[IT-3258] Fix CI build

Fix CI build by enabling github OIDC then assuming a role before updating the image dashboard file. depends on Sage-Bionetworks-IT/organizations-infra#1016
zaro0508 · Oct 31, 2023 · e44ca24 · e44ca24
1 parent 751a6f0
commit e44ca24
Show file tree

Hide file tree

Showing 3 changed files with 167 additions and 9 deletions.
diff --git a/.github/workflows/auto-ghpages.yaml b/.github/workflows/auto-ghpages.yaml
@@ -20,9 +20,17 @@ jobs:
           python -m pip install --upgrade pip
           pip install boto3
 
+      - name: Assume AWS Role
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          aws-region: us-east-1
+          role-to-assume: arn:aws:iam::867686887310:role/sagebase-github-oidc-packer-image-deploy
+          role-session-name: GitHubActions-${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}
+          role-duration-seconds: 600
+
       - name: Run AMI dashboard
         run: |
-          python ami_dashboard.py ${{ secrets.aws_access_key_id }} ${{ secrets.aws_secret_access_key }} ${{ secrets.packer_service_arn }}
+          python ami_dashboard.py
 
       - name: Commit report
         run: |

diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,147 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+env/
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# pyenv
+.python-version
+
+# celery beat schedule file
+celerybeat-schedule
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+
+.idea/
+git-crypt.key
+
+# Elastic Beanstalk Files
+.elasticbeanstalk/*
+!.elasticbeanstalk/*.cfg.yml
+!.elasticbeanstalk/*.global.yml
+
+# sceptre remote templates
+templates/remote/
+
+# lambda artifacts
+lambdas/*.zip
+
+# MAC Crap
+.DS_Store
+
+# temp files
+temp/
+
+# pipenv
+Pipfile*
+
+# npm
+node_modules/
+
+# sceptre
+sceptre/**/templates/remote/
+.dump/
+
+# lerna
+lerna-debug.log
+
+# ofn
+.printed-stacks/
+
+# auto generated files
+org-formation/200-baseline/cdk-bootstrap.json
+org-formation/200-baseline/tmptemplate.json
+
+.project
diff --git a/ami_dashboard.py b/ami_dashboard.py
@@ -30,7 +30,7 @@
 def get_aws_client(service: str, access_key: str,
                    secret_access_key: str,
                    role_arn: str) -> boto3.client:
-    """Get AWS client
+    """Assume a role and return an AWS client
 
     Args:
         service: AWS service to use
@@ -93,12 +93,12 @@ def form_markdown_text(ami_dict: dict) -> List[str]:
 def cli():
     """CLI"""
     parser = argparse.ArgumentParser(
-        description='Challenge utility functions'
+        description='AMI dashboard utility'
     )
-    parser.add_argument("access_key_id", help="AWS access key id", type=str)
-    parser.add_argument("secret_access_key", help="AWS secret access key",
+    parser.add_argument("access_key_id", nargs="+", help="AWS access key id", type=str)
+    parser.add_argument("secret_access_key", nargs="+", help="AWS secret access key",
                         type=str)
-    parser.add_argument("role_arn", help="AWS Role ARN", type=str)
+    parser.add_argument("role_arn", nargs="+", help="AWS Role ARN", type=str)
     parser.add_argument("--exclude_ami", nargs="+",
                         help="Exclude AMIs with these prefixes")
     args = parser.parse_args()
@@ -109,9 +109,12 @@ def main():
     """List available AMI's, form markdown table text with AMIs,
     push to github"""
     args = cli()
-    ec2_client = get_aws_client("ec2", args.access_key_id,
-                                args.secret_access_key,
-                                args.role_arn)
+    if args.access_key_id and args.secret_access_key and args.role_arn:
+        ec2_client = get_aws_client("ec2", args.access_key_id,
+                                    args.secret_access_key,
+                                    args.role_arn)
+    else:
+        ec2_client = client = boto3.client("ec2")
     # Get AMI images
     images = ec2_client.describe_images(Owners=['self'])