SECVULN-22299: Transition AWS Auth to use the Doormat GitHub Action (#9768) (#9877)

* SECVULN-22299: Use Doormat GitHub Action in CI

* remove step id

* remove step id

* grab aws account id in separate step

* add oidc perms

* add perms for other workflows

* remove usages of aws login creds

* add conditions for CE vs ent

* fix lint

* test perms

* add perms

* fix metadata

* update role arn

* use ci role arn

* print secret

* try again

* try workaround

* update all arns

* remove echo step

* cleanup

* cleanup

* address feedback

* re-add perms

* use service account

* fix conflict

* address feedback

* add read permission

* use write-all

* expose role arn

Co-authored-by: Charles Nwokotubo <charles.nwokotubo@hashicorp.com>
Vault Automation 2025-10-06 12:06:44 -04:00 committed by GitHub
parent 3f43f96c04
commit 650efb32f6
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 73 additions and 3 deletions


@ -23,6 +23,7 @@ on:
jobs:
bootstrap-ci:
runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
permissions: write-all
env:
TF_WORKSPACE: "${{ github.event.repository.name }}-ci-enos-bootstrap"
TF_VAR_repository: ${{ github.event.repository.name }}
@ -30,11 +31,14 @@ jobs:
TF_TOKEN_app_terraform_io: ${{ secrets.TF_API_TOKEN }}
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- uses: ./.github/actions/metadata
id: metadata
- name: Set up Terraform
uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
with:
terraform_wrapper: false
- name: Configure AWS credentials
if: steps.metadata.outputs.is-ent-repo == 'false'
uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI_09042025 }}
@ -43,6 +47,12 @@ jobs:
role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
role-skip-session-tagging: true
role-duration-seconds: 3600
- name: Doormat AWS Auth
if: steps.metadata.outputs.is-ent-repo == 'true'
uses: hashicorp/doormat-action@v1
with:
aws-role-arn: arn:aws:iam::505811019928:role/github_actions-vault_enterprise_ci
service-account: github-actions-vault-enterprise-ci@hashicorp.com
- name: Init Terraform
id: tf_init
run: |
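Review bot: `permissions: write-all` on the bootstrap-ci job (L76) grants the job token every scope, while the OIDC exchange the commit message refers to ("add oidc perms") needs only `id-token: write`, plus `contents: read` for the checkout at L83. I'd replace it with the block `permissions:` / `  id-token: write` / `  contents: read` here and at L120, L207 and L266, and widen only if a later step demonstrably needs more. Separately, `uses: hashicorp/doormat-action@v1` (L101) is the only action in these files on a floating tag; every other action is pinned to a full commit SHA with a version comment (L83, L87, L92). Since this is the step that obtains the AWS credentials, pin it the same way, `uses: hashicorp/doormat-action@<commit-sha> # vX.Y.Z`, here and at L139, L160, L193, L225, L252 and L289.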


@ -1,4 +1,5 @@
name: test-ci-cleanup
on:
schedule:
# * is a special character in YAML so you have to quote this string
@ -7,10 +8,16 @@ on:
jobs:
setup:
runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
permissions: write-all
outputs:
regions: ${{steps.setup.outputs.regions}}
is-ent-repo: ${{ steps.metadata.outputs.is-ent-repo }}
steps:
- uses: ./.github/actions/metadata
id: metadata
- name: Configure AWS credentials
if: steps.metadata.outputs.is-ent-repo == 'false'
id: aws-configure
uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI_09042025 }}
@ -19,6 +26,12 @@ jobs:
role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
role-skip-session-tagging: true
role-duration-seconds: 3600
- name: Doormat AWS Auth
if: steps.metadata.outputs.is-ent-repo == 'true'
uses: hashicorp/doormat-action@v1
with:
aws-role-arn: arn:aws:iam::505811019928:role/github_actions-vault_enterprise_ci
service-account: github-actions-vault-enterprise-ci@hashicorp.com
- name: Get all regions
id: setup
run: |
@ -39,6 +52,7 @@ jobs:
timeout-minutes: 120
steps:
- name: Configure AWS credentials
if: needs.setup.outputs.is-ent-repo == 'false'
id: aws-configure
uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
with:
@ -49,11 +63,22 @@ jobs:
role-skip-session-tagging: true
role-duration-seconds: 3600
mask-aws-account-id: false
- name: Doormat AWS Auth
if: needs.setup.outputs.is-ent-repo == 'true'
uses: hashicorp/doormat-action@v1
with:
aws-role-arn: arn:aws:iam::505811019928:role/github_actions-vault_enterprise_ci
service-account: github-actions-vault-enterprise-ci@hashicorp.com
- name: Get AWS Account ID
id: aws-info
run: |
AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
echo "aws-account-id=$AWS_ACCOUNT_ID" | tee -a "$GITHUB_OUTPUT"
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Configure
run: |
cp enos/ci/aws-nuke.yml .
sed -i "s/ACCOUNT_NUM/${{ steps.aws-configure.outputs.aws-account-id }}/g" aws-nuke.yml
sed -i "s/ACCOUNT_NUM/${{ steps.aws-info.outputs.aws-account-id }}/g" aws-nuke.yml
sed -i "s/TIME_LIMIT/${TIME_LIMIT}/g" aws-nuke.yml
# We don't care if cleanup succeeds or fails, because dependencies be dependenceies,
# we'll fail on actually actionable things in the quota steep afterwards.
@ -76,6 +101,8 @@ jobs:
region: ${{ fromJSON(needs.setup.outputs.regions) }}
steps:
- name: Configure AWS credentials
if: needs.setup.outputs.is-ent-repo == 'false'
id: aws-configure
uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI_09042025 }}
@ -84,6 +111,12 @@ jobs:
role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
role-skip-session-tagging: true
role-duration-seconds: 3600
- name: Doormat AWS Auth
if: needs.setup.outputs.is-ent-repo == 'true'
uses: hashicorp/doormat-action@v1
with:
aws-role-arn: arn:aws:iam::505811019928:role/github_actions-vault_enterprise_ci
service-account: github-actions-vault-enterprise-ci@hashicorp.com
# Currently just checking VPC limits across all region, can add more checks here in future
- name: Check AWS Quotas
run: awslimitchecker -S "VPC" -r ${{matrix.region}}
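Review bot: The `setup` job's first step is the repository-local action `./.github/actions/metadata` (L125) with nothing before it (`steps:` is at L124), and a `uses: ./…` reference can only be resolved once the repository is on the runner, so I'd expect this job to fail at step resolution rather than produce `is-ent-repo`. The other job that uses this action checks out first (L83–L84 in the bootstrap workflow). Add `- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0` ahead of L125, matching the pin already used at L169 in this file. Since this workflow runs on a schedule (L114), the PR checks may not have exercised the job.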


@ -65,6 +65,7 @@ jobs:
name: Run UI Tests
needs: get-metadata
runs-on: ${{ fromJSON(needs.get-metadata.outputs.runs-on) }}
permissions: write-all
timeout-minutes: 90
env:
GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
@ -118,6 +119,7 @@ jobs:
run: |
echo "Installed Chrome Version = [$(chrome --version 2> /dev/null || google-chrome --version 2> /dev/null || google-chrome-stable --version 2> /dev/null)]"
- name: Configure AWS credentials from Test account
if: needs.get-metadata.outputs.is-ent-repo == 'false'
uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI_09042025 }}
@ -126,6 +128,12 @@ jobs:
role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
role-skip-session-tagging: true
role-duration-seconds: 3600
- name: Doormat AWS Auth
if: needs.get-metadata.outputs.is-ent-repo == 'true'
uses: hashicorp/doormat-action@v1
with:
aws-role-arn: arn:aws:iam::505811019928:role/github_actions-vault_enterprise_ci
service-account: github-actions-vault-enterprise-ci@hashicorp.com
- name: Set Up Cluster
id: setup_cluster
env:
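Review bot: The two credential steps at L214–L215 and L223–L224 are gated on `is-ent-repo == 'false'` and `== 'true'` respectively, so any other value of the output (empty because the metadata job failed or was skipped, or a renamed value) silently skips both, and the failure would presumably surface later in `Set Up Cluster` as a credentials error rather than at the auth step. Making the CE step the default branch closes the gap: `if: needs.get-metadata.outputs.is-ent-repo != 'true'`. The same pair of conditions appears at L91/L100, L128/L138, L150/L159, L182/L192, L241/L251 and L278/L288.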


@ -206,7 +206,9 @@ jobs:
# the Terraform wrapper will break Terraform execution in Enos because
# it changes the output to text when we expect it to be JSON.
terraform_wrapper: false
- uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
- name: Configure AWS credentials
if: needs.metadata.outputs.is-ent-repo == 'false'
uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
with:
aws-access-key-id: ${{ steps.secrets.outputs.aws-access-key-id }}
aws-secret-access-key: ${{ steps.secrets.outputs.aws-secret-access-key }}
@ -214,6 +216,12 @@ jobs:
role-to-assume: ${{ steps.secrets.outputs.aws-role-arn }}
role-skip-session-tagging: true
role-duration-seconds: 3600
- name: Doormat AWS Auth
if: needs.metadata.outputs.is-ent-repo == 'true'
uses: hashicorp/doormat-action@v1
with:
aws-role-arn: arn:aws:iam::505811019928:role/github_actions-vault_enterprise_ci
service-account: github-actions-vault-enterprise-ci@hashicorp.com
- uses: hashicorp/action-setup-enos@39a8f388434bea5eeba6649b99aa9949a55a1150 # v1.38
with:
github-token: ${{ steps.secrets.outputs.github-token }}
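Review bot: No `permissions:` change appears in this file section, while the other four files add one next to the Doormat step; the job header is outside the hunk, so it may already grant `id-token: write`, but if it does not, the `Doormat AWS Auth` step at L250 has no OIDC token to exchange on the enterprise path. Likewise `needs.metadata.outputs.is-ent-repo` at L241 and L251 requires `metadata` to be listed in this job's `needs:` (also outside the hunk); otherwise the expression resolves empty and neither credential step runs. Both are worth confirming against the full workflow.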


@ -36,6 +36,7 @@ jobs:
enos-run-vault-interactive-test:
name: Enos run Vault interactive test
runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
permissions: write-all
timeout-minutes: 120
env:
GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
@ -75,7 +76,11 @@ jobs:
# the Terraform wrapper will break Terraform execution in Enos because
# it changes the output to text when we expect it to be JSON.
terraform_wrapper: false
- uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
- uses: ./.github/actions/metadata
id: metadata
- name: Configure AWS credentials
if: steps.metadata.outputs.is-ent-repo == 'false'
uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI_09042025 }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI_09042025 }}
@ -83,6 +88,12 @@ jobs:
role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
role-skip-session-tagging: true
role-duration-seconds: 3600
- name: Doormat AWS Auth
if: steps.metadata.outputs.is-ent-repo == 'true'
uses: hashicorp/doormat-action@v1
with:
aws-role-arn: arn:aws:iam::505811019928:role/github_actions-vault_enterprise_ci
service-account: github-actions-vault-enterprise-ci@hashicorp.com
- uses: hashicorp/action-setup-enos@39a8f388434bea5eeba6649b99aa9949a55a1150 # v1.38
with:
github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
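Review bot: The CE/enterprise split at L277–L292 has no comment explaining why two mutually exclusive credential steps exist, and a reader of this job alone cannot tell that exactly one of them is expected to run. I'd add above L277: `# Exactly one of the next two steps runs: the CE repo assumes the CI role with the stored access keys, the enterprise repo authenticates through Doormat (is-ent-repo comes from ./.github/actions/metadata).`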