e-mission / nrel-openpath-deploy-configs

Configurations for current OpenPATH deployments, published for transparency
BSD 3-Clause "New" or "Revised" License

GH Actions Workflow for AWS Authentication #54

Closed nataliejschultz closed 2 weeks ago

nataliejschultz commented 7 months ago

This is the second PR for e-mission/e-mission-docs#1008

The primary Python script used in this work, email-config.py, is from nataliejschultz:AWS-email-config. This PR aims to expand the functionality of email-config.py with automation.

main.yml is the GitHub Actions workflow file that will run email-config.py. This workflow file consists of two jobs:

The workflow should only run when a new config file (as a .json file) is added to the configs directory. The name of the new config file will be passed into email-config.py.

nataliejschultz commented 6 months ago

Current status:

I struggled a lot today with passing the name of the newly modified config file to the main job in GitHub Actions (GHA), but got it to work. Have also spent a lot of time troubleshooting file path discrepancies between local and GHA runs, but I believe that's finally figured out.

I've gotten the script to work in GHA all the way up to calling update_user_pool. I ran into yet another authentication issue, so I have to wait for our AWS liaison to get back to me tomorrow.

nataliejschultz commented 6 months ago

It worked!!!! 🎉🎉🎉

All of the AWS configuration has been figured out. I ran a push test (pushing an insignificant change to the Wyoming.nrel-op.json file) after the settings went through on Jianli's part, and I finally got my welcome email. I followed the link and logged in successfully.

I'm going to look over the code before putting it into ready for review.

nataliejschultz commented 4 months ago

Was going through my merges and saw that this PR has not been merged. Moving to ready for review.

nataliejschultz commented 1 month ago

Finishing up this project, which got pushed aside for the image project.

In adding functionality for addressing multiple changed files, I ran into an issue with the IAM role not allowing the usage of AdminDeleteUser with Cognito calls.

```
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the AdminDeleteUser operation: User: arn:aws:sts::***:assumed-role/***/GitHub_to_AWS_via_FederatedOIDC is not authorized to perform: cognito-idp:AdminDeleteUser on resource: arn:aws:cognito-idp:us-west-2:***:userpool/us-west-2_------ because no identity-based policy allows the cognito-idp:AdminDeleteUser action
```

Reached out to Jianli, who added the functionality to the role.

Then, tried modifying two config files at once. nrel-commute had 0 users in the pool, and wyoming only had my other email present:

Screenshot 2024-06-11 at 3 50 36 PM

I modified the config files. For commute, I added my NREL email to the proper section. For Wyoming, I did the same, and did not list my other email that had an account already:

```json
"admin_access": [
  "nschultz@nrel.gov"
]
```

Pushing the changes ran the job:

Screenshot 2024-06-11 at 3 51 32 PM

As you can see, both of the changed config files were recognized, and the script ran for each one.

My old email was removed from the Wyoming user pool, and the NREL email was added:

Screenshot 2024-06-11 at 3 50 47 PM

I got a welcome email, and was able to log in with the temporary password sent:

Screenshot 2024-06-11 at 10 26 05 PM

Additionally, I was added to the commute pool and logged in with my temporary credentials:

Screenshot 2024-06-11 at 10 26 13 PM
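The reconciliation this comment walks through (both changed config files recognized, the old e-mail removed from the Wyoming pool, the NREL e-mail added, a welcome e-mail sent) as an added, self-contained example. This is not the PR's email-config.py or any other project code. It assumes a config with a top-level `admin_access` list of e-mail addresses, a space-separated changed-files string handed over by a hypothetical workflow step, and a Cognito client with boto3's `list_users` / `admin_create_user` / `admin_delete_user` call shapes; an in-memory fake stands in for AWS so the script runs offline, and a real `boto3.client("cognito-idp")` can be passed in its place.

```python
"""Added example (not the project's email-config.py): reconcile a config's
admin_access list against a Cognito user pool, driven by the changed-files
string a GitHub Actions step hands to the script.

Assumptions (not taken from the PR): the config JSON has a top-level
"admin_access" list of e-mail addresses, the pool uses the e-mail as the
username, and `client` exposes boto3's cognito-idp list_users /
admin_create_user / admin_delete_user shapes (real client or the fake below).
"""
import json

CONFIG_DIR = "configs"


def changed_config_files(changed: str) -> list[str]:
    """Filter the space-separated changed-files string (hypothetical step
    output) down to JSON files under configs/, so a README edit never
    triggers a pool change."""
    return sorted(
        p for p in changed.split()
        if p.startswith(CONFIG_DIR + "/") and p.endswith(".json")
    )


def desired_admins(config_text: str) -> set[str]:
    """Parse admin_access; strip whitespace and lower-case so a stray leading
    space (as in the PR's snippet) cannot create a second account."""
    admins = json.loads(config_text).get("admin_access", [])
    return {a.strip().lower() for a in admins if a.strip()}


def current_admins(client, pool_id: str) -> set[str]:
    """Page through ListUsers; an un-paginated call misses later pages."""
    emails, kwargs = set(), {"UserPoolId": pool_id}
    while True:
        page = client.list_users(**kwargs)
        for user in page.get("Users", []):
            for attr in user.get("Attributes", []):
                if attr["Name"] == "email":
                    emails.add(attr["Value"].lower())
        token = page.get("PaginationToken")
        if not token:
            return emails
        kwargs["PaginationToken"] = token


def plan(desired: set[str], current: set[str]) -> tuple[list[str], list[str]]:
    """Return (to_add, to_remove): the only two operations the sync performs."""
    return sorted(desired - current), sorted(current - desired)


def sync_pool(client, pool_id: str, config_text: str) -> list[str]:
    """Apply the plan; return log lines in the style of the PR's run output.
    A missing pool raises from the client (ResourceNotFoundException on AWS,
    LookupError on the fake) before anything is changed."""
    to_add, to_remove = plan(desired_admins(config_text),
                             current_admins(client, pool_id))
    log = []
    for email in to_remove:
        client.admin_delete_user(UserPoolId=pool_id, Username=email)
        log.append(f"{email} removed from pool.")
    for email in to_add:
        log.append(f"{email} not in user pool! Creating account...")
        client.admin_create_user(
            UserPoolId=pool_id, Username=email,
            UserAttributes=[{"Name": "email", "Value": email},
                            {"Name": "email_verified", "Value": "true"}],
            DesiredDeliveryMediums=["EMAIL"],   # Cognito sends the welcome mail
        )
        log.append("Account created! Sending welcome email.")
    return log


class FakeCognito:
    """Constructed in-memory stand-in for the cognito-idp client; it pages
    one user at a time so the pagination loop above is exercised."""
    def __init__(self, pools: dict[str, set[str]]):
        self.pools = pools

    def _require(self, pool_id):
        if pool_id not in self.pools:
            raise LookupError(f"user pool {pool_id} does not exist")
        return self.pools[pool_id]

    def list_users(self, UserPoolId, PaginationToken=None):
        users = sorted(self._require(UserPoolId))
        i = int(PaginationToken or 0)
        page = {"Users": [{"Attributes": [{"Name": "email", "Value": u}]}
                          for u in users[i:i + 1]]}
        if i + 1 < len(users):
            page["PaginationToken"] = str(i + 1)
        return page

    def admin_create_user(self, UserPoolId, Username, **_):
        self._require(UserPoolId).add(Username)

    def admin_delete_user(self, UserPoolId, Username):
        self._require(UserPoolId).discard(Username)


if __name__ == "__main__":
    # Constructed sample: one pool with a stale admin and one to keep.
    fake = FakeCognito({"us-west-2_EXAMPLE": {"old@example.com", "keep@example.com"}})
    cfg = '{"admin_access": [" keep@example.com", "new@example.com"]}'
    print(changed_config_files("configs/wyoming.nrel-op.json README.md"))
    print("\n".join(sync_pool(fake, "us-west-2_EXAMPLE", cfg)))
```

Keeping `plan` as a pure function makes a dry-run step trivial (compute the plan on a pull request, apply it only on push to the main branch), and it makes the minimal permission set explicit: the role the PR's AccessDenied error points at needs `cognito-idp:ListUsers`, `AdminCreateUser` and `AdminDeleteUser`, and nothing else, ideally scoped to the specific user pool ARNs rather than to all pools in the account.
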

shankari commented 2 weeks ago

This looks fine to me, but I have a couple of high-level comments:

  1. Alas, we will not be able to create the accounts automatically when the environment is created (@Abby-Wheelis). This is because the config needs to be in place at the time that the environment is created, at least to test out the webapp, join page etc.
    • I wonder if there is some way to figure out that the environment has been created, and then launch this again.
    • Or maybe after the DNS changes, we no longer need to have the config merged first, need to check with the cloud services team
    • I do note that the script fails if the user pool has not been created, so this will work correctly after all
  2. But this is still useful when the list of admin users is modified, which does happen fairly frequently, so I will go ahead and merge this.
  3. We need to get AWS credentials set up for this, right? @nataliejschultz can you send out an email (internally) with the credentials required so that I can configure them?

shankari commented 2 weeks ago

@nataliejschultz please note that I am squash-merging these files to avoid commit churn.

nataliejschultz commented 2 weeks ago

> 1. We need to get AWS credentials set up for this, right? @nataliejschultz can you send out an email (internally) with the credentials required so that I can configure them?

This was merged from a branch that we created on the regular e-mission repo (rather than a fork), so I think the credentials should be configured already! We set it up this way so that I could test the user pools properly with AWS.

shankari commented 2 weeks ago

Ah yes, this is in fact set up! Looking forward to having this work automatically for updates going forward, and maybe even initial creation if we can coordinate it with the cloud services team.

shankari commented 1 week ago

I just changed the list of admin users https://github.com/e-mission/nrel-openpath-deploy-configs/commit/6922e3ccebdc2bfc056f082f9fe5689c4ff1b8d6

and the action ran successfully!

```
changed files string: configs/e-bikes-for-essentials.nrel-op.json
config file name configs/e-bikes-for-essentials.nrel-op.json
bmarkham@vailgov.com removed from pool.
...
bmarkham@vail.gov not in user pool! Creating account...
Account created! Sending welcome email.
```