Update GitHub action roles

PRX · Apr 21, 2024 · 3803007 · 3803007
1 parent 7167acd
commit 3803007
Show file tree

Hide file tree

Showing 9 changed files with 51 additions and 33 deletions.
diff --git a/.github/workflows/deploy-ci-stack.yml b/.github/workflows/deploy-ci-stack.yml
@@ -25,18 +25,28 @@ jobs:
             stack: infrastructure-ci
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
-        with:
-          python-version: "3.9"
+
       - uses: aws-actions/setup-sam@v2
+        with:
+          use-installer: true
+
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-region: us-east-1
-          role-to-assume: arn:aws:iam::561178107736:role/DevOps-GitHubOidcFederatedRole
-          role-session-name: GitHubActions-DeployCiStack
+          aws-region: ${{ matrix.region }}
+          role-to-assume: arn:aws:iam::561178107736:role/PRX-GHA-AccessRole
+          role-session-name: gha-deploy-ci
+
       - name: Deploy CloudFormation stack
         working-directory: ci
         run: |
-          bucket_name=$(aws cloudformation describe-stacks --region ${{ matrix.region }} --stack-name aws-sam-cli-managed-default | jq -r ".Stacks[0].Outputs[0].OutputValue")
-          sam deploy --region ${{ matrix.region }} --no-confirm-changeset --no-fail-on-empty-changeset --stack-name "${{ matrix.stack }}" --s3-bucket "$bucket_name" --s3-prefix "${{ matrix.stack }}" --capabilities CAPABILITY_IAM
+          sam deploy \
+            --region ${{ matrix.region }} \
+            --resolve_s3 \
+            --no-confirm-changeset \
+            --no-fail-on-empty-changeset \
+            --stack-name "${{ matrix.stack }}" \
+            --s3-bucket "$bucket_name" \
+            --s3-prefix "${{ matrix.stack }}" \
+            --capabilities CAPABILITY_IAM \
+            --role-arn arn:aws:iam::561178107736:role/PRX-GHA-ServiceRoleForCloudFormation
diff --git a/.github/workflows/deploy-dns-earhustle.com-stack.yml b/.github/workflows/deploy-dns-earhustle.com-stack.yml
@@ -25,8 +25,8 @@ jobs:
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-region: us-east-1
-          role-to-assume: arn:aws:iam::561178107736:role/DevOps-GitHubOidcFederatedRole
-          role-session-name: GitHubActions-DeployEarhustlesqComStack
+          role-to-assume: arn:aws:iam::561178107736:role/PRX-GHA-AccessRole
+          role-session-name: gha-deploy-earhustle-dns
 
       - name: Deploy CloudFormation Stack
         working-directory: dns
@@ -35,4 +35,5 @@ jobs:
             --no-fail-on-empty-changeset \
             --region us-east-1 \
             --stack-name hostedzone-earhustlesq-com \
-            --template-file earhustlesq.com-hosted_zone.yml
+            --template-file earhustlesq.com-hosted_zone.yml \
+            --role-arn arn:aws:iam::561178107736:role/PRX-GHA-ServiceRoleForCloudFormation
diff --git a/.github/workflows/deploy-dns-passengerlist.org-stack.yml b/.github/workflows/deploy-dns-passengerlist.org-stack.yml
@@ -25,14 +25,15 @@ jobs:
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-region: us-east-1
-          role-to-assume: arn:aws:iam::561178107736:role/DevOps-GitHubOidcFederatedRole
-          role-session-name: GitHubActions-DeployPassengerlistOrgStack
+          role-to-assume: arn:aws:iam::561178107736:role/PRX-GHA-AccessRole
+          role-session-name: gha-deploy-passengerlist-dns
 
       - name: Deploy CloudFormation Stack
         working-directory: dns
         run: |
           aws cloudformation deploy \
-            --no-fail-on-empty-changeset
+            --no-fail-on-empty-changeset \
             --region us-east-1 \
             --stack-name hostedzone-passengerlist-org \
-            --template-file passengerlist.org-hosted_zone.yml
+            --template-file passengerlist.org-hosted_zone.yml \
+            --role-arn arn:aws:iam::561178107736:role/PRX-GHA-ServiceRoleForCloudFormation
diff --git a/.github/workflows/deploy-dns-podcastgarage.org-stack.yml b/.github/workflows/deploy-dns-podcastgarage.org-stack.yml
@@ -25,8 +25,8 @@ jobs:
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-region: us-east-1
-          role-to-assume: arn:aws:iam::561178107736:role/DevOps-GitHubOidcFederatedRole
-          role-session-name: GitHubActions-DeployPodcastgarageOrgStack
+          role-to-assume: arn:aws:iam::561178107736:role/PRX-GHA-AccessRole
+          role-session-name: gha-deploy-passengerlist-dns
 
