From 5d282b5797b38b141245c1e716629b049be625ab Mon Sep 17 00:00:00 2001
From: "Axel Garcia K."
Date: Fri, 19 Sep 2025 12:35:08 +0100
Subject: [PATCH 1/2] NRL-1594 Use commit hash for external github action dependency

---
 .github/workflows/activate-stack.yml | 2 +-
 .github/workflows/daily-build.yml | 2 +-
 .github/workflows/persistent-environment.yml | 12 ++++++------
 .github/workflows/pr-env-deploy.yml | 14 +++++++-------
 .github/workflows/pr-env-destroy.yml | 2 +-
 .github/workflows/rollback-stack.yml | 2 +-
 .github/workflows/update-lambda-permissions.yml | 12 ++++++------
 7 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/.github/workflows/activate-stack.yml b/.github/workflows/activate-stack.yml
index 97a7e141b..1593fa171 100644
--- a/.github/workflows/activate-stack.yml
+++ b/.github/workflows/activate-stack.yml
@@ -38,7 +38,7 @@ jobs:
 poetry install --no-root
 
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
diff --git a/.github/workflows/daily-build.yml b/.github/workflows/daily-build.yml
index 6a5265431..f7c84d787 100644
--- a/.github/workflows/daily-build.yml
+++ b/.github/workflows/daily-build.yml
@@ -42,7 +42,7 @@ jobs:
 run: make build
 
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
diff --git a/.github/workflows/persistent-environment.yml b/.github/workflows/persistent-environment.yml
index c4f2e49f4..dae7a9e0f 100644
--- a/.github/workflows/persistent-environment.yml
+++ b/.github/workflows/persistent-environment.yml
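Review bot: The pin on the `uses:` line is only as trustworthy as the link between the SHA and the `#v4.3.1` trailer, so before merging confirm that `7474bc4690e29a8392af63c5b98e7449536d5c3a` is the commit the upstream `v4.3.1` tag resolves to — the tag is what a reader sees, the SHA is what runs, and a mismatch would silently pin a different build. The same edit is repeated in every hunk of daily-build.yml, persistent-environment.yml, pr-env-deploy.yml, pr-env-destroy.yml, rollback-stack.yml and update-lambda-permissions.yml, so one verification covers them all. The trailer would serve better as `# v4.3.1` (space after `#`): that is the form yamllint's `comments` rule accepts and, as far as I know, the form Dependabot and Renovate rewrite when they bump a SHA-pinned action, so the comment does not go stale after an automated update. Only `configure-aws-credentials` is pinned here; if any `checkout`, `cache` or `setup-*` steps elsewhere in these workflows (outside the hunks, so not visible) still reference a mutable tag, they undermine the guarantee this commit is buying and want the same treatment.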
@@ -45,7 +45,7 @@ jobs:
 run: make build
 
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -89,7 +89,7 @@ jobs:
 poetry install --no-root
 
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -166,7 +166,7 @@ jobs:
 fail-on-cache-miss: true
 
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -219,7 +219,7 @@ jobs:
 poetry install --no-root
 
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -248,7 +248,7 @@ jobs:
 poetry install --no-root
 
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -277,7 +277,7 @@ jobs:
 poetry install --no-root
 
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
diff --git a/.github/workflows/pr-env-deploy.yml b/.github/workflows/pr-env-deploy.yml
index d5ac9a878..da40284cd 100644
--- a/.github/workflows/pr-env-deploy.yml
+++ b/.github/workflows/pr-env-deploy.yml
@@ -67,7 +67,7 @@ jobs:
 run: make build
 
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -121,7 +121,7 @@ jobs:
 poetry install --no-root
 
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -203,7 +203,7 @@ jobs:
 poetry install --no-root
 
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -213,7 +213,7 @@ jobs:
 run: make truststore-pull-client ENV=dev
 
 - name: Configure Dev Account Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-chaining: true
@@ -240,7 +240,7 @@ jobs:
 poetry install --no-root
 
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -275,7 +275,7 @@ jobs:
 poetry install --no-root
 
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -285,7 +285,7 @@ jobs:
 run: make truststore-pull-client ENV=dev
 
 - name: Configure Dev Account Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-chaining: true
diff --git a/.github/workflows/pr-env-destroy.yml b/.github/workflows/pr-env-destroy.yml
index ab8f2f4bd..197393e81 100644
--- a/.github/workflows/pr-env-destroy.yml
+++ b/.github/workflows/pr-env-destroy.yml
@@ -61,7 +61,7 @@ jobs:
 poetry install --no-root
 
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.CI_ROLE_NAME }}
diff --git a/.github/workflows/rollback-stack.yml b/.github/workflows/rollback-stack.yml
index 954abc18b..3ceff7a55 100644
--- a/.github/workflows/rollback-stack.yml
+++ b/.github/workflows/rollback-stack.yml
@@ -33,7 +33,7 @@ jobs:
 poetry install --no-root
 
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
diff --git a/.github/workflows/update-lambda-permissions.yml b/.github/workflows/update-lambda-permissions.yml
index 6a68e371f..77a4d6e0a 100644
--- a/.github/workflows/update-lambda-permissions.yml
+++ b/.github/workflows/update-lambda-permissions.yml
@@ -43,7 +43,7 @@ jobs:
 poetry install --no-root
 
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -91,7 +91,7 @@ jobs:
 poetry install --no-root
 
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -122,14 +122,14 @@ jobs:
 ref: ${{ github.ref }}
 
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
 role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }}
 
 - name: Configure Account Role
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-chaining: true
@@ -180,7 +180,7 @@ jobs:
 fail-on-cache-miss: true
 
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
@@ -239,7 +239,7 @@ jobs:
 fail-on-cache-miss: true
 
 - name: Configure Management Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 aws-region: eu-west-2
 role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}

From 70efcd1c09fd19a6fd1b109a1fdd48b20d7c749d Mon Sep 17 00:00:00 2001
From: "Axel Garcia K."
Date: Fri, 19 Sep 2025 13:10:11 +0100
Subject: [PATCH 2/2] NRL-1594 Avoid expanding variable in block

---
 .github/workflows/persistent-environment.yml | 4 +++-
 .github/workflows/pr-env-deploy.yml | 6 +++++-
 .github/workflows/pr-env-destroy.yml | 4 +++-
 .github/workflows/update-lambda-permissions.yml | 4 +++-
 4 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/persistent-environment.yml b/.github/workflows/persistent-environment.yml
index dae7a9e0f..e19e46fef 100644
--- a/.github/workflows/persistent-environment.yml
+++ b/.github/workflows/persistent-environment.yml
@@ -121,11 +121,13 @@ jobs:
 terraform -chdir=terraform/infrastructure workspace select ${inactive_stack}
 
 - name: Terraform Plan
+ env:
+ DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
 run: |
 inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }})
 terraform -chdir=terraform/infrastructure plan \
 --var-file=etc/${{ vars.ACCOUNT_NAME }}.tfvars \
- --var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \
+ --var assume_role_arn=${DEPLOY_ROLE_ARN} \
 --var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${inactive_stack}) \
 -out tfplan
 
diff --git a/.github/workflows/pr-env-deploy.yml b/.github/workflows/pr-env-deploy.yml
index da40284cd..72f68f1c9 100644
--- a/.github/workflows/pr-env-deploy.yml
+++ b/.github/workflows/pr-env-deploy.yml
@@ -150,10 +150,12 @@ jobs:
 terraform -chdir=terraform/infrastructure workspace select ${{ needs.set-environment-id.outputs.environment_id }}
 
 - name: Terraform Plan
+ env:
+ DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
 run: |
 terraform -chdir=terraform/infrastructure plan \
 --var-file=etc/dev.tfvars \
- --var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \
+ --var assume_role_arn=${DEPLOY_ROLE_ARN} \
 --var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${{ needs.set-environment-id.outputs.environment_id }}) \
 -out tfplan
 
@@ -286,6 +288,8 @@ jobs:
 
 - name: Configure Dev Account Credentials
 uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
+ env:
+ DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
 with:
 aws-region: eu-west-2
 role-chaining: true
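Review bot: Moving `secrets.DEPLOY_ROLE_ARN` behind an `env:` entry is the right shape, but the `run:` block in this hunk still splices `${{ inputs.environment }}` and `${{ vars.ACCOUNT_NAME }}` straight into the shell script, and those user- and repo-settable strings are exactly the values GitHub's script-injection guidance says to route through `env:` and then reference as `"$ENVIRONMENT"` / `"$ACCOUNT_NAME"` — a secret is the least likely of the three to carry shell metacharacters. The same gap remains in pr-env-deploy.yml @@ -150 (`needs.set-environment-id.outputs.environment_id`, used twice) and update-lambda-permissions.yml @@ -193 (`inputs.stack_name`); the pr-env-destroy.yml hunk expands only the secret, so it is complete as written. Inside the script `${DEPLOY_ROLE_ARN}` is unquoted; an ARN contains no whitespace, but `--var assume_role_arn="${DEPLOY_ROLE_ARN}" \` costs nothing and makes the intent explicit. The pr-env-deploy.yml @@ -286 hunk adds the same `env:` block to a `uses:` step rather than a `run:` step; `with:` inputs reach the action without shell expansion, so that entry only does anything if the remainder of the `with:` block (outside the hunk) reads it — if it still uses `${{ secrets.DEPLOY_ROLE_ARN }}` directly, the `env:` lines are dead and worth dropping.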
diff --git a/.github/workflows/pr-env-destroy.yml b/.github/workflows/pr-env-destroy.yml
index 197393e81..59ac89286 100644
--- a/.github/workflows/pr-env-destroy.yml
+++ b/.github/workflows/pr-env-destroy.yml
@@ -80,10 +80,12 @@ jobs:
 run: make build get-s3-perms
 
 - name: Terraform Destroy
+ env:
+ DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
 run: |
 terraform -chdir=terraform/infrastructure destroy \
 --var-file=etc/dev.tfvars \
- --var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \
+ --var assume_role_arn=${DEPLOY_ROLE_ARN} \
 -auto-approve
 
 - name: Cleanup Terraform Workspace
diff --git a/.github/workflows/update-lambda-permissions.yml b/.github/workflows/update-lambda-permissions.yml
index 77a4d6e0a..d14fe4253 100644
--- a/.github/workflows/update-lambda-permissions.yml
+++ b/.github/workflows/update-lambda-permissions.yml
@@ -193,10 +193,12 @@ jobs:
 terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }}
 
 - name: Terraform Plan
+ env:
+ DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
 run: |
 terraform -chdir=terraform/infrastructure plan \
 --var-file=etc/${{ vars.ACCOUNT_NAME }}.tfvars \
- --var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \
+ --var assume_role_arn=${DEPLOY_ROLE_ARN} \
 --var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${{ inputs.stack_name }}) \
 --out tfplan