Update pipelines to use SSM secrets

This pattern uses pipeline-specific OIDC assumable roles for access to any resources needed; and injecting secrets explicitly to steps, using the ssm plugin, rather than using s3 secrets.
buildkite · Oct 9, 2024 · f92cdf5 · f92cdf5
1 parent 3b6b1b3
commit f92cdf5
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 0 deletions.
diff --git a/.buildkite/pipeline.graphql.yml b/.buildkite/pipeline.graphql.yml
@@ -1,3 +1,10 @@
 steps:
   - label: Update GraphQL docs
     command: .buildkite/update_graphql_docs
+    plugins:
+      - aws-assume-role-with-web-identity#v1.0.0:
+          role-arn: arn:aws:iam::445615400570:role/pipeline-buildkite-docs-private
+      - aws-ssm#v1.0.0:
+          parameters:
+            GH_TOKEN: /pipelines/buildkite/docs-private/gh-token
+            API_ACCESS_TOKEN: /pipelines/buildkite/docs-private/api-access-token
diff --git a/.buildkite/pipeline.preview.yml b/.buildkite/pipeline.preview.yml
@@ -12,6 +12,14 @@ steps:
     env:
       RAILS_ENV: "production"
     plugins:
+      - aws-assume-role-with-web-identity#v1.0.0:
+          role-arn: arn:aws:iam::445615400570:role/pipeline-buildkite-docs-private
+      - aws-ssm#v1.0.0:
+          parameters:
+            GH_TOKEN: /pipelines/buildkite/docs-private/gh-token
+            BUILDKITE_ANALYTICS_TOKEN: /pipelines/buildkite/docs-private/buildkite-analytics-token
+            NETLIFY_AUTH_TOKEN: /pipelines/buildkite/docs-private/netlify-auth-token
+            NETLIFY_SITE_ID: /pipelines/buildkite/docs-private/netlify-site-id
       - docker-compose#v3.9.0:
           run: app
           dependencies: false

diff --git a/.buildkite/pipeline.sync.yml b/.buildkite/pipeline.sync.yml
@@ -1,3 +1,4 @@
+#docs-private-to-public-sync
 notify:
   - slack: "$SLACK_CHANNEL"
     if: build.state != "passed"

diff --git a/.buildkite/pipeline.sync_public_pr.yml b/.buildkite/pipeline.sync_public_pr.yml
@@ -11,6 +11,11 @@ steps:
   - label: ":git: Sync Public PR to Private Repo"
     command: "bin/sync-public-pr"
     plugins:
+      - aws-assume-role-with-web-identity#v1.0.0:
+          role-arn: arn:aws:iam::445615400570:role/pipeline-buildkite-docs-private
+      - aws-ssm#v1.0.0:
+          parameters:
+            GH_TOKEN: /pipelines/buildkite/docs-private/gh-token
       - docker#v5.11.0:
           image: "ruby:3.3-bookworm"
           propagate-environment: true