
Commit ad26eca

committed
Removed expanding secrets in run blocks and used env instead
1 parent 4f35872 commit ad26eca


3 files changed

+91
-44
lines changed


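--- a/.github/workflows/layers_partition_verify.yml
+++ b/.github/workflows/layers_partition_verify.yml
@@ -112,17 +112,24 @@ jobs:
 uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
 with:
 name: AWSLambdaPowertoolsTypeScriptV2.json
-- id: role-mapping
+- id: role-account-mapping
+env:
+ROLE_ARN_US_GOV_EAST_1: ${{ secrets.US_GOV_EAST_1 }}
+ROLE_ARN_US_GOV_WEST_1: ${{ secrets.US_GOV_WEST_1 }}
+ROLE_ARN_CN_NORTH_1: ${{ secrets.CN_NORTH_1 }}
+AWS_ACCOUNT_US_GOV_EAST_1: ${{ secrets.AWS_ACCOUNT_US_GOV_EAST_1 }}
+AWS_ACCOUNT_US_GOV_WEST_1: ${{ secrets.AWS_ACCOUNT_US_GOV_WEST_1 }}
+AWS_ACCOUNT_CN_NORTH_1: ${{ secrets.AWS_ACCOUNT_CN_NORTH_1 }}
 run: |
 case "${{ matrix.region }}" in
-"us-gov-east-1") echo "ROLE_ARN=${{ secrets.US_GOV_EAST_1 }}" >> "$GITHUB_OUTPUT"; echo "AWS_ACCOUNT=${{ secrets.AWS_ACCOUNT_US_GOV_EAST_1 }}" >> "$GITHUB_OUTPUT" ;;
-"us-gov-west-1") echo "ROLE_ARN=${{ secrets.US_GOV_WEST_1 }}" >> "$GITHUB_OUTPUT"; echo "AWS_ACCOUNT=${{ secrets.AWS_ACCOUNT_US_GOV_WEST_1 }}" >> "$GITHUB_OUTPUT" ;;
-"cn-north-1") echo "ROLE_ARN=${{ secrets.CN_NORTH_1 }}" >> "$GITHUB_OUTPUT"; echo "AWS_ACCOUNT=${{ secrets.AWS_ACCOUNT_CN_NORTH_1 }}" >> "$GITHUB_OUTPUT" ;;
+"us-gov-east-1") echo "ROLE_ARN=$ROLE_ARN_US_GOV_EAST_1" >> "$GITHUB_OUTPUT"; echo "AWS_ACCOUNT=$AWS_ACCOUNT_US_GOV_EAST_1" >> "$GITHUB_OUTPUT" ;;
+"us-gov-west-1") echo "ROLE_ARN=$ROLE_ARN_US_GOV_WEST_1" >> "$GITHUB_OUTPUT"; echo "AWS_ACCOUNT=$AWS_ACCOUNT_US_GOV_WEST_1" >> "$GITHUB_OUTPUT" ;;
+"cn-north-1") echo "ROLE_ARN=$ROLE_ARN_CN_NORTH_1" >> "$GITHUB_OUTPUT"; echo "AWS_ACCOUNT=$AWS_ACCOUNT_CN_NORTH_1" >> "$GITHUB_OUTPUT" ;;
 esac
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
 with:
-role-to-assume: ${{ steps.role-mapping.outputs.ROLE_ARN }}
+role-to-assume: ${{ steps.role-account-mapping.outputs.ROLE_ARN }}
 aws-region: ${{ matrix.region}}
 mask-aws-account-id: true
 audience: ${{ needs.setup.outputs.aud }}
@@ -133,7 +140,7 @@ jobs:
 - name: Verify Layer
 run: |
 export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json'
-aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn "arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region}}:${{ steps.role-mapping.outputs.AWS_ACCOUNT }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ steps.partition_version.outputs.partition_version }}" > $layer_output
+aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn "arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region}}:${{ steps.role-account-mapping.outputs.AWS_ACCOUNT }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ steps.partition_version.outputs.partition_version }}" > $layer_output
 REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output)
 LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json)
 test "$REMOTE_SHA" == "$LOCAL_SHA" && echo "SHA OK: ${LOCAL_SHA}" || exit 1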
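Review bot: The `case` in the role-account-mapping step has no `*)` branch, so a `matrix.region` value outside the three listed writes nothing to `$GITHUB_OUTPUT` and the failure only surfaces later, when configure-aws-credentials receives an empty `role-to-assume`. The region is also still interpolated into the script text with `${{ matrix.region }}`, the same pattern the commit removes for secrets; it presumably comes from a matrix defined in the workflow itself (not in view), but routing it through env is cheaper than reasoning about that. I would add `REGION: ${{ matrix.region }}` to the new env block, switch to `case "$REGION" in`, and close the table with `*) echo "no role mapping for region '$REGION'" >&2; exit 1 ;;`. The same applies to the mapping steps in layers_partitions.yml and update_ssm.yml in this commit.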

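--- a/.github/workflows/layers_partitions.yml
+++ b/.github/workflows/layers_partitions.yml
@@ -136,17 +136,24 @@ jobs:
 run: |
 SHA=$(jq -r '.Content.CodeSha256' 'AWSLambdaPowertoolsTypeScriptV2.json')
 test "$(openssl dgst -sha256 -binary AWSLambdaPowertoolsTypeScriptV2.zip | openssl enc -base64)" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1
-- id: role-mapping
+- id: role-account-mapping
+env:
+ROLE_ARN_US_GOV_EAST_1: ${{ secrets.US_GOV_EAST_1 }}
+ROLE_ARN_US_GOV_WEST_1: ${{ secrets.US_GOV_WEST_1 }}
+ROLE_ARN_CN_NORTH_1: ${{ secrets.CN_NORTH_1 }}
+AWS_ACCOUNT_US_GOV_EAST_1: ${{ secrets.AWS_ACCOUNT_US_GOV_EAST_1 }}
+AWS_ACCOUNT_US_GOV_WEST_1: ${{ secrets.AWS_ACCOUNT_US_GOV_WEST_1 }}
+AWS_ACCOUNT_CN_NORTH_1: ${{ secrets.AWS_ACCOUNT_CN_NORTH_1 }}
 run: |
 case "${{ matrix.region }}" in
-"us-gov-east-1") echo "ROLE_ARN=${{ secrets.US_GOV_EAST_1 }}" >> "$GITHUB_OUTPUT"; echo "AWS_ACCOUNT=${{ secrets.AWS_ACCOUNT_US_GOV_EAST_1 }}" >> "$GITHUB_OUTPUT" ;;
-"us-gov-west-1") echo "ROLE_ARN=${{ secrets.US_GOV_WEST_1 }}" >> "$GITHUB_OUTPUT"; echo "AWS_ACCOUNT=${{ secrets.AWS_ACCOUNT_US_GOV_WEST_1 }}" >> "$GITHUB_OUTPUT" ;;
-"cn-north-1") echo "ROLE_ARN=${{ secrets.CN_NORTH_1 }}" >> "$GITHUB_OUTPUT"; echo "AWS_ACCOUNT=${{ secrets.AWS_ACCOUNT_CN_NORTH_1 }}" >> "$GITHUB_OUTPUT" ;;
+"us-gov-east-1") echo "ROLE_ARN=$ROLE_ARN_US_GOV_EAST_1" >> "$GITHUB_OUTPUT"; echo "AWS_ACCOUNT=$AWS_ACCOUNT_US_GOV_EAST_1" >> "$GITHUB_OUTPUT" ;;
+"us-gov-west-1") echo "ROLE_ARN=$ROLE_ARN_US_GOV_WEST_1" >> "$GITHUB_OUTPUT"; echo "AWS_ACCOUNT=$AWS_ACCOUNT_US_GOV_WEST_1" >> "$GITHUB_OUTPUT" ;;
+"cn-north-1") echo "ROLE_ARN=$ROLE_ARN_CN_NORTH_1" >> "$GITHUB_OUTPUT"; echo "AWS_ACCOUNT=$AWS_ACCOUNT_CN_NORTH_1" >> "$GITHUB_OUTPUT" ;;
 esac
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
 with:
-role-to-assume: ${{ steps.role-mapping.outputs.ROLE_ARN }}
+role-to-assume: ${{ steps.role-account-mapping.outputs.ROLE_ARN }}
 aws-region: ${{ matrix.region}}
 mask-aws-account-id: true
 audience: ${{ needs.setup.outputs.aud }}
@@ -179,7 +186,7 @@ jobs:
 LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }}
 run: |
 export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json'
-aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn 'arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region}}:${{ steps.role-mapping.outputs.AWS_ACCOUNT }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' > $layer_output
+aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn 'arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region}}:${{ steps.role-account-mapping.outputs.AWS_ACCOUNT }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' > $layer_output
 REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output)
 LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json)
 test "$REMOTE_SHA" == "$LOCAL_SHA" && echo "SHA OK: ${LOCAL_SHA}" || exit 1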
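Review bot: The verify step in the second hunk still builds the layer ARN by expanding `${{ steps.role-account-mapping.outputs.AWS_ACCOUNT }}` directly into the `run:` script, and that output is populated from `secrets.AWS_ACCOUNT_*` in the first hunk, so a secret-derived value is still being spliced into script text despite the commit's intent. This step already has an env block (the `LAYER_VERSION` entry at the top of the hunk; the `env:` key itself is above the hunk), so the fix is to add `AWS_ACCOUNT: ${{ steps.role-account-mapping.outputs.AWS_ACCOUNT }}` next to it and write `lambda:${{ matrix.region}}:${AWS_ACCOUNT}:layer:` in the ARN, which also means the single-quoted ARN must become double-quoted for the shell to expand it. The Verify Layer step in layers_partition_verify.yml has the same expansion but shows no env block in view, so it would need one added.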

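--- a/.github/workflows/update_ssm.yml
+++ b/.github/workflows/update_ssm.yml
@@ -90,40 +90,73 @@ jobs:
 id-token: write
 steps:
 - id: role-mapping
+env:
+ROLE_ARN_AF_SOUTH_1: ${{ secrets.AF_SOUTH_1 }}
+ROLE_ARN_EU_CENTRAL_1: ${{ secrets.EU_CENTRAL_1 }}
+ROLE_ARN_EU_CENTRAL_2: ${{ secrets.EU_CENTRAL_2 }}
+ROLE_ARN_US_EAST_1: ${{ secrets.US_EAST_1 }}
+ROLE_ARN_US_EAST_2: ${{ secrets.US_EAST_2 }}
+ROLE_ARN_US_WEST_1: ${{ secrets.US_WEST_1 }}
+ROLE_ARN_US_WEST_2: ${{ secrets.US_WEST_2 }}
+ROLE_ARN_AP_EAST_1: ${{ secrets.AP_EAST_1 }}
+ROLE_ARN_AP_SOUTH_1: ${{ secrets.AP_SOUTH_1 }}
+ROLE_ARN_AP_SOUTH_2: ${{ secrets.AP_SOUTH_2 }}
+ROLE_ARN_AP_NORTHEAST_1: ${{ secrets.AP_NORTHEAST_1 }}
+ROLE_ARN_AP_NORTHEAST_2: ${{ secrets.AP_NORTHEAST_2 }}
+ROLE_ARN_AP_NORTHEAST_3: ${{ secrets.AP_NORTHEAST_3 }}
+ROLE_ARN_AP_SOUTHEAST_1: ${{ secrets.AP_SOUTHEAST_1 }}
+ROLE_ARN_AP_SOUTHEAST_2: ${{ secrets.AP_SOUTHEAST_2 }}
+ROLE_ARN_AP_SOUTHEAST_3: ${{ secrets.AP_SOUTHEAST_3 }}
+ROLE_ARN_AP_SOUTHEAST_4: ${{ secrets.AP_SOUTHEAST_4 }}
+ROLE_ARN_AP_SOUTHEAST_5: ${{ secrets.AP_SOUTHEAST_5 }}
+ROLE_ARN_AP_SOUTHEAST_7: ${{ secrets.AP_SOUTHEAST_7 }}
+ROLE_ARN_CA_CENTRAL_1: ${{ secrets.CA_CENTRAL_1 }}
+ROLE_ARN_CA_WEST_1: ${{ secrets.CA_WEST_1 }}
+ROLE_ARN_EU_WEST_1: ${{ secrets.EU_WEST_1 }}
+ROLE_ARN_EU_WEST_2: ${{ secrets.EU_WEST_2 }}
+ROLE_ARN_EU_WEST_3: ${{ secrets.EU_WEST_3 }}
+ROLE_ARN_EU_SOUTH_1: ${{ secrets.EU_SOUTH_1 }}
+ROLE_ARN_EU_SOUTH_2: ${{ secrets.EU_SOUTH_2 }}
+ROLE_ARN_EU_NORTH_1: ${{ secrets.EU_NORTH_1 }}
+ROLE_ARN_SA_EAST_1: ${{ secrets.SA_EAST_1 }}
+ROLE_ARN_ME_SOUTH_1: ${{ secrets.ME_SOUTH_1 }}
+ROLE_ARN_ME_CENTRAL_1: ${{ secrets.ME_CENTRAL_1 }}
+ROLE_ARN_IL_CENTRAL_1: ${{ secrets.IL_CENTRAL_1 }}
+ROLE_ARN_MX_CENTRAL_1: ${{ secrets.MX_CENTRAL_1 }}
 run: |
 case "${{ matrix.region }}" in
-"af-south-1") echo "ROLE_ARN=${{ secrets.AF_SOUTH_1 }}" >> "$GITHUB_OUTPUT" ;;
-"eu-central-1") echo "ROLE_ARN=${{ secrets.EU_CENTRAL_1 }}" >> "$GITHUB_OUTPUT" ;;
-"eu-central-2") echo "ROLE_ARN=${{ secrets.EU_CENTRAL_2 }}" >> "$GITHUB_OUTPUT" ;;
-"us-east-1") echo "ROLE_ARN=${{ secrets.US_EAST_1 }}" >> "$GITHUB_OUTPUT" ;;
-"us-east-2") echo "ROLE_ARN=${{ secrets.US_EAST_2 }}" >> "$GITHUB_OUTPUT" ;;
-"us-west-1") echo "ROLE_ARN=${{ secrets.US_WEST_1 }}" >> "$GITHUB_OUTPUT" ;;
-"us-west-2") echo "ROLE_ARN=${{ secrets.US_WEST_2 }}" >> "$GITHUB_OUTPUT" ;;
-"ap-east-1") echo "ROLE_ARN=${{ secrets.AP_EAST_1 }}" >> "$GITHUB_OUTPUT" ;;
-"ap-south-1") echo "ROLE_ARN=${{ secrets.AP_SOUTH_1 }}" >> "$GITHUB_OUTPUT" ;;
-"ap-south-2") echo "ROLE_ARN=${{ secrets.AP_SOUTH_2 }}" >> "$GITHUB_OUTPUT" ;;
-"ap-northeast-1") echo "ROLE_ARN=${{ secrets.AP_NORTHEAST_1 }}" >> "$GITHUB_OUTPUT" ;;
-"ap-northeast-2") echo "ROLE_ARN=${{ secrets.AP_NORTHEAST_2 }}" >> "$GITHUB_OUTPUT" ;;
-"ap-northeast-3") echo "ROLE_ARN=${{ secrets.AP_NORTHEAST_3 }}" >> "$GITHUB_OUTPUT" ;;
-"ap-southeast-1") echo "ROLE_ARN=${{ secrets.AP_SOUTHEAST_1 }}" >> "$GITHUB_OUTPUT" ;;
-"ap-southeast-2") echo "ROLE_ARN=${{ secrets.AP_SOUTHEAST_2 }}" >> "$GITHUB_OUTPUT" ;;
-"ap-southeast-3") echo "ROLE_ARN=${{ secrets.AP_SOUTHEAST_3 }}" >> "$GITHUB_OUTPUT" ;;
-"ap-southeast-4") echo "ROLE_ARN=${{ secrets.AP_SOUTHEAST_4 }}" >> "$GITHUB_OUTPUT" ;;
-"ap-southeast-5") echo "ROLE_ARN=${{ secrets.AP_SOUTHEAST_5 }}" >> "$GITHUB_OUTPUT" ;;
-"ap-southeast-7") echo "ROLE_ARN=${{ secrets.AP_SOUTHEAST_7 }}" >> "$GITHUB_OUTPUT" ;;
-"ca-central-1") echo "ROLE_ARN=${{ secrets.CA_CENTRAL_1 }}" >> "$GITHUB_OUTPUT" ;;
-"ca-west-1") echo "ROLE_ARN=${{ secrets.CA_WEST_1 }}" >> "$GITHUB_OUTPUT" ;;
-"eu-west-1") echo "ROLE_ARN=${{ secrets.EU_WEST_1 }}" >> "$GITHUB_OUTPUT" ;;
-"eu-west-2") echo "ROLE_ARN=${{ secrets.EU_WEST_2 }}" >> "$GITHUB_OUTPUT" ;;
-"eu-west-3") echo "ROLE_ARN=${{ secrets.EU_WEST_3 }}" >> "$GITHUB_OUTPUT" ;;
-"eu-south-1") echo "ROLE_ARN=${{ secrets.EU_SOUTH_1 }}" >> "$GITHUB_OUTPUT" ;;
-"eu-south-2") echo "ROLE_ARN=${{ secrets.EU_SOUTH_2 }}" >> "$GITHUB_OUTPUT" ;;
-"eu-north-1") echo "ROLE_ARN=${{ secrets.EU_NORTH_1 }}" >> "$GITHUB_OUTPUT" ;;
-"sa-east-1") echo "ROLE_ARN=${{ secrets.SA_EAST_1 }}" >> "$GITHUB_OUTPUT" ;;
-"me-south-1") echo "ROLE_ARN=${{ secrets.ME_SOUTH_1 }}" >> "$GITHUB_OUTPUT" ;;
-"me-central-1") echo "ROLE_ARN=${{ secrets.ME_CENTRAL_1 }}" >> "$GITHUB_OUTPUT" ;;
-"il-central-1") echo "ROLE_ARN=${{ secrets.IL_CENTRAL_1 }}" >> "$GITHUB_OUTPUT" ;;
-"mx-central-1") echo "ROLE_ARN=${{ secrets.MX_CENTRAL_1 }}" >> "$GITHUB_OUTPUT" ;;
+"af-south-1") echo "ROLE_ARN=$ROLE_ARN_AF_SOUTH_1" >> "$GITHUB_OUTPUT" ;;
+"eu-central-1") echo "ROLE_ARN=$ROLE_ARN_EU_CENTRAL_1" >> "$GITHUB_OUTPUT" ;;
+"eu-central-2") echo "ROLE_ARN=$ROLE_ARN_EU_CENTRAL_2" >> "$GITHUB_OUTPUT" ;;
+"us-east-1") echo "ROLE_ARN=$ROLE_ARN_US_EAST_1" >> "$GITHUB_OUTPUT" ;;
+"us-east-2") echo "ROLE_ARN=$ROLE_ARN_US_EAST_2" >> "$GITHUB_OUTPUT" ;;
+"us-west-1") echo "ROLE_ARN=$ROLE_ARN_US_WEST_1" >> "$GITHUB_OUTPUT" ;;
+"us-west-2") echo "ROLE_ARN=$ROLE_ARN_US_WEST_2" >> "$GITHUB_OUTPUT" ;;
+"ap-east-1") echo "ROLE_ARN=$ROLE_ARN_AP_EAST_1" >> "$GITHUB_OUTPUT" ;;
+"ap-south-1") echo "ROLE_ARN=$ROLE_ARN_AP_SOUTH_1" >> "$GITHUB_OUTPUT" ;;
+"ap-south-2") echo "ROLE_ARN=$ROLE_ARN_AP_SOUTH_2" >> "$GITHUB_OUTPUT" ;;
+"ap-northeast-1") echo "ROLE_ARN=$ROLE_ARN_AP_NORTHEAST_1" >> "$GITHUB_OUTPUT" ;;
+"ap-northeast-2") echo "ROLE_ARN=$ROLE_ARN_AP_NORTHEAST_2" >> "$GITHUB_OUTPUT" ;;
+"ap-northeast-3") echo "ROLE_ARN=$ROLE_ARN_AP_NORTHEAST_3" >> "$GITHUB_OUTPUT" ;;
+"ap-southeast-1") echo "ROLE_ARN=$ROLE_ARN_AP_SOUTHEAST_1" >> "$GITHUB_OUTPUT" ;;
+"ap-southeast-2") echo "ROLE_ARN=$ROLE_ARN_AP_SOUTHEAST_2" >> "$GITHUB_OUTPUT" ;;
+"ap-southeast-3") echo "ROLE_ARN=$ROLE_ARN_AP_SOUTHEAST_3" >> "$GITHUB_OUTPUT" ;;
+"ap-southeast-4") echo "ROLE_ARN=$ROLE_ARN_AP_SOUTHEAST_4" >> "$GITHUB_OUTPUT" ;;
+"ap-southeast-5") echo "ROLE_ARN=$ROLE_ARN_AP_SOUTHEAST_5" >> "$GITHUB_OUTPUT" ;;
+"ap-southeast-7") echo "ROLE_ARN=$ROLE_ARN_AP_SOUTHEAST_7" >> "$GITHUB_OUTPUT" ;;
+"ca-central-1") echo "ROLE_ARN=$ROLE_ARN_CA_CENTRAL_1" >> "$GITHUB_OUTPUT" ;;
+"ca-west-1") echo "ROLE_ARN=$ROLE_ARN_CA_WEST_1" >> "$GITHUB_OUTPUT" ;;
+"eu-west-1") echo "ROLE_ARN=$ROLE_ARN_EU_WEST_1" >> "$GITHUB_OUTPUT" ;;
+"eu-west-2") echo "ROLE_ARN=$ROLE_ARN_EU_WEST_2" >> "$GITHUB_OUTPUT" ;;
+"eu-west-3") echo "ROLE_ARN=$ROLE_ARN_EU_WEST_3" >> "$GITHUB_OUTPUT" ;;
+"eu-south-1") echo "ROLE_ARN=$ROLE_ARN_EU_SOUTH_1" >> "$GITHUB_OUTPUT" ;;
+"eu-south-2") echo "ROLE_ARN=$ROLE_ARN_EU_SOUTH_2" >> "$GITHUB_OUTPUT" ;;
+"eu-north-1") echo "ROLE_ARN=$ROLE_ARN_EU_NORTH_1" >> "$GITHUB_OUTPUT" ;;
+"sa-east-1") echo "ROLE_ARN=$ROLE_ARN_SA_EAST_1" >> "$GITHUB_OUTPUT" ;;
+"me-south-1") echo "ROLE_ARN=$ROLE_ARN_ME_SOUTH_1" >> "$GITHUB_OUTPUT" ;;
+"me-central-1") echo "ROLE_ARN=$ROLE_ARN_ME_CENTRAL_1" >> "$GITHUB_OUTPUT" ;;
+"il-central-1") echo "ROLE_ARN=$ROLE_ARN_IL_CENTRAL_1" >> "$GITHUB_OUTPUT" ;;
+"mx-central-1") echo "ROLE_ARN=$ROLE_ARN_MX_CENTRAL_1" >> "$GITHUB_OUTPUT" ;;
 esac
 - id: creds
 uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a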
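Review bot: The new env block and the case table beneath it encode the same region-to-secret mapping twice, 32 entries each, so adding a region means two edits and a forgotten case branch leaves `ROLE_ARN` unset with no error at this step. Since every env name is already derived mechanically from the region (`af-south-1` becomes `ROLE_ARN_AF_SOUTH_1`), the run script can compute the name with bash indirect expansion and fail closed when the variable is empty, which removes the table and the silent-miss path; this assumes the job's shell is bash, which the hunk does not show. The sketch below keeps the env entries as committed and replaces only the run block.
```yaml
- id: role-mapping
  env:
    REGION: ${{ matrix.region }}
    # … unchanged: the 32 ROLE_ARN_<REGION> entries …
  run: |
    var="ROLE_ARN_$(printf '%s' "$REGION" | tr 'a-z-' 'A-Z_')"
    if [ -z "${!var:-}" ]; then
      echo "no role mapping for region '$REGION'" >&2
      exit 1
    fi
    echo "ROLE_ARN=${!var}" >> "$GITHUB_OUTPUT"
```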
