diff --git a/.github/workflows/terraform_apply.yaml b/.github/workflows/terraform_apply.yaml
index 292208a..b48c1ce 100644
--- a/.github/workflows/terraform_apply.yaml
+++ b/.github/workflows/terraform_apply.yaml
@@ -17,7 +17,7 @@ jobs:
 env:
 AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
 AWS_ACCESS_KEY_ID: "${{ vars.AWS_ACCESS_KEY_ID }}"
- AWS_SESSION_TOKEN: "${{ secrets.AWS_SESSION_TOKEN }}"
+ AWS_DEFAULT_REGION: "${{ vars.AWS_DEFAULT_REGION }}"
 GITHUB_TOKEN: "${{ secrets.GH_TOKEN }}"
diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml
index 4ca8302..4684893 100644
--- a/.github/workflows/terraform_plan.yaml
+++ b/.github/workflows/terraform_plan.yaml
@@ -16,7 +16,7 @@ jobs:
 env:
 AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
 AWS_ACCESS_KEY_ID: "${{ vars.AWS_ACCESS_KEY_ID }}"
- AWS_SESSION_TOKEN: "${{ secrets.AWS_SESSION_TOKEN }}"
+ AWS_DEFAULT_REGION: "${{ vars.AWS_SESSION_TOKEN }}"
 GITHUB_TOKEN: "${{ secrets.GH_TOKEN }}"
diff --git a/image-pipeline.tf b/image-pipeline.tf
index f19cd98..704a128 100644
--- a/image-pipeline.tf
+++ b/image-pipeline.tf
@@ -8,6 +8,9 @@ locals {
 ]
 }
+locals {
+ s3_upload = "${path.module}/workflows/s3_upload.yaml.tpl"
+}
 module "image_pipeline_repos" {
 for_each = toset(local.pipeline_repos)
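Review bot: With `AWS_SESSION_TOKEN` removed from the job-level `env` in terraform_apply.yaml, Terraform now authenticates with a permanent IAM access key held in `secrets.AWS_SECRET_ACCESS_KEY` rather than an STS session, so anyone who can run or modify a workflow in this repository gets AWS access that never expires until the key is manually rotated. Prefer GitHub OIDC federation — `permissions: id-token: write` plus `aws-actions/configure-aws-credentials` with `role-to-assume` — which yields short-lived credentials and removes the key from GitHub entirely. If static keys must stay, add a `permissions:` block restricting the default `GITHUB_TOKEN` and a comment next to the env block stating the rotation cadence, e.g. `# static IAM key — rotate every 90 days; see aws_session_configuration module`. The job definition continues outside the hunk.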
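Review bot: The added line in terraform_plan.yaml reads the region from the wrong variable: `AWS_DEFAULT_REGION: "${{ vars.AWS_SESSION_TOKEN }}"`, whereas terraform_apply.yaml in the same commit uses `vars.AWS_DEFAULT_REGION`. `AWS_SESSION_TOKEN` was previously a secret, not a repository variable, so this presumably expands to an empty string and `terraform plan` will either fail with a missing-region error or silently use whatever region the provider block hard-codes, making plan and apply disagree. Change it to `AWS_DEFAULT_REGION: "${{ vars.AWS_DEFAULT_REGION }}"` to match the apply workflow.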
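Review bot: The new `locals { s3_upload = ... }` block in image-pipeline.tf is inserted immediately after an existing `locals` block (its closing `}` is the context line above); Terraform merges multiple `locals` blocks, but a second one two lines away is easy to miss when reading. Move `s3_upload = "${path.module}/workflows/s3_upload.yaml.tpl"` into the existing block, and consider a name that says what it is — e.g. `default_s3_upload_workflow_tpl` — since the later hunk in this file uses it only as the fallback in `lookup(var.image_pipeline_workflows, each.value, local.s3_upload)`.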
@@ -24,11 +27,27 @@ module "image_pipeline_repos" {
 enforce_prs = true
 collaborators = merge(local.collaborators, { garri325 = "admin" })
 pull_request_bypassers = local.pull_request_bypassers
+ vars = [
+ {
+ name = "AWS_ACCESS_KEY_ID",
+ value = module.aws_session_configuration.iam_credentials.iam_access_key_id
+ },
+ {
+ name = "AWS_DEFAULT_REGION",
+ value = data.aws_region.current.name
+ }
+ ]
+ secrets = [
+ {
+ name = "AWS_SECRET_ACCESS_KEY"
+ value = module.aws_session_configuration.iam_credentials.iam_secret_access_key
+ }
+ ]
 managed_extra_files = [
 {
 path = ".github/workflows/s3_upload.yaml"
 content = templatefile(
- "${path.module}/workflows/s3_upload.yaml.tpl",
+ lookup(var.image_pipeline_workflows, each.value, local.s3_upload),
 {
 repo_name = each.value,
 bucket_name = "image-pipeline-assets"
@@ -75,6 +94,20 @@ module "aws_image_pipeline" {
 {
 name = "terraform_version"
 value = "1.9.1"
+ },
+ {
+ name = "AWS_ACCESS_KEY_ID",
+ value = module.aws_session_configuration.iam_credentials.iam_access_key_id
+ },
+ {
+ name = "AWS_DEFAULT_REGION",
+ value = data.aws_region.current.name
+ }
+ ]
+ secrets = [
+ {
+ name = "AWS_SECRET_ACCESS_KEY"
+ value = module.aws_session_configuration.iam_credentials.iam_secret_access_key
 }
 ]
 managed_extra_files = [
diff --git a/variables.tf b/variables.tf
index e69de29..e8a112b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -0,0 +1,3 @@
+variable image_pipeline_workflows {
+ type = map(string)
+}
diff --git a/workflows/goss-testing.yaml b/workflows/goss-testing.yaml
new file mode 100644
index 0000000..ad78527
--- /dev/null
+++ b/workflows/goss-testing.yaml
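Review bot: The `vars`/`secrets` lists added to `module "image_pipeline_repos"` push one and the same long-lived IAM key pair from `module.aws_session_configuration.iam_credentials` into every repository in `local.pipeline_repos`, so a compromise of any single repo — a collaborator with `admin` (the context line above grants that to `garri325`) or a `pull_request_bypassers` entry pushing a workflow — exposes credentials valid across all of them, and `iam_secret_access_key` is also persisted in Terraform state. Prefer an OIDC-assumable IAM role per repository whose trust policy conditions `token.actions.githubusercontent.com:sub` on `repo:<org>/<repo>:ref:refs/heads/main`, which removes the secret from both GitHub and state; if static keys must stay and the module supports it, mint one key per repo so blast radius and rotation are per-repo. `lookup(var.image_pipeline_workflows, each.value, local.s3_upload)` will also render whatever path the caller supplies, so a comment such as `# override templates must live under ${path.module}/workflows` would help reviewers of future changes. The module block begins and ends outside the hunk.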
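Review bot: The `AWS_ACCESS_KEY_ID`/`AWS_DEFAULT_REGION` vars entries and the `secrets` list added to `module "aws_image_pipeline"` duplicate, attribute for attribute, the lists added to `module "image_pipeline_repos"` earlier in this diff. Hoist them into locals (e.g. `local.aws_ci_vars` and `local.aws_ci_secrets`) and splice them in with `concat(local.aws_ci_vars, [{ name = "terraform_version", value = "1.9.1" }])`, so a key rotation or a later switch to OIDC is a one-line change rather than two lists drifting apart. The object style is also inconsistent within the hunk — `name = "AWS_ACCESS_KEY_ID",` carries a trailing comma while `name = "AWS_SECRET_ACCESS_KEY"` does not; pick one form. The module block continues on both sides of the hunk.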
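Review bot: `variable image_pipeline_workflows` has no `default` and no `description`, so every root configuration that consumes this module must now supply the map even though `lookup(..., local.s3_upload)` in image-pipeline.tf already provides a fallback; `default = {}` keeps the variable optional and preserves the previous behaviour for existing callers. Quote the label (`variable "image_pipeline_workflows" {`) as `terraform fmt` expects, and add a `description` stating that keys are repository names from `local.pipeline_repos` and values are paths to workflow templates that are rendered with `templatefile`.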
@@ -0,0 +1,46 @@
+# This is a basic workflow to help you get started with Actions
+name: S3 Upload
+
+on:
+ push:
+ branches: [ "main" ]
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+ # This workflow contains a single job called "build"
+ build:
+ # The type of runner that the job will run on
+ runs-on: [ image-pipeline-goss-testing ]
+ env:
+ AWS_SECRET_ACCESS_KEY: "$${{ secrets.AWS_SECRET_ACCESS_KEY }}"
+ AWS_ACCESS_KEY_ID: "$${{ vars.AWS_ACCESS_KEY_ID }}"
+ AWS_DEFAULT_REGION: "$${{ vars.AWS_DEFAULT_REGION }}"
+
+
+ # Steps represent a sequence of tasks that will be executed as part of the job
+ steps:
+ # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+ - uses: actions/checkout@v3
+
+ - uses: CSVD/gh-actions-setup-node@v3
+ with:
+ node-version: 16
+
+ - uses: CSVD/gh-actions-setup-terraform@v2
+ with:
+ terraform_wrapper: false
+ terraform_version: $${{ vars.terraform_version }}
+
+ - name: get latest
+ run: |
+ terraform init -input=false -upgrade
+ terraform apply -auto-approve -input=false
+ working-directory: ./update
+
+ - name: archive and upload
+ run: |
+ rm -rf .terraform update update/.terraform
+ zip -r image-pipeline-goss-testing.zip *
+ aws s3 cp image-pipeline-goss-testing.zip s3://image-pipeline-assets
diff --git a/workflows/s3_upload.yaml.tpl b/workflows/s3_upload.yaml.tpl
index 531c9b6..08628ce 100644
--- a/workflows/s3_upload.yaml.tpl
+++ b/workflows/s3_upload.yaml.tpl
@@ -16,7 +16,7 @@ jobs:
 env:
 AWS_SECRET_ACCESS_KEY: "$${{ secrets.AWS_SECRET_ACCESS_KEY }}"
 AWS_ACCESS_KEY_ID: "$${{ vars.AWS_ACCESS_KEY_ID }}"
- AWS_SESSION_TOKEN: "$${{ secrets.AWS_SESSION_TOKEN }}"
+ AWS_DEFAULT_REGION: "$${{ vars.AWS_DEFAULT_REGION }}"
 # Steps represent a sequence of tasks that will be executed as part of the job
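Review bot: The `get latest` step runs `terraform apply -auto-approve` on every push to `main` with the permanent IAM key from the job-level `env`, and every action it pulls — `actions/checkout@v3`, `CSVD/gh-actions-setup-node@v3`, `CSVD/gh-actions-setup-terraform@v2` — is referenced by a mutable tag, so a moved tag in any of them executes arbitrary code with those credentials on the self-hosted `image-pipeline-goss-testing` runner. Pin each `uses:` to a full commit SHA (keeping the tag in a trailing comment) and add a top-level `permissions: contents: read` block so the default `GITHUB_TOKEN` is least-privilege. Two smaller points: `name: S3 Upload` looks copied from the s3_upload template and should describe this workflow, and the `$${{` escaping is only correct if this file is rendered through `templatefile` (presumably via `var.image_pipeline_workflows`) — if it is ever checked into `.github/workflows` as-is, GitHub will evaluate the inner expression but leave the extra `$` prefixed to each value, which breaks the credentials; a header comment saying `# Terraform template: rendered by templatefile(), $${{ }} is intentional` would make that explicit.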
diff --git a/workflows/terraform-apply.yaml.tpl b/workflows/terraform-apply.yaml.tpl
index c112c78..3f2614a 100644
--- a/workflows/terraform-apply.yaml.tpl
+++ b/workflows/terraform-apply.yaml.tpl
@@ -18,7 +18,7 @@ jobs:
 env:
 AWS_SECRET_ACCESS_KEY: "$${{ secrets.AWS_SECRET_ACCESS_KEY }}"
 AWS_ACCESS_KEY_ID: "$${{ vars.AWS_ACCESS_KEY_ID }}"
- AWS_SESSION_TOKEN: "$${{ secrets.AWS_SESSION_TOKEN }}"
+ AWS_DEFAULT_REGION: "$${{ vars.AWS_DEFAULT_REGION
 # Steps represent a sequence of tasks that will be executed as part of the job
diff --git a/workflows/terraform-plan.yaml.tpl b/workflows/terraform-plan.yaml.tpl
index f4a20cb..08cc97f 100644
--- a/workflows/terraform-plan.yaml.tpl
+++ b/workflows/terraform-plan.yaml.tpl
@@ -17,7 +17,7 @@ jobs:
 env:
 AWS_SECRET_ACCESS_KEY: "$${{ secrets.AWS_SECRET_ACCESS_KEY }}"
 AWS_ACCESS_KEY_ID: "$${{ vars.AWS_ACCESS_KEY_ID }}"
- AWS_SESSION_TOKEN: "$${{ secrets.AWS_SESSION_TOKEN }}"
+ AWS_DEFAULT_REGION: "$${{ vars.AWS_DEFAULT_REGION }}"
 # Steps represent a sequence of tasks that will be executed as part of the job
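Review bot: The added line in terraform-apply.yaml.tpl is unterminated — `AWS_DEFAULT_REGION: "$${{ vars.AWS_DEFAULT_REGION` has no closing ` }}"` — unlike the equivalent lines in terraform-plan.yaml.tpl and s3_upload.yaml.tpl in this same diff. If that is the committed content rather than a rendering artifact, `templatefile` will still render it, but the generated workflow is invalid YAML (an unclosed double-quoted scalar swallows the following lines), so every repository that receives this template gets a broken apply workflow. It should read `AWS_DEFAULT_REGION: "$${{ vars.AWS_DEFAULT_REGION }}"`; rendering the template in a `terraform test` or a `yamllint` step over the generated files would catch this class of error before it is pushed to the managed repos.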