From 1306e370f85dac82824b50978bfbe4fbcd5fccd4 Mon Sep 17 00:00:00 2001
From: Zac Rosenbauer
Date: Wed, 13 Mar 2024 14:20:57 -0400
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=A5=20bugfix:=20Security=20Upgrade=20b?=
 =?UTF-8?q?locks=20`allUsers`=20need=20to=20add=20tag=20to=20support=20all?=
 =?UTF-8?q?owing=20access=20publically=20(#372)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* 💽 incremental change
* 💽 incremental change
* 💽 incremental change
* 💽 incremental change
* 💽 incremental change
* 💽 incremental change
* 💽 incremental change
* 💽 incremental change
* 💽 incremental change
* 💽 incremental change

---
 README.md | 3 ++-
 action.yaml | 19 ++++++++++++++-
 scripts/build-docs.mjs | 2 +-
 scripts/gcp-resource-tag.js | 47 +++++++++++++++++++++++++++++++++++++
 4 files changed, 68 insertions(+), 3 deletions(-)
 create mode 100644 scripts/gcp-resource-tag.js

diff --git a/README.md b/README.md
index f02dbe0c..ff2fa109 100644
--- a/README.md
+++ b/README.md
@@ -55,7 +55,7 @@ jobs:
 
 | Field | Required | Description | Default |
 | ----- | -------- | ----------- | ------- |
-| name | yes | The name of the service (must be unique) to be deployed. | - |
+| name | yes | The name of the service (must be unique) to be deployed. This cannot exceed 24 characters | - |
 | gcp_service_account_key | yes | The Service Account JSON Key used to push images to the GCP Artifact Registry. | - |
 | gcp_artifact_repository | yes | The Artifact Registry name, you can override for custom names (i.e. the 'acme' in us-docker.pkg.dev/able-sailor-21423/acme) | - |
 | github_token | yes | Github Token, pass in the `secrets.GITHUB_TOKEN`. | - |
@@ -65,6 +65,7 @@ jobs: | flags | no | List of flags that will be injected during runtime. | - | | gcp_region | no | The GCP Region where the service will be deployed. | us-central1 | | gcp_project_id | no | The GCP Project ID where the service will be deployed. | - | +| gcp_tag | no | A tag to be applied to the Cloud Run service, used for ingress or other permissions. | - | | docker_file_name | no | The Dockerfile name, you can override for custom names (i.e. DevDockerfile) | Dockerfile | | docker_directory | no | Directory where the DockerFile is located. | . | | docker_build_args | no | Comma separated list of arguments that will be injected during the build, each on a new line. | - | diff --git a/action.yaml b/action.yaml index a961057f..95ce0e6d 100644 --- a/action.yaml +++ b/action.yaml @@ -10,7 +10,7 @@ inputs: #------------------ name: - description: "The name of the service (must be unique) to be deployed." + description: "The name of the service (must be unique) to be deployed. This cannot exceed 24 characters" required: true port: description: "The port that the application will run on in the container." @@ -39,6 +39,10 @@ inputs: gcp_artifact_repository: description: "The Artifact Registry name, you can override for custom names (i.e. the 'acme' in us-docker.pkg.dev/able-sailor-21423/acme)" required: true + gcp_tag: + description: "A tag to be applied to the Cloud Run service, used for ingress or other permissions." + required: false + default: "tagValues/281479867842234" #------------------ # Pull Request Integration 
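Review bot: `gcp_tag` defaults to the literal tag value `tagValues/281479867842234`, which belongs to one specific organization's tag taxonomy, so any consumer of this action outside that organization will silently try to bind a tag value it cannot use, and the build-docs change in this same commit hides that default from the generated README so readers see `-` instead. A reusable action should either ship no default here (leave `required: false`, and let the tagging step be skipped when the input is empty) or state the value and its scope in the description, e.g. `description: "Tag value (tagValues/<id>) bound to the preview service so the organization policy permits public ingress. The default is specific to the maintainers' organization; override it elsewhere."`. The description also calls this "a tag" while the script passes it as `--tag-value`, which takes a tag value resource (`tagValues/<id>` or its namespaced name), not a tag key; naming the expected form here would save a failed binding for the next user.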
@@ -138,6 +142,19 @@ runs: service=${{ inputs.name }} pull_request=pr${{ steps.pr-number.outputs.result }} + - name: '🏷️ Tag Cloud Run Service for Ingress' + uses: actions/github-script@v7 + env: + GCP_TAG: '${{ inputs.gcp_tag }}' + GCP_PROJECT_ID: '${{ inputs.gcp_project_id }}' + GCP_REGION: '${{ inputs.gcp_region }}' + SERVICE_NAME: 'pvw-${{ inputs.gcp_artifact_repository }}-${{ inputs.name }}-pr${{ steps.pr-number.outputs.result }}' + with: + github-token: ${{ inputs.github_token }} + script: | + const script = require('${{ github.action_path }}/scripts/gcp-resource-tag.js'); + await script({ github, context, core, exec, env: process.env }); + - name: '💬 Add Deployment URL to Pull Request' uses: actions/github-script@v7 env: diff --git a/scripts/build-docs.mjs b/scripts/build-docs.mjs index a90417b9..41c82cc0 100644 --- a/scripts/build-docs.mjs +++ b/scripts/build-docs.mjs @@ -25,7 +25,7 @@ const run = () => { const outputs = []; for (const [key, value] of Object.entries(parsedActionYaml.inputs)) { - const def = key !== 'gcp_project_id' ? value.default : '-'; + const def = key !== 'gcp_project_id' && key !== 'gcp_tag' ? value.default : '-'; inputs.push([key, value.required ? 'yes' : 'no', value.description ?? 'no description provided', def ?? '-']); } diff --git a/scripts/gcp-resource-tag.js b/scripts/gcp-resource-tag.js new file mode 100644 index 00000000..4fceccd3 --- /dev/null +++ b/scripts/gcp-resource-tag.js 
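Review bot: The new '🏷️ Tag Cloud Run Service for Ingress' step has no `if:` condition, so the tag binding and, through the script it calls, the `allUsers` invoker grant run for every pull request with no way for a consumer to opt out of public exposure; gating it on the input, `if: ${{ inputs.gcp_tag != '' }}`, combined with an empty default, would make public access an explicit choice. The step is also handed `github-token: ${{ inputs.github_token }}` although the script only uses `exec` and `env` and never touches `github`, so dropping that `with.github-token` line keeps the token scoped to the steps that actually call the GitHub API. `SERVICE_NAME` is composed here as `pvw-<repository>-<name>-pr<number>`, which presumably has to match the name the deploy step used; if that composition exists elsewhere in this file, a single shared expression would stop the two from drifting apart.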
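Review bot: Style: the exclusion in `const def = key !== 'gcp_project_id' && key !== 'gcp_tag' ? value.default : '-';` is a growing chain of negated comparisons inside a ternary; a named set reads better and makes the intent (defaults deliberately hidden from the README) explicit, e.g. `const HIDDEN_DEFAULTS = new Set(['gcp_project_id', 'gcp_tag']);` above the loop and `const def = HIDDEN_DEFAULTS.has(key) ? '-' : value.default;` here. A one-line comment saying why these two defaults are not published would also help, since the generated README otherwise contradicts the `default:` in action.yaml. The enclosing `run` arrow function starts and ends outside this hunk.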
@@ -0,0 +1,47 @@
+/**
+ * Get input from the environment
+ *
+ * @param {Node.env} env
+ * @param {string} name
+ * @returns
+ */
+function getInput(env, name) {
+  return env[name];
+}
+
+/**
+ * Tag the new Service with the GCP_TAG
+ *
+ * @param {object} payload
+ * @param {object} payload.env
+ */
+module.exports = async ({ exec, env }) => {
+  const gcpProjectId = getInput(env, 'GCP_PROJECT_ID');
+  const gcpRegion = getInput(env, 'GCP_REGION');
+  const serviceName = getInput(env, 'SERVICE_NAME');
+  const gcpTag = getInput(env, 'GCP_TAG');
+
+  try {
+    await exec.exec('gcloud', [
+      'resource-manager',
+      'tags',
+      'bindings',
+      'create',
+      `--tag-value=${gcpTag}`,
+      `--parent=//run.googleapis.com/projects/${gcpProjectId}/locations/${gcpRegion}/services/${serviceName}`
+      `--location=${gcpRegion}`,
+    ]);
+  } catch (error) {
+    console.warn('WARNING: Failed to create resource tag. This may be due to the tag already existing.');
+  }
+
+  await exec.exec('gcloud', [
+    'run',
+    'services',
+    'add-iam-policy-binding',
+    serviceName,
+    `--member=allUsers`,
+    `--role=roles/run.invoker`,
+    `--region=${gcpRegion}`,
+  ]);
+}
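Review bot: The `--parent=...` template literal in the `tags bindings create` argument list has no trailing comma, so JavaScript parses it as a tagged-template call with the following `` `--location=${gcpRegion}` `` literal and throws a TypeError at run time while the array is being built, before gcloud ever runs; the catch swallows that with the misleading "tag already existing" warning and the function then proceeds to `add-iam-policy-binding --member=allUsers`, i.e. the service is made public precisely without the tag this commit exists to add. Adding the comma fixes the crash, but the catch should also stop treating every failure as benign: as far as I recall `exec.exec` rejects with only the exit code in its message, so telling an existing binding apart from a permission or wrong-tag failure needs the stderr (`exec.getExecOutput(..., { ignoreReturnCode: true })`), and anything that is not an already-exists condition should fail the step via `core.setFailed` (action.yaml already passes `core`, but it is not destructured here) instead of falling through to the public grant. The exact already-exists text gcloud prints should be confirmed against a real run before relying on it. `getInput` returns `undefined` for unset variables, so an empty `SERVICE_NAME` or `GCP_TAG` reaches gcloud as the literal string `undefined`; a check that all four values are non-empty before the first call would produce a clear error instead. Separately, `@param {Node.env} env` is not a real type and `@returns` is left blank; `{NodeJS.ProcessEnv}` and `@returns {string|undefined}` would make the JSDoc accurate.
```javascript
module.exports = async ({ core, exec, env }) => {
  // … unchanged: read GCP_PROJECT_ID, GCP_REGION, SERVICE_NAME, GCP_TAG via getInput …
  const { exitCode, stderr } = await exec.getExecOutput('gcloud', [
    'resource-manager', 'tags', 'bindings', 'create',
    `--tag-value=${gcpTag}`,
    `--parent=//run.googleapis.com/projects/${gcpProjectId}/locations/${gcpRegion}/services/${serviceName}`,
    `--location=${gcpRegion}`,
  ], { ignoreReturnCode: true });
  // Only an existing binding is benign. Any other failure means the service would be
  // opened to allUsers without the tag the policy that permits allUsers depends on.
  if (exitCode !== 0 && !/already exists/i.test(stderr)) {
    core.setFailed(`Failed to bind tag ${gcpTag} to ${serviceName}: ${stderr.trim()}`);
    return;
  }
  // … unchanged: add-iam-policy-binding for allUsers …
```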