Use vault github action to retrieve keys

scoremedia · Apr 27, 2024 · a6b5599 · a6b5599
1 parent f458e0c
commit a6b5599
Show file tree

Hide file tree

Showing 4 changed files with 113 additions and 281 deletions.
diff --git a/.github/workflows/verify-vault-secrets.yaml b/.github/workflows/verify-vault-secrets.yaml
@@ -9,10 +9,13 @@ on:
       edges:
         required: true
         type: string
+      path_suffixes:
+        required: true
+        type: string
       environments:
         required: false
         type: string
-        default: "staging,demo,uat,audit1,ps,production"
+        default: "['staging','demo','uat','audit1','ps','production']"
       vault_addr_prod:
         required: false
         type: string
@@ -23,13 +26,38 @@ on:
         default: "https://vault.non-prod.thescore.is"
 
 jobs:
+  retrieve-vault-secret-keys:
+    runs-on: non-prod-scorebet-org-runner
+    permissions:
+      contents: read
+      id-token: write
+    strategy:
+      matrix:
+        env: [ ${{ fromJSON(inputs.environments) }} ]
+        edge: [ ${{ fromJSON(inputs.edges) }} ]
+        suffix: [ ${{ fromJSON(inputs.path_suffixes) }} ]
+    outputs:
+      output1: ${{ steps.vault-keys.outputs.subkeys }}
+    steps:
+      - name: Get Vault Keys
+        id: vault-keys
+        uses: hashicorp/vault-action@v3
+        with:
+          method: jwt
+          path: github-actions
+          url: ${{ matrix.env == 'production' && 'https://vault.prod.thescore.is' || 'https://vault.non-prod.thescore.is' }}
+          role: identity
+          exportToken: true
+          secrets: |
+            scorebet/subkeys/identity/${{ matrix.env }}/us-core/${{ matrix.suffix }} subkeys ;
+  
   verify-vault-secrets:
     runs-on: non-prod-scorebet-org-runner
-    permissions: write-all
+    needs: retrieve-vault-secret-keys
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
-      - uses: actions/checkout@v4
+      #- uses: actions/checkout@v4
       - uses: actions/checkout@v4
         with:
           repository: scoremedia/devops-github-workflow
@@ -42,39 +70,10 @@ jobs:
         shell: bash
         run: |
           cd ./shared-actions/.github/workflows/verify-vault-secrets && npm install
-      - name: Get Non-Prod Token from Vault
-        id: non-prod-vault-token
-        uses: hashicorp/vault-action@v3
-        with:
-          method: jwt
-          path: github-actions
-          url: https://vault.non-prod.thescore.is
-          role: ${{ inputs.service }}
-          exportToken: true
-          secrets: |
-            thescore/data/infrastructure/github/tokens/scorebet-bot token | GITHUB_PAT ;
-
-      - name: Get Prod Token from Vault
-        id: prod-vault-token
-        uses: hashicorp/vault-action@v3
-        with:
-          method: jwt
-          path: github-actions
-          url: https://vault.prod.thescore.is
-          role: ${{ inputs.service }}
-          exportToken: true
-          secrets: |
-            thescore/data/infrastructure/github/tokens/scorebet-bot token | GITHUB_PAT ;
 
       - uses: actions/github-script@v7
         with:
           script: |
             const script = require('./shared-actions/.github/workflows/verify-vault-secrets/verifyVaultSecrets.js')
             await script({github, context, core})
-          service: ${{ inputs.service }}
-          edges: ${{ inputs.edges }}
-          non_prod_vault_token: ${{ steps.non-prod-vault-token.outputs.GITHUB_PAT }}
-          prod_vault_token: ${{ steps.prod-vault-token.outputs.GITHUB_PAT }}
-          environments: ${{ inputs.environments }}
-          vault_addr_prod: ${{ inputs.vault_addr_prod }}
-          vault_addr_non_prod: ${{ inputs.vault_addr_non_prod }}
+          keys: ${{fromJson(needs.retrieve-vault-secret-keys.outputs.subkeys)}}