DEVPROD-4976: Use temporary AWS credentials from ec2.assume_role comm…

…and (#2269)
evergreen-ci · Feb 21, 2024 · 8ecfa7c · 8ecfa7c
1 parent c664610
commit 8ecfa7c
Show file tree

Hide file tree

Showing 2 changed files with 79 additions and 51 deletions.
diff --git a/.evergreen.yml b/.evergreen.yml
@@ -33,6 +33,11 @@ post:
 #              Functions              #
 #######################################
 functions:
+  assume-ec2-role:
+    command: ec2.assume_role
+    params:
+      role_arn: ${ASSUME_ROLE_ARN}
+
   get-project:
     command: git.get_project
     type: setup
@@ -126,12 +131,10 @@ functions:
       script: ./scripts/wait-for-evergreen.sh
 
   sym-link:
-    command: shell.exec
+    command: subprocess.exec
     params:
       working_dir: spruce
-      shell: bash
-      script: |
-        ln -s evergreen/graphql/schema sdlschema
+      command: ln -s evergreen/graphql/schema sdlschema
 
   run-logkeeper:
     command: shell.exec
@@ -149,8 +152,9 @@ functions:
     command: s3.get
     type: setup
     params:
-      aws_key: ${aws_key}
-      aws_secret: ${aws_secret}
+      aws_key: ${AWS_ACCESS_KEY_ID}
+      aws_secret: ${AWS_SECRET_ACCESS_KEY}
+      aws_session_token: ${AWS_SESSION_TOKEN}
       extract_to: spruce/logkeeper
       remote_file: _bucketdata.tar.gz
       bucket: parsley-test
@@ -260,8 +264,9 @@ functions:
     - command: s3.put
       type: system
       params:
-        aws_key: ${aws_key}
-        aws_secret: ${aws_secret}
+        aws_key: ${AWS_ACCESS_KEY_ID}
+        aws_secret: ${AWS_SECRET_ACCESS_KEY}
+        aws_session_token: ${AWS_SESSION_TOKEN}
         local_files_include_filter: ["spruce/cypress/screenshots/*"]
         remote_file: spruce/${task_id}/
         bucket: mciuploads
@@ -271,8 +276,9 @@ functions:
     - command: s3.put
       type: system
       params:
-        aws_key: ${aws_key}
-        aws_secret: ${aws_secret}
+        aws_key: ${AWS_ACCESS_KEY_ID}
+        aws_secret: ${AWS_SECRET_ACCESS_KEY}
+        aws_session_token: ${AWS_SESSION_TOKEN}
         local_files_include_filter: ["spruce/cypress/videos/*"]
         remote_file: spruce/${task_id}/
         bucket: mciuploads
@@ -288,8 +294,9 @@ functions:
     command: s3.put
     type: system
     params:
-      aws_key: ${aws_key}
-      aws_secret: ${aws_secret}
+      aws_key: ${AWS_ACCESS_KEY_ID}
+      aws_secret: ${AWS_SECRET_ACCESS_KEY}
+      aws_session_token: ${AWS_SESSION_TOKEN}
       local_file: "spruce/build/source_map.html"
       remote_file: spruce/${task_id}/source_map.html
       bucket: mciuploads
@@ -301,8 +308,9 @@ functions:
     - command: s3.put
       type: system
       params:
-        aws_key: ${aws_key}
-        aws_secret: ${aws_secret}
+        aws_key: ${AWS_ACCESS_KEY_ID}
+        aws_secret: ${AWS_SECRET_ACCESS_KEY}
+        aws_session_token: ${AWS_SESSION_TOKEN}
         local_files_include_filter: ["spruce/storybook-static/*.html"]
         remote_file: spruce/${task_id}/storybook/
         bucket: mciuploads
@@ -312,8 +320,9 @@ functions:
     - command: s3.put
       type: system
       params:
-        aws_key: ${aws_key}
-        aws_secret: ${aws_secret}
+        aws_key: ${AWS_ACCESS_KEY_ID}
+        aws_secret: ${AWS_SECRET_ACCESS_KEY}
+        aws_session_token: ${AWS_SESSION_TOKEN}
         local_files_include_filter:
           [
             "spruce/storybook-static/**/*.js$",
@@ -327,8 +336,9 @@ functions:
     - command: s3.put
       type: system
       params:
-        aws_key: ${aws_key}
-        aws_secret: ${aws_secret}
+        aws_key: ${AWS_ACCESS_KEY_ID}
+        aws_secret: ${AWS_SECRET_ACCESS_KEY}
+        aws_session_token: ${AWS_SESSION_TOKEN}
         local_files_include_filter: ["spruce/storybook-static/**/*.js.map"]
         remote_file: spruce/${task_id}/storybook/
