ref: extract the AWS Error Type as a type instead of a string match #119
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ci | |
| on: pull_request | |
| jobs: | |
| go-lint: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Install Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: 1.21.x | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Run linters | |
| uses: golangci/golangci-lint-action@v3 | |
| with: | |
| version: latest | |
| args: --timeout=3m | |
| go-test: | |
| strategy: | |
| matrix: | |
| go-version: [1.21.x] | |
| platform: [ubuntu-latest] | |
| runs-on: ${{ matrix.platform }} | |
| steps: | |
| - name: Install Go | |
| if: success() | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ matrix.go-version }} | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: go tests | |
| run: go test -v -covermode=count -json ./... > test.json | |
| - name: annotate go tests | |
| if: always() | |
| uses: guyarb/[email protected] | |
| with: | |
| test-results: test.json | |
| test: | |
| runs-on: ubuntu-latest | |
| env: | |
| BATON_GLOBAL_AWS_SSO_ENABLED: true | |
| BATON_GLOBAL_AWS_ORGS_ENABLED: true | |
| BATON_GLOBAL_AWS_SSO_REGION: us-east-1 | |
| BATON_GLOBAL_REGION: us-east-1 | |
| steps: | |
| - name: Install Go | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version: 1.21.x | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Build baton-aws | |
| run: go build ./cmd/baton-aws | |
| - name: Run baton-aws | |
| env: | |
| BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| run: ./baton-aws | |
| - name: Checkout baton | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: ConductorOne/baton | |
| ref: main | |
| path: ./baton | |
| - name: Build baton | |
| working-directory: ./baton | |
| run: go build ./cmd/baton | |
| - name: Grant entitlements | |
| env: | |
| BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| run: ./baton-aws --grant-entitlement 'group:arn:aws:iam::737118012813:group/ci-test-group:member' --grant-principal 'arn:aws:iam::737118012813:user/ci-test-user' --grant-principal-type 'iam_user' | |
| - name: Check for grant before revoking | |
| env: | |
| BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| run: ./baton-aws && ./baton/baton grants --entitlement='group:arn:aws:iam::737118012813:group/ci-test-group:member' --output-format=json | jq --exit-status '.grants[].principal.id.resource == "arn:aws:iam::737118012813:user/ci-test-user"' | |
| - name: Grant already-granted entitlement | |
| env: | |
| BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| run: ./baton-aws --grant-entitlement 'group:arn:aws:iam::737118012813:group/ci-test-group:member' --grant-principal 'arn:aws:iam::737118012813:user/ci-test-user' --grant-principal-type 'iam_user' | |
| - name: Revoke grants | |
| env: | |
| BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| run: ./baton-aws --revoke-grant 'group:arn:aws:iam::737118012813:group/ci-test-group:member:iam_user:arn:aws:iam::737118012813:user/ci-test-user' | |
| - name: Check grant was revoked | |
| env: | |
| BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| run: ./baton-aws && ./baton/baton grants --entitlement='group:arn:aws:iam::737118012813:group/ci-test-group:member' --output-format=json | jq --exit-status 'if .grants then .grants[]?.principal.id.resource != "arn:aws:iam::737118012813:user/ci-test-user" else . end' | |
| - name: Grant entitlements | |
| env: | |
| BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| run: ./baton-aws --grant-entitlement 'group:arn:aws:iam::737118012813:group/ci-test-group:member' --grant-principal 'arn:aws:iam::737118012813:user/ci-test-user' --grant-principal-type 'iam_user' | |
| - name: Check grant was re-granted | |
| env: | |
| BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| run: ./baton-aws && ./baton/baton grants --entitlement='group:arn:aws:iam::737118012813:group/ci-test-group:member' --output-format=json | jq --exit-status '.grants[].principal.id.resource == "arn:aws:iam::737118012813:user/ci-test-user"' |