-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
0a7b17a
commit 22349ce
Showing
2 changed files
with
22 additions
and
119 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,54 +1,7 @@ | ||
| # AppSecretsAction | ||
|
|
||
| Github Action to deploy in aws secret manager a set of secret from the app repository. | ||
| File should match this path `.finalcad/secrets.yaml`. You can find a list of all available keys on this [page](https://finalcad.atlassian.net/wiki/spaces/INFRA/pages/3213590529/Security+secrets) | ||
| This Github Action has been deprecated. Use [Gob](https://finalcad.atlassian.net/wiki/spaces/TE/pages/4264427522/Repository+update+by+Gob) to update your project. | ||
|
|
||
| ## Inputs | ||
| ### `app-name` | ||
| [**Required**] Application ID to identify the apps in eks-apps | ||
| If you don't know what it means, post a message on [Slack #infra-backend](https://finalcad.slack.com/archives/G01GL3EBLAW). | ||
|
|
||
| ### `aws-role` | ||
| [**Required**] AWS role allowing Secret manager usage | ||
|
|
||
| ### `aws-region` | ||
| AWS region for ECR checks, Default: eu-central-1 | ||
|
|
||
| ### `terraform-version` | ||
| Terraform version to use, Default: latest | ||
|
|
||
| ### `terragrunt-version` | ||
| Terragrunt version to use, Default: latest | ||
|
|
||
| ### `appsecret-repo` | ||
| Repository containing terraform code for secret creation, Default: FinalCAD/terraform-app-secrets | ||
|
|
||
| ### `appsecret-ref` | ||
| Reference to use for `appsecret-repo` repository, Default: master | ||
|
|
||
| ### `github-token` | ||
| Github token to avoid limit rate when pulling package | ||
|
|
||
| ### `github-ssh` | ||
| [**Required**] Github ssh key to pull `appsecret-repo` repository | ||
|
|
||
| ### `environment` | ||
| [**Required**] Finalcad envrionment: production, staging, sandbox | ||
|
|
||
| ### `region-friendly` | ||
| Finalcad region: frankfurt or tokyo, Default: frankfurt | ||
|
|
||
| ### `secret-file` | ||
| Path for secret file to create, Default: .finalcad/secrets.yaml | ||
|
|
||
| ## Usage | ||
|
|
||
| ```yaml | ||
| - name: Push secrets | ||
| uses: FinalCAD/[email protected] | ||
| with: | ||
| github-ssh: ${{ secrets.GH_DEPLOY_SSH }} | ||
| environment: sandbox | ||
| region-friendly: frankfurt | ||
| app-name: api1-service-api | ||
| aws-role: ${{ secrets.DEPLOY_ROLE_MASTER }} | ||
| ``` | ||
| In case of emergency and CI migration isn't possible fallback to [`v1.0.2-deprecated`](https://github.com/FinalCAD/AppSecretsAction/tree/v1.0.2-deprecated). |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -3,99 +3,49 @@ description: 'Create a secret for microservice from global secret' | |
| inputs: | ||
| app-name: | ||
| description: 'Applcation id' | ||
| required: true | ||
| default: '' | ||
| aws-role: | ||
| description: 'Aws role to apply changes' | ||
| required: true | ||
| default: '' | ||
| aws-region: | ||
| description: 'Aws region' | ||
| default: 'eu-central-1' | ||
| default: '' | ||
| terraform-version: | ||
| description: 'Terraform version to install.' | ||
| default: 'latest' | ||
| default: '' | ||
| terragrunt-version: | ||
| description: 'Terragrunt version to install.' | ||
| default: 'latest' | ||
| default: '' | ||
| appsecret-repo: | ||
| description: 'appsecret repository' | ||
| default: 'FinalCAD/terraform-app-secrets' | ||
| default: '' | ||
| appsecret-ref: | ||
| descrition: 'Ref to use for pulling repo apopsecret' | ||
