Use OIDC to securely connect CircleCI to AWS #5589
Conversation
I went through the PR, and I have a few questions.
- What is frontend-modern job used for?
- In frontend and backend deploy jobs, what function does the frontend-modern job play?
- I saw that frontend-modern was using a cimg/node:lts image, and I believe that the TM frontend build is not successful in node >=18.
Thanks for the review, @Aadesh-Baral
It's an experimental job I used to play around with different settings. I will remove it in a subsequent commit. But for now it stays because I can work with CircleCI without clobbering on others' work.
Doesn't play any role. It's an independent workflow.
This is a discussion for later. But we need to get TM frontend to work with LTS releases as we move forward. I can switch the version to
- Legacy webhooks for sending notifications from CircleCI have been deprecated
- Orbs or Webhooks v2 are the recommended(?) way to go for sending notifications about CircleCI jobs/workflows to Opsgenie
- Removed the legacy notification lines from CircleCI config.yml
- Added OpsGenie orb (v1.0.8, last updated 2019)
- Added OPSGENIE_WEBHOOK envvar to org-global context and added context to workflows
- Added post-steps in workflows to send notifications to OpsGenie
- [SECURITY] Enabled execution of uncertified orbs in CircleCI org settings
47e29e9 to 6f3bf19
Kudos, SonarCloud Quality Gate passed!
Related to #5539
@eternaltyro is this still relevant to review?
@dakotabenjamin yes, please. I will resolve the conflicts, but for now, can you review for any pitfalls and things like that?
@dakotabenjamin I have resolved the conflicts. Please review once. If all is good, I'll merge this and then move on to improving the syntax further.
I love how we have separated out the jobs in this new workflow. LGTM, but I have a question: will splitting out some of these jobs into separate containers significantly increase overall runtime or storage capacity? Since they have different base images
@dakotabenjamin Those different tests don't save anything to cache. I don't think there will be a significant increase in project storage usage through saved caches. Re: Runtime - it actually reduces the runtime because the tests are parallelised. There is no change in overall runtime since the build flows are dependent on the test flows and it is all sequential. I have ideas to shorten that too. I will increase the OIDC key lifetime to 45min in the interim. Do you think this PR is good to be merged?
This PR introduces OpenID Connect for CircleCI to access AWS. Only jobs running inside a context can fetch AWS credentials. AWS provides temporary (30 min) access tokens for CircleCI to use for running AWS API ops.
Note:
Benefits:
This removes the need to specify an AWS key pair, which risked exposing it. This is primarily a security measure and, to an extent, a convenience measure to ease later improvements to the CircleCI config.
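The part of the setup that decides how much the OIDC approach actually buys you is the trust policy on the AWS side: CircleCI's tokens carry `aud` = the organization id and `sub` = `org/<org-id>/project/<project-id>/user/<user-id>`, and if the role only checks `aud`, any job in any project of the organization that runs in a context can assume it. The following is an added example, not code from this PR or from the Tasking Manager project: it builds the trust policy for the CircleCI OIDC provider with a `sub` restriction to one project, and a small evaluator that mimics how STS applies the policy's `Condition` block to the token's claims so the difference between the restricted and unrestricted policy is visible offline. The organization id, project id, account id and token claims are hypothetical values constructed for the example.

```python
"""Added example (not from the PR or the project): IAM trust policy for a
CircleCI OIDC provider plus an evaluator that mimics STS condition matching.

Hypothetical identifiers (not from the PR):
  ORG_ID     - CircleCI organization id (also the token's `aud` claim)
  PROJECT_ID - the one CircleCI project allowed to assume the role
"""
import fnmatch
import json

ORG_ID = "11111111-2222-3333-4444-555555555555"      # hypothetical
PROJECT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # hypothetical
PROVIDER = f"oidc.circleci.com/org/{ORG_ID}"


def trust_policy(account_id: str, restrict_to_project: bool = True) -> dict:
    """Build the role's trust policy.

    CircleCI tokens carry aud = org id and
    sub = org/<org>/project/<project>/user/<user>.  Without the `sub`
    condition, any job in the organization that runs in a context can
    assume the role, not only the intended project.
    """
    cond = {"StringEquals": {f"{PROVIDER}:aud": ORG_ID}}
    if restrict_to_project:
        cond["StringLike"] = {
            f"{PROVIDER}:sub": f"org/{ORG_ID}/project/{PROJECT_ID}/user/*"
        }
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{PROVIDER}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": cond,
        }],
    }


def condition_allows(policy: dict, claims: dict) -> bool:
    """Evaluate the statement's Condition against decoded token claims.

    Every operator/key pair must match (AND semantics, as in IAM);
    StringLike allows the * and ? wildcards.  A missing claim never matches.
    """
    stmt = policy["Statement"][0]
    for op, keys in stmt["Condition"].items():
        for key, want in keys.items():
            # Condition keys are "<provider>:<claim>"; look the claim up in the token.
            claim = key.split(":", 1)[1]
            have = claims.get(claim)
            if have is None:
                return False
            if op == "StringEquals" and have != want:
                return False
            if op == "StringLike" and not fnmatch.fnmatchcase(have, want):
                return False
    return True


# Constructed claim sets (not real tokens): a job in the allowed project and a
# job from another project in the same organization.
ALLOWED_JOB = {"aud": ORG_ID, "sub": f"org/{ORG_ID}/project/{PROJECT_ID}/user/u-1"}
OTHER_PROJECT = {"aud": ORG_ID, "sub": f"org/{ORG_ID}/project/other-project/user/u-2"}


def demo() -> dict:
    """Compare the project-restricted policy with an aud-only policy."""
    strict = trust_policy("123456789012")
    loose = trust_policy("123456789012", restrict_to_project=False)
    return {
        "strict_allows_own_project": condition_allows(strict, ALLOWED_JOB),
        "strict_allows_other_project": condition_allows(strict, OTHER_PROJECT),
        "loose_allows_other_project": condition_allows(loose, OTHER_PROJECT),
    }


if __name__ == "__main__":
    print(json.dumps(trust_policy("123456789012"), indent=2))
    print(demo())
```

Two points worth keeping in mind when applying this to the PR's setup. First, the token is only injected into jobs that use at least one context, which is what the description means by "only jobs running inside a context can fetch AWS credentials"; the trust policy, not the context, is what limits which of those jobs may assume the role. Second, the 30-minute lifetime mentioned above is the `DurationSeconds` passed to `AssumeRoleWithWebIdentity`, which must lie between 900 seconds and the role's `MaxSessionDuration` (one hour by default), so the 45-minute value discussed in the thread fits without changing the role, while anything longer would require raising `MaxSessionDuration` first.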