Merge pull request #82 from lara-learning/feat/oidc-gh-envs

timbru31 · web-flow · commit 14f1ed3c86eb · 2024-12-16T15:45:32.000+01:00
refactor: use OIDC for AWS deployments, split secrets into GitHub env…
diff --git a/.github/workflows/merge-to-master.yml b/.github/workflows/merge-to-master.yml
@@ -1,11 +1,11 @@
 ########################################################
-# Action to run on pullrequest merge to main         #
+# Action to run on pullrequest merge to main           #
 # Staging build and deployment                         #
 ########################################################
 name: Action on Pullrequest push to main
-on: 
+on:
   push:
-    branches:    
+    branches:
       - 'main'
 
 jobs:
@@ -18,7 +18,7 @@ jobs:
     with:
       environmentName: staging
       debug: 'true'
-      mode: ""
+      mode: ''
     secrets: inherit
 
   deploy:
diff --git a/.github/workflows/reusable-build-job.yml b/.github/workflows/reusable-build-job.yml
@@ -20,58 +20,42 @@ jobs:
   build:
     runs-on: ubuntu-latest
     name: build-job
+    environment: ${{ inputs.environmentName }}
     env:
-      ENVIRONMENT_NAME: ${{ inputs.environmentName }}
       DEBUG: ${{ inputs.debug }}
       MODE: ${{ inputs.mode }}
       AUTH_HEADER: ${{ secrets.AUTH_HEADER }}
       MICROSOFT_TENANT_ID: ${{ secrets.MICROSOFT_TENANT_ID }}
+      MICROSOFT_CLIENT_ID: ${{ secrets.MICROSOFT_CLIENT_ID }}
       SUPPORT_MAIL: ${{ secrets.SUPPORT_MAIL }}
       URL_ORIGIN: ${{ secrets.URL_ORIGIN }}
       COMPANY_ABBREVIATION: ${{ secrets.COMPANY_ABBREVIATION }}
       OLD_COMPANY_NAME: ${{ secrets.OLD_COMPANY_NAME }}
       NEW_COMPANY_NAME: ${{ secrets.NEW_COMPANY_NAME }}
       AVATAR_URL: ${{ secrets.AVATAR_URL }}
       LARA_VERSION: ${{ github.ref_name }}
+      FRONTEND_URL: ${{ secrets.FRONTEND_URL }}
+      BACKEND_URL: ${{ secrets.BACKEND_URL }}
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+
+      - uses: actions/setup-node@v4
         with:
-          node-version: '18'
-      - uses: actions/cache@v3
+          node-version-file: '.nvmrc'
+
+      - uses: actions/cache@v4
         with:
           path: |
             node_modules
             packages/*/node_modules
             .yarn
           key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}-in-${{ github.ref_name }}
-      ##############
-      # Set BACKEND_URL env varibale this way, so not all variables have to be passed to the reusable workflow
-      - name: Set production BE Url
-        if: env.ENVIRONMENT_NAME == 'production'
-        run: |
-          echo "BACKEND_URL=${{ secrets.PRODUCTION_BE_URL }}" >> $GITHUB_ENV
-      - name: Set staging BE Url
-        if: env.ENVIRONMENT_NAME == 'staging'
-        run: |
-          echo "BACKEND_URL=${{ secrets.STAGING_BE_URL }}" >> $GITHUB_ENV
-
-      ##############
-      # Set MICROSOFT CLIENT_ID env variable this way, so not all variables have to be passed to the reusable workflow
-      - name: Set production MICROSOFT CLIENT_ID
-        if: env.ENVIRONMENT_NAME == 'production'
-        run: |
-          echo "MICROSOFT_CLIENT_ID=${{ secrets.PROD_MICROSOFT_CLIENT_ID }}" >> $GITHUB_ENV
-      - name: Set staging MICROSOFT CLIENT_ID
-        if: env.ENVIRONMENT_NAME == 'staging'
-        run: |
-          echo "MICROSOFT_CLIENT_ID=${{ secrets.STAGING_MICROSOFT_CLIENT_ID }}" >> $GITHUB_ENV
 
