check-github-actions-auth

#!/bin/bash
# -----------------------------------------------------------------------------
# This script configures the database module for the specified application
# and environment by creating the .tfvars file and .tfbackend file for the module.
#
# Positional parameters:
#   account_name (required) – the name of AWS account name in infra/accounts
# -----------------------------------------------------------------------------
set -euo pipefail

account_name="$1"

# This is used later to determine the run id of the workflow run
# See comment below about "Getting workflow run id"
prev_run_create_time=$(gh run list --workflow check-ci-cd-auth.yml --limit 1 --json createdAt --jq ".[].createdAt")

code_repository=$(terraform -chdir="infra/project-config" output --raw code_repository)

echo "========================="
echo "Check GitHub Actions Auth"
echo "========================="
echo "Input parameters"
echo "  account_name=${account_name}"
echo

# Get AWS account authentication details (AWS account, IAM role, AWS region)
echo "::group::AWS account authentication details"

terraform -chdir="infra/project-config" init > /dev/null
terraform -chdir="infra/project-config" apply -auto-approve > /dev/null
aws_region=$(terraform -chdir="infra/project-config" output -raw default_region)
echo "aws_region=${aws_region}"
github_actions_role_name=$(terraform -chdir="infra/project-config" output -raw github_actions_role_name)
echo "github_actions_role_name=${github_actions_role_name}"

# Get the account id associated with the account name extracting the
# account_id part of the tfbackend file name which looks like
# <account_name>.<account_id>.s3.tfbackend.
# The cut command splits the string with period as the delimiter and
# extracts the second field.
account_id=$(find "infra/accounts/${account_name}."*.s3.tfbackend | cut -d. -f2)
echo "account_id=${account_id}"

aws_role_to_assume="arn:aws:iam::${account_id}:role/${github_actions_role_name}"
echo "aws_role_to_assume=${aws_role_to_assume}"

echo "::endgroup::"

##################
## Run workflow ##
##################

gh workflow run check-ci-cd-auth.yml --field "aws_region=${aws_region}" --field "role_to_assume=${aws_role_to_assume}"

#########################
## Get workflow run id ##
#########################

echo "Get workflow run id"
# The following commands aims to get the workflow run id of the run that was
# just triggered by the previous workflow dispatch event. There's currently no
# simple and reliable way to do this, so for now we are going to accept that
# there is a race condition.
#
# The current implementation involves getting the create time of the previous
# run. Then continuously checking the list of workflow runs until we see a
# newly created run. Then we get the id of this new run.
#
# References:
# * This stack overflow article suggests a complicated overengineered approach:
# https://stackoverflow.com/questions/69479400/get-run-id-after-triggering-a-github-workflow-dispatch-event
# * This GitHub community discussion also requests this feature:
# https://github.com/orgs/community/discussions/17389

echo "Previous workflow run created at ${prev_run_create_time}"
echo "Check workflow run create time until we find a newer workflow run"
while : ; do
  echo -n "."
  run_create_time=$(gh run list --workflow check-ci-cd-auth.yml --limit 1 --json createdAt --jq ".[].createdAt")
  [[ "${run_create_time}" > "${prev_run_create_time}" ]] && break
done
echo "Found newer workflow run created at ${run_create_time}"

echo "Get id of workflow run"
workflow_run_id=$(gh run list --workflow check-ci-cd-auth.yml --limit 1 --json databaseId --jq ".[].databaseId")
echo "Workflow run id: ${workflow_run_id}"

workflow_run_url="https://github.com/${code_repository}/actions/runs/${workflow_run_id}"
echo "See run logs at:"
echo "    ${workflow_run_url}"

echo "Watch workflow run until it exits"
# --exit-status causes command to exit with non-zero status if run fails
gh run watch "${workflow_run_id}" --exit-status