DDLS-434 part 1 of move to limited permissions on state file write (#…

…1782)

* DDLS-434 part 1 of move to limited permissions on state file write

.github/workflows/_build-and-push.yml

@@ -83,14 +83,6 @@ jobs:
       - name: install aws cli
         uses: unfor19/install-aws-cli-action@27d6061dae5d39e89be4d2246824f15e111a7e06 # pin@v1.0.3
 
-      - name: configure OIDC AWS credentials for ECR push
-        uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 # pin@v1.7.0
-        with:
-          role-to-assume: arn:aws:iam::311462405659:role/digideps-gh-actions-ecr-push
-          role-session-name: github-actions-ecr-push
-          role-duration-seconds: 900
-          aws-region: eu-west-1
-
       - name: download resources artifact
         uses: actions/download-artifact@d0ce8fd1167ed839810201de977912a090ab10a7
         with:
@@ -136,6 +128,14 @@ jobs:
           rm -rf /tmp/.buildx-cache
           mv /tmp/.buildx-cache-new /tmp/.buildx-cache
 
+      - name: configure OIDC AWS credentials for ECR push
+        uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 # pin@v1.7.0
+        with:
+          role-to-assume: arn:aws:iam::311462405659:role/digideps-gh-actions-ecr-push
+          role-session-name: github-actions-ecr-push
+          role-duration-seconds: 900
+          aws-region: eu-west-1
+
       - name: ecr login
         id: login_ecr
         uses: aws-actions/amazon-ecr-login@bfbd05a2dcf76451041cbd4b9d11cff82489a1ee # pin@v1.5.1
@@ -192,3 +192,10 @@ jobs:
             docker tag $IMAGE_NAME:latest $ECR_REGISTRY/$ECR_REGISTRY_ALIAS/$IMAGE_NAME:main-$IMAGE_TAG
           fi
           docker push --all-tags $ECR_REGISTRY/$ECR_REGISTRY_ALIAS/$IMAGE_NAME
+
+      - name: Unset AWS variables
+        if: always()
+        run: |
+          echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV
+          echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV
+          echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV

.github/workflows/_codecov.yml

@@ -6,6 +6,9 @@ defaults:
 
 on:
   workflow_call:
+    secrets:
+      codecov_token:
+        required: true
 
 jobs:
   code_coverage:
@@ -44,7 +47,7 @@ jobs:
           fail_ci_if_error: true
           flags: client
           verbose: true
-          token: ${{ secrets.CODECOV_TOKEN }}
+          token: ${{ secrets.codecov_token }}
 
       - name: service api codecov upload
         uses: codecov/codecov-action@v3
@@ -54,4 +57,4 @@ jobs:
           fail_ci_if_error: true
           flags: api
           verbose: true
-          token: ${{ secrets.CODECOV_TOKEN }}
+          token: ${{ secrets.codecov_token }}

.github/workflows/_cycle-secrets.yml

@@ -33,3 +33,10 @@ jobs:
           AWS_REGION: eu-west-1
         working-directory: terraform/environment/scripts/cycle_secrets
         run: python3 cycle_secrets.py ${ACCOUNT_ENVIRONMENT}
+
+      - name: Unset AWS variables
+        if: always()
+        run: |
+          echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV
+          echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV
+          echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV

.github/workflows/_ecr-scanning.yml

@@ -17,14 +17,6 @@ jobs:
     steps:
       - uses: actions/checkout@3b9b8c884f6b4bb4d5be2779c26374abadae0871 # pin@v3
 
-      - name: configure OIDC AWS credentials for ECR scanning
-        uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573
-        with:
-          role-to-assume: arn:aws:iam::311462405659:role/digideps-gh-actions-ecr-scan
-          role-session-name: github-actions-ecr-scan
-          role-duration-seconds: 1800
-          aws-region: eu-west-1
-
       - name: install python
         uses: actions/setup-python@55aad42e4674b58b2b2fb7d8e7552402d922b4e7 # pin@v4.2.0
         with:
@@ -34,7 +26,22 @@ jobs:
       - name: install requirements
         run: pip install -r ./scripts/pipeline/ecrscan/requirements.txt
 
+      - name: configure OIDC AWS credentials for ECR scanning
+        uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573
+        with:
+          role-to-assume: arn:aws:iam::311462405659:role/digideps-gh-actions-ecr-scan
+          role-session-name: github-actions-ecr-scan
+          role-duration-seconds: 1800
+          aws-region: eu-west-1
+
       - name: Check ECR scan results
         env:
           TAG: ${{ inputs.tag }}
         run: python ./scripts/pipeline/ecrscan/ecr_scan_results.py --search digideps --tag ${TAG} --print_to_terminal --fail_pipe
+
+      - name: Unset AWS variables
+        if: always()
+        run: |
+          echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV
+          echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV
+          echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV

.github/workflows/_latest-deployed-image.yml

@@ -1,5 +1,8 @@
 on:
   workflow_call:
+    secrets:
+      ssh_private_key:
+        required: true
     inputs:
       terraform_path:
         description: "The name of the terraform path"
@@ -27,24 +30,21 @@ jobs:
         with:
           fetch-depth: "0"
 
-      - name: parse terraform version
-        id: tf_version_setup
-        run: |
-          if [ -f ./versions.tf ]; then
-            terraform_version=$(cat ./versions.tf | ../../scripts/pipeline/terraform/terraform-version.sh)
-            echo "- Terraform version: [${terraform_version}]" >> $GITHUB_STEP_SUMMARY
-            echo "TERRAFORM_VERSION=${terraform_version}" >> $GITHUB_OUTPUT
-          fi
-        working-directory: terraform/${{ inputs.terraform_path }}
-
-      - name: "Terraform version [${{ steps.tf_version_setup.outputs.TERRAFORM_VERSION }}]"
-        run: echo "terraform version [${{ steps.tf_version_setup.outputs.TERRAFORM_VERSION }}]"
+      - id: terraform_version
+        name: get terraform version
+        uses: ministryofjustice/opg-github-actions/.github/actions/terraform-version@v3.1.0
+        with:
+          terraform_directory: terraform/${{ inputs.terraform_path }}
 
       - uses: hashicorp/setup-terraform@344fef46b6edc7c46ce8b3b8b0a3ece7e77e05f0 # pin@v2.0.0
         with:
-          terraform_version: ${{ steps.tf_version_setup.outputs.TERRAFORM_VERSION }}
+          terraform_version: ${{ steps.terraform_version.outputs.version }}
           terraform_wrapper: false
 
+      - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # pin@v0.5.4
+        with:
+          ssh-private-key: ${{ secrets.ssh_private_key }}
+
       - name: configure OIDC AWS credentials for latest deployment
         uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573
         with:
@@ -53,10 +53,6 @@ jobs:
           role-duration-seconds: 900
           aws-region: eu-west-1
 
-      - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # pin@v0.5.4
-        with:
-          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }}
-
       - name: terraform init
         run: terraform init -input=false
         working-directory: terraform/${{ inputs.terraform_path }}
@@ -69,3 +65,10 @@ jobs:
           export IMAGE_TAG=$(terraform show -json | head -n 2 | tail -n 1 | jq -r '.values.root_module.child_modules[].resources[] | select(.address == "module.eu_west_1[0].aws_ecs_task_definition.front") | .values.container_definitions | fromjson[].image | split(":")[1]' | tail -n 1 2>/dev/null)
           echo "image_tag=$(echo ${IMAGE_TAG})" >> $GITHUB_OUTPUT
         working-directory: terraform/${{ inputs.terraform_path }}
+
+      - name: Unset AWS variables
+        if: always()
+        run: |
+          echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV
+          echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV
+          echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV

.github/workflows/_lint-terraform.yml

@@ -6,6 +6,9 @@ defaults:
 
 on:
   workflow_call:
+    secrets:
+      ssh_private_key:
+        required: true
     inputs:
       workspace:
         description: "Terraform workspace"
@@ -33,6 +36,14 @@ jobs:
           terraform_version: ${{ steps.terraform_version.outputs.version }}
           terraform_wrapper: false
 
+      - name: terraform fmt ${{ matrix.folder }} check
+        run: terraform fmt -check -recursive
+        working-directory: terraform/${{ matrix.folder }}
+
+      - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # pin@v0.5.4
+        with:
+          ssh-private-key: ${{ secrets.ssh_private_key }}
+
       - name: configure OIDC AWS credentials for terraform
         uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573
         with:
@@ -41,14 +52,6 @@ jobs:
           role-duration-seconds: 900
           aws-region: eu-west-1
 
-      - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # pin@v0.5.4
-        with:
-          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }}
-
-      - name: terraform fmt ${{ matrix.folder }} check
-        run: terraform fmt -check -recursive
-        working-directory: terraform/${{ matrix.folder }}
-
       - name: terraform validate ${{ inputs.workspace }}
         env:
           TF_WORKSPACE: default
@@ -59,6 +62,13 @@ jobs:
           terraform validate
         working-directory: terraform/${{ matrix.folder }}
 
+      - name: Unset AWS variables
+        if: always()
+        run: |
+          echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV
+          echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV
+          echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV
+
       - name: configure OIDC AWS credentials for Trivy DB Ecr
         uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 # pin@v1.7.0
         with:
@@ -86,3 +96,10 @@ jobs:
           TRIVY_TIMEOUT: 15m
           TRIVY_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-db
           TRIVY_JAVA_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-java-db
+
+      - name: Unset AWS variables
+        if: always()
+        run: |
+          echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV
+          echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV
+          echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV

.github/workflows/_run-task.yml

@@ -1,5 +1,8 @@
 on:
   workflow_call:
+    secrets:
+      ssh_private_key:
+        required: true
     inputs:
       workspace:
         description: "Workspace"
@@ -45,6 +48,25 @@ jobs:
           terraform_version: ${{ steps.terraform_version.outputs.version }}
           terraform_wrapper: false
 