       ##############
       - name: Compile and build
         run: yarn clean && yarn compile && yarn build
       - name: Upload dist and lib
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: dist-and-lib
           path: |
diff --git a/.github/workflows/reusable-deploy-job.yml b/.github/workflows/reusable-deploy-job.yml
@@ -19,6 +19,7 @@ on:
 jobs:
   deploy:
     runs-on: ubuntu-latest
+    environment: ${{ inputs.target }}
     name: deploy-job
     env:
       ALEXA_SKILL_STAGE: ${{ inputs.alexaSkillStage }}
@@ -30,6 +31,7 @@ jobs:
       AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
       AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
       MICROSOFT_TENANT_ID: ${{ secrets.MICROSOFT_TENANT_ID }}
+      MICROSOFT_CLIENT_ID: ${{ secrets.MICROSOFT_CLIENT_ID }}
       LARA_SECRET: ${{ secrets.LARA_SECRET }}
       SES_EMAIL: ${{ secrets.SES_EMAIL }}
       SUPPORT_MAIL: ${{ secrets.SUPPORT_MAIL }}
@@ -40,52 +42,38 @@ jobs:
       AVATAR_URL: ${{ secrets.AVATAR_URL }}
       LARA_VERSION: ${{ github.ref_name }}
       SES_REGION: ${{ secrets.SES_REGION }}
+      FRONTEND_URL: ${{ secrets.FRONTEND_URL }}
+      BACKEND_URL: ${{ secrets.BACKEND_URL }}
 
     steps:
       - uses: actions/checkout@v4
 
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: '18'
+          node-version-file: '.nvmrc'
 
-      - uses: actions/cache@v3
+      - uses: actions/cache@v4
         with:
           path: |
             node_modules
             packages/*/node_modules
             .yarn
           key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}-in-${{ github.ref_name }}
+
       - run: npm i -g serverless
 
       - name: Download built dist and lib
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: dist-and-lib
           path: packages
 
-      # Set FRONTEND_URL & BACKEND_URL env varibale this way, so not all variables have to be passed to the reusable workflow
-      - name: Set production FE & BE Url
-        if: inputs.target == 'production'
-        run: |
-          echo "FRONTEND_URL=${{ secrets.PRODUCTION_FE_URL }}" >> $GITHUB_ENV
-          echo "BACKEND_URL=${{ secrets.PRODUCTION_BE_URL }}" >> $GITHUB_ENV
-
-      - name: Set staging FE & BE Url
-        if: inputs.target == 'staging'
-        run: |
-          echo "FRONTEND_URL=${{ secrets.STAGING_FE_URL }}" >> $GITHUB_ENV
-          echo "BACKEND_URL=${{ secrets.STAGING_BE_URL }}" >> $GITHUB_ENV
-
-      ##############
-      # Set MICROSOFT CLIENT_ID env variable this way, so not all variables have to be passed to the reusable workflow
-      - name: Set production MICROSOFT CLIENT_ID
-        if: env.ENVIRONMENT_NAME == 'production'
-        run: |
-          echo "MICROSOFT_CLIENT_ID=${{ secrets.PROD_MICROSOFT_CLIENT_ID }}" >> $GITHUB_ENV
-      - name: Set staging MICROSOFT CLIENT_ID
-        if: env.ENVIRONMENT_NAME == 'staging'
-        run: |
-          echo "MICROSOFT_CLIENT_ID=${{ secrets.STAGING_MICROSOFT_CLIENT_ID }}" >> $GITHUB_ENV
+      - name: Configure AWS Credentials for China region audience
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          audience: sts.amazonaws.com.cn
+          aws-region: eu-central-1
+          role-to-assume: arn:aws-cn:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-deploy-user
 
