Skip to content

Commit

Permalink
Api gh secrets (#2371)
Browse files Browse the repository at this point in the history
* normalizing secrets

* aws account ids

* debug

* fixed the secret issues
  • Loading branch information
ben851 authored Nov 28, 2024
1 parent 931f91d commit 58919cb
Show file tree
Hide file tree
Showing 5 changed files with 14 additions and 16 deletions.
6 changes: 3 additions & 3 deletions .github/workflows/build_and_push_performance_test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ on:

env:
GITHUB_SHA: ${{ github.sha }}
REGISTRY: ${{ secrets.AWS_ACCOUNT }}.dkr.ecr.ca-central-1.amazonaws.com/notify
REGISTRY: ${{ secrets.STAGING_AWS_ACCOUNT_ID }}.dkr.ecr.ca-central-1.amazonaws.com/notify

jobs:
changes:
Expand Down Expand Up @@ -55,8 +55,8 @@ jobs:
id: aws-creds
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-access-key-id: ${{ secrets.STAGING_AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.STAGING_AWS_SECRET_ACCESS_KEY }}
aws-region: ca-central-1

- name: Login to ECR
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/docker-vulnerability-scan.yml
Original file line number Diff line number Diff line change
Expand Up @@ -47,13 +47,13 @@ jobs:
runs-on: ubuntu-latest
env:
DOCKERFILE_PATH: "ci/Dockerfile.lambda"
DOCKER_IMAGE: "${{ secrets.PRODUCTION_API_LAMBDA_ECR_ACCOUNT }}.dkr.ecr.ca-central-1.amazonaws.com/notify/api-lambda"
DOCKER_IMAGE: "${{ secrets.PRODUCTION_AWS_ACCOUNT_ID }}.dkr.ecr.ca-central-1.amazonaws.com/notify/api-lambda"

steps:
- name: Configure credentials to Notify account using OIDC
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with:
role-to-assume: arn:aws:iam::${{ secrets.PRODUCTION_API_LAMBDA_ECR_ACCOUNT }}:role/notification-api-apply
role-to-assume: arn:aws:iam::${{ secrets.PRODUCTION_AWS_ACCOUNT_ID }}:role/notification-api-apply
role-session-name: NotifyApiGitHubActions
aws-region: "ca-central-1"

Expand Down
8 changes: 3 additions & 5 deletions .github/workflows/docker.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -9,8 +9,7 @@ env:
DOCKER_ORG: public.ecr.aws/v6b8u5o6
DOCKER_SLUG: public.ecr.aws/v6b8u5o6/notify-api
KUBECTL_VERSION: '1.23.6'
WORKFLOW_PAT: ${{ secrets.WORKFLOW_GITHUB_PAT }}
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN_STAGING }}

permissions:
id-token: write # This is required for requesting the OIDC JWT
Expand Down Expand Up @@ -59,8 +58,8 @@ jobs:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-access-key-id: ${{ secrets.STAGING_AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.STAGING_AWS_SECRET_ACCESS_KEY }}
aws-region: ca-central-1

- name: Install OpenVPN
Expand Down Expand Up @@ -89,7 +88,6 @@ jobs:
uses: "kota65535/github-openvpn-connect-action@cd2ed8a90cc7b060dc4e001143e811b5f7ea0af5"
with:
config_file: /var/tmp/staging.ovpn
client_key: ${{ secrets.STAGING_OVPN_CLIENT_KEY }}
echo_config: false

- name: Configure kubeconfig
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/lambda_production.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ on:
branches: [main]

env:
REGISTRY: ${{ secrets.PRODUCTION_API_LAMBDA_ECR_ACCOUNT }}.dkr.ecr.ca-central-1.amazonaws.com/notify
REGISTRY: ${{ secrets.PRODUCTION_AWS_ACCOUNT_ID }}.dkr.ecr.ca-central-1.amazonaws.com/notify

jobs:
build-and-push:
Expand All @@ -25,8 +25,8 @@ jobs:
id: aws-creds
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with:
aws-access-key-id: ${{ secrets.PRODUCTION_ECR_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.PRODUCTION_ECR_SECRET_ACCESS_KEY }}
aws-access-key-id: ${{ secrets.PRODUCTION_AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.PRODUCTION_AWS_SECRET_ACCESS_KEY }}
aws-region: ca-central-1

- name: Set Docker image tag
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/lambda_staging.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ on:
branches: [main]

env:
REGISTRY: ${{ secrets.STAGING_API_LAMBDA_ECR_ACCOUNT }}.dkr.ecr.ca-central-1.amazonaws.com/notify
REGISTRY: ${{ secrets.STAGING_AWS_ACCOUNT_ID }}.dkr.ecr.ca-central-1.amazonaws.com/notify

jobs:
build-push-and-deploy:
Expand All @@ -25,8 +25,8 @@ jobs:
id: aws-creds
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with:
aws-access-key-id: ${{ secrets.STAGING_ECR_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.STAGING_ECR_SECRET_ACCESS_KEY }}
aws-access-key-id: ${{ secrets.STAGING_AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.STAGING_AWS_SECRET_ACCESS_KEY }}
aws-region: ca-central-1

- name: Build container
Expand Down

0 comments on commit 58919cb

Please sign in to comment.