| default: 'master' | ||
| description: 'Ref to use for pulling repo apopsecret' | ||
| default: '' | ||
| github-token: | ||
| description: 'Github token to pull package to avoid limit rate' | ||
| default: '' | ||
| github-ssh: | ||
| description: 'Github ssh key to pull terragrunt from github api' | ||
| required: true | ||
| default: '' | ||
| environment: | ||
| description: 'Finalcad envrionment: production, staging, sandbox' | ||
| require: true | ||
| default: '' | ||
| region-friendly: | ||
| description: 'Finalcad region: frankfurt or tokyo' | ||
| default: 'frankfurt' | ||
| default: '' | ||
| secret-file: | ||
| description: 'File with path for secret configuration' | ||
| default: '.finalcad/secrets.yaml' | ||
| default: '' | ||
| runs: | ||
| using: 'composite' | ||
| steps: | ||
| - uses: actions/checkout@v3 | ||
| with: | ||
| path: 'app' | ||
| - uses: actions/checkout@v3 | ||
| with: | ||
| ssh-key: ${{ inputs.github-ssh }} | ||
| repository: ${{ inputs.appsecret-repo }} | ||
| ref: ${{ inputs.appsecret-ref }} | ||
| path: 'terragrunt' | ||
| # Setup ssh key | ||
| - name: Add ssh key | ||
| shell: bash | ||
| run: | | ||
| mkdir -p ~/.ssh | ||
| echo "${{ inputs.github-ssh }}" > ~/.ssh/id_rsa | ||
| ssh-keyscan github.com >> ~/.ssh/known_hosts | ||
| chmod 600 ~/.ssh/id_rsa ~/.ssh/known_hosts | ||
| eval $(ssh-agent) | ||
| ssh-add ~/.ssh/id_rsa | ||
| # Setup terraform | ||
| - name: Setup Terraform | ||
| uses: hashicorp/setup-terraform@v2 | ||
| with: | ||
| terraform_version: ${{ inputs.terraform-version }} | ||
| terraform_wrapper: false | ||
| # Setup terragrunt | ||
| - name: Terragrunt Binary Installer Action | ||
| uses: autero1/[email protected] | ||
| if: inputs.terragrunt-version != 'disabled' | ||
| with: | ||
| terragrunt_version: ${{ inputs.terragrunt-version }} | ||
| token: ${{ inputs.github-token }} | ||
| # Copy secret configuration file | ||
| - name: Secret file | ||
| id: secretfile | ||
| shell: bash | ||
| run: | | ||
| set -e | ||
| if [ -f ./app/${{ inputs.secret-file }} ]; then | ||
| cp ./app/${{ inputs.secret-file }} ./terragrunt/secrets.yaml | ||
| echo "secretfile=ok" >> $GITHUB_OUTPUT | ||
| fi | ||
| # Configure aws credentials | ||
| - name: Configure AWS credentials for security | ||
| uses: aws-actions/configure-aws-credentials@v1 | ||
| with: | ||
| aws-region: ${{ inputs.aws-region }} | ||
| role-to-assume: ${{ inputs.aws-role }} | ||
| role-session-name: OIDCSession | ||
| # Apply terragrunt | ||
| - name: Terragrunt apply | ||
| - name: "[deprecated] AppSecretsAction" | ||
| shell: bash | ||
| if: ${{ steps.secretfile.outputs.secretfile }} == "ok" | ||
| run: | | ||
| cd ./terragrunt/${{ inputs.environment }}/${{ inputs.region-friendly }}/appsecrets | ||
| terragrunt init -backend-config=key=appsecrets/${{ inputs.environment }}/${{ inputs.region-friendly }}/${{ inputs.app-name }}/terraform.tfstate | ||
| export TF_VAR_application_id=${{ inputs.app-name }} | ||
| export TF_VAR_region_finalcad=${{ inputs.region-friendly }} | ||
| terragrunt apply -auto-approve | ||
| cat <<EOF | ||
| The Github Action https://github.com/FinalCAD/AppSecretsAction is deprecated. Use Gob (https://finalcad.atlassian.net/wiki/spaces/TE/pages/4264427522/Repository+update+by+Gob) to update your project. | ||
| If you don't know what it means, post a message on Slack #infra-backend (https://finalcad.slack.com/archives/G01GL3EBLAW). | ||
| EOF | ||
| exit 1 | ||