From 93fd03812ac728afb84c3592d4444d6251bb7063 Mon Sep 17 00:00:00 2001
From: Riku Rouvila
Date: Wed, 29 May 2024 14:41:05 +0300
Subject: [PATCH] new commit
---
 ...nv.yml => get-secret-from-environment.yml} | 28 +++++++++++++++++--
 .github/workflows/provision.yml | 13 ++++++---
 .../server-setup/tasks/backups/crontab.yml | 2 +-
 3 files changed, 35 insertions(+), 8 deletions(-)
 rename .github/workflows/{get-secret-from-env.yml => get-secret-from-environment.yml} (64%)
diff --git a/.github/workflows/get-secret-from-env.yml b/.github/workflows/get-secret-from-environment.yml
similarity index 64%
rename from .github/workflows/get-secret-from-env.yml
rename to .github/workflows/get-secret-from-environment.yml
index 2daea4c38..79fe4c73a 100644
--- a/.github/workflows/get-secret-from-env.yml
+++ b/.github/workflows/get-secret-from-environment.yml
@@ -9,11 +9,24 @@ on:
 env_name:
 required: true
 type: string
+ outputs:
+ secret_value:
+ description: 'Secret value, encrypted with the encryption key'
+ value: ${{ jobs.fetch-credentials.outputs.secret_value }}
+ environment_exists:
+ description: 'Whether the environment exists or not'
+ value: ${{ jobs.check-environment.outputs.environment_exists }}
 secrets:
 gh_token:
 required: true
 encryption_key:
 required: true
+ # All secrets that are we want to allow access to need
+ # to be defined in this list
+ BACKUP_ENCRYPTION_PASSPHRASE:
+ required: false
+ SSH_KEY:
+ required: false
 jobs:
 check-environment:
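Review bot: The comment added above `BACKUP_ENCRYPTION_PASSPHRASE` is hard to parse ("All secrets that are we want to allow access to need"), and since this list is what a caller's `secret_name` is resolved against, it deserves a precise statement; suggest `# Allowlist: every secret a caller may request via secret_name must be declared here (required: false so each caller passes only the ones it needs); anything not declared in both places resolves to an empty value and fetch-credentials fails.` The `secret_value` output description could also state the encoding the consumer has to reverse — base64 of an `openssl enc -aes-256-cbc -pbkdf2 -salt` blob keyed with `encryption_key` — because provision.yml has to mirror it exactly. The `check-environment` job that feeds the new `environment_exists` output lies outside this hunk.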
@@ -46,17 +59,26 @@ jobs:
 fetch-credentials:
 name: Fetch Secret
- needs: check-environment
 runs-on: ubuntu-22.04
+ environment: ${{ inputs.env_name }}
+ needs: check-environment
+ # Without this Github actions will create the environment when it doesnt exist
 if: needs.check-environment.outputs.environment_exists == 'true'
 outputs:
 secret_value: ${{ steps.fetch-credentials.outputs.secret_value }}
- environment_exists: ${{ needs.check-environment.outputs.environment_exists }}
 steps:
 - name: Fetch the secret
 id: fetch-credentials
+ env:
+ SECRET_NAME: ${{ inputs.secret_name }}
 run: |
- SECRET_VALUE="${{ secrets[inputs.secret_name] }}"
+ SECRET_VALUE="${{ secrets[env.SECRET_NAME] }}"
+ if [ -z "$SECRET_VALUE" ]; then
+ echo "Secret ${{ inputs.secret_name }} is empty. Usually this means you have not explicitly stated the secrets"
+ echo "in both the workflow file get-secrets-from-environment and in the file you are using the reusable workflow from."
+ echo "Please make sure you have added the secret to the workflow files and retry."
+ exit 1
+ fi
 echo -n "$SECRET_VALUE" | openssl enc -aes-256-cbc -pbkdf2 -salt -k "${{ secrets.encryption_key }}" -out encrypted_key.bin
 ENCODED_ENCRYPTED_SECRET=$(base64 < encrypted_key.bin)
 EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
diff --git a/.github/workflows/provision.yml b/.github/workflows/provision.yml
index eb15823ee..faf10f655 100644
--- a/.github/workflows/provision.yml
+++ b/.github/workflows/provision.yml
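Review bot: The new empty-secret branch puts `${{ inputs.secret_name }}` back into the shell text of the first echo, one line after the lookup was deliberately moved to the `SECRET_NAME` env var; `secret_name` is a caller-supplied string and an expression inside `run:` is substituted before the shell sees it, which is exactly the script-injection pattern the env-var indirection exists to avoid. Use the variable there as well: `echo "Secret $SECRET_NAME is empty. Usually this means you have not explicitly stated the secrets"`. The second echo names the file `get-secrets-from-environment` while the workflow is `get-secret-from-environment.yml` (see the rename above), so the hint sends users to a file that does not exist. The unchanged openssl line likewise expands `secrets.encryption_key` inline and hands it over with `-k`, putting the key into the process arguments; supplying it via `env:` and `-pass env:ENCRYPTION_KEY` keeps it out of both the script text and the command line. The step's `run:` block continues past the hunk.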
@@ -44,21 +44,27 @@ on:
 default: false
 jobs:
 get-backup-ssh-key:
- uses: ./.github/workflows/get-secret-from-env.yml
+ name: Get backup SSH key
+ uses: ./.github/workflows/get-secret-from-environment.yml
 with:
 secret_name: 'SSH_KEY'
 env_name: 'backup'
 secrets:
 gh_token: ${{ secrets.GH_TOKEN }}
 encryption_key: ${{ secrets.GH_ENCRYPTION_PASSWORD }}
+ SSH_KEY: ${{ secrets.SSH_KEY }}
+
 get-production-encryption-key:
- uses: ./.github/workflows/get-secret-from-env.yml
+ name: Get production backup encryption key
+ if: github.event.inputs.environment == 'staging'
+ uses: ./.github/workflows/get-secret-from-environment.yml
 with:
 secret_name: 'BACKUP_ENCRYPTION_PASSPHRASE'
 env_name: 'production'
 secrets:
 gh_token: ${{ secrets.GH_TOKEN }}
 encryption_key: ${{ secrets.GH_ENCRYPTION_PASSWORD }}
+ BACKUP_ENCRYPTION_PASSPHRASE: ${{ secrets.BACKUP_ENCRYPTION_PASSPHRASE }}
 provision:
 name: Provision ${{ github.event.inputs.environment }}
@@ -83,7 +89,6 @@ jobs:
 openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.GH_ENCRYPTION_PASSWORD }}" -out /tmp/backup_encryption_key
 BACKUP_RESTORE_ENCRYPTION_PASSPHRASE=$(cat /tmp/backup_encryption_key)
 echo "backup_restore_encryption_passphrase=$BACKUP_RESTORE_ENCRYPTION_PASSPHRASE" >> $GITHUB_ENV
- echo "::add-mask::$BACKUP_RESTORE_ENCRYPTION_PASSPHRASE"
 - name: Set variables for ansible
 id: ansible-variables
@@ -124,7 +129,7 @@ jobs:
 - name: Write backup SSH key to file
 if: needs.get-backup-ssh-key.outputs.environment_exists == 'true'
 run: |
- echo "${{ needs.get-production-encryption-key.outputs.backup-ssh-key }}" | base64 --decode | \
+ echo "${{ needs.get-backup-ssh-key.outputs.secret_value }}" | base64 --decode | \
 openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.GH_ENCRYPTION_PASSWORD }}" -out /tmp/backup_ssh_private_key
 chmod 600 /tmp/backup_ssh_private_key
diff --git a/infrastructure/server-setup/tasks/backups/crontab.yml b/infrastructure/server-setup/tasks/backups/crontab.yml
index d1b04496c..0af6d6d29 100644
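Review bot: `if: github.event.inputs.environment == 'staging'` on `get-production-encryption-key` skips that job for every other environment, and a job whose `needs` includes a skipped job is itself skipped unless its own `if` uses `always()` or `!cancelled()`; the `provision` job's `needs` and `if` are outside this hunk, so please confirm that provisioning production and backup still runs after this change. If the intent is that only staging restores production backups, say so next to the condition: `# Only staging restores from production backups, so only staging needs this key`. The decrypt step further down (hunk at new line 89) reads this job's output and presumably sees an empty value outside staging unless it is guarded.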
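Review bot: Dropping `echo "::add-mask::$BACKUP_RESTORE_ENCRYPTION_PASSPHRASE"` leaves the decrypted passphrase unmasked while the line above still writes it into `$GITHUB_ENV`, so any later step that prints its environment or runs ansible with verbose output would log it in clear text. If the mask was removed because the value can now be empty (the producing job is conditional on staging in the hunk above), guard it instead of deleting it: `if [ -n "$BACKUP_RESTORE_ENCRYPTION_PASSPHRASE" ]; then echo "::add-mask::$BACKUP_RESTORE_ENCRYPTION_PASSPHRASE"; fi`. Quoting `"$GITHUB_ENV"` on the export line is a small style point. The step's `run:` block starts before this hunk.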
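Review bot: `openssl ... -out /tmp/backup_ssh_private_key` creates the decrypted private key under the runner's default umask and only the following `chmod 600` tightens it, so there is a short window in which other accounts on the runner can read it; putting `umask 077` as the first line of this `run:` block creates the file with owner-only permissions from the start. The corrected reference `needs.get-backup-ssh-key.outputs.secret_value` matches the `secret_value` output the reusable workflow now exposes, and the step's `if` on `environment_exists` lines up with the new workflow-level output. As on the decrypt step above, `secrets.GH_ENCRYPTION_PASSWORD` is expanded inline and passed with `-k`, so it also lands in the process arguments.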
--- a/infrastructure/server-setup/tasks/backups/crontab.yml
+++ b/infrastructure/server-setup/tasks/backups/crontab.yml
@@ -34,7 +34,7 @@
 - name: Throw an error if periodic_restore_from_backup is true but backup_restore_encryption_passphrase is not defined
 fail:
- msg: 'Error: backup_restore_encryption_passphrase is not defined. This usually means you have enabled periodic restore from production but you haven't set up a production environment yet. Please set up a production environment first.'
+ msg: "Error: backup_restore_encryption_passphrase is not defined. This usually means you have enabled periodic restore from production but you haven't set up a production environment yet. Please set up a production environment first."
 when: periodic_restore_from_backup and backup_restore_encryption_passphrase is not defined
 - name: 'Setup crontab to download a backup periodically the opencrvs data'