diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 3012270..8e13f25 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -88,7 +88,7 @@ jobs:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
with:
- role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN || secrets.DEPLOYMENT_ROLE_ARN }}
role-session-name: "gh-${{ env.ENVIRONMENT }}-backend-deployment"
aws-region: "us-west-2"
@@ -153,7 +153,7 @@ jobs:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
with:
- role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN || secrets.DEPLOYMENT_ROLE_ARN }}
role-session-name: "gh-${{ env.ENVIRONMENT }}-airflow-sm2a-deployment"
aws-region: "${{ env.AWS_REGION }}"
@@ -202,7 +202,7 @@ jobs:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
with:
- role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN || secrets.DEPLOYMENT_ROLE_ARN }}
role-session-name: "gh-${{ env.ENVIRONMENT }}-features-deployment"
aws-region: "us-west-2"
@@ -256,7 +256,7 @@ jobs:
if: ${{ env.GH_PAT_CHECK != '' }}
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
with:
- role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN || secrets.DEPLOYMENT_ROLE_ARN }}
role-session-name: "gh-${{ env.ENVIRONMENT }}-monitoring-deployment"
aws-region: "${{ env.AWS_REGION }}"
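Review bot: The added `role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN || secrets.DEPLOYMENT_ROLE_ARN }}` makes the variable silently win whenever both are defined, and a GitHub variable, unlike a secret, is printed unmasked in workflow logs, so a stale or mistyped variable overrides the secret with no warning and the ARN becomes public knowledge to anyone who can read the logs. A role ARN is an identifier rather than a credential, so that is only safe if the IAM role's trust policy conditions `token.actions.githubusercontent.com:sub` on this repository and environment; the trust policy, not the secrecy of the ARN, is what rejects AssumeRoleWithWebIdentity from another repository, and this commit does not say that has been verified. I would document the precedence above the line, `# Prefer the environment variable; the secret is a transitional fallback, remove once every environment defines the variable`, and then drop the `|| secrets.…` branch so there is a single source of truth. The enclosing job steps start and end outside the hunk.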
@@ -294,7 +294,7 @@ jobs:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
with:
- role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN || secrets.DEPLOYMENT_ROLE_ARN }}
role-session-name: "gh-${{ env.ENVIRONMENT }}-titiler-multidim-deployment"
aws-region: "us-west-2"
@@ -332,7 +332,7 @@ jobs:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
with:
- role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN || secrets.DEPLOYMENT_ROLE_ARN }}
role-session-name: "gh-${{ env.ENVIRONMENT }}-s3-disaster-recovery-deployment"
aws-region: "us-west-2"
@@ -376,7 +376,7 @@ jobs:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
with:
- role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN || secrets.DEPLOYMENT_ROLE_ARN }}
role-session-name: "gh-${{ env.ENVIRONMENT }}-titiler-cmr-deployment"
aws-region: "us-west-2"
@@ -417,7 +417,7 @@ jobs:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
with:
- role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN || secrets.DEPLOYMENT_ROLE_ARN }}
role-session-name: "gh-${{ env.ENVIRONMENT }}-routes-deployment"
aws-region: "${{ env.AWS_REGION }}"
@@ -480,7 +480,7 @@ jobs:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
with:
- role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN || secrets.DEPLOYMENT_ROLE_ARN }}
role-session-name: "gh-${{ env.ENVIRONMENT }}-integration-test"
aws-region: "${{ env.AWS_DEFAULT_REGION }}"
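Review bot: When an environment defines neither the variable nor the secret, the added expression on the `role-to-assume` line evaluates to an empty string, so the step no longer fails on a missing role; as far as I recall the pinned configure-aws-credentials v4 then falls back to whatever credentials the runner already has (instance profile or ambient env vars on a self-hosted runner), which would deploy under an unintended identity rather than erroring — worth confirming against the action's v4.1.0 behaviour. A fail-fast guard step ahead of this one makes the misconfiguration explicit, for example `- name: Require deployment role`, `if: ${{ (vars.DEPLOYMENT_ROLE_ARN || secrets.DEPLOYMENT_ROLE_ARN) == '' }}`, `run: echo "::error::DEPLOYMENT_ROLE_ARN is not configured for ${{ env.ENVIRONMENT }}" && exit 1`. The same guard applies to every job in this file that assumes the role; the enclosing jobs start and end outside the hunk.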
@@ -559,4 +559,3 @@ jobs:
name: playwright-report
path: playwright-report/
retention-days: 30
-
diff --git a/.github/workflows/diff.yml b/.github/workflows/diff.yml
index c59c0a6..aeac72b 100644
--- a/.github/workflows/diff.yml
+++ b/.github/workflows/diff.yml
@@ -46,7 +46,7 @@ jobs:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
with:
- role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN || secrets.DEPLOYMENT_ROLE_ARN }}
role-session-name: "gh-${{ env.ENVIRONMENT }}-airflow-sm2a-deployment"
aws-region: "${{ env.AWS_REGION }}"
diff --git a/README.md b/README.md
index 4f37556..5eaafaa 100644
--- a/README.md
+++ b/README.md
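Review bot: The diff workflow's new `role-to-assume` line resolves the same `DEPLOYMENT_ROLE_ARN` as every deploy job, so a run whose purpose is presumably to compute a plan/diff is handed the full deployment role, and the session name it keeps, `gh-${{ env.ENVIRONMENT }}-airflow-sm2a-deployment`, makes those sessions indistinguishable from real deployments in CloudTrail. I cannot see this workflow's triggers from the hunk; if it runs on pull requests, a compromised PR-triggered job gets write-capable AWS credentials it does not need. If the job only reads, point it at a separate, read-only role through its own variable with the same `vars`-then-`secrets` fallback, and change the session name to `role-session-name: "gh-${{ env.ENVIRONMENT }}-airflow-sm2a-diff"` so audit logs can tell the two apart. The enclosing job starts and ends outside the hunk.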
@@ -15,15 +15,14 @@ Adding new deployment environments requires admin permissions for this veda-depl ## GitHub Environment Each veda-deploy Github Environment needs Environment Secrets and Variables configured in the GitHub UI Settings for this veda-deploy project as well as detailed key-value AWS Secrets Manager secret(s) with configuration for the deployment of all components. -### GitHub Environment Secrets -GitHub Environment secret(s) configured in the GitHub UI settings for this veda-deploy repo: -`DEPLOYMENT_ROLE_ARN` - oidc role with permissions to deploy - ### GitHub Environment Variables GitHub Environment variables need to be set in the GitHub UI project settings. There should be one variable for each AWS Secrets Manager secret name. There should be one variable for each component indicating which GitHub reference to use to deploy that component via checking out that Github reference in the git submodule. More instructions on these Github environment variables is provided below. +#### Roles with Permissions +`DEPLOYMENT_ROLE_ARN` - oidc role with permissions to deploy + #### AWS Secrets Manager Secret Name(s) `DEPLOYMENT_ENV_SECRET_NAME` - the AWS secrets manager secret name with the required component env vars. See [AWS Secrets Requirements](#aws-secrets-requirements) for what env vars are needed. Note that the individual submodule GitHub repositories should be consulted for the most up to date environment variable names and explanations.