: arnol377 Date: Thu, 5 Sep 2024 16:20:56 -0400 Subject: [PATCH 3/3] adding stuff --- image-pipeline.tf | 38 -------------------------------------- sandbox.tf | 13 ------------- 2 files changed, 51 deletions(-) diff --git a/image-pipeline.tf b/image-pipeline.tf index 8cb3ae0..8a3a8f3 100644 --- a/image-pipeline.tf +++ b/image-pipeline.tf @@ -27,19 +27,6 @@ module "image_pipeline_repos" { enforce_prs = true collaborators = local.collaborators pull_request_bypassers = local.pull_request_bypassers - secrets = [ - for secret in [for secret in local.secrets : secret if secret != "AWS_ACCESS_KEY_ID"] : - { - name = replace(secret, "GITHUB", "GH") - value = lookup(module.env_var, secret).value - } - ] - vars = [ - { - name = "AWS_ACCESS_KEY_ID" - value = lookup(module.env_var, "AWS_ACCESS_KEY_ID").value - } - ] managed_extra_files = [ { path = ".github/workflows/s3_upload.yaml" @@ -87,19 +74,6 @@ module "aws_image_pipeline" { enforce_prs = true collaborators = local.collaborators pull_request_bypassers = local.pull_request_bypassers - secrets = [ - for secret in [for secret in local.secrets : secret if secret != "AWS_ACCESS_KEY_ID"] : - { - name = replace(secret, "GITHUB", "GH") - value = lookup(module.env_var, secret).value - } - ] - vars = [ - { - name = "AWS_ACCESS_KEY_ID" - value = lookup(module.env_var, "AWS_ACCESS_KEY_ID").value - } - ] managed_extra_files = [ { path = ".github/workflows/terraform-plan.yaml" @@ -148,18 +122,6 @@ module "terraform_aws_image_pipeline" { name = "terraform_version" value = "1.9.1" }, - { - name = "AWS_ACCESS_KEY_ID" - value = lookup(module.env_var, "AWS_ACCESS_KEY_ID").value - } - - ] - secrets = [ - for secret in [for secret in local.secrets : secret if secret != "AWS_ACCESS_KEY_ID"] : - { - name = replace(secret, "GITHUB", "GH") - value = lookup(module.env_var, secret).value - } ] managed_extra_files = [ { diff --git a/sandbox.tf b/sandbox.tf index 439a539..4919232 100644 --- a/sandbox.tf +++ b/sandbox.tf 
@@ -45,17 +45,4 @@ module "sandbox" { ) } ] - secrets = [ - for secret in [for secret in local.secrets : secret if secret != "AWS_ACCESS_KEY_ID"] : - { - name = replace(secret, "GITHUB", "GH") - value = lookup(module.env_var, secret).value - } - ] - vars = [ - { - name = "AWS_ACCESS_KEY_ID" - value = lookup(module.env_var, "AWS_ACCESS_KEY_ID").value - } - ] }