       - name: Deploy CloudFormation Stack
         working-directory: dns
@@ -35,4 +35,5 @@ jobs:
             --no-fail-on-empty-changeset \
             --region us-east-1 \
             --stack-name hostedzone-podcastgarage-org \
-            --template-file podcastgarage.org-hosted_zone.yml
+            --template-file podcastgarage.org-hosted_zone.yml \
+            --role-arn arn:aws:iam::561178107736:role/PRX-GHA-ServiceRoleForCloudFormation
diff --git a/.github/workflows/deploy-dns-prx.mx-stack.yml b/.github/workflows/deploy-dns-prx.mx-stack.yml
@@ -25,8 +25,8 @@ jobs:
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-region: us-east-1
-          role-to-assume: arn:aws:iam::561178107736:role/DevOps-GitHubOidcFederatedRole
-          role-session-name: GitHubActions-DeployPrxMxStack
+          role-to-assume: arn:aws:iam::561178107736:role/PRX-GHA-AccessRole
+          role-session-name: gha-deploy-prxmx-dns
 
       - name: Deploy CloudFormation Stack
         working-directory: dns
@@ -35,4 +35,5 @@ jobs:
             --no-fail-on-empty-changeset \
             --region us-east-1 \
             --stack-name hostedzone-prx-mx \
-            --template-file prx.mx-hosted_zone.yml
+            --template-file prx.mx-hosted_zone.yml \
+            --role-arn arn:aws:iam::561178107736:role/PRX-GHA-ServiceRoleForCloudFormation
diff --git a/.github/workflows/deploy-dns-publicfeeds.net-stack.yml b/.github/workflows/deploy-dns-publicfeeds.net-stack.yml
@@ -25,8 +25,8 @@ jobs:
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-region: us-east-1
-          role-to-assume: arn:aws:iam::838846856186:role/DevOps-GitHubOidcFederatedRole
-          role-session-name: GitHubActions-DeployPublicfeedsNetStack
+          role-to-assume: arn:aws:iam::561178107736:role/PRX-GHA-AccessRole
+          role-session-name: gha-deploy-publicfeeds-dns
 
       - name: Deploy CloudFormation Stack
         working-directory: dns
@@ -35,4 +35,5 @@ jobs:
             --no-fail-on-empty-changeset \
             --region us-east-1 \
             --stack-name hosted-zone-publicfeeds-net \
-            --template-file publicfeeds.net-hosted_zone.yml
+            --template-file publicfeeds.net-hosted_zone.yml \
+            --role-arn arn:aws:iam::561178107736:role/PRX-GHA-ServiceRoleForCloudFormation
diff --git a/.github/workflows/deploy-dns-radiotopia.com-stack.yml b/.github/workflows/deploy-dns-radiotopia.com-stack.yml
@@ -25,8 +25,8 @@ jobs:
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-region: us-east-1
-          role-to-assume: arn:aws:iam::561178107736:role/DevOps-GitHubOidcFederatedRole
-          role-session-name: GitHubActions-DeployRadiotopiaComStack
+          role-to-assume: arn:aws:iam::561178107736:role/PRX-GHA-AccessRole
+          role-session-name: gha-deploy-radiotopia-com-dns
 
       - name: Deploy CloudFormation Stack
         working-directory: dns
@@ -35,4 +35,5 @@ jobs:
             --no-fail-on-empty-changeset \
             --region us-east-1 \
             --stack-name hostedzone-radiotopia-com \
-            --template-file radiotopia.com-hosted_zone.yml
+            --template-file radiotopia.com-hosted_zone.yml \
+            --role-arn arn:aws:iam::561178107736:role/PRX-GHA-ServiceRoleForCloudFormation
diff --git a/.github/workflows/deploy-dns-radiotopia.fm-stack.yml b/.github/workflows/deploy-dns-radiotopia.fm-stack.yml
@@ -25,8 +25,8 @@ jobs:
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-region: us-east-1
-          role-to-assume: arn:aws:iam::561178107736:role/DevOps-GitHubOidcFederatedRole
-          role-session-name: GitHubActions-DeployRadiotopiaFmStack
+          role-to-assume: arn:aws:iam::561178107736:role/PRX-GHA-AccessRole
+          role-session-name: gha-deploy-radiotopia-fm-dns
 
       - name: Deploy CloudFormation Stack
         working-directory: dns
@@ -35,4 +35,5 @@ jobs:
             --no-fail-on-empty-changeset \
             --region us-east-1 \
             --stack-name hostedzone-radiotopia-fm \
-            --template-file radiotopia.fm-hosted_zone.yml
+            --template-file radiotopia.fm-hosted_zone.yml \
+            --role-arn arn:aws:iam::561178107736:role/PRX-GHA-ServiceRoleForCloudFormation
diff --git a/.github/workflows/deploy-dns-trax.fm-stack.yml b/.github/workflows/deploy-dns-trax.fm-stack.yml
@@ -26,8 +26,8 @@ jobs:
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-region: us-east-1
-          role-to-assume: arn:aws:iam::561178107736:role/DevOps-GitHubOidcFederatedRole
-          role-session-name: GitHubActions-DeployTraxFmStack
+          role-to-assume: arn:aws:iam::561178107736:role/PRX-GHA-AccessRole
+          role-session-name: gha-deploy-trax-dns
 
       - name: Deploy CloudFormation Stack
         working-directory: dns
@@ -36,4 +36,5 @@ jobs:
             --no-fail-on-empty-changeset \
             --region us-east-1 \
             --stack-name hostedzone-trax-fm \
-            --template-file trax.fm-hosted_zone.yml
+            --template-file trax.fm-hosted_zone.yml \
+            --role-arn arn:aws:iam::561178107736:role/PRX-GHA-ServiceRoleForCloudFormation