Refactor GitHub Actions workflows: consolidate token refresh job and …

…update README with build infrastructure requirements
SCT-Engineering · Apr 30, 2025 · 9bd1e83 · 9bd1e83
1 parent ec19f23
commit 9bd1e83
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 43 deletions.
diff --git a/.github/workflows/gh-token.yml b/.github/workflows/gh-token.yml
@@ -4,16 +4,23 @@ on:
   schedule:
     - cron: '*/5 * * * *'  # Runs every 5 minutes
   workflow_dispatch:  # Allows manual triggering
-
+
+permissions:
+  contents: write
+  id-token: write
+
 jobs:
-  refresh-token:
-    name: Refresh GitHub Token
-    uses: CSVD/centralized-actions/.github/workflows/upload-github-token.yml@main
-    with:
-      aws_region: 'us-gov-west-1'
-      secret_name: '/eks-cluster-deployment/github_token'  # This matches the SECRET_NAME in app.py
-      github_app_id: ${{ vars.GH_APP_ID }}
-      github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }}
-      use_ecs_credentials: true
-    secrets:
-      github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }}
+  build:
+    runs-on: ubuntu-latest
+    if: ${{ github.server_url != 'https://github.com' }}
+    steps:
+      - name: Refresh GitHub Token
+        uses: CSVD/centralized-actions/.github/workflows/upload-github-token.yml@main
+        with:
+          aws_region: 'us-gov-west-1'
+          secret_name: '/eks-cluster-deployment/github_token'  # This matches the SECRET_NAME in app.py
+          github_app_id: ${{ vars.GH_APP_ID }}
+          github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }}
+          use_ecs_credentials: true
+        secrets:
+          github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }}
diff --git a/.github/workflows/init-cluster-pr.yml b/.github/workflows/init-cluster-pr.yml
@@ -24,38 +24,8 @@ jobs:
           echo "aws_account=${AWS_ACCOUNT}" >> $GITHUB_OUTPUT
           echo "environment=${ENVIRONMENT}" >> $GITHUB_OUTPUT
 
-  expand-config:
-    needs: determine-environment
-    runs-on: [ "${{ needs.determine-environment.outputs.aws_account }}" ]
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Set up Python
-        uses: actions/setup-python@v4
-        with:
-          python-version: '3.11'
-
-      - name: Install Ansible
-        run: |
-          python -m pip install --upgrade pip
-          pip install ansible jinja2
-          
-      - name: Run HCL Generator
-        run: |
-          cd ansible
-          ansible-playbook generate_hcl_files.yml
-          
-      - name: Commit HCL Files
-        run: |
-          git config --global user.name "GitHub Actions Bot"
-          git config --global user.email "actions@github.com"
-          git add environment/
-          git commit -m "Generate HCL files from config" || echo "No changes to commit"
-          git push origin HEAD:${{ github.head_ref }}
-
   terraform-plan:
-    needs: [ determine-environment, expand-config ]
+    needs: [ determine-environment ]
     runs-on: [ "${{ needs.determine-environment.outputs.aws_account }}" ]
 
     steps:

diff --git a/design-docs/README.md b/design-docs/README.md
@@ -11,6 +11,14 @@ This is the terraform module that is repsonsible for deploying our Lambda functi
 ### template-automation-lambda
 This is actual Lambda function, this repo creates a Docker image that we deploy to Lambda. Our actual lambda code is in template_automation/app.py.
 
+### Build Infrastructure Requirements
+The Terraform configuration in this repository is specifically for building the Lambda container image in ECR. Due to tooling restrictions and access requirements, the build process must be executed in GitHub.com rather than in the target organization's environment. This means:
+
+- The container image build pipeline runs in GitHub.com
+- Terraform in this repo manages only build-related resources (ECR repository, build IAM roles)
+- The build process cannot access internal tools or resources of the target organization
+- The resulting container image is then referenced by the terraform-aws-template-automation module for actual deployment
+
 ## Overview
 This document outlines the implementation plan for enhancing the EKS Automation Lambda to improve its GitHub integration workflow and testing capabilities. Most of this work will take place in template_automation/app.py
 

diff --git a/template-automation-lambda.code-workspace b/template-automation-lambda.code-workspace
@@ -1,15 +1,23 @@
 {
 	"folders": [
 		{
+			"name": "template-eks-cluster",
+			"path": "../template-eks-cluster"
+		},
+		{
+			"name": "template-automation-lambda",
 			"path": "."
 		},
 		{
+			"name": "terraform-aws-template-automation",
 			"path": "../terraform-aws-template-automation"
 		},
 		{
+			"name": "d",
 			"path": "../providers/terraform-provider-aws/website/docs/d"
 		},
 		{
+			"name": "r",
 			"path": "../providers/terraform-provider-aws/website/docs/r"
 		}
 	],