APPEALS-53151: Update ECR Workflow to Utilize OIDC Flow (#22348)

* Reconfigure ECR login workflow to utilize Github's OIDC flow * Add permissions * Update AWS account number to one for VAEC * Update account number for main CI workflow * Try using a separate secret in test * Try using a separate secret in test * Change name of secret --------- Co-authored-by: Matthew Thornton <[email protected]>
department-of-veterans-affairs · Jul 31, 2024 · 3367fbe · 3367fbe
1 parent 4d1bfd3
commit 3367fbe
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 23 deletions.
diff --git a/.github/workflows/ecr-login.yml b/.github/workflows/ecr-login.yml
@@ -4,31 +4,47 @@ on:
   # Every 6 hours, the password validity is 12 hours
   schedule:
     - cron:  '0 */6 * * *'
+
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   login:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+
+      - name: Configure AWS Credentials
+        id: acquire-credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-gov-west-1
+          role-to-assume: ${{ secrets.AWS_ROLE }}
+          output-credentials: true
+
       - name: retrieve ecr password and store as secret
+        if: steps.acquire-credentials.outcome == 'success'
         run: |
           pip3 install -r .github/workflows/requirements.txt
           python3 .github/workflows/ecr_password_updater.py
         env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_ACCESS_KEY_ID: ${{ steps.acquire-credentials.outputs.aws-access-key-id }}
+          AWS_SECRET_ACCESS_KEY: ${{ steps.acquire-credentials.outputs.aws-secret-access-key }}
           AWS_DEFAULT_REGION: us-gov-west-1
           GH_API_ACCESS_TOKEN: ${{ secrets.GH_API_ACCESS_TOKEN }}
-  # This 'test' job is usefull for fast debugging
+
+  # This 'test' job is useful for fast debugging
   test:
     needs: login
     runs-on: ubuntu-latest
     timeout-minutes: 1
     container:
-      image: 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/gaimg-ruby:2.7.3-ga-browsers
+      image: 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/gaimg-ruby:2.7.3-ga-browsers
       credentials:
         username: AWS
         # Here is the password retrieved as a secret that is set by the `login` job
-        password: ${{ secrets.ECR_PASSWORD }}
+        password: ${{ secrets.VAEC_ECR_PASSWORD }}
     steps:
       - run: echo "Inside a container pulled from ECR!!"
diff --git a/.github/workflows/ecr_password_updater.py b/.github/workflows/ecr_password_updater.py
@@ -41,7 +41,7 @@ def get_ecr_password() -> str:
 
     password = get_ecr_password()
     encrypted_password = encrypt(public_key_value, password)
-    update_password = requests.put('https://api.github.com/repos/department-of-veterans-affairs/caseflow/actions/secrets/ECR_PASSWORD',
+    update_password = requests.put('https://api.github.com/repos/department-of-veterans-affairs/caseflow/actions/secrets/VAEC_ECR_PASSWORD',
                                    headers={'Accept': 'application/vnd.github.v3+json',
                                             'Authorization': 'token ' + os.environ['GH_API_ACCESS_TOKEN']},
                                    data=json.dumps({'encrypted_value': encrypted_password, 'key_id': public_key_id,

diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
@@ -38,10 +38,10 @@ jobs:
           - 6379:6379
 
       facols_db:
-        image: 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/facols:latest
+        image: 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/facols:latest
         credentials:
           username: AWS
-          password: ${{ secrets.ECR_PASSWORD }}
+          password: ${{ secrets.VAEC_ECR_PASSWORD }}
         ports:
           - 1521:1521
 
