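---
# Composite action: obtains a short-lived Vault client token for an AppRole by
# going through the NR Broker (open intention -> provision wrapped secret-id ->
# unwrap on Vault -> AppRole login -> close intention) and exposes it as the
# `vault_token` output.
name: Vault Approle Token extractor through Vault Broker API
description: Acquires a token to be used on vault through the broker API
branding:
  icon: package
  color: blue

inputs:
  ### Required
  broker_jwt:
    # Credential. Store it as a repository/organisation secret; it is placed in
    # the step environment below and never expanded into the script text.
    description: The JWT to be used on the broker
    required: true
  provision_role_id:
    description: The id of the role to be used during provisioning
    required: true
  project_name:
    description: Name of the project on vault, Ex. client
    required: true
  app_name:
    description: Name of the app on vault, Ex. app-client
    required: true
  environment:
    description: Name of the vault environment, Ex. development
    required: true

  ### Usually a bad idea / not recommended
  diff_branch:
    # NOTE(review): accepted but not referenced by any step in this file;
    # kept so existing callers that pass it keep working.
    default: ${{ github.event.repository.default_branch }}
    description: Branch to diff against
  repository:
    default: ${{ github.repository }}
    description: Non-default repo to clone
  broker_url:
    default: https://nr-broker.apps.silver.devops.gov.bc.ca
    description: Something other than the default broker URL
  vault_addr:
    description: Something other than the default vault address
    default: https://vault-iit.apps.silver.devops.gov.bc.ca

outputs:
  vault_token:
    # A live Vault client token. It is masked in the job log before being
    # written, but callers must still treat this output as a secret.
    description: The vault token acquired by the action
    value: ${{ steps.broker.outputs.vault_token }}

runs:
  using: composite
  steps:
    # Check out the repo that holds .github/intention.json.
    # Supply-chain note: a moving tag (v3) can be retargeted upstream; pin to a
    # full commit SHA (with the tag in a trailing comment) when adopting this.
    - uses: actions/checkout@v3
      with:
        repository: ${{ inputs.repository }}

    - id: broker
      name: Vault Broker
      shell: bash
      # Inputs reach the script through the environment instead of being
      # template-expanded into the script body, so a crafted input value
      # cannot inject shell and the JWT is not part of the generated script.
      env:
        BROKER_JWT: ${{ inputs.broker_jwt }}
        ROLE_ID: ${{ inputs.provision_role_id }}
        APP_NAME: ${{ inputs.app_name }}
        PROJECT_NAME: ${{ inputs.project_name }}
        ENVIRONMENT: ${{ inputs.environment }}
        BROKER_URL: ${{ inputs.broker_url }}
        VAULT_ADDR: ${{ inputs.vault_addr }}
      run: |
        set -euo pipefail

        # Close a successfully opened intention on every exit path, including
        # failures part-way through; a second explicit call is a no-op.
        INTENTION_TOKEN=""
        close_intention() {
          if [ -n "${INTENTION_TOKEN}" ]; then
            curl -sS -X POST "${BROKER_URL}/v1/intention/close" \
              -H 'Content-Type: application/json' \
              -H "x-broker-token: ${INTENTION_TOKEN}" || true
            INTENTION_TOKEN=""
          fi
        }
        trap close_intention EXIT

        # `jq -r` prints the literal string "null" for a missing key; every
        # lookup below uses `// empty` and this guard so a failed call stops
        # the flow instead of passing "null" along as a credential.
        require_value() {
          if [ -z "$2" ]; then
            echo "::error::${1} missing from response" >&2
            exit 1
          fi
        }

        # Read the intention file and fill in the run-specific fields. Values
        # are bound with --arg so caller-supplied names cannot break the JSON.
        # NOTE(review): GITHUB_ACTION_PATH is a filesystem path on the runner,
        # so event.url is not a resolvable URL here (unchanged from the
        # original); confirm what the broker expects before altering it.
        PAYLOAD=$(jq \
          --arg url "${GITHUB_SERVER_URL}${GITHUB_ACTION_PATH}" \
          --arg actor "${GITHUB_ACTOR}" \
          --arg provider "${GITHUB_REPOSITORY}-github-action" \
          --arg app "${APP_NAME}" \
          --arg project "${PROJECT_NAME}" \
          --arg env "${ENVIRONMENT}" \
          '.event.url = $url
           | .user.id = $actor
           | .event.provider = $provider
           | .actions[0].service.name = $app
           | .actions[0].service.project = $project
           | .actions[0].service.environment = $env' \
          .github/intention.json)

        # Open an intention with the broker. --fail turns HTTP errors into a
        # non-zero exit (the error body is discarded; use --fail-with-body if
        # the runner's curl is >= 7.76 and the body is wanted in the log).
        INTENTION=$(curl -sS --fail -X POST "${BROKER_URL}/v1/intention/open" \
          -H 'Content-Type: application/json' \
          -H "Authorization: Bearer ${BROKER_JWT}" \
          --data-raw "${PAYLOAD}")
        INTENTION_TOKEN=$(jq -r '.token // empty' <<< "${INTENTION}")
        ACTION_TOKEN=$(jq -r '.actions.provision.token // empty' <<< "${INTENTION}")
        require_value "intention token" "${INTENTION_TOKEN}"
        require_value "action token" "${ACTION_TOKEN}"
        echo "::add-mask::${INTENTION_TOKEN}"
        echo "::add-mask::${ACTION_TOKEN}"

        # With the action token in hand, provision a wrapped secret-id for the
        # AppRole. The header values are quoted as a whole so a token is never
        # subject to word splitting.
        WRAPPED_DATA=$(curl -sS --fail -X POST "${BROKER_URL}/v1/provision/approle/secret-id" \
          -H "x-broker-token: ${ACTION_TOKEN}" \
          -H "x-vault-role-id: ${ROLE_ID}")
        WRAPPED_TOKEN=$(jq -r '.wrap_info.token // empty' <<< "${WRAPPED_DATA}")
        require_value "wrapping token" "${WRAPPED_TOKEN}"
        echo "::add-mask::${WRAPPED_TOKEN}"

        # Unwrap on Vault to obtain the raw secret-id.
        SECRET_ID=$(curl -sS --fail -X POST "${VAULT_ADDR}/v1/sys/wrapping/unwrap" \
          -H "X-Vault-Token: ${WRAPPED_TOKEN}" | jq -r '.data.secret_id // empty')
        require_value "secret id" "${SECRET_ID}"
        echo "::add-mask::${SECRET_ID}"

        # AppRole login; the body is built by jq rather than string-spliced.
        LOGIN_PAYLOAD=$(jq -n --arg role_id "${ROLE_ID}" --arg secret_id "${SECRET_ID}" \
          '{role_id: $role_id, secret_id: $secret_id}')
        LOGIN=$(curl -sS --fail -X POST "${VAULT_ADDR}/v1/auth/vs_apps_approle/login" \
          -H 'Content-Type: application/json' \
          --data-raw "${LOGIN_PAYLOAD}" | jq -r '.auth.client_token // empty')
        require_value "vault token" "${LOGIN}"

        # Close the broker intention (the EXIT trap would also do this).
        close_intention

        # Mask the token in the job log, then hand it to the caller as output.
        echo "::add-mask::${LOGIN}"
        echo "vault_token=${LOGIN}" >> "${GITHUB_OUTPUT}"

    # NOTE(review): with no `with:` this checks out the calling repository
    # again and overwrites the build repo checked out in the first step;
    # kept as-is because downstream steps may depend on that workspace.
    - name: Checkout Action repo to pass tests
      uses: actions/checkout@v3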