update use aws region as secret, add secrets via TF

Vizzuality · May 22, 2024 · 382b1f1 · 382b1f1
1 parent 1208fcd
commit 382b1f1
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 19 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -42,7 +42,7 @@ jobs:
         with:
           aws-access-key-id: ${{ secrets.TF_PIPELINE_USER_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.TF_PIPELINE_USER_SECRET_ACCESS_KEY }}
-          aws-region: ${{ vars.TF_AWS_REGION }}
+          aws-region: ${{ secrets.TF_AWS_REGION }}
 
       - name: Login to Amazon ECR
         if: ${{ github.event_name == 'workflow_dispatch' || steps.client-changes.outputs.client == 'true' }}
@@ -91,7 +91,7 @@ jobs:
         with:
           aws-access-key-id: ${{ secrets.TF_PIPELINE_USER_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.TF_PIPELINE_USER_SECRET_ACCESS_KEY }}
-          aws-region: ${{ vars.TF_AWS_REGION }}
+          aws-region: ${{ secrets.TF_AWS_REGION }}
 
       - name: Login to Amazon ECR
         if: ${{ github.event_name == 'workflow_dispatch' || steps.api-changes.outputs.api == 'true' }}

diff --git a/infrastructure/main.tf b/infrastructure/main.tf
@@ -57,5 +57,6 @@ module "github" {
         TF_PIPELINE_USER_SECRET_ACCESS_KEY = module.iam.pipeline_user_access_key_secret
         TF_CLIENT_REPOSITORY_NAME          = module.client_ecr.repository_name
         TF_API_REPOSITORY_NAME             = module.api_ecr.repository_name
+        TF_AWS_REGION                      = var.aws_region
     }
 }
diff --git a/infrastructure/modules/iam/main.tf b/infrastructure/modules/iam/main.tf
@@ -17,23 +17,25 @@ resource "aws_iam_user_policy_attachment" "eb_managed_updates_customer_user_poli
   policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy"
 }
 
-# resource "aws_iam_user_policy" "get_ecr_token_policy" {
-#   name = "get_ecr_token_policy"
-#   user = aws_iam_user.pipeline_user.name
-#
-#   policy = jsonencode({
-#     Version = "2012-10-17"
-#     Statement = [
-#       {
-#         Action = [
-#           "ecr:GetAuthorizationToken"
-#         ]
-#         Effect   = "Allow"
-#         Resource = "*"
-#       },
-#     ]
-#   })
-# }
+## Below policies are needed to login through GitHub Actions
+
+resource "aws_iam_user_policy" "get_ecr_token_policy" {
+  name = "get_ecr_token_policy"
+  user = aws_iam_user.pipeline_user.name
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "ecr:GetAuthorizationToken"
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+      },
+    ]
+  })
+}
 
 resource "aws_iam_user_policy" "ecr_push_pull_policy" {
   name = "ecr_push_pull_policy"