Add IAP-adhoc account to issue token easily
U-lis committed Aug 19, 2024
1 parent c88e906 commit 26252f4
Showing 6 changed files with 18 additions and 3 deletions.
4 changes: 4 additions & 0 deletions .github/workflows/deploy.yml
Expand Up @@ -24,6 +24,8 @@ on:
required: true
KMS_KEY_ID:
required: true
ADHOC_KEY_ID:
required: true
GOOGLE_CREDENTIAL:
required: true
APPLE_CREDENTIAL:
Expand Down Expand Up @@ -135,6 +137,7 @@ jobs:
ODIN_GQL_URL: ${{ vars.ODIN_GQL_URL }}
HEIMDALL_GQL_URL: ${{ vars.HEIMDALL_GQL_URL }}
KMS_KEY_ID: ${{ secrets.KMS_KEY_ID }}
ADHOC_KMS_KEY_ID: ${{ secrets.ADHOC_KMS_KEY_ID }}
GOOGLE_CREDENTIAL: ${{ secrets.GOOGLE_CREDENTIAL }}
GOOGLE_PACKAGE_NAME: ${{ vars.GOOGLE_PACKAGE_NAME }}
APPLE_BUNDLE_ID: ${{ vars.APPLE_BUNDLE_ID }}
Expand Down Expand Up @@ -172,6 +175,7 @@ jobs:
ODIN_GQL_URL: ${{ vars.ODIN_GQL_URL }}
HEIMDALL_GQL_URL: ${{ vars.HEIMDALL_GQL_URL }}
KMS_KEY_ID: ${{ secrets.KMS_KEY_ID }}
ADHOC_KMS_KEY_ID: ${{ secrets.ADHOC_KMS_KEY_ID }}
GOOGLE_CREDENTIAL: ${{ secrets.GOOGLE_CREDENTIAL }}
GOOGLE_PACKAGE_NAME: ${{ vars.GOOGLE_PACKAGE_NAME }}
APPLE_BUNDLE_ID: ${{ vars.APPLE_BUNDLE_ID }}
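Review bot: The secret declared in the first hunk, `ADHOC_KEY_ID:`, does not match the name the jobs read in the two env hunks below, `${{ secrets.ADHOC_KMS_KEY_ID }}`, so a caller is forced to supply a secret that is never used while the one the env blocks read is never declared; unless the caller relies on `secrets: inherit`, the `ADHOC_KMS_KEY_ID` env value will be empty at runtime. synth.yml declares `ADHOC_KMS_KEY_ID:` for the same purpose, so this file should match it: `ADHOC_KMS_KEY_ID:` followed by `required: true`. Because this value selects the KMS key used for signing, an empty value that only shows up when token issuance fails is worse than a declaration error at workflow validation time, which the corrected name would give you.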
3 changes: 3 additions & 0 deletions .github/workflows/main.yml
Expand Up @@ -43,6 +43,7 @@ jobs:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
KMS_KEY_ID: ${{ secrets.KMS_KEY_ID }}
ADHOC_KMS_KEY_ID: ${{ secrets.ADHOC_KMS_KEY_ID }}
GOOGLE_CREDENTIAL: ${{ secrets.GOOGLE_CREDENTIAL }}
APPLE_CREDENTIAL: ${{ secrets.APPLE_CREDENTIAL }}
APPLE_KEY_ID: ${{ secrets.APPLE_KEY_ID }}
Expand Down Expand Up @@ -71,6 +72,7 @@ jobs:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
KMS_KEY_ID: ${{ secrets.KMS_KEY_ID }}
ADHOC_KMS_KEY_ID: ${{ secrets.ADHOC_KMS_KEY_ID }}
GOOGLE_CREDENTIAL: ${{ secrets.GOOGLE_CREDENTIAL }}
APPLE_CREDENTIAL: ${{ secrets.APPLE_CREDENTIAL }}
APPLE_KEY_ID: ${{ secrets.APPLE_KEY_ID }}
Expand Down Expand Up @@ -111,6 +113,7 @@ jobs:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
KMS_KEY_ID: ${{ secrets.KMS_KEY_ID }}
ADHOC_KMS_KEY_ID: ${{ secrets.ADHOC_KMS_KEY_ID }}
GOOGLE_CREDENTIAL: ${{ secrets.GOOGLE_CREDENTIAL }}
APPLE_CREDENTIAL: ${{ secrets.APPLE_CREDENTIAL }}
APPLE_KEY_ID: ${{ secrets.APPLE_KEY_ID }}
3 changes: 3 additions & 0 deletions .github/workflows/synth.yml
Expand Up @@ -18,6 +18,8 @@ on:
required: true
KMS_KEY_ID:
required: true
ADHOC_KMS_KEY_ID:
required: true
GOOGLE_CREDENTIAL:
required: true
APPLE_CREDENTIAL:
Expand Down Expand Up @@ -122,6 +124,7 @@ jobs:
ODIN_GQL_URL: ${{ vars.ODIN_GQL_URL }}
HEIMDALL_GQL_URL: ${{ vars.HEIMDALL_GQL_URL }}
KMS_KEY_ID: ${{ secrets.KMS_KEY_ID }}
ADHOC_KMS_KEY_ID: ${{ secrets.ADHOC_KMS_KEY_ID }}
GOOGLE_CREDENTIAL: ${{ secrets.GOOGLE_CREDENTIAL }}
GOOGLE_PACKAGE_NAME: ${{ vars.GOOGLE_PACKAGE_NAME }}
APPLE_BUNDLE_ID: ${{ vars.APPLE_BUNDLE_ID }}
1 change: 1 addition & 0 deletions common/shared_stack.py
Expand Up @@ -94,6 +94,7 @@ def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
# SecureStrings in Parameter Store
PARAMETER_LIST = (
("KMS_KEY_ID", True),
("ADHOC_KMS_KEY_ID", True),
("GOOGLE_CREDENTIAL", True),
("APPLE_CREDENTIAL", True),
("SEASON_PASS_JWT_SECRET", True),
7 changes: 5 additions & 2 deletions common/utils/aws.py
Expand Up @@ -21,10 +21,13 @@ def fetch_secrets(region: str, secret_arn: str) -> Dict:
return json.loads(resp["SecretString"])


def fetch_kms_key_id(stage: str, region: str) -> Optional[str]:
def fetch_kms_key_id(stage: str, region: str, adhoc: bool = False) -> Optional[str]:
client = boto3.client("ssm", region_name=region)
try:
return client.get_parameter(Name=f"{stage}_9c_IAP_KMS_KEY_ID", WithDecryption=True)["Parameter"]["Value"]
return client.get_parameter(
Name=f"{stage}_9c_IAP{'_ADHOC' if adhoc else ''}_KMS_KEY_ID",
WithDecryption=True
)["Parameter"]["Value"]
except Exception as e:
logger.error(e)
return None
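Review bot: The `except Exception` at the end of `fetch_kms_key_id` turns every failure — a missing parameter, a permissions error, bad credentials — into a `None` return with a log line that does not say which parameter was requested, and the new `adhoc` branch makes a not-yet-provisioned name the most likely failure; build the name once and log it: `name = f"{stage}_9c_IAP{'_ADHOC' if adhoc else ''}_KMS_KEY_ID"`, `client.get_parameter(Name=name, WithDecryption=True)["Parameter"]["Value"]`, `logger.error("failed to fetch SSM parameter %s: %s", name, e)`. Narrowing the catch to `client.exceptions.ParameterNotFound` would let credential and permission errors surface instead of being reported as a missing key. Since the caller in worker/worker/issue_tokens.py already passes `adhoc=USE_ADHOC` by keyword, the new flag could be keyword-only (`*, adhoc: bool = False`) so a positional caller cannot pass it by accident. The SSM name assembled here, `{stage}_9c_IAP_ADHOC_KMS_KEY_ID`, has to line up with whatever common/shared_stack.py derives from the new `("ADHOC_KMS_KEY_ID", True)` entry; the loop that consumes PARAMETER_LIST is outside that hunk, so this could not be confirmed here.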
3 changes: 2 additions & 1 deletion worker/worker/issue_tokens.py
Expand Up @@ -24,6 +24,7 @@
NONCE = 0
PLANET_ID = PlanetID.XXX
GQL_URL = "https://example.com/graphql" # Use Odin/Heimdall GQL host
USE_ADHOC = True
# to here

HEADLESS_GQL_JWT_SECRET = fetch_parameter(
Expand All @@ -37,7 +38,7 @@
def issue(event, context):
spec_list = []
gql = GQL(GQL_URL, HEADLESS_GQL_JWT_SECRET)
account = Account(fetch_kms_key_id(os.environ.get("STAGE"), os.environ.get("REGION_NAME")))
account = Account(fetch_kms_key_id(os.environ.get("STAGE"), os.environ.get("REGION_NAME"), adhoc=USE_ADHOC))

for data in event:
data = dict(zip(DICT_HEADER, data))
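Review bot: The value returned by `fetch_kms_key_id(...)` is passed straight into `Account(...)` on the changed line, but that function returns `None` on any lookup failure, and with `USE_ADHOC = True` the lookup now targets a parameter that may not exist in every stage yet; check the result before constructing the account: `key_id = fetch_kms_key_id(os.environ.get("STAGE"), os.environ.get("REGION_NAME"), adhoc=USE_ADHOC)`, `if key_id is None: raise RuntimeError("no KMS key id found for this stage/adhoc setting")`, `account = Account(key_id)`. `USE_ADHOC` sits in the edit-before-running block above without a comment saying what it switches; a one-liner such as `# True: sign with the ad-hoc IAP account's KMS key; False: the regular IAP key` would help the next operator, and defaulting it to `True` means the ad-hoc key is used unless someone remembers to flip it, so consider whether `False` is the safer default. The body of `issue` continues past the hunk.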
