Skip to content

fix(deps): bump the terraform group in /test with 1 update #38

fix(deps): bump the terraform group in /test with 1 update

fix(deps): bump the terraform group in /test with 1 update #38

Workflow file for this run

---
name: OIDC Tests
on:
pull_request:
branches:
- main
jobs:
oidc:
runs-on: ubuntu-22.04
# These permissions must be set in order to successfully bind a GitHub OIDC token.
permissions:
contents: read # checkout repository
id-token: write # create OIDC token
services:
vault:
# For the purposes of testing this module, we'll use 'latest' even though that is not typically ideal
image: hashicorp/vault:latest
ports:
- 8200:8200
env:
VAULT_DEV_ROOT_TOKEN_ID: toomanysecrets
options: >-
--cap-add=IPC_LOCK
steps:
- uses: actions/checkout@v4
- name: Setup Terraform
uses: hashicorp/[email protected]
with:
terraform_wrapper: false
- name: Install Vault
run: .github/script/install_vault.sh
# This preconfigures Vault such that we can authenticate to a Vault role
# and access secrets.
- name: Setup Vault
run: |
.github/script/prep_vault.sh
cd test/
make init
make apply
env:
VAULT_ADDR: http://127.0.0.1:8200
VAULT_TOKEN: toomanysecrets
# We've configured Vault, so now let's act as a user and try to read secrets!
#
# See test/main.tf
#
# We've configured pull requests to be allowed to read the
# secret path "secret/data/foo/bar".
# We are unable to read "secret/data/main/secret".
- name: Import Secrets
uses: hashicorp/[email protected]
id: secrets
with:
exportEnv: false
url: http://127.0.0.1:8200
path: github-actions
method: jwt
role: oidc-ci-test
secrets: |
secret/data/foo/bar fi | MY_SECRET
- name: Prove access to secrets
run: |
[[ "${{ steps.secrets.outputs.MY_SECRET }}" == "fofum" ]]
# The 'oidc-ci-test' role is not granted a policy to read
# 'secret/data/main/secret' so this will successfully authenticate
# but fail to pull the 'cdsecret' secret.
- name: Attempt to read secrets outside bound OIDC policy
uses: hashicorp/[email protected]
id: failed-secrets1
continue-on-error: true
with:
exportEnv: false
url: http://127.0.0.1:8200
path: github-actions
method: jwt
role: oidc-ci-test
secrets: |
secret/data/main/secret cdsecret | CANT_ACCESS_SECRET
- name: We cannot access this secret
run: |
[[ "${{ steps.failed-secrets1.outputs.CANT_ACCESS_SECRET }}" == "" ]]
# The oidc-cd-test role is bound to the 'main' branch of this repository
# so it cannot be bound to a job running from another branch or a fork.
# This will fail to authenticate.
- name: Attempt to access another OIDC role
uses: hashicorp/[email protected]
id: failed-secrets2
continue-on-error: true
with:
exportEnv: false
url: http://127.0.0.1:8200
path: github-actions
method: jwt
role: oidc-cd-test
secrets: |
secret/data/main/secret cdsecret | CANT_ACCESS_SECRET