chore: Access Secrets based on environments segregate (#231)

* segregate secrets based on environments * Added: Deployment Authorisation * fixed: typo * Added Authorisation
sprintertech · Oct 29, 2024 · d4cedef · d4cedef
1 parent eb9f98d
commit d4cedef
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 22 deletions.
diff --git a/.github/workflows/deploy_mainnet.yml b/.github/workflows/deploy_mainnet.yml
@@ -11,24 +11,33 @@ on:
         description: deploy v2
         type: string
 
+run-name: Deploy Explorer-Indexer to Mainnet - ${{ inputs.release_tag }} by @${{ github.actor }}
+
 env:
-  AWS_REGION: '${{ secrets.AWS_REGION }}'
   ENVIRONMENT: MAINNET
-  AWS_MAINNET: '${{ secrets.AWS_MAINNET }}'
   REGISTRY: 'ghcr.io'
   VERSION: ${{ inputs.release_tag }}
 
 jobs:
   deploy:
    name: deploy
    runs-on: ubuntu-latest
-
+   environment: mainnet 
    permissions:
      contents: read
      id-token: write
      actions: write
-
+   env:
+     AWS_REGION: '${{ secrets.AWS_REGION }}'
+     AWS_MAINNET: '${{ secrets.AWS_MAINNET }}'
    steps:
+     - name: Authorised User only
+       run: |
+        if [[ ! " tcar121293 eedygreen MakMuftic akchainsafe mpetrun5 " =~ " ${{ github.actor }} " ]]; then 
+          echo "You are not authorized to deploy to mainnet!"
+          exit 1
+        fi
+
      - name: checkout ecs repo
        uses: actions/checkout@v4
        with:
@@ -46,8 +55,8 @@ jobs:
            awsAccountId=${{ env.AWS_MAINNET }}
            awsRegion=${{ env.AWS_REGION }}
            awsEnv=${{ env.ENVIRONMENT }}
-           DB_USERNAME=${{ secrets.MAIN_USERNAME }}
-           DB_PASSWORD=${{ secrets.MAIN_PASSWORD }}
+           DB_USERNAME=${{ secrets.DB_USERNAME }}
+           DB_PASSWORD=${{ secrets.DB_PASSWORD }}
            imageTag=${{ env.VERSION }}
 
      - name: Configure AWS Credentials
@@ -78,12 +87,14 @@ jobs:
   #  name: deploy v2
 
   #  runs-on: ubuntu-latest
-
+  #  environment: mainnet
   #  permissions:
   #    contents: read
   #    id-token: write
   #    actions: write
-
+  #  env:
+  #    AWS_REGION: '${{ secrets.AWS_REGION }}'
+  #    AWS_MAINNET: '${{ secrets.AWS_MAINNET }}'
   #  steps:
   #    - name: checkout ecs repo
   #      uses: actions/checkout@v4

diff --git a/.github/workflows/deploy_mainnet_api.yml b/.github/workflows/deploy_mainnet_api.yml
@@ -9,24 +9,33 @@ on:
         default: 'stable' 
         type: string
 
+run-name: Deploy Explorer-API to Mainnet - ${{ inputs.release_tag }} by @${{ github.actor }}
+
 env:
-  AWS_REGION: '${{ secrets.AWS_REGION }}'
   ENVIRONMENT: MAINNET
-  AWS_MAINNET: '${{ secrets.AWS_MAINNET }}'
   REGISTRY: 'ghcr.io'
   VERSION: ${{ inputs.release_tag }}
 
 jobs:    
   deploy:
    name: deploy
    runs-on: ubuntu-latest
-
+   environment: mainnet 
    permissions:
      contents: read
      id-token: write
      actions: write
-
+   env:
+     AWS_REGION: '${{ secrets.AWS_REGION }}'
+     AWS_MAINNET: '${{ secrets.AWS_MAINNET }}'
    steps:
+     - name: Authorised User only
+       run: |
+        if [[ ! " tcar121293 eedygreen MakMuftic akchainsafe mpetrun5 " =~ " ${{ github.actor }} " ]]; then 
+          echo "You are not authorized to deploy to mainnet!"
+          exit 1
+        fi
+
      - name: checkout ecs repo
        uses: actions/checkout@v4
        with:
@@ -44,8 +53,8 @@ jobs:
            awsAccountId=${{ env.AWS_MAINNET }}
            awsRegion=${{ env.AWS_REGION }}
            awsEnv=${{ env.ENVIRONMENT }}
-           DB_USERNAME=${{ secrets.MAIN_USERNAME }}
-           DB_PASSWORD=${{ secrets.MAIN_PASSWORD }}
+           DB_USERNAME=${{ secrets.DB_USERNAME }}
+           DB_PASSWORD=${{ secrets.DB_PASSWORD }}
            imageTag=${{ env.VERSION }}
 
      - name: Configure AWS Credentials

diff --git a/.github/workflows/deploy_testnet.yml b/.github/workflows/deploy_testnet.yml
@@ -5,10 +5,10 @@ on:
     types:
       - published
 
+run-name: Deploy Explorer-Indexer to Testnet - ${{ inputs.release_tag }} by @${{ github.actor }}
+
 env:
-  AWS_REGION: '${{ secrets.AWS_REGION }}'
   ENVIRONMENT: TESTNET
-  AWS_TESTNET: '${{ secrets.AWS_ARN }}'
   REGISTRY: 'ghcr.io'
   TAG: 'stable'
   VERSION: ${{ github.event.release.tag_name }}
@@ -59,12 +59,14 @@ jobs:
    needs: push
    name: deploy
    runs-on: ubuntu-latest
-
+   environment: testnet
    permissions:
      contents: read
      id-token: write
      actions: write
-
+   env:
+     AWS_REGION: '${{ secrets.AWS_REGION }}'
+     AWS_TESTNET: '${{ secrets.AWS_ARN }}'
    steps:
      - name: checkout ecs repo
        uses: actions/checkout@v4

diff --git a/.github/workflows/deploy_testnet_api.yml b/.github/workflows/deploy_testnet_api.yml
@@ -5,10 +5,10 @@ on:
     types:
       - published
 
+run-name: Deploy Explorer-API to Testnet - ${{ inputs.release_tag }} by @${{ github.actor }}
+
 env:
-  AWS_REGION: '${{ secrets.AWS_REGION }}'
   ENVIRONMENT: TESTNET
-  AWS_TESTNET: '${{ secrets.AWS_ARN }}'
   REGISTRY: 'ghcr.io'
   TAG: 'stable'
   VERSION: ${{ github.event.release.tag_name }}
@@ -61,12 +61,14 @@ jobs:
    needs: push
    name: deploy
    runs-on: ubuntu-latest
-
+   environment: testnet
    permissions:
      contents: read
      id-token: write
      actions: write
-
+   env:
+     AWS_TESTNET: '${{ secrets.AWS_ARN }}'
+     AWS_REGION: '${{ secrets.AWS_REGION }}'
    steps:
      - name: checkout ecs repo
        uses: actions/checkout@v4