From a757199186a77293cd0280f5812b4084e722d12f Mon Sep 17 00:00:00 2001 From: Ben Larabie Date: Thu, 3 Oct 2024 14:34:04 -0400 Subject: [PATCH] fix: VPN Config (#3018) * Adding 1Pass to vpn config * Install 1pass * Service account token * Conditional vault * yep * [review] vault * debug * TF version update * export * adding back error suppression --- .../workflows/helmfile_production_apply.yaml | 14 ++++++++++---- .../workflows/helmfile_production_plan.yaml | 13 +++++++++---- .github/workflows/helmfile_staging_apply.yaml | 14 ++++++++++---- .../helmfile_staging_apply_specific_app.yaml | 14 ++++++++++---- .github/workflows/helmfile_staging_plan.yaml | 18 ++++++++++++------ .../workflows/merge_to_main_production.yaml | 13 +++++++++---- .github/workflows/merge_to_main_staging.yaml | 13 +++++++++---- scripts/createVPNConfig.sh | 8 +++++++- 8 files changed, 76 insertions(+), 31 deletions(-) diff --git a/.github/workflows/helmfile_production_apply.yaml b/.github/workflows/helmfile_production_apply.yaml index 4eecbf2bc..7006f50da 100644 --- a/.github/workflows/helmfile_production_apply.yaml +++ b/.github/workflows/helmfile_production_apply.yaml @@ -12,6 +12,7 @@ env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} HELMFILE_FILE_PATH: ${{ github.workspace }}/helmfile PRODUCTION_AWS_ACCOUNT: ${{ secrets.PRODUCTION_AWS_ACCOUNT }} + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.PRODUCTION_OP_SERVICE_ACCOUNT_TOKEN }} jobs: helmfile-apply: 
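Review bot: `OP_SERVICE_ACCOUNT_TOKEN` is added to the workflow-level `env:` of helmfile_production_apply.yaml, so the production 1Password service-account token is exported to every step of every job. That includes the tag-pinned `cds-snc/terraform-tools-setup@v1` action and the package-install steps, none of which need it. Scope it to the one step that runs `op` by giving `- name: Retrieve VPN Config` its own `env:` with `OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.PRODUCTION_OP_SERVICE_ACCOUNT_TOKEN }}`. The same workflow-level placement recurs in helmfile_staging_apply.yaml, helmfile_staging_apply_specific_app.yaml and helmfile_staging_plan.yaml. Whether the service account is limited to read access on the single vault the script uses cannot be checked from this diff and is worth confirming.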
@@ -51,10 +52,15 @@ jobs: - name: Setup Terraform tools uses: cds-snc/terraform-tools-setup@v1 env: # In case you want to override default versions - CONFTEST_VERSION: 0.30.0 - TERRAFORM_VERSION: 1.6.2 - TERRAGRUNT_VERSION: 0.44.4 - TF_SUMMARIZE_VERSION: 0.2.3 + CONFTEST_VERSION: 0.30.0 + TERRAFORM_VERSION: 1.9.5 + TERRAGRUNT_VERSION: 0.66.9 + TF_SUMMARIZE_VERSION: 0.2.3 + + - name: Install 1Pass CLI + run: | + curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb + sudo dpkg -i 1pass.deb - name: Retrieve VPN Config run: | diff --git a/.github/workflows/helmfile_production_plan.yaml b/.github/workflows/helmfile_production_plan.yaml index 3c50b211b..44a681e86 100644 --- a/.github/workflows/helmfile_production_plan.yaml +++ b/.github/workflows/helmfile_production_plan.yaml @@ -44,6 +44,11 @@ jobs: install-helm: yes helmfile-version: "v0.151.0" + - name: Install 1Pass CLI + run: | + curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb + sudo dpkg -i 1pass.deb + - name: Install OpenVPN run: | sudo apt update @@ -52,10 +57,10 @@ jobs: - name: Setup Terraform tools uses: cds-snc/terraform-tools-setup@v1 env: # In case you want to override default versions - CONFTEST_VERSION: 0.30.0 - TERRAFORM_VERSION: 1.6.2 - TERRAGRUNT_VERSION: 0.44.4 - TF_SUMMARIZE_VERSION: 0.2.3 + CONFTEST_VERSION: 0.30.0 + TERRAFORM_VERSION: 1.9.5 + TERRAGRUNT_VERSION: 0.66.9 + TF_SUMMARIZE_VERSION: 0.2.3 - name: Retrieve VPN Config run: | diff --git a/.github/workflows/helmfile_staging_apply.yaml b/.github/workflows/helmfile_staging_apply.yaml index 3cc922e19..1b06222a1 100644 --- a/.github/workflows/helmfile_staging_apply.yaml +++ b/.github/workflows/helmfile_staging_apply.yaml 
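Review bot: The new `Install 1Pass CLI` step downloads a moving `...-latest.deb` and installs it as root with `sudo dpkg -i`, with no version pin and no checksum or signature check, in a job that holds the 1Password service-account token and deploys to production. Pin a specific release and verify it before installing, e.g. add `echo "<EXPECTED_SHA256>  1pass.deb" | sha256sum -c -` between the download and `dpkg -i`, or install from 1Password's signed apt repository instead. `curl` should also run with `-fsSL` so that an HTTP error or redirect fails the step instead of handing an error page to `dpkg`. The identical step is added in the other six workflow files in this patch, so the same change applies there. A shared composite action would keep the pin in one place.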
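Review bot: helmfile_production_plan.yaml gets the `Install 1Pass CLI` step, but no hunk in this file adds `OP_SERVICE_ACCOUNT_TOKEN`, and the diffstat (9 additions) accounts only for the install step and the version lines. Unless the token is already defined outside the visible hunks, `op read` in `scripts/createVPNConfig.sh` will run unauthenticated here. The callers visible in this patch invoke the script with `2> /dev/null`, so the failure would surface later as a confusing Terraform or VPN error. The same applies to merge_to_main_production.yaml and merge_to_main_staging.yaml. Add the token to the `Retrieve VPN Config` step's `env:` in each, e.g. `OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.PRODUCTION_OP_SERVICE_ACCOUNT_TOKEN }}` for the production workflows.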
@@ -10,6 +10,7 @@ env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} HELMFILE_FILE_PATH: ${{ github.workspace }}/helmfile STAGING_AWS_ACCOUNT: ${{ secrets.STAGING_AWS_ACCOUNT }} + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} jobs: helmfile-apply: @@ -46,13 +47,18 @@ jobs: sudo apt update sudo apt install -y openvpn openvpn-systemd-resolved + - name: Install 1Pass CLI + run: | + curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb + sudo dpkg -i 1pass.deb + - name: Setup Terraform tools uses: cds-snc/terraform-tools-setup@v1 env: # In case you want to override default versions - CONFTEST_VERSION: 0.30.0 - TERRAFORM_VERSION: 1.6.2 - TERRAGRUNT_VERSION: 0.44.4 - TF_SUMMARIZE_VERSION: 0.2.3 + CONFTEST_VERSION: 0.30.0 + TERRAFORM_VERSION: 1.9.5 + TERRAGRUNT_VERSION: 0.66.9 + TF_SUMMARIZE_VERSION: 0.2.3 - name: Retrieve VPN Config run: | diff --git a/.github/workflows/helmfile_staging_apply_specific_app.yaml b/.github/workflows/helmfile_staging_apply_specific_app.yaml index 1c46b6743..859719f16 100644 --- a/.github/workflows/helmfile_staging_apply_specific_app.yaml +++ b/.github/workflows/helmfile_staging_apply_specific_app.yaml @@ -32,6 +32,7 @@ env: HELMFILE_FILE_PATH: ${{ github.workspace }}/helmfile STAGING_AWS_ACCOUNT: ${{ secrets.STAGING_AWS_ACCOUNT }} DOCKER_TAG: ${{ github.event.inputs.tag }} + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} jobs: rollout: 
@@ -67,10 +68,15 @@ jobs: - name: Setup Terraform tools uses: cds-snc/terraform-tools-setup@v1 env: # In case you want to override default versions - CONFTEST_VERSION: 0.30.0 - TERRAFORM_VERSION: 1.6.2 - TERRAGRUNT_VERSION: 0.44.4 - TF_SUMMARIZE_VERSION: 0.2.3 + CONFTEST_VERSION: 0.30.0 + TERRAFORM_VERSION: 1.9.5 + TERRAGRUNT_VERSION: 0.66.9 + TF_SUMMARIZE_VERSION: 0.2.3 + + - name: Install 1Pass CLI + run: | + curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb + sudo dpkg -i 1pass.deb - name: Retrieve VPN Config run: | diff --git a/.github/workflows/helmfile_staging_plan.yaml b/.github/workflows/helmfile_staging_plan.yaml index d06e4e4d1..1e34087c5 100644 --- a/.github/workflows/helmfile_staging_plan.yaml +++ b/.github/workflows/helmfile_staging_plan.yaml @@ -8,7 +8,8 @@ env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} HELMFILE_FILE_PATH: ${{ github.workspace }}/helmfile STAGING_AWS_ACCOUNT: ${{ secrets.STAGING_AWS_ACCOUNT }} - + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + jobs: helmfile-diff: @@ -38,14 +39,19 @@ jobs: sudo apt update sudo apt install -y openvpn openvpn-systemd-resolved + - name: Install 1Pass CLI + run: | + curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb + sudo dpkg -i 1pass.deb + - name: Setup Terraform tools uses: cds-snc/terraform-tools-setup@v1 env: # In case you want to override default versions - CONFTEST_VERSION: 0.30.0 - TERRAFORM_VERSION: 1.6.2 - TERRAGRUNT_VERSION: 0.44.4 - TF_SUMMARIZE_VERSION: 0.2.3 - + CONFTEST_VERSION: 0.30.0 + TERRAFORM_VERSION: 1.9.5 + TERRAGRUNT_VERSION: 0.66.9 + TF_SUMMARIZE_VERSION: 0.2.3 + - name: Retrieve VPN Config run: | scripts/createVPNConfig.sh staging 2> /dev/null diff --git a/.github/workflows/merge_to_main_production.yaml b/.github/workflows/merge_to_main_production.yaml index 33f9d636d..0cf013655 100644 --- a/.github/workflows/merge_to_main_production.yaml 
+++ b/.github/workflows/merge_to_main_production.yaml @@ -56,10 +56,15 @@ jobs: - name: Setup Terraform tools uses: cds-snc/terraform-tools-setup@v1 env: # In case you want to override default versions - CONFTEST_VERSION: 0.30.0 - TERRAFORM_VERSION: 1.6.2 - TERRAGRUNT_VERSION: 0.44.4 - TF_SUMMARIZE_VERSION: 0.2.3 + CONFTEST_VERSION: 0.30.0 + TERRAFORM_VERSION: 1.9.5 + TERRAGRUNT_VERSION: 0.66.9 + TF_SUMMARIZE_VERSION: 0.2.3 + + - name: Install 1Pass CLI + run: | + curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb + sudo dpkg -i 1pass.deb - name: Retrieve VPN Config run: | diff --git a/.github/workflows/merge_to_main_staging.yaml b/.github/workflows/merge_to_main_staging.yaml index b8a0f26c8..0f85f4606 100644 --- a/.github/workflows/merge_to_main_staging.yaml +++ b/.github/workflows/merge_to_main_staging.yaml @@ -49,10 +49,15 @@ jobs: - name: Setup Terraform tools uses: cds-snc/terraform-tools-setup@v1 env: # In case you want to override default versions - CONFTEST_VERSION: 0.30.0 - TERRAFORM_VERSION: 1.6.2 - TERRAGRUNT_VERSION: 0.44.4 - TF_SUMMARIZE_VERSION: 0.2.3 + CONFTEST_VERSION: 0.30.0 + TERRAFORM_VERSION: 1.9.5 + TERRAGRUNT_VERSION: 0.66.9 + TF_SUMMARIZE_VERSION: 0.2.3 + + - name: Install 1Pass CLI + run: | + curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb + sudo dpkg -i 1pass.deb - name: Retrieve VPN Config run: | diff --git a/scripts/createVPNConfig.sh b/scripts/createVPNConfig.sh index a5c619c98..9e07b5356 100755 --- a/scripts/createVPNConfig.sh +++ b/scripts/createVPNConfig.sh 
@@ -2,8 +2,14 @@ # This script will create a VPN configuration file for the specified environment # Usage: ./createVPNConfig.sh # Example: ./createVPNConfig.sh staging -ENVIRONMENT=$1 +export ENVIRONMENT=$1 +if [ "$ENVIRONMENT" == "production" ]; then + VAULT=ppnxsriom3alsxj4ogikyjxlzi +else + VAULT=4eyyuwddp6w4vxlabrr2i2duxm +fi git clone https://github.com/cds-snc/notification-terraform.git /var/tmp/notification-terraform +op read op://$VAULT/"TFVars - $ENVIRONMENT"/notesPlain > /var/tmp/notification-terraform/aws/$ENVIRONMENT.tfvars cd /var/tmp/notification-terraform/env/$ENVIRONMENT/eks export INFRASTRUCTURE_VERSION=$(cat ../../../.github/workflows/infrastructure_version.txt) ENDPOINT_ID=$(terragrunt output --raw gha_vpn_id)
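Review bot: The added `op read ... > .../$ENVIRONMENT.tfvars` line has no failure check, so if `op` is missing or unauthenticated the redirect still creates an empty tfvars file and the script carries on to `terragrunt`. The workflows call the script with `2> /dev/null`, which hides the error message. `$ENVIRONMENT` comes straight from `$1`, is used unquoted in the secret reference and in two filesystem paths, and any value other than `production` silently selects the second vault. The tfvars file holds secrets but is written under `/var/tmp` with the default umask. The sketch below validates the argument, quotes the expansions, restricts the file mode and stops on an `op` failure. The script's shebang and its remaining lines are outside this hunk, so the `[ ... == ... ]` test is worth checking against the actual interpreter.

```shell
export ENVIRONMENT="${1:-}"
case "$ENVIRONMENT" in
  ''|*[!a-z0-9_-]*)
    echo "Usage: $0 <environment>" >&2
    exit 1
    ;;
esac
# … unchanged: VAULT selection, git clone of notification-terraform …
TFVARS="/var/tmp/notification-terraform/aws/$ENVIRONMENT.tfvars"
# Subshell keeps the tighter umask local to the secret file.
( umask 077; op read "op://$VAULT/TFVars - $ENVIRONMENT/notesPlain" > "$TFVARS" ) || {
  echo "op read failed for environment '$ENVIRONMENT'" >&2
  exit 1
}
# … unchanged: cd into env/$ENVIRONMENT/eks, terragrunt output …
```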