         bucket: mciuploads
@@ -338,8 +348,9 @@ functions:
     - command: s3.put
       type: system
       params:
-        aws_key: ${aws_key}
-        aws_secret: ${aws_secret}
+        aws_key: ${AWS_ACCESS_KEY_ID}
+        aws_secret: ${AWS_SECRET_ACCESS_KEY}
+        aws_session_token: ${AWS_SESSION_TOKEN}
         local_files_include_filter: ["spruce/storybook-static/**/*.css"]
         remote_file: spruce/${task_id}/storybook/
         bucket: mciuploads
@@ -349,8 +360,9 @@ functions:
     - command: s3.put
       type: system
       params:
-        aws_key: ${aws_key}
-        aws_secret: ${aws_secret}
+        aws_key: ${AWS_ACCESS_KEY_ID}
+        aws_secret: ${AWS_SECRET_ACCESS_KEY}
+        aws_session_token: ${AWS_SESSION_TOKEN}
         local_files_include_filter: ["spruce/storybook-static/**/*.json"]
         remote_file: spruce/${task_id}/storybook/
         bucket: mciuploads
@@ -360,8 +372,9 @@ functions:
     - command: s3.put
       type: system
       params:
-        aws_key: ${aws_key}
-        aws_secret: ${aws_secret}
+        aws_key: ${AWS_ACCESS_KEY_ID}
+        aws_secret: ${AWS_SECRET_ACCESS_KEY}
+        aws_session_token: ${AWS_SESSION_TOKEN}
         local_files_include_filter:
           - "spruce/storybook-static/**/*.woff"
           - "spruce/storybook-static/**/*.woff2"
@@ -375,8 +388,9 @@ functions:
     command: s3.put
     type: system
     params:
-      aws_key: ${aws_key}
-      aws_secret: ${aws_secret}
+      aws_key: ${AWS_ACCESS_KEY_ID}
+      aws_secret: ${AWS_SECRET_ACCESS_KEY}
+      aws_session_token: ${AWS_SESSION_TOKEN}
       local_files_include_filter:
         - "spruce/bin/codegen.diff"
       remote_file: spruce/${task_id}/codegen/
@@ -388,8 +402,9 @@ functions:
     command: s3.put
     type: system
     params:
-      aws_key: ${aws_key}
-      aws_secret: ${aws_secret}
+      aws_key: ${AWS_ACCESS_KEY_ID}
+      aws_secret: ${AWS_SECRET_ACCESS_KEY}
+      aws_session_token: ${AWS_SESSION_TOKEN}
       local_files_include_filter:
         - "spruce/body.txt"
       remote_file: spruce/${task_id}/
@@ -401,42 +416,44 @@ functions:
     command: shell.exec
     params:
       working_dir: spruce
+      env:
+        REACT_APP_SENTRY_AUTH_TOKEN: ${REACT_APP_SENTRY_AUTH_TOKEN}
+        REACT_APP_SENTRY_DSN: ${REACT_APP_SENTRY_DSN}
+        REACT_APP_NEW_RELIC_ACCOUNT_ID: ${REACT_APP_NEW_RELIC_ACCOUNT_ID}
+        REACT_APP_NEW_RELIC_AGENT_ID: ${REACT_APP_NEW_RELIC_AGENT_ID}
+        REACT_APP_NEW_RELIC_APPLICATION_ID: ${REACT_APP_NEW_RELIC_APPLICATION_ID}
+        REACT_APP_NEW_RELIC_LICENSE_KEY: ${REACT_APP_NEW_RELIC_LICENSE_KEY}
+        REACT_APP_NEW_RELIC_TRUST_KEY: ${REACT_APP_NEW_RELIC_TRUST_KEY}
+        REACT_APP_DEPLOYS_EMAIL: ${REACT_APP_DEPLOYS_EMAIL}
+        REACT_APP_HONEYCOMB_BASE_URL: ${REACT_APP_HONEYCOMB_BASE_URL}
+        EVERGREEN_API_SERVER_HOST: ${evergreen_api_server_host}
+        EVERGREEN_UI_SERVER_HOST: ${evergreen_api_server_host}
+        EVERGREEN_API_KEY: ${evergreen_api_key}
+        EVERGREEN_USER: ${evergreen_user}
       script: |
         echo "Generating .env-cmdrc.json"
-        REACT_APP_SENTRY_AUTH_TOKEN=${REACT_APP_SENTRY_AUTH_TOKEN} \
-        REACT_APP_SENTRY_DSN=${REACT_APP_SENTRY_DSN} \
-        REACT_APP_NEW_RELIC_ACCOUNT_ID=${REACT_APP_NEW_RELIC_ACCOUNT_ID} \
-        REACT_APP_NEW_RELIC_AGENT_ID=${REACT_APP_NEW_RELIC_AGENT_ID} \
-        REACT_APP_NEW_RELIC_APPLICATION_ID=${REACT_APP_NEW_RELIC_APPLICATION_ID} \
-        REACT_APP_NEW_RELIC_LICENSE_KEY=${REACT_APP_NEW_RELIC_LICENSE_KEY} \
-        REACT_APP_NEW_RELIC_TRUST_KEY=${REACT_APP_NEW_RELIC_TRUST_KEY} \
-        REACT_APP_DEPLOYS_EMAIL=${REACT_APP_DEPLOYS_EMAIL} \
-        REACT_APP_HONEYCOMB_BASE_URL=${REACT_APP_HONEYCOMB_BASE_URL} \
         node scripts/setup-credentials.js
 
