fix: split GitHub Action Secrets for AWS Creds into DEV, STAGING, and PROD
brettstack committed May 12, 2020
1 parent 0427cc2 commit cd0482b
Showing 5 changed files with 26 additions and 12 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/delete-stack-on-pr-close.yaml
Expand Up @@ -24,8 +24,8 @@ jobs:
run: |
mkdir ~/.aws
echo "[myapp_dev]
aws_access_key_id = ${{ secrets.AWS_ACCESS_KEY_ID }}
aws_secret_access_key = ${{ secrets.AWS_SECRET_ACCESS_KEY }}" > ~/.aws/credentials
aws_access_key_id = ${{ secrets.AWS_ACCESS_KEY_ID_DEV }}
aws_secret_access_key = ${{ secrets.AWS_SECRET_ACCESS_KEY_DEV }}" > ~/.aws/credentials
- name: Delete PR preview stack
run: SERVERLESS_SERVICE_SUFFIX=-${{ github.head_ref }} npm run remove-stack:dev
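Review bot: `mkdir ~/.aws` without `-p` aborts the step whenever the directory already exists (a self-hosted runner, or an earlier step that configured AWS), and the credentials file is created with the runner's default umask, so anything else running on the machine can read the key. Suggest `mkdir -p ~/.aws` and a `chmod 600 ~/.aws/credentials` right after the `echo "[myapp_dev] ... " > ~/.aws/credentials` line; the same pattern recurs in every workflow touched by this commit.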
4 changes: 2 additions & 2 deletions .github/workflows/on-pr.yaml
Expand Up @@ -36,8 +36,8 @@ jobs:
run: |
mkdir ~/.aws
echo "[myapp_dev]
aws_access_key_id = ${{ secrets.AWS_ACCESS_KEY_ID }}
aws_secret_access_key = ${{ secrets.AWS_SECRET_ACCESS_KEY }}" > ~/.aws/credentials
aws_access_key_id = ${{ secrets.AWS_ACCESS_KEY_ID_DEV }}
aws_secret_access_key = ${{ secrets.AWS_SECRET_ACCESS_KEY_DEV }}" > ~/.aws/credentials
# TODO: How to also get the PR origin repo if it's coming from an external contributor
# See: env.GITHUB_REF, env.GITHUB_HEAD_REF, GITHUB_BASE_REF https://help.github.com/en/actions/configuring-and-managing-workflows/using-environment-variables
NODE_ENV=production ALARMS_NOTIFICATION_EMAIL=alert@example.com SERVERLESS_SERVICE_SUFFIX=-${{ github.head_ref }} npm run deploy:dev
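Review bot: `SERVERLESS_SERVICE_SUFFIX=-${{ github.head_ref }}` expands the PR branch name straight into the shell script, and the branch name is chosen by whoever opened the PR; GitHub's own guidance is to map such values through `env:` (for example `HEAD_REF: ${{ github.head_ref }}`) and reference `$HEAD_REF` inside `run:` so the shell never parses the raw value, and the delete step in delete-stack-on-pr-close.yaml has the same shape. The TODO about external contributors is related: if this workflow runs on a `pull_request` trigger, jobs for PRs from forks do not receive repository secrets, so the `AWS_ACCESS_KEY_ID_DEV` values above would be empty there and the deploy would fail rather than run with credentials, which is worth documenting next to the TODO.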
8 changes: 4 additions & 4 deletions .github/workflows/on-push-to-master.yaml
Expand Up @@ -26,8 +26,8 @@ jobs:
run: |
mkdir ~/.aws
echo "[myapp_staging]
aws_access_key_id = ${{ secrets.AWS_ACCESS_KEY_ID }}
aws_secret_access_key = ${{ secrets.AWS_SECRET_ACCESS_KEY }}" > ~/.aws/credentials
aws_access_key_id = ${{ secrets.AWS_ACCESS_KEY_ID_STAGING }}
aws_secret_access_key = ${{ secrets.AWS_SECRET_ACCESS_KEY_STAGING }}" > ~/.aws/credentials
NODE_ENV=production npm run deploy:staging
# TODO: Additional end-to-end tests
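Review bot: this hunk (like the other four) renames the secret references, but nothing checks that `AWS_ACCESS_KEY_ID_STAGING` / `AWS_SECRET_ACCESS_KEY_STAGING` have actually been created in the repository settings; an undefined secret expands to an empty string inside `${{ }}`, so the profile would be written with blank keys and the failure only surfaces later inside `npm run deploy:staging`. Consider mapping the secrets via `env:` and guarding before the `echo`, e.g. `test -n "$AWS_ACCESS_KEY_ID_STAGING" || { echo 'missing STAGING secrets' >&2; exit 1; }`, or at least state in the README that all six secrets must exist before this is merged.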
Expand All @@ -41,8 +41,8 @@ jobs:
echo "
[myapp_prod]
aws_access_key_id = ${{ secrets.AWS_ACCESS_KEY_ID }}
aws_secret_access_key = ${{ secrets.AWS_SECRET_ACCESS_KEY }}" > ~/.aws/credentials
aws_access_key_id = ${{ secrets.AWS_ACCESS_KEY_ID_PROD }}
aws_secret_access_key = ${{ secrets.AWS_SECRET_ACCESS_KEY_PROD }}" > ~/.aws/credentials
npm run package:prod
npm run zip-release
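Review bot: on push to master this step writes the prod profile only to run `npm run package:prod` and `npm run zip-release`; if those just build and bundle the artifact, they may not need AWS credentials at all, and keeping the prod key out of the master-push workflow (leaving it only in on-release-published.yaml) narrows what a compromised build on master could reach, so please confirm which of the two scripts actually talks to AWS. Also, the `>` redirect replaces the `~/.aws/credentials` written earlier in this workflow for staging, so `[myapp_staging]` is gone from this point on, which is fine only as long as no later step expects it.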
4 changes: 2 additions & 2 deletions .github/workflows/on-release-published.yaml
Expand Up @@ -24,8 +24,8 @@ jobs:
run: |
mkdir ~/.aws
echo "[myapp_prod]
aws_access_key_id = ${{ secrets.AWS_ACCESS_KEY_ID }}
aws_secret_access_key = ${{ secrets.AWS_SECRET_ACCESS_KEY }}" > ~/.aws/credentials
aws_access_key_id = ${{ secrets.AWS_ACCESS_KEY_ID_PROD }}
aws_secret_access_key = ${{ secrets.AWS_SECRET_ACCESS_KEY_PROD }}" > ~/.aws/credentials
- name: Setup Node.js
uses: actions/setup-node@v1
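Review bot: after this commit nothing references `secrets.AWS_ACCESS_KEY_ID` / `secrets.AWS_SECRET_ACCESS_KEY` any more, but the two repository secrets, and the single IAM key they hold (which until now reached dev, staging and prod alike), still exist; the split only delivers isolation once that key is deactivated in IAM and the old secrets are deleted after the `_PROD` pair is verified working here. That clean-up is not mentioned in the commit message or README and is worth tracking as a follow-up.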
18 changes: 16 additions & 2 deletions README.md
Expand Up @@ -17,7 +17,22 @@ Get started developing applications quickly with best practices using Serverless

Clone the repository `git clone https://github.com/wizeline/serverless-fullstack` and replace all instances of "myapp" with the name of your application.

Add `myapp_dev`, `myapp_staging`, and `myapp_prod` profiles to `~/.aws/credentials` (replacing `myapp` with the name of your application). It's recommended that each developer has their own account, and for staging and prod profiles to exist in separate accounts.
Create AWS Credentials for your developer account and add `myapp_dev` profile to `~/.aws/credentials` (replacing `myapp` with the name of your application). It's recommended that each developer has their own account, and for staging and prod profiles to exist in separate accounts.

If you want to be able to deploy to staging and production manually, you'll need to add `_staging` and `_production` profiles also.

Add your AWS credentials as secrets to your GitHub Repository with the following keys:

* `AWS_ACCESS_KEY_ID_DEV`
* `AWS_SECRET_ACCESS_KEY_DEV`
* `AWS_ACCESS_KEY_ID_STAGING`
* `AWS_SECRET_ACCESS_KEY_STAGING`
* `AWS_ACCESS_KEY_ID_PROD`
* `AWS_SECRET_ACCESS_KEY_PROD`

It's advised that development, staging, and production environments exist in separate AWS accounts. However, if you'd prefer to deploy to a single AWS Account for simplicity, you can simply specify the same credentials for each.

Create a GitHub Personal Access Token and add it as a repository secret called `GH_PERSONAL_ACCESS_TOKEN`. This is used to create GitHub releases.

Coming soon: setup script to automate this.

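Review bot: the new README text tells the reader to add `_staging` and `_production` profiles, but the workflows in this same commit (and the line being replaced) use `myapp_staging` and `myapp_prod`, so `_production` should read `_prod` or a manual deploy will not find the profile. The sentence about specifying the same credentials for each environment also undercuts the point of this change: even within a single AWS account, three IAM users each scoped to their own stacks keep a leaked dev key from reaching prod, and the README could recommend that instead of one key for all three secrets pairs.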
Expand Down Expand Up @@ -110,7 +125,6 @@ By default, Cognito forces users to verify their email address, but this kit com
- [ ] Enable stack termination protection on prod and staging
- [ ] Add [lumigo-cli](https://www.npmjs.com/package/lumigo-cli), especially for tuning
- [ ] Split stacks to mitigate chance of hitting CloudFormation 200 resource limit
- [ ] Split secrets.AWS_ACCESS_KEY_ID and secrets.AWS_SECRET_ACCESS_KEY in GitHub Action Workflows into _DEV, _STAGING, and _PROD.
- [ ] Additional unit/integration tests
- [ ] End-to-end tests (with Cypress?)
- [ ] Make it easy to disable this for open-source projects where you don't want to allow people to create resources in your AWS account. 🔒

0 comments on commit cd0482b