From accfb481065db0b2b89b618a576b0dd6b8a78483 Mon Sep 17 00:00:00 2001 From: Dave Arnold Date: Thu, 15 Aug 2024 12:46:38 -0700 Subject: [PATCH 01/29] Refactor image pipeline module names and update workflows --- workflows/terraform-plan.yaml.tpl | 27 +++++---------------------- 1 file changed, 5 insertions(+), 22 deletions(-) diff --git a/workflows/terraform-plan.yaml.tpl b/workflows/terraform-plan.yaml.tpl index c941500..2906111 100644 --- a/workflows/terraform-plan.yaml.tpl +++ b/workflows/terraform-plan.yaml.tpl @@ -24,7 +24,9 @@ jobs: steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - uses: actions/checkout@v3 - + with: + ref: ${{ github.head_ref }} + token: ${{ secrets.GH_TOKEN }} - uses: CSVD/gh-actions-setup-node@v3 with: @@ -48,7 +50,7 @@ jobs: - name: Autoformat Halt if: env.auto_format == 'true' - run: exit 1 + run: exit 0 - name: Terraform Init id: init @@ -71,23 +73,4 @@ jobs: %{ endif } run: terraform plan continue-on-error: true - - - name: Update Pull Request - uses: CSVD/gh-actions-github-script@v6 - if: github.event_name == 'pull_request' - with: - github-token: $${{ secrets.GH_TOKEN }} - script: | - const output = `#### Terraform Format and Style 🖌\`$${{ steps.fmt.outcome }}\` - #### Terraform Initialization ⚙️\`$${{ steps.init.outcome }}\` - #### Terraform Validation 🤖\`$${{ steps.validate.outcome }}\` - #### Terraform Plan: - $${{ steps.plan.outcome }} - *Pushed by: @$${{ github.actor }}, Action: \`$${{ github.event_name }}\`*`; - - github.rest.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: output - }) \ No newline at end of file +L \ No newline at end of file From 9741a63541ea38ae33b5c49836494b2306dbf06f Mon Sep 17 00:00:00 2001 
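Review bot: The two lines added to the checkout step in the first hunk, `ref: ${{ github.head_ref }}` and `token: ${{ secrets.GH_TOKEN }}`, use a single `$`, whereas the rest of this `.tpl` file escapes Actions expressions as `$${{ ... }}` (for example `github-token: $${{ secrets.GH_TOKEN }}` in the removed step), which is what `templatefile` needs so that `${` is not parsed as a Terraform interpolation; as written the template is likely to fail to render, so these lines should read `ref: $${{ github.head_ref }}` and `token: $${{ secrets.GH_TOKEN }}`. In the second hunk `run: exit 1` becomes `run: exit 0`, which turns the "Autoformat Halt" step into a no-op while its name and `if:` condition still claim to stop the job; if the halt is no longer wanted, removing the step or adding a comment explaining why it now passes would keep the workflow honest. The third hunk's trailing `+L` at the end of the file looks like a stray keystroke rather than valid YAML. Separately, passing a PAT as `token:` to checkout persists it in the workspace's `.git/config` for all later steps unless `persist-credentials: false` is set, which is worth confirming is intended.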
From: Dave Arnold Date: Thu, 15 Aug 2024 12:53:14 -0700 Subject: [PATCH 02/29] Refactor image pipeline module names and update workflows --- workflows/terraform-plan.yaml.tpl | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/workflows/terraform-plan.yaml.tpl b/workflows/terraform-plan.yaml.tpl index 2906111..a354a76 100644 --- a/workflows/terraform-plan.yaml.tpl +++ b/workflows/terraform-plan.yaml.tpl @@ -73,4 +73,23 @@ jobs: %{ endif } run: terraform plan continue-on-error: true -L \ No newline at end of file + + - name: Update Pull Request + uses: CSVD/gh-actions-github-script@v6 + if: github.event_name == 'pull_request' + with: + github-token: $${{ secrets.GH_TOKEN }} + script: | + const output = `#### Terraform Format and Style 🖌\`$${{ steps.fmt.outcome }}\` + #### Terraform Initialization ⚙️\`$${{ steps.init.outcome }}\` + #### Terraform Validation 🤖\`$${{ steps.validate.outcome }}\` + #### Terraform Plan: + $${{ steps.plan.outcome }} + *Pushed by: @$${{ github.actor }}, Action: \`$${{ github.event_name }}\`*`; + + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: output + }) From cb6d48492a412650add9d39799f5b56e78cef095 Mon Sep 17 00:00:00 2001 From: Dave Arnold Date: Tue, 20 Aug 2024 12:50:13 -0700 Subject: [PATCH 03/29] Refactor image pipeline module names and update workflows --- actions_secrets.tf | 14 +++++++++++ image-pipeline.tf | 2 +- main.tf | 2 ++ sandbox.tf | 61 ++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 78 insertions(+), 1 deletion(-) create mode 100644 actions_secrets.tf create mode 100644 sandbox.tf diff --git a/actions_secrets.tf b/actions_secrets.tf new file mode 100644 index 0000000..2c43dce --- /dev/null +++ b/actions_secrets.tf 
@@ -0,0 +1,14 @@ +locals { + secrets = [ + "AWS_SECRET_ACCESS_KEY", + "AWS_SESSION_TOKEN", + "AWS_ACCESS_KEY_ID", + "GITHUB_TOKEN" + ] +} + +module "env_var" { + source = "HappyPathway/var/env" + for_each = toset(local.secrets) + env_var = each.value +} diff --git a/image-pipeline.tf b/image-pipeline.tf index e978deb..f19cd98 100644 --- a/image-pipeline.tf +++ b/image-pipeline.tf @@ -132,7 +132,7 @@ module "terraform_aws_image_pipeline" { content = templatefile( "${path.module}/workflows/terraform-plan.yaml.tpl", { - repo_name = "aws-image-pipeline", + repo_name = "terraform-aws-image-pipeline", directory = "./examples" git_owner = { name = "arnol377" diff --git a/main.tf b/main.tf index 6c72d56..3f8fa6a 100644 --- a/main.tf +++ b/main.tf @@ -206,3 +206,5 @@ module "ghe_runners" { collaborators = local.collaborators } + + diff --git a/sandbox.tf b/sandbox.tf new file mode 100644 index 0000000..081143c --- /dev/null +++ b/sandbox.tf 
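Review bot: `local.secrets` in the new `actions_secrets.tf` includes `GITHUB_TOKEN`, a name GitHub rejects for Actions secrets because the `GITHUB_` prefix is reserved; the consumer in `sandbox.tf` works around this with `replace(secret, "GITHUB", "GH")`, but nothing here says so, so a comment on the list such as `# GITHUB_* is a reserved prefix for Actions secrets; consumers rename it to GH_* before creating the secret` would save the next reader a trip. The values are read from the environment of whoever runs Terraform by `module "env_var"` and presumably end up in Terraform state once they are written to repositories, so the state backend should be treated as holding live AWS and GitHub credentials — worth confirming against the module. `AWS_SESSION_TOKEN` is a short-lived credential; publishing it as a long-lived repository secret means the stored copy goes stale as soon as the session expires.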
@@ -0,0 +1,61 @@ + +locals { + workspace_instances = [ + "arnol377-sandbox" + ] +} + +module "ghe_runners" { + source = "git@github.e.it.census.gov:CSVD/terraform-github-repo" + for_each = toset(local.workspace_instances) + github_repo_description = "Sandbox - ${each.value}" + repo_org = "arnol377" + name = each.value + github_repo_topics = [ + "terraform" + ] + force_name = true + github_is_private = false + create_codeowners = false + enforce_prs = false + collaborators = local.collaborators + managed_extra_files = [ + { + path = ".github/workflows/terraform-plan.yaml" + content = templatefile( + "${path.module}/workflows/terraform-plan.yaml.tpl", + { + repo_name = each.value, + directory = null + git_owner = { + name = "arnol377" + email = "david.j.arnold.jr@census.gov" + } + } + ) + }, + { + path = ".github/workflows/terraform-apply.yaml" + content = templatefile( + "${path.module}/workflows/terraform-apply.yaml.tpl", + { + repo_name = each.value, + directory = null + } + ) + } + ] + secrets = [ + for secret in [for secret in local.secrets : secret if secret != "AWS_ACCESS_KEY_ID"] : + { + name = replace(secret, "GITHUB", "GH") + value = lookup(module.env_var, secret).value + } + ] + vars = [ + { + name = "AWS_ACCESS_KEY_ID" + value = lookup(module.env_var, "AWS_ACCESS_KEY_ID").value + } + ] +} \ No newline at end of file From 541131a82af2cccd56023574046f0ece141213cb Mon Sep 17 00:00:00 2001 From: Dave Arnold Date: Tue, 20 Aug 2024 12:53:07 -0700 Subject: [PATCH 04/29] chore: Update module name in sandbox.tf --- sandbox.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sandbox.tf b/sandbox.tf index 081143c..0dffc67 100644 --- a/sandbox.tf +++ b/sandbox.tf @@ -5,7 +5,7 @@ locals { ] } -module "ghe_runners" { +module "sandbox" { source = "git@github.e.it.census.gov:CSVD/terraform-github-repo" for_each = toset(local.workspace_instances) github_repo_description = "Sandbox - ${each.value}" 
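Review bot: `module "ghe_runners"` in the new `sandbox.tf` sets `github_is_private = false` while the same block pushes AWS credentials into the repository as secrets and exposes `AWS_ACCESS_KEY_ID` as a plain, non-secret repository variable; a public repository with cloud credentials attached widens who can read that variable and who can open pull requests that exercise the `terraform-plan` workflow it installs, so `github_is_private = true` looks like the safer default for a sandbox unless public visibility is deliberate. The module name also collides with the existing `module "ghe_runners"` visible in this commit's `main.tf` hunk header, which Terraform rejects as a duplicate; the rename to `module "sandbox"` in the next commit resolves that.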
From 28bd0953c8a2015d95bad44d23c2c8e73ba22d68 Mon Sep 17 00:00:00 2001 From: Dave Arnold Date: Tue, 20 Aug 2024 12:56:50 -0700 Subject: [PATCH 05/29] chore: Update module source in sandbox.tf --- sandbox.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sandbox.tf b/sandbox.tf index 0dffc67..29d3c43 100644 --- a/sandbox.tf +++ b/sandbox.tf @@ -6,7 +6,7 @@ locals { } module "sandbox" { - source = "git@github.e.it.census.gov:CSVD/terraform-github-repo" + source = "HappyPathway/repo/github" for_each = toset(local.workspace_instances) github_repo_description = "Sandbox - ${each.value}" repo_org = "arnol377" From 66e6caad6930d5bf389b9d84b88a3d213afa32b5 Mon Sep 17 00:00:00 2001 From: gomez385 Date: Mon, 30 Sep 2024 20:59:17 -0400 Subject: [PATCH 06/29] first test --- .github/workflows/terraform_plan.yaml | 13 +++-- data.tf | 2 - encode_jwt.py | 80 +++++++++++++++++++++++++++ versions.tf | 2 +- 4 files changed, 90 insertions(+), 7 deletions(-) create mode 100644 encode_jwt.py diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 02841cf..7346d65 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -16,10 +16,10 @@ jobs: runs-on: [ "229685449397" ] env: -# GITHUB_APP_ID: ${{ vars.GH_APP_ID }} -# GITHUB_APP_INSTALLATION_ID: ${{ vars.GH_APP_INSTALLATION_ID }} -# GITHUB_APP_PEM_FILE: ${{ secrets.GH_APP_PEM_FILE }} - GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} +# GITHUB_APP_ID: ${{ vars.GH_APP_ID }} + GITHUB_APP_INSTALLATION_ID: ${{ vars.GH_APP_INSTALLATION_ID }} + GITHUB_APP_PEM_FILE: ${{ secrets.GH_APP_PEM_FILE }} +# GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} GITHUB_OWNER: CSVD GITHUB_BASE_URL: https://github.e.it.census.gov/ TF_WORKSPACE: ${{ vars.terraform_workspace }} 
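Review bot: The first hunk of `terraform_plan.yaml` activates `GITHUB_APP_PEM_FILE: ${{ secrets.GH_APP_PEM_FILE }}` in the job-level `env`, so the App's private key is present in the environment of every step in the job, including the AWS credential step and any third-party actions; only the `Setup GITHUB Credentials` step consumes it, so it belongs in that step's own `env:` block. The variable name suggests a file path, but `encode_jwt.py` in this commit passes the value straight to `load_pem_private_key(args.private_key.encode(), ...)`, i.e. it expects the PEM text itself — a comment on the env line such as `# PEM contents, not a path` would prevent the confusion. `GITHUB_APP_ID` stays commented out even though the script needs the App ID for its `iss` claim.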
@@ -48,6 +48,11 @@ jobs: echo AWS_SECRET_ACCESS_KEY=`jq -r '.SecretAccessKey' aws_credentials.json` >> $GITHUB_ENV aws configure set aws_session_token `jq -r '.Token' aws_credentials.json` echo AWS_SESSION_TOKEN=`jq -r '.Token' aws_credentials.json` >> $GITHUB_ENV + + - name: Setup GITHUB Credentials + id: github_credentials + run: | + export GITHUB_TOKEN=$(python encode_jwt.py $GITHUB_APP_PEM_FILE $GITHUB_APP_INSTALLATION_ID $GITHUB_BASE_URL) - name: Terraform Init id: init diff --git a/data.tf b/data.tf index 6692404..ff319be 100644 --- a/data.tf +++ b/data.tf @@ -1,3 +1 @@ -data "aws_region" "current" {} - data "github_organization_teams" "teams" {} diff --git a/encode_jwt.py b/encode_jwt.py new file mode 100644 index 0000000..fd640d4 --- /dev/null +++ b/encode_jwt.py 
@@ -0,0 +1,80 @@ +## Run this script set the private key as github_app_private_key and installation_id as the installation id of the app + +#export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt +#export github_app_private_key="-----BEGIN" +#export github_app_installation_id=11 +#export github_app_url=https://github.e.it.census.gov +#export GITHUB_TOKEN=$(python encode_jwt.py "$github_app_private_key" "$github_app_installation_id" "$github_app_url") + +import time +import json +import base64 +import argparse +import requests +from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives.asymmetric import padding +from cryptography.hazmat.primitives.serialization import load_pem_private_key +import sys + +# Set up argument parser +parser = argparse.ArgumentParser(description='Encode JWT with RS256 and get GitHub Enterprise installation access token') +parser.add_argument('private_key', type=str, help='PEM formatted private key string') +parser.add_argument('installation_id', type=str, help='GitHub App Installation ID') +parser.add_argument('enterprise_url', type=str, help='GitHub Enterprise API URL (e.g., https://github.e.it.census.gov)') +args = parser.parse_args() + +# Load the PEM private key +private_key = load_pem_private_key(args.private_key.encode(), password=None) + +# JWT Header +header = { + "alg": "RS256", + "typ": "JWT" +} + +# JWT Payload +payload = { + "iat": int(time.time()), + "exp": int(time.time()) + (10 * 60), + "iss": "6" # Replace with your actual GitHub App ID +} + +# Encode Header and Payload as Base64 +header_encoded = base64.urlsafe_b64encode(json.dumps(header).encode()).decode().rstrip("=") +payload_encoded = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode().rstrip("=") + +# Create the message (header + payload) +message = f"{header_encoded}.{payload_encoded}".encode() + +# Sign the message using RS256 +signature = private_key.sign( + message, + padding.PKCS1v15(), + hashes.SHA256() +) + +# Encode the 
signature in Base64 +signature_encoded = base64.urlsafe_b64encode(signature).decode().rstrip("=") + +# Construct the full JWT +jwt_token = f"{header_encoded}.{payload_encoded}.{signature_encoded}" + +# Prepare the request to get the installation access token +headers = { + "Authorization": f"Bearer {jwt_token}", + "Accept": "application/vnd.github+json" +} + +# Make the request to the GitHub Enterprise API to get the installation access token +url = f"{args.enterprise_url}/api/v3/app/installations/{args.installation_id}/access_tokens" +response = requests.post(url, headers=headers) + +# Check if the request was successful +if response.status_code == 201: + installation_access_token = response.json().get('token') + print(installation_access_token) # Output the token only +else: + # Raise an error with a message + sys.stderr.write(f"Error: Failed to get installation access token. Status code: {response.status_code}\n") + sys.stderr.write(f"{response.text}\n") + sys.exit(1) # Exit with an error code diff --git a/versions.tf b/versions.tf index 187b843..1030799 100644 --- a/versions.tf +++ b/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { random = { source = "integrations/github" - version = ">= 6.2.2" + version = ">= 6.3.0" } aws = { source = "hashicorp/aws" From e0692bf4cf27a34d0957b1ed7eaeb8425e66b8d1 Mon Sep 17 00:00:00 2001 From: gomez385 Date: Mon, 30 Sep 2024 21:01:20 -0400 Subject: [PATCH 07/29] make fix --- .github/workflows/terraform_plan.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 7346d65..977585d 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml 
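Review bot: `"iss": "6"  # Replace with your actual GitHub App ID` hard-codes a placeholder App ID, so the JWT this script signs is rejected unless the App ID really is 6; the workflow already defines a (commented-out) `GITHUB_APP_ID` variable, so reading it with `"iss": os.environ["GITHUB_APP_ID"]` (plus `import os`) or adding a fourth positional argument keeps the ID out of the source. The private key is taken from `argv`, which is visible to every process on the runner via the process list and may be captured in shell history or tracing; reading it from an environment variable or a file path narrows that exposure. `requests.post(url, headers=headers)` has no `timeout`, so a stalled API call hangs the job until the runner's own limit; `requests.post(url, headers=headers, timeout=30)` is the usual fix. GitHub's guidance is to set `iat` about 60 seconds in the past to tolerate clock drift between runner and API, i.e. `"iat": int(time.time()) - 60`. The `enterprise_url` argument is joined with `/api/v3/...`, so a value with a trailing slash (as `GITHUB_BASE_URL` in the workflow has) yields a double slash; `args.enterprise_url.rstrip('/')` makes both forms work.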
@@ -51,7 +51,8 @@ jobs: - name: Setup GITHUB Credentials id: github_credentials - run: | + run: | + pip install requests export GITHUB_TOKEN=$(python encode_jwt.py $GITHUB_APP_PEM_FILE $GITHUB_APP_INSTALLATION_ID $GITHUB_BASE_URL) - name: Terraform Init From 18eff8e2db442bc96a99ae190c40f7e5d9eedd41 Mon Sep 17 00:00:00 2001 From: gomez385 Date: Mon, 30 Sep 2024 21:03:52 -0400 Subject: [PATCH 08/29] make fix --- .github/workflows/terraform_plan.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 977585d..273e158 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -52,9 +52,11 @@ jobs: - name: Setup GITHUB Credentials id: github_credentials run: | + python -m venv venv + source venv/bin/activate pip install requests export GITHUB_TOKEN=$(python encode_jwt.py $GITHUB_APP_PEM_FILE $GITHUB_APP_INSTALLATION_ID $GITHUB_BASE_URL) - + - name: Terraform Init id: init run: /opt/tfenv/bin/terraform init -upgrade From bd7eae2dcf8368c187e203513a28ec63b97373d3 Mon Sep 17 00:00:00 2001 From: gomez385 Date: Mon, 30 Sep 2024 21:06:36 -0400 Subject: [PATCH 09/29] make fix --- .github/workflows/terraform_plan.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 273e158..537429c 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -49,6 +49,9 @@ jobs: aws configure set aws_session_token `jq -r '.Token' aws_credentials.json` echo AWS_SESSION_TOKEN=`jq -r '.Token' aws_credentials.json` >> $GITHUB_ENV + - name: Install Python venv + run: sudo apt-get update && sudo apt-get install -y python3-venv + - name: Setup GITHUB Credentials id: github_credentials run: | From fd76b31cc4ae98782c367b9dc970fb556053b8aa Mon Sep 17 00:00:00 2001 
From: gomez385 Date: Mon, 30 Sep 2024 21:10:10 -0400 Subject: [PATCH 10/29] make fix --- .github/workflows/terraform_plan.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 537429c..52af7f5 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -50,7 +50,9 @@ jobs: echo AWS_SESSION_TOKEN=`jq -r '.Token' aws_credentials.json` >> $GITHUB_ENV - name: Install Python venv - run: sudo apt-get update && sudo apt-get install -y python3-venv + run: | + export http_proxy=http://proxy.tco.census.gov:3128 + sudo apt-get update && sudo apt-get install -y python3-venv - name: Setup GITHUB Credentials id: github_credentials From 882465e443b9ef43d7d8bcc40da3cd149f30a5c7 Mon Sep 17 00:00:00 2001 From: gomez385 Date: Mon, 30 Sep 2024 21:13:20 -0400 Subject: [PATCH 11/29] make fix --- .github/workflows/terraform_plan.yaml | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 52af7f5..92beb77 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -49,17 +49,10 @@ jobs: aws configure set aws_session_token `jq -r '.Token' aws_credentials.json` echo AWS_SESSION_TOKEN=`jq -r '.Token' aws_credentials.json` >> $GITHUB_ENV - - name: Install Python venv - run: | - export http_proxy=http://proxy.tco.census.gov:3128 - sudo apt-get update && sudo apt-get install -y python3-venv - - name: Setup GITHUB Credentials id: github_credentials run: | - python -m venv venv - source venv/bin/activate - pip install requests + sudo pip install requests export GITHUB_TOKEN=$(python encode_jwt.py $GITHUB_APP_PEM_FILE $GITHUB_APP_INSTALLATION_ID $GITHUB_BASE_URL) - name: Terraform Init From d57284bd26d40248979337dbb2fa5c362c4ad0d0 Mon Sep 17 00:00:00 2001 
From: gomez385 Date: Tue, 1 Oct 2024 16:05:24 -0400 Subject: [PATCH 12/29] make fix --- .github/workflows/terraform_plan.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 92beb77..1ecaf0b 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -51,8 +51,7 @@ jobs: - name: Setup GITHUB Credentials id: github_credentials - run: | - sudo pip install requests + run: export GITHUB_TOKEN=$(python encode_jwt.py $GITHUB_APP_PEM_FILE $GITHUB_APP_INSTALLATION_ID $GITHUB_BASE_URL) - name: Terraform Init From 89627f4fdda782e921ae49d86b581f546b6ea258 Mon Sep 17 00:00:00 2001 From: gomez385 Date: Tue, 1 Oct 2024 17:14:05 -0400 Subject: [PATCH 13/29] Empty From 7b54166549b43d8eb4546209ce120dc373471533 Mon Sep 17 00:00:00 2001 From: gomez385 Date: Tue, 1 Oct 2024 17:16:02 -0400 Subject: [PATCH 14/29] make fix --- .github/workflows/terraform_plan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 1ecaf0b..066a761 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -52,7 +52,7 @@ jobs: - name: Setup GITHUB Credentials id: github_credentials run: - export GITHUB_TOKEN=$(python encode_jwt.py $GITHUB_APP_PEM_FILE $GITHUB_APP_INSTALLATION_ID $GITHUB_BASE_URL) + export GITHUB_TOKEN=$(python encode_jwt.py "$GITHUB_APP_PEM_FILE" "$GITHUB_APP_INSTALLATION_ID" "$GITHUB_BASE_URL") - name: Terraform Init id: init From c25ebb292f146a746451927cefabacacd88659f2 Mon Sep 17 00:00:00 2001 From: gomez385 Date: Tue, 1 Oct 2024 17:21:44 -0400 Subject: [PATCH 15/29] Empty From ee58694d02b5269dbf0713078c2d5c3312ced7c9 Mon Sep 17 00:00:00 2001 
From: David John Arnold Jr Date: Tue, 1 Oct 2024 14:25:14 -0700 Subject: [PATCH 16/29] Update terraform_plan.yaml --- .github/workflows/terraform_plan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 066a761..cd6dec1 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -52,7 +52,7 @@ jobs: - name: Setup GITHUB Credentials id: github_credentials run: - export GITHUB_TOKEN=$(python encode_jwt.py "$GITHUB_APP_PEM_FILE" "$GITHUB_APP_INSTALLATION_ID" "$GITHUB_BASE_URL") + echo GITHUB_TOKEN=$(python encode_jwt.py "${{ env.GITHUB_APP_PEM_FILE }}" "${{ env.GITHUB_APP_INSTALLATION_ID }}" "${{ env.GITHUB_BASE_URL }}") >> $GITHUB_ENV - name: Terraform Init id: init From 508e975590ab42260283e5ff94674a228ee3deba Mon Sep 17 00:00:00 2001 From: gomez385 Date: Tue, 1 Oct 2024 17:26:19 -0400 Subject: [PATCH 17/29] make fix --- .github/workflows/terraform_plan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index cd6dec1..e06f4cb 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -52,7 +52,7 @@ jobs: - name: Setup GITHUB Credentials id: github_credentials run: - echo GITHUB_TOKEN=$(python encode_jwt.py "${{ env.GITHUB_APP_PEM_FILE }}" "${{ env.GITHUB_APP_INSTALLATION_ID }}" "${{ env.GITHUB_BASE_URL }}") >> $GITHUB_ENV + python encode_jwt.py "${{ env.GITHUB_APP_PEM_FILE }}" "${{ env.GITHUB_APP_INSTALLATION_ID }}" "${{ env.GITHUB_BASE_URL }}" #>> $GITHUB_ENV - name: Terraform Init id: init From 2f4cfb7a5f4f8722568cae0c8f3d519b9de67081 Mon Sep 17 00:00:00 2001 From: gomez385 Date: Tue, 1 Oct 2024 17:31:05 -0400 Subject: [PATCH 18/29] make fix --- .github/workflows/terraform_plan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
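Review bot: The `run:` line in this hunk expands `${{ env.GITHUB_APP_PEM_FILE }}` directly into the shell script; Actions substitutes the expression before the shell sees the script, so the multi-line PEM (and any quote it contains) lands verbatim in the command text, which both breaks the quoting and is the pattern that lets expression values inject shell commands. Referencing the already-exported environment variable as `"$GITHUB_APP_PEM_FILE"`, the form this commit replaces, keeps the value out of the script text. The same applies to the `${{ secrets.GITHUB_APP_PEM_FILE }}` form in the next two commits' hunks, where the secret name also does not match the `secrets.GH_APP_PEM_FILE` that the job `env` reads and would in any case be rejected by GitHub because secret names may not start with `GITHUB_`.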
diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index e06f4cb..1f50699 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -52,7 +52,7 @@ jobs: - name: Setup GITHUB Credentials id: github_credentials run: - python encode_jwt.py "${{ env.GITHUB_APP_PEM_FILE }}" "${{ env.GITHUB_APP_INSTALLATION_ID }}" "${{ env.GITHUB_BASE_URL }}" #>> $GITHUB_ENV + python encode_jwt.py "${{ secrets.GITHUB_APP_PEM_FILE }}" "${{ vars.GITHUB_APP_INSTALLATION_ID }}" https://github.e.it.census.gov/" #>> $GITHUB_ENV - name: Terraform Init id: init From d455c5b01a8e766e597e8e0710e276467a4f0a32 Mon Sep 17 00:00:00 2001 From: gomez385 Date: Tue, 1 Oct 2024 17:35:08 -0400 Subject: [PATCH 19/29] make fix --- .github/workflows/terraform_plan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 1f50699..d96ab54 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -52,7 +52,7 @@ jobs: - name: Setup GITHUB Credentials id: github_credentials run: - python encode_jwt.py "${{ secrets.GITHUB_APP_PEM_FILE }}" "${{ vars.GITHUB_APP_INSTALLATION_ID }}" https://github.e.it.census.gov/" #>> $GITHUB_ENV + python encode_jwt.py "${{ secrets.GITHUB_APP_PEM_FILE }}" "${{ vars.GITHUB_APP_INSTALLATION_ID }}" "https://github.e.it.census.gov/" #>> $GITHUB_ENV - name: Terraform Init id: init From cae233120d2d09b6cd67f2d8e3066a1c99d3fef3 Mon Sep 17 00:00:00 2001 From: gomez385 Date: Tue, 1 Oct 2024 17:38:14 -0400 Subject: [PATCH 20/29] make fix --- .github/workflows/terraform_plan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index d96ab54..c4847f3 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml 
@@ -52,7 +52,7 @@ jobs: - name: Setup GITHUB Credentials id: github_credentials run: - python encode_jwt.py "${{ secrets.GITHUB_APP_PEM_FILE }}" "${{ vars.GITHUB_APP_INSTALLATION_ID }}" "https://github.e.it.census.gov/" #>> $GITHUB_ENV + python encode_jwt.py "$GITHUB_APP_PEM_FILE $GITHUB_APP_INSTALLATION_ID $GITHUB_BASE_URL" #>> $GITHUB_ENV - name: Terraform Init id: init From b89c1654b40319eaac577a83238663c7a2cc77ed Mon Sep 17 00:00:00 2001 From: gomez385 Date: Tue, 1 Oct 2024 17:39:34 -0400 Subject: [PATCH 21/29] make fix --- .github/workflows/terraform_plan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index c4847f3..d4b5f66 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -52,7 +52,7 @@ jobs: - name: Setup GITHUB Credentials id: github_credentials run: - python encode_jwt.py "$GITHUB_APP_PEM_FILE $GITHUB_APP_INSTALLATION_ID $GITHUB_BASE_URL" #>> $GITHUB_ENV + python encode_jwt.py "$GITHUB_APP_PEM_FILE" "$GITHUB_APP_INSTALLATION_ID" "$GITHUB_BASE_URL" #>> $GITHUB_ENV - name: Terraform Init id: init From b37a747abfdc5745fb33416acc8002433aeebd50 Mon Sep 17 00:00:00 2001 From: gomez385 Date: Tue, 1 Oct 2024 17:42:45 -0400 Subject: [PATCH 22/29] make fix --- .github/workflows/terraform_plan.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index d4b5f66..266e1e7 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -51,7 +51,8 @@ jobs: - name: Setup GITHUB Credentials id: github_credentials - run: + run: | + export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt python encode_jwt.py "$GITHUB_APP_PEM_FILE" "$GITHUB_APP_INSTALLATION_ID" "$GITHUB_BASE_URL" #>> $GITHUB_ENV - name: Terraform Init From 96aab0969d08471171d1715911193153b72582c0 Mon Sep 17 00:00:00 2001 
From: gomez385 Date: Tue, 1 Oct 2024 17:46:19 -0400 Subject: [PATCH 23/29] make fix --- .github/workflows/terraform_plan.yaml | 1 - encode_jwt.py | 3 +++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 266e1e7..057c608 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -52,7 +52,6 @@ jobs: - name: Setup GITHUB Credentials id: github_credentials run: | - export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt python encode_jwt.py "$GITHUB_APP_PEM_FILE" "$GITHUB_APP_INSTALLATION_ID" "$GITHUB_BASE_URL" #>> $GITHUB_ENV - name: Terraform Init diff --git a/encode_jwt.py b/encode_jwt.py index fd640d4..a77dcc1 100644 --- a/encode_jwt.py +++ b/encode_jwt.py @@ -23,6 +23,9 @@ parser.add_argument('enterprise_url', type=str, help='GitHub Enterprise API URL (e.g., https://github.e.it.census.gov)') args = parser.parse_args() +print(args.private_key) +print(args.installation_id) +print(args.enterprise_url) # Load the PEM private key private_key = load_pem_private_key(args.private_key.encode(), password=None) From ac30e945037665334434f501b86f59753b50c41b Mon Sep 17 00:00:00 2001 From: gomez385 Date: Tue, 1 Oct 2024 17:50:03 -0400 Subject: [PATCH 24/29] make fix --- encode_jwt.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/encode_jwt.py b/encode_jwt.py index a77dcc1..b2e7e51 100644 --- a/encode_jwt.py +++ b/encode_jwt.py @@ -68,8 +68,10 @@ "Accept": "application/vnd.github+json" } +print(jwt_token) + # Make the request to the GitHub Enterprise API to get the installation access token -url = f"{args.enterprise_url}/api/v3/app/installations/{args.installation_id}/access_tokens" +url = f"{args.enterprise_url}api/v3/app/installations/{args.installation_id}/access_tokens" response = requests.post(url, headers=headers) # Check if the request was successful 
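Review bot: `print(args.private_key)` in the `encode_jwt.py` hunk writes the App's private key to stdout, and the workflow step that runs the script does not capture stdout, so the key goes straight into the job log; the same goes for `print(jwt_token)` added in the following commit. Actions masks registered secrets, but a value that has been reformatted by shell quoting or split across lines is not guaranteed to be masked, so if this ran anywhere with retained logs the key should be treated as exposed and rotated, and any JWT it signed stays valid for its ten-minute `exp`. The URL change in that next commit, `f"{args.enterprise_url}api/v3/..."`, silently makes the script depend on the caller passing a trailing slash, contradicting the help text's example; `f"{args.enterprise_url.rstrip('/')}/api/v3/..."` accepts both.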
From 25ba273d50d50f9b9f0e73d30f9db4f53cc9b6b9 Mon Sep 17 00:00:00 2001 From: gomez385 Date: Tue, 1 Oct 2024 17:52:32 -0400 Subject: [PATCH 25/29] make fix --- .github/workflows/terraform_plan.yaml | 2 +- encode_jwt.py | 5 ----- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 057c608..4a0b337 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -52,7 +52,7 @@ jobs: - name: Setup GITHUB Credentials id: github_credentials run: | - python encode_jwt.py "$GITHUB_APP_PEM_FILE" "$GITHUB_APP_INSTALLATION_ID" "$GITHUB_BASE_URL" #>> $GITHUB_ENV + export GITHUB_TOKEN=$(python encode_jwt.py "$GITHUB_APP_PEM_FILE" "$GITHUB_APP_INSTALLATION_ID" "$GITHUB_BASE_URL") - name: Terraform Init id: init diff --git a/encode_jwt.py b/encode_jwt.py index b2e7e51..a777670 100644 --- a/encode_jwt.py +++ b/encode_jwt.py @@ -23,9 +23,6 @@ parser.add_argument('enterprise_url', type=str, help='GitHub Enterprise API URL (e.g., https://github.e.it.census.gov)') args = parser.parse_args() -print(args.private_key) -print(args.installation_id) -print(args.enterprise_url) # Load the PEM private key private_key = load_pem_private_key(args.private_key.encode(), password=None) @@ -68,8 +65,6 @@ "Accept": "application/vnd.github+json" } -print(jwt_token) - # Make the request to the GitHub Enterprise API to get the installation access token url = f"{args.enterprise_url}api/v3/app/installations/{args.installation_id}/access_tokens" response = requests.post(url, headers=headers) From 6296b58710b7c6db4b4eb1d943c7c9a4c7219ce7 Mon Sep 17 00:00:00 2001 From: gomez385 Date: Tue, 1 Oct 2024 17:55:53 -0400 Subject: [PATCH 26/29] make fix --- .github/workflows/terraform_plan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 4a0b337..8a2092f 100644 
--- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -52,7 +52,7 @@ jobs: - name: Setup GITHUB Credentials id: github_credentials run: | - export GITHUB_TOKEN=$(python encode_jwt.py "$GITHUB_APP_PEM_FILE" "$GITHUB_APP_INSTALLATION_ID" "$GITHUB_BASE_URL") + export GITHUB_TOKEN=$(python encode_jwt.py "$GITHUB_APP_PEM_FILE" "$GITHUB_APP_INSTALLATION_ID" "$GITHUB_BASE_URL") >> $GITHUB_ENV - name: Terraform Init id: init From 83785c72c97dfe303456bc52979b9de38377a4b4 Mon Sep 17 00:00:00 2001 From: gomez385 Date: Tue, 1 Oct 2024 17:56:28 -0400 Subject: [PATCH 27/29] make fix --- .github/workflows/terraform_plan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 8a2092f..d57aa70 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -52,7 +52,7 @@ jobs: - name: Setup GITHUB Credentials id: github_credentials run: | - export GITHUB_TOKEN=$(python encode_jwt.py "$GITHUB_APP_PEM_FILE" "$GITHUB_APP_INSTALLATION_ID" "$GITHUB_BASE_URL") >> $GITHUB_ENV + echo GITHUB_TOKEN=$(python encode_jwt.py "$GITHUB_APP_PEM_FILE" "$GITHUB_APP_INSTALLATION_ID" "$GITHUB_BASE_URL") >> $GITHUB_ENV - name: Terraform Init id: init From 1ab25be5a4ad5f21320d4429899f3c58c6cec5c5 Mon Sep 17 00:00:00 2001 From: arnol377 Date: Wed, 2 Oct 2024 15:39:36 -0400 Subject: [PATCH 28/29] pushing latest --- image-pipeline.tf | 6 +++--- main.tf | 8 ++++---- morpheus.tf | 2 +- repolist.tf | 18 ++++++++++++++++++ sandbox.tf | 2 +- varfiles/default | 0 varfiles/default.tfvars | 14 ++++++++++++++ variables.tf | 12 ++++++++++++ 8 files changed, 53 insertions(+), 9 deletions(-) create mode 100644 repolist.tf delete mode 100644 varfiles/default diff --git a/image-pipeline.tf b/image-pipeline.tf index a60ba30..dcc5065 100644 --- a/image-pipeline.tf +++ b/image-pipeline.tf 
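Review bot: `echo GITHUB_TOKEN=$(python encode_jwt.py ...) >> $GITHUB_ENV` in the second hunk makes the step's exit status that of `echo`, so when `encode_jwt.py` exits 1 (which it does on any non-201 response) the step still succeeds and writes an empty `GITHUB_TOKEN=` line, leaving the later Terraform steps to fail with an unhelpful authentication error. The installation token is also a fresh value that Actions has not registered as a secret, so nothing masks it if any later step prints its environment. Capturing the output first makes the failure visible and allows masking: `TOKEN=$(python encode_jwt.py "$GITHUB_APP_PEM_FILE" "$GITHUB_APP_INSTALLATION_ID" "$GITHUB_BASE_URL")`, then `echo "::add-mask::$TOKEN"`, then `echo "GITHUB_TOKEN=$TOKEN" >> "$GITHUB_ENV"`; under the default `bash -e` shell for `run:` the assignment carries the script's exit status and fails the step when the script fails.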
@@ -50,7 +50,7 @@ module "asset_releases" { github_repo_description = "Terraform Workspace for publishing image-pipeline-assets" repo_org = "CSVD" name = "image-pipeline-asset-releases" - github_org_teams = local.github_organization_teams + github_org_teams = local.github_organization_teams github_repo_topics = [ "terraform" ] @@ -68,7 +68,7 @@ module "aws_image_pipeline" { github_repo_description = "Terraform Workspace for creating and managing AWS Image Pipelines" repo_org = "CSVD" name = "aws-image-pipeline" - github_org_teams = local.github_organization_teams + github_org_teams = local.github_organization_teams github_repo_topics = [ "terraform" ] @@ -112,7 +112,7 @@ module "terraform_aws_image_pipeline" { github_repo_description = "Terraform Module that creates codepipeline and codebuild jobs and other resources for building and deploying images" repo_org = "CSVD" name = "terraform-aws-image-pipeline" - github_org_teams = local.github_organization_teams + github_org_teams = local.github_organization_teams github_repo_topics = [ "terraform" ] diff --git a/main.tf b/main.tf index e0457de..a10c620 100644 --- a/main.tf +++ b/main.tf @@ -27,7 +27,7 @@ module "elastic_beanstalk" { enforce_prs = false collaborators = local.collaborators pull_request_bypassers = local.pull_request_bypassers - github_org_teams = local.github_organization_teams + github_org_teams = local.github_organization_teams } @@ -273,7 +273,7 @@ module "setup_terraform" { create_codeowners = false enforce_prs = false collaborators = local.collaborators - github_org_teams = local.github_organization_teams + github_org_teams = local.github_organization_teams } module "setup_node" { @@ -289,7 +289,7 @@ module "setup_node" { create_codeowners = false enforce_prs = false collaborators = local.collaborators - github_org_teams = local.github_organization_teams + github_org_teams = local.github_organization_teams } # ghe-runner 
@@ -306,7 +306,7 @@ module "ghe_runners" { create_codeowners = false enforce_prs = false collaborators = local.collaborators - github_org_teams = local.github_organization_teams + github_org_teams = local.github_organization_teams } module "vpc_services" { diff --git a/morpheus.tf b/morpheus.tf index 132b969..4a82a28 100644 --- a/morpheus.tf +++ b/morpheus.tf @@ -10,7 +10,7 @@ module "morpheus_repos" { source = "HappyPathway/repo/github" #github_codeowners_team = "CSVD" github_repo_description = "Repo for morpheus cloud" - github_org_teams = local.github_organization_teams + github_org_teams = local.github_organization_teams repo_org = "CSVD" name = each.value github_repo_topics = [ diff --git a/repolist.tf b/repolist.tf new file mode 100644 index 0000000..4c11376 --- /dev/null +++ b/repolist.tf @@ -0,0 +1,18 @@ +module "repo_list" { + source = "HappyPathway/repo/github" + for_each = tomap({ for repo in var.repolist : repo.name => repo }) + #github_codeowners_team = "CSVD" + github_repo_description = each.value.description + repo_org = each.value.repo_org + name = each.value.name + github_repo_topics = [ + "terraform" + ] + is_template = each.value.is_template + force_name = true + create_codeowners = false + enforce_prs = each.value.enforce_prs + collaborators = local.collaborators + pull_request_bypassers = local.pull_request_bypassers + github_org_teams = local.github_organization_teams +} diff --git a/sandbox.tf b/sandbox.tf index e80f158..38e5611 100644 --- a/sandbox.tf +++ b/sandbox.tf @@ -19,7 +19,7 @@ module "sandbox" { create_codeowners = false enforce_prs = false collaborators = { "arnol377" : "admin" } - github_org_teams = local.github_organization_teams + github_org_teams = local.github_organization_teams managed_extra_files = [ { path = ".github/workflows/terraform-plan.yaml" diff --git a/varfiles/default b/varfiles/default deleted file mode 100644 index e69de29..0000000 
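Review bot: In the new `module "repo_list"` in repolist.tf, `create_codeowners = false` is hard-coded even though the `repolist` variable added in the same commit declares a per-repo `create_codeowners = optional(bool, false)` field, so that field is silently ignored; the line should read `create_codeowners = each.value.create_codeowners`. The same hard-coded value survives the repolist.tf rewrite in the PATCH 29/29 hunk, so the fix applies there as well. Separately, `for_each` keys on `repo.name` alone, so two entries that share a name but differ in `repo_org` would collide on the map key; if cross-org lists are expected, a key such as `"${repo.repo_org}/${repo.name}"` avoids that.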
diff --git a/varfiles/default.tfvars b/varfiles/default.tfvars index fa1a342..6ad4a1d 100644 --- a/varfiles/default.tfvars +++ b/varfiles/default.tfvars @@ -1,3 +1,17 @@ image_pipeline_workflows = { "image-pipeline-goss-testing" = "./workflows/goss-testing.yaml" } + +repolist = [ + { + description = "Managing AWS CSVD Secrets" + repo_org = "CSVD" + name = "aws-secrets" + }, + { + description = "Tools for managing Terraform" + repo_org = "CSVD" + name = "tf-tools" + } +] + diff --git a/variables.tf b/variables.tf index 0f1b652..82faa87 100644 --- a/variables.tf +++ b/variables.tf @@ -1,3 +1,15 @@ variable "image_pipeline_workflows" { type = map(string) } + +variable "repolist" { + type = list(object({ + description = string + repo_org = string + name = string + is_template = optional(bool, false) + create_codeowners = optional(bool, false) + enforce_prs = optional(bool, false) + })) + default = [] +} From 4f26fa9ca16a3246ed74395b1cc24f84b10e7896 Mon Sep 17 00:00:00 2001 From: arnol377 Date: Mon, 7 Oct 2024 19:02:37 -0400 Subject: [PATCH 29/29] uypdating --- imported-repos.tf | 14 ++++++++++++ main.tf | 17 --------------- repolist.tf | 18 +++++++--------- varfiles/default.tfvars | 48 ++++++++++++++++++++++++++++++++++++++++- variables.tf | 1 + 5 files changed, 70 insertions(+), 28 deletions(-) create mode 100644 imported-repos.tf diff --git a/imported-repos.tf b/imported-repos.tf new file mode 100644 index 0000000..cfc8959 --- /dev/null +++ b/imported-repos.tf @@ -0,0 +1,14 @@ +module "netbackup_automation_platform" { + source = "HappyPathway/gh-actions/importer" + github_repo_topics = [] + vulnerability_alerts = false + public_repo = { + default_branch = "main" + clone_url = "https://github.com/VeritasOS/netbackup-automation-platform.git" + } + internal_repo = { + name = "netbackup-automation-platform" + org = "CSVD" + topics = ["automation-platform"] + } +} diff --git a/main.tf b/main.tf index a10c620..1205503 100644 --- a/main.tf +++ b/main.tf 
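Review bot: The new `repolist` object type in variables.tf defaults `enforce_prs` to `false`, so every repository provisioned from the list has PR enforcement off unless an entry opts in, and neither entry in the accompanying `varfiles/default.tfvars` sets it. For an org-management workspace the safer default is `enforce_prs = optional(bool, true)`, making the weaker setting an explicit, reviewable choice per entry; if `false` is deliberate, a comment on the field explaining why would help future readers. What `enforce_prs` controls inside `HappyPathway/repo/github` is not visible here, so confirm the semantics against the module before changing the default.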
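Review bot: `vulnerability_alerts = false` in the new `module "netbackup_automation_platform"` disables dependency vulnerability alerts on a repository whose contents are imported from a third-party public `clone_url`, which is exactly the code the organization has least control over; unless the importer cannot manage alerts, `vulnerability_alerts = true` (or a comment stating the exception) is the expected setting. The `source = "HappyPathway/gh-actions/importer"` has no `version` constraint, so `terraform init` resolves whatever the latest published module version is; adding `version = "<pinned version>"` keeps the import reproducible. The other module blocks in this patch set also omit `version`, so the pin could be applied consistently as a follow-up.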
@@ -68,23 +68,6 @@ module "csvd-org-management" { github_org_teams = local.github_organization_teams } -module "external-actions" { - source = "HappyPathway/repo/github" - #github_codeowners_team = "CSVD" - github_repo_description = "Automation Repos for Morpheus POC" - repo_org = "CSVD" - name = "external-actions" - github_repo_topics = [ - "terraform" - ] - force_name = true - create_codeowners = false - enforce_prs = false - collaborators = local.collaborators - pull_request_bypassers = local.pull_request_bypassers - github_org_teams = local.github_organization_teams -} - module "github-runner-images" { source = "HappyPathway/repo/github" #github_codeowners_team = "CSVD" diff --git a/repolist.tf b/repolist.tf index 4c11376..bed6c3a 100644 --- a/repolist.tf +++ b/repolist.tf @@ -5,14 +5,12 @@ module "repo_list" { github_repo_description = each.value.description repo_org = each.value.repo_org name = each.value.name - github_repo_topics = [ - "terraform" - ] - is_template = each.value.is_template - force_name = true - create_codeowners = false - enforce_prs = each.value.enforce_prs - collaborators = local.collaborators - pull_request_bypassers = local.pull_request_bypassers - github_org_teams = local.github_organization_teams + github_repo_topics = each.value.repo_topics + is_template = each.value.is_template + force_name = true + create_codeowners = false + enforce_prs = each.value.enforce_prs + collaborators = local.collaborators + pull_request_bypassers = local.pull_request_bypassers + github_org_teams = local.github_organization_teams } diff --git a/varfiles/default.tfvars b/varfiles/default.tfvars index 6ad4a1d..9e37a68 100644 --- a/varfiles/default.tfvars +++ b/varfiles/default.tfvars 
@@ -7,11 +7,57 @@ repolist = [ description = "Managing AWS CSVD Secrets" repo_org = "CSVD" name = "aws-secrets" + repo_topics = [ + "terraform-tools" + ] }, { description = "Tools for managing Terraform" repo_org = "CSVD" name = "tf-tools" - } + repo_topics = [ + "terraform-tools" + ] + }, + { + description = "Composite Action for Terraform-Validate" + repo_org = "CSVD" + name = "terraform-validate" + repo_topics = [ + "composite-action" + ] + }, + { + description = "Composite Action for Terraform-Plan" + repo_org = "CSVD" + name = "terraform-plan" + repo_topics = [ + "composite-action" + ] + }, + { + description = "Composite Action for Terraform-Apply" + repo_org = "CSVD" + name = "terraform-apply" + repo_topics = [ + "composite-action" + ] + }, + { + description = "Composite Action for Terraform-Apply" + repo_org = "CSVD" + name = "terraform-init" + repo_topics = [ + "composite-action" + ] + }, + { + description = "Composite Action for AWS Auth" + repo_org = "CSVD" + name = "aws-auth" + repo_topics = [ + "composite-action" + ] + } ] diff --git a/variables.tf b/variables.tf index 82faa87..a8b1a49 100644 --- a/variables.tf +++ b/variables.tf @@ -10,6 +10,7 @@ variable "repolist" { is_template = optional(bool, false) create_codeowners = optional(bool, false) enforce_prs = optional(bool, false) + repo_topics = optional(list(string), ["terraform-workspace"]) })) default = [] }
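Review bot: The new `terraform-init` entry carries `description = "Composite Action for Terraform-Apply"`, identical to the preceding `terraform-apply` entry, which looks like a copy-paste slip; it should presumably read `description = "Composite Action for Terraform-Init"`. Because `github_repo_description` in repolist.tf is populated from this field, the wrong text becomes the repository's public description rather than staying a local nit.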