test update gihub secret api + update token scope

msi-se · Jan 20, 2024 · 4763641 · 4763641
1 parent 94d1de5
commit 4763641
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 12 deletions.
diff --git a/.github/workflows/infrastructure.yml b/.github/workflows/infrastructure.yml
@@ -12,7 +12,7 @@ jobs:
     runs-on: self-hosted
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
       - name: Terraform
@@ -29,7 +29,12 @@ jobs:
           REGISTRY_USERNAME=$(terraform output -raw acr_token_name)
           REGISTRY=$(terraform output -raw acr_server_name)
           REGISTRY_ID=$(terraform output -raw acr_id)
-          keys=("${REGISTRY}" "${POSTGRESQL_FQDN}")
-          for item in "${keys[@]}"; do
-            echo $item
-          done
+          keys=($MONGODB_URI $POSTGRESQL_FQDN $POSTGRESQL_ROOT_USERNAME $POSTGRESQL_ROOT_PASSWORD $REGISTRY_PASSWORD $REGISTRY_USERNAME $REGISTRY $REGISTRY_ID)
+          cd ..
+          public_key_info=$(curl -H "Authorization: token $ACCESS_TOKEN" -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/$ORG_NAME/$REPO_NAME/actions/secrets/public-key)
+          public_key_value=$(echo "$public_key_info" | jq -r '.key')
+          public_key_id=$(echo "$public_key_info" | jq -r '.key_id')
+          MONGODB_URI=$(python3 encrypt-secret.py $MONGODB_URI $public_key_value)
+          echo '{"encrypted_value":"'$MONGODB_URI'","key_id":"'$public_key_id'"}' > body.json
+          curl -L -X PUT -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $ACCESS_TOKEN" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/$ORG_NAME/$REPO_NAME/actions/secrets/MONGODB_URI -d @body.json
+
diff --git a/deployement/README.md b/deployement/README.md
@@ -23,15 +23,13 @@ https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resour
 
 # FOR DEPLOYING DATASTORE
 Already actions secret:
-  - ARM_ACCESS_KEY (necessary for terraform)
   - AZURE_CLIENT_ID: the service principal client ID or user-assigned managed identity client ID
   - AZURE_SUBSCRIPTION_ID: the subscription ID
   - AZURE_TENANT_ID: the tenant ID
   - ACCESS_TOKEN
   - ORG_NAME
   - REPO_NAME
 
-- az login
 - terraform init
 - terraform plan -out datastore.tfplan
 - terraform apply datastore.tfplan
@@ -90,11 +88,6 @@ Already actions secret:
 
 
 # FOR DEPLOYING AKS
-Already actions secret:
-  - ARM_ACCESS_KEY (necessary for terraform)
-
-- az login
-
 - echo -n $REGISTRY_ID > ./registry_id.txt 
 - terraform init
 - terraform plan -out aks.tfplan

diff --git a/deployement/datastore-deployment/datastore-deployment.tf b/deployement/datastore-deployment/datastore-deployment.tf
@@ -16,6 +16,7 @@ resource "azurerm_container_registry_scope_map" "rtwcr1-scope-map-push" {
   resource_group_name     = azurerm_resource_group.rgdata.name
   actions = [
     "repositories/*/content/write",
+    "repositories/*/content/read",
     "repositories/*/metadata/write"
   ]
 }