+      - name: cache ecs-helper
+        id: cache-ecs-helper
+        uses: actions/cache@v3
+        with:
+          path: ecs-helper
+          key: ecs-helper-${{ env.HELPER_VERSION }}
+
+      - name: get ecs-helper
+        if: steps.cache-ecs-helper.outputs.cache-hit != 'true'
+        run: |
+          wget "https://github.com/ministryofjustice/opg-ecs-helper/releases/download/v$HELPER_VERSION/opg-ecs-helper_Linux_x86_64.tar.gz"
+          mkdir ecs-helper
+          tar -xvf opg-ecs-helper_Linux_x86_64.tar.gz -C ecs-helper
+          chmod +x ecs-helper/ecs-runner
+
+      - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # pin@v0.5.4
+        with:
+          ssh-private-key: ${{ secrets.ssh_private_key }}
+
       - name: configure OIDC AWS credentials for terraform
         uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573
         with:
@@ -53,10 +75,6 @@ jobs:
           role-duration-seconds: 3600
           aws-region: eu-west-1
 
-      - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # pin@v0.5.4
-        with:
-          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }}
-
       - name: terraform init
         env:
           TF_WORKSPACE: ${{ inputs.workspace }}
@@ -71,21 +89,6 @@ jobs:
           terraform output -json > terraform.output.json
         working-directory: terraform/environment
 
-      - name: cache ecs-helper
-        id: cache-ecs-helper
-        uses: actions/cache@v3
-        with:
-          path: ecs-helper
-          key: ecs-helper-${{ env.HELPER_VERSION }}
-
-      - name: get ecs-helper
-        if: steps.cache-ecs-helper.outputs.cache-hit != 'true'
-        run: |
-          wget "https://github.com/ministryofjustice/opg-ecs-helper/releases/download/v$HELPER_VERSION/opg-ecs-helper_Linux_x86_64.tar.gz"
-          mkdir ecs-helper
-          tar -xvf opg-ecs-helper_Linux_x86_64.tar.gz -C ecs-helper
-          chmod +x ecs-helper/ecs-runner
-
       - name: run task
         env:
           OVERRIDE: ${{ inputs.override }}
@@ -102,3 +105,10 @@ jobs:
             ../../ecs-helper/ecs-runner -task ${TASK_NAME} -timeout ${TIMEOUT} -override ${OVERRIDE}
           fi
         working-directory: terraform/environment
+
+      - name: Unset AWS variables
+        if: always()
+        run: |
+          echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV
+          echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV
+          echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV

.github/workflows/_run-terraform.yml

@@ -1,5 +1,8 @@
 on:
   workflow_call:
+    secrets:
+      ssh_private_key:
+        required: true
     inputs:
       terraform_path:
         description: "The name of the terraform path"
@@ -58,6 +61,15 @@ jobs:
           terraform_version: ${{ steps.terraform_version.outputs.version }}
           terraform_wrapper: false
 
+      - name: build redeployer
+        if: inputs.terraform_path == 'account'
+        run: GOARCH=amd64 GOOS=linux go build -o bootstrap ./main.go
+        working-directory: terraform/account/region/go_redeployer
+
+      - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # pin@v0.5.4
+        with:
+          ssh-private-key: ${{ secrets.ssh_private_key }}
+
       - name: configure OIDC AWS credentials for terraform
         uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 # pin@v1.7.0
         with:
@@ -66,15 +78,6 @@ jobs:
           role-duration-seconds: 7400
           aws-region: eu-west-1
 
-      - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # pin@v0.5.4
-        with:
-          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }}
-
-      - name: build redeployer
-        if: inputs.terraform_path == 'account'
-        run: GOARCH=amd64 GOOS=linux go build -o bootstrap ./main.go
-        working-directory: terraform/account/region/go_redeployer
-
       - name: terraform init for account
         if: inputs.terraform_path == 'account'
         run: terraform init -input=false
@@ -116,3 +119,10 @@ jobs:
         run: |
           terraform apply -lock-timeout=300s -input=false -auto-approve -parallelism=30
         working-directory: terraform/${{ inputs.terraform_path }}
+
+      - name: Unset AWS variables
+        if: always()
+        run: |
+          echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV
+          echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV
+          echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV

.github/workflows/_scale-services.yml

@@ -46,3 +46,10 @@ jobs:
           aws ecs update-service --service admin-${TF_WORKSPACE} --cluster ${TF_WORKSPACE} --desired-count ${REPLICAS}
           aws ecs update-service --service api-${TF_WORKSPACE} --cluster ${TF_WORKSPACE} --desired-count ${REPLICAS}
           aws rds modify-db-cluster --db-cluster-identifier api-${TF_WORKSPACE} --serverless-v2-scaling-configuration MinCapacity=0.5,MaxCapacity=${ACU}
+
+      - name: Unset AWS variables
+        if: always()
+        run: |
+          echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV
+          echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV
+          echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV