From d8affe4ff403d413a1e61033e794f72b6fd3e035 Mon Sep 17 00:00:00 2001
From: sophia
Date: Fri, 19 Feb 2021 12:31:35 -0600
Subject: [PATCH] Update ci scripts for assume role setup
---
 .ci/load-ci.sh | 30 ++++++++++++++++++++++++++++++
 .github/workflows/build.yml | 1 +
 .github/workflows/code.yml | 1 +
 .github/workflows/release.yml | 1 +
 .github/workflows/spectesting.yml | 1 -
 5 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/.ci/load-ci.sh b/.ci/load-ci.sh
index 56d433320..2b77d344a 100644
--- a/.ci/load-ci.sh
+++ b/.ci/load-ci.sh
@@ -13,6 +13,36 @@ if [ ! -e "${ldir}/.complete" ]; then
 exit 1
 fi
+ # Validate that we have the jq tool available
+ if ! command -v jq > /dev/null 2>&1; then
+ echo "⚠ ERROR: Missing required jq executable ⚠"
+ exit 1
+ fi
+
+ # If we have a role defined, assume it so we can get access to files
+ if [ "${AWS_ASSUME_ROLE_ARN}" != "" ] && [ "${AWS_SESSION_TOKEN}" = "" ]; then
+ if output="$(aws sts assume-role --role-arn "${AWS_ASSUME_ROLE_ARN}" --role-session-name "CI-initializer")"; then
+ export CORE_AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}"
+ export CORE_AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}"
+ id="$(printf '%s' "${output}" | jq -r .Credentials.AccessKeyId)" || failed=1
+ key="$(printf '%s' "${output}" | jq -r .Credentials.SecretAccessKey)" || failed=1
+ token="$(printf '%s' "${output}" | jq -r .Credentials.SessionToken)" || failed=1
+ expire="$(printf '%s' "${output}" | jq -r .Credentials.Expiration)" || failed=1
+ if [ "${failed}" = "1" ]; then
+ echo "🛑 ERROR: Failed to extract role credentials 🛑"
+ exit 1
+ fi
+ export AWS_ACCESS_KEY_ID="${id}"
+ export AWS_SECRET_ACCESS_KEY="${key}"
+ export AWS_SESSION_TOKEN="${token}"
+ export AWS_SESSION_EXPIRATION="${expire}"
+ else
+ echo "⛔ ERROR: Failed to assume configured AWS role ⛔"
+ exit 1
+ fi
+ fi
+ + # Create a local directory to stash our stuff in
 if ! mkdir -p "${ldir}"; then
 echo "⛔ ERROR: Failed to create utility file directory ⛔"
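Review bot: The four `jq -r` extractions do not trip the `failed` guard when the STS response is valid JSON but lacks `.Credentials` (jq prints `null` and exits 0), and `failed` is never initialised, so a `failed=1` inherited from the environment aborts a good run while a missing field silently exports the literal string `null` as the access key; set `failed=0` before the extractions and use `jq -er .Credentials.AccessKeyId` (and likewise for the other three) so a null result becomes a non-zero exit. Each `printf '%s' "${output}" | jq` line also expands the full credential JSON (secret key and session token) as a printf argument, which xtrace would echo verbatim into the job log if `set -x` is ever enabled around this block; a single jq call emitting all four fields would reduce both that exposure and the number of forks. The fixed `--role-session-name "CI-initializer"` makes every run's STS session indistinguishable in CloudTrail, whereas `--role-session-name "CI-initializer-${GITHUB_RUN_ID:-local}"` gives per-run attribution. Whether `set -e`/`set -u` is active, which changes how the unset-`AWS_SESSION_TOKEN` test and the `|| failed=1` chains behave, is decided by the script header, which lies outside the hunk.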
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 408e1383b..47bb49142 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -32,6 +32,7 @@ jobs:
 ASSETS_SHORTTERM_PREFIX: est
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ AWS_ASSUME_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
 HASHIBOT_EMAIL: ${{ secrets.HASHIBOT_EMAIL }}
 HASHIBOT_TOKEN: ${{ secrets.HASHIBOT_TOKEN }}
 HASHIBOT_USERNAME: ${{ secrets.HASHIBOT_USERNAME }}
diff --git a/.github/workflows/code.yml b/.github/workflows/code.yml
index 226c760ee..d63f7986f 100644
--- a/.github/workflows/code.yml
+++ b/.github/workflows/code.yml
@@ -24,6 +24,7 @@ jobs:
 env:
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ AWS_ASSUME_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
 HASHIBOT_TOKEN: ${{ secrets.HASHIBOT_TOKEN }}
 HASHIBOT_USERNAME: ${{ secrets.HASHIBOT_USERNAME }}
 SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fab1f83e1..6ee9f253a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -32,6 +32,7 @@ jobs:
 ASSETS_SHORTTERM_PREFIX: ${{ secrets.ASSETS_SHORTTERM_PREFIX }}
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ AWS_ASSUME_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
 HASHIBOT_EMAIL: ${{ secrets.HASHIBOT_EMAIL }}
 HASHIBOT_TOKEN: ${{ secrets.HASHIBOT_TOKEN }}
 HASHIBOT_USERNAME: ${{ secrets.HASHIBOT_USERNAME }}
diff --git a/.github/workflows/spectesting.yml b/.github/workflows/spectesting.yml
index 89f6bd164..e0669f4b1 100644
--- a/.github/workflows/spectesting.yml
+++ b/.github/workflows/spectesting.yml
@@ -19,7 +19,6 @@ jobs:
 env:
 VAGRANT_CI_LOADER_BUCKET: ${{ secrets.VAGRANT_CI_LOADER_BUCKET }}
- setup-hosts:
 if: github.repository == 'hashicorp/vagrant-acceptance'
 runs-on: self-hosted
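Review bot: The added variable is named `AWS_ASSUME_ROLE_ARN` while the secret it reads is `AWS_ROLE_ARN`, here and in the identical additions to code.yml and release.yml, and nothing on the line says who consumes it; aligning the two names or adding `# read by .ci/load-ci.sh, which assumes this role when it is non-empty` would save the next reader a search. Because load-ci.sh only assumes the role when the variable is non-empty, a repository where the secret is unset or misspelled does not fail but runs the job on the long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` pair, so that fallback is worth stating in the same comment so it is recognised as intentional rather than as a missing check.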