From d8f0e823d652ab593a4a2a905ba4661c72116ce5 Mon Sep 17 00:00:00 2001 From: julialawrence Date: Thu, 21 Nov 2024 15:49:12 +0000 Subject: [PATCH 01/23] This really is better done in terraform --- .../management-account-entraid-scim-plan.yml | 39 +++++++++++++++ .../entraid-scim/.terraform.lock.hcl | 44 ++++++++++++++++ .../terraform/entraid-scim/data.tf | 2 + .../terraform/entraid-scim/locals.tf | 29 +++++++++++ .../terraform/entraid-scim/main.tf | 50 +++++++++++++++++++ .../terraform/entraid-scim/providers.tf | 22 ++++++++ .../terraform/entraid-scim/secrets-manager.tf | 20 ++++++++ .../terraform/entraid-scim/versions.tf | 9 ++++ 8 files changed, 215 insertions(+) create mode 100644 .github/workflows/management-account-entraid-scim-plan.yml create mode 100644 management-account/terraform/entraid-scim/.terraform.lock.hcl create mode 100644 management-account/terraform/entraid-scim/data.tf create mode 100644 management-account/terraform/entraid-scim/locals.tf create mode 100644 management-account/terraform/entraid-scim/main.tf create mode 100644 management-account/terraform/entraid-scim/providers.tf create mode 100644 management-account/terraform/entraid-scim/secrets-manager.tf create mode 100644 management-account/terraform/entraid-scim/versions.tf diff --git a/.github/workflows/management-account-entraid-scim-plan.yml b/.github/workflows/management-account-entraid-scim-plan.yml new file mode 100644 index 00000000..68338bd8 --- /dev/null +++ b/.github/workflows/management-account-entraid-scim-plan.yml 
@@ -0,0 +1,39 @@ +name: terraform plan (management-account/entraid-scim) + +on: + pull_request: + paths: + - 'management-account/terraform/entraid-scim/**å' + - '.github/workflows/management-account-entraid-scim-plan.yml' + - '.github/workflows/management-account-entraid-scim-apply.yml' + workflow_dispatch: + schedule: + - cron: "0 */2 * * *" # Every 2 hours + +jobs: + plan: + runs-on: ubuntu-latest + if: | + github.event_name != 'schedule' || github.ref == 'refs/heads/main' # Run on cron only for main branch + permissions: + id-token: write + contents: read + defaults: + run: + working-directory: ./management-account/terraform/entraid-scim + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + with: + role-to-assume: arn:aws:iam::${{secrets.AWS_ROOT_ACCOUNT_ID}}:role/github-actions-plan + role-session-name: GitHubActions + aws-region: eu-west-2 + - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 + with: + terraform_version: 1.7.5 + - run: terraform fmt -check + continue-on-error: true + - run: terraform init + - run: terraform validate -no-color + - run: terraform plan -no-color + diff --git a/management-account/terraform/entraid-scim/.terraform.lock.hcl b/management-account/terraform/entraid-scim/.terraform.lock.hcl new file mode 100644 index 00000000..f94079bf --- /dev/null +++ b/management-account/terraform/entraid-scim/.terraform.lock.hcl 
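Review bot: The first `paths` filter, `'management-account/terraform/entraid-scim/**å'`, carries a stray trailing `å`, so a change under the terraform directory will not trigger this plan and only edits to the two workflow files will; it should read `'management-account/terraform/entraid-scim/**'`. Separately, `if: |` is a literal block scalar, so the trailing `# Run on cron only for main branch` becomes part of the expression text rather than a YAML comment; move that comment onto its own line above `if:` and keep the expression on one line. The `${{secrets.AWS_ROOT_ACCOUNT_ID}}` interpolation would also read more consistently with the rest of the file as `${{ secrets.AWS_ROOT_ACCOUNT_ID }}`.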
@@ -0,0 +1,44 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+ version = "5.76.0"
+ constraints = "~> 5.0"
+ hashes = [
+ "h1:RIaMr2WLZxL5Xs634b5Sa+hK6mVT7apzWcd9GfsGL20=",
+ "zh:05b2a0d25fc07576f6698d4840d0d2ae2599484c49f1b911ea1154584557bc13",
+ "zh:1b22dd1d9c482739e133adb996a9c8b285ca7d978d0fe04deaa5588eba5d254c",
+ "zh:216088c8800e7b8d7eff7b1a822317bc6faec64f27946ffd22bb3494ac4175cb",
+ "zh:43e994112b1484bf49945c4885aa2fee32486c9a5d64b9146bbd6f309f24e332",
+ "zh:46a28ba800f176eef500f998217bccc331605ef05f11abb1728f727a81f3a8b0",
+ "zh:4fad2743174a600da76a0cceeec2fef8399a18d880ba8929d811cd5cea1b5dee",
+ "zh:5c42a2c1438cd7533456026f52b562715664490711fdea809f44610a7565c145",
+ "zh:792d4fd4be434682e4540d2579505c7f11f39d0efe1d12ee2761ed0d46c8cd51",
+ "zh:7bb5f9f87c9da6d62d6f89504f01a9d6d2f19dcaa0efc46ea51ebdc4bb6fd536",
+ "zh:81cdbd97f81b1110fce793944d5668a4389904979eb7d178d3142a6b0e175e5e",
+ "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+ "zh:ab4b881eb0f3812b702aaecf921c5c16bbcc33d61d668be4d72d6da9c57ded85",
+ "zh:c1d9d1166fd948845614deef81f3197568d0d3c2a03b8b97fff308ebc59043f9",
+ "zh:cda7530f2c01434e483d3faf62fc0685295e7f844176aa38df1ba65fa6a4407a",
+ "zh:fdad558b1c41aa68123d0da82cc0d65bc86d09eaa1ab1d3a167ec3bce0fc0c66",
+ ]
+}
+
+provider "registry.terraform.io/hashicorp/azuread" {
+ version = "3.0.2"
+ hashes = [
+ "h1:HNrx7UJEDY5Kbx/r1LRQDWnziqvB6x3IU+pEA8Vq7dw=",
+ "zh:16e724b80a9004c7978c30f69a73c98ff63eb8a03937dd44c2a8f0ea0438b7a3",
+ "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7",
+ "zh:2bbbf13713ca4767267b889471c9fc14a56a8fdf5d1013da3ca78667e3caec64",
+ "zh:409ccb05431d643a079da082d89db2d95d6afed4769997ac537c8b7de3bff867",
+ "zh:53e4bca0f5d015380f7f524f36344afe6211ccaf614bfc69af73ca64a9f47d6c",
+ "zh:5780be2c1981d090604d7fa4cef675462f17f40e7f3dc501a031488e87a35b8f",
+ "zh:850e61a1b3e64c752c418526ccf48653514c861b36f5feb631619f906f7e99a0",
+ "zh:8c3565bfcea006a734149cc080452a9daf7d2a9d5362eb7e0a088b6c0d7f0f03",
+ "zh:908b9e6ad49d5d21173ecefc7924902047611be93bbf8e7d021aa9563358396f",
+ "zh:a2a79765c029bc58966eff61cb6e9b0ee14d2ac52b0a22fc7dfa35c9a49af669",
+ "zh:c7f56cbe8743e9ba81fce871bc97d9c07abe86770d9ee7ffefbf3882a61ba89a",
+ "zh:d4dba80e33421b30d81c62611fb7fc62ad39afecc6484436e635913cd8553e67",
+ ]
+}
diff --git a/management-account/terraform/entraid-scim/data.tf b/management-account/terraform/entraid-scim/data.tf
new file mode 100644
index 00000000..1e8e3609
--- /dev/null
+++ b/management-account/terraform/entraid-scim/data.tf
@@ -0,0 +1,2 @@
+data "aws_caller_identity" "current" {}
+data "aws_ssoadmin_instances" "identity_store" {}
\ No newline at end of file
diff --git a/management-account/terraform/entraid-scim/locals.tf b/management-account/terraform/entraid-scim/locals.tf
new file mode 100644
index 00000000..b2a9c56c
--- /dev/null
+++ b/management-account/terraform/entraid-scim/locals.tf
@@ -0,0 +1,29 @@
+locals {
+ tags_default = {
+ is-production = false
+ }
+ github_repository = "github.com/ministryofjustice/aws-root-account/blob/main"
+
+ tags_organisation_management = {
+ application = "Organisation Management"
+ business-unit = "Platforms"
+ infrastructure-support = "Hosting Leads: hosting-leads@digital.justice.gov.uk"
+ is-production = true
+ owner = "Hosting Leads: hosting-leads@digital.justice.gov.uk"
+ source-code = "github.com/ministryofjustice/aws-root-account"
+ }
+
+ azuread_group_members = toset([for group_id, group_data in data.azuread_group.entraid_group_data :
+ flatten([group_data.members, group_data.owners])
+ ])
+
+ group_memberships = flatten([
+ for group_name, group_data in data.azuread_group.entraid_group_data : [
+ for member in distinct(concat(group_data.members, group_data.owners)) : {
+ group_name = group_name
+ member_name = member
+ }
+ ]
+ ])
+}
+
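Review bot: `concat(group_data.members, group_data.owners)` in `group_memberships` (and the matching `flatten([group_data.members, group_data.owners])` in `azuread_group_members`) puts every *owner* of an Entra group into the mirrored AWS Identity Store group as a member, so owning an `azure-aws-sso-*` group is enough to receive whatever access that group is later granted in AWS, even for an owner who is deliberately not a member. If that is intended it needs a comment saying so (`# Owners are synchronised as members on purpose: ...`); if not, drop `group_data.owners` from both expressions so AWS membership tracks Entra membership only. The iterator is named `group_id` in the first expression and `group_name` in the second, but both iterate the same map, which main.tf keys by display name, so `group_name` is the accurate name in both places. `tags_default`, `github_repository` and `tags_organisation_management` are not referenced by any other file in this patch; if they are carried over from another directory for later use, a comment would stop the next reader hunting for their consumers.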
diff --git a/management-account/terraform/entraid-scim/main.tf b/management-account/terraform/entraid-scim/main.tf
new file mode 100644
index 00000000..d3b2f688
--- /dev/null
+++ b/management-account/terraform/entraid-scim/main.tf
@@ -0,0 +1,50 @@
+data "azuread_groups" "azure_aws_sso" {
+ display_name_prefix = "azure-aws-sso-"
+}
+
+data "azuread_group" "entraid_group_data" {
+ for_each = toset(data.azuread_groups.azure_aws_sso.display_names)
+ display_name = each.value
+}
+
+data "azuread_user" "entraid_group_members" {
+ for_each = toset(flatten(local.azuread_group_members))
+ object_id = each.value
+}
+
+resource "aws_identitystore_group" "groups" {
+ for_each = toset(data.azuread_groups.azure_aws_sso.display_names)
+ identity_store_id = tolist(data.aws_ssoadmin_instances.identity_store.identity_store_ids)[0]
+ display_name = each.key
+}
+
+resource "aws_identitystore_user" "entraid_synchronised_users" {
+ for_each = data.azuread_user.entraid_group_members
+ identity_store_id = tolist(data.aws_ssoadmin_instances.identity_store.identity_store_ids)[0]
+
+ display_name = each.value.display_name
+ user_name = each.value.user_principal_name
+
+ name {
+ given_name = each.value.given_name
+ family_name = each.value.surname
+ }
+
+ emails {
+ value = each.value.mail
+ primary = true
+ type = "EntraId"
+ }
+}
+
+resource "aws_identitystore_group_membership" "add_users" {
+ # Create a unique key for each group-member combination
+ for_each = {
+ for entry in local.group_memberships :
+ "${entry.group_name}-${entry.member_name}" => entry
+ }
+
+ identity_store_id = tolist(data.aws_ssoadmin_instances.identity_store.identity_store_ids)[0]
+ group_id = aws_identitystore_group.groups[each.value.group_name].id
+ member_id = aws_identitystore_user.entraid_synchronised_users[each.value.member_name].user_id
+}
\ No newline at end of file
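Review bot: `emails { value = each.value.mail }` in `aws_identitystore_user.entraid_synchronised_users` will fail the whole apply for any Entra user whose `mail` attribute is unset, because `value` is then null while `primary = true` still claims a primary address; either exclude such users before they reach `azuread_group_members` or fall back explicitly, e.g. `value = coalesce(each.value.mail, each.value.user_principal_name)`, and comment which behaviour was chosen. `data.azuread_group.entraid_group_data` looks groups up by `display_name`, and Entra ID does not require display names to be unique, so as I read the provider a second group with the same `azure-aws-sso-` name turns the lookup into an error rather than a silent mismatch — worth a comment on that block so the failure mode is understood. The same `tolist(data.aws_ssoadmin_instances.identity_store.identity_store_ids)[0]` expression is repeated in three resources; a single `local.identity_store_id` would make the intent (exactly one Identity Center instance is expected) explicit in one place. Note also that the selector for what gets mirrored into AWS is solely the display-name prefix, so anyone who can create or rename groups in the tenant decides which groups exist on the AWS side; a comment recording that Entra group-creation rights are the control point here would help the next maintainer.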
diff --git a/management-account/terraform/entraid-scim/providers.tf b/management-account/terraform/entraid-scim/providers.tf
new file mode 100644
index 00000000..6650309e
--- /dev/null
+++ b/management-account/terraform/entraid-scim/providers.tf
@@ -0,0 +1,22 @@
+# State config
+terraform {
+ # `backend` blocks do not support variables, so the bucket name is hard-coded here
+ backend "s3" {
+ bucket = "moj-aws-root-account-terraform-state"
+ region = "eu-west-2"
+ key = "management-account/entraid-scim/terraform.tfstate"
+ encrypt = true
+ }
+}
+
+# Default provider
+provider "aws" {
+ region = "eu-west-2"
+}
+
+# Azure provider
+provider "azuread" {
+ tenant_id = jsondecode(data.aws_secretsmanager_secret_version.azure_aws_connectivity_details.secret_string)["AZURE_TENANT_ID"]
+ client_id = jsondecode(data.aws_secretsmanager_secret_version.azure_aws_connectivity_details.secret_string)["AZURE_CLIENT_ID"]
+ client_secret = jsondecode(data.aws_secretsmanager_secret_version.azure_aws_connectivity_details.secret_string)["AZURE_CLIENT_SECRET"]
+}
\ No newline at end of file
diff --git a/management-account/terraform/entraid-scim/secrets-manager.tf b/management-account/terraform/entraid-scim/secrets-manager.tf
new file mode 100644
index 00000000..4b902365
--- /dev/null
+++ b/management-account/terraform/entraid-scim/secrets-manager.tf
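Review bot: The `provider "azuread"` block takes `AZURE_CLIENT_SECRET` from `data.aws_secretsmanager_secret_version.azure_aws_connectivity_details`, and data-source results are persisted in the Terraform state, so the Entra client secret ends up in plain text inside the `moj-aws-root-account-terraform-state` bucket (`encrypt = true` only gives at-rest encryption of the object, it does not keep the value out of the state file). It also means every principal that can run a plan here — including the `github-actions-plan` role used by the PR workflow — needs `GetSecretValue` on that secret, which is a wider audience than the apply role. If the Entra app registration can be federated, `use_oidc = true` on the provider with the GitHub Actions OIDC token removes the long-lived client secret entirely; failing that, supplying it through the `ARM_CLIENT_SECRET` environment variable in the workflow rather than a data source keeps it out of state. At minimum this block needs a comment recording that the secret is state-resident so the bucket's access policy is reviewed with that in mind.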
@@ -0,0 +1,20 @@ +# Email addresses for AWS accounts +# There is a manually added "template" key for templating email addresses for new accounts configured in this account, +# so you can do: +# `email = replace(local.aws_account_email_addresses_template, "{email}", "account-name")` +# Accounts that were configured before this can use: +# `email = local.aws_account_email_addresses["account-name"][0]` + +data "aws_secretsmanager_secret_version" "azure_entraid_oidc" { + secret_id = aws_secretsmanager_secret.azure_entraid_oidc.id +} + +# Retrieving existing secret + +data "aws_secretsmanager_secret" "azure_aws_connectivity_details" { + name = "entra_id_aws_connectivity_details" +} + +data "aws_secretsmanager_secret_version" "azure_aws_connectivity_details" { + secret_id = data.aws_secretsmanager_secret.azure_aws_connectivity_details.id +} diff --git a/management-account/terraform/entraid-scim/versions.tf b/management-account/terraform/entraid-scim/versions.tf new file mode 100644 index 00000000..5b046fb5 --- /dev/null +++ b/management-account/terraform/entraid-scim/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 1.1.6" + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } + } +} From d5d27d836f487367e61313f0edb311f54405558f Mon Sep 17 00:00:00 2001 From: julialawrence Date: Thu, 21 Nov 2024 15:53:14 +0000 Subject: [PATCH 02/23] Adding concurrency --- .github/workflows/management-account-entraid-scim-plan.yml | 3 +++ management-account/terraform/entraid-scim/data.tf | 2 +- management-account/terraform/entraid-scim/locals.tf | 2 +- management-account/terraform/entraid-scim/main.tf | 6 +++--- management-account/terraform/entraid-scim/providers.tf | 2 +- 5 files changed, 9 insertions(+), 6 deletions(-) diff --git a/.github/workflows/management-account-entraid-scim-plan.yml b/.github/workflows/management-account-entraid-scim-plan.yml index 68338bd8..7e6334b5 100644 
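Review bot: `data "aws_secretsmanager_secret_version" "azure_entraid_oidc"` references `aws_secretsmanager_secret.azure_entraid_oidc.id`, but no `aws_secretsmanager_secret` resource is declared in any file of this patch, so `terraform validate` in the plan job will fail on an undeclared resource unless it exists somewhere outside these eight files. The six-line header comment about `local.aws_account_email_addresses_template` describes nothing in this module and reads as copied from another directory; it and the data source should be removed together. In the versions.tf hunk later on this line, `required_providers` declares only `hashicorp/aws` while main.tf uses `azuread_groups`, `azuread_group` and `azuread_user`, so the azuread provider is resolved implicitly rather than from a declared `source`/`version` constraint; add `azuread = { source = "hashicorp/azuread", version = "~> 3.0" }` next to the aws entry.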
--- a/.github/workflows/management-account-entraid-scim-plan.yml +++ b/.github/workflows/management-account-entraid-scim-plan.yml @@ -10,6 +10,9 @@ on: schedule: - cron: "0 */2 * * *" # Every 2 hours + concurrency: + group: ${{ github.workflow }} + cancel-in-progress: false jobs: plan: runs-on: ubuntu-latest diff --git a/management-account/terraform/entraid-scim/data.tf b/management-account/terraform/entraid-scim/data.tf index 1e8e3609..404e9227 100644 --- a/management-account/terraform/entraid-scim/data.tf +++ b/management-account/terraform/entraid-scim/data.tf @@ -1,2 +1,2 @@ data "aws_caller_identity" "current" {} -data "aws_ssoadmin_instances" "identity_store" {} \ No newline at end of file +data "aws_ssoadmin_instances" "identity_store" {} diff --git a/management-account/terraform/entraid-scim/locals.tf b/management-account/terraform/entraid-scim/locals.tf index b2a9c56c..f6634ab9 100644 --- a/management-account/terraform/entraid-scim/locals.tf +++ b/management-account/terraform/entraid-scim/locals.tf @@ -17,7 +17,7 @@ locals { flatten([group_data.members, group_data.owners]) ]) - group_memberships = flatten([ + group_memberships = flatten([ for group_name, group_data in data.azuread_group.entraid_group_data : [ for member in distinct(concat(group_data.members, group_data.owners)) : { group_name = group_name diff --git a/management-account/terraform/entraid-scim/main.tf b/management-account/terraform/entraid-scim/main.tf index d3b2f688..16cd3a7e 100644 --- a/management-account/terraform/entraid-scim/main.tf +++ b/management-account/terraform/entraid-scim/main.tf @@ -8,8 +8,8 @@ data "azuread_group" "entraid_group_data" { } data "azuread_user" "entraid_group_members" { - for_each = toset(flatten(local.azuread_group_members)) - object_id = each.value + for_each = toset(flatten(local.azuread_group_members)) + object_id = each.value } resource "aws_identitystore_group" "groups" { 
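Review bot: The new `concurrency:` block appears to be indented under `on:` (the hunk context is `@@ -10,6 +10,9 @@ on:` and it sits at the level of `schedule:`), where GitHub reads it as an unknown trigger name instead of the workflow-level concurrency setting; it belongs at column 0, between the `on:` block and `jobs:`. Once it is placed correctly, a one-line comment such as `# Serialise runs so two plans never hold the S3 state lock at once` above it would explain why `cancel-in-progress: false` was chosen over cancelling superseded runs.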
@@ -47,4 +47,4 @@ resource "aws_identitystore_group_membership" "add_users" { identity_store_id = tolist(data.aws_ssoadmin_instances.identity_store.identity_store_ids)[0] group_id = aws_identitystore_group.groups[each.value.group_name].id member_id = aws_identitystore_user.entraid_synchronised_users[each.value.member_name].user_id -} \ No newline at end of file +} diff --git a/management-account/terraform/entraid-scim/providers.tf b/management-account/terraform/entraid-scim/providers.tf index 6650309e..f12ff6d3 100644 --- a/management-account/terraform/entraid-scim/providers.tf +++ b/management-account/terraform/entraid-scim/providers.tf @@ -19,4 +19,4 @@ provider "azuread" { tenant_id = jsondecode(data.aws_secretsmanager_secret_version.azure_aws_connectivity_details.secret_string)["AZURE_TENANT_ID"] client_id = jsondecode(data.aws_secretsmanager_secret_version.azure_aws_connectivity_details.secret_string)["AZURE_CLIENT_ID"] client_secret = jsondecode(data.aws_secretsmanager_secret_version.azure_aws_connectivity_details.secret_string)["AZURE_CLIENT_SECRET"] -} \ No newline at end of file +} From ec9d6e9fc748a4d8e7de2dc357f41fc3144605ea Mon Sep 17 00:00:00 2001 From: julialawrence Date: Thu, 21 Nov 2024 16:03:22 +0000 Subject: [PATCH 03/23] Locking azuread provider --- management-account/terraform/entraid-scim/versions.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/management-account/terraform/entraid-scim/versions.tf b/management-account/terraform/entraid-scim/versions.tf index 5b046fb5..77e9304f 100644 --- a/management-account/terraform/entraid-scim/versions.tf +++ b/management-account/terraform/entraid-scim/versions.tf @@ -5,5 +5,9 @@ terraform { source = "hashicorp/aws" version = "~> 5.0" } + azuread = { + source = "hashicorp/azuread" + version = "~> 3.0" + } } } From e8dad515092f92fe643f144cce58574ce5846ca1 Mon Sep 17 00:00:00 2001 
From: julialawrence Date: Thu, 21 Nov 2024 16:08:26 +0000 Subject: [PATCH 04/23] Workflow syntax fix --- .github/workflows/management-account-entraid-scim-plan.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/management-account-entraid-scim-plan.yml b/.github/workflows/management-account-entraid-scim-plan.yml index 7e6334b5..90de4d91 100644 --- a/.github/workflows/management-account-entraid-scim-plan.yml +++ b/.github/workflows/management-account-entraid-scim-plan.yml @@ -7,17 +7,18 @@ on: - '.github/workflows/management-account-entraid-scim-plan.yml' - '.github/workflows/management-account-entraid-scim-apply.yml' workflow_dispatch: + schedule: - cron: "0 */2 * * *" # Every 2 hours - concurrency: +concurrency: group: ${{ github.workflow }} cancel-in-progress: false jobs: plan: runs-on: ubuntu-latest - if: | - github.event_name != 'schedule' || github.ref == 'refs/heads/main' # Run on cron only for main branch + if: + github.event_name != 'schedule' || github.ref == 'refs/heads/main' permissions: id-token: write contents: read From 2fd7d3c0601f82a7ee337c5408851e970c45ecec Mon Sep 17 00:00:00 2001 From: julialawrence Date: Thu, 21 Nov 2024 16:16:45 +0000 Subject: [PATCH 05/23] Removing unneeded secret --- .../terraform/entraid-scim/secrets-manager.tf | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/management-account/terraform/entraid-scim/secrets-manager.tf b/management-account/terraform/entraid-scim/secrets-manager.tf index 4b902365..a1a53a6e 100644 --- a/management-account/terraform/entraid-scim/secrets-manager.tf +++ b/management-account/terraform/entraid-scim/secrets-manager.tf 
@@ -1,14 +1,3 @@ -# Email addresses for AWS accounts -# There is a manually added "template" key for templating email addresses for new accounts configured in this account, -# so you can do: -# `email = replace(local.aws_account_email_addresses_template, "{email}", "account-name")` -# Accounts that were configured before this can use: -# `email = local.aws_account_email_addresses["account-name"][0]` - -data "aws_secretsmanager_secret_version" "azure_entraid_oidc" { - secret_id = aws_secretsmanager_secret.azure_entraid_oidc.id -} - # Retrieving existing secret data "aws_secretsmanager_secret" "azure_aws_connectivity_details" { From 28abe41fb2fd4fb4c5792585691a5eec53b3030b Mon Sep 17 00:00:00 2001 
From: julialawrence Date: Thu, 21 Nov 2024 16:44:52 +0000 Subject: [PATCH 06/23] Moving contents round --- ...unt-entraid-scim-plan.yml => entraid-scim-plan.yml} | 10 +++++----- .../entraid-scim => entraid-scim}/.terraform.lock.hcl | 0 .../entraid-scim => entraid-scim/terraform}/data.tf | 0 .../entraid-scim => entraid-scim/terraform}/locals.tf | 0 .../entraid-scim => entraid-scim/terraform}/main.tf | 0 .../terraform}/providers.tf | 0 .../terraform}/secrets-manager.tf | 0 .../terraform}/versions.tf | 0 8 files changed, 5 insertions(+), 5 deletions(-) rename .github/workflows/{management-account-entraid-scim-plan.yml => entraid-scim-plan.yml} (77%) rename {management-account/terraform/entraid-scim => entraid-scim}/.terraform.lock.hcl (100%) rename {management-account/terraform/entraid-scim => entraid-scim/terraform}/data.tf (100%) rename {management-account/terraform/entraid-scim => entraid-scim/terraform}/locals.tf (100%) rename {management-account/terraform/entraid-scim => entraid-scim/terraform}/main.tf (100%) rename {management-account/terraform/entraid-scim => entraid-scim/terraform}/providers.tf (100%) rename {management-account/terraform/entraid-scim => entraid-scim/terraform}/secrets-manager.tf (100%) rename {management-account/terraform/entraid-scim => entraid-scim/terraform}/versions.tf (100%) diff --git a/.github/workflows/management-account-entraid-scim-plan.yml b/.github/workflows/entraid-scim-plan.yml similarity index 77% rename from .github/workflows/management-account-entraid-scim-plan.yml rename to .github/workflows/entraid-scim-plan.yml index 90de4d91..3b7caf7b 100644 --- a/.github/workflows/management-account-entraid-scim-plan.yml +++ b/.github/workflows/entraid-scim-plan.yml 
@@ -1,11 +1,11 @@ -name: terraform plan (management-account/entraid-scim) +name: terraform plan (entraid-scim) on: pull_request: paths: - - 'management-account/terraform/entraid-scim/**å' - - '.github/workflows/management-account-entraid-scim-plan.yml' - - '.github/workflows/management-account-entraid-scim-apply.yml' + - 'entraid-scim/terraform/**' + - '.github/workflows/entraid-scim-plan.yml' + - '.github/workflows/entraid-scim-apply.yml' workflow_dispatch: schedule: @@ -24,7 +24,7 @@ jobs: contents: read defaults: run: - working-directory: ./management-account/terraform/entraid-scim + working-directory: ./entraid-scim/terraform steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 diff --git a/management-account/terraform/entraid-scim/.terraform.lock.hcl b/entraid-scim/.terraform.lock.hcl similarity index 100% rename from management-account/terraform/entraid-scim/.terraform.lock.hcl rename to entraid-scim/.terraform.lock.hcl diff --git a/management-account/terraform/entraid-scim/data.tf b/entraid-scim/terraform/data.tf similarity index 100% rename from management-account/terraform/entraid-scim/data.tf rename to entraid-scim/terraform/data.tf diff --git a/management-account/terraform/entraid-scim/locals.tf b/entraid-scim/terraform/locals.tf similarity index 100% rename from management-account/terraform/entraid-scim/locals.tf rename to entraid-scim/terraform/locals.tf diff --git a/management-account/terraform/entraid-scim/main.tf b/entraid-scim/terraform/main.tf similarity index 100% rename from management-account/terraform/entraid-scim/main.tf rename to entraid-scim/terraform/main.tf diff --git a/management-account/terraform/entraid-scim/providers.tf b/entraid-scim/terraform/providers.tf similarity index 100% rename from management-account/terraform/entraid-scim/providers.tf rename to entraid-scim/terraform/providers.tf 
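Review bot: The rename moves the terraform sources to `entraid-scim/terraform/` but `.terraform.lock.hcl` to `entraid-scim/` (see the diffstat and the rename headers on this line), so with `working-directory: ./entraid-scim/terraform` the `terraform init` step no longer sees the lock file and the provider versions and `h1:`/`zh:` hashes it records stop being enforced; the file should move alongside `versions.tf`, to `entraid-scim/terraform/.terraform.lock.hcl`. Until it does, each run resolves providers from the `~>` constraints alone and regenerates a lock file that is thrown away with the runner, so provider upgrades land without a reviewed diff.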
diff --git a/management-account/terraform/entraid-scim/secrets-manager.tf b/entraid-scim/terraform/secrets-manager.tf similarity index 100% rename from management-account/terraform/entraid-scim/secrets-manager.tf rename to entraid-scim/terraform/secrets-manager.tf diff --git a/management-account/terraform/entraid-scim/versions.tf b/entraid-scim/terraform/versions.tf similarity index 100% rename from management-account/terraform/entraid-scim/versions.tf rename to entraid-scim/terraform/versions.tf From 2227cb232d4f4a960d2af0ad70a2e636bcde8465 Mon Sep 17 00:00:00 2001 From: julialawrence Date: Thu, 21 Nov 2024 16:54:41 +0000 Subject: [PATCH 07/23] Turning off workflow --- .github/workflows/entraid-scim-plan.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/entraid-scim-plan.yml b/.github/workflows/entraid-scim-plan.yml index 3b7caf7b..43cc884f 100644 --- a/.github/workflows/entraid-scim-plan.yml +++ b/.github/workflows/entraid-scim-plan.yml @@ -1,15 +1,15 @@ name: terraform plan (entraid-scim) on: - pull_request: - paths: - - 'entraid-scim/terraform/**' - - '.github/workflows/entraid-scim-plan.yml' - - '.github/workflows/entraid-scim-apply.yml' + # pull_request: + # paths: + # - 'entraid-scim/terraform/**' + # - '.github/workflows/entraid-scim-plan.yml' + # - '.github/workflows/entraid-scim-apply.yml' workflow_dispatch: - schedule: - - cron: "0 */2 * * *" # Every 2 hours + # schedule: + # - cron: "0 */2 * * *" # Every 2 hours concurrency: group: ${{ github.workflow }} From cf4710ebefcf15ed2db77054ad36a921beadbe2d Mon Sep 17 00:00:00 2001 From: julialawrence Date: Fri, 22 Nov 2024 16:47:28 +0000 Subject: [PATCH 08/23] Trying slack output --- .github/workflows/entraid-scim-plan.yml | 77 +++++++++++++++++++------ 1 file changed, 59 insertions(+), 18 deletions(-) diff --git a/.github/workflows/entraid-scim-plan.yml b/.github/workflows/entraid-scim-plan.yml index 43cc884f..b9e213e3 100644 
--- a/.github/workflows/entraid-scim-plan.yml +++ b/.github/workflows/entraid-scim-plan.yml @@ -1,24 +1,15 @@ name: terraform plan (entraid-scim) on: - # pull_request: - # paths: - # - 'entraid-scim/terraform/**' - # - '.github/workflows/entraid-scim-plan.yml' - # - '.github/workflows/entraid-scim-apply.yml' workflow_dispatch: - # schedule: - # - cron: "0 */2 * * *" # Every 2 hours - concurrency: group: ${{ github.workflow }} cancel-in-progress: false + jobs: plan: runs-on: ubuntu-latest - if: - github.event_name != 'schedule' || github.ref == 'refs/heads/main' permissions: id-token: write contents: read 
@@ -26,18 +17,68 @@ jobs: run: working-directory: ./entraid-scim/terraform steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + - uses: actions/checkout@v4.2.2 + + - uses: aws-actions/configure-aws-credentials@v4.0.2 with: - role-to-assume: arn:aws:iam::${{secrets.AWS_ROOT_ACCOUNT_ID}}:role/github-actions-plan + role-to-assume: arn:aws:iam::${{ secrets.AWS_ROOT_ACCOUNT_ID }}:role/github-actions-plan role-session-name: GitHubActions aws-region: eu-west-2 - - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 + + - uses: hashicorp/setup-terraform@v3.1.2 with: terraform_version: 1.7.5 - - run: terraform fmt -check + + - name: Run terraform fmt + run: terraform fmt -check continue-on-error: true - - run: terraform init - - run: terraform validate -no-color - - run: terraform plan -no-color + - name: Run terraform init + run: terraform init + + - name: Run terraform validate + run: terraform validate -no-color + + - name: Run terraform plan and capture output + run: terraform plan -no-color > plan_output.txt + + - name: Retrieve Slack Bot Token from AWS Secrets Manager + id: get_slack_bot_token + uses: aws-actions/aws-secretsmanager-get-secrets@v2 + with: + secret-ids: | + SLACK_INCOMING_WEBHOOK,aws-root-account-notifications-incoming-slack-webhook + + - name: Send initial message to Slack + id: slack_message + uses: slackapi/slack-github-action@v1.27.0 + with: + webhook: ${{ env.SLACK_INCOMING_WEBHOOK }} + webhook-type: incoming-webhook + payload: | + { + "text": ":information_source: Terraform Plan completed for *<${{ github.server_url }}/${{ github.repository }}|${{ github.repository }}>* at `${{ github.ref_name }}`.\n*Workflow:* `${{ github.workflow }}`\n*Run ID:* `${{ github.run_id }}`\n*Initiated by:* `${{ github.actor }}`" + } + + + - name: Read plan output + id: read_plan_output + run: | + # Read the 
plan output + CONTENT=$(cat plan_output.txt) + # Escape backslashes and double quotes for JSON + CONTENT_ESCAPED=$(echo "$CONTENT" | sed 's/\\/\\\\/g; s/"/\\"/g') + # Save the escaped content to the GITHUB_ENV file + echo "content=$CONTENT_ESCAPED" >> $GITHUB_OUTPUT + + - name: Send Terraform plan output to Slack + uses: slackapi/slack-github-action@v1.27.0 + with: + webhook: ${{ env.SLACK_INCOMING_WEBHOOK }} + webhook-type: incoming-webhook + payload: | + { + "channel": "${{ secrets.SLACK_CHANNEL_ID }}", + "text": "```\n${{ steps.read_plan_output.outputs.content }}\n```", + "thread_ts: "${{ steps.slack_message.outputs.ts }}" + } From b902bfd462fd4de196e66b93d2a52754d023554a Mon Sep 17 00:00:00 2001 From: julialawrence Date: Fri, 22 Nov 2024 16:50:44 +0000 Subject: [PATCH 09/23] Adding PR trigger to test --- .github/workflows/entraid-scim-plan.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/entraid-scim-plan.yml b/.github/workflows/entraid-scim-plan.yml index b9e213e3..bc3fee2b 100644 --- a/.github/workflows/entraid-scim-plan.yml +++ b/.github/workflows/entraid-scim-plan.yml @@ -2,6 +2,10 @@ name: terraform plan (entraid-scim) on: workflow_dispatch: + pull_request: + paths: + - 'entraid-scim/terraform/**' + - '.github/workflows/entraid-scim-plan.yml' concurrency: group: ${{ github.workflow }} From 2c2ae02e2becd28a0cab3324b12eb072eb833e96 Mon Sep 17 00:00:00 2001 From: julialawrence Date: Fri, 22 Nov 2024 16:53:41 +0000 Subject: [PATCH 10/23] Fixing actions version --- .github/workflows/entraid-scim-plan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/entraid-scim-plan.yml b/.github/workflows/entraid-scim-plan.yml index bc3fee2b..7442e394 100644 --- a/.github/workflows/entraid-scim-plan.yml +++ b/.github/workflows/entraid-scim-plan.yml 
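Review bot: This hunk replaces the commit-SHA pins on `actions/checkout`, `aws-actions/configure-aws-credentials` and `hashicorp/setup-terraform` with mutable tags (`@v4.2.2`, `@v4.0.2`, `@v3.1.2`) and adds `aws-actions/aws-secretsmanager-get-secrets@v2` and `slackapi/slack-github-action@v1.27.0` by tag only, so a job that mints an OIDC token for a root-account role and then reads a Secrets Manager webhook now trusts whatever those tags resolve to on the day; restore the `@<sha> # vX.Y.Z` form for all five. The `read_plan_output` step cannot work as written: `echo "content=$CONTENT_ESCAPED" >> $GITHUB_OUTPUT` writes a multi-line value with the single-line syntax, which GitHub rejects, and the `sed` escaping leaves newlines untouched anyway. Even with a `content<<EOF` heredoc, splicing `${{ steps.read_plan_output.outputs.content }}` into the `payload` JSON embeds text the workflow does not control (resource addresses, Entra display names and UPNs) directly into a JSON string, and the last payload has a stray typo in `"thread_ts: "` (missing closing quote) that makes it invalid JSON. The step starting at `- name: Read plan output` is split across the previous physical line of this extract; the robust shape is to hand the action a file rather than building JSON from plan text.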
@@ -55,7 +55,7 @@ jobs: - name: Send initial message to Slack id: slack_message - uses: slackapi/slack-github-action@v1.27.0 + uses: slackapi/slack-github-action@v2.0.0 with: webhook: ${{ env.SLACK_INCOMING_WEBHOOK }} webhook-type: incoming-webhook @@ -76,7 +76,7 @@ jobs: echo "content=$CONTENT_ESCAPED" >> $GITHUB_OUTPUT - name: Send Terraform plan output to Slack - uses: slackapi/slack-github-action@v1.27.0 + uses: slackapi/slack-github-action@v2.0.0 with: webhook: ${{ env.SLACK_INCOMING_WEBHOOK }} webhook-type: incoming-webhook From 3398e8a0d076a5fe0a4abab79f775005222aa4fe Mon Sep 17 00:00:00 2001 From: julialawrence Date: Fri, 22 Nov 2024 17:11:04 +0000 Subject: [PATCH 11/23] Composing json payload file --- .github/workflows/entraid-scim-plan.yml | 34 ++++++++++--------------- 1 file changed, 14 insertions(+), 20 deletions(-) diff --git a/.github/workflows/entraid-scim-plan.yml b/.github/workflows/entraid-scim-plan.yml index 7442e394..92107dca 100644 --- a/.github/workflows/entraid-scim-plan.yml +++ b/.github/workflows/entraid-scim-plan.yml @@ -43,9 +43,6 @@ jobs: - name: Run terraform validate run: terraform validate -no-color - - name: Run terraform plan and capture output - run: terraform plan -no-color > plan_output.txt - - name: Retrieve Slack Bot Token from AWS Secrets Manager id: get_slack_bot_token uses: aws-actions/aws-secretsmanager-get-secrets@v2 @@ -55,7 +52,7 @@ jobs: - name: Send initial message to Slack id: slack_message - uses: slackapi/slack-github-action@v2.0.0 + uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d #v2.0.0 with: webhook: ${{ env.SLACK_INCOMING_WEBHOOK }} webhook-type: incoming-webhook 
@@ -64,25 +61,22 @@ jobs: "text": ":information_source: Terraform Plan completed for *<${{ github.server_url }}/${{ github.repository }}|${{ github.repository }}>* at `${{ github.ref_name }}`.\n*Workflow:* `${{ github.workflow }}`\n*Run ID:* `${{ github.run_id }}`\n*Initiated by:* `${{ github.actor }}`" } - - - name: Read plan output - id: read_plan_output + - name: Run terraform plan and generate JSON payload run: | - # Read the plan output - CONTENT=$(cat plan_output.txt) - # Escape backslashes and double quotes for JSON - CONTENT_ESCAPED=$(echo "$CONTENT" | sed 's/\\/\\\\/g; s/"/\\"/g') - # Save the escaped content to the GITHUB_ENV file - echo "content=$CONTENT_ESCAPED" >> $GITHUB_OUTPUT + # Run Terraform plan and save to plan_output.txt + terraform plan -no-color > plan_output.txt + + # Create the payload JSON file + echo '{ + "text": "```"' + cat plan_output.txt + echo '```", + "thread_ts": "'"${{ steps.slack_message.outputs.ts }}"'" + }' > slack_plan_payload.json - name: Send Terraform plan output to Slack - uses: slackapi/slack-github-action@v2.0.0 + uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d #v2.0.0 with: webhook: ${{ env.SLACK_INCOMING_WEBHOOK }} webhook-type: incoming-webhook - payload: | - { - "channel": "${{ secrets.SLACK_CHANNEL_ID }}", - "text": "```\n${{ steps.read_plan_output.outputs.content }}\n```", - "thread_ts: "${{ steps.slack_message.outputs.ts }}" - } + payload_file_path: slack_plan_payload.json From 36275252e1043ecd08c084319747047b928a13ca Mon Sep 17 00:00:00 2001 From: julialawrence Date: Fri, 22 Nov 2024 17:13:34 +0000 Subject: [PATCH 12/23] Composing json payload file --- .github/workflows/entraid-scim-plan.yml | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/.github/workflows/entraid-scim-plan.yml b/.github/workflows/entraid-scim-plan.yml index 92107dca..023d0d19 100644 --- a/.github/workflows/entraid-scim-plan.yml +++ b/.github/workflows/entraid-scim-plan.yml 
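Review bot: The payload file is assembled with `echo '{ "text": "```"'`, `cat plan_output.txt` and `echo '```", "thread_ts": ...'`, which copies the plan verbatim into a JSON string literal; every plan contains newlines and most contain `"` characters, so `slack_plan_payload.json` is invalid JSON and the upload step fails (or, for a plan that happens to parse, a truncated message is delivered). Build it with `jq`, which does the escaping: `jq -n --rawfile plan plan_output.txt --arg ts "$THREAD_TS" '{text: ("```\n" + $plan + "\n```"), thread_ts: $ts}' > slack_plan_payload.json`, with `THREAD_TS: ${{ steps.slack_message.outputs.ts }}` supplied through the step's `env:` rather than interpolated into the script body. Since this step now posts the full plan to Slack, and the plan lists user principal names and e-mail addresses pulled from Entra ID, the target channel's membership should be checked against who is meant to see that data; a comment on the step naming that expectation would be worth adding.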
@@ -31,7 +31,7 @@ jobs: - uses: hashicorp/setup-terraform@v3.1.2 with: - terraform_version: 1.7.5 + terraform_version: latest - name: Run terraform fmt run: terraform fmt -check @@ -49,6 +49,8 @@ jobs: with: secret-ids: | SLACK_INCOMING_WEBHOOK,aws-root-account-notifications-incoming-slack-webhook + aws-root-account-notifications-slack-information + parse-json-secrets: true - name: Send initial message to Slack id: slack_message @@ -66,17 +68,13 @@ jobs: # Run Terraform plan and save to plan_output.txt terraform plan -no-color > plan_output.txt - # Create the payload JSON file - echo '{ - "text": "```"' - cat plan_output.txt - echo '```", - "thread_ts": "'"${{ steps.slack_message.outputs.ts }}"'" - }' > slack_plan_payload.json - - name: Send Terraform plan output to Slack uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d #v2.0.0 with: - webhook: ${{ env.SLACK_INCOMING_WEBHOOK }} - webhook-type: incoming-webhook - payload_file_path: slack_plan_payload.json + token: ${{ env.AWS_ROOT_ACCOUNT_NOTIFICATIONS_SLACK_INFORMATION_SLACK_BOT_TOKEN }} + method: files.uploadV2 + payload: | + channel: ${{ env.AWS_ROOT_ACCOUNT_NOTIFICATIONS_SLACK_INFORMATION_SLACK_CHANNEL }} + initial_comment: Terraform output attached! + file: "plan_output.txt" + filename: "plan-output-${{ github.run_id }}.txt" From 5aa6f30656bcc6f47fd64dce42be9bfe43800726 Mon Sep 17 00:00:00 2001 From: julialawrence Date: Fri, 22 Nov 2024 17:54:57 +0000 Subject: [PATCH 13/23] Just attaching as a file --- .github/workflows/entraid-scim-plan.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/entraid-scim-plan.yml b/.github/workflows/entraid-scim-plan.yml index 023d0d19..e8e94cd9 100644 --- a/.github/workflows/entraid-scim-plan.yml +++ b/.github/workflows/entraid-scim-plan.yml 
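Review bot: `terraform_version: latest` in the setup-terraform step makes the plan non-reproducible: the binary floats with HashiCorp's releases, so a plan can stop agreeing with the apply workflow and with the version that last wrote the state, and a new release with a regression reaches this job unreviewed. Keep an explicit version (the replaced line had `1.7.5`) and consider pinning the action itself by commit SHA, as the slackapi step in this file already is, instead of the mutable `@v3.1.2` tag.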
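Review bot: The `secret-ids` list now mixes a plain-string secret with a JSON secret under one `parse-json-secrets: true`, and nothing records which environment names the JSON entry produces; the names the later step reads (`AWS_ROOT_ACCOUNT_NOTIFICATIONS_SLACK_INFORMATION_SLACK_BOT_TOKEN`, `..._SLACK_CHANNEL`) are derived from the secret name plus its keys. A comment on the new entry, `# JSON secret: exposed as AWS_ROOT_ACCOUNT_NOTIFICATIONS_SLACK_INFORMATION_<KEY>`, would spare the next reader from reverse-engineering that. Note also that the bot token and channel then sit in the job environment for every following step, not just the Slack one — presumably acceptable here, but worth stating — and `aws-secretsmanager-get-secrets@v2` is a floating tag unlike the SHA-pinned slackapi step.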
@@ -71,10 +71,11 @@ jobs: - name: Send Terraform plan output to Slack uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d #v2.0.0 with: + errors: true token: ${{ env.AWS_ROOT_ACCOUNT_NOTIFICATIONS_SLACK_INFORMATION_SLACK_BOT_TOKEN }} method: files.uploadV2 payload: | channel: ${{ env.AWS_ROOT_ACCOUNT_NOTIFICATIONS_SLACK_INFORMATION_SLACK_CHANNEL }} initial_comment: Terraform output attached! - file: "plan_output.txt" - filename: "plan-output-${{ github.run_id }}.txt" + file: plan_output.txt + filename: plan-output.txt From 60beffb19f707e059d5a93bc3af216c4aba472fb Mon Sep 17 00:00:00 2001 From: julialawrence Date: Mon, 25 Nov 2024 09:08:19 +0000 Subject: [PATCH 14/23] Just attaching as a file --- .github/workflows/entraid-scim-plan.yml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/workflows/entraid-scim-plan.yml b/.github/workflows/entraid-scim-plan.yml index e8e94cd9..cf077bfe 100644 --- a/.github/workflows/entraid-scim-plan.yml +++ b/.github/workflows/entraid-scim-plan.yml @@ -67,6 +67,17 @@ jobs: run: | # Run Terraform plan and save to plan_output.txt terraform plan -no-color > plan_output.txt + comment() { + url="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" + len=$(cat plan_output.txt | wc -c) + echo '```' + head -c 65476 tfplan.txt | sed -n '/Terraform will perform/,$p' + echo + echo '```' + } + echo 'TF_PLAN_OUT<> $GITHUB_ENV + comment >> $GITHUB_ENV + echo 'EOF' >> $GITHUB_ENV - name: Send Terraform plan output to Slack uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d #v2.0.0 @@ -77,5 +88,5 @@ jobs: payload: | channel: ${{ env.AWS_ROOT_ACCOUNT_NOTIFICATIONS_SLACK_INFORMATION_SLACK_CHANNEL }} initial_comment: Terraform output attached! - file: plan_output.txt + file: ${{env.TF_PLAN_OUT}} filename: plan-output.txt From 2f668bb930198268ad55ab36d89fcbcbf522856e Mon Sep 17 00:00:00 2001 
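Review bot: The `GITHUB_ENV` heredoc in the new plan step uses the fixed delimiter `EOF` (the `echo 'TF_PLAN_OUT<> $GITHUB_ENV` line looks truncated in this view, presumably `<<EOF`, matching the `echo 'EOF'` that closes it): if any line of the captured plan is exactly `EOF`, the variable ends early and the remaining lines are parsed as further environment assignments, so use a per-run delimiter — `delim="tfplan_$RANDOM$RANDOM"`, `echo "TF_PLAN_OUT<<$delim" >> "$GITHUB_ENV"`, `echo "$delim" >> "$GITHUB_ENV"`. `url` and `len` are assigned in comment() but never read, and `head -c 65476 tfplan.txt` reads a file this step never creates (the plan went to plan_output.txt two lines up), so the captured body will be empty. In the second hunk `file: ${{env.TF_PLAN_OUT}}` hands the message text, not a path, to `files.uploadV2`; if `file` is a path as the removed `file: plan_output.txt` suggests, this will not upload the plan.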
From: julialawrence Date: Mon, 25 Nov 2024 10:28:18 +0000 Subject: [PATCH 15/23] Going back to messaging --- .github/workflows/entraid-scim-plan.yml | 27 +++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/.github/workflows/entraid-scim-plan.yml b/.github/workflows/entraid-scim-plan.yml index cf077bfe..3083e2a7 100644 --- a/.github/workflows/entraid-scim-plan.yml +++ b/.github/workflows/entraid-scim-plan.yml @@ -79,14 +79,25 @@ jobs: comment >> $GITHUB_ENV echo 'EOF' >> $GITHUB_ENV - - name: Send Terraform plan output to Slack + - name: Send final message to Slack + id: second-slack-message uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d #v2.0.0 with: - errors: true - token: ${{ env.AWS_ROOT_ACCOUNT_NOTIFICATIONS_SLACK_INFORMATION_SLACK_BOT_TOKEN }} - method: files.uploadV2 + webhook: ${{ env.SLACK_INCOMING_WEBHOOK }} + webhook-type: incoming-webhook payload: | - channel: ${{ env.AWS_ROOT_ACCOUNT_NOTIFICATIONS_SLACK_INFORMATION_SLACK_CHANNEL }} - initial_comment: Terraform output attached! - file: ${{env.TF_PLAN_OUT}} - filename: plan-output.txt + thread_ts: "${{ steps.slack_message.outputs.ts }}" + text: "```\n ${{ env.TF_PLAN_OUT}} \n ``` " + + # - name: Send Terraform plan output to Slack + # uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d #v2.0.0 + # with: + # errors: true + # token: ${{ env.AWS_ROOT_ACCOUNT_NOTIFICATIONS_SLACK_INFORMATION_SLACK_BOT_TOKEN }} + # method: files.uploadV2 + # payload: | + # channel: ${{ env.AWS_ROOT_ACCOUNT_NOTIFICATIONS_SLACK_INFORMATION_SLACK_CHANNEL }} + # initial_comment: Terraform output attached! + # file: ${{env.TF_PLAN_OUT}} + # filename: plan-output.txt + From f12fb63651fc82da927e892d577590b6ba307e78 Mon Sep 17 00:00:00 2001 From: julialawrence Date: Mon, 25 Nov 2024 10:29:27 +0000 Subject: [PATCH 16/23] Avoiding spam --- .github/workflows/test-alert-workflow.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
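Review bot: `text: "```\n ${{ env.TF_PLAN_OUT}} \n ``` "` in the new "Send final message to Slack" step substitutes the multi-line plan into a double-quoted YAML scalar before the action parses the payload, so a `"` or `\` anywhere in the plan yields a malformed payload, and because comment() already wraps the text in ``` fences the message carries nested fences. Either write the payload with jq to a file and point `payload-file-path` at it, or keep the file-upload step this hunk comments out. The commented-out step (ten `#` lines) should be deleted rather than left in the workflow; git keeps the history.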
diff --git a/.github/workflows/test-alert-workflow.yml b/.github/workflows/test-alert-workflow.yml index 4dd48348..3149fe48 100644 --- a/.github/workflows/test-alert-workflow.yml +++ b/.github/workflows/test-alert-workflow.yml @@ -1,7 +1,7 @@ name: Test Alert Workflow on: - pull_request: + push: branches: - main From d6ded059f887425b8f2b5d12c02a39904e4a42a2 Mon Sep 17 00:00:00 2001 From: julialawrence Date: Mon, 25 Nov 2024 10:30:27 +0000 Subject: [PATCH 17/23] Avoiding spam --- .github/workflows/entraid-scim-plan.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/entraid-scim-plan.yml b/.github/workflows/entraid-scim-plan.yml index 3083e2a7..cd3fb8d3 100644 --- a/.github/workflows/entraid-scim-plan.yml +++ b/.github/workflows/entraid-scim-plan.yml @@ -83,6 +83,7 @@ jobs: id: second-slack-message uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d #v2.0.0 with: + error: true webhook: ${{ env.SLACK_INCOMING_WEBHOOK }} webhook-type: incoming-webhook payload: | From bb55c68af11b0a43005084f7c1cce72a1f983d63 Mon Sep 17 00:00:00 2001 From: julialawrence Date: Mon, 25 Nov 2024 10:31:56 +0000 Subject: [PATCH 18/23] Avoiding spam --- .github/workflows/entraid-scim-plan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/entraid-scim-plan.yml b/.github/workflows/entraid-scim-plan.yml index cd3fb8d3..c7f991f1 100644 --- a/.github/workflows/entraid-scim-plan.yml +++ b/.github/workflows/entraid-scim-plan.yml @@ -83,7 +83,7 @@ jobs: id: second-slack-message uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d #v2.0.0 with: - error: true + errors: true webhook: ${{ env.SLACK_INCOMING_WEBHOOK }} webhook-type: incoming-webhook payload: | From 2b0a86ac1b177c38467be11ffb62379acfe68fdc Mon Sep 17 00:00:00 2001 
From: julialawrence Date: Mon, 25 Nov 2024 10:34:15 +0000 Subject: [PATCH 19/23] Avoiding spam --- .github/workflows/entraid-scim-plan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/entraid-scim-plan.yml b/.github/workflows/entraid-scim-plan.yml index c7f991f1..7b10709f 100644 --- a/.github/workflows/entraid-scim-plan.yml +++ b/.github/workflows/entraid-scim-plan.yml @@ -71,7 +71,7 @@ jobs: url="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" len=$(cat plan_output.txt | wc -c) echo '```' - head -c 65476 tfplan.txt | sed -n '/Terraform will perform/,$p' + head -c 65476 plan_output.txt | sed -n '/Terraform will perform/,$p' echo echo '```' } @@ -88,7 +88,7 @@ jobs: webhook-type: incoming-webhook payload: | thread_ts: "${{ steps.slack_message.outputs.ts }}" - text: "```\n ${{ env.TF_PLAN_OUT}} \n ``` " + text: "${{ env.TF_PLAN_OUT}}" # - name: Send Terraform plan output to Slack # uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d #v2.0.0 From fdfe079512b4769b3c3a4f4e7f16b8bce61e90d3 Mon Sep 17 00:00:00 2001 From: julialawrence Date: Mon, 25 Nov 2024 10:37:30 +0000 Subject: [PATCH 20/23] Avoiding spam --- .github/workflows/entraid-scim-plan.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/entraid-scim-plan.yml b/.github/workflows/entraid-scim-plan.yml index 7b10709f..b25e0c17 100644 --- a/.github/workflows/entraid-scim-plan.yml +++ b/.github/workflows/entraid-scim-plan.yml @@ -90,6 +90,7 @@ jobs: thread_ts: "${{ steps.slack_message.outputs.ts }}" text: "${{ env.TF_PLAN_OUT}}" + # - name: Send Terraform plan output to Slack # uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d #v2.0.0 # with: From d9cf896a3941a3d96be5882e1bc61f77dc722589 Mon Sep 17 00:00:00 2001 
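Review bot: `head -c 65476 plan_output.txt` in the corrected comment() line carries an unexplained limit: 65476 looks like a GitHub comment-size figure inherited from a PR-comment snippet rather than a Slack message limit, and the truncation is silent to the reader of the message — confirm the figure and document it, e.g. `# truncate to the Slack message size limit (value to confirm)`. `url` and `len` remain assigned but never used in this function. In the second hunk `text: "${{ env.TF_PLAN_OUT}}"` still pastes multi-line, backtick-wrapped text into a quoted YAML scalar, with the same breakage on `"` or `\` as before.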
From: julialawrence Date: Mon, 25 Nov 2024 10:39:41 +0000 Subject: [PATCH 21/23] Avoiding spam --- .github/workflows/entraid-scim-plan.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/entraid-scim-plan.yml b/.github/workflows/entraid-scim-plan.yml index b25e0c17..7b10709f 100644 --- a/.github/workflows/entraid-scim-plan.yml +++ b/.github/workflows/entraid-scim-plan.yml @@ -90,7 +90,6 @@ jobs: thread_ts: "${{ steps.slack_message.outputs.ts }}" text: "${{ env.TF_PLAN_OUT}}" - # - name: Send Terraform plan output to Slack # uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d #v2.0.0 # with: From 49f02eee1a716bc38ee0901e6ec6b5ae15daeeea Mon Sep 17 00:00:00 2001 From: julialawrence Date: Mon, 25 Nov 2024 10:41:50 +0000 Subject: [PATCH 22/23] Avoiding spam --- .github/workflows/entraid-scim-plan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/entraid-scim-plan.yml b/.github/workflows/entraid-scim-plan.yml index 7b10709f..25f01b36 100644 --- a/.github/workflows/entraid-scim-plan.yml +++ b/.github/workflows/entraid-scim-plan.yml @@ -88,7 +88,7 @@ jobs: webhook-type: incoming-webhook payload: | thread_ts: "${{ steps.slack_message.outputs.ts }}" - text: "${{ env.TF_PLAN_OUT}}" + text: "TEST" # - name: Send Terraform plan output to Slack # uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d #v2.0.0 From 52f0da4545d2f8d1db802e9988edb1cfaa20a900 Mon Sep 17 00:00:00 2001 From: julialawrence Date: Mon, 25 Nov 2024 10:53:37 +0000 Subject: [PATCH 23/23] Avoiding spam --- .github/workflows/entraid-scim-plan.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/entraid-scim-plan.yml b/.github/workflows/entraid-scim-plan.yml index 25f01b36..395d2e36 100644 --- a/.github/workflows/entraid-scim-plan.yml +++ b/.github/workflows/entraid-scim-plan.yml 
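Review bot: `text: "TEST"` replaces the plan output, so after this commit — and the final patch of the series keeps it — the thread reply carries a fixed placeholder and the plan is no longer delivered to Slack at all. If this is a temporary step to stop noise while the posting path is tuned, it should not land on main; otherwise the step, and the plan capture that fills `TF_PLAN_OUT`, can be dropped rather than posting a constant on every run.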
@@ -84,9 +84,10 @@ jobs: uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d #v2.0.0 with: errors: true - webhook: ${{ env.SLACK_INCOMING_WEBHOOK }} - webhook-type: incoming-webhook + token: ${{ env.AWS_ROOT_ACCOUNT_NOTIFICATIONS_SLACK_INFORMATION_SLACK_BOT_TOKEN }} + method: chat.postMessage payload: | + channel: ${{ env.AWS_ROOT_ACCOUNT_NOTIFICATIONS_SLACK_INFORMATION_SLACK_CHANNEL }} thread_ts: "${{ steps.slack_message.outputs.ts }}" text: "TEST"