diff --git a/.github/workflows/activate-stack.yml b/.github/workflows/activate-stack.yml
index 97a7e141b..1593fa171 100644
--- a/.github/workflows/activate-stack.yml
+++ b/.github/workflows/activate-stack.yml
@@ -38,7 +38,7 @@ jobs:
 poetry install --no-root
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
diff --git a/.github/workflows/daily-build.yml b/.github/workflows/daily-build.yml
index 6a5265431..f7c84d787 100644
--- a/.github/workflows/daily-build.yml
+++ b/.github/workflows/daily-build.yml
@@ -42,7 +42,7 @@ jobs:
 run: make build
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
diff --git a/.github/workflows/persistent-environment.yml b/.github/workflows/persistent-environment.yml
index c4f2e49f4..e19e46fef 100644
--- a/.github/workflows/persistent-environment.yml
+++ b/.github/workflows/persistent-environment.yml
@@ -45,7 +45,7 @@ jobs:
 run: make build
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -89,7 +89,7 @@ jobs:
 poetry install --no-root
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
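Review bot: The version comment on the pinned `uses:` lines is written ` #v4.3.1`, with one space before the hash and none after it. The form yamllint's comments rules expect is two spaces before and one after, `...@7474bc4690e29a8392af63c5b98e7449536d5c3a  # v4.3.1`. The same line recurs in every pinning hunk of this commit, so the change applies to all of them. The diff alone cannot show that this SHA is the commit the v4.3.1 tag resolves to, so confirm it against the upstream tag before merging.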
@@ -121,11 +121,13 @@ jobs:
 terraform -chdir=terraform/infrastructure workspace select ${inactive_stack}
 - name: Terraform Plan
+ env:
+ DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
 run: |
 inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }})
 terraform -chdir=terraform/infrastructure plan \
 --var-file=etc/${{ vars.ACCOUNT_NAME }}.tfvars \
- --var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \
+ --var assume_role_arn=${DEPLOY_ROLE_ARN} \
 --var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${inactive_stack}) \
 -out tfplan
@@ -166,7 +168,7 @@ jobs:
 fail-on-cache-miss: true
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -219,7 +221,7 @@ jobs:
 poetry install --no-root
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -248,7 +250,7 @@ jobs:
 poetry install --no-root
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -277,7 +279,7 @@ jobs:
 poetry install --no-root
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
diff --git a/.github/workflows/pr-env-deploy.yml b/.github/workflows/pr-env-deploy.yml
index d5ac9a878..72f68f1c9 100644
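Review bot: The Terraform Plan step in persistent-environment.yml still expands `${{ inputs.environment }}` and `${{ vars.ACCOUNT_NAME }}` straight into the `run:` script, so the inline-expansion pattern this commit removes for the secret remains for the workflow input. Passing it through `env:` too (`ENVIRONMENT: ${{ inputs.environment }}`) and referencing `"${ENVIRONMENT}"` would make the shell treat it as data rather than script text. The new `${DEPLOY_ROLE_ARN}` and the existing `${inactive_stack}` are also unquoted; `--var "assume_role_arn=${DEPLOY_ROLE_ARN}"` avoids word splitting. The same holds for the Terraform Plan hunks in pr-env-deploy.yml (`needs.set-environment-id.outputs.environment_id`) and update-lambda-permissions.yml (`inputs.stack_name`). The quoting point also applies to Terraform Destroy in pr-env-destroy.yml.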
--- a/.github/workflows/pr-env-deploy.yml
+++ b/.github/workflows/pr-env-deploy.yml
@@ -67,7 +67,7 @@ jobs:
 run: make build
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -121,7 +121,7 @@ jobs:
 poetry install --no-root
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -150,10 +150,12 @@ jobs:
 terraform -chdir=terraform/infrastructure workspace select ${{ needs.set-environment-id.outputs.environment_id }}
 - name: Terraform Plan
+ env:
+ DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
 run: |
 terraform -chdir=terraform/infrastructure plan \
 --var-file=etc/dev.tfvars \
- --var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \
+ --var assume_role_arn=${DEPLOY_ROLE_ARN} \
 --var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${{ needs.set-environment-id.outputs.environment_id }}) \
 -out tfplan
@@ -203,7 +205,7 @@ jobs:
 poetry install --no-root
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -213,7 +215,7 @@ jobs:
 run: make truststore-pull-client ENV=dev
 - name: Configure Dev Account Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-chaining: true
@@ -240,7 +242,7 @@ jobs:
 poetry install --no-root
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -275,7 +277,7 @@ jobs:
 poetry install --no-root
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -285,7 +287,9 @@ jobs:
 run: make truststore-pull-client ENV=dev
 - name: Configure Dev Account Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
+ env:
+ DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
 with:
 aws-region: eu-west-2
 role-chaining: true
diff --git a/.github/workflows/pr-env-destroy.yml b/.github/workflows/pr-env-destroy.yml
index ab8f2f4bd..59ac89286 100644
--- a/.github/workflows/pr-env-destroy.yml
+++ b/.github/workflows/pr-env-destroy.yml
@@ -61,7 +61,7 @@ jobs:
 poetry install --no-root
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.CI_ROLE_NAME }}
@@ -80,10 +80,12 @@ jobs:
 run: make build get-s3-perms
 - name: Terraform Destroy
+ env:
+ DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
 run: |
 terraform -chdir=terraform/infrastructure destroy \
 --var-file=etc/dev.tfvars \
- --var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \
+ --var assume_role_arn=${DEPLOY_ROLE_ARN} \
 -auto-approve
 - name: Cleanup Terraform Workspace
diff --git a/.github/workflows/rollback-stack.yml b/.github/workflows/rollback-stack.yml
index 954abc18b..3ceff7a55 100644
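Review bot: In the last pr-env-deploy.yml hunk (Configure Dev Account Credentials), the added `env: DEPLOY_ROLE_ARN` sits on a `uses:` step, and nothing in the visible `with:` inputs reads it. The step's remaining inputs lie below the hunk and are not changed by this commit, so the variable looks unused and only widens where the secret is exposed. `with:` values cannot read shell variables in any case, only expressions such as `${{ env.DEPLOY_ROLE_ARN }}`. Either drop the two added lines or switch the relevant input to the `env` context. The identically named step in the earlier hunk at -213 got no `env:`, so whichever choice is made should be applied to both.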
--- a/.github/workflows/rollback-stack.yml
+++ b/.github/workflows/rollback-stack.yml
@@ -33,7 +33,7 @@ jobs:
 poetry install --no-root
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
diff --git a/.github/workflows/update-lambda-permissions.yml b/.github/workflows/update-lambda-permissions.yml
index 6a68e371f..d14fe4253 100644
--- a/.github/workflows/update-lambda-permissions.yml
+++ b/.github/workflows/update-lambda-permissions.yml
@@ -43,7 +43,7 @@ jobs:
 poetry install --no-root
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -91,7 +91,7 @@ jobs:
 poetry install --no-root
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -122,14 +122,14 @@ jobs:
 ref: ${{ github.ref }}
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
 role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }}
 - name: Configure Account Role
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-chaining: true
@@ -180,7 +180,7 @@ jobs:
 fail-on-cache-miss: true
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -193,10 +193,12 @@ jobs:
 terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }}
 - name: Terraform Plan
+ env:
+ DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
 run: |
 terraform -chdir=terraform/infrastructure plan \
 --var-file=etc/${{ vars.ACCOUNT_NAME }}.tfvars \
- --var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \
+ --var assume_role_arn=${DEPLOY_ROLE_ARN} \
 --var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${{ inputs.stack_name }}) \
 --out tfplan
@@ -239,7 +241,7 @@ jobs:
 fail-on-cache-miss: true
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}