From 38030074ff4ed45d5f625dabba50d7abaaaa2146 Mon Sep 17 00:00:00 2001 From: Chris Kalafarski Date: Sun, 21 Apr 2024 09:57:02 -0400 Subject: [PATCH] Update GitHub action roles --- .github/workflows/deploy-ci-stack.yml | 26 +++++++++++++------ .../deploy-dns-earhustle.com-stack.yml | 7 ++--- .../deploy-dns-passengerlist.org-stack.yml | 9 ++++--- .../deploy-dns-podcastgarage.org-stack.yml | 7 ++--- .github/workflows/deploy-dns-prx.mx-stack.yml | 7 ++--- .../deploy-dns-publicfeeds.net-stack.yml | 7 ++--- .../deploy-dns-radiotopia.com-stack.yml | 7 ++--- .../deploy-dns-radiotopia.fm-stack.yml | 7 ++--- .../workflows/deploy-dns-trax.fm-stack.yml | 7 ++--- 9 files changed, 51 insertions(+), 33 deletions(-) diff --git a/.github/workflows/deploy-ci-stack.yml b/.github/workflows/deploy-ci-stack.yml index 1f2263d83..6cdd818e8 100644 --- a/.github/workflows/deploy-ci-stack.yml +++ b/.github/workflows/deploy-ci-stack.yml 
@@ -25,18 +25,28 @@ jobs: stack: infrastructure-ci steps: - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 - with: - python-version: "3.9" + - uses: aws-actions/setup-sam@v2 + with: + use-installer: true + - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - aws-region: us-east-1 - role-to-assume: arn:aws:iam::561178107736:role/DevOps-GitHubOidcFederatedRole - role-session-name: GitHubActions-DeployCiStack + aws-region: ${{ matrix.region }} + role-to-assume: arn:aws:iam::561178107736:role/PRX-GHA-AccessRole + role-session-name: gha-deploy-ci + - name: Deploy CloudFormation stack working-directory: ci run: | - bucket_name=$(aws cloudformation describe-stacks --region ${{ matrix.region }} --stack-name aws-sam-cli-managed-default | jq -r ".Stacks[0].Outputs[0].OutputValue") - sam deploy --region ${{ matrix.region }} --no-confirm-changeset --no-fail-on-empty-changeset --stack-name "${{ matrix.stack }}" --s3-bucket "$bucket_name" --s3-prefix "${{ matrix.stack }}" --capabilities CAPABILITY_IAM + sam deploy \ + --region ${{ matrix.region }} \ + --resolve_s3 \ + --no-confirm-changeset \ + --no-fail-on-empty-changeset \ + --stack-name "${{ matrix.stack }}" \ + --s3-bucket "$bucket_name" \ + --s3-prefix "${{ matrix.stack }}" \ + --capabilities CAPABILITY_IAM \ + --role-arn arn:aws:iam::561178107736:role/PRX-GHA-ServiceRoleForCloudFormation diff --git a/.github/workflows/deploy-dns-earhustle.com-stack.yml b/.github/workflows/deploy-dns-earhustle.com-stack.yml index aeb8a2039..0eceee572 100644 --- a/.github/workflows/deploy-dns-earhustle.com-stack.yml +++ b/.github/workflows/deploy-dns-earhustle.com-stack.yml 
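Review bot: The new `sam deploy` command in deploy-ci-stack.yml looks like it cannot run as written. `--resolve_s3` is spelled with an underscore where the SAM CLI option is `--resolve-s3`, and `--s3-bucket "$bucket_name"` is still passed although this hunk removes the line that set `bucket_name`, so it expands to an empty string. SAM also refuses `--resolve-s3` together with `--s3-bucket` in a non-guided deploy, so the fix is to change the one line to `--resolve-s3 \` and delete the `--s3-bucket "$bucket_name" \` line. The job this step belongs to starts above the hunk, so the matrix values are not visible here.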
@@ -25,8 +25,8 @@ jobs: uses: aws-actions/configure-aws-credentials@v4 with: aws-region: us-east-1 - role-to-assume: arn:aws:iam::561178107736:role/DevOps-GitHubOidcFederatedRole - role-session-name: GitHubActions-DeployEarhustlesqComStack + role-to-assume: arn:aws:iam::561178107736:role/PRX-GHA-AccessRole + role-session-name: gha-deploy-earhustle-dns - name: Deploy CloudFormation Stack working-directory: dns @@ -35,4 +35,5 @@ jobs: --no-fail-on-empty-changeset \ --region us-east-1 \ --stack-name hostedzone-earhustlesq-com \ - --template-file earhustlesq.com-hosted_zone.yml + --template-file earhustlesq.com-hosted_zone.yml \ + --role-arn arn:aws:iam::561178107736:role/PRX-GHA-ServiceRoleForCloudFormation diff --git a/.github/workflows/deploy-dns-passengerlist.org-stack.yml b/.github/workflows/deploy-dns-passengerlist.org-stack.yml index 7bd4f0b59..5181ff3fc 100644 --- a/.github/workflows/deploy-dns-passengerlist.org-stack.yml +++ b/.github/workflows/deploy-dns-passengerlist.org-stack.yml @@ -25,14 +25,15 @@ jobs: uses: aws-actions/configure-aws-credentials@v4 with: aws-region: us-east-1 - role-to-assume: arn:aws:iam::561178107736:role/DevOps-GitHubOidcFederatedRole - role-session-name: GitHubActions-DeployPassengerlistOrgStack + role-to-assume: arn:aws:iam::561178107736:role/PRX-GHA-AccessRole + role-session-name: gha-deploy-passengerlist-dns - name: Deploy CloudFormation Stack working-directory: dns run: | aws cloudformation deploy \ - --no-fail-on-empty-changeset + --no-fail-on-empty-changeset \ --region us-east-1 \ --stack-name hostedzone-passengerlist-org \ - --template-file passengerlist.org-hosted_zone.yml + --template-file passengerlist.org-hosted_zone.yml \ + --role-arn arn:aws:iam::561178107736:role/PRX-GHA-ServiceRoleForCloudFormation diff --git a/.github/workflows/deploy-dns-podcastgarage.org-stack.yml b/.github/workflows/deploy-dns-podcastgarage.org-stack.yml index e73cd6eac..09394459f 100644 
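Review bot: The added `--role-arn arn:aws:iam::561178107736:role/PRX-GHA-ServiceRoleForCloudFormation` in deploy-dns-earhustle.com-stack.yml has a lasting effect that the workflow does not document, and the same line is added to the other seven DNS workflows and to deploy-ci-stack.yml. CloudFormation stores a service role on the stack and reuses it for every later operation on that stack, including operations started by a principal that could not pass the role itself. A comment above the deploy step would make that visible to the next maintainer, for example `# Stack stays bound to this service role; anyone who can update the stack acts with the role's permissions`. The policies and trust conditions of `PRX-GHA-AccessRole` are not part of this patch, so whether `iam:PassRole` is limited to this one role for CloudFormation cannot be checked from here.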
--- a/.github/workflows/deploy-dns-podcastgarage.org-stack.yml +++ b/.github/workflows/deploy-dns-podcastgarage.org-stack.yml @@ -25,8 +25,8 @@ jobs: uses: aws-actions/configure-aws-credentials@v4 with: aws-region: us-east-1 - role-to-assume: arn:aws:iam::561178107736:role/DevOps-GitHubOidcFederatedRole - role-session-name: GitHubActions-DeployPodcastgarageOrgStack + role-to-assume: arn:aws:iam::561178107736:role/PRX-GHA-AccessRole + role-session-name: gha-deploy-passengerlist-dns - name: Deploy CloudFormation Stack working-directory: dns @@ -35,4 +35,5 @@ jobs: --no-fail-on-empty-changeset \ --region us-east-1 \ --stack-name hostedzone-podcastgarage-org \ - --template-file podcastgarage.org-hosted_zone.yml + --template-file podcastgarage.org-hosted_zone.yml \ + --role-arn arn:aws:iam::561178107736:role/PRX-GHA-ServiceRoleForCloudFormation diff --git a/.github/workflows/deploy-dns-prx.mx-stack.yml b/.github/workflows/deploy-dns-prx.mx-stack.yml index ef50dfecf..311aefc5e 100644 --- a/.github/workflows/deploy-dns-prx.mx-stack.yml +++ b/.github/workflows/deploy-dns-prx.mx-stack.yml @@ -25,8 +25,8 @@ jobs: uses: aws-actions/configure-aws-credentials@v4 with: aws-region: us-east-1 - role-to-assume: arn:aws:iam::561178107736:role/DevOps-GitHubOidcFederatedRole - role-session-name: GitHubActions-DeployPrxMxStack + role-to-assume: arn:aws:iam::561178107736:role/PRX-GHA-AccessRole + role-session-name: gha-deploy-prxmx-dns - name: Deploy CloudFormation Stack working-directory: dns @@ -35,4 +35,5 @@ jobs: --no-fail-on-empty-changeset \ --region us-east-1 \ --stack-name hostedzone-prx-mx \ - --template-file prx.mx-hosted_zone.yml + --template-file prx.mx-hosted_zone.yml \ + --role-arn arn:aws:iam::561178107736:role/PRX-GHA-ServiceRoleForCloudFormation diff --git a/.github/workflows/deploy-dns-publicfeeds.net-stack.yml b/.github/workflows/deploy-dns-publicfeeds.net-stack.yml index 46de9155d..e29ececa9 100644 --- a/.github/workflows/deploy-dns-publicfeeds.net-stack.yml 
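Review bot: The new session name in deploy-dns-podcastgarage.org-stack.yml is `gha-deploy-passengerlist-dns`, the same value the passengerlist.org workflow uses, which looks like a copy-paste slip. The session name is what appears in CloudTrail for the assumed role, so changes to the podcastgarage.org zone would be logged as coming from the passengerlist deployment. Suggested line: `role-session-name: gha-deploy-podcastgarage-dns`.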
+++ b/.github/workflows/deploy-dns-publicfeeds.net-stack.yml @@ -25,8 +25,8 @@ jobs: uses: aws-actions/configure-aws-credentials@v4 with: aws-region: us-east-1 - role-to-assume: arn:aws:iam::838846856186:role/DevOps-GitHubOidcFederatedRole - role-session-name: GitHubActions-DeployPublicfeedsNetStack + role-to-assume: arn:aws:iam::561178107736:role/PRX-GHA-AccessRole + role-session-name: gha-deploy-publicfeeds-dns - name: Deploy CloudFormation Stack working-directory: dns @@ -35,4 +35,5 @@ jobs: --no-fail-on-empty-changeset \ --region us-east-1 \ --stack-name hosted-zone-publicfeeds-net \ - --template-file publicfeeds.net-hosted_zone.yml + --template-file publicfeeds.net-hosted_zone.yml \ + --role-arn arn:aws:iam::561178107736:role/PRX-GHA-ServiceRoleForCloudFormation diff --git a/.github/workflows/deploy-dns-radiotopia.com-stack.yml b/.github/workflows/deploy-dns-radiotopia.com-stack.yml index e4234303b..ee11b230c 100644 --- a/.github/workflows/deploy-dns-radiotopia.com-stack.yml +++ b/.github/workflows/deploy-dns-radiotopia.com-stack.yml @@ -25,8 +25,8 @@ jobs: uses: aws-actions/configure-aws-credentials@v4 with: aws-region: us-east-1 - role-to-assume: arn:aws:iam::561178107736:role/DevOps-GitHubOidcFederatedRole - role-session-name: GitHubActions-DeployRadiotopiaComStack + role-to-assume: arn:aws:iam::561178107736:role/PRX-GHA-AccessRole + role-session-name: gha-deploy-radiotopia-com-dns - name: Deploy CloudFormation Stack working-directory: dns @@ -35,4 +35,5 @@ jobs: --no-fail-on-empty-changeset \ --region us-east-1 \ --stack-name hostedzone-radiotopia-com \ - --template-file radiotopia.com-hosted_zone.yml + --template-file radiotopia.com-hosted_zone.yml \ + --role-arn arn:aws:iam::561178107736:role/PRX-GHA-ServiceRoleForCloudFormation diff --git a/.github/workflows/deploy-dns-radiotopia.fm-stack.yml b/.github/workflows/deploy-dns-radiotopia.fm-stack.yml index b73fec3bb..b032f076c 100644 --- a/.github/workflows/deploy-dns-radiotopia.fm-stack.yml 
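Review bot: The first hunk of deploy-dns-publicfeeds.net-stack.yml changes the account as well as the role name. The removed ARN was in 838846856186, while the new `role-to-assume` and the added `--role-arn` both point at 561178107736. The commit message only mentions roles, and nothing in the patch shows that stack `hosted-zone-publicfeeds-net` was moved; if it still lives in 838846856186, this deploy would presumably fail or create a second stack and hosted zone in the other account. If the switch is intended, a comment such as `# publicfeeds.net zone is deployed from account 561178107736` above `role-to-assume` would record it; otherwise both ARNs should keep 838846856186, assuming the new roles exist there.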
+++ b/.github/workflows/deploy-dns-radiotopia.fm-stack.yml @@ -25,8 +25,8 @@ jobs: uses: aws-actions/configure-aws-credentials@v4 with: aws-region: us-east-1 - role-to-assume: arn:aws:iam::561178107736:role/DevOps-GitHubOidcFederatedRole - role-session-name: GitHubActions-DeployRadiotopiaFmStack + role-to-assume: arn:aws:iam::561178107736:role/PRX-GHA-AccessRole + role-session-name: gha-deploy-radiotopia-fm-dns - name: Deploy CloudFormation Stack working-directory: dns @@ -35,4 +35,5 @@ jobs: --no-fail-on-empty-changeset \ --region us-east-1 \ --stack-name hostedzone-radiotopia-fm \ - --template-file radiotopia.fm-hosted_zone.yml + --template-file radiotopia.fm-hosted_zone.yml \ + --role-arn arn:aws:iam::561178107736:role/PRX-GHA-ServiceRoleForCloudFormation diff --git a/.github/workflows/deploy-dns-trax.fm-stack.yml b/.github/workflows/deploy-dns-trax.fm-stack.yml index 8b7e87548..e05d28e91 100644 --- a/.github/workflows/deploy-dns-trax.fm-stack.yml +++ b/.github/workflows/deploy-dns-trax.fm-stack.yml @@ -26,8 +26,8 @@ jobs: uses: aws-actions/configure-aws-credentials@v4 with: aws-region: us-east-1 - role-to-assume: arn:aws:iam::561178107736:role/DevOps-GitHubOidcFederatedRole - role-session-name: GitHubActions-DeployTraxFmStack + role-to-assume: arn:aws:iam::561178107736:role/PRX-GHA-AccessRole + role-session-name: gha-deploy-trax-dns - name: Deploy CloudFormation Stack working-directory: dns @@ -36,4 +36,5 @@ jobs: --no-fail-on-empty-changeset \ --region us-east-1 \ --stack-name hostedzone-trax-fm \ - --template-file trax.fm-hosted_zone.yml + --template-file trax.fm-hosted_zone.yml \ + --role-arn arn:aws:iam::561178107736:role/PRX-GHA-ServiceRoleForCloudFormation