

Update to aws-actions/configure-aws-credentials@v2
Per the advice from:
- https://github.com/aws-actions/configure-aws-credentials

Per that repo's README, it looks like there may be better, less verbose
ways of getting short-lived credentials via GitHub's OpenID Connect
provider:
- https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services

That, however, is a project for another day. Just getting this whole
CI/CD pipeline running correctly as of the previous commit was a day's
work.
mbland committed Apr 8, 2023
1 parent e70b97b commit 71fd5f8
Showing 1 changed file with 2 additions and 155 deletions.
157 changes: 2 additions & 155 deletions .github/workflows/pipeline.yaml
@@ -45,7 +45,7 @@ jobs:
use-installer: true

- name: Assume the testing pipeline user role
uses: aws-actions/configure-aws-credentials@v1-node16
uses: aws-actions/configure-aws-credentials@v2
with:
aws-access-key-id: ${{ secrets.aws_access_key_id }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -83,160 +83,7 @@ jobs:
- run: SAM_CLI_TELEMETRY=0 sam build --template ${SAM_TEMPLATE}

- name: Assume the testing pipeline user role
uses: aws-actions/configure-aws-credentials@v1-node16
with:
aws-access-key-id: ${{ secrets.aws_access_key_id }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.TESTING_REGION }}
role-to-assume: ${{ env.TESTING_PIPELINE_EXECUTION_ROLE }}
role-session-name: feature-deployment
role-duration-seconds: 3600
role-skip-session-tagging: true

- name: Deploy to feature stack in the testing account
shell: bash
run: |
tr -d '\r' > .env <<EOF
${{ vars.TEST_ENV_FILE }}
EOF
./bin/sam-with-env.sh .env deploy \
--stack-name $(echo ${GITHUB_REF##*/} | tr -cd '[a-zA-Z0-9-]') \
--capabilities CAPABILITY_IAM \
--region ${TESTING_REGION} \
--s3-bucket ${TESTING_ARTIFACTS_BUCKET} \
--no-fail-on-empty-changeset \
--no-confirm-changeset \
--role-arn ${TESTING_CLOUDFORMATION_EXECUTION_ROLE}
build-and-package:
if: github.ref == 'refs/heads/main'
needs: [test]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: aws-actions/setup-sam@v2
with:
use-installer: true
- uses: actions/setup-go@v4
with:
go-version: 1.20.x
- name: Build resources
run: SAM_CLI_TELEMETRY=0 sam build --template ${SAM_TEMPLATE}

- name: Assume the testing pipeline user role
uses: aws-actions/configure-aws-credentials@v1-node16
with:
aws-access-key-id: ${{ secrets.aws_access_key_id }}
aws-secret-access-key: ${{ secrets.aws_secret_access_key }}
aws-region: ${{ env.TESTING_REGION }}
role-to-assume: ${{ env.TESTING_PIPELINE_EXECUTION_ROLE }}
role-session-name: testing-packaging
role-duration-seconds: 3600
role-skip-session-tagging: true

- name: Upload artifacts to testing artifact buckets
run: |
SAM_CLI_TELEMETRY=0 sam package \
--s3-bucket ${TESTING_ARTIFACTS_BUCKET} \
--region ${TESTING_REGION} \
--output-template-file packaged-testing.yaml
- uses: actions/upload-artifact@v2
with:
name: packaged-testing.yaml
path: packaged-testing.yaml

- name: Assume the prod pipeline user role
uses: aws-actions/configure-aws-credentials@v1-node16
with:
aws-access-key-id: ${{ secrets.aws_access_key_id }}
aws-secret-access-key: ${{ secrets.aws_secret_access_key }}
aws-region: ${{ env.PROD_REGION }}
role-to-assume: ${{ env.PROD_PIPELINE_EXECUTION_ROLE }}
role-session-name: prod-packaging
role-duration-seconds: 3600
role-skip-session-tagging: true

- name: Upload artifacts to production artifact buckets
run: |
SAM_CLI_TELEMETRY=0 sam package \
--s3-bucket ${PROD_ARTIFACTS_BUCKET} \
--region ${PROD_REGION} \
--output-template-file packaged-prod.yaml
- uses: actions/upload-artifact@v2
with:
name: packaged-prod.yaml
path: packaged-prod.yaml

deploy-testing:
if: github.ref == 'refs/heads/main'
needs: [build-and-package]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: aws-actions/setup-sam@v2
with:
use-installer: true
- uses: actions/download-artifact@v2
with:
name: packaged-testing.yaml

- name: Assume the testing pipeline user role
uses: aws-actions/configure-aws-credentials@v1-node16
with:
aws-access-key-id: ${{ secrets.aws_access_key_id }}
aws-secret-access-key: ${{ secrets.aws_secret_access_key }}
aws-region: ${{ env.TESTING_REGION }}
role-to-assume: ${{ env.TESTING_PIPELINE_EXECUTION_ROLE }}
role-session-name: testing-deployment
role-duration-seconds: 3600
role-skip-session-tagging: true

- name: Deploy to testing account
run: |
tr -d '\r' > .env <<EOF
${{ vars.TEST_ENV_FILE }}
EOF
./bin/sam-with-env.sh .env deploy --stack-name ${TESTING_STACK_NAME} \
--template packaged-testing.yaml \
--capabilities CAPABILITY_IAM \
--region ${TESTING_REGION} \
--s3-bucket ${TESTING_ARTIFACTS_BUCKET} \
--no-fail-on-empty-changeset \
--no-confirm-changeset \
--role-arn ${TESTING_CLOUDFORMATION_EXECUTION_ROLE}
integration-test:
if: github.ref == 'refs/heads/main'
needs: [deploy-testing]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- run: |
tr -d '\r' > .env <<EOF
${{ vars.TEST_ENV_FILE }}
EOF
./bin/smoke-test.sh .env
deploy-prod:
if: github.ref == 'refs/heads/main'
needs: [integration-test]
runs-on: ubuntu-latest
# Configure GitHub Action Environment to have a manual approval step before deployment to production
# https://docs.github.com/en/actions/reference/environments
# environment: <configured-environment>
steps:
- uses: actions/checkout@v3
- uses: aws-actions/setup-sam@v2
with:
use-installer: true
- uses: actions/download-artifact@v2
with:
name: packaged-prod.yaml

- name: Assume the prod pipeline user role
uses: aws-actions/configure-aws-credentials@v1-node16
uses: aws-actions/configure-aws-credentials@v2
with:
aws-access-key-id: ${{ secrets.aws_access_key_id }}
aws-secret-access-key: ${{ secrets.aws_secret_access_key }}
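Review bot: The new `uses: aws-actions/configure-aws-credentials@v2` line here, and the identical one in the first hunk, reference a floating major tag, so the action's code can change underneath this workflow without any diff in this repository, and these are precisely the steps that receive the account's long-lived access keys from `secrets`. Pin to a full-length commit SHA and keep the version as a trailing comment, e.g. `uses: aws-actions/configure-aws-credentials@<full-commit-sha>  # v2`, and let Dependabot's `github-actions` ecosystem keep the SHA current. Separately, the surviving context lines spell the same secrets inconsistently (`secrets.aws_access_key_id` next to `secrets.AWS_SECRET_ACCESS_KEY` in the first hunk, lowercase in this one); GitHub secret names are, as far as I recall, case-insensitive, so this is a readability point, but one spelling per file makes it easier to audit which secrets the workflow actually touches. The enclosing `steps:` list and its job definition start outside the hunk.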

