Merge pull request #581 from CDCgov/acr-password-different

More Securely Log Into Docker Registry
CDCgov · Oct 17, 2023 · c7646c6 · c7646c6
2 parents be9fc89 + e1c77fd
commit c7646c6
Show file tree

Hide file tree

Showing 11 changed files with 34 additions and 84 deletions.
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
@@ -36,8 +36,6 @@ jobs:
       APP: ${{ needs.terraform-deploy.outputs.APP }}
       REGISTRY: ${{ needs.terraform-deploy.outputs.REGISTRY }}
     secrets:
-      ACR_USERNAME: ${{ needs.terraform-deploy.outputs.ACR_USERNAME }}
-      ACR_PASSWORD: ${{ needs.terraform-deploy.outputs.ACR_PASSWORD }}
       AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
       AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
       AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
diff --git a/.github/workflows/deploy_reusable.yml b/.github/workflows/deploy_reusable.yml
@@ -19,10 +19,6 @@ on:
         required: true
         type: string
     secrets:
-      ACR_USERNAME:
-        required: true
-      ACR_PASSWORD:
-        required: true
       AZURE_CLIENT_ID:
         required: true
       AZURE_TENANT_ID:
@@ -34,6 +30,9 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
     - uses: actions/checkout@v4
@@ -50,12 +49,28 @@ jobs:
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v3
 
+    - name: Login via Azure CLI
+      uses: azure/login@v1
+      with:
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+    - name: Retrieve registry password
+      id: retrieve-registry-password
+      uses: azure/CLI@v1
+      with:
+        inlineScript: |
+          ACR_PASSWORD=$(az acr login --name ${{ inputs.REGISTRY }} --expose-token --output tsv --query accessToken)
+          echo "::add-mask::$ACR_PASSWORD"
+          echo "ACR_PASSWORD=$ACR_PASSWORD" >> "$GITHUB_OUTPUT"
+
     - name: Log in to registry
       uses: docker/login-action@v3
       with:
         registry: ${{ inputs.REGISTRY }}
-        username: ${{ secrets.ACR_USERNAME }}
-        password: ${{ secrets.ACR_PASSWORD }}
+        username: 00000000-0000-0000-0000-000000000000
+        password: ${{ steps.retrieve-registry-password.outputs.ACR_PASSWORD }}
 
     - name: Build and push container image to registry
       uses: docker/build-push-action@v5
@@ -99,12 +114,21 @@ jobs:
         slot-name: production
         images: '${{ inputs.REGISTRY }}/${{ inputs.REPO }}:${{ github.sha }}'
 
+    - name: Retrieve registry password
+      id: retrieve-registry-password
+      uses: azure/CLI@v1
+      with:
+        inlineScript: |
+          ACR_PASSWORD=$(az acr login --name ${{ inputs.REGISTRY }} --expose-token --output tsv --query accessToken)
+          echo "::add-mask::$ACR_PASSWORD"
+          echo "ACR_PASSWORD=$ACR_PASSWORD" >> "$GITHUB_OUTPUT"
+
     - name: Log in to registry
       uses: docker/login-action@v3
       with:
         registry: ${{ inputs.REGISTRY }}
-        username: ${{ secrets.ACR_USERNAME }}
-        password: ${{ secrets.ACR_PASSWORD }}
+        username: 00000000-0000-0000-0000-000000000000
+        password: ${{ steps.retrieve-registry-password.outputs.ACR_PASSWORD }}
 
     - name: Extract generated documentation from the documentation image
       id: extract

diff --git a/.github/workflows/dev-deploy.yml b/.github/workflows/dev-deploy.yml
@@ -29,8 +29,6 @@ jobs:
       APP: ${{ needs.terraform-deploy.outputs.APP }}
       REGISTRY: ${{ needs.terraform-deploy.outputs.REGISTRY }}
     secrets:
-      ACR_USERNAME: ${{ needs.terraform-deploy.outputs.ACR_USERNAME }}
-      ACR_PASSWORD: ${{ needs.terraform-deploy.outputs.ACR_PASSWORD }}
       AZURE_CLIENT_ID: ${{ secrets.AZURE_CDC_CLIENT_ID }}
       AZURE_TENANT_ID: ${{ secrets.AZURE_CDC_TENANT_ID }}
       AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_CDC_DMZ_C1_SUBSCRIPTION_ID }}
diff --git a/.github/workflows/internal-deploy.yml b/.github/workflows/internal-deploy.yml
@@ -29,8 +29,6 @@ jobs:
       APP: ${{ needs.terraform-deploy.outputs.APP }}
       REGISTRY: ${{ needs.terraform-deploy.outputs.REGISTRY }}
     secrets:
-      ACR_USERNAME: ${{ needs.terraform-deploy.outputs.ACR_USERNAME }}
-      ACR_PASSWORD: ${{ needs.terraform-deploy.outputs.ACR_PASSWORD }}
       AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
       AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
       AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
diff --git a/.github/workflows/terraform-ci-deploy.yml b/.github/workflows/terraform-ci-deploy.yml
@@ -61,8 +61,6 @@ jobs:
       APP: ${{ needs.terraform-deploy.outputs.APP }}
       REGISTRY: ${{ needs.terraform-deploy.outputs.REGISTRY }}
     secrets:
-      ACR_USERNAME: ${{ needs.terraform-deploy.outputs.ACR_USERNAME }}
-      ACR_PASSWORD: ${{ needs.terraform-deploy.outputs.ACR_PASSWORD }}
       AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
       AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
       AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

diff --git a/.github/workflows/terraform-deploy_reusable.yml b/.github/workflows/terraform-deploy_reusable.yml
@@ -28,12 +28,6 @@ on:
       APP:
         description: The web application's name
         value: ${{ jobs.terraform-deploy.outputs.APP }}
-      ACR_USERNAME:
-        description: The username to login to the container registry
-        value: ${{ jobs.terraform-deploy.outputs.ACR_USERNAME }}
-      ACR_PASSWORD:
-        description: The password to login to the container registry
-        value: ${{ jobs.terraform-deploy.outputs.ACR_PASSWORD }}
 
 jobs:
   terraform-deploy:
@@ -54,8 +48,6 @@ jobs:
     outputs:
       REGISTRY: ${{ steps.export-terraform-output.outputs.REGISTRY }}
       APP: ${{ steps.export-terraform-output.outputs.APP }}
-      ACR_USERNAME: ${{ steps.export-terraform-output.outputs.ACR_USERNAME }}
-      ACR_PASSWORD: ${{ steps.export-terraform-output.outputs.ACR_PASSWORD }}
 
     steps:
 
@@ -75,7 +67,5 @@ jobs:
       - id: export-terraform-output
         name: Export Terraform Output
         run: |
-          echo "REGISTRY=$(terraform output -raw registry)" >> $GITHUB_OUTPUT
-          echo "APP=$(terraform output -raw publish_app)" >> $GITHUB_OUTPUT
-          echo "ACR_USERNAME=$(terraform output -raw acr_username)" >> $GITHUB_OUTPUT
-          echo "ACR_PASSWORD=$(terraform output -raw acr_password)" >> $GITHUB_OUTPUT
+          echo "REGISTRY=$(terraform output -raw registry)" >> "$GITHUB_OUTPUT"
+          echo "APP=$(terraform output -raw publish_app)" >> "$GITHUB_OUTPUT"
diff --git a/operations/environments/dev/outputs.tf b/operations/environments/dev/outputs.tf
@@ -1,17 +1,6 @@
 output "registry" {
   value = module.template.registry
 }
-
-output "acr_username" {
-  value     = module.template.acr_username
-  sensitive = true
-}
-
-output "acr_password" {
-  value     = module.template.acr_password
-  sensitive = true
-}
-
 output "publish_app" {
   value = module.template.publish_app
 }
diff --git a/operations/environments/internal/outputs.tf b/operations/environments/internal/outputs.tf
@@ -2,16 +2,6 @@ output "registry" {
   value = module.template.registry
 }
 
-output "acr_username" {
-  value     = module.template.acr_username
-  sensitive = true
-}
-
-output "acr_password" {
-  value     = module.template.acr_password
-  sensitive = true
-}
-
 output "publish_app" {
   value = module.template.publish_app
 }
diff --git a/operations/environments/pr/outputs.tf b/operations/environments/pr/outputs.tf
@@ -2,16 +2,6 @@ output "registry" {
   value = module.template.registry
 }
 
-output "acr_username" {
-  value     = module.template.acr_username
-  sensitive = true
-}
-
-output "acr_password" {
-  value     = module.template.acr_password
-  sensitive = true
-}
-
 output "publish_app" {
   value = module.template.publish_app
 }
diff --git a/operations/environments/staging/outputs.tf b/operations/environments/staging/outputs.tf
@@ -2,16 +2,6 @@ output "registry" {
   value = module.template.registry
 }
 
-output "acr_username" {
-  value     = module.template.acr_username
-  sensitive = true
-}
-
-output "acr_password" {
-  value     = module.template.acr_password
-  sensitive = true
-}
-
 output "publish_app" {
   value = module.template.publish_app
 }
diff --git a/operations/template/outputs.tf b/operations/template/outputs.tf
@@ -1,22 +1,7 @@
-# Output Container Registry information
-
 output "registry" {
   value = azurerm_container_registry.registry.login_server
 }
 
-output "acr_username" {
-  value     = azurerm_container_registry.registry.admin_username
-  sensitive = true
-}
-
-output "acr_password" {
-  value     = azurerm_container_registry.registry.admin_password
-  sensitive = true
-}
-
-
-# Output App Service information
-
 output "publish_app" {
   value = azurerm_linux_web_app.api.name
 }