From 76cd41f58b719d6a333c5c75111116ce0f28b92f Mon Sep 17 00:00:00 2001
From: Kim Gustyr
Date: Mon, 24 Jun 2024 10:15:41 +0100
Subject: [PATCH 01/10] fix: Secrets unavailable for deploy jobs

---
 .github/workflows/api-deploy-production-ecs.yml | 1 +
 .github/workflows/api-deploy-staging-ecs.yml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/.github/workflows/api-deploy-production-ecs.yml b/.github/workflows/api-deploy-production-ecs.yml
index 66118043bddf..d06d5d7ab1b6 100644
--- a/.github/workflows/api-deploy-production-ecs.yml
+++ b/.github/workflows/api-deploy-production-ecs.yml
@@ -14,3 +14,4 @@ jobs:
 uses: ./.github/workflows/.reusable-deploy-ecs.yml
 with:
 environment: production
+ secrets: inherit
diff --git a/.github/workflows/api-deploy-staging-ecs.yml b/.github/workflows/api-deploy-staging-ecs.yml
index 0cc139aeb5e1..b02ff61bebe9 100644
--- a/.github/workflows/api-deploy-staging-ecs.yml
+++ b/.github/workflows/api-deploy-staging-ecs.yml
@@ -15,3 +15,4 @@ jobs:
 uses: ./.github/workflows/.reusable-deploy-ecs.yml
 with:
 environment: staging
+ secrets: inherit

From 3a413e3677579233b0c42fb688082f4f30e8a524 Mon Sep 17 00:00:00 2001
From: Kim Gustyr
Date: Mon, 24 Jun 2024 10:16:09 +0100
Subject: [PATCH 02/10] test

---
 .github/workflows/api-deploy-staging-ecs.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/api-deploy-staging-ecs.yml b/.github/workflows/api-deploy-staging-ecs.yml
index b02ff61bebe9..bd22a1cfd057 100644
--- a/.github/workflows/api-deploy-staging-ecs.yml
+++ b/.github/workflows/api-deploy-staging-ecs.yml
@@ -4,6 +4,7 @@ on:
 push:
 branches:
 - main
+ - fix/ecs-deploy-secrets
 paths:
 - api/**
 - .github/**

From 8e5485861a7193928bc93c90ef9b330e815df920 Mon Sep 17 00:00:00 2001
From: Kim Gustyr
Date: Mon, 24 Jun 2024 10:21:20 +0100
Subject: [PATCH 03/10] avoid chown

---
 Dockerfile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 8afc45d4f8d7..994fe539fae5 100644
--- a/Dockerfile
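Review bot: `secrets: inherit` under the `environment: production` call (and the identical line in the staging hunk that follows) forwards every organization, repository and environment secret the caller can see to `.reusable-deploy-ecs.yml`, while the later hunks of this series show the reusable workflow reading only `GH_PRIVATE_ACCESS_TOKEN`, `SSE_PGP_PRIVATE_KEY` and `AWS_SECRET_ACCESS_KEY`. Passing those three explicitly as a `secrets:` mapping, with matching `on.workflow_call.secrets` declarations in the reusable workflow (outside these hunks), limits the deploy job to what it needs and makes the contract visible in the caller. If `inherit` is kept on purpose, a comment such as `# inherit: the reusable workflow needs GH_PRIVATE_ACCESS_TOKEN, SSE_PGP_PRIVATE_KEY and AWS_SECRET_ACCESS_KEY` would record why. The enclosing `jobs:` entry starts above the hunk.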
+++ b/Dockerfile
@@ -167,8 +167,7 @@ FROM api-runtime-private as saas-api
 RUN --mount=type=secret,id=sse_pgp_pkey \
 apt-get update && apt-get install -y gnupg && \
 gpg --import /run/secrets/sse_pgp_pkey && \
- mv /root/.gnupg /app/; \
- chown -R nobody /app/.gnupg
+ mv /root/.gnupg/ /app/
 ARG PYTHON_SITE_DIR
 COPY --from=build-python-private ${PYTHON_SITE_DIR} ${PYTHON_SITE_DIR}

From cf4f2ad08341bda251c56a8a2f084f8499cd1021 Mon Sep 17 00:00:00 2001
From: Kim Gustyr
Date: Mon, 24 Jun 2024 10:37:33 +0100
Subject: [PATCH 04/10] quote the key?

---
 .github/workflows/.reusable-deploy-ecs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/.reusable-deploy-ecs.yml b/.github/workflows/.reusable-deploy-ecs.yml
index c694eeb7f40b..a1a238c66373 100644
--- a/.github/workflows/.reusable-deploy-ecs.yml
+++ b/.github/workflows/.reusable-deploy-ecs.yml
@@ -61,7 +61,7 @@ jobs:
 build-args: CI_COMMIT_SHA=${{ github.sha }}
 secrets: |
 github_private_cloud_token=${{ secrets.GH_PRIVATE_ACCESS_TOKEN }}
- sse_pgp_pkey=${{ secrets.SSE_PGP_PRIVATE_KEY }}
+ sse_pgp_pkey="${{ secrets.SSE_PGP_PRIVATE_KEY }}"
 push: true
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}

From a095e43cef3719b6905217ffe33b19c89059cf55 Mon Sep 17 00:00:00 2001
From: Kim Gustyr
Date: Mon, 24 Jun 2024 10:42:25 +0100
Subject: [PATCH 05/10] quote gpg secret properly?

---
 .github/workflows/.reusable-deploy-ecs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/.reusable-deploy-ecs.yml b/.github/workflows/.reusable-deploy-ecs.yml
index a1a238c66373..5f6bd2cacf72 100644
--- a/.github/workflows/.reusable-deploy-ecs.yml
+++ b/.github/workflows/.reusable-deploy-ecs.yml
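Review bot: The new `mv /root/.gnupg/ /app/` line keeps the imported private key inside the image: `--mount=type=secret` keeps `/run/secrets/sse_pgp_pkey` out of the layers, but `gpg --import` writes the key material into `/root/.gnupg`, and moving that directory under `/app` commits it to the `saas-api` stage, so anyone who can pull the image from the registry holds the key. The same applies to the Dockerfile hunk of patch 09, which re-adds `chown -R nobody /app/.gnupg/` on top of this line. If the running service genuinely needs the key, injecting it at container start (an ECS task secret exported into the container and imported there) keeps the image free of key material; at minimum a comment on the `RUN` line should state that the key is intentionally baked in and which consumer relies on it. Whether a later instruction restricts access to `/app/.gnupg` is outside the hunk.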
@@ -61,7 +61,7 @@ jobs:
 build-args: CI_COMMIT_SHA=${{ github.sha }}
 secrets: |
 github_private_cloud_token=${{ secrets.GH_PRIVATE_ACCESS_TOKEN }}
- sse_pgp_pkey="${{ secrets.SSE_PGP_PRIVATE_KEY }}"
+ "sse_pgp_pkey=${{ secrets.SSE_PGP_PRIVATE_KEY }}"
 push: true
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}

From 26a4d4b642c77915dc64b7daa12109735c1560da Mon Sep 17 00:00:00 2001
From: Kim Gustyr
Date: Mon, 24 Jun 2024 10:57:05 +0100
Subject: [PATCH 06/10] remove unused input

---
 .github/workflows/.reusable-deploy-ecs.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/.reusable-deploy-ecs.yml b/.github/workflows/.reusable-deploy-ecs.yml
index 5f6bd2cacf72..284387833796 100644
--- a/.github/workflows/.reusable-deploy-ecs.yml
+++ b/.github/workflows/.reusable-deploy-ecs.yml
@@ -85,7 +85,6 @@ jobs:
 aws_ecs_service_name: ${{ vars.AWS_ECS_SERVICE_NAME }}
 aws_vpc_subnet_id: ${{ vars.AWS_VPC_SUBNET_ID }}
 aws_ecs_security_group_id: ${{ vars.AWS_ECS_SECURITY_GROUP_ID }}
- aws_ecr_repository_arn: ${{ vars.AWS_ECR_REPOSITORY_ARN }}
 aws_identity_migration_event_bus_name: ${{ vars.AWS_IDENTITY_MIGRATION_EVENT_BUS_NAME }}
 aws_identity_migration_event_bus_rule_id: ${{ vars.AWS_IDENTITY_MIGRATION_EVENT_BUS_RULE_ID }}
 aws_identity_migration_task_role_arn: ${{ vars.AWS_IDENTITY_MIGRATION_TASK_ROLE_ARN }}

From 84e8c7053ee6a9f5dce516c78ed2a5b6d2fb9172 Mon Sep 17 00:00:00 2001
From: Kim Gustyr
Date: Mon, 24 Jun 2024 11:11:24 +0100
Subject: [PATCH 07/10] bump aws action, unmask image-url output

---
 .github/actions/api-deploy-ecs/action.yml | 2 +-
 .github/actions/task-processor-deploy-ecs/action.yml | 2 +-
 .github/workflows/.reusable-deploy-ecs.yml | 3 ++-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/actions/api-deploy-ecs/action.yml b/.github/actions/api-deploy-ecs/action.yml
index d81db5f8f195..e6a367a830a3 100644
--- a/.github/actions/api-deploy-ecs/action.yml
+++ b/.github/actions/api-deploy-ecs/action.yml
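Review bot: The new `"sse_pgp_pkey=${{ secrets.SSE_PGP_PRIVATE_KEY }}"` entry in the `secrets: |` block carries no explanation of why this pair is quoted while `github_private_cloud_token=...` directly above it is not; the previous patch quoted only the value and this subject line still ends in a question mark, so the next maintainer has nothing to go on. Assuming the step is docker's or depot's build-push-action (the `build-args`/`push`/`tags`/`labels` inputs suggest so), wrapping the whole `key=value` pair in double quotes is the documented form for a multi-line secret, which an ASCII-armored PGP private key is. A comment above the line, `# whole pair quoted: multi-line secret (build-push-action secrets syntax)`, would capture that. The step definition begins above this hunk.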
@@ -50,7 +50,7 @@ runs:
 steps:
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v1-node16
+ uses: aws-actions/configure-aws-credentials@v4
 with:
 aws-access-key-id: ${{ inputs.aws_access_key_id }}
 aws-secret-access-key: ${{ inputs.aws_secret_access_key }}
diff --git a/.github/actions/task-processor-deploy-ecs/action.yml b/.github/actions/task-processor-deploy-ecs/action.yml
index 48d1b6cb9428..d622636f1ba9 100644
--- a/.github/actions/task-processor-deploy-ecs/action.yml
+++ b/.github/actions/task-processor-deploy-ecs/action.yml
@@ -26,7 +26,7 @@ runs:
 steps:
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v1-node16
+ uses: aws-actions/configure-aws-credentials@v4
 with:
 aws-access-key-id: ${{ inputs.aws_access_key_id }}
 aws-secret-access-key: ${{ inputs.aws_secret_access_key }}
diff --git a/.github/workflows/.reusable-deploy-ecs.yml b/.github/workflows/.reusable-deploy-ecs.yml
index 284387833796..72e58be119bd 100644
--- a/.github/workflows/.reusable-deploy-ecs.yml
+++ b/.github/workflows/.reusable-deploy-ecs.yml
@@ -33,11 +33,12 @@ jobs:
 uses: depot/setup-action@v1
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v1-node16
+ uses: aws-actions/configure-aws-credentials@v4
 with:
 aws-access-key-id: ${{ vars.AWS_ACCESS_KEY_ID }}
 aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 aws-region: eu-west-2
+ mask-aws-account-id: 'no'
 - name: Login to Amazon ECR
 id: login-ecr

From 9906aff30d85ebd52f0d903ba19e29e70ae54e54 Mon Sep 17 00:00:00 2001
From: Kim Gustyr
Date: Mon, 24 Jun 2024 11:51:14 +0100
Subject: [PATCH 08/10] testing done

---
 .github/workflows/api-deploy-staging-ecs.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/api-deploy-staging-ecs.yml b/.github/workflows/api-deploy-staging-ecs.yml
index bd22a1cfd057..b02ff61bebe9 100644
--- a/.github/workflows/api-deploy-staging-ecs.yml
+++ b/.github/workflows/api-deploy-staging-ecs.yml
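Review bot: `mask-aws-account-id: 'no'` in the `.reusable-deploy-ecs.yml` hunk is outside the action's documented contract, which names `'true'` and `'false'` as the valid values; it presumably unmasks only because the action treats anything other than `true` as false, which should be confirmed against the v4 source rather than relied on, so `mask-aws-account-id: 'false'` is the form to use, with a comment recording the reason, e.g. `# unmasked so the ECR image URL (which embeds the account id) survives in step outputs`. Separately, all three hunks of this patch (both composite actions and the reusable workflow) still hand long-lived `aws-access-key-id`/`aws-secret-access-key` pairs to `configure-aws-credentials@v4`; this version supports `role-to-assume` with the runner's OIDC token, which would remove static keys from `vars`/`secrets` altogether and is worth a follow-up. Each `steps:` list continues outside its hunk.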
@@ -4,7 +4,6 @@ on:
 push:
 branches:
 - main
- - fix/ecs-deploy-secrets
 paths:
 - api/**
 - .github/**

From d5162f927c67ad307cc8ad1762e9b21c517ffd05 Mon Sep 17 00:00:00 2001
From: Kim Gustyr
Date: Mon, 24 Jun 2024 12:54:03 +0100
Subject: [PATCH 09/10] chown

---
 .github/workflows/api-deploy-staging-ecs.yml | 1 +
 Dockerfile | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/api-deploy-staging-ecs.yml b/.github/workflows/api-deploy-staging-ecs.yml
index b02ff61bebe9..ea05fddfc6b0 100644
--- a/.github/workflows/api-deploy-staging-ecs.yml
+++ b/.github/workflows/api-deploy-staging-ecs.yml
@@ -8,6 +8,7 @@ on:
 - api/**
 - .github/**
 - infrastructure/aws/staging/**
+ - fix/ecs-deploy-secrets
 workflow_dispatch:
 jobs:
diff --git a/Dockerfile b/Dockerfile
index 994fe539fae5..914ba471d6f1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -167,7 +167,8 @@ FROM api-runtime-private as saas-api
 RUN --mount=type=secret,id=sse_pgp_pkey \
 apt-get update && apt-get install -y gnupg && \
 gpg --import /run/secrets/sse_pgp_pkey && \
- mv /root/.gnupg/ /app/
+ mv /root/.gnupg/ /app/ && \
+ chown -R nobody /app/.gnupg/
 ARG PYTHON_SITE_DIR
 COPY --from=build-python-private ${PYTHON_SITE_DIR} ${PYTHON_SITE_DIR}

From 8d16f3f19eb077e175954729e7344dfabbe96837 Mon Sep 17 00:00:00 2001
From: Kim Gustyr
Date: Mon, 24 Jun 2024 13:45:31 +0100
Subject: [PATCH 10/10] finish testing

---
 .github/workflows/api-deploy-staging-ecs.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/api-deploy-staging-ecs.yml b/.github/workflows/api-deploy-staging-ecs.yml
index ea05fddfc6b0..b02ff61bebe9 100644
--- a/.github/workflows/api-deploy-staging-ecs.yml
+++ b/.github/workflows/api-deploy-staging-ecs.yml
@@ -8,7 +8,6 @@ on:
 - api/**
 - .github/**
 - infrastructure/aws/staging/**
- - fix/ecs-deploy-secrets
 workflow_dispatch:
 jobs: