Revert "APPEALS-53151: Update ECR Workflow to Utilize OIDC Flow (#22348…

…)"

This reverts commit 3367fbe.

.github/workflows/ecr-login.yml

@@ -4,47 +4,31 @@ on:
   # Every 6 hours, the password validity is 12 hours
   schedule:
     - cron:  '0 */6 * * *'
-
-permissions:
-  id-token: write
-  contents: read
-
 jobs:
   login:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v3
-
-      - name: Configure AWS Credentials
-        id: acquire-credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-region: us-gov-west-1
-          role-to-assume: ${{ secrets.AWS_ROLE }}
-          output-credentials: true
-
       - name: retrieve ecr password and store as secret
-        if: steps.acquire-credentials.outcome == 'success'
         run: |
           pip3 install -r .github/workflows/requirements.txt
           python3 .github/workflows/ecr_password_updater.py
         env:
-          AWS_ACCESS_KEY_ID: ${{ steps.acquire-credentials.outputs.aws-access-key-id }}
-          AWS_SECRET_ACCESS_KEY: ${{ steps.acquire-credentials.outputs.aws-secret-access-key }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           AWS_DEFAULT_REGION: us-gov-west-1
           GH_API_ACCESS_TOKEN: ${{ secrets.GH_API_ACCESS_TOKEN }}
-
-  # This 'test' job is useful for fast debugging
+  # This 'test' job is usefull for fast debugging
   test:
     needs: login
     runs-on: ubuntu-latest
     timeout-minutes: 1
     container:
-      image: 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/gaimg-ruby:2.7.3-ga-browsers
+      image: 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/gaimg-ruby:2.7.3-ga-browsers
       credentials:
         username: AWS
         # Here is the password retrieved as a secret that is set by the `login` job
-        password: ${{ secrets.VAEC_ECR_PASSWORD }}
+        password: ${{ secrets.ECR_PASSWORD }}
     steps:
       - run: echo "Inside a container pulled from ECR!!"

.github/workflows/ecr_password_updater.py

@@ -41,7 +41,7 @@ def get_ecr_password() -> str:
 
     password = get_ecr_password()
     encrypted_password = encrypt(public_key_value, password)
-    update_password = requests.put('https://api.github.com/repos/department-of-veterans-affairs/caseflow/actions/secrets/VAEC_ECR_PASSWORD',
+    update_password = requests.put('https://api.github.com/repos/department-of-veterans-affairs/caseflow/actions/secrets/ECR_PASSWORD',
                                    headers={'Accept': 'application/vnd.github.v3+json',
                                             'Authorization': 'token ' + os.environ['GH_API_ACCESS_TOKEN']},
                                    data=json.dumps({'encrypted_value': encrypted_password, 'key_id': public_key_id,

.github/workflows/workflow.yml

@@ -38,10 +38,10 @@ jobs:
           - 6379:6379
 
       facols_db:
-        image: 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/facols:latest
+        image: 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/facols:latest
         credentials:
           username: AWS
-          password: ${{ secrets.VAEC_ECR_PASSWORD }}
+          password: ${{ secrets.ECR_PASSWORD }}
         ports:
           - 1521:1521
 
@@ -52,11 +52,11 @@ jobs:
         ci_node_index: [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11]
 
     container:
-      image: 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/gaimg-ruby:2.7.3-ga-browsers
+      image: 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/gaimg-ruby:2.7.3-ga-browsers
       options: --privileged # Necessary for Rspec to run with our configuration within GHA
       credentials:
         username: AWS
-        password: ${{ secrets.VAEC_ECR_PASSWORD }}
+        password: ${{ secrets.ECR_PASSWORD }}
 
       env:
         DBUS_SESSION_BUS_ADDRESS: /dev/null
@@ -266,10 +266,10 @@ jobs:
     if: true
     runs-on: ubuntu-latest
     container:
-      image: 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/gaimg-ruby:2.7.3-ga-browsers
+      image: 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/gaimg-ruby:2.7.3-ga-browsers
       credentials:
         username: AWS
-        password: ${{ secrets.VAEC_ECR_PASSWORD }}
+        password: ${{ secrets.ECR_PASSWORD }}
       env:
         DBUS_SESSION_BUS_ADDRESS: /dev/null
         RAILS_ENV: test
@@ -328,10 +328,10 @@ jobs:
     if: true
     runs-on: ubuntu-latest
     container:
-      image: 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/gaimg-ruby:2.7.3-ga-browsers
+      image: 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/gaimg-ruby:2.7.3-ga-browsers
       credentials:
         username: AWS
-        password: ${{ secrets.VAEC_ECR_PASSWORD }}
+        password: ${{ secrets.ECR_PASSWORD }}
 
     steps:
       - name: Checkout

ci-bin/circle_docker_container/build_and_push.sh

@@ -7,12 +7,12 @@ fi
 
 rm instant-client-12-1.tar.gz
 
-aws ecr get-login-password --region us-gov-west-1 | docker login --username AWS --password-stdin 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com
+aws ecr get-login-password --region us-gov-west-1 | docker login --username AWS --password-stdin 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com
 
 docker build -t cimg-ruby .
 # In case we modify this image and keep the same ruby version, we should use a different tag (i.e. image digest)
-docker tag cimg-ruby:latest 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/cimg-ruby:2.7.3-browsers
-if docker push 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/cimg-ruby:2.7.3-browsers ; then
+docker tag cimg-ruby:latest 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/cimg-ruby:2.7.3-browsers
+if docker push 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/cimg-ruby:2.7.3-browsers ; then
   echo 'Success the latest docker image has been pushed.'
 else
   echo 'Failed. You likely need to sign in with MFA https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/'

local/vacols/build_push.sh

@@ -91,12 +91,12 @@ build(){
 }
 
 push(){
-  aws ecr get-login-password --region us-gov-west-1 | docker login --username AWS --password-stdin 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com
+  aws ecr get-login-password --region us-gov-west-1 | docker login --username AWS --password-stdin 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com
   docker tag vacols_db:latest vacols_db:${today}
-  docker tag vacols_db:${today} 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/facols:${today}
-  docker tag vacols_db:latest 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/facols:latest
-  if docker push 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/facols:${today} ; then
-    docker push 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/facols:latest
+  docker tag vacols_db:${today} 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/facols:${today}
+  docker tag vacols_db:latest 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/facols:latest
+  if docker push 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/facols:${today} ; then
+    docker push 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/facols:latest
     echo "${bold}Success. ${normal}The latest docker image has been pushed."
   else
     echo "${bold}Failed to Upload. ${normal}Probably you don't have permissions to do this. Ask the DevOps Team please"
@@ -107,7 +107,7 @@ push(){
 download(){
   # get circleci latest image from this same repo
   facols_image=$(cat ${THIS_SCRIPT_DIR}/../../.circleci/config.yml| grep -m 1 facols | awk '{print $3}')
-  aws ecr get-login-password --region us-gov-west-1 | docker login --username AWS --password-stdin 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com
+  aws ecr get-login-password --region us-gov-west-1 | docker login --username AWS --password-stdin 008577686731.dkr.ecr.us-gov-west-1.amazonaws.com
   docker pull $facols_image
   docker tag $facols_image vacols_db:latest
 }