         echo "populating evergreen.yml"
-        cat <<EOF > .evergreen.yml
-        api_server_host: ${evergreen_api_server_host}
-        ui_server_host: ${evergreen_ui_server_host}
-        api_key: ${evergreen_api_key}
-        user: ${evergreen_user}
-        EOF
-
-        echo "Done populating"
+        chmod +x ./scripts/create-evergreen-yml.sh
+        ./scripts/create-evergreen-yml.sh
+        echo "Done populating evergreen.yml"
 
   prod-deploy:
     command: shell.exec
     params:
       working_dir: spruce
       shell: bash
+      env:
+        BUCKET: ${bucket}
+        AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID}
+        AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}
+        AWS_SESSION_TOKEN: ${AWS_SESSION_TOKEN}
+        EXECUTION: ${execution}
+        DEPLOYS_EMAIL: ${DEPLOYS_EMAIL}
+        AUTHOR_EMAIL: ${author_email}
       script: |
         ${PREPARE_SHELL}
-        BUCKET=${bucket} \
-        AWS_ACCESS_KEY_ID=${aws_key} \
-        AWS_SECRET_ACCESS_KEY=${aws_secret} \
-        EXECUTION=${execution} \
-        DEPLOYS_EMAIL=${DEPLOYS_EMAIL} \
-        AUTHOR_EMAIL=${author_email} \
         yarn deploy:prod
 
 #######################################
@@ -446,11 +463,13 @@ functions:
 tasks:
   - name: compile
     commands:
+      - func: assume-ec2-role
       - func: sym-link
       - func: yarn-build
 
   - name: storybook
     commands:
+      - func: assume-ec2-role
       - func: yarn-build-storybook
 
   - name: test
@@ -473,6 +492,7 @@ tasks:
 
   - name: e2e_test
     commands:
+      - func: assume-ec2-role
       - func: setup-mongodb
       - func: run-make-background
         vars:
@@ -487,11 +507,13 @@ tasks:
 
   - name: check_codegen
     commands:
+      - func: assume-ec2-role
       - func: sym-link
       - func: check-codegen
 
   - name: deploy_to_prod
     commands:
+      - func: assume-ec2-role
       - func: setup-credentials
       - func: sym-link
       - func: prod-deploy

diff --git a/scripts/deploy/create-evergreen-yml.sh b/scripts/deploy/create-evergreen-yml.sh
@@ -0,0 +1,6 @@
+cat <<EOF > .evergreen.yml
+api_server_host: $EVERGREEN_API_SERVER_HOST
+ui_server_host: $EVERGREEN_UI_SERVER_HOST
+api_key: $EVERGREEN_API_KEY
+user: $EVERGREEN_USER
+EOF