@@ -52,11 +52,11 @@ jobs:
         ci_node_index: [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11]
 
     container:
-      image: 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/gaimg-ruby:2.7.3-ga-browsers
+      image: 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/gaimg-ruby:2.7.3-ga-browsers
       options: --privileged # Necessary for Rspec to run with our configuration within GHA
       credentials:
         username: AWS
-        password: ${{ secrets.ECR_PASSWORD }}
+        password: ${{ secrets.VAEC_ECR_PASSWORD }}
 
       env:
         DBUS_SESSION_BUS_ADDRESS: /dev/null
@@ -266,10 +266,10 @@ jobs:
     if: true
     runs-on: ubuntu-latest
     container:
-      image: 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/gaimg-ruby:2.7.3-ga-browsers
+      image: 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/gaimg-ruby:2.7.3-ga-browsers
       credentials:
         username: AWS
-        password: ${{ secrets.ECR_PASSWORD }}
+        password: ${{ secrets.VAEC_ECR_PASSWORD }}
       env:
         DBUS_SESSION_BUS_ADDRESS: /dev/null
         RAILS_ENV: test
@@ -328,10 +328,10 @@ jobs:
     if: true
     runs-on: ubuntu-latest
     container:
-      image: 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/gaimg-ruby:2.7.3-ga-browsers
+      image: 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/gaimg-ruby:2.7.3-ga-browsers
       credentials:
         username: AWS
-        password: ${{ secrets.ECR_PASSWORD }}
+        password: ${{ secrets.VAEC_ECR_PASSWORD }}
 
     steps:
       - name: Checkout

diff --git a/ci-bin/circle_docker_container/build_and_push.sh b/ci-bin/circle_docker_container/build_and_push.sh
@@ -7,12 +7,12 @@ fi
 
 rm instant-client-12-1.tar.gz
 
-aws ecr get-login-password --region us-gov-west-1 | docker login --username AWS --password-stdin 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com
+aws ecr get-login-password --region us-gov-west-1 | docker login --username AWS --password-stdin 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com
 
 docker build -t cimg-ruby .
 # In case we modify this image and keep the same ruby version, we should use a different tag (i.e. image digest)
-docker tag cimg-ruby:latest 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/cimg-ruby:2.7.3-browsers
-if docker push 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/cimg-ruby:2.7.3-browsers ; then
+docker tag cimg-ruby:latest 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/cimg-ruby:2.7.3-browsers
+if docker push 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/cimg-ruby:2.7.3-browsers ; then
   echo 'Success the latest docker image has been pushed.'
 else
   echo 'Failed. You likely need to sign in with MFA https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/'

diff --git a/local/vacols/build_push.sh b/local/vacols/build_push.sh
@@ -91,12 +91,12 @@ build(){
 }
 
 push(){
-  aws ecr get-login-password --region us-gov-west-1 | docker login --username AWS --password-stdin 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com
+  aws ecr get-login-password --region us-gov-west-1 | docker login --username AWS --password-stdin 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com
   docker tag vacols_db:latest vacols_db:${today}
-  docker tag vacols_db:${today} 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/facols:${today}
-  docker tag vacols_db:latest 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/facols:latest
-  if docker push 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/facols:${today} ; then
-    docker push 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/facols:latest
+  docker tag vacols_db:${today} 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/facols:${today}
+  docker tag vacols_db:latest 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/facols:latest
+  if docker push 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/facols:${today} ; then
+    docker push 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/facols:latest
     echo "${bold}Success. ${normal}The latest docker image has been pushed."
   else
     echo "${bold}Failed to Upload. ${normal}Probably you don't have permissions to do this. Ask the DevOps Team please"
@@ -107,7 +107,7 @@ push(){
 download(){
   # get circleci latest image from this same repo
   facols_image=$(cat ${THIS_SCRIPT_DIR}/../../.circleci/config.yml| grep -m 1 facols | awk '{print $3}')
-  aws ecr get-login-password --region us-gov-west-1 | docker login --username AWS --password-stdin 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com
+  aws ecr get-login-password --region us-gov-west-1 | docker login --username AWS --password-stdin 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com
   docker pull $facols_image
   docker tag $facols_image vacols_db:latest
 }