       - name: Deploy Frontend
         run: serverless s3sync bucket --bucket ${{ secrets.COMPANY_ABBREVIATION }}-lara-frontend-${{ inputs.target }}
diff --git a/.github/workflows/reusable-e2e-test-job.yml b/.github/workflows/reusable-e2e-test-job.yml
@@ -10,27 +10,31 @@ jobs:
   e2e:
     name: e2e-job
     runs-on: ubuntu-latest
+    environment: staging
     container: mcr.microsoft.com/playwright:focal
     env:
       USER_ID: ${{ secrets.TEST_TRAINEE_ID }}
-      URL: ${{ secrets.STAGING_FE_URL }}
+      URL: ${{ secrets.FRONTEND_URL }}
       BASICAUTHENTICATION_USERNAME: ${{ secrets.BASICAUTHENTICATION_USERNAME }}
       BASICAUTHENTICATION_PASSWORD: ${{ secrets.BASICAUTHENTICATION_PASSWORD }}
       ENVIRONMENT_NAME: staging
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/cache@v3
+
+      - uses: actions/cache@v4
         with:
           path: |
-            node_modules 
+            node_modules
             packages/*/node_modules
             .yarn
           key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}-in-${{ github.ref_name }}
+
       - name: Download built dist and lib
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: dist-and-lib
           path: packages
+
       - run: |
           cd packages/e2e
           unset NODE_OPTIONS
diff --git a/.github/workflows/reusable-install-job.yml b/.github/workflows/reusable-install-job.yml
@@ -12,10 +12,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+
+      - uses: actions/setup-node@v4
         with:
-          node-version: '18'
-      - uses: actions/cache@v3
+          node-version-file: '.nvmrc'
+
+      - uses: actions/cache@v4
         with:
           path: |
             node_modules
diff --git a/.github/workflows/reusable-test-job.yml b/.github/workflows/reusable-test-job.yml
@@ -12,10 +12,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+
+      - uses: actions/setup-node@v4
         with:
-          node-version: '18'
-      - uses: actions/cache@v3
+          node-version-file: '.nvmrc'
+
+      - uses: actions/cache@v4
         with:
           path: |
             node_modules
@@ -29,10 +31,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+
+      - uses: actions/setup-node@v4
         with:
-          node-version: '18'
-      - uses: actions/cache@v3
+          node-version-file: '.nvmrc'
+
+      - uses: actions/cache@v4
         with:
           path: |
             node_modules
@@ -46,10 +50,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+
+      - uses: actions/setup-node@v4
         with:
-          node-version: '18'
-      - uses: actions/cache@v3
+          node-version-file: '.nvmrc'
+
+      - uses: actions/cache@v4
         with:
           path: |
             node_modules
@@ -63,18 +69,21 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+
+      - uses: actions/setup-node@v4
         with:
-          node-version: '18'
-      - uses: actions/cache@v3
+          node-version-file: '.nvmrc'
+
+      - uses: actions/cache@v4
         with:
           path: |
             node_modules
             packages/*/node_modules
             .yarn
           key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}-in-${{ github.ref_name }}
+
       - name: Download built dist and lib
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: dist-and-lib
           path: packages
@@ -85,10 +94,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+
+      - uses: actions/setup-node@v4
         with:
-          node-version: '18'
-      - uses: actions/cache@v3
+          node-version-file: '.nvmrc'
+
+      - uses: actions/cache@v4
         with:
           path: |
             node_modules
diff --git a/packages/authorizer/src/handler.ts b/packages/authorizer/src/handler.ts
@@ -1,6 +1,10 @@
-import { APIGatewayAuthorizerHandler, CustomAuthorizerResult } from 'aws-lambda'
+import { APIGatewayAuthorizerHandler, CustomAuthorizerResult, StatementEffect } from 'aws-lambda'
 
-const generatePolicy = (principalId: string, effect: string, resource: string): CustomAuthorizerResult | undefined => {
+const generatePolicy = (
+  principalId: string,
+  effect: StatementEffect,
+  resource: string
+): CustomAuthorizerResult | undefined => {
   if (!effect || !resource) {
     return
   }
diff --git a/yarn.lock b/yarn.lock
