[v9] Refactor Drone Pipelines to use AWS role assumption#17255
Merged
Conversation
github-actions
Bot
requested review from
fheinecke,
justinas,
r0mant and
reedloden
wadells
changed the title
r0mant
approved these changes
Oct 11, 2022
justinas
approved these changes
Oct 11, 2022
Removed for the following reasons: * We don't use a similar pattern with other volume refs * This removes the need to look in another file to determine what is going on * Adding them explicitly is fewer lines of code
Merged
Previously, "${ARTIFACT_PATH}" was interpreted as Drone variable
subsitution, resulting in "rm -rf ${ARTIFACT_PATH}/*" becoming
"rm -rf /*", which deleted credentials on the filesystem.
This was referenced Oct 13, 2022
wadells
force-pushed
the
walt/v9-role-assumption
branch
from
b9ddd9a to
5ad11ea
Compare
This is follow up to #17201, that fixes the buildbox pipeline error seen here: An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::146628656107:user/teleport_build_user_read_only is not authorized to perform: ecr-public:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr-public:GetAuthorizationToken action
This gives un-dronegen'ed pipelines the same syntax as dronegen'd ones, which is nice for consistency.
All other roles environment variables end in AWS_ROLE, and consistency is our friend here.
wadells
force-pushed
the
walt/v9-role-assumption
branch
from
5ad11ea to
80fc114
Compare
Contributor
|
@wadells - this PR is large and will require admin approval to merge. Consider breaking it up into a series smaller changes. |
github-actions
Bot
requested review from
fheinecke,
justinas,
r0mant and
reedloden
reedloden
approved these changes
Oct 13, 2022
Contributor
Author
|
Tag & promote are clean -- working on merging. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Backports #17201
Backports #17301
Backports #17334
Backports #17274
Backports #17314
Backports #17406
Contributes to https://github.com/gravitational/SecOps/issues/213
There were a large range of merge conflicts during this port, including:
Strangely, the ECR/Quay flip flop (6a3f802) seen in v10 (#17244) wasn't needed here.
Testing Done
Definitely needed given the wide array of merge conflicts.