fix(deps): bump the terraform group in /test with 1 update #39
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: OIDC Tests | |
on: | |
pull_request: | |
branches: | |
- main | |
jobs: | |
oidc: | |
runs-on: ubuntu-22.04 | |
# These permissions must be set in order to successfully bind a GitHub OIDC token. | |
permissions: | |
contents: read # checkout repository | |
id-token: write # create OIDC token | |
services: | |
vault: | |
# For the purposes of testing this module, we'll use 'latest' even though that is not typically ideal | |
image: hashicorp/vault:latest | |
ports: | |
- 8200:8200 | |
env: | |
VAULT_DEV_ROOT_TOKEN_ID: toomanysecrets | |
options: >- | |
--cap-add=IPC_LOCK | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Setup Terraform | |
uses: hashicorp/[email protected] | |
with: | |
terraform_wrapper: false | |
- name: Install Vault | |
run: .github/script/install_vault.sh | |
# This preconfigures Vault such that we can authenticate to a Vault role | |
# and access secrets. | |
- name: Setup Vault | |
run: | | |
.github/script/prep_vault.sh | |
cd test/ | |
make init | |
make apply | |
env: | |
VAULT_ADDR: http://127.0.0.1:8200 | |
VAULT_TOKEN: toomanysecrets | |
# We've configured Vault, so now let's act as a user and try to read secrets! | |
# | |
# See test/main.tf | |
# | |
# We've configured pull requests to be allowed to read the | |
# secret path "secret/data/foo/bar". | |
# We are unable to read "secret/data/main/secret". | |
- name: Import Secrets | |
uses: hashicorp/[email protected] | |
id: secrets | |
with: | |
exportEnv: false | |
url: http://127.0.0.1:8200 | |
path: github-actions | |
method: jwt | |
role: oidc-ci-test | |
secrets: | | |
secret/data/foo/bar fi | MY_SECRET | |
- name: Prove access to secrets | |
run: | | |
[[ "${{ steps.secrets.outputs.MY_SECRET }}" == "fofum" ]] | |
# The 'oidc-ci-test' role is not granted a policy to read | |
# 'secret/data/main/secret' so this will successfully authenticate | |
# but fail to pull the 'cdsecret' secret. | |
- name: Attempt to read secrets outside bound OIDC policy | |
uses: hashicorp/[email protected] | |
id: failed-secrets1 | |
continue-on-error: true | |
with: | |
exportEnv: false | |
url: http://127.0.0.1:8200 | |
path: github-actions | |
method: jwt | |
role: oidc-ci-test | |
secrets: | | |
secret/data/main/secret cdsecret | CANT_ACCESS_SECRET | |
- name: We cannot access this secret | |
run: | | |
[[ "${{ steps.failed-secrets1.outputs.CANT_ACCESS_SECRET }}" == "" ]] | |
# The oidc-cd-test role is bound to the 'main' branch of this repository | |
# so it cannot be bound to a job running from another branch or a fork. | |
# This will fail to authenticate. | |
- name: Attempt to access another OIDC role | |
uses: hashicorp/[email protected] | |
id: failed-secrets2 | |
continue-on-error: true | |
with: | |
exportEnv: false | |
url: http://127.0.0.1:8200 | |
path: github-actions | |
method: jwt | |
role: oidc-cd-test | |
secrets: | | |
secret/data/main/secret cdsecret | CANT_ACCESS_SECRET |