chore: Remove secure repo and fetch secrets from AWS

edx · Oct 23, 2023 · 7aa3baf · 7aa3baf
1 parent 9d897c6
commit 7aa3baf
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 19 deletions.
diff --git a/devops/jobs/UserRetirementArchiver.groovy b/devops/jobs/UserRetirementArchiver.groovy
@@ -74,8 +74,8 @@ class UserRetirementArchiver {
 
             wrappers {
                 credentialsBinding {
-                    file('AWS_CONFIG_FILE','tools-edx-jenkins-aws-credentials')
                     string('ROLE_ARN', extraVars.get('ENVIRONMENT_DEPLOYMENT') + '-retirement-archive-upload-role')
+                    string('SECRET_ARN', extraVars.get('ENVIRONMENT_DEPLOYMENT') + '-retirement-archive-secret-role')
                 }
             }
 

diff --git a/devops/resources/user-retirement-archiver.sh b/devops/resources/user-retirement-archiver.sh
@@ -11,8 +11,23 @@ env
 set -ex
 
 cd $WORKSPACE/configuration
+pip install -r util/jenkins/requirements.txt
+
 . util/jenkins/assume-role.sh
 
+# hide the sensitive information in the logs
+set +x
+
+SECRET_YAML=$(aws secretsmanager get-secret-value --secret-id "${SECRET_ARN}" --region "us-east-1" --output json | jq -r '.SecretString' | yq -y .)
+
+# Create a temporary file to store the YAML
+temp_yaml_file=$(mktemp $WORKSPACE/tempfile.XXXXXXXXXX.yml)
+
+# Write the YAML data to the temporary file
+echo "$SECRET_YAML" > "$temp_yaml_file"
+
+set -x
+
 assume-role ${ROLE_ARN}
 
 # prepare tubular
@@ -26,9 +41,12 @@ fi
 
 # Call the script to read the retirement statuses from the LMS, send them to S3, and delete them from the LMS.
 python scripts/retirement_archive_and_cleanup.py \
-    --config_file=$WORKSPACE/user-retirement-secure/${ENVIRONMENT_DEPLOYMENT}.yml \
+    --config_file=$SECRET_YAML \
     --cool_off_days=$COOL_OFF_DAYS \
     --batch_size=$BATCH_SIZE \
     --start_date=$START_DATE \
     --end_date=$END_DATE \
     --dry_run=$DRY_RUN
+
+# Remove the temporary file after processing
+rm -f "$temp_yaml_file"
diff --git a/src/main/groovy/org/edx/jenkins/dsl/UserRetirementConstants.groovy b/src/main/groovy/org/edx/jenkins/dsl/UserRetirementConstants.groovy
@@ -59,23 +59,6 @@ class UserRetirementConstants {
 
     public static def common_multiscm = { extraVars ->
         return {
-            git {
-                remote {
-                    url('[email protected]:edx-ops/user-retirement-secure.git')
-                    if (extraVars.containsKey('SECURE_GIT_CREDENTIALS')) {
-                        credentials(extraVars.get('SECURE_GIT_CREDENTIALS'))
-                    }
-                }
-                branch('$USER_RETIREMENT_SECURE_BRANCH')
-                extensions {
-                    relativeTargetDirectory('user-retirement-secure')
-                    cloneOptions {
-                        shallow()
-                        timeout(10)
-                    }
-                    cleanBeforeCheckout()
-                }
-            }
             git {
                 remote {
                     url('https://github.com/edx/tubular.git')