From 9e301d31841d9de06c58c154e45f9dbc09c49e7d Mon Sep 17 00:00:00 2001
From: Jon Rohan
Date: Mon, 14 Oct 2024 15:06:49 -0700
Subject: [PATCH] Move azure ids to secrets (#3151)
---
 .github/workflows/demo-preview-cleanup.yml | 6 +++---
 .github/workflows/demo-preview-destroy.yml | 6 +++---
 .github/workflows/demo-production-deploy.yml | 17 ++++++++++-------
 .github/workflows/preview-deploy.yml | 8 ++++----
 demo/kuby.rb | 6 +++---
 5 files changed, 23 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/demo-preview-cleanup.yml b/.github/workflows/demo-preview-cleanup.yml
index a6e7a7741a..dd8118c717 100644
--- a/.github/workflows/demo-preview-cleanup.yml
+++ b/.github/workflows/demo-preview-cleanup.yml
@@ -27,9 +27,9 @@ jobs:
 with:
 # excluding a client secret here will cause a login via OpenID Connect (OIDC),
 # which prevents us from having to rotate client credentials, etc
- client-id: "5ad1a188-b944-40eb-a2f8-cc683a6a65a0"
- tenant-id: "398a6654-997b-47e9-b12b-9515b896b4de"
- subscription-id: "550eb99d-d0c7-4651-a337-f53fa6520c4f"
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
 # Do this before repo checkout to prevent running bundle install
 - uses: ruby/setup-ruby@v1
diff --git a/.github/workflows/demo-preview-destroy.yml b/.github/workflows/demo-preview-destroy.yml
index 4f3ae668d0..c00a37fd46 100644
--- a/.github/workflows/demo-preview-destroy.yml
+++ b/.github/workflows/demo-preview-destroy.yml
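Review bot: The three values moved into `secrets` in this `with:` block are identifiers rather than credentials (the comment directly above says the login is OIDC with no client secret), and storing them as secrets has two consequences to decide on deliberately: they are masked in job logs, which hides them from login diagnostics, and the `secrets` context is not passed to runs triggered by `pull_request` from forks, so such a run would hand azure/login empty `client-id`/`tenant-id`/`subscription-id` and fail with an unhelpful error. The `on:` triggers are outside the hunk, so whether forks can reach this job cannot be confirmed from here; if they can, repository or environment `vars` (`${{ vars.AZURE_CLIENT_ID }}`) is the store GitHub provides for non-sensitive configuration. Whichever store is kept, a comment next to the inputs such as `# identifiers only, not credentials; the OIDC federated credential is bound to this client/tenant` would record why they left the file. The same change appears in demo-preview-destroy.yml (@@ -31), demo-production-deploy.yml (@@ -32 and @@ -84) and preview-deploy.yml (@@ -62 and @@ -96).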
@@ -31,9 +31,9 @@ jobs:
 with:
 # excluding a client secret here will cause a login via OpenID Connect (OIDC),
 # which prevents us from having to rotate client credentials, etc
- client-id: "5ad1a188-b944-40eb-a2f8-cc683a6a65a0"
- tenant-id: "398a6654-997b-47e9-b12b-9515b896b4de"
- subscription-id: "550eb99d-d0c7-4651-a337-f53fa6520c4f"
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
 - name: Check out repo
 uses: actions/checkout@v4
diff --git a/.github/workflows/demo-production-deploy.yml b/.github/workflows/demo-production-deploy.yml
index 80a93bcc8d..b313b559c1 100644
--- a/.github/workflows/demo-production-deploy.yml
+++ b/.github/workflows/demo-production-deploy.yml
@@ -32,9 +32,9 @@ jobs:
 with:
 # excluding a client secret here will cause a login via OpenID Connect (OIDC),
 # which prevents us from having to rotate client credentials, etc
- client-id: "5ad1a188-b944-40eb-a2f8-cc683a6a65a0"
- tenant-id: "398a6654-997b-47e9-b12b-9515b896b4de"
- subscription-id: "550eb99d-d0c7-4651-a337-f53fa6520c4f"
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 - name: Purge tags
 run: |
 # only delete tags that aren't "latest" or "latest-assets"
@@ -84,13 +84,16 @@ jobs:
 with:
 # excluding a client secret here will cause a login via OpenID Connect (OIDC),
 # which prevents us from having to rotate client credentials, etc
- client-id: "5ad1a188-b944-40eb-a2f8-cc683a6a65a0"
- tenant-id: "398a6654-997b-47e9-b12b-9515b896b4de"
- subscription-id: "550eb99d-d0c7-4651-a337-f53fa6520c4f"
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 - name: Deploy
 env:
 RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
 AZURE_ACR_PASSWORD: ${{ secrets.AZURE_ACR_PASSWORD }}
+ AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+ AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
 run: |
- export AZURE_ACCESS_TOKEN=$(az account get-access-token --subscription 550eb99d-d0c7-4651-a337-f53fa6520c4f | jq -r .accessToken)
+ export AZURE_ACCESS_TOKEN=$(az account get-access-token --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }} | jq -r .accessToken)
 bin/kuby -e production deploy
diff --git a/.github/workflows/preview-deploy.yml b/.github/workflows/preview-deploy.yml
index e23c14baba..7c68e157a5 100644
--- a/.github/workflows/preview-deploy.yml
+++ b/.github/workflows/preview-deploy.yml
@@ -62,9 +62,9 @@ jobs:
 with:
 # excluding a client secret here will cause a login via OpenID Connect (OIDC),
 # which prevents us from having to rotate client credentials, etc
- client-id: "5ad1a188-b944-40eb-a2f8-cc683a6a65a0"
- tenant-id: "398a6654-997b-47e9-b12b-9515b896b4de"
- subscription-id: "550eb99d-d0c7-4651-a337-f53fa6520c4f"
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
 - name: Get preview app info
 run: ./.github/workflows/demo-preview-app-info.sh
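Review bot: The rewritten `run:` line in the Deploy step of demo-production-deploy.yml (@@ -84) still has the shape `export AZURE_ACCESS_TOKEN=$(az … | jq -r .accessToken)`, whose exit status is that of `export`, not of `az` or `jq`, so a failed token request leaves `AZURE_ACCESS_TOKEN` empty and `bin/kuby -e production deploy` runs anyway. Assigning first and exporting second, `AZURE_ACCESS_TOKEN=$(az account get-access-token --subscription "$AZURE_SUBSCRIPTION_ID" | jq -r .accessToken)` followed by `export AZURE_ACCESS_TOKEN`, lets the step's `-e` (and `pipefail`, if the job's `shell:` setting, which is outside the hunk, enables it) abort before the deploy. That form also reads the `AZURE_SUBSCRIPTION_ID` this hunk already places in `env:` instead of interpolating `${{ secrets.AZURE_SUBSCRIPTION_ID }}` into the script, which keeps the shell body free of expression expansion and matches how the other env entries are consumed. Note that demo/kuby.rb (the patch's last hunk) reads these same variables with `ENV[...]`, which yields nil when one is unset; if this Deploy step is the only place they are exported, `ENV.fetch("AZURE_SUBSCRIPTION_ID")` there would fail with a clear `KeyError` rather than passing nil to the provider.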
@@ -96,7 +96,7 @@ jobs:
 uses: azure/arm-deploy@a1361c2c2cd398621955b16ca32e01c65ea340f5
 with:
 resourceGroupName: primer
- subscriptionId: 550eb99d-d0c7-4651-a337-f53fa6520c4f
+ subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 template: ./.github/workflows/demo-preview-template.json
 deploymentName: ${{env.DEPLOYMENT_NAME}}
 parameters: appName="${{env.APP_NAME}}"
diff --git a/demo/kuby.rb b/demo/kuby.rb
index 5e4e14e966..b9e2ef4834 100644
--- a/demo/kuby.rb
+++ b/demo/kuby.rb
@@ -151,9 +151,9 @@ def install_from_image(image, dockerfile)
 kubernetes do
 provider :azure do
- subscription_id "550eb99d-d0c7-4651-a337-f53fa6520c4f"
- tenant_id "398a6654-997b-47e9-b12b-9515b896b4de"
- client_id "5ad1a188-b944-40eb-a2f8-cc683a6a65a0"
+ subscription_id ENV["AZURE_SUBSCRIPTION_ID"]
+ tenant_id ENV["AZURE_TENANT_ID"]
+ client_id ENV["AZURE_CLIENT_ID"]
 resource_group_name "primer"
 resource_name "primer"