Merge pull request #17 from hearchco/as/fix/github-scope

fix(github): sub scope dispatch workflow
hearchco · Apr 11, 2024 · 42f2f77 · 42f2f77
2 parents 9f4849a + dffb40b
commit 42f2f77
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 20 deletions.
diff --git a/.github/workflows/deploy-backend.yml b/.github/workflows/deploy-backend.yml
@@ -31,14 +31,15 @@ jobs:
         with:
           role-to-assume: ${{ secrets.TF_SHARED_ROLE }}
           aws-region: ${{ secrets.AWS_REGION }}
+          output-credentials: true
 
       - name: Configure AWS Credentials File
         run: |
           mkdir -p ~/.aws
           echo "[${{ steps.shared-tf-state.outputs.aws-account-id }}_TFStateLock]" >> ~/.aws/credentials
-          echo "aws_access_key_id=${{ steps.shared-tf-state.outputs.aws-access-key-id }}" >> ~/.aws/credentials
-          echo "aws_secret_access_key=${{ steps.shared-tf-state.outputs.aws-secret-access-key }}" >> ~/.aws/credentials
-          echo "aws_session_token=${{ steps.shared-tf-state.outputs.aws-session-token }}" >> ~/.aws/credentials
+          echo "aws_access_key_id=::add-mask::${{ steps.shared-tf-state.outputs.aws-access-key-id }}" >> ~/.aws/credentials
+          echo "aws_secret_access_key=::add-mask::${{ steps.shared-tf-state.outputs.aws-secret-access-key }}" >> ~/.aws/credentials
+          echo "aws_session_token=::add-mask::${{ steps.shared-tf-state.outputs.aws-session-token }}" >> ~/.aws/credentials
 
       ## AWS (prod)
       - name: Configure AWS credentials for deployment (prod)
@@ -48,14 +49,15 @@ jobs:
         with:
           role-to-assume: ${{ secrets.BACKEND_PROD_ROLE }}
           aws-region: ${{ secrets.AWS_REGION }}
+          output-credentials: true
 
       - name: Configure AWS Credentials File (prod)
         if: github.event.client_payload.environment == 'prod'
         run: |
           echo "[${{ steps.prod-deployment.outputs.aws-account-id }}_Admin]" >> ~/.aws/credentials
-          echo "aws_access_key_id=${{ steps.prod-deployment.outputs.aws-access-key-id }}" >> ~/.aws/credentials
-          echo "aws_secret_access_key=${{ steps.prod-deployment.outputs.aws-secret-access-key }}" >> ~/.aws/credentials
-          echo "aws_session_token=${{ steps.prod-deployment.outputs.aws-session-token }}" >> ~/.aws/credentials
+          echo "aws_access_key_id=::add-mask::${{ steps.prod-deployment.outputs.aws-access-key-id }}" >> ~/.aws/credentials
+          echo "aws_secret_access_key=::add-mask::${{ steps.prod-deployment.outputs.aws-secret-access-key }}" >> ~/.aws/credentials
+          echo "aws_session_token=::add-mask::${{ steps.prod-deployment.outputs.aws-session-token }}" >> ~/.aws/credentials
 
       ## AWS (dev)
       - name: Configure AWS credentials for deployment (dev)
@@ -65,14 +67,15 @@ jobs:
         with:
           role-to-assume: ${{ secrets.BACKEND_DEV_ROLE }}
           aws-region: ${{ secrets.AWS_REGION }}
+          output-credentials: true
 
       - name: Configure AWS Credentials File (dev)
         if: github.event.client_payload.environment == 'dev'
         run: |
           echo "[${{ steps.dev-deployment.outputs.aws-account-id }}_Admin]" >> ~/.aws/credentials
-          echo "aws_access_key_id=${{ steps.dev-deployment.outputs.aws-access-key-id }}" >> ~/.aws/credentials
-          echo "aws_secret_access_key=${{ steps.dev-deployment.outputs.aws-secret-access-key }}" >> ~/.aws/credentials
-          echo "aws_session_token=${{ steps.dev-deployment.outputs.aws-session-token }}" >> ~/.aws/credentials
+          echo "aws_access_key_id=::add-mask::${{ steps.dev-deployment.outputs.aws-access-key-id }}" >> ~/.aws/credentials
+          echo "aws_secret_access_key=::add-mask::${{ steps.dev-deployment.outputs.aws-secret-access-key }}" >> ~/.aws/credentials
+          echo "aws_session_token=::add-mask::${{ steps.dev-deployment.outputs.aws-session-token }}" >> ~/.aws/credentials
 
       # Terraform
       - name: Setup Terraform

diff --git a/aws/dev/github/main.tf b/aws/dev/github/main.tf
@@ -21,9 +21,7 @@ module "github_oidc" {
 module "github_backend_deploy" {
   source = "../../modules/github/role"
 
-  name       = "github-auth-backend-deploy"
-  repository = "hearchco/hearchco"
-
+  name = "github-auth-backend-deploy"
   statements = [
     {
       actions = [

diff --git a/aws/modules/github/role/variables.tf b/aws/modules/github/role/variables.tf
@@ -14,13 +14,14 @@ variable "audience" {
 
 // "<org_name>/<repo_name>"
 variable "repository" {
-  type = string
+  type    = string
+  default = "hearchco/infra"
 }
 
 // to allow all branches use "ref:refs/heads/*", to allow everything from the repo use "*"
 variable "scope" {
   type    = string
-  default = "ref:refs/heads/main"
+  default = "*"
 }
 
 variable "statements" {

diff --git a/aws/prod/github/main.tf b/aws/prod/github/main.tf
@@ -21,9 +21,7 @@ module "github_oidc" {
 module "github_backend_deploy" {
   source = "../../modules/github/role"
 
-  name       = "github-auth-backend-deploy"
-  repository = "hearchco/hearchco"
-
+  name = "github-auth-backend-deploy"
   statements = [
     {
       actions = [

diff --git a/aws/shared/github/main.tf b/aws/shared/github/main.tf
@@ -21,9 +21,7 @@ module "github_oidc" {
 module "github_shared_tf_state" {
   source = "../../modules/github/role"
 
-  name       = "github-auth-shared-tf-state"
-  repository = "hearchco/hearchco"
-
+  name = "github-auth-shared-tf-state"
   statements = [
     {
       actions = [