From 70152005abc21579d4dd3a6d40d20b6968e454c9 Mon Sep 17 00:00:00 2001 From: Matthew Thornton <99351305+ThorntonMatthew@users.noreply.github.com> Date: Wed, 31 Jul 2024 12:10:03 -0400 Subject: [PATCH] APPEALS-53151: Update ECR Workflow to Utilize OIDC Flow (#22348) * Reconfigure ECR login workflow to utilize Github's OIDC flow * Add permissions * Update AWS account number to one for VAEC * Update account number for main CI workflow * Try using a separate secret in test * Try using a separate secret in test * Change name of secret --------- Co-authored-by: Matthew Thornton --- .github/workflows/ecr-login.yml | 26 +++++++++++++++---- .github/workflows/ecr_password_updater.py | 2 +- .github/workflows/workflow.yml | 16 ++++++------ .../circle_docker_container/build_and_push.sh | 6 ++--- local/vacols/build_push.sh | 12 ++++----- 5 files changed, 39 insertions(+), 23 deletions(-) diff --git a/.github/workflows/ecr-login.yml b/.github/workflows/ecr-login.yml index 49d0ca2aab0..51abaf38032 100644 --- a/.github/workflows/ecr-login.yml +++ b/.github/workflows/ecr-login.yml 
@@ -4,31 +4,47 @@ on: # Every 6 hours, the password validity is 12 hours schedule: - cron: '0 */6 * * *' + +permissions: + id-token: write + contents: read + jobs: login: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v3 + + - name: Configure AWS Credentials + id: acquire-credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: us-gov-west-1 + role-to-assume: ${{ secrets.AWS_ROLE }} + output-credentials: true + - name: retrieve ecr password and store as secret + if: steps.acquire-credentials.outcome == 'success' run: | pip3 install -r .github/workflows/requirements.txt python3 .github/workflows/ecr_password_updater.py env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + AWS_ACCESS_KEY_ID: ${{ steps.acquire-credentials.outputs.aws-access-key-id }} + AWS_SECRET_ACCESS_KEY: ${{ steps.acquire-credentials.outputs.aws-secret-access-key }} AWS_DEFAULT_REGION: us-gov-west-1 GH_API_ACCESS_TOKEN: ${{ secrets.GH_API_ACCESS_TOKEN }} - # This 'test' job is usefull for fast debugging + + # This 'test' job is useful for fast debugging test: needs: login runs-on: ubuntu-latest timeout-minutes: 1 container: - image: 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/gaimg-ruby:2.7.3-ga-browsers + image: 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/gaimg-ruby:2.7.3-ga-browsers credentials: username: AWS # Here is the password retrieved as a secret that is set by the `login` job - password: ${{ secrets.ECR_PASSWORD }} + password: ${{ secrets.VAEC_ECR_PASSWORD }} steps: - run: echo "Inside a container pulled from ECR!!" diff --git a/.github/workflows/ecr_password_updater.py b/.github/workflows/ecr_password_updater.py index 5dec932e066..b1038d2c2b7 100644 --- a/.github/workflows/ecr_password_updater.py +++ b/.github/workflows/ecr_password_updater.py 
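Review bot: The `retrieve ecr password and store as secret` step forwards only `aws-access-key-id` and `aws-secret-access-key` from the `acquire-credentials` outputs, but an assumed OIDC role returns temporary STS credentials that are only usable together with a session token; add `AWS_SESSION_TOKEN: ${{ steps.acquire-credentials.outputs.aws-session-token }}` to that step's `env:` block. Presumably this works today only because `configure-aws-credentials` also exports `AWS_SESSION_TOKEN` into the job environment by default and the explicit `env:` overrides do not clear it — confirm, and note that it would break silently if `output-env-credentials: false` were ever set. The workflow-level `permissions: id-token: write` also lets the `test` job mint OIDC tokens it never uses; move the `permissions:` block under `login:` so only that job can request one. With `VAEC_ECR_PASSWORD` now the only secret being refreshed, the old `ECR_PASSWORD` repository secret will go stale after its 12-hour validity and should be deleted rather than left behind. Since these two steps handle the cloud credentials, consider pinning `aws-actions/configure-aws-credentials@v4` and `actions/checkout@v3` to full commit SHAs instead of floating major tags.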
@@ -41,7 +41,7 @@ def get_ecr_password() -> str: password = get_ecr_password() encrypted_password = encrypt(public_key_value, password) - update_password = requests.put('https://api.github.com/repos/department-of-veterans-affairs/caseflow/actions/secrets/ECR_PASSWORD', + update_password = requests.put('https://api.github.com/repos/department-of-veterans-affairs/caseflow/actions/secrets/VAEC_ECR_PASSWORD', headers={'Accept': 'application/vnd.github.v3+json', 'Authorization': 'token ' + os.environ['GH_API_ACCESS_TOKEN']}, data=json.dumps({'encrypted_value': encrypted_password, 'key_id': public_key_id, diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index 6e17eb068a6..2238acdd257 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/workflow.yml @@ -38,10 +38,10 @@ jobs: - 6379:6379 facols_db: - image: 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/facols:latest + image: 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/facols:latest credentials: username: AWS - password: ${{ secrets.ECR_PASSWORD }} + password: ${{ secrets.VAEC_ECR_PASSWORD }} ports: - 1521:1521 @@ -52,11 +52,11 @@ jobs: ci_node_index: [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11] container: - image: 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/gaimg-ruby:2.7.3-ga-browsers + image: 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/gaimg-ruby:2.7.3-ga-browsers options: --privileged # Necessary for Rspec to run with our configuration within GHA credentials: username: AWS - password: ${{ secrets.ECR_PASSWORD }} + password: ${{ secrets.VAEC_ECR_PASSWORD }} env: DBUS_SESSION_BUS_ADDRESS: /dev/null 
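Review bot: The `facols_db` service image on the new side is still referenced by the mutable `latest` tag (`065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/facols:latest`), so whatever is last pushed to that tag in the new registry is what CI runs, with nothing in the workflow recording which build that was. Moving to a new registry is the natural moment to pin by digest, e.g. `image: 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/facols@sha256:<digest>`, and the same applies to the `gaimg-ruby:2.7.3-ga-browsers` tag in the following hunk, which also runs the container with `--privileged`. The `jobs:` mapping these service definitions belong to starts outside the hunk.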
@@ -266,10 +266,10 @@ jobs: if: true runs-on: ubuntu-latest container: - image: 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/gaimg-ruby:2.7.3-ga-browsers + image: 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/gaimg-ruby:2.7.3-ga-browsers credentials: username: AWS - password: ${{ secrets.ECR_PASSWORD }} + password: ${{ secrets.VAEC_ECR_PASSWORD }} env: DBUS_SESSION_BUS_ADDRESS: /dev/null RAILS_ENV: test @@ -328,10 +328,10 @@ jobs: if: true runs-on: ubuntu-latest container: - image: 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/gaimg-ruby:2.7.3-ga-browsers + image: 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/gaimg-ruby:2.7.3-ga-browsers credentials: username: AWS - password: ${{ secrets.ECR_PASSWORD }} + password: ${{ secrets.VAEC_ECR_PASSWORD }} steps: - name: Checkout diff --git a/ci-bin/circle_docker_container/build_and_push.sh b/ci-bin/circle_docker_container/build_and_push.sh index 4d39d48b153..1b1f808f8f2 100755 --- a/ci-bin/circle_docker_container/build_and_push.sh +++ b/ci-bin/circle_docker_container/build_and_push.sh 
@@ -7,12 +7,12 @@ fi rm instant-client-12-1.tar.gz -aws ecr get-login-password --region us-gov-west-1 | docker login --username AWS --password-stdin 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com +aws ecr get-login-password --region us-gov-west-1 | docker login --username AWS --password-stdin 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com docker build -t cimg-ruby . # In case we modify this image and keep the same ruby version, we should use a different tag (i.e. image digest) -docker tag cimg-ruby:latest 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/cimg-ruby:2.7.3-browsers -if docker push 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/cimg-ruby:2.7.3-browsers ; then +docker tag cimg-ruby:latest 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/cimg-ruby:2.7.3-browsers +if docker push 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/cimg-ruby:2.7.3-browsers ; then echo 'Success the latest docker image has been pushed.' else echo 'Failed. You likely need to sign in with MFA https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/' diff --git a/local/vacols/build_push.sh b/local/vacols/build_push.sh index 7f9ced50209..d7043f931ee 100755 --- a/local/vacols/build_push.sh +++ b/local/vacols/build_push.sh 
@@ -91,12 +91,12 @@ build(){ } push(){ - aws ecr get-login-password --region us-gov-west-1 | docker login --username AWS --password-stdin 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com + aws ecr get-login-password --region us-gov-west-1 | docker login --username AWS --password-stdin 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com docker tag vacols_db:latest vacols_db:${today} - docker tag vacols_db:${today} 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/facols:${today} - docker tag vacols_db:latest 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/facols:latest - if docker push 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/facols:${today} ; then - docker push 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/facols:latest + docker tag vacols_db:${today} 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/facols:${today} + docker tag vacols_db:latest 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/facols:latest + if docker push 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/facols:${today} ; then + docker push 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/facols:latest echo "${bold}Success. ${normal}The latest docker image has been pushed." else echo "${bold}Failed to Upload. ${normal}Probably you don't have permissions to do this. Ask the DevOps Team please" @@ -107,7 +107,7 @@ push(){ download(){ # get circleci latest image from this same repo facols_image=$(cat ${THIS_SCRIPT_DIR}/../../.circleci/config.yml| grep -m 1 facols | awk '{print $3}') - aws ecr get-login-password --region us-gov-west-1 | docker login --username AWS --password-stdin 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com + aws ecr get-login-password --region us-gov-west-1 | docker login --username AWS --password-stdin 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com docker pull $facols_image docker tag $facols_image vacols_db:latest }
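Review bot: `download()` logs in to the new 065403089830 registry and then pulls `$facols_image`, which is read out of `.circleci/config.yml` — a file this patch does not touch (it is absent from the diffstat) — so if that config still names the old 008577686731 registry the pull runs against a registry this login did not authorize and fails. Either update the CircleCI config in the same change or fall back to the registry used here, e.g. `facols_image="065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/facols:latest"` when the grep comes back empty. The registry host is now repeated on every `docker login`, `docker tag` and `docker push` line across `push()` and `download()`; a single `ECR_REGISTRY=065403089830.dkr.ecr.us-gov-west-1.amazonaws.com` variable near the top of the script would make the next account migration a one-line change. Also quote the expansion, `docker pull "$facols_image"`, so an empty or unexpected grep result does not turn into a bare `docker pull` via word splitting.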