feat: add Google OAuth pickle string (#327)

Update the ECS task to retrieve the Google OAuth pickle string from SSM ParameterStore.
cds-snc · Dec 6, 2023 · 5a24f86 · 5a24f86
1 parent ca654bb
commit 5a24f86
Show file tree

Hide file tree

Showing 7 changed files with 89 additions and 13 deletions.
diff --git a/.github/workflows/tf_apply.yml b/.github/workflows/tf_apply.yml
@@ -5,6 +5,16 @@ on:
     branches:
       - main
 
+env:
+  AWS_REGION: ca-central-1
+  TERRAFORM_VERSION: 1.3.3
+  TERRAGRUNT_VERSION: 0.31.1
+  TF_VAR_google_oauth_pickle_string: "${{ secrets.GOOGLE_PICKLE_STRING }}"
+
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   terragrunt-apply:
     if: github.ref == 'refs/heads/main' && github.event_name == 'push'
@@ -13,9 +23,22 @@ jobs:
       matrix:
         include:
           - module: terraform
-    uses: cds-snc/workflows/.github/workflows/terragrunt-apply.yml@main
-    with:
-      module: ${{ matrix.module }}
-      role_arn: arn:aws:iam::283582579564:role/sre-bot-apply
-      terraform_version: 1.3.3
-      terragrunt_version: 0.31.1
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+      - name: setup terraform tools
+        uses: cds-snc/terraform-tools-setup@v1
+
+      - name: configure aws credentials using OIDC
+        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+        with:
+          role-to-assume: arn:aws:iam::283582579564:role/sre-bot-apply
+          role-session-name: TFApply
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Apply Terraform
+        working-directory: terraform
+        run: terragrunt apply --terragrunt-non-interactive -auto-approve
diff --git a/.github/workflows/tf_plan.yml b/.github/workflows/tf_plan.yml
@@ -6,16 +6,45 @@ on:
       - "terraform/**"
       - ".github/workflows/**"
 
+env:
+  AWS_REGION: ca-central-1
+  TERRAFORM_VERSION: 1.3.3
+  TERRAGRUNT_VERSION: 0.31.1
+  TF_VAR_google_oauth_pickle_string: "${{ secrets.GOOGLE_PICKLE_STRING }}"
+
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write
+
 jobs:
   terraform-plan:
     strategy:
       fail-fast: false
       matrix:
         include:
           - module: terraform
-    uses: cds-snc/workflows/.github/workflows/terragrunt-plan.yml@main
-    with:
-      module: ${{ matrix.module }}
-      role_arn: arn:aws:iam::283582579564:role/sre-bot-plan
-      terraform_version: 1.3.3
-      terragrunt_version: 0.31.1
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+      - name: setup terraform tools
+        uses: cds-snc/terraform-tools-setup@v1
+
+      - name: configure aws credentials using OIDC
+        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+        with:
+          role-to-assume: arn:aws:iam::283582579564:role/sre-bot-plan
+          role-session-name: TFPlan
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Terraform plan
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
+        with:
+          comment-delete: true
+          comment-title: "Production: ${{ matrix.module }}"
+          directory: ${{ matrix.module }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          terragrunt: true
diff --git a/terraform/ecs.tf b/terraform/ecs.tf
@@ -18,6 +18,7 @@ data "template_file" "sre-bot" {
     fargate_cpu           = var.fargate_cpu
     fargate_memory        = var.fargate_memory
     aws_region            = "ca-central-1"
+    PICKLE_STRING         = aws_ssm_parameter.google_oauth_pickle_string.arn
   }
 }
 

diff --git a/terraform/iam.tf b/terraform/iam.tf
@@ -28,7 +28,8 @@ data "aws_iam_policy_document" "sre-bot_secrets_manager" {
       "ssm:GetParameters",
     ]
     resources = [
-      "arn:aws:ssm:ca-central-1:${data.aws_caller_identity.current.account_id}:parameter/sre-bot-config"
+      "arn:aws:ssm:ca-central-1:${data.aws_caller_identity.current.account_id}:parameter/sre-bot-config",
+      aws_ssm_parameter.google_oauth_pickle_string.arn
     ]
   }
 

diff --git a/terraform/ssm.tf b/terraform/ssm.tf
@@ -0,0 +1,10 @@
+resource "aws_ssm_parameter" "google_oauth_pickle_string" {
+  name  = "google_oauth_pickle_string"
+  type  = "SecureString"
+  value = var.google_oauth_pickle_string
+
+  tags = {
+    CostCentre = var.billing_code
+    Terraform  = true
+  }
+}
diff --git a/terraform/templates/sre-bot.json.tpl b/terraform/templates/sre-bot.json.tpl
@@ -22,6 +22,12 @@
         "containerPort": 8000
       }
     ],
+    "secrets": [
+      {
+        "name": "PICKLE_STRING",
+        "valueFrom": "${PICKLE_STRING}"
+      }
+    ],
     "ulimits": [
       {
         "hardLimit": 1000000,

diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -11,4 +11,10 @@ variable "fargate_cpu" {
 variable "fargate_memory" {
   type    = number
   default = 512
+}
+
+variable "google_oauth_pickle_string" {
+  description = "(Required) The Google OAuth pickle string"
+  type        = string
+  sensitive   = true
 }