Update ci scripts for assume role setup

.ci/load-ci.sh

@@ -13,6 +13,36 @@ if [ ! -e "${ldir}/.complete" ]; then
         exit 1
     fi
 
+    # Validate that we have the jq tool available
+    if ! command -v jq > /dev/null 2>&1; then
+        echo "⚠ ERROR: Missing required jq executable ⚠"
+        exit 1
+    fi
+
+    # If we have a role defined, assume it so we can get access to files
+    if [ "${AWS_ASSUME_ROLE_ARN}" != "" ] && [ "${AWS_SESSION_TOKEN}" = "" ]; then
+        if output="$(aws sts assume-role --role-arn "${AWS_ASSUME_ROLE_ARN}" --role-session-name "CI-initializer")"; then
+            export CORE_AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}"
+            export CORE_AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}"
+            id="$(printf '%s' "${output}" | jq -r .Credentials.AccessKeyId)" || failed=1
+            key="$(printf '%s' "${output}" | jq -r .Credentials.SecretAccessKey)" || failed=1
+            token="$(printf '%s' "${output}" | jq -r .Credentials.SessionToken)" || failed=1
+            expire="$(printf '%s' "${output}" | jq -r .Credentials.Expiration)" || failed=1
+            if [ "${failed}" = "1" ]; then
+                echo "🛑 ERROR: Failed to extract role credentials 🛑"
+                exit 1
+            fi
+            export AWS_ACCESS_KEY_ID="${id}"
+            export AWS_SECRET_ACCESS_KEY="${key}"
+            export AWS_SESSION_TOKEN="${token}"
+            export AWS_SESSION_EXPIRATION="${expire}"
+        else
+            echo "⛔ ERROR: Failed to assume configured AWS role ⛔"
+            exit 1
+        fi
+    fi
+
+
     # Create a local directory to stash our stuff in
     if ! mkdir -p "${ldir}"; then
         echo "⛔ ERROR: Failed to create utility file directory ⛔"

.github/workflows/build.yml

@@ -32,6 +32,7 @@ jobs:
           ASSETS_SHORTTERM_PREFIX: est
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_ASSUME_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
           HASHIBOT_EMAIL: ${{ secrets.HASHIBOT_EMAIL }}
           HASHIBOT_TOKEN: ${{ secrets.HASHIBOT_TOKEN }}
           HASHIBOT_USERNAME: ${{ secrets.HASHIBOT_USERNAME }}

.github/workflows/code.yml

@@ -24,6 +24,7 @@ jobs:
         env:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_ASSUME_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
           HASHIBOT_TOKEN: ${{ secrets.HASHIBOT_TOKEN }}
           HASHIBOT_USERNAME: ${{ secrets.HASHIBOT_USERNAME }}
           SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}

.github/workflows/release.yml

@@ -32,6 +32,7 @@ jobs:
           ASSETS_SHORTTERM_PREFIX: ${{ secrets.ASSETS_SHORTTERM_PREFIX }}
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_ASSUME_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
           HASHIBOT_EMAIL: ${{ secrets.HASHIBOT_EMAIL }}
           HASHIBOT_TOKEN: ${{ secrets.HASHIBOT_TOKEN }}
           HASHIBOT_USERNAME: ${{ secrets.HASHIBOT_USERNAME }}

.github/workflows/spectesting.yml

@@ -19,7 +19,6 @@ jobs:
         env:
           VAGRANT_CI_LOADER_BUCKET: ${{ secrets.VAGRANT_CI_LOADER_BUCKET }}
 
-
   setup-hosts:
     if: github.repository == 'hashicorp/vagrant-acceptance'
     runs-on: self-hosted