DEVOPS-12289: Move OIDC config to the open-turo #16

Status: Open. Wants to merge 1 commit into base: main
17 changes: 17 additions & 0 deletions 1
@@ -0,0 +1,17 @@
feat(gha): move OIDC config to the reusable workflow

BREAKING CHANGE: remove aws cli installation and credential configuration from consumer workflow

# Please enter the commit message for your changes. Lines starting
# with '#' will be ignored, and an empty message aborts the commit.
#
# Date: Fri Dec 13 10:32:31 2024 -0500
#
# On branch f/devops-12289_refactor_actions-s3-artifact_in_open-turo_to_include_additional_logics_d
# Your branch is up to date with 'origin/f/devops-12289_refactor_actions-s3-artifact_in_open-turo_to_include_additional_logics_d'.
#
# Changes to be committed:
# new file: docs/breaking-changes/v2.md
# modified: upload/README.md
# modified: upload/action.yaml
#
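Review bot: The file named `1` is a git commit-message buffer that was committed by accident and should be removed from this PR: it carries the editor template (`# Please enter the commit message for your changes ...`, `# Date:`, `# On branch ...`) and its own `# Changes to be committed:` list names only `docs/breaking-changes/v2.md`, `upload/README.md` and `upload/action.yaml`, so the file was never meant to be part of the change. The `feat(gha): ...` line and the `BREAKING CHANGE:` footer belong in the actual commit message, where they are currently missing from the PR's single commit.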
61 changes: 61 additions & 0 deletions docs/breaking-changes/v2.md
@@ -0,0 +1,61 @@
# Breaking changes in v2

Move OIDC config to the reusable workflow

## Description of changes

The OIDC configuration has been moved to the reusable workflow. This change enable developers to use the OIDC configuration in multiple actions without duplicating the configuration.

## Upgrade instructions

Update from:

```
permissions:
id-token: write # This is required for requesting the JWT for OIDC
contents: read

...
- name: Install aws cli
run: |
pip install awscli==1.33.21
aws --version

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-skip-session-tagging: true
role-to-assume: ROLE-TO-ASSUME-WITH-OIDC
aws-region: us-east-1

- name: Upload to S3 bucket
uses: open-turo/actions-s3-artifact/upload@v1
id: aws-s3-upload
with:
compress: false
path: PATH-TO-UPLOAD
s3uri: S3-URI
aws-region: us-east-1

```

to the following:

```
permissions:
id-token: write # This is required for requesting the JWT for OIDC
contents: read

...

- name: Upload to S3 bucket
uses: open-turo/actions-s3-artifact/upload@v2
id: aws-s3-upload
with:
compress: false
path: PATH-TO-UPLOAD
s3uri: S3-URI
aws-region: us-east-1
role-to-assume-with-oidc: ${{ ROLE-TO-ASSUME-WITH-OIDC }} # the role can be defined in the GHA Repository secrets or inline

```
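Review bot: The input name in the "to the following" example, `role-to-assume-with-oidc`, does not match the input this PR adds to `upload/action.yaml`, which is `role-to-assume`; a consumer following these instructions would get an unexpected-input warning and the OIDC credential step would be skipped because `inputs.role-to-assume` stays empty. Use `role-to-assume:` here. The value `${{ ROLE-TO-ASSUME-WITH-OIDC }}` is also not a valid expression, since a bare identifier is not a context; write it as `${{ secrets.ROLE_TO_ASSUME }}` (or a `vars.` reference) and say in the comment that the role ARN is expected to live in a repository secret or variable. Two wording points: this is a `composite` action (as the README hunk says), not a reusable workflow, so the title line and first paragraph should say "composite action"; and "This change enable developers" should read "This change enables developers".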
6 changes: 6 additions & 0 deletions upload/README.md
@@ -138,6 +138,12 @@ This action is a `composite` action.
# Required: false
# Default: ${{ github.sha }}-${{ github.run_number }}-${{ github.run_attempt }}

role-to-assume:
# ARN of the role to assume. If not provided, the action will use the provided AWS access key and secret access key
#
# Required: false
# Default: ""

aws-access-key-id:
# AWS access key ID of the S3 location
#
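Review bot: The `role-to-assume` description should state that the calling workflow must grant `permissions: id-token: write`, because a composite action cannot request that permission itself and the OIDC step fails without it, and that when both a role and an access-key pair are supplied the role takes precedence, since that is what the `if:` conditions in `upload/action.yaml` implement. The documented `Default: ""` also has no matching `default:` on the input in `action.yaml`; add it there or drop it here so the generated README stays in sync.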
23 changes: 21 additions & 2 deletions upload/action.yaml
@@ -1,5 +1,6 @@
name: S3 upload
description: Upload a set of artifacts to S3

inputs:
# Path(s) to the artifacts to upload
path:
@@ -14,6 +15,9 @@ inputs:
required: false
description: Artifact key name (a unique hash or timestamp or other identifier)
default: ${{ github.sha }}-${{ github.run_number }}-${{ github.run_attempt }}
role-to-assume:
required: false
description: ARN of the role to assume. If not provided, the action will use the provided AWS access key and secret access key
aws-access-key-id:
required: false
description: AWS access key ID of the S3 location
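Review bot: `role-to-assume` is declared without a `default:`, while the README hunk documents `Default: ""`; add `default: ""` so the two agree and the `inputs.role-to-assume != ''` / `== ''` checks further down compare against an explicit value rather than relying on an unset input evaluating to the empty string. The description could also mention that this input is the OIDC path and requires `id-token: write` in the caller.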
@@ -95,13 +99,28 @@ runs:
echo "folder=$TMPARTIFACT" >> $GITHUB_OUTPUT
fi

- name: Configure AWS credentials
if: inputs.aws-access-key-id != '' && inputs.aws-secret-access-key != ''
- name: Install aws cli
run: |
pip install awscli==1.33.21
aws --version
shell: bash
Contributor comment on lines +102 to +106:

Is this required? Or should we let the consumer decide how to install / if they need to install the AWS CLI?

Pinning the version here doesn't seem ok (what if a consumer wants to use v2 of the CLI?)


- name: Configure AWS credentials via OIDC
if: inputs.role-to-assume != ''
uses: aws-actions/configure-aws-credentials@v4
with:
role-skip-session-tagging: true
role-to-assume: ${{ inputs.role-to-assume }}
aws-region: ${{ inputs.aws-region }}

- name: Configure AWS credentials via Access Keys
if: inputs.role-to-assume == '' && inputs.aws-access-key-id != '' && inputs.aws-secret-access-key != ''
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ inputs.aws-access-key-id }}
aws-secret-access-key: ${{ inputs.aws-secret-access-key }}
aws-region: ${{ inputs.aws-region }}

- name: Upload artifact to S3
id: s3
shell: bash
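Review bot: The two credential steps pin different major versions of the same action: the OIDC step uses `aws-actions/configure-aws-credentials@v4` while the access-key step keeps `@v1`; move both to `@v4`, and preferably pin each to a full commit SHA rather than a moving tag, since this action is the one thing handling cloud credentials for every consumer. Two further gaps: nothing handles the case where neither `role-to-assume` nor an access-key pair is set, so `Upload artifact to S3` would silently run with whatever ambient credentials the runner happens to have; add an explicit failing step (for example `if: inputs.role-to-assume == '' && inputs.aws-access-key-id == ''` with an `exit 1` and a clear message). And the unconditional `Install aws cli` step runs `pip install awscli==1.33.21` on every invocation, which, as the contributor comment above says, forces a CLI version on consumers; the hosted Ubuntu runner images already include the AWS CLI, so at minimum gate the step on `command -v aws` or make installation an opt-in input.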