From 650efb32f69e04449fb455fe1c746531daccfbe1 Mon Sep 17 00:00:00 2001
From: Vault Automation
Date: Mon, 6 Oct 2025 12:06:44 -0400
Subject: [PATCH] SECVULN-22299: Transition AWS Auth to use the Doormat GitHub Action (#9768) (#9877)

* SECVULN-22299: Use Doormat GitHub Action in CI
* remove step id
* remove step id
* grab aws account id in separate step
* add oidc perms
* add perms for other workflows
* remove usages of aws login creds
* add conditions for CE vs ent
* fix lint
* test perms
* add perms
* fix metadata
* update role arn
* use ci role arn
* print secret
* try again
* try workaround
* update all arns
* remove echo step
* cleanup
* cleanup
* address feedback
* re-add perms
* use service account
* fix conflict
* address feedback
* add read permission
* use write-all
* expose role arn

Co-authored-by: Charles Nwokotubo
---
 .github/workflows/test-ci-bootstrap.yml | 10 ++++++
 .github/workflows/test-ci-cleanup.yml | 35 ++++++++++++++++++-
 .github/workflows/test-enos-scenario-ui.yml | 8 +++++
 .../test-run-enos-scenario-matrix.yml | 10 +++++-
 .github/workflows/test-run-enos-scenario.yml | 13 ++++++-
 5 files changed, 73 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/test-ci-bootstrap.yml b/.github/workflows/test-ci-bootstrap.yml
index 36b969d117..48ada2d7fc 100644
--- a/.github/workflows/test-ci-bootstrap.yml
+++ b/.github/workflows/test-ci-bootstrap.yml
@@ -23,6 +23,7 @@ on:
 jobs:
 bootstrap-ci:
 runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+ permissions: write-all
 env:
 TF_WORKSPACE: "${{ github.event.repository.name }}-ci-enos-bootstrap"
 TF_VAR_repository: ${{ github.event.repository.name }}
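Review bot: `permissions: write-all` on the `bootstrap-ci` job grants the workflow's GITHUB_TOKEN write access to every scope, while the only new requirement visible in this commit is the OIDC token the Doormat step in the next hunk exchanges for AWS credentials; the same `write-all` line is added in test-ci-cleanup `@@ -7,10 +8,16`, test-enos-scenario-ui `@@ -65,6 +65,7` and test-run-enos-scenario `@@ -36,6 +36,7`. A job-level block of `permissions:` / `  id-token: write` / `  contents: read` covers the OIDC exchange and the checkout; if the local metadata action or a later step outside this hunk needs a further scope, that scope can be named explicitly instead of granting all of them. The commit log's "add read permission" followed by "use write-all" suggests a narrower set was tried and something failed, so identifying the missing scope is worth doing before this lands.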
@@ -30,11 +31,14 @@ jobs:
 TF_TOKEN_app_terraform_io: ${{ secrets.TF_API_TOKEN }}
 steps:
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ - uses: ./.github/actions/metadata
+ id: metadata
 - name: Set up Terraform
 uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
 with:
 terraform_wrapper: false
 - name: Configure AWS credentials
+ if: steps.metadata.outputs.is-ent-repo == 'false'
 uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
 with:
 aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI_09042025 }}
@@ -43,6 +47,12 @@ jobs:
 role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
 role-skip-session-tagging: true
 role-duration-seconds: 3600
+ - name: Doormat AWS Auth
+ if: steps.metadata.outputs.is-ent-repo == 'true'
+ uses: hashicorp/doormat-action@v1
+ with:
+ aws-role-arn: arn:aws:iam::505811019928:role/github_actions-vault_enterprise_ci
+ service-account: github-actions-vault-enterprise-ci@hashicorp.com
 - name: Init Terraform
 id: tf_init
 run: |
diff --git a/.github/workflows/test-ci-cleanup.yml b/.github/workflows/test-ci-cleanup.yml
index 7fe95c7ef2..41106784e6 100644
--- a/.github/workflows/test-ci-cleanup.yml
+++ b/.github/workflows/test-ci-cleanup.yml
@@ -1,4 +1,5 @@
 name: test-ci-cleanup
+
 on:
 schedule:
 # * is a special character in YAML so you have to quote this string
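Review bot: With `if: steps.metadata.outputs.is-ent-repo == 'false'` on the legacy credentials step and `== 'true'` on the Doormat step in the next hunk, an empty or differently spelled value of that output skips both steps and the job carries on with no AWS credentials until a later Terraform step fails, outside this hunk. Keeping the previous behaviour as the default with `if: steps.metadata.outputs.is-ent-repo != 'true'` on the legacy step, or adding a small step that fails when the output is neither literal, turns that misconfiguration into a fast, explicit failure. The same pair of conditions is introduced in test-ci-cleanup, test-enos-scenario-ui, test-run-enos-scenario-matrix and test-run-enos-scenario. What the local metadata action actually emits is not visible here, so this guards an inferred edge case rather than an observed one.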
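Review bot: `uses: hashicorp/doormat-action@v1` is a floating major tag, whereas every other action in these workflows is pinned to a full commit SHA with a version comment (`actions/checkout@08c6903c… # v5.0.0`, `aws-actions/configure-aws-credentials@a03048d8… # v5.0.0`), and this is the step that turns the job's OIDC token into AWS credentials, so a moved tag is exactly where a compromised upstream release would obtain them. Pin it the same way, `uses: hashicorp/doormat-action@<full-commit-sha> # v1`, with the SHA taken from the release being adopted. The identical six-line block recurs in test-ci-cleanup (three hunks), test-enos-scenario-ui, test-run-enos-scenario-matrix and test-run-enos-scenario, and the role ARN and service account are repeated verbatim in each, so a repository variable or an output of the metadata action would leave a single place to change them when the role is rotated.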
@@ -7,10 +8,16 @@ on:
 jobs:
 setup:
 runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+ permissions: write-all
 outputs:
 regions: ${{steps.setup.outputs.regions}}
+ is-ent-repo: ${{ steps.metadata.outputs.is-ent-repo }}
 steps:
+ - uses: ./.github/actions/metadata
+ id: metadata
 - name: Configure AWS credentials
+ if: steps.metadata.outputs.is-ent-repo == 'false'
+ id: aws-configure
 uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
 with:
 aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI_09042025 }}
@@ -19,6 +26,12 @@ jobs:
 role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
 role-skip-session-tagging: true
 role-duration-seconds: 3600
+ - name: Doormat AWS Auth
+ if: steps.metadata.outputs.is-ent-repo == 'true'
+ uses: hashicorp/doormat-action@v1
+ with:
+ aws-role-arn: arn:aws:iam::505811019928:role/github_actions-vault_enterprise_ci
+ service-account: github-actions-vault-enterprise-ci@hashicorp.com
 - name: Get all regions
 id: setup
 run: |
@@ -39,6 +52,7 @@ jobs:
 timeout-minutes: 120
 steps:
 - name: Configure AWS credentials
+ if: needs.setup.outputs.is-ent-repo == 'false'
 id: aws-configure
 uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
 with:
@@ -49,11 +63,22 @@ jobs:
 role-skip-session-tagging: true
 role-duration-seconds: 3600
 mask-aws-account-id: false
+ - name: Doormat AWS Auth
+ if: needs.setup.outputs.is-ent-repo == 'true'
+ uses: hashicorp/doormat-action@v1
+ with:
+ aws-role-arn: arn:aws:iam::505811019928:role/github_actions-vault_enterprise_ci
+ service-account: github-actions-vault-enterprise-ci@hashicorp.com
+ - name: Get AWS Account ID
+ id: aws-info
+ run: |
+ AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+ echo "aws-account-id=$AWS_ACCOUNT_ID" | tee -a "$GITHUB_OUTPUT"
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 - name: Configure
 run: |
 cp enos/ci/aws-nuke.yml .
- sed -i "s/ACCOUNT_NUM/${{ steps.aws-configure.outputs.aws-account-id }}/g" aws-nuke.yml
+ sed -i "s/ACCOUNT_NUM/${{ steps.aws-info.outputs.aws-account-id }}/g" aws-nuke.yml
 sed -i "s/TIME_LIMIT/${TIME_LIMIT}/g" aws-nuke.yml
 # We don't care if cleanup succeeds or fails, because dependencies be dependenceies,
 # we'll fail on actually actionable things in the quota steep afterwards.
@@ -76,6 +101,8 @@ jobs:
 region: ${{ fromJSON(needs.setup.outputs.regions) }}
 steps:
 - name: Configure AWS credentials
+ if: needs.setup.outputs.is-ent-repo == 'false'
+ id: aws-configure
 uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
 with:
 aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI_09042025 }}
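Review bot: The rewritten `sed` line interpolates `${{ steps.aws-info.outputs.aws-account-id }}` straight into the shell script under `run:`, while the `${TIME_LIMIT}` substitution on the next line reads from the environment; the value comes from `aws sts get-caller-identity` and is trusted, but passing it the same way keeps expressions out of the script: add `env:` / `  ACCOUNT_ID: ${{ steps.aws-info.outputs.aws-account-id }}` to the Configure step and use `sed -i "s/ACCOUNT_NUM/${ACCOUNT_ID}/g" aws-nuke.yml`. The `tee -a` in the new `Get AWS Account ID` step also writes the account ID to the job log, which matches the `mask-aws-account-id: false` kept on the legacy step but has no equivalent opt-in on the Doormat path, so it is worth confirming that is intended. This job runs aws-nuke under the same `github_actions-vault_enterprise_ci` role the scenario workflows assume for test runs; the role policy is not visible here, but if it is broader than cleanup needs, a dedicated cleanup role would bound what a destructive tool can reach.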
@@ -84,6 +111,12 @@ jobs:
 role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
 role-skip-session-tagging: true
 role-duration-seconds: 3600
+ - name: Doormat AWS Auth
+ if: needs.setup.outputs.is-ent-repo == 'true'
+ uses: hashicorp/doormat-action@v1
+ with:
+ aws-role-arn: arn:aws:iam::505811019928:role/github_actions-vault_enterprise_ci
+ service-account: github-actions-vault-enterprise-ci@hashicorp.com
 # Currently just checking VPC limits across all region, can add more checks here in future
 - name: Check AWS Quotas
 run: awslimitchecker -S "VPC" -r ${{matrix.region}}
diff --git a/.github/workflows/test-enos-scenario-ui.yml b/.github/workflows/test-enos-scenario-ui.yml
index b62782f47d..3c12a0c50a 100644
--- a/.github/workflows/test-enos-scenario-ui.yml
+++ b/.github/workflows/test-enos-scenario-ui.yml
@@ -65,6 +65,7 @@ jobs:
 name: Run UI Tests
 needs: get-metadata
 runs-on: ${{ fromJSON(needs.get-metadata.outputs.runs-on) }}
+ permissions: write-all
 timeout-minutes: 90
 env:
 GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
@@ -118,6 +119,7 @@ jobs:
 run: |
 echo "Installed Chrome Version = [$(chrome --version 2> /dev/null || google-chrome --version 2> /dev/null || google-chrome-stable --version 2> /dev/null)]"
 - name: Configure AWS credentials from Test account
+ if: needs.get-metadata.outputs.is-ent-repo == 'false'
 uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
 with:
 aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI_09042025 }}
@@ -126,6 +128,12 @@ jobs:
 role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
 role-skip-session-tagging: true
 role-duration-seconds: 3600
+ - name: Doormat AWS Auth
+ if: needs.get-metadata.outputs.is-ent-repo == 'true'
+ uses: hashicorp/doormat-action@v1
+ with:
+ aws-role-arn: arn:aws:iam::505811019928:role/github_actions-vault_enterprise_ci
+ service-account: github-actions-vault-enterprise-ci@hashicorp.com
 - name: Set Up Cluster
 id: setup_cluster
 env:
diff --git a/.github/workflows/test-run-enos-scenario-matrix.yml b/.github/workflows/test-run-enos-scenario-matrix.yml
index 28641a5b21..6bdca8ea83 100644
--- a/.github/workflows/test-run-enos-scenario-matrix.yml
+++ b/.github/workflows/test-run-enos-scenario-matrix.yml
@@ -206,7 +206,9 @@ jobs:
 # the Terraform wrapper will break Terraform execution in Enos because
 # it changes the output to text when we expect it to be JSON.
 terraform_wrapper: false
- - uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+ - name: Configure AWS credentials
+ if: needs.metadata.outputs.is-ent-repo == 'false'
+ uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
 with:
 aws-access-key-id: ${{ steps.secrets.outputs.aws-access-key-id }}
 aws-secret-access-key: ${{ steps.secrets.outputs.aws-secret-access-key }}
@@ -214,6 +216,12 @@ jobs:
 role-to-assume: ${{ steps.secrets.outputs.aws-role-arn }}
 role-skip-session-tagging: true
 role-duration-seconds: 3600
+ - name: Doormat AWS Auth
+ if: needs.metadata.outputs.is-ent-repo == 'true'
+ uses: hashicorp/doormat-action@v1
+ with:
+ aws-role-arn: arn:aws:iam::505811019928:role/github_actions-vault_enterprise_ci
+ service-account: github-actions-vault-enterprise-ci@hashicorp.com
 - uses: hashicorp/action-setup-enos@39a8f388434bea5eeba6649b99aa9949a55a1150 # v1.38
 with:
 github-token: ${{ steps.secrets.outputs.github-token }}
diff --git a/.github/workflows/test-run-enos-scenario.yml b/.github/workflows/test-run-enos-scenario.yml
index f0d3672944..9a7073ea90 100644
--- a/.github/workflows/test-run-enos-scenario.yml
+++ b/.github/workflows/test-run-enos-scenario.yml
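Review bot: The legacy step is now gated on `needs.metadata.outputs.is-ent-repo == 'false'`, but its inputs still come from `steps.secrets.outputs.aws-access-key-id` / `aws-secret-access-key`, and the `secrets` step that populates those outputs lies outside this hunk; if that step fetches the static AWS keys unconditionally, the enterprise path still pulls credentials it never uses. Applying the same condition to the retrieval of those two values, or dropping them from it once the Doormat path is the only one for this repository, keeps the static keys out of enterprise runs altogether. The enclosing job continues before and after this hunk.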
@@ -36,6 +36,7 @@ jobs:
 enos-run-vault-interactive-test:
 name: Enos run Vault interactive test
 runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+ permissions: write-all
 timeout-minutes: 120
 env:
 GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
@@ -75,7 +76,11 @@ jobs:
 # the Terraform wrapper will break Terraform execution in Enos because
 # it changes the output to text when we expect it to be JSON.
 terraform_wrapper: false
- - uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+ - uses: ./.github/actions/metadata
+ id: metadata
+ - name: Configure AWS credentials
+ if: steps.metadata.outputs.is-ent-repo == 'false'
+ uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
 with:
 aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI_09042025 }}
 aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI_09042025 }}
@@ -83,6 +88,12 @@ jobs:
 role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
 role-skip-session-tagging: true
 role-duration-seconds: 3600
+ - name: Doormat AWS Auth
+ if: steps.metadata.outputs.is-ent-repo == 'true'
+ uses: hashicorp/doormat-action@v1
+ with:
+ aws-role-arn: arn:aws:iam::505811019928:role/github_actions-vault_enterprise_ci
+ service-account: github-actions-vault-enterprise-ci@hashicorp.com
 - uses: hashicorp/action-setup-enos@39a8f388434bea5eeba6649b99aa9949a55a1150 # v1.38
 with:
 github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}