new commit

.github/workflows/get-secret-from-env.yml → .github/workflows/get-secret-from-environment.yml

@@ -9,11 +9,24 @@ on:
       env_name:
         required: true
         type: string
+    outputs:
+      secret_value:
+        description: 'Secret value, encrypted with the encryption key'
+        value: ${{ jobs.fetch-credentials.outputs.secret_value }}
+      environment_exists:
+        description: 'Whether the environment exists or not'
+        value: ${{ jobs.check-environment.outputs.environment_exists }}
     secrets:
       gh_token:
         required: true
       encryption_key:
         required: true
+      # All secrets that are we want to allow access to need
+      # to be defined in this list
+      BACKUP_ENCRYPTION_PASSPHRASE:
+        required: false
+      SSH_KEY:
+        required: false
 
 jobs:
   check-environment:
@@ -46,17 +59,26 @@ jobs:
 
   fetch-credentials:
     name: Fetch Secret
-    needs: check-environment
     runs-on: ubuntu-22.04
+    environment: ${{ inputs.env_name }}
+    needs: check-environment
+    # Without this Github actions will create the environment when it doesnt exist
     if: needs.check-environment.outputs.environment_exists == 'true'
     outputs:
       secret_value: ${{ steps.fetch-credentials.outputs.secret_value }}
-      environment_exists: ${{ needs.check-environment.outputs.environment_exists }}
     steps:
       - name: Fetch the secret
         id: fetch-credentials
+        env:
+          SECRET_NAME: ${{ inputs.secret_name }}
         run: |
-          SECRET_VALUE="${{ secrets[inputs.secret_name] }}"
+          SECRET_VALUE="${{ secrets[env.SECRET_NAME] }}"
+          if [ -z "$SECRET_VALUE" ]; then
+            echo "Secret ${{ inputs.secret_name }} is empty. Usually this means you have not explicitly stated the secrets"
+            echo "in both the workflow file get-secrets-from-environment and in the file you are using the reusable workflow from."
+            echo "Please make sure you have added the secret to the workflow files and retry."
+            exit 1
+          fi
           echo -n "$SECRET_VALUE" | openssl enc -aes-256-cbc -pbkdf2 -salt -k "${{ secrets.encryption_key }}" -out encrypted_key.bin
           ENCODED_ENCRYPTED_SECRET=$(base64 < encrypted_key.bin)
           EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)

.github/workflows/provision.yml

@@ -44,21 +44,27 @@ on:
         default: false
 jobs:
   get-backup-ssh-key:
-    uses: ./.github/workflows/get-secret-from-env.yml
+    name: Get backup SSH key
+    uses: ./.github/workflows/get-secret-from-environment.yml
     with:
       secret_name: 'SSH_KEY'
       env_name: 'backup'
     secrets:
       gh_token: ${{ secrets.GH_TOKEN }}
       encryption_key: ${{ secrets.GH_ENCRYPTION_PASSWORD }}
+      SSH_KEY: ${{ secrets.SSH_KEY }}
+
   get-production-encryption-key:
-    uses: ./.github/workflows/get-secret-from-env.yml
+    name: Get production backup encryption key
+    if: github.event.inputs.environment == 'staging'
+    uses: ./.github/workflows/get-secret-from-environment.yml
     with:
       secret_name: 'BACKUP_ENCRYPTION_PASSPHRASE'
       env_name: 'production'
     secrets:
       gh_token: ${{ secrets.GH_TOKEN }}
       encryption_key: ${{ secrets.GH_ENCRYPTION_PASSWORD }}
+      BACKUP_ENCRYPTION_PASSPHRASE: ${{ secrets.BACKUP_ENCRYPTION_PASSPHRASE }}
 
   provision:
     name: Provision ${{ github.event.inputs.environment }}
@@ -83,7 +89,6 @@ jobs:
           openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.GH_ENCRYPTION_PASSWORD }}" -out /tmp/backup_encryption_key
           BACKUP_RESTORE_ENCRYPTION_PASSPHRASE=$(cat /tmp/backup_encryption_key)
           echo "backup_restore_encryption_passphrase=$BACKUP_RESTORE_ENCRYPTION_PASSPHRASE" >> $GITHUB_ENV
-          echo "::add-mask::$BACKUP_RESTORE_ENCRYPTION_PASSPHRASE"
 
       - name: Set variables for ansible
         id: ansible-variables
@@ -124,7 +129,7 @@ jobs:
       - name: Write backup SSH key to file
         if: needs.get-backup-ssh-key.outputs.environment_exists == 'true'
         run: |
-          echo "${{ needs.get-production-encryption-key.outputs.backup-ssh-key }}" | base64 --decode | \
+          echo "${{ needs.get-backup-ssh-key.outputs.secret_value }}" | base64 --decode | \
           openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.GH_ENCRYPTION_PASSWORD }}" -out /tmp/backup_ssh_private_key
           chmod 600 /tmp/backup_ssh_private_key
 

infrastructure/server-setup/tasks/backups/crontab.yml

@@ -34,7 +34,7 @@
 
 - name: Throw an error if periodic_restore_from_backup is true but backup_restore_encryption_passphrase is not defined
   fail:
-    msg: 'Error: backup_restore_encryption_passphrase is not defined. This usually means you have enabled periodic restore from production but you haven't set up a production environment yet. Please set up a production environment first.'
+    msg: "Error: backup_restore_encryption_passphrase is not defined. This usually means you have enabled periodic restore from production but you haven't set up a production environment yet. Please set up a production environment first."
   when: periodic_restore_from_backup and backup_restore_encryption_passphrase is not defined
 
 - name: 'Setup crontab to download a backup periodically the opencrvs data'