
Commit b4d4b72

committed
removing dev cred
1 parent 450aa85 commit b4d4b72

1 file changed

Lines changed: 9 additions & 34 deletions


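--- a/.github/workflows/db-deployer.yml
+++ b/.github/workflows/db-deployer.yml
@@ -70,16 +70,7 @@ on:
 description: 1Password reference for users DB app password (e.g. op://vault/item/password)
 required: true
 type: string
-POSTGRE_DEV_USER_APP_NAME_1PASSWORD:
-description: 1Password reference for DEV users DB app username (only needed for QA deployment)
-required: false
-type: string
-default: ''
-POSTGRE_DEV_USER_APP_PASSWORD_1PASSWORD:
-description: 1Password reference for DEV users DB app password (only needed for QA deployment)
-required: false
-type: string
-default: ''
+
 
 jobs:
 terraform:
@@ -110,28 +101,12 @@ jobs:
 POSTGRE_USER_APP_NAME: ${{ inputs.POSTGRE_USER_APP_NAME_1PASSWORD }}
 POSTGRE_USER_APP_PASSWORD: ${{ inputs.POSTGRE_USER_APP_PASSWORD_1PASSWORD }}
 
-- name: Load DEV users DB credentials from 1Password
-if: inputs.ENVIRONMENT == 'qa'
-uses: 1password/load-secrets-action@v2
-with:
-export-env: true
-env:
-OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-POSTGRE_DEV_USER_APP_NAME: ${{ inputs.POSTGRE_DEV_USER_APP_NAME_1PASSWORD }}
-POSTGRE_DEV_USER_APP_PASSWORD: ${{ inputs.POSTGRE_DEV_USER_APP_PASSWORD_1PASSWORD }}
-
 - name: Validate required credentials
 run: |
 set -e
 missing=()
 [[ -z "${POSTGRE_USER_APP_NAME:-}" ]] && missing+=("POSTGRE_USER_APP_NAME (1Password ref: ${{ inputs.POSTGRE_USER_APP_NAME_1PASSWORD }})")
 [[ -z "${POSTGRE_USER_APP_PASSWORD:-}" ]] && missing+=("POSTGRE_USER_APP_PASSWORD (1Password ref: ${{ inputs.POSTGRE_USER_APP_PASSWORD_1PASSWORD }})")
-if [[ "${{ inputs.ENVIRONMENT }}" == "qa" ]]; then
-[[ -z "${{ inputs.POSTGRE_DEV_USER_APP_NAME_1PASSWORD }}" ]] && missing+=("input POSTGRE_DEV_USER_APP_NAME_1PASSWORD (set repo var DEV_POSTGRE_USER_APP_NAME_1PASSWORD)")
-[[ -z "${{ inputs.POSTGRE_DEV_USER_APP_PASSWORD_1PASSWORD }}" ]] && missing+=("input POSTGRE_DEV_USER_APP_PASSWORD_1PASSWORD (set repo var DEV_POSTGRE_USER_APP_PASSWORD_1PASSWORD)")
-[[ -z "${POSTGRE_DEV_USER_APP_NAME:-}" ]] && missing+=("POSTGRE_DEV_USER_APP_NAME (1Password returned empty for ${{ inputs.POSTGRE_DEV_USER_APP_NAME_1PASSWORD }})")
-[[ -z "${POSTGRE_DEV_USER_APP_PASSWORD:-}" ]] && missing+=("POSTGRE_DEV_USER_APP_PASSWORD (1Password returned empty for ${{ inputs.POSTGRE_DEV_USER_APP_PASSWORD_1PASSWORD }})")
-fi
 if [[ ${#missing[@]} -gt 0 ]]; then
 echo "::error::Missing or empty required credentials:"
 for v in "${missing[@]}"; do echo "::error:: - $v"; done
@@ -166,7 +141,9 @@ jobs:
 # Base variables required for all environments
 BASE_VARS="ENVIRONMENT,PROJECT_ID,REGION,DEPLOYER_SERVICE_ACCOUNT,POSTGRE_SQL_INSTANCE_NAME,POSTGRE_SQL_DB_NAME,POSTGRE_USER_NAME,POSTGRE_USER_PASSWORD,POSTGRE_INSTANCE_TIER,MAX_CONNECTIONS,POSTGRE_USER_SQL_DB_NAME,POSTGRE_USER_APP_NAME,POSTGRE_USER_APP_PASSWORD"
 if [[ "${{ inputs.ENVIRONMENT }}" == "qa" ]]; then
-# DEV users DB is co-located on QA instance — DEV creds required
+# DEV shares QA instance and app user — reuse QA app user creds for DEV Terraform vars
+export POSTGRE_DEV_USER_APP_NAME="$POSTGRE_USER_APP_NAME"
+export POSTGRE_DEV_USER_APP_PASSWORD="$POSTGRE_USER_APP_PASSWORD"
 scripts/replace-variables.sh \
 -in_file infra/postgresql/vars.tfvars.rename_me \
 -out_file infra/postgresql/vars.tfvars \
@@ -232,14 +209,14 @@ jobs:
 POSTGRE_SQL_DB_NAME: ${{ inputs.POSTGRE_SQL_DB_NAME }}
 DB_INSTANCE_HOST: ${{ needs.terraform.outputs.db_instance_host }}
 steps:
-- name: Load DEV users DB credentials from 1Password
+- name: Load app user credentials from 1Password
 uses: 1password/load-secrets-action@v2
 with:
 export-env: true
 env:
 OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-POSTGRE_DEV_USER_APP_NAME: ${{ inputs.POSTGRE_DEV_USER_APP_NAME_1PASSWORD }}
-POSTGRE_DEV_USER_APP_PASSWORD: ${{ inputs.POSTGRE_DEV_USER_APP_PASSWORD_1PASSWORD }}
+POSTGRE_USER_APP_NAME: ${{ inputs.POSTGRE_USER_APP_NAME_1PASSWORD }}
+POSTGRE_USER_APP_PASSWORD: ${{ inputs.POSTGRE_USER_APP_PASSWORD_1PASSWORD }}
 
 - name: Authenticate to Google Cloud DEV
 uses: google-github-actions/auth@v2
@@ -266,10 +243,8 @@ jobs:
 - name: Create or Update Users DB Secret in DEV
 run: |
 SECRET_NAME="DEV_USERS_DATABASE_URL"
-# DEV has no dedicated DB/role of its own — it shares the QA Cloud SQL instance.
-# Use the QA main postgres credentials (same as DEV_FEEDS_DATABASE_URL) which can
-# reach MobilityDatabaseUsersDEV, instead of the dev app role that isn't provisioned.
-SECRET_VALUE="postgresql://${{ env.POSTGRE_DEV_USER_APP_NAME }}:${{ env.POSTGRE_DEV_USER_APP_PASSWORD }}@${{ env.DB_INSTANCE_HOST }}/MobilityDatabaseUsersDEV"
+# DEV shares the QA Cloud SQL instance and app user — use QA app user creds with the DEV database name.
+SECRET_VALUE="postgresql://${{ env.POSTGRE_USER_APP_NAME }}:${{ env.POSTGRE_USER_APP_PASSWORD }}@${{ env.DB_INSTANCE_HOST }}/MobilityDatabaseUsersDEV"
 
 if gcloud secrets describe $SECRET_NAME --project=mobility-feeds-dev; then
 echo "Secret $SECRET_NAME already exists, updating..."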
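Review bot: The new `SECRET_VALUE` line in the last hunk splices the username and password into the script text with `${{ env.POSTGRE_USER_APP_NAME }}` and `${{ env.POSTGRE_USER_APP_PASSWORD }}` before the shell runs it, so a password containing `"`, `$` or a backtick alters the command itself, and one containing `@`, `:`, `/` or `#` yields a malformed URL. Because the first step of that job sets `export-env: true` and `DB_INSTANCE_HOST` is in the job's `env:`, all three values are already in the process environment and can be read as shell variables instead: `SECRET_VALUE="postgresql://${POSTGRE_USER_APP_NAME}:${POSTGRE_USER_APP_PASSWORD}@${DB_INSTANCE_HOST}/MobilityDatabaseUsersDEV"` (reserved characters in the password still need percent-encoding for a valid connection URL). The secret written to mobility-feeds-dev now carries the QA app user's credentials, so the comment on new line 246 could also note that read access to `DEV_USERS_DATABASE_URL` is effectively QA-instance access as that user and should be scoped accordingly. The `run:` block of this step continues past the end of the hunk.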
