
[PRMP-639] - add read only aws role
NogaNHS committed Aug 8, 2024
1 parent fe13cfd commit 7022c09
Showing 3 changed files with 22 additions and 42 deletions.
60 changes: 19 additions & 41 deletions .github/workflows/base-gp-registrations-mi.yml
Expand Up @@ -7,6 +7,10 @@ on:
required: true
type: string
default: "dev"
is_deployment:
description: "Is workflow run on deployment"
type: boolean
default: false

jobs:
terraform_process:
Expand All @@ -20,7 +24,7 @@ jobs:
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: ${{ vars.AWS_REGION }}
role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
role-to-assume: ${{inputs.is_deployment && secrets.AWS_ASSUME_ROLE || secrets.AWS_ASSUME_ROLE_READ_ONLY}}
role-skip-session-tagging: true

- name: Setup Terraform
Expand Down Expand Up @@ -52,19 +56,19 @@ jobs:
./tasks_github_actions.sh build-lambdas
- name: Set up Python
if: github.ref == 'refs/heads/master'
if: github.ref == 'refs/heads/master' && inputs.is_deployment
uses: actions/setup-python@v5
with:
python-version: '3.12'

- name: Make virtual environment
if: github.ref == 'refs/heads/master'
if: github.ref == 'refs/heads/master' && inputs.is_deployment
run: |
python3 -m venv ./venv
./venv/bin/pip3 install --upgrade pip requests
- name: Get ODS CSV Files
if: github.ref == 'refs/heads/master'
if: github.ref == 'refs/heads/master' && inputs.is_deployment
run: |
PYTHONPATH=$PYTHONPATH:. ./venv/bin/python3 stacks/gp-registrations-mi/scripts/get_latest_ods_csv.py ${{ secrets.TRUD_API_KEY }} ${{ vars.TRUD_API_URL }}
Expand All @@ -87,14 +91,9 @@ jobs:
working-directory: ./stacks/gp-registrations-mi/terraform
shell: bash

- name: Terraform Apply
if: github.ref == 'refs/heads/master'
run: terraform apply -auto-approve -input=false tf.plan
working-directory: ./stacks/gp-registrations-mi/terraform

- name: Add PR comment
uses: actions/github-script@v7
if: github.event_name == 'pull_request'
if: github.event_name == 'pull_request' && (success() || failure())
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
Expand All @@ -103,64 +102,43 @@ jobs:
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
})
});
const botComment = comments.find(comment => {
return comment.user.type === 'Bot' && comment.body.includes('Report for environment: ${{ inputs.environment }}')
})
});
// 2. Prepare format of the comment
const output = `### Report for environment: ${{ matrix.environment }}
const output = `### Report for environment: ${{ inputs.environment }}
#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
<details><summary>Format Output</summary>
\`\`\`\n
${{ steps.fmt.outputs.stdout }}
\`\`\`
</details>
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
<details><summary>Initialization Output</summary>
\`\`\`\n
${{ steps.init.outputs.stdout }}
\`\`\`
</details>
#### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
<details><summary>Validation Output</summary>
\`\`\`\n
${{ steps.validate.outputs.stdout }}
\`\`\`
</details>
#### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
<details><summary>Show Plan (${{ steps.plan.outputs.summary }})</summary>
\`\`\`\n
${{ steps.plan.outputs.stdout }}
\`\`\`
</details>`;
Plan results: ${{ steps.plan.outputs.summary }}`;
// 3. If we have a comment, update it, otherwise create a new one
if (botComment) {
github.rest.issues.deleteComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: botComment.id,
body: output
})
}
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
});
- name: Terraform Apply
if: github.ref == 'refs/heads/master' && inputs.is_deployment
run: terraform apply -auto-approve -input=false tf.plan
working-directory: ./stacks/gp-registrations-mi/terraform
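Review bot: The role-selection expression `role-to-assume: ${{inputs.is_deployment && secrets.AWS_ASSUME_ROLE || secrets.AWS_ASSUME_ROLE_READ_ONLY}}` is the `a && b || c` idiom, so a deployment run whose `AWS_ASSUME_ROLE` secret is unset or empty silently assumes the read-only role instead of failing; the failure then surfaces only later as a permissions error in the conditional Terraform Apply step, which is hard to trace back to a missing secret. Falling back to the least-privileged role is the safer direction, but a fail-fast check before the credentials step would make the misconfiguration explicit, for example a step that exports the secret to an env var and asserts it is non-empty when `inputs.is_deployment` is true (the `secrets` context is not available in a step `if:`, which is why the check goes through `env:`). The enclosing Configure AWS Credentials step starts outside the hunk (only its `uses:` line is visible). As a point of style, the new expression omits the spaces inside `${{ … }}` that every other expression in this file uses (`${{ vars.AWS_REGION }}`); `${{ inputs.is_deployment && secrets.AWS_ASSUME_ROLE || secrets.AWS_ASSUME_ROLE_READ_ONLY }}` would match.
```yaml
      - name: Check deployment role is configured
        if: inputs.is_deployment
        env:
          DEPLOY_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
        run: test -n "$DEPLOY_ROLE" || { echo "::error::AWS_ASSUME_ROLE is empty on a deployment run"; exit 1; }
      # … unchanged: Configure AWS Credentials step …
```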
3 changes: 2 additions & 1 deletion .github/workflows/deploy-gp-registrations-mi.yml
Expand Up @@ -21,4 +21,5 @@ jobs:
uses: ./.github/workflows/base-gp-registrations-mi.yml
with:
environment: ${{ inputs.environment }}
secrets: inherit
is_deployment: true
secrets: inherit
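--- a/.github/workflows/pr-gp-registrations-mi.yml
+++ b/.github/workflows/pr-gp-registrations-mi.yml
@@ -20,3 +20,4 @@ jobs:
 environment: ${{ matrix.environment }}
 secrets: inherit
 
+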