using a service account instead of my own personal account

CSVD · Aug 30, 2024 · e8b4fed · e8b4fed
1 parent 064278d
commit e8b4fed
Show file tree

Hide file tree

Showing 8 changed files with 88 additions and 6 deletions.
diff --git a/.github/workflows/terraform_apply.yaml b/.github/workflows/terraform_apply.yaml
@@ -17,7 +17,7 @@ jobs:
     env:
       AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
       AWS_ACCESS_KEY_ID: "${{ vars.AWS_ACCESS_KEY_ID }}"
-      AWS_SESSION_TOKEN: "${{ secrets.AWS_SESSION_TOKEN }}"
+      AWS_DEFAULT_REGION: "${{ vars.AWS_DEFAULT_REGION }}"
       GITHUB_TOKEN: "${{ secrets.GH_TOKEN }}"
 
 

diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml
@@ -16,7 +16,7 @@ jobs:
     env:
       AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
       AWS_ACCESS_KEY_ID: "${{ vars.AWS_ACCESS_KEY_ID }}"
-      AWS_SESSION_TOKEN: "${{ secrets.AWS_SESSION_TOKEN }}"
+      AWS_DEFAULT_REGION: "${{ vars.AWS_SESSION_TOKEN }}"
       GITHUB_TOKEN: "${{ secrets.GH_TOKEN }}"
 
 

diff --git a/image-pipeline.tf b/image-pipeline.tf
@@ -8,6 +8,9 @@ locals {
   ]
 }
 
+locals {
+  s3_upload = "${path.module}/workflows/s3_upload.yaml.tpl"
+}
 
 module "image_pipeline_repos" {
   for_each = toset(local.pipeline_repos)
@@ -24,11 +27,27 @@ module "image_pipeline_repos" {
   enforce_prs            = true
   collaborators          = merge(local.collaborators, { garri325 = "admin" })
   pull_request_bypassers = local.pull_request_bypassers
+  vars = [
+    {
+      name  = "AWS_ACCESS_KEY_ID",
+      value = module.aws_session_configuration.iam_credentials.iam_access_key_id
+    },
+    {
+      name  = "AWS_DEFAULT_REGION",
+      value = data.aws_region.current.name
+    }
+  ]
+  secrets = [
+    {
+      name  = "AWS_SECRET_ACCESS_KEY"
+      value = module.aws_session_configuration.iam_credentials.iam_secret_access_key
+    }
+  ]
   managed_extra_files = [
     {
       path = ".github/workflows/s3_upload.yaml"
       content = templatefile(
-        "${path.module}/workflows/s3_upload.yaml.tpl",
+        lookup(var.image_pipeline_workflows, each.value, local.s3_upload),
         {
           repo_name   = each.value,
           bucket_name = "image-pipeline-assets"
@@ -75,6 +94,20 @@ module "aws_image_pipeline" {
     {
       name  = "terraform_version"
       value = "1.9.1"
+    },
+    {
+      name  = "AWS_ACCESS_KEY_ID",
+      value = module.aws_session_configuration.iam_credentials.iam_access_key_id
+    },
+    {
+      name  = "AWS_DEFAULT_REGION",
+      value = data.aws_region.current.name
+    }
+  ]
+  secrets = [
+    {
+      name  = "AWS_SECRET_ACCESS_KEY"
+      value = module.aws_session_configuration.iam_credentials.iam_secret_access_key
     }
   ]
   managed_extra_files = [

diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,3 @@
+variable image_pipeline_workflows {
+  type = map(string)
+}
diff --git a/workflows/goss-testing.yaml b/workflows/goss-testing.yaml
@@ -0,0 +1,46 @@
+# This is a basic workflow to help you get started with Actions
+name: S3 Upload
+
+on:
+  push:
+    branches: [ "main" ]
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  build:
+    # The type of runner that the job will run on
+    runs-on: [ image-pipeline-goss-testing ]
+    env:
+      AWS_SECRET_ACCESS_KEY: "$${{ secrets.AWS_SECRET_ACCESS_KEY }}"
+      AWS_ACCESS_KEY_ID: "$${{ vars.AWS_ACCESS_KEY_ID }}"
+      AWS_DEFAULT_REGION: "$${{ vars.AWS_DEFAULT_REGION }}"
+
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v3
+
+      - uses: CSVD/gh-actions-setup-node@v3
+        with:
+           node-version: 16
+
+      - uses: CSVD/gh-actions-setup-terraform@v2
+        with:
+          terraform_wrapper: false
+          terraform_version: $${{ vars.terraform_version }}
+
+      - name: get latest
+        run: |
+          terraform init -input=false -upgrade
+          terraform apply -auto-approve -input=false
+        working-directory: ./update
+
+      - name: archive and upload
+        run: |
+          rm -rf .terraform update update/.terraform
+          zip -r image-pipeline-goss-testing.zip *
+          aws s3 cp image-pipeline-goss-testing.zip s3://image-pipeline-assets
diff --git a/workflows/s3_upload.yaml.tpl b/workflows/s3_upload.yaml.tpl
@@ -16,7 +16,7 @@ jobs:
     env:
       AWS_SECRET_ACCESS_KEY: "$${{ secrets.AWS_SECRET_ACCESS_KEY }}"
       AWS_ACCESS_KEY_ID: "$${{ vars.AWS_ACCESS_KEY_ID }}"
-      AWS_SESSION_TOKEN: "$${{ secrets.AWS_SESSION_TOKEN }}"
+      AWS_DEFAULT_REGION: "$${{ vars.AWS_DEFAULT_REGION }}"
 
 
     # Steps represent a sequence of tasks that will be executed as part of the job

diff --git a/workflows/terraform-apply.yaml.tpl b/workflows/terraform-apply.yaml.tpl
@@ -18,7 +18,7 @@ jobs:
     env:
       AWS_SECRET_ACCESS_KEY: "$${{ secrets.AWS_SECRET_ACCESS_KEY }}"
       AWS_ACCESS_KEY_ID: "$${{ vars.AWS_ACCESS_KEY_ID }}"
-      AWS_SESSION_TOKEN: "$${{ secrets.AWS_SESSION_TOKEN }}"
+      AWS_DEFAULT_REGION: "$${{ vars.AWS_DEFAULT_REGION
       
 
     # Steps represent a sequence of tasks that will be executed as part of the job

diff --git a/workflows/terraform-plan.yaml.tpl b/workflows/terraform-plan.yaml.tpl
@@ -17,7 +17,7 @@ jobs:
     env:
       AWS_SECRET_ACCESS_KEY: "$${{ secrets.AWS_SECRET_ACCESS_KEY }}"
       AWS_ACCESS_KEY_ID: "$${{ vars.AWS_ACCESS_KEY_ID }}"
-      AWS_SESSION_TOKEN: "$${{ secrets.AWS_SESSION_TOKEN }}"
+      AWS_DEFAULT_REGION: "$${{ vars.AWS_DEFAULT_REGION }}"
 
 
     # Steps represent a sequence of tasks that will be executed as part of the job