From 0e69a0f0843210daaa10ae3500ebbe25f43890c3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 28 May 2024 11:45:53 +0000 Subject: [PATCH 1/6] :dependabot: github-actions(deps): Bump docker/login-action from 3.1.0 to 3.2.0 (#4411) --- .github/workflows/reusable-workflow-charts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-workflow-charts.yml b/.github/workflows/reusable-workflow-charts.yml index b7e38a6fae..7f7eedfd5e 100644 --- a/.github/workflows/reusable-workflow-charts.yml +++ b/.github/workflows/reusable-workflow-charts.yml @@ -142,7 +142,7 @@ jobs: - name: Login to GitHub Container Registry id: login_ghcr - uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 + uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 with: registry: ghcr.io username: ${{ github.actor }} From 0adc3755c94c6165f33627dc73d1e802d21bd904 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 28 May 2024 11:46:32 +0000 Subject: [PATCH 2/6] :dependabot: github-actions(deps): Bump github/issue-metrics from 3.6.0 to 3.7.0 (#4407) --- .github/workflows/issue-metrics.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/issue-metrics.yml b/.github/workflows/issue-metrics.yml index 6280a353cb..1509436868 100644 --- a/.github/workflows/issue-metrics.yml +++ b/.github/workflows/issue-metrics.yml @@ -32,7 +32,7 @@ jobs: - name: Run GitHub Issue Metrics action id: run_github_issue_metrics - uses: github/issue-metrics@fbe4e7c4aa13284d6960ba64db0cff8ef51bee0a # v3.6.0 + uses: github/issue-metrics@0926cffe61d20f924b1d9e3f04224da393f35a95 # v3.7.0 env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} SEARCH_QUERY: 'repo:ministryofjustice/data-platform is:issue created:${{ env.last_month }} -reason:"not planned"' 
From e1324f384e016bdf42de9a6ae25f838116a1584a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 29 May 2024 08:53:43 +0000 Subject: [PATCH 3/6] :dependabot: terraform(deps): Bump hashicorp/aws from 5.50.0 to 5.51.1 in /terraform/auth0/ministryofjustice-data-platform (#4416) --- .../.terraform.lock.hcl | 34 +++++++++---------- .../terraform.tf | 2 +- 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/terraform/auth0/ministryofjustice-data-platform/.terraform.lock.hcl b/terraform/auth0/ministryofjustice-data-platform/.terraform.lock.hcl index 3aa49425fa..4664b68251 100644 --- a/terraform/auth0/ministryofjustice-data-platform/.terraform.lock.hcl +++ b/terraform/auth0/ministryofjustice-data-platform/.terraform.lock.hcl 
@@ -24,24 +24,24 @@ provider "registry.terraform.io/auth0/auth0" { } provider "registry.terraform.io/hashicorp/aws" { - version = "5.50.0" - constraints = "5.50.0" + version = "5.51.1" + constraints = "5.51.1" hashes = [ - "h1:WL4SfIhP8jI5CksUGSgkOFrXvAfbcGnOw0gVrzZZ4rw=", - "zh:19be42f5a545d6712dee4bdb704b018d23bacf5d902ac3cb061eb1750dfe6a20", - "zh:1d880bdba95ce96efde37e5bcf457a57df2c1effa9b47bc67fa29c1a264ae53b", - "zh:1e9c78e324d7492be5e7744436ed71d66fe4eca3fb6af07a28efd0d1e3bf7640", - "zh:27ac672aa61b3795931561fdbe4a306ad1132af517d7711c14569429b2cc694f", - "zh:3b978423dead02f9a98d25de118adf264a2331acdc4550ea93bed01feabc12e7", - "zh:490d7eb4b922ba1b57e0ab8dec1a08df6517485febcab1e091fd6011281c3472", - "zh:64e7c84e18dac1af5778d6f516e01a46f9c91d710867c39fbc7efa3cd972dc62", - "zh:73867ac2956dcdd377121b3aa8fe2e1085e77fae9b61d018f56a863277ea4b6e", - "zh:7ed899d0d5c49f009b445d7816e4bf702d9c48205c24cf884cd2ae0247160455", + "h1:ZCkH69PXABnzc0/8Jtfga1mEN5EOecSrPZjtye2y7Kk=", + "zh:03d524b70ab300d90dc4dccad0c28b18d797b8986722b7a93e40a41500450eaa", + "zh:04dbcb7ab52181a784877c409f6c882df34bda686d8c884d511ebd4abf493f0c", + "zh:2b068f7838e0f3677829258df05d8b9d73fe6434a1a809f8710956cc1c01ea03", + "zh:41a4b1e4adbf7c90015ebff17a719fc08133b8a2c4dcefd2fa281552126e59a8", + "zh:48b1adf57f695a72c88c598f99912171ef7067638fd63fb0c6ad3fa397b3f7c3", + "zh:5c2fb26ecb83adac90d06dcf5f97edbc944824c2821816b1653e1a2b9d37b3c4", + "zh:93df05f53702df829d9b9335e559ad8b313808dbd2fad8b2ff14f176732e693d", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9b93784b3fb13d08cf95a4131c49b56bf7e1cd35daad6156b3658a89ce6fb58f", - "zh:b29d77eb75de474e46eb47e539c48916628d85599bcf14e5cc500b14a4578e75", - "zh:bbd9cec8ca705452e4a3d21d56474eacb8cc7b1b74b7f310fdea4bdcffebab32", - "zh:c352eb3169efa0e27a29b99a2630e8298710a084453c519caa39e5972ff6d1fc", - "zh:e32f4744b43be1708b309a734e0ac10b5c0f9f92e5849298cf1a90f2b906f6f3", + 
"zh:b5da39898602e44551b56e2803a42d92ea7115e35b1792efbf6649da37ef597b", + "zh:b7ab7f743f864ed8d479a7cb04fd3ce00c376f867ee5b53c4c1acaef6e286c54", + "zh:e7e7b2d8ee486415481a25ac7bdded20bd2897d5dd0790741798f31935b9528d", + "zh:e8008e3f5ef560fd9004d1ed1738f0f53e99b0ce961d967e95fc7c02e5954e4e", + "zh:f1296f648b8608ffa930b52519b00ed01eebedde9fdaf94205b365536e6c3916", + "zh:f8539960fd978a54990740ee984c6f7f743c9c32c7734e2601e92abfe54367e9", + "zh:fd182e6e20bb52982752a5d8c4b16887565f413a9d50d9d394d2c06eea8a195e", ] } diff --git a/terraform/auth0/ministryofjustice-data-platform/terraform.tf b/terraform/auth0/ministryofjustice-data-platform/terraform.tf index af17a61233..b5a347c704 100644 --- a/terraform/auth0/ministryofjustice-data-platform/terraform.tf +++ b/terraform/auth0/ministryofjustice-data-platform/terraform.tf @@ -10,7 +10,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "5.50.0" + version = "5.51.1" } auth0 = { source = "auth0/auth0" From ce5fdd2ca236a64089f0235f8fdc46b798c65a3e Mon Sep 17 00:00:00 2001 From: Mat Date: Wed, 29 May 2024 10:18:00 +0100 Subject: [PATCH 4/6] Access for data-catalogue github actions (#4413) Access for data-catalogue github actions We want to schedule Datahub DBT ingestions using github actions. (https://github.com/ministryofjustice/data-catalogue/issues/123) To do this, Github actions needs to be able to assume a role via OIDC, and use it to access the s3 bucket containing the outputs from DBT. See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html We already had IRSAs (IAM roles for service accounts) which can be assumed by Datahub itself, but these assume you are running an application in a kubernetes pod on AWS, whereas in this case we are going to run the ingestion from github actions. --- .../tooling-iam/datahub-iam.tf | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) 
diff --git a/terraform/aws/analytical-platform-data-production/tooling-iam/datahub-iam.tf b/terraform/aws/analytical-platform-data-production/tooling-iam/datahub-iam.tf index 0b6cacfa5e..487bd21359 100644 --- a/terraform/aws/analytical-platform-data-production/tooling-iam/datahub-iam.tf +++ b/terraform/aws/analytical-platform-data-production/tooling-iam/datahub-iam.tf @@ -86,6 +86,40 @@ resource "aws_iam_policy" "datahub_read_cadet_bucket" { policy = data.aws_iam_policy_document.datahub_read_cadet_bucket.json } +# Allow Github actions to assume a role via OIDC. +# So that scheduled jobs in the data-catalogue repo can access the CaDeT bucket. +data "aws_iam_policy_document" "datahub_ingestion_github_actions" { + statement { + effect = "Allow" + actions = ["sts:AssumeRoleWithWebIdentity"] + + principals { + type = "Federated" + identifiers = ["arn:aws:iam::${var.account_ids["analytical-platform-data-production"]}:oidc-provider/token.actions.githubusercontent.com"] + } + condition { + test = "StringEquals" + values = ["sts.amazonaws.com"] + variable = "token.actions.githubusercontent.com:aud" + } + condition { + test = "StringLike" + values = ["repo:ministryofjustice/data-catalogue:*"] + variable = "token.actions.githubusercontent.com:sub" + } + } +} + +resource "aws_iam_role" "datahub_ingestion_github_actions" { + name = "datahub-ingestion-github-actions" + assume_role_policy = data.aws_iam_policy_document.datahub_ingestion_github_actions.json +} + +resource "aws_iam_role_policy_attachment" "datahub_ingestion_github_actions" { + policy_arn = aws_iam_policy.datahub_read_cadet_bucket.arn + role = aws_iam_role.datahub_ingestion_github_actions.name +} + #trivy:ignore:avd-aws-0057:sensitive action 'glue:GetDatabases' on wildcarded resource data "aws_iam_policy_document" "datahub_ingest_glue_datasets" { statement { From e452e532f0a42c4d870b3853f7b1c1e66f24506e Mon Sep 17 00:00:00 2001 
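Review bot: The `sub` condition in the new trust policy, `StringLike` on `repo:ministryofjustice/data-catalogue:*`, lets a workflow on any branch, tag, pull request or environment of that repository assume `datahub-ingestion-github-actions` (and therefore read the CaDeT bucket via the attached `datahub_read_cadet_bucket` policy), as long as the workflow runs with `id-token: write`. Since the description says the caller is a scheduled job, the claim can be pinned to the branch the schedule runs from, for example `test = "StringEquals"` with `values = ["repo:ministryofjustice/data-catalogue:ref:refs/heads/<DEFAULT_BRANCH>"]` (placeholder; the branch name is not on the page), or to a GitHub environment subject if the job is gated by one. The Federated principal ARN is also assembled by hand from `var.account_ids`; if the `token.actions.githubusercontent.com` OIDC provider is managed in this module, referencing that resource's `arn` would make the dependency explicit and surface a wrong account id earlier than the first failed assume. The added blocks are complete within the hunk; only the trailing context cuts into the pre-existing `datahub_ingest_glue_datasets` document.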
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 29 May 2024 09:29:42 +0000 Subject: [PATCH 5/6] :dependabot: github-actions(deps): Bump planetscale/ghcommit-action from 0.1.39 to 0.1.40 (#4415) --- .../workflows/repository-dependabot-configuration-generator.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/repository-dependabot-configuration-generator.yml b/.github/workflows/repository-dependabot-configuration-generator.yml index 96e7a945f3..ce68348778 100644 --- a/.github/workflows/repository-dependabot-configuration-generator.yml +++ b/.github/workflows/repository-dependabot-configuration-generator.yml @@ -38,7 +38,7 @@ jobs: - name: Commit Changes id: commit_changes - uses: planetscale/ghcommit-action@b662a9d7235a07e80d976152ed5afe41651c4973 # v0.1.39 + uses: planetscale/ghcommit-action@c8ba2501e51d7257efb393109e6e10bc36a3f769 # v0.1.40 with: commit_message: "🤖 Update .github/dependabot.yml" file_pattern: ".github/dependabot.yml" From 358ac7829671cf167437d1c7348a9ee5a5e7524f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 30 May 2024 09:06:47 +0000 Subject: [PATCH 6/6] :dependabot: terraform(deps): Bump hashicorp/aws from 5.50.0 to 5.51.1 in /terraform/auth0/ministryofjustice-data-platform-development (#4421) --- .../.terraform.lock.hcl | 34 +++++++++---------- .../terraform.tf | 2 +- 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/terraform/auth0/ministryofjustice-data-platform-development/.terraform.lock.hcl b/terraform/auth0/ministryofjustice-data-platform-development/.terraform.lock.hcl index 3aa49425fa..4664b68251 100644 --- a/terraform/auth0/ministryofjustice-data-platform-development/.terraform.lock.hcl +++ b/terraform/auth0/ministryofjustice-data-platform-development/.terraform.lock.hcl 
@@ -24,24 +24,24 @@ provider "registry.terraform.io/auth0/auth0" { } provider "registry.terraform.io/hashicorp/aws" { - version = "5.50.0" - constraints = "5.50.0" + version = "5.51.1" + constraints = "5.51.1" hashes = [ - "h1:WL4SfIhP8jI5CksUGSgkOFrXvAfbcGnOw0gVrzZZ4rw=", - "zh:19be42f5a545d6712dee4bdb704b018d23bacf5d902ac3cb061eb1750dfe6a20", - "zh:1d880bdba95ce96efde37e5bcf457a57df2c1effa9b47bc67fa29c1a264ae53b", - "zh:1e9c78e324d7492be5e7744436ed71d66fe4eca3fb6af07a28efd0d1e3bf7640", - "zh:27ac672aa61b3795931561fdbe4a306ad1132af517d7711c14569429b2cc694f", - "zh:3b978423dead02f9a98d25de118adf264a2331acdc4550ea93bed01feabc12e7", - "zh:490d7eb4b922ba1b57e0ab8dec1a08df6517485febcab1e091fd6011281c3472", - "zh:64e7c84e18dac1af5778d6f516e01a46f9c91d710867c39fbc7efa3cd972dc62", - "zh:73867ac2956dcdd377121b3aa8fe2e1085e77fae9b61d018f56a863277ea4b6e", - "zh:7ed899d0d5c49f009b445d7816e4bf702d9c48205c24cf884cd2ae0247160455", + "h1:ZCkH69PXABnzc0/8Jtfga1mEN5EOecSrPZjtye2y7Kk=", + "zh:03d524b70ab300d90dc4dccad0c28b18d797b8986722b7a93e40a41500450eaa", + "zh:04dbcb7ab52181a784877c409f6c882df34bda686d8c884d511ebd4abf493f0c", + "zh:2b068f7838e0f3677829258df05d8b9d73fe6434a1a809f8710956cc1c01ea03", + "zh:41a4b1e4adbf7c90015ebff17a719fc08133b8a2c4dcefd2fa281552126e59a8", + "zh:48b1adf57f695a72c88c598f99912171ef7067638fd63fb0c6ad3fa397b3f7c3", + "zh:5c2fb26ecb83adac90d06dcf5f97edbc944824c2821816b1653e1a2b9d37b3c4", + "zh:93df05f53702df829d9b9335e559ad8b313808dbd2fad8b2ff14f176732e693d", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9b93784b3fb13d08cf95a4131c49b56bf7e1cd35daad6156b3658a89ce6fb58f", - "zh:b29d77eb75de474e46eb47e539c48916628d85599bcf14e5cc500b14a4578e75", - "zh:bbd9cec8ca705452e4a3d21d56474eacb8cc7b1b74b7f310fdea4bdcffebab32", - "zh:c352eb3169efa0e27a29b99a2630e8298710a084453c519caa39e5972ff6d1fc", - "zh:e32f4744b43be1708b309a734e0ac10b5c0f9f92e5849298cf1a90f2b906f6f3", + 
"zh:b5da39898602e44551b56e2803a42d92ea7115e35b1792efbf6649da37ef597b", + "zh:b7ab7f743f864ed8d479a7cb04fd3ce00c376f867ee5b53c4c1acaef6e286c54", + "zh:e7e7b2d8ee486415481a25ac7bdded20bd2897d5dd0790741798f31935b9528d", + "zh:e8008e3f5ef560fd9004d1ed1738f0f53e99b0ce961d967e95fc7c02e5954e4e", + "zh:f1296f648b8608ffa930b52519b00ed01eebedde9fdaf94205b365536e6c3916", + "zh:f8539960fd978a54990740ee984c6f7f743c9c32c7734e2601e92abfe54367e9", + "zh:fd182e6e20bb52982752a5d8c4b16887565f413a9d50d9d394d2c06eea8a195e", ] } diff --git a/terraform/auth0/ministryofjustice-data-platform-development/terraform.tf b/terraform/auth0/ministryofjustice-data-platform-development/terraform.tf index 3fe47e967f..2ddffb5cd5 100644 --- a/terraform/auth0/ministryofjustice-data-platform-development/terraform.tf +++ b/terraform/auth0/ministryofjustice-data-platform-development/terraform.tf @@ -10,7 +10,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "5.50.0" + version = "5.51.1" } auth0 = { source = "auth0/auth0"