From 94a4ceadd628712d617b8bb3763fa42d10896a0c Mon Sep 17 00:00:00 2001 From: Sandra Hoang Date: Tue, 28 Apr 2026 15:48:53 -0400 Subject: [PATCH 1/2] update deployment_role_arn from secret to var --- .github/workflows/deploy.yml | 20 ++++++++++---------- .github/workflows/diff.yml | 2 +- README.md | 7 +++---- 3 files changed, 14 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index e363611..8e028ab 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -93,7 +93,7 @@ jobs:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
 with:
- role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN }}
 role-session-name: "gh-${{ env.ENVIRONMENT }}-auth-deployment"
 aws-region: "us-west-2"
@@ -140,7 +140,7 @@ jobs:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
 with:
- role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN }}
 role-session-name: "gh-${{ env.ENVIRONMENT }}-backend-deployment"
 aws-region: "us-west-2"
@@ -205,7 +205,7 @@ jobs:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
 with:
- role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN }}
 role-session-name: "gh-${{ env.ENVIRONMENT }}-airflow-sm2a-deployment"
 aws-region: "${{ env.AWS_REGION }}"
@@ -254,7 +254,7 @@ jobs:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
 with:
- role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN }}
 role-session-name: "gh-${{ env.ENVIRONMENT }}-features-deployment"
 aws-region: "us-west-2"
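Review bot: `role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN }}` makes the role ARN, and with it the AWS account ID, an unmasked value in every job log, so after this change the only thing that limits who can assume the role is its OIDC trust policy, which is not visible in this patch. This applies to all ten deploy.yml hunks (-93 through -532) and to the diff.yml hunk. A role ARN is an identifier rather than a credential, so the move itself is reasonable, but it is worth confirming that the trust policy pins the `sub` claim to this repository and its environments before merging. I would record that above the step, for example `# ARN is not a secret; access is restricted by the role's OIDC trust policy`. Each step's enclosing job starts outside its hunk.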
@@ -308,7 +308,7 @@ jobs:
 if: ${{ env.GH_PAT_CHECK != '' }}
 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
 with:
- role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN }}
 role-session-name: "gh-${{ env.ENVIRONMENT }}-monitoring-deployment"
 aws-region: "${{ env.AWS_REGION }}"
@@ -346,7 +346,7 @@ jobs:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
 with:
- role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN }}
 role-session-name: "gh-${{ env.ENVIRONMENT }}-titiler-multidim-deployment"
 aws-region: "us-west-2"
@@ -384,7 +384,7 @@ jobs:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
 with:
- role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN }}
 role-session-name: "gh-${{ env.ENVIRONMENT }}-s3-disaster-recovery-deployment"
 aws-region: "us-west-2"
@@ -428,7 +428,7 @@ jobs:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
 with:
- role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN }}
 role-session-name: "gh-${{ env.ENVIRONMENT }}-titiler-cmr-deployment"
 aws-region: "us-west-2"
@@ -469,7 +469,7 @@ jobs:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
 with:
- role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN }}
 role-session-name: "gh-${{ env.ENVIRONMENT }}-routes-deployment"
 aws-region: "${{ env.AWS_REGION }}"
@@ -532,7 +532,7 @@ jobs:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
 with:
- role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN }}
 role-session-name: "gh-${{ env.ENVIRONMENT }}-integration-test"
 aws-region: "${{ env.AWS_DEFAULT_REGION }}"
diff --git a/.github/workflows/diff.yml b/.github/workflows/diff.yml
index c59c0a6..b10691a 100644
--- a/.github/workflows/diff.yml
+++ b/.github/workflows/diff.yml
@@ -46,7 +46,7 @@ jobs:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
 with:
- role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN }}
 role-session-name: "gh-${{ env.ENVIRONMENT }}-airflow-sm2a-deployment"
 aws-region: "${{ env.AWS_REGION }}"
diff --git a/README.md b/README.md
index 9a59ff4..7ceee70 100644
--- a/README.md
+++ b/README.md
@@ -15,15 +15,14 @@ Adding new deployment environments requires admin permissions for this veda-depl ## GitHub Environment Each veda-deploy Github Environment needs Environment Secrets and Variables configured in the GitHub UI Settings for this veda-deploy project as well as detailed key-value AWS Secrets Manager secret(s) with configuration for the deployment of all components. -### GitHub Environment Secrets -GitHub Environment secret(s) configured in the GitHub UI settings for this veda-deploy repo: -`DEPLOYMENT_ROLE_ARN` - oidc role with permissions to deploy - ### GitHub Environment Variables GitHub Environment variables need to be set in the GitHub UI project settings. There should be one variable for each AWS Secrets Manager secret name. There should be one variable for each component indicating which GitHub reference to use to deploy that component via checking out that Github reference in the git submodule. More instructions on these Github environment variables is provided below. +#### Roles with Permissions +`DEPLOYMENT_ROLE_ARN` - oidc role with permissions to deploy + #### AWS Secrets Manager Secret Name(s) `DEPLOYMENT_ENV_SECRET_NAME` - the AWS secrets manager secret name with the required component env vars. See [AWS Secrets Requirements](#aws-secrets-requirements) for what env vars are needed. Note that the individual submodule GitHub repositories should be consulted for the most up to date environment variable names and explanations. From 14e5b16d4a1db4a65303f54cec16a8511f77ae24 Mon Sep 17 00:00:00 2001 From: Sandra Hoang Date: Mon, 8 Jun 2026 14:24:54 -0400 Subject: [PATCH 2/2] make backwards compatible --- .github/workflows/deploy.yml | 18 +++++++++--------- .github/workflows/diff.yml | 2 +- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 7fb5e84..8e13f25 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
@@ -88,7 +88,7 @@ jobs:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
 with:
- role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN || secrets.DEPLOYMENT_ROLE_ARN }}
 role-session-name: "gh-${{ env.ENVIRONMENT }}-backend-deployment"
 aws-region: "us-west-2"
@@ -153,7 +153,7 @@ jobs:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
 with:
- role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN || secrets.DEPLOYMENT_ROLE_ARN }}
 role-session-name: "gh-${{ env.ENVIRONMENT }}-airflow-sm2a-deployment"
 aws-region: "${{ env.AWS_REGION }}"
@@ -202,7 +202,7 @@ jobs:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
 with:
- role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN || secrets.DEPLOYMENT_ROLE_ARN }}
 role-session-name: "gh-${{ env.ENVIRONMENT }}-features-deployment"
 aws-region: "us-west-2"
@@ -256,7 +256,7 @@ jobs:
 if: ${{ env.GH_PAT_CHECK != '' }}
 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
 with:
- role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN || secrets.DEPLOYMENT_ROLE_ARN }}
 role-session-name: "gh-${{ env.ENVIRONMENT }}-monitoring-deployment"
 aws-region: "${{ env.AWS_REGION }}"
@@ -294,7 +294,7 @@ jobs:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
 with:
- role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN || secrets.DEPLOYMENT_ROLE_ARN }}
 role-session-name: "gh-${{ env.ENVIRONMENT }}-titiler-multidim-deployment"
 aws-region: "us-west-2"
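Review bot: In `${{ vars.DEPLOYMENT_ROLE_ARN || secrets.DEPLOYMENT_ROLE_ARN }}` the variable wins whenever it resolves to anything non-empty, and `vars` also picks up repository- and organization-level values, so an environment that still has only the secret would silently assume whatever role a broader-scoped variable names. The same expression is in the other eight deploy.yml hunks (-153 through -480) and in the diff.yml hunk. When neither value is set the input is an empty string and the failure is left to the action; a guard step that passes the expression through `env:` and exits when it is empty would make that case explicit. The fallback is also not mentioned in the README, and nothing marks it as temporary; I would add `# TODO: remove the secrets.DEPLOYMENT_ROLE_ARN fallback once every environment defines the variable` above the line.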
@@ -332,7 +332,7 @@ jobs:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
 with:
- role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN || secrets.DEPLOYMENT_ROLE_ARN }}
 role-session-name: "gh-${{ env.ENVIRONMENT }}-s3-disaster-recovery-deployment"
 aws-region: "us-west-2"
@@ -376,7 +376,7 @@ jobs:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
 with:
- role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN || secrets.DEPLOYMENT_ROLE_ARN }}
 role-session-name: "gh-${{ env.ENVIRONMENT }}-titiler-cmr-deployment"
 aws-region: "us-west-2"
@@ -417,7 +417,7 @@ jobs:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
 with:
- role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN || secrets.DEPLOYMENT_ROLE_ARN }}
 role-session-name: "gh-${{ env.ENVIRONMENT }}-routes-deployment"
 aws-region: "${{ env.AWS_REGION }}"
@@ -480,7 +480,7 @@ jobs:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
 with:
- role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN || secrets.DEPLOYMENT_ROLE_ARN }}
 role-session-name: "gh-${{ env.ENVIRONMENT }}-integration-test"
 aws-region: "${{ env.AWS_DEFAULT_REGION }}"
diff --git a/.github/workflows/diff.yml b/.github/workflows/diff.yml
index b10691a..aeac72b 100644
--- a/.github/workflows/diff.yml
+++ b/.github/workflows/diff.yml
@@ -46,7 +46,7 @@ jobs:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
 with:
- role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN }}
+ role-to-assume: ${{ vars.DEPLOYMENT_ROLE_ARN || secrets.DEPLOYMENT_ROLE_ARN }}
 role-session-name: "gh-${{ env.ENVIRONMENT }}-airflow-sm2a-deployment"
 aws-region: "${{ env.AWS_REGION }}"
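Review bot: The diff workflow assumes the same `DEPLOYMENT_ROLE_ARN` as the deploy jobs, and its unchanged context line reuses the session name `gh-${{ env.ENVIRONMENT }}-airflow-sm2a-deployment` of the deploy.yml airflow job, so CloudTrail cannot tell a diff run from a deployment by session name. Changing that line to `role-session-name: "gh-${{ env.ENVIRONMENT }}-airflow-sm2a-diff"` fixes the attribution. If the diff step only needs read access, a separate read-only role would keep deploy permissions out of this workflow; the workflow's triggers are outside the hunk, so how exposed it is cannot be judged from here.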