Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: use correct IAM role for TF apply #694

Merged
merged 1 commit into from
Jun 18, 2024
Merged

fix: use correct IAM role for TF apply #694

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions .github/workflows/terragrunt-apply-production.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@ jobs:
- name: Configure AWS credentials using OIDC
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/forms-terraform-apply-release
Copy link
Contributor

@wmoussa-gc wmoussa-gc Jun 18, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, what is going to happen to the -release role? Will it still be used somewhere? How come we did not have a similar issue in staging?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Once the 3.10.1 release goes in, I'll get a fix in to remove the -release role since we won't need it anymore. We didn't have this problem in Staging because its TF apply workflow has always executed on pushes to develop, which is what the default SRE OIDC -apply roles are setup to work with.

We needed the -release role for Prod because it used to execute against a tag reference. However, with the latest workflow change to support easier revert PRs, it now executes against develop as well.

role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/forms-terraform-apply
role-session-name: TFApply
aws-region: ${{ env.AWS_REGION }}

Expand Down Expand Up @@ -100,7 +100,7 @@ jobs:
- name: Tag and push Lambda images
uses: ./.github/workflows/tag-and-push-lambda-images
with:
aws-role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/forms-terraform-apply-release
aws-role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/forms-terraform-apply
aws-role-session-name: TFApply
aws-region: ${{ env.AWS_REGION }}
lambda-name: ${{ matrix.image }}
Expand All @@ -125,7 +125,7 @@ jobs:
- name: Configure AWS credentials using OIDC
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/forms-terraform-apply-release
role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/forms-terraform-apply
role-session-name: TFApply
aws-region: ${{ env.AWS_REGION }}

Expand Down Expand Up @@ -220,7 +220,7 @@ jobs:
- name: Request Lambda functions to use new image
uses: ./.github/workflows/request-lambda-functions-to-use-new-image
with:
aws-role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/forms-terraform-apply-release
aws-role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/forms-terraform-apply
aws-role-session-name: TFApply
aws-region: ${{ env.AWS_REGION }}
lambda-name: ${{ matrix.image }}
Expand Down
29 changes: 4 additions & 25 deletions .github/workflows/terragrunt-plan-production.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,35 +51,15 @@ jobs:
with:
is-tagged: ${{ !startsWith(github.head_ref, 'release-please--') }} # If not the release PR branch, assume it is a revert PR

detect-lambda-changes:
needs: get-version
runs-on: ubuntu-latest
env:
VERSION: ${{ needs.get-version.outputs.version }}
outputs:
lambda-to-rebuild: ${{ steps.filter.outputs.changes }}
steps:
- name: Checkout
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
ref: ${{ env.VERSION }}

- name: Filter
id: filter
uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
with:
filters: .github/lambda-filter.yml

test-lambda-code:
needs: [get-version, detect-lambda-changes]
if: needs.detect-lambda-changes.outputs.lambda-to-rebuild != '[]'
needs: get-version
runs-on: ubuntu-latest
env:
VERSION: ${{ needs.get-version.outputs.version }}
strategy:
fail-fast: false
matrix:
image: ${{ fromJSON(needs.detect-lambda-changes.outputs.lambda-to-rebuild) }}
image: [audit-logs, audit-logs-archiver, cognito-email-sender, cognito-pre-sign-up, form-archiver, nagware, notify-slack, reliability, reliability-dlq-consumer, response-archiver, submission, vault-integrity]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've seen this before. Was it done for staging but not for production?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, it was done for the TF apply prod workflow because of the same bug. It's on our list to generate this list dynamically rather than hardcoding it in both workflows.

steps:
- name: Checkout
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
Expand All @@ -93,15 +73,14 @@ jobs:
lambda-name: ${{ matrix.image }}

build-lambda-images:
needs: [get-version, detect-lambda-changes]
if: needs.detect-lambda-changes.outputs.lambda-to-rebuild != '[]'
needs: get-version
runs-on: ubuntu-latest
env:
VERSION: ${{ needs.get-version.outputs.version }}
strategy:
fail-fast: false
matrix:
image: ${{ fromJSON(needs.detect-lambda-changes.outputs.lambda-to-rebuild) }}
image: [audit-logs, audit-logs-archiver, cognito-email-sender, cognito-pre-sign-up, form-archiver, nagware, notify-slack, reliability, reliability-dlq-consumer, response-archiver, submission, vault-integrity]
steps:
- name: Checkout
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
Expand Down
Loading