From 06d0f8ca5592c8793c8e35894ff04dbc74e84731 Mon Sep 17 00:00:00 2001
From: Ricardo Campos
Date: Wed, 1 Mar 2023 16:01:14 -0300
Subject: [PATCH] ci(vault): add action to retrieve token from broker (#89)
---
 .github/workflows/merge-main.yml | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/merge-main.yml b/.github/workflows/merge-main.yml
index bd09b8dfb..ab2c45588 100644
--- a/.github/workflows/merge-main.yml
+++ b/.github/workflows/merge-main.yml
@@ -212,12 +212,21 @@ jobs:
 ZONE: test
 NR_SPAR_ORACLE_API_VERSION: ${{ needs.release.outputs.version }}
 steps:
+ - name: Broker
+ id: broker
+ uses: bcgov-nr/action-vault-broker-approle@v0.0.5
+ with:
+ broker_jwt: ${{ secrets.BROKER_JWT }}
+ provision_role_id: ${{ secrets.PROVISION_ROLE_ID }}
+ project_name: spar
+ app_name: app-spar
+ environment: test
 - name: Import Secrets
 id: secrets
 uses: hashicorp/vault-action@v2.5.0
 with:
 url: https://vault-iit.apps.silver.devops.gov.bc.ca
- token: ${{ secrets.VAULT_TOKEN }}
+ token: ${{ steps.broker.outputs.vault_token }}
 exportEnv: 'false'
 secrets: |
 apps/data/test/spar/app-spar/db_proxy_read_only db_username | VAULT_DB_USER;
@@ -231,8 +240,7 @@ jobs:
 # Login to OpenShift and select project
 oc login --token=${{ secrets.OC_TOKEN }} --server=${{ secrets.OC_SERVER }}
 oc project ${{ secrets.OC_NAMESPACE }}
- # Do not replace database; 'oc create' kicks up an error if objects already exist
- #oc process -f .github/openshift/deploy.database.yml -p ZONE=${{ env.ZONE }} | oc create -f - || true
+ # Process and apply deployment templates
 oc process -f .github/openshift/deploy.backend.yml -p ZONE=${{ env.ZONE }} \
 -p NR_SPAR_ORACLE_API_VERSION=test-${{ env.NR_SPAR_ORACLE_API_VERSION }} \
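Review bot: The new Broker step at the top of the `@@ -212,12 +212,21 @@` hunk pins `bcgov-nr/action-vault-broker-approle@v0.0.5` by a mutable tag while handing it `secrets.BROKER_JWT` and `secrets.PROVISION_ROLE_ID` and trusting the `vault_token` it returns, so a moved tag would put both credentials and the resulting Vault token in third-party code; pin it to a full commit SHA instead, `uses: bcgov-nr/action-vault-broker-approle@<commit-sha>  # v0.0.5` (placeholder — take the SHA from the action's v0.0.5 tag). The token then travels through a plain step output into `hashicorp/vault-action`, and step outputs are only masked in logs if the producing action registers them as secrets, so confirm the broker action does that (`::add-mask::`) before relying on the token not surfacing in workflow logs. With `secrets.VAULT_TOKEN` no longer read here, that static long-lived token should be revoked and removed from the repository secrets once this lands, rather than left as an unused credential. The prod job hunk at `@@ -405,12 +413,21 @@` adds the identical Broker step and the same points apply there.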
@@ -405,12 +413,21 @@ jobs:
 oc project ${{ secrets.OC_NAMESPACE }}
 oc delete is/${{ env.NAME }}-${{ env.ZONE}}-${{ env.COMPONENT }} || true
+ - name: Broker
+ id: broker
+ uses: bcgov-nr/action-vault-broker-approle@v0.0.5
+ with:
+ broker_jwt: ${{ secrets.BROKER_JWT }}
+ provision_role_id: ${{ secrets.PROVISION_ROLE_ID }}
+ project_name: spar
+ app_name: app-spar
+ environment: prod
 - name: Import Secrets
 id: secrets
 uses: hashicorp/vault-action@v2.5.0
 with:
 url: https://vault-iit.apps.silver.devops.gov.bc.ca
- token: ${{ secrets.VAULT_TOKEN }}
+ token: ${{ steps.broker.outputs.vault_token }}
 exportEnv: 'false'
 secrets: |
 apps/data/prod/spar/app-spar/db_proxy_read_only db_username | VAULT_DB_USER;